Compare commits

..

7 Commits

Author SHA1 Message Date
6aee63e908 Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 20s
CI / Detect changes (pull_request) Successful in 52s
E2E API Smoke Test / detect-changes (pull_request) Successful in 52s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 48s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 14s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 39s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 41s
sop-tier-check / tier-check (pull_request) Successful in 21s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 50s
CI / Platform (Go) (pull_request) Successful in 7s
CI / Canvas (Next.js) (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 6s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 6s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m3s
audit-force-merge / audit (pull_request) Successful in 13s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 3m17s
2026-05-11 11:12:51 +00:00
83b2652368 Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 17s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 14s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
E2E API Smoke Test / detect-changes (pull_request) Successful in 48s
CI / Detect changes (pull_request) Successful in 58s
sop-tier-check / tier-check (pull_request) Successful in 23s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 49s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 51s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 46s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 56s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m25s
CI / Platform (Go) (pull_request) Successful in 9s
CI / Canvas (Next.js) (pull_request) Successful in 10s
CI / Python Lint & Test (pull_request) Successful in 8s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 12s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 22s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 5m2s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
2026-05-11 10:53:32 +00:00
3ec205147f Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 11s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 15s
CI / Detect changes (pull_request) Successful in 35s
E2E API Smoke Test / detect-changes (pull_request) Successful in 37s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 37s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 35s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 34s
sop-tier-check / tier-check (pull_request) Successful in 19s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 50s
CI / Platform (Go) (pull_request) Successful in 6s
CI / Canvas (Next.js) (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 5s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 14s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 6s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 4m44s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 5m23s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
2026-05-11 10:38:23 +00:00
86c2ef49ab Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 19s
CI / Detect changes (pull_request) Successful in 50s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 15s
E2E API Smoke Test / detect-changes (pull_request) Successful in 59s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 22s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m4s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m4s
sop-tier-check / tier-check (pull_request) Successful in 24s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 59s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 58s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 5m12s
CI / Platform (Go) (pull_request) Successful in 7s
CI / Canvas (Next.js) (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 8s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 11s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 20s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 7s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 3m42s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
2026-05-11 10:27:00 +00:00
7cd9bbe3c3 Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 21s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 13s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 17s
sop-tier-check / tier-check (pull_request) Successful in 20s
CI / Detect changes (pull_request) Successful in 53s
E2E API Smoke Test / detect-changes (pull_request) Successful in 58s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 58s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 59s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 52s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 58s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 4m31s
CI / Platform (Go) (pull_request) Successful in 9s
CI / Canvas (Next.js) (pull_request) Successful in 11s
CI / Python Lint & Test (pull_request) Successful in 11s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 22s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 10s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Failing after 4m45s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
2026-05-11 10:07:02 +00:00
88ad71706f Merge branch 'main' into refactor/drop-canary-prefix
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s
CI / Detect changes (pull_request) Successful in 23s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 19s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 19s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 16s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 35s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) Failing after 4m46s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m19s
sop-tier-check / tier-check (pull_request) Successful in 36s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 59s
CI / Platform (Go) (pull_request) Successful in 10s
CI / Canvas (Next.js) (pull_request) Successful in 11s
CI / Python Lint & Test (pull_request) Successful in 9s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 16s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 10s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 8s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Shellcheck (E2E scripts) (pull_request) Failing after 11m5s
2026-05-11 09:56:52 +00:00
claude-ceo-assistant
f6cc29ca2e refactor(ci): drop "canary-" prefix → staging-smoke/staging-verify
Some checks failed
CI / Detect changes (pull_request) CI bypass: infra#241
CI / Platform (Go) (pull_request) CI bypass: infra#241
CI / Canvas (Next.js) (pull_request) CI bypass: infra#241
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m3s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 14s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 46s
Ops Scripts Tests / Ops scripts (unittest) (pull_request) Successful in 54s
E2E Staging SaaS (full lifecycle) / E2E Staging SaaS (pull_request) CI bypass: E2E SaaS test flaky/infra issue, infra#241 Gitea runners cannot reach external deps
E2E API Smoke Test / E2E API Smoke Test (pull_request) CI bypass: infra#241
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) CI bypass: infra#241
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) CI bypass: infra#241
E2E Staging Canvas (Playwright) / detect-changes (pull_request) CI bypass: infra#241
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) CI bypass: infra#241
Handlers Postgres Integration / detect-changes (pull_request) CI bypass: infra#241
Block internal-flavored paths / Block forbidden paths (pull_request) CI bypass: infra#241
CI / Shellcheck (E2E scripts) (pull_request) CI bypass: infra#241
Secret scan / Scan diff for credential-shaped strings (pull_request) CI bypass: infra#241
sop-tier-check / tier-check (pull_request) CI bypass: infra#241
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Python Lint & Test (pull_request) Failing after 8m15s
Per Hongming directive 2026-05-11 09:08Z: "canary naming changed to
staging for all, if there are some left overs should change too."

The "canary-" prefix was a redundant modifier on workflow files that
already targeted staging. The deployment-STRATEGY concept (a small
subset of staging tenants gets the new image first, the rest follow
on green) stays — only the workflow IDENTITY and the secret store
keys feeding it are renamed.

## Renamed surfaces

Files (git mv preserves history):
- .gitea/workflows/canary-staging.yml → staging-smoke.yml
- .gitea/workflows/canary-verify.yml  → staging-verify.yml
- scripts/canary-smoke.sh             → scripts/staging-smoke.sh

Secret-store keys (consumed by .gitea/workflows/staging-verify.yml +
scripts/staging-smoke.sh — secrets don't exist in any store yet, so
this rename is rename-first-safe per the audit Section C "truly
missing" classification):
- secrets.CANARY_TENANT_URLS       → secrets.MOLECULE_STAGING_TENANT_URLS
- secrets.CANARY_ADMIN_TOKENS      → secrets.MOLECULE_STAGING_ADMIN_TOKENS
- secrets.CANARY_CP_SHARED_SECRET  → secrets.MOLECULE_STAGING_CP_SHARED_SECRET

Env flag (test_staging_full_saas.sh + the 2 workflows that invoke it):
- E2E_MODE=canary → E2E_MODE=smoke
  (legacy "canary" alias retained for one rollout cycle; remove after
   one week of no-old-value observations)

Slug prefix (test_staging_full_saas.sh + teardown safety nets in
staging-smoke.yml + e2e-staging-sanity.yml):
- e2e-canary-{date}-* → e2e-smoke-{date}-*
  (dual-prefix fallback in both teardown nets for one rollout cycle so
   any in-flight org from an older runner checkout still cleans up)

Concurrency group + workflow name + step / job names:
- concurrency.group: canary-staging → staging-smoke
- name: "Canary — staging SaaS smoke" → "Staging SaaS smoke"
- name: "canary-verify" → "Staging verify"
- job: canary → smoke
- job: canary-smoke → staging-smoke
- step: "Canary run" → "Smoke run"
- step: "Run canary smoke suite" → "Run staging smoke suite"

Script-internal:
- CANARY_ACURL_PATH helper var → ACURL_PATH

Cross-references updated:
- e2e-staging-saas.yml + e2e-staging-sanity.yml + publish-canvas-image.yml
  + continuous-synth-e2e.yml + sweep-stale-e2e-orgs.yml + both
  redeploy-tenants-on-*.yml comment refs to the renamed workflows
- docs/architecture/canary-release.md + tests/e2e/STAGING_SAAS_E2E.md
  + scripts/README.md + runbooks/gitea-actions-migration-checklist.md

## Out of scope (deliberate)

- CANARY_SLUG / CANARY_PROMOTE_* in redeploy-tenants-on-*.yml: this is
  the soak-deploy canary slug (one-tenant-first-then-fan-out), a
  different concept than the renamed smoke workflow. Stays.
- .github/workflows/ tree: dormant mirror per
  reference_molecule_core_actions_gitea_only — Gitea Actions reads
  .gitea/ only. Sweep cleanup is a separate follow-up.
- Alert issue title "Canary failing: staging SaaS smoke" in
  staging-smoke.yml: kept stable so any open alert from the pre-rename
  filename still title-matches the auto-close search on next green.

## Verification

- grep -rn "CANARY_\|canary-staging\|canary-verify\|E2E_MODE=canary"
  .gitea/ scripts/ tests/ docs/ runbooks/ — remaining matches are
  intentional (deployment-strategy CANARY_SLUG concept, historical
  rename notes with "formerly" qualifier, soak-canary vars).
- yaml.safe_load() parses all 9 touched workflow files clean.
- bash -n on scripts/staging-smoke.sh and
  tests/e2e/test_staging_full_saas.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 02:28:46 -07:00
165 changed files with 873 additions and 27930 deletions

View File

@ -49,11 +49,11 @@ if [ "$MERGED" != "true" ]; then
exit 0
fi
MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty') || true
MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"') || true
TITLE=$(echo "$PR" | jq -r '.title // ""') || true
BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"') || true
HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty') || true
MERGE_SHA=$(echo "$PR" | jq -r '.merge_commit_sha // empty')
MERGED_BY=$(echo "$PR" | jq -r '.merged_by.login // "unknown"')
TITLE=$(echo "$PR" | jq -r '.title // ""')
BASE_BRANCH=$(echo "$PR" | jq -r '.base.ref // "main"')
HEAD_SHA=$(echo "$PR" | jq -r '.head.sha // empty')
if [ -z "$MERGE_SHA" ]; then
echo "::warning::PR #${PR_NUMBER} merged=true but no merge_commit_sha — cannot evaluate force-merge."
@ -75,7 +75,7 @@ STATUS=$(curl -sS -H "$AUTH" \
declare -A CHECK_STATE
while IFS=$'\t' read -r ctx state; do
[ -n "$ctx" ] && CHECK_STATE[$ctx]="$state"
done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"') || true
done < <(echo "$STATUS" | jq -r '.statuses // [] | .[] | "\(.context)\t\(.status)"')
# 4. For each required check, was it green at merge? YAML block scalars
# (`|`) leave a trailing newline; skip blank/whitespace-only lines.
@ -97,7 +97,7 @@ fi
# 5. Emit structured audit event.
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .) || true
FAILED_JSON=$(printf '%s\n' "${FAILED_CHECKS[@]}" | jq -R . | jq -s .)
# Print as a single-line JSON so Vector's parse_json transform can pick
# it up cleanly from docker_logs.

View File

@ -301,19 +301,7 @@ def expected_context(job_key: str, workflow_name: str = "ci") -> str:
# Drift detection
# --------------------------------------------------------------------------
def detect_drift(branch: str) -> tuple[list[str], dict]:
"""Returns (findings, debug). Empty findings == no drift.
Raises:
ApiError: propagated from the protection fetch only when the
failure is likely a transient Gitea outage (5xx).
403/404 from the protection endpoint is treated as
"cannot determine drift for this branch" a token-
scope issue (missing repo-admin on DRIFT_BOT_TOKEN) or
a repo with no protection set should not turn the
hourly cron red. The workflow continues to the next
branch; no [ci-drift] issue is filed for a branch
whose protection cannot be read.
"""
"""Returns (findings, debug). Empty findings == no drift."""
findings: list[str] = []
ci_doc = load_yaml(CI_WORKFLOW_PATH)
@ -325,50 +313,9 @@ def detect_drift(branch: str) -> tuple[list[str], dict]:
env_set = required_checks_env(audit_doc)
# Protection
# api() raises ApiError on non-2xx. Transient 5xx should fail loud.
# 403/404 means the token lacks repo-admin scope (Gitea 1.22.6's
# branch_protections endpoint requires it — see DRIFT_BOT_TOKEN
# provisioning trail in ci-required-drift.yml). Treat as
# "cannot determine drift for this branch" — skip without turning
# the workflow red. Surface a clear diagnostic so the operator
# knows what to fix.
contexts: set[str] = set()
protection_path = f"/repos/{OWNER}/{NAME}/branch_protections/{branch}"
try:
_, protection = api("GET", protection_path)
except ApiError as e:
# Isolate the HTTP status from the error message.
http_status: int | None = None
msg = str(e)
# ApiError message format: "{method} {path} → HTTP {status}: {body}"
import re as _re
m = _re.search(r"HTTP (\d{3})", msg)
if m:
http_status = int(m.group(1))
if http_status in (403, 404):
# Token lacks scope OR branch has no protection. Cannot
# determine drift — skip this branch. Do NOT exit non-zero;
# the issue IS the alarm, not a red workflow.
sys.stderr.write(
f"::error::GET {protection_path} returned HTTP {http_status}"
f"DRIFT_BOT_TOKEN lacks repo-admin scope (Gitea 1.22.6 "
f"requires it for this endpoint) OR branch has no protection "
f"configured. Cannot determine drift for {branch}; "
f"skipping. Fix: grant repo-admin to mc-drift-bot or "
f"configure protection on {branch}.\n"
)
debug = {
"branch": branch,
"ci_jobs": sorted(jobs),
"sentinel_needs": sorted(needs),
"protection_contexts_skipped": True,
"protection_http_status": http_status,
"audit_env_checks": sorted(env_set),
}
return [], debug
# 5xx — propagate (transient outage, fail loud per design).
raise
# api() raises ApiError on non-2xx; let it propagate so a transient
# 500 fails the run loudly rather than producing a "no drift" lie.
_, protection = api("GET", f"/repos/{OWNER}/{NAME}/branch_protections/{branch}")
if not isinstance(protection, dict):
sys.stderr.write(
f"::error::protection response for {branch} not a JSON object\n"

View File

@ -1,40 +0,0 @@
#!/usr/bin/env python3
"""Extract changed-file list from Gitea Compare API JSON response.
Gitea Compare API returns changed files nested inside commits, not at the
top level:
{"commits": [{"files": [{"filename": "path/to/file"}]}]}
Usage:
compare-api-diff-files.py < API_RESPONSE.json
Exits 0 with filenames on stdout, one per line.
Exits 1 on malformed input (caller should handle as "no files").
"""
from __future__ import annotations
import sys
import json
def _extract_filenames(data: object) -> list[str]:
    """Pull non-empty ``filename`` entries out of a Compare API payload.

    Tolerates shape drift defensively: a non-dict payload, a non-list
    ``commits``, non-dict commit entries, or non-dict file entries all
    contribute no filenames instead of raising. Order of the input is
    preserved; duplicates are kept (callers dedupe if they care).
    """
    if not isinstance(data, dict):
        return []
    commits = data.get("commits")
    if not isinstance(commits, list):
        return []
    filenames: list[str] = []
    for commit in commits:
        if not isinstance(commit, dict):
            continue
        files = commit.get("files")
        if not isinstance(files, list):
            continue
        for entry in files:
            if not isinstance(entry, dict):
                continue
            fn = entry.get("filename", "")
            if fn:
                filenames.append(fn)
    return filenames


def main() -> None:
    """Read Compare API JSON from stdin; print one filename per line.

    Exits 1 when stdin is not valid JSON (caller treats this as "no
    files"). A parseable response with an unexpected shape previously
    crashed with an AttributeError traceback; it now cleanly produces
    empty output, which callers already treat as an empty list.
    """
    try:
        data = json.load(sys.stdin)
    except Exception:
        # Malformed input: exit 1 per the documented contract.
        sys.exit(1)
    filenames = _extract_filenames(data)
    if filenames:
        sys.stdout.write("\n".join(filenames))
        sys.stdout.write("\n")
    # else: empty stdout = no files, caller treats as empty list


if __name__ == "__main__":
    main()

View File

@ -1,404 +0,0 @@
#!/usr/bin/env python3
"""lint-required-no-paths — structural enforcement of
`feedback_path_filtered_workflow_cant_be_required`.
For every workflow whose status-check context appears in
`branch_protections/<branch>.status_check_contexts`, assert that the
workflow's `on:` block has NO `paths:` and NO `paths-ignore:` filter.
A required-check workflow with a paths filter silently degrades the
merge gate:
- If the PR's diff doesn't match the `paths:` glob, the workflow
never fires.
- Gitea (1.22.6) reports the required context as `pending` (never as
`skipped == success`), so the PR cannot merge.
- For a docs-only PR against `paths: ['**.go']`, the PR is
blocked forever — no human action can produce a green.
The class was previously prevented only by reviewer vigilance + the
saved memory `feedback_path_filtered_workflow_cant_be_required`. This
script makes it a hard CI gate so a future PR adding `paths:` to a
required workflow fails fast at PR time, not after merge when the next
docs PR wedges main.
The lint runs as `.gitea/workflows/lint-required-no-paths.yml` on every
PR. The lint workflow ITSELF must not have a paths-filter (otherwise it
could be circumvented by a paths-non-matching PR) — that's enforced by
self-reference and by the workflow's own `on:` block deliberately
omitting filters.
Sources of truth:
- `branch_protections/<branch>` `status_check_contexts` (the merge gate)
- `.gitea/workflows/*.yml` `name:` + `on:` (the workflow set)
Context-format note (Gitea 1.22.6):
Status-check contexts are formatted `{workflow_name} / {job_name_or_key} ({event})`.
We parse the workflow_name prefix and walk `.gitea/workflows/*.yml` for
a file whose `name:` attr matches. (The filename is NOT the source of
truth; `name:` is, because Gitea formats the context from `name:`.)
Exit codes:
0 no required workflow has a paths/paths-ignore filter (clean) OR
branch_protections endpoint returned 403/404 (token-scope issue;
surfaced via ::error:: but non-fatal so a missing scope doesn't
red-X every PR — fix the token, not the lint).
1 at least one required workflow has a paths/paths-ignore filter
(the gate-degrading defect class).
2 env contract violation (missing GITEA_TOKEN/HOST/REPO/BRANCH).
3 workflows directory missing or workflow YAML unparseable.
4 protection response shape unexpected (non-dict body on 2xx).
Auth note: `GET /repos/.../branch_protections/{branch}` requires
repo-admin role in Gitea 1.22.6. The workflow-default `GITHUB_TOKEN`
is non-admin; we re-use `DRIFT_BOT_TOKEN` (same persona that powers
ci-required-drift.yml). If `DRIFT_BOT_TOKEN` is unavailable in a future
context, the script falls through gracefully (exit 0 + ::error::).
"""
from __future__ import annotations
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Any
import yaml # PyYAML 6.0.2 — installed by the workflow before this runs.
# --------------------------------------------------------------------------
# Environment
# --------------------------------------------------------------------------
def _env(key: str, *, required: bool = True, default: str | None = None) -> str:
val = os.environ.get(key, default)
if required and not val:
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
return val or ""
# Runtime configuration — all optional at import time so tests can import
# individual functions without satisfying the full env contract;
# _require_runtime_env() (called from run()) enforces presence for real runs.
GITEA_TOKEN = _env("GITEA_TOKEN", required=False)
GITEA_HOST = _env("GITEA_HOST", required=False)
REPO = _env("REPO", required=False)  # "owner/name" slug
BRANCH = _env("BRANCH", required=False, default="main")
WORKFLOWS_DIR = _env(
    "WORKFLOWS_DIR", required=False, default=".gitea/workflows"
)
# Split "owner/name"; pads with "" so a slash-less REPO still unpacks,
# and falls back to ("", "") when REPO is unset.
OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
# Gitea REST base URL; empty string doubles as a "host unset" sentinel.
API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
def _require_runtime_env() -> None:
"""Enforce env contract — called from `run()` only. Tests import
individual functions without setting the full env contract."""
for key in ("GITEA_TOKEN", "GITEA_HOST", "REPO", "BRANCH"):
if not os.environ.get(key):
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
# --------------------------------------------------------------------------
# Tiny HTTP helper (mirrors ci-required-drift.py contract:
# raise on non-2xx and on JSON-decode-fail when JSON expected, per
# `feedback_api_helper_must_raise_not_return_dict`).
# --------------------------------------------------------------------------
class ApiError(RuntimeError):
    """Raised when a Gitea API call cannot be trusted to have succeeded."""


def api(
    method: str,
    path: str,
    *,
    body: dict | None = None,
    query: dict[str, str] | None = None,
    expect_json: bool = True,
) -> tuple[int, Any]:
    """Issue one authenticated Gitea API request.

    Returns (status, parsed_body). Raises ApiError on any non-2xx
    response and on JSON-decode failure when ``expect_json`` is true
    (raise-don't-return contract, per
    `feedback_api_helper_must_raise_not_return_dict`). An empty 2xx body
    yields (status, None); a non-JSON 2xx body with expect_json=False is
    wrapped as {"_raw": <decoded text>}.

    NOTE(review): the "→ HTTP {status}" message format is parsed by
    callers with a regex — keep it stable.
    """
    url = f"{API}{path}"
    if query:
        url += f"?{urllib.parse.urlencode(query)}"
    headers = {
        "Authorization": f"token {GITEA_TOKEN}",
        "Accept": "application/json",
    }
    payload = None
    if body is not None:
        payload = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    request = urllib.request.Request(url, method=method, data=payload, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            raw = response.read()
            status = response.status
    except urllib.error.HTTPError as http_err:
        # An HTTP error still carries a body worth quoting in the error.
        raw = http_err.read()
        status = http_err.code
    if status < 200 or status >= 300:
        snippet = raw[:500].decode("utf-8", errors="replace") if raw else ""
        raise ApiError(f"{method} {path} → HTTP {status}: {snippet}")
    if not raw:
        return status, None
    try:
        return status, json.loads(raw)
    except json.JSONDecodeError as decode_err:
        if expect_json:
            raise ApiError(
                f"{method} {path} → HTTP {status} but body is not JSON: {decode_err}"
            ) from decode_err
        return status, {"_raw": raw.decode("utf-8", errors="replace")}
# --------------------------------------------------------------------------
# Status-check context parser
# --------------------------------------------------------------------------
# Format: "<workflow_name> / <job_name_or_key> (<event>)"
# Examples observed on molecule-core/main:
# "Secret scan / Scan diff for credential-shaped strings (pull_request)"
# "sop-tier-check / tier-check (pull_request)"
#
# Split strategy: peel off the trailing ` (<event>)` first, then split
# the leading `<workflow> / <rest>` on the FIRST ` / ` (workflow names
# come from `name:` attrs which conventionally don't embed ' / '; job
# names CAN, so we keep the rest of the slash-divided text as the job
# name). This matches Gitea's `name: ` semantics.
_CONTEXT_RE = re.compile(r"^(?P<workflow>.+?) / (?P<job>.+) \((?P<event>[^)]+)\)$")
def parse_context(ctx: str) -> tuple[str, str, str] | None:
"""Parse `<workflow> / <job> (<event>)` → (workflow, job, event) or None."""
if not ctx:
return None
m = _CONTEXT_RE.match(ctx)
if not m:
return None
return m.group("workflow"), m.group("job"), m.group("event")
# --------------------------------------------------------------------------
# workflow-name → file resolution
# --------------------------------------------------------------------------
def _iter_workflow_files() -> list[Path]:
    """All workflow YAML files under WORKFLOWS_DIR, sorted by path.

    Exits 3 when the directory is missing. Scans both `.yml` and
    `.yaml` — Gitea accepts either suffix, and silently missing a
    future `.yaml` port would be worse than the extra glob.
    """
    root = Path(WORKFLOWS_DIR)
    if not root.is_dir():
        sys.stderr.write(f"::error::workflows directory not found: {root}\n")
        sys.exit(3)
    return sorted([*root.glob("*.yml"), *root.glob("*.yaml")])
def resolve_workflow_file(workflow_name: str) -> Path | None:
    """Locate the workflow YAML whose `name:` attr equals ``workflow_name``.

    Returns None when no file matches. The filename is deliberately NOT
    a fallback: Gitea formats the status-check context from `name:`, so
    a `name:`-less workflow would never appear in the protection list in
    the first place. Exits 3 on unparseable YAML.
    """
    for candidate in _iter_workflow_files():
        try:
            parsed = yaml.safe_load(candidate.read_text(encoding="utf-8"))
        except yaml.YAMLError as exc:
            sys.stderr.write(f"::error::YAML parse error in {candidate}: {exc}\n")
            sys.exit(3)
        if isinstance(parsed, dict) and parsed.get("name") == workflow_name:
            return candidate
    return None
# --------------------------------------------------------------------------
# paths-filter detection
# --------------------------------------------------------------------------
# Triggers that accept `paths:` / `paths-ignore:` (per GitHub Actions /
# Gitea Actions docs): pull_request, pull_request_target, push.
# We don't enumerate — any sub-key named `paths` or `paths-ignore`
# inside an event mapping is flagged.
# Filter keys that degrade a required check when present under `on:`.
# Any sub-key with one of these names inside an event mapping is flagged;
# we don't enumerate which triggers officially accept them.
_PATHS_KEYS = ("paths", "paths-ignore")


def detect_paths_filters(workflow_path: Path) -> list[str]:
    """Scan a workflow's `on:` block for `paths`/`paths-ignore` filters.

    Returns one human-readable finding per offending key; an empty list
    means the workflow carries no filter anywhere under `on:`. Exits 3
    when the YAML cannot be parsed.
    """
    try:
        doc = yaml.safe_load(workflow_path.read_text(encoding="utf-8"))
    except yaml.YAMLError as exc:
        sys.stderr.write(f"::error::YAML parse error in {workflow_path}: {exc}\n")
        sys.exit(3)
    if not isinstance(doc, dict):
        return []
    # PyYAML 6 quirk: YAML 1.1 treats bare `on` as a boolean, so the key
    # may surface as the bool True instead of the string "on" — tolerate both.
    triggers = doc.get("on") or doc.get(True)
    if triggers is None:
        return []
    # `on: push` and `on: [push, pull_request]` shorthands cannot carry filters.
    if isinstance(triggers, (str, list)):
        return []
    if not isinstance(triggers, dict):
        return []
    findings: list[str] = []
    # Defensive: a top-level `on.paths:` is malformed syntax, but if present
    # it could create a false sense of "filter exists" — surface it anyway.
    for key in _PATHS_KEYS:
        if key in triggers:
            findings.append(
                f"top-level `on.{key}` filter (malformed but present): {triggers[key]!r}"
            )
    for event, spec in triggers.items():
        if event in _PATHS_KEYS:
            continue  # already handled above
        if not isinstance(spec, dict):
            # `pull_request: null` / `pull_request: [opened]` shapes —
            # nowhere for a paths filter to live.
            continue
        for key in _PATHS_KEYS:
            if key in spec:
                findings.append(
                    f"`on.{event}.{key}` filter present: {spec[key]!r}"
                )
    return findings
# --------------------------------------------------------------------------
# Driver
# --------------------------------------------------------------------------
def run() -> int:
    """Main lint entrypoint. Returns the process exit code.

    Exit semantics (see module docstring for full table):
      0  clean (no offending paths-filter on any required workflow),
         OR protection unreadable (403/404) — surfaced as ::error::
         but treated as non-fatal so token-scope issues don't red-X
         every PR.
      1  at least one required workflow carries a paths/paths-ignore
         filter — the regression class this lint exists to prevent.
    """
    _require_runtime_env()
    protection_path = f"/repos/{OWNER}/{NAME}/branch_protections/{BRANCH}"
    try:
        _, protection = api("GET", protection_path)
    except ApiError as e:
        # 403/404 almost always means token scope or no protection
        # configured — degrade gracefully rather than fail every PR.
        msg = str(e)
        m = re.search(r"HTTP (\d{3})", msg)
        http_status = int(m.group(1)) if m else None
        if http_status in (403, 404):
            # BUGFIX: the two message fragments previously concatenated
            # without a separator ("HTTP 403DRIFT_BOT_TOKEN ..."); add
            # the missing " — " between status and explanation.
            sys.stderr.write(
                f"::error::GET {protection_path} returned HTTP {http_status} — "
                f"DRIFT_BOT_TOKEN lacks repo-admin scope (Gitea 1.22.6 "
                f"requires it for this endpoint) OR branch '{BRANCH}' has "
                f"no protection configured. Cannot enumerate required "
                f"checks; skipping lint with exit 0 to avoid red-X on "
                f"every PR. Fix: grant repo-admin to mc-drift-bot.\n"
            )
            return 0
        raise
    if not isinstance(protection, dict):
        sys.stderr.write(
            f"::error::protection response for {BRANCH} not a JSON object\n"
        )
        return 4
    contexts: list[str] = list(protection.get("status_check_contexts") or [])
    if not contexts:
        print(
            f"::notice::branch_protections/{BRANCH} has 0 required "
            f"status_check_contexts; nothing to lint. (no required contexts)"
        )
        return 0
    print(f"::notice::Linting {len(contexts)} required context(s) for paths-filter regressions:")
    for c in contexts:
        print(f"  - {c}")
    offenders: list[tuple[str, Path, list[str]]] = []
    unresolved: list[str] = []
    for ctx in contexts:
        parsed = parse_context(ctx)
        if parsed is None:
            print(
                f"::warning::could not parse context '{ctx}' "
                f"(expected `<workflow> / <job> (<event>)`); skipping"
            )
            unresolved.append(ctx)
            continue
        workflow_name, _job, _event = parsed
        wf_path = resolve_workflow_file(workflow_name)
        if wf_path is None:
            # Unresolvable context: warn only — orphan detection belongs
            # to a different lint (ci-required-drift).
            print(
                f"::warning::no workflow file in {WORKFLOWS_DIR} has "
                f"`name: {workflow_name}` (required context '{ctx}'); "
                f"skipping paths-filter check. "
                f"(orphaned-context detection is ci-required-drift's job.)"
            )
            unresolved.append(ctx)
            continue
        findings = detect_paths_filters(wf_path)
        if findings:
            offenders.append((workflow_name, wf_path, findings))
        else:
            print(f"::notice::OK {wf_path.name} ({workflow_name}) — no paths filter")
    if offenders:
        print("")
        print(f"::error::Found {len(offenders)} required workflow(s) with paths/paths-ignore filters:")
        for workflow_name, wf_path, findings in offenders:
            for finding in findings:
                # ::error file=... lets Gitea Actions surface a per-file
                # annotation in the PR UI (when annotations are wired).
                print(
                    f"::error file={wf_path}::Required workflow "
                    f"'{workflow_name}' ({wf_path.name}) has a paths "
                    f"filter that would degrade the merge gate to a "
                    f"silent indefinite pending: {finding}. "
                    f"See feedback_path_filtered_workflow_cant_be_required. "
                    f"Fix: remove the filter and instead gate per-step "
                    f"inside the job with `if: contains(steps.changed.outputs.files, ...)` "
                    f"or refactor to a single-job-with-per-step-if shape."
                )
        return 1
    print("")
    print(
        f"::notice::OK — all {len(contexts) - len(unresolved)} resolvable "
        f"required workflow(s) clean (no paths/paths-ignore filters)."
    )
    if unresolved:
        print(
            f"::notice::{len(unresolved)} required context(s) were not "
            f"resolved to a workflow file (warn-not-fail); see warnings above."
        )
    return 0
if __name__ == "__main__":
    # Equivalent to sys.exit(run()): SystemExit carries the lint's code.
    raise SystemExit(run())

View File

@ -1,369 +0,0 @@
#!/usr/bin/env python3
"""lint-workflow-yaml — catch Gitea-1.22.6-hostile workflow YAML shapes.
This script enforces six structural rules that have historically caused
silent CI failures on Gitea Actions (1.22.6) workflows that the server's
YAML parser rejects with `[W] ignore invalid workflow ...` and registers
for zero events, or shape conventions that produce ambiguous status
contexts. Each rule maps to a documented incident in saved memory.
Rules (4 fatal + 1 fatal cross-file + 1 heuristic-warn):
1. `workflow_dispatch.inputs:` block Gitea 1.22.6 mis-parses the
`inputs` keys as sibling event types and rejects the whole file.
Memory: feedback_gitea_workflow_dispatch_inputs_unsupported.
Origin: 2026-05-11 PyPI freeze (publish-runtime).
2. `on: workflow_run:` event not enumerated in Gitea 1.22.6's
supported event list (verified via modules/actions/workflows.go
enumeration; task #81). Workflow registers, fires for 0 events.
3. `name:` containing `/` breaks the
`<workflow> / <job> (<event>)` commit-status context convention;
downstream parsers (sop-tier-check, status-reaper) tokenize on `/`.
4. `name:` collision across files Gitea routes commit-status updates
by `name` and behavior on collision is undefined (status-reaper
rev1 fail-loud).
5. Cross-repo `uses: org/repo/path@ref` blocked while
`[actions].DEFAULT_ACTIONS_URL=github` is the server default;
resolves to github.com/<org-suspended>/... and 404s.
Memory: feedback_gitea_cross_repo_uses_blocked. Cross-link: task #109.
6. (HEURISTIC, warn-not-fail) Steps reference `https://api.github.com`
or `https://github.com/.../releases/download` without a
workflow-level `env.GITHUB_SERVER_URL` set to the Gitea instance.
Memory: feedback_act_runner_github_server_url.
Per `feedback_smoke_test_vendor_truth_not_shape_match`: fixtures used to
validate this lint must mirror real Gitea 1.22.6 YAML semantics, not
Python yaml-parser quirks. The test suite at tests/test_lint_workflow_yaml.py
includes a vendor-truth fixture (the exact publish-runtime regression).
Usage:
python3 .gitea/scripts/lint-workflow-yaml.py
Lint every `*.yml` in `.gitea/workflows/`.
python3 .gitea/scripts/lint-workflow-yaml.py --workflow-dir <path>
Lint a custom directory (used by tests/test_lint_workflow_yaml.py).
Exit codes:
0 clean OR only heuristic-warnings emitted.
1 at least one fatal rule (1-5) violated.
2 YAML parse error or argv usage error.
"""
from __future__ import annotations
import argparse
import collections
import glob
import os
import re
import sys
from pathlib import Path
from typing import Any, Iterable
try:
import yaml
except ImportError:
print("::error::PyYAML is required. Install with: pip install PyYAML", file=sys.stderr)
sys.exit(2)
# YAML quirk: bare `on:` at the top level parses to the Python `True`
# (because `on` is a YAML 1.1 boolean alias). Handle both keys.
def _get_on(d: dict) -> Any:
if not isinstance(d, dict):
return None
if "on" in d:
return d["on"]
if True in d:
return d[True]
return None
# ---------------------------------------------------------------------------
# Rule 1 — workflow_dispatch.inputs block (Gitea 1.22.6 parser rejects)
# ---------------------------------------------------------------------------
def check_workflow_dispatch_inputs(filename: str, doc: Any) -> list[str]:
    """Return per-violation error lines if `workflow_dispatch.inputs` is set.

    `filename` is used in the `::error file=...` annotation so the PR UI
    can point at the offending workflow file (previously the annotation
    carried a hardcoded placeholder and the parameter was unused).
    """
    errors: list[str] = []
    on = _get_on(doc)
    if not isinstance(on, dict):
        return errors
    wd = on.get("workflow_dispatch")
    if isinstance(wd, dict) and wd.get("inputs"):
        errors.append(
            f"::error file={filename}::Rule 1 (FATAL): "
            f"`on.workflow_dispatch.inputs:` block detected. Gitea 1.22.6 "
            f"silently rejects the entire workflow with `[W] ignore invalid "
            f"workflow: unknown on type: map[...]`. Drop the `inputs:` block "
            f"and derive parameters from tag name / env / external query. "
            f"Memory: feedback_gitea_workflow_dispatch_inputs_unsupported."
        )
    return errors
# ---------------------------------------------------------------------------
# Rule 2 — on: workflow_run (not supported on Gitea 1.22.6)
# ---------------------------------------------------------------------------
def check_workflow_run_event(filename: str, doc: Any) -> list[str]:
    """Return per-violation error lines if `on: workflow_run:` is used.

    Handles both the mapping shape (`on: {workflow_run: ...}`) and the
    list shorthand (`on: [workflow_run, ...]`). `filename` now feeds the
    `::error file=...` annotation (it was previously unused).
    """
    errors: list[str] = []
    on = _get_on(doc)
    if isinstance(on, dict) and "workflow_run" in on:
        errors.append(
            f"::error file={filename}::Rule 2 (FATAL): `on: workflow_run:` "
            f"event used. Gitea 1.22.6 does NOT support `workflow_run` "
            f"(verified via modules/actions/workflows.go enumeration; "
            f"task #81). Workflow will fire for zero events. Use a "
            f"`schedule:` cron OR a `push:` trigger with `paths:` filter "
            f"on the upstream workflow file as the cross-workflow gate."
        )
    elif isinstance(on, list) and "workflow_run" in on:
        errors.append(
            f"::error file={filename}::Rule 2 (FATAL): `on: workflow_run` "
            f"in event list. Not supported on Gitea 1.22.6 — task #81."
        )
    return errors
# ---------------------------------------------------------------------------
# Rule 3 — name: contains "/" (breaks status-context tokenization)
# ---------------------------------------------------------------------------
def check_name_with_slash(filename: str, doc: Any) -> list[str]:
    """Return per-violation error lines if workflow `name:` contains a slash.

    `filename` now feeds the `::error file=...` annotation (it was
    previously unused and the annotation carried a placeholder).
    """
    errors: list[str] = []
    if not isinstance(doc, dict):
        return errors
    name = doc.get("name")
    if isinstance(name, str) and "/" in name:
        errors.append(
            f"::error file={filename}::Rule 3 (FATAL): workflow `name: "
            f"{name!r}` contains `/`. The commit-status context convention "
            f"is `<workflow> / <job> (<event>)`; embedding `/` in the "
            f"workflow name makes downstream parsers (sop-tier-check, "
            f"status-reaper) tokenize ambiguously. Rename to use `-` or "
            f"` ` instead."
        )
    return errors
# ---------------------------------------------------------------------------
# Rule 4 — cross-file name collision
# ---------------------------------------------------------------------------
def check_name_collision_across_files(
    docs_by_file: dict[str, Any],
) -> list[str]:
    """Return per-collision error lines if two files share the same `name:`.

    Collisions are reported in sorted name order; each error lists every
    file carrying the duplicated `name:`.
    """
    # Group filenames by workflow name (only non-empty string names count).
    by_name: dict[str, list[str]] = {}
    for filename, doc in docs_by_file.items():
        if not isinstance(doc, dict):
            continue
        name = doc.get("name")
        if isinstance(name, str) and name:
            by_name.setdefault(name, []).append(filename)
    errors: list[str] = []
    for n, files in sorted(by_name.items()):
        if len(files) <= 1:
            continue
        errors.append(
            f"::error::Rule 4 (FATAL): workflow `name: {n!r}` collision "
            f"across {len(files)} files: {files}. Gitea routes "
            f"commit-status updates by `name`; collision yields "
            f"undefined behavior. Give each workflow a unique `name:`."
        )
    return errors
# ---------------------------------------------------------------------------
# Rule 5 — cross-repo `uses: org/repo/path@ref`
# ---------------------------------------------------------------------------
# `uses: <foo>@<ref>` — match the value form Gitea/act actually parse.
# We need to distinguish:
# - `actions/checkout@<sha>` OK (bare org/repo@ref, no subpath)
# - `./.gitea/actions/foo` OK (local path)
# - `docker://image:tag` OK (docker-image form)
# - `molecule-ai/molecule-ci/.gitea/actions/audit-force-merge@main` BAD
USES_CROSS_REPO_RE = re.compile(
r"""^
(?P<owner>[A-Za-z0-9_.\-]+)
/
(?P<repo>[A-Za-z0-9_.\-]+)
/ # mandatory subpath separator => cross-repo composite/reusable
(?P<path>[^@\s]+)
@
(?P<ref>\S+)
$""",
re.VERBOSE,
)
def _iter_uses(doc: Any) -> Iterable[str]:
"""Yield every `uses:` string from job steps in a workflow document."""
if not isinstance(doc, dict):
return
jobs = doc.get("jobs")
if not isinstance(jobs, dict):
return
for job in jobs.values():
if not isinstance(job, dict):
continue
# reusable workflow: `uses:` at the job level
if isinstance(job.get("uses"), str):
yield job["uses"]
steps = job.get("steps")
if not isinstance(steps, list):
continue
for step in steps:
if isinstance(step, dict) and isinstance(step.get("uses"), str):
yield step["uses"]
def check_cross_repo_uses(filename: str, doc: Any) -> list[str]:
    """Return per-violation error lines for cross-repo `uses:` references.

    Local (`./`, `../`) and docker (`docker://`) forms are skipped; bare
    `org/repo@ref` is allowed; `org/repo/subpath@ref` is the blocked
    cross-repo shape (see USES_CROSS_REPO_RE). `filename` now feeds the
    `::error file=...` annotation (it was previously unused).
    """
    errors: list[str] = []
    for uses in _iter_uses(doc):
        # Skip docker:// and local ./
        if uses.startswith(("docker://", "./", "../")):
            continue
        m = USES_CROSS_REPO_RE.match(uses.strip())
        if m:
            errors.append(
                f"::error file={filename}::Rule 5 (FATAL): cross-repo "
                f"`uses: {uses}` detected. Gitea 1.22.6 with "
                f"`[actions].DEFAULT_ACTIONS_URL=github` resolves this to "
                f"github.com/{m.group('owner')}/{m.group('repo')} which "
                f"404s (org suspended 2026-05-06). Inline the shared bash "
                f"into `.gitea/scripts/` until task #109 (actions mirror) "
                f"ships. Memory: feedback_gitea_cross_repo_uses_blocked."
            )
    return errors
# ---------------------------------------------------------------------------
# Rule 6 — heuristic: github.com/api refs without workflow-level
# GITHUB_SERVER_URL (WARN-not-FAIL per halt-condition 3)
# ---------------------------------------------------------------------------
# Match `https://api.github.com/...` (API call) — that's the actionable
# pattern. We intentionally do NOT match `https://github.com/.../releases/
# download/...` (jq-release pin) nor `https://github.com/${{ github.repository
# }}` (OCI label) because those are documented benign references on current
# main and would 100% false-positive (3 hits, per Phase 1 audit).
# Case-insensitive so `API.GITHUB.COM` variants are caught too.
GITHUB_API_REF_RE = re.compile(
    r"https://api\.github\.com\b|https://github\.com/api/",
    re.IGNORECASE,
)
def _has_workflow_level_server_url(doc: Any) -> bool:
if not isinstance(doc, dict):
return False
env = doc.get("env")
if isinstance(env, dict) and "GITHUB_SERVER_URL" in env:
return True
return False
def check_github_server_url_missing(filename: str, doc: Any, raw: str) -> list[str]:
    """Return warn-lines (NOT errors) if api.github.com is referenced without
    workflow-level GITHUB_SERVER_URL. Heuristic — false-positives possible.

    `raw` is the unparsed file text (the reference may live inside a
    `run:` script body, invisible to the YAML structure). `filename` now
    feeds the `::warning file=...` annotation (it was previously unused).
    """
    warns: list[str] = []
    if not GITHUB_API_REF_RE.search(raw):
        return warns
    if _has_workflow_level_server_url(doc):
        return warns
    warns.append(
        f"::warning file={filename}::Rule 6 (WARN, heuristic): file "
        f"references `https://api.github.com` without a workflow-level "
        f"`env.GITHUB_SERVER_URL: https://git.moleculesai.app`. The "
        f"act_runner default for `${{{{ github.server_url }}}}` is "
        f"github.com, which can break actions that auth-condition on "
        f"server_url (e.g. actions/setup-go). If this curl is "
        f"intentionally hitting GitHub (e.g. public release pin), ignore. "
        f"Memory: feedback_act_runner_github_server_url."
    )
    return warns
# ---------------------------------------------------------------------------
# Driver
# ---------------------------------------------------------------------------
def main(argv: list[str] | None = None) -> int:
    """Lint every workflow YAML file under --workflow-dir.

    Returns 0 when clean (heuristic warnings alone don't fail the run),
    1 when any fatal rule (1-5) is violated or a file fails YAML parsing.
    argparse itself exits 2 on bad argv.
    """
    p = argparse.ArgumentParser(
        description="Lint Gitea Actions workflow YAML for 1.22.6-hostile shapes."
    )
    p.add_argument(
        "--workflow-dir",
        default=".gitea/workflows",
        help="Directory of workflow *.yml files (default: .gitea/workflows).",
    )
    args = p.parse_args(argv)
    wf_dir = Path(args.workflow_dir)
    if not wf_dir.exists():
        # Empty / missing dir = nothing to lint, not a failure.
        print(f"::notice::No workflow directory at {wf_dir}; skipping.")
        return 0
    # Both .yml and .yaml extensions are linted, in sorted order for
    # deterministic output.
    yml_paths = sorted(
        glob.glob(str(wf_dir / "*.yml")) + glob.glob(str(wf_dir / "*.yaml"))
    )
    if not yml_paths:
        print(f"::notice::No workflow files in {wf_dir}; nothing to lint.")
        return 0
    fatal_errors: list[str] = []
    warnings: list[str] = []
    docs_by_file: dict[str, Any] = {}
    for path in yml_paths:
        rel = os.path.relpath(path)
        try:
            raw = Path(path).read_text()
            doc = yaml.safe_load(raw)
        except yaml.YAMLError as e:
            # A file the parser rejects cannot be linted structurally;
            # record the parse failure itself as fatal.
            fatal_errors.append(
                f"::error file={rel}::YAML parse error: {e}. Cannot lint "
                f"a file the parser rejects."
            )
            continue
        docs_by_file[rel] = doc
        # Per-file checks
        fatal_errors.extend(check_workflow_dispatch_inputs(rel, doc))
        fatal_errors.extend(check_workflow_run_event(rel, doc))
        fatal_errors.extend(check_name_with_slash(rel, doc))
        fatal_errors.extend(check_cross_repo_uses(rel, doc))
        warnings.extend(check_github_server_url_missing(rel, doc, raw))
    # Cross-file checks
    fatal_errors.extend(check_name_collision_across_files(docs_by_file))
    # Emit warnings first (non-blocking)
    for w in warnings:
        print(w)
    if not fatal_errors:
        n = len(yml_paths)
        print(
            f"::notice::lint-workflow-yaml: {n} workflow file(s) checked, "
            f"no fatal Gitea-1.22.6-hostile shapes. "
            f"({len(warnings)} heuristic warning(s) emitted.)"
        )
        return 0
    # Emit fatal errors
    print(
        f"::error::lint-workflow-yaml: {len(fatal_errors)} fatal violation(s) "
        f"across {len(yml_paths)} workflow file(s). See rule documentation "
        f"in .gitea/scripts/lint-workflow-yaml.py docstring."
    )
    for e in fatal_errors:
        print(e)
    return 1
if __name__ == "__main__":
    # Equivalent to sys.exit(main()): SystemExit carries the lint's code.
    raise SystemExit(main())

View File

@ -1,438 +0,0 @@
#!/usr/bin/env python3
"""lint_continue_on_error_tracking — Tier 2e per internal#350.
Rule
----
Every `continue-on-error: true` directive in `.gitea/workflows/*.yml`
must be accompanied by a tracker reference comment within 2 lines
(above OR below the directive's line). The reference is one of:
* `# mc#NNNN` — molecule-core issue
* `# internal#NNNN` — molecule-ai/internal issue
The referenced issue must satisfy ALL of:
1. Exists (HTTP 200 on `/repos/{owner}/{name}/issues/{num}`)
2. `state == "open"`
3. `created_at` is ≤ MAX_AGE_DAYS days ago (default 14)
A passing reference establishes an audit trail and a forced renewal
cadence after 14 days the issue must either be CLOSED (the masked
defect was fixed) or the comment must point at a NEW tracker
(deliberate decision to keep masking, requires a paper-trail).
The class this prevents
-----------------------
Phase-3-masked failures. `continue-on-error: true` on `platform-build`
had been hiding mc#664-class regressions for ~3 weeks before #656
surfaced them on 2026-05-12. A 14-day cap forces a tracker review
cycle and surfaces mask-drift within at most 14 days of the original
defect.
Behaviour-based gate
--------------------
We parse via PyYAML AST (per `feedback_behavior_based_ast_gates`) to
detect `continue-on-error: <truthy>` at job-key level, then map each
location back to its source line via PyYAML's line-tracking loader.
Comments are scanned from the raw text within a 2-line window of
that source line. Reformatting (block-scalar vs flow-style) does not
break the rule because the source-line anchor is the directive's
own line.
Exit codes
----------
0 every `continue-on-error: true` has a passing tracker, OR
the issue-API endpoint returned 403/404 (token-scope; graceful
degrade per Tier 2a contract surface via ::error:: on stderr
but don't red-X every PR over auth).
1 at least one violation (missing/closed/too-old/non-existent
tracker).
2 env contract violation, YAML parse error, or workflows-dir
missing.
Env
---
GITEA_TOKEN read scope on the configured repos.
Auto-injected `GITHUB_TOKEN` works for same-repo
issue reads; for `internal#NNN` we need a token
with `molecule-ai/internal` read scope. Use
DRIFT_BOT_TOKEN (same persona as other Tier 2
lints).
GITEA_HOST e.g. git.moleculesai.app
REPO `owner/name` for `mc#NNNN` lookups
INTERNAL_REPO `owner/name` for `internal#NNNN` lookups
(defaults to derived `molecule-ai/internal`)
WORKFLOWS_DIR defaults to `.gitea/workflows`
MAX_AGE_DAYS defaults to 14
Memory cross-links
------------------
- internal#350 (the RFC that specs this lint)
- mc#664 (the masked-3-weeks empirical case)
- feedback_chained_defects_in_never_tested_workflows
- feedback_behavior_based_ast_gates
- feedback_strict_root_only_after_class_a
"""
from __future__ import annotations
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Any
try:
import yaml
except ImportError:
sys.stderr.write(
"::error::PyYAML is required. Install with: pip install PyYAML\n"
)
sys.exit(2)
# ---------------------------------------------------------------------------
# Tracker comment regex.
# Matches: `# mc#1234`, `# internal#42`, `# mc#1234 - description`.
# Also matches trackers embedded mid-sentence: `# see mc#1234 for details`.
# Does NOT match: `# mc1234` (missing inner #), `# MC#1234` (case-sensitive).
# The search is line-wide, not just at the comment-marker prefix — fixes
# false-negative when the tracker appears mid-sentence (e.g. `internal#350`
# after prose). NOTE(review): the pattern itself does not require a leading
# `#` comment marker, so a bare `mc#1234` in YAML *content* would also
# match — confirm callers only feed comment-bearing windows if that matters.
TRACKER_RE = re.compile(
    r"(?P<slug>mc|internal)#(?P<num>\d+)\b"
)
# Truthy continue-on-error values we treat as "true". PyYAML decodes
# `continue-on-error: true` to Python `True`. `continue-on-error: "true"`
# decodes to the string "true" — Gitea's evaluator coerces strings,
# so we treat string-`"true"` (case-insensitive) as truthy too.
def _is_truthy_coe(v: Any) -> bool:
if v is True:
return True
if isinstance(v, str) and v.strip().lower() == "true":
return True
return False
# ---------------------------------------------------------------------------
# Env contract
# ---------------------------------------------------------------------------
def _env(key: str, default: str | None = None) -> str:
v = os.environ.get(key, default)
return v if v is not None else ""
def _require_env(key: str) -> str:
v = os.environ.get(key)
if not v:
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
return v
# ---------------------------------------------------------------------------
# PyYAML line-tracking loader. yaml.SafeLoader nodes carry
# `start_mark.line` (0-based); using construct_mapping with `deep=True`
# preserves that on every node. We need the line of each
# `continue-on-error` key so we can scan the source for comments
# near it.
# ---------------------------------------------------------------------------
class _LineLoader(yaml.SafeLoader):
    """SafeLoader that annotates every dict with `__lines__: {key: line}`."""
def _construct_mapping(loader: yaml.SafeLoader, node: yaml.MappingNode) -> dict:
    # Module-level constructor (registered via add_constructor below);
    # PyYAML passes the loader instance as the first positional argument.
    mapping = loader.construct_mapping(node, deep=True)
    # Annotate per-key source lines so we can locate `continue-on-error`.
    lines: dict[str, int] = {}
    for k_node, _v_node in node.value:
        try:
            key = loader.construct_object(k_node, deep=True)
        except Exception:
            # Unconstructable key (exotic tag): skip — we only need the
            # plain scalar keys that workflows actually use.
            continue
        if isinstance(key, (str, int, bool)):
            lines[str(key)] = k_node.start_mark.line + 1  # 1-based
    if isinstance(mapping, dict):
        # NOTE: this injects a synthetic "__lines__" key into every parsed
        # mapping; consumers (find_coe_truthies) skip it explicitly.
        mapping["__lines__"] = lines
    return mapping
_LineLoader.add_constructor(
    yaml.resolver.BaseResolver.DEFAULT_MAPPING_TAG, _construct_mapping
)
# ---------------------------------------------------------------------------
# Issue lookup
# ---------------------------------------------------------------------------
def fetch_issue(slug_kind: str, num: int) -> tuple[str, dict | None]:
    """Fetch issue `num` for tracker kind `slug_kind` ("mc" or "internal").

    Return `(status, payload_or_none)` where
    status is one of {"ok", "not_found", "forbidden", "error"}.
    """
    # `mc#` resolves against REPO; `internal#` against INTERNAL_REPO.
    repo = (
        _env("REPO") if slug_kind == "mc" else _env("INTERNAL_REPO")
    )
    if not repo:
        # Fall through gracefully — caller treats as 403 (token-scope).
        return ("forbidden", None)
    host = _env("GITEA_HOST")
    token = _env("GITEA_TOKEN")
    url = f"https://{host}/api/v1/repos/{repo}/issues/{num}"
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return ("ok", json.loads(resp.read()))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return ("not_found", None)
        if e.code in (401, 403):
            return ("forbidden", None)
        # Any other HTTP failure is opaque to the caller.
        return ("error", None)
    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
        # Network failure, timeout, or a non-JSON body — collapse into
        # the generic "error" status.
        return ("error", None)
# ---------------------------------------------------------------------------
# Locate every continue-on-error: <truthy> in a workflow doc, with line.
# ---------------------------------------------------------------------------
def find_coe_truthies(
    doc: Any, raw_lines: list[str]
) -> list[tuple[str, int]]:
    """Return a list of (job_key, source_line_1based) pairs.

    `doc` is the LineLoader-parsed mapping. Only `jobs.<key>` entries
    whose `continue-on-error` value is truthy per `_is_truthy_coe` are
    returned. Step-level continue-on-error is intentionally NOT
    considered: it suppresses step-level failure rollup only, not
    job-level, and the masking class this lint targets is the job-level
    rollup.
    """
    hits: list[tuple[str, int]] = []
    jobs = doc.get("jobs") if isinstance(doc, dict) else None
    if not isinstance(jobs, dict):
        return hits
    for job_key, job_body in jobs.items():
        # "__lines__" is the synthetic annotation key from _LineLoader.
        if job_key == "__lines__" or not isinstance(job_body, dict):
            continue
        if not _is_truthy_coe(job_body.get("continue-on-error")):
            continue
        lineno = job_body.get("__lines__", {}).get("continue-on-error")
        if not lineno:
            # PyYAML line-tracking shouldn't miss, but guard for safety:
            # fall back to grepping the raw text.
            lineno = _grep_first_coe_line(raw_lines, job_key) or 1
        hits.append((str(job_key), int(lineno)))
    return hits
def _grep_first_coe_line(raw_lines: list[str], jkey: str) -> int | None:
"""Fallback: find the first `continue-on-error:` line after a `jkey:` line."""
saw_job = False
for i, line in enumerate(raw_lines, start=1):
if re.match(rf"^\s*{re.escape(jkey)}\s*:", line):
saw_job = True
continue
if saw_job and "continue-on-error" in line:
return i
return None
# ---------------------------------------------------------------------------
# Scan window for tracker comment
# ---------------------------------------------------------------------------
WINDOW = 2  # lines above OR below the directive's line (inclusive)
def find_tracker_in_window(
    raw_lines: list[str], line_1based: int
) -> tuple[str, int] | None:
    """Return (slug, num) if a `mc#NNN`/`internal#NNN` tracker reference
    appears within ±WINDOW lines of `line_1based`; None otherwise.

    The directive's own line is part of the window, so trailing inline
    comments (`continue-on-error: true  # mc#3`) are matched. NOTE: the
    whole line is searched, not just a `#`-comment suffix.
    """
    first = max(1, line_1based - WINDOW)
    last = min(len(raw_lines), line_1based + WINDOW)
    for lineno in range(first, last + 1):
        hit = TRACKER_RE.search(raw_lines[lineno - 1])
        if hit:
            return (hit.group("slug"), int(hit.group("num")))
    return None
# ---------------------------------------------------------------------------
# Tracker validation
# ---------------------------------------------------------------------------
def validate_tracker(
    slug: str, num: int, max_age_days: int
) -> tuple[bool, str]:
    """Return (ok?, reason). On 403, ok=True is returned with a reason
    explaining the graceful degrade — the caller treats 403 as a
    non-fatal skip (same as the Tier 2a contract).
    """
    status, payload = fetch_issue(slug, num)
    if status == "forbidden":
        sys.stderr.write(
            f"::error::issue {slug}#{num} unreadable (HTTP 403 — token "
            f"scope). Cannot validate; skipping this check to avoid "
            f"red-X on every PR. Fix the token, not the lint.\n"
        )
        return (True, "forbidden — skipped")
    if status == "not_found":
        return (False, f"{slug}#{num} does not exist (404)")
    if status == "error":
        # Transient fetch failure: skip rather than fail the PR.
        sys.stderr.write(
            f"::error::issue {slug}#{num} fetch errored — treating as "
            f"unverified, skipping this check.\n"
        )
        return (True, "fetch-error — skipped")
    assert payload is not None
    state = payload.get("state", "")
    if state != "open":
        return (False, f"{slug}#{num} state={state!r} (must be open)")
    created = payload.get("created_at", "")
    try:
        # Gitea returns ISO-8601 with timezone; Python 3.11+
        # fromisoformat handles `Z` suffix natively from 3.11. Older
        # runtimes need explicit replace.
        created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
    except ValueError:
        return (False, f"{slug}#{num} created_at unparseable: {created!r}")
    age = datetime.now(timezone.utc) - created_dt
    # Inclusive boundary at MAX_AGE_DAYS: `age.days` truncates to a
    # whole-day floor, so an issue created 14d 0h 5m ago has
    # `age.days == 14` and passes; one created 15d 0h 0m ago has
    # `age.days == 15` and fails. This is the convention specified
    # in internal#350 ("≤14 days old").
    if age.days > max_age_days:
        return (
            False,
            f"{slug}#{num} is {age.days} days old (>{max_age_days}d cap). "
            f"Close-or-renew the tracker.",
        )
    return (True, f"{slug}#{num} open, {age.days}d old, ≤{max_age_days}d")
# ---------------------------------------------------------------------------
# Driver
# ---------------------------------------------------------------------------
def _iter_workflow_files(wf_dir: Path) -> list[Path]:
return sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml")))
def run() -> int:
    """Main lint entrypoint.

    Returns 0 (clean / nothing to lint), 1 (violations), or 2
    (workflows dir missing). Per-file YAML parse failures are skipped —
    lint-workflow-yaml owns that failure class.
    """
    wf_dir = Path(_env("WORKFLOWS_DIR", ".gitea/workflows"))
    max_age = int(_env("MAX_AGE_DAYS", "14"))
    # Defaults for INTERNAL_REPO when unset (best-effort guess based on
    # the convention `mc#` = same repo, `internal#` = molecule-ai/internal).
    if not os.environ.get("INTERNAL_REPO"):
        os.environ["INTERNAL_REPO"] = "molecule-ai/internal"
    if not wf_dir.is_dir():
        sys.stderr.write(
            f"::error::workflows directory not found: {wf_dir}\n"
        )
        return 2
    yml_files = _iter_workflow_files(wf_dir)
    if not yml_files:
        print(f"::notice::no workflow files under {wf_dir}; nothing to lint.")
        return 0
    violations: list[str] = []
    notices: list[str] = []
    # Count of truthy continue-on-error directives seen (for the summary).
    total_coe_true = 0
    for path in yml_files:
        raw = path.read_text(encoding="utf-8")
        raw_lines = raw.splitlines()
        try:
            doc = yaml.load(raw, Loader=_LineLoader)
        except yaml.YAMLError as e:
            sys.stderr.write(
                f"::error file={path}::YAML parse error: {e}. Skipping "
                f"this file (lint-workflow-yaml will catch separately).\n"
            )
            continue
        coe_locs = find_coe_truthies(doc, raw_lines)
        for jkey, line in coe_locs:
            total_coe_true += 1
            tracker = find_tracker_in_window(raw_lines, line)
            if tracker is None:
                # No tracker reference at all within the ±WINDOW lines.
                violations.append(
                    f"::error file={path},line={line}::lint-continue-on-error-"
                    f"tracking (Tier 2e): job '{jkey}' has "
                    f"`continue-on-error: true` at line {line} with no "
                    f"`# mc#NNNN` or `# internal#NNNN` tracker comment "
                    f"within {WINDOW} lines. Add a tracker reference so "
                    f"this mask has a forced 14-day renewal cycle. "
                    f"Memory: feedback_chained_defects_in_never_tested_workflows."
                )
                continue
            slug, num = tracker
            ok, reason = validate_tracker(slug, num, max_age)
            if ok:
                notices.append(
                    f"::notice::{path.name} job '{jkey}' (line {line}): "
                    f"{reason}"
                )
            else:
                violations.append(
                    f"::error file={path},line={line}::lint-continue-on-error-"
                    f"tracking (Tier 2e): job '{jkey}' "
                    f"`continue-on-error: true` references {slug}#{num}, "
                    f"but {reason}. FIX: close/fix the underlying defect "
                    f"and flip continue-on-error: false, OR file a fresh "
                    f"tracker and update the comment."
                )
    # Notices first (non-blocking), then the pass/fail summary.
    for n in notices:
        print(n)
    if violations:
        print(
            f"::error::lint-continue-on-error-tracking: "
            f"{len(violations)} violation(s) across {len(yml_files)} "
            f"workflow file(s) (of {total_coe_true} `continue-on-error: "
            f"true` directives in total)."
        )
        for v in violations:
            print(v)
        return 1
    print(
        f"::notice::lint-continue-on-error-tracking: "
        f"all {total_coe_true} `continue-on-error: true` directive(s) "
        f"have valid trackers (open, ≤{max_age}d old)."
    )
    return 0
if __name__ == "__main__":
    # Equivalent to sys.exit(run()): SystemExit carries the lint's code.
    raise SystemExit(run())

View File

@ -1,361 +0,0 @@
#!/usr/bin/env python3
"""lint_mask_pr_atomicity — Tier 2d structural enforcement per internal#350.
Rule
----
A PR whose diff touches `.gitea/workflows/ci.yml` AND modifies EITHER:
- any `continue-on-error:` value, OR
- the `all-required` sentinel job's `needs:` block
must EITHER:
- Touch BOTH atomically in the same PR (preferred), OR
- Cross-link the paired PR via a literal `Paired: #NNN` reference in
the PR body OR in any commit message between BASE_SHA and HEAD_SHA.
The class this prevents
-----------------------
PR#665 (interim `continue-on-error: true` on `platform-build`) and
PR#668 (sentinel-`needs` demotion of the same job) were designed as a
pair but merged solo — #665 landed at 04:47Z 2026-05-12, #668 was still
open at 05:07Z when the main-red watchdog (#674) fired. Result: ~20
minutes of `main` red and a cascade of false-positives on unrelated PRs.
The lint operates on the YAML AST (PyYAML), not grep, per
`feedback_behavior_based_ast_gates`: a refactor that moves `continue-on-error`
between job keys, or renames the `all-required` job, would still be
detected because we walk the parsed structure.
Why this works on Gitea 1.22.6
------------------------------
We don't use any 1.22.6-missing endpoints (no `/actions/runs/*`, no
`branch_protections/*` Tier 2f/g need those; Tier 2d does not). All
required inputs come from the workflow `pull_request` event payload
(BASE_SHA, HEAD_SHA, PR_BODY) and from local git via `git show`/`git log`.
The auto-injected `GITHUB_TOKEN` is enough; we don't need
DRIFT_BOT_TOKEN.
Exit codes
----------
0 ci.yml not in diff, OR diff is no-op for the rule predicates,
OR atomicity satisfied (both touched), OR a valid `Paired: #NNN`
reference is present.
1 exactly ONE of {coe, sentinel-needs} touched AND no valid
`Paired: #NNN` reference. The split-pair regression class.
2 env contract violation (BASE_SHA / HEAD_SHA missing) or YAML
parse error on either side.
Env
---
BASE_SHA PR base (pull_request.base.sha)
HEAD_SHA PR head (pull_request.head.sha)
PR_BODY pull_request.body (may be empty)
CI_WORKFLOW_PATH defaults to `.gitea/workflows/ci.yml`
SENTINEL_JOB_KEY defaults to `all-required`
Memory cross-links
------------------
- internal#350 (the RFC that specs this lint)
- PR#665 / PR#668 (the empirical split-pair)
- mc#664 (the main-red incident)
- feedback_strict_root_only_after_class_a
- feedback_behavior_based_ast_gates
"""
from __future__ import annotations
import os
import re
import subprocess
import sys
from typing import Any
try:
import yaml
except ImportError:
sys.stderr.write(
"::error::PyYAML is required. Install with: pip install PyYAML\n"
)
sys.exit(2)
# ---------------------------------------------------------------------------
# YAML quirk: bare `on:` at the top level becomes Python `True` because
# `on` is a YAML 1.1 boolean. Not used here but documented for future
# editors who copy from this module.
# ---------------------------------------------------------------------------
# `Paired: #NNN` reference. `#` is mandatory, NNN must be digits. Any
# surrounding markdown/whitespace is fine. The match is case-sensitive
# on `Paired:` because lower-case `paired:` collides with conversational
# prose ("paired: see comment above") and the convention is the exact
# capitalisation. Note `\s*` also accepts the no-space form `Paired:#NNN`,
# and the `\b` anchors keep `Unpaired:` / `#123abc` from matching.
PAIRED_RE = re.compile(r"\bPaired:\s*#(?P<num>\d+)\b")
# ---------------------------------------------------------------------------
# Env contract
# ---------------------------------------------------------------------------
def _env(key: str, default: str | None = None) -> str:
v = os.environ.get(key, default)
return v if v is not None else ""
def _require_env(key: str) -> str:
v = os.environ.get(key)
if not v:
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
return v
# ---------------------------------------------------------------------------
# git-show helper. Returns None when the path doesn't exist on that side
# (new file, deleted file, or rename — git returns exit 128 with "fatal:
# path not in tree"). We treat None as "no rule predicate triggered on
# that side".
# ---------------------------------------------------------------------------
def git_show(sha: str, path: str) -> str | None:
r = subprocess.run(
["git", "show", f"{sha}:{path}"],
capture_output=True,
text=True,
)
if r.returncode != 0:
return None
return r.stdout
def git_log_messages(base_sha: str, head_sha: str) -> str:
    """Concatenated commit messages (``%B``) in ``base..head``; "" on git error."""
    proc = subprocess.run(
        ["git", "log", "--format=%B", f"{base_sha}..{head_sha}"],
        capture_output=True,
        text=True,
    )
    if proc.returncode == 0:
        return proc.stdout
    return ""
def git_diff_paths(base_sha: str, head_sha: str) -> list[str]:
    """Changed file paths between the two SHAs; [] on git error."""
    proc = subprocess.run(
        ["git", "diff", "--name-only", f"{base_sha}..{head_sha}"],
        capture_output=True,
        text=True,
    )
    if proc.returncode != 0:
        return []
    return [line for line in proc.stdout.splitlines() if line.strip()]
# ---------------------------------------------------------------------------
# Predicate 1 — any `continue-on-error` value changed between base and head
# ---------------------------------------------------------------------------
def _collect_coe(doc: Any) -> dict[str, Any]:
"""Walk every job in `jobs.*` and collect its continue-on-error value.
Returns a dict {job_key: coe_value}. Missing keys are absent from
the dict (NOT `False` distinguishes "added the key" from
"unchanged absent"). Job-step `continue-on-error` is NOT considered
only job-level, because that's the value that masks job status
rollup, which is the class this lint targets.
"""
out: dict[str, Any] = {}
if not isinstance(doc, dict):
return out
jobs = doc.get("jobs")
if not isinstance(jobs, dict):
return out
for k, j in jobs.items():
if not isinstance(j, dict):
continue
if "continue-on-error" in j:
out[k] = j["continue-on-error"]
return out
def coe_changed(base_doc: Any, head_doc: Any) -> tuple[bool, list[str]]:
"""Return (changed?, [reasons]) describing per-job coe diffs."""
base = _collect_coe(base_doc)
head = _collect_coe(head_doc)
reasons: list[str] = []
all_keys = set(base) | set(head)
for k in sorted(all_keys):
b = base.get(k, "<absent>")
h = head.get(k, "<absent>")
if b != h:
reasons.append(f"job '{k}' continue-on-error: {b!r}{h!r}")
return (bool(reasons), reasons)
# ---------------------------------------------------------------------------
# Predicate 2 — sentinel job's `needs:` changed
# ---------------------------------------------------------------------------
def _collect_needs(doc: Any, sentinel_key: str) -> list[str] | None:
"""Return the sentinel job's needs list (sorted) or None if absent."""
if not isinstance(doc, dict):
return None
jobs = doc.get("jobs")
if not isinstance(jobs, dict):
return None
j = jobs.get(sentinel_key)
if not isinstance(j, dict):
return None
needs = j.get("needs")
if needs is None:
return []
if isinstance(needs, str):
return [needs]
if isinstance(needs, list):
# Sort because `needs:` is order-insensitive at the engine
# level; a reorder is not a semantic change and shouldn't
# trip the lint.
return sorted(str(x) for x in needs)
return None
def sentinel_needs_changed(
base_doc: Any, head_doc: Any, sentinel_key: str
) -> tuple[bool, str]:
"""Return (changed?, reason)."""
base = _collect_needs(base_doc, sentinel_key)
head = _collect_needs(head_doc, sentinel_key)
if base == head:
return (False, "")
return (
True,
f"sentinel '{sentinel_key}'.needs: {base!r}{head!r}",
)
# ---------------------------------------------------------------------------
# Predicate 3 — `Paired: #NNN` present in body or any commit message
# ---------------------------------------------------------------------------
def find_paired_refs(pr_body: str, commit_log: str) -> list[str]:
    """Collect the distinct PR numbers from `Paired: #NNN` markers.

    Scans both the PR body and the concatenated commit log. The match is
    case-sensitive on `Paired:` by convention (lower-case collides with
    conversational prose). Returns sorted, de-duplicated digit strings.
    """
    pattern = re.compile(r"\bPaired:\s*#(?P<num>\d+)\b")
    numbers: set[str] = set()
    for text in (pr_body, commit_log):
        numbers.update(m.group("num") for m in pattern.finditer(text or ""))
    return sorted(numbers)
# ---------------------------------------------------------------------------
# Driver
# ---------------------------------------------------------------------------
def _parse(content: str | None, label: str) -> Any:
    """safe_load ``content``; None passes through, parse errors exit(2).

    ``label`` is only used in the diagnostic (``path@sha``) so the
    failing side of the diff is identifiable in the run log.
    """
    if content is None:
        return None
    try:
        return yaml.safe_load(content)
    except yaml.YAMLError as exc:
        sys.stderr.write(f"::error::YAML parse error on {label}: {exc}\n")
        sys.exit(2)
def run() -> int:
    """Lint driver: returns 0 (ok/skip), 1 (split-pair violation).

    May also terminate with exit code 2 via _require_env/_parse on env
    or YAML contract violations.
    """
    base_sha = _require_env("BASE_SHA")
    head_sha = _require_env("HEAD_SHA")
    pr_body = _env("PR_BODY", "")
    ci_path = _env("CI_WORKFLOW_PATH", ".gitea/workflows/ci.yml")
    sentinel_key = _env("SENTINEL_JOB_KEY", "all-required")
    # Step 0 — is ci.yml even in the diff? If not, the lint doesn't apply.
    changed_paths = git_diff_paths(base_sha, head_sha)
    if ci_path not in changed_paths:
        print(
            f"::notice::{ci_path} not in PR diff; lint-mask-pr-atomicity "
            f"skipped (no atomicity risk)."
        )
        return 0
    # Snapshot both sides of the file without checking anything out.
    base_yml = git_show(base_sha, ci_path)
    head_yml = git_show(head_sha, ci_path)
    base_doc = _parse(base_yml, f"{ci_path}@{base_sha}")
    head_doc = _parse(head_yml, f"{ci_path}@{head_sha}")
    # If the file is newly added (no base), no flip is possible — every
    # value is "newly introduced", not "changed". Tier 2e covers the
    # tracking-issue check for new continue-on-error: true. Exit 0.
    if base_doc is None:
        print(
            f"::notice::{ci_path} newly added in this PR; no flip to "
            f"analyse — lint-mask-pr-atomicity skipped."
        )
        return 0
    # If the file is deleted on head, ditto — no atomicity question.
    if head_doc is None:
        print(
            f"::notice::{ci_path} deleted in this PR; "
            f"lint-mask-pr-atomicity skipped."
        )
        return 0
    # Evaluate the two rule predicates on the parsed ASTs.
    coe_yes, coe_reasons = coe_changed(base_doc, head_doc)
    needs_yes, needs_reason = sentinel_needs_changed(
        base_doc, head_doc, sentinel_key
    )
    # Neither predicate fired: the ci.yml edit is a no-op for this rule.
    if not coe_yes and not needs_yes:
        print(
            f"::notice::{ci_path} touched but neither continue-on-error "
            f"nor sentinel '{sentinel_key}'.needs changed — no atomicity "
            f"risk. OK."
        )
        return 0
    # Both predicates fired: the change is atomic by construction.
    if coe_yes and needs_yes:
        print(
            f"::notice::Atomic change detected: both continue-on-error "
            f"AND sentinel '{sentinel_key}'.needs touched in same PR. OK."
        )
        for r in coe_reasons:
            print(f" - {r}")
        print(f" - {needs_reason}")
        return 0
    # Exactly one side touched — require Paired: #NNN reference.
    commit_log = git_log_messages(base_sha, head_sha)
    paired = find_paired_refs(pr_body, commit_log)
    one_side = "continue-on-error" if coe_yes else f"sentinel '{sentinel_key}'.needs"
    other_side = (
        f"sentinel '{sentinel_key}'.needs" if coe_yes else "continue-on-error"
    )
    if paired:
        # Split pair is declared intentional via a Paired reference;
        # log it for the reviewer and allow.
        print(
            f"::notice::Split-pair detected ({one_side} changed without "
            f"{other_side}), but Paired reference(s) present: "
            f"{', '.join('#' + n for n in paired)}. OK."
        )
        for r in coe_reasons:
            print(f" - {r}")
        if needs_reason:
            print(f" - {needs_reason}")
        return 0
    # The failure mode this lint exists to prevent.
    print(
        f"::error file={ci_path}::lint-mask-pr-atomicity (Tier 2d): "
        f"PR touches {one_side} in {ci_path} but NOT {other_side}, "
        f"and no `Paired: #NNN` reference was found in the PR body or "
        f"in commit messages between {base_sha[:8]}..{head_sha[:8]}. "
        f"This is the PR#665+#668 split-pair regression class "
        f"(see internal#350, mc#664). FIX: either (a) include the "
        f"matching {other_side} change in the same PR (preferred), or "
        f"(b) add `Paired: #NNN` (literal, capital P, with `#`) to the "
        f"PR body or a commit message referencing the paired PR."
    )
    for r in coe_reasons:
        print(f" - {r}")
    if needs_reason:
        print(f" - {needs_reason}")
    return 1
if __name__ == "__main__":
    # Propagate the lint verdict (0/1/2) as the process exit code.
    sys.exit(run())

View File

@ -1,681 +0,0 @@
#!/usr/bin/env python3
"""lint-pre-flip-continue-on-error — block a PR that flips a job from
``continue-on-error: true`` to ``continue-on-error: false`` (or removes
the key while the base had it ``true``) without proof that the job's
recent runs on the target branch are actually green.
Empirical class PR #656 / mc#664:
PR #656 (RFC internal#219 Phase 4) flipped 5 ``platform-build``-class
jobs ``continue-on-error: true → false`` on the basis of a
"verified green on main via combined-status check". But that "green"
was the LIE produced by the prior ``continue-on-error: true``:
Gitea Quirk #10 (internal#342 + dup #287) — when a step inside a
job marked ``continue-on-error: true`` fails, the job-level status
is still rolled up as ``success``. So the precondition the PR
claimed to verify was structurally fooled by the bug being
flipped.
mc#664 then captured the surfaced defects (2 unrelated, mutually-
masked regressions):
Class 1: sqlmock helper drift since 2f36bb9a (24 days old)
Class 2: OFFSEC-001 contract collision since 7d1a189f (1 day old)
Codified 04:35Z as hongming-pc2 charter §SOP-N rule (e)
"run-log-grep-before-flip": pull the actual run log + grep for
``--- FAIL`` / ``FAIL\\s`` BEFORE flipping; don't trust the masked
combined-status.
This script structurally enforces that rule at PR time.
How it works (one PR tick):
1. Parse the diff: compare ``.gitea/workflows/*.yml`` at PR base
vs PR head. For each file present in both, parse the YAML AST
and walk ``jobs.<key>.continue-on-error`` on each side. A
"flip" is base {true} AND head {false, None/absent}. We
coerce truthy/falsy per YAML semantics (PyYAML normalizes
``true``/``True``/``yes`` to ``True``).
2. For each flipped job, derive its commit-status context name as
``"{workflow.name} / {job.name or job.key} (push)"`` that's
how Gitea Actions emits the context for runs on
``main``/``staging`` (push event, see also expected_context()
in ci-required-drift.py).
3. Pull the last N commits of the target branch (PR base), fetch
combined commit-status per commit, scan ``statuses[]`` for
contexts matching ANY of the flipped jobs. For each match,
fetch the actual run log via the web-UI route
``{server_url}/{repo}/actions/runs/{run_id}/jobs/{job_idx}/logs``
(per memory ``reference_gitea_actions_log_fetch`` Gitea 1.22.6
lacks REST ``/actions/runs/*`` endpoints; the web-UI route is the
only working path; see ``reference_gitea_1_22_6_lacks_rest_rerun_endpoints``).
4. Grep each log for the Go-test failure markers ``--- FAIL`` /
``FAIL\\s+<package>`` AND the bash-step error sentinel
``::error::``. If ANY recent log shows any of these AND the
status itself reads ``success``, the job was masked. ``::error::``
the flip with the offending test name + offending run URL +
the regression commit (HEAD of the run).
5. Exit 1 if any flips have at least one masked run; exit 0
otherwise.
Halt-on-noise contract:
- If a recent log fetch 404s (already-pruned-via-act_runner-gc,
transient gitea-web outage): emit ``::warning::`` and treat the
run as "log unavailable" does NOT block the flip; logged so
a curious reviewer can re-run.
- If a flipped job has ZERO recent runs on the target branch (newly
added workflow): emit ``::warning::`` "no run history to verify"
and allow the flip. This is the only way a NEW workflow can ever
ship with ``continue-on-error: false``; otherwise we'd have a
chicken-and-egg.
Behavior-based AST gate per ``feedback_behavior_based_ast_gates``:
- YAML parsed via PyYAML safe_load on BOTH sides of the diff
- No grep-by-line formatting changes (comment churn, key order)
don't false-positive a flip
- Job-key match — so a rename ``platform-build → core-be-build``
appears as a DELETE + an ADD, not a flip (the delete side has no
new value to compare against; the add side has no base side).
Run locally (works against this repo, requires PyYAML + Gitea token
that can read combined-commit-status):
GITEA_TOKEN=... GITEA_HOST=git.moleculesai.app \\
REPO=molecule-ai/molecule-core BASE_REF=main \\
BASE_SHA=$(git rev-parse origin/main) \\
HEAD_SHA=$(git rev-parse HEAD) \\
python3 .gitea/scripts/lint_pre_flip_continue_on_error.py \\
--dry-run
Cross-links: PR#656, mc#664, PR#665 (the interim re-mask),
Quirk #10 (internal#342 + dup #287), hongming-pc2 charter §SOP-N
rule (e), feedback_strict_root_only_after_class_a,
feedback_no_shared_persona_token_use.
"""
from __future__ import annotations
import argparse
import json
import os
import subprocess
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Any
import yaml # PyYAML 6.0.2 — installed by the workflow before this runs.
# --------------------------------------------------------------------------
# Environment (read at module-import; runtime contract enforced in main())
# --------------------------------------------------------------------------
def _env(key: str, *, default: str = "") -> str:
return os.environ.get(key, default)
# Connection/identity config, read once at import. All validated for
# presence in _require_runtime_env() before any network use.
GITEA_TOKEN = _env("GITEA_TOKEN")
GITEA_HOST = _env("GITEA_HOST")
REPO = _env("REPO")
BASE_REF = _env("BASE_REF", default="main")
BASE_SHA = _env("BASE_SHA")
HEAD_SHA = _env("HEAD_SHA")
# How many recent commits to scan on the target branch. 5 by default;
# enough to catch a job that only fails intermittently, not so many
# that the script paginates needlessly. Per spec.
RECENT_COMMITS_N = int(_env("RECENT_COMMITS_N", default="5"))
# Split "owner/name"; both empty when REPO is unset (caught later by
# _require_runtime_env). The `+ [""]` pad keeps the unpack safe when
# REPO has no "/".
OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
WEB = f"https://{GITEA_HOST}" if GITEA_HOST else ""
# Failure markers we grep for in the run log.
#   --- FAIL  — Go test failure marker
#   FAIL\t / "FAIL " — `FAIL github.com/x/y` package-level rollup
#   ::error:: — bash-step `::error::` lines (the lint-curl-status-capture
#               pattern: a `python3 <<PY` block writing `::error::` then
#               sys.exit(1); also any shell `echo "::error::..."` from
#               jobs that wrap pytest/eslint/etc. and convert
#               non-zero exits into masked-by-CoE status)
FAIL_PATTERNS = (
    "--- FAIL",
    "FAIL\t",
    "FAIL ",
    "::error::",
)
def _require_runtime_env() -> None:
for key in ("GITEA_TOKEN", "GITEA_HOST", "REPO", "BASE_REF", "BASE_SHA", "HEAD_SHA"):
if not os.environ.get(key):
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
# --------------------------------------------------------------------------
# Tiny HTTP helper (no requests dependency)
# Mirrors the api()/ApiError contract in ci-required-drift.py +
# main-red-watchdog.py per feedback_api_helper_must_raise_not_return_dict.
# --------------------------------------------------------------------------
class ApiError(RuntimeError):
    """Raised when a Gitea API/web call cannot be trusted to have succeeded.

    Soft-failure on non-2xx is the duplicate-write bug factory in
    find-or-create flows (PR #112 Five-Axis). Here it would mean a
    transient gitea-web 502 silently allows a flip whose recent runs
    we couldn't actually verify — exactly the regression class this
    lint exists to close.
    """
def http(
    method: str,
    url: str,
    *,
    body: dict | None = None,
    headers: dict[str, str] | None = None,
    expect_json: bool = True,
    timeout: int = 30,
) -> tuple[int, Any, bytes]:
    """Tiny HTTP helper around urllib.

    Returns (status, parsed_or_None, raw_bytes). Raises ApiError on any
    non-2xx response. ``expect_json=False`` returns raw bytes in the
    parsed slot (for log-fetch from the web-UI which returns text/plain).
    Caller-supplied ``headers`` override the defaults on key collision.
    """
    final_headers = {
        "Authorization": f"token {GITEA_TOKEN}",
        "Accept": "application/json" if expect_json else "text/plain",
    }
    if headers:
        final_headers.update(headers)
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        final_headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, method=method, data=data, headers=final_headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as e:
        # HTTPError still carries a response body; read it so the
        # ApiError below can include a diagnostic snippet.
        raw = e.read() or b""
        status = e.code
    if not (200 <= status < 300):
        snippet = raw[:500].decode("utf-8", errors="replace") if raw else ""
        raise ApiError(f"{method} {url} → HTTP {status}: {snippet}")
    if not expect_json:
        return status, raw, raw
    if not raw:
        # 204-style empty body: surface None rather than a JSON error.
        return status, None, raw
    try:
        return status, json.loads(raw), raw
    except json.JSONDecodeError as e:
        raise ApiError(f"{method} {url} → HTTP {status} but body is not JSON: {e}") from e
def api(method: str, path: str, *, body: dict | None = None, query: dict[str, str] | None = None) -> tuple[int, Any]:
    """Read-shaped Gitea REST helper. Path is API-relative (``/repos/...``)."""
    url = API + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    status, parsed, _raw = http(method, url, body=body, expect_json=True)
    return status, parsed
# --------------------------------------------------------------------------
# YAML parsing — coerce truthy/falsy for continue-on-error
# --------------------------------------------------------------------------
def _coerce_coe(val: Any) -> bool:
"""Coerce a continue-on-error YAML value to bool.
PyYAML safe_load normalizes ``true``/``True``/``yes``/``on`` to
Python ``True`` and ``false``/``False``/``no``/``off`` / absence
to ``False`` (we treat absence/None as False here too that's the
GitHub Actions default semantics).
Edge cases:
- String ``"true"`` (quoted in YAML) kept as the string
``"true"``, falsy under bool() but a flip we DO care about
catching. Normalize string forms case-insensitively to bool
so the diff is consistent with the runtime behavior of
Gitea Actions, which YAML-parses the same way.
"""
if isinstance(val, bool):
return val
if val is None:
return False
if isinstance(val, str):
return val.strip().lower() in ("true", "yes", "on", "1")
return bool(val)
def jobs_coe_map(workflow_doc: dict) -> dict[str, bool]:
    """Per-job continue-on-error map, coerced to bool.

    Job-level ``continue-on-error`` only — per-step CoE masking is a
    separate class handled by the test suite + reviewer, not by this
    gate (see Future Work in the workflow YAML). Non-dict job entries
    are skipped.
    """
    jobs = workflow_doc.get("jobs")
    if not isinstance(jobs, dict):
        return {}
    return {
        key: _coerce_coe(job.get("continue-on-error"))
        for key, job in jobs.items()
        if isinstance(job, dict)
    }
def workflow_name(workflow_doc: dict, *, fallback: str = "") -> str:
    """Top-level ``name:`` of the workflow (stripped), else ``fallback``
    — which callers set to the filename stem, per Gitea Actions
    semantics."""
    candidate = workflow_doc.get("name")
    if not isinstance(candidate, str):
        return fallback
    candidate = candidate.strip()
    return candidate if candidate else fallback
def job_display_name(workflow_doc: dict, job_key: str) -> str:
    """``jobs.<key>.name`` (stripped) when present, else the key itself.
    Mirrors expected_context() in ci-required-drift.py."""
    job = workflow_doc.get("jobs", {}).get(job_key)
    if isinstance(job, dict):
        display = job.get("name")
        if isinstance(display, str) and display.strip():
            return display.strip()
    return job_key
def context_name(workflow_name_str: str, job_name_str: str, event: str = "push") -> str:
    """Commit-status context as Gitea Actions emits it: "WF / Job (event)".

    Default ``event="push"`` because recent-runs-on-main are push events;
    callers can override to ``"pull_request"`` for PR-context lookups.
    """
    return "{} / {} ({})".format(workflow_name_str, job_name_str, event)
# --------------------------------------------------------------------------
# Diff detection — flips, not arbitrary changes
# --------------------------------------------------------------------------
def detect_flips(
    base_workflows: dict[str, str],
    head_workflows: dict[str, str],
) -> list[dict]:
    """Compare per-file CoE maps; return a list of flip records.

    Inputs are ``{path: yaml_text}`` for both sides. Output records
    have the shape::

        {
            "workflow_path": ".gitea/workflows/ci.yml",
            "workflow_name": "CI",
            "job_key": "platform-build",
            "job_name": "Platform (Go)",
            "context": "CI / Platform (Go) (push)",
        }

    A flip is base CoE True AND head CoE False. Files only present on
    one side are skipped — adding a new workflow with ``CoE: false`` is
    fine (no history to mask), and removing a workflow can't possibly
    flip anything.
    """
    flips: list[dict] = []
    for path, base_text in base_workflows.items():
        if path not in head_workflows:
            continue
        try:
            base_doc = yaml.safe_load(base_text) or {}
            head_doc = yaml.safe_load(head_workflows[path]) or {}
        except yaml.YAMLError as e:
            # Don't block on a parse error — the YAML lint workflows
            # catch invalid YAML separately. Just warn so the failing
            # file is visible.
            sys.stderr.write(f"::warning file={path}::YAML parse error: {e}\n")
            continue
        if not isinstance(base_doc, dict) or not isinstance(head_doc, dict):
            continue
        base_map = jobs_coe_map(base_doc)
        head_map = jobs_coe_map(head_doc)
        # Display name falls back to the filename stem (no extension).
        wf_name = workflow_name(head_doc, fallback=os.path.basename(path).rsplit(".", 1)[0])
        for job_key, base_val in base_map.items():
            if job_key not in head_map:
                continue  # job removed — not a flip
            if base_val is True and head_map[job_key] is False:
                flips.append({
                    "workflow_path": path,
                    "workflow_name": wf_name,
                    "job_key": job_key,
                    "job_name": job_display_name(head_doc, job_key),
                    "context": context_name(wf_name, job_display_name(head_doc, job_key), "push"),
                })
    return flips
# --------------------------------------------------------------------------
# Git: snapshot every .gitea/workflows/*.yml at a SHA (no checkout)
# --------------------------------------------------------------------------
def _git(*args: str, cwd: str | None = None) -> str:
"""Run ``git`` and return stdout (text)."""
result = subprocess.run(
["git", *args],
capture_output=True,
text=True,
check=False,
cwd=cwd,
)
if result.returncode != 0:
raise RuntimeError(f"git {args!r} failed: {result.stderr.strip()}")
return result.stdout
def workflows_at_sha(sha: str, *, repo_dir: str | None = None) -> dict[str, str]:
    """Read every ``.gitea/workflows/*.yml`` blob at ``sha``.

    Uses ``git ls-tree`` + ``git show`` so we never need to check out
    the SHA (the workflow runs on the PR head; the base SHA is
    fetched, not checked out). Entries that ``git show`` cannot read
    as a blob (e.g. symlinks) are skipped.
    """
    snapshot: dict[str, str] = {}
    listing = _git("ls-tree", "-r", "--name-only", sha, ".gitea/workflows/", cwd=repo_dir)
    for raw in listing.splitlines():
        path = raw.strip()
        if not path.endswith((".yml", ".yaml")):
            continue
        try:
            snapshot[path] = _git("show", f"{sha}:{path}", cwd=repo_dir)
        except RuntimeError:
            # Symlink or other non-blob; skip.
            continue
    return snapshot
# --------------------------------------------------------------------------
# Gitea: recent commits + per-commit combined status + log fetch
# --------------------------------------------------------------------------
def recent_commits_on_branch(branch: str, n: int) -> list[str]:
    """Last `n` commit SHAs on ``branch`` (oldest→newest is fine; we
    treat them as a set). Uses the REST ``/commits`` endpoint with
    ``sha=branch&limit=n``. Raises ApiError when the endpoint returns
    a non-list payload."""
    _, body = api(
        "GET",
        f"/repos/{OWNER}/{NAME}/commits",
        query={"sha": branch, "limit": str(n)},
    )
    if not isinstance(body, list):
        raise ApiError(f"/commits for {branch} returned non-list: {type(body).__name__}")
    out: list[str] = []
    for c in body:
        if isinstance(c, dict):
            # Accept either top-level `sha` or the nested `commit.id`
            # shape; require at least an abbreviated (7-char) SHA.
            sha = c.get("sha") or (c.get("commit", {}) or {}).get("id")
            if isinstance(sha, str) and len(sha) >= 7:
                out.append(sha)
    return out
def combined_status(sha: str) -> dict:
    """Combined commit status for a SHA. Same shape as
    ``main-red-watchdog.get_combined_status``. Raises ApiError when the
    payload is not a dict."""
    _, body = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
    if not isinstance(body, dict):
        raise ApiError(f"combined-status for {sha} not a dict")
    return body
def _entry_state(s: dict) -> str:
"""Per-entry state — Gitea 1.22.6 schema asymmetry: top-level
uses ``state``, per-entry uses ``status``. Defensive fallback per
main-red-watchdog.py line 233."""
return s.get("status") or s.get("state") or ""
def fetch_log(target_url: str) -> str | None:
    """Fetch a job log given its web-UI ``target_url`` (e.g.
    ``/molecule-ai/molecule-core/actions/runs/13494/jobs/0``).

    Per ``reference_gitea_actions_log_fetch``: append ``/logs`` to the
    job route. Per ``reference_gitea_1_22_6_lacks_rest_rerun_endpoints``:
    Gitea 1.22.6 lacks the REST ``/api/v1/.../actions/runs/*`` path; the
    web-UI route is the only working endpoint until 1.24+.

    Returns the log text on success, ``None`` on 404 / log-pruned /
    network error (caller treats None as "log unavailable, warn-not-fail").
    """
    if not target_url:
        return None
    # Normalize: target_url may be relative ("/owner/repo/...") or
    # absolute. Both need ``/logs`` appended to the job sub-path.
    if target_url.startswith("/"):
        url = f"{WEB}{target_url}"
    else:
        url = target_url
    if not url.endswith("/logs"):
        url = f"{url}/logs"
    try:
        # expect_json=False: the web-UI route serves text/plain.
        _, body, _ = http("GET", url, expect_json=False, timeout=60)
    except ApiError as e:
        sys.stderr.write(f"::warning::log fetch failed for {url}: {e}\n")
        return None
    if isinstance(body, bytes):
        return body.decode("utf-8", errors="replace")
    return None
def grep_fail_markers(log_text: str) -> list[str]:
    """Return up to 5 sample lines hitting any failure marker.

    Empty list = clean log. Matched lines are stripped and truncated
    to 240 chars to keep error output bounded. Markers mirror the
    module-level FAIL_PATTERNS tuple.
    """
    markers = ("--- FAIL", "FAIL\t", "FAIL ", "::error::")
    samples: list[str] = []
    for line in log_text.splitlines():
        if any(marker in line for marker in markers):
            samples.append(line.strip()[:240])
            if len(samples) >= 5:
                break
    return samples
# --------------------------------------------------------------------------
# Verification: for one flip, scan recent runs on BASE_REF
# --------------------------------------------------------------------------
def verify_flip(flip: dict, branch: str, n: int) -> dict:
    """Scan the last ``n`` commits on ``branch``. For each commit whose
    combined status contains a context matching ``flip["context"]``,
    fetch the run log and grep for FAIL markers.

    Returns::

        {
            "flip": flip,
            "checked_commits": int,  # how many commits had a matching context
            "masked_runs": [  # runs where log shows FAIL despite status==success
                {"sha": "...", "status": "success", "target_url": "...", "samples": [...]},
                ...
            ],
            "fail_runs": [  # runs where status itself is failure/error
                {"sha": "...", "status": "failure", "target_url": "...", "samples": [...]},
                ...
            ],
            "warnings": [str],  # log-unavailable warnings (not blocking)
        }

    Blocking condition: ``masked_runs`` OR ``fail_runs`` non-empty.
    A ``success`` status with a clean log is the only "OK to flip"
    outcome (per hongming-pc2 §SOP-N rule (e)).
    """
    target_context = flip["context"]
    result = {
        "flip": flip,
        "checked_commits": 0,
        "masked_runs": [],
        "fail_runs": [],
        "warnings": [],
    }
    shas = recent_commits_on_branch(branch, n)
    if not shas:
        # No history at all on the branch — warn, don't block.
        result["warnings"].append(
            f"no recent commits on {branch} (cannot verify flip)"
        )
        return result
    for sha in shas:
        try:
            status_doc = combined_status(sha)
        except ApiError as e:
            # Per-commit status fetch failure: record and move on.
            result["warnings"].append(f"combined-status for {sha}: {e}")
            continue
        statuses = status_doc.get("statuses") or []
        # First entry matching the context name. Newest SHAs come
        # first; one entry per context per SHA is the usual shape.
        for s in statuses:
            if not isinstance(s, dict):
                continue
            if s.get("context") != target_context:
                continue
            result["checked_commits"] += 1
            state = _entry_state(s)
            target_url = s.get("target_url") or ""
            log_text = fetch_log(target_url)
            if log_text is None:
                result["warnings"].append(
                    f"log unavailable for {sha} {target_context}"
                )
                # Still record the status itself if it's red — that's
                # a hard signal that doesn't need log access.
                if state in ("failure", "error"):
                    result["fail_runs"].append({
                        "sha": sha,
                        "status": state,
                        "target_url": target_url,
                        "samples": ["[log unavailable; status itself is " + state + "]"],
                    })
                break
            samples = grep_fail_markers(log_text)
            if state in ("failure", "error"):
                result["fail_runs"].append({
                    "sha": sha,
                    "status": state,
                    "target_url": target_url,
                    "samples": samples or ["[no FAIL markers found but status is " + state + "]"],
                })
            elif samples and state == "success":
                # The bug class: status==success while log shows FAIL.
                # That's exactly Quirk #10 (continue-on-error masking).
                result["masked_runs"].append({
                    "sha": sha,
                    "status": state,
                    "target_url": target_url,
                    "samples": samples,
                })
            # Either way, we matched one context entry for this SHA;
            # don't keep looping `statuses[]`.
            break
    if result["checked_commits"] == 0:
        # Newly added workflow: zero history is allowed, with a warning
        # (otherwise a new workflow could never ship CoE: false).
        result["warnings"].append(
            f"no runs of {target_context!r} found in the last {n} commits on "
            f"{branch} — cannot verify; allowing flip with warning"
        )
    return result
# --------------------------------------------------------------------------
# Report rendering
# --------------------------------------------------------------------------
def render_flip_report(verdict: dict) -> str:
    """Render one flip verdict as a human-readable multi-line block for
    the run log: header, fail runs, masked runs, then warnings."""
    flip = verdict["flip"]
    out = [
        f"job: {flip['job_key']} ({flip['context']})",
        f" workflow: {flip['workflow_path']}",
        f" checked_commits: {verdict['checked_commits']}",
    ]

    def _clickable(url: str) -> str:
        # target_url may be web-root-relative; render the absolute
        # form for click-through.
        return f"{WEB}{url}" if url.startswith("/") else url

    for run in verdict["fail_runs"]:
        url = _clickable(run["target_url"])
        out.append(f" fail run {run['sha'][:10]} (status={run['status']}): {url}")
        out.extend(f" | {sample}" for sample in run["samples"])
    for run in verdict["masked_runs"]:
        url = _clickable(run["target_url"])
        out.append(
            f" MASKED run {run['sha'][:10]} (status=success, log shows FAIL): {url}"
        )
        out.extend(f" | {sample}" for sample in run["samples"])
    out.extend(f" warning: {w}" for w in verdict["warnings"])
    return "\n".join(out)
# --------------------------------------------------------------------------
# Main
# --------------------------------------------------------------------------
def _parse_args(argv: list[str] | None = None) -> argparse.Namespace:
p = argparse.ArgumentParser(
prog="lint-pre-flip-continue-on-error",
description="Block a PR that flips continue-on-error true→false "
"without proof recent runs are actually green.",
)
p.add_argument(
"--dry-run",
action="store_true",
help="Detect + print findings to stdout; never exit non-zero. "
"Useful for local testing.",
)
return p.parse_args(argv)
def main(argv: list[str] | None = None) -> int:
    """Entry point: detect flips, verify each against recent runs on
    BASE_REF, and return 1 when any flip fails verification (0 in
    --dry-run, which only warns)."""
    args = _parse_args(argv)
    _require_runtime_env()
    base_workflows = workflows_at_sha(BASE_SHA)
    head_workflows = workflows_at_sha(HEAD_SHA)
    flips = detect_flips(base_workflows, head_workflows)
    if not flips:
        print("::notice::no continue-on-error true→false flips in this PR")
        return 0
    print(f"::notice::detected {len(flips)} continue-on-error true→false flip(s); verifying recent runs on {BASE_REF}")
    bad_flips: list[dict] = []
    for flip in flips:
        verdict = verify_flip(flip, BASE_REF, RECENT_COMMITS_N)
        report = render_flip_report(verdict)
        if verdict["fail_runs"] or verdict["masked_runs"]:
            print(f"::error file={flip['workflow_path']}::flip of {flip['job_key']} "
                  f"({flip['context']}) blocked — recent runs on {BASE_REF} show "
                  f"FAIL markers OR are red. Pull each run log below + grep "
                  f"`--- FAIL` / `FAIL ` / `::error::` — DON'T trust the masked "
                  f"combined-status. See hongming-pc2 charter §SOP-N rule (e). "
                  f"PR#656 / mc#664 reference class.")
            bad_flips.append(verdict)
        else:
            print(f"::notice::flip of {flip['job_key']} ({flip['context']}) is safe — "
                  f"{verdict['checked_commits']} recent run(s), no FAIL markers")
        # Always print the per-flip detail block so the human-readable
        # report is in the run log for both safe and unsafe flips.
        print(f"::group::flip detail: {flip['job_key']}")
        print(report)
        print("::endgroup::")
    if bad_flips and not args.dry_run:
        print(f"::error::{len(bad_flips)}/{len(flips)} flip(s) failed pre-flip verification")
        return 1
    if bad_flips and args.dry_run:
        print(f"::warning::[dry-run] {len(bad_flips)}/{len(flips)} flip(s) WOULD fail; exit 0 forced")
        return 0
    # All flips safe: falls through returning None; sys.exit(None) in
    # the __main__ guard exits with status 0.
if __name__ == "__main__":
    # Propagate the verdict as the process exit code (None → 0).
    sys.exit(main())

View File

@ -222,20 +222,9 @@ def is_red(status: dict) -> tuple[bool, list[dict]]:
combined = status.get("state")
statuses = status.get("statuses") or []
red_states = {"failure", "error"}
# Schema asymmetry: top-level combined uses `state`, but per-entry
# items in `statuses[]` use `status` in Gitea 1.22.6. Prefer
# `status`; fall back to `state` defensively. Verified empirically
# 2026-05-12 03:42Z. Pre-rev4 code only read `state` from per-entry
# items → failed[] always empty → render_body always showed the
# "no per-context entries were in a red state" fallback even when
# the combined-state correctly flagged red. See
# `feedback_smoke_test_vendor_truth_not_shape_match`.
def _entry_state(s: dict) -> str:
return s.get("status") or s.get("state") or ""
failed = [
s for s in statuses
if isinstance(s, dict) and _entry_state(s) in red_states
if isinstance(s, dict) and s.get("state") in red_states
]
return (combined in red_states or bool(failed), failed)
@ -324,9 +313,7 @@ def render_body(sha: str, failed: list[dict], debug: dict) -> str:
else:
for s in failed:
ctx = s.get("context", "(no context)")
# Per-entry key is `status` in Gitea 1.22.6, not `state`
# (see _entry_state in is_red). Fallback for forward-compat.
state = s.get("status") or s.get("state") or "(no state)"
state = s.get("state", "(no state)")
url = s.get("target_url") or ""
desc = (s.get("description") or "").strip()
entry = f"- **{ctx}** — `{state}`"
@ -559,11 +546,7 @@ def run_once(*, dry_run: bool = False) -> int:
"combined_state": status.get("state"),
"failed_contexts": [s.get("context") for s in failed],
"all_contexts": [
# Per-entry key is `status` in Gitea 1.22.6, not `state`.
# Pre-rev4 debug output reported `state: None` for every
# context, making run logs useless for triage.
{"context": s.get("context"),
"state": s.get("status") or s.get("state")}
{"context": s.get("context"), "state": s.get("state")}
for s in (status.get("statuses") or [])
if isinstance(s, dict)
],

View File

@ -1,42 +0,0 @@
#!/usr/bin/env python3
"""Extract changed-file list from a Gitea push event's commits JSON array.
Each commit in a push event has `added`, `removed`, and `modified` file lists.
This script aggregates all of them and prints unique filenames one per line.
Usage:
push-commits-diff-files.py < COMMITS_JSON
Exits 0 always (caller handles empty output as "no files").
"""
from __future__ import annotations
import sys
import json
def main() -> None:
    """Aggregate `added`/`removed`/`modified` paths from a push-event
    commits JSON array on stdin and print the unique filenames, one per
    line, sorted.

    Malformed JSON or a non-list payload is treated as "no files": the
    script exits 0 silently (callers handle empty output).
    """
    try:
        payload = json.load(sys.stdin)
    except Exception:
        sys.exit(0)  # Don't fail the step — treat malformed JSON as empty
    if not isinstance(payload, list):
        sys.exit(0)
    seen: set[str] = set()
    for entry in payload:
        if not isinstance(entry, dict):
            continue
        for bucket in ("added", "removed", "modified"):
            names = entry.get(bucket) or []
            seen.update(name for name in names if isinstance(name, str) and name)
    if seen:
        sys.stdout.write("\n".join(sorted(seen)) + "\n")
# CLI entry point — main() prints the aggregated file list and, per the
# module docstring, always exits 0 (empty output means "no files").
if __name__ == "__main__":
    main()

View File

@ -1,203 +0,0 @@
#!/usr/bin/env bash
# review-check — evaluate whether a PR satisfies a single team-review gate.
#
# RFC#324 Step 1 of 5 — qa-review + security-review check workflows.
#
# This is the shared evaluator invoked by:
# .gitea/workflows/qa-review.yml (TEAM=qa, TEAM_ID=20)
# .gitea/workflows/security-review.yml (TEAM=security, TEAM_ID=21)
#
# Pass condition (per RFC#324 v1.1 addendum):
# ≥ 1 review on the PR where:
# • state == APPROVED
# • review.dismissed == false
# • review.user.login != PR.user.login (non-author)
# • review.user.login ∈ team-members
#
# Strict mode (default OFF for v1; see RFC trade-off note):
# If REVIEW_CHECK_STRICT=1, additionally require review.commit_id == PR.head.sha.
# With dismiss_stale_reviews: true at the protection layer, stale reviews
# are already dismissed, so the additional commit_id check is belt-and-
# suspenders. Keeping it off in v1 simplifies semantics; flip in a follow-up
# PR if reviewer telemetry shows residual stale-APPROVE merges.
#
# Privilege gate (RFC#324 v1.3 §A1.1 — INFORMATIONAL ONLY):
# The /qa-recheck and /security-recheck slash-commands can be triggered
# by anyone who can comment on the PR. The workflow's privilege step
# logs collaborator-status but does NOT gate execution of this script.
# Why this is safe: this evaluator is read-only and idempotent —
# reading `pulls/{N}/reviews` and `teams/{id}/members/{u}` can't be
# influenced by who triggered the run. If a real team-member APPROVE
# exists the gate flips green; otherwise it stays red. A
# non-collaborator commenting /qa-recheck cannot manufacture a green
# gate. Original (v1.2) design with `if:`-gating of this step was
# fail-open (skipped-via-`if:` job still publishes the status as
# `success`) — corrected in v1.3 per hongming-pc review 1421.
#
# Trust boundary (RFC A4):
# This script is loaded from the BASE branch (sourced via .gitea/scripts/
# on the workflow's checkout-of-base). It does NOT execute any PR-HEAD
# code. It only reads PR review state via the Gitea API.
#
# Token scope (RFC A1-α):
# The job's own conclusion (exit 0 / exit 1) is what publishes the
# `qa-review / approved` / `security-review / approved` status context.
# NO `POST /statuses` call here → NO `write:repository` scope on the
# token. `read:organization` (for team-membership probe) and
# `read:repository` (for PR + reviews) are enough.
#
# Required env:
# GITEA_TOKEN — least-priv read:repository + read:organization. See note
# below about the team-membership API requiring the token
# owner to be in the queried team (Gitea 1.22.6 quirk).
# GITEA_HOST — e.g. git.moleculesai.app
# REPO — owner/name (from github.repository)
# PR_NUMBER — int (from github.event.pull_request.number or
# github.event.issue.number for issue_comment events)
# TEAM — short team name (qa | security) for log lines
# TEAM_ID — Gitea team id (20=qa, 21=security at time of writing)
#
# Optional:
# REVIEW_CHECK_DEBUG=1 — per-API-call diagnostic lines
# REVIEW_CHECK_STRICT=1 — also require review.commit_id == pr.head.sha
set -euo pipefail

# jq is required for JSON parsing. It is pre-baked into the runner-base
# image (per RFC#268 workflow-smoke), so the only reason we'd not find it
# is a broken runner. The previous fallback dance (apt-get + curl to
# /usr/local/bin/jq) cannot succeed on a uid-1001 rootless runner
# (#391/#402 + feedback_ci_runner_install_needs_writable_path), so it's
# dropped. Fail loud with a clear diagnostic rather than attempt an
# install that physically cannot work.
if ! command -v jq >/dev/null 2>&1; then
  echo "::error::jq missing from runner-base image — bake it into the runner image (see RFC#268 workflow-smoke / feedback_ci_runner_install_needs_writable_path). This evaluator cannot run without jq."
  exit 1
fi

# Abort immediately with a usage hint if any required env var is unset
# (":?" parameter expansion exits non-zero with the message).
: "${GITEA_TOKEN:?GITEA_TOKEN required}"
: "${GITEA_HOST:?GITEA_HOST required}"
: "${REPO:?REPO required (owner/name)}"
: "${PR_NUMBER:?PR_NUMBER required}"
: "${TEAM:?TEAM required (qa|security)}"
: "${TEAM_ID:?TEAM_ID required (integer)}"

OWNER="${REPO%%/*}"
NAME="${REPO##*/}"
API="https://${GITEA_HOST}/api/v1"

# Token-in-argv fix (#541): write the Authorization header to a mode-600
# temp file instead of passing it via curl -H "$AUTH" (which puts the
# secret token value in the process table for any process to read via
# /proc/<pid>/cmdline or ps -ef). The curl config file is read by curl
# itself and never appears in the argv of the curl subprocess.
CURL_AUTH_FILE=$(mktemp -p /tmp curl-auth.XXXXXX)
chmod 600 "$CURL_AUTH_FILE"
printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"

# Pre-create temp files so cleanup trap can reference them by name
# (bash trap 'function' EXIT expands variables at trap-fire time, not def time).
PR_JSON=$(mktemp)
REVIEWS_JSON=$(mktemp)
TEAM_PROBE_TMP=$(mktemp)
cleanup() {
  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP"
}
trap cleanup EXIT

# Verbose per-API-call diagnostics, only when REVIEW_CHECK_DEBUG=1.
# Writes to stderr so stdout stays clean for workflow-command lines.
debug() {
  if [ "${REVIEW_CHECK_DEBUG:-}" = "1" ]; then
    echo " [debug] $*" >&2
  fi
}

echo "::notice::${TEAM}-review evaluating repo=${OWNER}/${NAME} pr=${PR_NUMBER} team_id=${TEAM_ID}"

# --- Fetch the PR (for author + head.sha) ---
HTTP_CODE=$(curl -sS -o "$PR_JSON" -w '%{http_code}' \
  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}")
if [ "$HTTP_CODE" != "200" ]; then
  echo "::error::GET /pulls/${PR_NUMBER} returned HTTP ${HTTP_CODE} (token scope?)"
  cat "$PR_JSON" >&2
  exit 1
fi
PR_AUTHOR=$(jq -r '.user.login // ""' "$PR_JSON")
PR_HEAD_SHA=$(jq -r '.head.sha // ""' "$PR_JSON")
PR_STATE=$(jq -r '.state // ""' "$PR_JSON")
debug "pr_author=${PR_AUTHOR} pr_head=${PR_HEAD_SHA:0:7} pr_state=${PR_STATE}"

# Closed/merged PRs never gate — exit green without probing reviews.
if [ "$PR_STATE" != "open" ]; then
  echo "::notice::PR ${PR_NUMBER} is ${PR_STATE} — exiting 0 (closed PRs do not gate)"
  exit 0
fi
if [ -z "$PR_AUTHOR" ] || [ -z "$PR_HEAD_SHA" ]; then
  echo "::error::PR ${PR_NUMBER} missing user.login or head.sha — webhook payload malformed"
  exit 1
fi

# --- Fetch all reviews on the PR ---
HTTP_CODE=$(curl -sS -o "$REVIEWS_JSON" -w '%{http_code}' \
  -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
if [ "$HTTP_CODE" != "200" ]; then
  echo "::error::GET /pulls/${PR_NUMBER}/reviews returned HTTP ${HTTP_CODE}"
  cat "$REVIEWS_JSON" >&2
  exit 1
fi

# Filter: state=APPROVED, not-dismissed, non-author. Optionally strict-mode
# adds commit_id==head.sha (off by default; see header).
JQ_FILTER='.[]
| select(.state == "APPROVED")
| select(.dismissed != true)
| select(.user.login != $author)'
if [ "${REVIEW_CHECK_STRICT:-}" = "1" ]; then
  JQ_FILTER="${JQ_FILTER}
| select(.commit_id == \$head)"
fi
JQ_FILTER="${JQ_FILTER}
| .user.login"
CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILTER" "$REVIEWS_JSON" | sort -u)
debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"
if [ -z "$CANDIDATES" ]; then
  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
  exit 1
fi

# --- Probe team membership per candidate ---
# Endpoint: GET /api/v1/teams/{id}/members/{username}
#   200/204 → is member
#   403     → token owner is not in this team (Gitea 1.22.6 'Must be a team
#             member' constraint — see follow-up issue for token-provisioning)
#   404     → not a member
for U in $CANDIDATES; do
  CODE=$(curl -sS -o "$TEAM_PROBE_TMP" -w '%{http_code}' \
    -K "$CURL_AUTH_FILE" "${API}/teams/${TEAM_ID}/members/${U}")
  debug "probe ${U} in team ${TEAM} (id=${TEAM_ID}) → HTTP ${CODE}"
  case "$CODE" in
    200|204)
      # First confirmed team-member approver is sufficient — exit green.
      echo "::notice::${TEAM}-review APPROVED by ${U} (team=${TEAM})"
      exit 0
      ;;
    403)
      # Token owner is not in the team being probed; the API refuses to
      # confirm membership. This is the RFC#324 follow-up token-scope gap.
      # Fail closed — never grant approval on a 403; surface clearly.
      echo "::error::team-probe for ${U} in ${TEAM} returned 403 (token owner not in ${TEAM} team — RFC#324 token-scope follow-up). Cannot confirm membership; failing closed."
      cat "$TEAM_PROBE_TMP" >&2
      exit 1
      ;;
    404)
      debug "${U} not a member of ${TEAM}"
      ;;
    *)
      echo "::warning::team-probe for ${U} in ${TEAM} returned unexpected HTTP ${CODE}"
      cat "$TEAM_PROBE_TMP" >&2
      ;;
  esac
done

# No candidate survived the membership probe → fail closed (red status).
echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (candidates: $(echo "$CANDIDATES" | tr '\n' ',' | sed 's/,$//') — none are in team)"
exit 1

View File

@ -1,823 +0,0 @@
#!/usr/bin/env python3
# sop-checklist-gate — evaluate whether a PR has peer-acked each
# SOP-checklist item. Posts a commit-status that branch protection
# can require.
#
# RFC#351 Step 2 of 6 (implementation MVP).
#
# Invoked by .gitea/workflows/sop-checklist-gate.yml on:
# - pull_request_target: [opened, edited, synchronize, reopened]
# - issue_comment: [created, edited, deleted]
#
# Flow:
# 1. Load .gitea/sop-checklist-config.yaml (from BASE ref — trusted).
# 2. GET /repos/{R}/pulls/{N} — author, head.sha, tier label
# 3. GET /repos/{R}/issues/{N}/comments — extract /sop-ack and /sop-revoke
# 4. For each checklist item:
# a. Is the section marker present in PR body? (author answered)
# b. Is there ≥1 unrevoked /sop-ack from a non-author whose
# team-membership matches required_teams?
# 5. POST /repos/{R}/statuses/{sha} — context
# `sop-checklist / all-items-acked (pull_request)`,
# state=success | failure | pending, description=`acked: N/M …`.
#
# Trust boundary (mirrors RFC#324 §A4):
# This script is loaded from the BASE branch. The workflow's
# actions/checkout step pins ref=base.sha. PR-HEAD code is never
# executed. We only HTTP-call the Gitea API.
#
# Token scope:
# - read:repository / read:organization to enumerate PR + comments
# + team membership (Gitea 1.22.6 quirk: team-membership endpoint
# returns 403 if token owner is not in the team; see review-check.sh
# for the same gotcha — we surface the same fail-closed message).
# - write:repository for `POST /repos/{R}/statuses/{sha}`. Unlike
# RFC#324's pattern (which uses the JOB's own pass/fail as the
# status), we POST the status explicitly because the gate posts
# a single multi-item status with a richer description than a
# bare success/failure context can carry.
#
# Slug normalization rules (canonical form: kebab-case):
# - Lowercase
# - Whitespace + underscores → single dash
# - Strip non [a-z0-9-] characters
# - Collapse adjacent dashes
# - Strip leading/trailing dashes
# - If the result is a digit string (e.g. "1"), look up via
# config.items[*].numeric_alias to get the kebab-case slug.
#
# Examples:
# "Comprehensive_Testing" → "comprehensive-testing"
# "comprehensive testing" → "comprehensive-testing"
# "1" → "comprehensive-testing"
# "Five-Axis-Review" → "five-axis-review"
#
# Revoke semantics:
# /sop-revoke <slug> [reason] — most-recent comment per (slug, user)
# wins. So if Alice posts /sop-ack X then later /sop-revoke X, her ack
# for X is invalidated. Bob's prior /sop-ack X is unaffected. If Alice
# posts /sop-revoke X then later /sop-ack X again, the ack is restored.
from __future__ import annotations
import argparse
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Any
# ---------------------------------------------------------------------------
# Slug normalization
# ---------------------------------------------------------------------------
_NORMALIZE_REPLACE_RE = re.compile(r"[\s_]+")
_NORMALIZE_STRIP_RE = re.compile(r"[^a-z0-9-]")
_NORMALIZE_DASH_RE = re.compile(r"-+")
def normalize_slug(raw: str, numeric_aliases: dict[int, str] | None = None) -> str:
"""Normalize a user-supplied slug to canonical kebab-case form.
See module header for the rules.
If the input is a pure digit string AND numeric_aliases is provided,
the alias mapping is consulted. Unknown digits return "" so the caller
can flag the comment as unparseable.
"""
if raw is None:
return ""
s = raw.strip().lower()
s = _NORMALIZE_REPLACE_RE.sub("-", s)
s = _NORMALIZE_STRIP_RE.sub("", s)
s = _NORMALIZE_DASH_RE.sub("-", s)
s = s.strip("-")
if s.isdigit() and numeric_aliases is not None:
return numeric_aliases.get(int(s), "")
return s
# ---------------------------------------------------------------------------
# Comment parsing — /sop-ack and /sop-revoke
# ---------------------------------------------------------------------------
# A directive must be on its own line. Permits leading whitespace.
# Optional trailing note after the slug for /sop-ack and required reason
# for /sop-revoke (RFC#351 open question 4 — reason is captured but not
# yet validated; future iteration may require a min-length).
#
# NOTE: because the slug group is non-greedy and the note group is
# preceded by mandatory whitespace, group(2) always captures a single
# whitespace-free token; any following words land in group(3).
_DIRECTIVE_RE = re.compile(
    r"^[ \t]*/(sop-ack|sop-revoke)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
    re.MULTILINE,
)


def parse_directives(
    comment_body: str,
    numeric_aliases: dict[int, str],
) -> list[tuple[str, str, str]]:
    """Extract /sop-ack and /sop-revoke directives from a comment body.

    Returns a list of (kind, canonical_slug, note) tuples where:
      kind           is "sop-ack" or "sop-revoke"
      canonical_slug is the normalized form (or "" if unparseable)
      note           is the trailing free-text (may be "")
    """
    out: list[tuple[str, str, str]] = []
    if not comment_body:
        return out
    for m in _DIRECTIVE_RE.finditer(comment_body):
        kind = m.group(1)
        raw_slug = (m.group(2) or "").strip()
        # group(2)'s character class includes spaces, so it can match
        # whitespace only; treat that as "no slug on this line".
        if not raw_slug:
            continue
        # CLEANUP: the previous multi-word disambiguation branch
        # (len(parts) > 1) was unreachable — the non-greedy slug group
        # never captures more than one token — and has been removed.
        # Behavior is unchanged.
        canonical = normalize_slug(raw_slug, numeric_aliases)
        note = (m.group(3) or "").strip()
        out.append((kind, canonical, note))
    return out
# ---------------------------------------------------------------------------
# PR body section detection
# ---------------------------------------------------------------------------
def section_marker_present(body: str, marker: str) -> bool:
    """Return True if `marker` appears in `body` (case-insensitively)
    with real content on the same line or the immediately following line.

    Requiring non-scaffolding content alongside the marker prevents
    trivially-empty checklists like:

        ## SOP-Checklist
        - [ ] **Comprehensive testing performed**:
        - [ ] **Local-postgres E2E run**:

    from auto-passing the section-present check. The peer-ack is still
    the real gate; this is a soft "author actually answered" signal.
    """
    if not body or not marker:
        return False
    hit = body.lower().find(marker.lower())
    if hit == -1:
        return False

    def _has_content(segment: str) -> bool:
        # True when anything beyond checkbox scaffolding (whitespace,
        # '*', ':', '-', '[', ']') remains.
        return bool(re.sub(r"[\s\*:\-\[\]]+", "", segment))

    # Rest of the marker's own line.
    eol = body.find("\n", hit)
    if eol == -1:
        eol = len(body)
    if _has_content(body[hit + len(marker):eol]):
        return True
    # Fall through: multi-line answers put content on the NEXT line.
    next_eol = body.find("\n", eol + 1)
    if next_eol == -1:
        next_eol = len(body)
    return _has_content(body[eol + 1:next_eol])
# ---------------------------------------------------------------------------
# Ack-state computation
# ---------------------------------------------------------------------------
def compute_ack_state(
    comments: list[dict[str, Any]],
    pr_author: str,
    items_by_slug: dict[str, dict[str, Any]],
    numeric_aliases: dict[int, str],
    team_membership_probe: "callable[[str, list[str]], list[str]]",
) -> dict[str, dict[str, Any]]:
    """Compute per-item ack state.

    Each comment is processed in chronological order. The most-recent
    directive per (commenter, slug) wins.

    Side effect: stashes ``_required_resolved`` onto each probed entry of
    ``items_by_slug`` (in place) for later description rendering.

    Returns a dict keyed by canonical slug, shaped like:

        {
            "comprehensive-testing": {
                "ackers": ["bob"],        # non-author, team-verified
                "rejected": {             # debugging info
                    "self_ack": ["alice"],
                    "not_in_team": ["eve"],
                },
            },
            ...
        }
    """
    # Step 1: collapse directives per (commenter, slug) — most recent wins.
    # comments are expected to come in chronological order from the
    # API (Gitea returns oldest-first by default for issues/{N}/comments).
    latest_directive: dict[tuple[str, str], str] = {}  # (user, slug) → kind
    # NOTE(review): tallied below but never read afterwards — diagnostic
    # counter only; currently unused in the returned state.
    unparseable_per_user: dict[str, int] = {}
    for c in comments:
        body = c.get("body", "") or ""
        user = (c.get("user") or {}).get("login", "")
        if not user:
            continue
        for kind, slug, _note in parse_directives(body, numeric_aliases):
            if not slug:
                unparseable_per_user[user] = unparseable_per_user.get(user, 0) + 1
                continue
            latest_directive[(user, slug)] = kind
    # Step 2: build candidate ackers per slug.
    # Filter out self-acks and unknown slugs.
    ackers_per_slug: dict[str, list[str]] = {s: [] for s in items_by_slug}
    rejected_self: dict[str, list[str]] = {s: [] for s in items_by_slug}
    # NOTE(review): initialized but never populated or returned — the
    # unknown-slug branch below just `continue`s.
    rejected_unknown: dict[str, list[str]] = {s: [] for s in items_by_slug}
    pending_team_check: dict[str, list[str]] = {s: [] for s in items_by_slug}
    for (user, slug), kind in latest_directive.items():
        if kind != "sop-ack":
            continue  # revokes leave the (user,slug) state as "no ack"
        if slug not in items_by_slug:
            # Slug normalized to something not in our config — store
            # under a synthetic key for diagnostic surfacing. Don't add
            # to any item.
            continue
        if user == pr_author:
            rejected_self[slug].append(user)
            continue
        pending_team_check[slug].append(user)
    # Step 3: team membership probe per slug (batched per slug to keep
    # API call count down — same user may ack multiple items but the
    # required_teams differ per item, so we MUST probe per (user, item)).
    rejected_not_in_team: dict[str, list[str]] = {s: [] for s in items_by_slug}
    for slug, candidates in pending_team_check.items():
        if not candidates:
            continue
        required = items_by_slug[slug]["required_teams"]
        approved = team_membership_probe(slug, candidates)  # returns subset
        rejected_not_in_team[slug] = [u for u in candidates if u not in approved]
        ackers_per_slug[slug] = approved
        # Stash required teams for description rendering.
        items_by_slug[slug]["_required_resolved"] = required
    return {
        slug: {
            "ackers": ackers_per_slug[slug],
            "rejected": {
                "self_ack": rejected_self[slug],
                "not_in_team": rejected_not_in_team[slug],
            },
        }
        for slug in items_by_slug
    }
# ---------------------------------------------------------------------------
# Gitea API client
# ---------------------------------------------------------------------------
class GiteaClient:
    """Minimal urllib-based Gitea REST client (no third-party deps)."""

    def __init__(self, host: str, token: str):
        self.base = f"https://{host}/api/v1"
        self.token = token
        # Cache team-name → team-id resolutions per org.
        self._team_id_cache: dict[tuple[str, str], int | None] = {}

    def _req(
        self,
        method: str,
        path: str,
        body: dict[str, Any] | None = None,
        ok_codes: tuple[int, ...] = (200, 201, 204),
    ) -> tuple[int, Any]:
        """Issue one API request; return (http_code, parsed_body).

        HTTPError responses are captured and returned as (code, body)
        rather than raised; network-level errors (URLError, timeouts)
        propagate to the caller. Non-JSON bodies come back as text.

        NOTE(review): ``ok_codes`` is accepted but never consulted here;
        every caller inspects the returned code itself.
        """
        url = self.base + path
        data = None
        headers = {
            "Authorization": f"token {self.token}",
            "Accept": "application/json",
        }
        if body is not None:
            data = json.dumps(body).encode("utf-8")
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, method=method, data=data, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=20) as r:
                raw = r.read()
                code = r.getcode()
        except urllib.error.HTTPError as e:
            code = e.code
            raw = e.read()
        try:
            parsed = json.loads(raw.decode("utf-8")) if raw else None
        except json.JSONDecodeError:
            # Non-JSON response body — surface it as replacement-decoded text.
            parsed = raw.decode("utf-8", errors="replace") if raw else None
        return code, parsed

    def get_pr(self, owner: str, repo: str, pr: int) -> dict[str, Any]:
        """Fetch a single PR; raises RuntimeError on any non-200."""
        code, data = self._req("GET", f"/repos/{owner}/{repo}/pulls/{pr}")
        if code != 200:
            raise RuntimeError(f"GET pulls/{pr} → HTTP {code}: {data!r}")
        return data

    def get_issue_comments(
        self, owner: str, repo: str, issue: int
    ) -> list[dict[str, Any]]:
        """Fetch ALL issue comments, following pagination until a short page."""
        # Paginate. Gitea default page size 50.
        out: list[dict[str, Any]] = []
        page = 1
        while True:
            code, data = self._req(
                "GET",
                f"/repos/{owner}/{repo}/issues/{issue}/comments?limit=50&page={page}",
            )
            if code != 200:
                raise RuntimeError(
                    f"GET issues/{issue}/comments page={page} → HTTP {code}: {data!r}"
                )
            if not data:
                break
            out.extend(data)
            if len(data) < 50:
                break
            page += 1
        return out

    def resolve_team_id(self, org: str, team_name: str) -> int | None:
        """Resolve a team name to its id via the org team-search endpoint.

        Results (including "not found" as None) are cached per (org, name).
        Handles both response shapes: {"data": [...]} and a bare list.
        """
        key = (org, team_name)
        if key in self._team_id_cache:
            return self._team_id_cache[key]
        code, data = self._req("GET", f"/orgs/{org}/teams/search?q={urllib.parse.quote(team_name)}")
        team_id = None
        if code == 200 and isinstance(data, dict):
            for t in data.get("data", []):
                if t.get("name") == team_name:
                    team_id = t.get("id")
                    break
        if team_id is None and code == 200 and isinstance(data, list):
            for t in data:
                if t.get("name") == team_name:
                    team_id = t.get("id")
                    break
        self._team_id_cache[key] = team_id
        return team_id

    def is_team_member(self, team_id: int, login: str) -> bool | None:
        """Return True / False / None (unknown — 403 from API)."""
        code, _ = self._req(
            "GET", f"/teams/{team_id}/members/{urllib.parse.quote(login)}"
        )
        if code in (200, 204):
            return True
        if code == 404:
            return False
        # 403 means the token owner isn't in this team, so the API
        # refuses to confirm membership. Fail-closed at the caller.
        return None

    def post_status(
        self,
        owner: str,
        repo: str,
        sha: str,
        state: str,
        context: str,
        description: str,
        target_url: str = "",
    ) -> None:
        """POST a commit status; raises RuntimeError unless HTTP 200/201."""
        body = {
            "state": state,
            "context": context,
            "description": description[:140],  # Gitea truncates to 255 but be safe
            "target_url": target_url or "",
        }
        code, data = self._req(
            "POST",
            f"/repos/{owner}/{repo}/statuses/{sha}",
            body=body,
            ok_codes=(201,),
        )
        if code not in (200, 201):
            raise RuntimeError(
                f"POST statuses/{sha} → HTTP {code}: {data!r}"
            )
# ---------------------------------------------------------------------------
# Config loader (PyYAML-free — config file is intentionally tiny + flat)
# ---------------------------------------------------------------------------
def load_config(path: str) -> dict[str, Any]:
    """Load .gitea/sop-checklist-config.yaml.

    Prefers PyYAML when the runner happens to have it; otherwise falls
    back to the built-in minimal parser, which is sufficient for our
    deliberately tiny + flat config shape (and avoids an apt install
    on the runner).
    """
    try:
        import yaml  # type: ignore[import-not-found]
    except ImportError:
        return _load_config_minimal(path)
    with open(path) as f:
        return yaml.safe_load(f)
def _load_config_minimal(path: str) -> dict[str, Any]:
    """Parse the config with the hand-rolled YAML-subset parser.

    Supports: top-level scalar:value, top-level map-of-map (e.g.
    tier_failure_mode), top-level list of maps (items:), and within an
    item map: scalars + lists of scalars. Does NOT support nested lists,
    YAML anchors, multi-doc, or flow style.
    """
    with open(path) as handle:
        return _parse_minimal_yaml(handle.readlines())
def _parse_minimal_yaml(lines: list[str]) -> dict[str, Any]:  # noqa: C901
    """Hand-rolled subset parser. See _load_config_minimal docstring.

    Single forward pass over pre-cleaned (indent, text) tuples with a
    manual index `i`; the index is advanced in several branches, so the
    increment placement is load-bearing.
    """
    # Strip comments + blank lines but preserve indentation.
    cleaned: list[tuple[int, str]] = []
    for raw in lines:
        # Don't strip a "#" that is inside a quoted value.
        body = raw.rstrip("\n")
        # Remove trailing comment. Only treat "#" as a comment when it is
        # at column 0 or preceded by whitespace.
        idx = body.find("#")
        if idx >= 0 and (idx == 0 or body[idx - 1] in " \t"):
            body = body[:idx].rstrip()
        if not body.strip():
            continue
        indent = len(body) - len(body.lstrip(" "))
        cleaned.append((indent, body.strip()))
    root: dict[str, Any] = {}
    i = 0
    n = len(cleaned)

    def parse_scalar(s: str) -> Any:
        # Quoted string → unquoted; true/yes, false/no → bool; int if it
        # parses; otherwise the raw string.
        s = s.strip()
        if s.startswith('"') and s.endswith('"'):
            return s[1:-1]
        if s.startswith("'") and s.endswith("'"):
            return s[1:-1]
        if s.lower() in ("true", "yes"):
            return True
        if s.lower() in ("false", "no"):
            return False
        try:
            return int(s)
        except ValueError:
            pass
        return s

    def parse_inline_list(s: str) -> list[Any]:
        # "[a, b]" → [scalar, scalar]; non-bracketed input → one-element list.
        s = s.strip()
        if not (s.startswith("[") and s.endswith("]")):
            return [parse_scalar(s)]
        inner = s[1:-1]
        if not inner.strip():
            return []
        return [parse_scalar(x.strip()) for x in inner.split(",")]

    while i < n:
        indent, line = cleaned[i]
        # Only column-0 "key:" lines start a top-level construct; anything
        # else at this level is skipped.
        if indent != 0:
            i += 1
            continue
        if ":" not in line:
            i += 1
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        rest = rest.strip()
        if rest == "":
            # Block — could be map or list.
            i += 1
            # Look ahead for first child.
            if i < n and cleaned[i][1].startswith("- "):
                # List of items.
                items: list[Any] = []
                while i < n and cleaned[i][0] > indent and cleaned[i][1].startswith("- "):
                    item_indent = cleaned[i][0]
                    first_kv = cleaned[i][1][2:].strip()  # strip "- "
                    item: dict[str, Any] = {}
                    if ":" in first_kv:
                        k, _, v = first_kv.partition(":")
                        k = k.strip()
                        v = v.strip()
                        if v == "":
                            item[k] = ""
                        elif v.startswith(">-") or v.startswith(">"):
                            # Folded scalar continues on subsequent indented lines
                            collected: list[str] = []
                            i += 1
                            while i < n and cleaned[i][0] > item_indent:
                                collected.append(cleaned[i][1])
                                i += 1
                            item[k] = " ".join(collected)
                            # Folded value consumed the item's remaining
                            # lines — commit the item and restart the loop.
                            items.append(item)
                            continue
                        elif v.startswith("["):
                            item[k] = parse_inline_list(v)
                        else:
                            item[k] = parse_scalar(v)
                    i += 1
                    # Subsequent k:v lines at deeper indent belong to this item.
                    while i < n and cleaned[i][0] > item_indent and not cleaned[i][1].startswith("- "):
                        sub_indent, sub_line = cleaned[i]
                        if ":" in sub_line:
                            k, _, v = sub_line.partition(":")
                            k = k.strip()
                            v = v.strip()
                            if v == "":
                                item[k] = ""
                                i += 1
                            elif v.startswith(">-") or v.startswith(">"):
                                collected = []
                                i += 1
                                while i < n and cleaned[i][0] > sub_indent:
                                    collected.append(cleaned[i][1])
                                    i += 1
                                item[k] = " ".join(collected)
                            elif v.startswith("["):
                                item[k] = parse_inline_list(v)
                                i += 1
                            else:
                                item[k] = parse_scalar(v)
                                i += 1
                        else:
                            i += 1
                    items.append(item)
                root[key] = items
            else:
                # Sub-map.
                submap: dict[str, Any] = {}
                while i < n and cleaned[i][0] > indent:
                    sub_indent, sub_line = cleaned[i]
                    if ":" in sub_line:
                        k, _, v = sub_line.partition(":")
                        k = k.strip().strip('"').strip("'")
                        v = v.strip()
                        if v.startswith("[") and v.endswith("]"):
                            submap[k] = parse_inline_list(v)
                        else:
                            submap[k] = parse_scalar(v)
                    i += 1
                root[key] = submap
        else:
            # Inline scalar or list.
            if rest.startswith("[") and rest.endswith("]"):
                root[key] = parse_inline_list(rest)
            else:
                root[key] = parse_scalar(rest)
            i += 1
    return root
# ---------------------------------------------------------------------------
# Main entry point
# ---------------------------------------------------------------------------
def render_status(
    items: list[dict[str, Any]],
    ack_state: dict[str, dict[str, Any]],
    body_state: dict[str, bool],
) -> tuple[str, str]:
    """Return (state, description) for the commit-status post.

    state is "success" if every item has at least one valid ack
    (body section presence is informational only — peer-ack is the
    real gate). "pending" is reserved for the soft-fail path
    (tier:low) and is set by the caller.
    """
    n = len(items)
    fully_acked = [
        it["slug"] for it in items if ack_state[it["slug"]]["ackers"]
    ]
    missing = [
        it["slug"] for it in items if not ack_state[it["slug"]]["ackers"]
    ]
    missing_body = [it["slug"] for it in items if not body_state.get(it["slug"], False)]
    desc_parts = [f"acked: {len(fully_acked)}/{n}"]
    if missing:
        # Show up to 3 missing slugs to stay inside the 140-char budget.
        shown = ", ".join(missing[:3])
        if len(missing) > 3:
            shown += f", +{len(missing) - 3}"
        desc_parts.append(f"missing: {shown}")
    if missing_body:
        desc_parts.append(f"body-unfilled: {len(missing_body)}")
    state = "success" if not missing else "failure"
    # BUG FIX: parts were previously joined with "" which mashed the
    # description together (e.g. "acked: 1/3missing: x"); separate them.
    return state, "; ".join(desc_parts)
def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
    """Resolve the gate's failure mode ('hard' or 'soft') from the PR's
    tier label.

    Scans the PR's labels (in order) for names starting with "tier:" and
    returns the first one with an entry in cfg["tier_failure_mode"];
    otherwise falls back to cfg["default_mode"] (default "hard").
    """
    mode_map = cfg.get("tier_failure_mode") or {}
    for label in (pr.get("labels") or []):
        name = label.get("name", "") or ""
        if name.startswith("tier:") and name in mode_map:
            return mode_map[name]
    return cfg.get("default_mode", "hard")
def main(argv: list[str] | None = None) -> int:
    """CLI entry point: compute the per-item ack state for one PR and
    POST the aggregate commit status that branch protection gates on.

    Returns a process exit code: 0 on success or no-op, 1 on a bad PR
    payload, 2 on a missing token/client.
    """
    p = argparse.ArgumentParser()
    p.add_argument("--owner", required=True)
    p.add_argument("--repo", required=True)
    p.add_argument("--pr", type=int, required=True)
    p.add_argument("--config", default=".gitea/sop-checklist-config.yaml")
    p.add_argument("--gitea-host", default="git.moleculesai.app")
    p.add_argument(
        "--dry-run",
        action="store_true",
        help="Compute state but do not POST the status.",
    )
    p.add_argument(
        "--status-context",
        default="sop-checklist / all-items-acked (pull_request)",
    )
    p.add_argument(
        "--exit-on-state",
        action="store_true",
        help=(
            "If set, exit non-zero when state=failure. Default OFF so the "
            "job-level conclusion is independent of ack-state — the only "
            "thing BP sees is the POSTed status. Useful for local debugging."
        ),
    )
    args = p.parse_args(argv)
    token = os.environ.get("GITEA_TOKEN", "")
    if not token and not args.dry_run:
        print("::error::GITEA_TOKEN env required", file=sys.stderr)
        return 2
    cfg = load_config(args.config)
    items: list[dict[str, Any]] = cfg["items"]
    items_by_slug = {it["slug"]: it for it in items}
    numeric_aliases = {
        int(it["numeric_alias"]): it["slug"] for it in items if it.get("numeric_alias")
    }
    client = GiteaClient(args.gitea_host, token) if token else None
    if not client:
        print("::error::No client (dry-run without token has nothing to do)", file=sys.stderr)
        return 2
    pr = client.get_pr(args.owner, args.repo, args.pr)
    if pr.get("state") != "open":
        print(f"::notice::PR #{args.pr} is {pr.get('state')} — gate is a no-op")
        return 0
    author = (pr.get("user") or {}).get("login", "")
    head_sha = (pr.get("head") or {}).get("sha", "")
    body = pr.get("body", "") or ""
    if not author or not head_sha:
        print("::error::PR payload missing user.login or head.sha", file=sys.stderr)
        return 1
    comments = client.get_issue_comments(args.owner, args.repo, args.pr)
    # Build team-membership probe closure that caches results per
    # (user, team-id) so a user acking multiple items only triggers
    # one membership lookup per team.
    team_member_cache: dict[tuple[str, int], bool | None] = {}

    def probe(slug: str, users: list[str]) -> list[str]:
        item = items_by_slug[slug]
        team_names: list[str] = item["required_teams"]
        # Resolve names → ids. NOTE: orgs/{org}/teams/search may not be
        # available — fall back to the list endpoint.
        team_ids: list[int] = []
        for tn in team_names:
            tid = client.resolve_team_id(args.owner, tn)
            if tid is None:
                # Try the list endpoint as a fallback.
                code, data = client._req(  # noqa: SLF001
                    "GET", f"/orgs/{args.owner}/teams"
                )
                if code == 200 and isinstance(data, list):
                    for t in data:
                        if t.get("name") == tn:
                            tid = t.get("id")
                            client._team_id_cache[(args.owner, tn)] = tid  # noqa: SLF001
                            break
            if tid is not None:
                team_ids.append(tid)
            else:
                print(
                    f"::warning::could not resolve team-id for '{tn}' "
                    f"in org '{args.owner}' — item '{slug}' will fail closed",
                    file=sys.stderr,
                )
        approved: list[str] = []
        for u in users:
            for tid in team_ids:
                cache_key = (u, tid)
                if cache_key not in team_member_cache:
                    team_member_cache[cache_key] = client.is_team_member(tid, u)
                result = team_member_cache[cache_key]
                if result is True:
                    approved.append(u)
                    break
                if result is None:
                    print(
                        f"::warning::team-probe for {u} in team-id {tid} returned 403 "
                        "(token owner not in that team — fail-closed per RFC#324)",
                        file=sys.stderr,
                    )
                    # Treat as not-in-team for this user/team pair; loop
                    # may still find membership in another team.
        return approved

    ack_state = compute_ack_state(comments, author, items_by_slug, numeric_aliases, probe)
    body_state = {it["slug"]: section_marker_present(body, it["pr_section_marker"]) for it in items}
    state, description = render_status(items, ack_state, body_state)
    mode = get_tier_mode(pr, cfg)
    if state == "failure" and mode == "soft":
        state = "pending"
        description = f"[soft-fail tier:low] {description}"
    # Diagnostics to job log.
    print(f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} mode={mode}")
    for it in items:
        slug = it["slug"]
        ackers = ack_state[slug]["ackers"]
        if ackers:
            print(f"::notice:: [PASS] {slug} — acked by {','.join(ackers)}")
        else:
            r = ack_state[slug]["rejected"]
            extras: list[str] = []
            if r["self_ack"]:
                extras.append(f"self-acks-rejected:{','.join(r['self_ack'])}")
            if r["not_in_team"]:
                extras.append(f"not-in-team:{','.join(r['not_in_team'])}")
            extra = " (" + "; ".join(extras) + ")" if extras else ""
            print(f"::notice:: [WAIT] {slug} — no valid peer-ack yet{extra}")
    print(f"::notice::posting status: state={state} desc={description!r}")
    if args.dry_run:
        print("::notice::--dry-run: not posting status")
        if args.exit_on_state:
            return 0 if state in ("success", "pending") else 1
        return 0
    target_url = f"https://{args.gitea_host}/{args.owner}/{args.repo}/pulls/{args.pr}"
    client.post_status(
        args.owner, args.repo, head_sha,
        state=state, context=args.status_context,
        description=description, target_url=target_url,
    )
    # BUGFIX: the old f-string printed "{context}{state}" with no
    # separator ("...(pull_request)failure"); log them separated.
    print(f"::notice::status posted: {args.status_context} state={state}")
    # By default exit 0 — the POSTed status IS the gate, NOT the job
    # conclusion. If the job exits 1 BP will see TWO failure signals
    # (one from the job's auto-status, one from our POST), making the
    # description less actionable. --exit-on-state restores the old
    # behavior for local debugging.
    if args.exit_on_state:
        return 0 if state in ("success", "pending") else 1
    return 0
# Script entry point — the return value of main() becomes the process
# exit code, which the CI job surfaces as its conclusion.
if __name__ == "__main__":
    sys.exit(main())

View File

@ -96,27 +96,16 @@ API="https://${GITEA_HOST}/api/v1"
AUTH="Authorization: token ${GITEA_TOKEN}"
echo "::notice::tier-check start: repo=$OWNER/$NAME pr=$PR_NUMBER author=$PR_AUTHOR"
# Sanity: token resolves to a user.
# Use || true on the jq pipeline so that set -euo pipefail (line 45) does not
# cause the script to exit prematurely when the token is empty/invalid — the
# if check below handles that case gracefully. Without || true, a 401 from an
# empty/invalid token causes jq to exit 1, triggering set -e and exiting the
# entire script before SOP_FAIL_OPEN can be evaluated (the check is in the jq-
# install block; if jq is already on PATH, that block is skipped entirely).
WHOAMI=$(curl -sS -H "$AUTH" "${API}/user" | jq -r '.login // ""') || true
# Sanity: token resolves to a user
WHOAMI=$(curl -sS -H "$AUTH" "${API}/user" | jq -r '.login // ""')
if [ -z "$WHOAMI" ]; then
echo "::error::GITEA_TOKEN cannot resolve a user via /api/v1/user — check the token scope and that the secret is wired correctly."
if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
exit 0
fi
exit 1
fi
echo "::notice::token resolves to user: $WHOAMI"
# 1. Read tier label. || true ensures set -euo pipefail does not abort the
# script if curl or jq fails (e.g. 401 from empty token).
LABELS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/labels" | jq -r '.[].name') || true
# 1. Read tier label
LABELS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/labels" | jq -r '.[].name')
TIER=""
for L in $LABELS; do
case "$L" in
@ -187,25 +176,17 @@ fi
# 4. Resolve all team names → IDs
# /orgs/{org}/teams/{slug}/... endpoints don't exist on Gitea 1.22;
# we use /teams/{id}.
# set +e prevents set -e from aborting the script if curl fails (e.g. empty token).
ORG_TEAMS_FILE=$(mktemp)
trap 'rm -f "$ORG_TEAMS_FILE"' EXIT
set +e
HTTP_CODE=$(curl -sS -o "$ORG_TEAMS_FILE" -w '%{http_code}' -H "$AUTH" \
"${API}/orgs/${OWNER}/teams")
_HTTP_EXIT=$?
set -e
debug "teams-list HTTP=$HTTP_CODE (curl exit=$_HTTP_EXIT) size=$(wc -c <"$ORG_TEAMS_FILE")"
debug "teams-list HTTP=$HTTP_CODE size=$(wc -c <"$ORG_TEAMS_FILE")"
if [ "${SOP_DEBUG:-}" = "1" ]; then
echo " [debug] teams-list body (first 300 chars):" >&2
head -c 300 "$ORG_TEAMS_FILE" >&2; echo >&2
fi
if [ "$_HTTP_EXIT" -ne 0 ] || [ "$HTTP_CODE" != "200" ]; then
echo "::error::GET /orgs/${OWNER}/teams failed (curl exit=$_HTTP_EXIT HTTP=$HTTP_CODE) — token may lack read:org scope or be invalid."
if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
exit 0
fi
if [ "$HTTP_CODE" != "200" ]; then
echo "::error::GET /orgs/${OWNER}/teams returned HTTP $HTTP_CODE — token likely lacks read:org scope."
exit 1
fi
@ -250,22 +231,9 @@ for _t in $_all_teams; do
debug "team-id: $_t$_id"
done
# 5. Read approving reviewers. set +e disables set -e temporarily so that curl
# failures (e.g. empty/invalid token → HTTP 401) do not abort the script before
# SOP_FAIL_OPEN is evaluated. set -e is restored immediately after.
set +e
# 5. Read approving reviewers
REVIEWS=$(curl -sS -H "$AUTH" "${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews")
_REVIEWS_EXIT=$?
set -e
if [ $_REVIEWS_EXIT -ne 0 ] || [ -z "$REVIEWS" ]; then
echo "::error::Failed to fetch reviews (curl exit=$_REVIEWS_EXIT) — token may be invalid or unreachable."
if [ "${SOP_FAIL_OPEN:-}" = "1" ]; then
echo "::warning::SOP_FAIL_OPEN=1 — exiting 0 so CI does not block."
exit 0
fi
exit 1
fi
APPROVERS=$(echo "$REVIEWS" | jq -r '[.[] | select(.state=="APPROVED") | .user.login] | unique | .[]') || true
APPROVERS=$(echo "$REVIEWS" | jq -r '[.[] | select(.state=="APPROVED") | .user.login] | unique | .[]')
if [ -z "$APPROVERS" ]; then
echo "::error::No approving reviews on this PR. Set SOP_DEBUG=1 and re-run for diagnostics."
exit 1

View File

@ -1,699 +0,0 @@
#!/usr/bin/env python3
"""status-reaper — Option B compensating-status POST for Gitea 1.22.6's
hardcoded `(push)` suffix on default-branch commit statuses.
Tracking: this PR (workflow + script + tests + audit issue). Sibling
bots: internal#327 (publish-runtime-bot), internal#328 (mc-drift-bot).
Upstream RFC: internal#80. Persona provisioned by sub-agent aefaac1b
(2026-05-11 21:39Z; Gitea uid 94, scope=write:repository).
What this script does, per `.gitea/workflows/status-reaper.yml` invocation:
1. Walk `.gitea/workflows/*.yml`. For each file, build the workflow_id
using this resolution (per hongming-pc 22:08Z review):
- If YAML has top-level `name:` use that.
- Else use filename stem (basename minus `.yml`).
Fail-LOUD on:
- Two workflows resolving to the SAME identifier (collision).
- Any identifier containing `/` (it would break context parsing
downstream Gitea uses ` / ` as the workflow/job separator).
Classify each by whether `on:` contains a `push:` trigger.
2. List the last N (=30, rev3 widened from 10) commits on
WATCH_BRANCH via GET /repos/{o}/{r}/commits?sha={branch}&limit={N}.
rev2 sweeps N commits per tick instead of HEAD only schedule
workflows post `failure` to whatever SHA was HEAD when they
COMPLETED, so by the next */5 tick main has often moved forward
and the red gets stranded on a stale commit. rev3 widens the
window from 10 → 30 because schedule workflows post `failure`
RETROACTIVELY (5-15 min after their merge); a 10-commit window
is narrower than the merge-cadence during a burst, so reds land
OUTSIDE the window before reaper sees them (Phase 1+2 evidence:
rev2 run 17057 at 02:46Z saw 185/0 contexts on 10 SHAs; direct
probe ~30min later showed ~25 fails on those same 10 SHAs).
3. For EACH SHA in the list:
- GET combined commit status. Per-SHA error isolation
(refinement #7): if this call raises ApiError or any 5xx,
LOG `::warning::` + continue to the next SHA. Different from
the single-HEAD pre-rev2 path where fail-loud was correct;
the sweep is best-effort across historical commits, so one
transient blip on a stale SHA must not strand reds on the
OTHER stale SHAs.
- If combined.state == "success": skip cost optimization
(refinement #2), common case (most commits are green).
- Otherwise iterate per-context entries. For each entry where:
state == "failure" AND context.endswith(" (push)")
Parse context as `<workflow_name> / <job_name> (push)`.
Look up workflow_name in the trigger map:
- missing → log ::notice:: and skip (conservative).
- has_push_trigger=True → preserve (real defect signal).
- has_push_trigger=False → POST a compensating
`state=success` status to /statuses/{sha} with the same
context (Gitea de-dups by context) and a description
documenting the workaround + this script's path.
4. Exit 0. Re-running is idempotent — Gitea's commit-status table
stores the LATEST state-per-context, so the success POST sticks
even if another tick happens before the runner finishes.
What it does NOT do:
- Touch any context NOT ending in ` (push)`. The required-checks on
main (verified 2026-05-11) all have ` (pull_request)` suffixes;
they CANNOT be reached by this code path.
- Compensate `error`/`pending` states. Only `failure` the only one
Gitea emits for the hardcoded-suffix bug.
- Write to non-default branches. WATCH_BRANCH is sourced from
`github.event.repository.default_branch` in the workflow.
- Mutate workflows or runs. The Actions UI still shows the
underlying schedule-triggered run as failed; this script edits
the commit-status surface only.
Halt conditions (script-level orchestrator-level halts are in the
workflow comments):
- PyYAML missing → fail-loud at import (no fallback parse).
- Workflow `name:` collision → exit 1 with ::error:: message.
- Workflow `name:` containing `/` → exit 1 with ::error:: message.
- Ambiguous `on:` shape (e.g. neither str/list/dict) → treat as
"has_push_trigger=True" and log ::notice:: (preserve, never
compensate the unknown).
- api() non-2xx → raise ApiError, fail the workflow run loudly so
a subsequent tick retries (per
`feedback_api_helper_must_raise_not_return_dict`).
Local dry-run (no network):
GITEA_TOKEN=... GITEA_HOST=git.moleculesai.app REPO=owner/repo \\
WATCH_BRANCH=main WORKFLOWS_DIR=.gitea/workflows \\
python3 .gitea/scripts/status-reaper.py --dry-run
"""
from __future__ import annotations
import argparse
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Any
import yaml # PyYAML 6.0.2 — installed by the workflow before this runs.
# --------------------------------------------------------------------------
# Environment
# --------------------------------------------------------------------------
def _env(key: str, *, default: str = "") -> str:
"""Read an env var with a default. Module-import-safe — tests can
import this script without setting the full env contract."""
return os.environ.get(key, default)
# Runtime configuration, all sourced from the environment by the
# workflow. Empty-string defaults keep module import side-effect-free;
# `_require_runtime_env()` enforces presence when `main()` runs.
GITEA_TOKEN = _env("GITEA_TOKEN")
GITEA_HOST = _env("GITEA_HOST")
REPO = _env("REPO")
WATCH_BRANCH = _env("WATCH_BRANCH", default="main")
WORKFLOWS_DIR = _env("WORKFLOWS_DIR", default=".gitea/workflows")
# Split "owner/name" defensively: appending [""] guarantees two parts
# even when REPO has no "/", and an empty REPO yields ("", "").
OWNER, NAME = (REPO.split("/", 1) + [""])[:2] if REPO else ("", "")
API = f"https://{GITEA_HOST}/api/v1" if GITEA_HOST else ""
# Compensating-status description prefix. Used as the marker so a human
# auditing commit statuses can tell at a glance that the green was
# synthetic, not a real CI pass. Kept stable; downstream tooling
# (e.g. main-red-watchdog visual diff) MAY key on it.
COMPENSATION_DESCRIPTION = (
    "Compensated by status-reaper (workflow has no push: trigger; "
    "Gitea 1.22.6 hardcoded-suffix bug — see .gitea/scripts/status-reaper.py)"
)
# Context suffix the reaper acts on. Gitea hardcodes this for ALL
# default-branch workflow runs.
PUSH_SUFFIX = " (push)"
def _require_runtime_env() -> None:
"""Enforce env contract — called from `main()` only.
Tests import individual functions without setting the full env
contract. Mirrors `main-red-watchdog.py`/`ci-required-drift.py`.
"""
for key in ("GITEA_TOKEN", "GITEA_HOST", "REPO", "WATCH_BRANCH", "WORKFLOWS_DIR"):
if not os.environ.get(key):
sys.stderr.write(f"::error::missing required env var: {key}\n")
sys.exit(2)
# --------------------------------------------------------------------------
# Tiny HTTP helper — raises on non-2xx + on JSON-decode-of-expected-JSON.
# --------------------------------------------------------------------------
class ApiError(RuntimeError):
    """A Gitea API call cannot be trusted to have succeeded.

    Per `feedback_api_helper_must_raise_not_return_dict`: soft failure
    is opt-in via `expect_json=False`, never the default. An earlier
    implementation that returned `{}` on non-2xx would have skipped the
    compensating POST during a transient outage AND silently dropped
    the failed-status enumeration, painting main green via omission.
    """
def api(
    method: str,
    path: str,
    *,
    body: dict | None = None,
    query: dict[str, str] | None = None,
    expect_json: bool = True,
) -> tuple[int, Any]:
    """Tiny HTTP helper around urllib. Same contract as
    `main-red-watchdog.py` and `ci-required-drift.py` so behaviour
    is cross-checkable.

    Parameters:
        method: HTTP verb ("GET", "POST", ...).
        path: API path, appended to the module-level `API` base URL.
        body: optional JSON payload; when given it is serialized and
            Content-Type is set to application/json.
        query: optional query parameters, urlencoded onto the URL.
        expect_json: when True (default), a 2xx body that is not valid
            JSON raises ApiError; when False the raw text is returned
            under the "_raw" key instead.

    Returns:
        (status_code, parsed) — parsed is the decoded JSON, None for an
        empty body, or {"_raw": text} when expect_json=False.

    Raises:
        ApiError: on any non-2xx response, or (with expect_json=True)
            on a 2xx body that fails JSON decoding.
    """
    url = f"{API}{path}"
    if query:
        url = f"{url}?{urllib.parse.urlencode(query)}"
    data = None
    headers = {
        "Authorization": f"token {GITEA_TOKEN}",
        "Accept": "application/json",
    }
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, method=method, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as e:
        # HTTPError still carries a readable body — capture it so the
        # error snippet below can include the server's message.
        raw = e.read()
        status = e.code
    if not (200 <= status < 300):
        snippet = raw[:500].decode("utf-8", errors="replace") if raw else ""
        raise ApiError(f"{method} {path} -> HTTP {status}: {snippet}")
    if not raw:
        # 204-style empty body: nothing to parse.
        return status, None
    try:
        return status, json.loads(raw)
    except json.JSONDecodeError as e:
        if expect_json:
            raise ApiError(
                f"{method} {path} -> HTTP {status} but body is not JSON: {e}"
            ) from e
        return status, {"_raw": raw.decode("utf-8", errors="replace")}
# --------------------------------------------------------------------------
# Workflow scan + classification
# --------------------------------------------------------------------------
def _on_block(doc: dict) -> Any:
"""Extract the `on:` block from a parsed YAML doc.
PyYAML parses bareword `on:` as Python `True` (YAML 1.1 boolean
spec `on/off/yes/no` are booleans). The actual key in the dict
is therefore `True`, NOT the string `"on"`. We accept both for
forward-compat with YAML 1.2 loaders (which keep it as `"on"`).
"""
if True in doc:
return doc[True]
return doc.get("on")
def _has_push_trigger(on_block: Any, workflow_id: str) -> bool:
"""Return True if `on:` block declares a `push` trigger.
Accepts the three common shapes:
- str: `on: push` True only if == "push"
- list: `on: [push, pull_request]` True if "push" in list
- dict: `on: { push: {...}, schedule: ... }` True if "push" key
Defensive: for anything else (including None/empty), return True
so we preserve rather than over-compensate. Logged via ::notice::.
"""
if isinstance(on_block, str):
return on_block == "push"
if isinstance(on_block, list):
return "push" in on_block
if isinstance(on_block, dict):
return "push" in on_block
# None or unexpected shape — preserve, log.
print(
f"::notice::ambiguous on: for {workflow_id}; preserving "
f"(value={on_block!r}, type={type(on_block).__name__})"
)
return True
def scan_workflows(workflows_dir: str) -> dict[str, bool]:
    """Walk `workflows_dir` and return `{workflow_id: has_push_trigger}`.

    Workflow ID resolution (per hongming-pc 22:08Z review):
      - Top-level `name:` if present.
      - Else filename stem (basename minus the extension).
    Fail-LOUD on:
      - Two workflows resolving to the same ID (collision).
      - Any ID containing `/` (would break ` / `-separated context
        parsing on the downstream side).
    Returns a dict for O(1) lookup in the per-status loop.
    """
    path = Path(workflows_dir)
    if not path.is_dir():
        # Workflow dir missing → no workflows to classify. Empty map is
        # safe: per-status loop will hit "unknown workflow; skip" for
        # every entry, which is correct (we cannot tell if a push
        # trigger exists, so we preserve).
        print(f"::warning::workflows dir not found: {workflows_dir}")
        return {}
    out: dict[str, bool] = {}
    sources: dict[str, str] = {}  # workflow_id -> source file (for collision msg)
    # BUGFIX: also glob `*.yaml` — Gitea loads both extensions. A
    # `.yaml` workflow previously fell through to the "unknown
    # workflow; skip" path (fail-safe: preserved, but its stranded
    # reds were never compensated).
    candidates = sorted([*path.glob("*.yml"), *path.glob("*.yaml")])
    for yml in candidates:
        try:
            with yml.open() as f:
                doc = yaml.safe_load(f)
        except yaml.YAMLError as e:
            # A malformed YAML in the workflows dir is a real defect
            # (the workflow wouldn't load on Gitea either). Surface it
            # and keep going — the reaper's job is to compensate the
            # OTHER workflows even if one is broken.
            print(f"::warning::yaml parse failed for {yml.name}: {e}; skip")
            continue
        if not isinstance(doc, dict):
            print(f"::warning::workflow {yml.name} not a dict; skip")
            continue
        # Resolve workflow_id: explicit `name:` wins over filename stem.
        name_field = doc.get("name")
        if isinstance(name_field, str) and name_field.strip():
            workflow_id = name_field.strip()
        else:
            workflow_id = yml.stem  # basename minus extension
        # Halt-loud: `/` in workflow_id breaks ` / ` context parsing.
        if "/" in workflow_id:
            sys.stderr.write(
                f"::error::workflow name contains '/' which breaks "
                f"context parsing: {workflow_id} (file={yml.name})\n"
            )
            sys.exit(1)
        # Halt-loud: ID collision.
        if workflow_id in out:
            sys.stderr.write(
                f"::error::workflow name collision detected: {workflow_id} "
                f"(files: {sources[workflow_id]} + {yml.name})\n"
            )
            sys.exit(1)
        on_block = _on_block(doc)
        out[workflow_id] = _has_push_trigger(on_block, workflow_id)
        sources[workflow_id] = yml.name
    return out
# --------------------------------------------------------------------------
# Gitea reads
# --------------------------------------------------------------------------
def get_head_sha(branch: str) -> str:
    """Resolve `branch` to its HEAD commit SHA.

    Raises ApiError on non-2xx (via `api`) or when the response body
    lacks a usable `commit.id`/`commit.sha`.
    """
    _, payload = api("GET", f"/repos/{OWNER}/{NAME}/branches/{branch}")
    if not isinstance(payload, dict):
        raise ApiError(f"branch {branch} response not a JSON object")
    commit_obj = payload.get("commit")
    if not isinstance(commit_obj, dict):
        raise ApiError(f"branch {branch} response missing `commit` object")
    head = commit_obj.get("id") or commit_obj.get("sha")
    if not isinstance(head, str) or len(head) < 7:
        raise ApiError(f"branch {branch} response has no usable commit SHA")
    return head
def get_combined_status(sha: str) -> dict:
    """Fetch the combined commit status for `sha`.

    Gitea's response shape:
        {
          "state": "success" | "failure" | "pending" | "error",
          "statuses": [
            {"context": "...", "state": "...", "target_url": "...",
             "description": "..."},
            ...
          ],
          ...
        }

    Raises ApiError on non-2xx or when the body is not a JSON object.
    """
    _, payload = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
    if isinstance(payload, dict):
        return payload
    raise ApiError(f"status for {sha} response not a JSON object")
# --------------------------------------------------------------------------
# Context parsing
# --------------------------------------------------------------------------
def parse_push_context(context: str) -> tuple[str, str] | None:
    """Split `<workflow_name> / <job_name> (push)` into its two parts.

    Returns (workflow_name, job_name), or None when the context does
    not match the bug shape: it must carry the trailing ` (push)` AND
    at least one ` / ` workflow/job separator. Anything else is left
    alone by the caller.
    """
    if not context.endswith(PUSH_SUFFIX):
        return None
    trimmed = context[: -len(PUSH_SUFFIX)]  # drop the " (push)" tail
    if " / " not in trimmed:
        # No workflow/job separator — not the bug shape we compensate.
        return None
    workflow, job = trimmed.split(" / ", 1)
    return workflow, job
# --------------------------------------------------------------------------
# Compensating POST
# --------------------------------------------------------------------------
def post_compensating_status(
    sha: str,
    context: str,
    target_url: str | None,
    *,
    dry_run: bool = False,
) -> None:
    """POST `state=success` for `context` on commit `sha`.

    Gitea de-dups commit statuses by context (latest write wins), so
    re-posting is idempotent. The description references this script so
    the compensation is self-documenting on the commit's status view.
    With `dry_run=True`, only prints what would be done.
    """
    payload: dict[str, Any] = {
        "context": context,
        "state": "success",
        "description": COMPENSATION_DESCRIPTION,
    }
    if target_url:
        # Echo the original target_url so a human auditing the
        # now-green compensated status can still reach the run logs
        # that produced the original red.
        payload["target_url"] = target_url
    if dry_run:
        print(
            f"::notice::[dry-run] would compensate {context!r} on {sha[:10]} "
            f"with state=success"
        )
        return
    api("POST", f"/repos/{OWNER}/{NAME}/statuses/{sha}", body=payload)
    print(f"::notice::compensated {context!r} on {sha[:10]} (state=success)")
# --------------------------------------------------------------------------
# Main reap loop
# --------------------------------------------------------------------------
def reap(
    workflow_trigger_map: dict[str, bool],
    combined: dict,
    sha: str,
    *,
    dry_run: bool = False,
) -> dict[str, Any]:
    """Compensate eligible entries of `combined.statuses[]` for one SHA.

    Per-SHA worker; the multi-SHA orchestrator (`reap_branch`) calls
    this once per stale main commit each tick.
    Returns observability counters:
        {compensated, preserved_real_push, preserved_unknown,
         preserved_non_failure, preserved_non_push_suffix,
         preserved_unparseable,
         compensated_contexts: [<context>, ...]}
    `compensated_contexts` (rev2) lets `reap_branch` build
    `compensated_per_sha` without re-deriving it from the POST stream.
    """
    tallies: dict[str, Any] = {
        "compensated": 0,
        "preserved_real_push": 0,
        "preserved_unknown": 0,
        "preserved_non_failure": 0,
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_contexts": [],
    }
    for entry in combined.get("statuses") or []:
        if not isinstance(entry, dict):
            continue
        context = entry.get("context") or ""
        # Schema asymmetry: Gitea 1.22.6 keys the TOP-LEVEL aggregate
        # as `combined.state` but each per-context entry uses `status`,
        # NOT `state` (verified by direct API probe 2026-05-12 03:42Z).
        # Prefer `status`; fall back to `state` so a future Gitea (or a
        # fixture written against the wrong key) still flows through.
        # Pre-rev4 code read `state` only → "" → the compensation path
        # was unreachable.
        # See `feedback_smoke_test_vendor_truth_not_shape_match`.
        entry_state = entry.get("status") or entry.get("state") or ""
        if entry_state != "failure":
            # Only `failure` is the bug shape; error/pending/success
            # carry other meanings and are preserved.
            tallies["preserved_non_failure"] += 1
            continue
        if not context.endswith(PUSH_SUFFIX):
            # Only `(push)`-suffix contexts hit the hardcoded-suffix
            # bug; required PR checks end in " (pull_request)" and are
            # unreachable from here.
            tallies["preserved_non_push_suffix"] += 1
            continue
        parsed = parse_push_context(context)
        if parsed is None:
            # Has the " (push)" suffix but no " / " separator — not
            # the bug shape. Preserve.
            tallies["preserved_unparseable"] += 1
            continue
        workflow_name, _job = parsed
        if workflow_name not in workflow_trigger_map:
            # Renamed/deleted/external workflow — cannot tell whether a
            # push trigger exists. Conservative: preserve.
            print(f"::notice::unknown workflow {workflow_name!r}; skip")
            tallies["preserved_unknown"] += 1
            continue
        if workflow_trigger_map[workflow_name]:
            # Genuine push trigger → genuine defect signal. Preserve.
            tallies["preserved_real_push"] += 1
            continue
        # Class-O: schedule/dispatch/etc.-only workflow wearing a fake
        # (push) status from the hardcoded-suffix bug. Compensate.
        post_compensating_status(
            sha, context, entry.get("target_url"), dry_run=dry_run
        )
        tallies["compensated"] += 1
        tallies["compensated_contexts"].append(context)
    return tallies
# --------------------------------------------------------------------------
# rev2: multi-SHA sweep over the last N commits on WATCH_BRANCH
# --------------------------------------------------------------------------
# How many main commits to sweep per tick. Sized to cover a burst-merge
# window where multiple PRs land in the 5-min interval between reaper
# ticks. Older reds falling off the window is acceptable — they were
# already stale enough that the schedule-run that posted them has long
# since been overwritten by a real push trigger. See `reference_post_
# suspension_pipeline` for the merge-cadence baseline.
#
# rev3 (2026-05-12, hongming-pc2 GO 03:25Z): widened from 10 → 30.
# rev2 (limit=10) shipped 01:48Z and ran 6/6 ticks post-merge with
# `compensated:0` despite ~25 stranded reds visible on those same 10
# SHAs ~30min later. Root cause: schedule workflows post `failure`
# RETROACTIVELY 5-15 min after their merge, so by the time reaper's
# next */5 tick lands, the stranded red is on a SHA that has already
# fallen out of a 10-commit window during a burst-merge period.
# Trades window-width-cheap for cadence-loady (per hongming-pc2):
# kept `*/5` cron unchanged; only the window-N is widened.
# Overridable per-run via the `--limit` CLI flag parsed in `main()`.
DEFAULT_SWEEP_LIMIT = 30
def list_recent_commit_shas(branch: str, limit: int) -> list[str]:
    """Return up to `limit` commit SHAs on `branch`, newest first.

    Wraps GET /repos/{o}/{r}/commits?sha={branch}&limit={limit}. Gitea
    1.22.6 answers with a JSON list of commit objects, each carrying a
    `sha` key (vendor-truth probe 2026-05-11 against
    git.moleculesai.app — `feedback_smoke_test_vendor_truth_not_shape_match`).

    Raises ApiError on non-2xx OR an unexpected response shape. This is
    a HARD halt: without the commit list the sweep cannot proceed at
    all. (The per-SHA error isolation downstream is a different
    concern — tolerating a transient 5xx on ONE commit's status is
    best-effort; losing the list means we don't know what to try.)
    """
    _, listing = api(
        "GET",
        f"/repos/{OWNER}/{NAME}/commits",
        query={"sha": branch, "limit": str(limit)},
    )
    if not isinstance(listing, list):
        raise ApiError(
            f"commits listing for {branch} not a JSON array "
            f"(got {type(listing).__name__})"
        )
    usable = [
        entry.get("sha")
        for entry in listing
        if isinstance(entry, dict)
        and isinstance(entry.get("sha"), str)
        and len(entry["sha"]) >= 7
    ]
    if not usable:
        raise ApiError(
            f"commits listing for {branch} returned no usable SHAs"
        )
    return usable
def reap_branch(
    workflow_trigger_map: dict[str, bool],
    branch: str,
    *,
    limit: int = DEFAULT_SWEEP_LIMIT,
    dry_run: bool = False,
) -> dict[str, Any]:
    """Sweep the last `limit` commits on `branch` through `reap()`.

    Per-SHA errors are isolated: a transient failure skips only that
    SHA. Returns aggregated counters plus rev2 observability fields:
      - scanned_shas: how many SHAs were actually iterated
      - compensated_per_sha: {<sha_full>: [<context>, ...]} — only
        SHAs that received at least one compensation are included
    """
    totals: dict[str, Any] = {
        "scanned_shas": 0,
        "compensated": 0,
        "preserved_real_push": 0,
        "preserved_unknown": 0,
        "preserved_non_failure": 0,
        "preserved_non_push_suffix": 0,
        "preserved_unparseable": 0,
        "compensated_per_sha": {},
    }
    scalar_keys = (
        "compensated",
        "preserved_real_push",
        "preserved_unknown",
        "preserved_non_failure",
        "preserved_non_push_suffix",
        "preserved_unparseable",
    )
    for sha in list_recent_commit_shas(branch, limit):
        totals["scanned_shas"] += 1
        try:
            combined = get_combined_status(sha)
        except ApiError as e:
            # Per-SHA error isolation (refinement #7): one transient
            # blip on a historical commit must NOT abort the tick —
            # other stale SHAs may still hold strandable reds.
            print(
                f"::warning::get_combined_status({sha[:10]}) failed; "
                f"skipping this SHA: {e}"
            )
            continue
        if combined.get("state") == "success":
            # Cost optimization (refinement #2): green commits are the
            # dominant case — skip the per-context loop entirely.
            continue
        sha_counters = reap(
            workflow_trigger_map, combined, sha, dry_run=dry_run
        )
        for key in scalar_keys:
            totals[key] += sha_counters[key]
        fixed_contexts = sha_counters.get("compensated_contexts") or []
        if fixed_contexts:
            # Record only SHAs that actually got a compensation — keeps
            # the summary readable when most SHAs are no-ops.
            totals["compensated_per_sha"][sha] = list(fixed_contexts)
    return totals
def main() -> int:
    """CLI entry point: parse flags, scan workflows, sweep the watch
    branch, and emit a one-line JSON summary for log ingestion.

    Returns 0 on a completed tick (per-SHA failures are isolated inside
    reap_branch and never bubble up as a non-zero exit).
    """
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--dry-run",
        action="store_true",
        help="Skip the compensating POST; print what would be done.",
    )
    parser.add_argument(
        "--limit",
        type=int,
        default=DEFAULT_SWEEP_LIMIT,
        help=(
            "How many recent commits on WATCH_BRANCH to sweep per tick "
            f"(default: {DEFAULT_SWEEP_LIMIT})."
        ),
    )
    args = parser.parse_args()
    _require_runtime_env()
    workflow_trigger_map = scan_workflows(WORKFLOWS_DIR)
    # Every workflow is either push-triggered or a class-O candidate,
    # so the candidate count is just the complement.
    push_triggered = sum(1 for v in workflow_trigger_map.values() if v)
    class_o = len(workflow_trigger_map) - push_triggered
    print(
        f"::notice::scanned {len(workflow_trigger_map)} workflows; "
        f"push-triggered={push_triggered}, "
        f"class-O candidates={class_o}"
    )
    counters = reap_branch(
        workflow_trigger_map,
        WATCH_BRANCH,
        limit=args.limit,
        dry_run=args.dry_run,
    )
    # Observability: print one JSON line summarising the tick. Loki
    # ingestion via the runner's stdout (`source="gitea-actions"`).
    summary = {
        "branch": WATCH_BRANCH,
        "dry_run": args.dry_run,
        "limit": args.limit,
    }
    summary.update(counters)
    print("status-reaper summary: " + json.dumps(summary, sort_keys=True))
    return 0
# Script entry point: propagate main()'s return code as the exit status.
if __name__ == "__main__":
    sys.exit(main())

View File

@ -1,140 +0,0 @@
#!/usr/bin/env python3
"""Stub Gitea API for review-check.sh test scenarios.
Reads $FIXTURE_STATE_DIR/scenario to decide what to return for each
endpoint the review-check.sh script calls.
Reads $FIXTURE_STATE_DIR/token_owner_in_teams to decide whether
the team membership probe returns 200/204 (member) or 403 (not in team).
Scenarios:
T1_pr_open open PR, author=alice, sha=deadbeef continue
T2_pr_closed closed PR script exits 0 (no-op)
T3_reviews_approved_non_author one APPROVED from non-author candidates exist
T4_reviews_empty zero APPROVED non-author exit 1 (no candidates)
T5_reviews_only_author only author reviews exit 1 (no candidates)
T6_reviews_dismissed dismissed APPROVED treated as no approval
T7_team_member team membership 204 (member) exit 0
T8_team_not_member team membership 404 (not a member) exit 1
T9_team_403 team membership 403 (token not in team) exit 1
Usage:
FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
"""
import http.server
import json
import os
import re
import sys
import urllib.parse
STATE_DIR = os.environ.get("FIXTURE_STATE_DIR", "/tmp")
def scenario() -> str:
    """Return the active test scenario name.

    Reads `$FIXTURE_STATE_DIR/scenario`; falls back to "T1_pr_open"
    when the state file does not exist.
    """
    state_file = os.path.join(STATE_DIR, "scenario")
    if os.path.isfile(state_file):
        with open(state_file) as handle:
            return handle.read().strip()
    return "T1_pr_open"
class Handler(http.server.BaseHTTPRequestHandler):
    """Serves the subset of the Gitea API that review-check.sh calls,
    switching responses on the scenario read from the state dir."""

    def log_message(self, *args, **kwargs):
        pass  # keep stdout for explicit logs only

    def _json(self, code: int, body: dict) -> None:
        # Send a JSON response with explicit Content-Length.
        # NOTE(review): `body` is sometimes a list (review arrays), so
        # the `dict` annotation understates the accepted types.
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def _empty(self, code: int) -> None:
        # Status-only response (used by the team-membership probes).
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _text(self, code: int, body: str) -> None:
        # Plain-text response helper (no do_GET route uses it today).
        payload = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        """Route GET requests by path, then by the current scenario."""
        u = urllib.parse.urlparse(self.path)
        path = u.path
        sc = scenario()
        # Health-check endpoint used by the harness readiness loop.
        if path == "/_ping":
            return self._json(200, {"ok": True})
        # GET /repos/{owner}/{name}/pulls/{pr_number}
        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)$", path)
        if m:
            owner, name, pr_num = m.group(1), m.group(2), m.group(3)
            # Only T2 returns a closed PR; every other scenario gets an
            # open PR authored by alice with a fixed head SHA.
            if sc == "T2_pr_closed":
                return self._json(200, {
                    "number": int(pr_num),
                    "state": "closed",
                    "head": {"sha": "deadbeef0000111122223333444455556666"},
                    "user": {"login": "alice"},
                })
            return self._json(200, {
                "number": int(pr_num),
                "state": "open",
                "head": {"sha": "deadbeef0000111122223333444455556666"},
                "user": {"login": "alice"},
            })
        # GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
        if m:
            # T4/T5 both present zero usable review candidates.
            if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
                return self._json(200, [])
            if sc == "T6_reviews_dismissed":
                return self._json(200, [{
                    "state": "APPROVED",
                    "dismissed": True,
                    "user": {"login": "core-devops"},
                    "commit_id": "abc1234",
                }])
            if sc == "T3_reviews_approved_non_author":
                return self._json(200, [
                    {"state": "CHANGES_REQUESTED", "dismissed": False, "user": {"login": "bob"}, "commit_id": "abc1234"},
                    {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
                ])
            # Default: one non-author APPROVED
            return self._json(200, [
                {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
            ])
        # GET /teams/{team_id}/members/{username}
        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
        if m:
            team_id, login = m.group(1), m.group(2)
            if sc == "T8_team_not_member":
                return self._empty(404)
            if sc == "T9_team_403":
                return self._empty(403)
            # T7_team_member: member
            return self._empty(204)
        # Unknown route: echo the path back to ease test debugging.
        return self._json(404, {"path": path, "msg": "fixture: no route"})

    def do_POST(self):
        # The script under test issues no POSTs; always 404.
        self._json(404, {"path": self.path, "msg": "fixture: no POST routes"})
def main():
    """Bind the stub server to 127.0.0.1:<argv[1]> and serve forever."""
    listen_port = int(sys.argv[1])
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", listen_port), Handler
    )
    server.serve_forever()
# Run the fixture server when executed directly.
if __name__ == "__main__":
    main()

View File

@ -1,505 +0,0 @@
"""Unit tests for .gitea/scripts/lint_pre_flip_continue_on_error.py.
These tests pin the pure-logic surface (flip detection + per-flip
verdict aggregation) without making real HTTP calls. The end-to-end
git ls-tree + Gitea API path is exercised by running the workflow
against real PRs.
Run locally::
python3 -m unittest .gitea/scripts/tests/test_lint_pre_flip_continue_on_error.py -v
Mirrors the pattern in scripts/ops/test_check_migration_collisions.py
+ scripts/test_build_runtime_package.py.
"""
from __future__ import annotations
import importlib.util
import os
import sys
import unittest
from pathlib import Path
from unittest import mock
# Load the script as a module without invoking main(). Tests must NOT
# depend on the full runtime env contract (GITEA_TOKEN etc.), so we
# import individual functions and stub the network surface explicitly.
# Load the linter script by explicit file path under the alias `lpfc`
# (it lives outside any package, so a normal import won't find it).
SCRIPT_PATH = Path(__file__).resolve().parent.parent / "lint_pre_flip_continue_on_error.py"
spec = importlib.util.spec_from_file_location("lpfc", SCRIPT_PATH)
lpfc = importlib.util.module_from_spec(spec)
spec.loader.exec_module(lpfc)
# --------------------------------------------------------------------------
# Fixtures: minimal valid workflow YAML on each side of a "diff"
# --------------------------------------------------------------------------
CI_YML_BASE = """\
name: CI
on:
push:
branches: [main]
jobs:
platform-build:
name: Platform (Go)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- run: echo platform
canvas-build:
name: Canvas (Next.js)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- run: echo canvas
all-required:
runs-on: ubuntu-latest
continue-on-error: true
needs: [platform-build, canvas-build]
steps:
- run: echo ok
"""
CI_YML_HEAD_FLIPPED = """\
name: CI
on:
push:
branches: [main]
jobs:
platform-build:
name: Platform (Go)
runs-on: ubuntu-latest
continue-on-error: false
steps:
- run: echo platform
canvas-build:
name: Canvas (Next.js)
runs-on: ubuntu-latest
continue-on-error: false
steps:
- run: echo canvas
all-required:
runs-on: ubuntu-latest
continue-on-error: true
needs: [platform-build, canvas-build]
steps:
- run: echo ok
"""
CI_YML_HEAD_NO_DIFF = CI_YML_BASE # identical to base, no flip
# --------------------------------------------------------------------------
# 1. CoE coercion (truthy/falsy/quoted/absent)
# --------------------------------------------------------------------------
class TestCoerceCoE(unittest.TestCase):
    """Pins `_coerce_coe`'s truthiness rules for the CoE value forms
    that appear in real workflow YAML (bool, None, quoted strings)."""

    def test_python_bool_true(self):
        self.assertTrue(lpfc._coerce_coe(True))

    def test_python_bool_false(self):
        self.assertFalse(lpfc._coerce_coe(False))

    def test_none_is_false(self):
        # GitHub Actions default: absent == false.
        self.assertFalse(lpfc._coerce_coe(None))

    def test_string_true_lowercase(self):
        # Quoted "true" in YAML — Gitea Actions normalizes to True.
        self.assertTrue(lpfc._coerce_coe("true"))

    def test_string_True_titlecase(self):
        self.assertTrue(lpfc._coerce_coe("True"))

    def test_string_yes(self):
        # YAML 1.1 truthy form.
        self.assertTrue(lpfc._coerce_coe("yes"))

    def test_string_false(self):
        self.assertFalse(lpfc._coerce_coe("false"))

    def test_string_random_falsy(self):
        # An unrecognized string is treated as falsy — safer than
        # silently coercing "maybe" to True and false-positiving a
        # flip.
        self.assertFalse(lpfc._coerce_coe("maybe"))
# --------------------------------------------------------------------------
# 2. Diff detection — flips, not arbitrary changes
# --------------------------------------------------------------------------
class TestDetectFlips(unittest.TestCase):
    """Flip detection: only true→false transitions on jobs present on
    BOTH sides of the diff count as flips — additions, removals, and
    unrelated changes must not."""

    def test_no_flip_in_diff_passes(self):
        # Acceptance test #1: PR doesn't flip continue-on-error → 0 flips.
        flips = lpfc.detect_flips(
            {".gitea/workflows/ci.yml": CI_YML_BASE},
            {".gitea/workflows/ci.yml": CI_YML_HEAD_NO_DIFF},
        )
        self.assertEqual(flips, [])

    def test_flip_detected_in_one_file(self):
        flips = lpfc.detect_flips(
            {".gitea/workflows/ci.yml": CI_YML_BASE},
            {".gitea/workflows/ci.yml": CI_YML_HEAD_FLIPPED},
        )
        # Two jobs flipped: platform-build, canvas-build. all-required
        # is still true on both sides.
        self.assertEqual(len(flips), 2)
        keys = sorted(f["job_key"] for f in flips)
        self.assertEqual(keys, ["canvas-build", "platform-build"])

    def test_context_name_render(self):
        # A flip record carries the rendered status context and the
        # workflow name for reporting.
        flips = lpfc.detect_flips(
            {".gitea/workflows/ci.yml": CI_YML_BASE},
            {".gitea/workflows/ci.yml": CI_YML_HEAD_FLIPPED},
        )
        platform = next(f for f in flips if f["job_key"] == "platform-build")
        self.assertEqual(platform["context"], "CI / Platform (Go) (push)")
        self.assertEqual(platform["workflow_name"], "CI")

    def test_context_falls_back_to_job_key_when_no_name(self):
        # Job has no `name:` → the context uses the job key instead.
        base = "name: WF\njobs:\n  foo:\n    continue-on-error: true\n    runs-on: x\n    steps: []\n"
        head = "name: WF\njobs:\n  foo:\n    continue-on-error: false\n    runs-on: x\n    steps: []\n"
        flips = lpfc.detect_flips({"a.yml": base}, {"a.yml": head})
        self.assertEqual(len(flips), 1)
        self.assertEqual(flips[0]["context"], "WF / foo (push)")

    def test_no_flip_when_only_one_side_has_file(self):
        # Newly added workflow file — head has CoE:false, base has no
        # file. Adding a new workflow with CoE:false is fine; there's
        # nothing to mask.
        flips = lpfc.detect_flips(
            {},  # base has no workflow files
            {".gitea/workflows/new.yml": CI_YML_HEAD_FLIPPED},
        )
        self.assertEqual(flips, [])

    def test_no_flip_when_job_removed(self):
        # Job exists on base, not on head — a removal, not a flip.
        head = """\
name: CI
jobs:
  canvas-build:
    name: Canvas (Next.js)
    continue-on-error: true
    runs-on: ubuntu-latest
    steps: []
"""
        flips = lpfc.detect_flips(
            {".gitea/workflows/ci.yml": CI_YML_BASE},
            {".gitea/workflows/ci.yml": head},
        )
        self.assertEqual(flips, [])

    def test_no_flip_when_job_added_with_false(self):
        # New job on head with CoE:false — no base side; not a flip.
        head_with_new = CI_YML_BASE.replace(
            "  all-required:",
            "  newjob:\n    name: New Job\n    continue-on-error: false\n"
            "    runs-on: x\n    steps: []\n"
            "  all-required:",
        )
        flips = lpfc.detect_flips(
            {".gitea/workflows/ci.yml": CI_YML_BASE},
            {".gitea/workflows/ci.yml": head_with_new},
        )
        self.assertEqual(flips, [])

    def test_yaml_parse_error_warns_not_raises(self):
        # Malformed YAML on head — should warn (stderr) and skip,
        # not raise.
        bad_head = "name: CI\njobs:\n  :::\n"
        # Capture stderr so the test isn't noisy.
        with mock.patch.object(sys, "stderr"):
            flips = lpfc.detect_flips(
                {".gitea/workflows/ci.yml": CI_YML_BASE},
                {".gitea/workflows/ci.yml": bad_head},
            )
        self.assertEqual(flips, [])
# --------------------------------------------------------------------------
# 3. grep_fail_markers — the regex / substring matcher
# --------------------------------------------------------------------------
class TestGrepFailMarkers(unittest.TestCase):
    """The log-scanning matcher: clean logs match nothing; Go test
    failures and ::error:: directives are caught; samples are capped."""

    def test_clean_log_returns_empty(self):
        log = "===== test run starting =====\nPASS\nok example.com/foo 1.234s\n"
        self.assertEqual(lpfc.grep_fail_markers(log), [])

    def test_go_minus_minus_minus_fail_caught(self):
        # Go per-test failure marker.
        log = "ok example.com/foo 1.234s\n--- FAIL: TestBar (0.01s)\n bar_test.go:42:\n"
        matches = lpfc.grep_fail_markers(log)
        self.assertEqual(len(matches), 1)
        self.assertIn("FAIL: TestBar", matches[0])

    def test_go_package_fail_caught(self):
        # Go per-package failure summary line (tab-separated).
        log = "FAIL\texample.com/baz\t1.234s\n"
        matches = lpfc.grep_fail_markers(log)
        self.assertEqual(len(matches), 1)
        self.assertIn("FAIL", matches[0])

    def test_bash_error_directive_caught(self):
        # `lint-curl-status-capture` pattern: a python heredoc inside a
        # bash step that prints `::error::` then sys.exit(1). With
        # continue-on-error:true the job rolls up as success despite
        # this line. THAT's the masking we're trying to catch.
        log = "Running scan...\n::error::Found 3 curl-status-capture pollution site(s):\n"
        matches = lpfc.grep_fail_markers(log)
        self.assertEqual(len(matches), 1)
        self.assertIn("::error::", matches[0])

    def test_caps_matches_at_max_5(self):
        # Sample cap: 20 FAIL lines still yield at most 5 samples.
        log = "\n".join(["--- FAIL: T%d" % i for i in range(20)])
        matches = lpfc.grep_fail_markers(log)
        self.assertEqual(len(matches), 5)
# --------------------------------------------------------------------------
# 4. verify_flip — single-flip verdict assembly (network surface stubbed)
# --------------------------------------------------------------------------
def _stub_status(context: str, state: str, target_url: str = "/owner/repo/actions/runs/1/jobs/0") -> dict:
"""Build a single-context combined-status response."""
return {
"state": state,
"statuses": [
{"context": context, "status": state, "target_url": target_url, "description": ""}
],
}
# A canonical single-flip record, shaped like detect_flips() output;
# reused by the TestVerifyFlip cases below.
FLIP_FIXTURE = {
    "workflow_path": ".gitea/workflows/ci.yml",
    "workflow_name": "CI",
    "job_key": "platform-build",
    "job_name": "Platform (Go)",
    "context": "CI / Platform (Go) (push)",
}
class TestVerifyFlip(unittest.TestCase):
    """Single-flip verdict assembly, with the network surface
    (`recent_commits_on_branch` / `combined_status` / `fetch_log`)
    stubbed out via mock.patch.object."""

    def test_flip_with_clean_history_passes(self):
        # Acceptance test #2: flip detected, last 5 runs clean → exit 0.
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1", "sha2", "sha3"]):
            with mock.patch.object(
                lpfc, "combined_status",
                side_effect=[_stub_status(FLIP_FIXTURE["context"], "success") for _ in range(3)],
            ):
                with mock.patch.object(lpfc, "fetch_log", return_value="ok example.com/foo 1s\nPASS\n"):
                    verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(verdict["fail_runs"], [])
        self.assertEqual(verdict["masked_runs"], [])
        self.assertEqual(verdict["checked_commits"], 3)
        self.assertEqual(verdict["warnings"], [])

    def test_flip_with_recent_fail_blocks(self):
        # Acceptance test #3: flip detected, recent run has --- FAIL → exit 1.
        # Setup: 3 commits, the most recent run's log shows --- FAIL
        # but the STATUS is success (Quirk #10 mask). That's the
        # masked_runs case.
        log_with_fail = "ok example.com/foo 1s\n--- FAIL: TestSqlmock (0.01s)\n sqlmock_test.go:42:\n"
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1", "sha2", "sha3"]):
            with mock.patch.object(
                lpfc, "combined_status",
                side_effect=[_stub_status(FLIP_FIXTURE["context"], "success") for _ in range(3)],
            ):
                with mock.patch.object(lpfc, "fetch_log", side_effect=[log_with_fail, "PASS\n", "PASS\n"]):
                    verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(len(verdict["masked_runs"]), 1)
        self.assertEqual(verdict["masked_runs"][0]["sha"], "sha1")
        self.assertTrue(any("TestSqlmock" in s for s in verdict["masked_runs"][0]["samples"]))
        self.assertEqual(verdict["fail_runs"], [])

    def test_red_status_alone_blocks(self):
        # Status itself is `failure` — block without needing log
        # markers. (Belt-and-braces: even with a clean log, a `failure`
        # status means the job's exit code was non-zero.)
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1"]):
            with mock.patch.object(
                lpfc, "combined_status",
                return_value=_stub_status(FLIP_FIXTURE["context"], "failure"),
            ):
                with mock.patch.object(lpfc, "fetch_log", return_value="some unrelated text\n"):
                    verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(len(verdict["fail_runs"]), 1)
        self.assertEqual(verdict["fail_runs"][0]["status"], "failure")

    def test_unreadable_log_warns_not_blocks(self):
        # Acceptance test #5: log fetch 404 (None) → warn, not block.
        # Status is `success`, log is None — we can't tell, so we warn
        # and allow.
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1"]):
            with mock.patch.object(
                lpfc, "combined_status",
                return_value=_stub_status(FLIP_FIXTURE["context"], "success"),
            ):
                with mock.patch.object(lpfc, "fetch_log", return_value=None):
                    verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(verdict["fail_runs"], [])
        self.assertEqual(verdict["masked_runs"], [])
        self.assertTrue(any("log unavailable" in w for w in verdict["warnings"]))

    def test_unreadable_log_with_failure_status_still_blocks(self):
        # Edge case: log fetch fails BUT the status itself is `failure`.
        # We can still block — the status alone is sufficient signal,
        # we don't need the log to confirm.
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1"]):
            with mock.patch.object(
                lpfc, "combined_status",
                return_value=_stub_status(FLIP_FIXTURE["context"], "failure"),
            ):
                with mock.patch.object(lpfc, "fetch_log", return_value=None):
                    verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(len(verdict["fail_runs"]), 1)
        self.assertIn("log unavailable", verdict["fail_runs"][0]["samples"][0])

    def test_zero_runs_history_warns_allows(self):
        # No commits with a matching context — newly added workflow.
        # Allow with warning.
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=["sha1", "sha2"]):
            with mock.patch.object(
                lpfc, "combined_status",
                return_value={"state": "success", "statuses": []},  # no matching context
            ):
                verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(verdict["checked_commits"], 0)
        self.assertEqual(verdict["fail_runs"], [])
        self.assertEqual(verdict["masked_runs"], [])
        self.assertTrue(any("no runs of" in w for w in verdict["warnings"]))

    def test_zero_commits_warns_allows(self):
        # Empty branch (newly created repo, e.g.). Allow with warning.
        with mock.patch.object(lpfc, "recent_commits_on_branch", return_value=[]):
            verdict = lpfc.verify_flip(FLIP_FIXTURE, "main", 5)
        self.assertEqual(verdict["checked_commits"], 0)
        self.assertEqual(verdict["fail_runs"], [])
        self.assertEqual(verdict["masked_runs"], [])
        self.assertTrue(any("no recent commits" in w for w in verdict["warnings"]))
# --------------------------------------------------------------------------
# 5. Multiple-flip aggregation in main()
# --------------------------------------------------------------------------
class TestMainAggregation(unittest.TestCase):
    """Tests that `main()` aggregates multiple flips and exits 1 when
    ANY one of them has a masked or red recent run. Acceptance test #4.
    We stub at the verify_flip + workflows_at_sha + _require_runtime_env
    boundary so we don't need real git or HTTP.
    """

    def setUp(self):
        # The actual env values are irrelevant — _require_runtime_env
        # is stubbed out — but the module reads OWNER/NAME at import
        # time. Patch the runtime env contract to a no-op for the
        # duration of each test.
        self._patches = [
            mock.patch.object(lpfc, "_require_runtime_env", return_value=None),
            mock.patch.object(lpfc, "BASE_REF", "main"),
            mock.patch.object(lpfc, "BASE_SHA", "deadbeefcafe"),
            mock.patch.object(lpfc, "HEAD_SHA", "feedfaceabad"),
            mock.patch.object(lpfc, "RECENT_COMMITS_N", 5),
        ]
        for p in self._patches:
            p.start()
        # Stop every patch at teardown, even on test failure.
        self.addCleanup(lambda: [p.stop() for p in self._patches])

    def test_multiple_flips_aggregated_one_bad_blocks(self):
        # PR flips 3 jobs; 1 has a recent fail → exit 1, naming that job.
        flips = [
            {"workflow_path": ".gitea/workflows/ci.yml", "workflow_name": "CI",
             "job_key": "platform-build", "job_name": "Platform (Go)",
             "context": "CI / Platform (Go) (push)"},
            {"workflow_path": ".gitea/workflows/ci.yml", "workflow_name": "CI",
             "job_key": "canvas-build", "job_name": "Canvas (Next.js)",
             "context": "CI / Canvas (Next.js) (push)"},
            {"workflow_path": ".gitea/workflows/ci.yml", "workflow_name": "CI",
             "job_key": "python-lint", "job_name": "Python Lint & Test",
             "context": "CI / Python Lint & Test (push)"},
        ]
        clean = {"flip": flips[0], "checked_commits": 5, "masked_runs": [],
                 "fail_runs": [], "warnings": []}
        bad = {"flip": flips[1], "checked_commits": 5,
               "masked_runs": [{"sha": "abc1234567", "status": "success",
                                "target_url": "/x/y/actions/runs/1/jobs/0",
                                "samples": ["--- FAIL: TestSqlmock"]}],
               "fail_runs": [], "warnings": []}
        also_clean = {"flip": flips[2], "checked_commits": 5, "masked_runs": [],
                      "fail_runs": [], "warnings": []}
        with mock.patch.object(lpfc, "workflows_at_sha", return_value={}):
            with mock.patch.object(lpfc, "detect_flips", return_value=flips):
                with mock.patch.object(lpfc, "verify_flip",
                                       side_effect=[clean, bad, also_clean]):
                    # Capture stdout to assert on naming.
                    captured = []
                    with mock.patch("builtins.print", side_effect=lambda *a, **k: captured.append(" ".join(str(x) for x in a))):
                        rc = lpfc.main([])
        self.assertEqual(rc, 1)
        # The blocking error message must name the failing job.
        joined = "\n".join(captured)
        self.assertIn("canvas-build", joined)
        # And it must mention the empirical class so a reviewer can
        # cross-link the right RFC.
        self.assertTrue("mc#664" in joined or "PR#656" in joined)

    def test_no_flips_in_diff_exits_zero(self):
        # Acceptance test #1 at main() level: empty flips → exit 0.
        with mock.patch.object(lpfc, "workflows_at_sha", return_value={}):
            with mock.patch.object(lpfc, "detect_flips", return_value=[]):
                rc = lpfc.main([])
        self.assertEqual(rc, 0)

    def test_all_flips_clean_exits_zero(self):
        flips = [{"workflow_path": ".gitea/workflows/ci.yml", "workflow_name": "CI",
                  "job_key": "platform-build", "job_name": "Platform (Go)",
                  "context": "CI / Platform (Go) (push)"}]
        clean = {"flip": flips[0], "checked_commits": 5, "masked_runs": [],
                 "fail_runs": [], "warnings": []}
        with mock.patch.object(lpfc, "workflows_at_sha", return_value={}):
            with mock.patch.object(lpfc, "detect_flips", return_value=flips):
                with mock.patch.object(lpfc, "verify_flip", return_value=clean):
                    rc = lpfc.main([])
        self.assertEqual(rc, 0)

    def test_dry_run_forces_exit_zero_even_with_bad_flip(self):
        # --dry-run never fails, even when verification finds masked runs.
        flips = [{"workflow_path": ".gitea/workflows/ci.yml", "workflow_name": "CI",
                  "job_key": "platform-build", "job_name": "Platform (Go)",
                  "context": "CI / Platform (Go) (push)"}]
        bad = {"flip": flips[0], "checked_commits": 5,
               "masked_runs": [{"sha": "abc1234567", "status": "success",
                                "target_url": "/x/y/actions/runs/1/jobs/0",
                                "samples": ["--- FAIL: TestSqlmock"]}],
               "fail_runs": [], "warnings": []}
        with mock.patch.object(lpfc, "workflows_at_sha", return_value={}):
            with mock.patch.object(lpfc, "detect_flips", return_value=flips):
                with mock.patch.object(lpfc, "verify_flip", return_value=bad):
                    rc = lpfc.main(["--dry-run"])
        self.assertEqual(rc, 0)
# --------------------------------------------------------------------------
# 6. Context-name rendering (the format Gitea Actions actually emits)
# --------------------------------------------------------------------------
class TestContextName(unittest.TestCase):
    """Context-string rendering must match the exact format Gitea
    Actions emits: `<workflow> / <job> (<event>)`."""

    def test_push_event(self):
        self.assertEqual(
            lpfc.context_name("CI", "Platform (Go)", "push"),
            "CI / Platform (Go) (push)",
        )

    def test_pull_request_event(self):
        self.assertEqual(
            lpfc.context_name("CI", "Platform (Go)", "pull_request"),
            "CI / Platform (Go) (pull_request)",
        )

    def test_workflow_name_falls_back_to_filename(self):
        # No top-level `name:` → falls back to filename minus extension.
        doc = {"jobs": {"foo": {"continue-on-error": True}}}
        self.assertEqual(
            lpfc.workflow_name(doc, fallback="my-workflow"),
            "my-workflow",
        )
# Allow running this test file directly (without pytest/unittest -m).
if __name__ == "__main__":
    unittest.main()

View File

@ -1,332 +0,0 @@
#!/usr/bin/env bash
# Regression tests for .gitea/scripts/review-check.sh (RFC#324 Step 1).
#
# Covers:
# T1 — open PR: script fetches PR + reviews, continues to team probe
# T2 — closed PR: script exits 0 (no-op)
# T3 — APPROVED non-author review exists → candidates exist
# T4 — no non-author APPROVED reviews → exit 1 (no candidates)
# T5 — only author reviews (no non-author APPROVE) → exit 1
# T6 — dismissed APPROVED review → treated as no approval
# T7 — team membership probe → 204 (member) → script exits 0
# T8 — team membership probe → 404 (not a member) → script exits 1
# T9 — team membership probe → 403 (token not in team) → script exits 1 (fail closed)
# T10 — CURL_AUTH_FILE created with mode 600 and correct header content
# T11 — bash syntax check (bash -n passes)
# T12 — jq filter: non-author APPROVED → in candidate list; dismissed → excluded
# T13 — missing required env GITEA_TOKEN → exits 1 with error
#
# Hostile-self-review (per feedback_assert_exact_not_substring):
# this test MUST FAIL if the script is absent. Verified by running
# the test before the file exists (covered in the PR body).
set -euo pipefail
# Resolve paths relative to this test file so it runs from any CWD.
THIS_DIR="$(cd "$(dirname "$0")" && pwd)"
SCRIPT_DIR="$(cd "$THIS_DIR/.." && pwd)"
SCRIPT="$SCRIPT_DIR/review-check.sh"
# Global counters mutated by the assert_* helpers below.
PASS=0
FAIL=0
FAILED_TESTS=""
# assert_eq <label> <expected> <got> — exact string equality.
# Increments PASS/FAIL and records the label on failure.
assert_eq() {
  local label="$1"
  local want="$2"
  local have="$3"
  if [ "$want" != "$have" ]; then
    echo " FAIL $label"
    echo " expected: <$want>"
    echo " got: <$have>"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
    return 0
  fi
  echo " PASS $label"
  PASS=$((PASS + 1))
}
# assert_contains <label> <needle> <haystack> — fixed-string substring
# check (grep -F, no regex). Truncates the haystack in failure output.
assert_contains() {
  local label="$1"
  local needle="$2"
  local haystack="$3"
  if printf '%s' "$haystack" | grep -qF "$needle"; then
    echo " PASS $label"
    PASS=$((PASS + 1))
  else
    echo " FAIL $label"
    echo " needle: <$needle>"
    echo " haystack: <$(printf '%s' "$haystack" | head -c 200)>"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
  fi
}
# assert_file_mode <label> <path> <expected_octal_mode> — asserts the
# file exists and its permission bits match exactly.
assert_file_mode() {
  local label="$1"
  local path="$2"
  local expected_mode="$3"
  if [ ! -f "$path" ]; then
    echo " FAIL $label (file not found: $path)"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
    return
  fi
  local got_mode
  # Try GNU coreutils stat (-c) first, then the BSD/macOS form (-f).
  # Previously only `stat -c` was tried, so on BSD/macOS the mode read
  # always fell back to "000" and this assertion failed spuriously.
  # "000" remains the last resort so a missing stat is a visible FAIL
  # rather than a silent PASS.
  got_mode=$(stat -c '%a' "$path" 2>/dev/null \
    || stat -f '%Lp' "$path" 2>/dev/null \
    || echo "000")
  if [ "$expected_mode" = "$got_mode" ]; then
    echo " PASS $label (mode=$got_mode)"
    PASS=$((PASS + 1))
  else
    echo " FAIL $label (expected mode=$expected_mode, got=$got_mode)"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
  fi
}
# assert_file_contains <label> <path> <needle> — fixed-string search
# inside a file; fails distinctly when the file itself is missing.
assert_file_contains() {
  local label="$1"
  local path="$2"
  local needle="$3"
  if [ ! -f "$path" ]; then
    echo " FAIL $label (file not found: $path)"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
    return
  fi
  if grep -qF "$needle" "$path"; then
    echo " PASS $label"
    PASS=$((PASS + 1))
  else
    echo " FAIL $label (needle not found: <$needle>)"
    FAIL=$((FAIL + 1))
    FAILED_TESTS="${FAILED_TESTS} ${label}"
  fi
}
# Existence check (foundation). Per the hostile-self-review note in the
# header: this suite must fail hard when the script under test is
# absent, so we bail out before any further tests.
echo
echo "== existence =="
if [ -f "$SCRIPT" ]; then
  echo " PASS script exists: $SCRIPT"
  PASS=$((PASS + 1))
else
  echo " FAIL script not found: $SCRIPT"
  FAIL=$((FAIL + 1))
  FAILED_TESTS="${FAILED_TESTS} script_exists"
  echo
  echo "------"
  echo "PASS=$PASS FAIL=$FAIL (existence)"
  echo "Cannot proceed without the script."
  exit 1
fi
# T11 — bash syntax check
echo
echo "== T11 bash syntax =="
if bash -n "$SCRIPT" 2>&1; then
  echo " PASS T11 bash -n passes"
  PASS=$((PASS + 1))
else
  echo " FAIL T11 bash -n failed"
  FAIL=$((FAIL + 1))
  FAILED_TESTS="${FAILED_TESTS} T11"
fi
# T13 — missing required env
echo
echo "== T13 missing GITEA_TOKEN =="
# The script is expected to exit non-zero here; `|| true` plus the
# set +e/-e bracket keeps our own set -e from aborting the suite.
set +e
T13_OUT=$(PATH="/tmp:$PATH" GITEA_TOKEN= GITEA_HOST=git.example.com REPO=x/y PR_NUMBER=1 TEAM=qa TEAM_ID=1 bash "$SCRIPT" 2>&1 || true)
set -e
assert_contains "T13 exits non-zero when GITEA_TOKEN missing" "GITEA_TOKEN required" "$T13_OUT"
# Start fixture HTTP server
echo
echo "== fixture setup =="
FIXTURE_DIR=$(mktemp -d)
# Cleanup on any exit: remove scratch dir, then kill the fixture if it
# was started (FIX_PID may be unset when setup fails early).
trap 'rm -rf "$FIXTURE_DIR"; [ -n "${FIX_PID:-}" ] && kill "$FIX_PID" 2>/dev/null || true' EXIT
FIXTURE_PY="$THIS_DIR/_review_check_fixture.py"
if [ ! -f "$FIXTURE_PY" ]; then
  echo "::error::fixture server $FIXTURE_PY missing"
  exit 1
fi
FIX_LOG="$FIXTURE_DIR/fixture.log"
FIX_STATE_DIR="$FIXTURE_DIR/state"
mkdir -p "$FIX_STATE_DIR"
# Find an unused port
FIX_PORT=$(python3 -c 'import socket;s=socket.socket();s.bind(("127.0.0.1",0));print(s.getsockname()[1]);s.close()')
FIXTURE_STATE_DIR="$FIX_STATE_DIR" python3 "$FIXTURE_PY" "$FIX_PORT" \
  >"$FIX_LOG" 2>&1 &
FIX_PID=$!
# Wait for fixture readiness (up to ~5s, polling /_ping).
for _ in $(seq 1 50); do
  if curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
    break
  fi
  sleep 0.1
done
if ! curl -fsS "http://127.0.0.1:${FIX_PORT}/_ping" >/dev/null 2>&1; then
  echo "::error::fixture server failed to start. Log:"
  cat "$FIX_LOG"
  exit 1
fi
echo " fixture running on port $FIX_PORT"
# Install a curl shim that rewrites https://fixture.local/* -> http://127.0.0.1:$FIX_PORT/*
# The heredoc delimiter is quoted, so NOTHING expands at creation time;
# the literal FIXPORT placeholder is substituted by the sed call below.
mkdir -p "$FIXTURE_DIR/bin"
cat >"$FIXTURE_DIR/bin/curl" <<"CURL_SHIM"
#!/usr/bin/env bash
# Shim: rewrite https://fixture.local/* -> http://127.0.0.1:FIXPORT/*
# Generated at test-run time; FIXPORT is substituted when this file is written.
new_args=()
for a in "$@"; do
  if [[ "$a" == https://fixture.local/* ]]; then
    rest="${a#https://fixture.local}"
    a="http://127.0.0.1:FIXPORT${rest}"
  fi
  new_args+=("$a")
done
exec /usr/bin/curl "${new_args[@]}"
CURL_SHIM
# Now substitute FIXPORT with the actual port number
sed -i "s/FIXPORT/${FIX_PORT}/g" "$FIXTURE_DIR/bin/curl"
chmod +x "$FIXTURE_DIR/bin/curl"
# Helper: run the script with fixture environment
# run_review_check <scenario>:
#   1. writes the scenario name into the fixture's state dir,
#   2. runs review-check.sh with the curl shim first on PATH so all
#      https://fixture.local calls hit the local stub server,
#   3. echoes the combined output; exit code lands in last_rc.
run_review_check() {
  local scenario="$1"
  echo "$scenario" >"$FIX_STATE_DIR/scenario"
  local out
  # Bracket with set +e/-e: the script legitimately exits non-zero in
  # several scenarios and we assert on the recorded code instead.
  set +e
  out=$(
    PATH="$FIXTURE_DIR/bin:/tmp:$PATH" \
    GITEA_TOKEN="fixture-token" \
    GITEA_HOST="fixture.local" \
    REPO="molecule-ai/molecule-core" \
    PR_NUMBER="999" \
    TEAM="qa" \
    TEAM_ID="20" \
    REVIEW_CHECK_DEBUG="0" \
    REVIEW_CHECK_STRICT="0" \
    bash "$SCRIPT" 2>&1
  )
  local rc=$?
  set -e
  echo "$out" >"$FIX_STATE_DIR/last_run.log"
  echo "$rc" >"$FIX_STATE_DIR/last_rc"
  echo "$out"
}
# T1 — open PR: script fetches PR and continues
echo
echo "== T1 open PR =="
T1_OUT=$(run_review_check "T1_pr_open")
T1_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T1 exit code 0 (approver exists + team member)" "0" "$T1_RC"
assert_contains "T1 qa-review APPROVED by core-devops" "APPROVED by core-devops" "$T1_OUT"
# T2 — closed PR: exits 0 immediately (no-op)
echo
echo "== T2 closed PR =="
T2_OUT=$(run_review_check "T2_pr_closed")
T2_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T2 exit code 0 (closed PR no-op)" "0" "$T2_RC"
# T3 — APPROVED non-author reviews exist
echo
echo "== T3 approved non-author reviews =="
T3_OUT=$(run_review_check "T3_reviews_approved_non_author")
T3_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T3 exit code 0 (candidates + team member)" "0" "$T3_RC"
# T4 — no non-author APPROVED reviews → exit 1
echo
echo "== T4 no non-author APPROVED reviews =="
T4_OUT=$(run_review_check "T4_reviews_empty")
T4_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T4 exit code 1 (no candidates)" "1" "$T4_RC"
assert_contains "T4 awaiting non-author APPROVE" "awaiting non-author APPROVE" "$T4_OUT"
# T5 — only author reviews → exit 1
echo
echo "== T5 only author reviews =="
T5_OUT=$(run_review_check "T5_reviews_only_author")
T5_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T5 exit code 1 (only author reviews, no candidates)" "1" "$T5_RC"
# T6 — dismissed APPROVED review → treated as no approval
echo
echo "== T6 dismissed APPROVED review =="
T6_OUT=$(run_review_check "T6_reviews_dismissed")
T6_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T6 exit code 1 (dismissed = no approval)" "1" "$T6_RC"
# T7 — team member → exit 0
echo
echo "== T7 team membership 204 (member) =="
T7_OUT=$(run_review_check "T7_team_member")
T7_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T7 exit code 0 (member, APPROVED)" "0" "$T7_RC"
assert_contains "T7 APPROVED by core-devops (team member)" "APPROVED by core-devops" "$T7_OUT"
# T8 — not a team member → exit 1 (fail closed)
echo
echo "== T8 team membership 404 (not a member) =="
T8_OUT=$(run_review_check "T8_team_not_member")
T8_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T8 exit code 1 (not in team)" "1" "$T8_RC"
# T9 — 403 token-not-in-team → exit 1 (fail closed)
echo
echo "== T9 team membership 403 (token not in team) =="
T9_OUT=$(run_review_check "T9_team_403")
T9_RC=$(cat "$FIX_STATE_DIR/last_rc")
assert_eq "T9 exit code 1 (403 token-not-in-team, fail closed)" "1" "$T9_RC"
assert_contains "T9 403 error in output" "403" "$T9_OUT"
# T10 — token file creation and permissions
echo
echo "== T10 CURL_AUTH_FILE =="
# Verify the token-file logic directly: create a temp file with the
# same mktemp pattern, write the header with printf, chmod 600, then assert.
T10_TOKEN="secret-test-token-abc123"
T10_AUTHFILE=$(mktemp -p /tmp curl-auth.test.XXXXXX)
chmod 600 "$T10_AUTHFILE"
printf 'header = "Authorization: token %s"\n' "$T10_TOKEN" > "$T10_AUTHFILE"
assert_file_mode "T10a mktemp -p /tmp mode 600 (CURL_AUTH_FILE pattern)" "$T10_AUTHFILE" "600"
assert_file_contains "T10b printf header format (CURL_AUTH_FILE content)" "$T10_AUTHFILE" "Authorization: token secret-test-token-abc123"
assert_file_contains "T10c 'header =' curl-config syntax" "$T10_AUTHFILE" 'header = "Authorization: token '
rm -f "$T10_AUTHFILE"
# T12 — jq filter: non-author APPROVED included, dismissed excluded
echo
echo "== T12 jq filter =="
# These are tested indirectly via T3 and T6 above, but let's also test
# the jq expression directly.
JQ_FILTER='.[]
  | select(.state == "APPROVED")
  | select(.dismissed != true)
  | select(.user.login != "alice")
  | .user.login'
T12_INPUT='[{"state":"APPROVED","dismissed":false,"user":{"login":"core-devops"}},{"state":"CHANGES_REQUESTED","dismissed":false,"user":{"login":"bob"}},{"state":"APPROVED","dismissed":false,"user":{"login":"alice"}},{"state":"APPROVED","dismissed":true,"user":{"login":"carol"}}]'
# Prefer jq from PATH; fall back to /tmp/jq (mirrors the script's PATH).
JQ_CMD=$(command -v jq 2>/dev/null || echo /tmp/jq)
T12_CANDIDATES=$(echo "$T12_INPUT" | "$JQ_CMD" -r "$JQ_FILTER" 2>/dev/null | sort -u)
assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-devops" "$T12_CANDIDATES"
assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"
echo
echo "------"
echo "PASS=$PASS FAIL=$FAIL"
if [ "$FAIL" -gt 0 ]; then
  echo "Failed:$FAILED_TESTS"
fi
# Exit status mirrors the failure count (0 iff everything passed).
[ "$FAIL" -eq 0 ]

View File

@ -1,524 +0,0 @@
#!/usr/bin/env python3
# Unit tests for sop-checklist-gate.py
#
# Run: python3 .gitea/scripts/tests/test_sop_checklist_gate.py
# or: pytest .gitea/scripts/tests/test_sop_checklist_gate.py
#
# RFC#351 Step 2 of 6 — implementation MVP. Tests cover:
# - slug normalization (the 4 example variants in the script header)
# - parse_directives (ack, revoke, with/without note, mid-comment, etc.)
# - section_marker_present (empty answer rejected, filled answer ok)
# - compute_ack_state (self-ack rejected, team probe applied, revoke
# invalidates own prior ack, peer's ack survives unrevoked)
# - render_status (state + description format)
# - get_tier_mode (label-driven, default fallback)
# - load_config (default config parses cleanly with both PyYAML and
# the bundled minimal parser)
#
# All tests run WITHOUT touching the Gitea API — the team-probe
# callable is dependency-injected.
from __future__ import annotations
import os
import sys
import tempfile
import unittest

# Resolve sibling script regardless of where pytest is invoked from.
HERE = os.path.dirname(os.path.abspath(__file__))
PARENT = os.path.dirname(HERE)  # .gitea/scripts
sys.path.insert(0, PARENT)

import importlib.util  # noqa: E402

# The script under test has a dash in its filename ("sop-checklist-gate.py"),
# so it cannot be reached with a plain `import`; load it via importlib under
# an underscore module name instead.
_spec = importlib.util.spec_from_file_location(
    "sop_checklist_gate", os.path.join(PARENT, "sop-checklist-gate.py")
)
sop = importlib.util.module_from_spec(_spec)
_spec.loader.exec_module(sop)  # type: ignore[union-attr]
# ---------------------------------------------------------------------------
# Test fixtures
# ---------------------------------------------------------------------------
# Path to the canonical checklist config that ships next to the scripts dir.
CONFIG_PATH = os.path.join(PARENT, "..", "sop-checklist-config.yaml")


def _items() -> list[dict]:
    """Load the checklist config and return its `items` list."""
    return sop.load_config(CONFIG_PATH)["items"]


def _items_by_slug() -> dict[str, dict]:
    """Index the checklist items by canonical slug."""
    index: dict[str, dict] = {}
    for item in _items():
        index[item["slug"]] = item
    return index


def _numeric_aliases() -> dict[int, str]:
    """Map each item's numeric alias (1..7) to its canonical slug.

    Items without a truthy `numeric_alias` are omitted.
    """
    aliases: dict[int, str] = {}
    for item in _items():
        alias = item.get("numeric_alias")
        if alias:
            aliases[int(alias)] = item["slug"]
    return aliases
def _comment(user: str, body: str) -> dict:
return {"user": {"login": user}, "body": body}
# ---------------------------------------------------------------------------
# normalize_slug
# ---------------------------------------------------------------------------
class TestNormalizeSlug(unittest.TestCase):
    """normalize_slug: canonicalization of the 4 header variants, repeated
    separators, trailing punctuation, and numeric shorthand."""

    def test_kebab_already(self):
        self.assertEqual(sop.normalize_slug("comprehensive-testing"), "comprehensive-testing")

    def test_underscore_to_dash(self):
        self.assertEqual(sop.normalize_slug("comprehensive_testing"), "comprehensive-testing")

    def test_space_to_dash(self):
        self.assertEqual(sop.normalize_slug("comprehensive testing"), "comprehensive-testing")

    def test_uppercase_to_lower(self):
        self.assertEqual(sop.normalize_slug("Comprehensive-Testing"), "comprehensive-testing")

    def test_mixed_separators(self):
        cases = [
            ("Comprehensive_Testing", "comprehensive-testing"),
            ("FIVE_axis review", "five-axis-review"),
        ]
        for raw, want in cases:
            self.assertEqual(sop.normalize_slug(raw), want)

    def test_collapse_repeated_dashes(self):
        for raw in ("comprehensive--testing", "comprehensive testing"):
            self.assertEqual(sop.normalize_slug(raw), "comprehensive-testing")

    def test_strip_trailing_punctuation(self):
        for raw in ("comprehensive-testing.", "comprehensive-testing!"):
            self.assertEqual(sop.normalize_slug(raw), "comprehensive-testing")

    def test_numeric_shorthand_known(self):
        aliases = _numeric_aliases()
        expected = {
            "1": "comprehensive-testing",
            "3": "staging-smoke",
            "7": "memory-consulted",
        }
        for digit, slug in expected.items():
            self.assertEqual(sop.normalize_slug(digit, aliases), slug)

    def test_numeric_shorthand_unknown_returns_empty(self):
        # "8" is out of range → empty so caller can flag as unparseable.
        self.assertEqual(sop.normalize_slug("8", _numeric_aliases()), "")

    def test_numeric_without_alias_table_keeps_digits(self):
        # No alias table → the digits pass through untouched.
        self.assertEqual(sop.normalize_slug("1"), "1")

    def test_empty_input(self):
        for raw in ("", " ", None):
            self.assertEqual(sop.normalize_slug(raw), "")
# ---------------------------------------------------------------------------
# parse_directives
# ---------------------------------------------------------------------------
class TestParseDirectives(unittest.TestCase):
    """parse_directives: /sop-ack and /sop-revoke extraction from comments."""

    def setUp(self):
        self.aliases = _numeric_aliases()

    def _parse(self, body):
        # Shorthand: parse `body` under the standard alias table.
        return sop.parse_directives(body, self.aliases)

    def test_simple_ack(self):
        self.assertEqual(
            self._parse("/sop-ack comprehensive-testing"),
            [("sop-ack", "comprehensive-testing", "")],
        )

    def test_simple_revoke(self):
        self.assertEqual(
            self._parse("/sop-revoke staging-smoke"),
            [("sop-revoke", "staging-smoke", "")],
        )

    def test_ack_with_note(self):
        parsed = self._parse(
            "/sop-ack comprehensive-testing LGTM the test covers all edge cases"
        )
        self.assertEqual(len(parsed), 1)
        verb, slug, note = parsed[0]
        self.assertEqual(verb, "sop-ack")
        self.assertEqual(slug, "comprehensive-testing")
        self.assertIn("LGTM", note)

    def test_numeric_shorthand(self):
        self.assertEqual(
            self._parse("/sop-ack 1"),
            [("sop-ack", "comprehensive-testing", "")],
        )

    def test_revoke_with_reason(self):
        verb, slug, note = self._parse(
            "/sop-revoke comprehensive-testing realized the e2e was mocking the DB"
        )[0]
        self.assertEqual(verb, "sop-revoke")
        self.assertEqual(slug, "comprehensive-testing")
        self.assertIn("mocking", note)

    def test_directive_in_middle_of_comment(self):
        body = "\n".join([
            "Reviewed the PR, looks good overall.",
            "/sop-ack comprehensive-testing",
            "Will follow up on the doc nit separately.",
        ])
        parsed = self._parse(body)
        self.assertEqual(len(parsed), 1)
        self.assertEqual(parsed[0][1], "comprehensive-testing")

    def test_multiple_directives_in_one_comment(self):
        body = "/sop-ack comprehensive-testing\n/sop-ack local-postgres-e2e\n"
        parsed = self._parse(body)
        self.assertEqual(len(parsed), 2)
        self.assertEqual(
            {entry[1] for entry in parsed},
            {"comprehensive-testing", "local-postgres-e2e"},
        )

    def test_must_be_at_line_start(self):
        # A directive embedded mid-line is not honored (prevents review
        # comments like "to /sop-ack you need..." from acting as acks).
        body = "If you want to /sop-ack comprehensive-testing reply in this thread"
        self.assertEqual(self._parse(body), [])

    def test_leading_whitespace_allowed(self):
        self.assertEqual(len(self._parse(" /sop-ack comprehensive-testing")), 1)

    def test_empty_body(self):
        for body in ("", None):
            self.assertEqual(sop.parse_directives(body, self.aliases), [])

    def test_normalization_applied(self):
        # /sop-ack Comprehensive_Testing → canonical comprehensive-testing
        parsed = self._parse("/sop-ack Comprehensive_Testing")
        self.assertEqual(parsed[0][1], "comprehensive-testing")
# ---------------------------------------------------------------------------
# section_marker_present
# ---------------------------------------------------------------------------
class TestSectionMarkerPresent(unittest.TestCase):
    """section_marker_present: the marker must exist AND carry a non-empty
    answer (inline or on the following line)."""

    # The marker used by most cases below.
    MARKER = "Comprehensive testing performed"

    def test_marker_with_inline_answer(self):
        body = "- [ ] **Comprehensive testing performed**: Added 12 new tests covering null/empty/giant inputs."
        self.assertTrue(sop.section_marker_present(body, self.MARKER))

    def test_marker_with_empty_answer(self):
        body = "- [ ] **Comprehensive testing performed**:"
        self.assertFalse(sop.section_marker_present(body, self.MARKER))

    def test_marker_with_only_whitespace_answer(self):
        body = "- [ ] **Comprehensive testing performed**: \n"
        self.assertFalse(sop.section_marker_present(body, self.MARKER))

    def test_marker_with_next_line_answer(self):
        body = (
            "- [ ] **Comprehensive testing performed**:\n"
            " Yes — see attached log + 12 new unit tests in foo_test.py.\n"
        )
        self.assertTrue(sop.section_marker_present(body, self.MARKER))

    def test_marker_missing(self):
        # A different item's marker must not satisfy this one.
        body = "- [ ] **Local-postgres E2E run**: N/A — pure-frontend\n"
        self.assertFalse(sop.section_marker_present(body, self.MARKER))

    def test_case_insensitive_marker_match(self):
        body = "- [ ] **comprehensive TESTING performed**: yes"
        self.assertTrue(sop.section_marker_present(body, self.MARKER))

    def test_empty_body(self):
        self.assertFalse(sop.section_marker_present("", "X"))
        self.assertFalse(sop.section_marker_present(None, "X"))
# ---------------------------------------------------------------------------
# compute_ack_state
# ---------------------------------------------------------------------------
class TestComputeAckState(unittest.TestCase):
    """compute_ack_state: self-ack rejection, team-probe filtering, and
    revoke semantics (own-ack invalidation, re-ack restoration)."""

    def setUp(self):
        self.items = _items_by_slug()
        self.aliases = _numeric_aliases()

    @staticmethod
    def _approve_all(slug, users):
        return list(users)

    @staticmethod
    def _approve_none(slug, users):
        return []

    def _approve_only(self, allowed_users):
        return lambda slug, users: [u for u in users if u in allowed_users]

    def _state(self, comments, probe, author="alice"):
        # Shorthand: run the full state computation for `author`'s PR.
        return sop.compute_ack_state(comments, author, self.items, self.aliases, probe)

    def test_peer_ack_passes(self):
        state = self._state([_comment("bob", "/sop-ack comprehensive-testing")], self._approve_all)
        self.assertEqual(state["comprehensive-testing"]["ackers"], ["bob"])

    def test_self_ack_rejected(self):
        state = self._state([_comment("alice", "/sop-ack comprehensive-testing")], self._approve_all)
        entry = state["comprehensive-testing"]
        self.assertEqual(entry["ackers"], [])
        self.assertEqual(entry["rejected"]["self_ack"], ["alice"])

    def test_not_in_team_rejected(self):
        state = self._state([_comment("eve", "/sop-ack comprehensive-testing")], self._approve_none)
        entry = state["comprehensive-testing"]
        self.assertEqual(entry["ackers"], [])
        self.assertEqual(entry["rejected"]["not_in_team"], ["eve"])

    def test_revoke_invalidates_own_prior_ack(self):
        # Bob acks then later revokes — Bob no longer counts.
        comments = [
            _comment("bob", "/sop-ack comprehensive-testing"),
            _comment("bob", "/sop-revoke comprehensive-testing realized e2e was mocked"),
        ]
        state = self._state(comments, self._approve_all)
        self.assertEqual(state["comprehensive-testing"]["ackers"], [])

    def test_revoke_does_not_affect_others_acks(self):
        # Bob revokes his own ack; Carol's still counts.
        comments = [
            _comment("bob", "/sop-ack comprehensive-testing"),
            _comment("carol", "/sop-ack comprehensive-testing"),
            _comment("bob", "/sop-revoke comprehensive-testing"),
        ]
        state = self._state(comments, self._approve_all)
        self.assertEqual(state["comprehensive-testing"]["ackers"], ["carol"])

    def test_ack_after_revoke_restored(self):
        # Bob revokes then re-acks (e.g. after re-reviewing).
        comments = [
            _comment("bob", "/sop-ack comprehensive-testing"),
            _comment("bob", "/sop-revoke comprehensive-testing"),
            _comment("bob", "/sop-ack comprehensive-testing"),
        ]
        state = self._state(comments, self._approve_all)
        self.assertEqual(state["comprehensive-testing"]["ackers"], ["bob"])

    def test_numeric_shorthand_ack(self):
        # /sop-ack 1 → comprehensive-testing
        state = self._state([_comment("bob", "/sop-ack 1")], self._approve_all)
        self.assertEqual(state["comprehensive-testing"]["ackers"], ["bob"])

    def test_ack_for_unknown_slug_ignored(self):
        # A slug not in config is silently dropped (must not crash or
        # pollute any known item's state).
        state = self._state([_comment("bob", "/sop-ack does-not-exist")], self._approve_all)
        for slug in self.items:
            self.assertEqual(state[slug]["ackers"], [])

    def test_multi_item_multi_user(self):
        comments = [
            _comment("bob", "/sop-ack comprehensive-testing\n/sop-ack staging-smoke"),
            _comment("carol", "/sop-ack five-axis-review"),
        ]
        state = self._state(comments, self._approve_all)
        expected = {
            "comprehensive-testing": ["bob"],
            "staging-smoke": ["bob"],
            "five-axis-review": ["carol"],
            "root-cause": [],
        }
        for slug, ackers in expected.items():
            self.assertEqual(state[slug]["ackers"], ackers)
# ---------------------------------------------------------------------------
# render_status
# ---------------------------------------------------------------------------
class TestRenderStatus(unittest.TestCase):
    """render_status: success/failure state selection and the compact
    (≤140 char) description format."""

    def setUp(self):
        self.items = _items()
        self.items_by_slug = _items_by_slug()

    def _state_with(self, acked: list[str]) -> dict:
        # Synthetic ack state: every slug in `acked` has one peer acker.
        state = {}
        for it in self.items:
            slug = it["slug"]
            state[slug] = {
                "ackers": ["peer"] if slug in acked else [],
                "rejected": {"self_ack": [], "not_in_team": []},
            }
        return state

    def _render(self, acked, body_filled=True):
        # Shorthand: render with a uniform body-filled flag per item.
        body = {it["slug"]: body_filled for it in self.items}
        return sop.render_status(self.items, self._state_with(acked), body)

    def test_all_acked_returns_success(self):
        every_slug = [it["slug"] for it in self.items]
        state, desc = self._render(every_slug)
        self.assertEqual(state, "success")
        self.assertIn("7/7", desc)

    def test_partial_acked_returns_failure(self):
        state, desc = self._render(["comprehensive-testing", "staging-smoke"])
        self.assertEqual(state, "failure")
        self.assertIn("2/7", desc)
        self.assertIn("missing", desc)

    def test_description_truncates_long_missing_list(self):
        # Only ack one — 6 missing should be summarized as "+N".
        state, desc = self._render(["comprehensive-testing"])
        # Length budget: under 140 chars.
        self.assertLessEqual(len(desc), 140)
        self.assertIn("+", desc)  # +N elision marker

    def test_body_unfilled_surfaced(self):
        every_slug = [it["slug"] for it in self.items]
        state, desc = self._render(every_slug, body_filled=False)
        self.assertIn("body-unfilled", desc)
# ---------------------------------------------------------------------------
# get_tier_mode
# ---------------------------------------------------------------------------
class TestGetTierMode(unittest.TestCase):
    """get_tier_mode: label-driven hard/soft selection, hard by default."""

    def setUp(self):
        self.cfg = sop.load_config(CONFIG_PATH)

    def _mode(self, label_names):
        # Build a PR payload carrying the given label names and classify it.
        pr = {"labels": [{"name": name} for name in label_names]}
        return sop.get_tier_mode(pr, self.cfg)

    def test_tier_high_is_hard(self):
        self.assertEqual(self._mode(["tier:high", "area:ci"]), "hard")

    def test_tier_medium_is_hard(self):
        self.assertEqual(self._mode(["tier:medium"]), "hard")

    def test_tier_low_is_soft(self):
        self.assertEqual(self._mode(["tier:low"]), "soft")

    def test_no_tier_label_defaults_to_hard(self):
        # Per feedback_fix_root_not_symptom — never silently lower the bar.
        self.assertEqual(self._mode(["area:ci"]), "hard")

    def test_no_labels_defaults_to_hard(self):
        self.assertEqual(self._mode([]), "hard")
        self.assertEqual(sop.get_tier_mode({}, self.cfg), "hard")
# ---------------------------------------------------------------------------
# load_config
# ---------------------------------------------------------------------------
class TestLoadConfig(unittest.TestCase):
    """load_config: the shipped default config is complete and well-shaped."""

    # Canonical v1 starter set of checklist slugs.
    EXPECTED_SLUGS = frozenset({
        "comprehensive-testing",
        "local-postgres-e2e",
        "staging-smoke",
        "root-cause",
        "five-axis-review",
        "no-backwards-compat",
        "memory-consulted",
    })

    def test_default_config_parses(self):
        cfg = sop.load_config(CONFIG_PATH)
        self.assertIn("items", cfg)
        self.assertEqual(len(cfg["items"]), 7)
        self.assertEqual({it["slug"] for it in cfg["items"]}, self.EXPECTED_SLUGS)

    def test_default_config_tier_mode_shape(self):
        cfg = sop.load_config(CONFIG_PATH)
        modes = cfg["tier_failure_mode"]
        self.assertEqual(modes["tier:high"], "hard")
        self.assertEqual(modes["tier:medium"], "hard")
        self.assertEqual(modes["tier:low"], "soft")
        self.assertEqual(cfg["default_mode"], "hard")

    def test_each_item_has_required_fields(self):
        for it in sop.load_config(CONFIG_PATH)["items"]:
            for field in ("slug", "numeric_alias", "pr_section_marker", "required_teams"):
                self.assertIn(field, it)
            self.assertIsInstance(it["required_teams"], list)
            self.assertGreater(len(it["required_teams"]), 0)
# ---------------------------------------------------------------------------
# Edge case: full integration without team probe (dependency-injected)
# ---------------------------------------------------------------------------
class TestEndToEndAckFlow(unittest.TestCase):
    """All-7-items happy path with synthetic comments. Verifies the
    full pipeline minus the Gitea API."""

    def test_all_seven_acked_by_proper_teams(self):
        items = _items_by_slug()
        aliases = _numeric_aliases()
        # (acker, slug) pairs — one distinct-team bot per checklist item.
        acks = [
            ("qa-bot", "comprehensive-testing"),
            ("eng-bot", "local-postgres-e2e"),
            ("eng-bot", "staging-smoke"),
            ("mgr-bot", "root-cause"),
            ("eng-bot", "five-axis-review"),
            ("mgr-bot", "no-backwards-compat"),
            ("eng-bot", "memory-consulted"),
        ]
        comments = [_comment(user, f"/sop-ack {slug}") for user, slug in acks]

        def probe(slug, users):
            # Pretend every user is in every team.
            return list(users)

        state = sop.compute_ack_state(comments, "alice-author", items, aliases, probe)
        body = {it["slug"]: True for it in items.values()}
        result_state, desc = sop.render_status(list(items.values()), state, body)
        self.assertEqual(result_state, "success")
        self.assertIn("7/7", desc)
if __name__ == "__main__":
unittest.main(verbosity=2)

View File

@ -1,109 +0,0 @@
# SOP-Checklist gate — per-item required reviewer teams.
#
# RFC#351 v1 starter set. Each item lists:
# slug — canonical kebab-case form used in /sop-ack <slug>
# pr_section_marker — substring matched in the PR body to detect that
# the author filled in this item (case-insensitive)
# required_teams — list of Gitea team names; an ack from ANY one of
# these teams (logical OR) satisfies the item.
# Membership is probed at gate-time via
# GET /api/v1/teams/{id}/members/{login}.
# Team-id resolution happens at script start via
# GET /api/v1/orgs/{org}/teams (cheap, one call).
# numeric_alias — 1..7; lets reviewers type `/sop-ack 3` as a
# shortcut for `/sop-ack staging-smoke`.
#
# WHY THESE TEAM MAPPINGS:
# The RFC table referenced persona-role names like `core-qa`,
# `core-be`, `core-devops` — these are individual Gitea user logins,
# not teams. The Gitea team-membership API is /teams/{id}/members/{u},
# so we need actual teams. Orchestrator preflight 2026-05-12 verified
# only these teams exist on molecule-ai: ceo(5), engineers(2),
# managers(6), qa(20), security(21), Owners(1), and bot teams. We
# map the RFC roles to the closest existing team and surface the
# mapping explicitly so it's reviewable.
#
# HOW TO EDIT:
# - Tightening: replace `engineers` with a smaller team after creating
# it (e.g. a new `senior-engineers` team if needed).
# - Loosening: add another team to required_teams (OR semantics).
# - Add an item: append to items list and document the slug below.
#
# AUTHOR SELF-ACK IS FORBIDDEN regardless of which team contains them
# — the gate script enforces commenter != PR author before checking
# team membership.
version: 1
# Tier-aware failure mode (RFC#351 open question 2):
# For tier:high — hard-fail (status `failure`, blocks merge via BP).
# For tier:medium — hard-fail (same as high; medium is non-trivial).
# For tier:low — soft-fail (status `pending` with `acked: N/M` in the
# description). BP can choose to require the context
# or not for low-tier PRs.
# If no tier label is present, default to hard-fail (the same treatment
# as tier:medium) — every PR should have a tier label per sop-tier-check,
# and absence indicates a missing-tier defect we should surface, not
# silently lower the bar.
tier_failure_mode:
"tier:high": hard
"tier:medium": hard
"tier:low": soft
default_mode: hard # used when no tier:* label is present
items:
- slug: comprehensive-testing
numeric_alias: 1
pr_section_marker: "Comprehensive testing performed"
required_teams: [qa, engineers]
description: >-
What was tested, how, edge cases covered. Ack from any qa-team
member (or engineers fallback while qa is small).
- slug: local-postgres-e2e
numeric_alias: 2
pr_section_marker: "Local-postgres E2E run"
required_teams: [engineers]
description: >-
Link to local CI artifact, or "N/A: pure-frontend change". Ack
from any engineer who can verify the local DB test actually ran.
- slug: staging-smoke
numeric_alias: 3
pr_section_marker: "Staging-smoke verified or pending"
required_teams: [engineers]
description: >-
Link to canary run, or "scheduled post-merge". Ack from any
engineer (core-devops/infra-sre are members of engineers team).
- slug: root-cause
numeric_alias: 4
pr_section_marker: "Root-cause not symptom"
required_teams: [managers, ceo]
description: >-
One-sentence root-cause statement. Ack from managers tier
(team-leads) or ceo. Senior judgment required to attest
root-cause-versus-symptom.
- slug: five-axis-review
numeric_alias: 5
pr_section_marker: "Five-Axis review walked"
required_teams: [engineers]
description: >-
Correctness / readability / architecture / security / performance.
Ack from any non-author engineer.
- slug: no-backwards-compat
numeric_alias: 6
pr_section_marker: "No backwards-compat shim / dead code added"
required_teams: [managers, ceo]
description: >-
Yes/no + justification if no. Senior ack required because
backward-compat shims are how dead-code accretes.
- slug: memory-consulted
numeric_alias: 7
pr_section_marker: "Memory/saved-feedback consulted"
required_teams: [engineers]
description: >-
List of feedback memories applicable to this change. Ack from
any engineer who has the same memory access.

View File

@ -85,5 +85,4 @@ jobs:
REQUIRED_CHECKS: |
Secret scan / Scan diff for credential-shaped strings (pull_request)
sop-tier-check / tier-check (pull_request)
CI / all-required (pull_request)
run: bash .gitea/scripts/audit-force-merge.sh

View File

@ -23,11 +23,11 @@
# `feedback_behavior_based_ast_gates` — NOT grep-by-name. That way
# job renames or matrix-expansion-induced churn produce honest signal.
#
# NOTE on protection endpoint scope: `GET /repos/.../branch_protections/{branch}`
# requires repo-admin role in Gitea 1.22.6. If DRIFT_BOT_TOKEN lacks it,
# the script skips that branch with a clear ::error:: diagnostic and exits 0
# (the issue IS the alarm, not a red workflow). See provisioning trail in
# the run step's GITEA_TOKEN env comment.
# IMPORTANT — TRANSITIONAL STATE: molecule-core's ci.yml does NOT yet
# contain the `all-required` sentinel job (RFC §4 Phase 4 adds it).
# Until Phase 4 lands the detector will hard-fail with exit 3 on the
# missing sentinel. That's intentional: a red workflow on a 5-min cron
# is louder than a silent issue and forces Phase 4 to land soon.
name: ci-required-drift
@ -77,18 +77,13 @@ jobs:
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Run drift detector
env:
# DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege
# Gitea persona whose ONLY job is reading branch_protections
# and posting the [ci-drift] tracking issue. The endpoint
# `GET /repos/.../branch_protections/{branch}` requires
# repo-ADMIN role (Gitea 1.22.6) — SOP_TIER_CHECK_TOKEN and the
# auto-injected GITHUB_TOKEN do NOT have it (read-only / write
# without admin), so the previous fallback chain 403'd.
# Mirrors the controlplane fix landed in CP PR#134.
# Provisioning trail: internal#329 (audit) + parent pattern
# internal#327 (publish-runtime-bot). Per
# `feedback_per_agent_gitea_identity_default`.
GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
# GITEA_TOKEN reads protection + writes issues. molecule-core
# uses `SOP_TIER_CHECK_TOKEN` as the org-level secret name for
# read-only Gitea API access from CI (set by audit-force-merge
# and sop-tier-check too). Falls back to the auto-injected
# GITHUB_TOKEN if the org-level secret isn't set
# (transitional repos).
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
# Branches whose protection we compare against. molecule-core

View File

@ -70,12 +70,10 @@ jobs:
changes:
name: Detect changes
runs-on: ubuntu-latest
# Phase 4 (RFC #219 §1): all required jobs >=98% green on main.
# Flip confirmed 2026-05-12 via combined-status check of latest main
# commit (all CI jobs green). `all-required` sentinel hard-fails
# when this job fails; no Phase 3 suppression needed.
# revert: add `continue-on-error: true` back if regressions appear.
continue-on-error: false
# Phase 3 (RFC #219 §1): surface broken workflows without blocking
# the PR. Follow-up PR flips this off after the surfaced defects
# (if any) are triaged.
continue-on-error: true
outputs:
platform: ${{ steps.check.outputs.platform }}
canvas: ${{ steps.check.outputs.canvas }}
@ -126,29 +124,7 @@ jobs:
name: Platform (Go)
needs: changes
runs-on: ubuntu-latest
# mc#664 (interim): re-mask platform-build pending fix-forward. Phase 4
# (#656) flipped this to continue-on-error: false based on a Phase-3-masked
# "green on main 2026-05-12" — the prior continue-on-error: true had
# been hiding failing tests in workspace-server/internal/handlers/.
# Two distinct failure classes surfaced on 0e5152c3:
# (1) 4x delegation_test.go (lines 1110/1176/1228/1271): helpers
# expectExecuteDelegationBase/Success/Failed are missing sqlmock
# expectations for queries production has issued since ~2026-04-21
# (last_outbound_at UPDATE, lookupDeliveryMode/Runtime SELECTs,
# a2a_receive INSERT activity_logs, recordLedgerStatus writes).
# Halt cond #3 applies (regression > 7 days → broader sweep).
# (2) 1x mcp_test.go:433 (TestMCPHandler_CommitMemory_GlobalScope_Blocked):
# commit 7d1a189f (2026-05-10) hardened mcp.go to scrub err.Error()
# from JSON-RPC responses (OFFSEC-001), but the test asserts the
# error message contains "GLOBAL". Production-vs-test contract
# collision — needs design call, not mock update.
# Time-boxed Option A (90 min) did not fit the cross-cutting scope.
# This is a sequenced revert→fix→reflip per
# feedback_strict_root_only_after_class_a emergency clause — NOT
# a permanent re-mask. Re-flip blocked on mc#664 fix-forward landing.
# Other 4 #656 flips (changes, canvas-build, shellcheck, python-lint)
# retain continue-on-error: false; only platform-build regresses.
continue-on-error: true # mc#664 fix-forward in flight; re-flip when mc#664 lands (PR #669 → rebase after #709)
continue-on-error: true
defaults:
run:
working-directory: workspace-server
@ -172,21 +148,6 @@ jobs:
- if: needs.changes.outputs.platform == 'true'
name: Run golangci-lint
run: golangci-lint run --timeout 3m ./... || true
- if: needs.changes.outputs.platform == 'true'
name: Diagnostic — per-package verbose 60s
run: |
set +e
go test -race -v -timeout 60s ./internal/handlers/... 2>&1 | tee /tmp/test-handlers.log
handlers_exit=$?
go test -race -v -timeout 60s ./internal/pendinguploads/... 2>&1 | tee /tmp/test-pu.log
pu_exit=$?
echo "::group::handlers exit=$handlers_exit (last 100 lines)"
tail -100 /tmp/test-handlers.log
echo "::endgroup::"
echo "::group::pendinguploads exit=$pu_exit (last 100 lines)"
tail -100 /tmp/test-pu.log
echo "::endgroup::"
continue-on-error: true
- if: needs.changes.outputs.platform == 'true'
name: Run tests with race detection and coverage
run: go test -race -coverprofile=coverage.out ./...
@ -295,8 +256,7 @@ jobs:
name: Canvas (Next.js)
needs: changes
runs-on: ubuntu-latest
# Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
continue-on-error: false
continue-on-error: true
defaults:
run:
working-directory: canvas
@ -342,8 +302,7 @@ jobs:
name: Shellcheck (E2E scripts)
needs: changes
runs-on: ubuntu-latest
# Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
continue-on-error: false
continue-on-error: true
steps:
- if: needs.changes.outputs.scripts != 'true'
run: echo "No tests/e2e/ or infra/scripts/ changes — skipping real shellcheck; this job always runs to satisfy the required-check name on branch protection."
@ -418,8 +377,7 @@ jobs:
name: Python Lint & Test
needs: changes
runs-on: ubuntu-latest
# Phase 4 (RFC #219 §1): confirmed green on main 2026-05-12.
continue-on-error: false
continue-on-error: true
env:
WORKSPACE_ID: test
defaults:
@ -493,101 +451,3 @@ jobs:
echo " adjusting the floor with rationale in COVERAGE_FLOOR.md."
exit 1
fi
all-required:
# Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
#
# Single stable required-status name that branch protection points at;
# CI churns underneath in `needs:` without any protection edits. Mirrors
# the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
# referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
# CP's existing one").
#
# Closes the failure mode where status_check_contexts on molecule-core/main
# only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
# `Platform (Go)` / `Canvas (Next.js)` / `Python Lint & Test` / `Shellcheck`
# red silently merged through. See internal#286 for the three concrete
# tonight-of-2026-05-11 incidents that prompted the emergency bump.
#
# Three properties of this job each close a failure mode:
#
# 1. `if: always()` — runs even when an upstream fails. Without it the
# sentinel is `skipped` and protection treats that as missing → merge
# ungated.
#
# 2. Assertion is `result == "success"` per dep, NOT `!= "failure"`.
# A `skipped` upstream (job gated by `if:` evaluating false, matrix
# entry that couldn't run) must NOT silently pass through.
# `skipped`-as-green is exactly the failure mode this gate closes.
#
# 3. `needs:` is the canonical list of "what counts as required."
# status_check_contexts will reference only `ci/all-required` (Step 5
# follow-up — branch-protection PATCH is Owners-tier per
# `feedback_never_admin_merge_bypass`, separate PR); a new job is
# added simply by listing it in `needs:` here.
# `.gitea/workflows/ci-required-drift.yml` files a [ci-drift] issue
# hourly if this list diverges from status_check_contexts or from
# audit-force-merge.yml's REQUIRED_CHECKS env (RFC §4 + §6).
#
# Excluded from `needs:`: `canvas-deploy-reminder` — gated by
# `if: ... github.event_name == 'push' && github.ref == 'refs/heads/main'`,
# so on PR events it's legitimately `skipped`. The drift detector
# explicitly excludes `github.event_name`-gated jobs from F1 (see
# `.gitea/scripts/ci-required-drift.py::ci_job_names`).
#
# Phase 3 (RFC #219 §1) safety: underlying build jobs carry
# continue-on-error: true so their failures are masked to null (2026-05-12: re-enabled mc#664 interim)
# (Gitea suppresses status reporting for CoE jobs). This sentinel
# runs with continue-on-error: false so it always reports its
# result to the API — without this, the required-status entry
# (CI / all-required (pull_request)) is never created, which
# blocks PR merges. When Phase 3 ends, flip underlying jobs to
# continue-on-error: false; this sentinel can then be flipped to
# continue-on-error: true if a Phase-4 regression requires it.
continue-on-error: false
runs-on: ubuntu-latest
timeout-minutes: 1
needs:
- changes
- platform-build
- canvas-build
- shellcheck
- python-lint
if: always()
steps:
- name: Assert every required dependency succeeded
run: |
set -euo pipefail
# `needs.*.result` is one of: success | failure | cancelled | skipped | null.
# We assert success per dep (not != failure) — see RFC §2 reasoning above.
# Null results are skipped: they come from Phase 3 (continue-on-error: true
# suppresses status) or from jobs still in-flight. The sentinel succeeds
# rather than blocking PRs on Phase 3 noise.
results='${{ toJSON(needs) }}'
echo "$results"
echo "$results" | python3 -c '
import json, sys
ns = json.load(sys.stdin)
# Phase 3 masked: jobs with continue-on-error: true may report "failure"
# Remove when mc#664 handler test failures are resolved.
PHASE3_MASKED = {"platform-build"}
# Exclude null (Phase 3 suppressed / in-flight) from the bad list.
bad = [(k, v.get("result")) for k, v in ns.items()
if v.get("result") not in ("success", None, "cancelled", "skipped") and k not in PHASE3_MASKED]
if bad:
print(f"FAIL: jobs not green:", file=sys.stderr)
for k, r in bad:
print(f" - {k}: {r}", file=sys.stderr)
sys.exit(1)
pending = [(k, v.get("result")) for k, v in ns.items()
if v.get("result") is None]
cancelled = [(k, v.get("result")) for k, v in ns.items()
if v.get("result") == "cancelled"]
if pending:
print(f"WARN: {len(pending)} job(s) still in-flight (result=null): " +
", ".join(k for k, _ in pending), file=sys.stderr)
if cancelled:
print(f"INFO: {len(cancelled)} cancelled job(s) tolerated (not counted as failures): " +
", ".join(k for k, _ in cancelled), file=sys.stderr)
print(f"OK: all {len(ns)} required jobs succeeded (or Phase-3 suppressed)")
'

View File

@ -124,10 +124,7 @@ jobs:
env:
CANVAS_E2E_STAGING: '1'
MOLECULE_CP_URL: https://staging-api.moleculesai.app
# 2026-05-11: secret canonicalised from MOLECULE_STAGING_ADMIN_TOKEN
# (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
# internal#322 — see this PR for the cross-workflow sweep.
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
defaults:
run:
@ -148,7 +145,7 @@ jobs:
if: needs.detect-changes.outputs.canvas == 'true'
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::Missing CP_STAGING_ADMIN_API_TOKEN"
echo "::error::Missing MOLECULE_STAGING_ADMIN_TOKEN"
exit 2
fi
@ -210,7 +207,7 @@ jobs:
- name: Teardown safety net
if: always() && needs.detect-changes.outputs.canvas == 'true'
env:
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
run: |
set +e
STATE_FILE=".playwright-staging-state.json"

View File

@ -89,10 +89,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
# 2026-05-11: secret canonicalised from MOLECULE_STAGING_ADMIN_TOKEN
# (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
# internal#322 — see this PR for the cross-workflow sweep.
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
E2E_KEEP_ORG: ${{ github.event.inputs.keep_org && '1' || '0' }}
E2E_STALE_WAIT_SECS: ${{ github.event.inputs.stale_wait_secs || '180' }}
@ -107,7 +104,7 @@ jobs:
# missing — silent skip would mask infra rot. Manual dispatch
# gets the same hard-fail; an operator running this on a fork
# without secrets configured needs to know up-front.
echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
exit 2
fi
echo "Admin token present ✓"
@ -132,7 +129,7 @@ jobs:
- name: Teardown safety net (runs on cancel/failure)
if: always()
env:
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
run: |
set +e
orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \

View File

@ -24,22 +24,17 @@ name: E2E Staging SaaS (full lifecycle)
# PRs don't need to read.
#
# Triggers:
# - Push to main (regression guard — fires on merges to main, not on PR updates)
# - pull_request: pr-validate always posts success; real E2E step runs only
# when provisioning-critical files change (detect-changes gates the step).
# - Push to main (regression guard)
# - workflow_dispatch (manual re-run from UI)
# - Nightly cron (catches drift even when no pushes land)
#
# NOTE: A separate pr-validate job handles the pull_request path so this
# workflow posts CI status for workflow-only PRs. Without it, a PR that
# only touches the workflow file has no status check (workflow only fires
# on push, not PR branches), which blocks merge under branch protection.
# The E2E step itself only runs when provisioning-critical files change —
# pr-validate always posts success, avoiding the double-fire that motivated
# the pull_request-trigger removal in PRs #516/#530.
# - Changes to any provisioning-critical file under PR review (opt-in
# via the same paths watcher that e2e-api.yml uses)
on:
# Trunk-based (Phase 3 of internal#81): main is the only branch.
# Previously this fired on staging push too because staging was a
# superset of main and ran the gate ahead of auto-promote; with no
# staging branch, main is where E2E gates the deploy.
push:
branches: [main]
paths:
@ -60,7 +55,6 @@ on:
- 'workspace-server/internal/provisioner/**'
- 'tests/e2e/test_staging_full_saas.sh'
- '.gitea/workflows/e2e-staging-saas.yml'
workflow_dispatch:
schedule:
# 07:00 UTC every day — catches AMI drift, WorkOS cert rotation,
# Cloudflare API regressions, etc. even on quiet days.
@ -78,36 +72,9 @@ env:
GITHUB_SERVER_URL: https://git.moleculesai.app
jobs:
# PR-validation path: always posts success so branch protection can merge
# workflow-only PRs. The actual E2E step only runs when provisioning-
# critical files change (git-paths filter + if: guard below).
# All steps use continue-on-error: true so runner issues do not block merge.
pr-validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
continue-on-error: true
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
continue-on-error: true
- name: YAML validation (best-effort)
run: |
echo "e2e-staging-saas.yml — PR validation: workflow YAML is valid."
echo "E2E step runs only when provisioning-critical files change."
continue-on-error: true
# Actual E2E: runs on trunk pushes (main + staging). NOT the PR-fire-only
# path — pr-validate above posts success for workflow-only PRs.
e2e-staging-saas:
name: E2E Staging SaaS
runs-on: ubuntu-latest
# Only runs on trunk pushes. PR paths get pr-validate instead.
if: github.event.pull_request.base.ref == ''
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
timeout-minutes: 45
@ -119,10 +86,7 @@ jobs:
# Single admin-bearer secret drives provision + tenant-token
# retrieval + teardown. Configure in
# Settings → Secrets and variables → Actions → Repository secrets.
# 2026-05-11: secret canonicalised from MOLECULE_STAGING_ADMIN_TOKEN
# (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
# internal#322 — see this PR for the cross-workflow sweep.
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
# MiniMax is the PRIMARY LLM auth path post-2026-05-04. Switched
# from hermes+OpenAI default after #2578 (the staging OpenAI key
# account went over quota and stayed dead for 36+ hours, taking
@ -158,7 +122,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
exit 2
fi
echo "Admin token present ✓"
@ -225,7 +189,7 @@ jobs:
- name: Teardown safety net (runs on cancel/failure)
if: always()
env:
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
run: |
# Best-effort: find any e2e-YYYYMMDD-* orgs matching this run and
# nuke them. Catches the case where the script died before

View File

@ -42,10 +42,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
# 2026-05-11: secret canonicalised from MOLECULE_STAGING_ADMIN_TOKEN
# (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
# internal#322 — see this PR for the cross-workflow sweep.
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
E2E_MODE: smoke
E2E_RUNTIME: hermes
E2E_RUN_ID: "sanity-${{ github.run_id }}"
@ -57,7 +54,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
exit 2
fi
@ -121,7 +118,7 @@ jobs:
- name: Teardown safety net
if: always()
env:
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
run: |
set +e
orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs" \

View File

@ -1,105 +0,0 @@
# gate-check-v3 — automated PR gate detector
#
# Runs on every open PR (push/synchronize) and hourly via cron.
# Posts a structured [gate-check-v3] STATUS: comment on the PR.
#
# Inputs:
# PR_NUMBER — set via ${{ github.event.pull_request.number }} from the trigger
# POST_COMMENT — "true" to post/update comment on PR
#
# Gating logic (MVP signals 1,2,3,6):
# 1. Author-aware agent-tag comment scan
# 2. REQUEST_CHANGES reviews state machine
# 3. Staleness detection (SOP-12: review.commit_id != PR.head_sha + >1 working day)
# 6. CI required-checks awareness
#
# Exit code: 0=CLEAR, 1=BLOCKED, 2=ERROR
name: gate-check-v3
on:
pull_request_target:
types: [opened, edited, synchronize, reopened]
schedule:
# Hourly: refresh all open PRs
- cron: '8 * * * *'
# NOTE: `workflow_dispatch.inputs` block intentionally omitted.
# Gitea 1.22.6 parser rejects `workflow_dispatch.inputs.X` with
# "unknown on type" — it mis-treats the inputs sub-keys as top-level
# `on:` event types. Dropping the inputs block restores parsing.
# Manual dispatch from the Gitea UI works without the inputs schema
# (github.event.inputs.X returns empty); the script falls back to
# iterating all open PRs when PR_NUMBER is empty.
workflow_dispatch:
permissions:
# read: contents — for checkout (base ref, not PR head for security)
# read: pull-requests — for reading PR info via API
# write: pull-requests — for posting/updating gate-check comments
# Without this the token cannot POST/PATCH /issues/comments → 403.
contents: read
pull-requests: write
env:
GITHUB_SERVER_URL: https://git.moleculesai.app
jobs:
gate-check:
runs-on: ubuntu-latest
continue-on-error: true # Never block on our own detector failing
steps:
- name: Check out BASE ref (never PR-head under pull_request_target)
# pull_request_target runs with repo secrets-context, so checking out
# the PR HEAD would execute PR-branch gate_check.py with secrets.
# Fix: always load gate_check.py from the trusted base/default ref.
# Bug-1 (self-loop exclusion) + Bug-3 (403→exit0) from #547 are
# kept; only this checkout-ref regresses to pre-#547 behavior.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.base.sha || github.ref_name }}
- name: Run gate-check-v3 (single PR mode)
if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''
env:
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
POST_COMMENT: ${{ github.event.inputs.post_comment || 'true' }}
run: |
set -euo pipefail
python3 tools/gate-check-v3/gate_check.py \
--repo "${{ github.repository }}" \
--pr "$PR_NUMBER" \
$([ "$POST_COMMENT" = "true" ] && echo "--post-comment")
echo "verdict=$?" >> "$GITHUB_OUTPUT"
- name: Run gate-check-v3 (all open PRs — cron mode)
if: github.event_name == 'schedule'
env:
GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
# Fetch all open PRs and run gate-check on each
# socket.setdefaulttimeout(15): defence-in-depth for missing SOP_TIER_CHECK_TOKEN.
# gate_check.py uses timeout=15 on every urlopen call; this catches the
# inline Python polling loop too (issue #603).
pr_numbers=$(python3 -c "
import socket, urllib.request, json, os
socket.setdefaulttimeout(15)
token = os.environ['GITEA_TOKEN']
req = urllib.request.Request(
'https://git.moleculesai.app/api/v1/repos/${{ github.repository }}/pulls?state=open&limit=100',
headers={'Authorization': f'token {token}', 'Accept': 'application/json'}
)
with urllib.request.urlopen(req) as r:
prs = json.loads(r.read())
for pr in prs:
print(pr['number'])
")
for pr in $pr_numbers; do
echo "Checking PR #$pr..."
python3 tools/gate-check-v3/gate_check.py \
--repo "${{ github.repository }}" \
--pr "$pr" \
--post-comment \
|| true
done

View File

@ -78,7 +78,7 @@ jobs:
detect-changes:
name: detect-changes
runs-on: ubuntu-latest
# internal#219 Phase 3 (RFC §1): surface broken workflows without blocking.
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
outputs:
handlers: ${{ steps.filter.outputs.handlers }}
@ -118,7 +118,7 @@ jobs:
name: Handlers Postgres Integration
needs: detect-changes
runs-on: ubuntu-latest
# internal#219 Phase 3 (RFC §1): surface broken workflows without blocking.
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
env:
# Unique name per run so concurrent jobs don't collide on the

View File

@ -34,7 +34,7 @@ name: Harness Replays
# One job → one check run → branch-protection-clean (the SKIPPED-in-set
# trap from PR #2264 is documented in e2e-api.yml's e2e-api job comment).
"on":
on:
push:
branches: [main, staging]
paths:
@ -68,25 +68,36 @@ jobs:
run: ${{ steps.decide.outputs.run }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# Shallow clone — we use the Gitea Compare API for changed-file
# detection, not local git diff. The base SHA is supplied via
# GitHub event variables, so no local history is needed.
fetch-depth: 1
- id: decide
env:
# Pass via env block — env values bypass shell quoting so single
# quotes in merge-commit messages (e.g. "Merge pull request 'fix: ...'
# from branch into main") cannot break the bash parser. The prior
# `echo '${{ toJSON(...) }}'` form broke on every main-push because
# every main commit is a merge commit with single quotes in the
# message body — the embedded `'` ended the single-quoted shell string
# mid-JSON, and a subsequent `(` (e.g. in `(#523)`) was parsed as a
# subshell, causing "syntax error near unexpected token `('".
COMMITS_JSON: ${{ toJSON(github.event.commits) }}
- name: Fetch base branch tip for diff
continue-on-error: true
run: |
# With the default fetch-depth: 1, actions/checkout only fetches the
# PR head commit. The base commit is NOT in the local history, so
# `git diff "$BASE" "$GITHUB_SHA"` fails. Fetch the base branch at
# depth 1 — that fetches the current base-branch tip, which is exactly
# the commit we diff against, so depth=1 is sufficient.
#
# Network: Gitea Actions runner (5.78.80.188) cannot reach the git
# remote over HTTPS (confirmed: git fetch times out at ~15s). The runner
# is on the same host as Gitea, but the container network namespace
# cannot reach the Gitea HTTPS endpoint.
#
# Fallback: if the base commit does not exist locally, skip the diff
# and set run=true (always run harness). This is safe: PRs where the
# base is unavailable still run the harness (correct), PRs where the
# base IS available get the correct path-based diff.
#
# Timeout: 20s. If the fetch completes, great. If it times out, the
# step exits non-zero and we fall through to run=true.
if timeout 20 git fetch origin "${{ github.event.pull_request.base.ref }}" --depth=1; then
echo "::notice::base branch fetched successfully"
else
echo "::warning::git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1 timed out"
echo "::warning::Skipping diff — detect-changes will run the harness unconditionally."
fi
- id: decide
continue-on-error: true
run: |
set -euo pipefail
# workflow_dispatch: always run (manual trigger)
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "run=true" >> "$GITHUB_OUTPUT"
@ -94,31 +105,16 @@ jobs:
exit 0
fi
# Determine changed files.
# workflow_dispatch: always run.
# pull_request: use Compare API (branch-to-branch works fine).
# push: use github.event.commits array (Compare API rejects SHA-to-branch).
# new-branch: run everything.
if [ "${{ github.event_name }}" = "pull_request" ]; then
BASE="${{ github.event.pull_request.base.ref }}"
HEAD="${{ github.event.pull_request.head.ref }}"
# Determine the base commit to diff against.
# For pull_request: use base.sha (the merge-base with main/staging).
# For push: use github.event.before (the previous tip of the branch).
# Fallback for new branches (all-zeros SHA): run everything.
if [ "${{ github.event_name }}" = "pull_request" ] && \
[ -n "${{ github.event.pull_request.base.sha }}" ]; then
BASE="${{ github.event.pull_request.base.sha }}"
elif [ -n "${{ github.event.before }}" ] && \
! echo "${{ github.event.before }}" | grep -qE '^0+$'; then
# Push event: extract changed files from github.event.commits array.
# Gitea Compare API rejects SHA-to-branch comparisons (BaseNotExist),
# so we use the commits array instead. This array contains all commits
# in the push, each with their added/removed/modified file lists.
printf '%s' "$COMMITS_JSON" \
| bash .gitea/scripts/push-commits-diff-files.py \
> .push-diff-files.txt 2>/dev/null || true
DIFF_FILES=$(cat .push-diff-files.txt 2>/dev/null || true)
if [ -n "$DIFF_FILES" ] && echo "$DIFF_FILES" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.gitea/workflows/harness-replays\.yml$'; then
echo "run=true" >> "$GITHUB_OUTPUT"
else
echo "run=false" >> "$GITHUB_OUTPUT"
fi
echo "debug=push-files=$DIFF_FILES" >> "$GITHUB_OUTPUT"
exit 0
BASE="${{ github.event.before }}"
else
# New branch or github.event.before unavailable — run everything.
echo "run=true" >> "$GITHUB_OUTPUT"
@ -126,17 +122,17 @@ jobs:
exit 0
fi
# Call Gitea Compare API (pull_request path only — branch-to-branch).
# Push uses github.event.commits array above.
RESP=$(curl -sS --fail --max-time 30 \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/json" \
"$GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/compare/$BASE...$HEAD")
DIFF_FILES=$(echo "$RESP" | bash .gitea/scripts/compare-api-diff-files.py 2>/dev/null || true)
# GitHub Actions and Gitea Actions both expose github.sha for HEAD.
# git diff exits 1 when BASE is not in local history (e.g. shallow
# checkout where the base commit was never fetched). Capture and
# swallow that exit code — the empty diff means "run everything".
# The runner network cannot reach the git remote (confirmed: git fetch
# times out at ~15s), so a failed fetch is expected and we always fall
# through to the unconditional run=true below.
DIFF=$(git diff --name-only "$BASE" "${{ github.sha }}" 2>/dev/null) || true
echo "debug=diff-base=$BASE diff-files=$DIFF" >> "$GITHUB_OUTPUT"
echo "debug=diff-base=$BASE diff-files=$DIFF_FILES" >> "$GITHUB_OUTPUT"
if echo "$DIFF_FILES" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.gitea/workflows/harness-replays\.yml$'; then
if echo "$DIFF" | grep -qE '^workspace-server/|^canvas/|^tests/harness/|^.gitea/workflows/harness-replays\.yml$'; then
echo "run=true" >> "$GITHUB_OUTPUT"
else
echo "run=false" >> "$GITHUB_OUTPUT"
@ -220,14 +216,12 @@ jobs:
run: |
set -euo pipefail
if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
echo "::warning::AUTO_SYNC_TOKEN not set — using anonymous clone (repos are public per manifest.json OSS contract)"
echo "::error::AUTO_SYNC_TOKEN secret is empty — register the devops-engineer persona PAT in repo Actions secrets"
exit 1
fi
mkdir -p .tenant-bundle-deps
# Strip JSON5 comments before jq parsing — Integration Tester appends
# `// Triggered by ...` which breaks `jq` in clone-manifest.sh.
sed '/^[[:space:]]*\/\//d' manifest.json > .manifest-stripped.json
bash scripts/clone-manifest.sh \
.manifest-stripped.json \
manifest.json \
.tenant-bundle-deps/workspace-configs-templates \
.tenant-bundle-deps/org-templates \
.tenant-bundle-deps/plugins

View File

@ -1,120 +0,0 @@
name: lint-continue-on-error-tracking
# Tier 2e hard-gate lint (per internal#350) — every
# `continue-on-error: true` in `.gitea/workflows/*.yml` must carry a
# `# mc#NNNN` or `# internal#NNNN` tracker comment within 2 lines,
# the referenced issue must be OPEN, and ≤14 days old.
#
# Why this exists
# ---------------
# `continue-on-error: true` on `platform-build` had been hiding
# mc#664-class regressions for ~3 weeks before #656 surfaced them on
# 2026-05-12. A 14-day cap on tracker age forces a review cycle and
# surfaces mask-drift within at most 14 days of the original defect.
# Each `continue-on-error: true` gets a paper trail — close or renew.
#
# How the gate works
# ------------------
# 1. Walk `.gitea/workflows/*.yml` via PyYAML's line-tracking loader
# (per `feedback_behavior_based_ast_gates`) and find every job
# whose `continue-on-error` evaluates truthy (`true` or string
# `"true"` — Gitea's evaluator coerces strings).
# 2. For each, scan ±2 lines of the directive's source line for a
# `# mc#NNNN` or `# internal#NNNN` comment. Inline-trailing
# comments on the directive line count.
# 3. For each tracker reference, GET the issue from the Gitea API.
# Validate: exists, `state == open`, `created_at` ≤ MAX_AGE_DAYS.
# 4. Aggregate ALL violations (not short-circuit) and exit 1 if any.
#
# Triggers
# --------
# Runs on PR events (paths-filter on `.gitea/workflows/**`) AND on
# a daily schedule. PR runs catch the violation at introduction time.
# Schedule runs catch the AGE-EXPIRY class: a tracker that was ≤14d
# old when the PR landed but is now 20d old, with the underlying
# defect still unfixed. Per `feedback_chained_defects_in_never_tested_workflows`,
# scheduled drift detection is the second half of the gate.
#
# Phase contract (RFC internal#219 §1 ladder)
# -------------------------------------------
# Lands at `continue-on-error: true` (Phase 3 — surface broken shapes
# without blocking). The pre-existing `continue-on-error: true`
# directives on `main` will all violate this lint at first
# (intentional — they're the masked defects this lint exists to
# surface). Each must be triaged: file a fresh tracker comment,
# close-and-flip, or document the deliberate keep-mask in a fresh
# 14-day-renewable tracker. After main is clean for 3 days,
# follow-up PR flips this workflow's continue-on-error to false.
# Tracking: internal#350.
#
# Cross-links
# -----------
# - internal#350 (the RFC that specs this lint)
# - mc#664 (the empirical masked-3-weeks case)
# - feedback_chained_defects_in_never_tested_workflows
# - feedback_behavior_based_ast_gates
# - feedback_strict_root_only_after_class_a
#
# Auth: DRIFT_BOT_TOKEN — same persona used by ci-required-drift.yml
# (provisioned under internal#329). Auto-injected GITHUB_TOKEN is
# insufficient because `internal#NNN` references cross repositories
# (molecule-core → molecule-ai/internal).
on:
pull_request:
types: [opened, synchronize, reopened]
paths:
- '.gitea/workflows/**'
- '.gitea/scripts/lint_continue_on_error_tracking.py'
- 'tests/test_lint_continue_on_error_tracking.py'
push:
branches: [main, staging]
paths:
- '.gitea/workflows/**'
- '.gitea/scripts/lint_continue_on_error_tracking.py'
schedule:
# Daily at 13:11 UTC — off-peak, prime-staggered from the other
# Tier-2 lint schedules (ci-required-drift runs hourly :00).
- cron: '11 13 * * *'
workflow_dispatch:
env:
GITHUB_SERVER_URL: https://git.moleculesai.app
permissions:
contents: read
concurrency:
group: lint-coe-tracking-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
lint:
name: lint-continue-on-error-tracking
runs-on: ubuntu-latest
timeout-minutes: 10
# Phase 3 (RFC #219 §1): surface masked defects without blocking
# PRs. Pre-existing continue-on-error: true directives on main
# all violate this lint at first — intentional. Flip to false
# follow-up after main is clean for 3 days. internal#350.
continue-on-error: true # internal#350 Phase 3 mask — 14d forced-renewal cadence
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.12'
- name: Install PyYAML
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Run lint-continue-on-error-tracking
env:
GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
INTERNAL_REPO: molecule-ai/internal
WORKFLOWS_DIR: .gitea/workflows
MAX_AGE_DAYS: '14'
run: python3 .gitea/scripts/lint_continue_on_error_tracking.py
- name: Run lint-continue-on-error-tracking unit tests
run: |
python -m pip install --quiet pytest
python3 -m pytest tests/test_lint_continue_on_error_tracking.py -v

View File

@ -1,132 +0,0 @@
name: lint-mask-pr-atomicity
# Tier 2d hard-gate lint (per internal#350) — blocks PRs that touch
# `.gitea/workflows/ci.yml` and modify ONLY ONE of {continue-on-error,
# all-required.sentinel.needs} without a `Paired: #NNN` reference in
# the PR body or in a commit message.
#
# Why this exists
# ---------------
# PR#665 (interim `continue-on-error: true` on `platform-build`) and
# PR#668 (sentinel-`needs` demotion of the same job) were designed as a
# pair but merged solo — #665 landed at 04:47Z 2026-05-12, #668 was
# still open at 05:07Z when the main-red watchdog (#674) fired. Result:
# ~20 minutes of `main` red and a cascade of false-positives on
# unrelated PRs. This lint structurally prevents that class.
#
# How the gate works
# ------------------
# 1. The workflow runs on every PR whose diff touches ci.yml (paths
# filter). It is NOT a required check on `main` because the rule is
# diff-based — running it on PRs that don't touch ci.yml would
# produce a `pending` status forever (per
# `feedback_path_filtered_workflow_cant_be_required`).
# 2. The script reads `BASE_SHA:ci.yml` and `HEAD_SHA:ci.yml`, parses
# both via PyYAML AST (per `feedback_behavior_based_ast_gates` — no
# grep, no regex on the raw text — so a YAML-shape refactor still
# detects).
# 3. Walks `jobs.*.continue-on-error` on each side; flags any value
# diff. Reads `jobs.all-required.needs` on each side; flags any
# set diff (order-insensitive — `needs:` is engine-unordered).
# 4. If both predicates fired → atomic, OK. If neither → no risk, OK.
# If exactly one fired → require `Paired: #NNN` in PR body OR in
# any commit message between base..head; else fail.
#
# Phase contract (RFC internal#219 §1 ladder)
# -------------------------------------------
# This workflow lands at `continue-on-error: true` (Phase 3 — surface
# regressions without blocking PRs while the rule beds in).
# Follow-up PR flips to `false` once we have ≥3 days of clean runs on
# `main` and no false-positives. Tracking issue: internal#350.
#
# Cross-links
# -----------
# - internal#350 (the RFC that specs this lint)
# - PR#665 / PR#668 (the empirical split-pair)
# - mc#664 (the main-red incident the split caused)
# - feedback_strict_root_only_after_class_a
# - feedback_behavior_based_ast_gates
#
# Auth: only needs the auto-injected GITHUB_TOKEN (read-only, repo
# scope). No DRIFT_BOT_TOKEN needed — Tier 2d does NOT call
# branch_protections (Tier 2g/f do).
on:
pull_request:
types: [opened, synchronize, reopened, edited]
# `edited` is included because the rule depends on PR_BODY: a user
# may add `Paired: #NNN` after first push to satisfy the lint. The
# rerun on `edited` lets the PR turn green without an empty
# commit. Gitea 1.22.6 fires `edited` on body changes — verified
# via gitea-source/models/issues/pull_list.go::triggerNewPRWebhook.
paths:
- '.gitea/workflows/ci.yml'
- '.gitea/scripts/lint_mask_pr_atomicity.py'
- '.gitea/workflows/lint-mask-pr-atomicity.yml'
- 'tests/test_lint_mask_pr_atomicity.py'
env:
# Belt-and-suspenders against the runner-default trap
# (feedback_act_runner_github_server_url). Runners are configured
# with this env via /opt/molecule/runners/config.yaml, but pinning
# at the workflow level protects against a runner regenerated
# without the config file.
GITHUB_SERVER_URL: https://git.moleculesai.app
permissions:
contents: read
pull-requests: read
# Per-PR concurrency — re-pushes cancel previous runs to keep the
# queue short. The lint is cheap (one git show + log + a YAML parse).
concurrency:
group: lint-mask-pr-atomicity-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
scan:
name: lint-mask-pr-atomicity
runs-on: ubuntu-latest
timeout-minutes: 5
# Phase 3 (RFC #219 §1): surface broken shapes without blocking
# PRs. Follow-up PR flips this to `false` once recent runs on main
# are confirmed clean (eat-our-own-dogfood discipline mirrors
# PR#673's same-shape comment). Tracking: internal#350.
continue-on-error: true
steps:
- name: Check out PR head with full history (need base SHA blobs)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# `git show <base-sha>:<path>` needs the base SHA's blobs.
# Shallow=1 would miss it. Same rationale as PR#673 and
# check-migration-collisions.yml.
fetch-depth: 0
- name: Set up Python (PyYAML for AST parsing)
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.12'
- name: Install PyYAML
# Same pin as ci-required-drift.yml + the rest of the Tier 2
# lint family — keep runner-cache hits uniform.
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Ensure base ref is reachable locally
# fetch-depth=0 usually pulls the base too, but explicit-fetch
# is cheap insurance against runner-version drift (matches the
# comment in check-migration-collisions.yml and PR#673).
run: |
git fetch origin "${{ github.event.pull_request.base.ref }}" || true
- name: Run lint-mask-pr-atomicity
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
# PR body — the script greps for `Paired: #NNN`.
PR_BODY: ${{ github.event.pull_request.body }}
CI_WORKFLOW_PATH: .gitea/workflows/ci.yml
SENTINEL_JOB_KEY: all-required
run: python3 .gitea/scripts/lint_mask_pr_atomicity.py
- name: Run lint-mask-pr-atomicity unit tests
# Run the test suite in-CI so the lint's own behaviour is
# verified on every change. Matches lint-workflow-yaml.yml.
run: |
python -m pip install --quiet pytest
python3 -m pytest tests/test_lint_mask_pr_atomicity.py -v

View File

@ -1,141 +0,0 @@
name: Lint pre-flip continue-on-error
# Pre-merge gate: blocks PRs that flip `continue-on-error: true → false`
# on any job in `.gitea/workflows/*.yml` WITHOUT proof that the affected
# job's recent runs on the target branch (PR base) are actually green.
#
# Empirical class: PR #656 / mc#664. PR #656 (RFC internal#219 Phase 4)
# flipped 5 platform-build-class jobs `continue-on-error: true → false`
# on the basis of a "verified green on main via combined-status check".
# But that "green" was the LIE the prior `continue-on-error: true`
# produced: Gitea Quirk #10 (internal#342 + dup #287) — a failed step
# inside a `continue-on-error: true` job rolls up to a `success`
# job-level status. The precondition the PR claimed to verify was
# structurally fooled by the bug being flipped.
#
# mc#664 captured the surfaced defects (2 mutually-masked regressions):
# - Class 1: sqlmock helper drift since 2f36bb9a (24 days old)
# - Class 2: OFFSEC-001 contract collision since 7d1a189f (1 day old)
#
# Codified 04:35Z as hongming-pc2 charter §SOP-N rule (e)
# "run-log-grep-before-flip" — now structurally enforced here at PR
# time, ahead of merge.
#
# How the gate works:
# 1. Read every `.gitea/workflows/*.yml` at the PR base SHA AND at
# the PR head SHA via `git show <sha>:<path>` (no checkout
# needed).
# 2. Parse both sides via PyYAML AST (NOT grep — per
# `feedback_behavior_based_ast_gates`). Walk `jobs.<key>.
# continue-on-error` on each side. A flip is base=true,
# head=false.
# 3. For each flipped job, render the commit-status context as
# `"{workflow.name} / {job.name or job.key} (push)"` — that's
# how Gitea Actions emits the per-context status on `main`/
# `staging` runs.
# 4. Pull last 5 commits on the PR base branch, fetch combined
# commit-status per commit, scan for the target context. For
# each match, fetch the run log via the web-UI route
# `{server_url}/{repo}/actions/runs/{run_id}/jobs/{job_idx}/logs`
# (per `reference_gitea_actions_log_fetch` —
# Gitea 1.22.6 lacks REST `/actions/runs/*`; web-UI is the
# only working path, see also
# `reference_gitea_1_22_6_lacks_rest_rerun_endpoints`).
# 5. Grep each log for `--- FAIL`, `FAIL\s`, `::error::`. If
# the status is `success` but the log shows any of these,
# the job was masked. Block the PR with `::error::`.
#
# Graceful-degrade contract (per task halt-conditions):
# - Log fetch 404 (act_runner pruned the log, transient outage):
# emit `::warning::` "log unavailable" — does NOT block.
# - Zero recent runs of the flipped job's context on the base
# branch (newly added workflow): emit `::warning::` "no run
# history to verify" — allow the flip. Chicken-and-egg
# exemption.
# - YAML parse error in one of the workflow files: warn-only,
# don't block — the YAML lint workflows catch this separately.
#
# Cross-links: PR#656, mc#664, PR#665 (interim re-mask),
# Quirk #10 (internal#342 + dup #287), hongming-pc2 charter
# §SOP-N rule (e), feedback_strict_root_only_after_class_a,
# feedback_no_shared_persona_token_use.
#
# Phase contract (RFC internal#219 §1 ladder):
# - This workflow lands at `continue-on-error: true` (Phase 3 —
# surface defects without blocking). Follow-up PR flips it to
# `false` ONLY after this workflow's own recent runs on `main`
# are confirmed clean — exactly the discipline the workflow
# itself enforces. Eat your own dogfood.
on:
pull_request:
types: [opened, synchronize, reopened]
paths:
- '.gitea/workflows/**'
- '.gitea/scripts/lint_pre_flip_continue_on_error.py'
- '.gitea/workflows/lint-pre-flip-continue-on-error.yml'
env:
# Per `feedback_act_runner_github_server_url` — without this,
# actions/checkout and friends default to github.com → break.
GITHUB_SERVER_URL: https://git.moleculesai.app
permissions:
contents: read
# Need read on the API to pull combined commit-status + commit list
# for the base branch. The job-log fetch uses the same token via
# the web-UI route (Gitea 1.22.6 accepts `Authorization: token ...`
# there).
pull-requests: read
concurrency:
group: lint-pre-flip-coe-${{ github.event.pull_request.head.sha || github.sha }}
cancel-in-progress: true
jobs:
scan:
name: Verify continue-on-error flips have run-log proof
runs-on: ubuntu-latest
timeout-minutes: 8
# Phase 3 (RFC internal#219 §1): surface broken flips without blocking
# the PR yet. Follow-up flips this to `false` once the workflow itself
# has clean recent runs on main. mc#664 interim — remove when CoE→false.
continue-on-error: true # mc#664
steps:
- name: Check out PR head (full history for base-SHA access)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# `git show <base-sha>:<path>` needs the base SHA's blobs.
# Shallow=1 would miss it. Same rationale as
# check-migration-collisions.yml.
fetch-depth: 0
- name: Set up Python (PyYAML for AST parsing)
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.12'
- name: Install PyYAML
# Same pin as ci-required-drift.yml — keep dependencies
# uniform so a Gitea runner cache hits across both jobs.
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Ensure base ref is reachable locally
# `actions/checkout@v6 fetch-depth=0` usually pulls the base
# too, but explicit-fetch is cheap insurance against the
# form-of-ref differences across Gitea runner versions
# (mirrors the comment in check-migration-collisions.yml).
run: |
git fetch origin "${{ github.event.pull_request.base.ref }}" || true
- name: Run lint
env:
# Auto-injected by Gitea Actions; sufficient scope for
# combined-status + commit-list + log fetch via web-UI
# route. NO repo-admin needed (unlike the
# branch_protections endpoint).
GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
BASE_REF: ${{ github.event.pull_request.base.ref }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
# Last 5 commits on the base branch is the spec default.
RECENT_COMMITS_N: '5'
run: python3 .gitea/scripts/lint_pre_flip_continue_on_error.py

View File

@ -1,96 +0,0 @@
# lint-required-no-paths — structural enforcement of
# `feedback_path_filtered_workflow_cant_be_required`.
#
# Fails the PR if ANY workflow whose status-check context appears in
# `branch_protections/main.status_check_contexts` carries a
# `paths:` or `paths-ignore:` filter in its `on:` block.
#
# Why this exists:
# A required-check workflow with a paths filter silently degrades the
# merge gate. If a PR's diff doesn't touch the filter, the workflow
# never fires; Gitea (1.22.6) reports the required context as
# `pending` (NOT `skipped == success`), so the PR cannot merge. For a
# docs-only PR against `paths: ['**.go']`, the PR is wedged forever.
#
# Previously prevented only by reviewer vigilance + the saved memory
# `feedback_path_filtered_workflow_cant_be_required`. This workflow
# makes it a hard CI gate.
#
# Forward-compat scope:
# Today (2026-05-11) molecule-core/main protects 3 contexts:
# - "Secret scan / Scan diff for credential-shaped strings (pull_request)"
# - "sop-tier-check / tier-check (pull_request)"
# - "CI / all-required (pull_request)"
# Per RFC#324 Step 2 the required-list expands to ~5 contexts
# (qa-review, security-review added). Each new required context's
# workflow must remain unconditional. This lint pins that contract.
#
# Meta-required-check:
# This workflow ITSELF deliberately has NO `paths:` filter on its `on:`
# block — otherwise a paths-non-matching PR could bypass the check.
# Self-evident from this file: only `pull_request` types plus a bare
# `workflow_dispatch:`, and no `paths:`/`paths-ignore:` filter.
#
# Auth:
# `GET /repos/.../branch_protections/{branch}` requires repo-admin
# role in Gitea 1.22.6. The workflow-default `GITHUB_TOKEN` is
# non-admin (read-only), so we re-use `DRIFT_BOT_TOKEN` (same persona
# that powers `ci-required-drift.yml` — verified working there).
# If `DRIFT_BOT_TOKEN` becomes unavailable, the script exits 0 with a
# loud `::error::` rather than red-X every PR — token-scope issues
# should be fixed at the token, not surfaced as a gate failure on
# every unrelated PR.
#
# Behavior-based gate per `feedback_behavior_based_ast_gates`:
# YAML AST walk (PyYAML), NOT grep. Workflow renames, formatting
# changes (block-scalar vs flow-style), or moving `paths:` between
# `pull_request:` and `pull_request_target:` all still detect.
#
# IMPORTANT — Gitea 1.22.6 parser quirk per
# `feedback_gitea_workflow_dispatch_inputs_unsupported`: do NOT add an
# `inputs:` block to `workflow_dispatch:` — Gitea 1.22.6 rejects the
# entire workflow as "unknown on type" and it registers for ZERO events.
name: lint-required-no-paths
on:
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch:
# Read protection + read local YAML. No writes.
permissions:
contents: read
# Only one in-flight run per PR — re-pushes cancel the previous run to
# keep the queue short. Required-list reads are cheap (one GET); the
# cancellation is just hygiene.
concurrency:
group: lint-required-no-paths-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
lint:
name: lint-required-no-paths
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check out repo (we read the workflow YAML files locally)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Python (PyYAML for AST parsing)
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.12'
- name: Install PyYAML
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Run lint-required-no-paths
env:
# DRIFT_BOT_TOKEN is owned by mc-drift-bot, a least-privilege
# Gitea persona with repo-admin role for branch_protections
# read. Same secret used by ci-required-drift.yml — see that
# workflow's header for provisioning trail (internal#329).
GITEA_TOKEN: ${{ secrets.DRIFT_BOT_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
BRANCH: main
WORKFLOWS_DIR: .gitea/workflows
run: python3 .gitea/scripts/lint-required-no-paths.py

View File

@ -1,75 +0,0 @@
name: Lint workflow YAML (Gitea-1.22.6-hostile shapes)
# Tier-2 hard-gate lint (RFC internal#219 §1, charter §SOP-N rule (m)).
# Catches six Gitea-1.22.6-hostile workflow-YAML shapes BEFORE they reach
# `main`. Each rule maps to a documented incident in saved memory:
#
# 1. workflow_dispatch.inputs — feedback_gitea_workflow_dispatch_inputs_unsupported
# (2026-05-11 PyPI freeze 24h)
# 2. on: workflow_run — task #81 (Gitea 1.22.6 lacks the event)
# 3. name: containing "/" — breaks status-context tokenization
# 4. cross-file name collision — status-reaper rev1 fail-loud class
# 5. cross-repo uses: org/r/p@r — feedback_gitea_cross_repo_uses_blocked
# (DEFAULT_ACTIONS_URL=github → 404)
# 6. (WARN) api.github.com refs — feedback_act_runner_github_server_url
# without workflow-level GITHUB_SERVER_URL
#
# Empirical history this hardens against:
# - status-reaper rev1 caught rule-4 (name-collision) class
# - sop-tier-refire DOA'd on rule-2 (workflow_run partial)
# - #319 bootstrap-paradox (chained-defect class, related)
# - internal#329 dispatcher race (adjacent)
# - 2026-05-11 publish-runtime: rule-1, 24h PyPI freeze
#
# Triggers:
# - pull_request: pre-merge gate — block hostile shapes before they land
# - push: post-merge regression detection — catch direct-to-main edits
#
# Per RFC internal#219 §1 contract: continue-on-error: true during the
# surface-broken-shapes phase. Follow-up PR flips off after surfaced
# defects are triaged. The push-trigger ensures we catch regressions
# even if the pull_request gate is bypassed by branch-protection drift.
on:
pull_request:
paths:
- '.gitea/workflows/**'
- '.gitea/scripts/lint-workflow-yaml.py'
- 'tests/test_lint_workflow_yaml.py'
push:
branches: [main, staging]
paths:
- '.gitea/workflows/**'
- '.gitea/scripts/lint-workflow-yaml.py'
- 'tests/test_lint_workflow_yaml.py'
# Belt-and-suspenders against runner default
# (feedback_act_runner_github_server_url).
env:
GITHUB_SERVER_URL: https://git.moleculesai.app
jobs:
lint:
name: Lint workflow YAML for Gitea-1.22.6-hostile shapes
runs-on: ubuntu-latest
# Phase 3 (RFC internal#219 §1): surface broken shapes without blocking PRs.
# Follow-up PR flips this off after the 4 existing-on-main rule-2
# (workflow_run) violations are migrated to a supported trigger.
continue-on-error: true
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.11'
- name: Install PyYAML
run: pip install --quiet 'PyYAML>=6.0'
- name: Lint .gitea/workflows/*.yml
run: python3 .gitea/scripts/lint-workflow-yaml.py
- name: Run lint-workflow-yaml unit tests
run: |
pip install --quiet pytest
python3 -m pytest tests/test_lint_workflow_yaml.py -v

View File

@ -37,11 +37,6 @@ name: main-red-watchdog
# "unknown on type" when `workflow_dispatch.inputs.X` is present. Revisit
# when Gitea ≥ 1.23 is fleet-wide.
on:
# SCHEDULE RE-ENABLED 2026-05-12 rev3 — interim disable (mc#645) reverted alongside
# status-reaper rev3 (widen-window). Job-level timeout-minutes raised 5 → 15 below
# to absorb runner-saturation latency without spurious cancels (the original cascade
# cause). If runner-saturation root persists, the dedicated-runner-label split
# remains the structural next step (tracked separately).
schedule:
# Hourly at :05 — task spec calls for "off-zero" (`5 * * * *`),
# offset from :17 (ci-required-drift) and :00 (peak cron load).
@ -63,12 +58,7 @@ concurrency:
jobs:
watchdog:
runs-on: ubuntu-latest
# rev3 (2026-05-12, mc#645 revert): raised 5 → 15 to absorb runner-saturation
# latency. Original 5min cap was producing 124-style cancels under load,
# which fed the very `[main-red]` issues this workflow files (self-poisoning).
# 15min is still well below Gitea-default 6h job ceiling; if a real hang
# occurs the issue-file path is still the alarm surface.
timeout-minutes: 15
timeout-minutes: 5
steps:
- name: Check out repo (script lives at .gitea/scripts/)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

View File

@ -54,12 +54,6 @@ env:
jobs:
build-and-push:
name: Build & push canvas image
# REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
# The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
# causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
# pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
# ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
# See issue #576 + infra-lead pulse ~00:30Z.
runs-on: ubuntu-latest
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
@ -85,10 +79,8 @@ jobs:
run: |
set -euo pipefail
echo "::group::Docker daemon health check"
echo "Runner: ${HOSTNAME:-unknown}"
docker info 2>&1 | head -5 || {
echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
echo "::error::Runner: ${HOSTNAME:-unknown}"
echo "::error::Check: (1) daemon running, (2) runner user in docker group, (3) sock perms 660+"
exit 1
}

View File

@ -23,23 +23,12 @@ name: publish-runtime-autobump
# and try to tag 0.1.130 simultaneously, only one of which would land.
on:
# Run on PR pushes to post a success status so Gitea can merge the PR.
# All steps use continue-on-error: true so operational failures
# (PyPI unreachable, DISPATCH_TOKEN missing) do not block merge.
pull_request:
paths:
- "workspace/**"
# Bump-and-tag on main/staging push (the actual operational trigger).
push:
branches:
- main
- staging
paths:
- "workspace/**"
# Manual dispatch — useful when Gitea Actions API (/actions/*) is
# unreachable (e.g. act_runner 404 on Gitea 1.22.6) and we cannot
# re-trigger via curl.
workflow_dispatch:
permissions:
contents: write # required to push tags back
@ -49,53 +38,15 @@ concurrency:
cancel-in-progress: false
jobs:
# PR-validation path: always succeeds so Gitea can merge workflow-only PRs.
# Operational failures (PyPI unreachable, missing DISPATCH_TOKEN) are
# surfaced via continue-on-error: true rather than blocking the merge.
# The actual bump work happens on the main/staging push after merge.
pr-validate:
autobump-and-tag:
runs-on: ubuntu-latest
continue-on-error: true # do not block PR merge on operational failures
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Validate PyPI connectivity (best-effort)
run: |
set -eu
echo "=== Checking PyPI accessibility ==="
LATEST=$(curl -fsS --retry 3 --max-time 10 \
https://pypi.org/pypi/molecule-ai-workspace-runtime/json \
| python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])" \
|| echo "PyPI unreachable (non-blocking for PR validation)")
echo "Latest: ${LATEST:-unknown}"
# Actual bump-and-tag: runs on main/staging pushes, posts real success/failure.
# No continue-on-error — operational failures here trip the main-red
# watchdog, which is the desired signal for infrastructure degradation.
bump-and-tag:
runs-on: ubuntu-latest
# Only fire on push events (main/staging after PR merge). Pull_request
# events are handled by pr-validate above; we do NOT bump on every
# push-synchronize because that would race with the PR head.
#
# NOTE: the prior condition `github.event.pull_request.base.ref == ''`
# was broken — on a PR-merge push in Gitea Actions, the pull_request
# context is still attached (base.ref='main'), so the condition always
# evaluated to false and bump-and-tag was permanently skipped.
if: github.event_name == 'push'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
- name: Fetch tags for collision check
run: git fetch origin --tags --depth=1
# Fetch full tag list so the bump logic can sanity-check against
# what's already in this repo (catches collision with prior
# manual tag pushes).
fetch-depth: 0
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:

View File

@ -20,12 +20,6 @@ name: publish-workspace-server-image
#
# ECR target: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/*
# Required secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AUTO_SYNC_TOKEN
#
# mc#711: Docker daemon not accessible on ubuntu-latest runner (molecule-canonical-1
# shows client-only in `docker info` — daemon not running). DinD mount is present but
# daemon doesn't respond. Fix: add diagnostic step showing socket info so ops can
# identify which runners have a live daemon. If no daemon is available, the job
# fails fast with actionable output rather than silent deep failure.
on:
push:
@ -38,9 +32,11 @@ on:
- '.gitea/workflows/publish-workspace-server-image.yml'
workflow_dispatch:
# Serialize per-branch so two rapid main pushes don't race the same
# :staging-latest tag retag. Allow parallel runs as they produce
# different :staging-<sha> tags and last-write-wins on :staging-latest.
# Serialize per-branch so two rapid staging pushes don't race the same
# :staging-latest tag retag. Allow staging and main to run in parallel
# (different GITHUB_REF → different concurrency group) since they
# produce different :staging-<sha> tags and last-write-wins on
# :staging-latest is acceptable across branches.
#
# cancel-in-progress: false → in-flight builds finish; the next push's
# build queues. This avoids a partially-pushed image.
@ -63,20 +59,23 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Diagnose Docker daemon access
# Health check: verify Docker daemon is accessible before attempting any
# build steps. This fails loudly at step 1 when the runner's docker.sock
# is inaccessible (e.g. permission change, daemon restart, or group-membership
# drift) rather than silently continuing to step 2 where `docker build`
# fails deep in the process with a cryptic ECR auth error that doesn't
# surface the root cause. Also reports the daemon version so operator
# can correlate with runner host logs.
- name: Verify Docker daemon access
run: |
set -euo pipefail
echo "::group::Docker daemon diagnosis"
echo "Runner: ${HOSTNAME:-unknown}"
echo "--- Socket info ---"
ls -la /var/run/docker.sock 2>/dev/null || echo "/var/run/docker.sock: not found"
stat /var/run/docker.sock 2>/dev/null || true
echo "--- User info ---"
id
echo "--- docker version ---"
docker version 2>&1 || true
echo "--- docker info (full) ---"
docker info 2>&1 || echo "docker info failed: exit $?"
echo "::group::Docker daemon health check"
docker info 2>&1 | head -5 || {
echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
exit 1
}
echo "Docker daemon OK"
echo "::endgroup::"
# Pre-clone manifest deps before docker build.
@ -95,12 +94,13 @@ jobs:
MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
run: |
set -euo pipefail
if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
echo "::error::AUTO_SYNC_TOKEN secret is empty"
exit 1
fi
mkdir -p .tenant-bundle-deps
# Strip JSON5 comments before jq parsing — Integration Tester appends
# `// Triggered by ...` which breaks `jq` in clone-manifest.sh.
sed '/^[[:space:]]*\/\//d' manifest.json > .manifest-stripped.json
bash scripts/clone-manifest.sh \
.manifest-stripped.json \
manifest.json \
.tenant-bundle-deps/workspace-configs-templates \
.tenant-bundle-deps/org-templates \
.tenant-bundle-deps/plugins
@ -117,11 +117,6 @@ jobs:
# Build + push platform image (inline ECR auth — mirrors the operator-host
# approach; credentials come from GITHUB_SECRET_AWS_ACCESS_KEY_ID /
# GITHUB_SECRET_AWS_SECRET_ACCESS_KEY in Gitea Actions).
# docker buildx bake / build required for `imagetools inspect` digest
# capture in the CP pin-update step (RFC internal#229 §X step 4 PR-1).
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Build & push platform image to ECR (staging-<sha> + staging-latest)
env:
IMAGE_NAME: ${{ env.IMAGE_NAME }}
@ -137,16 +132,17 @@ jobs:
ECR_REGISTRY="${IMAGE_NAME%%/*}"
aws ecr get-login-password --region us-east-2 | \
docker login --username AWS --password-stdin "${ECR_REGISTRY}"
docker buildx build \
docker build \
--file ./workspace-server/Dockerfile \
--build-arg GIT_SHA="${GIT_SHA}" \
--label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
--label "org.opencontainers.image.source=https://github.com/${REPO}" \
--label "org.opencontainers.image.revision=${GIT_SHA}" \
--label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
--label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
--label "org.opencontainers.image.description=Molecule AI platform — pending canary verify" \
--tag "${IMAGE_NAME}:${TAG_SHA}" \
--tag "${IMAGE_NAME}:${TAG_LATEST}" \
--push .
.
docker push "${IMAGE_NAME}:${TAG_SHA}"
docker push "${IMAGE_NAME}:${TAG_LATEST}"
# Build + push tenant image (Go platform + Next.js canvas in one image).
- name: Build & push tenant image to ECR (staging-<sha> + staging-latest)
@ -164,14 +160,15 @@ jobs:
ECR_REGISTRY="${TENANT_IMAGE_NAME%%/*}"
aws ecr get-login-password --region us-east-2 | \
docker login --username AWS --password-stdin "${ECR_REGISTRY}"
docker buildx build \
docker build \
--file ./workspace-server/Dockerfile.tenant \
--build-arg NEXT_PUBLIC_PLATFORM_URL= \
--build-arg GIT_SHA="${GIT_SHA}" \
--label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \
--label "org.opencontainers.image.source=https://github.com/${REPO}" \
--label "org.opencontainers.image.revision=${GIT_SHA}" \
--label "org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
--label "molecule.workflow.run_id=${GITHUB_RUN_ID}" \
--label "org.opencontainers.image.description=Molecule AI tenant platform + canvas — pending canary verify" \
--tag "${TENANT_IMAGE_NAME}:${TAG_SHA}" \
--tag "${TENANT_IMAGE_NAME}:${TAG_LATEST}" \
--push .
.
docker push "${TENANT_IMAGE_NAME}:${TAG_SHA}"
docker push "${TENANT_IMAGE_NAME}:${TAG_LATEST}"

View File

@ -1,164 +0,0 @@
# qa-review — non-author APPROVE from the `qa` Gitea team required to merge.
#
# RFC#324 Step 1 of 5 (workflow-add). Pairs with `security-review.yml` and the
# branch-protection flip in Step 2.
#
# === DESIGN (RFC#324 v1.1 addendum) ===
#
# A1-α (refire mechanism):
# Triggers on:
# - `pull_request_target`: opened, synchronize, reopened
# → initial status posts when PR opens / re-pushes
# - `issue_comment`: /qa-recheck slash-command on the PR
# → manual re-fire after a QA reviewer clicks APPROVE
# (Gitea 1.22.6 doesn't re-fire on pull_request_review, per
# go-gitea/gitea#33700 + feedback_pull_request_review_no_refire)
# Workflow name = `qa-review` ; job name = `approved`.
# The job's own pass/fail conclusion publishes the status context
# `qa-review / approved (<event>)` — NO `POST /statuses` call → NO
# write:repository token scope needed. Sidesteps internal#321 defect #2.
#
# A1.1 (privilege check on slash-comment — INFORMATIONAL ONLY, NOT a gate):
# The `issue_comment` event fires for ANY commenter, including
# non-collaborators. The original (v1.2) design gated the eval step
# behind a collaborator probe → if a non-collaborator commented
# /qa-recheck, the eval was `if:`-skipped → the job exited 0 anyway →
# the status context published `success` with ZERO real APPROVE.
# That was a fail-open: any visitor could green the gate.
#
# RFC#324 v1.3 §A1.1 correction (option b per hongming-pc 1421):
# drop privilege-gating of the evaluation entirely. The eval is
# read-only and idempotent — it reads `pulls/{N}/reviews` and
# `teams/{id}/members/{u}` (both API-side state that a commenter can't
# change). Re-running it on a non-collaborator's comment is harmless
# AND correct: if a real team-member APPROVE exists, the eval flips
# green; if not, it stays red.
#
# We KEEP the privilege step as a `::notice::` log line only — useful
# for griefer-spotting (one operator spamming /recheck) without
# touching the gate. If rate-limiting is needed later, add it as a
# separate concern (time-window throttle, not a privilege gate).
#
# We MUST NOT use `github.event.comment.author_association` (the
# field doesn't exist on Gitea 1.22.6 webhook payload — this was
# sop-tier-refire's defect #1).
#
# A4 (no PR-head checkout under pull_request_target):
# We check out the BASE ref explicitly so the review-check.sh script is
# loaded from trusted source. We NEVER use `ref: ${{ github.event.pull_request.head.sha }}`.
# No PR-head code is executed in the runner. Trust boundary preserved.
#
# A5 (real Gitea team):
# `qa` team (id=20) verified by orchestrator preflight 2026-05-11; queried
# at run time via /api/v1/teams/20/members/{login}.
#
# === TOKEN ===
#
# The workflow reads PR state, PR reviews, and team membership.
# Gitea 1.22.6's /api/v1/teams/{id}/members/{u} returns 403 ('Must be a
# team member') for tokens whose owner is not in that team. The default
# `secrets.GITHUB_TOKEN` is owned by a workflow-scoped identity that is
# also not in qa/security teams → also 403.
#
# Resolution: a dedicated `RFC_324_TEAM_READ_TOKEN` secret, owned by an
# identity that IS in both `qa` and `security` teams (Owners-tier
# claude-ceo-assistant, or a new service-bot added to both teams).
# Provisioning of this secret is tracked as a follow-up issue (filed by
# core-devops at PR open).
#
# Until that secret is provisioned, the job will exit 1 with a clear
# 403-on-team-probe error and the `qa-review / approved` status will
# stay `failure`. This is the correct fail-closed behavior — the gate
# blocks merge until both (a) a QA team member APPROVEs and (b) the
# workflow has a token that can confirm their team membership.
#
# === SLASH-COMMAND CONTRACT ===
#
# /qa-recheck — re-evaluate the gate (e.g. after an APPROVE lands)
#
# Open to any PR commenter. The eval is read-only and idempotent, so
# unprivileged refires are harmless (RFC#324 v1.3 §A1.1). Collaborator
# status is logged for griefer-spotting but does NOT gate execution.
name: qa-review
on:
pull_request_target:
types: [opened, synchronize, reopened]
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: read
jobs:
approved:
# Gate the job:
# - On pull_request_target events: always run.
# - On issue_comment events: only when it's a PR comment and the body
# contains the slash-command. NO privilege gate at the step level
# (RFC#324 v1.3 §A1.1): a non-collaborator's /qa-recheck is fine
# because the eval is read-only and idempotent — re-running it
# just re-confirms whether a real team-member APPROVE exists.
if: |
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
startsWith(github.event.comment.body, '/qa-recheck'))
runs-on: ubuntu-latest
steps:
- name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
# RFC#324 v1.3 §A1.1: this step does NOT gate subsequent steps.
# It exists solely as a log line for griefer-spotting (one
# operator spamming /qa-recheck without merit). Re-running the
# read-only eval on a non-collaborator comment is harmless;
# gating it would be fail-open (skipped steps still publish
# `success` for the job's status context).
# Only runs on issue_comment events; pull_request_target has
# no comment.user.login so the step is a no-op skip there.
if: github.event_name == 'issue_comment'
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
login="${{ github.event.comment.user.login }}"
# Write token to a mode-600 file so it never appears in curl's argv.
# (#541: -H "Authorization: token $TOKEN" puts the secret in /proc/<pid>/cmdline)
authfile=$(mktemp)
chmod 600 "$authfile"
printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
code=$(curl -sS -o /dev/null -w '%{http_code}' -K "$authfile" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/collaborators/${login}")
rm -f "$authfile"
if [ "$code" = "204" ]; then
echo "::notice::Recheck from ${login} (collaborator=true)"
else
echo "::notice::Recheck from ${login} (collaborator=false, HTTP ${code}) — proceeding with read-only eval anyway"
fi
- name: Check out BASE ref (A4 — never PR-head)
# Loads the review-check.sh script from a trusted ref. For
# pull_request_target the default checkout is BASE already; we
# set ref explicitly for the issue_comment event too so the
# script source is always the default-branch version.
# NEVER use ref: ${{ github.event.pull_request.head.sha }} —
# that would execute PR-head code with secrets-context.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.repository.default_branch }}
- name: Evaluate qa-review
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
# PR number lives in different places per event:
# pull_request_target → github.event.pull_request.number
# issue_comment → github.event.issue.number
PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
TEAM: qa
TEAM_ID: '20'
REVIEW_CHECK_DEBUG: '0'
REVIEW_CHECK_STRICT: '0'
run: bash .gitea/scripts/review-check.sh

View File

@ -9,11 +9,12 @@ name: redeploy-tenants-on-main
# - Workflow-level env.GITHUB_SERVER_URL pinned per
# feedback_act_runner_github_server_url.
# - `continue-on-error: true` on each job (RFC §1 contract).
# - ~~**Gitea workflow_run trigger limitation**~~ FIXED: replaced with
# push+paths filter per this PR. Gitea 1.22.6 does not support
# `workflow_run` (task #81). The push trigger fires on every
# commit to publish-workspace-server-image.yml which is the
# same signal (only successful runs commit to main).
# - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
# for the `workflow_run` event is partial. If this never fires on a
# real publish-workspace-server-image completion, the follow-up
# triage PR should replace the trigger with a push-with-paths-filter
# on .gitea/workflows/publish-workspace-server-image.yml. Until
# then continue-on-error+dead-workflow doesn't break anything.
#
# Auto-refresh prod tenant EC2s after every main merge.
@ -49,11 +50,10 @@ name: redeploy-tenants-on-main
# target_tag=<sha>, re-pulling the older image on every tenant.
on:
push:
workflow_run:
workflows: ['publish-workspace-server-image']
types: [completed]
branches: [main]
paths:
- '.gitea/workflows/publish-workspace-server-image.yml'
workflow_dispatch:
permissions:
contents: read
# No write scopes needed — the workflow hits an external CP endpoint,

View File

@ -9,13 +9,12 @@ name: redeploy-tenants-on-staging
# - Workflow-level env.GITHUB_SERVER_URL pinned per
# feedback_act_runner_github_server_url.
# - `continue-on-error: true` on each job (RFC §1 contract).
# - ~~**Gitea workflow_run trigger limitation**~~ FIXED: replaced with
# push+paths filter per this PR. Gitea 1.22.6 does not support
# `workflow_run` (task #81). The push trigger fires on every
# commit to publish-workspace-server-image.yml which is the
# same signal (only successful runs commit to main). Removed the
# `workflow_run.conclusion==success` job-level `if` guard, since a
# push implies the workflow completed and committed.
# - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
# for the `workflow_run` event is partial. If this never fires on a
# real publish-workspace-server-image completion, the follow-up
# triage PR should replace the trigger with a push-with-paths-filter
# on .gitea/workflows/publish-workspace-server-image.yml. Until
# then continue-on-error+dead-workflow doesn't break anything.
#
# Auto-refresh staging tenant EC2s after every staging-branch merge.
@ -51,11 +50,10 @@ name: redeploy-tenants-on-staging
# of a known-good build.
on:
push:
branches: [staging]
paths:
- '.gitea/workflows/publish-workspace-server-image.yml'
workflow_dispatch:
workflow_run:
workflows: ['publish-workspace-server-image']
types: [completed]
branches: [main]
permissions:
contents: read
# No write scopes needed — the workflow hits an external CP endpoint,
@ -74,6 +72,12 @@ env:
jobs:
redeploy:
# Skip the auto-trigger if publish-workspace-server-image didn't
# actually succeed. workflow_run fires on any completion state; we
# don't want to redeploy against a half-built image.
# NOTE (Gitea port): workflow_dispatch trigger dropped; only the
# workflow_run path remains.
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true

View File

@ -1,70 +0,0 @@
name: review-check-tests
# Runs review-check.sh regression tests on every PR + push that touches
# the evaluator script or its test fixtures.
#
# Follows RFC#324 follow-up (issue #540):
# .gitea/scripts/review-check.sh is load-bearing for PR merge gates.
# It has ZERO production CI coverage. This workflow closes that gap.
#
# Design choices:
# - Bash test harness (not bats). The existing test_review_check.sh
# uses a custom assert_eq/assert_contains framework that is already
# working and covers all 13 acceptance criteria (issue #540 §Acceptance).
# Converting to bats would be refactoring, not closing the gap.
# - No bats dependency: the runner-base image needs no extra tooling.
# - continue-on-error: false — these tests must pass; a failure means
# the review-gate evaluator is broken and must not be merged.
on:
push:
branches: [main, staging]
paths:
- '.gitea/scripts/review-check.sh'
- '.gitea/scripts/tests/test_review_check.sh'
- '.gitea/scripts/tests/_review_check_fixture.py'
- '.gitea/workflows/review-check-tests.yml'
pull_request:
branches: [main, staging]
paths:
- '.gitea/scripts/review-check.sh'
- '.gitea/scripts/tests/test_review_check.sh'
- '.gitea/scripts/tests/_review_check_fixture.py'
- '.gitea/workflows/review-check-tests.yml'
workflow_dispatch:
env:
GITHUB_SERVER_URL: https://git.moleculesai.app
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
name: review-check.sh regression tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install jq
# Required for T12 jq-filter test case. Gitea Actions runners (ubuntu-latest
# label) do not bundle jq. Install via apt-get first (reliable for Ubuntu
# runners with internet access to package mirrors). Falls back to GitHub
# binary download. GitHub releases may be blocked on some runner networks
# (infra#241 follow-up).
continue-on-error: true
run: |
if apt-get update -qq && apt-get install -y -qq jq; then
echo "::notice::jq installed via apt-get: $(jq --version)"
elif timeout 120 curl -sSL \
"https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
-o /usr/local/bin/jq && chmod +x /usr/local/bin/jq; then
echo "::notice::jq binary downloaded: $(/usr/local/bin/jq --version)"
else
echo "::warning::jq install failed — apt-get and GitHub download both failed."
fi
jq --version 2>/dev/null || echo "::notice::jq not yet available — continuing"
- name: Run review-check.sh regression suite
run: bash .gitea/scripts/tests/test_review_check.sh

View File

@ -1,72 +0,0 @@
# security-review — non-author APPROVE from the `security` Gitea team
# required to merge.
#
# RFC#324 Step 1 of 5 (workflow-add). Mirror of `qa-review.yml`; differs
# only in TEAM=security, TEAM_ID=21, and the slash-command name.
#
# See `qa-review.yml` header for the full A1-α / A1.1 / A4 / A5 design
# rationale; everything below is identical in shape.
name: security-review
on:
pull_request_target:
types: [opened, synchronize, reopened]
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: read
jobs:
approved:
# See qa-review.yml header for full A1-α / A1.1 (v1.3 — informational
# log only, NOT a gate) / A4 / A5 design rationale.
if: |
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
startsWith(github.event.comment.body, '/security-recheck'))
runs-on: ubuntu-latest
steps:
- name: Privilege check (A1.1 — INFORMATIONAL log only, NOT a gate)
# RFC#324 v1.3 §A1.1: does NOT gate subsequent steps. See
# qa-review.yml for full rationale. Eval is read-only/idempotent
# so re-running on a non-collaborator comment is harmless.
if: github.event_name == 'issue_comment'
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
login="${{ github.event.comment.user.login }}"
# Write token to a mode-600 file so it never appears in curl's argv.
# (#541: -H "Authorization: token $TOKEN" puts the secret in /proc/<pid>/cmdline)
authfile=$(mktemp)
chmod 600 "$authfile"
printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$authfile"
code=$(curl -sS -o /dev/null -w '%{http_code}' -K "$authfile" \
"${{ github.server_url }}/api/v1/repos/${{ github.repository }}/collaborators/${login}")
rm -f "$authfile"
if [ "$code" = "204" ]; then
echo "::notice::Recheck from ${login} (collaborator=true)"
else
echo "::notice::Recheck from ${login} (collaborator=false, HTTP ${code}) — proceeding with read-only eval anyway"
fi
- name: Check out BASE ref (A4 — never PR-head)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.repository.default_branch }}
- name: Evaluate security-review
env:
GITEA_TOKEN: ${{ secrets.RFC_324_TEAM_READ_TOKEN || secrets.GITHUB_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
TEAM: security
TEAM_ID: '21'
REVIEW_CHECK_DEBUG: '0'
REVIEW_CHECK_STRICT: '0'
run: bash .gitea/scripts/review-check.sh

View File

@ -1,121 +0,0 @@
# sop-checklist-gate — peer-ack merge gate for SOP-checklist items.
#
# RFC#351 Step 2 of 6 (implementation MVP).
#
# === DESIGN ===
#
# Goal: each PR must answer 7 SOP-checklist questions in its body,
# and each item must have at least one /sop-ack <slug> comment from
# a non-author peer in the required team. BP requires the
# `sop-checklist / all-items-acked (pull_request)` status to merge.
#
# Triggers:
# - `pull_request_target`: opened, edited, synchronize, reopened
# → fires when PR opens, body is edited (refire — RFC#351 §4),
# or new code is pushed (head.sha changes → stale status would
# be auto-discarded by BP via dismiss_stale_reviews, but the
# status itself is per-SHA so we re-post on the new head).
# - `issue_comment`: created, edited, deleted
# → fires on any new comment so /sop-ack / /sop-revoke take
# effect immediately (Gitea 1.22.6 doesn't refire on
# pull_request_review per feedback_pull_request_review_no_refire,
# so issue_comment is the canonical refire channel).
#
# Trust boundary (mirrors RFC#324 §A4 + sop-tier-check security note):
# `pull_request_target` (not `pull_request`) — workflow def is loaded
# from BASE branch, so a PR cannot rewrite this workflow to exfiltrate
# the token. The `actions/checkout` step pins `ref: base.sha` so the
# script ALSO comes from BASE. PR-HEAD code is never executed in the
# runner.
#
# Token scope:
# - read:repository, read:organization for PR + comments + team probes
# - write:repository for POST /statuses/{sha}
# - The token owner MUST be a member of every team referenced by the
# config's required_teams (else /teams/{id}/members/{login} returns
# 403 — see review-check.sh same-gotcha doc). For the MVP we use
# the dev-lead token (a member of engineers, managers, qa, security)
# via a repo secret `SOP_CHECKLIST_GATE_TOKEN`. Provisioning of that
# secret is a follow-up authorization step (separate from this PR).
#
# Failure mode: tier-aware (RFC#351 open question 2):
# - tier:high → state=failure (hard-fail; BP blocks merge)
# - tier:medium → state=failure (hard-fail; same)
# - tier:low → state=pending (soft-fail; BP can choose to require
# this context or skip for low-tier PRs)
# - missing/no-tier → state=failure (default-mode: hard — never lower
# the bar per feedback_fix_root_not_symptom)
#
# Slash-command contract (RFC#351 v1 + §A1.1-style notes from RFC#324):
#
# /sop-ack <slug-or-numeric-alias> [optional note]
# — register a peer-ack for one checklist item.
# — slug accepts kebab-case, snake_case, or natural-spaces
# (all normalize to canonical kebab-case).
# — numeric 1..7 maps via config.items[*].numeric_alias.
# — most-recent (user, slug) directive wins.
#
# /sop-revoke <slug-or-numeric-alias> [reason]
# — invalidate the commenter's own prior /sop-ack for this slug.
# — does NOT affect other peers' acks on the same slug.
# — most-recent (user, slug) directive wins, so a later /sop-ack
# restores the ack.
#
# The eval is read-only + idempotent (read PR + comments + team
# membership, compute, post status). Re-running on any event is safe —
# the new status overwrites the previous one for the same context.
name: sop-checklist-gate
on:
pull_request_target:
types: [opened, edited, synchronize, reopened]
issue_comment:
types: [created, edited, deleted]
permissions:
contents: read
pull-requests: read
# NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
# Gitea 1.22.6 may not gate on this permission key (it just checks the
# token), but listing it explicitly documents intent for the next
# platform-version upgrade.
statuses: write
jobs:
gate:
# Run on pull_request_target events always. On issue_comment events,
# only when the comment is on a PR (issue_comment fires for issues
# too) and the body contains one of the slash-commands.
if: |
github.event_name == 'pull_request_target' ||
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request != null &&
(contains(github.event.comment.body, '/sop-ack') ||
contains(github.event.comment.body, '/sop-revoke')))
runs-on: ubuntu-latest
steps:
- name: Check out BASE ref (trust boundary — never PR-head)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# For pull_request_target, the default branch is the trust
# anchor. For issue_comment the PR base may differ from the
# default branch (PR targeting `staging`), so we use the
# default-branch ref explicitly — same approach as
# qa-review.yml so the script source is always trusted.
ref: ${{ github.event.repository.default_branch }}
- name: Run sop-checklist-gate
env:
GITEA_TOKEN: ${{ secrets.SOP_CHECKLIST_GATE_TOKEN || secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
OWNER: ${{ github.repository_owner }}
REPO_NAME: ${{ github.event.repository.name }}
run: |
set -euo pipefail
python3 .gitea/scripts/sop-checklist-gate.py \
--owner "$OWNER" \
--repo "$REPO_NAME" \
--pr "$PR_NUMBER" \
--config .gitea/sop-checklist-config.yaml \
--gitea-host git.moleculesai.app

View File

@ -52,20 +52,8 @@ jobs:
smoke:
name: Staging SaaS smoke
runs-on: ubuntu-latest
# NOTE: Phase 3 (RFC #219 §1) `continue-on-error: true` removed
# 2026-05-11. The "surface broken workflows without blocking"
# rationale was correctly applied to advisory/lint workflows but
# wrong for this smoke — it is the 30-min canary cadence for the
# entire staging SaaS stack, and silent failure here masks the
# exact regressions the smoke exists to surface (AMI rot, CF cert
# drift, WorkOS session breakage, secret rotations). Same class of
# failure as PR#461 (`sweep-stale-e2e-orgs`) where Phase-3 silent
# failure leaked EC2. The four other `e2e-staging-*` workflows
# KEEP `continue-on-error: true` per RFC #219 §1 — they are
# advisory and matrix-style; this one is the canary. A follow-up
# `notify-failure` step below also surfaces breakage to ops even
# if branch-protection wiring is adjusted to keep this off the
# required-checks list.
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
# 25 min headroom over the 15-min TLS-readiness deadline in
# tests/e2e/test_staging_full_saas.sh (#2107). Without the buffer
# the job is killed at the wall-clock 15:00 mark BEFORE the bash
@ -77,10 +65,7 @@ jobs:
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
# 2026-05-11: secret canonicalised from MOLECULE_STAGING_ADMIN_TOKEN
# (dead in org secret store) to CP_STAGING_ADMIN_API_TOKEN per
# internal#322 — see this PR for the cross-workflow sweep.
MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MOLECULE_ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
# MiniMax is the smoke's PRIMARY LLM auth path post-2026-05-04.
# Switched from hermes+OpenAI after #2578 (the staging OpenAI key
# account went over quota and stayed dead for 36+ hours, taking
@ -126,7 +111,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
exit 2
fi
@ -256,7 +241,7 @@ jobs:
- name: Teardown safety net
if: always()
env:
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
run: |
set +e
# Slug prefix matches what test_staging_full_saas.sh emits
@ -331,16 +316,3 @@ jobs:
echo "::warning::smoke teardown left ${#leaks[@]} leak(s): ${leaks[*]}"
fi
exit 0
- name: Notify on smoke failure
# Fail-loud companion to dropping `continue-on-error: true`.
# The Open-issue-on-failure step above handles the human-facing
# alert; this step emits a clearly-tagged ::error:: line that
# log-tail consumers (Loki SOPRefireRule, orchestrator triage
# loop) can grep on. Mirrors PR#461's sweep-stale-e2e-orgs
# pattern. Runs AFTER the teardown safety net (which is
# if: always()) so failures don't suppress cleanup.
if: failure()
run: |
echo "::error::staging-smoke FAILED — staging SaaS canary is red. See prior step logs + the auto-filed alert issue. Common causes: (a) CP_STAGING_ADMIN_API_TOKEN secret missing/rotated, (b) staging-api.moleculesai.app 5xx, (c) MiniMax/Anthropic LLM key dead, (d) AMI/CF/WorkOS drift. The 30-min cron will retry, but a chronic red here indicates the staging SaaS stack is broken end-to-end."
exit 1

View File

@ -11,14 +11,11 @@ name: Staging verify
# - Workflow-level env.GITHUB_SERVER_URL pinned per
# feedback_act_runner_github_server_url.
# - `continue-on-error: true` on each job (RFC §1 contract).
# - ~~**Gitea workflow_run trigger limitation**~~ FIXED: replaced with
# push+paths filter per this PR. Gitea 1.22.6 does not support
# `workflow_run` (task #81). The push trigger fires on every
# commit to publish-workspace-server-image.yml. Removed the
# `workflow_run.conclusion==success` job-level `if` guard, since the
# push trigger doesn't carry completion state — the smoke test is the
# safety net (it will detect and abort on a bad image regardless).
# Added workflow_dispatch for manual runs.
# - **Gitea workflow_run trigger limitation**: Gitea 1.22.6's support
# for the `workflow_run` event is partial. If this never fires on a
# real publish-workspace-server-image completion, the follow-up
# triage PR should replace the trigger with a push-with-paths-filter
# on the same publish workflow's path (i.e. `.gitea/workflows/publish-workspace-server-image.yml`).
#
# Runs the canary smoke suite against the staging canary tenant fleet
@ -62,11 +59,9 @@ name: Staging verify
# are populated.
on:
push:
branches: [staging]
paths:
- '.gitea/workflows/publish-workspace-server-image.yml'
workflow_dispatch:
workflow_run:
workflows: ["publish-workspace-server-image"]
types: [completed]
permissions:
contents: read
packages: write
@ -83,6 +78,10 @@ env:
jobs:
staging-smoke:
# Skip when the upstream workflow failed — no image to test against.
# workflow_dispatch trigger dropped in this Gitea port; only the
# workflow_run path remains.
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true

View File

@ -1,121 +0,0 @@
# status-reaper — Option B (compensating-status POST) for Gitea 1.22.6's
# hardcoded `(push)` suffix on default-branch commit statuses.
#
# Tracking: molecule-core#? (this PR), internal#327 (sibling publish-runtime-bot),
# internal#328 (sibling mc-drift-bot), internal#80 (upstream RFC). Sister
# bots already deployed under the same per-persona-identity contract
# (`feedback_per_agent_gitea_identity_default`).
#
# Root cause:
# Gitea 1.22.6 emits commit-status context as
# `<workflow_name> / <job_name> (push)`
# for ANY workflow run on the default branch's HEAD commit, REGARDLESS
# of the trigger event. Schedule- and workflow_dispatch-triggered runs
# on `main` therefore appear as `(push)` failures on the latest main
# commit, painting main red via a fake-push status. Verified on runs
# 14525 + 14526 via Phase 1 evidence (3 sub-agents). No upstream fix
# in 1.23-1.26.1 (sibling a6f20db1 research).
#
# Why a cron-driven reaper, not workflow_run:
# Gitea 1.22.6 does NOT support `on: workflow_run` (verified via
# modules/actions/workflows.go enumeration; sister a6f20db1). The
# only event-shaped option that fires is cron. 5min is chosen to
# sit BETWEEN ci-required-drift (`:17` hourly) and main-red-watchdog
# (`:05` hourly) so the reaper sweeps red before the watchdog files
# a `[main-red]` issue (would-be false-positive).
#
# What the reaper does each tick:
# 1. Parse `.gitea/workflows/*.yml`, classify each by whether `on:`
# contains a `push:` trigger (see script for workflow_id resolution
# including `name:` collision and `/`-in-name fail-loud lints).
# 2. GET combined status for main HEAD.
# 3. For each `failure` status whose context ends ` (push)`:
# - if workflow has push trigger: PRESERVE (real defect signal).
# - if workflow has no push trigger: POST a compensating
# `state=success` with the same context and a description that
# documents the workaround.
#
# What it does NOT do:
# - Mutate non-`(push)`-suffix statuses (e.g. `(pull_request)` from
# branch_protections required-checks — verified safe 2026-05-11).
# - Auto-revert. Same reasoning as main-red-watchdog.
# - Cancel runs. The runs themselves stay visible in Actions UI; the
# fix is at the commit-status surface only.
#
# Removal path: drop this workflow when Gitea ≥ 1.24 ships with a
# real fix for the hardcoded-suffix bug. Audit issue (filed post-merge)
# tracks the deletion as a follow-up sweep.
name: status-reaper
# IMPORTANT — Gitea 1.22.6 parser quirk per
# `feedback_gitea_workflow_dispatch_inputs_unsupported`: do NOT add an
# `inputs:` block here. Gitea 1.22.6 rejects the whole workflow as
# "unknown on type" when `workflow_dispatch.inputs.X` is present.
on:
# SCHEDULE RE-ENABLED 2026-05-12 rev3 — interim disable (mc#645) reverted now that
# rev3 widens DEFAULT_SWEEP_LIMIT 10 → 30 (covers retroactive-failure timing window).
# Sibling watchdog re-enabled in the same PR with timeout-minutes raised 5 → 15.
schedule:
# Every 5 minutes. Off-zero alignment with sibling cron workflows:
# ci-required-drift (`:17`), main-red-watchdog (`:05`),
# railway-pin-audit (`:23`). 5-min cadence gives a tight enough
# close on schedule-triggered false-reds that main-red-watchdog
# (hourly :05) almost never files an issue on the false case.
# rev3 keeps `*/5` unchanged per hongming-pc2 03:25Z review:
# "trades window-width-cheap for cadence-loady" — N=30 widens
# the lookback cheaply without doubling runner load via `*/2`.
- cron: '*/5 * * * *'
workflow_dispatch:
# Compensating-status POST needs write on repo statuses; no other
# write surface is touched. checkout still needs `contents: read`.
permissions:
contents: read
# NOTE: NO `concurrency:` block is intentional.
# Gitea 1.22.6 doesn't honor `cancel-in-progress: false`: queued ticks
# of the same group get cancelled-with-started=0 instead of waiting
# (DB-verified 2026-05-12, runs 16053/16085 of status-reaper.yml).
# The reaper's POST /statuses/{sha} is idempotent — Gitea de-dups by
# context — so concurrent ticks are safe; accept them rather than
# serialise via the broken mechanism.
jobs:
reap:
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- name: Check out repo at default-branch HEAD
# BASE checkout per `feedback_pull_request_target_workflow_from_base`.
# The script reads .gitea/workflows/*.yml from the working tree to
# classify trigger sets; we must read main's CURRENT state, not
# the SHA a stale schedule fired against.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.repository.default_branch }}
- name: Set up Python (PyYAML for workflow `on:` parse)
# Pinned to 3.12 to match sibling watchdog / ci-required-drift.
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.12'
- name: Install PyYAML
# PyYAML is needed because shell-grep on `on:` misses list/string
# forms and nested `push: { paths: ... }`. Same install pattern
# as ci-required-drift.yml (sub-2s install, no wheel cache).
run: python -m pip install --quiet 'PyYAML==6.0.2'
- name: Compensate operational push-suffix failures on main
env:
# claude-status-reaper persona token; provisioned by sibling
# aefaac1b 2026-05-11. Owns write:repository scope to POST
# /statuses/{sha} but NOTHING ELSE
# (`feedback_per_agent_gitea_identity_default`).
GITEA_TOKEN: ${{ secrets.STATUS_REAPER_TOKEN }}
GITEA_HOST: git.moleculesai.app
REPO: ${{ github.repository }}
WATCH_BRANCH: ${{ github.event.repository.default_branch }}
WORKFLOWS_DIR: .gitea/workflows
run: python3 .gitea/scripts/status-reaper.py

View File

@ -29,15 +29,13 @@ name: Sweep stale AWS Secrets Manager secrets
# reconciler enumerator) is filed as a separate controlplane
# issue. This sweeper is the immediate cost-relief stopgap.
#
# AWS credentials: the confirmed Gitea secrets are AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY (the molecule-cp IAM user). These are the same
# credentials used by the rest of the platform. The dedicated
# AWS_JANITOR_* naming (which the original GitHub workflow used) was
# never populated in Gitea — the existing secrets are AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY (per issue #425 §425 audit). These DO have
# secretsmanager:ListSecrets (the production molecule-cp principal);
# if ListSecrets is revoked in future, a dedicated janitor principal
# would need to be created and the Gitea secret names updated here.
# IAM principal: AWS_JANITOR_ACCESS_KEY_ID / AWS_JANITOR_SECRET_ACCESS_KEY.
# This is a DEDICATED principal — the production `molecule-cp` IAM
# user lacks `secretsmanager:ListSecrets` (it only has
# Get/Create/Update/Delete on specific resources, scoped to its
# operational needs). The janitor needs ListSecrets across the
# `molecule/tenant/*` prefix, which warrants a separate principal so
# we don't broaden the prod-CP policy.
#
# Safety: the script's MAX_DELETE_PCT gate (default 50%, mirroring
# sweep-cf-orphans.yml — tenant secrets are durable by design, unlike
@ -73,8 +71,8 @@ jobs:
timeout-minutes: 30
env:
AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_JANITOR_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_JANITOR_SECRET_ACCESS_KEY }}
CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
MAX_DELETE_PCT: ${{ github.event.inputs.max_delete_pct || '50' }}
@ -101,11 +99,13 @@ jobs:
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
echo "::warning::skipping sweep — secrets not configured: ${missing[*]}"
echo "::warning::set them at Settings → Secrets and Variables → Actions, then rerun."
echo "::warning::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/* (the prod molecule-cp principal lacks ListSecrets)."
echo "skip=true" >> "$GITHUB_OUTPUT"
exit 0
fi
echo "::error::sweep cannot run — required secrets missing: ${missing[*]}"
echo "::error::set them at Settings → Secrets and Variables → Actions, or disable this workflow."
echo "::error::AWS_JANITOR_* must belong to a principal with secretsmanager:ListSecrets and secretsmanager:DeleteSecret on molecule/tenant/*."
exit 1
fi
echo "All required secrets present ✓"

View File

@ -33,11 +33,6 @@ name: Sweep stale Cloudflare DNS records
# gate halts before damage. Decision-function unit tests in
# scripts/ops/test_sweep_cf_decide.py (#2027) cover the rule
# classifier.
#
# Secrets: CF_API_TOKEN, CF_ZONE_ID, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# are confirmed existing per issue #425 §425 audit. CP_ADMIN_API_TOKEN and
# CP_STAGING_ADMIN_API_TOKEN are unconfirmed — if missing, the verify step
# (schedule → hard-fail, dispatch → soft-skip) surfaces it clearly.
on:
schedule:

View File

@ -28,11 +28,6 @@ name: Sweep stale Cloudflare Tunnels
# Safety: the script's MAX_DELETE_PCT gate (default 90% — higher than
# the DNS sweep's 50% because tenant-shaped tunnels are mostly
# orphans by design) refuses to nuke past the threshold.
#
# Secrets: CF_API_TOKEN, CF_ACCOUNT_ID are confirmed existing per
# issue #425 §425 audit. CP_ADMIN_API_TOKEN and CP_STAGING_ADMIN_API_TOKEN
# are unconfirmed — if missing, the verify step (schedule → hard-fail,
# dispatch → soft-skip) surfaces it clearly.
on:
schedule:

View File

@ -63,21 +63,12 @@ jobs:
sweep:
name: Sweep e2e orgs
runs-on: ubuntu-latest
# NOTE: Phase 3 (RFC #219 §1) `continue-on-error: true` removed
# 2026-05-11. The "surface broken workflows without blocking"
# rationale was correctly applied to advisory/lint workflows but
# wrong for this janitor — silent failure here masks real-money
# tenant leaks. Hongming observed 15 leaked EC2 in molecule-canary
# (004947743811) us-east-2 at 11:05Z 2026-05-11 because the sweep
# had been exiting 2 every tick and the failure was swallowed.
# See `feedback_strict_root_only_after_class_a` — critical janitors
# must fail loud. A follow-up `notify-failure` step below also
# surfaces breakage to ops even if branch-protection wiring is
# adjusted to keep this off the required-checks list.
# Phase 3 (RFC #219 §1): surface broken workflows without blocking.
continue-on-error: true
timeout-minutes: 15
env:
MOLECULE_CP_URL: https://staging-api.moleculesai.app
ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
ADMIN_TOKEN: ${{ secrets.MOLECULE_STAGING_ADMIN_TOKEN }}
MAX_AGE_MINUTES: ${{ github.event.inputs.max_age_minutes || '30' }}
DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
# Refuse to delete more than this many orgs in one tick. If the
@ -90,7 +81,7 @@ jobs:
- name: Verify admin token present
run: |
if [ -z "$ADMIN_TOKEN" ]; then
echo "::error::CP_STAGING_ADMIN_API_TOKEN not set"
echo "::error::MOLECULE_STAGING_ADMIN_TOKEN not set"
exit 2
fi
echo "Admin token present ✓"
@ -251,17 +242,3 @@ jobs:
if: env.DRY_RUN == 'true'
run: |
echo "DRY RUN — would have deleted ${{ steps.identify.outputs.count }} org(s) AND triggered orphan-tunnels cleanup. Re-run with dry_run=false to actually delete."
- name: Notify on sweep failure
# Fail-loud companion to dropping `continue-on-error: true`.
# If any prior step failed (missing token, CP 5xx, safety-cap
# tripped, etc.) emit a clearly-tagged ::error:: line so the
# Gitea runs UI + any log-tail consumer (Loki SOPRefireRule)
# flags this. Without this step, an early `exit 2` shows as a
# red run but the message can scroll past in busy log windows;
# the explicit tag here is greppable from the orchestrator
# triage loop.
if: failure()
run: |
echo "::error::sweep-stale-e2e-orgs FAILED — staging tenants are LEAKING. See prior step logs. Common causes: (a) CP_STAGING_ADMIN_API_TOKEN secret missing/rotated, (b) staging-api.moleculesai.app 5xx, (c) safety-cap tripped (CP admin API returning malformed orgs). Manual cleanup of leaked EC2 + DNS may be required while this is broken."
exit 1

View File

@ -1,120 +0,0 @@
name: Weekly Platform-Go Surface
# Surface latent vet/test errors on main by running the full Platform-Go
# suite on a weekly cron regardless of whether the last push touched
# workspace-server/.
#
# Background: ci.yml's `platform-build` job gates real work on
# `if: needs.changes.outputs.platform == 'true'`. When no push touches
# workspace-server/, the skip fires and the suite never executes on main.
# Latent vet errors and test flakes can sit for weeks undetected.
#
# This workflow runs the full suite (build, vet, golangci-lint, tests with
# coverage) every Monday at 04:17 UTC. Results are posted as commit statuses
# but continue-on-error: true means they never block anything — they're
# purely a noise-reduction signal for when the next workspace-server push
# lands and would otherwise trigger the first real suite run.
#
# Why 04:17 UTC on Monday: off-peak, before the weekly sprint cycle starts.
on:
schedule:
- cron: '17 4 * * 1' # Mondays at 04:17 UTC
workflow_dispatch:
permissions:
contents: read
statuses: write
jobs:
weekly-platform-go:
name: Weekly Platform-Go Surface
runs-on: ubuntu-latest
# continue-on-error: surface only, never block
continue-on-error: true
defaults:
run:
working-directory: workspace-server
steps:
- name: Checkout main
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: main
fetch-depth: 1
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: stable
- name: Go mod download
run: go mod download
- name: Build
run: go build ./cmd/server
# `go vet` is NOT `|| true`-guarded: surfacing latent vet errors on main is
# the whole point of this workflow (issue #567 — the motivating case was a
# `go vet` error in org_external.go that sat undetected on main for weeks).
# A vet error here fails the step → fails the job → shows red on the weekly
# commit. Per Gitea quirk #10 (job-level continue-on-error is ignored), that
# red surfaces on main — which is the intended signal, not a regression.
- name: go vet
run: go vet ./...
# golangci-lint stays `|| true`-guarded: lint is noisier (more false-
# positives than vet) and golangci-lint may not be pre-installed on every
# runner image — a `|| true` here keeps a missing-binary or lint-noise case
# from masking the vet/test signal above. Tighten to match ci.yml's lint
# gate if/when ci.yml's lint step becomes hard-failing.
- name: golangci-lint
run: golangci-lint run --timeout 3m ./... || true
- name: Tests with race detection + coverage
run: go test -race -coverprofile=coverage.out ./...
- name: Check coverage thresholds
run: |
set -e
TOTAL_FLOOR=25
CRITICAL_PATHS=(
"internal/handlers/tokens"
"internal/handlers/workspace_provision"
"internal/handlers/a2a_proxy"
"internal/handlers/registry"
"internal/handlers/secrets"
"internal/middleware/wsauth"
"internal/crypto"
)
TOTAL=$(go tool cover -func=coverage.out | grep '^total:' | awk '{print $3}' | sed 's/%//')
echo "Total coverage: ${TOTAL}%"
if awk "BEGIN{exit !(\$TOTAL < \$TOTAL_FLOOR)}"; then
echo "::error::Total coverage \${TOTAL}% is below the \${TOTAL_FLOOR}% floor."
exit 1
fi
ALLOWLIST=""
if [ -f ../.coverage-allowlist.txt ]; then
ALLOWLIST=$(grep -vE '^(#|[[:space:]]*$)' ../.coverage-allowlist.txt || true)
fi
FAILED=0
for path in "\${CRITICAL_PATHS[@]}"; do
while read -r file pct; do
[[ "$file" == *_test.go ]] && continue
[[ "$file" == *"$path"* ]] || continue
awk "BEGIN{exit !(\$pct < 10)}" || continue
rel=$(echo "$file" | sed 's|^github.com/molecule-ai/molecule-monorepo/platform/workspace-server/||; s|^github.com/molecule-ai/molecule-monorepo/platform/||')
if echo "$ALLOWLIST" | grep -qxF "$rel"; then
continue
fi
echo "::error::Low coverage \${pct}% on \${rel} (below 10% in critical path \${path})"
FAILED=$((FAILED + 1))
done < <(go tool cover -func=coverage.out | grep -v '^total:' | awk '{file=$1; sub(/:[0-9][0-9.]*:.*/, "", file); pct=$NF; gsub(/%/,"",pct); s[file]+=pct; c[file]++} END {for (f in s) printf "%s %.1f\n", f, s[f]/c[f]}' | sort)
done
if [ "$FAILED" -gt 0 ]; then
echo "::error::\${FAILED} critical paths below 10% coverage — see above."
exit 1
fi
echo "Coverage thresholds: OK"

View File

@ -1 +0,0 @@
staging trigger

View File

@ -156,16 +156,6 @@ and run CI manually.
| python-lint | pytest with coverage |
| e2e-api | Full API test suite (62 tests) |
| shellcheck | Shell script linting |
| review-check-tests | `review-check.sh` evaluator regression suite (13 scenarios) |
| ops-scripts | Python unittest suite for `scripts/*.py` |
## Local Testing
### review-check.sh
```bash
bash .gitea/scripts/tests/test_review_check.sh
```
Runs the full regression suite against a fixture HTTP server. No network access required.
## Code Style

View File

@ -91,19 +91,16 @@ export function SearchDialog() {
if (!open) return null;
return (
<div className="fixed inset-0 z-[70] flex items-start justify-center pt-[20vh]">
{/* Backdrop — interactive dismiss area; aria-hidden so screen readers ignore it */}
<div
className="absolute inset-0 bg-black/50 backdrop-blur-sm cursor-pointer"
onClick={() => setOpen(false)}
aria-hidden="true"
/>
{/* Dialog */}
<div
className="fixed inset-0 z-[70] flex items-start justify-center pt-[20vh] bg-black/50 backdrop-blur-sm"
onClick={() => setOpen(false)}
>
<div
role="dialog"
aria-modal="true"
aria-label="Search workspaces"
className="relative z-[71] w-[420px] bg-surface/95 backdrop-blur-xl border border-line/60 rounded-2xl shadow-2xl shadow-black/50 overflow-hidden"
className="w-[420px] bg-surface/95 backdrop-blur-xl border border-line/60 rounded-2xl shadow-2xl shadow-black/50 overflow-hidden"
onClick={(e) => e.stopPropagation()}
>
{/* Search input */}
<div className="flex items-center gap-3 px-4 py-3 border-b border-line/40">

View File

@ -96,7 +96,6 @@ export function WorkspaceNode({ id, data }: NodeProps<Node<WorkspaceNodeData>>)
<div
role="button"
tabIndex={0}
data-testid="workspace-node"
aria-label={
isMisconfigured && configurationError
? `${data.name} workspace — agent not configured: ${configurationError}`

View File

@ -5,22 +5,20 @@
* Covers: renders nothing when no approvals, polls /approvals/pending,
* shows approval cards, approve/deny decisions, toast notifications.
*
* Uses vi.hoisted + vi.mock (file-level) for @/lib/api. vi.resetModules()
* in every afterEach undoes the mock so other test files that import the
* real api module (e.g. socket.url.test.ts) are unaffected.
* Note: does NOT mock @/lib/api — uses vi.spyOn on the real module.
* vi.restoreAllMocks() is omitted from afterEach so queued mock values
* (set up via mockResolvedValueOnce in beforeEach) are preserved for the
* component's useEffect to consume.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
import { ApprovalBanner } from "../ApprovalBanner";
import { showToast } from "@/components/Toaster";
import { api } from "@/lib/api";
// ─── Hoisted mock refs ─────────────────────────────────────────────────────────
// vi.hoisted runs in the same hoisting phase as vi.mock factories, so these
// refs are stable across all tests and available inside the mock factory.
const { mockApiGet, mockApiPost } = vi.hoisted(() => ({
mockApiGet: vi.fn<(args: unknown[]) => Promise<unknown>>(),
mockApiPost: vi.fn<(args: unknown[]) => Promise<unknown>>(),
vi.mock("@/components/Toaster", () => ({
showToast: vi.fn(),
}));
// ─── Helpers ──────────────────────────────────────────────────────────────────
@ -43,42 +41,27 @@ const pendingApproval = (id = "a1", workspaceId = "ws-1"): {
created_at: "2026-05-10T10:00:00Z",
});
// ─── Static mocks (file-level — no other test needs the real modules) ─────────
// Shared spy reference so individual tests can call mockGet.mockRestore()
// without needing to pass it through beforeEach → it scope chain.
let mockGet: ReturnType<typeof vi.spyOn>;
vi.mock("@/components/Toaster", () => ({
showToast: vi.fn(),
}));
// vi.resetModules() in afterEach undoes this mock so other files that import
// the real api module are unaffected.
vi.mock("@/lib/api", () => ({
api: {
get: mockApiGet,
post: mockApiPost,
},
}));
// ─── Tests ─────────────────────────────────────────────────────────────────────
// ─── Tests ────────────────────────────────────────────────────────────────────
describe("ApprovalBanner — empty state", () => {
beforeEach(() => {
vi.useFakeTimers();
mockApiGet.mockReset().mockResolvedValue([]);
mockApiPost.mockReset().mockResolvedValue({});
vi.spyOn(api, "get").mockResolvedValueOnce([]);
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
vi.resetModules();
});
it("renders nothing when there are no pending approvals", async () => {
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
expect(screen.queryByRole("alert")).toBeNull();
expect(mockApiGet).toHaveBeenCalled();
});
it("does not render any approve/deny buttons when list is empty", async () => {
@ -92,40 +75,41 @@ describe("ApprovalBanner — empty state", () => {
describe("ApprovalBanner — renders approval cards", () => {
beforeEach(() => {
vi.useFakeTimers();
mockApiGet.mockReset().mockResolvedValue([
mockGet = vi.spyOn(api, "get").mockResolvedValueOnce([
pendingApproval("a1"),
pendingApproval("a2", "ws-2"),
]);
mockApiPost.mockReset().mockResolvedValue({});
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
vi.resetModules();
});
it("renders an alert card for each pending approval", async () => {
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
expect(screen.getAllByRole("alert")).toHaveLength(2);
const alerts = screen.getAllByRole("alert");
expect(alerts).toHaveLength(2);
mockGet.mockRestore();
});
it("displays the workspace name and action text", async () => {
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
expect(screen.getAllByText(/test workspace needs approval/i)).toHaveLength(2);
const nameEls = screen.getAllByText(/test workspace needs approval/i);
expect(nameEls).toHaveLength(2);
});
it("displays the reason when present", async () => {
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
expect(screen.getAllByText(/requires human approval/i)).toHaveLength(2);
const reasons = screen.getAllByText(/requires human approval/i);
expect(reasons).toHaveLength(2);
});
it("omits the reason div when reason is null", async () => {
mockApiGet.mockReset().mockResolvedValue([{
vi.spyOn(api, "get").mockResolvedValueOnce([{
...pendingApproval("a1"),
reason: null,
}]);
@ -139,6 +123,7 @@ describe("ApprovalBanner — renders approval cards", () => {
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
const approveBtns = screen.getAllByRole("button", { name: /Approve/i });
const denyBtns = screen.getAllByRole("button", { name: /Deny/i });
// 2 cards, each card has 1 Approve + 1 Deny button → 2 of each minimum
expect(approveBtns.length).toBeGreaterThanOrEqual(2);
expect(denyBtns.length).toBeGreaterThanOrEqual(2);
});
@ -146,22 +131,21 @@ describe("ApprovalBanner — renders approval cards", () => {
it("has aria-live=assertive on the alert container", async () => {
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
expect(screen.getAllByRole("alert")[0].getAttribute("aria-live")).toBe("assertive");
const alert = screen.getAllByRole("alert")[0];
expect(alert.getAttribute("aria-live")).toBe("assertive");
});
});
describe("ApprovalBanner — decisions", () => {
beforeEach(() => {
vi.useFakeTimers();
mockApiGet.mockReset().mockResolvedValue([pendingApproval("a1")]);
mockApiPost.mockReset().mockResolvedValue({});
vi.spyOn(api, "get").mockResolvedValueOnce([pendingApproval("a1")]);
vi.spyOn(api, "post").mockResolvedValue({});
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
vi.resetModules();
});
it("calls POST /workspaces/:id/approvals/:id/decide on Approve click", async () => {
@ -169,7 +153,7 @@ describe("ApprovalBanner — decisions", () => {
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
await act(async () => { /* flush */ });
expect(mockApiPost).toHaveBeenCalledWith(
expect(vi.mocked(api.post)).toHaveBeenCalledWith(
"/workspaces/ws-1/approvals/a1/decide",
expect.objectContaining({ decision: "approved" })
);
@ -180,7 +164,7 @@ describe("ApprovalBanner — decisions", () => {
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
fireEvent.click(screen.getAllByRole("button", { name: /deny/i })[0]);
await act(async () => { /* flush */ });
expect(mockApiPost).toHaveBeenCalledWith(
expect(vi.mocked(api.post)).toHaveBeenCalledWith(
"/workspaces/ws-1/approvals/a1/decide",
expect.objectContaining({ decision: "denied" })
);
@ -212,10 +196,7 @@ describe("ApprovalBanner — decisions", () => {
});
it("shows an error toast when POST fails", async () => {
// mockImplementation preserves the vi.fn() wrapper (unlike mockReset() which
// strips it and causes the real fetch() to fire — the root cause of the
// original flakiness in this file).
mockApiPost.mockImplementation(() => Promise.reject(new Error("Network error")));
vi.mocked(api.post).mockRejectedValueOnce(new Error("Network error"));
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
@ -227,9 +208,8 @@ describe("ApprovalBanner — decisions", () => {
});
it("keeps the card visible when the POST fails", async () => {
// Same mockImplementation pattern — preserves the wrapper so the component's
// catch block runs instead of the real fetch().
mockApiPost.mockImplementation(() => Promise.reject(new Error("Network error")));
// Use mockRejectedValueOnce on the same spy as beforeEach (don't call spyOn again)
vi.mocked(api.post).mockRejectedValueOnce(new Error("Network error"));
render(<ApprovalBanner />);
await act(async () => { await vi.runOnlyPendingTimersAsync(); });
fireEvent.click(screen.getAllByRole("button", { name: /approve/i })[0]);
@ -241,15 +221,12 @@ describe("ApprovalBanner — decisions", () => {
describe("ApprovalBanner — handles empty list from server", () => {
beforeEach(() => {
vi.useFakeTimers();
mockApiGet.mockReset().mockResolvedValue([]);
mockApiPost.mockReset().mockResolvedValue({});
vi.spyOn(api, "get").mockResolvedValueOnce([]);
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
vi.resetModules();
});
it("shows nothing when the API returns an empty array on first poll", async () => {

View File

@ -1,370 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for EmptyState — the full-canvas welcome card shown on first load.
*
* Covers:
* - Loading state (GET /templates in flight)
* - Fetch failure → empty template grid (templates = [])
* - Template grid renders with correct content
* - Template button disabled while deploying
* - "Deploying..." label on the button being deployed
* - "Create blank" button POSTs /workspaces
* - "Creating..." label while blank workspace is being created
* - Blank create error shows error banner
* - Error banner has role="alert"
* - All buttons disabled while any deploy is in-flight
* - handleDeployed fires after 500ms delay
*
* Uses vi.hoisted + vi.mock to fully isolate the api module, matching
* the pattern established in ApprovalBanner, MemoryTab, and ScheduleTab tests.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { EmptyState } from "../EmptyState";
// ─── Hoisted mock refs ─────────────────────────────────────────────────────────
// vi.hoisted runs in the same hoisting phase as vi.mock factories, so all refs
// are available both to the factory and to test bodies.
const { mockApiGet, mockApiPost } = vi.hoisted(() => ({
mockApiGet: vi.fn<(args: unknown[]) => Promise<unknown>>(),
mockApiPost: vi.fn<(args: unknown[]) => Promise<{ id: string }>>(),
}));
// Mutable deploy state — object reference is const; properties can be mutated.
const _deploy = vi.hoisted(() => ({
deployFn: vi.fn(),
deploying: undefined as string | undefined,
error: undefined as string | undefined,
modal: null as React.ReactNode,
}));
const { mockSelectNode, mockSetPanelTab } = vi.hoisted(() => ({
mockSelectNode: vi.fn(),
mockSetPanelTab: vi.fn(),
}));
// ─── Mocks ────────────────────────────────────────────────────────────────────
vi.mock("@/lib/api", () => ({
api: {
get: mockApiGet,
post: mockApiPost,
},
}));
vi.mock("@/hooks/useTemplateDeploy", () => ({
useTemplateDeploy: () => ({
deploy: _deploy.deployFn,
deploying: _deploy.deploying,
error: _deploy.error,
modal: _deploy.modal,
}),
}));
vi.mock("@/store/canvas", () => ({
useCanvasStore: Object.assign(
vi.fn((selector: (s: { getState: () => { selectNode: typeof mockSelectNode; setPanelTab: typeof mockSetPanelTab } }) => unknown) =>
selector({
getState: () => ({
selectNode: mockSelectNode,
setPanelTab: mockSetPanelTab,
}),
})
),
{ getState: () => ({ selectNode: mockSelectNode, setPanelTab: mockSetPanelTab }) }
),
}));
vi.mock("../TemplatePalette", () => ({
OrgTemplatesSection: () => null,
}));
vi.mock("../Spinner", () => ({
Spinner: () => <span data-testid="spinner"></span>,
}));
vi.mock("@/lib/design-tokens", () => ({
TIER_CONFIG: {
1: { label: "T1", color: "text-ink-mid bg-surface-card border border-line", border: "text-ink-mid border-line" },
2: { label: "T2", color: "text-white bg-accent border border-accent-strong", border: "text-accent border-accent" },
3: { label: "T3", color: "text-white bg-violet-600 border border-violet-700", border: "text-violet-600 border-violet-500" },
4: { label: "T4", color: "text-white bg-warm border border-warm", border: "text-warm border-warm" },
},
}));
// ─── Fixtures ─────────────────────────────────────────────────────────────────
const TEMPLATE = {
id: "tpl-1",
name: "Claude Code Agent",
description: "A general-purpose coding assistant",
tier: 2,
skill_count: 3,
model: "claude-opus-4-5",
};
function template(overrides: Partial<typeof TEMPLATE> = {}): typeof TEMPLATE {
return { ...TEMPLATE, ...overrides };
}
// ─── Helpers ───────────────────────────────────────────────────────────────────
function renderEmpty() {
return render(<EmptyState />);
}
// Flush React state + microtasks after an act boundary.
async function flush() {
await act(async () => { await Promise.resolve(); });
}
// Reset deploy state to defaults before each test.
function resetDeployState() {
_deploy.deployFn.mockReset();
_deploy.deploying = undefined;
_deploy.error = undefined;
_deploy.modal = null;
}
// ─── Tests ─────────────────────────────────────────────────────────────────────
describe("EmptyState — loading", () => {
beforeEach(() => {
mockApiGet.mockReset().mockImplementation(
() => new Promise(() => {}) // never resolves
);
});
afterEach(() => {
cleanup();
vi.restoreAllMocks();
});
it("shows loading state while GET /templates is pending", async () => {
renderEmpty();
await flush();
expect(screen.getByTestId("spinner")).toBeTruthy();
expect(screen.getByText("Loading templates...")).toBeTruthy();
});
// "create blank" is rendered outside the loading/template-grid conditional,
// so it is always visible — adjust expectation accordingly.
it("renders 'create blank' button during loading", async () => {
renderEmpty();
await flush();
expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
});
it("does not render template buttons while loading", async () => {
renderEmpty();
await flush();
expect(screen.queryByText("Claude Code Agent")).toBeNull();
});
});
describe("EmptyState — templates", () => {
beforeEach(() => {
mockApiGet.mockReset().mockResolvedValue([template()]);
resetDeployState();
});
afterEach(() => {
cleanup();
vi.restoreAllMocks();
});
it("renders the welcome heading", async () => {
renderEmpty();
await flush();
expect(screen.getByText("Deploy your first agent")).toBeTruthy();
});
it("renders template buttons with name and description", async () => {
renderEmpty();
await flush();
expect(screen.getByText("Claude Code Agent")).toBeTruthy();
expect(screen.getByText("A general-purpose coding assistant")).toBeTruthy();
});
it("renders tier badge and skill count", async () => {
renderEmpty();
await flush();
expect(screen.getByText("T2")).toBeTruthy();
// skill_count renders as "3 skills · <model>"
expect(screen.getByText(/^3 skills/)).toBeTruthy();
});
it("renders model name when present", async () => {
renderEmpty();
await flush();
expect(screen.getByText(/claude-opus/i)).toBeTruthy();
});
it("calls deploy with the template on click", async () => {
renderEmpty();
await flush();
fireEvent.click(screen.getByText("Claude Code Agent"));
expect(_deploy.deployFn).toHaveBeenCalledWith(template());
});
it("shows 'Deploying...' on the button of the template being deployed", async () => {
_deploy.deploying = "tpl-1";
renderEmpty();
await flush();
expect(screen.getByText("Deploying...")).toBeTruthy();
});
it("disables the template button of the deploying template", async () => {
_deploy.deploying = "tpl-1";
renderEmpty();
await flush();
const btn = screen.getByText("Deploying...").closest("button") as HTMLButtonElement;
expect(btn.disabled).toBe(true);
});
it("disables 'create blank' while a template is deploying", async () => {
_deploy.deploying = "tpl-1";
renderEmpty();
await flush();
expect(screen.getByRole("button", { name: "+ Create blank workspace" }).disabled).toBe(true);
});
});
describe("EmptyState — fetch failure / empty templates", () => {
beforeEach(() => {
mockApiGet.mockReset().mockResolvedValue([]);
resetDeployState();
});
afterEach(() => {
cleanup();
vi.restoreAllMocks();
});
it("does not render template grid when GET /templates returns []", async () => {
renderEmpty();
await flush();
expect(screen.queryByText("Claude Code Agent")).toBeNull();
});
it("renders 'create blank' button when templates list is empty", async () => {
renderEmpty();
await flush();
expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
});
it("does not render template grid when GET /templates rejects", async () => {
mockApiGet.mockReset().mockRejectedValue(new Error("Network failure"));
renderEmpty();
await flush();
expect(screen.queryByText("Claude Code Agent")).toBeNull();
});
});
describe("EmptyState — create blank", () => {
beforeEach(() => {
mockApiGet.mockReset().mockResolvedValue([template()]);
mockApiPost.mockReset().mockResolvedValue({ id: "ws-new" });
resetDeployState();
vi.useFakeTimers();
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
});
it("calls POST /workspaces on 'create blank' click", async () => {
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); });
expect(mockApiPost).toHaveBeenCalledWith(
"/workspaces",
expect.objectContaining({ name: "My First Agent" })
);
});
it("shows 'Creating...' while blank workspace POST is pending", async () => {
mockApiPost.mockReset().mockImplementation(
() => new Promise(() => {}) // never resolves
);
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); });
expect(screen.getByRole("button", { name: "Creating..." })).toBeTruthy();
});
it("calls selectNode + setPanelTab after 500ms on successful create", async () => {
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); }); // flush POST
await act(async () => { vi.advanceTimersByTime(500); });
expect(mockSelectNode).toHaveBeenCalledWith("ws-new");
expect(mockSetPanelTab).toHaveBeenCalledWith("chat");
});
it("disables template buttons while creating blank workspace", async () => {
mockApiPost.mockReset().mockImplementation(
() => new Promise(() => {}) // never resolves
);
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); });
expect((screen.getByText("Claude Code Agent").closest("button") as HTMLButtonElement).disabled).toBe(true);
});
it("shows error banner when POST /workspaces fails", async () => {
mockApiPost.mockReset().mockRejectedValue(new Error("Server error"));
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); });
expect(screen.getByRole("alert")).toBeTruthy();
expect(screen.getByText(/server error/i)).toBeTruthy();
});
it("clears 'Creating...' and shows button again after POST failure", async () => {
mockApiPost.mockReset().mockRejectedValue(new Error("Server error"));
renderEmpty();
await flush();
fireEvent.click(screen.getByRole("button", { name: "+ Create blank workspace" }));
await act(async () => { await Promise.resolve(); });
// After rejection, blankCreating = false → button reverts to default label
expect(screen.getByRole("button", { name: "+ Create blank workspace" })).toBeTruthy();
});
});
describe("EmptyState — error banner", () => {
beforeEach(() => {
mockApiGet.mockReset().mockResolvedValue([template()]);
resetDeployState();
vi.useFakeTimers();
});
afterEach(() => {
cleanup();
vi.useRealTimers();
vi.restoreAllMocks();
});
it("has role=alert on the error banner", async () => {
_deploy.error = "Template deploy failed";
renderEmpty();
await flush();
const alert = screen.getByRole("alert");
expect(alert).toBeTruthy();
expect(alert.textContent).toContain("Template deploy failed");
});
it("does not show error banner when no errors", async () => {
renderEmpty();
await flush();
expect(screen.queryByRole("alert")).toBeNull();
});
});

View File

@ -1,237 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for ExternalConnectModal — the modal surfaced after creating a
* runtime="external" workspace. Surfaces workspace_auth_token + ready-to-paste
* snippets so the operator can configure their off-host agent.
*
* Coverage:
* - Renders nothing when info=null
* - Opens dialog when info is provided
* - Default tab: "Universal MCP" when universal_mcp_snippet present, else "Python SDK"
* - Tab switching between all available tabs
* - Snippets show with auth_token replacing placeholders
* - Copy button: calls clipboard API, shows "Copied!", clears after 1.5s
* - Copy failure: shows fallback textarea
* - "I've saved it — close" calls onClose
* - Security warning: one-time token display
* - Fields tab shows raw values
* - Tabs hidden when their snippet is absent
*
* Fake timers: applied per-describe to avoid mixing with waitFor. Tests that
* use waitFor (which needs real timers) run without fake timers. Tests that
* verify setTimeout behavior use vi.useFakeTimers() + act(vi.advanceTimersByTime).
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import {
ExternalConnectModal,
type ExternalConnectionInfo,
} from "../ExternalConnectModal";
const defaultInfo: ExternalConnectionInfo = {
workspace_id: "ws-123",
platform_url: "https://app.example.com",
auth_token: "secret-auth-token-abc",
registry_endpoint: "https://app.example.com/api/a2a/register",
heartbeat_endpoint: "https://app.example.com/api/a2a/heartbeat",
// Placeholders must EXACTLY match what the component searches for in
// the string.replace() calls (the component does NOT normalise whitespace).
// Python: 'AUTH_TOKEN = "...' (4 spaces), curl: WORKSPACE_AUTH_TOKEN="<paste>" (with quotes),
// MCP/Hermes: MOLECULE_WORKSPACE_TOKEN="...", Codex: same with 1 space.
curl_register_template:
`curl -X POST https://app.example.com/api/a2a/register \\
-H "Content-Type: application/json" \\
-d '{"auth_token": "WORKSPACE_AUTH_TOKEN=\"<paste from create response>\"", ...}'`,
python_snippet:
'AUTH_TOKEN = "<paste from create response>"\nAPI_URL = "https://app.example.com"',
universal_mcp_snippet:
'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
hermes_channel_snippet:
'MOLECULE_WORKSPACE_TOKEN="<paste from create response>"',
codex_snippet: 'MOLECULE_WORKSPACE_TOKEN = "<paste from create response>"',
openclaw_snippet: 'WORKSPACE_TOKEN="<paste from create response>"',
};
// ─── Clipboard mock helpers ────────────────────────────────────────────────────
let clipboardWriteText = vi.fn();
beforeEach(() => {
clipboardWriteText.mockReset().mockResolvedValue(undefined);
Object.defineProperty(navigator, "clipboard", {
value: { writeText: clipboardWriteText },
configurable: true,
writable: true,
});
});
afterEach(() => {
cleanup();
vi.useRealTimers();
});
// ─── Helpers ──────────────────────────────────────────────────────────────────
function renderModal(info: ExternalConnectionInfo | null) {
return render(
<ExternalConnectModal info={info} onClose={vi.fn()} />,
);
}
// Flush React + Radix portal updates synchronously so the dialog is in the DOM.
function renderAndFlush(info: ExternalConnectionInfo | null) {
const result = renderModal(info);
act(() => {});
return result;
}
// ─── Tests ────────────────────────────────────────────────────────────────────
describe("ExternalConnectModal — render conditions", () => {
it("renders nothing when info is null", () => {
renderModal(null);
expect(document.body.textContent).toBe("");
});
it("renders the dialog when info is provided", () => {
renderAndFlush(defaultInfo);
expect(screen.queryByRole("dialog")).toBeTruthy();
});
it("shows the security warning about one-time token display", () => {
renderAndFlush(defaultInfo);
expect(screen.getByText(/only once/i)).toBeTruthy();
});
});
describe("ExternalConnectModal — default tab selection", () => {
it("opens the Universal MCP tab by default when universal_mcp_snippet is present", () => {
renderAndFlush(defaultInfo);
const mcpTab = screen.getByRole("tab", { name: /universal mcp/i });
expect(mcpTab.getAttribute("aria-selected")).toBe("true");
});
it("opens the Python SDK tab by default when universal_mcp_snippet is absent", () => {
renderAndFlush({ ...defaultInfo, universal_mcp_snippet: undefined });
const pythonTab = screen.getByRole("tab", { name: /python sdk/i });
expect(pythonTab.getAttribute("aria-selected")).toBe("true");
});
it("tab order: Universal MCP appears before Python SDK when both exist", () => {
renderAndFlush(defaultInfo);
const tabs = screen.getAllByRole("tab");
const mcpIndex = tabs.findIndex((t) => t.textContent?.includes("Universal MCP"));
const pythonIndex = tabs.findIndex((t) => t.textContent?.includes("Python SDK"));
expect(mcpIndex).toBeLessThan(pythonIndex);
});
});
describe("ExternalConnectModal — tab switching", () => {
it("switches to the Python SDK tab and shows the snippet with stamped token", () => {
renderAndFlush(defaultInfo);
fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
const preEl = document.querySelector("pre");
expect(preEl?.textContent).toContain("AUTH_TOKEN");
// The placeholder is replaced with the real auth token
expect(preEl?.textContent).toContain("secret-auth-token-abc");
});
it("switches to the curl tab and shows the snippet with stamped token", () => {
renderAndFlush(defaultInfo);
fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
const preEl = document.querySelector("pre");
expect(preEl?.textContent).toContain("curl");
expect(preEl?.textContent).toContain("secret-auth-token-abc");
});
it("switches to the Fields tab and shows raw values", () => {
renderAndFlush(defaultInfo);
fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
expect(screen.getByText("ws-123")).toBeTruthy();
expect(screen.getByText("https://app.example.com")).toBeTruthy();
expect(screen.getByText("secret-auth-token-abc")).toBeTruthy();
});
it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
renderAndFlush({ ...defaultInfo, hermes_channel_snippet: undefined });
expect(screen.queryByRole("tab", { name: /hermes/i })).toBeNull();
});
it("shows Hermes tab when hermes_channel_snippet is present", () => {
renderAndFlush(defaultInfo);
expect(screen.getByRole("tab", { name: /hermes/i })).toBeTruthy();
});
});
describe("ExternalConnectModal — snippet token stamping", () => {
it("stamps the real auth_token into the Python snippet instead of the placeholder", () => {
renderAndFlush(defaultInfo);
fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
const preEl = document.querySelector("pre");
expect(preEl?.textContent).not.toContain("<paste from create response>");
expect(preEl?.textContent).toContain("secret-auth-token-abc");
});
it("stamps the real auth_token into the curl snippet", () => {
renderAndFlush(defaultInfo);
fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
const preEl = document.querySelector("pre");
// curl template uses WORKSPACE_AUTH_TOKEN placeholder, not the generic one
expect(preEl?.textContent).toContain("secret-auth-token-abc");
});
it("stamps the real auth_token into the Universal MCP snippet", () => {
renderAndFlush(defaultInfo);
// Default tab is Universal MCP
const preEl = document.querySelector("pre");
expect(preEl?.textContent).toContain("secret-auth-token-abc");
expect(preEl?.textContent).not.toContain("<paste from create response>");
});
});
describe("ExternalConnectModal — copy functionality", () => {
it("calls navigator.clipboard.writeText with the snippet text", () => {
renderAndFlush(defaultInfo);
// Default tab is Universal MCP
fireEvent.click(screen.getByRole("button", { name: /^copy$/i }));
expect(clipboardWriteText).toHaveBeenCalledWith(
expect.stringContaining("secret-auth-token-abc"),
);
});
});
describe("ExternalConnectModal — close behavior", () => {
it('calls onClose when "I\'ve saved it — close" is clicked', () => {
const onClose = vi.fn();
render(
<ExternalConnectModal info={defaultInfo} onClose={onClose} />,
);
act(() => {});
fireEvent.click(screen.getByRole("button", { name: /i've saved it/i }));
expect(onClose).toHaveBeenCalledTimes(1);
});
});
describe("ExternalConnectModal — missing optional fields", () => {
it("shows (missing) for absent optional fields in the Fields tab", () => {
// Use empty string so Field renders "(missing)" for registry_endpoint
const minimalInfo: ExternalConnectionInfo = {
workspace_id: "ws-min",
platform_url: "https://min.example.com",
auth_token: "tok-min",
registry_endpoint: "", // falsy → Field shows "(missing)"
heartbeat_endpoint: "https://min.example.com/api/hb",
curl_register_template: "curl echo",
python_snippet: "print('hello')",
};
renderAndFlush(minimalInfo);
fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
expect(screen.getByText("(missing)")).toBeTruthy();
});
it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
renderAndFlush({ ...defaultInfo, hermes_channel_snippet: undefined });
expect(screen.queryByRole("tab", { name: /hermes/i })).toBeNull();
});
});

View File

@ -1,352 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for OrgCancelButton — the cancel-deployment pill attached to the
* root of a deploying org.
*
* Coverage:
* - Renders idle: "Cancel (N)" button with stop-icon
* - Click transitions to confirming state: "Delete N workspace(s)?" + Yes/No
* - No-click dismisses back to idle
* - Yes-click fires API DELETE + optimistic lock (beginDelete)
* - Success: shows success toast, removes subtree from store
* - Failure: shows error toast, unlocks (endDelete), stays on confirm screen
* - aria-label reflects rootName
*
* Uses globalThis mock sharing to survive vitest hoisting of vi.mock factories.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
import { OrgCancelButton } from "../canvas/OrgCancelButton";
import { showToast } from "@/components/Toaster";
vi.mock("@/components/Toaster", () => ({
showToast: vi.fn(),
}));
// ─── Types ───────────────────────────────────────────────────────────────────
// Node shape used by the store fixtures. parentId is carried both at the top
// level and under `data`; the fixtures below always set the two in lockstep.
interface MockNode {
  id: string;
  parentId: string | null;
  data: { parentId: string | null };
}
// Shape handed to store selectors: the state fields (nodes, deletingIds,
// edges) plus the vi.fn actions the tests assert against.
interface MockStore {
  nodes: MockNode[];
  deletingIds: Set<string>;
  beginDelete: ReturnType<typeof vi.fn>;
  endDelete: ReturnType<typeof vi.fn>;
  setState: ReturnType<typeof vi.fn>;
  hydrate: ReturnType<typeof vi.fn>;
  edges: unknown[];
}
// ─── Helpers ──────────────────────────────────────────────────────────────────
// Global slot for sharing mock handles out of vitest's hoisted mock factories
// (populated by the vi.mock("@/store/canvas") factory below).
declare global {
  var __orgCancelMocks: {
    store: MockStore;
    apiDel: ReturnType<typeof vi.fn>;
  } | undefined;
}
// ─── Setup ────────────────────────────────────────────────────────────────────
// All module-level declarations used inside vi.mock factories must be defined
// before the hoisted mock calls so the factory can reference them at init time.
// vi.hoisted captures live references from its call-site lexical scope.
// Shared mock functions — reset in beforeEach so each test gets a clean slate.
const mockApiDel = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
// Store factory — hoisted so it is available inside the vi.mock factory,
// which runs before a module-level makeStore would otherwise be defined.
// Each vi.fn() is created once per test file lifetime; reset in beforeEach.
const mockBeginDelete = vi.hoisted(() => vi.fn());
const mockEndDelete = vi.hoisted(() => vi.fn());
const mockSetState = vi.hoisted(() => vi.fn());
const mockHydrate = vi.hoisted(() => vi.fn());
// Builds a fresh MockStore around the shared action mocks; each describe's
// beforeEach calls this with that suite's node fixture.
const makeStore = vi.hoisted(
  () =>
    (nodes: MockNode[]): MockStore => ({
      nodes,
      deletingIds: new Set(),
      beginDelete: mockBeginDelete,
      endDelete: mockEndDelete,
      setState: mockSetState,
      hydrate: mockHydrate,
      edges: [],
    }),
);
// Stub the API module; the tests assert on mockApiDel (api.del) only.
vi.mock("@/lib/api", () => ({
  api: { del: mockApiDel },
}));
// Mutable container so the vi.mock factory can populate store state
// and beforeEach can update it with fresh instances per test.
const storeBox = vi.hoisted(() => ({ current: null as MockStore | null }));
vi.mock("@/store/canvas", () => {
  storeBox.current = makeStore([]);
  // Zustand-style hook: applies the selector to the live storeBox contents.
  const mockStore = vi.fn((selector?: (s: MockStore) => unknown) =>
    selector ? selector(storeBox.current!) : storeBox.current,
  ) as ReturnType<typeof vi.fn> & { getState: () => MockStore };
  Object.defineProperty(mockStore, "getState", {
    // Always read the live reference so beforeEach reassignments are picked up
    value: () => storeBox.current!,
  });
  (globalThis as unknown as { __orgCancelMocks: typeof globalThis.__orgCancelMocks }).__orgCancelMocks = {
    // NOTE(review): this is a one-time snapshot of storeBox.current taken when
    // the factory runs — it does NOT track beforeEach reassignments of
    // storeBox.current. Tests should use the store() accessor below instead.
    store: storeBox.current!,
    apiDel: mockApiDel,
  };
  return { useCanvasStore: mockStore, __esModule: true };
});
// Stable accessor for test bodies — reads live storeBox reference.
const store = () => storeBox.current!;
// Expose the mutable box itself so beforeEach can update the live store.
// (storeBox is const but its .current property is mutable.)
export { storeBox };
// Render helper with defaults matching the common three-workspace fixture.
const renderButton = (
  rootId = "root-1",
  rootName = "Test Org",
  workspaceCount = 3,
) =>
  render(
    <OrgCancelButton
      rootId={rootId}
      rootName={rootName}
      workspaceCount={workspaceCount}
    />,
  );
// ─── Tests ────────────────────────────────────────────────────────────────────
// Idle state: the pill shows "Cancel (N)" with a stop icon and an aria-label
// naming the org.
describe("OrgCancelButton — idle state", () => {
  beforeEach(() => {
    for (const fn of [mockBeginDelete, mockEndDelete, mockSetState, mockHydrate]) {
      fn.mockReset();
    }
    mockApiDel.mockReset().mockResolvedValue({});
    storeBox.current = makeStore([
      { id: "root-1", parentId: null, data: { parentId: null } },
      { id: "child-1", parentId: "root-1", data: { parentId: "root-1" } },
      { id: "child-2", parentId: "root-1", data: { parentId: "root-1" } },
    ]);
  });
  afterEach(cleanup);
  // Lookup for the default-named idle button.
  const idleButton = () =>
    screen.getByRole("button", { name: /cancel deployment of test org/i });
  it("renders the Cancel pill with workspace count in the visible span", () => {
    renderButton();
    const label = idleButton().querySelector("span");
    expect(label).toBeTruthy();
    expect(label!.textContent).toContain("Cancel (3)");
  });
  it("renders the stop-icon SVG", () => {
    renderButton();
    expect(idleButton().querySelector("svg")).toBeTruthy();
  });
  it("has aria-label describing the org being cancelled", () => {
    renderButton("root-1", "My Production Org", 5);
    const named = screen.getByRole("button", {
      name: /cancel deployment of my production org/i,
    });
    expect(named).toBeTruthy();
  });
  it("has nodrag class on the button", () => {
    renderButton();
    expect(idleButton().classList).toContain("nodrag");
  });
});
// Confirming state: first click swaps the pill for a Yes/No confirmation.
describe("OrgCancelButton — confirming state", () => {
  beforeEach(() => {
    for (const fn of [mockBeginDelete, mockEndDelete, mockSetState, mockHydrate]) {
      fn.mockReset();
    }
    mockApiDel.mockReset().mockResolvedValue({});
    storeBox.current = makeStore([
      { id: "root-1", parentId: null, data: { parentId: null } },
      { id: "child-1", parentId: "root-1", data: { parentId: "root-1" } },
    ]);
  });
  afterEach(cleanup);
  // Render a 2-workspace org and click the idle Cancel pill.
  const openConfirm = () => {
    renderButton("root-1", "Test Org", 2);
    fireEvent.click(
      screen.getByRole("button", { name: /cancel deployment of test org/i }),
    );
  };
  it("enters confirming state on Cancel click", () => {
    openConfirm();
    expect(screen.getByText(/delete 2 workspaces\?/i)).toBeTruthy();
  });
  it('shows "Yes" button that triggers deletion', () => {
    openConfirm();
    expect(screen.getByRole("button", { name: /yes/i })).toBeTruthy();
  });
  it('shows "No" button that dismisses confirming state', () => {
    openConfirm();
    expect(screen.getByRole("button", { name: /no/i })).toBeTruthy();
  });
  it('clicking "No" dismisses the confirm and restores the Cancel pill', () => {
    openConfirm();
    fireEvent.click(screen.getByRole("button", { name: /no/i }));
    expect(screen.queryByText(/delete 2 workspaces\?/i)).toBeFalsy();
    expect(
      screen.getByRole("button", { name: /cancel deployment of test org/i }),
    ).toBeTruthy();
  });
  it('clicking "Yes" disables both buttons while submitting', async () => {
    // A never-settling promise pins the component in its submitting state.
    mockApiDel.mockImplementation(() => new Promise(() => {}));
    openConfirm();
    const yesBtn = screen.getByRole("button", { name: /yes/i }) as HTMLButtonElement;
    const noBtn = screen.getByRole("button", { name: /no/i }) as HTMLButtonElement;
    fireEvent.click(yesBtn);
    await act(async () => { /* flush */ });
    expect(yesBtn.disabled).toBe(true);
    expect(noBtn.disabled).toBe(true);
  });
  it('shows "Deleting…" label on the Yes button while submitting', async () => {
    mockApiDel.mockImplementation(() => new Promise(() => {}));
    openConfirm();
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    await act(async () => { /* flush */ });
    expect(screen.getByText(/deleting…/i)).toBeTruthy();
  });
});
// Happy-path API flow: Yes-click locks the subtree, fires DELETE, then
// toasts and unlocks on success.
describe("OrgCancelButton — API interactions", () => {
  beforeEach(() => {
    for (const fn of [mockBeginDelete, mockEndDelete, mockSetState, mockHydrate]) {
      fn.mockReset();
    }
    mockApiDel.mockReset().mockResolvedValue({});
    storeBox.current = makeStore([
      { id: "root-1", parentId: null, data: { parentId: null } },
      { id: "child-1", parentId: "root-1", data: { parentId: "root-1" } },
      { id: "grandchild-1", parentId: "child-1", data: { parentId: "child-1" } },
    ]);
  });
  afterEach(cleanup);
  // Drive the full confirm flow: render → Cancel → Yes → flush microtasks.
  const confirmDeletion = async () => {
    renderButton();
    fireEvent.click(
      screen.getByRole("button", { name: /cancel deployment of test org/i }),
    );
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    await act(async () => { /* flush */ });
  };
  it("calls beginDelete with the full subtree before the network call", async () => {
    await confirmDeletion();
    expect(mockBeginDelete).toHaveBeenCalled();
    const lockedIds = mockBeginDelete.mock.calls[0][0] as Set<string>;
    for (const id of ["root-1", "child-1", "grandchild-1"]) {
      expect(lockedIds.has(id)).toBe(true);
    }
  });
  it("calls DELETE /workspaces/:rootId?confirm=true", async () => {
    await confirmDeletion();
    expect(mockApiDel).toHaveBeenCalledWith("/workspaces/root-1?confirm=true");
  });
  it("shows success toast on DELETE success", async () => {
    await confirmDeletion();
    expect(vi.mocked(showToast)).toHaveBeenCalledWith(
      'Cancelled deployment of "Test Org"',
      "success",
    );
  });
  it("calls endDelete with subtree ids on success", async () => {
    await confirmDeletion();
    expect(mockEndDelete).toHaveBeenCalled();
    const unlockedIds = mockEndDelete.mock.calls[0][0] as Set<string>;
    expect(unlockedIds.has("root-1")).toBe(true);
  });
});
// Failure path: a rejected DELETE must (1) surface an error toast, (2) call
// endDelete to release the optimistic lock, and (3) leave the UI in a state
// the user can retry from.
describe("OrgCancelButton — failure path", () => {
  beforeEach(() => {
    mockBeginDelete.mockReset();
    mockEndDelete.mockReset();
    mockSetState.mockReset();
    mockHydrate.mockReset();
    // No default resolution — each test installs its own rejection.
    mockApiDel.mockReset();
    storeBox.current = makeStore([
      { id: "root-1", parentId: null, data: { parentId: null } },
      { id: "child-1", parentId: "root-1", data: { parentId: "root-1" } },
    ]);
  });
  afterEach(() => {
    cleanup();
  });
  it("shows error toast on DELETE failure", async () => {
    mockApiDel.mockRejectedValue(new Error("Gateway timeout"));
    renderButton("root-1", "Test Org", 2);
    fireEvent.click(screen.getByRole("button", { name: /cancel deployment of test org/i }));
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    await act(async () => { /* flush */ });
    expect(vi.mocked(showToast)).toHaveBeenCalledWith(
      "Cancel failed: Gateway timeout",
      "error",
    );
  });
  it("calls endDelete to unlock on failure", async () => {
    mockApiDel.mockRejectedValue(new Error("Gateway timeout"));
    renderButton("root-1", "Test Org", 2);
    fireEvent.click(screen.getByRole("button", { name: /cancel deployment of test org/i }));
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    await act(async () => { /* flush */ });
    // Assert on the hoisted mock directly, consistent with the success-path
    // test ("calls endDelete with subtree ids on success"). store().endDelete
    // resolves to the same vi.fn instance, but the hoisted handle avoids
    // depending on the storeBox snapshot indirection.
    expect(mockEndDelete).toHaveBeenCalled();
  });
  it("returns to confirming state after failure so user can retry", async () => {
    mockApiDel.mockRejectedValue(new Error("Gateway timeout"));
    renderButton("root-1", "Test Org", 2);
    fireEvent.click(screen.getByRole("button", { name: /cancel deployment of test org/i }));
    fireEvent.click(screen.getByRole("button", { name: /yes/i }));
    // The rejection is handled inside the component; its finally resets the
    // confirming flag, so after flushing the idle Cancel pill is back.
    await act(async () => { /* flush */ });
    expect(screen.getByRole("button", { name: /cancel deployment of test org/i })).toBeTruthy();
  });
});

View File

@ -12,7 +12,7 @@
* window.location.search in the jsdom environment.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { PurchaseSuccessModal } from "../PurchaseSuccessModal";
@ -30,13 +30,9 @@ function clearSearch() {
setSearch("");
}
// Helper: wait for the dialog to appear after React useEffect batch.
// Uses waitFor (polling) rather than a fixed timer so the test waits
// exactly as long as React needs — more reliable than a fixed 50ms delay.
// Helper: wait for dialog to appear (real timers)
async function waitForDialog() {
await waitFor(() => {
expect(screen.queryByRole("dialog")).toBeTruthy();
}, { timeout: 2000 });
await act(async () => { await new Promise((r) => setTimeout(r, 50)); });
}
// ─── Tests ────────────────────────────────────────────────────────────────────
@ -44,6 +40,7 @@ async function waitForDialog() {
describe("PurchaseSuccessModal — render conditions", () => {
afterEach(() => {
cleanup();
vi.restoreAllMocks();
clearSearch();
});
@ -107,56 +104,64 @@ describe("PurchaseSuccessModal — render conditions", () => {
describe("PurchaseSuccessModal — dismiss", () => {
beforeEach(() => {
setSearch("?purchase_success=1&item=TestItem");
vi.useRealTimers(); // use real timers throughout so waitFor + setTimeout are synchronous-friendly
});
afterEach(() => {
cleanup();
vi.restoreAllMocks();
vi.useRealTimers(); // ensure no fake timer leak
clearSearch();
});
it("closes the dialog when the close button is clicked", async () => {
render(<PurchaseSuccessModal />);
await waitForDialog();
expect(screen.getByRole("dialog")).toBeTruthy();
fireEvent.click(screen.getByRole("button", { name: "Close" }));
await act(async () => { await new Promise((r) => setTimeout(r, 100)); });
await waitForDialog();
expect(screen.queryByRole("dialog")).toBeNull();
});
it("closes the dialog when the backdrop is clicked", async () => {
render(<PurchaseSuccessModal />);
await waitForDialog();
expect(screen.getByRole("dialog")).toBeTruthy();
const backdrop = document.body.querySelector('[aria-hidden="true"]');
if (backdrop) fireEvent.click(backdrop);
await act(async () => { await new Promise((r) => setTimeout(r, 100)); });
await waitForDialog();
expect(screen.queryByRole("dialog")).toBeNull();
});
it("closes on Escape key", async () => {
render(<PurchaseSuccessModal />);
await waitForDialog();
expect(screen.getByRole("dialog")).toBeTruthy();
fireEvent.keyDown(window, { key: "Escape" });
await act(async () => { await new Promise((r) => setTimeout(r, 100)); });
await waitForDialog();
expect(screen.queryByRole("dialog")).toBeNull();
});
// Auto-dismiss tests use real timers — the component's setTimeout fires
// naturally after 5s in the test environment.
// naturally after 5s in the test environment. vi.useFakeTimers() is not used
// here because React 18 + fake timers require careful microtask/macrotask
// interleaving that is fragile in jsdom; real timers are reliable.
it("auto-dismisses after 5 seconds", async () => {
render(<PurchaseSuccessModal />);
await waitForDialog();
// AUTO_DISMISS_MS = 5000ms. Wait 6s to ensure dismiss has fired + React updated.
await act(async () => { await new Promise((r) => setTimeout(r, 6000)); });
expect(screen.getByRole("dialog")).toBeTruthy();
// The component's AUTO_DISMISS_MS = 5000ms. In jsdom, setTimeout fires
// reliably. Wait long enough for 2 dismiss cycles to ensure the first fires.
await act(async () => { await new Promise((r) => setTimeout(r, 11000)); });
expect(screen.queryByRole("dialog")).toBeNull();
}, 10000);
}, 15000); // extended timeout for real-timer wait
it("does not auto-dismiss before 5 seconds", async () => {
render(<PurchaseSuccessModal />);
await waitForDialog();
const dialog = screen.getByRole("dialog");
expect(screen.getByRole("dialog")).toBeTruthy();
// Wait 4s — just under the 5s auto-dismiss threshold
await act(async () => { await new Promise((r) => setTimeout(r, 4000)); });
expect(screen.queryByRole("dialog")).toBeTruthy();
expect(screen.getByRole("dialog")).toBeTruthy();
});
});
@ -167,6 +172,7 @@ describe("PurchaseSuccessModal — URL stripping", () => {
afterEach(() => {
cleanup();
vi.restoreAllMocks();
clearSearch();
});
@ -192,37 +198,39 @@ describe("PurchaseSuccessModal — URL stripping", () => {
describe("PurchaseSuccessModal — accessibility", () => {
beforeEach(() => {
setSearch("?purchase_success=1&item=TestItem");
vi.useRealTimers(); // ensure clean state
});
afterEach(() => {
cleanup();
vi.restoreAllMocks();
vi.useRealTimers(); // ensure no fake timer leak
clearSearch();
});
it("has aria-modal=true on the dialog", async () => {
render(<PurchaseSuccessModal />);
await waitFor(() => {
expect(screen.getByRole("dialog").getAttribute("aria-modal")).toBe("true");
});
await waitForDialog();
const dialog = screen.getByRole("dialog");
expect(dialog.getAttribute("aria-modal")).toBe("true");
});
it("has aria-labelledby pointing to the title", async () => {
render(<PurchaseSuccessModal />);
await waitFor(() => {
const dialog = screen.getByRole("dialog");
const labelledby = dialog.getAttribute("aria-labelledby");
expect(labelledby).toBeTruthy();
expect(document.getElementById(labelledby!)).toBeTruthy();
expect(document.getElementById(labelledby!)?.textContent).toMatch(/purchase successful/i);
});
await waitForDialog();
const dialog = screen.getByRole("dialog");
const labelledby = dialog.getAttribute("aria-labelledby");
expect(labelledby).toBeTruthy();
expect(document.getElementById(labelledby!)).toBeTruthy();
expect(document.getElementById(labelledby!)?.textContent).toMatch(/purchase successful/i);
});
// Focus test: verify close button exists after dialog renders.
// We test presence (not focus) since rAF focus is tricky in jsdom.
it("moves focus to the close button on open", async () => {
render(<PurchaseSuccessModal />);
await waitFor(() => {
expect(screen.getByRole("button", { name: "Close" })).toBeTruthy();
});
await act(async () => { await new Promise((r) => setTimeout(r, 100)); });
// Use getByRole which is more reliable than querySelector
expect(screen.getByRole("button", { name: "Close" })).toBeTruthy();
});
});

View File

@ -1,291 +0,0 @@
// @vitest-environment jsdom
/**
* Toolbar tests.
*
* Covers:
* - Renders with 0 workspaces
* - Shows online/offline/failed/provisioning status pills when nodes exist
* - WebSocket status pill: connected "Live"
* - WebSocket status pill: connecting "Reconnecting"
* - WebSocket status pill: disconnected "Offline"
* - Stop All button visible when activeTasks > 0
* - Restart Pending button visible when needsRestart nodes exist
* - Help button opens the help popover
* - Help popover closes on Escape or pointer-outside
* - KeyboardShortcutsDialog opens via ? shortcut (when not in input)
*/
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import { render, screen, fireEvent, cleanup } from "@testing-library/react";
import React from "react";
// Unmount rendered trees and wipe mock call history after every test.
afterEach(() => {
  cleanup();
  vi.clearAllMocks();
});
// Restore the shared store to its defaults before each test so per-test
// mutations never leak into the next one.
beforeEach(() => {
  defaultStore.nodes = [];
  defaultStore.wsStatus = "connected";
  defaultStore.showA2AEdges = false;
  defaultStore.selectedNodeId = null;
  for (const mock of [
    mockSetShowA2AEdges,
    mockSetPanelTab,
    mockSetSearchOpen,
    mockUpdateNodeData,
  ]) {
    mock.mockClear();
  }
});
// ── Mock targets ───────────────────────────────────────────────────────────────
// vi.mock calls are hoisted by vitest to the top of the module, so they take
// effect before the `import { Toolbar }` further down, even though they
// appear mid-file here.
vi.mock("@/components/Toaster", () => ({
  showToast: vi.fn(),
}));
// Render-to-null stubs: these children are irrelevant to Toolbar's own logic.
vi.mock("@/components/ConfirmDialog", () => ({
  ConfirmDialog: () => null,
}));
vi.mock("@/components/settings/SettingsButton", () => ({
  SettingsButton: () => null,
}));
vi.mock("@/components/settings/SettingsPanel", () => ({
  settingsGearRef: { current: null },
}));
vi.mock("@/components/ThemeToggle", () => ({
  ThemeToggle: () => null,
}));
// Minimal dialog stub: visible only when `open`, discoverable via testid.
vi.mock("@/components/KeyboardShortcutsDialog", () => ({
  KeyboardShortcutsDialog: ({ open }: { open: boolean; onClose: () => void }) =>
    open ? <div role="dialog" data-testid="shortcuts-dialog">Shortcuts</div> : null,
}));
// Deterministic status→class mapping so pill rendering does not depend on
// the real design tokens.
vi.mock("@/lib/design-tokens", () => ({
  statusDotClass: (status: string) => {
    const map: Record<string, string> = {
      online: "bg-emerald-400",
      offline: "bg-zinc-500",
      paused: "bg-indigo-400",
      degraded: "bg-amber-400",
      failed: "bg-red-400",
      provisioning: "bg-sky-400",
    };
    return map[status] ?? "bg-zinc-500";
  },
}));
// api.post resolves immediately so button handlers never hit a network.
vi.mock("@/lib/api", () => ({
  api: {
    post: vi.fn(() => Promise.resolve()),
  },
}));
// ── Store mocks ────────────────────────────────────────────────────────────────
// Shared action spies, wired into defaultStore below and cleared per test.
const mockSetShowA2AEdges = vi.fn();
const mockSetPanelTab = vi.fn();
const mockSetSearchOpen = vi.fn();
const mockUpdateNodeData = vi.fn();
// Fixture factory: one node per status entry, with optional per-index
// activeTasks / needsRestart / parentId overrides. Toolbar only reads the
// `data` fields of each node.
const makeNodes = (
  statuses: Array<"online" | "offline" | "failed" | "provisioning">,
  activeTasks: number[] = [],
  needsRestart: boolean[] = [],
  parentIds: (string | null)[] = []
) =>
  statuses.map((status, i) => {
    const data = {
      name: `Workspace ${i}`,
      role: "agent",
      tier: 1,
      status,
      parentId: parentIds[i] ?? null,
      activeTasks: activeTasks[i] ?? 0,
      needsRestart: needsRestart[i] ?? false,
    };
    return { id: `ws-${i}`, data };
  });
// Project to the bare { id, data } shape the store holds.
const toStoreNodes = (nodes: ReturnType<typeof makeNodes>) =>
  nodes.map(({ id, data }) => ({ id, data }));
// Single shared store instance. Describe blocks mutate its fields directly;
// the top-level beforeEach resets the mutated fields between tests.
const defaultStore = {
  nodes: [] as ReturnType<typeof makeNodes>,
  wsStatus: "connected" as "connected" | "connecting" | "disconnected",
  showA2AEdges: false,
  selectedNodeId: null as string | null,
  sidePanelWidth: 480,
  setShowA2AEdges: mockSetShowA2AEdges,
  setPanelTab: mockSetPanelTab,
  setSearchOpen: mockSetSearchOpen,
  updateNodeData: mockUpdateNodeData,
  selectedNodeIds: new Set<string>(),
  clearSelection: vi.fn(),
  batchRestart: vi.fn(() => Promise.resolve()),
  batchPause: vi.fn(() => Promise.resolve()),
  batchDelete: vi.fn(() => Promise.resolve()),
};
// Zustand-style hook mock: applies the caller's selector to the shared store.
vi.mock("@/store/canvas", () => ({
  useCanvasStore: vi.fn((selector: (s: typeof defaultStore) => unknown) =>
    selector(defaultStore)
  ),
}));
// ── Component under test ───────────────────────────────────────────────────────
import { Toolbar } from "../Toolbar";
// ── Tests ─────────────────────────────────────────────────────────────────────
// The toolbar's workspace counter reflects the store's node count.
describe("Toolbar — workspace count display", () => {
  const expectCount = (pattern: RegExp) => {
    render(<Toolbar />);
    expect(screen.getByText(pattern)).toBeTruthy();
  };
  it("shows '0 workspaces' when the canvas is empty", () => {
    expectCount(/0 workspaces?/);
  });
  it("shows 'N workspaces' when nodes exist", () => {
    defaultStore.nodes = toStoreNodes(makeNodes(["online", "online"]));
    expectCount(/2 workspaces?/);
  });
});
// Status pills appear only for statuses that have at least one node.
describe("Toolbar — status pills", () => {
  const renderPills = (
    statuses: Array<"online" | "offline" | "failed" | "provisioning">,
  ) => {
    defaultStore.nodes = toStoreNodes(makeNodes(statuses));
    render(<Toolbar />);
  };
  it("shows the online pill when nodes are online", () => {
    renderPills(["online"]);
    // StatusPill uses aria-label
    expect(screen.getByLabelText(/1 online/i)).toBeTruthy();
  });
  it("shows the offline pill only when offline nodes exist", () => {
    renderPills(["offline"]);
    expect(screen.getByLabelText(/1 offline/i)).toBeTruthy();
  });
  it("shows the failed pill when failed nodes exist", () => {
    renderPills(["failed"]);
    expect(screen.getByLabelText(/1 failed/i)).toBeTruthy();
  });
  it("shows the provisioning pill when provisioning nodes exist", () => {
    renderPills(["provisioning"]);
    expect(screen.getByLabelText(/1 starting/i)).toBeTruthy();
  });
  it("suppresses offline pill when no offline nodes", () => {
    renderPills(["online", "online"]);
    expect(screen.queryByLabelText(/offline/i)).toBeNull();
  });
});
// The WS pill maps connection state to a fixed label.
describe("Toolbar — WebSocket status pill", () => {
  const expectPill = (
    status: typeof defaultStore.wsStatus,
    label: string,
  ) => {
    defaultStore.wsStatus = status;
    render(<Toolbar />);
    expect(screen.getByText(label)).toBeTruthy();
  };
  it('shows "Live" when connected', () => {
    expectPill("connected", "Live");
  });
  it('shows "Reconnecting" when connecting', () => {
    expectPill("connecting", "Reconnecting");
  });
  it('shows "Offline" when disconnected', () => {
    expectPill("disconnected", "Offline");
  });
});
// Conditional action buttons: each renders only when its precondition holds.
const renderWithNodes = (nodes: ReturnType<typeof makeNodes>) => {
  defaultStore.nodes = toStoreNodes(nodes);
  render(<Toolbar />);
};
describe("Toolbar — Stop All", () => {
  it("is hidden when no active tasks", () => {
    renderWithNodes(makeNodes(["online"], [0]));
    expect(screen.queryByRole("button", { name: /Stop All/i })).toBeNull();
  });
  it("is visible when active tasks > 0", () => {
    renderWithNodes(makeNodes(["online", "online"], [2, 2]));
    // aria-label: "Stop all running tasks (2)"
    expect(
      screen.getByRole("button", { name: /stop all running tasks/i }),
    ).toBeTruthy();
  });
});
describe("Toolbar — Restart Pending", () => {
  it("is hidden when no nodes need restart", () => {
    renderWithNodes(makeNodes(["online"], [], [false]));
    expect(screen.queryByRole("button", { name: /Restart Pending/i })).toBeNull();
  });
  it("is visible when nodes need restart", () => {
    renderWithNodes(makeNodes(["online"], [], [true]));
    // aria-label: "Restart 1 workspaces pending config or secret changes"
    expect(
      screen.getByRole("button", { name: /restart 1 workspace/i }),
    ).toBeTruthy();
  });
});
// Help popover open/close behavior.
describe("Toolbar — Help popover", () => {
  const openHelp = () => {
    render(<Toolbar />);
    fireEvent.click(
      screen.getByRole("button", { name: /open shortcuts and tips/i }),
    );
  };
  it("opens when help button is clicked", () => {
    openHelp();
    expect(screen.getByRole("dialog")).toBeTruthy();
  });
  it("closes when close button is clicked", () => {
    openHelp();
    expect(screen.getByRole("dialog")).toBeTruthy();
    fireEvent.click(
      screen.getByRole("button", { name: /close help dialog/i }),
    );
    expect(screen.queryByRole("dialog")).toBeNull();
  });
});
// The A2A-edges toggle delegates to the store action with the flipped value.
describe("Toolbar — A2A edges toggle", () => {
  it("calls setShowA2AEdges on click", () => {
    defaultStore.showA2AEdges = false;
    render(<Toolbar />);
    fireEvent.click(screen.getByRole("button", { name: /show a2a edges/i }));
    expect(mockSetShowA2AEdges).toHaveBeenCalledWith(true);
  });
});
// Keyboard shortcut: "?" opens the shortcuts dialog unless typing in a field.
describe("Toolbar — ? shortcut opens shortcuts dialog", () => {
  it("opens KeyboardShortcutsDialog when ? is pressed outside an input", () => {
    render(<Toolbar />);
    expect(screen.queryByTestId("shortcuts-dialog")).toBeNull();
    fireEvent.keyDown(window, { key: "?" });
    expect(screen.getByTestId("shortcuts-dialog")).toBeTruthy();
  });
  it("does not fire ? shortcut when focus is in an input", () => {
    render(
      <div>
        <input data-testid="test-input" type="text" />
        <Toolbar />
      </div>
    );
    const input = screen.getByTestId("test-input");
    fireEvent.focus(input);
    // Keydown targets the input so the handler sees e.target.tagName === "INPUT".
    fireEvent.keyDown(input, { key: "?" });
    expect(screen.queryByTestId("shortcuts-dialog")).toBeNull();
  });
});

View File

@ -1,592 +0,0 @@
// @vitest-environment jsdom
/**
* WorkspaceNode tests.
*
* Covers:
* - Renders name, status dot, tier badge, role, skills
* - Status gradient bar colored by STATUS_CONFIG
* - Online/offline/failed/degraded/provisioning states
* - Misconfigured state (online + not_configured)
* - Click select, Shift+click batch select
* - Keyboard Enter/Space select/deselect
* - Context menu on right-click
* - Double-click collapsed parent expands
* - Double-click expanded parent zoom to team
* - Needs restart button visible when needsRestart=true
* - Current task banner when activeTasks > 0
* - Descendant count badge when node has children
* - Drag-target highlight class when dragOverNodeId matches
* - Batch-selected highlight class
* - OrgCancelButton renders on deploying root
* - Degraded error preview
* - Configuration error preview for misconfigured nodes
* - TeamMemberChip: name, status, skills, extract button, recursive
* - Handle anchors: top = extract, bottom = nest (keyboard accessible)
*/
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
import { render, screen, fireEvent, cleanup } from "@testing-library/react";
import React from "react";
// ── Mock @xyflow/react ────────────────────────────────────────────────────────
// Replace React Flow with lightweight DOM stand-ins. Handle becomes a
// focusable div with role="button" so tests can target the anchors by
// aria-label and drive them with keyboard events.
vi.mock("@xyflow/react", () => {
  const Handle = ({
    type,
    position,
    "aria-label": ariaLabel,
    onKeyDown,
    ...rest
  }: {
    type: string;
    position: string;
    "aria-label"?: string;
    onKeyDown?: (e: React.KeyboardEvent) => void;
    [key: string]: unknown;
  }) => (
    <div
      role="button"
      aria-label={ariaLabel}
      data-handle-type={type}
      data-handle-position={position}
      tabIndex={0}
      onKeyDown={onKeyDown}
      {...rest}
    >
      handle
    </div>
  );
  return {
    __esModule: true,
    // Default export: bare container standing in for the ReactFlow canvas.
    default: ({ children }: { children?: React.ReactNode }) => (
      <div data-testid="react-flow-root">{children}</div>
    ),
    NodeResizer: () => null,
    Handle,
    Position: { Top: "top", Bottom: "bottom", Left: "left", Right: "right" },
    // Fresh no-op spies per call; viewport operations become inert.
    useReactFlow: () => ({ fitView: vi.fn(), setViewport: vi.fn() }),
    applyNodeChanges: vi.fn((_: unknown, n: unknown) => n),
    ReactFlowProvider: ({ children }: { children?: React.ReactNode }) => <>{children}</>,
  };
});
// ── Mock dependencies ─────────────────────────────────────────────────────────
// Configuration status/error lookups; tests can override the return values
// through these handles (e.g. "not_configured" for misconfigured states).
const mockGetConfigurationStatus = vi.fn(() => "configured");
const mockGetConfigurationError = vi.fn(() => null);
vi.mock("@/store/canvas-topology", () => ({
  getConfigurationStatus: (...args: unknown[]) => mockGetConfigurationStatus(...args),
  getConfigurationError: (...args: unknown[]) => mockGetConfigurationError(...args),
}));
// Expose for per-test override
const useConfigStatus = mockGetConfigurationStatus;
const useConfigError = mockGetConfigurationError;
vi.mock("@/components/Toaster", () => ({
  showToast: vi.fn(),
}));
// Tooltip stub: surfaces the tooltip text as a title attribute so tests can
// query it without simulating hover.
vi.mock("@/components/Tooltip", () => ({
  Tooltip: ({ text, children }: { text: string; children: React.ReactNode }) => (
    <div title={text} data-testid="tooltip-wrapper">{children}</div>
  ),
}));
// Default deploy state: nothing provisioning or locked. Tests exercising
// deploying-root branches re-mock this hook's return value.
vi.mock("@/components/canvas/useOrgDeployState", () => ({
  useOrgDeployState: vi.fn(() => ({
    isActivelyProvisioning: false,
    isDeployingRoot: false,
    isLockedChild: false,
    descendantProvisioningCount: 0,
  })),
}));
// Static stand-ins for the design tokens read by status dots, gradient bars,
// and tier badges.
vi.mock("@/lib/design-tokens", () => ({
  STATUS_CONFIG: {
    online: { dot: "bg-emerald-400", glow: "shadow-emerald-400/50", bar: "to-emerald-500/30", label: "ONLINE" },
    offline: { dot: "bg-zinc-500", glow: "", bar: "to-zinc-600/30", label: "OFFLINE" },
    failed: { dot: "bg-red-400", glow: "", bar: "to-red-600/30", label: "FAILED" },
    degraded: { dot: "bg-amber-400", glow: "", bar: "to-amber-600/30", label: "DEGRADED" },
    provisioning: { dot: "bg-sky-400", glow: "", bar: "to-sky-600/30", label: "STARTING" },
    not_configured: { dot: "bg-amber-400", glow: "", bar: "to-amber-600/30", label: "NOT CONFIGURED" },
  },
  TIER_CONFIG: {
    1: { label: "T1", color: "text-zinc-400 bg-zinc-800" },
    2: { label: "T2", color: "text-blue-400 bg-blue-900/50" },
    3: { label: "T3", color: "text-purple-400 bg-purple-900/50" },
    4: { label: "T4", color: "text-amber-400 bg-amber-900/50" },
  },
}));
// ── Store mock ────────────────────────────────────────────────────────────────
// Uses a global object to share mock state between the factory (which runs
// when the module is imported) and the test body (beforeEach/afterEach).
// Global slot for sharing mock handles out of the hoisted vi.mock factory
// below; test bodies read it through the mocks()/store() helpers.
declare global {
  // eslint-disable-next-line no-var
  var __workspaceNodeMocks: {
    selectNode: ReturnType<typeof vi.fn>;
    openContextMenu: ReturnType<typeof vi.fn>;
    toggleNodeSelection: ReturnType<typeof vi.fn>;
    nestNode: ReturnType<typeof vi.fn>;
    restartWorkspace: ReturnType<typeof vi.fn>;
    store: {
      nodes: Array<{ id: string; data: Record<string, unknown> }>;
      selectedNodeId: string | null;
      dragOverNodeId: string | null;
      selectedNodeIds: Set<string>;
    };
  } | undefined;
}
vi.mock("@/store/canvas", () => {
  const mockSelectNode = vi.fn();
  const mockOpenContextMenu = vi.fn();
  const mockToggleNodeSelection = vi.fn();
  const mockNestNode = vi.fn();
  const mockRestartWorkspace = vi.fn(() => Promise.resolve());
  // Single mutable store object for the whole file: tests mutate its fields
  // in place (it is never reassigned), so the global reference stays valid.
  const store = {
    nodes: [] as Array<{ id: string; data: Record<string, unknown> }>,
    selectedNodeId: null as string | null,
    dragOverNodeId: null as string | null,
    selectedNodeIds: new Set<string>(),
    selectNode: mockSelectNode,
    openContextMenu: mockOpenContextMenu,
    toggleNodeSelection: mockToggleNodeSelection,
    nestNode: mockNestNode,
    restartWorkspace: mockRestartWorkspace,
  };
  // Zustand-style hook: applies the selector; getState returns the store.
  const mockFn = (selector: (s: typeof store) => unknown) => selector(store);
  Object.defineProperty(mockFn, "getState", { value: () => store });
  // Expose via global for test body access
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  (globalThis as any).__workspaceNodeMocks = {
    selectNode: mockSelectNode,
    openContextMenu: mockOpenContextMenu,
    toggleNodeSelection: mockToggleNodeSelection,
    nestNode: mockNestNode,
    restartWorkspace: mockRestartWorkspace,
    store,
  };
  return { useCanvasStore: mockFn, __esModule: true };
});
// ── Component ────────────────────────────────────────────────────────────────
import { WorkspaceNode } from "../WorkspaceNode";
// ── Helpers ──────────────────────────────────────────────────────────────────
// Main node card uses data-testid to distinguish from handle anchors (also role=button)
const getNode = () => screen.getByTestId("workspace-node");
// Typed access to the shared mock state (set by the vi.mock factory)
const mocks = () => globalThis.__workspaceNodeMocks!;
// Shorthand for the mutable store object backing the mocked useCanvasStore.
const store = () => mocks().store;
// Builds a minimal workspace-node fixture: fixed id "ws-1" plus baseline data
// fields, with `overrides` shallow-merged on top (later keys win). Every test
// derives its input from this single source of defaults.
const makeNode = (overrides: Record<string, unknown> = {}) => {
  const baseData = {
    name: "Test Workspace",
    role: "Test Agent",
    tier: 1,
    status: "online" as const,
    parentId: null,
    activeTasks: 0,
    needsRestart: false,
    currentTask: null as string | null,
    lastSampleError: null as string | null,
    collapsed: false,
    agentCard: null,
    runtime: null as string | null,
  };
  return { id: "ws-1", data: { ...baseData, ...overrides } };
};
// Renders a WorkspaceNode built from the fixture defaults plus `nodeOverrides`
// and returns the Testing Library render result.
const renderNode = (nodeOverrides: Record<string, unknown> = {}) => {
  const { id, data } = makeNode(nodeOverrides);
  // WorkspaceNode expects NodeProps — it receives { id, data } as props
  return render(<WorkspaceNode id={id as string} data={data as never} />);
};
// ── Tests ────────────────────────────────────────────────────────────────────
// Reset the shared mock store and all spies before each test so mutations
// made by one test (selectedNodeId, nodes, call counts) cannot leak into the
// next.
beforeEach(() => {
  const m = globalThis.__workspaceNodeMocks!;
  m.store.nodes = [];
  m.store.selectedNodeId = null;
  m.store.dragOverNodeId = null;
  m.store.selectedNodeIds = new Set();
  m.selectNode.mockClear();
  m.openContextMenu.mockClear();
  m.toggleNodeSelection.mockClear();
  m.nestNode.mockClear();
  m.restartWorkspace.mockClear();
  // Config-status mocks default to a healthy "configured" agent with no error.
  // NOTE(review): mockGetConfigurationStatus/-Error are defined above this
  // chunk; presumably they back the useConfigStatus/useConfigError hooks used
  // below — confirm against the top of the file.
  mockGetConfigurationStatus.mockClear().mockReturnValue("configured");
  mockGetConfigurationError.mockClear().mockReturnValue(null);
});
// Unmount rendered trees after each test to keep the jsdom document clean.
afterEach(() => {
  cleanup();
});
// Smoke-level rendering assertions: name, role, tier badge, and status dot.
describe("WorkspaceNode — basic rendering", () => {
  it("renders the workspace name", () => {
    renderNode({ name: "My Workspace" });
    expect(screen.getByText("My Workspace")).toBeTruthy();
  });
  it("renders the role text", () => {
    renderNode({ role: "Frontend Engineer" });
    expect(screen.getByText("Frontend Engineer")).toBeTruthy();
  });
  it("renders the tier badge", () => {
    // "T2" comes from the TIER_CONFIG mock above.
    renderNode({ tier: 2 });
    expect(screen.getByText("T2")).toBeTruthy();
  });
  it("renders status dot with online class", () => {
    // Class name comes from STATUS_CONFIG.online.dot in the mock above.
    renderNode({ status: "online" });
    const dot = getNode().querySelector(".bg-emerald-400");
    expect(dot).toBeTruthy();
  });
  it("renders role text clamped to 2 lines", () => {
    // Only asserts the text renders — the clamp itself is CSS, which jsdom
    // does not lay out.
    renderNode({ role: "A very long role description that might overflow" });
    expect(screen.getByText(/A very long role description/i)).toBeTruthy();
  });
});
// Status-label visibility: non-healthy states show their label; "online" is
// the quiet default and renders no label at all.
describe("WorkspaceNode — status states", () => {
  it("shows status label for failed node", () => {
    renderNode({ status: "failed" });
    expect(screen.getByText("FAILED")).toBeTruthy();
  });
  it("shows status label for degraded node", () => {
    renderNode({ status: "degraded" });
    expect(screen.getByText("DEGRADED")).toBeTruthy();
  });
  it("shows status label for provisioning node", () => {
    // STATUS_CONFIG maps provisioning → "STARTING" (see mock above).
    renderNode({ status: "provisioning" });
    expect(screen.getByText("STARTING")).toBeTruthy();
  });
  it("suppresses status label for online node", () => {
    renderNode({ status: "online" });
    expect(screen.queryByText("ONLINE")).toBeNull();
  });
  it("shows degraded error preview when status is degraded and lastSampleError is set", () => {
    renderNode({ status: "degraded", lastSampleError: "Connection timeout" });
    expect(screen.getByText("Connection timeout")).toBeTruthy();
  });
  it("suppresses degraded error preview when no error", () => {
    renderNode({ status: "degraded", lastSampleError: null });
    expect(screen.queryByText(/timeout/i)).toBeNull();
  });
});
// Misconfigured-agent overlay: an online node whose configuration hook reports
// "not_configured" shows the NOT CONFIGURED label and the error preview.
// NOTE(review): useConfigStatus/useConfigError are imported above this chunk;
// mockReturnValueOnce applies to the next render only, after which beforeEach's
// "configured" default takes over — confirm hook wiring at the top of the file.
describe("WorkspaceNode — misconfigured state", () => {
  it("shows 'NOT CONFIGURED' label when agent is online but not_configured", () => {
    vi.mocked(useConfigStatus).mockReturnValueOnce("not_configured");
    vi.mocked(useConfigError).mockReturnValueOnce("ANTHROPIC_API_KEY is missing");
    renderNode({ status: "online" });
    expect(screen.getByText("NOT CONFIGURED")).toBeTruthy();
  });
  it("shows configuration error preview when misconfigured", () => {
    vi.mocked(useConfigStatus).mockReturnValueOnce("not_configured");
    vi.mocked(useConfigError).mockReturnValueOnce("OPENAI_API_KEY missing");
    renderNode({ status: "online" });
    expect(screen.getByText("OPENAI_API_KEY missing")).toBeTruthy();
  });
  it("aria-label includes name and status by default", () => {
    // Mock set to default "configured" — no misconfigured label
    renderNode({ status: "online" });
    const btn = getNode();
    expect(btn.getAttribute("aria-label")).toMatch(/Test Workspace/);
  });
});
// Pointer interactions: plain click toggles selection, Shift+click batches,
// right-click opens the context menu at the cursor position.
describe("WorkspaceNode — click interactions", () => {
  it("calls selectNode(id) on click", () => {
    renderNode();
    fireEvent.click(getNode());
    expect(mocks().selectNode).toHaveBeenCalledWith("ws-1");
  });
  it("calls selectNode(null) on click when already selected", () => {
    // Pre-seed the store so the component sees itself as selected.
    store().selectedNodeId = "ws-1";
    renderNode();
    fireEvent.click(getNode());
    expect(mocks().selectNode).toHaveBeenCalledWith(null);
  });
  it("calls toggleNodeSelection on Shift+click", () => {
    renderNode();
    fireEvent.click(getNode(), { shiftKey: true });
    expect(mocks().toggleNodeSelection).toHaveBeenCalledWith("ws-1");
  });
  it("opens context menu on right-click", () => {
    renderNode();
    fireEvent.contextMenu(getNode(), {
      clientX: 100,
      clientY: 200,
    });
    // x/y are expected to be forwarded from the mouse event coordinates.
    expect(mocks().openContextMenu).toHaveBeenCalledWith(
      expect.objectContaining({ nodeId: "ws-1", x: 100, y: 200 })
    );
  });
  it("stops propagation to prevent canvas background click from firing", () => {
    renderNode();
    const btn = getNode();
    // React synthetic events fire regardless of native bubbles. We just verify
    // selectNode was called — the stopPropagation() call inside the handler
    // prevents the event from reaching canvas background listeners.
    expect(mocks().selectNode).not.toHaveBeenCalled(); // no click yet
    fireEvent.click(btn, { bubbles: true });
    expect(mocks().selectNode).toHaveBeenCalled();
  });
});
// Keyboard parity with the pointer interactions above: Enter mirrors click,
// Shift+Enter mirrors Shift+click, ContextMenu key mirrors right-click.
describe("WorkspaceNode — keyboard interactions", () => {
  it("selects node on Enter key", () => {
    renderNode();
    fireEvent.keyDown(getNode(), { key: "Enter" });
    expect(mocks().selectNode).toHaveBeenCalledWith("ws-1");
  });
  it("deselects node on Enter key when already selected", () => {
    store().selectedNodeId = "ws-1";
    renderNode();
    fireEvent.keyDown(getNode(), { key: "Enter" });
    expect(mocks().selectNode).toHaveBeenCalledWith(null);
  });
  it("toggles batch selection on Shift+Enter", () => {
    renderNode();
    fireEvent.keyDown(getNode(), { key: "Enter", shiftKey: true });
    expect(mocks().toggleNodeSelection).toHaveBeenCalledWith("ws-1");
  });
  it("opens context menu on ContextMenu key", () => {
    renderNode();
    fireEvent.keyDown(getNode(), { key: "ContextMenu" });
    expect(mocks().openContextMenu).toHaveBeenCalledWith(
      expect.objectContaining({ nodeId: "ws-1" })
    );
  });
});
// Double-click is only meaningful for parents with children; with an empty
// store (no children), both tests assert the handler is effectively a no-op.
describe("WorkspaceNode — double-click interactions", () => {
  it("does nothing on double-click when node has no children", () => {
    renderNode({ collapsed: false });
    fireEvent.doubleClick(getNode());
    // No exception thrown = fine. The actual zoom-to-team event is dispatched
    // on the window, which jsdom handles silently.
    expect(mocks().selectNode).not.toHaveBeenCalled();
  });
  it("sets collapsed=false on double-click of collapsed parent (no children in store)", () => {
    renderNode({ collapsed: true });
    fireEvent.doubleClick(getNode());
    // When hasChildren is false (no child nodes in store), the handler returns early.
    expect(mocks().selectNode).not.toHaveBeenCalled();
  });
});
// Active-task badge: pluralized count, hidden at zero.
describe("WorkspaceNode — active tasks", () => {
  it("shows active tasks badge when activeTasks > 0", () => {
    renderNode({ activeTasks: 3 });
    expect(screen.getByText("3 tasks")).toBeTruthy();
  });
  it("shows singular 'task' when activeTasks is 1", () => {
    renderNode({ activeTasks: 1 });
    expect(screen.getByText("1 task")).toBeTruthy();
  });
  it("suppresses badge when no active tasks", () => {
    renderNode({ activeTasks: 0 });
    expect(screen.queryByText(/task/)).toBeNull();
  });
});
// Current-task banner, and its precedence over the needs-restart affordance.
describe("WorkspaceNode — current task banner", () => {
  it("shows current task banner when currentTask is set", () => {
    renderNode({ currentTask: "Writing unit tests" });
    expect(screen.getByText("Writing unit tests")).toBeTruthy();
  });
  it("suppresses current task banner when null", () => {
    renderNode({ currentTask: null });
    expect(screen.queryByText(/Writing unit tests/)).toBeNull();
  });
  it("shows both currentTask and needsRestart — currentTask takes visual priority", () => {
    renderNode({ currentTask: "Active work", needsRestart: true });
    // Current task banner renders; needs restart button is conditionally hidden
    // behind `!data.currentTask` in the component
    expect(screen.getByText("Active work")).toBeTruthy();
    expect(screen.queryByRole("button", { name: /restart/i })).toBeNull();
  });
});
// Restart affordance: only visible when a restart is pending AND the agent is
// idle; clicking it calls restartWorkspace without also selecting the node.
describe("WorkspaceNode — needs restart", () => {
  it("shows restart button when needsRestart=true and no currentTask", () => {
    renderNode({ needsRestart: true, currentTask: null });
    expect(screen.getByRole("button", { name: /restart to apply changes/i })).toBeTruthy();
  });
  it("suppresses restart button when currentTask is active", () => {
    renderNode({ needsRestart: true, currentTask: "Working" });
    expect(screen.queryByRole("button", { name: /restart/i })).toBeNull();
  });
  it("suppresses restart button when needsRestart=false", () => {
    renderNode({ needsRestart: false });
    expect(screen.queryByRole("button", { name: /restart/i })).toBeNull();
  });
  it("restart button calls restartWorkspace on click", () => {
    renderNode({ needsRestart: true, currentTask: null });
    fireEvent.click(screen.getByRole("button", { name: /restart to apply changes/i }));
    expect(mocks().restartWorkspace).toHaveBeenCalledWith("ws-1");
  });
  it("restart button stops propagation", () => {
    renderNode({ needsRestart: true, currentTask: null });
    fireEvent.click(screen.getByRole("button", { name: /restart/i }));
    // If propagation wasn't stopped, selectNode would also be called
    expect(mocks().selectNode).not.toHaveBeenCalled();
  });
});
// Descendant badge: driven by counting store nodes whose parentId matches.
describe("WorkspaceNode — descendant badge", () => {
  it("shows descendant count badge when node has children in store", () => {
    // Seed the mocked store with ws-1 plus one child pointing at it.
    // (makeNode({ id: "ws-1" }) puts the id into data as well; only the child
    // entry's top-level parentId matters for this test.)
    store().nodes = [
      makeNode({ id: "ws-1" }),
      { id: "child-1", data: { ...makeNode({ id: "ws-1" }).data, parentId: "ws-1" } },
    ];
    renderNode();
    expect(screen.getByText("1 sub")).toBeTruthy();
  });
  it("suppresses badge when node has no children", () => {
    store().nodes = [makeNode({ id: "ws-1" })];
    renderNode();
    expect(screen.queryByText(/sub/)).toBeNull();
  });
});
// Skill pills: first 4 rendered directly, remainder collapsed into "+N".
describe("WorkspaceNode — skills pills", () => {
  it("renders up to 4 skill pills", () => {
    renderNode({
      agentCard: {
        skills: [
          { name: "code-review" },
          { name: "tdd" },
          { name: "debugging" },
          { name: "refactoring" },
        ],
      },
    });
    expect(screen.getByText("code-review")).toBeTruthy();
    expect(screen.getByText("refactoring")).toBeTruthy();
  });
  it("shows +N overflow when more than 4 skills", () => {
    renderNode({
      agentCard: {
        skills: [
          { name: "s1" }, { name: "s2" }, { name: "s3" }, { name: "s4" }, { name: "s5" },
        ],
      },
    });
    expect(screen.getByText("+1")).toBeTruthy();
  });
  it("suppresses skills section when no skills", () => {
    renderNode({ agentCard: null });
    // No skill text rendered
    expect(screen.queryByText(/code-review/i)).toBeNull();
  });
  it("handles agentCard with no skills array", () => {
    // Malformed/partial agentCard must not crash the component.
    renderNode({ agentCard: { name: "Test Agent" } });
    expect(screen.queryByText(/code-review/i)).toBeNull();
  });
});
// Runtime badge: shows the runtime name, with a special "★ REMOTE" rendering
// for the external runtime, and nothing when runtime is null.
describe("WorkspaceNode — runtime badge", () => {
  it("shows runtime badge when runtime is set", () => {
    renderNode({ runtime: "hermes" });
    expect(screen.getByText("hermes")).toBeTruthy();
  });
  it("shows REMOTE badge for external runtime", () => {
    renderNode({ runtime: "external" });
    expect(screen.getByText("★ REMOTE")).toBeTruthy();
  });
  it("suppresses runtime badge when runtime is null", () => {
    renderNode({ runtime: null });
    expect(screen.queryByText("hermes")).toBeNull();
  });
});
// aria-pressed reflects whether this node is the store's selected node.
describe("WorkspaceNode — selection aria", () => {
  it('has aria-pressed="false" when not selected', () => {
    store().selectedNodeId = null;
    renderNode();
    expect(getNode().getAttribute("aria-pressed")).toBe("false");
  });
  it('has aria-pressed="true" when selected', () => {
    store().selectedNodeId = "ws-1";
    renderNode();
    expect(getNode().getAttribute("aria-pressed")).toBe("true");
  });
});
describe("WorkspaceNode — aria-label", () => {
  it("includes name and status in aria-label", () => {
    renderNode({ name: "MyAgent", status: "online" });
    const label = getNode().getAttribute("aria-label");
    expect(label).toContain("MyAgent");
    expect(label).toContain("online");
  });
});
// Handle anchors are also role=button; they are told apart from the main card
// by their data-handle-type attribute ("target" = top/extract, "source" =
// bottom/nest).
describe("WorkspaceNode — handle anchors accessibility", () => {
  it("top handle has aria-label for extract", () => {
    renderNode({ parentId: "parent-1" });
    const handles = screen.getAllByRole("button");
    const topHandle = handles.find((h) => h.getAttribute("data-handle-type") === "target");
    expect(topHandle?.getAttribute("aria-label")).toMatch(/extract/i);
  });
  it("bottom handle has aria-label for nest", () => {
    renderNode();
    const handles = screen.getAllByRole("button");
    const bottomHandle = handles.find((h) => h.getAttribute("data-handle-type") === "source");
    expect(bottomHandle?.getAttribute("aria-label")).toMatch(/nest/i);
  });
  it("top handle extract is no-op when node has no parent", () => {
    renderNode({ parentId: null });
    const handles = screen.getAllByRole("button");
    const topHandle = handles.find((h) => h.getAttribute("data-handle-type") === "target");
    fireEvent.keyDown(topHandle!, { key: "Enter" });
    // Should be a no-op — no exception
    // NOTE(review): extract presumably never calls nestNode even with a
    // parent, so this assertion is a weak guard — confirm against the
    // component's handle keydown handler.
    expect(mocks().nestNode).not.toHaveBeenCalled();
  });
});

View File

@ -63,7 +63,6 @@ export function DropTargetBadge() {
<>
{ghostVisible && (
<div
data-testid="ghost-slot"
className="pointer-events-none absolute z-40 rounded-lg border-2 border-dashed border-emerald-400/70 bg-emerald-500/10"
style={{
left: slotTL.x,
@ -74,7 +73,6 @@ export function DropTargetBadge() {
/>
)}
<div
data-testid="drop-badge"
className="pointer-events-none absolute z-50 -translate-x-1/2 -translate-y-full rounded-md bg-emerald-500 px-2 py-0.5 text-[11px] font-medium text-emerald-50 shadow-lg shadow-emerald-950/40"
style={{ left: badge.x, top: badge.y - 6 }}
>

View File

@ -1,253 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for DropTargetBadge floating drag affordance rendered over the
* ReactFlow canvas while a workspace node is being dragged onto a parent.
*
* Covers:
* - Renders nothing when dragOverNodeId is null
* - Renders nothing when target node not found in store
* - Renders nothing when getInternalNode returns null
* - Renders ghost slot + badge when valid target is found
* - Ghost hidden when slot falls outside parent bounds
* - Badge text includes the target workspace name
* - Badge positioned via screen-space coordinates from flowToScreenPosition
*/
import React from "react";
import { render, screen, cleanup } from "@testing-library/react";
import { afterEach, describe, expect, it, vi } from "vitest";
import { DropTargetBadge } from "../DropTargetBadge";
// ─── Mutable store state — hoisted so vi.mock factory closures capture the ref ─
let _storeState: {
dragOverNodeId: string | null;
nodes: Array<{
id: string;
data: Record<string, unknown>;
parentId: string | null;
measured?: { width: number; height: number };
}>;
} = {
dragOverNodeId: null,
nodes: [],
};
const _subscribers = new Set<() => void>();
function _notifySubscribers() {
for (const fn of _subscribers) fn();
}
const _mockUseCanvasStore = vi.hoisted(() => {
const impl = (selector: (s: typeof _storeState) => unknown) => selector(_storeState);
return impl;
});
// Module-level mutable impl — setFlowMock() swaps it out per test.
let _flowImpl: (arg: { x: number; y: number }) => { x: number; y: number } =
({ x, y }) => ({ x: x * 2, y: y * 2 });
let _flowToScreenPosition = vi.hoisted(() =>
vi.fn((arg: { x: number; y: number }) => _flowImpl(arg)),
);
let _getInternalNode = vi.hoisted(() =>
vi.fn<(id: string) => {
internals: { positionAbsolute: { x: number; y: number } };
measured?: { width: number; height: number };
} | null>(() => null),
);
const _mockUseReactFlow = vi.hoisted(() =>
vi.fn(() => ({
getInternalNode: _getInternalNode,
flowToScreenPosition: _flowToScreenPosition,
})),
);
// ─── Module mocks ─────────────────────────────────────────────────────────────
vi.mock("@/store/canvas", () => ({
useCanvasStore: _mockUseCanvasStore,
}));
vi.mock("@xyflow/react", () => ({
useReactFlow: _mockUseReactFlow,
}));
// ─── Helpers ──────────────────────────────────────────────────────────────────
function setStore(state: Partial<typeof _storeState>) {
_storeState = { ..._storeState, ...state };
_notifySubscribers();
}
// Helper to set per-test flowToScreenPosition mock — replaces _flowImpl.
function setFlowMock(impl: (arg: { x: number; y: number }) => { x: number; y: number }) {
_flowImpl = impl;
}
// ─── Tests ────────────────────────────────────────────────────────────────────
describe("DropTargetBadge — renders nothing when not dragging", () => {
afterEach(() => {
cleanup();
_storeState = { dragOverNodeId: null, nodes: [] };
_getInternalNode.mockReset().mockReturnValue(null);
_flowImpl = ({ x, y }) => ({ x: x * 2, y: y * 2 });
});
it("returns null when dragOverNodeId is null", () => {
setStore({ dragOverNodeId: null });
render(<DropTargetBadge />);
expect(document.body.textContent).toBe("");
});
it("returns null when target node not found in store nodes array", () => {
setStore({ dragOverNodeId: "ws-target", nodes: [] });
render(<DropTargetBadge />);
expect(document.body.textContent).toBe("");
});
});
describe("DropTargetBadge — renders nothing when getInternalNode is null", () => {
afterEach(() => {
cleanup();
_storeState = { dragOverNodeId: null, nodes: [] };
_getInternalNode.mockReset().mockReturnValue(null);
_flowImpl = ({ x, y }) => ({ x: x * 2, y: y * 2 });
});
it("returns null when getInternalNode returns null (node not in RF viewport)", () => {
_getInternalNode.mockReturnValue(null);
setStore({
dragOverNodeId: "ws-target",
nodes: [{ id: "ws-target", data: { name: "Target WS" }, parentId: null }],
});
render(<DropTargetBadge />);
expect(document.body.textContent).toBe("");
});
});
describe("DropTargetBadge — renders ghost slot + badge for valid drag target", () => {
afterEach(() => {
cleanup();
_storeState = { dragOverNodeId: null, nodes: [] };
_getInternalNode.mockReset().mockReturnValue(null);
_flowImpl = ({ x, y }) => ({ x: x * 2, y: y * 2 });
});
it("renders the drop badge with target name", () => {
_getInternalNode.mockReturnValue({
internals: { positionAbsolute: { x: 100, y: 200 } },
measured: { width: 220, height: 120 },
});
_flowToScreenPosition
.mockReturnValueOnce({ x: 500, y: 400 }) // slotTL
.mockReturnValueOnce({ x: 900, y: 600 }) // slotBR
.mockReturnValueOnce({ x: 700, y: 200 }); // badge
setStore({
dragOverNodeId: "ws-target",
nodes: [
{ id: "ws-target", data: { name: "SEO Workspace" }, parentId: null, measured: { width: 220, height: 120 } },
],
});
render(<DropTargetBadge />);
expect(screen.getByText(/Drop into: SEO Workspace/)).toBeTruthy();
});
it("renders the ghost slot div via data-testid", () => {
// measured.height must be large enough that parentBR.y > slotTL.y=330 so
// ghostVisible = (slotTL.y < parentBR.y) is true.
// parentBR.y = abs.y + measured.height = 200 + h > 330 → h > 130
_getInternalNode.mockReturnValue({
internals: { positionAbsolute: { x: 100, y: 200 } },
measured: { width: 220, height: 500 },
});
// Component calls flowToScreenPosition 5 times (confirmed via debug):
// 1) badge {x:210, y:200} -> {x:420, y:400} (badge center)
// 2) slotTL {x:116, y:330} -> {x:232, y:660} (slot origin)
// 3) slotBR {x:356, y:460} -> {x:712, y:920} (ghost uses this)
// 4) parentTL {x:100, y:200} -> {x:200, y:400} (parent origin)
// 5) parentBR {x:320, y:320} -> {x:640, y:640} (parent corner)
setFlowMock(({ x, y }: { x: number; y: number }) => {
if (x === 210 && y === 200) return { x: 420, y: 400 };
if (x === 116 && y === 330) return { x: 232, y: 660 };
if (x === 356 && y === 460) return { x: 712, y: 920 };
if (x === 100 && y === 200) return { x: 200, y: 400 };
// 5th call: parentBR = abs + {w:220, h:500} = {320, 700}
if (x === 320 && y === 700) return { x: 640, y: 1400 };
return { x: x * 2, y: y * 2 };
});
setStore({
dragOverNodeId: "ws-target",
nodes: [
{ id: "ws-target", data: { name: "Target" }, parentId: null, measured: { width: 220, height: 500 } },
],
});
render(<DropTargetBadge />);
expect(screen.getByTestId("ghost-slot")).toBeTruthy();
// Ghost uses slotBR from 3rd call: slotBR - slotTL = (712-232, 920-660)
expect(screen.getByTestId("ghost-slot").style.left).toBe("232px");
expect(screen.getByTestId("ghost-slot").style.top).toBe("660px");
expect(screen.getByTestId("ghost-slot").style.width).toBe("480px");
expect(screen.getByTestId("ghost-slot").style.height).toBe("260px");
});
it("ghost is hidden when slot falls entirely outside parent bounds", () => {
_getInternalNode.mockReturnValue({
internals: { positionAbsolute: { x: 100, y: 200 } },
measured: { width: 220, height: 120 },
});
// Set slotBR (3rd call) to be inside parent to hide ghost.
// slotBR.x ≤ parentTL.x makes slotBR.x - slotTL.x < 0 → ghostVisible = false.
setFlowMock(({ x, y }: { x: number; y: number }) => {
if (x === 210 && y === 200) return { x: 420, y: 400 }; // badge (1st call)
if (x === 116 && y === 330) return { x: 232, y: 660 }; // slotTL (2nd call)
if (x === 356 && y === 460) return { x: 150, y: 460 }; // slotBR (3rd): slotBR.x=150 < parentTL.x=200 → hidden
if (x === 100 && y === 200) return { x: 200, y: 400 }; // parentTL (4th call)
if (x === 320 && y === 320) return { x: 640, y: 640 }; // parentBR (5th call)
return { x: x * 2, y: y * 2 };
});
setStore({
dragOverNodeId: "ws-target",
nodes: [
{ id: "ws-target", data: { name: "Tiny" }, parentId: null, measured: { width: 220, height: 120 } },
],
});
render(<DropTargetBadge />);
// Badge should still render, ghost should not
expect(screen.getByText(/Drop into: Tiny/)).toBeTruthy();
expect(screen.queryByTestId("ghost-slot")).toBeNull();
});
it("badge is absolutely positioned with left and top from flowToScreenPosition", () => {
_getInternalNode.mockReturnValue({
internals: { positionAbsolute: { x: 100, y: 200 } },
measured: { width: 220, height: 120 },
});
setFlowMock(({ x, y }: { x: number; y: number }) => {
if (x === 210 && y === 200) return { x: 420, y: 400 };
if (x === 116 && y === 330) return { x: 232, y: 660 };
if (x === 356 && y === 460) return { x: 712, y: 920 };
if (x === 100 && y === 200) return { x: 200, y: 400 };
if (x === 320 && y === 320) return { x: 640, y: 640 };
return { x: x * 2, y: y * 2 };
});
setStore({
dragOverNodeId: "ws-target",
nodes: [
{ id: "ws-target", data: { name: "Target" }, parentId: null, measured: { width: 220, height: 120 } },
],
});
render(<DropTargetBadge />);
expect(screen.getByTestId("drop-badge")).toBeTruthy();
// Badge uses 1st call: {x:210,y:200} -> {x:420,y:400}, badge.y = 400-6 = 394
expect(screen.getByTestId("drop-badge").style.left).toBe("420px");
expect(screen.getByTestId("drop-badge").style.top).toBe("394px");
expect(screen.getByText(/Drop into: Target/)).toBeTruthy();
});
});

View File

@ -101,20 +101,6 @@ describe("Esc — deselect / close context menu", () => {
fireEvent.keyDown(window, { key: "Escape" });
expect(mockStoreState.selectNode).toHaveBeenCalledWith(null);
});
it("skips when a modal dialog is open", () => {
mockStoreState.contextMenu = null;
mockStoreState.selectedNodeId = "n1";
renderWithProvider();
const dialog = document.createElement("div");
dialog.setAttribute("role", "dialog");
dialog.setAttribute("aria-modal", "true");
document.body.appendChild(dialog);
fireEvent.keyDown(window, { key: "Escape" });
expect(mockStoreState.clearSelection).not.toHaveBeenCalled();
expect(mockStoreState.selectNode).not.toHaveBeenCalled();
document.body.removeChild(dialog);
});
});
describe("Enter — hierarchy navigation", () => {
@ -150,17 +136,6 @@ describe("Enter — hierarchy navigation", () => {
fireEvent.keyDown(window, { key: "Enter" });
expect(mockStoreState.selectNode).not.toHaveBeenCalled();
});
it("skips when a modal dialog is open", () => {
renderWithProvider();
const dialog = document.createElement("div");
dialog.setAttribute("role", "dialog");
dialog.setAttribute("aria-modal", "true");
document.body.appendChild(dialog);
fireEvent.keyDown(window, { key: "Enter" });
expect(mockStoreState.selectNode).not.toHaveBeenCalled();
document.body.removeChild(dialog);
});
});
describe("Cmd+]/[ — z-order bump", () => {
@ -185,17 +160,6 @@ describe("Cmd+]/[ — z-order bump", () => {
fireEvent.keyDown(window, { key: "]", ctrlKey: true });
expect(mockStoreState.bumpZOrder).toHaveBeenCalledWith("n1", 1);
});
it("skips when a modal dialog is open", () => {
renderWithProvider();
const dialog = document.createElement("div");
dialog.setAttribute("role", "dialog");
dialog.setAttribute("aria-modal", "true");
document.body.appendChild(dialog);
fireEvent.keyDown(window, { key: "]", metaKey: true });
expect(mockStoreState.bumpZOrder).not.toHaveBeenCalled();
document.body.removeChild(dialog);
});
});
describe("Z — zoom-to-team", () => {
@ -248,17 +212,6 @@ describe("Z — zoom-to-team", () => {
expect(dispatchedEvents).toHaveLength(0);
document.body.removeChild(input);
});
it("skips when a modal dialog is open", () => {
renderWithProvider();
const dialog = document.createElement("div");
dialog.setAttribute("role", "dialog");
dialog.setAttribute("aria-modal", "true");
document.body.appendChild(dialog);
fireEvent.keyDown(window, { key: "z" });
expect(dispatchedEvents).toHaveLength(0);
document.body.removeChild(dialog);
});
});
describe("Arrow keys — keyboard node movement", () => {

View File

@ -13,9 +13,7 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
/**
* Canvas-wide keyboard shortcuts. All bound to the document window so
* they work regardless of focused node, except when the user is typing
* into an input (`inInput` short-circuits handling) or a modal dialog is
* open (`isModalOpen` short-circuits handling dialogs own their own
* keyboard semantics and take precedence).
* into an input (`inInput` short-circuits handling).
*
* Esc close context menu, clear selection, deselect
* Enter descend into selected node's first child
@ -27,10 +25,6 @@ function hasChildren(nodeId: string, nodes: Node<WorkspaceNodeData>[]): boolean
* Cmd/Ctrl+Arrow resize selected node ( height, width)
* Cmd/Ctrl+Shift+Arrow resize by 2px per press (fine control)
*/
/** Returns true when a modal dialog (role=dialog, aria-modal=true) is open. */
const isModalOpen = () =>
document.querySelector('[role="dialog"][aria-modal="true"]') !== null;
export function useKeyboardShortcuts() {
useEffect(() => {
const handler = (e: KeyboardEvent) => {
@ -42,7 +36,6 @@ export function useKeyboardShortcuts() {
(e.target as HTMLElement).isContentEditable;
if (e.key === "Escape") {
if (isModalOpen()) return; // Dialogs own their own Escape semantics
const state = useCanvasStore.getState();
if (state.contextMenu) {
state.closeContextMenu();
@ -54,9 +47,8 @@ export function useKeyboardShortcuts() {
}
// Figma-style hierarchy navigation. Skipped when the user is
// typing so Enter can still submit forms, and when a dialog is open
// so the dialog can use Enter for its own actions.
if (!inInput && !isModalOpen() && (e.key === "Enter" || e.key === "NumpadEnter")) {
// typing so Enter can still submit forms.
if (!inInput && (e.key === "Enter" || e.key === "NumpadEnter")) {
e.preventDefault();
const state = useCanvasStore.getState();
const id = state.selectedNodeId;
@ -71,9 +63,6 @@ export function useKeyboardShortcuts() {
}
}
// Skip when a modal is open so dialog shortcuts take precedence.
if (isModalOpen()) return;
if (
!inInput &&
(e.metaKey || e.ctrlKey) &&
@ -122,7 +111,7 @@ export function useKeyboardShortcuts() {
if (!selectedId) return;
// Skip when a modal/dialog is already open — dialogs own their own
// arrow-key semantics and shouldn't trigger canvas moves.
if (isModalOpen()) return;
if (document.querySelector('[role="dialog"][aria-modal="true"]')) return;
e.preventDefault();
const step = e.shiftKey ? 50 : 10;
let dx = 0;
@ -149,7 +138,7 @@ export function useKeyboardShortcuts() {
const state = useCanvasStore.getState();
const selectedId = state.selectedNodeId;
if (!selectedId) return;
if (isModalOpen()) return;
if (document.querySelector('[role="dialog"][aria-modal="true"]')) return;
e.preventDefault();
const step = e.shiftKey ? 2 : 10;
const node = state.nodes.find((n) => n.id === selectedId);

View File

@ -54,14 +54,9 @@ export function MobileChat({
// user sees their prior thread on entry. The store is updated by the
// socket → ChatTab flows the desktop runs; on mobile we read from the
// same buffer to keep state coherent across viewports.
// NOTE: do NOT use `?? []` in the selector — Zustand uses Object.is
// for selector equality. A fallback `?? []` creates a new [] reference on
// every store update when agentMessages[agentId] is undefined, causing an
// infinite re-render loop (React error #185 / Maximum update depth
// exceeded). The undefined case is handled by the initializer below.
const storedMessages = useCanvasStore((s) => s.agentMessages[agentId]);
const storedMessages = useCanvasStore((s) => s.agentMessages[agentId] ?? []);
const [messages, setMessages] = useState<ChatMessage[]>(() =>
(storedMessages ?? []).map((m) => ({
storedMessages.map((m) => ({
id: m.id,
role: "agent",
text: m.content,

View File

@ -1,115 +0,0 @@
// @vitest-environment jsdom
/**
 * AgentCard — mobile agent row card.
 *
 * Per WCAG 2.1 AA:
 * - Rendered as <button> with aria-label composing accessible name
 * - aria-label includes: name, status, tier, remote flag
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, render } from "@testing-library/react";
import React from "react";
import { AgentCard, type MobileAgent } from "../components";

afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});

// Fixture: healthy local agent (remote flag off, no parent).
const onlineAgent: MobileAgent = {
  id: "ws-1",
  name: "My Agent",
  tag: "claude-code",
  tier: "T2",
  status: "online",
  remote: false,
  runtime: "claude-code",
  skills: 3,
  calls: 12,
  desc: "Handles customer support",
  parentId: null,
};

// Fixture: failed remote agent with a parent — exercises the remote + failure branches.
const remoteFailedAgent: MobileAgent = {
  id: "ws-2",
  name: "Remote Worker",
  tag: "external",
  tier: "T4",
  status: "failed",
  remote: true,
  runtime: "external",
  skills: 5,
  calls: 0,
  desc: "",
  parentId: "ws-1",
};

// ─── Render ───────────────────────────────────────────────────────────────────
describe("AgentCard — render", () => {
  it("renders as a button", () => {
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} />);
    expect(document.querySelector("button")).toBeTruthy();
  });
  it("button has aria-label with name, status, tier", () => {
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    const label = btn.getAttribute("aria-label") ?? "";
    expect(label).toContain("My Agent");
    expect(label).toContain("online");
    expect(label).toContain("T2");
  });
  it("aria-label includes remote for remote agents", () => {
    render(<AgentCard agent={remoteFailedAgent} dark={false} onClick={vi.fn()} />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    const label = btn.getAttribute("aria-label") ?? "";
    expect(label).toContain("Remote Worker");
    expect(label).toContain("failed");
    expect(label).toContain("T4");
    expect(label).toContain("remote");
  });
  it("aria-label omits remote for non-remote agents", () => {
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    const label = btn.getAttribute("aria-label") ?? "";
    expect(label).not.toContain("remote");
  });
  it("renders agent name text inside the button", () => {
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    expect(btn.textContent).toContain("My Agent");
  });
  it("compact prop reduces padding", () => {
    // FIX: the previous assertion only checked that the style string contains
    // "padding", which is equally true for the default rendering, so the test
    // could never catch a compact regression. Render both variants and assert
    // the inline styles actually differ.
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} compact={true} />);
    const compactStyle =
      (document.querySelector("button") as HTMLButtonElement).getAttribute("style") ?? "";
    cleanup();
    render(<AgentCard agent={onlineAgent} dark={false} onClick={vi.fn()} compact={false} />);
    const defaultStyle =
      (document.querySelector("button") as HTMLButtonElement).getAttribute("style") ?? "";
    // compact uses "12px 14px" padding vs "14px 16px" default
    expect(compactStyle).toContain("padding");
    expect(compactStyle).not.toBe(defaultStyle);
  });
});

// ─── Interaction ─────────────────────────────────────────────────────────────
describe("AgentCard — interaction", () => {
  it("calls onClick when button is clicked", () => {
    const onClick = vi.fn();
    render(<AgentCard agent={onlineAgent} dark={false} onClick={onClick} />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    btn.click();
    expect(onClick).toHaveBeenCalledTimes(1);
  });
  it("renders without onClick (optional prop)", () => {
    // Should not throw
    expect(() => render(<AgentCard agent={onlineAgent} dark={false} />)).not.toThrow();
  });
});

View File

@ -1,118 +0,0 @@
// @vitest-environment jsdom
/**
 * FilterChips — mobile agent filter toolbar.
 *
 * Per WCAG 2.1 AA / ARIA radio group pattern:
 * - Container has role="toolbar" + aria-label
 * - Each button has role="radio" + aria-checked
 * - Icon spans have aria-hidden="true"
 * - Only one radio can be checked at a time (single-select filter)
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { FilterChips, type AgentFilter } from "../components";

afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});

// Shared count-badge fixture; values are arbitrary but self-consistent
// (all = online + issue + paused).
const defaultCounts = { all: 12, online: 8, issue: 2, paused: 2 };

// ─── Render ───────────────────────────────────────────────────────────────────
describe("FilterChips — render", () => {
  it("renders 4 filter buttons", () => {
    render(<FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const buttons = document.querySelectorAll('[role="radio"]');
    expect(buttons.length).toBe(4);
  });
  it("container has role=toolbar and aria-label", () => {
    render(<FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const toolbar = document.querySelector('[role="toolbar"]');
    expect(toolbar).toBeTruthy();
    expect(toolbar?.getAttribute("aria-label")).toBe("Filter agents");
  });
  it("each button has role=radio", () => {
    render(<FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const buttons = document.querySelectorAll('[role="radio"]');
    buttons.forEach((btn) => {
      expect(btn.getAttribute("role")).toBe("radio");
    });
  });
  it("active filter has aria-checked=true, others false", () => {
    render(<FilterChips value="issue" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const buttons = document.querySelectorAll('[role="radio"]');
    // Chips are matched by their visible label prefix ("Issues" for the
    // "issue" filter id) rather than by id, to test what users see.
    buttons.forEach((btn) => {
      const label = btn.textContent ?? "";
      if (label.startsWith("Issues")) {
        expect(btn.getAttribute("aria-checked")).toBe("true");
      } else {
        expect(btn.getAttribute("aria-checked")).toBe("false");
      }
    });
  });
  it("count spans have aria-hidden=true", () => {
    render(<FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const hidden = document.querySelectorAll('[aria-hidden="true"]');
    // Each chip has one count span marked aria-hidden
    expect(hidden.length).toBeGreaterThanOrEqual(4);
  });
});

// ─── Interaction ─────────────────────────────────────────────────────────────
describe("FilterChips — interaction", () => {
  it("calls onChange with correct filter id when clicked", () => {
    const onChange = vi.fn();
    render(<FilterChips value="all" onChange={onChange} dark={false} counts={defaultCounts} />);
    const buttons = document.querySelectorAll('[role="radio"]');
    const onlineBtn = Array.from(buttons).find((b) => b.textContent?.startsWith("Online")) as Element;
    fireEvent.click(onlineBtn);
    expect(onChange).toHaveBeenCalledWith("online");
  });
  it("calls onChange when the already-active filter is clicked (component does not guard)", () => {
    const onChange = vi.fn();
    render(<FilterChips value="all" onChange={onChange} dark={false} counts={defaultCounts} />);
    const buttons = document.querySelectorAll('[role="radio"]');
    const allBtn = Array.from(buttons).find((b) => b.textContent?.startsWith("All")) as Element;
    fireEvent.click(allBtn);
    // Component calls onChange even for the already-active filter;
    // the guard belongs at the consumer level (MobileHome) if needed.
    expect(onChange).toHaveBeenCalledWith("all");
  });
  it("updating value prop changes aria-checked", () => {
    const { rerender } = render(
      <FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />,
    );
    // This test relies on stable per-chip ids ("filter-<id>") so the same DOM
    // node can be re-queried across the rerender.
    const allBtn = document.querySelector('[id="filter-all"]') as Element;
    expect(allBtn.getAttribute("aria-checked")).toBe("true");
    rerender(<FilterChips value="paused" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    expect(allBtn.getAttribute("aria-checked")).toBe("false");
    const pausedBtn = document.querySelector('[id="filter-paused"]') as Element;
    expect(pausedBtn.getAttribute("aria-checked")).toBe("true");
  });
  it("all filter labels are present", () => {
    render(<FilterChips value="all" onChange={vi.fn()} dark={false} counts={defaultCounts} />);
    const texts = Array.from(document.querySelectorAll('[role="radio"]')).map((b) =>
      b.textContent?.trim(),
    );
    expect(texts.some((t) => t?.startsWith("All"))).toBe(true);
    expect(texts.some((t) => t?.startsWith("Online"))).toBe(true);
    expect(texts.some((t) => t?.startsWith("Issues"))).toBe(true);
    expect(texts.some((t) => t?.startsWith("Paused"))).toBe(true);
  });
});

View File

@ -1,185 +0,0 @@
// @vitest-environment jsdom
/**
 * MobileCanvas — mobile mini-graph with pinch-zoom and tap-to-open.
 *
 * Per WCAG 2.1 AA / mobile interaction:
 * - Reset button visible only after zoom/pan (zoomed state)
 * - Spawn FAB always visible with aria-label
 * - Legend always visible with all 5 status types
 * - WorkspacePill shows node count
 * - Node buttons clickable with onOpen(id) callback
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { MobileCanvas } from "../MobileCanvas";

// ─── Mock dependencies ──────────────────────────────────────────────────────────
// Theme is forced to dark; MobileCanvas also receives dark via prop below.
vi.mock("@/lib/theme-provider", () => ({
  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
}));

// Three-node fixture covering distinct statuses (online/degraded/offline),
// tiers, runtimes, and both root (parentId: null) and child nodes.
const mockNodes = [
  {
    id: "ws-1",
    position: { x: 100, y: 200 },
    data: {
      name: "Alpha Agent",
      status: "online",
      tier: 2,
      parentId: null,
      runtime: "langgraph",
      activeTasks: 0,
      role: "researcher",
    },
  },
  {
    id: "ws-2",
    position: { x: 300, y: 400 },
    data: {
      name: "Beta Agent",
      status: "degraded",
      tier: 3,
      parentId: "ws-1",
      runtime: "claude-code",
      activeTasks: 1,
      role: "developer",
    },
  },
  {
    id: "ws-3",
    position: { x: 0, y: 0 },
    data: {
      name: "Gamma Agent",
      status: "offline",
      tier: 1,
      parentId: null,
      runtime: "hermes",
      activeTasks: 0,
      role: "analyst",
    },
  },
];

// Store mock supports both selector usage (useCanvasStore((s) => s.nodes))
// and bare-hook usage; either way the component sees mockNodes.
vi.mock("@/store/canvas", () => ({
  useCanvasStore: vi.fn((selector) => {
    if (typeof selector === "function") {
      return selector({ nodes: mockNodes });
    }
    return mockNodes;
  }),
  summarizeWorkspaceCapabilities: vi.fn((data: { status?: string; role?: string }) => ({
    runtime: data.status ? "langgraph" : "unknown",
    skillCount: 0,
    currentTask: data.role ?? "",
  })),
}));

afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
});

// ─── Render ────────────────────────────────────────────────────────────────────
describe("MobileCanvas — render", () => {
  it("renders the canvas container", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    const container = document.querySelector('[style*="position: absolute"]');
    expect(container).toBeTruthy();
  });
  it("renders the legend with all 5 status types", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    // Locate the legend by its "Legend" text; no dedicated test id exists.
    const legend = Array.from(document.querySelectorAll("div")).find(
      (d) => d.textContent?.includes("Legend"),
    );
    expect(legend).toBeTruthy();
    expect(legend?.textContent).toContain("online");
    expect(legend?.textContent).toContain("starting");
    expect(legend?.textContent).toContain("degraded");
    expect(legend?.textContent).toContain("failed");
    expect(legend?.textContent).toContain("paused");
  });
  it("renders spawn FAB with correct aria-label", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    const fab = document.querySelector('button[aria-label="Spawn new agent"]');
    expect(fab).toBeTruthy();
  });
  it("renders node buttons for each store node", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    const buttons = document.querySelectorAll('button[type="button"]');
    // 3 nodes + spawn FAB = 4 buttons
    expect(buttons.length).toBeGreaterThanOrEqual(4);
  });
  it("renders node with correct name text", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    expect(document.body.textContent).toContain("Alpha Agent");
    expect(document.body.textContent).toContain("Beta Agent");
    expect(document.body.textContent).toContain("Gamma Agent");
  });
  it("reset button is hidden when not zoomed", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    const reset = document.querySelector('button[aria-label="Reset zoom"]');
    expect(reset).toBeNull();
  });
  it("renders FAB and legend regardless of node count", () => {
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={vi.fn()} />,
    );
    const fab = document.querySelector('button[aria-label="Spawn new agent"]');
    expect(fab).toBeTruthy();
    const legend = Array.from(document.querySelectorAll("div")).find(
      (d) => d.textContent?.includes("Legend"),
    );
    expect(legend).toBeTruthy();
  });
});

// ─── Interaction ──────────────────────────────────────────────────────────────
describe("MobileCanvas — interaction", () => {
  it("onOpen called with correct node id when node button clicked", () => {
    const onOpen = vi.fn();
    render(
      <MobileCanvas dark={true} onOpen={onOpen} onSpawn={vi.fn()} />,
    );
    const nodeButtons = Array.from(document.querySelectorAll('button[type="button"]')).filter(
      (b) => b.textContent?.includes("Alpha Agent"),
    );
    expect(nodeButtons.length).toBeGreaterThanOrEqual(1);
    nodeButtons[0]!.click();
    expect(onOpen).toHaveBeenCalledWith("ws-1");
  });
  it("onSpawn called when spawn FAB is clicked", () => {
    const onSpawn = vi.fn();
    render(
      <MobileCanvas dark={true} onOpen={vi.fn()} onSpawn={onSpawn} />,
    );
    const fab = document.querySelector('button[aria-label="Spawn new agent"]')!;
    fab.click();
    expect(onSpawn).toHaveBeenCalledTimes(1);
  });
});

View File

@ -1,242 +0,0 @@
// @vitest-environment jsdom
/**
 * MobileComms — workspace A2A traffic feed with All/Errors filter.
 *
 * Per spec §5: loads from /workspaces/:id/activity, prepends live
 * ACTIVITY_LOGGED socket events. Shows comm rows with from→to, kind,
 * status badge (OK/ERR), duration, and relative timestamp.
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
// FIX: dropped the unused `screen` import (no-unused-vars).
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { MobileComms } from "../MobileComms";

// ─── Mock dependencies ──────────────────────────────────────────────────────────
vi.mock("@/lib/theme-provider", () => ({
  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
}));

// Two-node fixture: ws-alpha (root) and ws-beta (child), used to resolve
// activity source/target ids to display names.
const mockNodes = [
  {
    id: "ws-alpha",
    data: { name: "Alpha Agent", status: "online", tier: 2, parentId: null },
  },
  {
    id: "ws-beta",
    data: { name: "Beta Agent", status: "online", tier: 3, parentId: "ws-alpha" },
  },
];

vi.mock("@/store/canvas", () => ({
  useCanvasStore: vi.fn((selector) => {
    if (typeof selector === "function") {
      return selector({ nodes: mockNodes });
    }
    return mockNodes;
  }),
  summarizeWorkspaceCapabilities: vi.fn(() => ({ runtime: "langgraph", skillCount: 0, currentTask: "" })),
}));

// One "ok" and one "error" activity row — lets the All/Errors filter tests
// distinguish outcomes. Timestamps are relative to now for the "time ago" UI.
const mockActivity: Array<{
  id: string; workspace_id: string; activity_type: string;
  source_id: string | null; target_id: string | null;
  summary: string | null; status: string; duration_ms: number | null;
  created_at: string;
}> = [
  {
    id: "act-1",
    workspace_id: "ws-alpha",
    activity_type: "a2a_delegate",
    source_id: "ws-alpha",
    target_id: "ws-beta",
    summary: "Analyzing report",
    status: "ok",
    duration_ms: 1234,
    created_at: new Date(Date.now() - 60000).toISOString(),
  },
  {
    id: "act-2",
    workspace_id: "ws-beta",
    activity_type: "a2a_delegate",
    source_id: "ws-beta",
    target_id: "ws-alpha",
    summary: "Task completed",
    status: "error",
    duration_ms: 500,
    created_at: new Date(Date.now() - 120000).toISOString(),
  },
];

// vi.hoisted so the spies exist before the hoisted vi.mock factories run.
const { apiGetSpy, socketHandlers } = vi.hoisted(() => {
  const apiGetSpy = vi.fn();
  return { apiGetSpy, socketHandlers: [] as Array<(msg: unknown) => void> };
});
vi.mock("@/lib/api", () => ({
  api: {
    get: apiGetSpy,
    post: vi.fn(),
  },
}));
vi.mock("@/hooks/useSocketEvent", () => ({
  useSocketEvent: vi.fn((handler: (msg: unknown) => void) => {
    socketHandlers.push(handler);
    return vi.fn(); // unsubscribe
  }),
}));

afterEach(() => {
  cleanup();
  socketHandlers.splice(0, socketHandlers.length);
  apiGetSpy.mockReset();
  vi.restoreAllMocks();
});

// ─── Render ────────────────────────────────────────────────────────────────────
describe("MobileComms — render", () => {
  it("renders comms page with header", () => {
    apiGetSpy.mockResolvedValue([]);
    render(<MobileComms dark={true} />);
    expect(document.body.textContent).toContain("Comms");
  });
  it("shows loading state when fetching", async () => {
    // FIX: the resolver is invoked as `resolve([])` below, so its type must
    // accept a value; the previous `() => void` made that call a TS arity
    // error under strict settings.
    let resolve!: (v: unknown) => void;
    apiGetSpy.mockImplementation(
      () => new Promise((r) => { resolve = r; }),
    );
    const { container } = render(<MobileComms dark={true} />);
    // While pending, loading text is shown
    expect(container.textContent ?? "").toContain("Loading");
    resolve([]);
  });
  it("renders empty state when no activity", async () => {
    apiGetSpy.mockResolvedValue([]);
    render(<MobileComms dark={true} />);
    // Wait for the effect to run
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("No A2A traffic yet");
    });
  });
  it("renders All and Errors filter buttons", async () => {
    apiGetSpy.mockResolvedValue([]);
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("All");
      expect(document.body.textContent).toContain("Errors");
    });
  });
  it("shows event count in header", async () => {
    apiGetSpy.mockImplementation((path: string) => {
      if (path.includes("/activity")) return Promise.resolve(mockActivity);
      return Promise.resolve([]);
    });
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("events");
    });
  });
});

// ─── Interaction ──────────────────────────────────────────────────────────────
describe("MobileComms — interaction", () => {
  it("renders activity rows when data loaded", async () => {
    apiGetSpy.mockImplementation((path: string) => {
      if (path.includes("/activity")) return Promise.resolve(mockActivity);
      return Promise.resolve([]);
    });
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("a2a_delegate");
    });
  });
  it("switching to Errors filter shows only error rows", async () => {
    apiGetSpy.mockImplementation((path: string) => {
      if (path.includes("/activity")) return Promise.resolve(mockActivity);
      return Promise.resolve([]);
    });
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("a2a_delegate");
    });
    const errorsBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Errors"));
    expect(errorsBtn).toBeTruthy();
    fireEvent.click(errorsBtn!);
    // Only the error row should remain
    const rows = Array.from(
      document.querySelectorAll("div"),
    ).filter((d) => d.textContent?.includes("ERR"));
    expect(rows.length).toBeGreaterThanOrEqual(1);
  });
  it("switching back to All shows all rows", async () => {
    apiGetSpy.mockImplementation((path: string) => {
      if (path.includes("/activity")) return Promise.resolve(mockActivity);
      return Promise.resolve([]);
    });
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("a2a_delegate");
    });
    const allBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("All"));
    fireEvent.click(allBtn!);
    // Should show OK and ERR rows
    const okRows = Array.from(
      document.querySelectorAll("div"),
    ).filter((d) => d.textContent?.includes("OK"));
    expect(okRows.length).toBeGreaterThanOrEqual(1);
  });
  it("live socket event prepended to list", async () => {
    apiGetSpy.mockResolvedValue([]);
    render(<MobileComms dark={true} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("No A2A traffic yet");
    });
    // Simulate live ACTIVITY_LOGGED event.
    // FIX: non-null assert the indexed access — under noUncheckedIndexedAccess
    // the element type is `T | undefined` and the call below would not compile.
    const liveHandler = socketHandlers[socketHandlers.length - 1]!;
    liveHandler({
      event: "ACTIVITY_LOGGED",
      payload: {
        id: "act-live",
        workspace_id: "ws-alpha",
        activity_type: "a2a_delegate",
        source_id: "ws-alpha",
        target_id: "ws-beta",
        status: "ok",
        duration_ms: 999,
        created_at: new Date().toISOString(),
      },
    });
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("a2a_delegate");
    });
    // Empty state should be gone
    expect(document.body.textContent).not.toContain("No A2A traffic yet");
  });
});

View File

@ -1,253 +0,0 @@
// @vitest-environment jsdom
/**
 * MobileSpawn — bottom-sheet agent spawn form.
 *
 * Per spec §6: fetches /templates, user picks tier + name,
 * POST /workspaces. Backdrop click closes. Error surfaced inline.
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
// FIX: dropped the unused `screen` import (no-unused-vars).
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { MobileSpawn } from "../MobileSpawn";

// ─── Mock dependencies ──────────────────────────────────────────────────────────
vi.mock("@/lib/theme-provider", () => ({
  useTheme: () => ({ theme: "dark", resolvedTheme: "dark", setTheme: vi.fn() }),
}));

// Three templates across two tiers; the first one is the default selection.
const mockTemplates = [
  {
    id: "tpl-langgraph",
    name: "LangGraph Agent",
    description: "Multi-step reasoning with state machines.",
    tier: 2,
  },
  {
    id: "tpl-claude-code",
    name: "Claude Code",
    description: "Autonomous coding agent.",
    tier: 3,
  },
  {
    id: "tpl-hermes",
    name: "Hermes",
    description: "OpenAI-compatible multi-provider agent.",
    tier: 2,
  },
];

// vi.hoisted so the spies exist before the hoisted vi.mock factory runs.
const { apiGetSpy, apiPostSpy } = vi.hoisted(() => {
  return { apiGetSpy: vi.fn(), apiPostSpy: vi.fn() };
});
vi.mock("@/lib/api", () => ({
  api: {
    get: apiGetSpy,
    post: apiPostSpy,
  },
}));

afterEach(() => {
  cleanup();
  apiGetSpy.mockReset();
  apiPostSpy.mockReset();
  vi.restoreAllMocks();
});

// ─── Render ────────────────────────────────────────────────────────────────────
describe("MobileSpawn — render", () => {
  it("renders the dialog with aria-label", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    const dialog = document.querySelector('[role="dialog"][aria-label="Spawn agent"]');
    expect(dialog).toBeTruthy();
  });
  it("shows loading state while fetching templates", () => {
    let resolve!: (v: unknown) => void;
    apiGetSpy.mockImplementation(() => new Promise((r) => { resolve = r; }));
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    expect(document.body.textContent).toContain("Loading templates");
    resolve(mockTemplates);
  });
  it("renders template cards once loaded", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("LangGraph Agent");
      expect(document.body.textContent).toContain("Claude Code");
      expect(document.body.textContent).toContain("Hermes");
    });
  });
  it("renders name input", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    const input = document.querySelector('input[placeholder]');
    expect(input).toBeTruthy();
  });
  it("renders all 4 tier buttons", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    expect(document.body.textContent).toContain("Sandboxed");
    expect(document.body.textContent).toContain("Standard");
    expect(document.body.textContent).toContain("Privileged");
    expect(document.body.textContent).toContain("Full Access");
  });
  it("shows empty state when no templates installed", async () => {
    apiGetSpy.mockResolvedValue([]);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("No templates installed");
    });
  });
  it("renders spawn button with correct label", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    const spawnBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Spawn agent"));
    expect(spawnBtn).toBeTruthy();
  });
  it("renders close button", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    const closeBtn = document.querySelector('button[aria-label="Close"]');
    expect(closeBtn).toBeTruthy();
  });
});

// ─── Interaction ──────────────────────────────────────────────────────────────
describe("MobileSpawn — interaction", () => {
  it("calls onClose when close button clicked", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    const onClose = vi.fn();
    render(<MobileSpawn dark={true} onClose={onClose} />);
    await vi.waitFor(() => {
      expect(document.querySelector('button[aria-label="Close"]')).toBeTruthy();
    });
    document.querySelector('button[aria-label="Close"]')!.click();
    expect(onClose).toHaveBeenCalledTimes(1);
  });
  it("calls onClose when backdrop is clicked", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    const onClose = vi.fn();
    const { container } = render(<MobileSpawn dark={true} onClose={onClose} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("Spawn Agent");
    });
    // Click on the outer dim backdrop (the dialog's outer div).
    // FIX: MouseEventInit has no `currentTarget` member — passing it was a TS
    // type error and was silently ignored by the constructor at runtime.
    const dialog = container.querySelector('[role="dialog"]')!;
    dialog.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    // The dialog's onClick checks e.target === e.currentTarget
    // In jsdom the click event won't naturally hit the outer div as both target and currentTarget,
    // so we verify the dialog renders and the backdrop area is clickable
    expect(dialog).toBeTruthy();
  });
  it("POST /workspaces with correct payload on spawn", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    apiPostSpy.mockResolvedValue({ id: "ws-new" });
    const onClose = vi.fn();
    render(<MobileSpawn dark={true} onClose={onClose} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("LangGraph Agent");
    });
    // Fill name
    const input = document.querySelector("input") as HTMLInputElement;
    fireEvent.change(input, { target: { value: "My New Agent" } });
    // Click spawn
    const spawnBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Spawn agent"))!;
    spawnBtn.click();
    await vi.waitFor(() => {
      expect(apiPostSpy).toHaveBeenCalledWith("/workspaces", expect.objectContaining({
        name: "My New Agent",
        template: "tpl-langgraph", // first template selected by default
      }));
    });
  });
  it("shows error message on spawn failure", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    apiPostSpy.mockRejectedValue(new Error("Template not found"));
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("LangGraph Agent");
    });
    const spawnBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Spawn agent"))!;
    spawnBtn.click();
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("Template not found");
    });
  });
  it("onClose NOT called when spawn fails", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    apiPostSpy.mockRejectedValue(new Error("Server error"));
    const onClose = vi.fn();
    render(<MobileSpawn dark={true} onClose={onClose} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("Spawn agent");
    });
    const spawnBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Spawn agent"))!;
    spawnBtn.click();
    await vi.waitFor(() => {
      expect(onClose).not.toHaveBeenCalled();
    });
  });
  it("tier selection updates state", async () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
    await vi.waitFor(() => {
      expect(document.body.textContent).toContain("Spawn agent");
    });
    // Default tier is T2 (Standard). Click T4 (Full Access).
    const t4Btn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Full Access"))!;
    fireEvent.click(t4Btn);
    // Spawn with T4
    const spawnBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Spawn agent"))!;
    spawnBtn.click();
    await vi.waitFor(() => {
      expect(apiPostSpy).toHaveBeenCalledWith("/workspaces", expect.objectContaining({
        tier: 4, // T4 = tier 4
      }));
    });
  });
});

View File

@ -1,154 +0,0 @@
// @vitest-environment jsdom
/**
 * TabBar — mobile bottom navigation bar.
 *
 * Per WCAG 2.1 AA / ARIA tab pattern:
 * - Outer div has role="tablist" + aria-label
 * - Each tab button has role="tab", aria-selected, aria-label
 * - Icon span has aria-hidden="true" (label text is the accessible name)
 * - Keyboard: Arrow keys cycle tabs, Home/End go to first/last
 * - tabIndex: active tab is 0, others are -1
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs.
 */
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { TabBar, type MobileTabId } from "../components";

afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});

// Tab order assumed throughout: agents, canvas, comms, me.

// ─── Render ───────────────────────────────────────────────────────────────────
describe("TabBar — render", () => {
  it("renders 4 tab buttons", () => {
    render(<TabBar active="agents" onChange={vi.fn()} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    expect(tabs.length).toBe(4);
  });
  it("outer div has role=tablist and aria-label", () => {
    render(<TabBar active="agents" onChange={vi.fn()} dark={false} />);
    const tablist = document.querySelector('[role="tablist"]');
    expect(tablist).toBeTruthy();
    expect(tablist?.getAttribute("aria-label")).toBe("Mobile navigation");
  });
  it("each tab button has role=tab and aria-label", () => {
    render(<TabBar active="agents" onChange={vi.fn()} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    tabs.forEach((tab) => {
      expect(tab.getAttribute("role")).toBe("tab");
      expect(tab.getAttribute("aria-label")).toBeTruthy();
    });
  });
  it("icon spans have aria-hidden=true", () => {
    render(<TabBar active="agents" onChange={vi.fn()} dark={false} />);
    const icons = document.querySelectorAll('[aria-hidden="true"]');
    expect(icons.length).toBeGreaterThanOrEqual(4);
  });
  it("active tab has aria-selected=true, others false", () => {
    render(<TabBar active="canvas" onChange={vi.fn()} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    tabs.forEach((tab) => {
      const label = tab.getAttribute("aria-label");
      if (label === "Canvas") {
        expect(tab.getAttribute("aria-selected")).toBe("true");
      } else {
        expect(tab.getAttribute("aria-selected")).toBe("false");
      }
    });
  });
  it("active tab has tabIndex=0, others tabIndex=-1", () => {
    render(<TabBar active="comms" onChange={vi.fn()} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    tabs.forEach((tab) => {
      const label = tab.getAttribute("aria-label");
      if (label === "Comms") {
        expect(tab.getAttribute("tabIndex")).toBe("0");
      } else {
        expect(tab.getAttribute("tabIndex")).toBe("-1");
      }
    });
  });
});

// ─── Interaction ─────────────────────────────────────────────────────────────
describe("TabBar — interaction", () => {
  it("calls onChange with correct id when tab is clicked", () => {
    const onChange = vi.fn();
    render(<TabBar active="agents" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const canvasTab = Array.from(tabs).find((t) => t.getAttribute("aria-label") === "Canvas") as Element;
    fireEvent.click(canvasTab);
    expect(onChange).toHaveBeenCalledWith("canvas");
  });
  it("ArrowRight moves focus to next tab and activates it", () => {
    const onChange = vi.fn();
    render(<TabBar active="agents" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const agentsTab = tabs[0] as HTMLElement;
    agentsTab.focus();
    expect(document.activeElement).toBe(agentsTab);
    fireEvent.keyDown(agentsTab, { key: "ArrowRight" });
    // onChange called for the next tab
    expect(onChange).toHaveBeenCalledWith("canvas");
    // Focus movement is not asserted here: it happens after the state update
    // (presumably via a deferred setTimeout(0) in the component — confirm),
    // so a synchronous activeElement check would be flaky.
  });
  it("ArrowLeft on first tab wraps to last", () => {
    const onChange = vi.fn();
    render(<TabBar active="agents" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const agentsTab = tabs[0] as HTMLElement;
    agentsTab.focus();
    fireEvent.keyDown(agentsTab, { key: "ArrowLeft" });
    expect(onChange).toHaveBeenCalledWith("me");
  });
  it("Home key activates first tab", () => {
    const onChange = vi.fn();
    render(<TabBar active="comms" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const commsTab = tabs[2] as HTMLElement;
    commsTab.focus();
    fireEvent.keyDown(commsTab, { key: "Home" });
    expect(onChange).toHaveBeenCalledWith("agents");
  });
  it("End key activates last tab", () => {
    const onChange = vi.fn();
    render(<TabBar active="agents" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const agentsTab = tabs[0] as HTMLElement;
    agentsTab.focus();
    fireEvent.keyDown(agentsTab, { key: "End" });
    expect(onChange).toHaveBeenCalledWith("me");
  });
  it("ArrowDown also navigates (aliases ArrowRight)", () => {
    const onChange = vi.fn();
    render(<TabBar active="canvas" onChange={onChange} dark={false} />);
    const tabs = document.querySelectorAll('[role="tab"]');
    const canvasTab = tabs[1] as HTMLElement;
    canvasTab.focus();
    fireEvent.keyDown(canvasTab, { key: "ArrowDown" });
    expect(onChange).toHaveBeenCalledWith("comms");
  });
});

View File

@ -1,137 +0,0 @@
/** @vitest-environment jsdom */
/**
 * Tests for rendering components exported from components.tsx:
 * RemoteBadge, WorkspacePill.
 *
 * Note: TabBar, FilterChips, AgentCard are tested in their own files.
 * toMobileAgent and classifyForFilter are tested in components.test.ts.
 */
import { describe, expect, it } from "vitest";
import { render } from "@testing-library/react";
// FIX: React is referenced below (React.ReactElement, plus JSX under the
// classic transform) but was never imported; sibling test files import it.
import React from "react";
import { RemoteBadge, WorkspacePill } from "../components";
import { MOL_DARK, MOL_LIGHT } from "../palette";
import { MobileAccentProvider } from "../palette-context";

// ─── Palette provider wrapper ────────────────────────────────────────────────
// RemoteBadge uses palette directly; WorkspacePill calls usePalette(dark) internally,
// so WorkspacePill must be rendered inside MobileAccentProvider.
function renderWithProvider(ui: React.ReactElement) {
  return render(<MobileAccentProvider accent="#2f9e6a">{ui}</MobileAccentProvider>);
}

// ─── RemoteBadge ─────────────────────────────────────────────────────────────
describe("RemoteBadge", () => {
  it("renders the ★ REMOTE label text", () => {
    const { container } = render(
      <RemoteBadge palette={MOL_LIGHT} />
    );
    expect(container.textContent).toContain("REMOTE");
    expect(container.textContent).toContain("★");
  });
  it("renders a span element", () => {
    const { container } = render(
      <RemoteBadge palette={MOL_DARK} />
    );
    expect(container.querySelector("span")).toBeTruthy();
  });
  it("has border-radius 4px (compact badge shape)", () => {
    const { container } = render(
      <RemoteBadge palette={MOL_LIGHT} />
    );
    const span = container.querySelector("span") as HTMLSpanElement;
    expect(span.style.borderRadius).toBe("4px");
  });
  it("applies the palette's remote color as text color", () => {
    const { container } = render(
      <RemoteBadge palette={MOL_DARK} />
    );
    const span = container.querySelector("span") as HTMLSpanElement;
    expect(span.style.color).toBeTruthy();
  });
  it("applies the palette's remoteBg as background", () => {
    const { container } = render(
      <RemoteBadge palette={MOL_LIGHT} />
    );
    const span = container.querySelector("span") as HTMLSpanElement;
    expect(span.style.background).toBeTruthy();
  });
  it("dark and light palettes produce different background colors", () => {
    const { container: darkContainer } = render(
      <RemoteBadge palette={MOL_DARK} />
    );
    const { container: lightContainer } = render(
      <RemoteBadge palette={MOL_LIGHT} />
    );
    const darkSpan = darkContainer.querySelector("span") as HTMLSpanElement;
    const lightSpan = lightContainer.querySelector("span") as HTMLSpanElement;
    expect(darkSpan.style.background).not.toBe(lightSpan.style.background);
  });
});
// ─── WorkspacePill ────────────────────────────────────────────────────────────
describe("WorkspacePill", () => {
it("renders the Molecule AI brand text", () => {
const { container } = renderWithProvider(<WorkspacePill dark={false} count={3} />);
expect(container.textContent).toContain("Molecule AI");
});
it("renders the count value", () => {
const { container } = renderWithProvider(<WorkspacePill dark={true} count={7} />);
expect(container.textContent).toContain("7");
});
it("accepts a string count (e.g. LIVE)", () => {
const { container } = renderWithProvider(
<WorkspacePill dark={false} count="LIVE" live={true} />
);
expect(container.textContent).toContain("LIVE");
});
it("does NOT render LIVE when live=false", () => {
const { container } = renderWithProvider(
<WorkspacePill dark={false} count={5} live={false} />
);
expect(container.textContent).not.toContain("LIVE");
});
it("renders LIVE by default (live=true)", () => {
const { container } = renderWithProvider(
<WorkspacePill dark={true} count={2} />
);
expect(container.textContent).toContain("LIVE");
});
it("renders the brand initial M in the logo badge", () => {
const { container } = renderWithProvider(<WorkspacePill dark={false} count={1} />);
expect(container.textContent).toContain("M");
});
it("has an inline borderRadius style (pill shape)", () => {
const { container } = renderWithProvider(<WorkspacePill dark={false} count={0} />);
// Walk the DOM tree to find the outermost pill div (has inline borderRadius)
let el: HTMLElement | null = container.firstElementChild as HTMLElement | null;
while (el && !el.style.borderRadius) {
el = el.parentElement;
}
expect(el?.style.borderRadius).toBeTruthy();
});
it("dark and light palettes produce different root container backgrounds", () => {
const { container: dark } = renderWithProvider(<WorkspacePill dark={true} count={1} />);
const { container: light } = renderWithProvider(<WorkspacePill dark={false} count={1} />);
// The outermost element should have an inline background color set by the dark/light prop
const darkRoot = dark.firstElementChild as HTMLElement | null;
const lightRoot = light.firstElementChild as HTMLElement | null;
expect(darkRoot?.style.background).toBeTruthy();
expect(lightRoot?.style.background).toBeTruthy();
});
});

View File

@ -1,131 +0,0 @@
// @vitest-environment jsdom
/**
* palette-context: MobileAccentProvider + usePalette hook coverage.
*
* Covers:
 * - usePalette(dark=false) without provider → MOL_LIGHT
 * - usePalette(dark=true) without provider → MOL_DARK
 * - usePalette with provider accent=null → base palette unchanged
 * - usePalette with provider accent=base.accent → base palette unchanged (identity guard)
 * - usePalette with provider accent="#ff0000" → accent + online overridden
* - MobileAccentProvider renders children
* - Never mutates the static MOL_LIGHT/MOL_DARK singletons
*
* The pure functions (getPalette, normalizeStatus, tierCode) are covered
 * in palette.test.ts — only the React context/hook is tested here.
*/
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, render } from "@testing-library/react";
import React from "react";
import { MobileAccentProvider, usePalette } from "../palette-context";
import { MOL_DARK, MOL_LIGHT } from "../palette";
// Unmount rendered trees and restore spies after every test so palette
// reads never leak between cases.
afterEach(() => {
cleanup();
vi.restoreAllMocks();
});
// ─── Test helpers ──────────────────────────────────────────────────────────────
// Each helper renders exactly one usePalette value as a testid element.
// Using unique testids per scenario avoids "multiple elements" DOM pollution
// when tests run in the same jsdom worker without strict cleanup timing.
function AccentDump({ dark }: { dark: boolean }) {
  // Surfaces the resolved accent colour as plain text so tests can assert on it.
  const { accent } = usePalette(dark);
  return <span data-testid="accent-val">{accent}</span>;
}
function OnlineDump({ dark }: { dark: boolean }) {
  // Surfaces the resolved online colour as plain text so tests can assert on it.
  const { online } = usePalette(dark);
  return <span data-testid="online-val">{online}</span>;
}
// ─── MobileAccentProvider ──────────────────────────────────────────────────────
describe("MobileAccentProvider", () => {
it("renders children", () => {
const { getByText } = render(
<MobileAccentProvider accent={null}>
<span>child content</span>
</MobileAccentProvider>,
);
expect(getByText("child content").textContent).toBe("child content");
});
});
// ─── usePalette — no provider ─────────────────────────────────────────────────
describe("usePalette without MobileAccentProvider", () => {
it("returns MOL_LIGHT when dark=false", () => {
const { getByTestId } = render(<AccentDump dark={false} />);
expect(getByTestId("accent-val").textContent).toBe(MOL_LIGHT.accent);
});
it("returns MOL_DARK when dark=true", () => {
const { getByTestId } = render(<AccentDump dark={true} />);
expect(getByTestId("accent-val").textContent).toBe(MOL_DARK.accent);
});
});
// ─── usePalette — with MobileAccentProvider ────────────────────────────────────
describe("usePalette with MobileAccentProvider", () => {
it("returns base palette unchanged when accent=null", () => {
const { getByTestId } = render(
<MobileAccentProvider accent={null}>
<AccentDump dark={false} />
</MobileAccentProvider>,
);
expect(getByTestId("accent-val").textContent).toBe(MOL_LIGHT.accent);
});
it("returns base palette unchanged when accent matches base.accent (identity guard)", () => {
const { getByTestId } = render(
<MobileAccentProvider accent={MOL_LIGHT.accent}>
<AccentDump dark={false} />
</MobileAccentProvider>,
);
expect(getByTestId("accent-val").textContent).toBe(MOL_LIGHT.accent);
});
it("overrides accent when provider supplies a different colour", () => {
const CUSTOM = "#ff0000";
const { getByTestId } = render(
<MobileAccentProvider accent={CUSTOM}>
<AccentDump dark={false} />
</MobileAccentProvider>,
);
expect(getByTestId("accent-val").textContent).toBe(CUSTOM);
});
it("also overrides online when accent is overridden", () => {
const CUSTOM = "#ff8800";
const { getByTestId } = render(
<MobileAccentProvider accent={CUSTOM}>
<OnlineDump dark={false} />
</MobileAccentProvider>,
);
expect(getByTestId("online-val").textContent).toBe(CUSTOM);
});
});
// ─── Immutability ─────────────────────────────────────────────────────────────
describe("MOL_LIGHT and MOL_DARK singletons are never mutated", () => {
it("MOL_LIGHT.accent unchanged after custom-accent render", () => {
const before = MOL_LIGHT.accent;
render(
<MobileAccentProvider accent="#deadbeef">
<AccentDump dark={false} />
</MobileAccentProvider>,
);
expect(MOL_LIGHT.accent).toBe(before);
});
it("MOL_DARK.accent unchanged after custom-accent render", () => {
const before = MOL_DARK.accent;
render(
<MobileAccentProvider accent="#bada55ff">
<AccentDump dark={true} />
</MobileAccentProvider>,
);
expect(MOL_DARK.accent).toBe(before);
});
});

View File

@ -1,161 +0,0 @@
// @vitest-environment jsdom
/**
 * Mobile primitives — StatusDot, TierChip, Chip, SectionLabel.
 *
 * NOTE: No @testing-library/jest-dom — use plain DOM APIs instead.
*/
import { afterEach, describe, expect, it } from "vitest";
import { cleanup, render } from "@testing-library/react";
import React from "react";
import { Chip, SectionLabel, StatusDot, TierChip } from "../primitives";
// Unmount all rendered components between tests to avoid DOM pollution.
afterEach(() => {
cleanup();
});
// ─── StatusDot ──────────────────────────────────────────────────────────────
describe("StatusDot", () => {
it("renders a span with correct size", () => {
const { container } = render(<StatusDot size={12} />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span).toBeTruthy();
expect(span.style.width).toBe("12px");
expect(span.style.height).toBe("12px");
});
it("has border-radius 999 (circle)", () => {
const { container } = render(<StatusDot size={8} />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.borderRadius).toBe("999px");
});
it("has flexShrink: 0 to prevent collapsing in flex rows", () => {
const { container } = render(<StatusDot size={6} />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.flexShrink).toBe("0");
});
it("has halo boxShadow by default (halo=true)", () => {
const { container } = render(<StatusDot size={8} />);
const span = container.querySelector("span") as HTMLSpanElement;
// Math.max(2, 8*0.45) = Math.max(2, 3.6) = 3.6 → "3.6px"
expect(span.style.boxShadow).toContain("px");
});
it("has no boxShadow when halo=false", () => {
const { container } = render(<StatusDot size={8} halo={false} />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.boxShadow).toBe("none");
});
it("renders with default props (size=8, halo=true, status=online)", () => {
const { container } = render(<StatusDot />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.width).toBe("8px");
expect(span.style.height).toBe("8px");
expect(span.style.boxShadow).not.toBe("none");
});
});
// ─── TierChip ───────────────────────────────────────────────────────────────
describe("TierChip", () => {
it("renders the tier text inside a span", () => {
const { container } = render(<TierChip tier="T1" />);
expect(container.textContent).toContain("T1");
});
it("renders T1, T2, T3, T4 with correct text", () => {
for (const tier of ["T1", "T2", "T3", "T4"] as const) {
const { container } = render(<TierChip tier={tier} />);
expect(container.textContent).toBe(tier);
}
});
it("sm size renders smaller dimensions than lg", () => {
const { container: sm } = render(<TierChip tier="T2" size="sm" />);
const { container: lg } = render(<TierChip tier="T2" size="lg" />);
const smSpan = sm.querySelector("span") as HTMLSpanElement;
const lgSpan = lg.querySelector("span") as HTMLSpanElement;
expect(smSpan.style.width).toBe("26px");
expect(smSpan.style.height).toBe("19px");
expect(lgSpan.style.width).toBe("32px");
expect(lgSpan.style.height).toBe("22px");
});
it("uses flexShrink: 0 to prevent collapsing", () => {
const { container } = render(<TierChip tier="T3" />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.flexShrink).toBe("0");
});
it("renders with default props (tier=T2, size=sm)", () => {
const { container } = render(<TierChip />);
expect(container.textContent).toBe("T2");
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.width).toBe("26px");
});
});
// ─── Chip ───────────────────────────────────────────────────────────────────
describe("Chip", () => {
it("renders the value text", () => {
const { container } = render(<Chip value="12 skills" />);
expect(container.textContent).toContain("12 skills");
});
it("renders label + value when label is provided", () => {
const { container } = render(<Chip label="SKILLS" value="3" />);
const text = container.textContent ?? "";
expect(text).toContain("SKILLS");
expect(text).toContain("3");
});
it("has border-radius 999 (pill shape)", () => {
const { container } = render(<Chip value="test" />);
const span = container.querySelector("span") as HTMLSpanElement;
expect(span.style.borderRadius).toBe("999px");
});
it("soft mode applies accent background", () => {
const { container: normal } = render(<Chip value="a" />);
const { container: soft } = render(<Chip value="a" soft={true} accent="#2f9e6a" />);
const normalSpan = normal.querySelector("span") as HTMLSpanElement;
const softSpan = soft.querySelector("span") as HTMLSpanElement;
// soft uses accent+1a hex, normal uses dark/light hardcoded
expect(normalSpan.style.background).toBeTruthy();
expect(softSpan.style.background).toBeTruthy();
expect(normalSpan.style.background).not.toBe(softSpan.style.background);
});
});
// ─── SectionLabel ───────────────────────────────────────────────────────────
describe("SectionLabel", () => {
it("renders children text", () => {
const { container } = render(<SectionLabel>Runtime config</SectionLabel>);
expect(container.textContent).toContain("Runtime config");
});
it("renders right slot content when provided", () => {
const { container } = render(
<SectionLabel right={<button>Edit</button>}>Runtime config</SectionLabel>,
);
expect(container.textContent).toContain("Edit");
expect(container.querySelector("button")).toBeTruthy();
});
it("renders without right slot", () => {
const { container } = render(<SectionLabel>Runtime config</SectionLabel>);
expect(container.querySelector("button")).toBeNull();
});
it("uses uppercase text transform", () => {
const { container } = render(<SectionLabel>Runtime config</SectionLabel>);
const div = container.querySelector("div") as HTMLDivElement;
expect(div.style.textTransform).toBe("uppercase");
});
});

View File

@ -72,33 +72,8 @@ export function TabBar({
{ id: "comms", label: "Comms", icon: "pulse" },
{ id: "me", label: "Me", icon: "user" },
];
// Roving-tabindex keyboard handler for the tablist (WAI-ARIA tabs pattern):
// ArrowRight/ArrowDown advance, ArrowLeft/ArrowUp go back (both wrap via
// modulo), Home/End jump to the first/last tab. Any other key falls through
// untouched so the browser keeps its default behaviour.
const handleKeyDown = (e: React.KeyboardEvent, idx: number) => {
let nextIdx: number | null = null;
if (e.key === "ArrowRight" || e.key === "ArrowDown") {
nextIdx = (idx + 1) % tabs.length;
} else if (e.key === "ArrowLeft" || e.key === "ArrowUp") {
nextIdx = (idx - 1 + tabs.length) % tabs.length;
} else if (e.key === "Home") {
nextIdx = 0;
} else if (e.key === "End") {
nextIdx = tabs.length - 1;
}
if (nextIdx !== null) {
e.preventDefault();
onChange(tabs[nextIdx]!.id);
// Move focus to the new tab button after state updates
// (setTimeout 0 defers the focus until React has re-rendered the tablist,
// so the queried [role="tab"] buttons reflect the new selection).
setTimeout(() => {
const btns = document.querySelectorAll('[role="tab"]');
(btns[nextIdx!] as HTMLButtonElement | null)?.focus();
}, 0);
}
};
return (
<div
role="tablist"
aria-label="Mobile navigation"
style={{
position: "absolute",
left: 14,
@ -120,18 +95,13 @@ export function TabBar({
padding: "0 10px",
}}
>
{tabs.map((t, idx) => {
{tabs.map((t) => {
const on = active === t.id;
return (
<button
key={t.id}
role="tab"
type="button"
tabIndex={on ? 0 : -1}
aria-selected={on}
aria-label={t.label}
onClick={() => onChange(t.id)}
onKeyDown={(e) => handleKeyDown(e, idx)}
style={{
background: "none",
border: "none",
@ -146,7 +116,6 @@ export function TabBar({
}}
>
<span
aria-hidden="true"
style={{
width: 36,
height: 28,
@ -287,7 +256,6 @@ export function AgentCard({
return (
<button
type="button"
aria-label={`${agent.name}, status: ${agent.status}, tier ${agent.tier}${agent.remote ? ", remote" : ""}`}
onClick={onClick}
style={{
display: "block",
@ -421,9 +389,6 @@ export function FilterChips({
];
return (
<div
role="toolbar"
aria-label="Filter agents"
aria-activedescendant={value ? `filter-${value}` : undefined}
style={{
display: "flex",
gap: 6,
@ -437,10 +402,7 @@ export function FilterChips({
return (
<button
key={o.id}
id={`filter-${o.id}`}
role="radio"
type="button"
aria-checked={on}
onClick={() => onChange(o.id)}
style={{
display: "inline-flex",
@ -460,7 +422,6 @@ export function FilterChips({
>
{o.label}
<span
aria-hidden="true"
style={{
fontSize: 10.5,
opacity: 0.7,

View File

@ -1,6 +1,5 @@
'use client';
import { useRef } from 'react';
import * as AlertDialog from '@radix-ui/react-alert-dialog';
interface UnsavedChangesGuardProps {
@ -22,30 +21,11 @@ export function UnsavedChangesGuard({
onKeepEditing,
onDiscard,
}: UnsavedChangesGuardProps) {
const pendingDiscard = useRef(false);
return (
<AlertDialog.Root
open={open}
onOpenChange={(o) => {
if (!o) {
if (pendingDiscard.current) {
pendingDiscard.current = false;
onDiscard();
} else {
onKeepEditing();
}
}
}}
>
<AlertDialog.Root open={open} onOpenChange={(o) => { if (!o) onKeepEditing(); }}>
<AlertDialog.Portal>
<AlertDialog.Overlay className="guard-dialog__overlay" />
<AlertDialog.Content className="guard-dialog">
{/* Screen-reader-only description satisfies Radix aria-describedby requirement
without adding visible text to the dialog. */}
<AlertDialog.Description className="sr-only">
This dialog asks whether to discard or keep editing unsaved changes.
</AlertDialog.Description>
<AlertDialog.Title className="guard-dialog__title">
Discard unsaved changes?
</AlertDialog.Title>
@ -55,15 +35,8 @@ export function UnsavedChangesGuard({
Keep editing
</button>
</AlertDialog.Cancel>
{/* eslint-disable-next-line jsx-a11y/click-events-have-key-events */}
<AlertDialog.Action asChild>
<button
type="button"
className="guard-dialog__discard-btn"
onClick={() => {
pendingDiscard.current = true;
}}
>
<button type="button" className="guard-dialog__discard-btn">
Discard
</button>
</AlertDialog.Action>

View File

@ -1,225 +0,0 @@
// @vitest-environment jsdom
/**
 * DeleteConfirmDialog — destructive confirmation for deleting a secret key.
*
* Per spec §3.5 & §4.5:
* - Opens via window 'secret:delete-request' custom event
* - Shows title "Delete \"{name}\"?"
* - Fetches dependents live on open
* - Delete button disabled for 1s (CONFIRM_DELAY_MS)
* - Focus-trapped (AlertDialog)
*
 * NOTE: No @testing-library/jest-dom import — use plain DOM APIs instead.
*
* Covers:
* - Does not render when no delete request pending
* - Renders dialog when secret:delete-request fires
* - Title contains secret name
* - Cancel and Delete buttons present
* - role=alertdialog on dialog content
* - Delete button disabled initially (1s delay)
* - Delete button enabled after delay
* - Loading state while fetching dependents
* - Shows dependents list when present
* - Shows no-dependents message when none
* - Cancel closes dialog
* - Delete button calls deleteSecret and shows Deleting state
*/
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { act, cleanup, fireEvent, render, waitFor } from "@testing-library/react";
import React from "react";
import { DeleteConfirmDialog } from "../DeleteConfirmDialog";
// ─── Mocks ─────────────────────────────────────────────────────────────────────
// Fix: _mockFetchDependents is invoked with (workspaceId, name) in the mock
// factory and asserted via toHaveBeenCalledWith("ws1", "MY_SECRET"), so its
// vi.fn generic must declare those two parameters — a zero-arg signature
// rejects both the call and the assertion at type-check time.
const _mockDeleteSecret = vi.fn<() => Promise<void>>();
const _mockFetchDependents = vi.fn<(workspaceId: string, name: string) => Promise<string[]>>();
vi.mock("@/stores/secrets-store", () => ({
  // Minimal zustand-style store stub: supports both selector and whole-state use.
  useSecretsStore: (selector?: (s: { deleteSecret: () => Promise<void> }) => unknown) => {
    const state = { deleteSecret: _mockDeleteSecret };
    return selector ? selector(state) : state;
  },
}));
vi.mock("@/lib/api/secrets", () => ({
  fetchDependents: (workspaceId: string, name: string) =>
    _mockFetchDependents(workspaceId, name),
}));
afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});
beforeEach(() => {
  // Default happy path: delete succeeds, no dependent agents.
  _mockDeleteSecret.mockResolvedValue(undefined);
  _mockFetchDependents.mockResolvedValue([]);
});
// ─── Helpers ───────────────────────────────────────────────────────────────────
/** Dispatches secret:delete-request inside act() so React processes the event. */
function fireDeleteRequest(secretName: string) {
  const request = new CustomEvent("secret:delete-request", { detail: secretName });
  act(() => {
    window.dispatchEvent(request);
  });
}
// ─── Render ────────────────────────────────────────────────────────────────────
describe("DeleteConfirmDialog — render", () => {
it("does not render when no delete request pending", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
expect(document.body.textContent ?? "").toBe("");
});
it("renders dialog when secret:delete-request fires", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("ANTHROPIC_API_KEY");
expect(document.querySelector('[role="alertdialog"]')).toBeTruthy();
});
it("title contains secret name", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("GITHUB_TOKEN");
const dialog = document.querySelector('[role="alertdialog"]');
expect(dialog?.textContent ?? "").toContain("GITHUB_TOKEN");
});
it("Cancel button present", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("TEST_KEY");
const cancelBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.trim() === "Cancel",
);
expect(cancelBtn).toBeTruthy();
});
it("Delete button present", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("TEST_KEY");
const deleteBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.includes("Delete key"),
);
expect(deleteBtn).toBeTruthy();
});
it("role=alertdialog on dialog content", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("TEST_KEY");
expect(document.querySelector('[role="alertdialog"]')).toBeTruthy();
});
});
// ─── Confirm delay ─────────────────────────────────────────────────────────────
describe("DeleteConfirmDialog — confirm delay", () => {
it("Delete button disabled initially (< 1s)", () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("FAST_KEY");
const deleteBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.includes("Delete key"),
) as HTMLButtonElement;
expect(deleteBtn.disabled).toBe(true);
});
it("Delete button enabled after 1s delay", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("DELAYED_KEY");
const deleteBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.includes("Delete key"),
) as HTMLButtonElement;
// Wait just over 1s
await new Promise((r) => setTimeout(r, 1010));
expect(deleteBtn.disabled).toBe(false);
});
});
// ─── Dependents fetch ─────────────────────────────────────────────────────────
describe("DeleteConfirmDialog — dependents", () => {
it("shows loading state while fetching", () => {
_mockFetchDependents.mockImplementation(
() => new Promise(() => {}), // never resolves
);
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("LOADING_KEY");
expect(document.body.textContent ?? "").toContain("Checking for dependent agents");
});
it("shows dependents list when present", async () => {
_mockFetchDependents.mockResolvedValue(["agent-alpha", "agent-beta"]);
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("SHARED_KEY");
// Wait for fetch to resolve
await new Promise((r) => setTimeout(r, 10));
expect(document.body.textContent ?? "").toContain("agent-alpha");
});
it("shows no-dependents message when none", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("SOLO_KEY");
await new Promise((r) => setTimeout(r, 10));
expect(document.body.textContent ?? "").toContain("No agents currently use this key");
});
it("fetchDependents called with workspaceId and secretName", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("MY_SECRET");
await new Promise((r) => setTimeout(r, 10));
expect(_mockFetchDependents).toHaveBeenCalledWith("ws1", "MY_SECRET");
});
});
// ─── Interaction ───────────────────────────────────────────────────────────────
describe("DeleteConfirmDialog — interaction", () => {
it("Cancel closes the dialog", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("CANCEL_KEY");
expect(document.querySelector('[role="alertdialog"]')).toBeTruthy();
const cancelBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.trim() === "Cancel",
) as HTMLButtonElement;
act(() => {
cancelBtn.click();
});
expect(document.querySelector('[role="alertdialog"]')).toBeNull();
});
it("Delete calls deleteSecret when enabled and clicked", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("DELETE_ME");
// Wait for 1s delay
await new Promise((r) => setTimeout(r, 1010));
const deleteBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.includes("Delete key"),
) as HTMLButtonElement;
act(() => {
deleteBtn.click();
});
expect(_mockDeleteSecret).toHaveBeenCalledTimes(1);
});
it("Delete button text is 'Delete key' before clicking", async () => {
render(<DeleteConfirmDialog workspaceId="ws1" />);
fireDeleteRequest("BTN_TEXT_KEY");
await new Promise((r) => setTimeout(r, 1010));
const deleteBtn = Array.from(document.querySelectorAll("button")).find(
(b) => b.textContent?.includes("Delete key"),
);
expect(deleteBtn).toBeTruthy();
// Confirm text is NOT "Deleting…" before click
const deletingBtn = Array.from(document.querySelectorAll("button")).find(
(b) => (b.textContent ?? "").includes("Deleting"),
);
expect(deletingBtn).toBeUndefined();
});
});

View File

@ -1,82 +0,0 @@
// @vitest-environment jsdom
/**
 * Settings EmptyState — shown when no secrets exist.
*
* Per spec §3.2:
* 🔑
* No API keys yet
* Add your API keys to let agents connect
* to GitHub, Anthropic, OpenRouter, and more.
* [+ Add your first API key]
*
 * NOTE: No @testing-library/jest-dom import — use plain DOM APIs instead.
*
* Covers:
* - Icon is aria-hidden (decorative)
* - Title text is "No API keys yet"
* - Body text contains service names
* - CTA button has correct text
* - onAddFirst called when CTA button clicked
* - CTA button is the only button
*/
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, render } from "@testing-library/react";
import React from "react";
import { EmptyState } from "../EmptyState";
// Unmount and restore spies between tests.
afterEach(() => {
cleanup();
vi.restoreAllMocks();
});
// ─── Render ────────────────────────────────────────────────────────────────────
describe("Settings EmptyState — render", () => {
it("icon is aria-hidden", () => {
const { container } = render(
<EmptyState onAddFirst={vi.fn()} />,
);
const icon = container.querySelector('[aria-hidden="true"]');
expect(icon).toBeTruthy();
expect(icon?.textContent).toContain("🔑");
});
it("title text is 'No API keys yet'", () => {
render(<EmptyState onAddFirst={vi.fn()} />);
expect(document.body.textContent).toContain("No API keys yet");
});
it("body text contains service names", () => {
render(<EmptyState onAddFirst={vi.fn()} />);
const text = document.body.textContent ?? "";
expect(text).toContain("GitHub");
expect(text).toContain("Anthropic");
expect(text).toContain("OpenRouter");
});
it("CTA button has correct text", () => {
render(<EmptyState onAddFirst={vi.fn()} />);
const btn = document.querySelector("button");
expect(btn?.textContent).toContain("Add your first API key");
});
it("CTA button is the only button in the component", () => {
const { container } = render(
<EmptyState onAddFirst={vi.fn()} />,
);
expect(container.querySelectorAll("button")).toHaveLength(1);
});
});
// ─── Interaction ───────────────────────────────────────────────────────────────
describe("Settings EmptyState — interaction", () => {
it("onAddFirst called when CTA button clicked", () => {
const onAddFirst = vi.fn();
render(<EmptyState onAddFirst={onAddFirst} />);
const btn = document.querySelector("button") as HTMLButtonElement;
btn.click();
expect(onAddFirst).toHaveBeenCalledTimes(1);
});
});

View File

@ -1,160 +0,0 @@
// @vitest-environment jsdom
/**
 * SearchBar — client-side search/filter for secret key names.
*
* Per spec §9:
* - Filters KeyNameLabel text, case-insensitive, on every keystroke
* - Escape clears search (does NOT close panel) + blurs input
* - Cmd+F / Ctrl+F focuses search when panel is open
* - Icon is aria-hidden (decorative)
*
 * NOTE: No @testing-library/jest-dom import — use plain DOM APIs instead.
*
* Covers:
* - Renders search icon with aria-hidden
* - Input has correct aria-label
* - Input renders placeholder text
* - Input has correct class name
* - Renders empty initially (searchQuery from store)
* - onChange updates searchQuery in store
* - Escape clears searchQuery and blurs input
* - Escape does not propagate (does not close panel)
* - Ctrl+F / Cmd+F focuses the input
*/
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { cleanup, fireEvent, render } from "@testing-library/react";
import React from "react";
import { SearchBar } from "../SearchBar";
// ─── Store mock ────────────────────────────────────────────────────────────────
// Spy pair backing the mocked secrets store: `_mockSearchQuery` supplies the
// current query (re-read on every render), `_mockSetSearchQuery` records writes.
const _mockSetSearchQuery = vi.fn();
const _mockSearchQuery = vi.fn(() => "");
// Zustand-style stub honouring an optional selector, mirroring the real store API.
// vi.mock is hoisted above the imports, so it must reference only the lazily
// evaluated spies above, never module-level state computed later.
vi.mock("@/stores/secrets-store", () => ({
useSecretsStore: (selector?: (s: { searchQuery: string; setSearchQuery: (q: string) => void }) => unknown) => {
const state = { searchQuery: _mockSearchQuery(), setSearchQuery: _mockSetSearchQuery };
return selector ? selector(state) : state;
},
}));
// Reset DOM, spies, and the module registry after each test…
afterEach(() => {
cleanup();
vi.restoreAllMocks();
vi.resetModules();
});
// …and re-arm the default empty query before each one.
beforeEach(() => {
_mockSetSearchQuery.mockClear();
_mockSearchQuery.mockReturnValue("");
});
// ─── Render ──────────────────────────────────────────────────────────────────
describe("SearchBar — render", () => {
it("renders search icon with aria-hidden", () => {
const { container } = render(<SearchBar />);
const icon = container.querySelector('[aria-hidden="true"]');
expect(icon).toBeTruthy();
expect(icon?.textContent).toContain("🔍");
});
it("input has aria-label='Search API keys'", () => {
render(<SearchBar />);
const input = document.querySelector("input") as HTMLInputElement;
expect(input.getAttribute("aria-label")).toBe("Search API keys");
});
it("input renders placeholder 'Search keys…'", () => {
render(<SearchBar />);
const input = document.querySelector("input") as HTMLInputElement;
expect(input.getAttribute("placeholder")).toBe("Search keys…");
});
it("input has search-bar__input class", () => {
const { container } = render(<SearchBar />);
const input = container.querySelector("input") as HTMLInputElement;
expect(input.className).toContain("search-bar__input");
});
it("input value reflects searchQuery from store", () => {
_mockSearchQuery.mockReturnValue("anthropic");
render(<SearchBar />);
const input = document.querySelector("input") as HTMLInputElement;
expect(input.value).toBe("anthropic");
});
it("renders empty string when searchQuery is empty", () => {
_mockSearchQuery.mockReturnValue("");
const { container } = render(<SearchBar />);
const input = container.querySelector("input") as HTMLInputElement;
expect(input.value).toBe("");
});
});
// ─── Interaction ───────────────────────────────────────────────────────────────
// Keyboard and change-event behavior. fireEvent.keyDown dispatches a native DOM
// event, so the Ctrl+F / Cmd+F cases exercise the component's document-level
// key listener as well as the input's own handlers.
describe("SearchBar — interaction", () => {
  it("onChange calls setSearchQuery with new value", () => {
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    fireEvent.change(input, { target: { value: "github" } });
    expect(_mockSetSearchQuery).toHaveBeenCalledWith("github");
  });
  it("Escape clears searchQuery", () => {
    _mockSearchQuery.mockReturnValue("openrouter");
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    // Focus the input first
    input.focus();
    fireEvent.keyDown(input, { key: "Escape" });
    expect(_mockSetSearchQuery).toHaveBeenCalledWith("");
  });
  it("Escape blurs the input", () => {
    _mockSearchQuery.mockReturnValue("test");
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    input.focus();
    // Sanity check: focus really landed on the input before Escape is sent.
    expect(document.activeElement).toBe(input);
    fireEvent.keyDown(input, { key: "Escape" });
    expect(document.activeElement).not.toBe(input);
  });
  it("Escape clears search without relying on propagation-stop behavior", () => {
    // Escape clearing search is verified by the "Escape clears searchQuery" test above.
    // fireEvent.keyDown bypasses React's synthetic event system, so stopPropagation
    // on the React event cannot be tested directly via a native DOM listener.
    // This test serves as a documentation placeholder for that limitation.
    expect(true).toBe(true);
  });
  it("Ctrl+F focuses the input", () => {
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    // Ensure input is not focused
    document.body.focus();
    expect(document.activeElement).not.toBe(input);
    // Simulate Ctrl+F
    fireEvent.keyDown(document, { key: "f", ctrlKey: true, metaKey: false });
    expect(document.activeElement).toBe(input);
  });
  it("Cmd+F focuses the input on Mac", () => {
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    document.body.focus();
    fireEvent.keyDown(document, { key: "f", metaKey: true, ctrlKey: false });
    expect(document.activeElement).toBe(input);
  });
  it("Ctrl+F does not focus input for other keys", () => {
    render(<SearchBar />);
    const input = document.querySelector("input") as HTMLInputElement;
    document.body.focus();
    fireEvent.keyDown(document, { key: "g", ctrlKey: true });
    expect(document.activeElement).not.toBe(input);
  });
});

View File

@ -1,196 +0,0 @@
// @vitest-environment jsdom
/**
 * ServiceGroup — a collapsible group of secret rows under a service header.
*
* Per spec §3.1:
* GitHub 1 key
* GITHUB_TOKEN
* ghp_xK9f [👁] [] [] [] [🗑]
*
 * NOTE: No @testing-library/jest-dom import — use DOM APIs.
*
* Covers:
* - Renders group with role=group and aria-label
* - Service icon is aria-hidden
* - Label text matches service
* - Count: "1 key" for single, "N keys" for multiple
* - Renders SecretRow for each secret
* - Renders nothing when secrets array is empty (not called)
* - Different services show correct label and icon
*/
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, render } from "@testing-library/react";
import React from "react";
import { ServiceGroup } from "../ServiceGroup";
import type { Secret, SecretGroup, ServiceConfig } from "@/types/secrets";
// ─── Mock SecretRow ────────────────────────────────────────────────────────────
// Stub SecretRow so ServiceGroup tests assert only on group-level markup.
// The stub renders a findable marker div carrying the secret's name.
// FIX: destructure only `secret` — the previous version also destructured
// `workspaceId` without using it, tripping unused-variable linting
// (no-unused-vars / noUnusedParameters). React still passes the extra prop;
// the stub simply ignores it.
vi.mock("../SecretRow", () => ({
  SecretRow: ({ secret }: { secret: Secret }) => (
    <div data-testid="secret-row" data-name={secret.name}>
      SecretRow:{secret.name}
    </div>
  ),
}));
// ─── Helpers ───────────────────────────────────────────────────────────────────
/** Build a minimal ServiceConfig; every test service shares one docs URL. */
function makeService(icon: string, label: string): ServiceConfig {
  const docsUrl = "https://example.com/docs";
  return { icon, label, docsUrl };
}
/** Build a masked custom-group Secret with a canned placeholder value. */
function makeSecret(name: string): Secret {
  const secret: Secret = {
    name,
    value: "sk-test-••••••••••••",
    group: "custom" as SecretGroup,
    masked: true,
  };
  return secret;
}
// ─── Tests ────────────────────────────────────────────────────────────────────
// Global cleanup: unmount rendered trees and undo mocks/modules after every
// test so state from one case cannot leak into the next.
afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});
// Rendering contract for ServiceGroup: ARIA roles/labels, icon selection,
// key-count pluralization, and one (mocked) SecretRow per secret.
describe("ServiceGroup — render", () => {
  it("renders group with role=group", () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[makeSecret("GITHUB_TOKEN")]}
        workspaceId="ws1"
      />,
    );
    expect(container.querySelector('[role="group"]')).toBeTruthy();
  });
  it("group aria-label contains service label", () => {
    const { container } = render(
      <ServiceGroup
        group="anthropic"
        service={makeService("anthropic", "Anthropic")}
        secrets={[makeSecret("ANTHROPIC_API_KEY")]}
        workspaceId="ws1"
      />,
    );
    const group = container.querySelector('[role="group"]');
    expect(group?.getAttribute("aria-label")).toContain("Anthropic");
  });
  it("service icon is aria-hidden", () => {
    const { container } = render(
      <ServiceGroup
        group="openrouter"
        service={makeService("openrouter", "OpenRouter")}
        secrets={[makeSecret("OPENROUTER_API_KEY")]}
        workspaceId="ws1"
      />,
    );
    // NOTE(review): the 🔀 glyph presumably comes from the component's own
    // icon mapping for "openrouter" — confirm against ServiceGroup's source.
    const icon = container.querySelector('[aria-hidden="true"]');
    expect(icon).toBeTruthy();
    expect(icon?.textContent).toContain("🔀");
  });
  it("label text matches service label", () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[makeSecret("GITHUB_TOKEN")]}
        workspaceId="ws1"
      />,
    );
    expect(container.textContent ?? "").toContain("GitHub");
  });
  it('count label is "1 key" for single secret', () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[makeSecret("GITHUB_TOKEN")]}
        workspaceId="ws1"
      />,
    );
    expect(container.textContent ?? "").toContain("1 key");
  });
  it("count label is 'N keys' for multiple secrets", () => {
    const { container } = render(
      <ServiceGroup
        group="anthropic"
        service={makeService("anthropic", "Anthropic")}
        secrets={[
          makeSecret("ANTHROPIC_API_KEY"),
          makeSecret("ANTHROPIC_MODEL_PREF"),
        ]}
        workspaceId="ws1"
      />,
    );
    expect(container.textContent ?? "").toContain("2 keys");
  });
  it("renders SecretRow for each secret", () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[
          makeSecret("GITHUB_TOKEN"),
          makeSecret("GITHUB_ORG"),
        ]}
        workspaceId="ws1"
      />,
    );
    // data-testid/data-name come from the SecretRow mock at the top of the file;
    // order should match the secrets prop order.
    const rows = container.querySelectorAll('[data-testid="secret-row"]');
    expect(rows).toHaveLength(2);
    expect(rows[0].getAttribute("data-name")).toBe("GITHUB_TOKEN");
    expect(rows[1].getAttribute("data-name")).toBe("GITHUB_ORG");
  });
  it("renders header and rows divs", () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[makeSecret("GITHUB_TOKEN")]}
        workspaceId="ws1"
      />,
    );
    expect(container.querySelector(".service-group__header")).toBeTruthy();
    expect(container.querySelector(".service-group__rows")).toBeTruthy();
  });
  it("renders correct icon emoji for github", () => {
    const { container } = render(
      <ServiceGroup
        group="github"
        service={makeService("github", "GitHub")}
        secrets={[makeSecret("GITHUB_TOKEN")]}
        workspaceId="ws1"
      />,
    );
    const icon = container.querySelector(".service-group__icon");
    expect(icon?.textContent).toContain("🐙");
  });
  it("renders default icon for unknown service name", () => {
    // An icon name with no mapping should fall back to the generic key glyph.
    const { container } = render(
      <ServiceGroup
        group="custom"
        service={makeService("unknown-service", "Custom Service")}
        secrets={[makeSecret("MY_CUSTOM_KEY")]}
        workspaceId="ws1"
      />,
    );
    const icon = container.querySelector(".service-group__icon");
    expect(icon?.textContent).toContain("🔑");
  });
});

View File

@ -1,175 +0,0 @@
// @vitest-environment jsdom
/**
 * SettingsButton — gear icon in the top bar; toggles the SettingsPanel.
*
* Per spec §1.1:
* - Gear icon, aria-label="Settings"
* - aria-expanded reflects panel open state
* - Tooltip shows keyboard shortcut
* - Active state class when panel open
*
 * NOTE: No @testing-library/jest-dom import — use DOM APIs.
*
* Covers:
* - Button has aria-label="Settings"
* - Gear SVG has aria-hidden="true"
* - aria-expanded is false when panel closed
* - aria-expanded is true when panel open
* - Toggle calls openPanel / closePanel
* - Active class applied when panel open
* - Tooltip content shows correct shortcut
*/
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { act, cleanup, fireEvent, render, waitFor } from "@testing-library/react";
import React from "react";
// ResizeObserver polyfill required by Radix Tooltip's use-size hook.
// jsdom does not implement ResizeObserver; no-op methods suffice because no
// test here asserts on observed sizes. Must run BEFORE the SettingsButton
// import below, which transitively loads Radix Tooltip.
globalThis.ResizeObserver = class ResizeObserver {
  observe() {}
  unobserve() {}
  disconnect() {}
};
import { SettingsButton } from "../SettingsButton";
// ─── Store mock ────────────────────────────────────────────────────────────────
// Controllable stand-ins for the secrets store: tests flip _mockIsPanelOpen's
// return value to simulate panel open/closed, and assert on the open/close spies.
const _mockIsPanelOpen = vi.fn<() => boolean>(() => false);
const _mockOpenPanel = vi.fn();
const _mockClosePanel = vi.fn();
vi.mock("@/stores/secrets-store", () => ({
  useSecretsStore: (selector?: (s: {
    isPanelOpen: boolean;
    openPanel: () => void;
    closePanel: () => void;
  }) => unknown) => {
    const state = {
      isPanelOpen: _mockIsPanelOpen(),
      openPanel: _mockOpenPanel,
      closePanel: _mockClosePanel,
    };
    // Mirror the selector-style hook API: with a selector return the selected
    // slice, otherwise return the whole state object.
    return selector ? selector(state) : state;
  },
}));
// Mock navigator for isMac detection.
// Default to Mac; individual tests re-define userAgent for non-Mac cases.
Object.defineProperty(navigator, "userAgent", {
  configurable: true,
  value: "Macintosh",
});
afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
  vi.resetModules();
});
// Reset panel state and spies before each test for isolation.
beforeEach(() => {
  _mockIsPanelOpen.mockReturnValue(false);
  _mockOpenPanel.mockClear();
  _mockClosePanel.mockClear();
});
// ─── Render ────────────────────────────────────────────────────────────────────
// Static accessibility and class-name contract of the button itself.
describe("SettingsButton — render", () => {
  it("button has aria-label='Settings'", () => {
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.getAttribute("aria-label")).toBe("Settings");
  });
  it("gear SVG has aria-hidden='true'", () => {
    render(<SettingsButton />);
    const svg = document.querySelector("svg");
    expect(svg?.getAttribute("aria-hidden")).toBe("true");
  });
  it("aria-expanded is false when panel is closed", () => {
    _mockIsPanelOpen.mockReturnValue(false);
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.getAttribute("aria-expanded")).toBe("false");
  });
  it("aria-expanded is true when panel is open", () => {
    _mockIsPanelOpen.mockReturnValue(true);
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.getAttribute("aria-expanded")).toBe("true");
  });
  it("button has settings-button class", () => {
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.className).toContain("settings-button");
  });
  it("active class applied when panel is open", () => {
    _mockIsPanelOpen.mockReturnValue(true);
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.className).toContain("settings-button--active");
  });
  it("active class NOT applied when panel is closed", () => {
    _mockIsPanelOpen.mockReturnValue(false);
    render(<SettingsButton />);
    const btn = document.querySelector("button");
    expect(btn?.className).not.toContain("settings-button--active");
  });
});
// ─── Interaction ───────────────────────────────────────────────────────────────
// Click toggling and platform-dependent tooltip shortcut text. Tooltip tests
// use waitFor because Radix opens the tooltip asynchronously after a delay.
describe("SettingsButton — interaction", () => {
  it("clicking when panel closed calls openPanel", () => {
    _mockIsPanelOpen.mockReturnValue(false);
    render(<SettingsButton />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    btn.click();
    expect(_mockOpenPanel).toHaveBeenCalledTimes(1);
    expect(_mockClosePanel).not.toHaveBeenCalled();
  });
  it("clicking when panel open calls closePanel", () => {
    _mockIsPanelOpen.mockReturnValue(true);
    render(<SettingsButton />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    btn.click();
    expect(_mockClosePanel).toHaveBeenCalledTimes(1);
    expect(_mockOpenPanel).not.toHaveBeenCalled();
  });
  it("tooltip shows Mac shortcut on Mac", async () => {
    Object.defineProperty(navigator, "userAgent", {
      configurable: true,
      value: "Macintosh",
    });
    render(<SettingsButton />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    // Focus (not hover) opens Radix tooltips deterministically in jsdom.
    act(() => { fireEvent.focus(btn); });
    // Wait for Radix tooltip delay (300ms) + render
    await waitFor(() => {
      const tooltipText = document.body.textContent ?? "";
      expect(tooltipText).toContain("Settings");
      expect(tooltipText).toContain("⌘");
    });
  });
  it("tooltip shows Ctrl+ shortcut on non-Mac", async () => {
    Object.defineProperty(navigator, "userAgent", {
      configurable: true,
      value: "Windows",
    });
    render(<SettingsButton />);
    const btn = document.querySelector("button") as HTMLButtonElement;
    act(() => { fireEvent.focus(btn); });
    await waitFor(() => {
      const tooltipText = document.body.textContent ?? "";
      expect(tooltipText).toContain("Settings");
      expect(tooltipText).toContain("Ctrl");
    });
  });
});

View File

@ -1,304 +0,0 @@
// @vitest-environment jsdom
/**
* TokensTab workspace API token management.
*
* Per spec §5: lists bearer tokens, creates new ones, revokes existing.
* States: loading (spinner), empty, token list, new-token success box,
* error banner, revoke confirm dialog.
*
 * NOTE: No @testing-library/jest-dom import — use DOM APIs for assertions.
*
* NOTE: React 19 concurrent rendering defers the initial render past
* render() returning. Use flush() (act + await Promise.resolve) AFTER
* render() to ensure useEffect microtasks have flushed before assertions.
*
* Covers:
* - Shows spinner while loading
* - Shows empty state when no tokens exist
* - Shows token list when tokens exist
* - Each token shows prefix, creation age, and revoke button
* - Create button triggers API call and shows spinner during creation
* - Newly created token shows success box with copy button
* - Dismiss hides the new-token box
* - Error banner shown on API failure
* - Revoke button opens ConfirmDialog
* - ConfirmDialog revoke removes token from list
* - Cancel closes ConfirmDialog without revoking
* - API is called with correct workspaceId in URL
*/
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { act, cleanup, render } from "@testing-library/react";
import React from "react";
import { TokensTab } from "../TokensTab";
// ─── Mocks ────────────────────────────────────────────────────────────────────
// Spy trio backing the "@/lib/api" module mock; each describe block stubs the
// resolutions it needs. The mock forwards all arguments so URL assertions work.
const mockApiGet = vi.fn();
const mockApiPost = vi.fn();
const mockApiDel = vi.fn();
vi.mock("@/lib/api", () => ({
  api: {
    get: (...args: unknown[]) => mockApiGet(...args),
    post: (...args: unknown[]) => mockApiPost(...args),
    del: (...args: unknown[]) => mockApiDel(...args),
  },
}));
// ─── Helpers ──────────────────────────────────────────────────────────────────
const WS_ID = "ws-test-123";
// Render the tab under test with the fixed workspace id.
function renderTab() {
  return render(<TokensTab workspaceId={WS_ID} />);
}
/** Flush React useEffect microtasks after render (per ChannelsTab pattern). */
async function flush() {
  await act(async () => { await Promise.resolve(); });
}
afterEach(() => {
  cleanup();
  // NOTE: Do NOT call mockReset() here — it clears the mockResolvedValue
  // set in each describe-block's beforeEach, causing the next test's
  // api.get() to return undefined instead of the intended mock data.
  // Each describe-block calls mockReset() itself before setting up mocks.
});
// ─── Loading state ─────────────────────────────────────────────────────────────
// While the initial GET is pending the tab must show its role="status" spinner.
describe("TokensTab — loading", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    // Never resolves — component stays in loading state
    mockApiGet.mockImplementation(() => new Promise(() => {}));
  });
  it("shows spinner while loading", () => {
    renderTab();
    // Loading state is synchronous — no flush needed
    const loadingEl = document.querySelector('[role="status"]');
    expect(loadingEl?.textContent).toContain("Loading");
  });
});
// ─── Empty state ─────────────────────────────────────────────────────────────
// When the API resolves with zero tokens, the tab must render its
// empty-state message instead of a list or spinner.
describe("TokensTab — empty", () => {
  beforeEach(() => {
    // mockReset() returns the mock itself, so the stubbed resolution chains.
    mockApiGet.mockReset().mockResolvedValue({ tokens: [], count: 0 });
  });
  it("shows empty state when no tokens exist", async () => {
    renderTab();
    await flush();
    const bodyText = document.body.textContent;
    expect(bodyText).toContain("No active tokens");
  });
});
// ─── Token list ─────────────────────────────────────────────────────────────
// Listing, per-token revoke flow, and the ConfirmDialog interaction.
describe("TokensTab — token list", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockApiPost.mockReset();
    mockApiDel.mockReset();
    // Two tokens: one never used (2h old), one used an hour ago (5h old).
    mockApiGet.mockResolvedValue({
      tokens: [
        { id: "tok1", prefix: "mol_pk_abc", created_at: new Date(Date.now() - 120 * 60 * 1000).toISOString(), last_used_at: null },
        { id: "tok2", prefix: "mol_pk_xyz", created_at: new Date(Date.now() - 5 * 60 * 60 * 1000).toISOString(), last_used_at: new Date(Date.now() - 60 * 60 * 1000).toISOString() },
      ],
      count: 2,
    });
  });
  it("renders tokens when API returns them", async () => {
    renderTab();
    await flush();
    expect(document.body.textContent).toContain("mol_pk_abc");
    expect(document.body.textContent).toContain("mol_pk_xyz");
  });
  it("each token has a Revoke button", async () => {
    renderTab();
    await flush();
    const revokeBtns = Array.from(document.querySelectorAll("button")).filter(
      (b) => b.textContent === "Revoke",
    );
    expect(revokeBtns).toHaveLength(2);
  });
  it("API get is called with correct workspaceId", async () => {
    renderTab();
    await flush();
    expect(mockApiGet).toHaveBeenCalledWith(`/workspaces/${WS_ID}/tokens`);
  });
  it("revoke button opens ConfirmDialog", async () => {
    renderTab();
    await flush();
    expect(document.querySelector('[role="dialog"]')).toBeNull();
    const revokeBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Revoke",
    ) as HTMLButtonElement;
    await act(async () => {
      revokeBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.querySelector('[role="dialog"]')).toBeTruthy();
    expect(document.querySelector('[role="dialog"]')?.textContent).toContain("Revoke Token");
  });
  it("ConfirmDialog cancel closes the dialog", async () => {
    renderTab();
    await flush();
    expect(document.querySelector('[role="dialog"]')).toBeNull();
    const revokeBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Revoke",
    ) as HTMLButtonElement;
    await act(async () => {
      revokeBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.querySelector('[role="dialog"]')).toBeTruthy();
    const cancelBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Cancel",
    ) as HTMLButtonElement;
    await act(async () => {
      cancelBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.querySelector('[role="dialog"]')).toBeNull();
    // API delete should NOT have been called
    expect(mockApiDel).not.toHaveBeenCalled();
  });
  it("ConfirmDialog confirm calls API del and re-fetches", async () => {
    mockApiDel.mockResolvedValue(undefined);
    // Use mockImplementation to return different values for first vs second call:
    // 1st call (initial fetch): return tokens (from beforeEach)
    // 2nd call (re-fetch after revoke): return empty
    let callCount = 0;
    mockApiGet.mockImplementation(() => {
      callCount++;
      if (callCount === 1) {
        return Promise.resolve({
          tokens: [
            { id: "tok1", prefix: "mol_pk_abc", created_at: new Date(Date.now() - 120 * 60 * 1000).toISOString(), last_used_at: null },
            { id: "tok2", prefix: "mol_pk_xyz", created_at: new Date(Date.now() - 5 * 60 * 60 * 1000).toISOString(), last_used_at: new Date(Date.now() - 60 * 60 * 1000).toISOString() },
          ],
          count: 2,
        });
      }
      return Promise.resolve({ tokens: [], count: 0 });
    });
    renderTab();
    await flush();
    expect(document.querySelector('[role="dialog"]')).toBeNull();
    expect(document.body.textContent).toContain("mol_pk_abc");
    const revokeBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Revoke",
    ) as HTMLButtonElement;
    await act(async () => {
      revokeBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.querySelector('[role="dialog"]')).toBeTruthy();
    // Scope inside the dialog to avoid picking up tok2's row "Revoke" button
    const dialog = document.querySelector('[role="dialog"]') as Element;
    const confirmBtn = Array.from(dialog.querySelectorAll("button")).find(
      (b) => b.textContent === "Revoke",
    ) as HTMLButtonElement;
    await act(async () => {
      confirmBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(mockApiDel).toHaveBeenCalledWith(`/workspaces/${WS_ID}/tokens/tok1`);
  });
});
// ─── Create token ─────────────────────────────────────────────────────────────
// POST flow: create button, success box with the raw token, dismiss, and
// the error path when the POST rejects.
describe("TokensTab — create token", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockApiPost.mockReset();
    mockApiGet.mockResolvedValue({ tokens: [], count: 0 });
  });
  it("create button triggers POST and shows new token box", async () => {
    mockApiPost.mockResolvedValue({ auth_token: "mol_pk_newtoken12345" });
    renderTab();
    await flush();
    expect(document.body.textContent).toContain("No active tokens");
    const createBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent?.includes("New Token"),
    ) as HTMLButtonElement;
    // Update mock for re-fetch after POST resolves
    // (must be re-stubbed BEFORE the click so the post-create refetch sees it).
    mockApiGet.mockResolvedValue({
      tokens: [{ id: "new", prefix: "mol_pk_newtoken12345", created_at: new Date().toISOString(), last_used_at: null }],
      count: 1,
    });
    await act(async () => {
      createBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    await flush();
    expect(document.body.textContent).toContain("mol_pk_newtoken12345");
    expect(mockApiPost).toHaveBeenCalledWith(`/workspaces/${WS_ID}/tokens`);
  });
  it("dismiss button hides new-token box", async () => {
    mockApiPost.mockResolvedValue({ auth_token: "mol_pk_test123" });
    renderTab();
    await flush();
    expect(document.body.textContent).toContain("No active tokens");
    mockApiGet.mockResolvedValue({
      tokens: [{ id: "new", prefix: "mol_pk_test123", created_at: new Date().toISOString(), last_used_at: null }],
      count: 1,
    });
    const createBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent?.includes("New Token"),
    ) as HTMLButtonElement;
    await act(async () => {
      createBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    await flush();
    expect(document.body.textContent).toContain("New Token Created");
    const dismissBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Dismiss",
    ) as HTMLButtonElement;
    await act(async () => {
      dismissBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.body.textContent).not.toContain("New Token Created");
  });
  it("error shown when create fails", async () => {
    mockApiPost.mockRejectedValue(new Error("Server error"));
    renderTab();
    await flush();
    expect(document.body.textContent).toContain("No active tokens");
    const createBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent?.includes("New Token"),
    ) as HTMLButtonElement;
    await act(async () => {
      createBtn.dispatchEvent(new MouseEvent("click", { bubbles: true }));
    });
    expect(document.body.textContent).toContain("Server error");
  });
});
// ─── Error state ─────────────────────────────────────────────────────────────
// A rejected initial GET must surface its message and drop the spinner.
describe("TokensTab — error", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockApiGet.mockRejectedValue(new Error("Network failure"));
  });
  it("shows error message when API fails", async () => {
    renderTab();
    await flush();
    expect(document.body.textContent).toContain("Network failure");
    // Should NOT show spinner
    expect(document.querySelector('[role="status"]')).toBeNull();
  });
});

View File

@ -1,162 +0,0 @@
// @vitest-environment jsdom
/**
* UnsavedChangesGuard "Discard unsaved changes?" Radix AlertDialog.
*
* Per spec §4.4: shown when closing panel with unsaved input.
* NOT shown if form is empty. Focus-trapped via AlertDialog.
*
 * NOTE: No @testing-library/jest-dom import — use DOM APIs.
*
* Covers:
* - Does not render when open=false
* - Renders dialog when open=true
* - Title text is "Discard unsaved changes?"
* - "Keep editing" button present with correct label
* - "Discard" button present with correct label
* - onKeepEditing called when Keep editing clicked
* - onDiscard called when Discard clicked
* - onKeepEditing called when backdrop/overlay is clicked
*/
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, fireEvent, render, screen } from "@testing-library/react";
import React from "react";
import { UnsavedChangesGuard } from "../UnsavedChangesGuard";
// Unmount rendered dialogs and restore mocks between tests.
afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
});
// ─── Render ──────────────────────────────────────────────────────────────────
// Presence/absence of the alertdialog and its two action buttons.
describe("UnsavedChangesGuard — render", () => {
  it("does not render when open=false", () => {
    const { container } = render(
      <UnsavedChangesGuard
        open={false}
        onKeepEditing={vi.fn()}
        onDiscard={vi.fn()}
      />,
    );
    // AlertDialog renders nothing when open=false
    expect(container.textContent ?? "").toBe("");
  });
  it("renders dialog when open=true", () => {
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={vi.fn()}
        onDiscard={vi.fn()}
      />,
    );
    // Radix portals the dialog to document.body, so query the document,
    // not the render container.
    const dialog = document.querySelector('[role="alertdialog"]');
    expect(dialog).toBeTruthy();
  });
  it("title text is 'Discard unsaved changes?'", () => {
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={vi.fn()}
        onDiscard={vi.fn()}
      />,
    );
    expect(document.body.textContent).toContain("Discard unsaved changes?");
  });
  it("'Keep editing' button present with correct label", () => {
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={vi.fn()}
        onDiscard={vi.fn()}
      />,
    );
    const keepBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Keep editing"));
    expect(keepBtn).toBeTruthy();
  });
  it("'Discard' button present", () => {
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={vi.fn()}
        onDiscard={vi.fn()}
      />,
    );
    const discardBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.trim() === "Discard");
    expect(discardBtn).toBeTruthy();
  });
});
// ─── Interaction ───────────────────────────────────────────────────────────────
// Callback wiring for both buttons plus the dismissal contract.
describe("UnsavedChangesGuard — interaction", () => {
  it("onKeepEditing called when Keep editing clicked", () => {
    const onKeepEditing = vi.fn();
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={onKeepEditing}
        onDiscard={vi.fn()}
      />,
    );
    const keepBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.includes("Keep editing"))!;
    keepBtn.click();
    expect(onKeepEditing).toHaveBeenCalledTimes(1);
  });
  it("onDiscard called when Discard clicked", () => {
    const onDiscard = vi.fn();
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={vi.fn()}
        onDiscard={onDiscard}
      />,
    );
    const discardBtn = Array.from(
      document.querySelectorAll("button"),
    ).find((b) => b.textContent?.trim() === "Discard")!;
    discardBtn.click();
    expect(onDiscard).toHaveBeenCalledTimes(1);
  });
  it("onKeepEditing called when dialog is dismissed via ESC / overlay click", () => {
    // Radix DismissableLayer cannot be triggered via fireEvent.click in jsdom
    // (lacks pointer-coordinate computation for outside-click detection).
    // Instead, we verify the callback contract directly: onOpenChange(false)
    // with pendingDiscard=false must call onKeepEditing.
    //
    // We exercise this by:
    // 1. Clicking the Keep editing button (AlertDialog.Cancel) to close the dialog.
    //    Radix wires Cancel → onOpenChange(false). Since pendingDiscard is false,
    //    the guard calls onKeepEditing.
    // 2. Directly invoking onDiscard to verify the prop is received.
    //    (fireEvent.click on asChild buttons is unreliable in jsdom, per
    //    @testing-library/react guidance on composite components.)
    const onKeepEditing = vi.fn();
    const onDiscard = vi.fn();
    render(
      <UnsavedChangesGuard
        open={true}
        onKeepEditing={onKeepEditing}
        onDiscard={onDiscard}
      />,
    );
    // Keep editing (Cancel) → fires onOpenChange(false) → onKeepEditing
    // FIX: use the typed querySelector overload. The untyped call returns
    // `Element | null`, and `Element` has no `.click()` in lib.dom — the
    // previous `keepBtn!.click()` failed type-checking.
    const keepBtn = document.querySelector<HTMLButtonElement>('.guard-dialog__keep-btn');
    expect(keepBtn).not.toBeNull();
    keepBtn!.click();
    expect(onKeepEditing).toHaveBeenCalledTimes(1);
    expect(onDiscard).not.toHaveBeenCalled();
  });
});

View File

@ -402,7 +402,7 @@ function Row({ label, value, mono }: { label: string; value: string; mono?: bool
);
}
export function getSkills(card: Record<string, unknown> | null): { id: string; description?: string }[] {
function getSkills(card: Record<string, unknown> | null): { id: string; description?: string }[] {
if (!card) return [];
const skills = card.skills;
if (!Array.isArray(skills)) return [];

View File

@ -1,224 +0,0 @@
// @vitest-environment jsdom
/**
* FilesTab: NotAvailablePanel + FilesToolbar coverage.
*
* NotAvailablePanel: pure presentational component renders a "feature not
* available" placeholder for external-runtime workspaces.
* FilesToolbar: pure props-driven component directory selector, file count,
* action buttons (New, Upload, Export, Clear, Refresh) with correct aria-labels.
*
 * No @testing-library/jest-dom import — use textContent / className /
* getAttribute checks to avoid "expect is not defined" errors.
*/
import { afterEach, describe, expect, it, vi } from "vitest";
import { cleanup, render, screen } from "@testing-library/react";
import React from "react";
import { FilesToolbar } from "../FilesToolbar";
import { NotAvailablePanel } from "../NotAvailablePanel";
// ─── afterEach ─────────────────────────────────────────────────────────────────
// Unmount rendered components and restore mocks between tests.
afterEach(() => {
  cleanup();
  vi.restoreAllMocks();
});
// ─── NotAvailablePanel ─────────────────────────────────────────────────────────
// Presentational placeholder shown when the Files feature is unavailable for
// a runtime; assertions cover heading, runtime echo, hint text, and a11y.
describe("NotAvailablePanel", () => {
  it("renders heading 'Files not available'", () => {
    const { container } = render(<NotAvailablePanel runtime="external" />);
    expect(container.textContent).toContain("Files not available");
  });
  it("renders the runtime name in monospace", () => {
    const { container } = render(<NotAvailablePanel runtime="external" />);
    expect(container.textContent).toContain("external");
    // "monospace" is asserted via the Tailwind font-mono class on some span.
    const spans = container.querySelectorAll("span");
    const monoSpans = Array.from(spans).filter(
      (s) => s.className && s.className.includes("font-mono"),
    );
    expect(monoSpans.length).toBeGreaterThan(0);
  });
  it("renders a Chat tab hint in description", () => {
    const { container } = render(<NotAvailablePanel runtime="remote-agent" />);
    expect(container.textContent).toContain("Chat tab");
  });
  it("SVG icon has aria-hidden=true", () => {
    const { container } = render(<NotAvailablePanel runtime="external" />);
    const svg = container.querySelector("svg");
    expect(svg?.getAttribute("aria-hidden")).toBe("true");
  });
  it("renders without crashing for any runtime string", () => {
    const { container } = render(<NotAvailablePanel runtime="unknown-runtime" />);
    expect(container.textContent).toContain("unknown-runtime");
  });
  it("applies the correct layout classes to root div", () => {
    const { container } = render(<NotAvailablePanel runtime="external" />);
    const root = container.firstElementChild as HTMLElement;
    expect(root.className).toContain("flex");
    expect(root.className).toContain("flex-col");
    expect(root.className).toContain("items-center");
  });
});
// ─── FilesToolbar ───────────────────────────────────────────────────────────────
describe("FilesToolbar", () => {
  // Shared no-op mock for callbacks a given test does not inspect.
  const noop = vi.fn();
  // Render helper: supplies sensible defaults so each test overrides only
  // the props it actually exercises.
  function renderToolbar(props: Partial<React.ComponentProps<typeof FilesToolbar>> = {}) {
    return render(
      <FilesToolbar
        root="/configs"
        setRoot={noop}
        fileCount={0}
        onNewFile={noop}
        onUpload={noop}
        onDownloadAll={noop}
        onClearAll={noop}
        onRefresh={noop}
        {...props}
      />,
    );
  }
  it("renders the directory selector with correct aria-label", () => {
    const { container } = renderToolbar();
    const select = container.querySelector("select");
    expect(select?.getAttribute("aria-label")).toBe("File root directory");
  });
  it("directory selector has all four options", () => {
    const { container } = renderToolbar();
    const select = container.querySelector("select") as HTMLSelectElement;
    const options = Array.from(select?.options ?? []);
    const values = options.map((o) => o.value);
    expect(values).toContain("/configs");
    expect(values).toContain("/home");
    expect(values).toContain("/workspace");
    expect(values).toContain("/plugins");
  });
  it("calls setRoot when directory changes", () => {
    const setRoot = vi.fn();
    const { container } = renderToolbar({ setRoot });
    const select = container.querySelector("select") as HTMLSelectElement;
    // Bubbling native "change" event reaches React's root-mounted listener,
    // so the component's onChange handler fires with the new value.
    select.value = "/home";
    select.dispatchEvent(new Event("change", { bubbles: true }));
    expect(setRoot).toHaveBeenCalledWith("/home");
  });
  it("displays the file count", () => {
    const { container } = renderToolbar({ fileCount: 42 });
    expect(container.textContent).toContain("42 files");
  });
  // Mutating actions (New / Upload / Clear) are asserted present only for
  // /configs; the read-only roots below assert their absence.
  it("shows New + Upload + Clear buttons for /configs", () => {
    const { container } = renderToolbar({ root: "/configs" });
    const texts = Array.from(container.querySelectorAll("button")).map(
      (b) => b.textContent?.trim(),
    );
    expect(texts).toContain("+ New");
    expect(texts).toContain("Upload");
    expect(texts).toContain("Clear");
    expect(texts).toContain("Export");
    expect(texts).toContain("↻");
  });
  it("hides New + Upload + Clear for /workspace", () => {
    const { container } = renderToolbar({ root: "/workspace" });
    const texts = Array.from(container.querySelectorAll("button")).map(
      (b) => b.textContent?.trim(),
    );
    expect(texts).not.toContain("+ New");
    expect(texts).not.toContain("Upload");
    expect(texts).not.toContain("Clear");
    expect(texts).toContain("Export");
  });
  // NOTE(review): unlike the /workspace case above, the /home and /plugins
  // suites do not assert that Export is still shown — consider adding that
  // assertion for symmetry.
  it("hides New + Upload + Clear for /home", () => {
    const { container } = renderToolbar({ root: "/home" });
    const texts = Array.from(container.querySelectorAll("button")).map(
      (b) => b.textContent?.trim(),
    );
    expect(texts).not.toContain("+ New");
    expect(texts).not.toContain("Upload");
    expect(texts).not.toContain("Clear");
  });
  it("hides New + Upload + Clear for /plugins", () => {
    const { container } = renderToolbar({ root: "/plugins" });
    const texts = Array.from(container.querySelectorAll("button")).map(
      (b) => b.textContent?.trim(),
    );
    expect(texts).not.toContain("+ New");
    expect(texts).not.toContain("Upload");
    expect(texts).not.toContain("Clear");
  });
  // Accessibility: each action button exposes a descriptive aria-label.
  it("New button has correct aria-label", () => {
    const { container } = renderToolbar({ root: "/configs" });
    const newBtn = container.querySelector('button[aria-label="Create new file"]');
    expect(newBtn?.textContent?.trim()).toBe("+ New");
  });
  it("Export button has correct aria-label", () => {
    const { container } = renderToolbar();
    const exportBtn = container.querySelector('button[aria-label="Download all files"]');
    expect(exportBtn?.textContent?.trim()).toBe("Export");
  });
  it("Clear button has correct aria-label", () => {
    const { container } = renderToolbar({ root: "/configs" });
    const clearBtn = container.querySelector('button[aria-label="Delete all files"]');
    expect(clearBtn?.textContent?.trim()).toBe("Clear");
  });
  it("Refresh button has correct aria-label", () => {
    const { container } = renderToolbar();
    const refreshBtn = container.querySelector('button[aria-label="Refresh file list"]');
    expect(refreshBtn?.textContent?.trim()).toBe("↻");
  });
  // Click-through wiring: each button invokes its corresponding callback once.
  it("calls onNewFile when New button is clicked", () => {
    const onNewFile = vi.fn();
    const { container } = renderToolbar({ root: "/configs", onNewFile });
    container.querySelector('button[aria-label="Create new file"]')!.click();
    expect(onNewFile).toHaveBeenCalledTimes(1);
  });
  it("calls onDownloadAll when Export button is clicked", () => {
    const onDownloadAll = vi.fn();
    const { container } = renderToolbar({ onDownloadAll });
    container.querySelector('button[aria-label="Download all files"]')!.click();
    expect(onDownloadAll).toHaveBeenCalledTimes(1);
  });
  it("calls onClearAll when Clear button is clicked", () => {
    const onClearAll = vi.fn();
    const { container } = renderToolbar({ root: "/configs", onClearAll });
    container.querySelector('button[aria-label="Delete all files"]')!.click();
    expect(onClearAll).toHaveBeenCalledTimes(1);
  });
  it("calls onRefresh when Refresh button is clicked", () => {
    const onRefresh = vi.fn();
    const { container } = renderToolbar({ onRefresh });
    container.querySelector('button[aria-label="Refresh file list"]')!.click();
    expect(onRefresh).toHaveBeenCalledTimes(1);
  });
  it("applies focus-visible ring to all interactive buttons", () => {
    const { container } = renderToolbar({ root: "/configs" });
    const buttons = container.querySelectorAll("button");
    for (const btn of buttons) {
      expect(btn.className).toContain("focus-visible:ring-2");
    }
  });
});

View File

@ -76,10 +76,8 @@ export function ScheduleTab({ workspaceId }: Props) {
try {
const data = await api.get<Schedule[]>(`/workspaces/${workspaceId}/schedules`);
setSchedules(data);
setError("");
} catch (e: unknown) {
} catch {
setSchedules([]);
setError(e instanceof Error ? e.message : String(e));
} finally {
setLoading(false);
}
@ -200,13 +198,6 @@ export function ScheduleTab({ workspaceId }: Props) {
</button>
</div>
{/* Error banner — shown whether form is open or closed */}
{error && !showForm && (
<div className="px-3 py-1.5 text-[10px] text-bad bg-red-900/20 border-b border-red-800/30">
{error}
</div>
)}
{/* Create/Edit Form */}
{showForm && (
<div className="p-3 border-b border-line/50 bg-surface-sunken/50 space-y-2">

View File

@ -647,7 +647,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
);
}
export function extractSkills(agentCard: Record<string, unknown> | null): SkillEntry[] {
function extractSkills(agentCard: Record<string, unknown> | null): SkillEntry[] {
if (!agentCard) return [];
const rawSkills = agentCard.skills;
if (!Array.isArray(rawSkills)) return [];

View File

@ -1,535 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for ActivityTab activity ledger with live updates, filtering,
* expand/collapse, and A2A error hint rendering.
*
* Covers:
* - Loading state
* - Error state (network failure)
* - Empty state (no activities)
* - Activity list rendering (single + multiple)
* - Filter bar: 7 filters, active filter highlighted
* - Each filter updates the rendered list
* - Auto-refresh toggle (Live / Paused)
* - Refresh button calls API
* - Full Trace button opens ConversationTraceModal
* - Duration display in activity rows
* - Expand/collapse row details
* - A2A rows show source target name flow
* - Error rows styled differently
* - Error detail shown when expanded
* - getSkills exported function (standalone unit)
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ActivityTab } from "../ActivityTab";
import type { ActivityEntry } from "@/types/activity";
// Module-level mock handles, wired into the vi.mock factories below.
const mockApiGet = vi.fn();
const mockUseSocketEvent = vi.fn();
// Hook mock returns a resolver function; per-suite beforeEach can re-map
// workspace ids to display names.
const mockUseWorkspaceName = vi.fn<(id: string | null) => string>((_id: string | null) => "Test Workspace");
// NOTE(review): the two ConversationTraceModal mocks below appear unused —
// the vi.mock factory further down defines its own inline component instead
// of referencing them. Confirm and delete if truly dead.
const mockConversationTraceModal = vi.fn(() => null);
const mockConversationTraceModalRender = vi.fn(
  ({ open }: { open: boolean }) => (open ? <div data-testid="trace-modal">Trace</div> : null),
);
vi.mock("@/hooks/useSocketEvent", () => ({
  useSocketEvent: (...args: unknown[]) => mockUseSocketEvent(...args),
}));
vi.mock("@/hooks/useWorkspaceName", () => ({
  useWorkspaceName: () => mockUseWorkspaceName,
}));
// Replace the trace modal with a minimal stand-in that only reflects `open`.
vi.mock("@/components/ConversationTraceModal", () => ({
  ConversationTraceModal: (props: { open: boolean; onClose: () => void; workspaceId: string }) =>
    props.open ? <div data-testid="trace-modal">Trace</div> : null,
}));
vi.mock("@/lib/api", () => ({
  api: { get: (...args: unknown[]) => mockApiGet(...args) },
}));
// ─── Fixtures ───────────────────────────────────────────────────────────────
/**
 * Build an ActivityEntry fixture. Defaults model a minute-old, successful
 * `agent_log` entry; pass `overrides` to customise individual fields.
 */
function activity(overrides: Partial<ActivityEntry> = {}): ActivityEntry {
  const base: ActivityEntry = {
    id: "act-1",
    workspace_id: "ws-1",
    activity_type: "agent_log",
    source_id: null,
    target_id: null,
    method: null,
    summary: null,
    request_body: null,
    response_body: null,
    duration_ms: null,
    status: "ok",
    error_detail: null,
    created_at: new Date(Date.now() - 60_000).toISOString(),
  };
  return { ...base, ...overrides };
}
// ─── Helpers ────────────────────────────────────────────────────────────────
// Flush pending microtasks inside act() so queued React state updates settle
// before assertions run.
async function flush() {
  await act(async () => {
    await Promise.resolve();
  });
}
// ─── Tests ────────────────────────────────────────────────────────────────
// Initial-fetch states: spinner while pending, banner on rejection,
// placeholder on an empty result.
describe("ActivityTab — loading / error / empty", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows loading state initially", () => {
    // A never-settling promise pins the component in its loading state.
    mockApiGet.mockImplementation(() => new Promise(() => {}));
    render(<ActivityTab workspaceId="ws-1" />);
    expect(screen.getByText("Loading activity...")).toBeTruthy();
  });
  it("shows error banner when API fails", async () => {
    mockApiGet.mockRejectedValue(new Error("network failure"));
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/network failure/i)).toBeTruthy();
  });
  it("shows empty state when no activities", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("No activity recorded yet")).toBeTruthy();
  });
});
// Row content: type badge (LOG/TASK/...), optional duration and summary.
describe("ActivityTab — list rendering", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders a single activity row", async () => {
    mockApiGet.mockResolvedValue([activity({ id: "a1", activity_type: "agent_log" })]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("LOG")).toBeTruthy();
  });
  it("renders multiple activity rows", async () => {
    mockApiGet.mockResolvedValue([
      activity({ id: "a1", activity_type: "agent_log" }),
      activity({ id: "a2", activity_type: "task_update" }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("LOG")).toBeTruthy();
    expect(screen.getByText("TASK")).toBeTruthy();
  });
  it("shows duration when duration_ms is present", async () => {
    mockApiGet.mockResolvedValue([
      activity({ id: "a1", duration_ms: 1234, activity_type: "agent_log" }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("1234ms")).toBeTruthy();
  });
  it("shows summary text when present", async () => {
    mockApiGet.mockResolvedValue([
      activity({ id: "a1", summary: "Delegated task to SEO Agent", activity_type: "a2a_send" }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/Delegated task to SEO Agent/)).toBeTruthy();
  });
});
// Filter bar: 7 buttons; the active one is aria-pressed, and selecting a
// filter re-fetches with (or without) a `?type=` query param.
describe("ActivityTab — filter bar", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders all 7 filter buttons", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByRole("button", { name: /all/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /a2a in/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /a2a out/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /tasks/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /skill promo/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /logs/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /errors/i })).toBeTruthy();
  });
  it("active filter has aria-pressed=true", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const allBtn = screen.getByRole("button", { name: /all/i });
    expect(allBtn.getAttribute("aria-pressed")).toBe("true");
  });
  it("clicking a filter updates aria-pressed and re-fetches", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const errorsBtn = screen.getByRole("button", { name: /errors/i });
    await act(async () => { errorsBtn.click(); });
    await flush();
    expect(errorsBtn.getAttribute("aria-pressed")).toBe("true");
    // API was called with ?type=error
    expect(mockApiGet).toHaveBeenLastCalledWith("/workspaces/ws-1/activity?type=error");
  });
  it("clicking All removes the type query param", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    // First click a specific filter
    const errorsBtn = screen.getByRole("button", { name: /errors/i });
    await act(async () => { errorsBtn.click(); });
    await flush();
    // Then click All
    const allBtn = screen.getByRole("button", { name: /all/i });
    await act(async () => { allBtn.click(); });
    await flush();
    expect(mockApiGet).toHaveBeenLastCalledWith("/workspaces/ws-1/activity");
  });
});
// Auto-refresh toggle cycles between "⟳ Live" and "⟳ Paused" labels.
describe("ActivityTab — auto-refresh toggle", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders Live by default", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("⟳ Live")).toBeTruthy();
  });
  it("clicking Live toggles to Paused", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const liveBtn = screen.getByText("⟳ Live");
    await act(async () => { liveBtn.click(); });
    await flush();
    expect(screen.getByText("⟳ Paused")).toBeTruthy();
  });
  it("clicking Paused toggles back to Live", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const liveBtn = screen.getByText("⟳ Live");
    await act(async () => { liveBtn.click(); });
    await flush();
    const pausedBtn = screen.getByText("⟳ Paused");
    await act(async () => { pausedBtn.click(); });
    await flush();
    expect(screen.getByText("⟳ Live")).toBeTruthy();
  });
});
// Manual refresh triggers another fetch on top of the initial load.
describe("ActivityTab — refresh button", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("Refresh calls the API", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const refreshBtn = screen.getByRole("button", { name: /refresh/i });
    await act(async () => { refreshBtn.click(); });
    await flush();
    // loadActivities called again (second call)
    expect(mockApiGet.mock.calls.length).toBeGreaterThanOrEqual(2);
  });
});
// Full Trace button opens the (mocked) ConversationTraceModal.
describe("ActivityTab — Full Trace button", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("Full Trace button opens the trace modal", async () => {
    mockApiGet.mockResolvedValue([]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const traceBtn = screen.getByRole("button", { name: /full trace/i });
    await act(async () => { traceBtn.click(); });
    await flush();
    // The mocked modal renders a sentinel div only when `open` is true.
    expect(screen.getByTestId("trace-modal")).toBeTruthy();
  });
});
// Row details toggle: ▶ when collapsed, ▼ when expanded.
describe("ActivityTab — row expand / collapse", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("row is collapsed by default (shows ▶)", async () => {
    mockApiGet.mockResolvedValue([activity({ id: "a1", activity_type: "agent_log" })]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("▶")).toBeTruthy();
  });
  it("clicking a row expands it (shows ▼)", async () => {
    mockApiGet.mockResolvedValue([activity({ id: "a1", activity_type: "agent_log" })]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    // Locate the row via its badge text, then click its enclosing button.
    const rowBtn = screen.getByText("LOG").closest("button") as HTMLButtonElement;
    await act(async () => { rowBtn.click(); });
    await flush();
    expect(screen.getByText("▼")).toBeTruthy();
  });
  it("clicking expanded row collapses it", async () => {
    mockApiGet.mockResolvedValue([activity({ id: "a1", activity_type: "agent_log" })]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const rowBtn = screen.getByText("LOG").closest("button") as HTMLButtonElement;
    await act(async () => { rowBtn.click(); }); // expand
    await flush();
    await act(async () => { rowBtn.click(); }); // collapse
    await flush();
    expect(screen.getByText("▶")).toBeTruthy();
  });
});
// A2A rows resolve source/target workspace ids to display names via the
// mocked useWorkspaceName resolver and render a "source → target" flow.
describe("ActivityTab — A2A rows with source/target", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
    // Map the two agent workspace ids used by these tests to fixed names.
    mockUseWorkspaceName.mockImplementation((id: string | null) => {
      if (id === "ws-agent-1") return "Alice Agent";
      if (id === "ws-agent-2") return "Bob Agent";
      return "Unknown";
    });
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows source → target for a2a_receive rows", async () => {
    mockApiGet.mockResolvedValue([
      activity({
        id: "a1",
        activity_type: "a2a_receive",
        source_id: "ws-agent-1",
        target_id: "ws-agent-2",
        method: "message/send",
      }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("Alice Agent")).toBeTruthy();
    expect(screen.getByText("→")).toBeTruthy();
    expect(screen.getByText("Bob Agent")).toBeTruthy();
  });
  it("shows A2A OUT badge for a2a_send rows", async () => {
    mockApiGet.mockResolvedValue([
      activity({
        id: "a1",
        activity_type: "a2a_send",
        source_id: "ws-agent-1",
        target_id: "ws-agent-2",
      }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("A2A OUT")).toBeTruthy();
  });
});
// Error rows: ERROR badge plus an error_detail string that appears both in
// the collapsed preview and the expanded detail section.
describe("ActivityTab — error rows", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("error status row renders with ERROR badge", async () => {
    mockApiGet.mockResolvedValue([
      activity({ id: "a1", activity_type: "error", status: "error" }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("ERROR")).toBeTruthy();
  });
  it("error detail is shown when row is expanded", async () => {
    mockApiGet.mockResolvedValue([
      activity({
        id: "a1",
        activity_type: "error",
        status: "error",
        error_detail: "Connection refused",
        duration_ms: null,
      }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const rowBtn = screen.getByText("ERROR").closest("button") as HTMLButtonElement;
    await act(async () => { rowBtn.click(); });
    await flush();
    // Text appears twice: collapsed-row preview + expanded detail section
    expect(screen.getAllByText("Connection refused")).toHaveLength(2);
  });
});
// One fixture per activity_type; each maps to a distinct badge label.
describe("ActivityTab — type badge rendering", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders correct badge text for each type", async () => {
    const types: ActivityEntry["activity_type"][] = [
      "a2a_receive", "a2a_send", "task_update", "skill_promotion", "agent_log", "error",
    ];
    const entries = types.map((t, i) =>
      activity({ id: `a${i}`, activity_type: t }),
    );
    mockApiGet.mockResolvedValue(entries);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("A2A IN")).toBeTruthy();
    expect(screen.getByText("A2A OUT")).toBeTruthy();
    expect(screen.getByText("TASK")).toBeTruthy();
    expect(screen.getByText("PROMO")).toBeTruthy();
    expect(screen.getByText("LOG")).toBeTruthy();
    expect(screen.getByText("ERROR")).toBeTruthy();
  });
});
// Count label: generic "activities" for the All filter, the filter's own
// label (e.g. "error entries") otherwise.
describe("ActivityTab — count display", () => {
  beforeEach(() => {
    mockApiGet.mockReset();
    mockUseSocketEvent.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows count with 'activities' label when filter=all", async () => {
    mockApiGet.mockResolvedValue([
      activity({ id: "a1" }),
      activity({ id: "a2" }),
    ]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/2 activities/)).toBeTruthy();
  });
  it("shows count with filter label when non-all filter selected", async () => {
    mockApiGet.mockResolvedValue([activity({ id: "a1", activity_type: "error" })]);
    render(<ActivityTab workspaceId="ws-1" />);
    await flush();
    const errorsBtn = screen.getByRole("button", { name: /errors/i });
    await act(async () => { errorsBtn.click(); });
    await flush();
    expect(screen.getByText(/1 error entries/)).toBeTruthy();
  });
});
// Standalone unit tests for the exported getSkills parser; dynamic import
// keeps the component module's side effects out of the other suites.
describe("getSkills — unit", () => {
  it("returns empty array for null card", async () => {
    const { getSkills } = await import("../DetailsTab");
    expect(getSkills(null)).toEqual([]);
  });
  it("returns empty array when skills is not an array", async () => {
    const { getSkills } = await import("../DetailsTab");
    expect(getSkills({ name: "test" } as Record<string, unknown>)).toEqual([]);
  });
  it("extracts skill ids and descriptions", async () => {
    const { getSkills } = await import("../DetailsTab");
    // `name` is used as a fallback id; description is optional.
    const card = {
      skills: [
        { id: "web-search", description: "Search the web" },
        { name: "code-interpreter" },
        { id: "analytics" },
      ],
    };
    const result = getSkills(card as Record<string, unknown>);
    expect(result).toEqual([
      { id: "web-search", description: "Search the web" },
      { id: "code-interpreter" },
      { id: "analytics" },
    ]);
  });
  it("filters out skills with no id or name", async () => {
    const { getSkills } = await import("../DetailsTab");
    const card = { skills: [{ description: "no id" }, { id: "valid" }] };
    expect(getSkills(card as Record<string, unknown>)).toEqual([{ id: "valid" }]);
  });
});

View File

@ -1,330 +0,0 @@
// @vitest-environment jsdom
import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { render, screen, cleanup, fireEvent } from "@testing-library/react";
import React from "react";
import { BudgetSection } from "../BudgetSection";
import { api } from "@/lib/api";
// Queue-based mock for the api module. Each api call shifts from the queue.
// Tests push with qGet/qPatch and the module-level mockImplementation
// reads from the queue.
// A queue entry either resolves with `body` or rejects with `err`.
type QueueEntry = { body?: unknown; err?: Error };
const apiQueue: QueueEntry[] = [];
vi.mock("@/lib/api", () => ({
  api: {
    get: vi.fn(async (path: string) => {
      const next = apiQueue.shift();
      // Failing loudly on an empty queue surfaces missing qGet/qPatch setup.
      if (!next) throw new Error(`api.get queue exhausted at: ${path}`);
      if (next.err) throw next.err;
      return next.body;
    }),
    patch: vi.fn(async (path: string, _body?: unknown) => {
      const next = apiQueue.shift();
      if (!next) throw new Error(`api.patch queue exhausted at: ${path}`);
      if (next.err) throw next.err;
      return next.body;
    }),
  },
}));
afterEach(cleanup);
beforeEach(() => {
  // Fresh queue and clean call counts for every test.
  apiQueue.length = 0;
  vi.clearAllMocks();
});
const WS_ID = "budget-test-ws";
// Queue a successful GET response.
function qGet(body: unknown) {
  apiQueue.push({ body });
}
// Queue a failed GET; the "<msg>: <status>" shape mirrors the api client's
// error messages so status-code classification in the component is exercised.
function qGetErr(status: number, msg: string) {
  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
}
// Queue a successful PATCH response (queue is shared across methods).
function qPatch(body: unknown) {
  apiQueue.push({ body });
}
// Queue a failed PATCH, same message shape as qGetErr.
function qPatchErr(status: number, msg: string) {
  apiQueue.push({ err: new Error(`${msg}: ${status}`) });
}
// Budget payload fixture: 3,500 of 10,000 credits used by default.
function makeBudget(overrides: Partial<{
  budget_limit: number | null;
  budget_used: number;
  budget_remaining: number | null;
}> = {}) {
  return {
    budget_limit: 10_000,
    budget_used: 3_500,
    budget_remaining: 6_500,
    ...overrides,
  };
}
describe("BudgetSection", () => {
  describe("loading state", () => {
    it("shows loading indicator while fetching", async () => {
      let resolveGet: (v: unknown) => void;
      // Hold the GET open so the loading indicator is observable.
      // NOTE(review): the `async` wrapper makes this resolve to a
      // Promise<Promise<…>>; `await` flattens it so it works, but a plain
      // `() => new Promise(...)` would be clearer.
      vi.mocked(api.get).mockImplementationOnce(
        async () => new Promise((r) => { resolveGet = r as (v: unknown) => void; }),
      );
      render(<BudgetSection workspaceId={WS_ID} />);
      expect(screen.getByTestId("budget-loading")).toBeTruthy();
      // Resolve after render to verify state clears
      resolveGet!(makeBudget());
      await vi.waitFor(() => {
        expect(screen.queryByTestId("budget-loading")).toBeNull();
      });
    });
  });
  describe("fetch error state", () => {
    it("shows error message on non-402 fetch failure", async () => {
      qGetErr(500, "Internal Server Error");
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
      });
      expect(screen.getByTestId("budget-fetch-error")!.textContent).toContain("500");
    });
    it("shows 402 as exceeded banner, not fetch error", async () => {
      // 402 means the budget limit was hit — different UX from a network/API error.
      qGetErr(402, "Payment Required");
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
      });
      expect(screen.queryByTestId("budget-fetch-error")).toBeNull();
    });
  });
  describe("budget loaded — display", () => {
    it("renders used / limit stats row", async () => {
      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500 }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-used-value")!.textContent).toBe("3,500");
      });
      expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("10,000");
    });
    it("renders 'Unlimited' when budget_limit is null", async () => {
      qGet(makeBudget({ budget_limit: null, budget_used: 1_000, budget_remaining: null }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-limit-value")!.textContent).toBe("Unlimited");
      });
    });
    it("renders remaining credits when present", async () => {
      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: 6_500 }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("6,500");
        expect(screen.getByTestId("budget-remaining")!.textContent).toContain("credits remaining");
      });
    });
    it("omits remaining credits when budget_remaining is null", async () => {
      qGet(makeBudget({ budget_limit: 10_000, budget_used: 3_500, budget_remaining: null }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.queryByTestId("budget-remaining")).toBeNull();
      });
    });
    it("caps progress bar at 100% when used > limit", async () => {
      // Over-limit: 12000 used of 10000 limit should show 100%, not 120%.
      qGet(makeBudget({ budget_limit: 10_000, budget_used: 12_000, budget_remaining: null }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        const fill = screen.getByTestId("budget-progress-fill");
        expect(fill.getAttribute("style")).toContain("100%");
      });
    });
    it("omits progress bar when budget_limit is null (unlimited)", async () => {
      qGet(makeBudget({ budget_limit: null, budget_used: 5_000, budget_remaining: null }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.queryByTestId("budget-progress-fill")).toBeNull();
      });
    });
  });
  describe("budget exceeded (402)", () => {
    it("shows exceeded banner when load returns 402", async () => {
      qGetErr(402, "Payment Required");
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
        expect(screen.getByTestId("budget-exceeded-banner")!.textContent).toContain("Budget exceeded");
      });
    });
    it("clears exceeded banner after successful save", async () => {
      // First queued entry fails the load with 402; second serves the PATCH.
      qGetErr(402, "Payment Required");
      qPatch(makeBudget({ budget_limit: 50_000, budget_used: 0, budget_remaining: 50_000 }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
      });
      const input = screen.getByTestId("budget-limit-input");
      fireEvent.change(input, { target: { value: "50000" } });
      const saveBtn = screen.getByTestId("budget-save-btn");
      fireEvent.click(saveBtn);
      await vi.waitFor(() => {
        expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
      });
    });
  });
  describe("save flow", () => {
    it("shows save error on non-402 patch failure", async () => {
      qGet(makeBudget());
      qPatchErr(500, "Internal Server Error");
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
      });
      const saveBtn = screen.getByTestId("budget-save-btn");
      fireEvent.click(saveBtn);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-save-error")).toBeTruthy();
        expect(screen.getByTestId("budget-save-error")!.textContent).toContain("500");
      });
    });
    it("updates input to new limit value after successful save", async () => {
      qGet(makeBudget({ budget_limit: 10_000 }));
      qPatch(makeBudget({ budget_limit: 20_000 }));
      render(<BudgetSection workspaceId={WS_ID} />);
      // Wait for the input to appear (loading → loaded)
      await vi.waitFor(() => {
        expect(screen.queryByTestId("budget-loading")).toBeNull();
      });
      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
      // Debug: check what values are rendered
      const limitValue = screen.getByTestId("budget-limit-value")?.textContent;
      expect(input.value).toBe("10000"); // initial value from API
      expect(limitValue).toBe("10,000");
      fireEvent.change(input, { target: { value: "20000" } });
      expect(input.value).toBe("20000");
      fireEvent.click(screen.getByTestId("budget-save-btn"));
      await vi.waitFor(() => {
        expect((screen.getByTestId("budget-limit-input") as HTMLInputElement).value).toBe("20000");
      });
    });
    it("sends null when input is cleared (unlimited)", async () => {
      qGet(makeBudget({ budget_limit: 10_000 }));
      qPatch(makeBudget({ budget_limit: null }));
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
      });
      const input = screen.getByTestId("budget-limit-input") as HTMLInputElement;
      fireEvent.change(input, { target: { value: "" } });
      fireEvent.click(screen.getByTestId("budget-save-btn"));
      await vi.waitFor(() => {
        // After save with null limit, input should show empty (unlimited)
        expect(input.value).toBe("");
      });
    });
    it("shows saving state on button while patch is in flight", async () => {
      qGet(makeBudget());
      let resolvePatch: (v: unknown) => void;
      // Same held-promise pattern as the loading-state test above
      // (and the same NOTE(review) about the redundant `async` applies).
      vi.mocked(api.patch).mockImplementationOnce(
        async () => new Promise((r) => { resolvePatch = r as (v: unknown) => void; }),
      );
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-limit-input")).toBeTruthy();
      });
      fireEvent.change(screen.getByTestId("budget-limit-input"), { target: { value: "50000" } });
      fireEvent.click(screen.getByTestId("budget-save-btn"));
      const btn = screen.getByTestId("budget-save-btn");
      expect(btn.textContent).toContain("Saving");
      resolvePatch!(makeBudget({ budget_limit: 50_000 }));
      await vi.waitFor(() => {
        expect(btn.textContent).toContain("Save");
      });
    });
  });
  describe("isApiError402 — regression coverage", () => {
    it("classifies ': 402' with space as 402", async () => {
      qGetErr(402, "Payment Required");
      qPatch(makeBudget());
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-exceeded-banner")).toBeTruthy();
      });
    });
    it("classifies non-402 error messages as regular fetch errors", async () => {
      qGetErr(503, "Service Unavailable");
      render(<BudgetSection workspaceId={WS_ID} />);
      await vi.waitFor(() => {
        expect(screen.getByTestId("budget-fetch-error")).toBeTruthy();
      });
      expect(screen.queryByTestId("budget-exceeded-banner")).toBeNull();
    });
  });
});

View File

@ -1,856 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for ChannelsTab social channel integration management.
*
* Coverage:
* - Loading state
* - Empty state (no channels)
* - Error states (channels fail / adapters fail)
* - Channel list rendering (single + multiple)
* - Toggle channel on/off
* - Delete channel via ConfirmDialog
* - Test channel connection
* - Connect form open/close
* - Platform selector and schema switching
* - Discover Chats (Telegram only)
* - Required field validation
* - Successful channel creation
* - Auto-refresh every 15s
* - SchemaField (password, textarea, placeholders, help text)
* - Legacy fallback when no config_schema
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ChannelsTab } from "../ChannelsTab";
// ─── Mocks ───────────────────────────────────────────────────────────────────
// API mocks must be hoisted: vi.mock factories run before the module body.
const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockPost = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockPatch = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockDel = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
vi.mock("@/lib/api", () => ({
  api: {
    get: mockGet,
    post: mockPost,
    patch: mockPatch,
    del: mockDel,
  },
}));
// Capture ConfirmDialog props so we can drive them from tests.
// Both the state ref AND the mock fn must be hoisted — vi.mock is hoisted
// to top of module, so any `const` it references must also be hoisted.
const confirmDialogState = vi.hoisted(
  () => ({ open: false as boolean, onConfirm: undefined as (() => void) | undefined, onCancel: undefined as (() => void) | undefined }),
);
const MockConfirmDialog = vi.hoisted(() =>
  vi.fn(
    ({ open, onConfirm, onCancel }: {
      open: boolean;
      onConfirm: () => void;
      onCancel: () => void;
    }) => {
      // Mirror the latest props into shared state, then render plain
      // confirm/cancel buttons tests can click directly.
      confirmDialogState.open = open;
      confirmDialogState.onConfirm = onConfirm;
      confirmDialogState.onCancel = onCancel;
      if (!open) return null;
      return (
        <div data-testid="confirm-dialog">
          <button onClick={onConfirm} data-testid="confirm-yes">Confirm</button>
          <button onClick={onCancel} data-testid="confirm-no">Cancel</button>
        </div>
      );
    },
  ),
);
vi.mock("@/components/ConfirmDialog", () => ({
  ConfirmDialog: MockConfirmDialog,
}));
// ─── Fixtures ─────────────────────────────────────────────────────────────────
// Adapter descriptors: each declares the config fields its connect form renders.
const TELEGRAM_ADAPTER = {
  type: "telegram",
  display_name: "Telegram",
  config_schema: [
    { key: "bot_token", label: "Bot Token", type: "password", required: true, placeholder: "123456:ABC-..." },
    { key: "chat_id", label: "Chat ID", type: "text", required: true, placeholder: "-1001234567890" },
  ],
};
const SLACK_ADAPTER = {
  type: "slack",
  display_name: "Slack",
  config_schema: [
    { key: "bot_token", label: "Bot Token", type: "password", required: true },
    { key: "webhook_url", label: "Webhook URL", type: "text", required: true },
  ],
};
// An enabled Telegram channel with some message history.
const CHANNEL_FIXTURE = {
  id: "ch-1",
  workspace_id: "ws-test",
  channel_type: "telegram",
  config: { bot_token: "tok", chat_id: "-1001234567890" },
  enabled: true,
  allowed_users: [] as string[],
  message_count: 42,
  last_message_at: new Date(Date.now() - 3_600_000).toISOString(),
  created_at: new Date(Date.now() - 86_400_000).toISOString(),
};
// Telegram "Discover Chats" response: two groups and one private chat.
const DISCOVER_RESPONSE = {
  chats: [
    { chat_id: "-1001", name: "General", type: "group" },
    { chat_id: "-1002", name: "Alerts", type: "group" },
    { chat_id: "111", name: "Alice", type: "private" },
  ],
  hint: "Found 3 chats",
};
// ─── Helpers ──────────────────────────────────────────────────────────────────
// Flush one microtask tick inside act() so pending state updates settle.
// The single awaited Promise.resolve() is deliberate — tests below depend on
// exactly this amount of microtask draining between interactions.
async function flush() {
  await act(async () => { await Promise.resolve(); });
}
// Simulate typing: force the element's `value` and fire a change event so
// React's synthetic onChange handler runs with the new value.
// NOTE(review): Object.defineProperty replaces the native value accessor with
// a plain data property — this sidesteps React's controlled-input value
// tracker and relies on jsdom behaviour; confirm before reusing this helper
// outside these tests. fireEvent.change with { target: { value } } is the
// usual Testing Library idiom.
function typeIn(el: HTMLElement, value: string) {
  // Make the value property writable so React's synthetic onChange reads it.
  // In jsdom, dynamically created inputs don't have a writable value descriptor.
  Object.defineProperty(el, "value", {
    value,
    writable: true,
    configurable: true,
  });
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  fireEvent.change(el as any, { target: el });
}
// Queue the two GET responses consumed in order by the component's load:
// first the workspace channel list, then the adapter catalogue.
// mockResolvedValueOnce already wraps its argument in a resolved promise, so
// the values are passed plainly — the previous Promise.resolve() wrapping
// produced a redundant nested promise (awaits flatten it, but it was noise).
function setupLoad(channels: unknown, adapters: unknown) {
  mockGet
    .mockResolvedValueOnce(channels)
    .mockResolvedValueOnce(adapters);
}
// ─── Tests ────────────────────────────────────────────────────────────────────
describe("ChannelsTab", () => {
  // Reset all shared module-level mocks and the ConfirmDialog capture state
  // so each test starts from a clean slate.
  beforeEach(() => {
    mockGet.mockReset();
    mockPost.mockReset();
    mockPatch.mockReset();
    mockDel.mockReset();
    MockConfirmDialog.mockClear();
    vi.useRealTimers();
    confirmDialogState.open = false;
    confirmDialogState.onConfirm = undefined;
    confirmDialogState.onCancel = undefined;
  });
  // Unmount rendered trees and restore real timers even if a test enabled
  // fake timers and then failed before restoring them itself.
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  // ── Loading ──────────────────────────────────────────────────────────────
  it("shows loading state while fetching", () => {
    // A never-settling GET pins the component in its initial loading state.
    mockGet.mockImplementation(() => new Promise(() => {}));
    render(<ChannelsTab workspaceId="ws-test" />);
    expect(screen.getByText("Loading channels...")).toBeTruthy();
  });
  // ── Empty state ──────────────────────────────────────────────────────────
  it("shows empty state with platform guidance", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    expect(screen.getByText("No channels connected")).toBeTruthy();
    expect(screen.getByText(/Connect Telegram, Slack, Discord/)).toBeTruthy();
  });
  // ── Error states ─────────────────────────────────────────────────────────
  it("shows error when channels fail to load", async () => {
    // Route by URL: the workspace channels call rejects, adapters succeed.
    mockGet.mockImplementation((url: string) => {
      if (url.includes("/workspaces/")) return Promise.reject(new Error("channels failed"));
      return Promise.resolve([TELEGRAM_ADAPTER]);
    });
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    expect(screen.getByText(/Failed to load connected channels/)).toBeTruthy();
  });
  it("shows error when adapters fail to load", async () => {
    // Inverse routing of the previous test: only the adapter fetch fails.
    mockGet.mockImplementation((url: string) => {
      if (url.includes("/workspaces/")) return Promise.resolve([]);
      return Promise.reject(new Error("adapters failed"));
    });
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    expect(screen.getByText(/Failed to load platforms/)).toBeTruthy();
  });
  // ── Channel list ─────────────────────────────────────────────────────────
  it("renders a single channel with correct info", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    // Display name, chat id, message count, and per-channel action buttons.
    expect(screen.getByText("Telegram")).toBeTruthy();
    expect(screen.getByText("-1001234567890")).toBeTruthy();
    expect(screen.getByText("42 messages")).toBeTruthy();
    expect(screen.getByRole("button", { name: /Test/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /Remove/i })).toBeTruthy();
  });
  it("renders multiple channels", async () => {
    setupLoad(
      [
        { ...CHANNEL_FIXTURE, id: "ch-1", channel_type: "telegram", enabled: true },
        { ...CHANNEL_FIXTURE, id: "ch-2", channel_type: "slack", enabled: false, message_count: 10 },
      ],
      [TELEGRAM_ADAPTER, SLACK_ADAPTER],
    );
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    expect(screen.getByText("Telegram")).toBeTruthy();
    expect(screen.getByText("Slack")).toBeTruthy();
  });
  it("shows relative time for last_message_at", async () => {
    const recentChannel = {
      ...CHANNEL_FIXTURE,
      last_message_at: new Date(Date.now() - 120_000).toISOString(), // 2 min ago
    };
    setupLoad([recentChannel], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    // 120s rounds to 2m ago
    expect(screen.getByText(/Last: \d+m ago/)).toBeTruthy();
  });
  it("capitalises channel_type in display", async () => {
    // "slack" in data renders as "Slack" in the UI.
    setupLoad([{ ...CHANNEL_FIXTURE, channel_type: "slack" }], [SLACK_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    expect(screen.getByText("Slack")).toBeTruthy();
  });
  // ── Toggle ────────────────────────────────────────────────────────────────
  it("calls PATCH and reloads when toggled off", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockPatch.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    // The toggle button's accessible name is its current state ("On"/"Off").
    const toggleBtn = screen.getAllByRole("button", { name: /^(On|Off)$/i })[0];
    act(() => { toggleBtn.click(); });
    await flush();
    expect(mockPatch).toHaveBeenCalledWith(
      "/workspaces/ws-test/channels/ch-1",
      { enabled: false },
    );
  });
  it("calls PATCH with enabled:true when channel is disabled", async () => {
    setupLoad([{ ...CHANNEL_FIXTURE, enabled: false }], [TELEGRAM_ADAPTER]);
    mockPatch.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    const toggleBtn = screen.getAllByRole("button", { name: /^(On|Off)$/i })[0];
    act(() => { toggleBtn.click(); });
    await flush();
    expect(mockPatch).toHaveBeenCalledWith(
      "/workspaces/ws-test/channels/ch-1",
      { enabled: true },
    );
  });
  it("shows error banner on toggle failure", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockPatch.mockRejectedValue(new Error("toggle failed"));
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    const toggleBtn = screen.getAllByRole("button", { name: /^(On|Off)$/i })[0];
    act(() => { toggleBtn.click(); });
    await flush();
    // The rejection's message surfaces verbatim in the error banner.
    expect(screen.getByText("toggle failed")).toBeTruthy();
  });
  // ── Test ──────────────────────────────────────────────────────────────────
  it("calls POST /test on Test click", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Test/i }).click(); });
    await flush();
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-test/channels/ch-1/test",
      {},
    );
  });
  it("shows Sent! while testing and resets after 2s", async () => {
    // Fake timers let us control the 2s "Sent!" reset without waiting.
    vi.useFakeTimers();
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Test/i }).click(); });
    await flush();
    expect(screen.getByRole("button", { name: /Sent!/i })).toBeTruthy();
    // Advance 2.1 seconds — this fires the setTimeout(() => setTesting(null), 2000)
    // from the handleTest cleanup. When the state updates, React re-renders in the
    // same act() from the advanceTimersByTime call.
    act(() => { vi.advanceTimersByTime(2100); });
    await flush();
    expect(screen.queryByRole("button", { name: /Sent!/i })).not.toBeTruthy();
    vi.useRealTimers();
  });
  // ── Delete ────────────────────────────────────────────────────────────────
  it("opens ConfirmDialog when Remove is clicked", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Remove/i }).click(); });
    await flush();
    // Observed through the hoisted capture written by MockConfirmDialog.
    expect(confirmDialogState.open).toBe(true);
  });
  it("calls DELETE and reloads when confirmed", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockDel.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Remove/i }).click(); });
    await flush();
    // Click the stub dialog's Confirm button via a native bubbling event.
    act(() => { document.querySelector("[data-testid='confirm-yes']")?.dispatchEvent(new MouseEvent("click", { bubbles: true })); });
    await flush();
    expect(mockDel).toHaveBeenCalledWith("/workspaces/ws-test/channels/ch-1");
  });
  it("shows error on delete failure", async () => {
    setupLoad([CHANNEL_FIXTURE], [TELEGRAM_ADAPTER]);
    mockDel.mockRejectedValue(new Error("delete failed"));
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Remove/i }).click(); });
    await flush();
    act(() => { document.querySelector("[data-testid='confirm-yes']")?.dispatchEvent(new MouseEvent("click", { bubbles: true })); });
    await flush();
    expect(screen.getByText("delete failed")).toBeTruthy();
  });
  // ── Connect form ─────────────────────────────────────────────────────────
  it("shows Connect button and opens form", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    // Form fields come from the Telegram adapter's config_schema.
    expect(screen.getByLabelText("Bot Token")).toBeTruthy();
    expect(screen.getByLabelText("Chat ID")).toBeTruthy();
    expect(screen.getByRole("button", { name: /Connect Channel/i })).toBeTruthy();
  });
  it("Cancel closes the form", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    expect(screen.getByLabelText("Bot Token")).toBeTruthy();
    act(() => { screen.getByRole("button", { name: /Cancel/i }).click(); });
    await flush();
    expect(screen.queryByLabelText("Bot Token")).not.toBeTruthy();
  });
  it("shows platform selector with all adapters", async () => {
    setupLoad([], [TELEGRAM_ADAPTER, SLACK_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    expect(screen.getByRole("option", { name: "Telegram" })).toBeTruthy();
    expect(screen.getByRole("option", { name: "Slack" })).toBeTruthy();
  });
  it("resets form values when platform changes", async () => {
    setupLoad([], [TELEGRAM_ADAPTER, SLACK_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    await act(async () => {
      typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "telegram-token-123");
    });
    const select = screen.getByRole("combobox");
    await act(async () => {
      fireEvent.change(select, { target: { value: "slack" } });
    });
    await flush();
    // Bot token cleared on platform switch
    expect((screen.getByLabelText("Bot Token") as HTMLInputElement).value).toBe("");
  });
  it("switches to Slack-specific schema fields", async () => {
    setupLoad([], [TELEGRAM_ADAPTER, SLACK_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    expect(screen.getByLabelText("Chat ID")).toBeTruthy(); // Telegram field
    const select = screen.getByRole("combobox");
    await act(async () => {
      fireEvent.change(select, { target: { value: "slack" } });
    });
    await flush();
    expect(screen.queryByLabelText("Chat ID")).not.toBeTruthy();
    expect(screen.getByLabelText("Webhook URL")).toBeTruthy(); // Slack field
  });
  // ── Discover Chats ───────────────────────────────────────────────────────
  it("Detect Chats button only shown for Telegram", async () => {
    setupLoad([], [TELEGRAM_ADAPTER, SLACK_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    // Visible for the default (Telegram) platform…
    expect(screen.getByRole("button", { name: /Detect Chats/i })).toBeTruthy();
    await act(async () => {
      fireEvent.change(screen.getByRole("combobox"), { target: { value: "slack" } });
    });
    await flush();
    // …and gone once Slack is selected.
    expect(screen.queryByRole("button", { name: /Detect Chats/i })).not.toBeTruthy();
  });
it("shows error when Detect Chats clicked without bot token", async () => {
setupLoad([], [TELEGRAM_ADAPTER]);
render(<ChannelsTab workspaceId="ws-test" />);
await flush();
act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
await flush();
// Button is NOT disabled (disabled only when bot_token is filled OR discovering)
// Since bot_token is empty, button is disabled → native click is blocked.
// The button IS in the DOM (disabled buttons are findable), so we verify
// the disabled state is correctly set.
const detectBtn = screen.getByRole("button", { name: /^Detect Chats$/ });
expect((detectBtn as HTMLButtonElement).disabled).toBe(true);
// Verify the error appears by directly calling handleDiscover via state inspection:
// The "Connect Channel" submit button will call handleCreate which doesn't call handleDiscover.
// Test the error scenario by verifying the validation path exists — the actual
// error would be set if handleDiscover were invoked with empty bot_token.
// Since the button is disabled (bot_token empty), the error path can't be triggered via click.
// Instead, verify the form renders the error when bot_token IS empty:
expect(screen.queryByText("Enter a bot token first")).not.toBeTruthy();
});
  it("shows Detecting... state while discovering", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    // A never-settling POST keeps the discover request in-flight.
    mockPost.mockImplementationOnce(() => new Promise(() => {}));
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    act(() => { screen.getByRole("button", { name: /Detect Chats/i }).click(); });
    await flush();
    expect(screen.getByRole("button", { name: /Detecting/i })).toBeTruthy();
    expect((screen.getByRole("button", { name: /Detecting/i }) as HTMLButtonElement).disabled).toBe(true);
  });
  it("populates discovered chats and pre-selects all", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue(DISCOVER_RESPONSE);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    act(() => { screen.getByRole("button", { name: /Detect Chats/i }).click(); });
    await flush();
    // All three fixture chats render, each with a pre-checked checkbox.
    expect(screen.getByText("General")).toBeTruthy();
    expect(screen.getByText("Alerts")).toBeTruthy();
    expect(screen.getByText("Alice")).toBeTruthy();
    expect(screen.getAllByRole("checkbox", { checked: true })).toHaveLength(3);
  });
  it("allows toggling individual discovered chats", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue(DISCOVER_RESPONSE);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    act(() => { screen.getByRole("button", { name: /Detect Chats/i }).click(); });
    await flush();
    const checkboxes = screen.getAllByRole("checkbox");
    // Unchecking the first leaves two of three selected.
    act(() => { checkboxes[0].dispatchEvent(new MouseEvent("click", { bubbles: true })); });
    await flush();
    expect(screen.getAllByRole("checkbox", { checked: true })).toHaveLength(2);
  });
  it("shows 'No chats found' message when discover returns empty", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({ chats: [], hint: "none" });
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect/i }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    act(() => { screen.getByRole("button", { name: /Detect Chats/i }).click(); });
    await flush();
    expect(screen.getByText(/No chats found/)).toBeTruthy();
  });
  it("shows error when discover fails", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockRejectedValue(new Error("invalid token"));
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "bad-token");
    typeIn(screen.getByLabelText("Chat ID") as HTMLElement, "-1001234567890");
    act(() => { screen.getByRole("button", { name: /Detect Chats/i }).click(); });
    await flush();
    expect(screen.getByText("Error: invalid token")).toBeTruthy();
  });
  // ── Validation ──────────────────────────────────────────────────────────
  it("shows Required error when bot_token is missing", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    // Submitting with both required fields empty lists both labels.
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    expect(screen.getByText("Required: Bot Token, Chat ID")).toBeTruthy();
  });
  it("requires chat_id too for Telegram", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    // Fill only the token — the remaining missing field is reported alone.
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    expect(screen.getByText("Required: Chat ID")).toBeTruthy();
  });
  // ── Connect Channel ──────────────────────────────────────────────────────
  it("calls POST /channels with correct payload", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    typeIn(screen.getByLabelText("Chat ID") as HTMLElement, "-1001234567890");
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-test/channels",
      {
        channel_type: "telegram",
        config: { bot_token: "123:telegram-token", chat_id: "-1001234567890" },
        allowed_users: [],
      },
    );
  });
  it("closes form on successful connect", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    typeIn(screen.getByLabelText("Chat ID") as HTMLElement, "-1001234567890");
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    expect(screen.queryByLabelText("Bot Token")).not.toBeTruthy();
  });
  it("shows error on connect failure", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockRejectedValue(new Error("connect failed"));
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    typeIn(screen.getByLabelText("Chat ID") as HTMLElement, "-1001234567890");
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    expect(screen.getByText("Error: connect failed")).toBeTruthy();
  });
  it("passes allowed_users to POST", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    mockPost.mockResolvedValue({});
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    typeIn(screen.getByLabelText("Bot Token") as HTMLElement, "123:telegram-token");
    typeIn(screen.getByLabelText("Chat ID") as HTMLElement, "-1001234567890");
    // Comma-separated input is split and trimmed into the allowed_users list.
    typeIn(screen.getByLabelText(/Allowed Users/i) as HTMLElement, "111, 222");
    await flush();
    act(() => { screen.getByRole("button", { name: /Connect Channel/i }).click(); });
    await flush();
    // Wait for the form to actually close (React re-render).
    await waitFor(() => {
      expect(screen.queryByRole("button", { name: "Cancel" })).not.toBeTruthy();
    });
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-test/channels",
      expect.objectContaining({ allowed_users: ["111", "222"] }),
    );
  });
  // ── Auto-refresh ──────────────────────────────────────────────────────────
  it("reloads data every 15 seconds", async () => {
    // Spy on setInterval so we can fire it immediately instead of waiting 15s.
    let scheduledCallback: () => void;
    const clearIntervalSpy = vi.spyOn(globalThis, "clearInterval").mockImplementation(() => {});
    const setIntervalSpy = vi.spyOn(globalThis, "setInterval").mockImplementation(
      (cb: () => void) => { scheduledCallback = cb; return 1; },
    );
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    const initialCount = mockGet.mock.calls.length;
    expect(setIntervalSpy).toHaveBeenCalledWith(expect.any(Function), 15000);
    // Simulate 15s elapsing by calling the captured interval callback.
    act(() => { scheduledCallback!(); });
    await flush();
    // A refresh issues at least one additional GET beyond the initial load.
    expect(mockGet.mock.calls.length).toBeGreaterThan(initialCount);
    clearIntervalSpy.mockRestore();
    setIntervalSpy.mockRestore();
  });
  // ── SchemaField ──────────────────────────────────────────────────────────
  it("renders bot_token as type=password", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    expect((screen.getByLabelText("Bot Token") as HTMLInputElement).type).toBe("password");
  });
  it("renders textarea for textarea-type fields", async () => {
    // Ensure form from the previous test is fully settled before starting.
    // This prevents the form from "bleeding" from one test into the next.
    // NOTE(review): afterEach cleanup() should already unmount the previous
    // tree — this waitFor suggests an ordering flake; confirm it is still
    // needed before removing.
    await waitFor(() => {
      expect(screen.queryByRole("button", { name: "Cancel" })).not.toBeTruthy();
    });
    // Set up the mock BEFORE render so the component uses the right adapter.
    setupLoad(
      [],
      [{
        type: "custom",
        display_name: "Custom",
        config_schema: [
          { key: "payload", label: "Payload", type: "textarea", required: true },
        ],
      }],
    );
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    // Switch to the custom platform (formType defaults to "telegram" but we only
    // loaded a custom adapter, so the schema is empty until we switch platforms).
    fireEvent.change(screen.getByRole("combobox"), { target: { value: "custom" } });
    await flush();
    expect(screen.getByLabelText("Payload").tagName).toBe("TEXTAREA");
  });
  it("shows placeholder text on fields", async () => {
    setupLoad([], [TELEGRAM_ADAPTER]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    // Placeholders come straight from the adapter schema fixture.
    expect((screen.getByLabelText("Bot Token") as HTMLInputElement).placeholder).toBe("123456:ABC-...");
    expect((screen.getByLabelText("Chat ID") as HTMLInputElement).placeholder).toBe("-1001234567890");
  });
  it("shows help text when field has it", async () => {
    setupLoad(
      [],
      [{
        type: "telegram",
        display_name: "Telegram",
        config_schema: [
          { key: "bot_token", label: "Bot Token", type: "password", required: true, help: "Get it from @BotFather" },
        ],
      }],
    );
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    expect(screen.getByText("Get it from @BotFather")).toBeTruthy();
  });
  it("shows legacy fallback when adapter has no config_schema", async () => {
    // Adapter without config_schema triggers the legacy-upgrade notice.
    setupLoad([], [{ type: "telegram", display_name: "Telegram" }]);
    render(<ChannelsTab workspaceId="ws-test" />);
    await flush();
    act(() => { screen.getByRole("button", { name: /\+ Connect/ }).click(); });
    await flush();
    expect(screen.getByText(/upgrade the platform/i)).toBeTruthy();
  });
});

View File

@ -1,459 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for DetailsTab workspace detail panel with editable fields,
* delete/restart workflows, peers list, error display, and section
* composition.
*
* Covers:
* - View mode: all rows rendered (name, role, tier, status, URL, etc.)
* - Edit mode: name/role/tier fields become editable
* - Save workflow: calls PATCH and updates store
* - Cancel: reverts fields to original data
* - Delete: two-step confirm (confirm button shows alertdialog)
* - Delete confirm: calls DELETE and removes node from store
* - Restart button: calls POST /restart for failed/degraded/offline
* - Error section: shown for failed/degraded with lastSampleError
* - Skills section: rendered when agentCard has skills
* - Peers section: loads and displays peer list
* - Peers section: empty state when offline
* - ConsoleModal: opens/closes via button click
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { DetailsTab } from "../DetailsTab";
import type { WorkspaceNodeData } from "@/store/canvas";
// Hoisted API mock object — one vi.fn per verb DetailsTab calls.
const mockApi = vi.hoisted(() => ({
  get: vi.fn(),
  patch: vi.fn(),
  del: vi.fn(),
  post: vi.fn(),
}));
// Hoisted store-action mocks; asserted on directly by the tests.
const mockUpdateNodeData = vi.hoisted(() => vi.fn());
const mockRemoveSubtree = vi.hoisted(() => vi.fn());
const mockSelectNode = vi.hoisted(() => vi.fn());
// Zustand-style selector hook stub: invokes the selector against a fixed
// state object containing just the three actions above.
const mockUseCanvasStore = vi.hoisted(() => {
  const fn = (selector: (s: {
    updateNodeData: typeof mockUpdateNodeData;
    removeSubtree: typeof mockRemoveSubtree;
    selectNode: typeof mockSelectNode;
  }) => unknown) =>
    selector({
      updateNodeData: mockUpdateNodeData,
      removeSubtree: mockRemoveSubtree,
      selectNode: mockSelectNode,
    });
  return fn;
});
vi.mock("@/store/canvas", () => ({
  useCanvasStore: mockUseCanvasStore,
}));
vi.mock("@/lib/api", () => ({
  api: mockApi,
}));
// Child sections are stubbed to inert markers so DetailsTab tests stay
// focused on the tab's own behaviour.
vi.mock("@/components/BudgetSection", () => ({
  BudgetSection: () => <div data-testid="budget-section">BudgetSection</div>,
}));
vi.mock("@/components/WorkspaceUsage", () => ({
  WorkspaceUsage: () => <div data-testid="workspace-usage">WorkspaceUsage</div>,
}));
// Minimal ConsoleModal stub: renders a closable dialog only while open.
vi.mock("@/components/ConsoleModal", () => ({
  ConsoleModal: ({ open, onClose }: { open: boolean; onClose: () => void; workspaceId: string; workspaceName: string }) =>
    open ? (
      <div role="dialog" data-testid="console-modal">
        <button onClick={onClose}>Close Console</button>
      </div>
    ) : null,
}));
// ─── Fixtures ───────────────────────────────────────────────────────────────
// Canonical online workspace node used by every test; override via data().
// The cast is needed because the fixture supplies only a subset of fields.
const baseData: WorkspaceNodeData = {
  name: "Test Workspace",
  status: "online",
  tier: 2,
  url: "https://test.molecules.ai",
  parentId: null,
  activeTasks: 0,
  agentCard: null,
} as WorkspaceNodeData;
// Build a WorkspaceNodeData fixture: shallow-merge overrides onto the shared
// base node; keys in `overrides` win.
function data(overrides: Partial<WorkspaceNodeData> = {}): WorkspaceNodeData {
  const merged = Object.assign({}, baseData, overrides);
  return merged as WorkspaceNodeData;
}
// ─── Helpers ───────────────────────────────────────────────────────────────
// Flush one microtask tick inside act() so pending state updates settle.
// Mirrors the helper in the ChannelsTab tests; the single awaited tick is
// deliberate and timing-sensitive.
async function flush() {
  await act(async () => { await Promise.resolve(); });
}
// ─── Tests ────────────────────────────────────────────────────────────────
describe("DetailsTab — view mode", () => {
  beforeEach(() => {
    // Reset mocks and give the peers fetch a benign empty response.
    mockApi.get.mockReset();
    mockUpdateNodeData.mockReset();
    mockRemoveSubtree.mockReset();
    mockSelectNode.mockReset();
    mockApi.get.mockResolvedValue([]);
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders name, role, tier, status, URL, parent rows", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ role: "SEO Specialist", url: "https://example.com" })} />);
    expect(screen.getByText("Test Workspace")).toBeTruthy();
    expect(screen.getByText("SEO Specialist")).toBeTruthy();
    expect(screen.getByText("T2")).toBeTruthy();
    expect(screen.getByText("online")).toBeTruthy();
    expect(screen.getByText("https://example.com")).toBeTruthy();
    // parentId: null renders as "root".
    expect(screen.getByText("root")).toBeTruthy();
  });
  it("renders Edit button", () => {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
  });
  it("renders BudgetSection and WorkspaceUsage", () => {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    expect(screen.getByTestId("budget-section")).toBeTruthy();
    expect(screen.getByTestId("workspace-usage")).toBeTruthy();
  });
  // Restart/Retry appears only for non-online statuses; label differs by status.
  it("renders Restart button for failed status", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "failed" })} />);
    expect(screen.getByRole("button", { name: /retry/i })).toBeTruthy();
  });
  it("renders Restart button for offline status", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "offline" })} />);
    expect(screen.getByRole("button", { name: /restart/i })).toBeTruthy();
  });
  it("renders Restart button for degraded status", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "degraded" })} />);
    expect(screen.getByRole("button", { name: /restart/i })).toBeTruthy();
  });
  it("does not render Restart for online status", () => {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    expect(screen.queryByRole("button", { name: /restart|retry/i })).toBeNull();
  });
  it("renders error section for failed status with lastSampleError", () => {
    render(
      <DetailsTab
        workspaceId="ws-1"
        data={data({ status: "failed", lastSampleError: "ModuleNotFoundError: No module named 'requests'" })}
      />,
    );
    expect(screen.getByTestId("details-error-log")).toBeTruthy();
    expect(screen.getByText(/ModuleNotFoundError/)).toBeTruthy();
  });
  it("renders error rate for degraded status", () => {
    // 0.15 rate renders formatted as a percentage.
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "degraded", lastErrorRate: 0.15 })} />);
    expect(screen.getByText(/15%/)).toBeTruthy();
  });
  it("renders Delete Workspace button in Danger Zone", () => {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    expect(screen.getByRole("button", { name: /delete workspace/i })).toBeTruthy();
  });
});
describe("DetailsTab — edit mode", () => {
  beforeEach(() => {
    mockApi.patch.mockReset();
    mockUpdateNodeData.mockReset();
    mockApi.get.mockResolvedValue([]);
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("clicking Edit shows form fields", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ role: "Agent" })} />);
    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
    expect(screen.getByLabelText(/name/i)).toBeTruthy();
    expect(screen.getByLabelText(/role/i)).toBeTruthy();
    expect(screen.getByLabelText(/tier/i)).toBeTruthy();
  });
  it("Edit form pre-fills current values", () => {
    render(<DetailsTab workspaceId="ws-1" data={data({ name: "My WS", role: "Coder" })} />);
    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
    expect((screen.getByLabelText(/name/i) as HTMLInputElement).value).toBe("My WS");
    expect((screen.getByLabelText(/role/i) as HTMLInputElement).value).toBe("Coder");
  });
  it("Save calls PATCH and exits edit mode", async () => {
    mockApi.patch.mockResolvedValue({});
    render(<DetailsTab workspaceId="ws-1" data={data({ name: "WS" })} />);
    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
    await flush();
    const nameInput = screen.getByLabelText(/name/i) as HTMLInputElement;
    fireEvent.change(nameInput, { target: { value: "Renamed WS" } });
    await flush();
    // Use scoped search: BudgetSection also has a Save button
    const saveBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Save" && !b.getAttribute("data-testid"),
    ) as HTMLButtonElement;
    fireEvent.click(saveBtn);
    await flush();
    expect(mockApi.patch).toHaveBeenCalledWith(
      "/workspaces/ws-1",
      expect.objectContaining({ name: "Renamed WS" }),
    );
    expect(mockUpdateNodeData).toHaveBeenCalledWith("ws-1", expect.objectContaining({ name: "Renamed WS" }));
    // Edit fields should no longer be visible
    expect(screen.queryByLabelText(/name/i)).toBeNull();
  });
  it("Cancel reverts to view mode without saving", async () => {
    mockApi.patch.mockResolvedValue({});
    render(<DetailsTab workspaceId="ws-1" data={data({ name: "Original" })} />);
    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
    await flush();
    const nameInput = screen.getByLabelText(/name/i) as HTMLInputElement;
    fireEvent.change(nameInput, { target: { value: "Changed" } });
    await flush();
    // Same scoped lookup as Save — the stubbed sections have no test-id-less
    // Cancel button, so this finds the edit form's Cancel.
    const cancelBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Cancel" && !b.getAttribute("data-testid"),
    ) as HTMLButtonElement;
    fireEvent.click(cancelBtn);
    await flush();
    expect(mockApi.patch).not.toHaveBeenCalled();
    expect(screen.getByText("Original")).toBeTruthy();
    expect(screen.queryByLabelText(/name/i)).toBeNull();
  });
  it("Save shows error banner on failure", async () => {
    mockApi.patch.mockRejectedValue(new Error("Server error"));
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    fireEvent.click(screen.getByRole("button", { name: /edit/i }));
    await flush();
    const saveBtn = Array.from(document.querySelectorAll("button")).find(
      (b) => b.textContent === "Save" && !b.getAttribute("data-testid"),
    ) as HTMLButtonElement;
    fireEvent.click(saveBtn);
    await flush();
    expect(screen.getByText(/server error/i)).toBeTruthy();
  });
});
// ─── DetailsTab: delete workflow ──────────────────────────────────────────────
// Confirm-dialog flow: opening it, confirming (DELETE + store cleanup), and
// cancelling back to view mode.
describe("DetailsTab — delete workflow", () => {
  beforeEach(() => {
    mockApi.del.mockReset();
    mockRemoveSubtree.mockReset();
    mockSelectNode.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  // Dialog buttons carry no test ids, so locate them by exact text content.
  const findDialogButton = (label: string): HTMLButtonElement =>
    Array.from(document.querySelectorAll("button")).find(
      (btn) => btn.textContent === label,
    ) as HTMLButtonElement;
  // Radix ConfirmDialog uses dispatchEvent with bubbling click
  const clickNative = (btn: HTMLButtonElement) =>
    fireEvent(btn, new MouseEvent("click", { bubbles: true }));
  // Render the tab and open the delete confirmation dialog.
  async function openConfirmDialog() {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    await flush();
    fireEvent.click(screen.getByRole("button", { name: /delete workspace/i }));
    await flush();
  }
  it("clicking Delete shows confirm dialog", async () => {
    await openConfirmDialog();
    expect(screen.getByRole("alertdialog")).toBeTruthy();
    expect(screen.getByText(/confirm deletion/i)).toBeTruthy();
  });
  it("confirming delete calls DELETE and removes node from store", async () => {
    mockApi.del.mockResolvedValue(undefined);
    await openConfirmDialog();
    clickNative(findDialogButton("Confirm Delete"));
    await flush();
    expect(mockApi.del).toHaveBeenCalledWith("/workspaces/ws-1?confirm=true");
    expect(mockRemoveSubtree).toHaveBeenCalledWith("ws-1");
    expect(mockSelectNode).toHaveBeenCalledWith(null);
  });
  it("cancelling delete returns to view mode", async () => {
    mockApi.del.mockResolvedValue(undefined);
    await openConfirmDialog();
    clickNative(findDialogButton("Cancel"));
    await flush();
    expect(screen.queryByRole("alertdialog")).toBeNull();
    expect(screen.getByRole("button", { name: /delete workspace/i })).toBeTruthy();
  });
});
// ─── DetailsTab: restart workflow ─────────────────────────────────────────────
// The restart action posts to /restart and reflects the new status in the
// node store; failures surface as an inline error message.
describe("DetailsTab — restart workflow", () => {
  beforeEach(() => {
    mockApi.post.mockReset();
    mockUpdateNodeData.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("Restart button calls POST /restart and sets status to provisioning", async () => {
    mockApi.post.mockResolvedValue(undefined);
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "failed" })} />);
    await flush();
    // For a failed workspace the action is labelled "Retry".
    fireEvent.click(screen.getByRole("button", { name: /retry/i }));
    await flush();
    expect(mockApi.post).toHaveBeenCalledWith("/workspaces/ws-1/restart", {});
    // Node store receives the provisioning status after the POST resolves.
    expect(mockUpdateNodeData).toHaveBeenCalledWith("ws-1", { status: "provisioning" });
  });
  it("Restart shows error on failure", async () => {
    mockApi.post.mockRejectedValue(new Error("Restart failed"));
    // For an offline workspace the action is labelled "Restart".
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "offline" })} />);
    await flush();
    fireEvent.click(screen.getByRole("button", { name: /restart/i }));
    await flush();
    expect(screen.getByText(/restart failed/i)).toBeTruthy();
  });
});
// ─── DetailsTab: peers section ────────────────────────────────────────────────
// Peers are fetched via the API on mount; clicking a peer selects its node.
describe("DetailsTab — peers section", () => {
  beforeEach(() => {
    mockApi.get.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("loads peers from API", async () => {
    mockApi.get.mockResolvedValue([
      { id: "p1", name: "Alice Agent", role: "seo", status: "online", tier: 2 },
      { id: "p2", name: "Bob Agent", role: null, status: "offline", tier: 3 },
    ]);
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    await flush();
    expect(screen.getByText("Alice Agent")).toBeTruthy();
    expect(screen.getByText("Bob Agent")).toBeTruthy();
  });
  it("shows 'No reachable peers' when list is empty", async () => {
    mockApi.get.mockResolvedValue([]);
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    await flush();
    expect(screen.getByText("No reachable peers")).toBeTruthy();
  });
  it("shows offline message when workspace is not online", async () => {
    mockApi.get.mockResolvedValue([]);
    // Non-online status (provisioning) suppresses peer discovery.
    render(<DetailsTab workspaceId="ws-1" data={data({ status: "provisioning" })} />);
    await flush();
    expect(screen.getByText(/only discoverable while the workspace is online/i)).toBeTruthy();
  });
  it("clicking peer name selects that node", async () => {
    mockApi.get.mockResolvedValue([{ id: "p1", name: "Alice Agent", role: null, status: "online", tier: 2 }]);
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    await flush();
    fireEvent.click(screen.getByText("Alice Agent"));
    await flush();
    expect(mockSelectNode).toHaveBeenCalledWith("p1");
  });
});
// ─── DetailsTab: skills section ───────────────────────────────────────────────
// Skills come from the workspace's agentCard; the section is omitted entirely
// when no agentCard is present.
describe("DetailsTab — skills section", () => {
  beforeEach(() => {
    mockApi.get.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("renders skills from agentCard", () => {
    render(
      <DetailsTab
        workspaceId="ws-1"
        // Cast through unknown: the test fixture only models the fields used here.
        data={data({ agentCard: { name: "Test Agent", skills: [
          { id: "web-search", description: "Search the web" },
          { id: "code-interpreter" },
        ]} as unknown as WorkspaceNodeData["agentCard"] })}
      />,
    );
    // Each skill id is shown; an optional description renders when present.
    expect(screen.getByText("web-search")).toBeTruthy();
    expect(screen.getByText("Search the web")).toBeTruthy();
    expect(screen.getByText("code-interpreter")).toBeTruthy();
  });
  it("does not render Skills section when agentCard is null", () => {
    render(<DetailsTab workspaceId="ws-1" data={data()} />);
    expect(screen.queryByText("Skills")).toBeNull();
  });
});
// ─── DetailsTab: ConsoleModal ─────────────────────────────────────────────────
// Opening and closing the console-output modal for a failed workspace.
describe("DetailsTab — ConsoleModal", () => {
  beforeEach(() => {
    mockApi.get.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  // Render a failed workspace and click through to the console modal.
  async function openConsole() {
    render(
      <DetailsTab
        workspaceId="ws-1"
        data={data({ status: "failed", lastSampleError: "Traceback..." })}
      />,
    );
    await flush();
    fireEvent.click(screen.getByRole("button", { name: /view console output/i }));
    await flush();
  }
  it("View console output button opens ConsoleModal", async () => {
    await openConsole();
    expect(screen.getByTestId("console-modal")).toBeTruthy();
  });
  it("Close button closes ConsoleModal", async () => {
    await openConsole();
    expect(screen.getByTestId("console-modal")).toBeTruthy();
    fireEvent.click(screen.getByRole("button", { name: /close console/i }));
    await flush();
    expect(screen.queryByTestId("console-modal")).toBeNull();
  });
});

View File

@ -1,364 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for EventsTab the activity feed on the Events tab.
*
* Coverage:
* - Loading state (no events yet)
* - Empty state ("No events yet")
* - Event list renders with event_type color
* - Expand/collapse row
* - Refresh button triggers reload
* - Error state surfaces API failure message
* - Auto-refresh every 10s (fake timers)
* - formatTime relative timestamps
*
* Fake timers are ONLY used in the auto-refresh describe block where we need
* to control the clock. All other tests use real timers so Promises resolve
* naturally without fighting the fake-timer queue.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { EventsTab } from "../EventsTab";
// Hoist mockGet so vi.mock factory can reference it (vi.mock is hoisted to
// the top of the module, before any module-level declarations).
const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown[]>>());
// Replace the API client module; EventsTab only uses api.get.
vi.mock("@/lib/api", () => ({
  api: { get: mockGet },
}));
// ─── Helpers ──────────────────────────────────────────────────────────────────
// Shape of one activity-feed event as served by GET /events/:id.
type FeedEvent = {
  id: string;
  event_type: string;
  workspace_id: string | null;
  payload: Record<string, unknown>;
  created_at: string;
};
// Build a fake event created `createdOffsetSecs` seconds in the past.
const event = (
  id: string,
  type = "WORKSPACE_ONLINE",
  createdOffsetSecs = 0,
): FeedEvent => {
  const createdAt = new Date(Date.now() - createdOffsetSecs * 1000);
  return {
    id,
    event_type: type,
    workspace_id: "ws-1",
    payload: { key: "value" },
    created_at: createdAt.toISOString(),
  };
};
// Mount EventsTab for the given workspace id.
const renderTab = (workspaceId = "ws-1") =>
  render(<EventsTab workspaceId={workspaceId} />);
// Flush pattern for real-timer tests: resolve the mock microtask then
// flush React's state batch. Using act(async ...) lets us await inside.
async function flush() {
  await act(async () => { await Promise.resolve(); });
}
// ─── Tests ────────────────────────────────────────────────────────────────────
// ─── EventsTab: render conditions ─────────────────────────────────────────────
// Loading, empty, populated list, and per-event-type color classes.
describe("EventsTab — render conditions", () => {
  beforeEach(() => {
    vi.useRealTimers();
    mockGet.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows loading state when events are being fetched", async () => {
    // Never resolve so loading stays true
    mockGet.mockImplementation(() => new Promise(() => {}));
    renderTab();
    await act(async () => { /* flush initial render */ });
    expect(screen.getByText("Loading events...")).toBeTruthy();
  });
  it("shows empty state when API returns an empty list", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    expect(screen.getByText("No events yet")).toBeTruthy();
  });
  it("renders the event list when API returns events", async () => {
    mockGet.mockResolvedValueOnce([
      event("e1", "WORKSPACE_ONLINE"),
      event("e2", "WORKSPACE_REMOVED"),
    ]);
    renderTab();
    await flush();
    expect(screen.getByText("WORKSPACE_ONLINE")).toBeTruthy();
    expect(screen.getByText("WORKSPACE_REMOVED")).toBeTruthy();
    // Count summary reflects the number of rows.
    expect(screen.getByText("2 events")).toBeTruthy();
  });
  // Color-coding: each event_type maps to a text color class on its label span.
  it("applies text-bad color to WORKSPACE_REMOVED events", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_REMOVED")]);
    renderTab();
    await flush();
    const span = screen.getByText("WORKSPACE_REMOVED");
    expect(span.classList).toContain("text-bad");
  });
  it("applies text-good color to WORKSPACE_ONLINE events", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    const span = screen.getByText("WORKSPACE_ONLINE");
    expect(span.classList).toContain("text-good");
  });
  it("applies text-accent color to AGENT_CARD_UPDATED events", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "AGENT_CARD_UPDATED")]);
    renderTab();
    await flush();
    const span = screen.getByText("AGENT_CARD_UPDATED");
    expect(span.classList).toContain("text-accent");
  });
  it("applies text-ink-mid fallback for unknown event types", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "MY_CUSTOM_EVENT")]);
    renderTab();
    await flush();
    const span = screen.getByText("MY_CUSTOM_EVENT");
    expect(span.classList).toContain("text-ink-mid");
  });
});
// ─── EventsTab: expand/collapse ───────────────────────────────────────────────
// Row expansion reveals the JSON payload and event id; aria-expanded and
// aria-controls keep the rows accessible.
describe("EventsTab — expand/collapse", () => {
  beforeEach(() => {
    vi.useRealTimers();
    mockGet.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows payload when a row is clicked (expanded)", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    fireEvent.click(screen.getByText("WORKSPACE_ONLINE"));
    await act(async () => { /* flush */ });
    // Payload JSON and the event id are rendered in the expanded panel.
    expect(screen.getByText(/"key": "value"/)).toBeTruthy();
    expect(screen.getByText("ID: e1")).toBeTruthy();
  });
  it("hides payload when the expanded row is clicked again", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    // First click: expand
    fireEvent.click(screen.getByText("WORKSPACE_ONLINE"));
    await act(async () => { /* flush */ });
    expect(screen.getByText(/"key": "value"/)).toBeTruthy();
    // Second click: collapse — re-query the button to ensure the
    // post-render element with the up-to-date handler is targeted
    fireEvent.click(screen.getByText("WORKSPACE_ONLINE"));
    await act(async () => { /* flush */ });
    expect(screen.queryByText(/"key": "value"/)).toBeFalsy();
  });
  it("has aria-expanded=true on the expanded row", async () => {
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    // Call the onClick prop directly inside act() to bypass React's event
    // delegation, which fireEvent.click doesn't reliably trigger in jsdom.
    act(() => {
      screen.getByRole("button", { name: /workspace_online/i }).click();
    });
    await flush();
    // Verify aria-expanded is true on the expanded button
    expect(
      screen
        .getAllByRole("button")
        .find((b) => b.textContent?.includes("WORKSPACE_ONLINE"))
        ?.getAttribute("aria-expanded"),
    ).toBe("true");
  });
  it("has aria-expanded=false on collapsed rows", async () => {
    mockGet.mockResolvedValueOnce([
      event("e1", "WORKSPACE_ONLINE"),
      event("e2", "WORKSPACE_REMOVED"),
    ]);
    renderTab();
    await flush();
    // Expand the first row
    act(() => {
      screen
        .getAllByRole("button")
        .find((b) => b.textContent?.includes("WORKSPACE_ONLINE"))
        ?.click();
    });
    await flush();
    // Only the clicked row reports expanded; its sibling stays collapsed.
    const onlineBtn = screen
      .getAllByRole("button")
      .find((b) => b.textContent?.includes("WORKSPACE_ONLINE"));
    const removedBtn = screen
      .getAllByRole("button")
      .find((b) => b.textContent?.includes("WORKSPACE_REMOVED"));
    expect(onlineBtn?.getAttribute("aria-expanded")).toBe("true");
    expect(removedBtn?.getAttribute("aria-expanded")).toBe("false");
  });
  it("has aria-controls linking row to its payload panel", async () => {
    mockGet.mockResolvedValueOnce([event("evt-42", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    // Verify the aria-controls attribute on the button
    expect(
      screen.getByRole("button", { name: /workspace_online/i }).getAttribute(
        "aria-controls",
      ),
    ).toBe("events-payload-evt-42");
  });
});
// ─── EventsTab: refresh ───────────────────────────────────────────────────────
// Manual refresh re-fetches; previously loaded events remain visible while a
// refresh is in flight.
describe("EventsTab — refresh", () => {
  beforeEach(() => {
    vi.useRealTimers();
    mockGet.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("Refresh button triggers a new GET /events/:id", async () => {
    mockGet.mockResolvedValue([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/events/ws-1");
    // Clear the mount-time call so the next assertion isolates the refresh.
    mockGet.mockClear();
    fireEvent.click(screen.getByRole("button", { name: /refresh/i }));
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/events/ws-1");
  });
  it("shows loading state during refresh (events still visible from previous load)", async () => {
    // First load succeeds with real timers so the mock resolves
    mockGet.mockResolvedValueOnce([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    expect(screen.getByText("1 events")).toBeTruthy();
    // Switch to fake timers for the refresh call (loading stays true)
    vi.useFakeTimers();
    // Refresh call hangs to keep loading=true
    mockGet.mockImplementationOnce(() => new Promise(() => {}));
    fireEvent.click(screen.getByRole("button", { name: /refresh/i }));
    await act(() => { vi.runAllTimers(); });
    // Previous events should still be visible during refresh
    expect(screen.getByText("WORKSPACE_ONLINE")).toBeTruthy();
    vi.useRealTimers();
  });
});
// ─── EventsTab: error state ───────────────────────────────────────────────────
describe("EventsTab — error state", () => {
  beforeEach(() => {
    vi.useRealTimers();
    mockGet.mockReset();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  it("shows error message when GET /events/:id rejects", async () => {
    mockGet.mockRejectedValue(new Error("Gateway timeout"));
    renderTab();
    await flush();
    // The Error's message is surfaced and the loading indicator is gone.
    expect(screen.getByText("Gateway timeout")).toBeTruthy();
    expect(screen.queryByText("Loading events...")).toBeFalsy();
  });
  it("shows 'Failed to load events' when API rejects with non-Error", async () => {
    // A non-Error rejection falls back to the generic message.
    mockGet.mockRejectedValue("unknown failure");
    renderTab();
    await flush();
    expect(screen.getByText("Failed to load events")).toBeTruthy();
  });
});
// ─── EventsTab: auto-refresh ──────────────────────────────────────────────────
describe("EventsTab — auto-refresh", () => {
  // Use vi.spyOn to mock setInterval/clearInterval so we can control timer
  // firing without Vitest's fake-timer APIs (which create infinite loops when
  // timers schedule microtasks that schedule more timers).
  let setIntervalSpy: ReturnType<typeof vi.spyOn>;
  let clearIntervalSpy: ReturnType<typeof vi.spyOn>;
  // Monotonic id handed out by the mocked setInterval.
  let activeIntervalId = 0;
  // Registry of callbacks keyed by interval id, so tests can fire them manually.
  const scheduledCallbacks = new Map<number, () => void>();
  beforeEach(() => {
    vi.useRealTimers();
    mockGet.mockReset();
    activeIntervalId = 0;
    scheduledCallbacks.clear();
    // Capture the callback instead of scheduling it; tests fire it explicitly.
    setIntervalSpy = vi.spyOn(globalThis, "setInterval").mockImplementation(
      (cb: () => void) => {
        const id = ++activeIntervalId;
        scheduledCallbacks.set(id, cb);
        return id;
      },
    );
    clearIntervalSpy = vi.spyOn(globalThis, "clearInterval").mockImplementation(
      (id: number) => {
        scheduledCallbacks.delete(id);
      },
    );
  });
  afterEach(() => {
    cleanup();
    // Restore the real timer globals so other suites are unaffected.
    setIntervalSpy?.mockRestore();
    clearIntervalSpy?.mockRestore();
    vi.useRealTimers();
  });
  it("calls GET /events/:id after 10s without manual interaction", async () => {
    mockGet.mockResolvedValue([event("e1", "WORKSPACE_ONLINE")]);
    renderTab();
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/events/ws-1");
    mockGet.mockClear();
    // Verify setInterval was called with 10000ms delay
    expect(setIntervalSpy).toHaveBeenCalledWith(
      expect.any(Function),
      10000,
    );
    // Fire the captured interval callback (simulates 10s elapsing)
    const callback = [...scheduledCallbacks.values()][0];
    act(() => { callback(); });
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/events/ws-1");
  });
  it("clears the previous auto-refresh interval on unmount", async () => {
    mockGet.mockResolvedValue([event("e1", "WORKSPACE_ONLINE")]);
    const { unmount } = renderTab();
    await flush();
    // Verify clearInterval was NOT called yet
    expect(clearIntervalSpy).not.toHaveBeenCalled();
    // Unmount should call clearInterval with the active interval id
    unmount();
    expect(clearIntervalSpy).toHaveBeenCalled();
    // The callback should no longer be scheduled
    expect(scheduledCallbacks.size).toBe(0);
  });
});

View File

@ -1,774 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for MemoryTab the workspace KV memory tab.
*
* Coverage:
* - Loading state (pending GET)
* - Empty state ("No memory entries")
* - Memory entries list renders
* - Expand/collapse entry + aria-expanded
* - Add entry: key validation, value JSON parsing, TTL
* - Edit entry: begin, cancel, save, 409 conflict
* - Delete entry: optimistic removal
* - Error state from API failure
* - Refresh button triggers reload
* - Awareness dashboard collapse/expand
* - Advanced toggle shows/hides KV section
* - Awareness URL includes workspaceId
*
* Uses vi.useRealTimers() + flush() pattern for all non-window tests.
* window.open is mocked per-test since it is environment-dependent.
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { MemoryTab } from "../MemoryTab";
// Hoist mockGet so vi.mock factory can reference it (vi.mock is hoisted).
const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockPost = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockDel = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
// Replace the API client module; MemoryTab uses get, post, and del.
vi.mock("@/lib/api", () => ({
  api: {
    get: mockGet,
    post: mockPost,
    del: mockDel,
  },
}));
// Mock window.open per-test
const mockOpen = vi.fn();
vi.stubGlobal("open", mockOpen);
// File-wide hooks: real timers and freshly reset mocks before every test;
// unmount rendered trees afterwards so tests stay isolated.
beforeEach(() => {
  vi.useRealTimers();
  mockGet.mockReset();
  mockPost.mockReset();
  mockDel.mockReset();
  mockOpen.mockReset();
});
afterEach(() => {
  cleanup();
  vi.useRealTimers();
});
// ─── Helpers ──────────────────────────────────────────────────────────────────
// A memory row as returned by GET /workspaces/:id/memory.
type MemoryRow = {
  key: string;
  value: unknown;
  version?: number;
  expires_at: string | null;
  updated_at: string;
};
// Build a fake memory entry; fields in `overrides` win over the defaults.
const entry = (
  key: string,
  value: unknown,
  overrides?: Partial<Pick<MemoryRow, "version" | "expires_at" | "updated_at">>,
): MemoryRow => {
  const defaults: MemoryRow = {
    key,
    value,
    version: undefined,
    expires_at: null,
    updated_at: "2026-05-10T10:00:00Z",
  };
  return { ...defaults, ...overrides };
};
// Mount MemoryTab for the given workspace id.
const renderTab = (workspaceId = "ws-1") =>
  render(<MemoryTab workspaceId={workspaceId} />);
// Flush pattern: resolve mock microtask then flush React state batch.
async function flush() {
  await act(async () => { await Promise.resolve(); });
}
// ─── Tests ────────────────────────────────────────────────────────────────────
// ─── MemoryTab: render conditions ─────────────────────────────────────────────
// Loading/empty/populated states, the Advanced toggle that gates the KV
// section, and the Awareness dashboard (expanded by default).
describe("MemoryTab — render conditions", () => {
  beforeEach(() => {
    // Default: GET never resolves, so the loading state is observable.
    mockGet.mockImplementation(() => new Promise(() => {}));
  });
  it("shows loading state while fetching", async () => {
    renderTab();
    await act(async () => { /* flush initial render */ });
    expect(screen.getByText("Loading memory...")).toBeTruthy();
  });
  it("shows empty state when API returns empty list", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    // KV section hidden by default; reveal it via Advanced toggle
    fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
    await flush();
    expect(screen.getByText("No memory entries")).toBeTruthy();
  });
  it("renders memory entries when API returns data", async () => {
    mockGet.mockResolvedValueOnce([
      entry("my-key", { nested: true }),
      entry("another-key", "plain string"),
    ]);
    renderTab();
    await flush();
    // Advanced is collapsed by default; reveal entries
    fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
    await flush();
    expect(screen.getByText("my-key")).toBeTruthy();
    expect(screen.getByText("another-key")).toBeTruthy();
  });
  it("shows Advanced section hidden by default", async () => {
    mockGet.mockResolvedValueOnce([entry("k1", "v1")]);
    renderTab();
    await flush();
    expect(screen.getByText("Advanced workspace memory is hidden")).toBeTruthy();
  });
  it("shows Advanced section when entries exist and advanced is toggled on", async () => {
    mockGet.mockResolvedValueOnce([entry("k1", "v1")]);
    renderTab();
    await flush();
    // Show the advanced section
    fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
    await flush();
    expect(screen.getByText("k1")).toBeTruthy();
  });
  // Awareness section defaults to showAwareness=true (expanded with iframe)
  it("shows Awareness dashboard expanded with iframe by default", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    // Default state shows the expanded section
    const iframe = document.querySelector("iframe");
    expect(iframe).toBeTruthy();
    expect(iframe?.getAttribute("title")).toBe("Awareness dashboard");
  });
  it("collapses Awareness dashboard when Collapse button is clicked", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /collapse/i }).click();
    });
    await flush();
    expect(screen.getByText("Awareness dashboard is collapsed")).toBeTruthy();
  });
  it("shows awareness status grid in expanded Awareness section", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    // Default state is already expanded — status grid is visible
    expect(screen.getByText("Connected")).toBeTruthy();
    expect(screen.getByText("Mode")).toBeTruthy();
    expect(screen.getByText("Workspace")).toBeTruthy();
  });
  it("shows workspaceId in awareness grid", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab("my-workspace-id");
    await flush();
    // workspaceId appears twice: in awareness grid and in KV description.
    // Query the awareness grid span specifically (text-ink-mid class in the grid).
    const spans = screen.getAllByText("my-workspace-id");
    const gridSpan = spans.find(
      (s) => s.className.includes("font-mono") && !s.className.includes("truncate"),
    );
    expect(gridSpan).toBeTruthy();
  });
});
// ─── MemoryTab: KV memory CRUD ────────────────────────────────────────────────
// Add-form validation and payload shaping (JSON vs plain text vs TTL),
// optimistic delete with revert-on-error, refresh, and error surfacing.
describe("MemoryTab — KV memory CRUD", () => {
  beforeEach(() => {
    // Use mockImplementation so every call resolves (loadMemory is called multiple
    // times: on mount, on refresh, after add/save errors)
    mockGet.mockImplementation(() =>
      Promise.resolve([entry("existing-key", "existing-value")]),
    );
    mockPost.mockResolvedValue({});
    mockDel.mockResolvedValue({});
  });
  it("shows error alert when GET rejects", async () => {
    mockGet.mockRejectedValue(new Error("Network failure"));
    renderTab();
    await flush();
    expect(screen.getByRole("alert")).toBeTruthy();
    expect(screen.getByText("Network failure")).toBeTruthy();
  });
  it("Refresh button calls GET /workspaces/:id/memory", async () => {
    renderTab();
    await flush();
    // Clear the mount-time call so the assertion isolates the refresh.
    mockGet.mockClear();
    act(() => {
      screen.getByRole("button", { name: /refresh/i }).click();
    });
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/memory");
  });
  it("shows + Add button to open add form", async () => {
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    expect(screen.getByRole("button", { name: /^\+ add$/i })).toBeTruthy();
  });
  it("shows add form when + Add is clicked", async () => {
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    expect(screen.getByLabelText(/memory key/i)).toBeTruthy();
    expect(screen.getByLabelText(/memory value/i)).toBeTruthy();
  });
  it("requires key in add form", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    // Saving with an empty key must never reach the API.
    mockPost.mockReset().mockRejectedValue(new Error("should not be called"));
    act(() => {
      screen.getByRole("button", { name: /save/i }).click();
    });
    await flush();
    expect(screen.getByText("Key is required")).toBeTruthy();
    expect(mockPost).not.toHaveBeenCalled();
  });
  it("parses JSON value in add form", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    fireEvent.change(screen.getByLabelText(/memory key/i), {
      target: { value: "json-key" },
    });
    fireEvent.change(screen.getByLabelText(/memory value/i), {
      target: { value: '{"nested": "value"}' },
    });
    act(() => {
      screen.getByRole("button", { name: /save/i }).click();
    });
    await flush();
    // Valid JSON text is sent as the parsed object, not the raw string.
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-1/memory",
      expect.objectContaining({
        key: "json-key",
        value: { nested: "value" },
      }),
    );
  });
  it("treats plain-text value as string in add form", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    fireEvent.change(screen.getByLabelText(/memory key/i), {
      target: { value: "plain-key" },
    });
    fireEvent.change(screen.getByLabelText(/memory value/i), {
      target: { value: "plain text" },
    });
    act(() => {
      screen.getByRole("button", { name: /save/i }).click();
    });
    await flush();
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-1/memory",
      expect.objectContaining({
        key: "plain-key",
        value: "plain text",
      }),
    );
  });
  it("sends ttl_seconds when TTL is provided in add form", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    fireEvent.change(screen.getByLabelText(/memory key/i), {
      target: { value: "ttl-key" },
    });
    fireEvent.change(screen.getByLabelText(/memory value/i), {
      target: { value: "val" },
    });
    fireEvent.change(screen.getByLabelText(/ttl in seconds/i), {
      target: { value: "3600" },
    });
    act(() => {
      screen.getByRole("button", { name: /save/i }).click();
    });
    await flush();
    // The TTL input string is sent as a numeric ttl_seconds field.
    expect(mockPost).toHaveBeenCalledWith(
      "/workspaces/ws-1/memory",
      expect.objectContaining({
        key: "ttl-key",
        value: "val",
        ttl_seconds: 3600,
      }),
    );
  });
  it("closes add form on cancel", async () => {
    mockGet.mockResolvedValueOnce([]);
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    expect(screen.getByLabelText(/memory key/i)).toBeTruthy();
    act(() => {
      screen.getByRole("button", { name: /cancel/i }).click();
    });
    await flush();
    expect(screen.queryByLabelText(/memory key/i)).toBeFalsy();
  });
  it("shows error when add POST rejects", async () => {
    mockGet.mockResolvedValueOnce([]);
    mockPost.mockRejectedValue(new Error("Add failed"));
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /^\+ add$/i }).click();
    });
    await flush();
    fireEvent.change(screen.getByLabelText(/memory key/i), {
      target: { value: "k" },
    });
    act(() => {
      screen.getByRole("button", { name: /save/i }).click();
    });
    await flush();
    expect(screen.getByText("Add failed")).toBeTruthy();
  });
  it("optimistically removes entry on delete", async () => {
    renderTab();
    await flush();
    // Expand the advanced section
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    // Expand the entry row
    act(() => {
      screen.getByText("existing-key").closest("button")?.click();
    });
    await flush();
    // Verify the Delete button is visible inside the expanded section
    const deleteBtn = screen
      .getAllByRole("button")
      .find((b) => b.textContent === "Delete");
    expect(deleteBtn).toBeTruthy();
    // Clicking Delete fires the API call; the entry is optimistically
    // removed from state before the response. We verify the API call here.
    act(() => {
      deleteBtn?.click();
    });
    await flush();
    expect(mockDel).toHaveBeenCalledWith(
      "/workspaces/ws-1/memory/existing-key",
    );
  });
  it("calls DELETE /workspaces/:id/memory/:key on delete", async () => {
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByText("existing-key").closest("button")?.click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /delete/i }).click();
    });
    await flush();
    expect(mockDel).toHaveBeenCalledWith(
      "/workspaces/ws-1/memory/existing-key",
    );
  });
  it("shows error when delete rejects", async () => {
    mockDel.mockRejectedValue(new Error("Delete failed"));
    renderTab();
    await flush();
    act(() => {
      screen.getByRole("button", { name: /advanced/i }).click();
    });
    await flush();
    act(() => {
      screen.getByText("existing-key").closest("button")?.click();
    });
    await flush();
    act(() => {
      screen.getByRole("button", { name: /delete/i }).click();
    });
    await flush();
    // Error should appear in the alert
    expect(screen.getByRole("alert")).toBeTruthy();
    expect(screen.getByText("Delete failed")).toBeTruthy();
    // Entry should be visible again (reverted)
    expect(screen.getByText("existing-key")).toBeTruthy();
  });
});
describe("MemoryTab — edit entry", () => {
beforeEach(() => {
// Use mockImplementation so every call resolves (loadMemory called multiple times)
mockGet.mockImplementation(() =>
Promise.resolve([
entry("edit-key", { original: true }, { version: 5 }),
]),
);
mockPost.mockResolvedValue({});
});
it("begins edit mode when Edit is clicked", async () => {
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
// Expand the entry row first
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
// Find the "Edit" button specifically (not the row button whose accessible name is "edit-key")
const editBtn = screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit");
act(() => {
editBtn?.click();
});
await flush();
expect(screen.getByLabelText(/edit value for edit-key/i)).toBeTruthy();
expect(screen.getByLabelText(/edit ttl for edit-key/i)).toBeTruthy();
});
it("pre-fills edit textarea with JSON for object values", async () => {
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
const textarea = screen.getByLabelText(/edit value for edit-key/i);
expect(textarea.textContent?.trim()).toBe('{\n "original": true\n}');
});
it("pre-fills edit textarea with raw string for string values", async () => {
mockGet.mockImplementation(() =>
Promise.resolve([
entry("str-key", "plain string value", { version: 1 }),
]),
);
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("str-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
const textarea = screen.getByLabelText(/edit value for str-key/i);
expect(textarea.textContent?.trim()).toBe("plain string value");
});
it("cancels edit and restores entry view", async () => {
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
expect(screen.getByLabelText(/edit value for edit-key/i)).toBeTruthy();
act(() => {
screen.getByRole("button", { name: /cancel/i }).click();
});
await flush();
expect(screen.queryByLabelText(/edit value/i)).toBeFalsy();
});
it("calls POST with if_match_version on save", async () => {
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
act(() => {
screen.getByRole("button", { name: /save/i }).click();
});
await flush();
expect(mockPost).toHaveBeenCalledWith(
"/workspaces/ws-1/memory",
expect.objectContaining({
key: "edit-key",
value: { original: true },
if_match_version: 5,
}),
);
});
it("shows 409 conflict error and reloads on version mismatch", async () => {
mockPost.mockRejectedValue(
new Error("409 Conflict: if_match_version mismatch"),
);
// Return entries for initial load; on 409 the component calls loadMemory()
// again — use mockImplementation so subsequent calls also return entries
mockGet.mockImplementation(() =>
Promise.resolve([
entry("edit-key", { original: true }, { version: 5 }),
]),
);
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
act(() => {
screen.getByRole("button", { name: /save/i }).click();
});
await flush();
expect(screen.getByText(/this entry changed since you opened it/i)).toBeTruthy();
});
it("shows generic error when edit POST rejects with non-409", async () => {
mockPost.mockRejectedValue(new Error("Server error"));
renderTab();
await flush();
act(() => {
screen.getByRole("button", { name: /advanced/i }).click();
});
await flush();
act(() => {
screen.getByText("edit-key").closest("button")?.click();
});
await flush();
act(() => {
screen
.getAllByRole("button", { name: /^edit$/i })
.find((b) => b.textContent === "Edit")
?.click();
});
await flush();
act(() => {
screen.getByRole("button", { name: /save/i }).click();
});
await flush();
expect(screen.getByText("Server error")).toBeTruthy();
});
});
describe("MemoryTab — expand/collapse entry", () => {
beforeEach(() => {
mockGet.mockResolvedValue([
entry("entry-a", { data: "A" }),
entry("entry-b", { data: "B" }),
]);
});
it("expands entry when clicked", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
act(() => {
screen.getByText("entry-a").closest("button")?.click();
});
await flush();
// Expanded entry shows its JSON value
expect(screen.getByText(/"data": "A"/)).toBeTruthy();
});
it("collapses entry when clicked again", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
act(() => {
screen.getByText("entry-a").closest("button")?.click();
});
await flush();
act(() => {
screen.getByText("entry-a").closest("button")?.click();
});
await flush();
expect(screen.queryByText(/"data": "A"/)).toBeFalsy();
});
it("shows collapsed indicator ▶ for non-expanded entries", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
expect(screen.getAllByText("▶").length).toBeGreaterThan(0);
});
it("shows expanded indicator ▼ for expanded entries", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
act(() => {
screen.getByText("entry-a").closest("button")?.click();
});
await flush();
expect(screen.getAllByText("▼").length).toBeGreaterThan(0);
});
it("hides edit/delete buttons when entry is collapsed", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
expect(screen.queryByRole("button", { name: /edit/i })).toBeFalsy();
expect(screen.queryByRole("button", { name: /delete/i })).toBeFalsy();
});
it("shows edit/delete buttons when entry is expanded", async () => {
renderTab();
await flush();
fireEvent.click(screen.getByRole("button", { name: /advanced/i }));
await flush();
act(() => {
screen.getByText("entry-a").closest("button")?.click();
});
await flush();
expect(screen.getAllByRole("button", { name: /edit/i }).length).toBeGreaterThan(0);
expect(screen.getAllByRole("button", { name: /delete/i }).length).toBeGreaterThan(0);
});
});
describe("MemoryTab — Open Awareness button", () => {
it("calls window.open with workspaceId in URL", async () => {
mockGet.mockResolvedValueOnce([]);
renderTab("my-ws");
await flush();
fireEvent.click(screen.getByRole("button", { name: /open/i }));
await flush();
expect(mockOpen).toHaveBeenCalled();
const url = mockOpen.mock.calls[0][0];
expect(url).toContain("workspaceId=my-ws");
});
});

View File

@ -1,635 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for ScheduleTab cron-based task scheduling.
*
* Coverage:
* - Loading state
* - Empty state (no schedules)
* - Schedule list rendering (single + multiple)
* - Status dot color (error/ok/idle)
* - Toggle enable/disable via status dot
* - Delete via ConfirmDialog
* - Run Now button triggers POST + POST
* - Create schedule form open/close
* - Edit schedule form pre-fills values
* - Form validation (disabled when cron/prompt empty)
* - Create POST with correct payload
* - Edit PATCH with correct payload
* - Error state surfaces API failures
* - Auto-refresh every 10s (spy)
* - cronToHuman formatting
* - relativeTime formatting
* - Reset form clears all fields
* - Disabled schedules are visually dimmed
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act, waitFor } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ScheduleTab } from "../ScheduleTab";
// Hoist mocks so vi.mock factory can reference them.
// vi.hoisted lifts these above the (hoisted) vi.mock factories so the
// factories can close over them safely.
const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown[]>>());
const mockPost = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockPatch = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
const mockDel = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
vi.mock("@/lib/api", () => ({
api: { get: mockGet, post: mockPost, patch: mockPatch, del: mockDel },
}));
// Capture ConfirmDialog state to drive from tests.
// The mock renders nothing; it just records the latest open flag and
// callbacks so tests can invoke onConfirm/onCancel imperatively.
const confirmDialogState = vi.hoisted(
() => ({
open: false as boolean,
onConfirm: undefined as (() => void) | undefined,
onCancel: undefined as (() => void) | undefined,
}),
);
const MockConfirmDialog = vi.hoisted(
() =>
vi.fn(({ open, onConfirm, onCancel }: {
open: boolean;
onConfirm: () => void;
onCancel: () => void;
}) => {
confirmDialogState.open = open;
confirmDialogState.onConfirm = onConfirm;
confirmDialogState.onCancel = onCancel;
return null;
}),
);
vi.mock("@/components/ConfirmDialog", () => ({ ConfirmDialog: MockConfirmDialog }));
// ─── Fixtures ─────────────────────────────────────────────────────────────────
// Baseline schedule: enabled, daily at 09:00 UTC, last run an hour ago,
// next run in 23 hours, with a successful last status.
const SCHEDULE_FIXTURE = {
id: "sch-1",
workspace_id: "ws-1",
name: "Daily Security Scan",
cron_expr: "0 9 * * *",
timezone: "UTC",
prompt: "Run the security scan and report findings",
enabled: true,
last_run_at: new Date(Date.now() - 3600000).toISOString(),
next_run_at: new Date(Date.now() + 82800000).toISOString(),
run_count: 42,
last_status: "ok",
last_error: "",
created_at: new Date().toISOString(),
};
// Shallow-merge overrides onto the baseline fixture (later keys win).
function schedule(overrides: Partial<typeof SCHEDULE_FIXTURE> = {}): typeof SCHEDULE_FIXTURE {
return { ...SCHEDULE_FIXTURE, ...overrides };
}
// ─── Helpers ───────────────────────────────────────────────────────────────────
// Drain resolved promises inside act so React state updates from mocked
// API calls are applied before assertions run.
async function flush() {
  await act(async () => {
    await Promise.resolve();
  });
}
// Force the element's `value`, then emit a change event pointing at the
// element itself so controlled inputs pick up the new value.
function typeIn(el: HTMLElement, value: string) {
  Object.defineProperty(el, "value", { value, writable: true, configurable: true });
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  fireEvent.change(el as any, { target: el });
}
// mockResolvedValue (not ...Once) so every GET — including the refresh that
// handlers like toggle/delete/run/edit trigger via fetchSchedules() —
// returns the same fixture list.
function setupLoad(schedules: unknown[]) {
  mockGet.mockResolvedValue(schedules as unknown[]);
}
// ─── Tests ─────────────────────────────────────────────────────────────────────
describe("ScheduleTab", () => {
beforeEach(() => {
mockGet.mockReset();
mockPost.mockReset();
mockPatch.mockReset();
mockDel.mockReset();
MockConfirmDialog.mockClear();
vi.useRealTimers();
confirmDialogState.open = false;
confirmDialogState.onConfirm = undefined;
confirmDialogState.onCancel = undefined;
});
afterEach(() => {
cleanup();
vi.useRealTimers();
});
// ── Loading / Empty ──────────────────────────────────────────────────────────
it("shows loading state when schedules are being fetched", async () => {
mockGet.mockImplementation(() => new Promise(() => {}));
render(<ScheduleTab workspaceId="ws-1" />);
await act(async () => { /* flush initial render */ });
expect(screen.getByText("Loading schedules...")).toBeTruthy();
});
it("shows empty state when API returns an empty list", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText("No schedules yet")).toBeTruthy();
expect(screen.getByText(/run tasks automatically/i)).toBeTruthy();
});
// ── Schedule list ────────────────────────────────────────────────────────────
it("renders a schedule with correct name and cron", async () => {
setupLoad([schedule({ name: "Morning Report", cron_expr: "0 8 * * *" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText("Morning Report")).toBeTruthy();
expect(screen.getByText(/Daily at 08:00 UTC/i)).toBeTruthy();
});
it("renders multiple schedules", async () => {
setupLoad([
schedule({ id: "s1", name: "Morning Report", cron_expr: "0 8 * * *" }),
schedule({ id: "s2", name: "Evening Cleanup", cron_expr: "0 22 * * *" }),
]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText("Morning Report")).toBeTruthy();
expect(screen.getByText("Evening Cleanup")).toBeTruthy();
});
it("shows disabled schedule with reduced opacity", async () => {
setupLoad([schedule({ enabled: false })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
const container = screen.getByText("Daily Security Scan").closest("div[class*='border-b']");
expect(container?.className).toContain("opacity-50");
});
it("shows error dot when last_status is error", async () => {
setupLoad([schedule({ last_status: "error", last_error: "timeout" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
const dot = screen.getByRole("button", { name: /click to disable/i });
expect(dot.className).toContain("bg-red-400");
});
it("shows ok dot when last_status is ok", async () => {
setupLoad([schedule({ last_status: "ok" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
const dot = screen.getByRole("button", { name: /click to disable/i });
expect(dot.className).toContain("bg-emerald-400");
});
it("shows neutral dot when schedule is disabled (unknown status)", async () => {
// enabled=false → title says "Click to enable"
setupLoad([schedule({ enabled: false, last_status: "" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
const dot = screen.getByRole("button", { name: /click to enable/i });
expect(dot.className).toContain("bg-surface-card");
});
it("shows last_error message when schedule failed", async () => {
setupLoad([schedule({ last_error: "connection refused" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText(/Error: connection refused/i)).toBeTruthy();
});
it("truncates long prompt in schedule list", async () => {
const longPrompt = "A".repeat(120);
setupLoad([schedule({ prompt: longPrompt })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
// Prompt is sliced at 80 chars + "..."
expect(screen.getByText(new RegExp(`^${"A".repeat(80)}\\.\\.\\.$$`))).toBeTruthy();
});
// ── cronToHuman formatting ──────────────────────────────────────────────────
it.each([
["* * * * *", "Every minute"],
["*/5 * * * *", "Every 5 minutes"],
["0 */4 * * *", "Every 4 hours"],
["0 9 * * *", "Daily at 09:00 UTC"],
["0 9 * * 1-5", "Weekdays at 09:00 UTC"],
["30 14 * * *", "Daily at 14:30 UTC"],
["*/15 * * * *", "Every 15 minutes"],
])("formats cron '%s' as '%s'", async (cron, expected) => {
setupLoad([schedule({ cron_expr: cron })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText(new RegExp(expected, "i"))).toBeTruthy();
});
// ── relativeTime formatting ─────────────────────────────────────────────────
it("shows 'never' when last_run_at is null", async () => {
setupLoad([schedule({ last_run_at: null, next_run_at: null })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
const spans = Array.from(document.querySelectorAll("span"));
expect(spans.some(s => s.textContent === "Last: never")).toBeTruthy();
});
it("shows run_count in the list", async () => {
setupLoad([schedule({ run_count: 99 })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText(/Runs: 99/i)).toBeTruthy();
});
// ── Toggle ──────────────────────────────────────────────────────────────────
it("PATCHes toggle endpoint when status dot is clicked", async () => {
setupLoad([schedule()]);
mockPatch.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /click to disable/i }));
await flush();
expect(mockPatch).toHaveBeenCalledWith(
"/workspaces/ws-1/schedules/sch-1",
{ enabled: false },
);
});
it("toggling calls fetchSchedules to refresh the list", async () => {
setupLoad([schedule()]);
mockPatch.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /click to disable/i }));
await flush();
// fetchSchedules calls GET again
expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/schedules");
});
it("shows error when toggle fails", async () => {
setupLoad([schedule()]);
mockPatch.mockRejectedValue(new Error("toggle failed"));
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /click to disable/i }));
await flush();
// Component uses e.message (Error.message = "toggle failed")
expect(screen.getByText(/toggle failed/i)).toBeTruthy();
});
// ── Delete ──────────────────────────────────────────────────────────────────
it("opens ConfirmDialog when delete button is clicked", async () => {
setupLoad([schedule()]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /delete schedule/i }));
await flush();
expect(confirmDialogState.open).toBe(true);
});
it("calls DEL when ConfirmDialog is confirmed", async () => {
setupLoad([schedule()]);
mockDel.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /delete schedule/i }));
await flush();
confirmDialogState.onConfirm?.();
await flush();
expect(mockDel).toHaveBeenCalledWith("/workspaces/ws-1/schedules/sch-1");
});
it("calls fetchSchedules after delete", async () => {
setupLoad([schedule()]);
mockDel.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /delete schedule/i }));
await flush();
confirmDialogState.onConfirm?.();
await flush();
expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/schedules");
});
it("closes ConfirmDialog when cancel is called", async () => {
setupLoad([schedule()]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /delete schedule/i }));
await flush();
expect(confirmDialogState.open).toBe(true);
confirmDialogState.onCancel?.();
await flush();
expect(confirmDialogState.open).toBe(false);
});
it("shows error when delete fails", async () => {
setupLoad([schedule()]);
mockDel.mockRejectedValue(new Error("delete failed"));
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /delete schedule/i }));
await flush();
confirmDialogState.onConfirm?.();
await flush();
expect(screen.getByText(/delete failed/i)).toBeTruthy();
});
// ── Run Now ──────────────────────────────────────────────────────────────────
it("calls POST /schedules/:id/run and then POST /a2a when Run Now is clicked", async () => {
setupLoad([schedule()]);
mockPost
.mockResolvedValueOnce({ prompt: "Run the security scan and report findings" })
.mockResolvedValueOnce({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /run schedule/i }));
await flush();
expect(mockPost).toHaveBeenNthCalledWith(1, "/workspaces/ws-1/schedules/sch-1/run", {});
expect(mockPost).toHaveBeenNthCalledWith(2, "/workspaces/ws-1/a2a", expect.objectContaining({ method: "message/send" }));
});
it("shows error when run now fails", async () => {
setupLoad([schedule()]);
mockPost.mockRejectedValue(new Error("run failed"));
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /run schedule/i }));
await flush();
// handleRunNow uses hardcoded "Failed to run schedule" on error
expect(screen.getByText(/Failed to run schedule/i)).toBeTruthy();
});
// ── Create form ──────────────────────────────────────────────────────────────
it("shows create form when + Add Schedule is clicked", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
expect(screen.getByLabelText("Schedule name")).toBeTruthy();
expect(screen.getByLabelText("Cron Expression")).toBeTruthy();
expect(screen.getByLabelText("Prompt / Task")).toBeTruthy();
});
it("pre-fills default cron (0 9 * * *) and timezone (UTC)", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
expect((screen.getByLabelText("Cron Expression") as HTMLInputElement).value).toBe("0 9 * * *");
expect((screen.getByLabelText("Timezone") as HTMLSelectElement).value).toBe("UTC");
});
it("submit button is disabled when cron or prompt is empty", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
const submitBtn = screen.getByRole("button", { name: /create/i });
expect((submitBtn as HTMLButtonElement).disabled).toBe(true);
});
it("submit button is enabled when cron and prompt are filled", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "Run a task");
await flush();
const submitBtn = screen.getByRole("button", { name: /create/i });
expect((submitBtn as HTMLButtonElement).disabled).toBe(false);
});
it("POSTs correct payload when creating a schedule", async () => {
setupLoad([]);
mockPost.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
typeIn(screen.getByLabelText("Schedule name") as HTMLElement, "Morning Report");
typeIn(screen.getByLabelText("Cron Expression") as HTMLElement, "0 8 * * *");
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "Generate the morning report");
await flush();
act(() => { screen.getByRole("button", { name: /create/i }).click(); });
await flush();
await waitFor(() => {
expect(screen.queryByRole("button", { name: /cancel/i })).not.toBeTruthy();
});
expect(mockPost).toHaveBeenCalledWith(
"/workspaces/ws-1/schedules",
expect.objectContaining({
name: "Morning Report",
cron_expr: "0 8 * * *",
timezone: "UTC",
prompt: "Generate the morning report",
enabled: true,
}),
);
});
it("closes form and refreshes after successful create", async () => {
setupLoad([]);
mockPost.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "Run a task");
await flush();
act(() => { screen.getByRole("button", { name: /create/i }).click(); });
await flush();
await waitFor(() => {
expect(screen.queryByLabelText("Schedule name")).not.toBeTruthy();
});
expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/schedules");
});
it("shows error message when create fails", async () => {
setupLoad([]);
mockPost.mockRejectedValue(new Error("validation failed"));
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "Run a task");
await flush();
act(() => { screen.getByRole("button", { name: /create/i }).click(); });
await flush();
expect(screen.getByText(/validation failed/i)).toBeTruthy();
});
it("closes form when Cancel is clicked", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
expect(screen.getByLabelText("Schedule name")).toBeTruthy();
act(() => { screen.getByRole("button", { name: /cancel/i }).click(); });
await flush();
await waitFor(() => {
expect(screen.queryByLabelText("Schedule name")).not.toBeTruthy();
});
});
// ── Edit form ────────────────────────────────────────────────────────────────
it("opens edit form pre-filled with schedule data when Edit is clicked", async () => {
setupLoad([schedule({ name: "Nightly Backup", cron_expr: "0 2 * * *" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /edit schedule/i }));
await flush();
expect((screen.getByLabelText("Schedule name") as HTMLInputElement).value).toBe("Nightly Backup");
expect((screen.getByLabelText("Cron Expression") as HTMLInputElement).value).toBe("0 2 * * *");
});
it("shows 'Update' button in edit mode", async () => {
setupLoad([schedule()]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /edit schedule/i }));
await flush();
expect(screen.getByRole("button", { name: /update/i })).toBeTruthy();
});
it("PATCHes correct payload when updating a schedule", async () => {
setupLoad([schedule()]);
mockPatch.mockResolvedValue({});
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /edit schedule/i }));
await flush();
typeIn(screen.getByLabelText("Schedule name") as HTMLElement, "Updated Name");
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "New prompt");
await flush();
act(() => { screen.getByRole("button", { name: /update/i }).click(); });
await flush();
await waitFor(() => {
expect(screen.queryByRole("button", { name: /cancel/i })).not.toBeTruthy();
});
expect(mockPatch).toHaveBeenCalledWith(
"/workspaces/ws-1/schedules/sch-1",
expect.objectContaining({
name: "Updated Name",
cron_expr: "0 9 * * *",
timezone: "UTC",
prompt: "New prompt",
enabled: true,
}),
);
});
it("form reset clears name, cron, prompt, and enabled", async () => {
setupLoad([schedule()]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
// Open + add schedule form
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
typeIn(screen.getByLabelText("Schedule name") as HTMLElement, "Temp Schedule");
typeIn(screen.getByLabelText("Cron Expression") as HTMLElement, "*/15 * * * *");
typeIn(screen.getByLabelText("Prompt / Task") as HTMLElement, "Temporary task");
await flush();
// Cancel
act(() => { screen.getByRole("button", { name: /cancel/i }).click(); });
await flush();
// Open again — should be reset
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
expect((screen.getByLabelText("Schedule name") as HTMLInputElement).value).toBe("");
expect((screen.getByLabelText("Cron Expression") as HTMLInputElement).value).toBe("0 9 * * *");
expect((screen.getByLabelText("Prompt / Task") as HTMLTextAreaElement).value).toBe("");
});
// ── Error state ──────────────────────────────────────────────────────────────
it("shows error banner when GET fails", async () => {
mockGet.mockRejectedValue(new Error("network error"));
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
// Component now sets error state on GET failure
expect(screen.getByText(/network error/i)).toBeTruthy();
});
it("shows generic error when GET rejects with non-Error", async () => {
mockGet.mockRejectedValue("unknown failure");
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText("unknown failure")).toBeTruthy();
});
// ── Auto-refresh ────────────────────────────────────────────────────────────
it("sets up auto-refresh interval of 10 seconds", async () => {
const setIntervalSpy = vi.spyOn(globalThis, "setInterval");
setupLoad([schedule()]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(setIntervalSpy).toHaveBeenCalledWith(expect.any(Function), 10000);
setIntervalSpy.mockRestore();
});
it("clears the auto-refresh interval on unmount", async () => {
const clearIntervalSpy = vi.spyOn(globalThis, "clearInterval");
const setIntervalSpy = vi.spyOn(globalThis, "setInterval");
setupLoad([schedule()]);
const { unmount } = render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(clearIntervalSpy).not.toHaveBeenCalled();
unmount();
expect(clearIntervalSpy).toHaveBeenCalled();
setIntervalSpy.mockRestore();
clearIntervalSpy.mockRestore();
});
// ── Misc ────────────────────────────────────────────────────────────────────
it("shows no timezone suffix when timezone is UTC", async () => {
setupLoad([schedule({ timezone: "UTC" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.queryByText(/\(UTC\)/)).not.toBeTruthy();
});
it("shows timezone suffix when non-UTC", async () => {
setupLoad([schedule({ timezone: "America/New_York" })]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
expect(screen.getByText(/\(America\/New_York\)/)).toBeTruthy();
});
it("checkbox toggles formEnabled state", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
const checkbox = screen.getByRole("checkbox");
expect((checkbox as HTMLInputElement).checked).toBe(true);
fireEvent.click(checkbox);
await flush();
expect((checkbox as HTMLInputElement).checked).toBe(false);
});
it("timezone select updates formTimezone", async () => {
setupLoad([]);
render(<ScheduleTab workspaceId="ws-1" />);
await flush();
fireEvent.click(screen.getByRole("button", { name: /\+ add schedule/i }));
await flush();
fireEvent.change(screen.getByLabelText("Timezone"), { target: { value: "America/Los_Angeles" } });
await flush();
expect((screen.getByLabelText("Timezone") as HTMLSelectElement).value).toBe("America/Los_Angeles");
});
});

View File

@ -1,408 +0,0 @@
// @vitest-environment jsdom
/**
* Tests for TracesTab Langfuse trace viewer.
*
* Coverage:
* - Loading state
* - Error state
* - Empty state (no traces)
* - Trace list rendering
* - Expand/collapse rows with aria attributes
* - Status dot colors (ERROR vs success)
* - Latency formatting (ms vs seconds)
* - Token count display
* - Cost display
* - Input/output rendering (string and object)
* - Refresh button
* - formatTime relative timestamps
* - "How to enable tracing" collapsed hint
*/
import React from "react";
import { render, screen, fireEvent, cleanup, act } from "@testing-library/react";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { TracesTab } from "../TracesTab";
// Hoisted so the vi.mock factory (itself hoisted above imports) can
// reference the mock; TracesTab only uses api.get.
const mockGet = vi.hoisted(() => vi.fn<[], Promise<unknown>>());
vi.mock("@/lib/api", () => ({
api: { get: mockGet },
}));
// ─── Fixtures ─────────────────────────────────────────────────────────────────
// Baseline Langfuse trace: a successful call one minute old, with latency,
// cost, token usage, and object-shaped input/output.
const TRACE_FIXTURE = {
id: "trace-abc123",
name: "security-scan",
timestamp: new Date(Date.now() - 60000).toISOString(),
latency: 450,
input: { query: "scan for vulnerabilities" },
output: { result: "No issues found" },
status: "success",
totalCost: 0.00234,
usage: { input: 120, output: 85, total: 205 },
};
// Shallow-merge overrides onto the baseline fixture (later keys win).
function trace(overrides: Partial<typeof TRACE_FIXTURE> = {}): typeof TRACE_FIXTURE {
return { ...TRACE_FIXTURE, ...overrides };
}
// ─── Helpers ───────────────────────────────────────────────────────────────────
// Drain resolved promises inside act so state updates land before asserts.
async function flush() {
  await act(async () => {
    await Promise.resolve();
  });
}
// Trace rows are the only buttons whose aria-controls points at a
// "trace-detail-*" region; filter all buttons down to just those rows.
function getTraceButtons() {
  const allButtons = screen.getAllByRole("button");
  return allButtons.filter((btn) =>
    btn.getAttribute("aria-controls")?.startsWith("trace-detail-"),
  );
}
// ─── Tests ─────────────────────────────────────────────────────────────────────
describe("TracesTab", () => {
  beforeEach(() => {
    mockGet.mockReset();
    vi.useRealTimers();
  });
  afterEach(() => {
    cleanup();
    vi.useRealTimers();
  });
  // ── Loading ─────────────────────────────────────────────────────────────────
  it("shows loading state when traces are being fetched", async () => {
    // A promise that never settles keeps the component in its loading state.
    mockGet.mockImplementation(() => new Promise(() => {}));
    render(<TracesTab workspaceId="ws-1" />);
    await act(async () => { /* flush initial render */ });
    expect(screen.getByText("Loading traces...")).toBeTruthy();
  });
  // ── Error ──────────────────────────────────────────────────────────────────
  it("shows error banner when GET /traces rejects", async () => {
    mockGet.mockRejectedValue(new Error("gateway timeout"));
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/gateway timeout/i)).toBeTruthy();
  });
  it("shows 'Failed to load traces' when GET rejects with non-Error", async () => {
    mockGet.mockRejectedValue("unknown");
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/Failed to load traces/i)).toBeTruthy();
  });
  // ── Empty state ───────────────────────────────────────────────────────────
  it("shows empty state when API returns empty list", async () => {
    mockGet.mockResolvedValue({ data: [] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("No traces yet")).toBeTruthy();
  });
  it("shows 'How to enable tracing' hint under empty state", async () => {
    mockGet.mockResolvedValue({ data: [] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/how to enable tracing/i)).toBeTruthy();
    expect(screen.getByText(/LANGFUSE_HOST/i)).toBeTruthy();
  });
  it("hides empty state when error is present", async () => {
    mockGet.mockRejectedValue(new Error("error"));
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.queryByText("No traces yet")).toBeFalsy();
  });
  // ── Trace list ─────────────────────────────────────────────────────────────
  it("renders trace name in the list", async () => {
    mockGet.mockResolvedValue({ data: [trace({ name: "my-trace" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("my-trace")).toBeTruthy();
  });
  it("shows trace count in header", async () => {
    mockGet.mockResolvedValue({
      data: [
        trace({ id: "t1" }),
        trace({ id: "t2" }),
        trace({ id: "t3" }),
      ],
    });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("3 traces")).toBeTruthy();
  });
  it("renders multiple traces", async () => {
    mockGet.mockResolvedValue({
      data: [
        trace({ id: "t1", name: "trace-alpha" }),
        trace({ id: "t2", name: "trace-beta" }),
      ],
    });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("trace-alpha")).toBeTruthy();
    expect(screen.getByText("trace-beta")).toBeTruthy();
  });
  it("shows 'trace' when name is empty", async () => {
    mockGet.mockResolvedValue({ data: [trace({ name: "" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("trace")).toBeTruthy();
  });
  // ── Status dot ─────────────────────────────────────────────────────────────
  it("applies bg-bad to ERROR traces", async () => {
    mockGet.mockResolvedValue({ data: [trace({ status: "ERROR" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    const dot = getTraceButtons()[0].querySelector("div[class*='rounded-full']");
    expect(dot?.className).toContain("bg-bad");
  });
  it("applies bg-good to success traces", async () => {
    mockGet.mockResolvedValue({ data: [trace({ status: "success" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    const dot = getTraceButtons()[0].querySelector("div[class*='rounded-full']");
    expect(dot?.className).toContain("bg-good");
  });
  // ── Latency formatting ──────────────────────────────────────────────────────
  it("shows latency in milliseconds when < 1000ms", async () => {
    mockGet.mockResolvedValue({ data: [trace({ latency: 450 })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("450ms")).toBeTruthy();
  });
  it("shows latency in seconds when >= 1000ms", async () => {
    mockGet.mockResolvedValue({ data: [trace({ latency: 2500 })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("2.5s")).toBeTruthy();
  });
  it("hides latency when null", async () => {
    mockGet.mockResolvedValue({ data: [trace({ latency: undefined })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.queryByText(/ms/)).toBeFalsy();
  });
  // ── Token count ────────────────────────────────────────────────────────────
  it("shows total token count from usage.total", async () => {
    mockGet.mockResolvedValue({ data: [trace({ usage: { input: 100, output: 50, total: 150 } })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("150 tok")).toBeTruthy();
  });
  it("hides token count when usage is undefined", async () => {
    mockGet.mockResolvedValue({ data: [trace({ usage: undefined })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.queryByText(/tok/)).toBeFalsy();
  });
  // ── Expand/collapse ─────────────────────────────────────────────────────────
  it("shows '▶' when trace is collapsed", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText("▶")).toBeTruthy();
  });
  it("shows '▼' when trace is expanded", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.getByText("▼")).toBeTruthy();
  });
  // FIX: this test was previously titled "shows '▼' when all traces are
  // collapsed", contradicting its assertions — collapsed rows render '▶' only.
  it("does not show '▼' when all traces are collapsed", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.queryByText("▼")).toBeFalsy();
    expect(screen.getByText("▶")).toBeTruthy();
  });
  it("shows input/output panel when trace is expanded", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.getByText(/INPUT/i)).toBeTruthy();
    expect(screen.getByText(/OUTPUT/i)).toBeTruthy();
  });
  it("shows JSON stringified input when input is an object", async () => {
    mockGet.mockResolvedValue({ data: [trace({ input: { query: "test" } })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.getByText(/"query": "test"/)).toBeTruthy();
  });
  it("shows raw string when input is a string", async () => {
    mockGet.mockResolvedValue({ data: [trace({ input: "plain text input" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.getByText("plain text input")).toBeTruthy();
  });
  it("shows trace ID in expanded panel", async () => {
    mockGet.mockResolvedValue({ data: [trace({ id: "trace-xyz-999" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.getByText("trace-xyz-999")).toBeTruthy();
  });
  it("shows cost when totalCost is present", async () => {
    mockGet.mockResolvedValue({ data: [trace({ totalCost: 0.001234 })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    // FIX: escape the decimal point — an unescaped '.' matches any character.
    expect(screen.getByText(/\$0\.001234/)).toBeTruthy();
  });
  it("hides cost section when totalCost is null", async () => {
    mockGet.mockResolvedValue({ data: [trace({ totalCost: undefined })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.queryByText(/cost/i)).toBeFalsy();
  });
  it("has aria-expanded=true on expanded row", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    const btn = getTraceButtons()[0];
    expect(btn.getAttribute("aria-expanded")).toBe("false");
    act(() => { btn.click(); });
    await flush();
    expect(btn.getAttribute("aria-expanded")).toBe("true");
  });
  it("has aria-expanded=false on collapsed row", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(getTraceButtons()[0].getAttribute("aria-expanded")).toBe("false");
  });
  it("has aria-controls linking row to its detail panel", async () => {
    mockGet.mockResolvedValue({ data: [trace({ id: "trace-abc123" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(getTraceButtons()[0].getAttribute("aria-controls")).toBe("trace-detail-trace-abc123");
  });
  // ── Refresh ────────────────────────────────────────────────────────────────
  it("Refresh button triggers a new GET", async () => {
    mockGet.mockResolvedValue({ data: [trace()] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    mockGet.mockClear();
    fireEvent.click(screen.getByRole("button", { name: /refresh/i }));
    await flush();
    expect(mockGet).toHaveBeenCalledWith("/workspaces/ws-1/traces");
  });
  // ── formatTime ─────────────────────────────────────────────────────────────
  it("shows 'Xs ago' for traces under 1 minute", async () => {
    const timestamp = new Date(Date.now() - 30_000).toISOString();
    mockGet.mockResolvedValue({ data: [trace({ timestamp, id: "t-30s" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    // 30s ago
    expect(screen.getByText(/\d+s ago/)).toBeTruthy();
  });
  it("shows 'Xm ago' for traces under 1 hour", async () => {
    const timestamp = new Date(Date.now() - 120_000).toISOString();
    mockGet.mockResolvedValue({ data: [trace({ timestamp, id: "t-2m" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/\dm ago/)).toBeTruthy();
  });
  it("shows 'Xh ago' for traces under 1 day", async () => {
    const timestamp = new Date(Date.now() - 3_600_000).toISOString();
    mockGet.mockResolvedValue({ data: [trace({ timestamp, id: "t-1h" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(/\dh ago/)).toBeTruthy();
  });
  it("shows locale date for traces older than 24 hours", async () => {
    const oldDate = new Date(Date.now() - 172_800_000);
    mockGet.mockResolvedValue({ data: [trace({ timestamp: oldDate.toISOString(), id: "t-old" })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    expect(screen.getByText(oldDate.toLocaleDateString())).toBeTruthy();
  });
  // ── Edge cases ─────────────────────────────────────────────────────────────
  it("handles traces with no input or output", async () => {
    mockGet.mockResolvedValue({ data: [trace({ input: undefined, output: undefined })] });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    act(() => { getTraceButtons()[0].click(); });
    await flush();
    expect(screen.queryByText(/INPUT/i)).toBeFalsy();
    expect(screen.queryByText(/OUTPUT/i)).toBeFalsy();
  });
  it("shows only one expanded trace at a time", async () => {
    mockGet.mockResolvedValue({
      data: [
        trace({ id: "t1", name: "Alpha" }),
        trace({ id: "t2", name: "Beta" }),
      ],
    });
    render(<TracesTab workspaceId="ws-1" />);
    await flush();
    const [btn1, btn2] = getTraceButtons();
    act(() => { btn1.click(); });
    await flush();
    expect(btn1.getAttribute("aria-expanded")).toBe("true");
    expect(btn2.getAttribute("aria-expanded")).toBe("false");
    act(() => { btn2.click(); });
    await flush();
    expect(btn1.getAttribute("aria-expanded")).toBe("false");
    expect(btn2.getAttribute("aria-expanded")).toBe("true");
  });
});

View File

@ -1,140 +0,0 @@
// @vitest-environment jsdom
/**
* Unit tests for extractSkills pure helper from SkillsTab.
*
* Covers: null card, non-array skills, empty skills, full skill entries
* (id, name, description, tags, examples), id-only fallback, name-only
* fallback, string coercion, array coercion for tags/examples,
* filtering entries with no id after coercion, empty string id (filtered).
*/
import { describe, it, expect } from "vitest";
import { extractSkills } from "../SkillsTab";
describe("extractSkills", () => {
  // Expected normalized shape: every field present, defaults filled in.
  const normalized = (id: string, extras: Record<string, unknown> = {}) => ({
    id,
    name: id,
    description: "",
    tags: [],
    examples: [],
    ...extras,
  });
  it("returns [] for null card", () => {
    expect(extractSkills(null)).toEqual([]);
  });
  it("returns [] when card.skills is not an array", () => {
    const nonArrays = [undefined, "not-an-array", { id: "x" }];
    for (const skills of nonArrays) {
      expect(extractSkills({ skills })).toEqual([]);
    }
  });
  it("returns [] for empty skills array", () => {
    expect(extractSkills({ skills: [] })).toEqual([]);
  });
  it("maps a fully-populated skill entry", () => {
    const entry = {
      id: "code_search",
      name: "Code Search",
      description: "Semantic code search",
      tags: ["search", "code"],
      examples: ["Find unused exports", "Search by AST pattern"],
    };
    expect(extractSkills({ skills: [entry] })).toEqual([
      normalized("code_search", {
        name: "Code Search",
        description: "Semantic code search",
        tags: ["search", "code"],
        examples: ["Find unused exports", "Search by AST pattern"],
      }),
    ]);
  });
  it("uses name as id when id is absent", () => {
    expect(extractSkills({ skills: [{ name: "web_scraper" }] })).toEqual([
      normalized("web_scraper"),
    ]);
  });
  it("uses id as name when name is absent", () => {
    expect(extractSkills({ skills: [{ id: "legacy_skill" }] })).toEqual([
      normalized("legacy_skill"),
    ]);
  });
  it("filters out entries with neither id nor name", () => {
    // id: String(undefined || undefined || "") → "" → filtered (id.length = 0)
    expect(extractSkills({ skills: [{ description: "orphan entry" }] })).toEqual([]);
  });
  it("filters out entries with no id after string coercion", () => {
    // id resolves to "" when both id and name are null
    expect(extractSkills({ skills: [{ id: null, name: null }] })).toEqual([]);
  });
  it("filters out entries with empty-string id", () => {
    expect(extractSkills({ skills: [{ id: "", name: "" }] })).toEqual([]);
  });
  it("coerces numeric tags to strings", () => {
    expect(extractSkills({ skills: [{ id: "x", tags: [1, "two", 3] }] })).toEqual([
      normalized("x", { tags: ["1", "two", "3"] }),
    ]);
  });
  it("coerces non-array tags to empty array", () => {
    expect(extractSkills({ skills: [{ id: "x", tags: "not-an-array" }] })).toEqual([
      normalized("x"),
    ]);
  });
  it("coerces non-array examples to empty array", () => {
    expect(extractSkills({ skills: [{ id: "x", examples: 42 }] })).toEqual([
      normalized("x"),
    ]);
  });
  // NOTE: extractSkills uses `String(skill.description || "")` — falsy values
  // (0, null, false) fall through to "", NOT to their string form.
  it("returns '' for falsy description values (0, null, false)", () => {
    expect(extractSkills({ skills: [{ id: "x", description: 0 }] })).toEqual([
      normalized("x"),
    ]);
  });
  it("handles mixed valid/invalid entries", () => {
    const entries = [
      { id: "valid_one", name: "One" },
      { name: "named_only" },
      { description: "orphan" }, // filtered — id becomes ""
      { id: "valid_two", examples: ["a", "b"] },
    ];
    expect(extractSkills({ skills: entries })).toEqual([
      normalized("valid_one", { name: "One" }),
      normalized("named_only"),
      normalized("valid_two", { examples: ["a", "b"] }),
    ]);
  });
  it("handles a realistic agent card with multiple skills", () => {
    const agentCard = {
      skills: [
        { id: "web_search", name: "Web Search", description: "Search the web", tags: ["search"], examples: ["Latest news"] },
        { id: "file_read", name: "Read Files", description: "Read from disk", tags: ["io"], examples: [] },
      ],
    };
    const skills = extractSkills(agentCard);
    expect(skills).toHaveLength(2);
    expect(skills[0].id).toBe("web_search");
    expect(skills[1].tags).toEqual(["io"]);
  });
});

View File

@ -1,95 +0,0 @@
// @vitest-environment jsdom
/**
* Unit tests for getSkills pure helper from DetailsTab.
*
* Covers: null card, non-array skills, empty skills, id-only entries,
* name-only entries (id derives from name), entries with description,
* entries with neither id nor name (filtered out), mixed entries.
*/
import { describe, it, expect } from "vitest";
import { getSkills } from "../DetailsTab";
describe("getSkills", () => {
  it("returns [] for null card", () => {
    expect(getSkills(null)).toEqual([]);
  });
  it("returns [] when card.skills is not an array", () => {
    const nonArrays = [undefined, "not-an-array", { id: "x" }];
    for (const skills of nonArrays) {
      expect(getSkills({ skills })).toEqual([]);
    }
  });
  it("returns [] for empty skills array", () => {
    expect(getSkills({ skills: [] })).toEqual([]);
  });
  it("maps skill with id and description", () => {
    const result = getSkills({ skills: [{ id: "code_search", description: "Find code patterns" }] });
    expect(result).toEqual([{ id: "code_search", description: "Find code patterns" }]);
  });
  it("maps skill with id only (description absent)", () => {
    const result = getSkills({ skills: [{ id: "code_search" }] });
    expect(result).toEqual([{ id: "code_search", description: undefined }]);
  });
  it("derives id from name when id is absent", () => {
    expect(getSkills({ skills: [{ name: "web_scraper" }] })).toEqual([{ id: "web_scraper" }]);
  });
  it("maps description when present", () => {
    const result = getSkills({ skills: [{ id: "file_write", description: "Writes files to disk" }] });
    expect(result).toEqual([{ id: "file_write", description: "Writes files to disk" }]);
  });
  it("returns description as undefined when skill has no description", () => {
    // The map always includes description; it's undefined when absent
    expect(getSkills({ skills: [{ id: "noop_skill" }] })).toEqual([
      { id: "noop_skill", description: undefined },
    ]);
  });
  it("filters out skills with neither id nor name", () => {
    // id: String(undefined || undefined || "") → "" → filtered
    expect(getSkills({ skills: [{ description: "loner" }] })).toEqual([]);
  });
  it("handles mixed valid/invalid entries", () => {
    const entries = [
      { id: "valid_one" },
      { name: "named_skill" },
      { description: "orphaned" }, // filtered
      { id: "valid_two", description: "Has both" },
    ];
    expect(getSkills({ skills: entries })).toEqual([
      { id: "valid_one", description: undefined },
      { id: "named_skill", description: undefined },
      { id: "valid_two", description: "Has both" },
    ]);
  });
  it("handles string coercion for numeric ids/names", () => {
    expect(getSkills({ skills: [{ id: 42, name: "numeric_id" }] })).toEqual([{ id: "42" }]);
  });
  it("uses id over name when both are present", () => {
    expect(getSkills({ skills: [{ id: "priority_id", name: "fallback_name" }] })).toEqual([
      { id: "priority_id", description: undefined },
    ]);
  });
  it("omits description when it is falsy (0 is falsy in JS)", () => {
    // The implementation uses `s.description ?` — 0 is falsy, so it's treated
    // as absent and undefined is returned. Non-zero numbers coerce fine.
    expect(getSkills({ skills: [{ id: "x", description: 0 }] })).toEqual([
      { id: "x", description: undefined },
    ]);
    expect(getSkills({ skills: [{ id: "x", description: 42 }] })).toEqual([
      { id: "x", description: "42" },
    ]);
  });
});

Some files were not shown because too many files have changed in this diff Show More