fix(canvas/test): wrap render() in act() for SettingsPanel open/close tests

React state updates triggered by store subscriptions are not guaranteed
to flush before the next synchronous assertion. On slower runners (CI cold
start), getByTestId("secrets-tab") fires before the Dialog.Root
open={isPanelOpen} effect resolves, causing a 5000ms timeout.

Wrapping every render() that sets isPanelOpen=true inside act() ensures
all pending effects and state updates flush before the assertion runs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/review-refire-comments.yml

@@ -18,6 +18,10 @@ permissions:
   pull-requests: read
   statuses: write
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.issue.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   dispatch:
     runs-on: ubuntu-latest

.gitea/workflows/sop-checklist.yml

@@ -70,7 +70,7 @@ name: sop-checklist
 # Cancel any in-progress runs for the same PR to prevent
 # stale runs from overwriting newer status contexts.
 concurrency:
-  group: ${{ github.repository }}-${{ github.event.pull_request.number }}
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}
   cancel-in-progress: true
 
 # bp-required: yes  ← emits sop-checklist / all-items-acked (pull_request)

.gitea/workflows/sop-tier-check.yml

@@ -61,6 +61,10 @@ on:
   pull_request_review:
     types: [submitted, dismissed, edited]
 
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   tier-check:
     runs-on: ubuntu-latest

canvas/src/components/settings/__tests__/SettingsPanel.test.tsx

@@ -122,33 +122,33 @@ describe("SettingsPanel — closed by default", () => {
 describe("SettingsPanel — open / close", () => {
   it("renders SecretsTab when panel is open", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-xyz" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-xyz" />); });
     expect(screen.getByTestId("secrets-tab")).toBeTruthy();
     expect(screen.getByText(/workspaceId=ws-xyz/i)).toBeTruthy();
   });
 
   it("renders TokensTab tab in tabs list", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     expect(screen.getByRole("tab", { name: /workspace tokens/i })).toBeTruthy();
   });
 
   it("renders Org API Keys tab in tabs list", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     expect(screen.getByRole("tab", { name: /org api keys/i })).toBeTruthy();
   });
 
   it("Secrets tab is default active", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     expect(screen.getByTestId("secrets-tab")).toBeTruthy();
     expect(screen.getByRole("tab", { name: /secrets/i }).getAttribute("data-state")).toBe("active");
   });
 
   it("Tokens tab trigger exists with correct aria attributes", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     const tab = screen.getByRole("tab", { name: /workspace tokens/i });
     // Radix Tabs.Trigger has role="tab" and aria-selected
     expect(tab).toBeTruthy();
@@ -161,14 +161,14 @@ describe("SettingsPanel — open / close", () => {
 
   it("Close button calls closePanel", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
     expect(mockClosePanel).toHaveBeenCalled();
   });
 
   it("calls fetchSecrets(workspaceId) when panel opens", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-fetch-test" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-fetch-test" />); });
     expect(mockFetchSecrets).toHaveBeenCalledWith("ws-fetch-test");
   });
 });
@@ -179,7 +179,7 @@ describe("SettingsPanel — unsaved changes guard", () => {
   it("shows guard when panel closing with isAddFormOpen=true", () => {
     storeState.isPanelOpen = true;
     storeState.isAddFormOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
     expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
   });
@@ -187,7 +187,7 @@ describe("SettingsPanel — unsaved changes guard", () => {
   it("guard shows when editingKey is set (dirty form)", () => {
     storeState.isPanelOpen = true;
     storeState.editingKey = "GITHUB_TOKEN";
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
     expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
   });
@@ -195,7 +195,7 @@ describe("SettingsPanel — unsaved changes guard", () => {
   it("'Keep editing' closes guard but panel stays open", () => {
     storeState.isPanelOpen = true;
     storeState.editingKey = "GITHUB_TOKEN";
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     // Trigger close attempt
     fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
     expect(screen.getByTestId("unsaved-guard")).toBeTruthy();
@@ -209,7 +209,7 @@ describe("SettingsPanel — unsaved changes guard", () => {
   it("'Discard' button on guard calls closePanel", () => {
     storeState.isPanelOpen = true;
     storeState.isAddFormOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     fireEvent.click(screen.getByRole("button", { name: /close settings/i }));
     fireEvent.click(screen.getByTestId("guard-discard"));
     expect(mockClosePanel).toHaveBeenCalled();
@@ -221,13 +221,13 @@ describe("SettingsPanel — unsaved changes guard", () => {
 describe("SettingsPanel — accessibility", () => {
   it("Dialog.Content has aria-label='Settings: API Keys'", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     expect(document.querySelector('[aria-label="Settings: API Keys"]')).toBeTruthy();
   });
 
   it("TabList has aria-label='Settings sections'", () => {
     storeState.isPanelOpen = true;
-    render(<SettingsPanel workspaceId="ws-1" />);
+    act(() => { render(<SettingsPanel workspaceId="ws-1" />); });
     expect(document.querySelector('[aria-label="Settings sections"]')).toBeTruthy();
   });
 });

workspace-server/internal/handlers/external_connection.go

@@ -646,8 +646,12 @@ const externalOpenClawTemplate = `# OpenClaw MCP config — outbound tool path.
 # external machine today, pair with the Python SDK tab.
 
 # 1. Install openclaw CLI + the workspace runtime wheel:
+#    The version pin (>=0.1.999) ensures the "molecule-mcp" console
+#    script is present — it is what keeps the workspace ALIVE on canvas
+#    (register-on-startup + 20s heartbeat). Older versions only ship
+#    a2a_mcp_server which does not heartbeat.
 npm install -g openclaw@latest
-pip install molecule-ai-workspace-runtime
+pip install "molecule-ai-workspace-runtime>=0.1.999"
 
 # 2. Onboard openclaw against your model provider (one-time setup).
 #    --non-interactive needs an explicit --provider + --model so it