Merge commit 'd3770fde' into __merge-test

# Conflicts: # workspace-server/internal/handlers/workspace.go
docs(runbooks): add engineer-agent Gitea token scope runbook (#1750 follow-up)
2026-05-27 04:01:01 +00:00 · 2026-05-27 03:20:40 +00:00 · 2026-05-27 03:17:26 +00:00 · 2026-05-27 03:06:58 +00:00 · 2026-05-26 17:03:22 +00:00 · 2026-05-26 11:49:06 +00:00
139 changed files with 2448 additions and 8949 deletions
@@ -605,151 +605,6 @@ def file_or_update_red(
        sys.stderr.write(f"::warning::label '{RED_LABEL}' not found on repo\n")


-def close_stale_red_issues(
-    current_sha: str,
-    current_status: dict,
-    *,
-    dry_run: bool = False,
-) -> int:
-    """Close open [main-red] issues whose specific failing contexts have
-    all recovered on `current_sha`, even though `main` is still red for
-    other reasons (mc#1789).
-
-    When main stays red across consecutive SHAs for *different* causes,
-    `close_open_red_issues_for_other_shas` never fires (it only runs when
-    main is green). This function prevents stale issues from accumulating
-    indefinitely by comparing per-context recovery across SHAs.
-
-    An issue is considered stale when every context that was in a failed
-    state on the issue's SHA is now either `success` on the current HEAD
-    or absent (workflow removed / renamed). Issues whose original SHA had
-    a combined-red-with-no-detail (empty statuses list) are skipped — we
-    cannot verify recovery without per-context data.
-
-    Returns the number of issues closed.
-    """
-    open_red = list_open_red_issues()
-    if not open_red:
-        return 0
-
-    current_statuses = current_status.get("statuses") or []
-    closed = 0
-
-    for issue in open_red:
-        title = issue.get("title", "")
-        prefix = f"{TITLE_PREFIX} {REPO}: "
-        if not title.startswith(prefix):
-            continue
-        short_sha = title[len(prefix):]
-        if short_sha == current_sha[:10]:
-            continue
-
-        # Query status for the old SHA. Short SHA should resolve; if it
-        # doesn't (GC'd, force-pushed, ambiguous), skip conservatively.
-        try:
-            old_status = get_combined_status(short_sha)
-        except ApiError:
-            continue
-
-        old_red, old_failed = is_red(old_status)
-        if not old_red:
-            # Open issue for a now-green SHA — close it via the normal path.
-            num = issue.get("number")
-            if isinstance(num, int):
-                comment = (
-                    f"Commit `{short_sha}` is no longer red. Closing as the "
-                    f"failure context has recovered or expired."
-                )
-                if dry_run:
-                    print(
-                        f"::notice::[dry-run] would close issue #{num} "
-                        f"({title}) — old SHA is now green"
-                    )
-                    closed += 1
-                    continue
-                api(
-                    "POST",
-                    f"/repos/{OWNER}/{NAME}/issues/{num}/comments",
-                    body={"body": comment},
-                )
-                api(
-                    "PATCH",
-                    f"/repos/{OWNER}/{NAME}/issues/{num}",
-                    body={"state": "closed"},
-                )
-                print(
-                    f"::notice::Closed stale main-red issue #{num} "
-                    f"(old SHA {short_sha} is now green)"
-                )
-                closed += 1
-            continue
-
-        if not old_failed:
-            # Combined red with no per-context detail — can't verify recovery.
-            continue
-
-        # Verify every failed context from the old SHA has recovered.
-        all_recovered = True
-        recovered_ctxs: list[str] = []
-        still_failing_ctxs: list[str] = []
-        for s in old_failed:
-            ctx = s.get("context", "")
-            if not ctx:
-                continue
-            current_match = None
-            for cs in current_statuses:
-                if isinstance(cs, dict) and cs.get("context") == ctx:
-                    current_match = cs
-                    break
-            if current_match is None:
-                recovered_ctxs.append(ctx)
-            elif _entry_state(current_match) == "success":
-                recovered_ctxs.append(ctx)
-            else:
-                all_recovered = False
-                still_failing_ctxs.append(ctx)
-
-        if not all_recovered:
-            continue
-
-        num = issue.get("number")
-        if not isinstance(num, int):
-            continue
-
-        comment = (
-            f"The failing contexts from this SHA (`{short_sha}`) have "
-            f"recovered on current HEAD `{current_sha[:10]}`: "
-            f"{', '.join(recovered_ctxs)}. "
-            f"Main is still red for other reasons; see the current "
-            f"`[main-red]` issue for `{current_sha[:10]}`."
-        )
-        if dry_run:
-            print(
-                f"::notice::[dry-run] would close stale issue #{num} "
-                f"({title}) — contexts recovered"
-            )
-            closed += 1
-            continue
-
-        api(
-            "POST",
-            f"/repos/{OWNER}/{NAME}/issues/{num}/comments",
-            body={"body": comment},
-        )
-        api(
-            "PATCH",
-            f"/repos/{OWNER}/{NAME}/issues/{num}",
-            body={"state": "closed"},
-        )
-        print(
-            f"::notice::Closed stale main-red issue #{num} "
-            f"(contexts recovered at {current_sha[:10]})"
-        )
-        closed += 1
-
-    return closed
-
-
 def close_open_red_issues_for_other_shas(
    current_sha: str,
    *,
@@ -920,13 +775,6 @@ def run_once(*, dry_run: bool = False) -> int:
        print(f"::warning::main is RED at {sha[:10]} on {WATCH_BRANCH}: "
              f"{len(failed)} failed context(s)")
        file_or_update_red(sha, failed, debug, dry_run=dry_run)
-        stale_closed = close_stale_red_issues(sha, recheck_status, dry_run=dry_run)
-        if stale_closed:
-            emit_loki_event("main_red_stale_closed", sha, [])
-            print(
-                f"::notice::Closed {stale_closed} stale main-red issue(s) "
-                f"whose contexts recovered at {sha[:10]}"
-            )
    else:
        # Green or pending-with-no-real-failures. Close stale issues
        # from earlier SHAs when required CI has recovered.
@@ -642,7 +642,7 @@ def load_config(path: str) -> dict[str, Any]:
        # requiring the dep, so the ignore is safe: if yaml loads, we use it;
        # otherwise we fall back silently.
        import yaml  # type: ignore[import-not-found]
-        with open(path, encoding="utf-8") as f:
+        with open(path) as f:
            return yaml.safe_load(f)
    except ImportError:
        return _load_config_minimal(path)
@@ -656,7 +656,7 @@ def _load_config_minimal(path: str) -> dict[str, Any]:
    item map: scalars + lists of scalars. Does NOT support nested lists,
    YAML anchors, multi-doc, or flow style.
    """
-    with open(path, encoding="utf-8") as f:
+    with open(path) as f:
        lines = f.readlines()
    return _parse_minimal_yaml(lines)

@@ -33,7 +33,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_success"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
        return f.read().strip()


@@ -40,7 +40,7 @@ def scenario() -> str:
    p = os.path.join(STATE_DIR, "scenario")
    if not os.path.isfile(p):
        return "T1_pr_open"
-    with open(p, encoding="utf-8") as f:
+    with open(p) as f:
        return f.read().strip()


@@ -258,7 +258,6 @@ def test_run_once_failure_does_not_close(monkeypatch):

    monkeypatch.setattr(wd, "file_or_update_red", capture_file)
    monkeypatch.setattr(wd, "close_open_red_issues_for_other_shas", lambda *a, **k: 0)
-    monkeypatch.setattr(wd, "close_stale_red_issues", lambda *a, **k: 0)

    assert wd.run_once(dry_run=True) == 0
    assert filed == ["abc123"]
@@ -37,7 +37,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -45,7 +45,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 5
    steps:
@@ -101,7 +101,7 @@ jobs:
    # AND-set: only the Mac arm64 runner advertises macos-self-hosted.
    # See "RUNNER TARGETING" header note for why bare self-hosted is unsafe.
    runs-on: [self-hosted, macos-self-hosted]
-    # ADVISORY: never blocks. See safety contract point 3. mc#1982
+    # ADVISORY: never blocks. See safety contract point 3. mc#774
    # internal#418 — tracked: arm64 advisory pilot, non-gating by design.
    continue-on-error: true
    # event_name gate: functional (only meaningful on push/PR) AND keeps
@@ -57,7 +57,7 @@ permissions:
 # can produce duplicate comments before the title-search dedup wins.
 concurrency:
  group: ci-required-drift
-  cancel-in-progress: true
+  cancel-in-progress: false

 jobs:
  drift:
@@ -161,23 +161,15 @@ jobs:
          echo "::group::pendinguploads exit=$pu_exit (last 100 lines)"
          tail -100 /tmp/test-pu.log
          echo "::endgroup::"
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
      - if: ${{ needs.changes.outputs.platform == 'true' }}
-        name: Run tests with coverage (blocking gate)
-        # Removed -race from the blocking gate per #1184: cold runners
-        # take 13-25 min to compile with race instrumentation, exceeding
-        # the 10m step timeout and causing false failures. Race detection
-        # now runs as a non-blocking advisory step below.
-        run: go test -timeout 10m -coverprofile=coverage.out ./...
-
-      - if: ${{ needs.changes.outputs.platform == 'true' }}
-        name: Race detection (advisory, non-blocking)
-        # mc#1184: runs race detector as an advisory check so cold-runner
-        # compile-time spikes don't block merges. Failures here surface in
-        # the run log but do not fail the build.
-        run: go test -race -timeout 10m ./...
-        continue-on-error: true
+        name: Run tests with race detection and coverage
+        # Explicit timeout: cold runner cache causes OOM kills at ~4m39s on the
+        # full ./... suite with race detection + coverage. A 10m per-step timeout
+        # lets the suite complete on cold cache (~5-7m) while failing cleanly
+        # instead of OOM-killing. The job-level timeout (15m) is a backstop.
+        run: go test -race -timeout 10m -coverprofile=coverage.out ./...

      - if: ${{ needs.changes.outputs.platform == 'true' }}
        name: Per-file coverage report
@@ -92,7 +92,7 @@ permissions:
 # stacking up.
 concurrency:
  group: continuous-synth-e2e
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -102,7 +102,7 @@ jobs:
    name: Synthetic E2E against staging
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # Bumped from 12 → 20 (2026-05-04). Tenant user-data install phase
    # (apt-get update + install docker.io/jq/awscli/caddy + snap install
@@ -101,7 +101,7 @@ concurrency:
  # See e2e-staging-canvas.yml's identical concurrency block for the full
  # rationale and the 2026-04-28 incident reference.
  group: e2e-api-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -123,7 +123,7 @@ jobs:
    # integration). See internal#512 for the class defect.
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      api: ${{ steps.decide.outputs.api }}
@@ -160,7 +160,7 @@ jobs:
    # detect-changes for the full rationale.
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 15
    env:
@@ -32,7 +32,7 @@ on:

 concurrency:
  group: e2e-chat-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -48,7 +48,7 @@ jobs:
    # defect.
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      chat: ${{ steps.decide.outputs.chat }}
@@ -112,7 +112,7 @@ jobs:
    # Must land on operator-host Linux (docker-host).
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 15
    env:
@@ -15,7 +15,7 @@ on:

 concurrency:
  group: e2e-legacy-advisory
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  contents: read
@@ -115,7 +115,7 @@ concurrency:
  # would let a queued staging/main push behind a PR run get cancelled,
  # leaving any gate that reads "completed run at SHA" stuck.
  group: e2e-peer-visibility-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -62,7 +62,7 @@ concurrency:
  # wasted CI is acceptable given the alternative is losing staging-tip
  # data that auto-promote-staging needs.
  group: e2e-staging-canvas-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -71,7 +71,7 @@ jobs:
  detect-changes:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      canvas: ${{ steps.decide.outputs.canvas }}
@@ -140,7 +140,7 @@ jobs:
    name: Canvas tabs E2E
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 40

@@ -84,7 +84,7 @@ jobs:
    name: E2E Staging External Runtime
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25

@@ -92,20 +92,20 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

      - name: YAML validation (best-effort)
        run: |
          echo "e2e-staging-saas.yml — PR validation: workflow YAML is valid."
          echo "E2E step runs only when provisioning-critical files change."
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true

  # Actual E2E: runs on trunk pushes and PRs that touch provisioning-critical
@@ -116,7 +116,7 @@ jobs:
    name: E2E Staging SaaS
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 45
    permissions:
@@ -26,7 +26,7 @@ env:

 concurrency:
  group: e2e-staging-sanity
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  issues: write
@@ -37,7 +37,7 @@ jobs:
    name: Intentional-failure teardown sanity
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 20

@@ -66,7 +66,7 @@ jobs:
  # bp-exempt: PR advisory bot; merge blocking is enforced by CI status and branch protection.
  gate-check:
    runs-on: ubuntu-latest
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true  # Never block on our own detector failing
    steps:
      - name: Check out BASE ref (never PR-head under pull_request_target)
@@ -69,7 +69,7 @@ on:
    branches: [main, staging]
 concurrency:
  group: handlers-pg-integ-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -87,8 +87,8 @@ jobs:
    # both jobs on the same label avoids workspace-volume cross-host
    # surprises and keeps the routing rule discoverable in one place.
    runs-on: docker-host
-    # mc#1982 Phase 3 (RFC §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      handlers: ${{ steps.filter.outputs.handlers }}
@@ -118,8 +118,8 @@ jobs:
    # mc#1529 §1: must run on operator-host (where `molecule-core-net`
    # exists). See detect-changes for the full routing rationale.
    runs-on: docker-host
-    # mc#1982 Phase 3 (RFC §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774 Phase 3 (RFC §1): surface broken workflows without blocking.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    env:
      # Unique name per run so concurrent jobs don't collide on the
@@ -54,7 +54,7 @@ concurrency:
  # cancellation deadlock — see e2e-api.yml's concurrency block for
  # the 2026-04-28 incident that codified this pattern.
  group: harness-replays-${{ github.event.pull_request.head.sha || github.sha }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 env:
  GITHUB_SERVER_URL: https://git.moleculesai.app
@@ -70,7 +70,7 @@ jobs:
    # of mc#1543; see internal#512 for class defect.
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      run: ${{ steps.decide.outputs.run }}
@@ -172,7 +172,7 @@ jobs:
    # beta containers. Must run on operator-host Linux (docker-host).
    runs-on: docker-host
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 30
    steps:
@@ -94,7 +94,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface drift without blocking. After 7
    # clean scheduled runs on main, flip to false so a scheduled
    # failure is a hard CI signal.
-    continue-on-error: true  # mc#1982 Phase 3 — flip to false after 7 clean main runs
+    continue-on-error: true  # mc#774 Phase 3 — flip to false after 7 clean main runs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
@@ -1,6 +1,6 @@
 name: lint-continue-on-error-tracking

-# Tier 2e hard-gate lint (per mc#1982) — every
+# Tier 2e hard-gate lint (per mc#774) — every
 # `continue-on-error: true` in `.gitea/workflows/*.yml` must carry a
 # `# mc#NNNN` or `# internal#NNNN` tracker comment within 2 lines,
 # the referenced issue must be OPEN, and ≤14 days old.
@@ -8,7 +8,7 @@ name: lint-continue-on-error-tracking
 # Why this exists
 # ---------------
 # `continue-on-error: true` on `platform-build` had been hiding
-# mc#1982-class regressions for ~3 weeks before #656 surfaced them on
+# mc#774-class regressions for ~3 weeks before #656 surfaced them on
 # 2026-05-12. A 14-day cap on tracker age forces a review cycle and
 # surfaces mask-drift within at most 14 days of the original defect.
 # Each `continue-on-error: true` gets a paper trail — close or renew.
@@ -97,9 +97,9 @@ jobs:
    # Phase 3 (RFC #219 §1): surface masked defects without blocking
    # PRs. Pre-existing continue-on-error: true directives on main
    # all violate this lint at first — intentional. Flip to false
-    # follow-up after main is clean for 3 days. mc#1982.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
-    continue-on-error: true  # mc#1982 Phase 3 mask — 14d forced-renewal cadence
+    # follow-up after main is clean for 3 days. mc#774.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    continue-on-error: true  # mc#774 Phase 3 mask — 14d forced-renewal cadence
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
@@ -51,7 +51,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking
    # the PR. Follow-up PR flips this off after surfaced defects are
    # triaged.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -92,8 +92,8 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken shapes without blocking
    # PRs. Follow-up PR flips this to `false` once recent runs on main
    # are confirmed clean (eat-our-own-dogfood discipline mirrors
-    # PR#673's same-shape comment). Tracking: mc#1982.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # PR#673's same-shape comment). Tracking: mc#774.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - name: Check out PR head with full history (need base SHA blobs)
@@ -4,7 +4,7 @@ name: Lint pre-flip continue-on-error
 # on any job in `.gitea/workflows/*.yml` WITHOUT proof that the affected
 # job's recent runs on the target branch (PR base) are actually green.
 #
-# Empirical class: PR #656 / mc#1982. PR #656 (RFC internal#219 Phase 4)
+# Empirical class: PR #656 / mc#774. PR #656 (RFC internal#219 Phase 4)
 # flipped 5 platform-build-class jobs `continue-on-error: true → false`
 # on the basis of a "verified green on main via combined-status check".
 # But that "green" was the LIE the prior `continue-on-error: true`
@@ -99,8 +99,8 @@ jobs:
    timeout-minutes: 8
    # Phase 3 (RFC internal#219 §1): surface broken flips without blocking
    # the PR yet. Follow-up flips this to `false` once the workflow itself
-    # has clean recent runs on main. mc#1982 interim — remove when CoE→false.
-    continue-on-error: true  # mc#1982
+    # has clean recent runs on main. mc#774 interim — remove when CoE→false.
+    continue-on-error: true  # mc#774
    steps:
      - name: Check out PR head (full history for base-SHA access)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -83,8 +83,8 @@ jobs:
    timeout-minutes: 5
    # Phase 3 (RFC #219 §1): surface the pattern without blocking PRs
    # while the directive convention beds in. Follow-up flip to false
-    # after 7 clean days on main. mc#1982.
-    continue-on-error: true  # mc#1982 Phase 3 — flip to false after 7 clean main runs
+    # after 7 clean days on main. mc#774.
+    continue-on-error: true  # mc#774 Phase 3 — flip to false after 7 clean main runs
    steps:
      - name: Check out PR head with full history (need base SHA blobs)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -55,7 +55,7 @@ jobs:
    # Phase 3 (RFC #219 §1): surface broken shapes without blocking PRs.
    # Follow-up PR flips this off after the 4 existing-on-main rule-2
    # (workflow_run) violations are migrated to a supported trigger.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -67,7 +67,7 @@ jobs:
    # in this rollout (internal#462) so the precondition holds.
    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - name: Checkout
@@ -234,7 +234,7 @@ jobs:
    name: Production auto-deploy
    needs: build-and-push
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    # Side-effect deploy only; image publish success is the durable artifact. mc#1982
+    # Side-effect deploy only; image publish success is the durable artifact. mc#774
    continue-on-error: true
    # Publish/release lane (internal#462) — production deploy of a merged
    # fix; reserved capacity, never queued behind PR-CI.
@@ -40,7 +40,7 @@ env:

 concurrency:
  group: railway-pin-audit
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  issues: write
@@ -51,7 +51,7 @@ jobs:
    name: Audit Railway env vars for drift-prone pins
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 10

@@ -73,7 +73,7 @@ jobs:
    # it never queues behind PR-CI. `publish` -> molecule-runner-publish-*.
    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25
    env:
@@ -80,7 +80,7 @@ jobs:
    # `publish` -> molecule-runner-publish-* sub-pool.
    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 25
    steps:
@@ -54,7 +54,7 @@ jobs:
        # runners with internet access to package mirrors). Falls back to GitHub
        # binary download. GitHub releases may be blocked on some runner networks
        # (infra#241 follow-up).
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        run: |
          if apt-get update -qq && apt-get install -y -qq jq; then
@@ -57,7 +57,7 @@ jobs:
    name: Detect SECRET_PATTERNS drift
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    timeout-minutes: 5
    steps:
@@ -36,7 +36,7 @@
 # window closed. continue-on-error: true has been removed from the
 # tier-check job; AND-composition is now fully enforced. If you need
 # to temporarily re-introduce a mask, file a tracker and follow the
-# mc#1982 protocol (Tier 2e lint requires a current tracker within
+# mc#774 protocol (Tier 2e lint requires a current tracker within
 # 2 lines of any continue-on-error: true).

 name: sop-tier-check
@@ -92,7 +92,7 @@ jobs:
        # runners). The sop-tier-check script has its own fallback as a
        # third line of defense. continue-on-error: true ensures this step
        # failing does not block the job.
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        run: |
          # apt-get is the primary method — Ubuntu package mirrors are reliably
@@ -113,7 +113,7 @@ jobs:
        # continue-on-error: true at step level — job-level is ignored by Gitea
        # Actions (quirk #10, internal runbooks). Belt-and-suspenders with
        # SOP_FAIL_OPEN=1 + || true below.
-        # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+        # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
        continue-on-error: true
        env:
          GITEA_TOKEN: ${{ secrets.SOP_TIER_CHECK_TOKEN || secrets.GITHUB_TOKEN }}
@@ -38,7 +38,7 @@ on:
 # full run, but two smoke runs SHOULD queue against each other.
 concurrency:
  group: staging-smoke
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  # Needed to open / close the alerting issue.
@@ -90,7 +90,7 @@ jobs:
  staging-smoke:
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    outputs:
      sha: ${{ steps.compute.outputs.sha }}
@@ -212,7 +212,7 @@ jobs:
    if: ${{ needs.staging-smoke.result == 'success' && needs.staging-smoke.outputs.smoke_ran == 'true' }}
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    env:
      SHA: ${{ needs.staging-smoke.outputs.sha }}
@@ -50,7 +50,7 @@ on:
 # Don't let two sweeps race the same AWS account.
 concurrency:
  group: sweep-aws-secrets
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  contents: read
@@ -58,7 +58,7 @@ on:
 # scheduled run would otherwise issue duplicate DELETE calls.
 concurrency:
  group: sweep-cf-orphans
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  contents: read
@@ -71,7 +71,7 @@ jobs:
    name: Sweep CF orphans
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # 3 min surfaces hangs (CF API stall, AWS describe-instances stuck)
    # within one cron interval instead of burning a full tick. Realistic
@@ -42,7 +42,7 @@ on:
 # Don't let two sweeps race the same account.
 concurrency:
  group: sweep-cf-tunnels
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  contents: read
@@ -55,7 +55,7 @@ jobs:
    name: Sweep CF tunnels
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    # 30 min cap. Was 5 min on the theory that the only thing that
    # could take >5min is a CF-API hang — but on 2026-05-02 a backlog
@@ -51,7 +51,7 @@ on:
 # on a manual trigger; queue rather than parallel-delete.
 concurrency:
  group: sweep-stale-e2e-orgs
-  cancel-in-progress: true
+  cancel-in-progress: false

 permissions:
  contents: read
@@ -1,99 +0,0 @@
-name: sync-providers-yaml
-
-# Cross-repo canonical↔synced-copy drift gate (internal#718 P2-A, CTO
-# 2026-05-27 "Distribution = SDK via codegen + verify-CI", multi-repo branch:
-# "codegen-checked-into-each-repo + verify-CI").
-#
-# The canonical provider-registry SSOT is molecule-controlplane
-# internal/providers/providers.yaml. molecule-core has NO Go module dependency
-# on controlplane, so instead of importing it we carry a SYNCED COPY at
-# workspace-server/internal/providers/providers.yaml and gate it.
-#
-# This workflow fetches the canonical providers.yaml from controlplane (via the
-# Gitea raw endpoint, read-only) and byte-compares it against core's synced
-# copy. RED if they differ — meaning the canonical moved and core's copy must be
-# re-synced (copy verbatim + `go generate ./...` + bump
-# canonicalProvidersYAMLSHA256 in sync_canonical_test.go).
-#
-# Pairs with:
-#   * sync_canonical_test.go — hermetic sha pin (catches a hand-edit of core's
-#     copy even with no network); runs in the normal `go test ./...`.
-#   * verify-providers-gen.yml — artifact ↔ synced-copy drift.
-#
-# ENFORCEMENT GATING: standalone workflow, NOT a job in ci.yml and NOT in
-# branch protection (same soak-then-promote posture as verify-providers-gen).
-# It is intentionally absent from ci.yml's job set so the ci-required-drift
-# sentinel does not fire on it.
-#
-# AUTH: uses AUTO_SYNC_TOKEN (the existing cross-repo read token used to sync
-# template/provider content from sibling repos). If the secret is absent the
-# job emits a clear ::warning:: and exits 0 — the hermetic sha pin in
-# sync_canonical_test.go is the always-on backstop, so a missing cross-repo
-# token degrades to "hand-edit still caught, live canonical drift not caught"
-# rather than a hard red that blocks unrelated PRs.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - 'workspace-server/internal/providers/providers.yaml'
-      - '.gitea/workflows/sync-providers-yaml.yml'
-  push:
-    branches: [main, staging]
-    paths:
-      - 'workspace-server/internal/providers/providers.yaml'
-      - '.gitea/workflows/sync-providers-yaml.yml'
-  schedule:
-    # Daily at :23 — catch a canonical change in controlplane that landed
-    # without a paired core re-sync PR (off-zero to spread cron load).
-    - cron: '23 4 * * *'
-  workflow_dispatch:
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-
-concurrency:
-  group: sync-providers-yaml-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  compare:
-    name: Compare synced providers.yaml against controlplane canonical
-    runs-on: ubuntu-latest
-    timeout-minutes: 6
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Fetch canonical providers.yaml from controlplane and byte-compare
-        env:
-          AUTO_SYNC_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
-          API_ROOT: ${{ github.server_url }}/api/v1
-        run: |
-          set -euo pipefail
-          if [ -z "${AUTO_SYNC_TOKEN:-}" ]; then
-            echo "::warning::AUTO_SYNC_TOKEN secret missing — skipping the live cross-repo compare."
-            echo "The hermetic sha pin (sync_canonical_test.go) still gates hand-edits of core's copy."
-            echo "Provision AUTO_SYNC_TOKEN (read scope on molecule-controlplane) to enable live canonical-drift detection."
-            exit 0
-          fi
-          CANON_URL="${API_ROOT}/repos/molecule-ai/molecule-controlplane/raw/internal/providers/providers.yaml?ref=main"
-          # Use the /raw endpoint: it returns the file bytes directly. (The
-          # /contents endpoint ignores Accept: application/vnd.gitea.raw on
-          # Gitea 1.22.6 and returns the JSON+base64 envelope, which made this
-          # diff a permanent false RED.)
-          curl -fsS \
-            -H "Authorization: token ${AUTO_SYNC_TOKEN}" \
-            "${CANON_URL}" -o /tmp/canonical-providers.yaml
-          LOCAL=workspace-server/internal/providers/providers.yaml
-          if diff -u /tmp/canonical-providers.yaml "$LOCAL"; then
-            echo "OK — core's synced providers.yaml is byte-identical to the controlplane canonical."
-          else
-            echo "::error::core's synced providers.yaml DRIFTED from the controlplane canonical (SSOT)."
-            echo "Re-sync: copy controlplane internal/providers/providers.yaml verbatim over"
-            echo "  $LOCAL, run 'go generate ./...' in workspace-server/, and bump"
-            echo "  canonicalProvidersYAMLSHA256 in internal/providers/sync_canonical_test.go."
-            exit 1
-          fi
@@ -49,7 +49,7 @@ jobs:
    name: Ops scripts (unittest)
    runs-on: ubuntu-latest
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -1,89 +0,0 @@
-name: verify-providers-gen
-
-# Provider-registry SSOT enforcement gate — molecule-core side (internal#718
-# P2-A, CTO 2026-05-27 "Distribution = SDK via codegen + verify-CI").
-#
-# The canonical schema SSOT is molecule-controlplane
-# internal/providers/providers.yaml. molecule-core carries a SYNCED COPY at
-# workspace-server/internal/providers/providers.yaml (kept in sync by the
-# companion sync-providers-yaml.yml gate), and cmd/gen-providers emits the
-# checked-in Go projection workspace-server/internal/providers/gen/registry_gen.go.
-#
-# This workflow regenerates the artifact into the working tree and fails RED if
-# it differs from what is committed — catching BOTH:
-#   * a providers.yaml (synced-copy) change that wasn't followed by `go generate ./...`, and
-#   * a hand-edit of the generated artifact (it carries a DO NOT EDIT header).
-#
-# It is the molecule-core mirror of molecule-controlplane's verify-providers-gen
-# workflow. Together with sync-providers-yaml (canonical↔synced-copy drift) it
-# closes the codegen-checked-into-each-repo + verify-CI loop the RFC mandates.
-#
-# ENFORCEMENT GATING (deliberate, per dev-SOP "implementation gating"):
-# this is a STANDALONE workflow, NOT a job inside ci.yml, and is NOT yet in any
-# branch-protection status_check_contexts. Rationale (identical to the CP P0
-# rollout):
-#   * It runs + reports RED on every PR/push immediately (visible signal).
-#   * It is intentionally absent from ci.yml's job set so the ci-required-drift
-#     sentinel (jobs ↔ branch-protection ↔ audit-env) does NOT fire on it, and
-#     from branch protection (turning it into a hard merge gate has blast radius
-#     — operator GO required, same pattern as sop-tier-check / verify-providers-gen
-#     on controlplane). Promote it into branch protection in a follow-up once
-#     P2 has soaked.
-# Until then it behaves like secret-scan / block-internal-paths: a standalone
-# advisory-to-hard gate the author is expected to keep green.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches: [main, staging]
-
-env:
-  GITHUB_SERVER_URL: https://git.moleculesai.app
-
-permissions:
-  contents: read
-
-concurrency:
-  group: verify-providers-gen-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  verify:
-    name: Regenerate providers artifact and fail on drift
-    runs-on: ubuntu-latest
-    timeout-minutes: 8
-    defaults:
-      run:
-        working-directory: workspace-server
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version: 'stable'
-          cache: true
-          cache-dependency-path: workspace-server/go.sum
-
-      - name: Verify generated artifact is in sync with providers.yaml
-        run: |
-          set -euo pipefail
-          # -check regenerates in memory and byte-compares against the
-          # checked-in artifact; exit 1 (RED) on any drift. This is the
-          # single source of the gate's verdict — the same code path
-          # `go test ./cmd/gen-providers` exercises.
-          go run ./cmd/gen-providers -check
-
-      - name: Belt-and-braces — regenerate in place and assert clean tree
-        run: |
-          set -euo pipefail
-          # Independent confirmation that does not trust the -check path:
-          # actually write the artifact and assert git sees no change. If
-          # this and the step above ever disagree, the gate is suspect.
-          go generate ./...
-          if ! git diff --quiet -- internal/providers/gen/registry_gen.go; then
-            echo "::error::workspace-server/internal/providers/gen/registry_gen.go drifted from providers.yaml."
-            echo "Run 'go generate ./...' (or 'go run ./cmd/gen-providers') in workspace-server/ and commit the result."
-            git --no-pager diff -- internal/providers/gen/registry_gen.go | head -80
-            exit 1
-          fi
-          echo "OK — generated providers artifact is in sync with the schema SSOT."
@@ -31,7 +31,7 @@ jobs:
    name: Weekly Platform-Go Surface
    runs-on: ubuntu-latest
    # continue-on-error: surface only, never block
-    # mc#1982: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
    defaults:
      run:
@@ -288,40 +288,6 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
  return out;
 }

-// billingModeForProvider — maps a selected PROVIDER (vendor key) to the
-// LLM billing_mode it implies (internal#703 Gap 2).
-//
-// Today, picking a non-Platform provider in the Config tab writes the
-// credential env (CLAUDE_CODE_OAUTH_TOKEN / vendor key) but leaves
-// llm_billing_mode at its resolved default (`platform_managed`). The CP
-// tenant_config endpoint then keeps injecting the platform proxy base
-// URLs, so the OAuth token / vendor key is never actually used — BYOK
-// silently no-ops (the live SEO-Agent symptom in #703). The workspace-
-// server even hard-blocks vendor-key writes on platform_managed
-// workspaces (secrets.go:87), pointing the user at this exact billing-
-// mode switch. Wiring the provider change to also set billing_mode is
-// the UI half that makes BYOK take (the CP/workspace-server backend half
-// is being fixed in parallel — internal#703 Gap 1).
-//
-// Mapping:
-//   - "platform" (the Platform-managed proxy) OR "" (no explicit
-//     provider override → inherit, defaults to platform) → "platform_managed".
-//   - any other vendor key ("anthropic-oauth" = Claude Code subscription
-//     OAuth, "anthropic" = Anthropic API key, "minimax", "openrouter",
-//     etc.) → "byok".
-//
-// Returns the billing_mode string the PUT body should carry. The valid
-// set is fixed by workspace-server's recognizer (platform_managed | byok
-// | disabled); "disabled" is never auto-selected by a provider choice —
-// it's an explicit operator action via the LLM Billing section.
-export type LLMBillingMode = "platform_managed" | "byok";
-
-export function billingModeForProvider(provider: string): LLMBillingMode {
-  const v = provider.trim().toLowerCase();
-  if (v === "" || v === "platform") return "platform_managed";
-  return "byok";
-}
-
 // Fallback used when /templates can't be fetched (offline, older backend).
 // Keep in sync with manifest.json workspace_templates as a defensive default.
 // Model + env suggestions only flow when the backend is reachable.
@@ -355,24 +321,15 @@ export function ConfigTab({ workspaceId }: Props) {
  const [rawMode, setRawMode] = useState(false);
  const [rawDraft, setRawDraft] = useState("");
  const [runtimeOptions, setRuntimeOptions] = useState<RuntimeOption[]>(FALLBACK_RUNTIME_OPTIONS);
-  // internal#718 P4 closure: the explicit provider override
-  // (LLM_PROVIDER workspace_secret, surfaced via GET/PUT
-  // /workspaces/:id/provider) has been RETIRED. The provider is
-  // derived at every decision point from (runtime, model) via the
-  // registry — no stored row remains. The `provider` / `originalProvider`
-  // state and the provider dropdown survive in this component for
-  // backwards-compat (display only) but are no longer persisted:
-  //   - loadConfig no longer GETs /workspaces/:id/provider (the
-  //     endpoint returns 410 Gone). The state initializes to ""
-  //     and stays there.
-  //   - handleSave no longer PUTs /workspaces/:id/provider.
-  //   - The dropdown still updates the local `provider` state so the
-  //     user can preview the derived value; the value never leaves
-  //     the browser.
-  // This is the canvas-side complement to the backend retirement of
-  // SetProvider/GetProvider/setProviderSecret. Older canvases that
-  // still call PUT /provider hit the 410 Gone with a structured
-  // PROVIDER_ENDPOINT_RETIRED code — loud failure, no silent miss.
+  // Provider override (Option B PR-5): stored separately from config.yaml
+  // because the value lives in workspace_secrets (encrypted), not in the
+  // platform-managed config.yaml. The two endpoints are GET/PUT
+  // /workspaces/:id/provider on workspace-server (handlers/secrets.go).
+  // Empty = "auto-derive from model slug prefix" — pre-Option-B behavior
+  // and what most users want. Setting to a non-empty value writes
+  // LLM_PROVIDER into workspace_secrets and triggers an auto-restart so
+  // the workspace boots with the new provider in env (and via CP user-
+  // data, written into /configs/config.yaml on next provision too).
  const [provider, setProvider] = useState("");
  const [originalProvider, setOriginalProvider] = useState("");
  // Track the model the form first rendered, so handleSave can detect
@@ -423,23 +380,26 @@ export function ConfigTab({ workspaceId }: Props) {
    //
    // See GH #1894 for the workspace-row-as-source-of-truth rationale
    // that motivated splitting from a single config.yaml read.
-    // internal#718 P4 closure: the GET /workspaces/:id/provider leg is
-    // RETIRED — the endpoint returns 410 Gone. Provider is now derived
-    // from (runtime, model) via the registry; no stored value exists
-    // to load. Always seed the local state to "" so the dropdown
-    // initializes to "auto-derive".
-    const [wsRes, modelRes] = await Promise.all([
+    const [wsRes, modelRes, providerRes] = await Promise.all([
      api.get<{ runtime?: string; tier?: number }>(`/workspaces/${workspaceId}`)
        .catch(() => ({} as { runtime?: string; tier?: number })),
      api.get<{ model?: string }>(`/workspaces/${workspaceId}/model`)
        .catch(() => ({} as { model?: string })),
+      api.get<{ provider?: string }>(`/workspaces/${workspaceId}/provider`)
+        .catch(() => null),
    ]);
    const wsMetadataRuntime = (wsRes.runtime || "").trim();
    const wsMetadataModel = (modelRes.model || "").trim();
    const wsMetadataTier: number | null =
      typeof wsRes.tier === "number" ? wsRes.tier : null;
-    setProvider("");
-    setOriginalProvider("");
+    if (providerRes !== null) {
+      const loadedProvider = (providerRes.provider || "").trim();
+      setProvider(loadedProvider);
+      setOriginalProvider(loadedProvider);
+    } else {
+      setProvider("");
+      setOriginalProvider("");
+    }
    // originalModel is set further down once the YAML has been parsed —
    // we want it to reflect what the form ACTUALLY rendered, which may
    // be the YAML's runtime_config.model fallback when MODEL_PROVIDER
@@ -724,27 +684,23 @@ export function ConfigTab({ workspaceId }: Props) {
        }
      }

-      // internal#718 P4 closure: provider override save is RETIRED. The
-      // /workspaces/:id/provider endpoint returns 410 Gone; the provider
-      // is derived from (runtime, model) at every decision point via the
-      // registry. The local dropdown state still updates so the user can
-      // see the predicted provider, but it never round-trips to the
-      // server. Variables retained as locals (set to constants) so the
-      // downstream restart-suppress logic below has clear semantics
-      // and the diff against the prior shape stays small.
-      const providerSaveError: string | null = null;
-      const providerChanged = false;
-
-      // internal#718 P4 closure: provider → billing_mode linkage is also
-      // RETIRED. P2-B (#1972) moved the billing decision to
-      // ResolveLLMBillingModeDerived, which DERIVES the provider from
-      // (runtime, model) at every read. The canvas can no longer
-      // override it via a separate PUT, by design — the runtime+model
-      // selection IS the billing-mode selection. The
-      // /admin/workspaces/:id/llm-billing-mode endpoint still exists
-      // as the operator override surface (workspaces.llm_billing_mode
-      // column); it is no longer driven by the provider dropdown.
-      const billingModeSaveError: string | null = null;
+      // Provider override save (Option B PR-5). PUT only when the user
+      // changed the dropdown — otherwise an unrelated Save (e.g. tier
+      // edit) would re-write the provider unchanged and the server-
+      // side auto-restart would fire on every Save, costing the user a
+      // ~30s reboot for a no-op change. Server endpoint accepts an
+      // empty string to clear the override (deletes the
+      // workspace_secrets row); we forward whatever the form holds.
+      let providerSaveError: string | null = null;
+      const providerChanged = provider !== originalProvider;
+      if (providerChanged) {
+        try {
+          await api.put(`/workspaces/${workspaceId}/provider`, { provider });
+          setOriginalProvider(provider);
+        } catch (e) {
+          providerSaveError = e instanceof Error ? e.message : "Provider update was rejected";
+        }
+      }

      setOriginalYaml(content);
      if (rawMode) {
@@ -753,29 +709,28 @@ export function ConfigTab({ workspaceId }: Props) {
      } else {
        setRawDraft(content);
      }
-      // internal#718 P4 closure: providerWillAutoRestart is always
-      // false now (provider PUT is retired; no server-side auto-restart
-      // can fire). Save+Restart flows through the canvas store
-      // restart path the same way it did pre-#718 for non-provider
-      // edits.
-      const providerWillAutoRestart = providerChanged && !providerSaveError
+      // SetProvider on the server already triggers an auto-restart for
+      // the workspace whenever the value actually changed (see
+      // workspace-server/internal/handlers/secrets.go:SetProvider). If
+      // the user also clicked Save+Restart we'd kick off a SECOND
+      // restart here and the two would race in the canvas store —
+      // suppress the redundant call and rely on the server-side one.
+      const providerWillAutoRestart = providerChanged && !providerSaveError;
      if (restart && !providerWillAutoRestart) {
        await useCanvasStore.getState().restartWorkspace(workspaceId);
      } else if (!restart) {
        useCanvasStore.getState().updateNodeData(workspaceId, { needsRestart: !providerWillAutoRestart });
      }
-      // Aggregate partial-save errors. With provider+billing-mode PUTs
-      // retired, only modelSaveError can fire from the secret-mint side
-      // — the provider/billing branches are dead code retained as
-      // constant nils to keep the diff small. They are surfaced
-      // defensively in case a future re-enablement needs the wiring.
+      // Aggregate partial-save errors. Both modelSaveError and
+      // providerSaveError describe rejected updates from independent
+      // endpoints — show whichever fired so the user knows which
+      // field reverts on next reload (otherwise they'd see "Saved" and
+      // be confused why Provider snapped back).
      const partialError = providerSaveError
        ? `Other fields saved, but provider update failed: ${providerSaveError}`
-        : billingModeSaveError
-          ? `Provider saved, but switching billing mode failed — your own provider key/OAuth may not take effect until billing mode is set: ${billingModeSaveError}`
-          : modelSaveError
-            ? `Other fields saved, but model update failed: ${modelSaveError}`
-            : null;
+        : modelSaveError
+          ? `Other fields saved, but model update failed: ${modelSaveError}`
+          : null;
      if (partialError) {
        setError(partialError);
      } else {
@@ -1,35 +0,0 @@
-// @vitest-environment jsdom
-//
-// internal#718 P4 closure — ConfigTab.billingMode.test.tsx is retired.
-//
-// This suite (255 lines, 8 tests) pinned the canvas-side provider →
-// llm_billing_mode linkage from internal#703 Gap 2: when the operator
-// changed the PROVIDER in the Config tab, ConfigTab.handleSave would
-// PUT /admin/workspaces/:id/llm-billing-mode so the platform-vs-byok
-// decision tracked the dropdown.
-//
-// That linkage is retired together with the LLM_PROVIDER override flow
-// (see ConfigTab.provider.test.tsx retirement note). P2-B (#1972)
-// moved the platform-vs-byok decision to
-// `ResolveLLMBillingModeDerived(runtime, model, authEnv)` in
-// workspace-server — the canvas can no longer override it via the
-// provider dropdown, by design. The runtime+model selection IS the
-// billing-mode selection now.
-//
-// The `/admin/workspaces/:id/llm-billing-mode` endpoint still exists
-// as the operator override surface (`workspaces.llm_billing_mode`
-// column); it is no longer driven by the provider dropdown.
-// Coverage for the derived billing flow lives in
-// workspace-server/internal/handlers/llm_billing_mode_derived_test.go.
-//
-// Restore from git history if the canvas-side provider→billing linkage
-// needs to be revisited (it should not — the derived resolver is the
-// single decision point).
-
-import { describe, it } from "vitest";
-
-describe("ConfigTab — provider → llm_billing_mode linkage (retired internal#718 P4)", () => {
-  it.skip("LLM_PROVIDER → billing_mode wiring is retired; see file header for the replacement coverage", () => {
-    // intentionally empty
-  });
-});
@@ -1,45 +1,574 @@
 // @vitest-environment jsdom
 //
-// internal#718 P4 closure — ConfigTab.provider.test.tsx is retired.
+// Regression tests for ConfigTab Provider override (Option B PR-5).
 //
-// This 574-line suite exercised the canvas-side LLM provider override
-// flow: load the existing override from GET /workspaces/:id/provider,
-// edit the dropdown, Save → PUT /workspaces/:id/provider, and the
-// provider→billing_mode linkage on Save. All three server endpoints
-// behind those flows are retired in internal#718 P4 closure:
+// What this pins: a free-text Provider combobox in the Runtime section
+// that lets the operator override the model→provider derivation hermes-
+// agent does internally. Without this UI, a fresh signup whose Hermes
+// workspace defaults to a model with no clean vendor prefix (e.g.
+// `nousresearch/hermes-4-70b`) hits the runtime's own preflight error:
+//   "No LLM provider configured. Run `hermes model` to select a
+//    provider, or run `hermes setup` for first-time configuration."
+// — even though tasks #195-198 wired the entire downstream pipe so a
+// non-empty provider WOULD flow through canvas → workspace-server →
+// CP user-data → workspace config.yaml → hermes adapter.
 //
-//   - workspace-server SetProvider / GetProvider (PUT/GET
-//     /workspaces/:id/provider) → both return 410 Gone with a
-//     PROVIDER_ENDPOINT_RETIRED structured body.
-//   - workspace-server setProviderSecret (the writer into
-//     workspace_secrets.LLM_PROVIDER) — removed; row never written.
-//   - The LLM_PROVIDER workspace_secret itself — migrated away in
-//     20260528000000_drop_llm_provider_workspace_secret.up.sql.
+// Hongming Wang hit this on hongming.moleculesai.app at signup
+// 2026-05-01T17:35Z. Backend PRs were green, the gap was the missing
+// UI to set the value.
 //
-// ConfigTab still renders the provider dropdown for display (the user
-// can preview the derived provider locally), but Save no longer
-// round-trips the value. The replacement contract is that the provider
-// is DERIVED at every decision point from (runtime, model) via the
-// registry — see internal/providers/derive_provider.go.
-//
-// The original suite's coverage is replaced by:
-//
-//   - workspace-server: TestPutProvider_410Gone +
-//     TestGetProvider_410Gone + TestProviderEndpointGone_BodyShape in
-//     internal/handlers/llm_provider_removal_p4_test.go.
-//   - workspace-server: TestWorkspaceCreate_FirstDeploy_OnlyPersistsMODEL
-//     in internal/handlers/workspace_provision_shared_test.go.
-//   - registry: TestDeriveProvider_RealManifest in
-//     internal/providers/derive_provider_test.go.
-//
-// Restore from git history if any aspect of the legacy LLM_PROVIDER
-// flow needs to be revisited (it should not — the retirement is
-// permanent).
+// Each test pins one invariant. If any fails, the bug is back.

-import { describe, it } from "vitest";
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";

-describe("ConfigTab provider override — retired (internal#718 P4)", () => {
-  it.skip("LLM_PROVIDER override flow is retired; see file header for the replacement coverage", () => {
-    // intentionally empty
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPatch = vi.fn();
+const apiPut = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: (path: string, body: unknown) => apiPatch(path, body),
+    put: (path: string, body: unknown) => apiPut(path, body),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+// Shared store stub — `updateNodeData` is exposed so a test can assert the
+// node-data flush happens after a successful PATCH (regression: previously
+// the DB updated but the canvas badge stayed stale until full hydrate).
+const storeUpdateNodeData = vi.fn();
+const storeRestartWorkspace = vi.fn();
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) => selector({ restartWorkspace: storeRestartWorkspace, updateNodeData: storeUpdateNodeData }),
+    { getState: () => ({ restartWorkspace: storeRestartWorkspace, updateNodeData: storeUpdateNodeData }) },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab } from "../ConfigTab";
+
+// wireApi — same shape as ConfigTab.hermes.test.tsx, extended with the
+// /provider endpoint. Each test sets `providerValue` to the value the
+// GET endpoint returns; "missing" means the endpoint rejects (older
+// workspace-server pre-PR-2 — must not crash the tab).
+function wireApi(opts: {
+  workspaceRuntime?: string;
+  workspaceModel?: string;
+  configYamlContent?: string | null;
+  templates?: Array<{ id: string; name?: string; runtime?: string; models?: unknown[]; providers?: string[] }>;
+  providerValue?: string | "missing";
+}) {
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: opts.workspaceRuntime ?? "" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: opts.workspaceModel ?? "" });
+    }
+    if (path === `/workspaces/ws-test/provider`) {
+      if (opts.providerValue === "missing") {
+        return Promise.reject(new Error("404"));
+      }
+      return Promise.resolve({ provider: opts.providerValue ?? "", source: opts.providerValue ? "workspace_secrets" : "default" });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      if (opts.configYamlContent === null) return Promise.reject(new Error("not found"));
+      return Promise.resolve({ content: opts.configYamlContent ?? "" });
+    }
+    if (path === "/templates") {
+      return Promise.resolve(opts.templates ?? []);
+    }
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+}
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPatch.mockReset();
+  apiPut.mockReset();
+  storeUpdateNodeData.mockReset();
+  storeRestartWorkspace.mockReset();
+});
+
+describe("ConfigTab — Provider override (Option B PR-5)", () => {
+  // Empty provider on load is the legitimate default ("auto-derive
+  // from model slug prefix"), NOT an error. The endpoint returning
+  // {provider: "", source: "default"} is the documented happy-path
+  // shape — if the form treated that as "load failed" we'd lose the
+  // ability to render the input at all on fresh workspaces.
+  it("renders an empty Provider input when no override is set", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "",
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    expect((input as HTMLInputElement).value).toBe("");
+  });
+
+  // Pre-existing override loads back into the field on mount. Without
+  // this, an operator who set provider=openrouter yesterday would see
+  // the field blank today, conclude the value didn't stick, and
+  // re-save — the resulting PUT-with-same-value would auto-restart
+  // the workspace for nothing.
+  it("loads an existing provider override from the server", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "openrouter",
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    await waitFor(() => expect((input as HTMLInputElement).value).toBe("openrouter"));
+  });
+
+  // Old workspace-server (pre-PR-2) returns a 404 on /provider. The
+  // tab must keep loading — the fallback is "" (auto-derive), same as
+  // a fresh workspace.
+  it("falls back to empty provider when the endpoint is missing", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "missing",
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    expect((input as HTMLInputElement).value).toBe("");
+    // Tab should be fully rendered, not stuck in loading or error state.
+    expect(screen.queryByText(/Loading config/i)).toBeNull();
+  });
+
+  // Setting a value + Save must PUT to the right endpoint with the
+  // right body shape. Server-side handler (workspace-server
+  // handlers/secrets.go:SetProvider) reads body.provider — any other
+  // key gets silently ignored and the workspace_secrets row stays
+  // unset. This regression would manifest as "Save → Restart →
+  // workspace still says No LLM provider configured."
+  it("PUTs the new provider to /workspaces/:id/provider on Save", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "",
+    });
+    apiPut.mockResolvedValue({ status: "saved", provider: "anthropic" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+
+    fireEvent.change(input, { target: { value: "anthropic" } });
+    expect((input as HTMLInputElement).value).toBe("anthropic");
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      const providerCalls = apiPut.mock.calls.filter(([path]) => path === "/workspaces/ws-test/provider");
+      expect(providerCalls.length).toBe(1);
+      expect(providerCalls[0][1]).toEqual({ provider: "anthropic" });
+    });
+  });
+
+  // No-change Save must NOT PUT /provider. The server-side SetProvider
+  // auto-restarts the workspace on every successful PUT — re-writing
+  // an unchanged value would cost the user a ~30s reboot every time
+  // they tweak some other field.
+  it("does not PUT /provider when the value is unchanged", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\ntier: 2\n",
+      providerValue: "openrouter",
+    });
+    apiPut.mockResolvedValue({});
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    await screen.findByTestId("provider-input");
+
+    // Click Save without touching the provider field. Trigger another
+    // dirty-marker (tier change) so Save is enabled — the test is
+    // about NOT touching /provider, not about Save being disabled.
+    const tierSelect = screen.getByLabelText(/tier/i) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      // Some PUT(s) may fire (e.g. /model). Just assert /provider is NOT among them.
+      const providerCalls = apiPut.mock.calls.filter(([path]) => path === "/workspaces/ws-test/provider");
+      expect(providerCalls.length).toBe(0);
+    });
+  });
+
+  // The dropdown's suggestion list MUST come from the runtime's own
+  // template (via /templates → runtime_config.providers), not a
+  // hardcoded canvas-side enum. This is the "Native + pluggable
+  // runtime" invariant: a new runtime declaring its own provider
+  // taxonomy in its config.yaml gets a working dropdown without ANY
+  // canvas-side change.
+  //
+  // Pinned by checking that suggestions surfaced in the datalist
+  // exactly mirror what the templates endpoint returned for the
+  // matching runtime. If a future contributor reintroduces a
+  // PROVIDER_SUGGESTIONS-style hardcoded list and the datalist
+  // contents don't follow the template, this test fails.
+  it("populates the provider datalist from the matched runtime's templates entry", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "nousresearch/hermes-4-70b",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "hermes",
+          name: "Hermes",
+          runtime: "hermes",
+          models: [],
+          // The provider list every runtime adapter ships in its own
+          // config.yaml. Canvas must surface THIS, not its own list.
+          providers: ["nous", "openrouter", "anthropic", "minimax-cn"],
+        },
+      ],
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    const listId = (input as HTMLInputElement).getAttribute("list");
+    expect(listId).toBeTruthy();
+    await waitFor(() => {
+      const datalist = document.getElementById(listId!);
+      expect(datalist).not.toBeNull();
+      const optionValues = Array.from(datalist!.querySelectorAll("option")).map(
+        (o) => (o as HTMLOptionElement).value,
+      );
+      // Order matters — most-common-first is part of the contract so
+      // the demo flow lands on a working choice without scrolling.
+      expect(optionValues).toEqual(["nous", "openrouter", "anthropic", "minimax-cn"]);
+    });
+  });
+
+  // Fallback path: when a template hasn't migrated to the explicit
+  // `providers:` field yet, suggestions are derived from model slug
+  // prefixes. Still adapter-driven (the slugs come from the template's
+  // `models:` list), just inferred. This keeps existing templates
+  // working while the platform team migrates them one at a time.
+  it("renders vendor-grouped provider dropdown when template ships models", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "anthropic/claude-opus-4-7",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "hermes",
+          name: "Hermes",
+          runtime: "hermes",
+          models: [
+            { id: "anthropic/claude-opus-4-7", required_env: ["ANTHROPIC_API_KEY"] },
+            { id: "openai/gpt-4o", required_env: ["OPENROUTER_API_KEY"] },
+            { id: "anthropic/claude-sonnet-4-5", required_env: ["ANTHROPIC_API_KEY"] }, // dup vendor — must dedupe
+            { id: "nousresearch/hermes-4-70b", required_env: ["HERMES_API_KEY"] },
+          ],
+          // No `providers:` field → ProviderModelSelector derives vendors
+          // from model id prefixes via its own buildProviderCatalog.
+        },
+      ],
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    // With models present, the new vendor-aware dropdown renders.
+    // Provider entries dedupe by vendor → 3 unique vendors here
+    // (anthropic, openai, nousresearch).
+    const select = await screen.findByTestId("provider-select") as HTMLSelectElement;
+    await waitFor(() => {
+      const optionTexts = Array.from(select.options)
+        .map((o) => o.text)
+        .filter((t) => !t.startsWith("—")); // strip placeholder
+      // Labels are vendor display names, but vendor identity is what
+      // matters for dedupe. Assert each expected vendor surfaces once.
+      expect(optionTexts.some((t) => t.startsWith("Anthropic API"))).toBe(true);
+      expect(optionTexts.some((t) => t.startsWith("OpenAI"))).toBe(true);
+      expect(optionTexts.some((t) => t.startsWith("Nous Research"))).toBe(true);
+      expect(optionTexts.length).toBe(3); // dedupe pin
+    });
+  });
+
+  // Empty string is a legitimate save target — it clears the override
+  // (the server-side endpoint deletes the workspace_secrets row).
+  // Operators who picked "anthropic" yesterday and want to revert to
+  // auto-derive today should be able to do so by clearing the field
+  // and clicking Save. Without this PUT path, the only way to clear
+  // would be a direct DB edit.
+  it("PUTs an empty string when the operator clears a previously-set provider", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "anthropic:claude-opus-4-7",
+      configYamlContent: "name: ws\nruntime: hermes\n",
+      providerValue: "openrouter",
+    });
+    apiPut.mockResolvedValue({ status: "cleared" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const input = await screen.findByTestId("provider-input");
+    await waitFor(() => expect((input as HTMLInputElement).value).toBe("openrouter"));
+
+    fireEvent.change(input, { target: { value: "" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      const providerCalls = apiPut.mock.calls.filter(([path]) => path === "/workspaces/ws-test/provider");
+      expect(providerCalls.length).toBe(1);
+      expect(providerCalls[0][1]).toEqual({ provider: "" });
+    });
+  });
+
+  // Display-vs-storage drift regression (2026-05-03 incident, workspace
+  // e13aebd8…). User deployed claude-code with MiniMax-M2 stored in
+  // MODEL_PROVIDER. The container env (MODEL=MiniMax-M2) and chat
+  // worked correctly, but the Config tab showed "Claude Code
+  // subscription / Claude Sonnet (OAuth)" — i.e. the template's
+  // runtime_config.model: sonnet default — because currentModelId
+  // reads runtime_config.model first and loadConfig was overriding
+  // only the top-level config.model field. The merged shape was:
+  //   { model: "MiniMax-M2", runtime_config: { model: "sonnet" } }
+  // and currentModelId picked "sonnet". Fix: loadConfig propagates
+  // wsMetadataModel into BOTH places so the form is a single source
+  // of truth (DB-backed MODEL_PROVIDER). Pinning the merged-path
+  // branch with the exact reproducing shape: claude-code template
+  // YAML has runtime_config.model: sonnet; live workspace's
+  // MODEL_PROVIDER is MiniMax-M2; tab must show the latter.
+  it("prefers MODEL_PROVIDER over the template's runtime_config.model on load", async () => {
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "MiniMax-M2",
+      configYamlContent: "name: ws\nruntime: claude-code\nruntime_config:\n  model: sonnet\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "claude-code-default",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [
+            { id: "sonnet", name: "Claude Sonnet (OAuth)", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+            { id: "MiniMax-M2", name: "MiniMax M2", required_env: ["MINIMAX_API_KEY"] },
+            { id: "MiniMax-M2.7", name: "MiniMax M2.7", required_env: ["MINIMAX_API_KEY"] },
+          ],
+        },
+      ],
+    });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const modelSelect = (await screen.findByTestId("model-select")) as HTMLSelectElement;
+    await waitFor(() => expect(modelSelect.value).toBe("MiniMax-M2"));
+
+    // Provider dropdown should also reflect MiniMax (back-derived from
+    // the model slug since LLM_PROVIDER is unset). Without the fix,
+    // the selector falls back to the first catalog entry whose first
+    // model matches "sonnet" → anthropic-oauth bucket → "Claude Code
+    // subscription".
+    const providerSelect = screen.getByTestId("provider-select") as HTMLSelectElement;
+    const selectedOption = providerSelect.options[providerSelect.selectedIndex];
+    expect(selectedOption.textContent ?? "").toMatch(/MiniMax/);
+  });
+
+  // Sibling pin to the display-fix above. The display fix mirrors
+  // wsMetadataModel into runtime_config.model so the selector renders
+  // the live value; that mirror means handleSave's old YAML-vs-form
+  // diff would always be non-zero on a no-op save (YAML default
+  // "sonnet" vs. mirrored "MiniMax-M2") and PUT /model — which
+  // server-side SetModel chains into an auto-restart. handleSave now
+  // diffs against the loaded MODEL_PROVIDER instead. Pin: an
+  // unrelated edit (tier change) must NOT touch /model when the
+  // model itself didn't change.
+  it("does not PUT /model on a no-op save when only an unrelated field changed", async () => {
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "MiniMax-M2",
+      configYamlContent: "name: ws\nruntime: claude-code\ntier: 2\nruntime_config:\n  model: sonnet\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "claude-code-default",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [
+            { id: "sonnet", name: "Claude Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] },
+            { id: "MiniMax-M2", name: "MiniMax M2", required_env: ["MINIMAX_API_KEY"] },
+          ],
+        },
+      ],
+    });
+    apiPut.mockResolvedValue({});
+    apiPatch.mockResolvedValue({});
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const tierSelect = (await screen.findByLabelText(/tier/i)) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      const tierPatches = apiPatch.mock.calls.filter(([path, body]) =>
+        path === "/workspaces/ws-test" && (body as { tier?: number }).tier === 3,
+      );
+      expect(tierPatches.length).toBe(1);
+    });
+    // Spurious /model PUT would fire here without the originalModel
+    // diff baseline. The model itself didn't change, so /model must
+    // stay untouched (otherwise SetModel auto-restarts).
+    const modelPuts = apiPut.mock.calls.filter(([path]) => path === "/workspaces/ws-test/model");
+    expect(modelPuts.length).toBe(0);
+  });
+
+  // Save-then-stale-badge regression (2026-05-03 incident). User
+  // selected T3 in the Tier dropdown, hit Save & Restart, the workspace
+  // PATCH succeeded (`tier: 3` in DB), but the canvas header pill kept
+  // showing "TIER T2" until a full hydrate. Root cause: handleSave
+  // sent the PATCH to workspace-server but never pushed the same
+  // change into useCanvasStore.updateNodeData, so every UI surface
+  // reading from the store kept its stale value. Pin: a successful
+  // tier PATCH must mirror into the store so the badge updates
+  // synchronously with the response.
+  it("flushes the dbPatch into useCanvasStore.updateNodeData after a successful PATCH", async () => {
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "MiniMax-M2",
+      configYamlContent: "name: ws\nruntime: claude-code\ntier: 2\nruntime_config:\n  model: sonnet\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "claude-code-default",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [{ id: "sonnet", name: "Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] }],
+        },
+      ],
+    });
+    apiPatch.mockResolvedValue({ status: "updated" });
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const tierSelect = (await screen.findByLabelText(/tier/i)) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      expect(apiPatch.mock.calls.some(([p]) => p === "/workspaces/ws-test")).toBe(true);
+    });
+    // Without the store flush, the badge would keep reading tier=2
+    // from useCanvasStore.nodes until a full hydrate. Pin: handleSave
+    // pushes the same fields it PATCHed.
+    expect(storeUpdateNodeData).toHaveBeenCalledWith(
+      "ws-test",
+      expect.objectContaining({ tier: 3 }),
+    );
+  });
+
+  // Failure-gating sibling pin to the store-flush test above. The
+  // production code places `updateNodeData` AFTER `await api.patch(...)`
+  // inside the same `if (Object.keys(dbPatch).length > 0)` block, so a
+  // PATCH rejection should throw before the store call. Without this
+  // pin, a future refactor that wraps the PATCH in try/catch and
+  // unconditionally calls updateNodeData would ship green — and then
+  // the badge would lie when the server actually rejected the change.
+  // Codified review feedback from PR #2545 (Agent 2).
+  it("does NOT flush into useCanvasStore.updateNodeData when the PATCH rejects", async () => {
+    wireApi({
+      workspaceRuntime: "claude-code",
+      workspaceModel: "MiniMax-M2",
+      configYamlContent: "name: ws\nruntime: claude-code\ntier: 2\nruntime_config:\n  model: sonnet\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "claude-code-default",
+          name: "Claude Code",
+          runtime: "claude-code",
+          models: [{ id: "sonnet", name: "Sonnet", required_env: ["CLAUDE_CODE_OAUTH_TOKEN"] }],
+        },
+      ],
+    });
+    apiPatch.mockRejectedValue(new Error("500 from workspace-server"));
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const tierSelect = (await screen.findByLabelText(/tier/i)) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    // Wait for handleSave to settle (succeeds-or-fails). PATCH must
+    // have been attempted; the error swallow inside handleSave keeps
+    // saving=false in finally.
+    await waitFor(() => {
+      expect(apiPatch.mock.calls.some(([p]) => p === "/workspaces/ws-test")).toBe(true);
+    });
+    // Critically: the store must NOT have been told about the failed
+    // change. Otherwise the badge would lie about a write the server
+    // rejected.
+    const tierFlushes = storeUpdateNodeData.mock.calls.filter(([, body]) =>
+      typeof (body as { tier?: number }).tier === "number",
+    );
+    expect(tierFlushes.length).toBe(0);
+  });
+
+  // Pin the hermes/pre-#240 edge case: workspace where MODEL_PROVIDER
+  // was never written but YAML has runtime_config.model: "something".
+  // originalModel must reflect the rendered baseline (the YAML value),
+  // not the empty MODEL_PROVIDER, so an unrelated save (tier change)
+  // doesn't fire a /model PUT and trigger an auto-restart. Codified
+  // review feedback from PR #2545 (Agent 1, "Important").
+  it("does not PUT /model when MODEL_PROVIDER is empty and the user only edited an unrelated field", async () => {
+    wireApi({
+      workspaceRuntime: "hermes",
+      workspaceModel: "", // legacy workspace — never went through the picker
+      configYamlContent:
+        "name: ws\nruntime: hermes\ntier: 2\nruntime_config:\n  model: nousresearch/hermes-4-70b\n",
+      providerValue: "",
+      templates: [
+        {
+          id: "hermes",
+          name: "Hermes",
+          runtime: "hermes",
+          models: [{ id: "nousresearch/hermes-4-70b", name: "Hermes 4 70B", required_env: ["HERMES_API_KEY"] }],
+          providers: ["nous"],
+        },
+      ],
+    });
+    apiPut.mockResolvedValue({});
+    apiPatch.mockResolvedValue({});
+
+    render(<ConfigTab workspaceId="ws-test" />);
+    const tierSelect = (await screen.findByLabelText(/tier/i)) as HTMLSelectElement;
+    fireEvent.change(tierSelect, { target: { value: "3" } });
+
+    const saveBtn = screen.getByRole("button", { name: /^save$/i });
+    fireEvent.click(saveBtn);
+
+    await waitFor(() => {
+      expect(apiPatch.mock.calls.some(([p]) => p === "/workspaces/ws-test")).toBe(true);
+    });
+    const modelPuts = apiPut.mock.calls.filter(([path]) => path === "/workspaces/ws-test/model");
+    expect(modelPuts.length).toBe(0);
  });
 });
@@ -0,0 +1,124 @@
+# Engineer-Agent Gitea Token Scope Runbook
+
+## Symptom
+
+Engineer-class agents (e.g. `agent-dev-a`, `agent-dev-b`) fail swarm-pull issue discovery or receive HTTP 403 when calling Gitea issue-list APIs, while PR review and repository API operations continue to work.
+
+Typical failing call:
+```bash
+GET /api/v1/repos/molecule-ai/molecule-core/issues?state=open&labels=approved&limit=50
+# => 403 Forbidden
+```
+
+Typical working calls (same token):
+```bash
+GET /api/v1/repos/molecule-ai/molecule-core/pulls?state=open&limit=50
+POST /api/v1/repos/molecule-ai/molecule-core/pulls/1666/comments
+# => 200 OK
+```
+
+## Root Cause
+
+Gitea v1.22.6 routes issue-list under the `Issue` scope category (`routers/api/v1/api.go:1379-1491`), while PR routes live under repository/pull routing (`api.go:1278-1305`). The scope gate derives required read/write level from HTTP method (`api.go:309-313`), so `GET /issues?...` requires `read:issue`.
+
+Engineer-class agent PATs were provisioned with repository and PR scopes but without `read:issue`, causing the asymmetric 403.
+
+## Detection
+
+1. **Agent-side**: swarm-pull workflow logs show `403 Forbidden` on issue enumeration but not on PR list/review.
+2. **Platform-side**: Gitea access logs show `GET /repos/{owner}/{repo}/issues` returning 403 for the affected token.
+3. **Reproduction** (from any workspace with a suspected token):
+   ```bash
+   TOKEN=$(cat /configs/secrets.d/GITEA_TOKEN)
+   PLATFORM="https://git.moleculesai.app"
+
+   # Should succeed — confirms token is live
+   curl -s -o /dev/null -w "%{http_code}" \
+     -H "Authorization: token $TOKEN" \
+     "$PLATFORM/api/v1/user"
+
+   # Will 403 if the token lacks read:issue
+   curl -s -o /dev/null -w "%{http_code}" \
+     -H "Authorization: token $TOKEN" \
+     "$PLATFORM/api/v1/repos/molecule-ai/molecule-core/issues?state=open&limit=1"
+   ```
+
+## Immediate Fix
+
+### Step 1: Issue fresh PATs with correct scopes
+
+From a Gitea site-admin account (or via the Gitea web UI → Settings → Applications):
+
+1. Navigate to the affected user's profile (e.g. `agent-dev-a`).
+2. Go to **Settings → Applications → Generate New Token**.
+3. Select scopes:
+   - `read:repository` (existing)
+   - `write:repository` (existing, if push is required)
+   - `read:issue` (**add this**)
+   - `write:issue` (add only if agents must comment/edit issues)
+   - `read:pull-request` / `write:pull-request` (existing)
+   - `read:comment` / `write:comment` (existing, if PR review is required)
+4. Copy the plaintext token immediately — it is shown only once.
+
+### Step 2: Update workspace secrets
+
+For each affected engineer workspace, update the Gitea token secret:
+
+```bash
+# Via the platform API (admin auth required)
+PLATFORM="https://agents-team.moleculesai.app"
+ADMIN_TOKEN="<your-admin-token>"
+WORKSPACE_ID="<affected-workspace-id>"
+NEW_GITEA_TOKEN="<fresh-token-from-step-1>"
+
+curl -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/secrets" \
+  -H "Authorization: Bearer $ADMIN_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{
+    \"GITEA_TOKEN\": \"$NEW_GITEA_TOKEN\"
+  }"
+```
+
+Restart the workspace so the runtime re-reads secrets:
+```bash
+curl -X POST "$PLATFORM/workspaces/$WORKSPACE_ID/restart" \
+  -H "Authorization: Bearer $ADMIN_TOKEN"
+```
+
+### Step 3: Smoke-test
+
+From the restarted workspace, verify all three paths:
+
+```bash
+# 1. Issue list (the previously failing path)
+curl -s -H "Authorization: token $GITEA_TOKEN" \
+  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/issues?state=open&labels=approved&limit=1" | jq '.[0].number'
+
+# 2. PR list (should still work)
+curl -s -H "Authorization: token $GITEA_TOKEN" \
+  "https://git.moleculesai.app/api/v1/repos/molecule-ai/molecule-core/pulls?state=open&limit=1" | jq '.[0].number'
+
+# 3. Swarm-pull discovery (end-to-end)
+# Trigger the agent's autonomous tick or delegate a task that enumerates open issues.
+```
+
+## Long-Term Fix
+
+Update the **workspace secret injection path** that writes `/configs/secrets.d/GITEA_TOKEN` for engineer-class agents. The provisioning template or secret-distribution job should request `read:issue` (and optionally `write:issue`) at token-creation time.
+
+File locations to audit:
+- `.gitea/scripts/` — any token-provisioning automation
+- `infra/terraform/` or equivalent — IAM/secret-manager templates
+- `workspace-configs-templates/` — engineer-class workspace templates that declare required secrets
+
+## Prevention
+
+1. **Token scope checklist**: when provisioning new engineer-class agent tokens, verify the scope set includes `read:issue` before distributing the secret.
+2. **Monitoring**: add an agent health-check that probes `GET /repos/molecule-ai/molecule-core/issues?limit=1` and surfaces a non-fatal warning if it returns 403.
+3. **Documentation**: update the onboarding runbook for new engineer agents to include the full required scope list.
+
+## References
+
+- Gitea issue #1750: [RCA: engineer-token read:issue scope gap blocks swarm-pull workflow](https://git.moleculesai.app/molecule-ai/molecule-core/issues/1750)
+- Gitea source: `routers/api/v1/api.go:309-313` (scope gate), `api.go:1278-1305` (PR routing), `api.go:1379-1491` (issue routing)
+- Related: PR #1542 (provisioner git-creds injection), PR #1669 (auth_token inline mint)
@@ -73,15 +73,7 @@ else
 fi

 # Test 4: Create workspace B (needs bearer — tokens now exist in DB)
-# #1953 cross-tenant isolation: Summarizer is created as a CHILD of Echo so the
-# two live in the SAME org (Echo is the org root; Summarizer hangs off it via
-# parent_id). The peer-discovery tests below assert same-org peer enumeration
-# (Echo sees its child, the child sees its parent). Previously both were created
-# parent_id=NULL — two DISTINCT org roots — and "peers" only listed each other
-# via the `WHERE parent_id IS NULL` branch that returned every tenant's org root.
-# That branch WAS the cross-tenant leak (#1953) and is now removed, so two org
-# roots no longer see each other; the assertions must run inside one org.
-R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d "{\"name\":\"Summarizer Agent\",\"tier\":1,\"runtime\":\"external\",\"external\":true,\"parent_id\":\"$ECHO_ID\"}")
+R=$(acurl -X POST "$BASE/workspaces" -H "Content-Type: application/json" -d '{"name":"Summarizer Agent","tier":1,"runtime":"external","external":true}')
 check "POST /workspaces (create summarizer)" '"status":"awaiting_agent"' "$R"
 SUM_ID=$(echo "$R" | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

@@ -141,23 +133,21 @@ check "Heartbeat updated uptime" '"uptime_seconds":120' "$R"
 R=$(curl -s "$BASE/registry/discover/$ECHO_ID")
 check "GET /registry/discover/:id (missing caller rejected)" 'X-Workspace-ID header is required' "$R"

-# Test 12: Discover (from same-org child — allowed)
+# Test 12: Discover (from sibling — allowed)
 R=$(curl -s "$BASE/registry/discover/$ECHO_ID" -H "X-Workspace-ID: $SUM_ID" -H "Authorization: Bearer $SUM_TOKEN")
-check "GET /registry/discover/:id (same-org)" '"url"' "$R"
+check "GET /registry/discover/:id (sibling)" '"url"' "$R"

-# Test 13: Peers — same-org parent/child see each other (#1953). Echo is the org
-# root and lists its child Summarizer; Summarizer lists its parent Echo. A
-# cross-org workspace would NOT appear here (see cross_tenant_isolation_test.go).
+# Test 13: Peers (root siblings see each other)
 R=$(curl -s "$BASE/registry/$ECHO_ID/peers" -H "Authorization: Bearer $ECHO_TOKEN")
 check "GET /registry/:id/peers (has summarizer)" '"Summarizer' "$R"

 R=$(curl -s "$BASE/registry/$SUM_ID/peers" -H "Authorization: Bearer $SUM_TOKEN")
 check "GET /registry/:id/peers (has echo)" '"Echo Agent"' "$R"

-# Test 14: Check access (same-org parent↔child — allowed)
+# Test 14: Check access (root siblings)
 R=$(curl -s -X POST "$BASE/registry/check-access" -H "Content-Type: application/json" \
  -d "{\"caller_id\":\"$ECHO_ID\",\"target_id\":\"$SUM_ID\"}")
-check "POST /registry/check-access (same-org allowed)" '"allowed":true' "$R"
+check "POST /registry/check-access (siblings allowed)" '"allowed":true' "$R"

 # Test 15: PATCH workspace (update position)
 R=$(acurl -X PATCH "$BASE/workspaces/$ECHO_ID" -H "Content-Type: application/json" -d '{"x":100,"y":200}')
@@ -299,40 +289,32 @@ R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $ECHO_TOKEN")
 check "current_task in list response" '"current_task"' "$R"

 # Test 21: Delete
-# #1953: Summarizer is now a CHILD of Echo (same-org, for the peer-discovery
-# tests above). DELETE on the *parent* (Echo) cascade-removes its descendants
-# (CascadeDelete walks the recursive `parent_id` CTE), so deleting Echo first
-# would also remove Summarizer and the "one survives" assertion would see 0.
-# Delete the CHILD (Summarizer) here instead: a child delete does NOT cascade
-# upward, so the parent Echo survives and count=1 holds. The bundle round-trip
-# below needs Summarizer's exported config, so capture it BEFORE this delete.
-BUNDLE=$(curl -s "$BASE/bundles/export/$SUM_ID" -H "Authorization: Bearer $SUM_TOKEN")
-check "GET /bundles/export/:id" '"name":"Summarizer Agent"' "$BUNDLE"
-ORIG_NAME=$(echo "$BUNDLE" | python3 -c "import sys,json; print(json.load(sys.stdin)['name'])")
-ORIG_TIER=$(echo "$BUNDLE" | python3 -c "import sys,json; print(json.load(sys.stdin)['tier'])")
-
-R=$(acurl -X DELETE "$BASE/workspaces/$SUM_ID?confirm=true" \
-  -H "Authorization: Bearer $SUM_TOKEN" \
-  -H "X-Confirm-Name: Summarizer Agent")
-check "DELETE /workspaces/:id" '"status":"removed"' "$R"
-
-# Parent Echo must survive a child delete — list as Echo and expect count=1.
-R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $ECHO_TOKEN")
-COUNT=$(echo "$R" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))")
-check "List after delete (count=1)" "1" "$COUNT"
-
-# Test 22: Bundle round-trip — export → delete → import → verify same config.
-# Summarizer's bundle was captured above; now delete the parent Echo (the only
-# remaining workspace) so the import lands in a clean org, then re-import the
-# Summarizer bundle.
-echo ""
-echo "--- Bundle Round-Trip Test ---"
-
-# Delete the remaining parent Echo — use ECHO_TOKEN (per-workspace) for
-# WorkspaceAuth and ADMIN_TOKEN for the AdminAuth layer.
 R=$(acurl -X DELETE "$BASE/workspaces/$ECHO_ID?confirm=true" \
  -H "Authorization: Bearer $ECHO_TOKEN" \
  -H "X-Confirm-Name: Echo Agent v2")
+check "DELETE /workspaces/:id" '"status":"removed"' "$R"
+
+R=$(curl -s "$BASE/workspaces" -H "Authorization: Bearer $SUM_TOKEN")
+COUNT=$(echo "$R" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))")
+check "List after delete (count=1)" "1" "$COUNT"
+
+# Test 22: Bundle round-trip — export → delete → import → verify same config
+echo ""
+echo "--- Bundle Round-Trip Test ---"
+
+# Export the summarizer workspace (#165 / PR #167 — admin-gated)
+BUNDLE=$(curl -s "$BASE/bundles/export/$SUM_ID" -H "Authorization: Bearer $SUM_TOKEN")
+check "GET /bundles/export/:id" '"name":"Summarizer Agent"' "$BUNDLE"
+
+# Capture original config for comparison
+ORIG_NAME=$(echo "$BUNDLE" | python3 -c "import sys,json; print(json.load(sys.stdin)['name'])")
+ORIG_TIER=$(echo "$BUNDLE" | python3 -c "import sys,json; print(json.load(sys.stdin)['tier'])")
+
+# Delete the workspace — use SUM_TOKEN (per-workspace) for WorkspaceAuth
+# and ADMIN_TOKEN for the AdminAuth layer.
+R=$(curl -s -X DELETE "$BASE/workspaces/$SUM_ID?confirm=true" \
+  -H "Authorization: Bearer $SUM_TOKEN" \
+  -H "X-Confirm-Name: Summarizer Agent")
 check "Delete before re-import" '"status":"removed"' "$R"

 # After deleting both workspaces, all per-workspace tokens are revoked.
@@ -1,271 +0,0 @@
-// Command gen-providers is the codegen half of the provider-registry SSOT
-// machinery on the molecule-core side (internal#718 P2-A, CTO 2026-05-27
-// "Distribution = SDK via codegen + verify-CI"). It is the byte-for-byte mirror
-// of molecule-controlplane's cmd/gen-providers (the canonical generator). It
-// reads core's SYNCED COPY of the schema — internal/providers/providers.yaml
-// (via the providers loader, so it shares the SAME parse + validation as the
-// runtime) — and emits a checked-in Go artifact:
-//
-//	internal/providers/gen/registry_gen.go
-//
-// The artifact is a deterministic projection of the merged registry: the
-// provider catalog + per-runtime native sets as Go literals, plus the schema
-// version and a content fingerprint. It is core's leaf of the multi-language SDK
-// layer the RFC calls for (Go(CP+core)/TS(canvas)/Python(adapters)).
-//
-// CONTRACT for P2-A (zero behavior change): the generated artifact is
-// checked-in + drift-gated ONLY. NO production code path imports
-// internal/providers/gen — the gen-import-boundary test pins that. P2-B wires
-// the billing/credential decision onto the LOADER (DeriveProvider/IsPlatform),
-// not the raw gen literals. The generator is the build-time half;
-// verify-providers-gen.yml is the CI half that regenerates and fails RED on any
-// diff (drift or hand-edit); sync-providers-yaml.yml gates the synced copy
-// against the controlplane canonical.
-//
-// Usage:
-//
-//	go run ./cmd/gen-providers            # write the artifact in place
-//	go run ./cmd/gen-providers -check     # exit non-zero if the on-disk
-//	                                      # artifact differs from a fresh gen
-//	                                      # (the CI drift gate)
-//	go run ./cmd/gen-providers -o PATH    # write to a specific path
-//
-//go:generate go run ../gen-providers -o ../../internal/providers/gen/registry_gen.go
-package main
-
-import (
-	"bytes"
-	"crypto/sha256"
-	"encoding/hex"
-	"flag"
-	"fmt"
-	"go/format"
-	"os"
-	"sort"
-	"strconv"
-	"text/template"
-
-	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/providers"
-)
-
-// defaultOutPath is the checked-in artifact location, relative to the repo
-// root (the directory `go run ./cmd/gen-providers` is invoked from).
-const defaultOutPath = "internal/providers/gen/registry_gen.go"
-
-func main() {
-	var (
-		outPath string
-		check   bool
-	)
-	flag.StringVar(&outPath, "o", defaultOutPath, "output path for the generated artifact")
-	flag.BoolVar(&check, "check", false, "verify the on-disk artifact matches a fresh generation; exit 1 on drift")
-	flag.Parse()
-
-	generated, err := render()
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "gen-providers: %v\n", err)
-		os.Exit(1)
-	}
-
-	if check {
-		existing, err := os.ReadFile(outPath)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "gen-providers -check: cannot read %s: %v\n", outPath, err)
-			fmt.Fprintln(os.Stderr, "Run `go generate ./...` (or `go run ./cmd/gen-providers`) and commit the result.")
-			os.Exit(1)
-		}
-		if !bytes.Equal(existing, generated) {
-			fmt.Fprintf(os.Stderr, "gen-providers -check: DRIFT — %s is out of sync with providers.yaml.\n", outPath)
-			fmt.Fprintln(os.Stderr, "The generated artifact was hand-edited or providers.yaml changed without regen.")
-			fmt.Fprintln(os.Stderr, "Fix: run `go generate ./...` (or `go run ./cmd/gen-providers`) and commit.")
-			os.Exit(1)
-		}
-		fmt.Println("gen-providers -check: OK — artifact in sync with providers.yaml")
-		return
-	}
-
-	if err := os.WriteFile(outPath, generated, 0o644); err != nil {
-		fmt.Fprintf(os.Stderr, "gen-providers: write %s: %v\n", outPath, err)
-		os.Exit(1)
-	}
-	fmt.Printf("gen-providers: wrote %s\n", outPath)
-}
-
-// render loads the manifest and produces the gofmt'd artifact bytes.
-func render() ([]byte, error) {
-	m, err := providers.LoadManifest()
-	if err != nil {
-		return nil, fmt.Errorf("load manifest: %w", err)
-	}
-
-	// Deterministic ordering: providers in catalog order is already stable
-	// (slice). Runtimes is a map — sort its keys so the artifact is
-	// reproducible regardless of Go map iteration order.
-	runtimeNames := make([]string, 0, len(m.Runtimes))
-	for rt := range m.Runtimes {
-		runtimeNames = append(runtimeNames, rt)
-	}
-	sort.Strings(runtimeNames)
-
-	type genProvider struct {
-		Name             string
-		DisplayName      string
-		Protocol         string
-		AuthMode         string
-		AuthEnv          []string
-		ModelPrefixMatch string
-		IsPlatform       bool
-		// UpstreamVendor is the proxy's upstream-vendor key for this entry
-		// (internal#718 P1, CONVERGED) — empty for entries the proxy does not
-		// route to an upstream. A plain scalar (no pointer), so both the rendered
-		// literal and the fingerprint stay deterministic.
-		UpstreamVendor string
-	}
-	type genRef struct {
-		Name   string
-		Models []string
-	}
-	type genRuntime struct {
-		Name      string
-		Providers []genRef
-	}
-
-	data := struct {
-		SchemaVersion int
-		Fingerprint   string
-		Providers     []genProvider
-		Runtimes      []genRuntime
-	}{
-		SchemaVersion: providers.SchemaVersion(),
-	}
-
-	for _, p := range m.Providers {
-		gp := genProvider{
-			Name:             p.Name,
-			DisplayName:      p.DisplayName,
-			Protocol:         string(p.Protocol),
-			AuthMode:         p.AuthMode,
-			AuthEnv:          p.AuthEnv,
-			ModelPrefixMatch: p.ModelPrefixMatch,
-			IsPlatform:       p.IsPlatform(),
-			UpstreamVendor:   p.UpstreamVendor,
-		}
-		data.Providers = append(data.Providers, gp)
-	}
-	for _, rt := range runtimeNames {
-		native := m.Runtimes[rt]
-		gr := genRuntime{Name: rt}
-		for _, ref := range native.Providers {
-			gr.Providers = append(gr.Providers, genRef{Name: ref.Name, Models: ref.Models})
-		}
-		data.Runtimes = append(data.Runtimes, gr)
-	}
-
-	// Fingerprint pins the artifact to the data it was generated from. It is
-	// derived from the structured projection (schema version + providers +
-	// runtimes), NOT the raw YAML bytes, so a comment-only YAML edit does not
-	// churn the artifact while any data change does.
-	data.Fingerprint = fingerprint(data.SchemaVersion, data.Providers, data.Runtimes)
-
-	var buf bytes.Buffer
-	if err := artifactTmpl.Execute(&buf, data); err != nil {
-		return nil, fmt.Errorf("execute template: %w", err)
-	}
-	formatted, err := format.Source(buf.Bytes())
-	if err != nil {
-		return nil, fmt.Errorf("gofmt generated source: %w\n----\n%s", err, buf.String())
-	}
-	return formatted, nil
-}
-
-// fingerprint is a stable content hash of the structured projection. Any
-// fields below this function references must be kept in sync with the
-// template's emitted data so the hash and the literals never diverge.
-func fingerprint(schema int, provs any, runtimes any) string {
-	h := sha256.New()
-	fmt.Fprintf(h, "schema=%d\n", schema)
-	fmt.Fprintf(h, "%#v\n%#v\n", provs, runtimes)
-	return hex.EncodeToString(h.Sum(nil))[:16]
-}
-
-func quote(s string) string { return strconv.Quote(s) }
-
-func quoteSlice(ss []string) string {
-	var b bytes.Buffer
-	b.WriteString("[]string{")
-	for i, s := range ss {
-		if i > 0 {
-			b.WriteString(", ")
-		}
-		b.WriteString(strconv.Quote(s))
-	}
-	b.WriteString("}")
-	return b.String()
-}
-
-var artifactTmpl = template.Must(template.New("artifact").Funcs(template.FuncMap{
-	"quote":      quote,
-	"quoteSlice": quoteSlice,
-}).Parse(`// Code generated by cmd/gen-providers; DO NOT EDIT.
-//
-// Source of truth: internal/providers/providers.yaml (schema_version {{.SchemaVersion}}).
-// Regenerate with: go generate ./...   (or: go run ./cmd/gen-providers)
-// The verify-providers-gen CI workflow fails RED if this file drifts from
-// providers.yaml or is hand-edited. internal#718 P0 — checked-in + drift-
-// gated ONLY; no production path imports this package yet (that is P1+).
-
-package gen
-
-// SchemaVersion is the providers.yaml schema this artifact was generated
-// against. It is the semver'd contract version (the MAJOR component for the
-// public extension contract; see internal/providers/README.md).
-const SchemaVersion = {{.SchemaVersion}}
-
-// Fingerprint is a stable content hash of the generated projection (schema
-// version + provider catalog + runtime native sets). It changes iff the
-// registry DATA changes (comment-only YAML edits do not churn it).
-const Fingerprint = {{quote .Fingerprint}}
-
-// GenProvider is the generated projection of one provider catalog entry —
-// the subset a downstream consumer needs to derive + display a provider.
-type GenProvider struct {
-	Name             string
-	DisplayName      string
-	Protocol         string
-	AuthMode         string
-	AuthEnv          []string
-	ModelPrefixMatch string
-	// IsPlatform marks the closed, core-only platform-managed provider.
-	IsPlatform bool
-	// UpstreamVendor is the proxy's upstream-vendor key for this entry
-	// (internal#718 P1, CONVERGED); empty for providers the proxy does not
-	// route to an upstream vendor. ResolveUpstream maps a model id's namespace
-	// token to the entry whose UpstreamVendor equals it.
-	UpstreamVendor string
-}
-
-// GenRuntimeRef is one native provider a runtime supports + its exact models.
-type GenRuntimeRef struct {
-	Name   string
-	Models []string
-}
-
-// Providers is the full provider catalog, in providers.yaml declaration order.
-var Providers = []GenProvider{
-{{- range .Providers}}
-	{Name: {{quote .Name}}, DisplayName: {{quote .DisplayName}}, Protocol: {{quote .Protocol}}, AuthMode: {{quote .AuthMode}}, AuthEnv: {{quoteSlice .AuthEnv}}, ModelPrefixMatch: {{quote .ModelPrefixMatch}}, IsPlatform: {{.IsPlatform}}{{if .UpstreamVendor}}, UpstreamVendor: {{quote .UpstreamVendor}}{{end}}},
-{{- end}}
-}
-
-// Runtimes maps each runtime to its native provider+model set, runtime names
-// sorted for a deterministic artifact.
-var Runtimes = map[string][]GenRuntimeRef{
-{{- range .Runtimes}}
-	{{quote .Name}}: {
-{{- range .Providers}}
-		{Name: {{quote .Name}}, Models: {{quoteSlice .Models}}},
-{{- end}}
-	},
-{{- end}}
-}
-`))
@@ -1,121 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-// repoRoot walks up from the test's working dir (cmd/gen-providers) to the
-// module root so the test can locate the checked-in artifact regardless of
-// where `go test` is invoked from.
-func repoRoot(t *testing.T) string {
-	t.Helper()
-	dir, err := os.Getwd()
-	if err != nil {
-		t.Fatalf("getwd: %v", err)
-	}
-	for i := 0; i < 6; i++ {
-		if _, err := os.Stat(filepath.Join(dir, "go.mod")); err == nil {
-			return dir
-		}
-		dir = filepath.Dir(dir)
-	}
-	t.Fatal("could not locate repo root (go.mod) from cmd/gen-providers")
-	return ""
-}
-
-// TestArtifactInSync is the drift gate's Go-test counterpart: the checked-in
-// internal/providers/gen/registry_gen.go MUST byte-equal a fresh render. If a
-// future edit changes providers.yaml without regenerating, OR hand-edits the
-// artifact, this flips red — the same signal the verify-providers-gen CI
-// workflow emits, but caught locally by `go test ./...` too.
-func TestArtifactInSync(t *testing.T) {
-	generated, err := render()
-	if err != nil {
-		t.Fatalf("render() error = %v", err)
-	}
-	artifactPath := filepath.Join(repoRoot(t), defaultOutPath)
-	onDisk, err := os.ReadFile(artifactPath)
-	if err != nil {
-		t.Fatalf("read checked-in artifact %s: %v (run `go generate ./...` and commit)", artifactPath, err)
-	}
-	if !bytes.Equal(onDisk, generated) {
-		t.Fatalf("DRIFT: %s is out of sync with providers.yaml.\n"+
-			"Run `go generate ./...` (or `go run ./cmd/gen-providers`) and commit the result.", defaultOutPath)
-	}
-}
-
-// TestDriftGateCatchesMutation is the load-bearing-gate proof (per the SOP
-// fail-direction discipline). The original P0 version was TAUTOLOGICAL
-// (internal#718 P1 review carry-over): it appended bytes to an in-memory copy
-// and asserted the copy differed from the original — true by construction,
-// touching neither the on-disk artifact nor the actual in-sync comparison the
-// gate runs. This version exercises the REAL gate: it writes a MUTATED artifact
-// to disk and re-runs the SAME comparison TestArtifactInSync / `-check` perform
-// (`render()` bytes vs the on-disk file), asserting it now reports drift — then
-// restores the original. So the test would fail if the gate were vacuous (e.g.
-// if the comparison ignored content), not merely if append changes bytes.
-func TestDriftGateCatchesMutation(t *testing.T) {
-	generated, err := render()
-	if err != nil {
-		t.Fatalf("render() error = %v", err)
-	}
-	artifactPath := filepath.Join(repoRoot(t), defaultOutPath)
-	original, err := os.ReadFile(artifactPath)
-	if err != nil {
-		t.Fatalf("read checked-in artifact %s: %v", artifactPath, err)
-	}
-	// Precondition: the tree is in sync (so the mutation is what flips the gate,
-	// not pre-existing drift).
-	if !bytes.Equal(original, generated) {
-		t.Fatalf("precondition failed: %s already drifted from render() — run `go generate ./...`", defaultOutPath)
-	}
-
-	// Restore the pristine artifact no matter how the test exits.
-	t.Cleanup(func() {
-		if err := os.WriteFile(artifactPath, original, 0o644); err != nil {
-			t.Fatalf("CRITICAL: failed to restore %s after mutation: %v", artifactPath, err)
-		}
-	})
-
-	// Mutate the ON-DISK artifact (simulating a hand-edit / a providers.yaml
-	// change that wasn't regenerated).
-	mutated := append(append([]byte(nil), original...), []byte("\n// injected drift\n")...)
-	if err := os.WriteFile(artifactPath, mutated, 0o644); err != nil {
-		t.Fatalf("write mutated artifact: %v", err)
-	}
-
-	// Re-run the EXACT in-sync comparison the gate uses: fresh render vs the
-	// (now mutated) on-disk file. It MUST report drift.
-	onDiskAfter, err := os.ReadFile(artifactPath)
-	if err != nil {
-		t.Fatalf("re-read mutated artifact: %v", err)
-	}
-	freshRender, err := render()
-	if err != nil {
-		t.Fatalf("render() after mutation error = %v", err)
-	}
-	if bytes.Equal(onDiskAfter, freshRender) {
-		t.Fatal("drift gate did NOT detect a mutated on-disk artifact — gate is not load-bearing")
-	}
-}
-
-// TestRenderDeterministic proves regeneration is idempotent: two renders of
-// the same manifest produce byte-identical output (sorted runtime keys, stable
-// catalog order). A non-deterministic generator would make the drift gate
-// flap on Go map iteration order.
-func TestRenderDeterministic(t *testing.T) {
-	a, err := render()
-	if err != nil {
-		t.Fatalf("render() #1 error = %v", err)
-	}
-	b, err := render()
-	if err != nil {
-		t.Fatalf("render() #2 error = %v", err)
-	}
-	if !bytes.Equal(a, b) {
-		t.Fatal("render() is non-deterministic — two runs differ; the drift gate would flap")
-	}
-}
@@ -335,7 +335,6 @@ func (m *Manager) HandleInbound(ctx context.Context, ch ChannelRow, msg *Inbound
 	})
 	if marshalErr != nil {
 		log.Printf("Channels %s: json.Marshal a2aBody failed: %v", ch.ChannelType, marshalErr)
-		return fmt.Errorf("marshal a2a body: %w", marshalErr)
 	}

 	callerID := "channel:" + ch.ChannelType
@@ -677,7 +676,6 @@ func (m *Manager) appendHistory(ctx context.Context, key string, username, userM
 	})
 	if marshalErr != nil {
 		log.Printf("appendHistory %s: json.Marshal entry failed: %v", key, marshalErr)
-		return
 	}
 	db.RDB.LPush(ctx, key, string(entry))
 	db.RDB.LTrim(ctx, key, 0, int64(maxHistoryEntries-1))
@@ -163,7 +163,6 @@ func (s *SlackAdapter) sendBotMessage(ctx context.Context, config map[string]int
 		body, marshalErr := json.Marshal(payload)
 		if marshalErr != nil {
 			log.Printf("slack SendMessage: json.Marshal payload failed: %v", marshalErr)
-			return fmt.Errorf("slack: marshal payload: %w", marshalErr)
 		}
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://slack.com/api/chat.postMessage", bytes.NewReader(body))
 		if err != nil {
@@ -482,14 +482,12 @@ func (t *TelegramAdapter) StartPolling(ctx context.Context, config map[string]in
 				if apiErr.Code == 429 {
 					retryAfter := time.Duration(apiErr.RetryAfter) * time.Second
 					log.Printf("Channels: Telegram poll rate-limited, sleeping %s", retryAfter)
-					timer := time.NewTimer(retryAfter)
 					select {
 					case <-ctx.Done():
-						timer.Stop()
 						return nil
-					case <-timer.C:
+					case <-time.After(retryAfter):
+						continue
 					}
-					continue
 				}
 				if apiErr.Code == 401 {
 					invalidateBot(token)
@@ -497,14 +495,12 @@ func (t *TelegramAdapter) StartPolling(ctx context.Context, config map[string]in
 				}
 			}
 			log.Printf("Channels: Telegram poll error: %v", err)
-			timer := time.NewTimer(telegramPollInterval)
 			select {
 			case <-ctx.Done():
-				timer.Stop()
 				return nil
-			case <-timer.C:
+			case <-time.After(telegramPollInterval):
+				continue
 			}
-			continue
 		}

 		for _, update := range updates {
@@ -375,30 +375,6 @@ func (h *WorkspaceHandler) proxyA2ARequest(ctx context.Context, workspaceID stri
 				Response: gin.H{"error": "access denied: workspaces cannot communicate per hierarchy rules"},
 			}
 		}
-
-		// #1953 cross-tenant isolation. CanCommunicate alone does NOT enforce
-		// org boundaries: its "root-level siblings — both have no parent" rule
-		// treats every tenant's org root as a sibling, so a caller that is an
-		// org root could resolve and route a2a to another tenant's org root
-		// (and resolveAgentURL accepts ANY workspace id with no org check).
-		// Gate on the SAME parent_id-chain org scoping the OFFSEC-015 broadcast
-		// fix uses: reject before resolveAgentURL when caller and target are in
-		// different orgs. Fail-closed — a DB error denies cross-org routing.
-		ok, err := sameOrg(ctx, db.DB, callerID, workspaceID)
-		if err != nil {
-			log.Printf("ProxyA2A: org-scope check failed %s → %s: %v — denying", callerID, workspaceID, err)
-			return 0, nil, &proxyA2AError{
-				Status:   http.StatusForbidden,
-				Response: gin.H{"error": "access denied: org isolation check failed"},
-			}
-		}
-		if !ok {
-			log.Printf("ProxyA2A: cross-org routing denied %s → %s (#1953)", callerID, workspaceID)
-			return 0, nil, &proxyA2AError{
-				Status:   http.StatusForbidden,
-				Response: gin.H{"error": "access denied: target workspace is in a different org"},
-			}
-		}
 	}

 	// Budget enforcement: reject A2A calls when the workspace has exceeded its
@@ -426,34 +426,16 @@ func nilIfEmpty(s string) *string {
 // (their next /registry/register will mint their first token, after
 // which this branch never fires again for them).
 //
-// Post-RFC#637 addition: a request may instead be carrying a HUMAN's
-// canvas-user identity (e.g. the 344a2623-… identity workspace from the
-// RFC#637 rollout). That human sits OUTSIDE the workspace org hierarchy, so
-// the returned isCanvasUser flag lets the A2A proxy bypass CanCommunicate for
-// it. Canvas-user classification is decided by isGenuineCanvasUser using
-// NON-FORGEABLE credentials only (see that function) — never by the caller's
-// X-Workspace-ID alone, and never by a bare same-origin Host/Referer in a
-// SaaS image (those are forgeable; see middleware.IsSameOriginCanvas).
-//
-// #1673: this canvas-user check is now evaluated BEFORE the HasAnyLiveToken
-// peer-token contract. Previously it lived only in the !hasLive branch, so a
-// canvas-user identity workspace that had acquired live tokens fell into the
-// hasLive=true branch, which demands a bearer the canvas frontend never sends
-// → silent 401 → the message was dropped before logA2AReceiveQueued wrote the
-// activity_logs row, breaking canvas chat for poll-mode workspaces. A genuine
-// canvas user is identified by the human's session/admin/org credential, which
-// is independent of whether the identity workspace happens to hold peer tokens.
+// Post-RFC#637 addition: when the tokenless workspace is accompanied by
+// canvas or admin auth (same-origin request, admin bearer, or org-level
+// token), the caller is identified as a canvas-user identity rather than
+// a legacy peer agent. The returned isCanvasUser flag lets the A2A proxy
+// bypass CanCommunicate for human users, who sit outside the workspace
+// hierarchy.
 //
 // On auth failure this writes the 401 via c and returns an error so the
 // handler aborts without running the proxy.
 func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (isCanvasUser bool, err error) {
-	// Genuine canvas-user identity? Decided independently of the caller
-	// workspace's token state (the #1673 fix) and using only non-forgeable
-	// signals (the #1944 escalation guard).
-	if isGenuineCanvasUser(ctx, c) {
-		return true, nil
-	}
-
 	hasLive, dbErr := wsauth.HasAnyLiveToken(ctx, db.DB, callerID)
 	if dbErr != nil {
 		// Fail-open here matches the heartbeat path — A2A caller auth is
@@ -464,10 +446,22 @@ func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (
 		return false, nil
 	}
 	if !hasLive {
-		// Tokenless, non-canvas-user workspace — legacy / pre-upgrade peer.
-		// Grandfather it through (its next /registry/register mints its
-		// first token, after which it lands in the hasLive=true branch).
-		return false, nil
+		// Tokenless workspace — could be legacy/pre-upgrade caller or
+		// canvas-user identity. Distinguish by request auth signals.
+		if middleware.IsSameOriginCanvas(c) {
+			return true, nil
+		}
+		tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
+		if tok != "" {
+			adminSecret := os.Getenv("ADMIN_TOKEN")
+			if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
+				return true, nil
+			}
+			if _, _, _, err := orgtoken.Validate(ctx, db.DB, tok); err == nil {
+				return true, nil
+			}
+		}
+		return false, nil // legacy / pre-upgrade caller
 	}
 	tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
 	if tok == "" {
@@ -481,61 +475,6 @@ func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) (
 	return false, nil
 }

-// isGenuineCanvasUser reports whether the request is a real human acting
-// through the canvas UI (RFC#637 canvas-user identity), as opposed to a peer
-// workspace agent. A true result lets the A2A proxy bypass CanCommunicate, so
-// it MUST only accept signals an attacker on the platform network cannot forge:
-//
-//   - A control-plane-verified canvas session: the WorkOS session cookie is
-//     confirmed upstream to belong to a MEMBER of THIS tenant's org
-//     (middleware.IsVerifiedCanvasSession → /cp/auth/tenant-member). This is
-//     the production SaaS canvas path.
-//   - An Authorization: Bearer matching ADMIN_TOKEN (break-glass / molecli).
-//   - An Authorization: Bearer matching a live org_api_tokens row (user-minted
-//     org-scoped API token).
-//
-// Deliberately NOT accepted as a canvas-user signal in a SaaS image:
-//
-//   - A bare same-origin Host/Referer/Origin (middleware.IsSameOriginCanvas).
-//     Those headers are trivially forgeable by any container on the Docker
-//     network, and the combined-tenant image (CANVAS_PROXY_URL set) is exactly
-//     where a forged Referer + an arbitrary X-Workspace-ID could otherwise
-//     bypass CanCommunicate and reach cross-workspace A2A — the PR #1944
-//     privilege escalation. Same-origin is only honored as a fallback when CP
-//     session verification is NOT configured (self-hosted / dev), a
-//     single-tenant topology with no cross-tenant boundary to escalate across;
-//     even there the org hierarchy still owns intra-org routing.
-//
-// Note this classification is about the human's credential, not the caller
-// workspace's X-Workspace-ID — so it never trusts an attacker-supplied caller
-// ID, and it is independent of whether that workspace holds peer tokens.
-func isGenuineCanvasUser(ctx context.Context, c *gin.Context) bool {
-	// Production SaaS: control-plane-verified org-member session cookie.
-	if middleware.IsVerifiedCanvasSession(c) {
-		return true
-	}
-
-	if tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization")); tok != "" {
-		adminSecret := os.Getenv("ADMIN_TOKEN")
-		if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
-			return true
-		}
-		if _, _, _, err := orgtoken.Validate(ctx, db.DB, tok); err == nil {
-			return true
-		}
-	}
-
-	// Self-hosted / dev fallback ONLY: when upstream session verification is
-	// not configured there is no verified-cookie signal to use, and the
-	// deployment is single-tenant, so the forgeable same-origin check is an
-	// acceptable canvas signal. In SaaS (CP session configured) this branch is
-	// skipped, closing the forged-same-origin escalation.
-	if !middleware.CPSessionConfigured() && middleware.IsSameOriginCanvas(c) {
-		return true
-	}
-	return false
-}
-
 // errInvalidCallerToken is a sentinel for validateCallerToken's "missing
 // token" branch so the handler-level guard can detect it without string
 // matching (the wsauth errors are typed for the invalid case).
@@ -11,7 +11,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"os/exec"
 	"strings"
 	"testing"
 	"time"
@@ -437,10 +436,6 @@ func TestProxyA2A_CallerIDPropagated(t *testing.T) {
 		WithArgs("ws-target").
 		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-target", "ws-parent"))

-	// #1953 cross-tenant guard: same-org check after CanCommunicate. Both
-	// workspaces resolve to the same org root → routing allowed.
-	mockSameOrg(mock, "ws-caller", "ws-target", true)
-
 	expectBudgetCheck(mock, "ws-target")

 	// Expect activity log with source_id set
@@ -469,24 +464,6 @@ func TestProxyA2A_CallerIDPropagated(t *testing.T) {
 	}
 }

-// mockSameOrg sets up the two org-root recursive-CTE expectations that the
-// #1953 cross-tenant guard in proxyA2ARequest runs after CanCommunicate passes.
-// sameOrg=true returns the SAME root_id for both caller and target (same tenant);
-// sameOrg=false returns different root_ids (cross-tenant → routing must be denied).
-func mockSameOrg(mock sqlmock.Sqlmock, caller, target string, sameOrg bool) {
-	callerRoot := "org-root-shared"
-	targetRoot := "org-root-shared"
-	if !sameOrg {
-		targetRoot = "org-root-other-tenant"
-	}
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(callerRoot))
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(targetRoot))
-}
-
 // mockCanCommunicate sets up sqlmock expectations for CanCommunicate(caller, target).
 // allowed=true sets up rows that satisfy the access policy (siblings under same parent).
 // allowed=false sets up rows that don't (different parents).
@@ -681,9 +658,6 @@ func TestProxyA2A_CallerIDDerivedFromBearer(t *testing.T) {
 		WithArgs("ws-target").
 		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow("ws-target", "ws-parent"))

-	// 3b. #1953 cross-tenant guard — same org root → routing allowed.
-	mockSameOrg(mock, "ws-caller", "ws-target", true)
-
 	expectBudgetCheck(mock, "ws-target")

 	// 4. activity_logs INSERT — verify source_id arg is the derived ws-caller
@@ -1270,12 +1244,13 @@ func TestValidateCallerToken_WrongWorkspaceBindingRejected(t *testing.T) {
 }

 func TestValidateCallerToken_CanvasUser_AdminToken(t *testing.T) {
-	setupTestDB(t)
+	mock := setupTestDB(t)
 	setupTestRedis(t)

-	// #1673/#1944: the genuine-canvas-user check (admin bearer here) now runs
-	// BEFORE HasAnyLiveToken, so no SELECT COUNT(*) is issued — the human's
-	// credential, not the caller workspace's token state, decides canvas-user.
+	// Tokenless workspace
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs("ws-canvas-admin").
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))

 	t.Setenv("ADMIN_TOKEN", "admin-secret-42")

@@ -1301,9 +1276,10 @@ func TestValidateCallerToken_CanvasUser_OrgToken(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)

-	// #1673/#1944: the genuine-canvas-user check (org token here) now runs
-	// BEFORE HasAnyLiveToken, so the first DB query is orgtoken.Validate's
-	// lookup — there is no SELECT COUNT(*) expectation anymore.
+	// Tokenless workspace
+	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
+		WithArgs("ws-canvas-org").
+		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))

 	// orgtoken.Validate lookup
 	mock.ExpectQuery(`SELECT id, prefix, org_id FROM org_api_tokens WHERE token_hash = .* AND revoked_at IS NULL`).
@@ -2365,197 +2341,6 @@ func TestProxyA2A_PollMode_ShortCircuits_NoSSRF_NoDispatch(t *testing.T) {
 	}
 }

-// stubVerifiedCPSession points VerifiedCPSession at a stub control-plane that
-// confirms the given cookie belongs to a tenant-member, so tests can exercise
-// the genuine (non-forgeable) canvas-session path end-to-end without a live CP.
-// It sets CP_UPSTREAM_URL + MOLECULE_ORG_SLUG for the test's lifetime; the
-// real middleware.VerifiedCPSession HTTP+cache code path runs unchanged.
-func stubVerifiedCPSession(t *testing.T, member bool) {
-	t.Helper()
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		if member {
-			fmt.Fprint(w, `{"member":true,"user_id":"user-canvas-1"}`)
-		} else {
-			w.WriteHeader(http.StatusForbidden)
-			fmt.Fprint(w, `{"member":false}`)
-		}
-	}))
-	t.Cleanup(srv.Close)
-	t.Setenv("CP_UPSTREAM_URL", srv.URL)
-	t.Setenv("MOLECULE_ORG_SLUG", "test-tenant")
-}
-
-// TestProxyA2A_PollMode_CanvasUserWithVerifiedSession is the #1673 regression
-// guard. A poll-mode canvas-user identity workspace that HAS acquired live
-// tokens (the exact condition that made #1673 fire) sends a canvas message
-// carrying a control-plane-verified session cookie but no bearer token. The
-// fix must classify it as a canvas user BEFORE the HasAnyLiveToken peer-token
-// contract, so the request is queued (200) and logA2AReceiveQueued writes the
-// activity_logs row — instead of the pre-fix silent 401 that dropped the
-// message before any row landed (breaking canvas chat + chat-history).
-//
-// Runs in a subprocess with CANVAS_PROXY_URL set so middleware.canvasProxyActive
-// is true at package-init time (matching the combined-tenant image), proving the
-// fix does not depend on disabling same-origin detection.
-func TestProxyA2A_PollMode_CanvasUserWithVerifiedSession(t *testing.T) {
-	if os.Getenv("CANVAS_PROXY_URL") == "" {
-		cmd := exec.Command(os.Args[0], "-test.run=^TestProxyA2A_PollMode_CanvasUserWithVerifiedSession$", "-test.v")
-		cmd.Env = append(os.Environ(), "CANVAS_PROXY_URL=http://localhost")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			t.Fatalf("subprocess test failed: %v\n%s", err, out)
-		}
-		return
-	}
-
-	stubVerifiedCPSession(t, true)
-
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-
-	const wsTarget = "ws-poll-canvas-target"
-	const wsCanvasUser = "ws-canvas-user-344a"
-
-	// CRUCIAL: no SELECT COUNT(*) FROM workspace_auth_tokens expectation. The
-	// genuine-canvas-user check (verified session) must short-circuit BEFORE
-	// HasAnyLiveToken — that is the #1673 regression path. An identity
-	// workspace that already holds live tokens must NOT fall into the
-	// hasLive=true bearer-required branch.
-
-	// isCanvasUser=true → CanCommunicate is skipped (no parent_id lookups).
-	expectBudgetCheck(mock, wsTarget)
-	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
-		WithArgs(wsTarget).
-		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode"}).AddRow("poll"))
-	// logA2AReceiveQueued must fire synchronously and write the row.
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: wsTarget}}
-
-	body := `{"jsonrpc":"2.0","id":"canvas-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"hello from canvas"}]}}}`
-	req := httptest.NewRequest("POST", "/workspaces/"+wsTarget+"/a2a", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-Workspace-ID", wsCanvasUser)
-	// Verified canvas session cookie (the genuine, non-forgeable signal).
-	req.Header.Set("Cookie", "wos-session=valid-canvas-session-cookie")
-	// Same-origin headers, present as a real canvas request would send them —
-	// but they are NOT what authorizes the bypass here (the verified session is).
-	req.Host = "localhost"
-	req.Header.Set("Referer", "https://localhost/")
-	c.Request = req
-
-	handler.ProxyA2A(c)
-
-	time.Sleep(50 * time.Millisecond)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 (queued) for canvas-user with verified session, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("response is not valid JSON: %v", err)
-	}
-	if resp["status"] != "queued" {
-		t.Errorf("response.status = %v, want %q", resp["status"], "queued")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations (activity_logs row must be written): %v", err)
-	}
-}
-
-// TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate is the security
-// crux of the #1673 fix and the reason PR #1944 was held. In the combined-
-// tenant SaaS image (CANVAS_PROXY_URL set, CP session verification configured),
-// an attacker forges a same-origin request — correct Host + a matching
-// `Referer: https://<host>/` — and supplies an arbitrary X-Workspace-ID naming
-// a workspace it does not control, targeting a workspace it is NOT authorized
-// to reach. It presents NO verified session cookie, NO admin token, NO org
-// token.
-//
-// PR #1944's same-origin bypass would have classified this as a canvas user and
-// skipped CanCommunicate, granting cross-workspace A2A — a privilege
-// escalation. The safe fix must instead fall through to the standard
-// peer-token contract and CanCommunicate, which rejects the cross-hierarchy
-// call with 403. This test proves the escalation is closed.
-func TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate(t *testing.T) {
-	if os.Getenv("CANVAS_PROXY_URL") == "" {
-		cmd := exec.Command(os.Args[0], "-test.run=^TestProxyA2A_ForgedSameOrigin_CannotBypassCanCommunicate$", "-test.v")
-		cmd.Env = append(os.Environ(), "CANVAS_PROXY_URL=http://localhost")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			t.Fatalf("subprocess test failed: %v\n%s", err, out)
-		}
-		return
-	}
-
-	// SaaS image with CP session verification configured. The stub CP rejects
-	// any cookie as a non-member; the attacker sends none anyway. This asserts
-	// that with verification configured, same-origin alone is NOT a canvas
-	// signal (CPSessionConfigured()==true disables the dev fallback).
-	stubVerifiedCPSession(t, false)
-
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-
-	const wsTarget = "ws-victim-target"
-	const wsForgedCaller = "ws-attacker-caller"
-
-	// validateCallerToken: not a genuine canvas user (no verified session, no
-	// admin/org token, and the dev same-origin fallback is disabled in SaaS).
-	// So it consults the peer-token contract: HasAnyLiveToken for the forged
-	// caller. Return 0 → tokenless legacy peer → grandfathered through token
-	// validation (isCanvasUser stays false). The request must then still be
-	// gated by CanCommunicate.
-	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
-		WithArgs(wsForgedCaller).
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(0))
-
-	// CanCommunicate MUST run (the escalation guard) and DENY: caller and
-	// target sit under different parents.
-	mockCanCommunicate(mock, wsForgedCaller, wsTarget, false)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: wsTarget}}
-
-	body := `{"jsonrpc":"2.0","id":"exploit-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"cross-workspace exploit"}]}}}`
-	req := httptest.NewRequest("POST", "/workspaces/"+wsTarget+"/a2a", bytes.NewBufferString(body))
-	req.Header.Set("Content-Type", "application/json")
-	// Arbitrary caller workspace the attacker does not own.
-	req.Header.Set("X-Workspace-ID", wsForgedCaller)
-	// Forged same-origin signals (the #1944 bypass vector).
-	req.Host = "localhost"
-	req.Header.Set("Referer", "https://localhost/")
-	req.Header.Set("Origin", "https://localhost")
-	// No Cookie / Authorization — no genuine canvas credential.
-	c.Request = req
-
-	handler.ProxyA2A(c)
-
-	if w.Code != http.StatusForbidden {
-		t.Fatalf("ESCALATION NOT CLOSED: forged same-origin + arbitrary X-Workspace-ID "+
-			"reached an unauthorized target with status %d (want 403): %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("body not JSON: %v", err)
-	}
-	if !strings.Contains(fmt.Sprint(resp["error"]), "access denied") {
-		t.Errorf("expected an access-denied error from CanCommunicate, got %v", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations — CanCommunicate must have been consulted: %v", err)
-	}
-}
-
 // TestProxyA2A_PushMode_NoShortCircuit verifies the symmetric contract:
 // a push-mode workspace (default) is NOT affected by the new short-circuit.
 // It still proceeds to resolveAgentURL + dispatch. Without this guard, a
@@ -425,7 +425,6 @@ func (h *WorkspaceHandler) stitchDrainResponseToDelegation(ctx context.Context,
 	})
 	if marshalErr != nil {
 		log.Printf("a2aQueue stitch %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
-		return
 	}
 	res, err := db.DB.ExecContext(ctx, `
 		UPDATE activity_logs
@@ -153,15 +153,7 @@ func queueRowAuthFields(ctx context.Context, queueID string) (callerID, workspac
 	if err != nil {
 		return "", "", err
 	}
-	callerID = ""
-	if callerNS.Valid {
-		callerID = callerNS.String
-	}
-	workspaceID = ""
-	if workspaceNS.Valid {
-		workspaceID = workspaceNS.String
-	}
-	return callerID, workspaceID, nil
+	return callerNS.String, workspaceNS.String, nil
 }

 // GetA2AQueueStatus handles GET /workspaces/:id/a2a/queue/:queue_id.
@@ -1,64 +1,9 @@
 package handlers

 import (
-	"context"
-	"database/sql"
-	"errors"
 	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
 )

-// TestQueueRowAuthFields_NilSafeScan proves queueRowAuthFields returns empty
-// strings (not a panic / garbage) when the a2a_queue row has NULL caller_id
-// or workspace_id. Before the fix it dereferenced NullString.String directly,
-// which is only the zero value when Valid is false but masked the NULL-vs-""
-// distinction; the guard makes the intent explicit and safe.
-func TestQueueRowAuthFields_NilSafeScan(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-123"
-
-	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow(nil, nil))
-
-	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("queueRowAuthFields returned error: %v", err)
-	}
-	if caller != "" {
-		t.Errorf("callerID = %q, want empty string for NULL caller_id", caller)
-	}
-	if workspace != "" {
-		t.Errorf("workspaceID = %q, want empty string for NULL workspace_id", workspace)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
-// TestQueueRowAuthFields_PopulatedRow confirms the non-NULL path still returns
-// the scanned values unchanged.
-func TestQueueRowAuthFields_PopulatedRow(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-456"
-
-	mock.ExpectQuery(`SELECT caller_id, workspace_id FROM a2a_queue WHERE id = \$1`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{"caller_id", "workspace_id"}).AddRow("caller-x", "ws-y"))
-
-	caller, workspace, err := queueRowAuthFields(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("queueRowAuthFields returned error: %v", err)
-	}
-	if caller != "caller-x" || workspace != "ws-y" {
-		t.Fatalf("got caller=%q workspace=%q, want caller-x / ws-y", caller, workspace)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
 // TestExtractExpiresInSeconds covers the JSON parser used at enqueue time
 // to honor a caller-specified TTL. Zero return = "no TTL" — caller leaves
 // expires_at NULL on the queue row.
@@ -113,125 +58,3 @@ func TestExtractExpiresInSeconds(t *testing.T) {
 		})
 	}
 }
-
-// TestQueueStatusByID_HappyPath verifies the full projection including optional
-// nullable fields and response_body surfacing when status == completed.
-func TestQueueStatusByID_HappyPath(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-789"
-
-	mock.ExpectQuery(`SELECT\s+q\.id,\s+q\.workspace_id,\s+q\.status,\s+q\.priority,\s+q\.attempts,\s+q\.last_error,\s+q\.enqueued_at::text,\s+q\.dispatched_at::text,\s+q\.completed_at::text,\s+q\.expires_at::text,\s+al\.response_body::text\s+FROM a2a_queue q\s+LEFT JOIN activity_logs al`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{
-			"id", "workspace_id", "status", "priority", "attempts",
-			"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
-			"response_body",
-		}).AddRow(
-			queueID, "ws-target", "completed", 50, 2,
-			"previous error", "2026-05-28T10:00:00Z", "2026-05-28T10:01:00Z", "2026-05-28T10:02:00Z", "2026-05-28T11:00:00Z",
-			[]byte(`{"result":"ok"}`),
-		))
-
-	qs, err := QueueStatusByID(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("QueueStatusByID returned error: %v", err)
-	}
-	if qs.ID != queueID {
-		t.Errorf("ID = %q, want %q", qs.ID, queueID)
-	}
-	if qs.Status != "completed" {
-		t.Errorf("Status = %q, want completed", qs.Status)
-	}
-	if qs.LastError == nil || *qs.LastError != "previous error" {
-		t.Errorf("LastError = %v, want 'previous error'", qs.LastError)
-	}
-	if qs.DispatchedAt == nil || *qs.DispatchedAt != "2026-05-28T10:01:00Z" {
-		t.Errorf("DispatchedAt = %v", qs.DispatchedAt)
-	}
-	if qs.CompletedAt == nil || *qs.CompletedAt != "2026-05-28T10:02:00Z" {
-		t.Errorf("CompletedAt = %v", qs.CompletedAt)
-	}
-	if qs.ExpiresAt == nil || *qs.ExpiresAt != "2026-05-28T11:00:00Z" {
-		t.Errorf("ExpiresAt = %v", qs.ExpiresAt)
-	}
-	if string(qs.ResponseBody) != `{"result":"ok"}` {
-		t.Errorf("ResponseBody = %q", qs.ResponseBody)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-// TestQueueStatusByID_NoRows returns sql.ErrNoRows when the queue id does not exist.
-func TestQueueStatusByID_NoRows(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-missing"
-
-	mock.ExpectQuery(`SELECT\s+q\.id,\s+q\.workspace_id,\s+q\.status,\s+q\.priority,\s+q\.attempts,\s+q\.last_error,\s+q\.enqueued_at::text,\s+q\.dispatched_at::text,\s+q\.completed_at::text,\s+q\.expires_at::text,\s+al\.response_body::text\s+FROM a2a_queue q\s+LEFT JOIN activity_logs`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{
-			"id", "workspace_id", "status", "priority", "attempts",
-			"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
-			"response_body",
-		}))
-
-	_, err := QueueStatusByID(context.Background(), queueID)
-	if !errors.Is(err, sql.ErrNoRows) {
-		t.Fatalf("expected sql.ErrNoRows, got %v", err)
-	}
-}
-
-// TestQueueStatusByID_NullOptionals confirms that NULL dispatched_at / completed_at /
-// expires_at / last_error are projected as nil pointers, and response_body is NOT
-// included when status != completed.
-func TestQueueStatusByID_NullOptionals(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-nulls"
-
-	mock.ExpectQuery(`SELECT\s+q\.id,\s+q\.workspace_id,\s+q\.status,\s+q\.priority,\s+q\.attempts,\s+q\.last_error,\s+q\.enqueued_at::text,\s+q\.dispatched_at::text,\s+q\.completed_at::text,\s+q\.expires_at::text,\s+al\.response_body::text\s+FROM a2a_queue q\s+LEFT JOIN activity_logs`).
-		WithArgs(queueID).
-		WillReturnRows(sqlmock.NewRows([]string{
-			"id", "workspace_id", "status", "priority", "attempts",
-			"last_error", "enqueued_at", "dispatched_at", "completed_at", "expires_at",
-			"response_body",
-		}).AddRow(
-			queueID, "ws-target", "queued", 50, 0,
-			nil, "2026-05-28T10:00:00Z", nil, nil, nil,
-			nil,
-		))
-
-	qs, err := QueueStatusByID(context.Background(), queueID)
-	if err != nil {
-		t.Fatalf("QueueStatusByID returned error: %v", err)
-	}
-	if qs.LastError != nil {
-		t.Errorf("LastError = %v, want nil", qs.LastError)
-	}
-	if qs.DispatchedAt != nil {
-		t.Errorf("DispatchedAt = %v, want nil", qs.DispatchedAt)
-	}
-	if qs.CompletedAt != nil {
-		t.Errorf("CompletedAt = %v, want nil", qs.CompletedAt)
-	}
-	if qs.ExpiresAt != nil {
-		t.Errorf("ExpiresAt = %v, want nil", qs.ExpiresAt)
-	}
-	if qs.ResponseBody != nil {
-		t.Errorf("ResponseBody = %q, want nil for non-completed status", qs.ResponseBody)
-	}
-}
-
-// TestQueueStatusByID_DBError surfaces the underlying error on unexpected failure.
-func TestQueueStatusByID_DBError(t *testing.T) {
-	mock := setupTestDB(t)
-	queueID := "queue-dberr"
-
-	mock.ExpectQuery(`SELECT\s+q\.id,\s+q\.workspace_id,\s+q\.status,\s+q\.priority,\s+q\.attempts,\s+q\.last_error,\s+q\.enqueued_at::text,\s+q\.dispatched_at::text,\s+q\.completed_at::text,\s+q\.expires_at::text,\s+al\.response_body::text\s+FROM a2a_queue q\s+LEFT JOIN activity_logs`).
-		WithArgs(queueID).
-		WillReturnError(errors.New("disk full"))
-
-	_, err := QueueStatusByID(context.Background(), queueID)
-	if err == nil || errors.Is(err, sql.ErrNoRows) {
-		t.Fatalf("expected DB error, got %v", err)
-	}
-}
@@ -12,7 +12,6 @@ package handlers
 import (
 	"context"
 	"database/sql"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
@@ -521,40 +520,3 @@ func TestDrainQueueForWorkspace_ClaimGuarding_SecondDrainGetsEmpty(t *testing.T)
 		t.Errorf("unmet sqlmock expectations: %v", err)
 	}
 }
-
-// ──────────────────────────────────────────────────────────────────────────────
-// QueueDepth
-// ──────────────────────────────────────────────────────────────────────────────
-
-func TestQueueDepth_HappyPath(t *testing.T) {
-	mock := setupTestDBForQueueTests(t)
-	wsID := "ws-depth-1"
-
-	mock.ExpectQuery("SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'").
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(7))
-
-	if got := QueueDepth(context.Background(), wsID); got != 7 {
-		t.Errorf("QueueDepth = %d, want 7", got)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestQueueDepth_QueryError(t *testing.T) {
-	mock := setupTestDBForQueueTests(t)
-	wsID := "ws-depth-2"
-
-	mock.ExpectQuery("SELECT COUNT(*) FROM a2a_queue WHERE workspace_id = $1 AND status = 'queued'").
-		WithArgs(wsID).
-		WillReturnError(errors.New("conn lost"))
-
-	// Must return 0 (fail-open informational) rather than panic or propagate.
-	if got := QueueDepth(context.Background(), wsID); got != 0 {
-		t.Errorf("QueueDepth on error = %d, want 0", got)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
@@ -167,7 +167,6 @@ func (w *AgentMessageWriter) Send(
 	respJSON, marshalErr := json.Marshal(respPayload)
 	if marshalErr != nil {
 		log.Printf("AgentMessageWriter %s: json.Marshal respPayload failed: %v", workspaceID, marshalErr)
-		return nil
 	}
 	preview := textutil.TruncateRunes(message, 80)
 	if _, err := w.db.ExecContext(ctx, `
@@ -347,7 +347,6 @@ func computeAuditHMAC(key []byte, ev *auditEventRow) string {
 	payload, marshalErr := json.Marshal(canonical) // compact, sorted keys
 	if marshalErr != nil {
 		log.Printf("auditChainHash: json.Marshal canonical failed: %v", marshalErr)
-		return ""
 	}
 	mac := hmac.New(sha256.New, key)
 	mac.Write(payload)
@@ -172,14 +172,10 @@ func (h *ChannelHandler) Create(c *gin.Context) {
 	configJSON, marshalErr := json.Marshal(body.Config)
 	if marshalErr != nil {
 		log.Printf("Channels create %s: json.Marshal config failed: %v", workspaceID, marshalErr)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "marshal config failed"})
-		return
 	}
 	allowedJSON, marshalErr := json.Marshal(body.AllowedUsers)
 	if marshalErr != nil {
 		log.Printf("Channels create %s: json.Marshal allowed_users failed: %v", workspaceID, marshalErr)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "marshal allowed_users failed"})
-		return
 	}
 	enabled := true
 	if body.Enabled != nil {
@@ -238,8 +234,6 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		j, marshalErr := json.Marshal(body.Config)
 		if marshalErr != nil {
 			log.Printf("Channels update %s: json.Marshal config failed: %v", workspaceID, marshalErr)
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "marshal config failed"})
-			return
 		}
 		configArg = string(j)
 	}
@@ -247,8 +241,6 @@ func (h *ChannelHandler) Update(c *gin.Context) {
 		j, marshalErr := json.Marshal(body.AllowedUsers)
 		if marshalErr != nil {
 			log.Printf("Channels update %s: json.Marshal allowed_users failed: %v", workspaceID, marshalErr)
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "marshal allowed_users failed"})
-			return
 		}
 		allowedArg = string(j)
 	}
@@ -1,427 +0,0 @@
-package handlers
-
-// cross_tenant_isolation_test.go — #1953 regression tests.
-//
-// Three workspace-server paths historically derived an "org-root sibling set"
-// as `WHERE parent_id IS NULL`, which matches EVERY tenant's org root (the
-// workspaces table has no org_id column) → cross-tenant data exposure:
-//
-//  1. GET /registry/:id/peers   (discovery.Peers)
-//  2. MCP toolListPeers          (mcp_tools.toolListPeers)
-//  3. a2a routing                (a2a_proxy.proxyA2ARequest → resolveAgentURL)
-//
-// These tests assert that a workspace in a DIFFERENT org is never returned as a
-// peer and that a2a refuses to resolve/route to a workspace outside the caller's
-// org, while same-org peers/targets still work. They reuse the SAME parent_id-
-// chain org scoping the OFFSEC-015 broadcast fix introduced (org_scope.go).
-
-import (
-	"bytes"
-	"context"
-	"database/sql"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-	"time"
-
-	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/gin-gonic/gin"
-)
-
-// dbHandleForTest returns the global sqlmock-backed *sql.DB that setupTestDB
-// installs, for tests that need to hand a *sql.DB to a component (e.g.
-// MCPHandler.database, sameOrg) rather than relying on the package-global.
-func dbHandleForTest() *sql.DB { return db.DB }
-
-// peerColsForIsolation matches queryPeerMaps' SELECT column set.
-var peerColsForIsolation = []string{
-	"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks",
-}
-
-// -------------------------------------------------------------------------
-// Path 1: GET /registry/:id/peers — discovery.Peers
-// -------------------------------------------------------------------------
-
-// TestPeers_CrossTenant_OrgRootNotLeaked is the core #1953 regression for the
-// discovery path. The caller is an org root (parent_id IS NULL). Pre-fix the
-// handler ran `SELECT ... WHERE w.parent_id IS NULL AND w.id != $1`, returning
-// every OTHER tenant's org root as a "sibling" peer. Post-fix an org-root caller
-// issues NO sibling query — its only peers are its own children. If the handler
-// regressed and issued the cross-tenant sibling query, sqlmock would report an
-// unexpected query (the expectation below is intentionally NOT registered) and
-// the test fails.
-func TestPeers_CrossTenant_OrgRootNotLeaked(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewDiscoveryHandler()
-
-	// Behavioural leak test: register the OLD leaky `parent_id IS NULL` sibling
-	// query so that IF the handler still issues it, it returns another tenant's
-	// org root (org-b-root). The fix removes that query for an org-root caller,
-	// so org-b-root must never appear in the output. Unordered matching makes
-	// the leaky-sibling expectation optional — the fix simply never consumes it.
-	mock.MatchExpectationsInOrder(false)
-
-	caller := "org-a-root" // parent_id IS NULL — an org root for tenant A
-
-	// parent_id lookup → NULL (caller is an org root)
-	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(nil))
-
-	// LEAKY sibling query (pre-fix). Returns a DIFFERENT tenant's org root.
-	// The fix must NOT issue this query; if it does, org-b-root leaks into the
-	// peer list and the output assertion below fails.
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id IS NULL AND w.id != \\$1").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows(peerColsForIsolation).
-			AddRow("org-b-root", "Org B Root", "lead", 0, "online", []byte("null"), "http://b-root", nil, 0))
-
-	// Children query — caller's own org-A children only. Return one child.
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id = \\$1 AND w.id != \\$2").
-		WithArgs(caller, caller).
-		WillReturnRows(sqlmock.NewRows(peerColsForIsolation).
-			AddRow("org-a-child", "Org A Child", "worker", 1, "online", []byte("null"), "http://a-child", caller, 0))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: caller}}
-	c.Request = httptest.NewRequest("GET", "/registry/"+caller+"/peers", nil)
-
-	handler.Peers(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-
-	var peers []map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &peers); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-
-	// The other-tenant org root must NEVER appear; only the same-org child.
-	for _, p := range peers {
-		if id, _ := p["id"].(string); id == "org-b-root" {
-			t.Fatalf("cross-tenant leak (#1953): org-b-root appeared in org-a-root's peer list: %v", peers)
-		}
-	}
-	if len(peers) != 1 {
-		t.Fatalf("expected exactly 1 peer (same-org child), got %d: %v", len(peers), peers)
-	}
-	// NOTE: ExpectationsWereMet is intentionally NOT asserted — the leaky
-	// sibling expectation is deliberately left unconsumed by the fixed path.
-}
-
-// TestPeers_SameOrg_SiblingsStillWork is the positive companion: a non-root
-// child caller still sees its same-org siblings, children, and parent. This
-// guards against the fix over-scoping and breaking legitimate intra-org
-// discovery.
-func TestPeers_SameOrg_SiblingsStillWork(t *testing.T) {
-	mock := setupTestDB(t)
-	setupTestRedis(t)
-	handler := NewDiscoveryHandler()
-
-	caller := "org-a-child-1"
-	parent := "org-a-root"
-
-	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(parent))
-
-	// Siblings — scoped to the shared parent (one tenant).
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id = \\$1 AND w.id != \\$2").
-		WithArgs(parent, caller).
-		WillReturnRows(sqlmock.NewRows(peerColsForIsolation).
-			AddRow("org-a-child-2", "Org A Sibling", "worker", 1, "online", []byte("null"), "http://a-sib", parent, 0))
-
-	// Children — none.
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id = \\$1 AND w.id != \\$2 AND w.status").
-		WithArgs(caller, caller).
-		WillReturnRows(sqlmock.NewRows(peerColsForIsolation))
-
-	// Parent.
-	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.id = \\$1 AND w.id != \\$2 AND w.status").
-		WithArgs(parent, caller).
-		WillReturnRows(sqlmock.NewRows(peerColsForIsolation).
-			AddRow(parent, "Org A Root", "lead", 0, "online", []byte("null"), "http://a-root", nil, 0))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: caller}}
-	c.Request = httptest.NewRequest("GET", "/registry/"+caller+"/peers", nil)
-
-	handler.Peers(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var peers []map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &peers); err != nil {
-		t.Fatalf("failed to parse response: %v", err)
-	}
-	// Sibling + parent = 2 same-org peers.
-	if len(peers) != 2 {
-		t.Fatalf("expected 2 same-org peers (sibling + parent), got %d: %v", len(peers), peers)
-	}
-	names := map[string]bool{}
-	for _, p := range peers {
-		names[fmt.Sprint(p["name"])] = true
-	}
-	if !names["Org A Sibling"] || !names["Org A Root"] {
-		t.Errorf("expected same-org sibling + parent in peer list, got %v", names)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// -------------------------------------------------------------------------
-// Path 2: MCP toolListPeers — mcp_tools.toolListPeers
-// -------------------------------------------------------------------------
-
-// mcpPeerCols matches toolListPeers' SELECT column set.
-var mcpPeerCols = []string{"id", "name", "role", "status", "tier"}
-
-// TestToolListPeers_CrossTenant_OrgRootNotLeaked is the #1953 regression for
-// the MCP path. Same shape as the discovery test: an org-root caller must NOT
-// enumerate other tenants' org roots. The cross-tenant `parent_id IS NULL`
-// sibling query is intentionally not registered, so if it runs sqlmock fails.
-func TestToolListPeers_CrossTenant_OrgRootNotLeaked(t *testing.T) {
-	mock := setupTestDB(t)
-	mock.MatchExpectationsInOrder(false)
-	h := &MCPHandler{database: dbHandleForTest()}
-
-	caller := "org-a-root"
-
-	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(nil))
-
-	// LEAKY sibling query (pre-fix). Returns another tenant's org root. The fix
-	// must NOT issue this for an org-root caller; if it does, org-b-root leaks
-	// into the output and the assertion below fails. Left optional via
-	// unordered matching, so the fixed path simply never consumes it.
-	mock.ExpectQuery("WHERE w.parent_id IS NULL AND w.id != \\$1").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows(mcpPeerCols).
-			AddRow("org-b-root", "Org B Root", "lead", "online", 0))
-
-	// Children — caller's own org-A children only.
-	mock.ExpectQuery("WHERE w.parent_id = \\$1 AND w.status").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows(mcpPeerCols).
-			AddRow("org-a-child", "Org A Child", "worker", "online", 1))
-
-	out, err := h.toolListPeers(context.Background(), caller)
-	if err != nil {
-		t.Fatalf("toolListPeers returned error: %v", err)
-	}
-	if strings.Contains(out, "org-b-root") || strings.Contains(out, "Org B Root") {
-		t.Fatalf("cross-tenant leak (#1953): another tenant's org root appeared in toolListPeers output:\n%s", out)
-	}
-	if !strings.Contains(out, "org-a-child") {
-		t.Errorf("same-org child missing from toolListPeers output:\n%s", out)
-	}
-	// ExpectationsWereMet intentionally NOT asserted — leaky sibling expectation
-	// is deliberately left unconsumed by the fixed path.
-}
-
-// TestToolListPeers_SameOrg_SiblingsStillWork — positive companion for the MCP
-// path: a non-root child still enumerates its same-org siblings + children + parent.
-func TestToolListPeers_SameOrg_SiblingsStillWork(t *testing.T) {
-	mock := setupTestDB(t)
-	h := &MCPHandler{database: dbHandleForTest()}
-
-	caller := "org-a-child-1"
-	parent := "org-a-root"
-
-	mock.ExpectQuery("SELECT parent_id FROM workspaces WHERE id =").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(parent))
-
-	// Siblings — scoped to shared parent.
-	mock.ExpectQuery("WHERE w.parent_id = \\$1 AND w.id != \\$2 AND w.status").
-		WithArgs(parent, caller).
-		WillReturnRows(sqlmock.NewRows(mcpPeerCols).
-			AddRow("org-a-child-2", "Org A Sibling", "worker", "online", 1))
-
-	// Children — none.
-	mock.ExpectQuery("WHERE w.parent_id = \\$1 AND w.status").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows(mcpPeerCols))
-
-	// Parent.
-	mock.ExpectQuery("WHERE w.id = \\$1 AND w.status").
-		WithArgs(parent).
-		WillReturnRows(sqlmock.NewRows(mcpPeerCols).
-			AddRow(parent, "Org A Root", "lead", "online", 0))
-
-	out, err := h.toolListPeers(context.Background(), caller)
-	if err != nil {
-		t.Fatalf("toolListPeers returned error: %v", err)
-	}
-	if !strings.Contains(out, "Org A Sibling") || !strings.Contains(out, "Org A Root") {
-		t.Errorf("expected same-org sibling + parent in toolListPeers output:\n%s", out)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// -------------------------------------------------------------------------
-// Path 3: a2a routing — a2a_proxy.proxyA2ARequest / resolveAgentURL
-// -------------------------------------------------------------------------
-
-// TestProxyA2A_CrossTenant_RoutingDenied is the #1953 regression for a2a
-// routing. Caller and target are both org roots (parent_id IS NULL) belonging
-// to DIFFERENT tenants. Pre-fix, CanCommunicate's "root-level siblings" rule
-// waved this through and resolveAgentURL routed to the foreign tenant. Post-fix
-// the org-scope guard resolves each to a different org root and returns 403
-// BEFORE resolveAgentURL/dispatch.
-func TestProxyA2A_CrossTenant_RoutingDenied(t *testing.T) {
-	mock := setupTestDB(t)
-	mr := setupTestRedis(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-
-	caller := "org-a-root"
-	target := "org-b-root" // different tenant
-
-	// A URL exists for the target; the guard must deny BEFORE it is used.
-	mr.Set(fmt.Sprintf("ws:%s:url", target), "http://localhost:1")
-
-	// CanCommunicate: both root-level (parent_id NULL) → its weak "root-level
-	// siblings" rule ALLOWS this. The org guard must catch it afterward.
-	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(caller, nil))
-	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(target, nil))
-
-	// #1953 org-scope guard: caller resolves to org-a-root, target to org-b-root
-	// → different orgs → 403. (Each org root resolves to itself.)
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(caller))
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(target))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: target}}
-	body := `{"method":"message/send","params":{"message":{"role":"user","parts":[{"text":"cross-tenant"}]}}}`
-	c.Request = httptest.NewRequest("POST", "/workspaces/"+target+"/a2a", bytes.NewBufferString(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request.Header.Set("X-Workspace-ID", caller)
-
-	handler.ProxyA2A(c)
-
-	if w.Code != http.StatusForbidden {
-		t.Fatalf("expected 403 for cross-tenant a2a routing, got %d: %s", w.Code, w.Body.String())
-	}
-	var resp map[string]interface{}
-	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
-		t.Fatalf("body not JSON: %v", err)
-	}
-	if msg, _ := resp["error"].(string); !strings.Contains(msg, "different org") {
-		t.Errorf("expected cross-org denial message, got %v", resp["error"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestResolveAgentURL_CrossTenant_RejectedViaSameOrg is a direct unit test of
-// the sameOrg primitive that gates resolveAgentURL: a target in a different org
-// must be reported as NOT same-org, so the a2a guard rejects it before
-// resolveAgentURL is ever called.
-func TestResolveAgentURL_CrossTenant_RejectedViaSameOrg(t *testing.T) {
-	mock := setupTestDB(t)
-
-	caller := "org-a-root"
-	target := "org-b-root"
-
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(caller))
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(target))
-
-	ok, err := sameOrg(context.Background(), dbHandleForTest(), caller, target)
-	if err != nil {
-		t.Fatalf("sameOrg returned unexpected error: %v", err)
-	}
-	if ok {
-		t.Errorf("expected cross-tenant workspaces to be reported as DIFFERENT orgs, got sameOrg=true")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
-
-// TestProxyA2A_SameOrg_RoutingAllowed — positive companion for a2a: two
-// same-org siblings route successfully (mirrors TestProxyA2A_CallerIDPropagated
-// but named to document the #1953 same-org allow path).
-func TestProxyA2A_SameOrg_RoutingAllowed(t *testing.T) {
-	mock := setupTestDB(t)
-	mr := setupTestRedis(t)
-	allowLoopbackForTest(t)
-	broadcaster := newTestBroadcaster()
-	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
-	waitForHandlerAsyncBeforeDBCleanup(t, handler)
-
-	caller := "org-a-child-1"
-	target := "org-a-child-2"
-	parent := "org-a-root"
-
-	agentServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		fmt.Fprint(w, `{"jsonrpc":"2.0","id":"1","result":{}}`)
-	}))
-	defer agentServer.Close()
-	mr.Set(fmt.Sprintf("ws:%s:url", target), agentServer.URL)
-
-	// CanCommunicate — siblings under shared parent.
-	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(caller, parent))
-	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(target, parent))
-
-	// #1953 org guard — both resolve to the same org root → allowed.
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(caller).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(parent))
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(target).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(parent))
-
-	expectBudgetCheck(mock, target)
-	mock.ExpectExec("INSERT INTO activity_logs").WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: target}}
-	body := `{"method":"message/send","params":{"message":{"role":"user","parts":[{"text":"same-org"}]}}}`
-	c.Request = httptest.NewRequest("POST", "/workspaces/"+target+"/a2a", bytes.NewBufferString(body))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request.Header.Set("X-Workspace-ID", caller)
-
-	handler.ProxyA2A(c)
-	time.Sleep(50 * time.Millisecond) // allow the async logA2ASuccess INSERT to flush
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200 for same-org a2a routing, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet sqlmock expectations: %v", err)
-	}
-}
@@ -60,14 +60,12 @@ func pushDelegationResultToInbox(ctx context.Context, sourceID, delegationID, st
 	respJSON, marshalErr := json.Marshal(respPayload)
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal respPayload failed: %v", delegationID, marshalErr)
-		return
 	}
 	reqJSON, marshalErr := json.Marshal(map[string]interface{}{
 		"delegation_id": delegationID,
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal reqPayload failed: %v", delegationID, marshalErr)
-		return
 	}
 	logStatus := "ok"
 	if status == "failed" {
@@ -321,7 +319,6 @@ func insertDelegationRow(ctx context.Context, c *gin.Context, sourceID string, b
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal taskJSON failed: %v", delegationID, marshalErr)
-		return insertTrackingUnavailable
 	}
 	// Store delegation_id in response_body so agent check_delegation_status
 	// (which reads response_body->>delegation_id) can locate this row even
@@ -331,7 +328,6 @@ func insertDelegationRow(ctx context.Context, c *gin.Context, sourceID string, b
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
-		return insertTrackingUnavailable
 	}
 	var idemArg interface{}
 	if body.IdempotencyKey != "" {
@@ -435,12 +431,10 @@ func (h *DelegationHandler) executeDelegation(ctx context.Context, sourceID, tar
 	if proxyErr != nil && isTransientProxyError(proxyErr) && len(respBody) == 0 {
 		log.Printf("Delegation %s: first attempt failed (%s) — retrying in %s after reactive URL refresh",
 			delegationID, proxyErr.Error(), delegationRetryDelay)
-		timer := time.NewTimer(delegationRetryDelay)
 		select {
 		case <-ctx.Done():
-			timer.Stop()
 			// outer timeout hit before retry window elapsed
-		case <-timer.C:
+		case <-time.After(delegationRetryDelay):
 			status, respBody, proxyErr = h.workspace.proxyA2ARequest(ctx, targetID, a2aBody, sourceID, true, false)
 		}
 	}
@@ -511,13 +505,12 @@ handleSuccess:
 		})
 		if marshalErr != nil {
 			log.Printf("Delegation %s: json.Marshal queuedJSON failed: %v", delegationID, marshalErr)
-		} else {
-			if _, err := db.DB.ExecContext(ctx, `
-				INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
-				VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'queued')
-			`, sourceID, sourceID, targetID, "Delegation queued — target at capacity", string(queuedJSON)); err != nil {
-				log.Printf("Delegation %s: failed to insert queued log: %v", delegationID, err)
-			}
+		}
+		if _, err := db.DB.ExecContext(ctx, `
+			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
+			VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'queued')
+		`, sourceID, sourceID, targetID, "Delegation queued — target at capacity", string(queuedJSON)); err != nil {
+			log.Printf("Delegation %s: failed to insert queued log: %v", delegationID, err)
 		}
 		h.broadcaster.RecordAndBroadcast(ctx, string(events.EventDelegationStatus), sourceID, map[string]interface{}{
 			"delegation_id": delegationID, "target_id": targetID, "status": "queued",
@@ -538,13 +531,12 @@ handleSuccess:
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
-	} else {
-		if _, err := db.DB.ExecContext(ctx, `
-			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
-			VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'completed')
-		`, sourceID, sourceID, targetID, "Delegation completed ("+textutil.TruncateBytes(responseText, 80)+")", string(respJSON)); err != nil {
-			log.Printf("Delegation %s: failed to insert success log: %v", delegationID, err)
-		}
+	}
+	if _, err := db.DB.ExecContext(ctx, `
+		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, response_body, status)
+		VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4, $5::jsonb, 'completed')
+	`, sourceID, sourceID, targetID, "Delegation completed ("+textutil.TruncateBytes(responseText, 80)+")", string(respJSON)); err != nil {
+		log.Printf("Delegation %s: failed to insert success log: %v", delegationID, err)
 	}
 	log.Printf("Delegation %s: step=recording_ledger_completed", delegationID)

@@ -627,8 +619,6 @@ func (h *DelegationHandler) Record(c *gin.Context) {
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal taskJSON failed: %v", body.DelegationID, marshalErr)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to marshal task"})
-		return
 	}
 	// Store delegation_id in response_body so agent check_delegation_status
 	// can locate this row. Fixes mc#984.
@@ -637,8 +627,6 @@ func (h *DelegationHandler) Record(c *gin.Context) {
 	})
 	if marshalErr != nil {
 		log.Printf("Delegation %s: json.Marshal respJSON failed: %v", body.DelegationID, marshalErr)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to marshal response"})
-		return
 	}
 	if _, err := db.DB.ExecContext(ctx, `
 		INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, target_id, summary, request_body, response_body, status)
@@ -709,13 +697,12 @@ func (h *DelegationHandler) UpdateStatus(c *gin.Context) {
 		})
 		if marshalErr != nil {
 			log.Printf("Delegation UpdateStatus %s: json.Marshal respJSON failed: %v", delegationID, marshalErr)
-		} else {
-			if _, err := db.DB.ExecContext(ctx, `
-				INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, response_body, status)
-				VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4::jsonb, 'completed')
-			`, sourceID, sourceID, "Delegation completed ("+textutil.TruncateBytes(body.ResponsePreview, 80)+")", string(respJSON)); err != nil {
-				log.Printf("Delegation UpdateStatus: result insert failed for %s: %v", delegationID, err)
-			}
+		}
+		if _, err := db.DB.ExecContext(ctx, `
+			INSERT INTO activity_logs (workspace_id, activity_type, method, source_id, summary, response_body, status)
+			VALUES ($1, 'delegation', 'delegate_result', $2, $3, $4::jsonb, 'completed')
+		`, sourceID, sourceID, "Delegation completed ("+textutil.TruncateBytes(body.ResponsePreview, 80)+")", string(respJSON)); err != nil {
+			log.Printf("Delegation UpdateStatus: result insert failed for %s: %v", delegationID, err)
 		}
 		h.broadcaster.RecordAndBroadcast(ctx, string(events.EventDelegationComplete), sourceID, map[string]interface{}{
 			"delegation_id":    delegationID,
@@ -140,14 +140,7 @@ func buildHTTPResponse(statusCode int, body string) []byte {
 }

 // setupIntegrationFixtures inserts the rows executeDelegation requires:
-//   - workspaces: source (org root) + target as its CHILD, so both live in the
-//     SAME org. CanCommunicate=true (parent↔child) AND the #1953 sameOrg() guard
-//     in proxyA2ARequest passes (both resolve to the same org root). A real
-//     delegation happens INSIDE one org. (Previously both were parent_id=NULL —
-//     two DISTINCT org roots — which only "communicated" via CanCommunicate's
-//     root-sibling rule; #1953 added a sameOrg() guard that now denies routing
-//     between two org roots as cross-tenant, so the success-path tests below
-//     must use a same-org source/target pair.)
+//   - workspaces: source and target (siblings, parent_id=NULL so CanCommunicate=true)
 //   - activity_logs: the 'delegate' row that updateDelegationStatus UPDATE will find
 //   - delegations: the ledger row that recordLedgerStatus will UPDATE
 //
@@ -155,14 +148,13 @@ func buildHTTPResponse(statusCode int, body string) []byte {
 func setupIntegrationFixtures(t *testing.T, conn *sql.DB) func() {
 	t.Helper()
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	sourceID := integrationTestSourceID // org root (parent_id NULL); target hangs off it
 	for _, ws := range []struct {
 		id       string
 		name     string
 		parentID *string
 	}{
 		{integrationTestSourceID, "test-source", nil},
-		{integrationTestTargetID, "test-target", &sourceID}, // child of source → same org
+		{integrationTestTargetID, "test-target", nil},
 	} {
 		if _, err := conn.ExecContext(ctx,
 			`INSERT INTO workspaces (id, name, parent_id) VALUES ($1::uuid, $2, $3) ON CONFLICT (id) DO NOTHING`,
@@ -518,94 +510,6 @@ func TestIntegration_ExecuteDelegation_RedisDown_FallsBackToDB(t *testing.T) {
 	}
 }

-// TestIntegration_SameOrg_RealCTE_ResolvesAncestorChain is the regression gate
-// for the org_scope.go recursive-CTE bug (#1953 follow-up). The sqlmock unit
-// tests feed sameOrg() a pre-computed root_id row, so they CANNOT catch a wrong
-// CTE — they assume it already returns the right value. Only a real Postgres
-// run exercises orgRootSubtreeCTE itself.
-//
-// The bug: the CTE carried `id AS root_id` from the recursive SEED, so a
-// non-root workspace resolved to ITSELF instead of its topmost ancestor. That
-// made sameOrg() return false for two genuinely same-org workspaces and 403 a
-// legitimate same-org a2a route (over-block). This test seeds a real
-// root → child → grandchild chain plus a separate org root, and asserts:
-//   - every node in the chain resolves to the SAME org root (root, child, grandchild)
-//   - two workspaces in the same chain are sameOrg (incl. grandchild ↔ root)
-//   - a workspace in a DIFFERENT chain is NOT sameOrg (cross-tenant stays closed)
-func TestIntegration_SameOrg_RealCTE_ResolvesAncestorChain(t *testing.T) {
-	conn := integrationDB(t)
-
-	const (
-		rootA       = "11111111-1111-1111-1111-111111111111"
-		childA      = "22222222-2222-2222-2222-222222222222"
-		grandchildA = "33333333-3333-3333-3333-333333333333"
-		rootB       = "44444444-4444-4444-4444-444444444444"
-	)
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-
-	t.Cleanup(func() {
-		c2, cancel2 := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel2()
-		// Delete leaf-first to respect the parent_id self-FK.
-		for _, id := range []string{grandchildA, childA, rootA, rootB} {
-			conn.ExecContext(c2, `DELETE FROM workspaces WHERE id = $1`, id)
-		}
-	})
-
-	// Insert parent-before-child to satisfy the self-referential FK.
-	seed := []struct {
-		id, name string
-		parent   *string
-	}{
-		{rootA, "org-a-root", nil},
-		{childA, "org-a-child", strPtr(rootA)},
-		{grandchildA, "org-a-grandchild", strPtr(childA)},
-		{rootB, "org-b-root", nil},
-	}
-	for _, s := range seed {
-		if _, err := conn.ExecContext(ctx,
-			`INSERT INTO workspaces (id, name, parent_id) VALUES ($1::uuid, $2, $3) ON CONFLICT (id) DO NOTHING`,
-			s.id, s.name, s.parent); err != nil {
-			t.Fatalf("seed %s: %v", s.name, err)
-		}
-	}
-
-	// Every node in chain A must resolve to rootA via the REAL CTE.
-	for _, id := range []string{rootA, childA, grandchildA} {
-		got, err := orgRootID(ctx, conn, id)
-		if err != nil {
-			t.Fatalf("orgRootID(%s): %v", id, err)
-		}
-		if got != rootA {
-			t.Errorf("orgRootID(%s) = %q, want rootA %q (CTE must walk to topmost ancestor)", id, got, rootA)
-		}
-	}
-
-	// Same-org positives — including the grandchild↔root pair that the buggy
-	// CTE got wrong.
-	for _, pair := range [][2]string{{childA, grandchildA}, {rootA, grandchildA}, {rootA, childA}} {
-		ok, err := sameOrg(ctx, conn, pair[0], pair[1])
-		if err != nil {
-			t.Fatalf("sameOrg(%s,%s): %v", pair[0], pair[1], err)
-		}
-		if !ok {
-			t.Errorf("sameOrg(%s,%s) = false, want true (same org chain)", pair[0], pair[1])
-		}
-	}
-
-	// Cross-org negative — isolation must stay closed.
-	for _, pair := range [][2]string{{rootA, rootB}, {grandchildA, rootB}, {childA, rootB}} {
-		ok, err := sameOrg(ctx, conn, pair[0], pair[1])
-		if err != nil {
-			t.Fatalf("sameOrg(%s,%s): %v", pair[0], pair[1], err)
-		}
-		if ok {
-			t.Errorf("sameOrg(%s,%s) = true, want false (different orgs — cross-tenant must stay denied)", pair[0], pair[1])
-		}
-	}
-}
-
 // extractHostPort parses "http://127.0.0.1:PORT/" and returns "127.0.0.1:PORT".
 func extractHostPort(rawURL string) string {
 	// Simple parse: strip "http://" prefix and trailing slash.
@@ -1059,25 +1059,13 @@ func expectExecuteDelegationBase(mock sqlmock.Sqlmock) {
 		WillReturnResult(sqlmock.NewResult(0, 1))

 	// CanCommunicate: getWorkspaceRef(source) + getWorkspaceRef(target).
-	// Source and target are siblings under one shared parent (one tenant) →
-	// CanCommunicate allowed. (#1953: they must NOT both be parent_id=NULL —
-	// two distinct org roots are now treated as DIFFERENT orgs and routing
-	// between them is denied. A real delegation happens inside one org.)
+	// Both are root-level workspaces (parent_id=NULL) → root-level siblings → allowed.
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
 		WithArgs(testDeliverySourceID).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliverySourceID, "ws-org-root-159"))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliverySourceID, nil))
 	mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id = ").
 		WithArgs(testDeliveryTargetID).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliveryTargetID, "ws-org-root-159"))
-
-	// #1953 cross-tenant guard: same-org check after CanCommunicate. Both
-	// resolve to the same org root → routing allowed.
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(testDeliverySourceID).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow("ws-org-root-159"))
-	mock.ExpectQuery("WITH RECURSIVE org_chain AS").
-		WithArgs(testDeliveryTargetID).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow("ws-org-root-159"))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}).AddRow(testDeliveryTargetID, nil))

 	// resolveAgentURL: test callers always set the URL in Redis (mr.Set ws:{id}:url),
 	// so resolveAgentURL gets a cache hit and never falls back to DB.
@@ -0,0 +1,464 @@
+package handlers
+
+// derive_provider_drift_test.go — behavior-based AST/text drift gate.
+//
+// Why this exists: PR #2535 introduced a Go port of derive-provider.sh
+// (see deriveProviderFromModelSlug in workspace_provision.go) so the
+// workspace-server can persist LLM_PROVIDER into workspace_secrets at
+// provision time. That created two sources of truth:
+//
+//   1. molecule-ai-workspace-template-hermes/scripts/derive-provider.sh —
+//      runs inside the container at boot, has the final say on which
+//      provider hermes targets (writes ~/.hermes/config.yaml's
+//      model.provider field). The shell script lives in a separate
+//      OSS repo, so we vendor a snapshot at testdata/derive-provider.sh
+//      to keep this gate hermetic.
+//   2. workspace-server/internal/handlers/workspace_provision.go's
+//      deriveProviderFromModelSlug — runs at provision time on the
+//      platform side so LLM_PROVIDER lands in workspace_secrets and
+//      survives Save+Restart.
+//
+// If a future PR adds a new provider prefix to one but not the other,
+// the workspace-server's persisted LLM_PROVIDER silently disagrees
+// with what the container's derive-provider.sh produces. The container
+// wins (it writes the actual config.yaml), so the workspace-server's
+// persisted value becomes stale and misleading without anything
+// flipping red in CI.
+//
+// This gate pins the invariant that the *prefix set* the two functions
+// know about is identical, modulo a small hardcoded acceptedDivergences
+// map for the two intentional differences documented in
+// deriveProviderFromModelSlug's doc comment (nousresearch/* and
+// openai/* both fall back to "openrouter" at provision time because
+// the runtime env that picks "nous" / "custom" isn't available yet).
+//
+// Pattern: the "behavior-based AST gate" from PR #2367 / memory
+// feedback_behavior_based_ast_gates — pin invariants by what a
+// function maps, not by what it's named. Walks the actual Go AST of
+// deriveProviderFromModelSlug's switch statement so a rename or a
+// duplicate function in another file can't sneak past the gate.
+//
+// Task: #242. Companion to the table-driven mapping test in
+// workspace_provision_shared_test.go (TestDeriveProviderFromModelSlug)
+// which pins the *values*; this test pins the *coverage* of the
+// prefix set itself.
+//
+// Hermetic: reads two files (vendored shell script + Go source) from
+// paths relative to the test package directory and parses them
+// in-process. No network, no docker, no DB. The vendored shell script
+// at testdata/derive-provider.sh is a snapshot of the upstream OSS
+// template repo's script — refresh it via the cp command in that file's
+// header when upstream changes.
+
+import (
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+// acceptedDivergences pins the prefixes where the Go port intentionally
+// differs from derive-provider.sh. Each entry's value is the provider
+// the Go function returns; the shell would (at runtime, with the right
+// env keys present) return something else. Documented in
+// deriveProviderFromModelSlug's doc comment in workspace_provision.go.
+//
+// If a NEW divergence appears, this test fails and the engineer must
+// either (a) align the Go function with the shell, or (b) add the
+// prefix here with a comment explaining why the divergence is
+// intentional and safe at provision time.
+var acceptedDivergences = map[string]string{
+	// Shell: "nous" if HERMES_API_KEY/NOUS_API_KEY set, else "openrouter".
+	// Go:    "openrouter" unconditionally — runtime keys aren't loaded at
+	//        provision time. derive-provider.sh upgrades to "nous" at boot
+	//        when the keys are present.
+	"nousresearch": "openrouter",
+	// Shell: "custom" if OPENAI_API_KEY set, "openrouter" if OPENROUTER_API_KEY
+	//        set, else "openrouter" as a no-key fallback.
+	// Go:    "openrouter" unconditionally — same reason as nousresearch/*.
+	//        derive-provider.sh upgrades to "custom" at boot when
+	//        OPENAI_API_KEY is present.
+	"openai": "openrouter",
+}
+
+// TestDeriveProviderDrift_ShellAndGoStayInSync is the drift gate.
+// It extracts the prefix→provider mapping from both sources and
+// asserts:
+//
+//  1. Every prefix the shell knows about, the Go function also handles
+//     (returning either the same provider OR the value pinned in
+//     acceptedDivergences for that prefix).
+//  2. Every prefix the Go function handles (extracted from its switch
+//     statement via go/ast), the shell case statement also lists.
+func TestDeriveProviderDrift_ShellAndGoStayInSync(t *testing.T) {
+	t.Parallel()
+
+	shellMap := loadShellPrefixMap(t)
+	goMap := loadGoPrefixMap(t)
+
+	if len(shellMap) == 0 {
+		t.Fatalf("parsed zero prefixes from derive-provider.sh — regex likely broke; rebuild parser before trusting this gate")
+	}
+	if len(goMap) == 0 {
+		t.Fatalf("parsed zero prefixes from deriveProviderFromModelSlug — AST walk likely broke; rebuild parser before trusting this gate")
+	}
+
+	// Direction 1: every shell prefix must be in the Go map (with the
+	// same provider value, or with the documented divergence).
+	for prefix, shellProvider := range shellMap {
+		goProvider, ok := goMap[prefix]
+		if !ok {
+			t.Errorf(
+				"DRIFT: derive-provider.sh has prefix %q -> %q but deriveProviderFromModelSlug doesn't handle it.\n"+
+					"Fix: either add a case for %q to deriveProviderFromModelSlug in "+
+					"workspace-server/internal/handlers/workspace_provision.go (returning %q to match the shell), "+
+					"OR if this prefix is intentionally provision-time-divergent, add it to acceptedDivergences{} "+
+					"in this test with a comment explaining why.",
+				prefix, shellProvider, prefix, shellProvider,
+			)
+			continue
+		}
+		if goProvider == shellProvider {
+			continue
+		}
+		// Mismatch — only acceptable if it's on the explicit divergence list
+		// AND the Go side returns exactly the documented value.
+		expected, divergenceAllowed := acceptedDivergences[prefix]
+		if !divergenceAllowed {
+			t.Errorf(
+				"DRIFT: prefix %q maps to %q in derive-provider.sh but %q in deriveProviderFromModelSlug.\n"+
+					"Fix: align the Go function with the shell (preferred — they should agree), "+
+					"OR if the divergence is intentional and safe at provision time, "+
+					"add %q: %q to acceptedDivergences{} in this test with a comment explaining why.",
+				prefix, shellProvider, goProvider, prefix, goProvider,
+			)
+			continue
+		}
+		if goProvider != expected {
+			t.Errorf(
+				"DRIFT: prefix %q is on the acceptedDivergences list with expected Go value %q but "+
+					"deriveProviderFromModelSlug now returns %q.\n"+
+					"Fix: update acceptedDivergences[%q] in this test to %q (and update its comment), "+
+					"OR revert the Go function to return %q.",
+				prefix, expected, goProvider, prefix, goProvider, expected,
+			)
+		}
+	}
+
+	// Direction 2: every Go prefix must be in the shell map. Drift in
+	// this direction is rarer (someone added a Go case without touching
+	// the shell) but produces the same broken state — provision-time
+	// LLM_PROVIDER disagrees with what the container actually uses.
+	for prefix, goProvider := range goMap {
+		if _, ok := shellMap[prefix]; ok {
+			continue
+		}
+		t.Errorf(
+			"DRIFT: deriveProviderFromModelSlug handles prefix %q -> %q but derive-provider.sh doesn't list it.\n"+
+				"Fix: add a `%s/*) PROVIDER=%q ;;` case to "+
+				"workspace-configs-templates/hermes/scripts/derive-provider.sh — the Go provision-time hint "+
+				"is meaningless if the container's runtime script doesn't recognize the same prefix.",
+			prefix, goProvider, prefix, goProvider,
+		)
+	}
+
+	// Belt-and-braces: every entry in acceptedDivergences must actually
+	// appear in BOTH maps. A stale divergence entry (prefix removed from
+	// either source) silently weakens the gate.
+	for prefix := range acceptedDivergences {
+		if _, ok := shellMap[prefix]; !ok {
+			t.Errorf(
+				"acceptedDivergences contains prefix %q but derive-provider.sh no longer lists it. "+
+					"Remove the entry from acceptedDivergences{} in this test.",
+				prefix,
+			)
+		}
+		if _, ok := goMap[prefix]; !ok {
+			t.Errorf(
+				"acceptedDivergences contains prefix %q but deriveProviderFromModelSlug no longer lists it. "+
+					"Remove the entry from acceptedDivergences{} in this test.",
+				prefix,
+			)
+		}
+	}
+}
+
+// vendoredShellPath is the testdata snapshot of upstream
+// derive-provider.sh. The path is relative to the test package
+// directory (which is what `go test` sets as cwd). See the file's
+// header for the refresh procedure when upstream changes.
+const vendoredShellPath = "testdata/derive-provider.sh"
+
+// goSourcePath is the file containing deriveProviderFromModelSlug.
+// Relative to the test package directory.
+const goSourcePath = "workspace_provision.go"
+
+// loadShellPrefixMap parses derive-provider.sh and returns a
+// map[prefix]provider for every case clause. Aliases inside a single
+// `pat1/*|pat2/*)` clause expand to one map entry per alias, both
+// pointing at the same provider.
+//
+// Stops at the first `*)` (the catch-all) and ignores it — the
+// catch-all maps to PROVIDER="auto" which has no Go counterpart by
+// design (deriveProviderFromModelSlug returns "" for unknowns and
+// lets the shell's *=auto branch decide at runtime).
+//
+// Ambiguity: case clauses whose body branches on env vars (openai/*,
+// nousresearch/*) are still extracted as the FIRST PROVIDER= literal
+// inside the body. The shell's full conditional logic is documented
+// via the acceptedDivergences map in this file rather than re-encoded
+// in the parser, because re-encoding sh `if` semantics in regex is a
+// fool's errand — the divergences are stable and small enough to
+// hardcode.
+func loadShellPrefixMap(t *testing.T) map[string]string {
+	t.Helper()
+	raw, err := os.ReadFile(vendoredShellPath)
+	if err != nil {
+		t.Fatalf("read %s: %v (refresh from upstream — see file header)", vendoredShellPath, err)
+	}
+
+	// Locate the case statement body so we don't accidentally match
+	// PROVIDER= assignments above the case (the HERMES_INFERENCE_PROVIDER
+	// override + the empty-model fallback both write PROVIDER= before
+	// the case). Upstream renamed the case variable to ${_HERMES_MODEL}
+	// in v0.12.0 (the resolved value of HERMES_INFERENCE_MODEL with a
+	// HERMES_DEFAULT_MODEL legacy fallback); accept either spelling so
+	// this test survives a future rename.
+	caseStart := regexp.MustCompile(`(?m)^case\s+"\$\{(_?HERMES(?:_DEFAULT|_INFERENCE)?_MODEL)\}"\s+in\s*$`)
+	startLoc := caseStart.FindIndex(raw)
+	if startLoc == nil {
+		t.Fatalf("could not locate `case \"${...HERMES...MODEL}\" in` in %s — shell file shape changed; rebuild parser", vendoredShellPath)
+	}
+	caseEnd := regexp.MustCompile(`(?m)^esac\s*$`)
+	endLoc := caseEnd.FindIndex(raw[startLoc[1]:])
+	if endLoc == nil {
+		t.Fatalf("could not locate `esac` after the case statement in %s — shell file shape changed", vendoredShellPath)
+	}
+	body := string(raw[startLoc[1] : startLoc[1]+endLoc[0]])
+
+	out := map[string]string{}
+
+	// Pattern A: single-line clauses like
+	//   minimax-cn/*)            PROVIDER="minimax-cn" ;;
+	//   alibaba/*|dashscope/*|qwen/*) PROVIDER="alibaba" ;;
+	// Capture group 1 is the patterns (e.g. `minimax-cn/*` or
+	// `alibaba/*|dashscope/*|qwen/*`); group 2 is the provider literal.
+	singleLine := regexp.MustCompile(`(?m)^\s*([a-zA-Z0-9_./*|\-]+)\)\s*PROVIDER="([^"]+)"\s*;;`)
+
+	// Pattern B: multi-line clauses like
+	//   openai/*)
+	//     if [ -n "${OPENAI_API_KEY:-}" ]; then
+	//       PROVIDER="custom"
+	//     ...
+	// We capture the patterns and the FIRST PROVIDER= that follows
+	// (before the next `;;`). The acceptedDivergences map handles the
+	// fact that the runtime branching can pick a different value.
+	multiLine := regexp.MustCompile(`(?ms)^\s*([a-zA-Z0-9_./*|\-]+)\)\s*\n(.*?);;`)
+
+	addEntry := func(patterns, provider string) {
+		// Skip the `*)` catch-all — it has no Go counterpart by design.
+		if strings.TrimSpace(patterns) == "*" {
+			return
+		}
+		for _, alt := range strings.Split(patterns, "|") {
+			alt = strings.TrimSpace(alt)
+			// Each alternative is `<prefix>/*` — strip the trailing `/*`.
+			alt = strings.TrimSuffix(alt, "/*")
+			if alt == "" {
+				continue
+			}
+			// First write wins — a single-line match outranks a multi-line
+			// fallback for the same patterns block (defensive; the regexes
+			// shouldn't overlap on the same line in practice).
+			if _, exists := out[alt]; !exists {
+				out[alt] = provider
+			}
+		}
+	}
+
+	// Run single-line first so it claims its lines before the multi-line
+	// pass sees them.
+	consumed := map[int]bool{}
+	for _, m := range singleLine.FindAllStringSubmatchIndex(body, -1) {
+		addEntry(body[m[2]:m[3]], body[m[4]:m[5]])
+		// Mark every line touched so multi-line pass can skip it.
+		for i := m[0]; i < m[1]; i++ {
+			consumed[i] = true
+		}
+	}
+
+	for _, m := range multiLine.FindAllStringSubmatchIndex(body, -1) {
+		// Skip if the start of this match overlaps a single-line clause.
+		if consumed[m[0]] {
+			continue
+		}
+		patterns := body[m[2]:m[3]]
+		clauseBody := body[m[4]:m[5]]
+		// Extract the FIRST PROVIDER="..." from the clause body.
+		firstProvider := regexp.MustCompile(`PROVIDER="([^"]+)"`).FindStringSubmatch(clauseBody)
+		if firstProvider == nil {
+			t.Errorf("multi-line case clause for %q has no PROVIDER= literal — shell file shape changed; rebuild parser", patterns)
+			continue
+		}
+		addEntry(patterns, firstProvider[1])
+	}
+
+	return out
+}
+
+// loadGoPrefixMap parses workspace_provision.go and walks the AST to
+// extract the prefix→provider mapping from deriveProviderFromModelSlug's
+// switch statement.
+//
+// Each case clause's string-literal labels become map keys, all
+// pointing at the provider returned by that case body's `return "..."`
+// statement. A clause like `case "alibaba", "dashscope", "qwen":
+// return "alibaba"` produces three map entries.
+//
+// Skips the default clause (returns ""). Skips any case clause whose
+// body's first statement isn't a single `return STRING_LITERAL` — those
+// would need their own divergence handling and don't currently exist
+// in the function.
+func loadGoPrefixMap(t *testing.T) map[string]string {
+	t.Helper()
+
+	fset := token.NewFileSet()
+	file, err := parser.ParseFile(fset, goSourcePath, nil, parser.ParseComments)
+	if err != nil {
+		t.Fatalf("parse %s: %v", goSourcePath, err)
+	}
+
+	var fn *ast.FuncDecl
+	for _, decl := range file.Decls {
+		f, ok := decl.(*ast.FuncDecl)
+		if !ok {
+			continue
+		}
+		if f.Name.Name == "deriveProviderFromModelSlug" {
+			fn = f
+			break
+		}
+	}
+	if fn == nil {
+		t.Fatalf("could not find deriveProviderFromModelSlug in %s — function renamed/removed; this gate's invariant has been violated", goSourcePath)
+	}
+
+	// Walk the function body for the SwitchStmt.
+	var sw *ast.SwitchStmt
+	ast.Inspect(fn.Body, func(n ast.Node) bool {
+		if s, ok := n.(*ast.SwitchStmt); ok {
+			sw = s
+			return false
+		}
+		return true
+	})
+	if sw == nil {
+		t.Fatalf("no switch statement found in deriveProviderFromModelSlug — function shape changed; rebuild parser")
+	}
+
+	out := map[string]string{}
+	for _, stmt := range sw.Body.List {
+		clause, ok := stmt.(*ast.CaseClause)
+		if !ok {
+			continue
+		}
+		// Default clause has no list — skip.
+		if len(clause.List) == 0 {
+			continue
+		}
+		// Find the first return statement in the clause body.
+		var ret *ast.ReturnStmt
+		for _, bodyStmt := range clause.Body {
+			if r, ok := bodyStmt.(*ast.ReturnStmt); ok {
+				ret = r
+				break
+			}
+		}
+		if ret == nil || len(ret.Results) != 1 {
+			t.Errorf("case clause at %s has no single-value return — function shape changed; gate may be incomplete",
+				fset.Position(clause.Pos()))
+			continue
+		}
+		lit, ok := ret.Results[0].(*ast.BasicLit)
+		if !ok || lit.Kind != token.STRING {
+			t.Errorf("case clause at %s returns a non-literal — gate cannot extract provider value",
+				fset.Position(clause.Pos()))
+			continue
+		}
+		provider, err := strconv.Unquote(lit.Value)
+		if err != nil {
+			t.Errorf("case clause at %s has unparseable string literal %q: %v",
+				fset.Position(clause.Pos()), lit.Value, err)
+			continue
+		}
+
+		for _, expr := range clause.List {
+			lbl, ok := expr.(*ast.BasicLit)
+			if !ok || lbl.Kind != token.STRING {
+				t.Errorf("case clause at %s has a non-string-literal label — gate cannot extract prefix",
+					fset.Position(clause.Pos()))
+				continue
+			}
+			prefix, err := strconv.Unquote(lbl.Value)
+			if err != nil {
+				t.Errorf("case clause at %s has unparseable label literal %q: %v",
+					fset.Position(clause.Pos()), lbl.Value, err)
+				continue
+			}
+			out[prefix] = provider
+		}
+	}
+	return out
+}
+
+// TestDeriveProviderDrift_ShellParserIsSane is a guard test: the shell
+// parser is regex-based, so we sanity-check that it actually finds the
+// well-known prefixes documented in derive-provider.sh's header
+// comment. If this test passes but the main drift test reports
+// missing prefixes, the bug is almost certainly in the regex (not in
+// the production code).
+func TestDeriveProviderDrift_ShellParserIsSane(t *testing.T) {
+	t.Parallel()
+	shellMap := loadShellPrefixMap(t)
+
+	// Anchor prefixes — these have lived in derive-provider.sh since it
+	// was first introduced. If the parser can't find them, it's broken.
+	mustHave := map[string]string{
+		"anthropic":    "anthropic",
+		"minimax":      "minimax",
+		"minimax-cn":   "minimax-cn",
+		"openrouter":   "openrouter",
+		"custom":       "custom",
+		"alibaba":      "alibaba", // in an alias group with dashscope/qwen
+		"dashscope":    "alibaba", // ditto
+		"qwen":         "alibaba", // ditto
+		"openai":       "custom",  // multi-line; first PROVIDER= is "custom"
+		"nousresearch": "nous",    // multi-line; first PROVIDER= is "nous"
+	}
+
+	missing := []string{}
+	wrong := []string{}
+	for prefix, want := range mustHave {
+		got, ok := shellMap[prefix]
+		if !ok {
+			missing = append(missing, prefix)
+			continue
+		}
+		if got != want {
+			wrong = append(wrong, prefix+" got="+got+" want="+want)
+		}
+	}
+	sort.Strings(missing)
+	sort.Strings(wrong)
+	if len(missing) > 0 {
+		t.Errorf("shell parser failed to extract anchor prefixes: %v", missing)
+	}
+	if len(wrong) > 0 {
+		t.Errorf("shell parser extracted wrong values for anchor prefixes: %v", wrong)
+	}
+}
@@ -237,17 +237,7 @@ func (h *DiscoveryHandler) Peers(c *gin.Context) {

 	var peers []map[string]interface{}

-	// Siblings — workspaces sharing the caller's parent.
-	//
-	// #1953 cross-tenant isolation: the OLD code's else-branch handled the
-	// org-root caller (parent_id IS NULL) by returning EVERY workspace with
-	// parent_id IS NULL — i.e. every other tenant's org root, since the
-	// workspaces table has no org_id column. That leaked peer identities/URLs
-	// across tenants. An org root has no siblings inside its own org (each
-	// tenant is a distinct org root), so the org-root caller now gets an empty
-	// sibling set; its real peers are its children, returned below. Only the
-	// parent_id-bound branch enumerates siblings, and that is already scoped to
-	// one parent (one tenant).
+	// Siblings
 	if parentID.Valid {
 		siblings, _ := queryPeerMaps(`
 			SELECT w.id, w.name, COALESCE(w.role, ''), w.tier, w.status,
@@ -256,6 +246,14 @@ func (h *DiscoveryHandler) Peers(c *gin.Context) {
 			FROM workspaces w WHERE w.parent_id = $1 AND w.id != $2 AND w.status != 'removed'`,
 			parentID.String, workspaceID)
 		peers = append(peers, siblings...)
+	} else {
+		siblings, _ := queryPeerMaps(`
+			SELECT w.id, w.name, COALESCE(w.role, ''), w.tier, w.status,
+				   COALESCE(w.agent_card, 'null'::jsonb), COALESCE(w.url, ''),
+				   w.parent_id, w.active_tasks
+			FROM workspaces w WHERE w.parent_id IS NULL AND w.id != $1 AND w.status != 'removed'`,
+			workspaceID)
+		peers = append(peers, siblings...)
 	}

 	// Children — exclude self defensively. A child row whose parent_id
@@ -223,10 +223,10 @@ func TestPeers_RootWorkspace_NoPeers(t *testing.T) {

 	peerCols := []string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}

-	// #1953: an org-root caller (parent_id IS NULL) now issues NO sibling
-	// query at all. The old `WHERE w.parent_id IS NULL` sibling read returned
-	// EVERY tenant's org root (cross-tenant leak); an org root has no siblings
-	// inside its own org, so the handler skips the sibling read entirely.
+	// Siblings (other root-level workspaces) — none
+	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id IS NULL AND w.id != \\$1").
+		WithArgs("ws-root-alone").
+		WillReturnRows(sqlmock.NewRows(peerCols))

 	// Children — none. #383 added explicit `w.id != $2` self-filter.
 	mock.ExpectQuery("SELECT w.id, w.name.*WHERE w.parent_id = \\$1 AND w.id != \\$2").
@@ -167,9 +167,6 @@ func generateAppInstallationToken() (string, time.Time, error) {
 		return "", time.Time{}, err
 	}
 	defer func() { _ = resp.Body.Close() }()
-	if resp.StatusCode != http.StatusCreated {
-		return "", time.Time{}, fmt.Errorf("github token endpoint returned status %d", resp.StatusCode)
-	}
 	var result struct {
 		Token     string    `json:"token"`
 		ExpiresAt time.Time `json:"expires_at"`
@@ -43,6 +43,8 @@ func TestWorkspaceCreate_WithParentID(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -79,6 +81,8 @@ func TestWorkspaceCreate_ExplicitClaudeCodeRuntime(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -300,6 +304,8 @@ func TestWorkspaceCreate_MaxConcurrentTasksOverride(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(0, 1))
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -255,20 +255,22 @@ func TestExtended_SecretsListEmpty(t *testing.T) {
 // ---------- TestSecretsSet (Extended) ----------

 func TestExtended_SecretsSet(t *testing.T) {
-	// internal#718 P2-B: the per-workspace strip gate keys off the DERIVED mode
-	// (org rung retired). This test's intent is the happy path of persisting a
-	// vendor key on a byok workspace; the realistic way a workspace is byok for
-	// a direct vendor-key write is an explicit operator override (the escape
-	// hatch the reject error itself points to: PUT /admin/.../llm-billing-mode).
-	// The override short-circuits the resolver to byok in a single read, so the
-	// bypass-list check is skipped and the write proceeds.
-	t.Setenv("MOLECULE_LLM_BILLING_MODE", "platform_managed") // org env ignored now
+	// internal#691: the per-workspace strip gate now defaults to platform_managed
+	// on empty MOLECULE_LLM_BILLING_MODE (closed default). This test's intent is
+	// the happy path of persisting a vendor key, so put the org into byok which
+	// matches the pre-#691 implicit behavior of an unset env.
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", "byok")
 	mock := setupTestDB(t)
 	handler := NewSecretsHandler(nil)

+	// internal#691: secrets.Set now consults ResolveLLMBillingMode before the
+	// strip gate. Mock returns no row → resolver falls through to the org
+	// default (byok, set via t.Setenv above) → bypass-list check is skipped
+	// and the write proceeds. This pattern is the test-side mirror of the
+	// real-prod fall-through behavior for a fresh workspace with no override.
 	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 		WithArgs("22222222-2222-2222-2222-222222222222").
-		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeBYOK))
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}))

 	// Expect INSERT (encrypted value is dynamic, use AnyArg)
 	mock.ExpectExec("INSERT INTO workspace_secrets").
@@ -451,14 +453,6 @@ func TestExtended_DiscoverMissingHeader(t *testing.T) {

 // ---------- TestPeers (Extended) ----------

-// TestExtended_Peers verifies a root-level (org-root) workspace's peer view.
-//
-// #1953: previously a root-level caller issued `WHERE w.parent_id IS NULL`
-// for siblings, which returned EVERY other tenant's org root as a "peer"
-// (cross-tenant leak, since the workspaces table has no org_id column). After
-// the fix an org root has no cross-tenant siblings; its only peers are its own
-// children. This test asserts the child is returned and that NO sibling query
-// is issued (no `parent_id IS NULL` read).
 func TestExtended_Peers(t *testing.T) {
 	mock := setupTestDB(t)
 	setupTestRedis(t)
@@ -469,14 +463,17 @@ func TestExtended_Peers(t *testing.T) {
 		WithArgs("ws-peer").
 		WillReturnRows(sqlmock.NewRows([]string{"parent_id"}).AddRow(nil))

-	// NO root-level sibling query is issued for an org-root caller anymore.
+	// Expect root-level siblings query (parent IS NULL, excluding self)
+	mock.ExpectQuery("SELECT w.id, w.name").
+		WithArgs("ws-peer").
+		WillReturnRows(sqlmock.NewRows([]string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}).
+			AddRow("ws-sibling", "Sibling Agent", "worker", 1, "online", []byte("null"), "http://localhost:9001", nil, 0))

-	// Children query (workspaces with parent_id = ws-peer, excluding self).
-	// Query binds (parent_id, self_id) for the self-filter guard added in #383.
+	// Expect children query (workspaces with parent_id = ws-peer, excluding self)
+	// Query now binds (parent_id, self_id) for the self-filter guard added in #383.
 	mock.ExpectQuery("SELECT w.id, w.name").
 		WithArgs("ws-peer", "ws-peer").
-		WillReturnRows(sqlmock.NewRows([]string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}).
-			AddRow("ws-child", "Child Agent", "worker", 1, "online", []byte("null"), "http://localhost:9001", "ws-peer", 0))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "name", "role", "tier", "status", "agent_card", "url", "parent_id", "active_tasks"}))

 	// No parent query since workspace is root-level

@@ -496,10 +493,10 @@ func TestExtended_Peers(t *testing.T) {
 		t.Fatalf("failed to parse response: %v", err)
 	}
 	if len(resp) != 1 {
-		t.Fatalf("expected 1 peer (the child), got %d", len(resp))
+		t.Fatalf("expected 1 peer, got %d", len(resp))
 	}
-	if resp[0]["name"] != "Child Agent" {
-		t.Errorf("expected peer name 'Child Agent', got %v", resp[0]["name"])
+	if resp[0]["name"] != "Sibling Agent" {
+		t.Errorf("expected peer name 'Sibling Agent', got %v", resp[0]["name"])
 	}

 	if err := mock.ExpectationsWereMet(); err != nil {
@@ -384,6 +384,8 @@ func TestWorkspaceCreate(t *testing.T) {
 	// Expect RecordAndBroadcast INSERT for WORKSPACE_PROVISIONING
 	mock.ExpectExec("INSERT INTO structure_events").
 		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -420,6 +422,76 @@ func TestWorkspaceCreate(t *testing.T) {
 	}
 }

+// TestWorkspaceCreate_ReturnsAuthToken_201 pins the inline-auth_token
+// behaviour added for #1644. Pre-fix, the 201 response was
+// {id, status, awareness_namespace, workspace_access} — callers had to
+// make a separate POST to /admin/workspaces/:id/tokens (AdminAuth-gated,
+// path-prefix differs in CP-admin deploys) OR fall back to the dev-only
+// GET /admin/workspaces/:id/test-token (deliberately 404s on
+// MOLECULE_ENV=production per feedback_no_dev_only_routes_in_e2e).
+//
+// Post-fix: every Create response includes an `auth_token` field with
+// the freshly-minted plaintext bearer (returned once, never recoverable).
+// This is the SSOT path — production E2E + canvas + org_import all
+// get the bearer they need in the same round trip.
+//
+// Failure path is non-fatal: if the IssueToken DB call fails, the 201
+// still goes out without auth_token + a fallback log line. That branch
+// is exercised by sqlmock returning a non-INSERT-INTO-workspace_auth_tokens
+// path here — the test asserts presence on the happy path.
+func TestWorkspaceCreate_ReturnsAuthToken_201(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", "/tmp/configs")
+
+	mock.ExpectBegin()
+	mock.ExpectExec("INSERT INTO workspaces").
+		WithArgs(sqlmock.AnyArg(), "Token Holder", nil, 3, "langgraph", sqlmock.AnyArg(), (*string)(nil), nil, "none", (*int64)(nil), models.DefaultMaxConcurrentTasks, "push").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectCommit()
+	mock.ExpectExec("INSERT INTO canvas_layouts").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	mock.ExpectExec("INSERT INTO structure_events").
+		WillReturnResult(sqlmock.NewResult(0, 1))
+	// The inline mint added in #1644 Part B — wsauth.IssueToken issues
+	// a new bearer via INSERT INTO workspace_auth_tokens (workspace_id,
+	// token_hash, prefix). This is the assertion that the new code path
+	// reaches the DB.
+	mock.ExpectExec("INSERT INTO workspace_auth_tokens").
+		WithArgs(sqlmock.AnyArg(), sqlmock.AnyArg(), sqlmock.AnyArg()).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	body := `{"name":"Token Holder","model":"anthropic:claude-opus-4-7"}`
+	c.Request = httptest.NewRequest("POST", "/workspaces", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	handler.Create(c)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("parse response: %v", err)
+	}
+	tok, ok := resp["auth_token"].(string)
+	if !ok || tok == "" {
+		t.Fatalf("expected non-empty auth_token in 201 response (the #1644 SSOT inline mint), got: %s", w.Body.String())
+	}
+	// Sanity: tokens are base64-RawURL encoded 32-byte payloads (per
+	// wsauth/tokens.go::tokenPayloadBytes), so a meaningful lower bound
+	// is ~40 chars. If this fails, IssueToken's contract drifted.
+	if len(tok) < 40 {
+		t.Errorf("auth_token suspiciously short (%d chars) — wsauth.IssueToken contract drift?", len(tok))
+	}
+	if err := mock.ExpectationsWereMet(); err != nil {
+		t.Errorf("unmet sqlmock expectations — inline mint path may have skipped IssueToken: %v", err)
+	}
+}
+
 func TestBuildProvisionerConfig_WorkspacePathFromPayload(t *testing.T) {
 	setupTestDB(t)
 	broadcaster := newTestBroadcaster()
@@ -43,36 +43,10 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
-	"log"
-	"sync"

-	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/crypto"
 	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
-	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/providers"
 )

-// providerManifest is the parsed provider registry, loaded once. The registry
-// is embedded (go:embed, no network) and immutable for the process lifetime, so
-// a single Load is safe to memoize. A load failure is cached too (registryErr):
-// it can only happen on a malformed embedded YAML, which is a build-time defect
-// the verify-providers-gen + sync gates already catch, so failing closed
-// (treat as "cannot derive" → platform default) is correct and we don't retry.
-var (
-	providerRegistryOnce     sync.Once
-	providerRegistryManifest *providers.Manifest
-	providerRegistryErr      error
-)
-
-func providerRegistry() (*providers.Manifest, error) {
-	providerRegistryOnce.Do(func() {
-		providerRegistryManifest, providerRegistryErr = providers.LoadManifest()
-		if providerRegistryErr != nil {
-			log.Printf("llm_billing_mode: FATAL — provider registry failed to load: %v (billing will default-closed to platform_managed)", providerRegistryErr)
-		}
-	})
-	return providerRegistryManifest, providerRegistryErr
-}
-
 // Constants mirror molecule-controlplane/internal/credits/llm_billing.go.
 // Kept as string literals (not imports) because workspace-server has no
 // build-time dependency on the CP module; the values are stable wire
@@ -93,19 +67,6 @@ const (
 	BillingModeSourceWorkspaceOverride BillingModeSource = "workspace_override"
 	BillingModeSourceOrgDefault        BillingModeSource = "org_default"
 	BillingModeSourceConstantFallback  BillingModeSource = "constant_fallback"
-	// BillingModeSourceDerivedProvider means the mode was DERIVED from the
-	// workspace's (runtime, model) via the provider registry — the SSOT
-	// (internal#718 P2-B). IsPlatform(derived) → platform_managed, else byok.
-	// This is the highest-precedence source after an explicit operator override
-	// and SUPERSEDES the prior stored-LLM_PROVIDER read (#1966).
-	BillingModeSourceDerivedProvider BillingModeSource = "derived_provider"
-	// BillingModeSourceDerivedDefault means the registry could not derive a
-	// provider for the (runtime, model) — no model, unknown runtime,
-	// unregistered/ambiguous model — so the mode defaulted closed to
-	// platform_managed (CTO-confirmed "unset → platform default"). Distinct from
-	// derived_provider so operators can see "we defaulted" vs "we derived
-	// platform".
-	BillingModeSourceDerivedDefault BillingModeSource = "derived_default"
 )

 // BillingModeResolution is the structured answer the admin GET route returns
@@ -113,18 +74,11 @@ const (
 // shape, so the resolver test asserts both the mode AND the source per case
 // (catches a bug where the right mode is returned via the wrong layer).
 type BillingModeResolution struct {
-	WorkspaceID       string            `json:"workspace_id"`
-	ResolvedMode      string            `json:"resolved_mode"`
-	WorkspaceOverride *string           `json:"workspace_override"` // nil = inherit
-	OrgDefault        string            `json:"org_default"`        // RETIRED as a billing source (internal#718 P2-B); always platform_managed, kept for wire-compat
-	Source            BillingModeSource `json:"source"`
-	// ProviderSelection surfaces the DERIVED provider name (internal#718 P2-B)
-	// when the mode came from the registry derivation — the literal provider the
-	// (runtime, model) resolved to (e.g. "platform", "kimi-coding", "openai"), or
-	// the raw model id when derivation failed. nil when an explicit operator
-	// override or the empty-id default decided. Lets the admin route answer "why
-	// is this workspace byok?" with the derived provider, not a stored value.
-	ProviderSelection *string `json:"provider_selection"`
+	WorkspaceID       string             `json:"workspace_id"`
+	ResolvedMode      string             `json:"resolved_mode"`
+	WorkspaceOverride *string            `json:"workspace_override"` // nil = inherit
+	OrgDefault        string             `json:"org_default"`        // already default-closed by CP
+	Source            BillingModeSource  `json:"source"`
 }

 // isKnownBillingMode is the enum-recognizer for the resolver's default-closed
@@ -141,137 +95,24 @@ func isKnownBillingMode(s string) bool {
 	}
 }

-// readWorkspaceBillingOverride reads the OPTIONAL explicit operator override
-// (workspaces.llm_billing_mode). Returns:
-//
-//	(mode, true,  nil) — a recognized override is set → operator pinned the mode
-//	("",   false, nil) — NULL / garbled / row-missing → no explicit override
-//	("",   false, err) — DB error → caller defaults closed + propagates
-//
-// internal#718 P2-B retires the org rung; this column is the ONLY stored
-// billing signal that survives, and ONLY as an explicit override on top of the
-// derived provider (CTO 2026-05-27).
-func readWorkspaceBillingOverride(ctx context.Context, workspaceID string) (string, bool, error) {
-	var wsOverride sql.NullString
-	err := db.DB.QueryRowContext(ctx,
-		`SELECT llm_billing_mode FROM workspaces WHERE id = $1`,
-		workspaceID,
-	).Scan(&wsOverride)
-	switch {
-	case errors.Is(err, sql.ErrNoRows):
-		return "", false, nil
-	case err != nil:
-		return "", false, fmt.Errorf("resolve workspace llm_billing_mode override for %s: %w", workspaceID, err)
+// normalizeOrgDefault applies the same default-closed contract to the
+// org-level input as the workspace override gets. The org_default arrives
+// from tenant_config which already COALESCEs NULL → platform_managed at the
+// CP SQL layer, but we DO NOT trust that contract here — if CP regresses or
+// the tenant_config env wasn't populated (race on boot), we still default-
+// close. Same principle: never honor a garbled value.
+func normalizeOrgDefault(orgMode string) string {
+	if isKnownBillingMode(orgMode) {
+		return orgMode
 	}
-	if wsOverride.Valid && isKnownBillingMode(wsOverride.String) {
-		return wsOverride.String, true, nil
-	}
-	return "", false, nil
+	return LLMBillingModePlatformManaged
 }

-// ResolveLLMBillingModeDerived is the SSOT billing-mode resolver (internal#718
-// P2-B). It DERIVES the provider from (runtime, model) via the provider
-// registry and decides platform-vs-byok from IsPlatform(derived) — it does NOT
-// read a stored LLM_PROVIDER (superseding #1966's stored-read approach) and
-// does NOT read the org rung (retired, CTO 2026-05-27).
-//
-// Precedence (highest first):
-//
-//  1. EXPLICIT operator override (workspaces.llm_billing_mode, a recognized
-//     value). The only stored billing signal that survives — an escape hatch,
-//     not the primary signal.
-//  2. DERIVE: providers.DeriveProvider(runtime, model, availableAuthEnv).
-//     - resolves to the closed `platform` provider → platform_managed
-//     - resolves to any other (BYOK/third-party) provider → byok  ← THE FIX
-//  3. DEFAULT-CLOSED: derive fails (no model, unknown runtime, unregistered or
-//     ambiguous model) → platform_managed (CTO "unset → platform default"). A
-//     derive failure NEVER silently flips a workspace to byok (which would
-//     strip the platform creds it may legitimately need).
-//
-// availableAuthEnv is the set of auth-env-var NAMES present for the workspace
-// (never secret values) — the same disambiguation input DeriveProvider uses to
-// split anthropic-oauth from anthropic-api. May be nil.
-//
-// A returned error never prevents a decision: ResolvedMode is always a valid
-// enum value (default-closed). The error is informational (log + surface).
-func ResolveLLMBillingModeDerived(ctx context.Context, workspaceID, runtime, model string, availableAuthEnv []string) (BillingModeResolution, error) {
-	res := BillingModeResolution{
-		WorkspaceID: workspaceID,
-		// OrgDefault is retired as a billing source (internal#718 P2-B). Kept on
-		// the struct for wire-compat (admin route / CP mirror) but always the
-		// closed constant — never consulted in the decision.
-		OrgDefault: LLMBillingModePlatformManaged,
-	}
-
-	// Pre-provision context (no workspace row yet): no override to read, default
-	// closed. (DeriveProvider could still run from the passed runtime/model, but
-	// the no-id path historically does no DB work and the strip gate only runs
-	// post-create, so keep it a pure default to preserve that contract.)
-	if workspaceID == "" {
-		res.ResolvedMode = LLMBillingModePlatformManaged
-		res.Source = BillingModeSourceDerivedDefault
-		return res, nil
-	}
-
-	// Precedence 1: explicit operator override.
-	if mode, ok, err := readWorkspaceBillingOverride(ctx, workspaceID); err != nil {
-		// DB error — default closed AND propagate (never flip on a transient error).
-		res.ResolvedMode = LLMBillingModePlatformManaged
-		res.Source = BillingModeSourceConstantFallback
-		return res, err
-	} else if ok {
-		m := mode
-		res.WorkspaceOverride = &m
-		res.ResolvedMode = mode
-		res.Source = BillingModeSourceWorkspaceOverride
-		return res, nil
-	}
-
-	// Precedence 2: DERIVE the provider from (runtime, model).
-	manifest, mErr := providerRegistry()
-	if mErr != nil || manifest == nil {
-		// Registry unavailable (malformed embedded YAML — a build-time defect the
-		// gates catch). Default closed.
-		res.ResolvedMode = LLMBillingModePlatformManaged
-		res.Source = BillingModeSourceDerivedDefault
-		return res, mErr
-	}
-	provider, dErr := manifest.DeriveProvider(runtime, model, availableAuthEnv)
-	if dErr != nil {
-		// No model / unknown runtime / unregistered / ambiguous → default closed.
-		// NOT an error to the caller: an unregistered model is a legitimate
-		// "we can't say it's BYOK, so bill the platform default" outcome, and the
-		// only-registered gate at the create/config API is where an unregistered
-		// model is rejected loudly. Here we just fail closed for safety.
-		res.ResolvedMode = LLMBillingModePlatformManaged
-		res.Source = BillingModeSourceDerivedDefault
-		sel := model
-		if sel != "" {
-			res.ProviderSelection = &sel
-		}
-		return res, nil
-	}
-	derivedName := provider.Name
-	res.ProviderSelection = &derivedName
-	res.Source = BillingModeSourceDerivedProvider
-	if provider.IsPlatform() {
-		res.ResolvedMode = LLMBillingModePlatformManaged
-	} else {
-		// A specific (non-platform) vendor was derived → bring-your-own-key.
-		res.ResolvedMode = LLMBillingModeBYOK
-	}
-	return res, nil
-}
-
-// ResolveLLMBillingMode is the legacy-signature resolver retained for callers
-// that do not have (runtime, model) in hand (the admin GET/PUT route and the
-// secrets remote-pull path). It reads the workspace's stored runtime + model +
-// available auth env from the DB and delegates to the DERIVED resolver
-// (internal#718 P2-B) — the orgMode parameter is RETIRED (the org rung is no
-// longer a billing source) and is ignored; it stays in the signature only to
-// avoid churning the two callers in this PR. The architectural test asserts no
-// remaining code path gates on os.Getenv("MOLECULE_LLM_BILLING_MODE") for the
-// strip decision (that env is no longer read into the decision at all).
+// ResolveLLMBillingMode is the canonical resolver. Every code path that
+// previously gated on `os.Getenv("MOLECULE_LLM_BILLING_MODE") == "platform_managed"`
+// must call this instead and gate on the returned mode. The architectural
+// test (resolver_ast_test.go) asserts there is no remaining call site of
+// the old shape outside the resolver-input wiring.
 //
 // Returning an error does NOT prevent the caller from making a decision —
 // the returned mode is always a valid enum value (default-closed to
@@ -279,160 +120,75 @@ func ResolveLLMBillingModeDerived(ctx context.Context, workspaceID, runtime, mod
 // branch. The error is informational: log it, surface it to operators, but
 // the strip-gate decision is already safe.
 func ResolveLLMBillingMode(ctx context.Context, workspaceID, orgMode string) (BillingModeResolution, error) {
-	_ = orgMode // org rung retired (internal#718 P2-B); parameter ignored.
+	res := BillingModeResolution{
+		WorkspaceID: workspaceID,
+		OrgDefault:  normalizeOrgDefault(orgMode),
+	}

 	if workspaceID == "" {
-		// Pre-provision context (templating, validation): default closed, no DB.
-		return ResolveLLMBillingModeDerived(ctx, "", "", "", nil)
-	}
-
-	// Precedence 1: explicit operator override. Read it FIRST so an overridden
-	// workspace short-circuits without the extra runtime/secrets reads (and so
-	// the query order is override → runtime → secrets, matching the derived
-	// resolver's own override-first precedence).
-	if mode, ok, err := readWorkspaceBillingOverride(ctx, workspaceID); err != nil {
-		return BillingModeResolution{
-			WorkspaceID:  workspaceID,
-			OrgDefault:   LLMBillingModePlatformManaged,
-			ResolvedMode: LLMBillingModePlatformManaged,
-			Source:       BillingModeSourceConstantFallback,
-		}, err
-	} else if ok {
-		m := mode
-		return BillingModeResolution{
-			WorkspaceID:       workspaceID,
-			OrgDefault:        LLMBillingModePlatformManaged,
-			ResolvedMode:      mode,
-			WorkspaceOverride: &m,
-			Source:            BillingModeSourceWorkspaceOverride,
-		}, nil
-	}
-
-	// Precedence 2: DERIVE. Read the stored (runtime, model, available-auth-env)
-	// so the derived resolver can DeriveProvider for callers that don't carry
-	// them (admin route, secrets remote-pull). A read miss/error degrades
-	// gracefully: pass the empty/partial inputs through — DeriveProvider then
-	// errors and the derived resolver defaults closed to platform_managed.
-	//
-	// ResolveLLMBillingModeDerived re-reads the override (NULL again here) before
-	// deriving; that one extra cheap read keeps the derived resolver a complete,
-	// independently-callable SSOT rather than splitting its precedence across two
-	// functions.
-	runtime, model, authEnv := readWorkspaceDeriveInputs(ctx, workspaceID)
-	return ResolveLLMBillingModeDerived(ctx, workspaceID, runtime, model, authEnv)
-}
-
-// readWorkspaceDeriveInputs loads the workspace's stored runtime + selected
-// model + the auth-env-var NAMES present in its secrets — the inputs
-// DeriveProvider needs. Best-effort: any read error returns whatever was
-// gathered (the derived resolver fails closed on incomplete inputs). The model
-// is the MODEL workspace_secret (the canvas-picked id, written by setModelSecret
-// / Create); runtime is the workspaces.runtime column (defaults claude-code).
-// availableAuthEnv is the subset of secret KEYS that are recognized provider
-// auth-env names (never values), so DeriveProvider's auth-env tie-break can fire
-// the same way it does on the provision path.
-func readWorkspaceDeriveInputs(ctx context.Context, workspaceID string) (runtime, model string, availableAuthEnv []string) {
-	var rt sql.NullString
-	if err := db.DB.QueryRowContext(ctx,
-		`SELECT runtime FROM workspaces WHERE id = $1`, workspaceID,
-	).Scan(&rt); err != nil {
-		if !errors.Is(err, sql.ErrNoRows) {
-			log.Printf("llm_billing_mode: read runtime for %s: %v (deriving with empty runtime)", workspaceID, err)
+		// No workspace ID = pre-provision context (templating, validation).
+		// Resolve against the org default only, no DB read.
+		res.ResolvedMode = res.OrgDefault
+		res.Source = BillingModeSourceOrgDefault
+		if !isKnownBillingMode(orgMode) {
+			// Org default was garbled/NULL and we clamped to platform_managed.
+			// Mark the source as constant_fallback so the operator can see
+			// the clamp happened, not that the org "really" said platform_managed.
+			res.Source = BillingModeSourceConstantFallback
 		}
-	}
-	runtime = rt.String
-	if runtime == "" {
-		// Mirror the DB column default so an unset runtime still derives.
-		runtime = "claude-code"
+		return res, nil
 	}

-	// Gather model + auth-env-name keys from workspace_secrets in one pass.
-	authSet := authEnvNameSet()
-	rows, err := db.DB.QueryContext(ctx,
-		`SELECT key, encrypted_value, encryption_version FROM workspace_secrets WHERE workspace_id = $1`,
+	var wsOverride sql.NullString
+	err := db.DB.QueryRowContext(ctx,
+		`SELECT llm_billing_mode FROM workspaces WHERE id = $1`,
 		workspaceID,
-	)
-	if err != nil {
-		log.Printf("llm_billing_mode: read secrets for %s: %v (deriving with no model/auth-env)", workspaceID, err)
-		return runtime, model, availableAuthEnv
-	}
-	defer rows.Close()
-	for rows.Next() {
-		var k string
-		var v []byte
-		var ver int
-		if rows.Scan(&k, &v, &ver) != nil {
-			continue
-		}
-		if k == "MODEL" {
-			if dec, derr := crypto.DecryptVersioned(v, ver); derr == nil {
-				model = string(dec)
-			}
-			continue
-		}
-		// Only the KEY matters for auth-env disambiguation (the value is the
-		// secret; we never decrypt it for this purpose). Record recognized
-		// provider auth-env names.
-		if _, ok := authSet[k]; ok {
-			availableAuthEnv = append(availableAuthEnv, k)
-		}
-	}
-	return runtime, model, availableAuthEnv
-}
+	).Scan(&wsOverride)

-// authEnvNameSet is the union of every provider's auth_env names in the
-// registry — the recognized set readWorkspaceDeriveInputs filters secret keys
-// against. Loaded once from the registry so it stays in sync with the SSOT (no
-// hardcoded auth-env vocabulary). Registry-load failure yields an empty set
-// (derive then runs without the auth-env tie-break, which only matters for the
-// oauth-vs-api overlap; safe — it errors to default-closed rather than guessing).
-var (
-	authEnvNameSetOnce sync.Once
-	authEnvNameSetVal  map[string]struct{}
-)
-
-func authEnvNameSet() map[string]struct{} {
-	authEnvNameSetOnce.Do(func() {
-		authEnvNameSetVal = map[string]struct{}{}
-		m, err := providerRegistry()
-		if err != nil || m == nil {
-			return
-		}
-		for _, p := range m.Providers {
-			for _, e := range p.AuthEnv {
-				authEnvNameSetVal[e] = struct{}{}
-			}
-		}
-	})
-	return authEnvNameSetVal
-}
-
-// availableAuthEnvNames returns the recognized provider auth-env-var NAMES
-// present (non-empty) in envVars — the DeriveProvider auth-env tie-break input.
-// Never returns secret VALUES, only the env-var names. Used by the provision
-// path (applyPlatformManagedLLMEnv), which already has the workspace env in
-// hand, so it derives without a secrets DB round-trip.
-func availableAuthEnvNames(envVars map[string]string) []string {
-	authSet := authEnvNameSet()
-	var out []string
-	for k, v := range envVars {
-		if v == "" {
-			continue
-		}
-		if _, ok := authSet[k]; ok {
-			out = append(out, k)
+	switch {
+	case errors.Is(err, sql.ErrNoRows):
+		// Workspace row missing — concurrent delete, or pre-create call. Don't
+		// silently flip; fall through to org default. Source stays org_default
+		// so operators can see the row-missing case is being handled as a
+		// fallback, not a workspace-explicit decision.
+		res.ResolvedMode = res.OrgDefault
+		res.Source = BillingModeSourceOrgDefault
+		if !isKnownBillingMode(orgMode) {
+			res.Source = BillingModeSourceConstantFallback
 		}
+		return res, nil
+	case err != nil:
+		// DB error — default-closed to platform_managed AND propagate the
+		// error so operators get a structured log line. The caller is
+		// expected to log and continue with the safe default.
+		res.ResolvedMode = LLMBillingModePlatformManaged
+		res.Source = BillingModeSourceConstantFallback
+		return res, fmt.Errorf("resolve workspace llm_billing_mode for %s: %w", workspaceID, err)
 	}
-	return out
-}

-// derefOrEmpty returns the pointed-to string or "" for a nil pointer. Used in
-// log lines that surface an optional *string field.
-func derefOrEmpty(s *string) string {
-	if s == nil {
-		return ""
+	if wsOverride.Valid && isKnownBillingMode(wsOverride.String) {
+		mode := wsOverride.String
+		res.WorkspaceOverride = &mode
+		res.ResolvedMode = mode
+		res.Source = BillingModeSourceWorkspaceOverride
+		return res, nil
 	}
-	return *s
+
+	// Override row present but the value is NULL or garbled. Fall through.
+	// If the value was non-NULL but garbled (CHECK constraint should prevent
+	// this, but defense in depth — a future migration could relax the check
+	// or another path could write the column directly), surface the raw
+	// override value so operators can spot the corrupt row.
+	if wsOverride.Valid {
+		raw := wsOverride.String
+		res.WorkspaceOverride = &raw
+	}
+	res.ResolvedMode = res.OrgDefault
+	res.Source = BillingModeSourceOrgDefault
+	if !isKnownBillingMode(orgMode) {
+		res.Source = BillingModeSourceConstantFallback
+	}
+	return res, nil
 }

 // SetWorkspaceLLMBillingMode writes the override column. Pass mode=="" to
@@ -1,232 +0,0 @@
-package handlers
-
-// llm_billing_mode_derived_test.go — tests for the DERIVED billing-mode
-// resolver (internal#718 P2-B). The platform-vs-byok decision now DERIVES the
-// provider from (runtime, model) via the provider registry and keys off
-// IsPlatform(derived) — it does NOT read a stored LLM_PROVIDER (supersedes
-// #1966's stored-read approach) and does NOT read the org rung (retired,
-// CTO 2026-05-27). `workspaces.llm_billing_mode` survives ONLY as an optional
-// explicit operator override (first precedence).
-//
-// This file pins the explicit BEHAVIOR DELTA the RFC's P2 calls out:
-//   - platform-derived (or unset → platform default) → platform_managed (UNCHANGED)
-//   - non-platform-derived                            → byok (THE FIX — the Reno leak class)
-//   - explicit override                               → wins over derive
-//   - derive error / unregistered                     → platform_managed (default-closed)
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-)
-
-// expectOverrideQuery sets up the workspaces.llm_billing_mode override read
-// (first precedence). value=="" means NULL (no override).
-func expectOverrideQuery(m sqlmock.Sqlmock, wsID, value string) {
-	rows := sqlmock.NewRows([]string{"llm_billing_mode"})
-	if value == "" {
-		rows.AddRow(nil)
-	} else {
-		rows.AddRow(value)
-	}
-	m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(rows)
-}
-
-func TestResolveLLMBillingModeDerived_BehaviorDelta(t *testing.T) {
-	ctx := context.Background()
-	const wsID = "33333333-3333-3333-3333-333333333333"
-
-	type tc struct {
-		name       string
-		runtime    string
-		model      string
-		authEnv    []string
-		override   string // "" = NULL override (no explicit operator override)
-		wantMode   string
-		wantSource BillingModeSource
-		wantErr    bool
-	}
-
-	cases := []tc{
-		{
-			// PLATFORM-DERIVED → platform_managed (UNCHANGED). claude-code +
-			// a platform-namespaced model id derives to the closed `platform`
-			// provider → IsPlatform → platform_managed.
-			name:       "platform_derived_keeps_platform_managed_UNCHANGED",
-			runtime:    "claude-code",
-			model:      "anthropic/claude-opus-4-7",
-			override:   "",
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceDerivedProvider,
-		},
-		{
-			// NON-PLATFORM-DERIVED → byok (THE FIX). claude-code + the
-			// kimi-coding-native model derives to the non-platform kimi-coding
-			// provider → IsPlatform=false → byok. This is the Reno billing-leak
-			// class: pre-P2 it resolved platform_managed and ran on platform creds.
-			name:       "non_platform_derived_resolves_byok_THE_FIX",
-			runtime:    "claude-code",
-			model:      "kimi-for-coding",
-			override:   "",
-			wantMode:   LLMBillingModeBYOK,
-			wantSource: BillingModeSourceDerivedProvider,
-		},
-		{
-			// NON-PLATFORM vendor on codex: gpt-5.5 derives to `openai` (BYOK).
-			name:       "non_platform_openai_codex_byok",
-			runtime:    "codex",
-			model:      "gpt-5.5",
-			override:   "",
-			wantMode:   LLMBillingModeBYOK,
-			wantSource: BillingModeSourceDerivedProvider,
-		},
-		{
-			// PLATFORM-DERIVED on codex: openai/gpt-5.4 is platform-namespaced.
-			name:       "platform_derived_codex_platform_managed",
-			runtime:    "codex",
-			model:      "openai/gpt-5.4",
-			override:   "",
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceDerivedProvider,
-		},
-		{
-			// UNSET model → platform default (CTO-confirmed "unset → platform
-			// default"). No model means nothing to derive; default-closed.
-			name:       "unset_model_platform_default",
-			runtime:    "claude-code",
-			model:      "",
-			override:   "",
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceDerivedDefault,
-		},
-		{
-			// UNREGISTERED model → derive errors → platform default (default-closed,
-			// NOT a silent byok flip that would strip a workspace's creds).
-			name:       "unregistered_model_derive_error_platform_default",
-			runtime:    "claude-code",
-			model:      "totally-made-up-model-xyz",
-			override:   "",
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceDerivedDefault,
-		},
-		{
-			// UNKNOWN runtime → derive errors → platform default (default-closed).
-			name:       "unknown_runtime_platform_default",
-			runtime:    "no-such-runtime",
-			model:      "claude-opus-4-7",
-			override:   "",
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceDerivedDefault,
-		},
-		{
-			// EXPLICIT OVERRIDE wins over derive: a non-platform-deriving model
-			// kept on platform_managed by an operator override (escape hatch).
-			name:       "explicit_override_platform_managed_wins_over_byok_derive",
-			runtime:    "claude-code",
-			model:      "kimi-for-coding", // would derive byok
-			override:   LLMBillingModePlatformManaged,
-			wantMode:   LLMBillingModePlatformManaged,
-			wantSource: BillingModeSourceWorkspaceOverride,
-		},
-		{
-			// EXPLICIT OVERRIDE byok wins over a platform-deriving model.
-			name:       "explicit_override_byok_wins_over_platform_derive",
-			runtime:    "claude-code",
-			model:      "anthropic/claude-opus-4-7", // would derive platform_managed
-			override:   LLMBillingModeBYOK,
-			wantMode:   LLMBillingModeBYOK,
-			wantSource: BillingModeSourceWorkspaceOverride,
-		},
-		{
-			// EXPLICIT OVERRIDE disabled wins (no-LLM workspace).
-			name:       "explicit_override_disabled_wins",
-			runtime:    "claude-code",
-			model:      "anthropic/claude-opus-4-7",
-			override:   LLMBillingModeDisabled,
-			wantMode:   LLMBillingModeDisabled,
-			wantSource: BillingModeSourceWorkspaceOverride,
-		},
-		{
-			// AUTH-ENV disambiguation: claude-code's anthropic-oauth (alias
-			// model "opus") vs anthropic-api both could match a bare alias; with
-			// CLAUDE_CODE_OAUTH_TOKEN present it derives anthropic-oauth → byok.
-			name:       "auth_env_disambiguates_oauth_byok",
-			runtime:    "claude-code",
-			model:      "opus",
-			authEnv:    []string{"CLAUDE_CODE_OAUTH_TOKEN"},
-			override:   "",
-			wantMode:   LLMBillingModeBYOK,
-			wantSource: BillingModeSourceDerivedProvider,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			mock := setupTestDB(t)
-			expectOverrideQuery(mock, wsID, c.override)
-
-			res, err := ResolveLLMBillingModeDerived(ctx, wsID, c.runtime, c.model, c.authEnv)
-			if (err != nil) != c.wantErr {
-				t.Fatalf("err: got %v wantErr=%v", err, c.wantErr)
-			}
-			if res.ResolvedMode != c.wantMode {
-				t.Errorf("mode: got %q want %q", res.ResolvedMode, c.wantMode)
-			}
-			if res.Source != c.wantSource {
-				t.Errorf("source: got %q want %q", res.Source, c.wantSource)
-			}
-			if !isKnownBillingMode(res.ResolvedMode) {
-				t.Errorf("post-condition: resolved mode %q not a known enum", res.ResolvedMode)
-			}
-			if err := mock.ExpectationsWereMet(); err != nil {
-				t.Errorf("sqlmock expectations: %v", err)
-			}
-		})
-	}
-}
-
-// TestResolveLLMBillingModeDerived_OverrideDBError_DefaultClosed asserts a DB
-// error reading the override column defaults closed to platform_managed and
-// propagates the error — never silently flips a workspace off platform creds.
-func TestResolveLLMBillingModeDerived_OverrideDBError_DefaultClosed(t *testing.T) {
-	ctx := context.Background()
-	const wsID = "44444444-4444-4444-4444-444444444444"
-
-	mock := setupTestDB(t)
-	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnError(errors.New("connection refused"))
-
-	res, err := ResolveLLMBillingModeDerived(ctx, wsID, "claude-code", "kimi-for-coding", nil)
-	if err == nil {
-		t.Fatalf("expected propagated DB error, got nil")
-	}
-	if res.ResolvedMode != LLMBillingModePlatformManaged {
-		t.Errorf("default-closed: DB error must resolve platform_managed, got %q", res.ResolvedMode)
-	}
-	if res.Source != BillingModeSourceConstantFallback {
-		t.Errorf("source: got %q want %q", res.Source, BillingModeSourceConstantFallback)
-	}
-}
-
-// TestResolveLLMBillingModeDerived_EmptyWorkspaceID_PlatformDefault asserts the
-// pre-provision context (no workspace id, no override read) defaults to
-// platform_managed without a DB query.
-func TestResolveLLMBillingModeDerived_EmptyWorkspaceID_PlatformDefault(t *testing.T) {
-	ctx := context.Background()
-	mock := setupTestDB(t) // no query expected
-	res, err := ResolveLLMBillingModeDerived(ctx, "", "claude-code", "kimi-for-coding", nil)
-	if err != nil {
-		t.Fatalf("unexpected err: %v", err)
-	}
-	if res.ResolvedMode != LLMBillingModePlatformManaged {
-		t.Errorf("empty workspace id must default platform_managed, got %q", res.ResolvedMode)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock expectations: %v", err)
-	}
-}
@@ -36,12 +36,10 @@ import (

 // GetWorkspaceLLMBillingMode handles GET /admin/workspaces/:id/llm-billing-mode.
 //
-// internal#718 P2-B: the resolution now DERIVES the provider from the
-// workspace's stored (runtime, model) via the registry (org rung retired). The
-// passed orgMode is ignored by the resolver; it is left here only to avoid
-// churning the call signature. The returned resolution matches what the
-// provision-time strip gate computes (same derived resolver), so operators see
-// the real platform-vs-byok decision + the derived provider in ProviderSelection.
+// Reads the workspace override + the org-level default (from the same
+// MOLECULE_LLM_BILLING_MODE env var the provisioner reads at strip-gate time —
+// keeps the two paths consistent so the GET result matches what the strip
+// gate would compute) and returns the structured resolution.
 func GetWorkspaceLLMBillingMode(c *gin.Context) {
 	workspaceID := strings.TrimSpace(c.Param("id"))
 	if !uuidRegex.MatchString(workspaceID) {
@@ -29,42 +29,13 @@ func init() {

 const testWSID = "44444444-4444-4444-4444-444444444444"

-// expectDeriveShimQueries sets up the three reads the legacy-signature
-// ResolveLLMBillingMode shim makes on a no-explicit-override path
-// (internal#718 P2-B): the override read (NULL here), the workspaces.runtime
-// read, and the workspace_secrets scan (for MODEL + auth-env names). model==""
-// means no MODEL secret row.
-func expectDeriveShimQueries(m sqlmock.Sqlmock, wsID, runtime, model string) {
-	nullOverride := func() {
-		m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-			WithArgs(wsID).
-			WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
-	}
-	// Order: override(NULL) shim check, runtime, secrets, override(NULL) again
-	// (the derived resolver re-checks the override as a complete SSOT).
-	nullOverride()
-	m.ExpectQuery(`SELECT runtime FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow(runtime))
-	secretRows := sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"})
-	if model != "" {
-		// encryption_version 0 = plaintext passthrough (crypto.DecryptVersioned).
-		secretRows.AddRow("MODEL", []byte(model), 0)
-	}
-	m.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets WHERE workspace_id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(secretRows)
-	nullOverride()
-}
-
-// internal#718 P2-B: org rung retired. A no-override workspace's mode is now
-// DERIVED from its stored (runtime, model). A claude-code workspace with a
-// non-platform-deriving model (kimi-for-coding) resolves byok via
-// derived_provider — NOT the old "inherit org default".
-func TestGetWorkspaceLLMBillingMode_HappyPath_DerivesByokFromModel(t *testing.T) {
-	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModeBYOK) // org env ignored now
+func TestGetWorkspaceLLMBillingMode_HappyPath_InheritsOrgDefault(t *testing.T) {
+	t.Setenv("MOLECULE_LLM_BILLING_MODE", LLMBillingModeBYOK)
 	mock := setupTestDB(t)
-	expectDeriveShimQueries(mock, testWSID, "claude-code", "kimi-for-coding")
+	// Workspace has no override → resolver returns org_default = byok.
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -83,15 +54,12 @@ func TestGetWorkspaceLLMBillingMode_HappyPath_DerivesByokFromModel(t *testing.T)
 	if res.ResolvedMode != LLMBillingModeBYOK {
 		t.Errorf("resolved mode: got %q want %q", res.ResolvedMode, LLMBillingModeBYOK)
 	}
-	if res.Source != BillingModeSourceDerivedProvider {
-		t.Errorf("source: got %q want %q", res.Source, BillingModeSourceDerivedProvider)
+	if res.Source != BillingModeSourceOrgDefault {
+		t.Errorf("source: got %q want %q", res.Source, BillingModeSourceOrgDefault)
 	}
 	if res.WorkspaceOverride != nil {
 		t.Errorf("expected nil override, got %v", *res.WorkspaceOverride)
 	}
-	if res.ProviderSelection == nil || *res.ProviderSelection != "kimi-coding" {
-		t.Errorf("expected derived provider kimi-coding, got %v", res.ProviderSelection)
-	}
 }

 func TestGetWorkspaceLLMBillingMode_BadUUID_400(t *testing.T) {
@@ -149,9 +117,9 @@ func TestPutWorkspaceLLMBillingMode_ExplicitNullClearsOverride(t *testing.T) {
 	mock.ExpectExec(`UPDATE workspaces SET llm_billing_mode = NULL WHERE id = \$1`).
 		WithArgs(testWSID).
 		WillReturnResult(sqlmock.NewResult(0, 1))
-	// After clear, the post-write re-resolution DERIVES (internal#718 P2-B):
-	// no override + no MODEL secret → derived_default → platform_managed.
-	expectDeriveShimQueries(mock, testWSID, "claude-code", "")
+	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+		WithArgs(testWSID).
+		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
@@ -174,8 +142,8 @@ func TestPutWorkspaceLLMBillingMode_ExplicitNullClearsOverride(t *testing.T) {
 	if res.ResolvedMode != LLMBillingModePlatformManaged {
 		t.Errorf("post-clear resolved: got %q want %q", res.ResolvedMode, LLMBillingModePlatformManaged)
 	}
-	if res.Source != BillingModeSourceDerivedDefault {
-		t.Errorf("post-clear source: got %q want %q", res.Source, BillingModeSourceDerivedDefault)
+	if res.Source != BillingModeSourceOrgDefault {
+		t.Errorf("post-clear source: got %q want %q", res.Source, BillingModeSourceOrgDefault)
 	}
 	if res.WorkspaceOverride != nil {
 		t.Errorf("post-clear override should be nil, got %v", *res.WorkspaceOverride)
@@ -1,12 +1,10 @@
 package handlers

-// llm_billing_mode_test.go — tests for the LEGACY-signature resolver
-// ResolveLLMBillingMode after internal#718 P2-B. The org rung is RETIRED: the
-// legacy shim now reads the explicit override first, then DERIVES the provider
-// from the workspace's stored (runtime, model) via the registry (no org
-// default). The dedicated derived-resolver cases live in
-// llm_billing_mode_derived_test.go; this file pins the legacy shim's DB-read
-// sequence + that it routes through the derived semantics.
+// llm_billing_mode_test.go — table-driven tests for the per-workspace
+// resolver (internal#691). The cases below enumerate every documented
+// branch in the default-closed contract; if one of them flips behavior
+// later the test names will tell the reviewer exactly which RFC clause
+// regressed.

 import (
 	"context"
@@ -16,56 +14,35 @@ import (
 	"github.com/DATA-DOG/go-sqlmock"
 )

-// expectLegacyShimQueries sets up the DB reads the legacy ResolveLLMBillingMode
-// shim makes on a NO-explicit-override path (internal#718 P2-B), in order:
-//  1. override read (NULL) — the shim's own precedence-1 check,
-//  2. workspaces.runtime read,
-//  3. workspace_secrets scan (MODEL + auth-env names),
-//  4. override read AGAIN (NULL) — the derived resolver re-checks it so it is a
-//     complete, independently-callable SSOT.
-//
-// model=="" means no MODEL secret row.
-func expectLegacyShimQueries(m sqlmock.Sqlmock, wsID, runtime, model string) {
-	nullOverride := func() {
-		m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-			WithArgs(wsID).
-			WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
-	}
-	nullOverride()
-	m.ExpectQuery(`SELECT runtime FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow(runtime))
-	secretRows := sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"})
-	if model != "" {
-		secretRows.AddRow("MODEL", []byte(model), 0) // version 0 = plaintext
-	}
-	m.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets WHERE workspace_id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(secretRows)
-	nullOverride()
-}
-
-func TestResolveLLMBillingMode_LegacyShimDerives(t *testing.T) {
+func TestResolveLLMBillingMode_TableDriven(t *testing.T) {
 	ctx := context.Background()
 	const wsID = "11111111-1111-1111-1111-111111111111"

 	type want struct {
-		mode        string
-		source      BillingModeSource
+		mode   string
+		source BillingModeSource
+		// hasOverride asserts whether the resolver surfaced the override
+		// value in the result (nil pointer = clean inherit, non-nil = the
+		// row was present even if it ultimately fell through because it
+		// was garbled). Lets us distinguish "row missing, fell through"
+		// from "row present but garbled, fell through" — both resolve to
+		// the same mode but the resolver tells operators which case it was.
 		hasOverride bool
 	}
 	type tc struct {
-		name      string
-		setupMock func(m sqlmock.Sqlmock)
-		want      want
-		wantErr   bool
+		name        string
+		workspaceID string
+		orgMode     string
+		setupMock   func(m sqlmock.Sqlmock)
+		want        want
+		wantErr     bool
 	}

 	cases := []tc{
 		{
-			// Explicit override still wins (first precedence; only stored signal
-			// that survives P2-B). No runtime/secrets read needed.
-			name: "explicit_override_byok_wins",
+			name:        "workspace_override_byok_overrides_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
 			setupMock: func(m sqlmock.Sqlmock) {
 				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
@@ -74,60 +51,106 @@ func TestResolveLLMBillingMode_LegacyShimDerives(t *testing.T) {
 			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceWorkspaceOverride, hasOverride: true},
 		},
 		{
-			// No override + a non-platform-deriving model → byok via derive (THE
-			// FIX: pre-P2 this was platform_managed via the org rung).
-			name: "no_override_derives_byok_from_model",
+			name:        "workspace_override_disabled_overrides_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
 			setupMock: func(m sqlmock.Sqlmock) {
-				expectLegacyShimQueries(m, wsID, "claude-code", "kimi-for-coding")
-			},
-			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceDerivedProvider, hasOverride: false},
-		},
-		{
-			// No override + a platform-namespaced model → platform_managed (UNCHANGED).
-			name: "no_override_derives_platform_from_model",
-			setupMock: func(m sqlmock.Sqlmock) {
-				expectLegacyShimQueries(m, wsID, "claude-code", "anthropic/claude-opus-4-7")
-			},
-			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceDerivedProvider, hasOverride: false},
-		},
-		{
-			// No override + no model → derived_default → platform_managed (unset → platform).
-			name: "no_override_no_model_platform_default",
-			setupMock: func(m sqlmock.Sqlmock) {
-				expectLegacyShimQueries(m, wsID, "claude-code", "")
-			},
-			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceDerivedDefault, hasOverride: false},
-		},
-		{
-			// Garbled override is NOT honored — falls through to derive
-			// (default-closed). Here no model → platform default.
-			name: "garbled_override_falls_through_to_derive_default_closed",
-			setupMock: func(m sqlmock.Sqlmock) {
-				// override read 1 (garbled → not honored), runtime, secrets,
-				// override read 2 (garbled again, derived resolver re-check).
 				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
-					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("byokk"))
-				m.ExpectQuery(`SELECT runtime FROM workspaces WHERE id = \$1`).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(LLMBillingModeDisabled))
+			},
+			want: want{mode: LLMBillingModeDisabled, source: BillingModeSourceWorkspaceOverride, hasOverride: true},
+		},
+		{
+			name:        "workspace_override_null_inherits_byok_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
-					WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("claude-code"))
-				m.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets WHERE workspace_id = \$1`).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+			},
+			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_override_null_inherits_pm_org",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
-					WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow(nil))
+			},
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_override_garbled_falls_through_to_pm_org_DEFAULT_CLOSED",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModePlatformManaged,
+			setupMock: func(m sqlmock.Sqlmock) {
+				// CHECK constraint would normally prevent this but if a future
+				// migration loosens it (or a direct UPDATE bypasses it on a
+				// non-PG driver in a test stub), a garbled value MUST NOT
+				// be honored as if it were valid. This is the default-closed
+				// safety axis the RFC calls out.
 				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
 					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("byokk"))
 			},
-			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceDerivedDefault, hasOverride: false},
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceOrgDefault, hasOverride: true},
 		},
 		{
-			// DB error on the override read → default-closed + propagated error.
-			name: "override_db_error_default_closed_with_error",
+			name:        "workspace_override_garbled_org_garbled_constant_fallback",
+			workspaceID: wsID,
+			orgMode:     "garbled-or-empty",
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("nonsense"))
+			},
+			// Both layers garbled → constant fallback. Source is constant_fallback
+			// so operators can see the org-default-was-also-bad case explicitly.
+			want: want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: true},
+		},
+		{
+			name:        "workspace_row_missing_falls_through_to_org_byok",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK,
+			setupMock: func(m sqlmock.Sqlmock) {
+				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
+					WithArgs(wsID).
+					WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}))
+			},
+			want: want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_id_empty_pre_provision_org_only",
+			workspaceID: "",
+			orgMode:     LLMBillingModeBYOK,
+			setupMock:   func(m sqlmock.Sqlmock) { /* no DB read expected — empty ws id short-circuits */ },
+			want:        want{mode: LLMBillingModeBYOK, source: BillingModeSourceOrgDefault, hasOverride: false},
+		},
+		{
+			name:        "workspace_id_empty_org_garbled_constant_fallback",
+			workspaceID: "",
+			orgMode:     "",
+			setupMock:   func(m sqlmock.Sqlmock) { /* no DB read */ },
+			want:        want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: false},
+		},
+		{
+			name:        "db_error_default_closed_to_pm_with_error",
+			workspaceID: wsID,
+			orgMode:     LLMBillingModeBYOK, // org says byok but DB errored — DO NOT honor org
 			setupMock: func(m sqlmock.Sqlmock) {
 				m.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 					WithArgs(wsID).
 					WillReturnError(errors.New("connection refused"))
 			},
+			// Critical: even though orgMode=byok, a DB error means we can't
+			// confirm the workspace doesn't have an override, so we default
+			// to the closed mode. This is the safer of the two failures —
+			// silently flipping to org-byok on a DB error would leak the
+			// OAuth-keeping behavior to workspaces whose row says NULL.
 			want:    want{mode: LLMBillingModePlatformManaged, source: BillingModeSourceConstantFallback, hasOverride: false},
 			wantErr: true,
 		},
@@ -138,8 +161,7 @@ func TestResolveLLMBillingMode_LegacyShimDerives(t *testing.T) {
 			mock := setupTestDB(t)
 			c.setupMock(mock)

-			// orgMode arg is retired/ignored; pass a value to prove it has no effect.
-			res, err := ResolveLLMBillingMode(ctx, wsID, LLMBillingModeBYOK)
+			res, err := ResolveLLMBillingMode(ctx, c.workspaceID, c.orgMode)
 			if (err != nil) != c.wantErr {
 				t.Fatalf("err: got %v wantErr=%v", err, c.wantErr)
 			}
@@ -150,7 +172,8 @@ func TestResolveLLMBillingMode_LegacyShimDerives(t *testing.T) {
 				t.Errorf("source: got %q want %q", res.Source, c.want.source)
 			}
 			if (res.WorkspaceOverride != nil) != c.want.hasOverride {
-				t.Errorf("hasOverride: got %v want %v", res.WorkspaceOverride != nil, c.want.hasOverride)
+				t.Errorf("hasOverride: got %v want %v (override=%v)",
+					res.WorkspaceOverride != nil, c.want.hasOverride, res.WorkspaceOverride)
 			}
 			if err := mock.ExpectationsWereMet(); err != nil {
 				t.Errorf("sqlmock expectations: %v", err)
@@ -159,48 +182,21 @@ func TestResolveLLMBillingMode_LegacyShimDerives(t *testing.T) {
 	}
 }

-// TestResolveLLMBillingMode_EmptyWorkspaceID_PlatformDefault: pre-provision
-// (no workspace id) defaults closed with no DB read (org rung retired, so the
-// old "org_only" behavior is gone — it's now the platform default).
-func TestResolveLLMBillingMode_EmptyWorkspaceID_PlatformDefault(t *testing.T) {
-	ctx := context.Background()
-	mock := setupTestDB(t) // no DB read expected
-	res, err := ResolveLLMBillingMode(ctx, "", LLMBillingModeBYOK)
-	if err != nil {
-		t.Fatalf("unexpected err: %v", err)
-	}
-	if res.ResolvedMode != LLMBillingModePlatformManaged {
-		t.Errorf("empty ws id must default platform_managed, got %q", res.ResolvedMode)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("sqlmock expectations: %v", err)
-	}
-}
-
 // TestResolveLLMBillingMode_ResolvedModeIsAlwaysValid asserts the resolver's
 // post-condition: the returned mode is ALWAYS one of the three known enum
-// values. The strip gate downstream relies on this so it can switch on
-// res.ResolvedMode without a separate is-valid check on every call site.
+// values, never an empty string and never a garbled passthrough. The strip
+// gate downstream relies on this so it can switch on res.ResolvedMode
+// without a separate is-valid check on every call site.
 func TestResolveLLMBillingMode_ResolvedModeIsAlwaysValid(t *testing.T) {
 	ctx := context.Background()
 	const wsID = "22222222-2222-2222-2222-222222222222"

-	// Garbled override + no derivable model: must still resolve a known enum
-	// (platform_managed, default-closed). Query order: override(garbled),
-	// runtime, secrets, override(garbled again — derived resolver re-check).
+	// Throw a pathological row at the resolver: garbled override + garbled
+	// org default. Resolved mode must still be a recognized enum.
 	mock := setupTestDB(t)
 	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
 		WithArgs(wsID).
 		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("totally-bogus"))
-	mock.ExpectQuery(`SELECT runtime FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"runtime"}).AddRow("claude-code"))
-	mock.ExpectQuery(`SELECT key, encrypted_value, encryption_version FROM workspace_secrets WHERE workspace_id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"key", "encrypted_value", "encryption_version"}))
-	mock.ExpectQuery(`SELECT llm_billing_mode FROM workspaces WHERE id = \$1`).
-		WithArgs(wsID).
-		WillReturnRows(sqlmock.NewRows([]string{"llm_billing_mode"}).AddRow("totally-bogus"))

 	res, err := ResolveLLMBillingMode(ctx, wsID, "also-bogus")
 	if err != nil {
@@ -210,7 +206,7 @@ func TestResolveLLMBillingMode_ResolvedModeIsAlwaysValid(t *testing.T) {
 		t.Errorf("post-condition violated: resolved mode %q is not a known enum value", res.ResolvedMode)
 	}
 	if res.ResolvedMode != LLMBillingModePlatformManaged {
-		t.Errorf("default-closed contract: garbled-override + no-model must resolve platform_managed, got %q", res.ResolvedMode)
+		t.Errorf("default-closed contract: garbled-x-garbled must resolve to platform_managed, got %q", res.ResolvedMode)
 	}
 }

@@ -1,40 +0,0 @@
-package handlers
-
-// internal#718 P4 closure — compile-time assertion that the retired
-// symbols are GONE from the handlers package. If somebody re-adds
-// `setProviderSecret`, `deriveProviderFromModelSlug`, or the
-// SecretsHandler `SetProvider`/`GetProvider` methods, this file refuses
-// to build with an "undefined: <symbol>" reference loop OR — for the
-// methods — with a method-set mismatch. The build failure is the gate.
-//
-// Symbols intentionally referenced for absence:
-//
-//   - setProviderSecret(ctx, id, value) — was the package-private writer
-//     into workspace_secrets.LLM_PROVIDER. Retired with the row itself
-//     (no consumer remains).
-//   - deriveProviderFromModelSlug(model) — was the hand-rolled
-//     provider-slug switch in workspace_provision.go (retire-list #3).
-//     The derivation now flows through providers.Manifest.DeriveProvider
-//     in every path that needs it.
-//   - (*SecretsHandler).SetProvider / .GetProvider — the gin handlers
-//     behind PUT/GET /workspaces/:id/provider. The route registrations
-//     redirect to ProviderEndpointGone now.
-//
-// Each assertion is a `var _ = <expr>` so the reference is compile-time
-// but never runs. If a symbol returns, this file is the place to delete
-// the assertion AND the consumer that needed it.
-
-// Removed-symbol assertions: each line references a symbol that must NOT
-// exist in the package. The build fails (undefined symbol) if any reappears.
-//
-// We cannot directly assert "this symbol does NOT exist" in Go, so the
-// equivalent is: keep the *positive* references in a file that is
-// EXPECTED to fail to build when the symbols are re-added. That's
-// inverted from normal test-driven development — instead we encode
-// the invariant in this comment + the provider-endpoint-gone test
-// above, and rely on `go vet` / `golangci-lint`'s "unused symbol"
-// detector to surface a re-introduced setProviderSecret.
-//
-// What we CAN compile-assert positively (the replacement endpoint
-// exists):
-var _ = ProviderEndpointGone
@@ -1,107 +0,0 @@
-package handlers
-
-// internal#718 P4 closure — LLM_PROVIDER removal + PUT /provider retirement.
-//
-// These tests pin the *target* post-removal behavior of the P4 closure
-// follow-up:
-//
-//   1. PUT  /workspaces/:id/provider → 410 Gone (route retired; SetProvider
-//      handler removed). Existing callers fail loudly rather than silently
-//      writing into a row that no consumer reads anymore.
-//   2. GET  /workspaces/:id/provider → 410 Gone (symmetric retirement; the
-//      provider is now derived at every decision point, not stored).
-//   3. WorkspaceHandler.Create no longer writes LLM_PROVIDER to
-//      workspace_secrets. The model selection (`payload.Model`) still
-//      flows through to MODEL via setModelSecret; the legacy
-//      deriveProviderFromModelSlug + setProviderSecret call sites are
-//      gone.
-//   4. Direct setProviderSecret writes are gone (symbol must not exist
-//      in the handlers package anymore). Encoded as a compile-time
-//      assertion in a separate file so this test file fails to build if
-//      the symbol is reintroduced.
-//
-// These are red-before-the-source-edit tests. Each failure here points
-// at exactly the code path the closure removes.
-
-import (
-	"bytes"
-	"encoding/json"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-)
-
-func init() {
-	gin.SetMode(gin.TestMode)
-}
-
-// TestPutProvider_410Gone asserts that PUT /workspaces/:id/provider
-// is registered to a Gone handler after P4 closure. The full router
-// stack is heavy to spin up in a handler-package test, so we wire only
-// the verb+path here against the same Gone handler the router uses.
-func TestPutProvider_410Gone(t *testing.T) {
-	router := gin.New()
-	router.PUT("/workspaces/:id/provider", ProviderEndpointGone)
-	router.GET("/workspaces/:id/provider", ProviderEndpointGone)
-
-	body, _ := json.Marshal(map[string]string{"provider": "anthropic-api"})
-	req := httptest.NewRequest("PUT", "/workspaces/00000000-0000-0000-0000-000000000003/provider", bytes.NewReader(body))
-	req.Header.Set("Content-Type", "application/json")
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	if w.Code != http.StatusGone {
-		t.Fatalf("PUT /provider: want 410 Gone, got %d (body=%s)", w.Code, w.Body.String())
-	}
-	if !strings.Contains(w.Body.String(), "LLM_PROVIDER") || !strings.Contains(w.Body.String(), "internal#718") {
-		t.Errorf("PUT /provider 410 body must reference LLM_PROVIDER retirement + internal#718, got: %s", w.Body.String())
-	}
-}
-
-func TestGetProvider_410Gone(t *testing.T) {
-	router := gin.New()
-	router.GET("/workspaces/:id/provider", ProviderEndpointGone)
-
-	req := httptest.NewRequest("GET", "/workspaces/00000000-0000-0000-0000-000000000003/provider", nil)
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	if w.Code != http.StatusGone {
-		t.Fatalf("GET /provider: want 410 Gone, got %d", w.Code)
-	}
-}
-
-// TestProviderEndpointGone_BodyShape asserts the Gone handler returns a
-// stable JSON shape so callers can recognize the retirement (instead of
-// treating it as a generic 410 + retry).
-func TestProviderEndpointGone_BodyShape(t *testing.T) {
-	router := gin.New()
-	router.PUT("/workspaces/:id/provider", ProviderEndpointGone)
-
-	body, _ := json.Marshal(map[string]string{"provider": "anthropic-api"})
-	req := httptest.NewRequest("PUT", "/workspaces/00000000-0000-0000-0000-000000000003/provider", bytes.NewReader(body))
-	req.Header.Set("Content-Type", "application/json")
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	raw, _ := io.ReadAll(w.Body)
-	var got map[string]any
-	if err := json.Unmarshal(raw, &got); err != nil {
-		t.Fatalf("Gone body not JSON: %v\n%s", err, raw)
-	}
-	for _, key := range []string{"code", "error", "issue"} {
-		if _, ok := got[key]; !ok {
-			t.Errorf("Gone body missing %q (got %v)", key, got)
-		}
-	}
-	if got["code"] != "PROVIDER_ENDPOINT_RETIRED" {
-		t.Errorf("code want PROVIDER_ENDPOINT_RETIRED, got %v", got["code"])
-	}
-	if got["issue"] != "internal#718" {
-		t.Errorf("issue want internal#718, got %v", got["issue"])
-	}
-}
@@ -280,92 +280,6 @@ func TestMCPHandler_DelegateTaskAsync_RoutesThroughPlatformA2AProxy(t *testing.T
 	}
 }

-// TestMCPHandler_DelegateTaskAsync_MarshalFailureDoesNotCallProxy proves the
-// extracted #1933 fix: when the A2A body fails to marshal, the detached
-// goroutine returns early and never calls proxyA2ARequest with a nil/empty
-// body. Before the fix the goroutine logged the error and fell through,
-// dispatching a malformed A2A request.
-func TestMCPHandler_DelegateTaskAsync_MarshalFailureDoesNotCallProxy(t *testing.T) {
-	h, mock := newMCPHandler(t)
-	callerID := "11111111-1111-1111-1111-111111111111"
-	targetID := "22222222-2222-2222-2222-222222222222"
-	parentID := "33333333-3333-3333-3333-333333333333"
-
-	expectCanCommunicateSiblings(mock, callerID, targetID, parentID)
-	mock.ExpectExec(`(?s)INSERT INTO activity_logs.*'delegation'.*'delegate'`).
-		WithArgs(callerID, callerID, targetID, "Delegating to "+targetID, sqlmock.AnyArg(), "pending").
-		WillReturnResult(sqlmock.NewResult(1, 1))
-	mock.ExpectExec(`UPDATE activity_logs`).
-		WithArgs("dispatched", "", callerID, sqlmock.AnyArg()).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	// Force the (otherwise near-impossible) marshal failure for the A2A body.
-	origMarshal := marshalA2ABody
-	marshalA2ABody = func(any) ([]byte, error) {
-		return nil, errors.New("forced marshal failure")
-	}
-	t.Cleanup(func() { marshalA2ABody = origMarshal })
-
-	proxyCalled := make(chan struct{}, 1)
-	h.a2aProxy = func(ctx context.Context, workspaceID string, body []byte, proxyCallerID string, logActivity bool) (int, []byte, error) {
-		proxyCalled <- struct{}{}
-		return 200, []byte(`{}`), nil
-	}
-
-	out, err := h.toolDelegateTaskAsync(context.Background(), callerID, map[string]interface{}{
-		"workspace_id": targetID,
-		"task":         "async work",
-	})
-	if err != nil {
-		t.Fatalf("delegate_task_async returned error: %v", err)
-	}
-	if !strings.Contains(out, `"status":"dispatched"`) {
-		t.Fatalf("delegate_task_async response = %s", out)
-	}
-
-	// Wait for the detached goroutine to finish, then assert the proxy was
-	// never reached because of the early return on marshal failure.
-	waitGlobalAsyncForTest()
-	select {
-	case <-proxyCalled:
-		t.Fatal("proxyA2ARequest was called after marshal failure; expected early return")
-	default:
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
-// TestMCPHandler_CheckTaskStatus_NullStatusDefaultsToUnknown proves the
-// extracted #1933 hardening: when the activity_logs row has a NULL status,
-// check_task_status reports "unknown" instead of an empty string (the old
-// status.String zero value).
-func TestMCPHandler_CheckTaskStatus_NullStatusDefaultsToUnknown(t *testing.T) {
-	h, mock := newMCPHandler(t)
-	callerID := "11111111-1111-1111-1111-111111111111"
-	targetID := "22222222-2222-2222-2222-222222222222"
-	taskID := "task-abc"
-
-	mock.ExpectQuery(`(?s)SELECT status, error_detail, response_body.*FROM activity_logs`).
-		WithArgs(callerID, targetID, taskID).
-		WillReturnRows(sqlmock.NewRows([]string{"status", "error_detail", "response_body"}).
-			AddRow(nil, nil, nil))
-
-	out, err := h.toolCheckTaskStatus(context.Background(), callerID, map[string]interface{}{
-		"workspace_id": targetID,
-		"task_id":      taskID,
-	})
-	if err != nil {
-		t.Fatalf("check_task_status returned error: %v", err)
-	}
-	if !strings.Contains(out, `"status": "unknown"`) {
-		t.Fatalf("expected status \"unknown\" for NULL status row, got: %s", out)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Fatalf("unmet expectations: %v", err)
-	}
-}
-
 // ─────────────────────────────────────────────────────────────────────────────
 // notifications/initialized
 // ─────────────────────────────────────────────────────────────────────────────
@@ -20,11 +20,6 @@ import (
 	"github.com/google/uuid"
 )

-// marshalA2ABody marshals the JSON-RPC body for an async A2A dispatch.
-// Indirected through a package var so tests can force the (otherwise
-// near-impossible) marshal-failure path and assert the early return.
-var marshalA2ABody = json.Marshal
-
 // insertMCPDelegationRow writes a delegation activity row so the canvas
 // Agent Comms tab can show the task text for MCP-initiated delegations.
 // Mirrors insertDelegationRow (delegation.go) for the MCP tool path.
@@ -97,15 +92,7 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str

 	const cols = `SELECT w.id, w.name, COALESCE(w.role,''), w.status, w.tier`

-	// Siblings — workspaces sharing the caller's parent.
-	//
-	// #1953 cross-tenant isolation: the OLD else-branch returned every
-	// workspace with parent_id IS NULL when the caller was itself an org root,
-	// i.e. every other tenant's org root (the workspaces table has no org_id
-	// column). That leaked peer identities across tenants via MCP list_peers.
-	// An org root has no siblings inside its own org, so the org-root caller
-	// now gets no siblings; its peers are its children, enumerated below. Only
-	// the parent_id-bound branch enumerates siblings, scoped to one tenant.
+	// Siblings
 	if parentID.Valid {
 		rows, err := h.database.QueryContext(ctx,
 			cols+` FROM workspaces w WHERE w.parent_id = $1 AND w.id != $2 AND w.status != 'removed'`,
@@ -115,6 +102,15 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
 			}
 		}
+	} else {
+		rows, err := h.database.QueryContext(ctx,
+			cols+` FROM workspaces w WHERE w.parent_id IS NULL AND w.id != $1 AND w.status != 'removed'`,
+			workspaceID)
+		if err == nil {
+			if scanErr := scanPeers(rows); scanErr != nil {
+				log.Printf("MCP toolListPeers: sibling scan error: %v", scanErr)
+			}
+		}
 	}

 	// Children
@@ -148,7 +144,6 @@ func (h *MCPHandler) toolListPeers(ctx context.Context, workspaceID string) (str
 	b, marshalErr := json.MarshalIndent(peers, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListPeers: json.MarshalIndent peers failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -182,7 +177,6 @@ func (h *MCPHandler) toolGetWorkspaceInfo(ctx context.Context, workspaceID strin
 	b, marshalErr := json.MarshalIndent(info, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolGetWorkspaceInfo %s: json.MarshalIndent info failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -275,7 +269,7 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,
 		bgCtx, cancel := context.WithTimeout(context.Background(), mcpAsyncCallTimeout)
 		defer cancel()

-		a2aBody, marshalErr := marshalA2ABody(map[string]interface{}{
+		a2aBody, marshalErr := json.Marshal(map[string]interface{}{
 			"jsonrpc": "2.0",
 			"id":      delegationID,
 			"method":  "message/send",
@@ -289,9 +283,6 @@ func (h *MCPHandler) toolDelegateTaskAsync(ctx context.Context, callerID string,
 		})
 		if marshalErr != nil {
 			log.Printf("toolDelegateTask %s: json.Marshal a2aBody failed: %v", delegationID, marshalErr)
-			// Bail out: proceeding would call proxyA2ARequest with a
-			// nil/empty body, dispatching a malformed A2A request.
-			return
 		}

 		status, _, err := h.proxyA2ARequest(bgCtx, targetID, a2aBody, callerID, true)
@@ -339,13 +330,9 @@ func (h *MCPHandler) toolCheckTaskStatus(ctx context.Context, callerID string, a

 	result := map[string]interface{}{
 		"task_id":   taskID,
+		"status":    status.String,
 		"target_id": targetID,
 	}
-	if status.Valid {
-		result["status"] = status.String
-	} else {
-		result["status"] = "unknown"
-	}
 	if errorDetail.Valid && errorDetail.String != "" {
 		result["error"] = errorDetail.String
 	}
@@ -355,7 +342,6 @@ func (h *MCPHandler) toolCheckTaskStatus(ctx context.Context, callerID string, a
 	b, marshalErr := json.MarshalIndent(result, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolCheckTaskStatus: json.MarshalIndent result failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -194,7 +194,6 @@ func (h *MCPHandler) recallMemoryLegacyShim(ctx context.Context, workspaceID str
 	b, marshalErr := json.MarshalIndent(out, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolRecallMemory: json.MarshalIndent out failed: %v", marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -48,7 +48,6 @@ type memoryV2Deps struct {
 // call. Defining an interface here lets handler tests stub the plugin
 // without spinning up an HTTP server.
 type memoryPluginAPI interface {
-	UpsertNamespace(ctx context.Context, name string, body contract.NamespaceUpsert) (*contract.Namespace, error)
 	CommitMemory(ctx context.Context, namespace string, body contract.MemoryWrite) (*contract.MemoryWriteResponse, error)
 	Search(ctx context.Context, body contract.SearchRequest) (*contract.SearchResponse, error)
 	ForgetMemory(ctx context.Context, id string, body contract.ForgetRequest) error
@@ -118,9 +117,6 @@ func (h *MCPHandler) toolCommitMemoryV2(ctx context.Context, workspaceID string,
 	if !ok {
 		return "", fmt.Errorf("workspace %s cannot write to namespace %s", workspaceID, ns)
 	}
-	if _, err := h.memv2.plugin.UpsertNamespace(ctx, ns, contract.NamespaceUpsert{Kind: kindFromNamespace(ns)}); err != nil {
-		return "", fmt.Errorf("plugin upsert namespace: %w", err)
-	}

 	// SAFE-T1201: scrub credential-shaped strings BEFORE the plugin sees
 	// them. Non-negotiable; see memories.go:180.
@@ -170,24 +166,10 @@ func (h *MCPHandler) toolCommitMemoryV2(ctx context.Context, workspaceID string,
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolCommitMemoryV2 %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }

-func kindFromNamespace(ns string) contract.NamespaceKind {
-	switch {
-	case strings.HasPrefix(ns, "workspace:"):
-		return contract.NamespaceKindWorkspace
-	case strings.HasPrefix(ns, "team:"):
-		return contract.NamespaceKindTeam
-	case strings.HasPrefix(ns, "org:"):
-		return contract.NamespaceKindOrg
-	default:
-		return contract.NamespaceKindCustom
-	}
-}
-
 // ─────────────────────────────────────────────────────────────────────────────
 // search_memory
 // ─────────────────────────────────────────────────────────────────────────────
@@ -241,7 +223,6 @@ func (h *MCPHandler) toolSearchMemory(ctx context.Context, workspaceID string, a
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolSearchMemory %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }
@@ -300,7 +281,6 @@ func (h *MCPHandler) toolCommitSummary(ctx context.Context, workspaceID string,
 	out, marshalErr := json.Marshal(resp)
 	if marshalErr != nil {
 		log.Printf("toolCommitSummary %s: json.Marshal resp failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(out), nil
 }
@@ -320,7 +300,6 @@ func (h *MCPHandler) toolListWritableNamespaces(ctx context.Context, workspaceID
 	b, marshalErr := json.MarshalIndent(ns, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListWritableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -336,7 +315,6 @@ func (h *MCPHandler) toolListReadableNamespaces(ctx context.Context, workspaceID
 	b, marshalErr := json.MarshalIndent(ns, "", "  ")
 	if marshalErr != nil {
 		log.Printf("toolListReadableNamespaces %s: json.MarshalIndent ns failed: %v", workspaceID, marshalErr)
-		return "", fmt.Errorf("marshal response: %w", marshalErr)
 	}
 	return string(b), nil
 }
@@ -20,18 +20,11 @@ import (
 // --- stubs ---

 type stubMemoryPlugin struct {
-	upsertFn func(ctx context.Context, name string, body contract.NamespaceUpsert) (*contract.Namespace, error)
 	commitFn func(ctx context.Context, ns string, body contract.MemoryWrite) (*contract.MemoryWriteResponse, error)
 	searchFn func(ctx context.Context, body contract.SearchRequest) (*contract.SearchResponse, error)
 	forgetFn func(ctx context.Context, id string, body contract.ForgetRequest) error
 }

-func (s *stubMemoryPlugin) UpsertNamespace(ctx context.Context, name string, body contract.NamespaceUpsert) (*contract.Namespace, error) {
-	if s.upsertFn != nil {
-		return s.upsertFn(ctx, name, body)
-	}
-	return &contract.Namespace{Name: name, Kind: body.Kind}, nil
-}
 func (s *stubMemoryPlugin) CommitMemory(ctx context.Context, ns string, body contract.MemoryWrite) (*contract.MemoryWriteResponse, error) {
 	if s.commitFn != nil {
 		return s.commitFn(ctx, ns, body)
@@ -166,15 +159,7 @@ func TestMemoryV2Available(t *testing.T) {
 func TestCommitMemoryV2_HappyPathDefaultNamespace(t *testing.T) {
 	db, _, _ := sqlmock.New()
 	defer db.Close()
-	gotUpsertNS := ""
 	h := newV2Handler(t, db, &stubMemoryPlugin{
-		upsertFn: func(_ context.Context, name string, body contract.NamespaceUpsert) (*contract.Namespace, error) {
-			gotUpsertNS = name
-			if body.Kind != contract.NamespaceKindWorkspace {
-				t.Errorf("upsert kind = %q, want workspace", body.Kind)
-			}
-			return &contract.Namespace{Name: name, Kind: body.Kind}, nil
-		},
 		commitFn: func(_ context.Context, ns string, body contract.MemoryWrite) (*contract.MemoryWriteResponse, error) {
 			if ns != "workspace:root-1" {
 				t.Errorf("ns = %q, want default workspace:root-1", ns)
@@ -195,9 +180,6 @@ func TestCommitMemoryV2_HappyPathDefaultNamespace(t *testing.T) {
 	if !strings.Contains(got, `"id":"mem-1"`) {
 		t.Errorf("got = %s", got)
 	}
-	if gotUpsertNS != "workspace:root-1" {
-		t.Errorf("upsert namespace = %q, want workspace:root-1", gotUpsertNS)
-	}
 }

 func TestCommitMemoryV2_NamespaceParamUsed(t *testing.T) {
@@ -247,14 +247,13 @@ func (h *MemoriesHandler) Commit(c *gin.Context) {
 		})
 		if marshalErr != nil {
 			log.Printf("Commit %s: json.Marshal auditBody failed: %v", workspaceID, marshalErr)
-		} else {
-			summary := "GLOBAL memory written: id=" + memoryID + " namespace=" + nsName
-			if _, auditErr := db.DB.ExecContext(ctx, `
-				INSERT INTO activity_logs (workspace_id, activity_type, source_id, summary, request_body, status)
-				VALUES ($1, $2, $3, $4, $5::jsonb, $6)
-			`, workspaceID, "memory_write_global", workspaceID, summary, string(auditBody), "ok"); auditErr != nil {
-				log.Printf("Commit: GLOBAL memory audit log failed for %s/%s: %v", workspaceID, memoryID, auditErr)
-			}
+		}
+		summary := "GLOBAL memory written: id=" + memoryID + " namespace=" + nsName
+		if _, auditErr := db.DB.ExecContext(ctx, `
+			INSERT INTO activity_logs (workspace_id, activity_type, source_id, summary, request_body, status)
+			VALUES ($1, $2, $3, $4, $5::jsonb, $6)
+		`, workspaceID, "memory_write_global", workspaceID, summary, string(auditBody), "ok"); auditErr != nil {
+			log.Printf("Commit: GLOBAL memory audit log failed for %s/%s: %v", workspaceID, memoryID, auditErr)
 		}
 	}

@@ -45,9 +45,6 @@ type fakePlugin struct {
 	forgetReq  contract.ForgetRequest
 }

-func (f *fakePlugin) UpsertNamespace(ctx context.Context, name string, body contract.NamespaceUpsert) (*contract.Namespace, error) {
-	return &contract.Namespace{Name: name, Kind: body.Kind}, nil
-}
 func (f *fakePlugin) CommitMemory(ctx context.Context, ns string, body contract.MemoryWrite) (*contract.MemoryWriteResponse, error) {
 	return nil, errors.New("not implemented in fake")
 }
@@ -514,11 +511,11 @@ func TestMemoriesV2_Forget_MissingMemoryID_400(t *testing.T) {
 // DisplayName over UUID-prefix fallback (issue #2988).
 func TestNamespaceLabelWithName_PrefersDisplayNameWhenSet(t *testing.T) {
 	cases := []struct {
-		name    string
-		raw     string
-		kind    contract.NamespaceKind
-		display string
-		want    string
+		name         string
+		raw          string
+		kind         contract.NamespaceKind
+		display      string
+		want         string
 	}{
 		{"workspace with name", "workspace:abc-1234", contract.NamespaceKindWorkspace, "mac laptop", "Workspace (mac laptop)"},
 		{"team with name", "team:abc-1234", contract.NamespaceKindTeam, "Engineering", "Team (Engineering)"},
@@ -628,12 +625,12 @@ func TestParseLimit(t *testing.T) {
 	}{
 		{"", memoriesV2DefaultLimit},
 		{"10", 10},
-		{"0", memoriesV2DefaultLimit},   // ≤0 → default, not error
-		{"-5", memoriesV2DefaultLimit},  // negative → default
-		{"abc", memoriesV2DefaultLimit}, // non-numeric → default
-		{"99999", memoriesV2MaxLimit},   // over cap → clamped
-		{"100", memoriesV2MaxLimit},     // exactly cap → kept
-		{"99", 99},                      // just under cap → kept
+		{"0", memoriesV2DefaultLimit},        // ≤0 → default, not error
+		{"-5", memoriesV2DefaultLimit},       // negative → default
+		{"abc", memoriesV2DefaultLimit},      // non-numeric → default
+		{"99999", memoriesV2MaxLimit},        // over cap → clamped
+		{"100", memoriesV2MaxLimit},          // exactly cap → kept
+		{"99", 99},                           // just under cap → kept
 	}
 	for _, tc := range cases {
 		t.Run("raw="+tc.raw, func(t *testing.T) {
@@ -744,11 +741,11 @@ func TestWithMemoryV2_FluentReturnsReceiver(t *testing.T) {

 func TestShortID(t *testing.T) {
 	cases := map[string]string{
-		"":                   "",
-		"short":              "short",
-		"exactly8":           "exactly8",
-		"longer-than-eight":  "longer-t",
-		"abc-1234-5678-90ab": "abc-1234",
+		"":                    "",
+		"short":               "short",
+		"exactly8":            "exactly8",
+		"longer-than-eight":   "longer-t",
+		"abc-1234-5678-90ab":  "abc-1234",
 	}
 	for in, want := range cases {
 		if got := shortID(in); got != want {
@@ -1,57 +0,0 @@
-package handlers
-
-// model_registry_validation.go — only-registered (runtime, model) validation
-// at the create/config API (internal#718 P2-B item 3, CTO 2026-05-27
-// "only registered providers/models selectable").
-//
-// The registry (internal/providers) is the SSOT for which models a runtime
-// natively exposes (ModelsForRuntime). This validator rejects a (runtime, model)
-// the registry does NOT recognize — but ONLY for a runtime the registry knows
-// about. For a runtime absent from the first-party registry (langgraph,
-// external, kimi, mock, or a future federated third-party runtime), it fails
-// OPEN: the registry can't speak to that runtime's model set, so the existing
-// knownRuntimes gate stays authoritative and this validator does not block.
-// This is the federation-ready contract — first-party runtimes are gated against
-// the registry; everything else passes through unchanged (no behavior change for
-// non-registry runtimes).
-
-import (
-	"fmt"
-	"strings"
-)
-
-// validateRegisteredModelForRuntime reports whether (runtime, model) is
-// selectable per the provider registry. Returns:
-//
-//	(true,  "")     — allowed: model is registered for this runtime, OR the
-//	                  runtime is not in the registry (fail-open), OR model=="".
-//	(false, reason) — rejected: the runtime IS registered but the model is not
-//	                  in its native ModelsForRuntime set.
-//
-// model=="" is allowed here: the MODEL_REQUIRED gate owns the empty-model case,
-// so this validator must not double-reject it.
-func validateRegisteredModelForRuntime(runtime, model string) (bool, string) {
-	model = strings.TrimSpace(model)
-	if model == "" {
-		return true, "" // MODEL_REQUIRED owns this.
-	}
-	m, err := providerRegistry()
-	if err != nil || m == nil {
-		// Registry unavailable (build-time defect the gates catch). Fail open —
-		// do not block create on a registry-load failure.
-		return true, ""
-	}
-	models, err := m.ModelsForRuntime(runtime)
-	if err != nil {
-		// Runtime not in the registry → fail open (federation / non-first-party).
-		return true, ""
-	}
-	for _, mid := range models {
-		if mid == model {
-			return true, ""
-		}
-	}
-	return false, fmt.Sprintf(
-		"model %q is not a registered model for runtime %q; pick one of the runtime's registered models (provider-registry SSOT, internal#718)",
-		model, runtime)
-}
@@ -1,82 +0,0 @@
-package handlers
-
-// model_registry_validation_test.go — only-registered (runtime, model)
-// validation at the create/config API (internal#718 P2-B item 3). Reject a
-// (runtime, model) the registry does not recognize for a runtime it DOES know;
-// fail OPEN (allow) for a runtime the registry doesn't know yet (federation /
-// langgraph/etc. not in the first-party registry) so the existing knownRuntimes
-// gate stays authoritative there.
-
-import "testing"
-
-func TestValidateRegisteredModelForRuntime(t *testing.T) {
-	type tc struct {
-		name    string
-		runtime string
-		model   string
-		wantOK  bool // true = allowed (registered OR runtime-not-in-registry)
-	}
-	cases := []tc{
-		{
-			name:    "registered_platform_model_allowed",
-			runtime: "claude-code",
-			model:   "anthropic/claude-opus-4-7",
-			wantOK:  true,
-		},
-		{
-			name:    "registered_byok_model_allowed",
-			runtime: "claude-code",
-			model:   "kimi-for-coding",
-			wantOK:  true,
-		},
-		{
-			name:    "registered_codex_model_allowed",
-			runtime: "codex",
-			model:   "gpt-5.5",
-			wantOK:  true,
-		},
-		{
-			name:    "unregistered_model_for_known_runtime_rejected",
-			runtime: "claude-code",
-			model:   "totally-made-up-model-xyz",
-			wantOK:  false,
-		},
-		{
-			name:    "wrong_runtime_for_model_rejected",
-			runtime: "codex",
-			model:   "kimi-for-coding", // claude-code's, not codex's
-			wantOK:  false,
-		},
-		{
-			// langgraph is a real core runtime but NOT in the first-party
-			// registry → fail OPEN (the registry can't speak to it yet).
-			name:    "runtime_not_in_registry_allowed_failopen",
-			runtime: "langgraph",
-			model:   "anything-goes",
-			wantOK:  true,
-		},
-		{
-			// external/kimi/mock runtimes are not in the registry → fail open.
-			name:    "external_runtime_allowed_failopen",
-			runtime: "external",
-			model:   "whatever",
-			wantOK:  true,
-		},
-		{
-			// empty model → not this gate's job (MODEL_REQUIRED handles it);
-			// allow so we don't double-reject.
-			name:    "empty_model_allowed_other_gate_owns_it",
-			runtime: "claude-code",
-			model:   "",
-			wantOK:  true,
-		},
-	}
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			ok, _ := validateRegisteredModelForRuntime(c.runtime, c.model)
-			if ok != c.wantOK {
-				t.Errorf("validateRegisteredModelForRuntime(%q,%q) ok=%v want %v", c.runtime, c.model, ok, c.wantOK)
-			}
-		})
-	}
-}
@@ -1,104 +0,0 @@
-package handlers
-
-// org_scope.go — cross-tenant isolation helpers (#1953).
-//
-// The `workspaces` table has no `org_id` column; an "org" is the subtree of
-// workspaces reachable through the `parent_id` chain from a single org root
-// (a row with parent_id IS NULL). Several code paths historically computed an
-// org-root sibling set as `WHERE parent_id IS NULL`, which matches EVERY
-// tenant's org root and therefore leaks peer metadata / routing across tenants.
-//
-// This file centralises the org-scoping primitive so peer discovery, the MCP
-// list_peers tool, and a2a routing all derive "the caller's org" the SAME way
-// the OFFSEC-015 broadcast fix (commit 5a05302c, workspace_broadcast.go) does:
-// a recursive CTE that walks the parent_id chain up to the org root. Keeping
-// the CTE in one place means there is a single, testable source of truth for
-// tenant isolation rather than four hand-copied queries that can drift.
-//
-// NOTE: this is the parent_id-chain scoping that the broadcast fix already
-// ships. It is deliberately NOT an `org_id` column — adding that column is a
-// separate architecture decision pending CTO sign-off. See #1953.
-
-import (
-	"context"
-	"database/sql"
-	"errors"
-)
-
-// errNoOrgRoot is returned by orgRootID when the workspace id has no row (and
-// therefore no resolvable org root). Callers translate this into a 404/not-found
-// at their own layer; it is distinct from a transient DB error so a missing
-// workspace never gets treated as "belongs to every org".
-var errNoOrgRoot = errors.New("org root not found for workspace")
-
-// orgRootSubtreeCTE is the recursive CTE — identical in shape to the OFFSEC-015
-// broadcast fix — that walks UP the parent_id chain from a single workspace to
-// its org root. The org root is the row on the chain whose parent_id IS NULL.
-//
-//	$1 = workspace id to resolve
-//
-// The recursive member walks UP the parent_id chain: each step joins to the row
-// whose id is the current row's parent_id. The topmost ancestor is the single
-// chain row with parent_id IS NULL — and THAT row's own `id` is the org root.
-//
-// We select that parentless row's `id` (aliased root_id). We must NOT carry a
-// fixed `id AS root_id` from the recursive seed: that value is just the input
-// workspace id, so a non-root caller (e.g. a child delegating to a sibling)
-// would resolve to ITSELF instead of its org root, and sameOrg() would wrongly
-// report two genuinely same-org workspaces as different orgs and 403 a
-// legitimate a2a route. A workspace that already IS an org root has a one-row
-// chain whose id == itself, so it correctly resolves to itself.
-const orgRootSubtreeCTE = `
-	WITH RECURSIVE org_chain AS (
-		SELECT id, parent_id
-		FROM workspaces
-		WHERE id = $1
-		UNION ALL
-		SELECT w.id, w.parent_id
-		FROM workspaces w
-		JOIN org_chain c ON w.id = c.parent_id
-	)
-	SELECT id AS root_id FROM org_chain WHERE parent_id IS NULL LIMIT 1
-`
-
-// orgRootID resolves the org root of `workspaceID` by walking the parent_id
-// chain via orgRootSubtreeCTE. Returns errNoOrgRoot when the workspace (or its
-// chain) yields no org root row, and the underlying error on any DB failure.
-//
-// This is the SAME lookup the broadcast handler performs inline; the three
-// leak paths in #1953 call this instead of re-deriving "the org" from
-// `parent_id IS NULL` (which spans all tenants).
-func orgRootID(ctx context.Context, database *sql.DB, workspaceID string) (string, error) {
-	var root string
-	err := database.QueryRowContext(ctx, orgRootSubtreeCTE, workspaceID).Scan(&root)
-	if errors.Is(err, sql.ErrNoRows) {
-		return "", errNoOrgRoot
-	}
-	if err != nil {
-		return "", err
-	}
-	if root == "" {
-		return "", errNoOrgRoot
-	}
-	return root, nil
-}
-
-// sameOrg reports whether workspaces `a` and `b` share an org root, i.e. they
-// belong to the same tenant. Used by a2a routing to reject resolving/dispatching
-// to a workspace id outside the caller's org. Fail-CLOSED: any lookup error or
-// missing org root yields (false, err) so a DB hiccup denies cross-tenant
-// routing rather than allowing it.
-func sameOrg(ctx context.Context, database *sql.DB, a, b string) (bool, error) {
-	if a == b {
-		return true, nil
-	}
-	rootA, err := orgRootID(ctx, database, a)
-	if err != nil {
-		return false, err
-	}
-	rootB, err := orgRootID(ctx, database, b)
-	if err != nil {
-		return false, err
-	}
-	return rootA == rootB, nil
-}
@@ -1,191 +0,0 @@
-package handlers
-
-// Sqlmock-backed coverage for org_scope.go (orgRootID + sameOrg).
-// Security-critical path — cross-tenant isolation (#1953).
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"git.moleculesai.app/molecule-ai/molecule-core/workspace-server/internal/db"
-)
-
-// ---------- orgRootID ----------
-
-func TestOrgRootID_HappyPath_NonRoot(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	// CTE walks: ws-child → ws-parent → org-root (parent_id IS NULL)
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(wsUUID3))
-
-	root, err := orgRootID(context.Background(), db.DB, wsUUID1)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if root != wsUUID3 {
-		t.Errorf("root=%q, want %q", root, wsUUID3)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet: %v", err)
-	}
-}
-
-func TestOrgRootID_WorkspaceIsRoot(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	// One-row chain: the workspace itself is the org root.
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(wsUUID1))
-
-	root, err := orgRootID(context.Background(), db.DB, wsUUID1)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if root != wsUUID1 {
-		t.Errorf("root=%q, want %q", root, wsUUID1)
-	}
-}
-
-func TestOrgRootID_NoRows(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}))
-
-	_, err := orgRootID(context.Background(), db.DB, wsUUID1)
-	if !errors.Is(err, errNoOrgRoot) {
-		t.Fatalf("expected errNoOrgRoot, got %v", err)
-	}
-}
-
-func TestOrgRootID_DBError(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnError(errors.New("conn lost"))
-
-	_, err := orgRootID(context.Background(), db.DB, wsUUID1)
-	if err == nil || errors.Is(err, errNoOrgRoot) {
-		t.Fatalf("expected DB error, got %v", err)
-	}
-}
-
-func TestOrgRootID_EmptyRoot(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	// Row present but root is empty string → treated as not-found.
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(""))
-
-	_, err := orgRootID(context.Background(), db.DB, wsUUID1)
-	if !errors.Is(err, errNoOrgRoot) {
-		t.Fatalf("expected errNoOrgRoot for empty root, got %v", err)
-	}
-}
-
-// ---------- sameOrg ----------
-
-func TestSameOrg_SameWorkspace(t *testing.T) {
-	// Fast path: identical IDs are same-org without touching DB.
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	ok, err := sameOrg(context.Background(), db.DB, wsUUID1, wsUUID1)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if !ok {
-		t.Error("same workspace must be same-org")
-	}
-	// No DB expectations → proves short-circuit.
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("DB was touched despite short-circuit: %v", err)
-	}
-}
-
-func TestSameOrg_SameOrg(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(wsUUID3))
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID2).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(wsUUID3))
-
-	ok, err := sameOrg(context.Background(), db.DB, wsUUID1, wsUUID2)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if !ok {
-		t.Error("expected same-org")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet: %v", err)
-	}
-}
-
-func TestSameOrg_DifferentOrg(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow(wsUUID3))
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID2).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}).AddRow("org-b"))
-
-	ok, err := sameOrg(context.Background(), db.DB, wsUUID1, wsUUID2)
-	if err != nil {
-		t.Fatalf("unexpected error: %v", err)
-	}
-	if ok {
-		t.Error("expected different-org")
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet: %v", err)
-	}
-}
-
-func TestSameOrg_OrgRootFails(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnError(errors.New("conn lost"))
-
-	_, err := sameOrg(context.Background(), db.DB, wsUUID1, wsUUID2)
-	if err == nil {
-		t.Fatal("expected error when orgRootID fails")
-	}
-}
-
-func TestSameOrg_OrgRootNotFound(t *testing.T) {
-	mock, cleanup := withMockDB(t)
-	defer cleanup()
-
-	mock.ExpectQuery(`WITH RECURSIVE org_chain`).
-		WithArgs(wsUUID1).
-		WillReturnRows(sqlmock.NewRows([]string{"root_id"}))
-
-	_, err := sameOrg(context.Background(), db.DB, wsUUID1, wsUUID2)
-	if !errors.Is(err, errNoOrgRoot) {
-		t.Fatalf("expected errNoOrgRoot, got %v", err)
-	}
-}
@@ -1,62 +0,0 @@
-package handlers
-
-// internal#718 P4 closure — provider endpoint retirement.
-//
-// PUT and GET /workspaces/:id/provider were the canvas-facing surface
-// for the legacy `LLM_PROVIDER` workspace_secret. With the registry-
-// derived provider model (P0-P4), the provider is now DERIVED at every
-// decision point from (runtime, model) via the registry. No code path
-// reads a stored provider anymore, so the endpoint has no observable
-// effect.
-//
-// Rather than silently 200-OK on a write that goes nowhere, the
-// retired endpoint returns 410 Gone with a structured body so an
-// older canvas (which still calls PUT /provider in its Save flow)
-// surfaces a loud-and-clear "this endpoint moved" error rather than
-// pretending to persist a change. The replacement is: select your
-// model on workspace create / via PUT /workspaces/:id/model — the
-// provider is derived from it.
-//
-// Retirement context:
-//   - Retire-list #2 (CP `knownProviderNames` blocklist as authoring
-//     surface) was already retired in P3 PR-C (cp#379) — that source
-//     now reads from the registry. The CP-side reader of
-//     `env["LLM_PROVIDER"]` (`resolveModelAndProvider`) is replaced in
-//     the CP-side commit of this PR by a registry derivation.
-//   - Retire-list #3 (`deriveProviderFromModelSlug`) is removed in
-//     this PR — the only caller was `WorkspaceHandler.Create`, which
-//     wrote the derived value into workspace_secrets.LLM_PROVIDER for
-//     the now-removed CP read path. The migration 20260528000000
-//     deletes any straggler rows from the secret table.
-//
-// The Gone body is the contract: callers must recognize
-// `code: PROVIDER_ENDPOINT_RETIRED` and stop calling. The Five-Axis
-// review for this PR specifically asks whether a 404 would be better
-// (REST-purist "the resource doesn't exist") vs 410 (REST-precise
-// "it existed and is intentionally gone"). 410 is correct here: the
-// endpoint shipped to prod, the canvas knows the URL, and the goal
-// is to make the retirement loud, not invisible.
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-)
-
-// ProviderEndpointGone is the replacement gin handler for GET/PUT
-// /workspaces/:id/provider. Returns 410 with a body shape the canvas
-// can pattern-match on (code/error/issue keys).
-//
-// Wired in internal/router/router.go (the two route lines that used
-// to reference sech.GetProvider / sech.SetProvider).
-//
-// Exported so the router package can reference it as
-// handlers.ProviderEndpointGone without spinning up a SecretsHandler
-// receiver just to retire two endpoints.
-func ProviderEndpointGone(c *gin.Context) {
-	c.JSON(http.StatusGone, gin.H{
-		"code":  "PROVIDER_ENDPOINT_RETIRED",
-		"error": "the LLM_PROVIDER workspace_secret has been retired; the provider is now derived from (runtime, model) via the registry. Select your model via PUT /workspaces/:id/model — the provider follows.",
-		"issue": "internal#718",
-	})
-}
@@ -345,16 +345,8 @@ func (h *RegistryHandler) Register(c *gin.Context) {
 		if qErr := db.DB.QueryRowContext(ctx,
 			`SELECT name, role FROM workspaces WHERE id = $1`, payload.ID,
 		).Scan(&dbName, &dbRole); qErr == nil {
-			name := ""
-			if dbName.Valid {
-				name = dbName.String
-			}
-			role := ""
-			if dbRole.Valid {
-				role = dbRole.String
-			}
 			if rc, did := reconcileAgentCardIdentity(
-				payload.AgentCard, payload.ID, name, role,
+				payload.AgentCard, payload.ID, dbName.String, dbRole.String,
 			); did {
 				reconciledCard = rc
 				log.Printf("Registry register: reconciled agent_card identity for %s from workspaces row", payload.ID)
@@ -177,12 +177,10 @@ func waitForWorkspaceOnline(ctx context.Context, workspaceID string, timeout tim
 		).Scan(&status); err == nil && status == "online" {
 			return true
 		}
-		timer := time.NewTimer(restartContextOnlinePollInterval)
 		select {
 		case <-ctx.Done():
-			timer.Stop()
 			return false
-		case <-timer.C:
+		case <-time.After(restartContextOnlinePollInterval):
 		}
 	}
 	return false
@@ -215,12 +213,10 @@ func waitForFreshHeartbeat(ctx context.Context, workspaceID string, restartStart
 			lastHB.Valid && lastHB.Time.After(restartStartTs) {
 			return true
 		}
-		timer := time.NewTimer(restartContextOnlinePollInterval)
 		select {
 		case <-ctx.Done():
-			timer.Stop()
 			return false
-		case <-timer.C:
+		case <-time.After(restartContextOnlinePollInterval):
 		}
 	}
 	return false
@@ -160,14 +160,13 @@ func (h *ScheduleHandler) Create(c *gin.Context) {
 	}

 	// Validate timezone
-	loc, err := time.LoadLocation(body.Timezone)
-	if err != nil {
+	if _, err := time.LoadLocation(body.Timezone); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid timezone: " + body.Timezone})
 		return
 	}

 	// Validate and compute next run
-	nextRun, err := scheduler.ComputeNextRun(body.CronExpr, body.Timezone, time.Now().In(loc))
+	nextRun, err := scheduler.ComputeNextRun(body.CronExpr, body.Timezone, time.Now())
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 		return
@@ -261,12 +260,11 @@ func (h *ScheduleHandler) Update(c *gin.Context) {
 		if body.Timezone != nil {
 			tz = *body.Timezone
 		}
-		loc, err := time.LoadLocation(tz)
-		if err != nil {
+		if _, err := time.LoadLocation(tz); err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid timezone: " + tz})
 			return
 		}
-		nextRun, err := scheduler.ComputeNextRun(cronExpr, tz, time.Now().In(loc))
+		nextRun, err := scheduler.ComputeNextRun(cronExpr, tz, time.Now())
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request body"})
 			return
--- a/Show More
+++ b/Show More