test(external_connection): add BuildExternalConnectionPayload + externalPlatformURL coverage

- TestBuildExternalConnectionPayload_HappyPath: verifies workspace_id, platform_url, auth_token, registry_endpoint, heartbeat_endpoint. - TestBuildExternalConnectionPayload_TrailingSlashStripped: one trailing slash removed from platform URL input. - TestBuildExternalConnectionPayload_EmptyAuthToken: empty token is valid for read-only "show instructions again" path. - TestBuildExternalConnectionPayload_SnippetsStamped: all 8 snippet fields have {{PLATFORM_URL}} and {{WORKSPACE_ID}} substituted, no raw placeholders. - TestExternalPlatformURL_EnvVarTakesPrecedence: EXTERNAL_PLATFORM_URL env wins over all request-based fallbacks. - TestExternalPlatformURL_XForwardedProtoAndHost: X-Forwarded-{Proto,Host} headers override scheme/host. - TestExternalPlatformURL_HTTPSNoHeaders: TLS nil → http, TLS set → https. - TestExternalPlatformURL_HTTPNoTLS: explicit host + nil TLS → http://host. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'fix(registry): reconcile agent_card identity from trusted workspaces row (internal#492)' (#1427 ) from fix/agent-card-identity-reconcile-internal-492 into staging
2026-05-17 17:22:13 +00:00 · 2026-05-17 17:00:11 +00:00 · 2026-05-17 17:00:08 +00:00 · 2026-05-17 17:00:05 +00:00 · 2026-05-17 07:50:14 -07:00 · 2026-05-17 07:45:14 -07:00
19 changed files with 825 additions and 945 deletions
@@ -11,13 +11,21 @@ import { render, screen, fireEvent, cleanup, act } from "@testing-library/react"
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { TestConnectionButton } from "../ui/TestConnectionButton";
 import type { SecretGroup } from "@/types/secrets";
-import { validateSecret } from "@/lib/api/secrets";
+import { validateSecret, ApiError } from "@/lib/api/secrets";

 // ─── Mock validateSecret ──────────────────────────────────────────────────────
 // vi.mock is hoisted, so validateSecret (imported above) refers to the mocked
 // namespace value once vi.mock runs. Use vi.mocked() to access it in tests.
 vi.mock("@/lib/api/secrets", () => ({
  validateSecret: vi.fn(),
+  ApiError: class ApiError extends Error {
+    status: number;
+    constructor(status: number, message: string) {
+      super(message);
+      this.name = "ApiError";
+      this.status = status;
+    }
+  },
 }));

 // SecretGroup is a string literal type: 'github' | 'anthropic' | 'openrouter' | 'custom'
@@ -102,7 +110,7 @@ describe("TestConnectionButton — state machine", () => {
    expect(screen.getByText("Permission denied")).toBeTruthy();
  });

-  it("shows generic error message on unexpected exception", async () => {
+  it("shows a connectivity message on a genuine network exception", async () => {
    vi.mocked(validateSecret).mockRejectedValue(new Error("timeout"));
    render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);

@@ -110,8 +118,23 @@ describe("TestConnectionButton — state machine", () => {
    await act(async () => { /* flush */ });

    expect(screen.getByRole("alert")).toBeTruthy();
-    // The error detail is hardcoded to "Connection timed out. Service may be down."
-    expect(document.body.querySelector('[role="alert"]')?.textContent).toMatch(/timed out/i);
+    // A real thrown network error → honest connectivity message (not a
+    // fabricated "service down"); see internal#492.
+    expect(document.body.querySelector('[role="alert"]')?.textContent).toMatch(
+      /could not reach the validation service/i,
+    );
+  });
+
+  it("does not claim a timeout when the validate endpoint 404s (internal#492)", async () => {
+    vi.mocked(validateSecret).mockRejectedValue(new ApiError(404, "Not Found"));
+    render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
+
+    fireEvent.click(screen.getByRole("button"));
+    await act(async () => { /* flush */ });
+
+    const alert = document.body.querySelector('[role="alert"]')?.textContent ?? "";
+    expect(alert).not.toMatch(/timed out/i);
+    expect(alert).toMatch(/not available/i);
  });
 });

@@ -16,7 +16,40 @@ interface TokensTabProps {
  workspaceId: string;
 }

+// The settings panel passes the literal sentinel "global" when no canvas
+// node is selected. Workspace tokens are inherently per-workspace — there
+// is no /workspaces/global/tokens endpoint (querying the uuid column with
+// "global" 500s on Postgres). The org-wide equivalent lives in the
+// separate "Org API Keys" tab. Mirrors the sentinel-awareness that
+// api/secrets.ts already has (workspaceId === 'global' → /settings/secrets).
+const GLOBAL_WORKSPACE_ID = 'global';
+
 export function TokensTab({ workspaceId }: TokensTabProps) {
+  if (workspaceId === GLOBAL_WORKSPACE_ID) {
+    return (
+      <div className="p-4 space-y-4">
+        <div>
+          <h3 className="text-sm font-semibold text-ink">API Tokens</h3>
+          <p className="text-[10px] text-ink-mid mt-0.5">
+            Bearer tokens for authenticating API calls to this workspace.
+          </p>
+        </div>
+        <div className="text-center py-6">
+          <p className="text-xs text-ink-mid">Select a workspace node first</p>
+          <p className="text-[10px] text-ink-mid mt-1">
+            Workspace tokens are scoped to a single workspace. Select a node
+            on the canvas to manage its tokens, or use the{' '}
+            <span className="text-accent font-medium">Org API Keys</span> tab
+            for org-wide API keys.
+          </p>
+        </div>
+      </div>
+    );
+  }
+  return <WorkspaceTokensTab workspaceId={workspaceId} />;
+}
+
+function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
  const [tokens, setTokens] = useState<Token[]>([]);
  const [loading, setLoading] = useState(true);
  const [creating, setCreating] = useState(false);
@@ -302,3 +302,35 @@ describe("TokensTab — error", () => {
    expect(document.querySelector('[role="status"]')).toBeNull();
  });
 });
+
+// ─── "global" sentinel (no node selected) ────────────────────────────────────
+//
+// Regression: SettingsPanel passes the literal "global" when no canvas
+// node is selected. workspace tokens are per-workspace and there is no
+// /workspaces/global/tokens endpoint — calling it 500'd
+// ("invalid input syntax for type uuid: global"). The tab must NOT call
+// the API in that state and must point the user at the Org API Keys tab.
+describe("TokensTab — global sentinel (no node selected)", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset();
+    mockApiPost.mockReset();
+    mockApiGet.mockRejectedValue(new Error("should not be called"));
+  });
+
+  it("does not call the API and shows a pointer to Org API Keys", async () => {
+    render(<TokensTab workspaceId="global" />);
+    await flush();
+    expect(mockApiGet).not.toHaveBeenCalled();
+    expect(mockApiPost).not.toHaveBeenCalled();
+    expect(document.body.textContent).toContain("Select a workspace node");
+    expect(document.body.textContent).toContain("Org API Keys");
+    // No error banner, no scary 500 surfacing.
+    expect(document.querySelector(".text-bad")).toBeNull();
+  });
+
+  it("has no create button in the global state", async () => {
+    render(<TokensTab workspaceId="global" />);
+    await flush();
+    expect(document.body.textContent).not.toContain("New Token");
+  });
+});
@@ -2,7 +2,7 @@

 import { useState, useCallback, useRef, useEffect } from 'react';
 import type { TestConnectionState, SecretGroup } from '@/types/secrets';
-import { validateSecret } from '@/lib/api/secrets';
+import { validateSecret, ApiError } from '@/lib/api/secrets';

 interface TestConnectionButtonProps {
  provider: SecretGroup;
@@ -55,9 +55,23 @@ export function TestConnectionButton({
      }
      onResult?.(result.valid);
      resetTimerRef.current = setTimeout(() => setState('idle'), RESET_DELAYS[nextState]!);
-    } catch {
+    } catch (err) {
+      // Distinguish a real failure shape rather than always claiming a
+      // timeout. A reachable server that answered with an HTTP status
+      // (ApiError) did NOT time out — most commonly the validation route
+      // is not available (404/501), which must not masquerade as
+      // "service down". Only an actual thrown network/abort error is a
+      // connectivity failure.
      setState('failure');
-      setErrorDetail('Connection timed out. Service may be down.');
+      if (err instanceof ApiError) {
+        setErrorDetail(
+          err.status === 404 || err.status === 501
+            ? 'Key validation is not available for this service yet. The key was not tested.'
+            : `Could not verify key (server returned ${err.status}). Saving is unaffected.`,
+        );
+      } else {
+        setErrorDetail('Could not reach the validation service. Check your connection and try again.');
+      }
      onResult?.(false);
      resetTimerRef.current = setTimeout(() => setState('idle'), RESET_DELAYS.failure);
    }
@@ -28,8 +28,20 @@ const mockValidateSecret = vi.fn();

 vi.mock("@/lib/api/secrets", () => ({
  validateSecret: (...args: unknown[]) => mockValidateSecret(...args),
+  ApiError: class ApiError extends Error {
+    status: number;
+    constructor(status: number, message: string) {
+      super(message);
+      this.name = "ApiError";
+      this.status = status;
+    }
+  },
 }));

+// Re-import the mocked ApiError so test cases construct the same class the
+// component's `instanceof` check sees.
+import { ApiError } from "@/lib/api/secrets";
+
 beforeEach(() => {
  vi.useFakeTimers();
  vi.clearAllMocks();
@@ -201,8 +213,27 @@ describe("TestConnectionButton — failure path", () => {
 });

 describe("TestConnectionButton — catch path", () => {
-  it("shows 'Connection timed out' on network error", async () => {
-    mockValidateSecret.mockRejectedValue(new Error("timeout"));
+  it("does NOT claim a timeout when the validate endpoint 404s (regression: internal#492)", async () => {
+    // The validate route is unimplemented on the server and returns a fast
+    // 404. Before the fix this rendered the misleading hardcoded string
+    // "Connection timed out. Service may be down." It must instead state
+    // honestly that validation isn't available and the key was not tested.
+    mockValidateSecret.mockRejectedValue(new ApiError(404, "Not Found"));
+    render(
+      <TestConnectionButton provider="anthropic" secretValue="sk-ant-xxx" />,
+    );
+    fireEvent.click(document.querySelector('button[type="button"]')!);
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(0);
+    });
+    expect(document.body.textContent).not.toContain("Connection timed out");
+    expect(document.body.textContent).not.toContain("Service may be down");
+    expect(document.body.textContent).toContain("not available");
+    expect(document.body.textContent).toContain("not tested");
+  });
+
+  it("reports a non-404 server error with its status, not a timeout", async () => {
+    mockValidateSecret.mockRejectedValue(new ApiError(500, "Internal Server Error"));
    render(
      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
    );
@@ -210,7 +241,20 @@ describe("TestConnectionButton — catch path", () => {
    await act(async () => {
      await vi.advanceTimersByTimeAsync(0);
    });
-    expect(document.body.textContent).toContain("Connection timed out");
+    expect(document.body.textContent).toContain("500");
+    expect(document.body.textContent).not.toContain("Connection timed out");
+  });
+
+  it("shows a connectivity message on a genuine network error", async () => {
+    mockValidateSecret.mockRejectedValue(new Error("network down"));
+    render(
+      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
+    );
+    fireEvent.click(document.querySelector('button[type="button"]')!);
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(0);
+    });
+    expect(document.body.textContent).toContain("Could not reach the validation service");
  });

  it("calls onResult(false) on network error", async () => {
@@ -1,102 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for design-tokens.ts constant exports.
- *
- * STATUS_CONFIG is tested here directly rather than inside
- * statusDotClass.test.ts so the constant's full shape (dot, glow, label,
- * bar per key) is explicitly asserted — not just indirectly via the
- * statusDotClass helper that consumes its .dot field.
- */
-import { describe, it, expect } from "vitest";
-import { STATUS_CONFIG } from "../design-tokens";
-
-const ALL_STATUS_KEYS = [
-  "online",
-  "offline",
-  "paused",
-  "degraded",
-  "failed",
-  "provisioning",
-  "not_configured",
-] as const;
-
-describe("STATUS_CONFIG", () => {
-  it("has exactly the expected status keys and no extras", () => {
-    const actual = Object.keys(STATUS_CONFIG).sort();
-    const expected = [...ALL_STATUS_KEYS].sort();
-    expect(actual).toEqual(expected);
-  });
-
-  it("every entry has dot, glow, label, and bar fields", () => {
-    for (const key of ALL_STATUS_KEYS) {
-      const entry = STATUS_CONFIG[key];
-      expect(entry, `entry for "${key}"`).toHaveProperty("dot");
-      expect(entry, `entry for "${key}"`).toHaveProperty("glow");
-      expect(entry, `entry for "${key}"`).toHaveProperty("label");
-      expect(entry, `entry for "${key}"`).toHaveProperty("bar");
-    }
-  });
-
-  it("dot, glow, label, bar are all non-empty strings", () => {
-    for (const key of ALL_STATUS_KEYS) {
-      const entry = STATUS_CONFIG[key];
-      for (const field of ["dot", "glow", "label", "bar"] as const) {
-        expect(typeof entry[field], `"${key}".${field}`).toBe("string");
-        // label must be non-empty; others may be empty (e.g. offline.glow = "").
-        if (field === "label") {
-          expect(entry[field].length, `"${key}".${field}`).toBeGreaterThan(0);
-        }
-      }
-    }
-  });
-
-  it('online: dot is emerald, glow is set, label is "Online"', () => {
-    expect(STATUS_CONFIG.online.dot).toBe("bg-emerald-400");
-    expect(STATUS_CONFIG.online.glow).toBe("shadow-emerald-400/50");
-    expect(STATUS_CONFIG.online.label).toBe("Online");
-    expect(STATUS_CONFIG.online.bar).toBe("from-emerald-500/20 to-transparent");
-  });
-
-  it('offline: dot is zinc, glow is empty, label is "Offline"', () => {
-    expect(STATUS_CONFIG.offline.dot).toBe("bg-zinc-500");
-    expect(STATUS_CONFIG.offline.glow).toBe("");
-    expect(STATUS_CONFIG.offline.label).toBe("Offline");
-    expect(STATUS_CONFIG.offline.bar).toBe("from-zinc-600/10 to-transparent");
-  });
-
-  it('paused: dot is indigo, label is "Paused"', () => {
-    expect(STATUS_CONFIG.paused.dot).toBe("bg-indigo-400");
-    expect(STATUS_CONFIG.paused.glow).toBe("");
-    expect(STATUS_CONFIG.paused.label).toBe("Paused");
-  });
-
-  it('degraded: dot is amber with glow, label is "Degraded"', () => {
-    expect(STATUS_CONFIG.degraded.dot).toBe("bg-amber-400");
-    expect(STATUS_CONFIG.degraded.glow).toBe("shadow-amber-400/50");
-    expect(STATUS_CONFIG.degraded.label).toBe("Degraded");
-  });
-
-  it('failed: dot is red with glow, label is "Failed"', () => {
-    expect(STATUS_CONFIG.failed.dot).toBe("bg-red-400");
-    expect(STATUS_CONFIG.failed.glow).toBe("shadow-red-400/50");
-    expect(STATUS_CONFIG.failed.label).toBe("Failed");
-  });
-
-  it('provisioning: dot is sky with pulse animation, label is "Starting"', () => {
-    expect(STATUS_CONFIG.provisioning.dot).toBe("bg-sky-400 motion-safe:animate-pulse");
-    expect(STATUS_CONFIG.provisioning.glow).toBe("shadow-sky-400/50");
-    expect(STATUS_CONFIG.provisioning.label).toBe("Starting");
-  });
-
-  it('not_configured: dot is amber-300 with glow, label is "Not configured"', () => {
-    expect(STATUS_CONFIG.not_configured.dot).toBe("bg-amber-300");
-    expect(STATUS_CONFIG.not_configured.glow).toBe("shadow-amber-300/50");
-    expect(STATUS_CONFIG.not_configured.label).toBe("Not configured");
-  });
-
-  it("is a frozen static map — same key always returns same object reference", () => {
-    for (const key of ALL_STATUS_KEYS) {
-      expect(STATUS_CONFIG[key]).toBe(STATUS_CONFIG[key]);
-    }
-  });
-});
@@ -1,60 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for theme.ts — cssVar() function and ColorToken type.
- */
-import { describe, it, expect } from "vitest";
-import { cssVar, type ColorToken } from "../theme";
-
-describe("cssVar", () => {
-  it("wraps each known token in a var() reference", () => {
-    const tokens: ColorToken[] = [
-      "surface",
-      "surface-elevated",
-      "surface-sunken",
-      "surface-card",
-      "line",
-      "line-soft",
-      "ink",
-      "ink-mid",
-      "ink-soft",
-      "accent",
-      "accent-strong",
-      "warm",
-      "good",
-      "bad",
-      "bg",
-      "bg-elev",
-      "bg-card",
-      "line-strong",
-      "ink-mute",
-      "ink-dim",
-      "accent-dim",
-      "plasma",
-      "warn",
-    ];
-    for (const token of tokens) {
-      expect(cssVar(token)).toBe(`var(--color-${token})`);
-    }
-  });
-
-  it("is a pure function — same token always returns same value", () => {
-    for (let i = 0; i < 5; i++) {
-      expect(cssVar("accent")).toBe("var(--color-accent)");
-      expect(cssVar("surface")).toBe("var(--color-surface)");
-      expect(cssVar("good")).toBe("var(--color-good)");
-    }
-  });
-
-  it("handles hyphenated tokens correctly", () => {
-    expect(cssVar("surface-elevated")).toBe("var(--color-surface-elevated)");
-    expect(cssVar("line-soft")).toBe("var(--color-line-soft)");
-    expect(cssVar("ink-mute")).toBe("var(--color-ink-mute)");
-  });
-
-  it("produces a value usable as an inline style prop value", () => {
-    const result = cssVar("accent");
-    expect(typeof result).toBe("string");
-    expect(result.startsWith("var(--color-")).toBe(true);
-    expect(result.endsWith(")")).toBe(true);
-  });
-});
@@ -0,0 +1,113 @@
+package handlers
+
+import "encoding/json"
+
+// agent_card_reconcile.go — server-side repair for the fleet-wide
+// agent-card identity gap.
+//
+// Root cause: the runtime builds its AgentCard from config.name
+// (workspace/main.py:198), and config.name is read from the
+// CP-regenerated /configs/config.yaml whose `name:` field is the raw
+// workspace UUID — NOT the friendly name the operator sees. The friendly
+// name IS captured: POST /workspaces and PATCH /workspaces/:id (the
+// canvas Details tab) write it to the trusted workspaces.name DB column.
+// But /registry/register stores the runtime-supplied card verbatim
+// (registry.go: `agent_card = EXCLUDED.agent_card`), so the stored card
+// served at /.well-known/agent-card.json and returned to peers via
+// agent_card_url ends up with name = UUID, description = "", role = null.
+//
+// Fix shape (deliberately minimal, no contract weakening): when the
+// runtime-supplied card's `name` is empty or equals the workspace UUID
+// (the placeholder the runtime had no better value for), the PLATFORM —
+// not the agent — substitutes the friendly value from the trusted
+// workspaces row. Identity stays platform-controlled: the agent never
+// gains the ability to self-set its own name/role; the platform sources
+// it from the operator-controlled DB column. We only ever FILL gaps
+// (empty / UUID-placeholder); a card that already carries a real
+// friendly name is never downgraded.
+//
+// list_peers / the /registry/:id/peers endpoint already resolve display
+// names from workspaces.name directly (discovery.go / mcp_tools.go
+// `SELECT w.id, w.name, ...`), so peer_name in delivered message tags
+// was already correct — this fix closes the remaining surface: the
+// agent_card blob itself (canvas Agent Card / Skills view, peer
+// agent_card_url fetches, the well-known card).
+//
+// description / role degrade discovery the same way: an empty
+// description and null role give peers nothing to reason about. We
+// default description from the (now reconciled) name when blank and
+// role from workspaces.role when the operator set one.
+
+// reconcileAgentCardIdentity patches identity gaps in a runtime-supplied
+// agent card from the trusted workspace DB row. It returns the
+// (possibly rewritten) card bytes and whether anything changed. On any
+// failure (malformed JSON, nothing to fill) it returns the input bytes
+// unchanged with changed=false so the caller can store them verbatim —
+// this is strictly no-worse-than-before, never a regression.
+//
+// Pure function: no DB / HTTP / globals, so it is exhaustively
+// unit-testable (agent_card_reconcile_test.go) without booting the
+// handler or a sqlmock.
+func reconcileAgentCardIdentity(card json.RawMessage, workspaceID, dbName, dbRole string) (json.RawMessage, bool) {
+	var m map[string]any
+	if err := json.Unmarshal(card, &m); err != nil || m == nil {
+		// Malformed card — not this function's job to reject it (the
+		// upsert stores it as-is and downstream readers handle bad
+		// JSON). Return verbatim so byte-for-byte behaviour is
+		// preserved on the failure path.
+		return card, false
+	}
+
+	changed := false
+
+	// name: fill only when empty or the UUID placeholder. A dbName that
+	// is itself the UUID is a placeholder row (registry.go INSERT seeds
+	// name = id before the canvas sets a friendly one) — not a friendly
+	// name, so it is not an eligible source.
+	cardName, _ := m["name"].(string)
+	if (cardName == "" || cardName == workspaceID) &&
+		dbName != "" && dbName != workspaceID {
+		m["name"] = dbName
+		changed = true
+	}
+
+	// description: when blank, default to the (reconciled) name so peers
+	// and the canvas Agent Card view have a non-empty human label
+	// instead of "". Mirrors the runtime's own
+	// `config.description or config.name` fallback (main.py:199) but
+	// applied to the registry copy where the runtime's fallback was the
+	// UUID.
+	if desc, _ := m["description"].(string); desc == "" {
+		if n, _ := m["name"].(string); n != "" && n != workspaceID {
+			m["description"] = n
+			changed = true
+		}
+	}
+
+	// role: surface the operator-set workspaces.role when the card
+	// carries none. Discovery (peer_role) and the canvas Role row read
+	// workspaces.role directly; this just makes the standalone card
+	// self-describing too. Never overwrite a role the card already has.
+	if dbRole != "" {
+		if r, ok := m["role"].(string); !ok || r == "" {
+			m["role"] = dbRole
+			changed = true
+		}
+	}
+
+	if !changed {
+		// No-op: return the original bytes untouched so callers that
+		// compare/store get byte-identical input (re-marshalling would
+		// reorder keys for no reason).
+		return card, false
+	}
+
+	out, err := json.Marshal(m)
+	if err != nil {
+		// Re-marshal of a map we just unmarshalled should never fail;
+		// if it somehow does, fall back to the verbatim input rather
+		// than storing nothing.
+		return card, false
+	}
+	return out, true
+}
@@ -0,0 +1,166 @@
+package handlers
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+// TestReconcileAgentCardIdentity covers the server-side backfill that
+// repairs the fleet-wide agent-card identity gap (internal#XXX): the
+// runtime POSTs /registry/register with agent_card.name = the workspace
+// UUID (because the CP-regenerated /configs/config.yaml sets name: <uuid>)
+// while the trusted workspaces.name DB column — the value the canvas
+// Details tab shows and lets the operator edit — holds the friendly
+// name ("Claude Code Agent"). The platform reconciles them from the DB
+// row (NOT from the agent — identity stays platform-controlled, not
+// self-mutable).
+func TestReconcileAgentCardIdentity(t *testing.T) {
+	const wsID = "3b81321b-1ec7-488c-96f7-72c42a968da6"
+
+	tests := []struct {
+		name        string
+		card        string
+		dbName      string
+		dbRole      string
+		wantName    string
+		wantDesc    string
+		wantRole    string
+		wantChanged bool
+	}{
+		{
+			name:        "name is the workspace UUID — backfill from DB",
+			card:        `{"name":"3b81321b-1ec7-488c-96f7-72c42a968da6","description":"","capabilities":{"streaming":true}}`,
+			dbName:      "Claude Code Agent",
+			dbRole:      "",
+			wantName:    "Claude Code Agent",
+			wantDesc:    "Claude Code Agent",
+			wantRole:    "",
+			wantChanged: true,
+		},
+		{
+			name:        "empty name — backfill from DB",
+			card:        `{"name":"","description":"x"}`,
+			dbName:      "ops-agent",
+			dbRole:      "sre",
+			wantName:    "ops-agent",
+			wantDesc:    "x",
+			wantRole:    "sre",
+			wantChanged: true,
+		},
+		{
+			name:        "role null in card, DB has role — backfill role only",
+			card:        `{"name":"Reviewer","description":"Senior reviewer"}`,
+			dbName:      "Reviewer",
+			dbRole:      "code-reviewer",
+			wantName:    "Reviewer",
+			wantDesc:    "Senior reviewer",
+			wantRole:    "code-reviewer",
+			wantChanged: true,
+		},
+		{
+			name: "card already has a real friendly name — do NOT clobber it",
+			// A richer card (e.g. an external channel agent) must win;
+			// the platform only fills gaps, never downgrades.
+			card:        `{"name":"Claude Code (channel)","description":"Local Claude Code session bridged","role":"assistant"}`,
+			dbName:      "hongming-pc",
+			dbRole:      "operator",
+			wantName:    "Claude Code (channel)",
+			wantDesc:    "Local Claude Code session bridged",
+			wantRole:    "assistant",
+			wantChanged: false,
+		},
+		{
+			name:        "no DB name available — leave UUID name untouched (no worse than before)",
+			card:        `{"name":"3b81321b-1ec7-488c-96f7-72c42a968da6","description":""}`,
+			dbName:      "",
+			dbRole:      "",
+			wantName:    "3b81321b-1ec7-488c-96f7-72c42a968da6",
+			wantDesc:    "",
+			wantRole:    "",
+			wantChanged: false,
+		},
+		{
+			name:        "dbName equals UUID (placeholder row) — not a friendly name, leave untouched",
+			card:        `{"name":"3b81321b-1ec7-488c-96f7-72c42a968da6"}`,
+			dbName:      "3b81321b-1ec7-488c-96f7-72c42a968da6",
+			dbRole:      "",
+			wantName:    "3b81321b-1ec7-488c-96f7-72c42a968da6",
+			wantDesc:    "",
+			wantRole:    "",
+			wantChanged: false,
+		},
+		{
+			name:        "malformed card JSON — return unchanged, no panic",
+			card:        `{not json`,
+			dbName:      "Claude Code Agent",
+			dbRole:      "",
+			wantChanged: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			out, changed := reconcileAgentCardIdentity(
+				json.RawMessage(tc.card), wsID, tc.dbName, tc.dbRole,
+			)
+			if changed != tc.wantChanged {
+				t.Fatalf("changed = %v, want %v", changed, tc.wantChanged)
+			}
+			if !tc.wantChanged {
+				// Unchanged path must return the input bytes verbatim.
+				if string(out) != tc.card {
+					t.Fatalf("unchanged path mutated bytes:\n got  %s\n want %s", out, tc.card)
+				}
+				return
+			}
+			var got map[string]any
+			if err := json.Unmarshal(out, &got); err != nil {
+				t.Fatalf("output not valid JSON: %v (%s)", err, out)
+			}
+			if g, _ := got["name"].(string); g != tc.wantName {
+				t.Errorf("name = %q, want %q", g, tc.wantName)
+			}
+			if g, _ := got["description"].(string); g != tc.wantDesc {
+				t.Errorf("description = %q, want %q", g, tc.wantDesc)
+			}
+			if tc.wantRole != "" {
+				if g, _ := got["role"].(string); g != tc.wantRole {
+					t.Errorf("role = %q, want %q", g, tc.wantRole)
+				}
+			}
+		})
+	}
+}
+
+// TestReconcileAgentCardIdentity_PreservesOtherFields ensures the
+// reconcile is a minimal in-place patch — capabilities, version,
+// skills and any unknown future fields survive untouched.
+func TestReconcileAgentCardIdentity_PreservesOtherFields(t *testing.T) {
+	card := `{"name":"ws-uuid","description":"","version":"1.0.0",` +
+		`"capabilities":{"streaming":true,"pushNotifications":true},` +
+		`"skills":[{"id":"a","name":"a"}],"configuration_status":"ready"}`
+	out, changed := reconcileAgentCardIdentity(
+		json.RawMessage(card), "ws-uuid", "Friendly Name", "",
+	)
+	if !changed {
+		t.Fatal("expected changed = true")
+	}
+	var got map[string]any
+	if err := json.Unmarshal(out, &got); err != nil {
+		t.Fatalf("invalid JSON: %v", err)
+	}
+	if got["version"] != "1.0.0" {
+		t.Errorf("version not preserved: %v", got["version"])
+	}
+	if got["configuration_status"] != "ready" {
+		t.Errorf("configuration_status not preserved: %v", got["configuration_status"])
+	}
+	caps, ok := got["capabilities"].(map[string]any)
+	if !ok || caps["streaming"] != true {
+		t.Errorf("capabilities not preserved: %v", got["capabilities"])
+	}
+	skills, ok := got["skills"].([]any)
+	if !ok || len(skills) != 1 {
+		t.Errorf("skills not preserved: %v", got["skills"])
+	}
+}
@@ -1,8 +1,12 @@
 package handlers

 import (
+	"crypto/tls"
+	"net/http/httptest"
 	"strings"
 	"testing"
+
+	"github.com/gin-gonic/gin"
 )

 // TestExternalTemplates_NoMoleculeOrgIDPlaceholder pins the invariant
@@ -118,3 +122,153 @@ func TestExternalTemplates_NoBrokenMoleculeAIGitHubURLs(t *testing.T) {
 		}
 	}
 }
+
+// =============================================================================
+// BuildExternalConnectionPayload
+// =============================================================================
+
+func TestBuildExternalConnectionPayload_HappyPath(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-123",
+		"tok-secret-abc",
+	)
+
+	if payload["workspace_id"] != "ws-123" {
+		t.Errorf("workspace_id = %v; want ws-123", payload["workspace_id"])
+	}
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; want https://platform.example.com", payload["platform_url"])
+	}
+	if payload["auth_token"] != "tok-secret-abc" {
+		t.Errorf("auth_token = %v; want tok-secret-abc", payload["auth_token"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint = %v", payload["registry_endpoint"])
+	}
+	if payload["heartbeat_endpoint"] != "https://platform.example.com/registry/heartbeat" {
+		t.Errorf("heartbeat_endpoint = %v", payload["heartbeat_endpoint"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_TrailingSlashStripped(t *testing.T) {
+	// TrimSuffix only removes one trailing slash; multiple slashes stay.
+	// This is intentional — the function documents this behavior.
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com/",
+		"ws-456",
+		"tok",
+	)
+	if payload["platform_url"] != "https://platform.example.com" {
+		t.Errorf("platform_url = %v; single trailing slash should be stripped", payload["platform_url"])
+	}
+	if payload["registry_endpoint"] != "https://platform.example.com/registry/register" {
+		t.Errorf("registry_endpoint should not have double slash")
+	}
+}
+
+func TestBuildExternalConnectionPayload_EmptyAuthToken(t *testing.T) {
+	// Empty token is valid for "show instructions again" read-only path
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-789",
+		"",
+	)
+	if payload["workspace_id"] != "ws-789" {
+		t.Errorf("workspace_id = %v", payload["workspace_id"])
+	}
+	if payload["auth_token"] != "" {
+		t.Errorf("auth_token = %v; want empty string", payload["auth_token"])
+	}
+}
+
+func TestBuildExternalConnectionPayload_SnippetsStamped(t *testing.T) {
+	payload := BuildExternalConnectionPayload(
+		"https://platform.example.com",
+		"ws-test",
+		"tok-test",
+	)
+
+	for _, key := range []string{
+		"curl_register_template",
+		"python_snippet",
+		"claude_code_channel_snippet",
+		"universal_mcp_snippet",
+		"hermes_channel_snippet",
+		"codex_snippet",
+		"openclaw_snippet",
+		"kimi_snippet",
+	} {
+		v, ok := payload[key].(string)
+		if !ok {
+			t.Errorf("%s is not a string", key)
+			continue
+		}
+		if strings.Contains(v, "{{PLATFORM_URL}}") {
+			t.Errorf("%s still contains unsubstituted {{PLATFORM_URL}}", key)
+		}
+		if strings.Contains(v, "{{WORKSPACE_ID}}") {
+			t.Errorf("%s still contains unsubstituted {{WORKSPACE_ID}}", key)
+		}
+		// Should contain the stamped values
+		if !strings.Contains(v, "https://platform.example.com") {
+			t.Errorf("%s does not contain stamped platform URL", key)
+		}
+		if !strings.Contains(v, "ws-test") {
+			t.Errorf("%s does not contain stamped workspace ID", key)
+		}
+	}
+}
+
+// =============================================================================
+// externalPlatformURL
+// =============================================================================
+
+func TestExternalPlatformURL_EnvVarTakesPrecedence(t *testing.T) {
+	t.Setenv("EXTERNAL_PLATFORM_URL", "https://external.example.com")
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+
+	got := externalPlatformURL(c)
+	if got != "https://external.example.com" {
+		t.Errorf("got %q; want EXTERNAL_PLATFORM_URL value", got)
+	}
+}
+
+func TestExternalPlatformURL_XForwardedProtoAndHost(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Header.Set("X-Forwarded-Proto", "https")
+	c.Request.Header.Set("X-Forwarded-Host", "tenant.example.com")
+
+	got := externalPlatformURL(c)
+	if got != "https://tenant.example.com" {
+		t.Errorf("got %q; want https://tenant.example.com", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPSNoHeaders(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "platform.example.com"
+	// TLS set → https scheme (regardless of host)
+	c.Request.TLS = &tls.ConnectionState{}
+
+	got := externalPlatformURL(c)
+	if got != "https://platform.example.com" {
+		t.Errorf("got %q; want https://platform.example.com (TLS set)", got)
+	}
+}
+
+func TestExternalPlatformURL_HTTPNoTLS(t *testing.T) {
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	c.Request = httptest.NewRequest("GET", "/", nil)
+	c.Request.Host = "localhost:8080"
+	// TLS nil → http
+	c.Request.TLS = nil
+
+	got := externalPlatformURL(c)
+	if got != "http://localhost:8080" {
+		t.Errorf("got %q; want http://localhost:8080", got)
+	}
+}
@@ -1,55 +0,0 @@
-package handlers
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-)
-
-// ListSources is the only exported function in plugins_sources.go.
-// It calls h.sources.Schemes() and returns the result verbatim,
-// so the test verifies the handler correctly serialises whatever
-// the real registry provides.
-func TestListSources_ReturnsSchemes(t *testing.T) {
-	// Use a real handler — the registry is deterministic (local + github).
-	h := NewPluginsHandler(t.TempDir(), nil, nil)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Request = httptest.NewRequest("GET", "/plugins/sources", nil)
-
-	h.ListSources(c)
-
-	if w.Code != http.StatusOK {
-		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-
-	var body struct {
-		Schemes []string `json:"schemes"`
-	}
-	if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
-		t.Fatalf("failed to unmarshal response: %v", err)
-	}
-
-	// The default registry registers local + github resolvers.
-	if len(body.Schemes) < 1 {
-		t.Fatalf("expected at least 1 scheme, got %d: %v", len(body.Schemes), body.Schemes)
-	}
-
-	// Verify stability — same call always returns same result.
-	w2 := httptest.NewRecorder()
-	c2, _ := gin.CreateTestContext(w2)
-	c2.Request = httptest.NewRequest("GET", "/plugins/sources", nil)
-	h.ListSources(c2)
-
-	var body2 struct {
-		Schemes []string `json:"schemes"`
-	}
-	json.Unmarshal(w2.Body.Bytes(), &body2)
-	if len(body.Schemes) != len(body2.Schemes) {
-		t.Errorf("Schemes() is not stable: first=%v, second=%v", body.Schemes, body2.Schemes)
-	}
-}
@@ -327,7 +327,33 @@ func (h *RegistryHandler) Register(c *gin.Context) {
 		}
 	}

-	agentCardStr := string(payload.AgentCard)
+	// Reconcile the runtime-supplied card's identity fields against the
+	// trusted workspaces row before storing. The runtime builds its card
+	// from config.name, which the CP-regenerated /configs/config.yaml
+	// sets to the workspace UUID — so without this the stored card
+	// served at /.well-known/agent-card.json and returned to peers via
+	// agent_card_url has name = UUID, description = "", role = null even
+	// though the operator-controlled workspaces.name holds the friendly
+	// name the canvas shows. We only FILL gaps from the DB (never
+	// downgrade a card that already carries a real name); identity stays
+	// platform-controlled — the agent cannot self-set these. Best-effort:
+	// a lookup failure leaves the card exactly as the runtime sent it
+	// (no-worse-than-before). See agent_card_reconcile.go.
+	reconciledCard := payload.AgentCard
+	{
+		var dbName, dbRole sql.NullString
+		if qErr := db.DB.QueryRowContext(ctx,
+			`SELECT name, role FROM workspaces WHERE id = $1`, payload.ID,
+		).Scan(&dbName, &dbRole); qErr == nil {
+			if rc, did := reconcileAgentCardIdentity(
+				payload.AgentCard, payload.ID, dbName.String, dbRole.String,
+			); did {
+				reconciledCard = rc
+				log.Printf("Registry register: reconciled agent_card identity for %s from workspaces row", payload.ID)
+			}
+		}
+	}
+	agentCardStr := string(reconciledCard)

 	// urlForUpsert: poll-mode workspaces don't need a URL. Empty input
 	// becomes NULL via sql.NullString so the row's URL stays clean (the
@@ -413,10 +439,12 @@ func (h *RegistryHandler) Register(c *gin.Context) {
 		}
 	}

-	// Broadcast WORKSPACE_ONLINE
+	// Broadcast WORKSPACE_ONLINE — use the reconciled card so the canvas
+	// Agent Card view live-updates with the friendly name, matching what
+	// was just persisted (not the runtime's raw UUID-name card).
 	if err := h.broadcaster.RecordAndBroadcast(ctx, string(events.EventWorkspaceOnline), payload.ID, map[string]interface{}{
 		"url":           cachedURL,
-		"agent_card":    payload.AgentCard,
+		"agent_card":    reconciledCard,
 		"delivery_mode": effectiveMode,
 	}); err != nil {
 		log.Printf("Registry broadcast error: %v", err)
@@ -19,6 +19,7 @@ package handlers
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -357,6 +358,28 @@ func writeFileViaEIC(ctx context.Context, instanceID, runtime, root, relPath str
 		var stderr bytes.Buffer
 		sshCmd.Stderr = &stderr
 		if err := sshCmd.Run(); err != nil {
+			// When the per-op context deadline (eicFileOpTimeout) fires,
+			// exec.CommandContext SIGKILLs the ssh subprocess and Run()
+			// returns the bare "signal: killed" with empty stderr. That
+			// surfaced to the canvas as an opaque
+			// `500 {"error":"ssh install: signal: killed ()"}` which gave
+			// the operator no idea the workspace was simply mid-provision
+			// with a slow/unready EIC tunnel (internal#423). Detect the
+			// deadline explicitly and return an actionable message instead
+			// — the EIC mechanism, timeout value, and success path are all
+			// unchanged; this only improves the error a stuck write emits.
+			if cerr := ctx.Err(); cerr != nil {
+				reason := "timed out after " + eicFileOpTimeout.String()
+				if errors.Is(cerr, context.Canceled) && !errors.Is(cerr, context.DeadlineExceeded) {
+					reason = "was cancelled"
+				}
+				return fmt.Errorf(
+					"ssh install: EIC tunnel to workspace %s — "+
+						"the workspace may still be provisioning (slow/unready SSH); "+
+						"retry once it is online, or apply provider credentials via "+
+						"Settings → Secrets (encrypted, does not use this file-write path)",
+					reason)
+			}
 			return fmt.Errorf("ssh install: %w (%s)", err, strings.TrimSpace(stderr.String()))
 		}
 		log.Printf("writeFileViaEIC: ws instance=%s runtime=%s root=%s wrote %d bytes → %s",
@@ -0,0 +1,71 @@
+package handlers
+
+// template_files_eic_write_timeout_test.go — pins the actionable-error
+// behavior added for internal#423.
+//
+// When the per-op context deadline (eicFileOpTimeout) fires,
+// exec.CommandContext SIGKILLs the ssh subprocess and Run() returns the
+// bare "signal: killed" with empty stderr. Before the fix that surfaced
+// to the canvas as an opaque `500 {"error":"ssh install: signal:
+// killed ()"}` — useless to an operator whose workspace was simply
+// mid-provision with a slow/unready EIC tunnel. The fix detects the
+// deadline explicitly (errors.Is(ctx.Err(), context.DeadlineExceeded))
+// and returns a message that names the cause and the
+// Settings → Secrets workaround.
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+)
+
+// TestWriteFileViaEIC_DeadlineExceeded_ActionableError stubs
+// withEICTunnel so the *real* inner closure runs against a context that
+// has already exceeded its deadline. The ssh subprocess fails (no real
+// sshd on the fake port) and ctx.Err() == DeadlineExceeded, so the new
+// branch must fire and produce an actionable message — NOT the opaque
+// "signal: killed ()" string the canvas used to show.
+func TestWriteFileViaEIC_DeadlineExceeded_ActionableError(t *testing.T) {
+	prev := withEICTunnel
+	withEICTunnel = func(_ context.Context, instanceID string, fn func(s eicSSHSession) error) error {
+		// Run the real inner closure. It closes over the ctx that
+		// writeFileViaEIC derived from our already-cancelled parent, so
+		// the ssh subprocess is killed immediately and ctx.Err()
+		// resolves — exactly the eicFileOpTimeout-expiry shape.
+		return fn(eicSSHSession{
+			instanceID: instanceID,
+			osUser:     "ubuntu",
+			localPort:  1, // nothing listening → ssh fails fast
+			keyPath:    "/nonexistent/key",
+		})
+	}
+	t.Cleanup(func() { withEICTunnel = prev })
+
+	// Drive the real writeFileViaEIC. Pass a parent whose deadline has
+	// already passed: the context.WithTimeout(ctx, eicFileOpTimeout)
+	// derived inside writeFileViaEIC inherits the expired parent
+	// deadline, so ctx.Err() == context.DeadlineExceeded by the time
+	// the killed ssh subprocess returns — the exact production shape
+	// (eicFileOpTimeout expiry), exercised deterministically.
+	parent, cancel := context.WithDeadline(context.Background(), time.Now().Add(-time.Second))
+	defer cancel()
+
+	err := writeFileViaEIC(parent, "i-test", "claude-code", "/configs", "config.yaml", []byte("model: sonnet\n"))
+	if err == nil {
+		t.Fatalf("expected an error from a killed ssh subprocess, got nil")
+	}
+	msg := err.Error()
+
+	// Must NOT leak the opaque bare-signal string to the operator.
+	if strings.Contains(msg, "signal: killed ()") {
+		t.Fatalf("error still surfaces the opaque %q form: %q", "signal: killed ()", msg)
+	}
+	// Must name the cause and the Secrets workaround so the canvas
+	// shows something actionable.
+	for _, want := range []string{"timed out", "provisioning", "Settings", "Secrets"} {
+		if !strings.Contains(msg, want) {
+			t.Errorf("actionable error missing %q; got: %q", want, msg)
+		}
+	}
+}
@@ -10,8 +10,20 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )

+// validWorkspaceID returns true when id is a syntactically valid UUID.
+// workspace_id is a `uuid` column; passing a non-UUID (e.g. the canvas
+// "global" sentinel sent when no node is selected) makes Postgres raise
+// `invalid input syntax for type uuid`, which previously leaked as an
+// opaque 500. Reject up front with a clean 400 instead. Mirrors the
+// uuid.Parse guard already used in handlers/activity.go.
+func validWorkspaceID(id string) bool {
+	_, err := uuid.Parse(id)
+	return err == nil
+}
+
 // TokenHandler exposes user-facing token management for workspaces.
 // Routes: GET/POST/DELETE /workspaces/:id/tokens (behind WorkspaceAuth).
 type TokenHandler struct{}
@@ -31,6 +43,10 @@ type tokenListItem struct {
 // never the plaintext or hash).
 func (h *TokenHandler) List(c *gin.Context) {
 	workspaceID := c.Param("id")
+	if !validWorkspaceID(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}

 	limit := 50
 	if v := c.Query("limit"); v != "" {
@@ -53,6 +69,7 @@ func (h *TokenHandler) List(c *gin.Context) {
 		LIMIT $2 OFFSET $3
 	`, workspaceID, limit, offset)
 	if err != nil {
+		log.Printf("tokens: list query failed for workspace %s: %v", workspaceID, err)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to list tokens"})
 		return
 	}
@@ -85,6 +102,10 @@ const maxTokensPerWorkspace = 50
 // exactly once in the response — it cannot be recovered afterwards.
 func (h *TokenHandler) Create(c *gin.Context) {
 	workspaceID := c.Param("id")
+	if !validWorkspaceID(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}

 	// Rate limit: max active tokens per workspace
 	var count int
@@ -117,6 +138,10 @@ func (h *TokenHandler) Create(c *gin.Context) {
 func (h *TokenHandler) Revoke(c *gin.Context) {
 	workspaceID := c.Param("id")
 	tokenID := c.Param("tokenId")
+	if !validWorkspaceID(workspaceID) {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid workspace id"})
+		return
+	}

 	result, err := db.DB.ExecContext(c.Request.Context(), `
 		UPDATE workspace_auth_tokens
@@ -41,6 +41,15 @@ import (

 func init() { gin.SetMode(gin.TestMode) }

+// Workspace IDs are validated as UUIDs up front (tokens.go validWorkspaceID),
+// so handler tests must pass syntactically valid UUIDs. Fixed values keep
+// sqlmock WithArgs assertions deterministic.
+const (
+	wsUUID1 = "11111111-1111-1111-1111-111111111111"
+	wsUUID2 = "22222222-2222-2222-2222-222222222222"
+	wsUUID3 = "33333333-3333-3333-3333-333333333333"
+)
+
 // withMockDB swaps `db.DB` for a sqlmock and returns the mock plus a
 // restore func. Tests use this in place of setupTokenTestDB which
 // skips on a missing real DB.
@@ -81,13 +90,13 @@ func TestTokenHandler_List_HappyPath(t *testing.T) {
 	created := time.Date(2026, 4, 1, 12, 0, 0, 0, time.UTC)
 	last := created.Add(time.Hour)
 	mock.ExpectQuery(`SELECT id, prefix, created_at, last_used_at\s+FROM workspace_auth_tokens`).
-		WithArgs("ws-1", 50, 0).
+		WithArgs(wsUUID1, 50, 0).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}).
 			AddRow("tok-1", "abc12345", created, last).
 			AddRow("tok-2", "def67890", created, nil))

 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})

 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200, got %d: %s", w.Code, w.Body.String())
@@ -121,7 +130,7 @@ func TestTokenHandler_List_EmptyResult(t *testing.T) {
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}))

 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-2/tokens", gin.Params{{Key: "id", Value: "ws-2"}})
+		"/workspaces/ws-2/tokens", gin.Params{{Key: "id", Value: wsUUID2}})

 	if w.Code != http.StatusOK {
 		t.Fatalf("expected 200 on empty list, got %d", w.Code)
@@ -146,7 +155,7 @@ func TestTokenHandler_List_QueryError(t *testing.T) {
 		WillReturnError(errors.New("connection refused"))

 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-3/tokens", gin.Params{{Key: "id", Value: "ws-3"}})
+		"/workspaces/ws-3/tokens", gin.Params{{Key: "id", Value: wsUUID3}})

 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("query error must surface as 500, got %d", w.Code)
@@ -158,13 +167,13 @@ func TestTokenHandler_List_RespectsLimit(t *testing.T) {
 	defer cleanup()

 	mock.ExpectQuery(`SELECT id, prefix, created_at, last_used_at`).
-		WithArgs("ws-1", 10, 5).
+		WithArgs(wsUUID1, 10, 5).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "created_at", "last_used_at"}))

 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
 	c.Request = httptest.NewRequest("GET", "/workspaces/ws-1/tokens?limit=10&offset=5", nil)
-	c.Params = gin.Params{{Key: "id", Value: "ws-1"}}
+	c.Params = gin.Params{{Key: "id", Value: wsUUID1}}
 	NewTokenHandler().List(c)

 	if w.Code != http.StatusOK {
@@ -186,7 +195,7 @@ func TestTokenHandler_List_ScanError(t *testing.T) {
 			AddRow("tok-1", "abc", "not-a-timestamp", nil))

 	w := makeReq(t, NewTokenHandler().List, "GET",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})

 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("scan error must surface as 500, got %d: %s", w.Code, w.Body.String())
@@ -201,11 +210,11 @@ func TestTokenHandler_Create_RateLimited(t *testing.T) {

 	// Count query returns 50 (== max) → 429.
 	mock.ExpectQuery(`SELECT COUNT\(\*\) FROM workspace_auth_tokens`).
-		WithArgs("ws-1").
+		WithArgs(wsUUID1).
 		WillReturnRows(sqlmock.NewRows([]string{"count"}).AddRow(50))

 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})

 	if w.Code != http.StatusTooManyRequests {
 		t.Errorf("max active tokens should 429, got %d", w.Code)
@@ -225,7 +234,7 @@ func TestTokenHandler_Create_IssueFails(t *testing.T) {
 		WillReturnError(errors.New("disk full"))

 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})

 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("IssueToken DB error must 500, got %d", w.Code)
@@ -242,7 +251,7 @@ func TestTokenHandler_Create_HappyPath(t *testing.T) {
 		WillReturnResult(sqlmock.NewResult(1, 1))

 	w := makeReq(t, NewTokenHandler().Create, "POST",
-		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: "ws-1"}})
+		"/workspaces/ws-1/tokens", gin.Params{{Key: "id", Value: wsUUID1}})

 	if w.Code != http.StatusCreated {
 		t.Fatalf("expected 201, got %d: %s", w.Code, w.Body.String())
@@ -257,7 +266,7 @@ func TestTokenHandler_Create_HappyPath(t *testing.T) {
 	if body.AuthToken == "" {
 		t.Errorf("auth_token must be present and non-empty in response")
 	}
-	if body.WorkspaceID != "ws-1" {
+	if body.WorkspaceID != wsUUID1 {
 		t.Errorf("workspace_id mismatch: %q", body.WorkspaceID)
 	}
 }
@@ -269,12 +278,12 @@ func TestTokenHandler_Revoke_HappyPath(t *testing.T) {
 	defer cleanup()

 	mock.ExpectExec(`UPDATE workspace_auth_tokens\s+SET revoked_at = now\(\)`).
-		WithArgs("tok-1", "ws-1").
+		WithArgs("tok-1", wsUUID1).
 		WillReturnResult(sqlmock.NewResult(0, 1))

 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-1", gin.Params{
-			{Key: "id", Value: "ws-1"},
+			{Key: "id", Value: wsUUID1},
 			{Key: "tokenId", Value: "tok-1"},
 		})

@@ -289,12 +298,12 @@ func TestTokenHandler_Revoke_NotFound(t *testing.T) {

 	// 0 rows affected → token not found OR already revoked.
 	mock.ExpectExec(`UPDATE workspace_auth_tokens`).
-		WithArgs("tok-ghost", "ws-1").
+		WithArgs("tok-ghost", wsUUID1).
 		WillReturnResult(sqlmock.NewResult(0, 0))

 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-ghost", gin.Params{
-			{Key: "id", Value: "ws-1"},
+			{Key: "id", Value: wsUUID1},
 			{Key: "tokenId", Value: "tok-ghost"},
 		})

@@ -312,7 +321,7 @@ func TestTokenHandler_Revoke_DBError(t *testing.T) {

 	w := makeReq(t, NewTokenHandler().Revoke, "DELETE",
 		"/workspaces/ws-1/tokens/tok-1", gin.Params{
-			{Key: "id", Value: "ws-1"},
+			{Key: "id", Value: wsUUID1},
 			{Key: "tokenId", Value: "tok-1"},
 		})

@@ -321,6 +330,59 @@ func TestTokenHandler_Revoke_DBError(t *testing.T) {
 	}
 }

+// ---- UUID validation (regression: "global" sentinel 500) ------------
+
+// The canvas Settings → Workspace Tokens tab sent the literal sentinel
+// "global" as the workspace id when no node was selected. workspace_id
+// is a `uuid` column, so the query raised
+// `invalid input syntax for type uuid: "global"` which leaked as an
+// opaque 500. List/Create/Revoke now reject any non-UUID id with a
+// clean 400 before touching the DB. No DB expectation is set on the
+// mock — a DB hit would fail ExpectationsWereMet, proving short-circuit.
+func TestTokenHandler_RejectsNonUUIDWorkspaceID(t *testing.T) {
+	h := NewTokenHandler()
+	cases := []struct {
+		name   string
+		run    func(c *gin.Context)
+		method string
+		params gin.Params
+	}{
+		{"List", h.List, "GET", gin.Params{{Key: "id", Value: "global"}}},
+		{"Create", h.Create, "POST", gin.Params{{Key: "id", Value: "global"}}},
+		{"Revoke", h.Revoke, "DELETE", gin.Params{
+			{Key: "id", Value: "global"},
+			{Key: "tokenId", Value: "tok-1"},
+		}},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			mock, cleanup := withMockDB(t)
+			defer cleanup()
+
+			w := makeReq(t, tc.run, tc.method,
+				"/workspaces/global/tokens", tc.params)
+
+			if w.Code != http.StatusBadRequest {
+				t.Fatalf("%s with non-UUID id must 400, got %d: %s",
+					tc.name, w.Code, w.Body.String())
+			}
+			var body struct {
+				Error string `json:"error"`
+			}
+			_ = json.Unmarshal(w.Body.Bytes(), &body)
+			if body.Error != "invalid workspace id" {
+				t.Errorf("%s: want error=%q, got %q",
+					tc.name, "invalid workspace id", body.Error)
+			}
+			// No query/exec was expected → if the handler hit the DB
+			// this fails, proving the guard short-circuits before SQL.
+			if err := mock.ExpectationsWereMet(); err != nil {
+				t.Errorf("%s leaked a DB call past the uuid guard: %v", tc.name, err)
+			}
+		})
+	}
+}
+
 // Compile-time noise removal: the imports list pulls in the sql /
 // driver packages and the silenced ctx so a future scenario that
 // needs them doesn't have to re-add the import. Documented here so
@@ -11,6 +11,7 @@ import (
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )

 func init() { gin.SetMode(gin.TestMode) }
@@ -167,11 +168,14 @@ func TestTokenHandler_RevokeWrongWorkspace(t *testing.T) {

 	h := NewTokenHandler()

-	// Try to revoke with a different workspace ID — should 404
+	// Try to revoke with a different (valid-UUID) workspace ID that does
+	// not own the token — should 404. A valid UUID is required so this
+	// exercises the ownership branch, not the up-front uuid-shape 400.
+	otherWS := uuid.NewString()
 	w := httptest.NewRecorder()
 	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "wrong-workspace-id"}, {Key: "tokenId", Value: tokenID}}
-	c.Request = httptest.NewRequest("DELETE", "/workspaces/wrong/tokens/"+tokenID, nil)
+	c.Params = gin.Params{{Key: "id", Value: otherWS}, {Key: "tokenId", Value: tokenID}}
+	c.Request = httptest.NewRequest("DELETE", "/workspaces/"+otherWS+"/tokens/"+tokenID, nil)
 	h.Revoke(c)

 	if w.Code != http.StatusNotFound {
@@ -1,297 +0,0 @@
-package handlers
-
-import (
-	"bytes"
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/gin-gonic/gin"
-)
-
-func setupAbilitiesTest(t *testing.T) (sqlmock.Sqlmock, func()) {
-	t.Helper()
-	mockDB, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("failed to create sqlmock: %v", err)
-	}
-	prev := db.DB
-	db.DB = mockDB
-	return mock, func() {
-		db.DB = prev
-		mockDB.Close()
-	}
-}
-
-func TestPatchAbilities_InvalidWorkspaceID_Returns400(t *testing.T) {
-	_, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "not-a-valid-uuid"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/not-a-valid-uuid/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "invalid workspace ID" {
-		t.Errorf("expected 'invalid workspace ID', got %q", body["error"])
-	}
-}
-
-func TestPatchAbilities_EmptyBody_Returns400(t *testing.T) {
-	_, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "at least one ability field required" {
-		t.Errorf("expected 'at least one ability field required', got %q", body["error"])
-	}
-}
-
-func TestPatchAbilities_InvalidJSON_Returns400(t *testing.T) {
-	_, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{invalid json}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "invalid request body" {
-		t.Errorf("expected 'invalid request body', got %q", body["error"])
-	}
-}
-
-func TestPatchAbilities_WorkspaceNotFound_Returns404(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnError(sql.ErrNoRows)
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusNotFound {
-		t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestPatchAbilities_WorkspaceDBError_Returns404(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnError(errors.New("connection refused"))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusNotFound {
-		t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestPatchAbilities_UpdateBroadcastEnabled_Returns200(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
-	mock.ExpectExec("UPDATE workspaces SET broadcast_enabled").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", true).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["status"] != "updated" {
-		t.Errorf("expected status=updated, got %v", body)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestPatchAbilities_UpdateTalkToUserEnabled_Returns200(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
-	mock.ExpectExec("UPDATE workspaces SET talk_to_user_enabled").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", true).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"talk_to_user_enabled":true}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["status"] != "updated" {
-		t.Errorf("expected status=updated, got %v", body)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestPatchAbilities_UpdateBothAbilities_Returns200(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
-	mock.ExpectExec("UPDATE workspaces SET broadcast_enabled").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", true).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectExec("UPDATE workspaces SET talk_to_user_enabled").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", false).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":true,"talk_to_user_enabled":false}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["status"] != "updated" {
-		t.Errorf("expected status=updated, got %v", body)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestPatchAbilities_UpdateBroadcastDisabled_Returns200(t *testing.T) {
-	mock, cleanup := setupAbilitiesTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT EXISTS").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"exists"}).AddRow(true))
-	mock.ExpectExec("UPDATE workspaces SET broadcast_enabled").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", false).
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("PATCH",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/abilities",
-		bytes.NewBufferString(`{"broadcast_enabled":false}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	PatchAbilities(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
@@ -1,398 +0,0 @@
-package handlers
-
-import (
-	"bytes"
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
-	"github.com/gin-gonic/gin"
-)
-
-// -------------------------------------------------------------------------- //
-// broadcastTruncate
-// -------------------------------------------------------------------------- //
-
-func TestBroadcastTruncate_ShortString_ReturnsUnmodified(t *testing.T) {
-	result := broadcastTruncate("hello", 10)
-	if result != "hello" {
-		t.Errorf("expected 'hello', got %q", result)
-	}
-}
-
-func TestBroadcastTruncate_ExactlyMaxLength_ReturnsUnmodified(t *testing.T) {
-	result := broadcastTruncate("hello", 5)
-	if result != "hello" {
-		t.Errorf("expected 'hello', got %q", result)
-	}
-}
-
-func TestBroadcastTruncate_ExceedsMaxLength_TruncatesWithEllipsis(t *testing.T) {
-	result := broadcastTruncate("hello world", 5)
-	if result != "hello…" {
-		t.Errorf("expected 'hello…', got %q", result)
-	}
-}
-
-func TestBroadcastTruncate_Unicode_TruncatesAtRuneBoundary(t *testing.T) {
-	result := broadcastTruncate("日本語テスト", 2)
-	if result != "日本…" {
-		t.Errorf("expected '日本…', got %q", result)
-	}
-}
-
-// -------------------------------------------------------------------------- //
-// BroadcastHandler
-// -------------------------------------------------------------------------- //
-
-func setupBroadcastTest(t *testing.T) (sqlmock.Sqlmock, func()) {
-	t.Helper()
-	mockDB, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("failed to create sqlmock: %v", err)
-	}
-	prev := db.DB
-	db.DB = mockDB
-	return mock, func() {
-		db.DB = prev
-		mockDB.Close()
-	}
-}
-
-func TestBroadcast_InvalidWorkspaceID_Returns400(t *testing.T) {
-	_, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "not-a-uuid"}}
-	c.Request = httptest.NewRequest("POST", "/workspaces/not-a-uuid/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "invalid workspace ID" {
-		t.Errorf("expected 'invalid workspace ID', got %q", body["error"])
-	}
-}
-
-func TestBroadcast_MissingMessage_Returns400(t *testing.T) {
-	_, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/broadcast",
-		bytes.NewBufferString(`{}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusBadRequest {
-		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "message is required" {
-		t.Errorf("expected 'message is required', got %q", body["error"])
-	}
-}
-
-func TestBroadcast_WorkspaceNotFound_Returns404(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnError(sql.ErrNoRows)
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusNotFound {
-		t.Errorf("expected 404, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_BroadcastDisabled_Returns403(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow("test-agent", false))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusForbidden {
-		t.Errorf("expected 403, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]string
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["error"] != "broadcast_disabled" {
-		t.Errorf("expected error='broadcast_disabled', got %v", body)
-	}
-	if _, ok := body["hint"]; !ok {
-		t.Errorf("expected hint field in 403 body, got %v", body)
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_RecipientQueryFails_Returns500(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow("test-agent", true))
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != ").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnError(errors.New("connection refused"))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusInternalServerError {
-		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_NoRecipients_Returns200(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow("test-agent", true))
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != ").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000").
-		WillReturnRows(sqlmock.NewRows([]string{"id"}))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs("550e8400-e29b-41d4-a716-446655440000", "Broadcast sent to 0 workspace(s)").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: "550e8400-e29b-41d4-a716-446655440000"}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/550e8400-e29b-41d4-a716-446655440000/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if body["status"] != "sent" {
-		t.Errorf("expected status=sent, got %v", body)
-	}
-	if int(body["delivered"].(float64)) != 0 {
-		t.Errorf("expected delivered=0, got %v", body["delivered"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_DeliversToOneRecipient_Returns200(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	senderID := "550e8400-e29b-41d4-a716-446655440000"
-	recipientID := "660e8400-e29b-41d4-a716-446655440001"
-	senderName := "test-agent"
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow(senderName, true))
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != ").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(recipientID))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(recipientID, senderID, "Broadcast from "+senderName+": hello").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(senderID, "Broadcast sent to 1 workspace(s)").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: senderID}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/"+senderID+"/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if int(body["delivered"].(float64)) != 1 {
-		t.Errorf("expected delivered=1, got %v", body["delivered"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_RecipientInsertFails_Continues_Returns200(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	senderID := "550e8400-e29b-41d4-a716-446655440000"
-	recipientID := "660e8400-e29b-41d4-a716-446655440001"
-	senderName := "test-agent"
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow(senderName, true))
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != ").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(recipientID))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(recipientID, senderID, "Broadcast from "+senderName+": hello").
-		WillReturnError(errors.New("connection refused"))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(senderID, "Broadcast sent to 0 workspace(s)").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: senderID}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/"+senderID+"/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if int(body["delivered"].(float64)) != 0 {
-		t.Errorf("expected delivered=0 (failed inserts don't count), got %v", body["delivered"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}
-
-func TestBroadcast_SenderLogFails_StillReturns200(t *testing.T) {
-	mock, cleanup := setupBroadcastTest(t)
-	defer cleanup()
-
-	senderID := "550e8400-e29b-41d4-a716-446655440000"
-	recipientID := "660e8400-e29b-41d4-a716-446655440001"
-	senderName := "test-agent"
-
-	mock.ExpectQuery("SELECT name, broadcast_enabled FROM workspaces").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"name", "broadcast_enabled"}).
-			AddRow(senderName, true))
-	mock.ExpectQuery("SELECT id FROM workspaces WHERE status != 'removed' AND id != ").
-		WithArgs(senderID).
-		WillReturnRows(sqlmock.NewRows([]string{"id"}).AddRow(recipientID))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(recipientID, senderID, "Broadcast from "+senderName+": hello").
-		WillReturnResult(sqlmock.NewResult(0, 1))
-	mock.ExpectExec("INSERT INTO activity_logs").
-		WithArgs(senderID, "Broadcast sent to 1 workspace(s)").
-		WillReturnError(errors.New("connection refused"))
-
-	h := NewBroadcastHandler(newTestBroadcaster())
-	w := httptest.NewRecorder()
-	c, _ := gin.CreateTestContext(w)
-	c.Params = gin.Params{{Key: "id", Value: senderID}}
-	c.Request = httptest.NewRequest("POST",
-		"/workspaces/"+senderID+"/broadcast",
-		bytes.NewBufferString(`{"message":"hello"}`))
-	c.Request.Header.Set("Content-Type", "application/json")
-	c.Request = c.Request.WithContext(context.Background())
-
-	h.Broadcast(c)
-
-	if w.Code != http.StatusOK {
-		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
-	}
-	var body map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-	if int(body["delivered"].(float64)) != 1 {
-		t.Errorf("expected delivered=1, got %v", body["delivered"])
-	}
-	if err := mock.ExpectationsWereMet(); err != nil {
-		t.Errorf("unmet expectations: %v", err)
-	}
-}