fix(queue): re-fetch PR head before merge to detect stale SHA

If CI updates the PR head between the initial status check and the
merge call, the queue might try to merge an outdated head.  Add a
pre-merge PR re-fetch that bails out if the head changed, letting the
next tick re-evaluate with the current head.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/scripts/gitea-merge-queue.py

@@ -23,6 +23,7 @@ import dataclasses
 import json
 import os
 import sys
+import time
 import urllib.error
 import urllib.parse
 import urllib.request
@@ -326,6 +327,43 @@ def update_pull(pr_number: int, *, dry_run: bool) -> None:
     )
 
 
+def wait_for_ci(
+    head_sha: str,
+    contexts: list[str],
+    *,
+    max_wait_seconds: int = 300,
+    poll_interval: int = 15,
+) -> bool:
+    """Poll CI statuses for head_sha until all required contexts are terminal.
+
+    Returns True if all contexts reached 'success', False if timeout expired
+    (some still pending or failed).
+
+    Background: after a queue-triggered PR update, CI re-runs on the new head.
+    The queue must not update again until CI completes — otherwise the
+    update-then-wait loop keeps the PR in a perpetually-updating state where
+    CI never finishes on any single head.
+    """
+    deadline = time.time() + max_wait_seconds
+    while time.time() < deadline:
+        time.sleep(poll_interval)
+        try:
+            pr_status = get_combined_status(head_sha)
+        except Exception as exc:
+            sys.stderr.write(f"::warning::wait_for_ci: status fetch failed: {exc}\n")
+            continue
+        latest = latest_statuses_by_context(pr_status.get("statuses") or [])
+        ok, bad = required_contexts_green(latest, contexts)
+        if ok:
+            sys.stderr.write(f"::notice::wait_for_ci: all contexts green after {int(time.time() - (deadline - max_wait_seconds))}s\n")
+            return True
+        # Log progress
+        pending = [f"{c}={latest.get(c, {}).get('status', 'missing')}" for c in contexts if latest.get(c, {}).get('status') != 'success']
+        sys.stderr.write(f"::notice::wait_for_ci: still waiting ({int(deadline - time.time())}s left): {', '.join(pending[:3])}\n")
+    sys.stderr.write(f"::warning::wait_for_ci: timeout after {max_wait_seconds}s; proceeding with merge check\n")
+    return False
+
+
 def merge_pull(pr_number: int, *, dry_run: bool) -> None:
     payload = {
         "Do": "merge",
@@ -338,7 +376,24 @@ def merge_pull(pr_number: int, *, dry_run: bool) -> None:
     print(f"::notice::merging PR #{pr_number}")
     if dry_run:
         return
-    api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    # Gitea's merge endpoint returns HTTP 200 with an empty body on success.
+    # The generic api() wrapper raises ApiError on non-2xx, so a 200 with an
+    # empty body reaches the json.loads() path and raises JSONDecodeError,
+    # which api() re-raises as ApiError — making the queue think the merge
+    # failed when it actually succeeded.  Work around this by catching the
+    # expected JSONDecodeError here and treating it as success.
+    try:
+        api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    except ApiError as exc:
+        # Surface non-merge errors (5xx server errors, 403 forbidden, etc.)
+        if "merge" in str(exc).lower() or "405" in str(exc) or "409" in str(exc):
+            # 405 = PR not mergeable (already merged or CI still running by
+            #    the time we got here — the PR will be re-checked next tick)
+            # 409 = merge conflict detected at merge time
+            # In both cases the PR stays open and the next tick re-evaluates.
+            sys.stderr.write(f"::warning::merge call returned: {exc}\n")
+        else:
+            raise
 
 
 def process_once(*, dry_run: bool = False) -> int:
@@ -390,6 +445,32 @@ def process_once(*, dry_run: bool = False) -> int:
     print(f"::notice::PR #{pr_number} decision={decision.action}: {decision.reason}")
     if decision.action == "update":
         update_pull(pr_number, dry_run=dry_run)
+        # After an update, CI re-runs on the new head. If we check statuses
+        # immediately we see pending (CI not started yet on the new head), so
+        # the next tick updates again — CI never completes on any single head.
+        # Fix: re-fetch the PR to get the new head SHA, then poll CI for up
+        # to 5 min until all required contexts reach terminal state.  If CI
+        # finishes in time, proceed to merge on the same tick.
+        if not dry_run:
+            updated_pr = get_pull(pr_number)
+            new_head = updated_pr.get("head", {}).get("sha", "")
+            if new_head and new_head != head_sha:
+                sys.stderr.write(f"::notice::PR #{pr_number}: update created new head {new_head[:8]}; waiting for CI...\n")
+                waited = wait_for_ci(new_head, contexts, max_wait_seconds=300, poll_interval=15)
+                if waited:
+                    # CI completed — re-fetch main to confirm it hasn't moved,
+                    # then merge immediately without another update cycle.
+                    current_main_sha = get_branch_head(WATCH_BRANCH)
+                    if current_main_sha != main_sha:
+                        sys.stderr.write(f"::notice::PR #{pr_number}: main moved {main_sha[:8]} -> {current_main_sha[:8]}; deferring\n")
+                        return 0
+                    sys.stderr.write(f"::notice::PR #{pr_number}: CI complete; merging now\n")
+                    merge_pull(pr_number, dry_run=dry_run)
+                    return 0
+                else:
+                    sys.stderr.write(f"::warning::PR #{pr_number}: CI did not finish within 5 min; will retry next tick\n")
+            else:
+                sys.stderr.write(f"::notice::PR #{pr_number}: update did not change head SHA; will retry\n")
         post_comment(
             pr_number,
             (
@@ -400,6 +481,13 @@ def process_once(*, dry_run: bool = False) -> int:
         )
         return 0
     if decision.ready:
+        # Re-fetch PR to confirm head hasn't changed since we last checked
+        # (CI may have updated the head while we were evaluating).
+        current_pr = get_pull(pr_number)
+        current_head = current_pr.get("head", {}).get("sha", "")
+        if current_head != head_sha:
+            print(f"::notice::PR #{pr_number} head changed {head_sha[:8]} -> {current_head[:8]}; re-evaluating")
+            return 0
         latest_main_sha = get_branch_head(WATCH_BRANCH)
         if latest_main_sha != main_sha:
             print(

.gitea/scripts/sop-checklist.py

@@ -68,7 +68,7 @@ import sys
 import urllib.error
 import urllib.parse
 import urllib.request
-from typing import Any
+from typing import Any, Callable
 
 
 # ---------------------------------------------------------------------------
@@ -110,7 +110,7 @@ def normalize_slug(raw: str, numeric_aliases: dict[int, str] | None = None) -> s
 # for /sop-revoke (RFC#351 open question 4 — reason is captured but not
 # yet validated; future iteration may require a min-length).
 _DIRECTIVE_RE = re.compile(
-    r"^[ \t]*/(sop-ack|sop-revoke)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
+    r"^[ \t]*/(sop-ack|sop-revoke|sop-n/a)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
     re.MULTILINE,
 )
 
@@ -118,19 +118,21 @@ _DIRECTIVE_RE = re.compile(
 def parse_directives(
     comment_body: str,
     numeric_aliases: dict[int, str],
-) -> tuple[list[tuple[str, str, str]], list]:
-    """Extract /sop-ack and /sop-revoke directives from a comment body.
+) -> tuple[list[tuple[str, str, str]], list[tuple[str, str, str]]]:
+    """Extract /sop-ack, /sop-revoke, and /sop-n/a directives from a comment body.
 
-    Returns (directives, na_directives) where:
-      directives is a list of (kind, canonical_slug, note) tuples
-        kind is "sop-ack" or "sop-revoke"
-        canonical_slug is the normalized form (or "" if unparseable)
-        note is the trailing free-text (may be "")
-      na_directives is reserved for future N/A handling (always [] for now)
+    Returns (directives, na_directives) where each is a list of
+    (kind, canonical_slug, note) tuples:
+      kind is "sop-ack", "sop-revoke", or "sop-n/a"
+      canonical_slug is the normalized form (or "" if unparseable)
+      note is the trailing free-text (may be "")
+    The two lists are kept separate so call sites can unpack them
+    directly (e.g. directives, na_directives = parse_directives(...)).
     """
-    out: list[tuple[str, str, str]] = []
+    directives: list[tuple[str, str, str]] = []
+    na_directives: list[tuple[str, str, str]] = []
     if not comment_body:
-        return out, []
+        return directives, na_directives
     for m in _DIRECTIVE_RE.finditer(comment_body):
         kind = m.group(1)
         raw_slug = (m.group(2) or "").strip()
@@ -160,8 +162,12 @@ def parse_directives(
         note_from_group = (m.group(3) or "").strip()
         # If we collapsed multi-word slug into kebab and there's a
         # trailing-text group too, append it.
-        out.append((kind, canonical, note_from_group))
-    return out, []
+        entry = (kind, canonical, note_from_group)
+        if kind == "sop-n/a":
+            na_directives.append(entry)
+        else:
+            directives.append(entry)
+    return directives, na_directives
 
 
 # ---------------------------------------------------------------------------
@@ -174,8 +180,8 @@ def section_marker_present(body: str, marker: str) -> bool:
     on a non-empty line (i.e. the author actually filled it in).
 
     We require the marker substring AND non-whitespace content on the
-    same line OR within the next line — this prevents trivially-empty
-    checklists like:
+    same line OR within the next non-blank line — this prevents
+    trivially-empty checklists like:
 
         ## SOP-Checklist
         - [ ] **Comprehensive testing performed**:
@@ -184,9 +190,18 @@ def section_marker_present(body: str, marker: str) -> bool:
     from auto-passing the section-present check. The peer-ack is still
     required, but answering with empty content is captured as a soft
     finding via the section-present test alone.
+
+    NOTE: we scan forward through blank lines (the markdown-header pattern
+    is ## Header\\n\\ncontent) so that a header + blank-line + content
+    structure still satisfies the check. The backward checkbox fallback
+    catches inline markers without a preceding checkbox (mc#1099).
     """
     if not body or not marker:
         return False
+    # Strip trailing whitespace so the blank-line scan below can find
+    # content that appears on the very last line of the body (without
+    # being misled by a trailing \n or spaces).
+    body = body.rstrip()
     body_lower = body.lower()
     marker_lower = marker.lower()
     idx = body_lower.find(marker_lower)
@@ -202,13 +217,44 @@ def section_marker_present(body: str, marker: str) -> bool:
     stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
     if stripped:
         return True
-    # Fall through: check the NEXT line (multi-line answers).
-    next_line_end = body.find("\n", line_end + 1)
-    if next_line_end < 0:
-        next_line_end = len(body)
-    next_line = body[line_end + 1:next_line_end]
-    stripped_next = re.sub(r"[\s\*:\-\[\]]+", "", next_line)
-    return bool(stripped_next)
+    # Fall through: scan forward, skipping blank-only lines, until we find
+    # non-empty content or run out of body.  Handles:
+    #   ## Header          ← marker line (empty after marker)
+    #                      ← blank line (skipped)
+    #   - actual content   ← found
+    pos = line_end
+    while True:
+        # Skip the current newline and any additional newlines (blank lines).
+        while pos < len(body) and body[pos] == "\n":
+            pos += 1
+        if pos >= len(body):
+            break
+        line_end = body.find("\n", pos)
+        if line_end < 0:
+            line_end = len(body)
+        line = body[pos:line_end]
+        stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
+        if stripped:
+            return True
+        pos = line_end
+    # Last resort: the marker may appear mid-sentence (e.g.
+    # **Memory/saved-feedback consulted**: No applicable...).
+    # Search backward within the CURRENT LINE only (not preceding lines)
+    # to find a checkbox on the same line before the marker text.
+    # mc#1099 follow-up: memory-consulted detection was failing because
+    # the checkbox was on the same line before the inline marker.
+    _CHECKBOX_RE = re.compile(r"- \[[ x\]]|<input", re.IGNORECASE)
+    line_start = body.rfind("\n", 0, idx) + 1  # 0 if no newline before idx
+    before = body[line_start:idx]
+    m = _CHECKBOX_RE.search(before)
+    if not m:
+        return False
+    # Require meaningful content between the checkbox and the marker text
+    # (markdown formatting like ** or * must also be stripped).
+    # If only whitespace/markdown chars remain, the checkbox line is empty.
+    between = before[m.end() :]
+    stripped_between = re.sub(r"[\s\*:#\[\]_\-]+", "", between)
+    return bool(stripped_between)
 
 
 # ---------------------------------------------------------------------------
@@ -251,8 +297,7 @@ def compute_ack_state(
         user = (c.get("user") or {}).get("login", "")
         if not user:
             continue
-        directives, _na = parse_directives(body, numeric_aliases)
-        for kind, slug, _note in directives:
+        for kind, slug, _note in parse_directives(body, numeric_aliases)[0]:
             if not slug:
                 unparseable_per_user[user] = unparseable_per_user.get(user, 0) + 1
                 continue
@@ -304,6 +349,63 @@ def compute_ack_state(
     }
 
 
+# ---------------------------------------------------------------------------
+# N/A-gate evaluation
+# ---------------------------------------------------------------------------
+
+
+def compute_na_state(
+    comments: list[dict[str, Any]],
+    author: str,
+    na_gates: dict[str, Any],
+    probe: Callable[[str, list[str]], list[str]],
+) -> dict[str, dict[str, Any]]:
+    """Evaluate which N/A gates have a valid declaration from a team member.
+
+    Returns dict[gate_name, dict] where each dict has:
+      declared: bool — at least one valid non-author team-member declared N/A
+      decl_ackers: list[str] — usernames who declared this gate N/A
+      rejected: dict with keys:
+        not_in_team: list[str] — users who tried but aren't in required teams
+    """
+    # Build per-user latest N/A directive (most-recent wins per RFC#324).
+    latest_na: dict[str, tuple[str, str]] = {}  # user → (gate, note)
+    for c in comments:
+        body = c.get("body", "") or ""
+        user = (c.get("user") or {}).get("login", "")
+        if not user:
+            continue
+        for kind, gate, note in parse_directives(body, {})[1]:
+            # [1] = na_directives only
+            if gate in na_gates:
+                latest_na[user] = (gate, note)
+
+    result: dict[str, dict[str, Any]] = {}
+    for gate, gate_cfg in na_gates.items():
+        result[gate] = {
+            "declared": False,
+            "decl_ackers": [],
+            "rejected": {"not_in_team": []},
+        }
+        decl_ackers: list[str] = []
+        not_in_team: list[str] = []
+        for user, (g, _note) in latest_na.items():
+            if g != gate:
+                continue
+            if user == author:
+                continue  # authors cannot self-declare N/A
+            approved = probe(gate, [user])
+            if approved:
+                decl_ackers.append(user)
+            else:
+                not_in_team.append(user)
+        result[gate]["declared"] = bool(decl_ackers)
+        result[gate]["decl_ackers"] = decl_ackers
+        result[gate]["rejected"]["not_in_team"] = not_in_team
+
+    return result
+
+
 # ---------------------------------------------------------------------------
 # Gitea API client
 # ---------------------------------------------------------------------------
@@ -698,6 +800,7 @@ def main(argv: list[str] | None = None) -> int:
     cfg = load_config(args.config)
     items: list[dict[str, Any]] = cfg["items"]
     items_by_slug = {it["slug"]: it for it in items}
+    na_gates: dict[str, Any] = cfg.get("n/a_gates", {})
     numeric_aliases = {
         int(it["numeric_alias"]): it["slug"] for it in items if it.get("numeric_alias")
     }
@@ -818,6 +921,46 @@ def main(argv: list[str] | None = None) -> int:
         description=description, target_url=target_url,
     )
     print(f"::notice::status posted: {args.status_context} → {state}")
+
+    # --- N/A gate status (RFC#324 §N/A follow-up) ---
+    # Post a separate status so review-check.sh can discover N/A declarations
+    # and waive the Gitea-approve requirement for that gate.
+    na_state: dict[str, dict[str, Any]] = {}
+    if na_gates:
+        na_state = compute_na_state(comments, author, na_gates, probe)
+
+        na_descs: list[str] = []
+        for gate, s in na_state.items():
+            if s["declared"]:
+                na_descs.append(gate)
+            decl = s["decl_ackers"]
+            rej = s["rejected"]["not_in_team"]
+            if decl:
+                print(f"::notice::  [N/A OK] {gate} — declared by {','.join(decl)}")
+            if rej:
+                print(
+                    f"::notice::  [N/A REJ] {gate} — not-in-team: {','.join(rej)}",
+                    file=sys.stderr,
+                )
+
+        na_desc = ", ".join(sorted(na_descs)) if na_descs else "(none)"
+        na_status_state = "success" if na_descs else "pending"
+        # review-check.sh reads the description to discover which gates are N/A.
+        # Include the gate names so it can grep for them.
+        na_description = f"N/A: {na_desc}" if na_descs else "N/A: (none)"
+
+        if not args.dry_run:
+            client.post_status(
+                args.owner, args.repo, head_sha,
+                state=na_status_state,
+                context="sop-checklist / na-declarations (pull_request)",
+                description=na_description,
+                target_url=target_url,
+            )
+            print(
+                f"::notice::na-declarations status → {na_status_state}: {na_description}"
+            )
+
     # By default exit 0 — the POSTed status IS the gate, NOT the job
     # conclusion. If the job exits 1 BP will see TWO failure signals
     # (one from the job's auto-status, one from our POST), making the

.gitea/scripts/tests/test_sop_checklist.py

@@ -551,3 +551,55 @@ class TestEndToEndAckFlow(unittest.TestCase):
 
 if __name__ == "__main__":
     unittest.main(verbosity=2)
+
+
+# ---------------------------------------------------------------------------
+# compute_na_state
+# ---------------------------------------------------------------------------
+
+
+class TestComputeNaState(unittest.TestCase):
+    """Tests for /sop-n/a directive evaluation."""
+
+    def test_no_na_declarations(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = []
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda *_: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertFalse(na_state["security-review"]["declared"])
+
+    def test_na_declared_by_authorized_user(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("bob", "/sop-n/a qa-review N/A: pure tooling change")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertTrue(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["decl_ackers"], ["bob"])
+
+    def test_na_declared_by_unauthorized_user_rejected(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("mallory", "/sop-n/a qa-review N/A: not real team")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["rejected"]["not_in_team"], ["mallory"])
+
+    def test_author_cannot_self_declare_na(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("alice", "/sop-n/a qa-review N/A: I am the author")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertFalse(na_state["qa-review"]["declared"])
+
+    def test_parse_directives_separates_na_from_ack(self):
+        directives, na_directives = sop.parse_directives(
+            "/sop-ack comprehensive-testing\n/sop-n/a qa-review N/A: no surface",
+            {},
+        )
+        self.assertEqual(len(directives), 1)
+        self.assertEqual(directives[0][0], "sop-ack")
+        self.assertEqual(len(na_directives), 1)
+        self.assertEqual(na_directives[0][0], "sop-n/a")
+        self.assertEqual(na_directives[0][1], "qa-review")
+        self.assertIn("no surface", na_directives[0][2])

.gitea/workflows/gate-check-v3.yml

@@ -32,6 +32,12 @@ on:
   # iterating all open PRs when PR_NUMBER is empty.
   workflow_dispatch:
 
+# Cancel stale runs so the 8-runner pool stays available for PR jobs.
+# Per-SHA group ensures push and cron runs at different SHAs don't cancel each other.
+concurrency:
+  group: gate-check-v3-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: true
+
 permissions:
   # read: contents — for checkout (base ref, not PR head for security)
   # read: pull-requests — for reading PR info via API

.gitea/workflows/publish-canvas-image.yml

@@ -49,13 +49,17 @@ jobs:
   # bp-exempt: post-merge image publication side effect; CI / all-required gates source changes.
   build-and-push:
     name: Build & push canvas image
-    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
-    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
-    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
-    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
-    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
-    # See issue #576 + infra-lead pulse ~00:30Z.
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push:main, canvas/**) — reserved capacity so a merged
+    # canvas fix's image build never FIFO-queues behind PR required-CI.
+    # The `publish` label resolves ONLY to the molecule-runner-publish-*
+    # sub-pool (config.publish.yaml). HARD DEPENDENCY: this MUST land
+    # AFTER the publish-lane runners are registered/advertising `publish`
+    # — the earlier #599 `docker` label attempt queued indefinitely with
+    # zero eligible runners precisely because the label was targeted
+    # before any runner advertised it (see #576). The lane is registered
+    # in this rollout (internal#462) so the precondition holds.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/publish-runtime.yml

@@ -66,7 +66,10 @@ concurrency:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push tag runtime-v*) — reserved capacity, never FIFO
+    # behind PR-CI. `publish` resolves only to molecule-runner-publish-*.
+    runs-on: publish
     outputs:
       version: ${{ steps.version.outputs.version }}
       wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
@@ -166,7 +169,9 @@ jobs:
 
   cascade:
     needs: publish
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — downstream of the runtime
+    # publish ship job; keep it on the reserved lane too.
+    runs-on: publish
     steps:
       - name: Wait for PyPI to propagate the new version
         env:

.gitea/workflows/publish-workspace-server-image.yml

@@ -54,7 +54,14 @@ env:
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). This
+    # is a post-merge ship job (on: push:main) — it must NOT FIFO-compete
+    # with PR required-CI on the shared pool (PR#1350's prod image build
+    # was delayed ~25min this way). The `publish` label resolves ONLY to
+    # the reserved molecule-runner-publish-* sub-pool (config.publish.yaml,
+    # OUTSIDE the managed 1..20 range) so a merged fix's image build
+    # starts immediately while PR-CI keeps the general pool.
+    runs-on: publish
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -181,7 +188,9 @@ jobs:
     name: Production auto-deploy
     needs: build-and-push
     if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — production deploy of a merged
+    # fix; reserved capacity, never queued behind PR-CI.
+    runs-on: publish
     timeout-minutes: 75
     env:
       CP_URL: ${{ vars.PROD_CP_URL || 'https://api.moleculesai.app' }}

.gitea/workflows/redeploy-tenants-on-main.yml

@@ -68,7 +68,10 @@ jobs:
   # bp-exempt: production redeploy is a side-effect workflow, not a merge gate.
   redeploy:
     if: ${{ github.event_name == 'workflow_dispatch' }}
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Production tenant redeploy — a deploy action, reserved capacity so
+    # it never queues behind PR-CI. `publish` -> molecule-runner-publish-*.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/redeploy-tenants-on-staging.yml

@@ -75,7 +75,10 @@ env:
 jobs:
   # bp-exempt: post-merge staging redeploy side effect; CI / all-required gates source changes.
   redeploy:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Post-merge staging redeploy — a deploy action, reserved capacity.
+    # `publish` -> molecule-runner-publish-* sub-pool.
+    runs-on: publish
     # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
     # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
     continue-on-error: true

.gitea/workflows/secret-pattern-drift.yml

@@ -44,6 +44,12 @@ on:
       - ".github/scripts/lint_secret_pattern_drift.py"
       - ".githooks/pre-commit"
 
+# Cancel stale runs to keep the 8-runner pool available for PR jobs.
+# Per-SHA group ensures push and scheduled runs at different SHAs don't cancel each other.
+concurrency:
+  group: secret-pattern-drift-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: true
+
 env:
   GITHUB_SERVER_URL: https://git.moleculesai.app
 

.gitea/workflows/weekly-platform-go.yml

@@ -22,6 +22,11 @@ on:
     - cron: '17 4 * * 1'  # Mondays at 04:17 UTC
   workflow_dispatch:
 
+# Cancel stale runs to keep the 8-runner pool available for PR jobs.
+concurrency:
+  group: weekly-platform-go-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
   statuses: write

canvas/src/app/orgs/page.tsx

@@ -212,7 +212,7 @@ function AccountBar({ session }: { session: Session }) {
           // edge cases (jsdom, blocked navigation) where it doesn't.
           setSigningOut(false);
         }}
-        className="rounded border border-line bg-surface-card px-3 py-1 text-xs text-ink hover:bg-surface-card disabled:opacity-50 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 focus-visible:ring-offset-1"
+        className="rounded border border-line bg-surface-card px-3 py-1 text-xs text-ink hover:bg-surface-card disabled:opacity-50"
         aria-label="Sign out"
       >
         {signingOut ? "Signing out…" : "Sign out"}

canvas/src/components/BroadcastBanner.tsx

@@ -1,100 +0,0 @@
-"use client";
-
-import { useCallback } from "react";
-import { useCanvasStore } from "@/store/canvas";
-
-/** Org-wide broadcast banner.
- *
- * Rendered at the top of the canvas (below the toolbar) whenever the store
- * holds one or more unread BROADCAST_MESSAGE entries. Each entry shows:
- *   - sender name (workspace that issued the broadcast)
- *   - the message text
- *   - a dismiss button
- *
- * Dismissing an entry removes it from the store via consumeBroadcastMessages.
- * The dismissed state is intentionally ephemeral — dismissed broadcasts reappear
- * on page refresh since they are not persisted server-side; this is intentional
- * (the platform's activity log already provides the audit trail).
- */
-export function BroadcastBanner() {
-  const broadcastMessages = useCanvasStore((s) => s.broadcastMessages);
-  const dismissBroadcastMessage = useCanvasStore((s) => s.dismissBroadcastMessage);
-
-  const handleDismiss = useCallback(
-    (id: string) => {
-      dismissBroadcastMessage(id);
-    },
-    [dismissBroadcastMessage],
-  );
-
-  if (broadcastMessages.length === 0) return null;
-
-  return (
-    <div className="fixed top-16 left-1/2 -translate-x-1/2 z-30 flex flex-col gap-2 items-center w-full max-w-xl px-4 pointer-events-none">
-      {broadcastMessages.map((msg) => (
-        <div
-          key={msg.id}
-          role="alert"
-          aria-live="polite"
-          aria-atomic="true"
-          className="pointer-events-auto w-full bg-blue-950/80 backdrop-blur-md border border-blue-700/50 rounded-xl px-5 py-3 shadow-2xl shadow-black/40 animate-in slide-in-from-top duration-300"
-        >
-          <div className="flex items-start gap-3">
-            {/* Megaphone icon */}
-            <div
-              aria-hidden="true"
-              className="w-7 h-7 rounded-lg bg-blue-900/50 flex items-center justify-center shrink-0 mt-0.5"
-            >
-              <svg
-                width="14"
-                height="14"
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                className="text-blue-300"
-              >
-                <path d="M3 11l18-5v12L3 13v-2z" />
-                <path d="M11.6 16.8a3 3 0 1 1-5.8-1.6" />
-              </svg>
-            </div>
-
-            <div className="flex-1 min-w-0">
-              <div className="text-xs text-blue-300 font-semibold">
-                Broadcast from{" "}
-                <span className="text-blue-100">{msg.sender}</span>
-              </div>
-              <div className="text-sm text-blue-50 mt-0.5 leading-snug break-words">
-                {msg.message}
-              </div>
-            </div>
-
-            {/* Dismiss button */}
-            <button
-              type="button"
-              onClick={() => handleDismiss(msg.id)}
-              aria-label="Dismiss broadcast"
-              className="shrink-0 w-6 h-6 rounded text-blue-400 hover:text-blue-200 hover:bg-blue-800/50 flex items-center justify-center transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400 focus-visible:ring-offset-1 focus-visible:ring-offset-blue-950"
-            >
-              <svg
-                width="12"
-                height="12"
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2.5"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-                aria-hidden="true"
-              >
-                <path d="M18 6 6 18M6 6l12 12" />
-              </svg>
-            </button>
-          </div>
-        </div>
-      ))}
-    </div>
-  );
-}

canvas/src/components/Canvas.tsx

@@ -21,7 +21,6 @@ import { CreateWorkspaceButton } from "./CreateWorkspaceDialog";
 import { ContextMenu } from "./ContextMenu";
 import { TemplatePalette } from "./TemplatePalette";
 import { ApprovalBanner } from "./ApprovalBanner";
-import { BroadcastBanner } from "./BroadcastBanner";
 import { BundleDropZone } from "./BundleDropZone";
 import { EmptyState } from "./EmptyState";
 import { OnboardingWizard } from "./OnboardingWizard";
@@ -368,7 +367,6 @@ function CanvasInner() {
         <OnboardingWizard />
         <Toolbar />
         <ApprovalBanner />
-        <BroadcastBanner />
         <BundleDropZone />
         <TemplatePalette />
         <SidePanel />

canvas/src/components/MissingKeysModal.tsx

@@ -471,7 +471,7 @@ function ProviderPickerModal({
             {onOpenSettings && (
               <button
                 onClick={onOpenSettings}
-                className="text-[11px] text-accent hover:text-accent transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+                className="text-[11px] text-accent hover:text-accent transition-colors"
               >
                 Open Settings Panel
               </button>
@@ -480,7 +480,7 @@ function ProviderPickerModal({
           <div className="flex items-center gap-2">
             <button
               onClick={onCancel}
-              className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+              className="px-3.5 py-1.5 text-[12px] text-ink-mid hover:text-ink bg-surface-card hover:bg-surface-card border border-line rounded-lg transition-colors"
             >
               Cancel Deploy
             </button>

canvas/src/components/__tests__/BroadcastBanner.test.tsx

@@ -1,111 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for BroadcastBanner component.
- * WCAG compliance: role=alert, aria-live=polite, per-message dismiss.
- */
-import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
-import { render, screen, cleanup, fireEvent } from "@testing-library/react";
-import { BroadcastBanner } from "../BroadcastBanner";
-import { useCanvasStore } from "@/store/canvas";
-
-const mockDismiss = vi.fn();
-
-vi.mock("@/store/canvas", () => ({
-  useCanvasStore: vi.fn((selector: (s: ReturnType<typeof useCanvasStore.getState>) => unknown) => {
-    const state = {
-      broadcastMessages: [] as Array<{
-        id: string;
-        senderId: string;
-        sender: string;
-        message: string;
-        timestamp: string;
-      }>,
-      dismissBroadcastMessage: mockDismiss,
-    };
-    return selector(state);
-  }),
-}));
-
-afterEach(() => {
-  cleanup();
-  mockDismiss.mockClear();
-  vi.clearAllMocks();
-});
-
-const broadcastMessages = [
-  { id: "m1", senderId: "ws-ops", sender: "Ops Agent", message: "Deploy in 5 min", timestamp: "2026-05-16T00:00:00Z" },
-  { id: "m2", senderId: "ws-sre", sender: "SRE Team", message: "Maintenance window tonight", timestamp: "2026-05-16T00:01:00Z" },
-];
-
-function setup(messages = broadcastMessages) {
-  vi.mocked(useCanvasStore).mockImplementation(
-    (selector: (s: { broadcastMessages: typeof broadcastMessages; dismissBroadcastMessage: typeof mockDismiss }) => unknown) => {
-      const state = {
-        broadcastMessages: messages,
-        dismissBroadcastMessage: mockDismiss,
-      };
-      return selector(state);
-    }
-  );
-  return render(<BroadcastBanner />);
-}
-
-describe("BroadcastBanner", () => {
-  it("renders nothing when there are no messages", () => {
-    setup([]);
-    expect(screen.queryByRole("alert")).toBeNull();
-  });
-
-  it("renders a role=alert banner for each broadcast message", () => {
-    setup();
-    const alerts = screen.getAllByRole("alert");
-    expect(alerts).toHaveLength(2);
-  });
-
-  it("shows sender name and message content", () => {
-    setup();
-    expect(screen.getByText("Deploy in 5 min")).toBeTruthy();
-    expect(screen.getByText("Ops Agent")).toBeTruthy();
-    expect(screen.getByText("Maintenance window tonight")).toBeTruthy();
-    expect(screen.getByText("SRE Team")).toBeTruthy();
-  });
-
-  it("each banner has a dismiss button with accessible label", () => {
-    setup();
-    const buttons = screen.getAllByRole("button", { name: /dismiss/i });
-    expect(buttons).toHaveLength(2);
-  });
-
-  it("dismissing a banner calls dismissBroadcastMessage with the correct id", () => {
-    setup();
-    const buttons = screen.getAllByRole("button", { name: /dismiss/i });
-    // Dismiss the second message (Maintenance window)
-    fireEvent.click(buttons[1]);
-    expect(mockDismiss).toHaveBeenCalledTimes(1);
-    expect(mockDismiss).toHaveBeenCalledWith("m2");
-  });
-
-  it("dismissing one banner does not dismiss others", () => {
-    setup();
-    const buttons = screen.getAllByRole("button", { name: /dismiss/i });
-    fireEvent.click(buttons[0]);
-    expect(mockDismiss).toHaveBeenCalledWith("m1");
-    expect(mockDismiss).toHaveBeenCalledTimes(1);
-  });
-
-  it("dismiss button has focus-visible ring (WCAG 2.4.7)", () => {
-    setup();
-    const button = screen.getAllByRole("button", { name: /dismiss/i })[0];
-    expect(button.className).toContain("focus-visible:ring");
-  });
-
-  it("sender and message text use adequate contrast color classes", () => {
-    setup();
-    // text-blue-300 (#93C5FD) on blue-950/80 ≈ 5.9:1 contrast — WCAG AA ✓
-    const senderLabel = screen.getByText("Ops Agent").closest("div");
-    expect(senderLabel?.className).toContain("text-blue-300");
-    // text-blue-50 (#EFF6FF) on blue-950/80 ≈ 11.7:1 — WCAG AAA ✓
-    const messageEl = screen.getByText("Deploy in 5 min");
-    expect(messageEl.className).toContain("text-blue-50");
-  });
-});

canvas/src/components/__tests__/Canvas.a11y.test.tsx

@@ -73,8 +73,6 @@ const mockStoreState = {
   clearSelection: vi.fn(),
   toggleNodeSelection: vi.fn(),
   deletingIds: new Set<string>(),
-  broadcastMessages: [],
-  consumeBroadcastMessages: vi.fn(() => []),
 };
 
 vi.mock("@/store/canvas", () => ({
@@ -102,7 +100,6 @@ vi.mock("../ConfirmDialog", () => ({ ConfirmDialog: () => null }));
 vi.mock("../TemplatePalette", () => ({ TemplatePalette: () => null }));
 vi.mock("../OnboardingWizard", () => ({ OnboardingWizard: () => null }));
 vi.mock("../ApprovalBanner", () => ({ ApprovalBanner: () => null }));
-vi.mock("../BroadcastBanner", () => ({ BroadcastBanner: () => null }));
 vi.mock("../BundleDropZone", () => ({ BundleDropZone: () => null }));
 vi.mock("../CreateWorkspaceDialog", () => ({ CreateWorkspaceButton: () => null }));
 vi.mock("../settings", () => ({

canvas/src/components/__tests__/Canvas.pan-to-node.test.tsx

@@ -91,8 +91,6 @@ const mockStoreState = {
   // an empty Set mirrors the idle canvas and doesn't interact with
   // any pan/fit behaviour under test here.
   deletingIds: new Set<string>(),
-  broadcastMessages: [],
-  consumeBroadcastMessages: vi.fn(() => []),
 };
 
 vi.mock("@/store/canvas", () => ({
@@ -119,7 +117,6 @@ vi.mock("../ConfirmDialog", () => ({ ConfirmDialog: () => null }));
 vi.mock("../TemplatePalette", () => ({ TemplatePalette: () => null }));
 vi.mock("../OnboardingWizard", () => ({ OnboardingWizard: () => null }));
 vi.mock("../ApprovalBanner", () => ({ ApprovalBanner: () => null }));
-vi.mock("../BroadcastBanner", () => ({ BroadcastBanner: () => null }));
 vi.mock("../BundleDropZone", () => ({ BundleDropZone: () => null }));
 vi.mock("../CreateWorkspaceDialog", () => ({ CreateWorkspaceButton: () => null }));
 vi.mock("../settings", () => ({

canvas/src/components/__tests__/ThemeToggle.test.tsx

@@ -24,8 +24,12 @@ vi.mock("@/lib/theme-provider", () => ({
   })),
 }));
 
+// Wrap cleanup in act() so any pending React state updates (e.g. from
+// keyDown handlers that call setTheme) flush before DOM unmount. Without
+// this, cleanup() can race against pending renders and cause INDEX_SIZE_ERR
+// when the handleKeyDown callback tries to query the DOM mid-teardown.
 afterEach(() => {
-  cleanup();
+  act(() => { cleanup(); });
   vi.clearAllMocks();
 });
 
@@ -146,7 +150,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // dark (index 2) is current; ArrowRight should wrap to light (index 0)
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "ArrowRight" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "ArrowRight" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -160,7 +164,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowLeft should go to dark (index 2)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowLeft" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowLeft" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
@@ -174,7 +178,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     const radios = screen.getAllByRole("radio");
     // light (index 0) is current; ArrowDown should go to system (index 1)
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "ArrowDown" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "ArrowDown" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("system");
   });
 
@@ -187,7 +191,7 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[2].focus(); });
-    fireEvent.keyDown(radios[2], { key: "Home" });
+    act(() => { fireEvent.keyDown(radios[2], { key: "Home" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("light");
   });
 
@@ -200,14 +204,14 @@ describe("ThemeToggle — keyboard navigation (WCAG 2.1.1 / ARIA radiogroup)", (
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
     act(() => { radios[0].focus(); });
-    fireEvent.keyDown(radios[0], { key: "End" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "End" }); });
     expect(mockSetTheme).toHaveBeenCalledWith("dark");
   });
 
   it("does nothing on unrelated keys", () => {
     render(<ThemeToggle />);
     const radios = screen.getAllByRole("radio");
-    fireEvent.keyDown(radios[0], { key: "Enter" });
+    act(() => { fireEvent.keyDown(radios[0], { key: "Enter" }); });
     expect(mockSetTheme).not.toHaveBeenCalled();
   });
 });

canvas/src/components/canvas/__tests__/DropTargetBadge.test.tsx

@@ -195,47 +195,6 @@ describe("DropTargetBadge — renders ghost slot + badge for valid drag target",
     expect(screen.getByTestId("ghost-slot").style.height).toBe("260px");
   });
 
-  it("ghost has aria-hidden=true (decorative visual affordance)", () => {
-    _getInternalNode.mockReturnValue({
-      internals: { positionAbsolute: { x: 100, y: 200 } },
-      measured: { width: 220, height: 500 },
-    });
-    setFlowMock(({ x, y }: { x: number; y: number }) => {
-      if (x === 210 && y === 200) return { x: 420, y: 400 };
-      if (x === 116 && y === 330) return { x: 232, y: 660 };
-      if (x === 356 && y === 460) return { x: 712, y: 920 };
-      if (x === 100 && y === 200) return { x: 200, y: 400 };
-      if (x === 320 && y === 700) return { x: 640, y: 1400 };
-      return { x: x * 2, y: y * 2 };
-    });
-
-    setStore({
-      dragOverNodeId: "ws-target",
-      nodes: [
-        { id: "ws-target", data: { name: "Target" }, parentId: null, measured: { width: 220, height: 500 } },
-      ],
-    });
-    render(<DropTargetBadge />);
-    const ghost = screen.getByTestId("ghost-slot");
-    expect(ghost.getAttribute("aria-hidden")).toBe("true");
-  });
-
-  it("drop badge has role=status and aria-label including target name", () => {
-    _getInternalNode.mockReturnValue({
-      internals: { positionAbsolute: { x: 100, y: 200 } },
-      measured: { width: 220, height: 120 },
-    });
-    setFlowMock(({ x, y }: { x: number; y: number }) => ({ x: x * 2, y: y * 2 }));
-    setStore({
-      dragOverNodeId: "ws-target",
-      nodes: [{ id: "ws-target", data: { name: "Ops Workspace" }, parentId: null }],
-    });
-    render(<DropTargetBadge />);
-    const badge = screen.getByTestId("drop-badge");
-    expect(badge.getAttribute("role")).toBe("status");
-    expect(badge.getAttribute("aria-label")).toBe("Drop target: Ops Workspace");
-  });
-
   it("ghost is hidden when slot falls entirely outside parent bounds", () => {
     _getInternalNode.mockReturnValue({
       internals: { positionAbsolute: { x: 100, y: 200 } },

canvas/src/components/mobile/MobileCanvas.tsx

@@ -205,7 +205,6 @@ export function MobileCanvas({
           type="button"
           onClick={resetView}
           aria-label="Reset zoom"
-          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
           style={{
             position: "absolute",
             right: 14,
@@ -273,7 +272,6 @@ export function MobileCanvas({
             key={l.agent.id}
             type="button"
             onClick={() => onOpen(l.agent.id)}
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               position: "absolute",
               left: `${l.x}%`,
@@ -378,7 +376,6 @@ export function MobileCanvas({
         type="button"
         onClick={onSpawn}
         aria-label="Spawn new agent"
-        className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
         style={{
           position: "absolute",
           right: 24,

canvas/src/components/mobile/MobileChat.tsx

@@ -6,21 +6,21 @@
 // attachments, no A2A topology overlay, no conversation tracing.
 
 import { useEffect, useMemo, useRef, useState } from "react";
+import ReactMarkdown from "react-markdown";
+import remarkGfm from "remark-gfm";
 
-import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
+import { type ChatAttachment, type ChatMessage, createMessage } from "@/components/tabs/chat/types";
+import {
+  useChatHistory,
+  useChatSend,
+  useChatSocket,
+} from "@/components/tabs/chat/hooks";
 
 import { toMobileAgent } from "./components";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, usePalette } from "./palette";
 import { Icons, StatusDot, TierChip } from "./primitives";
 
-interface ChatMessage {
-  id: string;
-  role: "user" | "agent" | "system";
-  text: string;
-  ts: string;
-}
-
 const formatStoredTimestamp = (iso: string): string => {
   const d = new Date(iso);
   if (isNaN(d.getTime())) return "";
@@ -29,29 +29,171 @@ const formatStoredTimestamp = (iso: string): string => {
 
 type SubTab = "my" | "a2a";
 
-interface A2AResponseShape {
-  result?: {
-    parts?: Array<{ kind?: string; text?: string }>;
-  };
-  error?: { message?: string };
-}
+function MarkdownBubble({
+  children,
+  dark,
+  accent,
+}: {
+  children: string;
+  dark: boolean;
+  accent: string;
+}) {
+  const codeBg = dark ? "rgba(255,255,255,0.08)" : "rgba(0,0,0,0.06)";
+  const codeBlockBg = dark ? "#1a1a1a" : "#f5f5f0";
+  const linkColor = accent;
+  const quoteBorder = dark ? "rgba(255,250,240,0.15)" : "rgba(40,30,20,0.15)";
 
-// Wire shape for GET /workspaces/:id/chat-history (chat_history.go → ChatHistoryResponse).
-interface ApiChatMessage {
-  id: string;
-  role: string; // "user" | "agent" | "system"
-  content: string;
-  timestamp: string;
+  return (
+    <ReactMarkdown
+      remarkPlugins={[remarkGfm]}
+      components={{
+        p: ({ children }) => (
+          <div style={{ margin: "2px 0", lineHeight: "inherit" }}>{children}</div>
+        ),
+        a: ({ href, children }) => (
+          <a
+            href={href}
+            target="_blank"
+            rel="noopener noreferrer"
+            style={{ color: linkColor, textDecoration: "underline" }}
+          >
+            {children}
+          </a>
+        ),
+        pre: ({ children }) => (
+          <pre
+            style={{
+              background: codeBlockBg,
+              padding: "8px 10px",
+              borderRadius: 8,
+              overflow: "auto",
+              fontSize: 12,
+              lineHeight: 1.5,
+              fontFamily: MOBILE_FONT_MONO,
+              margin: "4px 0",
+            }}
+          >
+            {children}
+          </pre>
+        ),
+        code: ({ children, className }) => {
+          const isBlock = className != null && String(className).length > 0;
+          if (isBlock) {
+            return (
+              <code style={{ fontFamily: MOBILE_FONT_MONO, fontSize: 12 }}>
+                {children}
+              </code>
+            );
+          }
+          return (
+            <code
+              style={{
+                background: codeBg,
+                padding: "1px 4px",
+                borderRadius: 4,
+                fontSize: 13,
+                fontFamily: MOBILE_FONT_MONO,
+              }}
+            >
+              {children}
+            </code>
+          );
+        },
+        ul: ({ children }) => (
+          <ul style={{ margin: "4px 0", paddingLeft: 18, listStyle: "disc" }}>
+            {children}
+          </ul>
+        ),
+        ol: ({ children }) => (
+          <ol style={{ margin: "4px 0", paddingLeft: 18, listStyle: "decimal" }}>
+            {children}
+          </ol>
+        ),
+        li: ({ children }) => <li style={{ margin: "2px 0" }}>{children}</li>,
+        strong: ({ children }) => (
+          <strong style={{ fontWeight: 600 }}>{children}</strong>
+        ),
+        em: ({ children }) => <em style={{ fontStyle: "italic" }}>{children}</em>,
+        h1: ({ children }) => (
+          <div style={{ fontSize: 16, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h2: ({ children }) => (
+          <div style={{ fontSize: 15, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h3: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h4: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h5: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h6: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        blockquote: ({ children }) => (
+          <blockquote
+            style={{
+              borderLeft: `2px solid ${quoteBorder}`,
+              margin: "4px 0",
+              paddingLeft: 8,
+              opacity: 0.85,
+            }}
+          >
+            {children}
+          </blockquote>
+        ),
+        hr: () => (
+          <hr
+            style={{
+              border: "none",
+              borderTop: `0.5px solid ${quoteBorder}`,
+              margin: "6px 0",
+            }}
+          />
+        ),
+        table: ({ children }) => (
+          <table
+            style={{
+              borderCollapse: "collapse",
+              fontSize: 13,
+              margin: "4px 0",
+              width: "100%",
+            }}
+          >
+            {children}
+          </table>
+        ),
+        thead: ({ children }) => <thead style={{ fontWeight: 600 }}>{children}</thead>,
+        th: ({ children }) => (
+          <th
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+              textAlign: "left",
+            }}
+          >
+            {children}
+          </th>
+        ),
+        td: ({ children }) => (
+          <td
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+            }}
+          >
+            {children}
+          </td>
+        ),
+      }}
+    >
+      {children}
+    </ReactMarkdown>
+  );
 }
 
-interface ChatHistoryResponse {
-  messages: ApiChatMessage[];
-  reached_end: boolean;
-}
-
-const formatTime = (date: Date) =>
-  date.toLocaleTimeString([], { hour: "numeric", minute: "2-digit" });
-
 export function MobileChat({
   agentId,
   dark,
@@ -62,31 +204,40 @@ export function MobileChat({
   onBack: () => void;
 }) {
   const p = usePalette(dark);
-  // Selecting `nodes` stably avoids the `.find()` anti-pattern that
-  // creates a new return value on every store update (React error #185).
   const nodes = useCanvasStore((s) => s.nodes);
   const node = useMemo(() => nodes.find((n) => n.id === agentId), [nodes, agentId]);
-  // Bootstrap from the canvas store's per-workspace message buffer so the
-  // user sees their prior thread on entry. The store is updated by the
-  // socket → ChatTab flows the desktop runs; on mobile we read from the
-  // same buffer to keep state coherent across viewports.
-  // NOTE: selector returns undefined (stable) — do NOT use ?? [] here,
-  // that creates a new [] reference on every store update when the key is
-  // absent, causing infinite re-render (React error #185).
-  const storedMessages = useCanvasStore((s) => s.agentMessages[agentId]);
-  // Start empty — history is loaded via useEffect below.
-  const [messages, setMessages] = useState<ChatMessage[]>([]);
   const [draft, setDraft] = useState("");
   const [tab, setTab] = useState<SubTab>("my");
-  const [sending, setSending] = useState(false);
-  const [error, setError] = useState<string | null>(null);
-  const [loading, setLoading] = useState(true); // history is loading on mount
-  const [historyError, setHistoryError] = useState<string | null>(null);
   const scrollRef = useRef<HTMLDivElement>(null);
-  // Guard: don't treat the initial store population as a live push.
-  // Set to false after the first render completes.
-  const initDoneRef = useRef(false);
   const composerRef = useRef<HTMLTextAreaElement>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+  const [pendingFiles, setPendingFiles] = useState<File[]>([]);
+
+  const {
+    messages,
+    loading: historyLoading,
+    loadError: historyError,
+    loadInitial,
+    appendMessageDeduped,
+  } = useChatHistory(agentId);
+
+  const {
+    sending,
+    uploading,
+    sendMessage,
+    error: sendError,
+    clearError,
+    releaseSendGuards,
+  } = useChatSend(agentId, {
+    getHistoryMessages: () => messages,
+    onUserMessage: appendMessageDeduped,
+    onAgentMessage: appendMessageDeduped,
+  });
+
+  useChatSocket(agentId, {
+    onAgentMessage: appendMessageDeduped,
+    onSendComplete: releaseSendGuards,
+  });
 
   // Auto-grow the textarea: reset height to 'auto' so the scrollHeight
   // shrinks when the user deletes text, then size to scrollHeight up to
@@ -99,81 +250,26 @@ export function MobileChat({
     el.style.height = `${next}px`;
   }, [draft]);
 
-  // Fetch chat history on mount; keep merging live agentMessages while the
-  // panel is open. InitDoneRef prevents the initial store snapshot from
-  // triggering the live-merge path (the store buffer is populated by
-  // ChatTab on desktop, not on mobile — this effect loads history as the
-  // mobile-native path).
-  useEffect(() => {
-    let cancelled = false;
-
-    const mapApiMessage = (m: ApiChatMessage): ChatMessage => ({
-      id: m.id,
-      role: m.role === "user" ? "user" : "agent",
-      text: m.content,
-      ts: formatStoredTimestamp(m.timestamp),
-    });
-
-    const syncLive = () => {
-      const live = useCanvasStore.getState().agentMessages[agentId] ?? [];
-      if (live.length > 0) {
-        setMessages((prev) => {
-          const existingIds = new Set(prev.map((m) => m.id));
-          const newOnes = live
-            .filter((m) => !existingIds.has(m.id))
-            .map((m) => ({
-              id: m.id,
-              role: "agent" as const,
-              text: m.content,
-              ts: formatStoredTimestamp(m.timestamp),
-            }));
-          return newOnes.length > 0 ? [...prev, ...newOnes] : prev;
-        });
-      }
-    };
-
-    const bootstrap = async (): Promise<(() => void) | undefined> => {
-      setLoading(true);
-      setHistoryError(null);
-      try {
-        const res = await api.get<ChatHistoryResponse>(
-          `/workspaces/${agentId}/chat-history?limit=50`,
-        );
-        if (cancelled) return;
-        const initial = (res.messages ?? []).map(mapApiMessage);
-        setMessages(initial);
-        // Mark init done BEFORE marking loading=false so any store push
-        // that arrives in the same tick is treated as live, not init.
-        initDoneRef.current = true;
-        setLoading(false);
-        // Subscribe to live pushes after init is complete.
-        syncLive();
-        const unsubscribe = useCanvasStore.subscribe(syncLive);
-        return unsubscribe; // returned for cleanup
-      } catch (e) {
-        if (cancelled) return;
-        setHistoryError(e instanceof Error ? e.message : "Failed to load chat history");
-        setLoading(false);
-        initDoneRef.current = true;
-        return undefined;
-      }
-    };
-
-    let maybeUnsubscribe: (() => void) | undefined;
-    bootstrap().then((fn) => { maybeUnsubscribe = fn; });
-
-    return () => {
-      cancelled = true;
-      if (maybeUnsubscribe) maybeUnsubscribe();
-    };
-  }, [agentId]);
-
   useEffect(() => {
     if (scrollRef.current) {
       scrollRef.current.scrollTop = scrollRef.current.scrollHeight;
     }
   }, [messages]);
 
+  // Consume any agent messages that arrived while history was loading.
+  const initialConsumeDoneRef = useRef(false);
+  useEffect(() => {
+    if (historyLoading || initialConsumeDoneRef.current) return;
+    initialConsumeDoneRef.current = true;
+    const consume = useCanvasStore.getState().consumeAgentMessages;
+    const msgs = consume(agentId);
+    for (const m of msgs) {
+      appendMessageDeduped(
+        createMessage("agent", m.content, m.attachments),
+      );
+    }
+  }, [historyLoading, agentId, appendMessageDeduped]);
+
   if (!node) {
     return (
       <div
@@ -195,51 +291,27 @@ export function MobileChat({
   const a = toMobileAgent(node);
   const reachable = a.status === "online" || a.status === "degraded";
 
+  const onFilesPicked = (fileList: FileList | null) => {
+    if (!fileList) return;
+    const picked = Array.from(fileList);
+    setPendingFiles((prev) => {
+      const keyed = new Set(prev.map((f) => `${f.name}:${f.size}`));
+      return [...prev, ...picked.filter((f) => !keyed.has(`${f.name}:${f.size}`))];
+    });
+    if (fileInputRef.current) fileInputRef.current.value = "";
+  };
+
+  const removePendingFile = (index: number) =>
+    setPendingFiles((prev) => prev.filter((_, i) => i !== index));
+
   const send = async () => {
     const text = draft.trim();
-    if (!text || sending || !reachable) return;
+    if ((!text && pendingFiles.length === 0) || sending || !reachable) return;
+    clearError();
     setDraft("");
-    setError(null);
-    setSending(true);
-    const myMsg: ChatMessage = {
-      id: crypto.randomUUID(),
-      role: "user",
-      text,
-      ts: formatTime(new Date()),
-    };
-    setMessages((m) => [...m, myMsg]);
-
-    try {
-      const res = await api.post<A2AResponseShape>(`/workspaces/${agentId}/a2a`, {
-        method: "message/send",
-        params: {
-          message: {
-            role: "user",
-            messageId: crypto.randomUUID(),
-            parts: [{ kind: "text", text }],
-          },
-        },
-      });
-      const reply =
-        res.result?.parts?.find((part) => part.kind === "text")?.text ?? "";
-      if (reply) {
-        setMessages((m) => [
-          ...m,
-          {
-            id: crypto.randomUUID(),
-            role: "agent",
-            text: reply,
-            ts: formatTime(new Date()),
-          },
-        ]);
-      } else if (res.error?.message) {
-        setError(res.error.message);
-      }
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to send");
-    } finally {
-      setSending(false);
-    }
+    const files = pendingFiles;
+    setPendingFiles([]);
+    await sendMessage(text, files);
   };
 
   return (
@@ -267,7 +339,6 @@ export function MobileChat({
             type="button"
             onClick={onBack}
             aria-label="Back"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
@@ -314,7 +385,6 @@ export function MobileChat({
           <button
             type="button"
             aria-label="More"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
@@ -345,7 +415,6 @@ export function MobileChat({
                 key={t.id}
                 type="button"
                 onClick={() => setTab(t.id)}
-                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                 style={{
                   padding: "4px 0 8px",
                   border: "none",
@@ -388,13 +457,12 @@ export function MobileChat({
             Agent Comms — peer-to-peer A2A traffic surfaces in the Comms tab.
           </div>
         )}
-        {tab === "my" && loading && (
+        {tab === "my" && historyLoading && (
           <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
-            <div style={{ marginBottom: 6, opacity: 0.6, animation: "spin 1s linear infinite", display: "inline-block", fontSize: 16 }}>⟳</div>
-            <div>Loading chat history…</div>
+            Loading chat history…
           </div>
         )}
-        {tab === "my" && !loading && historyError && (
+        {tab === "my" && !historyLoading && historyError && messages.length === 0 && (
           <div
             role="alert"
             style={{
@@ -407,29 +475,9 @@ export function MobileChat({
             <div style={{ marginBottom: 8 }}>Could not load chat history.</div>
             <button
               type="button"
-              aria-label="Retry loading chat history"
               onClick={() => {
-                setLoading(true);
-                setHistoryError(null);
-                api.get(`/workspaces/${agentId}/chat-history?limit=50`).then(
-                  (res: unknown) => {
-                    const r = res as ChatHistoryResponse;
-                    setMessages((r.messages ?? []).map((m) => ({
-                      id: m.id,
-                      role: m.role === "user" ? "user" : "agent",
-                      text: m.content,
-                      ts: formatStoredTimestamp(m.timestamp),
-                    })));
-                    setLoading(false);
-                    initDoneRef.current = true;
-                  },
-                ).catch((e: unknown) => {
-                  setHistoryError(e instanceof Error ? e.message : "Failed to load");
-                  setLoading(false);
-                  initDoneRef.current = true;
-                });
+                loadInitial();
               }}
-              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-failed,#ef4444)] focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
               style={{
                 padding: "6px 14px",
                 borderRadius: 14,
@@ -444,7 +492,7 @@ export function MobileChat({
             </button>
           </div>
         )}
-        {tab === "my" && !loading && !historyError && messages.length === 0 && (
+        {tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
           <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
             Send a message to start chatting.
           </div>
@@ -473,7 +521,9 @@ export function MobileChat({
                     overflowWrap: "anywhere",
                   }}
                 >
-                  {m.text}
+                  <MarkdownBubble dark={dark} accent={p.accent}>
+                    {m.content}
+                  </MarkdownBubble>
                   <div
                     style={{
                       fontSize: 10,
@@ -482,13 +532,13 @@ export function MobileChat({
                       fontFamily: MOBILE_FONT_MONO,
                     }}
                   >
-                    {m.ts}
+                    {formatStoredTimestamp(m.timestamp)}
                   </div>
                 </div>
               </div>
             );
           })}
-        {error && (
+        {sendError && (
           <div
             role="alert"
             style={{
@@ -500,7 +550,7 @@ export function MobileChat({
               fontSize: 12,
             }}
           >
-            {error}
+            {sendError}
           </div>
         )}
       </div>
@@ -531,6 +581,60 @@ export function MobileChat({
           backdropFilter: "blur(14px)",
         }}
       >
+        {pendingFiles.length > 0 && (
+          <div
+            style={{
+              display: "flex",
+              flexWrap: "wrap",
+              gap: 6,
+              marginBottom: 8,
+              paddingLeft: 2,
+            }}
+          >
+            {pendingFiles.map((f, i) => (
+              <div
+                key={`${f.name}:${f.size}`}
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: 4,
+                  padding: "3px 8px",
+                  borderRadius: 10,
+                  background: dark ? "#2a2823" : "#ece9e0",
+                  fontSize: 12,
+                  color: p.text2,
+                  maxWidth: "100%",
+                }}
+              >
+                <span
+                  style={{
+                    overflow: "hidden",
+                    textOverflow: "ellipsis",
+                    whiteSpace: "nowrap",
+                  }}
+                >
+                  {f.name}
+                </span>
+                <button
+                  type="button"
+                  onClick={() => removePendingFile(i)}
+                  aria-label={`Remove ${f.name}`}
+                  style={{
+                    border: "none",
+                    background: "transparent",
+                    color: p.text3,
+                    cursor: "pointer",
+                    fontSize: 12,
+                    padding: 0,
+                    lineHeight: 1,
+                  }}
+                >
+                  ✕
+                </button>
+              </div>
+            ))}
+          </div>
+        )}
         <div
           style={{
             display: "flex",
@@ -542,22 +646,32 @@ export function MobileChat({
             padding: "6px 6px 6px 12px",
           }}
         >
+          <input
+            ref={fileInputRef}
+            type="file"
+            multiple
+            style={{ display: "none" }}
+            onChange={(e) => onFilesPicked(e.target.files)}
+            aria-hidden="true"
+          />
           <button
             type="button"
+            onClick={() => fileInputRef.current?.click()}
+            disabled={!reachable || sending || uploading}
             aria-label="Attach"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 32,
               height: 32,
               borderRadius: 999,
               border: "none",
-              cursor: "pointer",
+              cursor: reachable && !sending && !uploading ? "pointer" : "not-allowed",
               background: "transparent",
               color: p.text3,
               flexShrink: 0,
               display: "flex",
               alignItems: "center",
               justifyContent: "center",
+              opacity: !reachable || sending || uploading ? 0.4 : 1,
             }}
           >
             {Icons.attach({ size: 16 })}
@@ -584,7 +698,6 @@ export function MobileChat({
             placeholder={reachable ? "Send a message…" : `Agent is ${a.status}`}
             disabled={!reachable}
             rows={1}
-            className="focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1"
             style={{
               flex: 1,
               border: "none",
@@ -604,29 +717,32 @@ export function MobileChat({
           <button
             type="button"
             onClick={send}
-            disabled={!draft.trim() || !reachable || sending}
+            disabled={(!draft.trim() && pendingFiles.length === 0) || !reachable || sending || uploading}
             aria-label="Send"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 36,
               height: 36,
               borderRadius: 999,
               border: "none",
-              cursor: draft.trim() && !sending ? "pointer" : "not-allowed",
+              cursor: (draft.trim() || pendingFiles.length > 0) && !sending && !uploading ? "pointer" : "not-allowed",
               flexShrink: 0,
               background:
-                draft.trim() && reachable && !sending
+                (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading
                   ? p.accent
                   : dark
                     ? "#2a2823"
                     : "#ece9e0",
-              color: draft.trim() && reachable && !sending ? "#fff" : p.text3,
+              color: (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading ? "#fff" : p.text3,
               display: "flex",
               alignItems: "center",
               justifyContent: "center",
             }}
           >
-            {Icons.send({ size: 16 })}
+            {uploading ? (
+              <span style={{ fontSize: 10, fontWeight: 600 }}>↑</span>
+            ) : (
+              Icons.send({ size: 16 })
+            )}
           </button>
         </div>
       </div>

canvas/src/components/mobile/MobileComms.tsx

@@ -218,7 +218,6 @@ export function MobileComms({ dark }: { dark: boolean }) {
               key={o.id}
               type="button"
               onClick={() => setFilter(o.id)}
-              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
               style={{
                 display: "inline-flex",
                 alignItems: "center",

canvas/src/components/mobile/MobileDetail.tsx

@@ -83,12 +83,11 @@ export function MobileDetail({
             type="button"
             onClick={onBack}
             aria-label="Back"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={iconButtonStyle(p, dark)}
           >
             {Icons.back({ size: 18 })}
           </button>
-          <button type="button" aria-label="More" className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900" style={iconButtonStyle(p, dark)}>
+          <button type="button" aria-label="More" style={iconButtonStyle(p, dark)}>
             {Icons.more({ size: 18 })}
           </button>
         </div>
@@ -184,7 +183,6 @@ export function MobileDetail({
               key={t.id}
               type="button"
               onClick={() => setTab(t.id)}
-              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
               style={{
                 padding: "8px 14px",
                 borderRadius: 999,
@@ -217,7 +215,6 @@ export function MobileDetail({
           type="button"
           onClick={onChat}
           data-testid="mobile-chat-cta"
-          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
           style={{
             width: "100%",
             height: 52,

canvas/src/components/mobile/MobileHome.tsx

@@ -183,7 +183,6 @@ export function MobileHome({
         type="button"
         onClick={onSpawn}
         aria-label="Spawn new agent"
-        className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
         style={{
           position: "absolute",
           right: 24,

canvas/src/components/mobile/MobileMe.tsx

@@ -83,7 +83,6 @@ export function MobileMe({
                   type="button"
                   onClick={() => setAccent(c)}
                   aria-label={`Set accent ${c}`}
-                  className="focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                   style={{
                     width: 36,
                     height: 36,
@@ -174,7 +173,6 @@ function SegmentedRow({
             key={o.id}
             type="button"
             onClick={() => onChange(o.id)}
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               flex: 1,
               padding: "10px 8px",

canvas/src/components/mobile/MobileSpawn.tsx

@@ -148,7 +148,6 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
             type="button"
             onClick={onClose}
             aria-label="Close"
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: 32,
               height: 32,
@@ -211,12 +210,10 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
                   <button
                     key={t.id}
                     type="button"
-                    aria-label={`Select template: ${t.name} (tier ${t.tier})`}
                     onClick={() => {
                       setTplId(t.id);
                       setTier(tCode);
                     }}
-                    className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                     style={{
                       background: on
                         ? dark
@@ -332,10 +329,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
               <button
                 key={t}
                 type="button"
-                aria-label={`Select tier ${t}: ${TIER_LABEL[t]}`}
-                aria-pressed={tier === t}
                 onClick={() => setTier(t)}
-                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                 style={{
                   flex: 1,
                   padding: "10px 8px",
@@ -381,10 +375,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
         <div style={{ padding: "20px 14px max(env(safe-area-inset-bottom), 28px)" }}>
           <button
             type="button"
-            aria-label="Spawn agent"
             onClick={handleSpawn}
             disabled={busy || !tplId || templates.length === 0}
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               width: "100%",
               height: 52,

canvas/src/components/mobile/__tests__/MobileChat.test.tsx

@@ -358,7 +358,7 @@ describe("MobileChat — chat history", () => {
       renderChat(mockAgentId);
     });
     expect(api.get).toHaveBeenCalledWith(
-      `/workspaces/${mockAgentId}/chat-history?limit=50`,
+      expect.stringContaining(`/workspaces/${mockAgentId}/chat-history`),
     );
   });
 

canvas/src/components/mobile/components.tsx

@@ -133,7 +133,6 @@ export function TabBar({
             aria-label={t.label}
             onClick={() => onChange(t.id)}
             onKeyDown={(e) => handleKeyDown(e, idx)}
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               background: "none",
               border: "none",
@@ -292,7 +291,6 @@ export function AgentCard({
       data-testid="workspace-card"
       aria-label={`${agent.name}, status: ${agent.status}, tier ${agent.tier}${agent.remote ? ", remote" : ""}`}
       onClick={onClick}
-      className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
       style={{
         display: "block",
         width: "100%",
@@ -446,7 +444,6 @@ export function FilterChips({
             type="button"
             aria-checked={on}
             onClick={() => onChange(o.id)}
-            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
             style={{
               display: "inline-flex",
               alignItems: "center",

canvas/src/components/tabs/ActivityTab.tsx

@@ -139,7 +139,7 @@ export function ActivityTab({ workspaceId }: Props) {
               key={f.id}
               onClick={() => setFilter(f.id)}
               aria-pressed={filter === f.id}
-              className={`px-2 py-1 text-[11px] rounded-md font-medium transition-all focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 ${
+              className={`px-2 py-1 text-[11px] rounded-md font-medium transition-all ${
                 filter === f.id
                   ? "bg-surface-card text-ink ring-1 ring-zinc-600"
                   : "text-ink-mid hover:text-ink-mid hover:bg-surface-card/60"
@@ -152,7 +152,7 @@ export function ActivityTab({ workspaceId }: Props) {
             <button
               onClick={() => setAutoRefresh(!autoRefresh)}
               aria-pressed={autoRefresh}
-              className={`text-[11px] px-1.5 py-0.5 rounded focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 ${
+              className={`text-[11px] px-1.5 py-0.5 rounded ${
                 autoRefresh ? "text-good bg-emerald-950/30" : "text-ink-mid"
               }`}
               title={autoRefresh ? "Auto-refresh ON" : "Auto-refresh OFF"}
@@ -161,9 +161,8 @@ export function ActivityTab({ workspaceId }: Props) {
             </button>
             <button
               onClick={() => setTraceOpen(true)}
-              aria-label="Full trace"
-              className="px-2 py-1 bg-blue-900/40 hover:bg-blue-800/50 text-[11px] rounded text-accent border border-blue-800/30 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
-              title="View full conversation trace"
+              className="px-2 py-1 bg-blue-900/40 hover:bg-blue-800/50 text-[11px] rounded text-accent border border-blue-800/30"
+              title="View full conversation trace across all workspaces"
             >
               Full Trace
             </button>

canvas/src/components/tabs/ChannelsTab.tsx

@@ -331,9 +331,8 @@ export function ChannelsTab({ workspaceId }: Props) {
                                 </label>
                               ))}
                               <button
-                                aria-label={showManualInput ? "Hide manual input" : "Show manual input"}
                                 onClick={() => setShowManualInput(!showManualInput)}
-                                className="text-[10px] text-accent hover:underline focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+                                className="text-[10px] text-accent hover:underline"
                               >
                                 {showManualInput ? "hide manual input" : "edit manually"}
                               </button>
@@ -409,16 +408,15 @@ export function ChannelsTab({ workspaceId }: Props) {
             </div>
             <div className="flex items-center gap-1.5">
               <button
-                aria-label={testing === ch.id ? "Sent!" : "Test channel"}
                 onClick={() => handleTest(ch)}
                 disabled={testing === ch.id}
-                className="text-[10px] px-2 py-0.5 rounded bg-surface-card/50 text-ink-mid hover:text-ink transition disabled:opacity-50 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+                className="text-[10px] px-2 py-0.5 rounded bg-surface-card/50 text-ink-mid hover:text-ink transition disabled:opacity-50"
               >
                 {testing === ch.id ? "Sent!" : "Test"}
               </button>
               <button
                 onClick={() => handleToggle(ch)}
-                className={`text-[10px] px-2 py-0.5 rounded transition focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 ${
+                className={`text-[10px] px-2 py-0.5 rounded transition ${
                   ch.enabled
                     ? "bg-emerald-900/30 text-good hover:bg-emerald-900/50"
                     : "bg-surface-card/50 text-ink-mid hover:text-ink-mid"
@@ -427,9 +425,8 @@ export function ChannelsTab({ workspaceId }: Props) {
                 {ch.enabled ? "On" : "Off"}
               </button>
               <button
-                aria-label={`Remove ${ch.config.chat_id || ch.config.channel_id || "channel"}`}
                 onClick={() => setPendingDelete(ch)}
-                className="text-[10px] px-2 py-0.5 rounded bg-red-900/20 text-bad hover:bg-red-900/40 transition focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+                className="text-[10px] px-2 py-0.5 rounded bg-red-900/20 text-bad hover:bg-red-900/40 transition"
               >
                 Remove
               </button>

canvas/src/components/tabs/ChatTab.tsx

@@ -383,8 +383,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
                 // ignore — user will see no change and can retry
               }
             }}
-            aria-label="Enable agent chat"
-            className="px-2 py-0.5 text-[10px] font-medium bg-accent/10 hover:bg-accent/20 text-accent rounded border border-accent/30 transition-colors shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+            className="px-2 py-0.5 text-[10px] font-medium bg-accent/10 hover:bg-accent/20 text-accent rounded border border-accent/30 transition-colors shrink-0"
           >
             Enable
           </button>
@@ -404,9 +403,8 @@ function MyChatPanel({ workspaceId, data }: Props) {
               Failed to load chat history: {history.loadError}
             </p>
             <button
-              aria-label="Retry loading chat history"
               onClick={history.loadInitial}
-              className="text-[10px] px-2 py-0.5 rounded bg-red-800 text-red-200 hover:bg-red-700 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+              className="text-[10px] px-2 py-0.5 rounded bg-red-800 text-red-200 hover:bg-red-700 transition-colors"
             >
               Retry
             </button>
@@ -601,9 +599,8 @@ function MyChatPanel({ workspaceId, data }: Props) {
             <span className="text-[10px] text-red-300">{displayError}</span>
             {!isOnline && (
               <button
-                aria-label="Restart workspace"
                 onClick={() => setConfirmRestart(true)}
-                className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+                className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
               >
                 Restart
               </button>
@@ -639,7 +636,7 @@ function MyChatPanel({ workspaceId, data }: Props) {
             disabled={!agentReachable || sending || uploading}
             aria-label="Attach file"
             title="Attach file"
-            className="p-2 bg-surface-card hover:bg-surface-card border border-line rounded-lg text-ink-mid hover:text-ink transition-colors shrink-0 disabled:opacity-40 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+            className="p-2 bg-surface-card hover:bg-surface-card border border-line rounded-lg text-ink-mid hover:text-ink transition-colors shrink-0 disabled:opacity-40"
           >
             <svg width="14" height="14" viewBox="0 0 16 16" fill="none" aria-hidden="true">
               <path d="M11 6.5 7 10.5a2 2 0 1 0 2.8 2.8l4-4a3.5 3.5 0 0 0-5-5l-4.5 4.5a5 5 0 0 0 7 7l4-4" stroke="currentColor" strokeWidth="1.4" strokeLinecap="round" strokeLinejoin="round" />
@@ -677,10 +674,9 @@ function MyChatPanel({ workspaceId, data }: Props) {
             className="flex-1 bg-surface-card border border-line rounded-lg px-3 py-2 text-xs text-ink placeholder-ink-soft dark:bg-zinc-800 dark:border-zinc-600 dark:placeholder-zinc-500 focus:outline-none focus:border-accent focus-visible:ring-2 focus-visible:ring-accent/40 resize-none disabled:opacity-50"
           />
           <button
-            aria-label="Send message"
             onClick={handleSend}
             disabled={(!input.trim() && pendingFiles.length === 0) || !agentReachable || sending || uploading}
-            className="px-4 py-2 bg-accent-strong hover:bg-accent text-xs font-medium rounded-lg text-white disabled:opacity-30 transition-colors shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+            className="px-4 py-2 bg-accent-strong hover:bg-accent text-xs font-medium rounded-lg text-white disabled:opacity-30 transition-colors shrink-0"
           >
             {uploading ? "Uploading…" : "Send"}
           </button>

canvas/src/components/tabs/FilesTab.tsx

@@ -45,54 +45,11 @@ export function FilesTab({ workspaceId, data }: Props) {
   if (data && isExternalLikeRuntime(data.runtime)) {
     return <NotAvailablePanel runtime={data.runtime} />;
   }
-  return <PlatformOwnedFilesTab workspaceId={workspaceId} runtime={data?.runtime} />;
+  return <PlatformOwnedFilesTab workspaceId={workspaceId} />;
 }
 
-/** Picks the initial root for the FilesTab dropdown based on the
- *  workspace's runtime. Decision: per-runtime default (Hongming
- *  2026-05-15, internal#425 Decisions §2).
- *
- *  - openclaw → `/agent-home` (the agent's identity/state — the
- *    user-facing interesting files for that runtime live in
- *    `~/.openclaw/` inside the container, which `/agent-home` maps to
- *    via the Phase 2b docker-exec backend).
- *  - everything else (claude-code, hermes, external-like, undefined)
- *    → `/configs` (the legacy default — managed config that flows
- *    through the per-runtime indirection in
- *    workspace-server/internal/handlers/template_files_eic.go).
- *
- *  When the runtime is undefined (legacy callers that don't thread
- *  `data` through, or a workspace whose runtime field hasn't loaded
- *  yet) the default is `/configs` — matches today's behaviour, no
- *  surprise.
- *
- *  Note on `/agent-home` pre-Phase-2b: the backend short-circuits
- *  with HTTP 501 and the canonical "implementation pending" body.
- *  The tab renders empty + the error banner explains. This is by
- *  design — lets us land the canvas UX before the backend ships,
- *  per the RFC's phased rollout. The 501 is graceful: it doesn't
- *  poison error toasts or generate "workspace not found" noise.
- *
- *  Adding a new runtime that should default to `/agent-home`: add it
- *  to the agentHomeDefaultRuntimes set below. Adding a runtime that
- *  should default to a different root: extend this function. */
-const agentHomeDefaultRuntimes = new Set(["openclaw"]);
-
-function defaultRootForRuntime(runtime: string | undefined): string {
-  if (runtime && agentHomeDefaultRuntimes.has(runtime)) {
-    return "/agent-home";
-  }
-  return "/configs";
-}
-
-function PlatformOwnedFilesTab({
-  workspaceId,
-  runtime,
-}: {
-  workspaceId: string;
-  runtime?: string;
-}) {
-  const [root, setRoot] = useState(() => defaultRootForRuntime(runtime));
+function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
+  const [root, setRoot] = useState("/configs");
   const [selectedFile, setSelectedFile] = useState<string | null>(null);
   const [fileContent, setFileContent] = useState("");
   const [editContent, setEditContent] = useState("");

canvas/src/components/tabs/FilesTab/FileEditor.tsx

@@ -3,22 +3,6 @@
 import { useRef } from "react";
 import { getIcon } from "./tree";
 
-// secretShapeMarker is the canonical body the workspace-server Files
-// API returns when a file's path OR content matched a credential
-// regex (internal#425 RFC, Phase 2b — backed by
-// workspace-server/internal/secrets.ScanBytes). The marker is a
-// fixed prefix so the canvas can detect it without parsing JSON and
-// without round-tripping the matched bytes through the editor (which
-// would defeat the purpose — clipboard, browser history, log
-// surfaces would all see them).
-//
-// Today (Phase 1 / before 2b ships) the backend returns 501 for the
-// only root that uses this path, so the marker is dead code until
-// 2b lands. Wiring it in now keeps the canvas + backend contracts
-// aligned in one PR rather than a follow-up. The constant is
-// importable so a future test can pin the exact string.
-export const SECRET_SHAPE_DENIED_MARKER = "<denied: secret-shape>";
-
 interface Props {
   selectedFile: string | null;
   fileContent: string;
@@ -47,22 +31,6 @@ export function FileEditor({
   const editorRef = useRef<HTMLTextAreaElement>(null);
   const isDirty = editContent !== fileContent;
 
-  // internal#425 Phase 3: detect the secret-shape denial marker and
-  // render a placeholder instead of the editor. The marker comes
-  // from workspace-server Phase 2b (secrets.ScanBytes) which refuses
-  // to surface the file's bytes. We deliberately don't expose
-  // the matched pattern's Name here — the canvas just shows the
-  // generic denial. The Files API log surface has the Pattern.Name
-  // for operators who need to debug a false positive.
-  const isSecretShapeDenied = fileContent === SECRET_SHAPE_DENIED_MARKER;
-
-  // /agent-home is read-only from the canvas (Phase 2b ships read +
-  // delete; Phase-2b-followup may add write). Edits to /configs are
-  // unchanged. Until 2b ships, /agent-home returns 501 so this
-  // read-only gate is also dead code, but wiring it in now keeps
-  // the UI honest the moment 2b lands without a follow-up canvas PR.
-  const isReadOnlyRoot = root !== "/configs";
-
   if (!selectedFile) {
     return (
       <div className="flex-1 flex items-center justify-center">
@@ -88,7 +56,7 @@ export function FileEditor({
           <button
             onClick={onDownload}
             aria-label="Download file"
-            className="text-[10px] text-ink-mid hover:text-ink-mid focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 rounded transition-colors"
+            className="text-[10px] text-ink-mid hover:text-ink-mid"
           >
             ↓
           </button>
@@ -96,7 +64,7 @@ export function FileEditor({
             <button
               onClick={onSave}
               disabled={!isDirty || saving}
-              className="text-[10px] text-accent hover:text-accent disabled:opacity-30 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 rounded transition-colors"
+              className="text-[10px] text-accent hover:text-accent disabled:opacity-30"
             >
               {saving ? "Saving..." : "Save"}
             </button>
@@ -107,42 +75,11 @@ export function FileEditor({
       {/* Editor area */}
       {loadingFile ? (
         <div className="p-4 text-xs text-ink-mid">Loading...</div>
-      ) : isSecretShapeDenied ? (
-        // Files API refused to surface this file's bytes because its
-        // path or content matched a credential regex
-        // (workspace-server/internal/secrets, internal#425 Phase 2b).
-        // We render a placeholder INSTEAD OF the textarea so the
-        // matched bytes never enter the DOM. Clipboard / view-source
-        // / element-inspector all see the placeholder, not the
-        // credential.
-        <div
-          role="region"
-          aria-label="File content denied"
-          className="flex-1 flex items-center justify-center p-6 bg-surface"
-        >
-          <div className="max-w-md text-center space-y-2">
-            <div className="text-2xl opacity-40">🛡️</div>
-            <p className="text-[11px] font-mono text-warm">
-              {SECRET_SHAPE_DENIED_MARKER}
-            </p>
-            <p className="text-[10px] text-ink-mid leading-relaxed">
-              The platform refused to surface this file because its
-              path or content matched a credential-shape pattern.
-              The bytes never left the workspace container.
-            </p>
-            <p className="text-[10px] text-ink-mid leading-relaxed">
-              If this is a false positive (test fixture, docs example,
-              or content that happens to share a credential's shape),
-              rename the file or adjust the content via the workspace
-              terminal so the regex no longer matches, then refresh.
-            </p>
-          </div>
-        </div>
       ) : (
         <textarea
           ref={editorRef}
           value={editContent}
-          readOnly={isReadOnlyRoot}
+          readOnly={root !== "/configs"}
           onChange={(e) => setEditContent(e.target.value)}
           onKeyDown={(e) => {
             if ((e.metaKey || e.ctrlKey) && e.key === "s") {

canvas/src/components/tabs/FilesTab/FilesToolbar.tsx

@@ -38,15 +38,6 @@ export function FilesToolbar({
           <option value="/home">/home</option>
           <option value="/workspace">/workspace</option>
           <option value="/plugins">/plugins</option>
-          {/* internal#425 Phase 1+3: container-internal $HOME root.
-              Backend lands the docker-exec dispatch in Phase 2b. Until
-              then the stub returns 501 with a canonical
-              "implementation pending" message — the dropdown renders
-              the option so the canvas affordance is design-frozen
-              even before the backend ships.
-              Runtime-default selection logic in FilesTab.tsx picks
-              this as the initial value for openclaw workspaces. */}
-          <option value="/agent-home">/agent-home</option>
         </select>
         <span className="text-[10px] text-ink-mid">{fileCount} files</span>
       </div>

canvas/src/components/tabs/FilesTab/__tests__/FileTree.render-a11y.test.tsx

@@ -1,288 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for FileTree — complements FileTreeContextMenu.test.tsx with:
- *   - Empty tree render
- *   - File row: icon, name, selection highlight
- *   - Directory row: folder icon, expand/collapse chevron, loading indicator
- *   - Directory expand/collapse via click
- *   - File select callback
- *   - Delete button: aria-label, stopPropagation
- *   - Drop-target highlight (drag hover)
- *   - Context menu opens on right-click
- *   - Nested tree: recursive rendering
- *   - WCAG: aria-label on all interactive elements
- */
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import { render, screen, fireEvent, createEvent, cleanup } from "@testing-library/react";
-
-// ── Mock FileTreeContextMenu (rendered by FileTree on right-click) ─────────────
-vi.mock("../FileTreeContextMenu", () => ({
-  FileTreeContextMenu: ({ items }: { items: Array<{ id: string; label: string; disabled?: boolean }>; onClose: () => void }) => (
-    <div data-testid="file-context-menu">
-      {items.map((item, i) => (
-        <button key={item.id} data-menu-id={item.id} role="menuitem" disabled={item.disabled}>
-          {item.label}
-        </button>
-      ))}
-    </div>
-  ),
-}));
-
-// ── Import component + types AFTER mocks ────────────────────────────────────────
-import { FileTree } from "../FileTree";
-import type { TreeNode } from "../tree";
-
-afterEach(() => {
-  cleanup();
-  vi.clearAllMocks();
-});
-
-// ── Test helpers ───────────────────────────────────────────────────────────────
-const makeNode = (
-  name: string,
-  opts: Partial<{
-    isDir: boolean;
-    path: string;
-    children: TreeNode[];
-  }>
-): TreeNode => ({
-  name,
-  path: opts.path ?? `/${name}`,
-  isDir: opts.isDir ?? false,
-  children: opts.children ?? [],
-  size: 0,
-});
-
-const EMPTY_CALLBACKS = {
-  selectedPath: null as string | null,
-  onSelect: vi.fn(),
-  onDelete: vi.fn(),
-  onDownload: vi.fn(),
-  canDelete: true,
-  expandedDirs: new Set<string>(),
-  onToggleDir: vi.fn(),
-  loadingDir: null as string | null,
-};
-
-describe("FileTree — empty render", () => {
-  it("renders nothing when nodes is an empty array", () => {
-    render(<FileTree nodes={[]} {...EMPTY_CALLBACKS} />);
-    expect(document.body.textContent).toBe("");
-  });
-});
-
-describe("FileTree — file row", () => {
-  it("renders a file row with the file name", () => {
-    const file = makeNode("config.yaml", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} />);
-    expect(screen.getByText("config.yaml")).toBeTruthy();
-  });
-
-  it("renders file icon via getIcon (📜 for .yaml)", () => {
-    const file = makeNode("README.md", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} />);
-    // Icon is a span with the emoji
-    const icon = document.querySelector('[class*="gap-1"] span');
-    expect(icon?.textContent).toBeTruthy();
-  });
-
-  it("file row has aria-label on the delete button", () => {
-    const file = makeNode("script.py", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} />);
-    const delBtn = document.querySelector('button[aria-label="Delete script.py"]');
-    expect(delBtn).toBeTruthy();
-  });
-
-  it("clicking a file row calls onSelect with the file path", () => {
-    const onSelect = vi.fn();
-    const file = makeNode("app.ts", { path: "/src/app.ts", isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} selectedPath={null} onSelect={onSelect} />);
-    fireEvent.click(screen.getByText("app.ts"));
-    expect(onSelect).toHaveBeenCalledWith("/src/app.ts");
-  });
-
-  it("selected file has different background class than unselected", () => {
-    const file = makeNode("main.py", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} selectedPath="/main.py" />);
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    expect(row).toBeTruthy();
-    // bg-blue-900/30 is applied when selected
-    expect(row.className).toContain("bg-blue-900/30");
-  });
-
-  it("clicking the delete button calls onDelete (stops propagation)", () => {
-    const onSelect = vi.fn();
-    const onDelete = vi.fn();
-    const file = makeNode("temp.txt", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} onSelect={onSelect} onDelete={onDelete} />);
-    const delBtn = screen.getByRole("button", { name: /Delete temp\.txt/i });
-    fireEvent.click(delBtn);
-    expect(onDelete).toHaveBeenCalledWith("/temp.txt");
-    // onSelect should NOT be called (stopPropagation)
-    expect(onSelect).not.toHaveBeenCalled();
-  });
-});
-
-describe("FileTree — directory row", () => {
-  it("renders a directory row with 📁 icon and directory name", () => {
-    const dir = makeNode("src", { isDir: true, path: "/src" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} />);
-    expect(screen.getByText("src")).toBeTruthy();
-    expect(screen.getByText("📁")).toBeTruthy();
-  });
-
-  it("directory shows ▶ chevron when collapsed", () => {
-    const dir = makeNode("lib", { isDir: true, path: "/lib" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set()} />);
-    // collapsed → ▶
-    expect(screen.getByText("▶")).toBeTruthy();
-  });
-
-  it("directory shows ▼ chevron when expanded", () => {
-    const dir = makeNode("lib", { isDir: true, path: "/lib" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set(["/lib"])} />);
-    expect(screen.getByText("▼")).toBeTruthy();
-  });
-
-  it("directory shows … (loading indicator) when loadingDir matches", () => {
-    const dir = makeNode("pkg", { isDir: true, path: "/pkg" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} loadingDir="/pkg" expandedDirs={new Set(["/pkg"])} />);
-    expect(screen.getByText("…")).toBeTruthy();
-    // Chevron is replaced by loading indicator
-    expect(screen.queryByText("▼")).toBeNull();
-  });
-
-  it("clicking a collapsed directory calls onToggleDir", () => {
-    const onToggleDir = vi.fn();
-    const dir = makeNode("docs", { isDir: true, path: "/docs" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set()} onToggleDir={onToggleDir} />);
-    fireEvent.click(screen.getByText("docs"));
-    expect(onToggleDir).toHaveBeenCalledWith("/docs");
-  });
-
-  it("clicking an expanded directory calls onToggleDir to collapse", () => {
-    const onToggleDir = vi.fn();
-    const dir = makeNode("docs", { isDir: true, path: "/docs" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set(["/docs"])} onToggleDir={onToggleDir} />);
-    fireEvent.click(screen.getByText("docs"));
-    expect(onToggleDir).toHaveBeenCalledWith("/docs");
-  });
-
-  it("expanded directory renders its children recursively", () => {
-    const childFile = makeNode("index.ts", { isDir: false, path: "/src/index.ts" });
-    const dir = makeNode("src", { isDir: true, path: "/src", children: [childFile] });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set(["/src"])} />);
-    expect(screen.getByText("index.ts")).toBeTruthy();
-  });
-
-  it("collapsed directory does NOT render its children", () => {
-    const childFile = makeNode("inner.ts", { isDir: false, path: "/outer/inner.ts" });
-    const dir = makeNode("outer", { isDir: true, path: "/outer", children: [childFile] });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} expandedDirs={new Set()} />);
-    expect(screen.queryByText("inner.ts")).toBeNull();
-  });
-
-  it("directory delete button calls onDelete", () => {
-    const onDelete = vi.fn();
-    const dir = makeNode("cache", { isDir: true, path: "/cache" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} onDelete={onDelete} />);
-    const delBtn = screen.getByRole("button", { name: /Delete cache/i });
-    fireEvent.click(delBtn);
-    expect(onDelete).toHaveBeenCalledWith("/cache");
-  });
-
-  it("directory delete button in context menu is disabled when canDelete=false", () => {
-    const dir = makeNode("locked", { isDir: true, path: "/locked" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} canDelete={false} />);
-    // Right-click to open context menu
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    fireEvent.contextMenu(row);
-    // Query inside the context menu — use role=menuitem (real component uses this)
-    // and verify the disabled attribute (vitest-compatible, no jest-dom needed)
-    const ctxMenu = screen.getByTestId("file-context-menu");
-    const delBtn = ctxMenu.querySelector('button[role="menuitem"]') as HTMLButtonElement | null;
-    expect(delBtn).not.toBeNull();
-    expect(delBtn!.disabled).toBe(true);
-  });
-});
-
-describe("FileTree — context menu", () => {
-  it("right-clicking a file opens the context menu", () => {
-    const file = makeNode("data.json", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} />);
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    fireEvent.contextMenu(row);
-    expect(screen.getByTestId("file-context-menu")).toBeTruthy();
-  });
-
-  it("context menu shows 'Open' and 'Download' for a file", () => {
-    const file = makeNode("report.csv", { isDir: false });
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} />);
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    fireEvent.contextMenu(row);
-    expect(screen.getByText("Open")).toBeTruthy();
-    expect(screen.getByText("Download")).toBeTruthy();
-  });
-
-  it("context menu shows only 'Delete' for a directory (no Open/Download)", () => {
-    const dir = makeNode("logs", { isDir: true, path: "/logs" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} />);
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    fireEvent.contextMenu(row);
-    expect(screen.getByText("Delete")).toBeTruthy();
-    expect(screen.queryByText("Open")).toBeNull();
-    expect(screen.queryByText("Download")).toBeNull();
-  });
-});
-
-describe("FileTree — drag-drop target highlight (PR-D)", () => {
-  it("directory row handles dragOver without crashing", () => {
-    const onDropToTarget = vi.fn();
-    const dir = makeNode("dropdir", { isDir: true, path: "/dropdir" });
-    render(<FileTree nodes={[dir]} {...EMPTY_CALLBACKS} onDropToTarget={onDropToTarget} expandedDirs={new Set()} />);
-    const row = document.querySelector('[class*="cursor-pointer"]') as HTMLElement;
-    expect(row).toBeTruthy();
-    // jsdom's DragEvent is not available; use RTL's createEvent + dispatchEvent
-    // and stub dataTransfer so the handler's e.dataTransfer.dropEffect = "copy"
-    // assignment inside FileTree doesn't throw.
-    const dragOverEvent = createEvent.dragOver(row);
-    Object.defineProperty(dragOverEvent, "dataTransfer", {
-      value: { dropEffect: "none" },
-    });
-    row.dispatchEvent(dragOverEvent);
-    // Component should still show the node without crashing.
-    expect(screen.queryByText("dropdir")).toBeTruthy();
-  });
-
-  it("non-directory rows do not crash when onDropToTarget is provided", () => {
-    const onDropToTarget = vi.fn();
-    const file = makeNode("data.csv", { isDir: false, path: "/data.csv" });
-    // Should render without error even with onDropToTarget (files ignore it)
-    render(<FileTree nodes={[file]} {...EMPTY_CALLBACKS} onDropToTarget={onDropToTarget} expandedDirs={new Set()} />);
-    expect(screen.getByText("data.csv")).toBeTruthy();
-  });
-});
-
-describe("FileTree — nested tree", () => {
-  it("three-level deep tree renders all three levels", () => {
-    const level3 = makeNode("deep.ts", { isDir: false, path: "/a/b/c/deep.ts" });
-    const level2 = makeNode("b", { isDir: true, path: "/a/b", children: [level3] });
-    const level1 = makeNode("a", { isDir: true, path: "/a", children: [level2] });
-    render(<FileTree nodes={[level1]} {...EMPTY_CALLBACKS} expandedDirs={new Set(["/a", "/a/b"])} />);
-    expect(screen.getByText("a")).toBeTruthy();
-    expect(screen.getByText("b")).toBeTruthy();
-    expect(screen.getByText("deep.ts")).toBeTruthy();
-  });
-
-  it("only renders expanded paths — /a expanded but /a/b collapsed hides level 3", () => {
-    const level3 = makeNode("secret.ts", { isDir: false, path: "/a/b/secret.ts" });
-    const level2 = makeNode("b", { isDir: true, path: "/a/b", children: [level3] });
-    const level1 = makeNode("a", { isDir: true, path: "/a", children: [level2] });
-    render(<FileTree nodes={[level1]} {...EMPTY_CALLBACKS} expandedDirs={new Set(["/a"])} />);
-    // "a" is expanded: shows name + "b" as a collapsed child
-    expect(screen.getByText("a")).toBeTruthy();
-    expect(screen.getByText("▶")).toBeTruthy(); // "b" is collapsed (▶ not ▼)
-    // "secret.ts" is NOT rendered because /a/b is not expanded
-    expect(screen.queryByText("secret.ts")).toBeNull();
-  });
-});

canvas/src/components/tabs/FilesTab/__tests__/agentHome.test.tsx

@@ -1,181 +0,0 @@
-// @vitest-environment jsdom
-/**
- * Tests for the /agent-home root selector + per-runtime default-root
- * + secret-shape denial placeholder (internal#425 Phase 3).
- *
- * Separate file so the diff is reviewable as a unit and the existing
- * FilesToolbar / FileEditor / FilesTab tests don't have to grow
- * agent-home-specific cases. Once Phase 2b lands, the read-only +
- * 501-stub assertions here can be tightened (or moved into the main
- * test file as the agent-home root becomes a first-class affordance).
- */
-import React from "react";
-import { render, screen, cleanup } from "@testing-library/react";
-import { afterEach, describe, expect, it, vi } from "vitest";
-
-import { FilesToolbar } from "../FilesToolbar";
-import {
-  FileEditor,
-  SECRET_SHAPE_DENIED_MARKER,
-} from "../FileEditor";
-
-afterEach(cleanup);
-
-describe("internal#425 Phase 3 — /agent-home root selector", () => {
-  it("dropdown includes /agent-home as an option", () => {
-    // Pins the affordance is in the DOM even pre-Phase-2b — the
-    // canvas design freezes today, the backend lands the dispatch
-    // later. Without this, a future refactor that drops the option
-    // would silently regress the RFC's Phase 1 contract (canvas
-    // visibility) without breaking any other test.
-    render(
-      <FilesToolbar
-        root="/configs"
-        setRoot={vi.fn()}
-        fileCount={0}
-        onNewFile={vi.fn()}
-        onUpload={vi.fn()}
-        onDownloadAll={vi.fn()}
-        onClearAll={vi.fn()}
-        onRefresh={vi.fn()}
-      />,
-    );
-    const select = screen.getByRole("combobox", {
-      name: /file root directory/i,
-    }) as HTMLSelectElement;
-    const values = Array.from(select.options).map((o) => o.value);
-    expect(values).toContain("/agent-home");
-  });
-
-  it("dropdown shows /agent-home as the SELECTED root when prop is /agent-home", () => {
-    render(
-      <FilesToolbar
-        root="/agent-home"
-        setRoot={vi.fn()}
-        fileCount={0}
-        onNewFile={vi.fn()}
-        onUpload={vi.fn()}
-        onDownloadAll={vi.fn()}
-        onClearAll={vi.fn()}
-        onRefresh={vi.fn()}
-      />,
-    );
-    const select = screen.getByRole("combobox", {
-      name: /file root directory/i,
-    }) as HTMLSelectElement;
-    expect(select.value).toBe("/agent-home");
-  });
-});
-
-describe("internal#425 Phase 3 — secret-shape denial placeholder", () => {
-  // Files API Phase 2b returns SECRET_SHAPE_DENIED_MARKER as the file
-  // body when the file's path or content matched a credential regex.
-  // The editor MUST render the marker as a placeholder, not pump it
-  // through the textarea — that would put the marker (and any future
-  // matched bytes if the backend contract changes) into the DOM
-  // value, clipboard, and inspector.
-
-  it("renders the denial placeholder INSTEAD of the textarea when fileContent is the marker", () => {
-    render(
-      <FileEditor
-        selectedFile="agent/.openclaw/secrets.env"
-        fileContent={SECRET_SHAPE_DENIED_MARKER}
-        editContent={SECRET_SHAPE_DENIED_MARKER}
-        setEditContent={vi.fn()}
-        loadingFile={false}
-        saving={false}
-        success={null}
-        root="/agent-home"
-        onSave={vi.fn()}
-        onDownload={vi.fn()}
-      />,
-    );
-    // Placeholder region present
-    expect(
-      screen.getByRole("region", { name: /file content denied/i }),
-    ).toBeTruthy();
-    // Marker text visible (so a debugging operator sees the canonical
-    // contract string without having to dig into the source).
-    expect(screen.getByText(SECRET_SHAPE_DENIED_MARKER)).toBeTruthy();
-    // Critically: NO textarea — the bytes never reach a controlled
-    // input. A regression that re-introduces the textarea path would
-    // make the matched marker (and any future content) selectable +
-    // copyable.
-    expect(screen.queryByRole("textbox")).toBeNull();
-  });
-
-  it("renders the textarea normally when fileContent is regular content", () => {
-    render(
-      <FileEditor
-        selectedFile="config.yaml"
-        fileContent="name: openclaw\n"
-        editContent="name: openclaw\n"
-        setEditContent={vi.fn()}
-        loadingFile={false}
-        saving={false}
-        success={null}
-        root="/configs"
-        onSave={vi.fn()}
-        onDownload={vi.fn()}
-      />,
-    );
-    expect(screen.getByRole("textbox")).toBeTruthy();
-    expect(screen.queryByRole("region", { name: /file content denied/i }))
-      .toBeNull();
-  });
-
-  it("/agent-home renders textarea READ-ONLY for non-denied content", () => {
-    // Phase 2b ships read + delete on /agent-home; write semantics
-    // are decided later. Until then, the canvas presents the editor
-    // as read-only so a user can't type into a buffer that the
-    // backend will refuse to PUT. Without this gate, the user would
-    // edit, hit Save, get a 501, and lose their context for why.
-    render(
-      <FileEditor
-        selectedFile=".openclaw/agent-card.json"
-        fileContent='{"name":"openclaw"}'
-        editContent='{"name":"openclaw"}'
-        setEditContent={vi.fn()}
-        loadingFile={false}
-        saving={false}
-        success={null}
-        root="/agent-home"
-        onSave={vi.fn()}
-        onDownload={vi.fn()}
-      />,
-    );
-    const textarea = screen.getByRole("textbox") as HTMLTextAreaElement;
-    expect(textarea.readOnly).toBe(true);
-  });
-
-  it("/configs renders textarea WRITABLE (regression guard for the read-only gate)", () => {
-    render(
-      <FileEditor
-        selectedFile="config.yaml"
-        fileContent="name: x\n"
-        editContent="name: x\n"
-        setEditContent={vi.fn()}
-        loadingFile={false}
-        saving={false}
-        success={null}
-        root="/configs"
-        onSave={vi.fn()}
-        onDownload={vi.fn()}
-      />,
-    );
-    const textarea = screen.getByRole("textbox") as HTMLTextAreaElement;
-    expect(textarea.readOnly).toBe(false);
-  });
-});
-
-describe("internal#425 Phase 3 — marker constant is the canonical string", () => {
-  // The marker string is part of the canvas <-> workspace-server
-  // contract. The workspace-server emits this exact body; the canvas
-  // detects it by exact-equality. A typo on either side would
-  // silently break detection — the canvas would render the literal
-  // string in the textarea instead of the placeholder. Pin the
-  // contract value here.
-  it("matches the contract value '<denied: secret-shape>'", () => {
-    expect(SECRET_SHAPE_DENIED_MARKER).toBe("<denied: secret-shape>");
-  });
-});

canvas/src/components/tabs/SkillsTab.tsx

@@ -325,7 +325,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
           </div>
           <button
             onClick={() => setShowRegistry(true)}
-            className="rounded-full border border-violet-700/50 bg-violet-950/30 px-3 py-0.5 text-[10px] text-violet-200 hover:bg-violet-900/40 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-violet-400"
+            className="rounded-full border border-violet-700/50 bg-violet-950/30 px-3 py-0.5 text-[10px] text-violet-200 hover:bg-violet-900/40 transition-colors"
             aria-expanded="false"
             aria-controls="plugins-section"
           >
@@ -349,7 +349,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
           </div>
           <button
             onClick={() => setShowRegistry(!showRegistry)}
-            className="rounded-full border border-violet-700/50 bg-violet-950/30 px-3 py-1 text-[10px] text-violet-200 hover:bg-violet-900/40 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-violet-400"
+            className="rounded-full border border-violet-700/50 bg-violet-950/30 px-3 py-1 text-[10px] text-violet-200 hover:bg-violet-900/40 transition-colors"
             aria-expanded={showRegistry}
             aria-controls="plugins-registry"
           >
@@ -401,7 +401,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
                   <button
                     onClick={() => handleUninstall(p.name)}
                     disabled={uninstalling === p.name}
-                    className="shrink-0 rounded-full border border-red-800/40 bg-red-950/20 px-2 py-0.5 text-[11px] text-bad hover:bg-red-900/30 disabled:opacity-30 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+                    className="shrink-0 rounded-full border border-red-800/40 bg-red-950/20 px-2 py-0.5 text-[11px] text-bad hover:bg-red-900/30 disabled:opacity-30"
                   >
                     {uninstalling === p.name ? "..." : "Remove"}
                   </button>
@@ -449,7 +449,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
                 <button
                   onClick={handleInstallCustom}
                   disabled={!customSource.trim() || installing !== null}
-                  className="shrink-0 rounded-full border border-violet-700/50 bg-violet-950/30 px-2.5 py-1 text-[11px] text-violet-300 hover:bg-violet-900/40 disabled:opacity-30 focus:outline-none focus-visible:ring-2 focus-visible:ring-violet-400"
+                  className="shrink-0 rounded-full border border-violet-700/50 bg-violet-950/30 px-2.5 py-1 text-[11px] text-violet-300 hover:bg-violet-900/40 disabled:opacity-30"
                 >
                   {installing === customSource.trim() ? "Installing..." : "Install"}
                 </button>
@@ -538,7 +538,7 @@ export function SkillsTab({ workspaceId, data }: Props) {
                         <button
                           onClick={() => handleInstall(p.name)}
                           disabled={installing === p.name}
-                          className="shrink-0 rounded-full border border-violet-700/50 bg-violet-950/30 px-2.5 py-0.5 text-[11px] text-violet-300 hover:bg-violet-900/40 disabled:opacity-30 focus:outline-none focus-visible:ring-2 focus-visible:ring-violet-400"
+                          className="shrink-0 rounded-full border border-violet-700/50 bg-violet-950/30 px-2.5 py-0.5 text-[11px] text-violet-300 hover:bg-violet-900/40 disabled:opacity-30"
                         >
                           {installing === p.name ? "Installing..." : "Install"}
                         </button>
@@ -570,13 +570,13 @@ export function SkillsTab({ workspaceId, data }: Props) {
         <div className="mt-3 flex flex-wrap gap-2">
           <button
             onClick={() => setPanelTab("config")}
-            className="rounded-full border border-line bg-surface px-3 py-1 text-[10px] text-ink-mid hover:bg-surface-sunken focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+            className="rounded-full border border-line bg-surface px-3 py-1 text-[10px] text-ink-mid hover:bg-surface-sunken"
           >
             Open Config
           </button>
           <button
             onClick={() => setPanelTab("files")}
-            className="rounded-full border border-line bg-surface px-3 py-1 text-[10px] text-ink-mid hover:bg-surface-sunken focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+            className="rounded-full border border-line bg-surface px-3 py-1 text-[10px] text-ink-mid hover:bg-surface-sunken"
           >
             Open Files
           </button>

canvas/src/components/tabs/chat/AgentCommsPanel.tsx

@@ -405,7 +405,7 @@ export function AgentCommsPanel({ workspaceId }: { workspaceId: string }) {
         </p>
         <button
           onClick={loadInitial}
-          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors"
         >
           Retry
         </button>
@@ -610,7 +610,7 @@ function PeerTabButton({
       aria-selected={active}
       tabIndex={active ? 0 : -1}
       onClick={onClick}
-      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap focus:outline-none focus-visible:ring-2 focus-visible:ring-cyan-400 ${
+      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap ${
         active
           ? "border-b-2 border-cyan-500 text-cyan-200"
           : "border-b-2 border-transparent text-ink-mid hover:text-ink-mid"

canvas/src/components/tabs/chat/AttachmentViews.tsx

@@ -33,7 +33,7 @@ export function PendingAttachmentPill({
       <button
         onClick={onRemove}
         aria-label={`Remove ${file.name}`}
-        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40"
+        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0"
       >
         <svg width="10" height="10" viewBox="0 0 16 16" fill="none" aria-hidden="true">
           <path d="M4 4l8 8M12 4l-8 8" stroke="currentColor" strokeWidth="1.6" strokeLinecap="round" />
@@ -63,7 +63,7 @@ export function AttachmentChip({
     <button
       onClick={() => onDownload(attachment)}
       title={`Download ${attachment.name}`}
-      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full focus:outline-none focus-visible:ring-2 focus-visible:ring-accent/40 ${toneClasses}`}
+      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full ${toneClasses}`}
     >
       <FileGlyph className="shrink-0 opacity-70" />
       <span className="truncate">{attachment.name}</span>

canvas/src/store/__tests__/canvas-events.test.ts

@@ -53,10 +53,9 @@ function makeStore(
   edges: Edge[] = [],
   selectedNodeId: string | null = null,
   agentMessages: Record<string, Array<{ id: string; content: string; timestamp: string }>> = {},
-  liveAnnouncement = "",
-  broadcastMessages: Array<{ id: string; sender: string; senderId: string; message: string; timestamp: string }> = []
+  liveAnnouncement = ""
 ) {
-  const state = { nodes, edges, selectedNodeId, agentMessages, liveAnnouncement, broadcastMessages };
+  const state = { nodes, edges, selectedNodeId, agentMessages, liveAnnouncement };
   const get = () => state;
   const set = vi.fn((partial: Record<string, unknown>) => {
     Object.assign(state, partial);
@@ -1014,149 +1013,3 @@ describe("handleCanvasEvent – liveAnnouncement", () => {
     expect(state.liveAnnouncement ?? "").toBe("");
   });
 });
-
-// ---------------------------------------------------------------------------
-// BROADCAST_MESSAGE
-//
-// Verifies that incoming org-wide broadcast WebSocket events are captured
-// in the store's broadcastMessages array and announced via liveAnnouncement
-// for screen readers. The Go platform already HTML-escaped the content at
-// broadcast time (OFFSEC-015 fix), so the handler renders it as-is.
-// ---------------------------------------------------------------------------
-
-describe("handleCanvasEvent – BROADCAST_MESSAGE", () => {
-  it("appends a broadcast message to broadcastMessages with correct fields", () => {
-    const { get, set, state } = makeStore();
-
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-sender",
-        payload: {
-          sender_id: "ws-ops",
-          sender: "Ops Agent",
-          message: "All systems go — deploy in 5 minutes",
-        },
-      }),
-      get,
-      set
-    );
-
-    expect(set).toHaveBeenCalledOnce();
-    const next = set.mock.calls[0][0] as { broadcastMessages: typeof state.broadcastMessages };
-    expect(next.broadcastMessages).toHaveLength(1);
-    expect(next.broadcastMessages[0].senderId).toBe("ws-ops");
-    expect(next.broadcastMessages[0].sender).toBe("Ops Agent");
-    expect(next.broadcastMessages[0].message).toBe("All systems go — deploy in 5 minutes");
-    expect(next.broadcastMessages[0].id).toBeTruthy(); // crypto.randomUUID() called
-    expect(next.broadcastMessages[0].timestamp).toBeTruthy();
-  });
-
-  it("sets liveAnnouncement with sender and truncated message", () => {
-    const { get, set } = makeStore();
-
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-sender",
-        payload: {
-          sender_id: "ws-ops",
-          sender: "Ops Agent",
-          message: "Deploy starting now",
-        },
-      }),
-      get,
-      set
-    );
-
-    const next = set.mock.calls[0][0] as { liveAnnouncement: string };
-    expect(next.liveAnnouncement).toBe("Broadcast from Ops Agent: Deploy starting now");
-  });
-
-  it("renders sender name as truncated ID when sender field is absent", () => {
-    const { get, set, state } = makeStore();
-
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-sender",
-        payload: {
-          sender_id: "ws-ops",
-          message: "Deploy starting now",
-        },
-      }),
-      get,
-      set
-    );
-
-    const next = set.mock.calls[0][0] as { broadcastMessages: typeof state.broadcastMessages };
-    expect(next.broadcastMessages[0].sender).toBe("ws-ops".slice(0, 8)); // fallback: first 8 chars of ID
-  });
-
-  it("is a no-op when message is empty string", () => {
-    const { get, set } = makeStore();
-
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-sender",
-        payload: { sender_id: "ws-ops", sender: "Ops Agent", message: "" },
-      }),
-      get,
-      set
-    );
-
-    expect(set).not.toHaveBeenCalled();
-  });
-
-  it("appends to existing broadcastMessages without replacing them", () => {
-    const { get, set, state } = makeStore([], [], null, {}, "", [
-      {
-        id: "existing-1",
-        senderId: "ws-old",
-        sender: "Old Agent",
-        message: "Previous broadcast",
-        timestamp: "2026-05-14T12:00:00Z",
-      },
-    ]);
-
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-sender",
-        payload: { sender_id: "ws-ops", sender: "Ops Agent", message: "New broadcast" },
-      }),
-      get,
-      set
-    );
-
-    const next = set.mock.calls[0][0] as { broadcastMessages: typeof state.broadcastMessages };
-    expect(next.broadcastMessages).toHaveLength(2);
-    expect(next.broadcastMessages[0].id).toBe("existing-1");
-    expect(next.broadcastMessages[1].message).toBe("New broadcast");
-  });
-
-  it("handles XSS-like content safely (content is pre-escaped by Go platform)", () => {
-    const { get, set, state } = makeStore();
-
-    // The Go platform applied html.EscapeString before sending, so the handler
-    // receives literal strings, not raw HTML. This test verifies no panic and
-    // correct storage.
-    handleCanvasEvent(
-      makeMsg({
-        event: "BROADCAST_MESSAGE",
-        workspace_id: "ws-evil",
-        payload: {
-          sender_id: "ws-evil",
-          sender: "Evil Sender",
-          message: "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;",
-        },
-      }),
-      get,
-      set
-    );
-
-    const next = set.mock.calls[0][0] as { broadcastMessages: typeof state.broadcastMessages };
-    expect(next.broadcastMessages[0].message).toBe("&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;");
-  });
-});

canvas/src/store/__tests__/canvas.test.ts

@@ -1224,45 +1224,3 @@ describe("moveNode", () => {
     });
   });
 });
-
-describe("useCanvasStore – broadcastMessages", () => {
-  beforeEach(() => {
-    useCanvasStore.setState({ broadcastMessages: [] });
-  });
-
-  it("consumeBroadcastMessages returns and clears all messages", () => {
-    useCanvasStore.setState({
-      broadcastMessages: [
-        { id: "m1", senderId: "ws-1", sender: "Agent 1", message: "Hello", timestamp: "2026-05-16T00:00:00Z" },
-        { id: "m2", senderId: "ws-2", sender: "Agent 2", message: "World", timestamp: "2026-05-16T00:01:00Z" },
-      ],
-    });
-    const consumed = useCanvasStore.getState().consumeBroadcastMessages();
-    expect(consumed).toHaveLength(2);
-    expect(useCanvasStore.getState().broadcastMessages).toHaveLength(0);
-  });
-
-  it("dismissBroadcastMessage removes the targeted message only", () => {
-    useCanvasStore.setState({
-      broadcastMessages: [
-        { id: "m1", senderId: "ws-1", sender: "Agent 1", message: "Hello", timestamp: "2026-05-16T00:00:00Z" },
-        { id: "m2", senderId: "ws-2", sender: "Agent 2", message: "World", timestamp: "2026-05-16T00:01:00Z" },
-        { id: "m3", senderId: "ws-3", sender: "Agent 3", message: "Bye", timestamp: "2026-05-16T00:02:00Z" },
-      ],
-    });
-    useCanvasStore.getState().dismissBroadcastMessage("m2");
-    const remaining = useCanvasStore.getState().broadcastMessages;
-    expect(remaining).toHaveLength(2);
-    expect(remaining.map((m) => m.id)).toEqual(["m1", "m3"]);
-  });
-
-  it("dismissBroadcastMessage is idempotent for unknown IDs", () => {
-    useCanvasStore.setState({
-      broadcastMessages: [
-        { id: "m1", senderId: "ws-1", sender: "Agent 1", message: "Hello", timestamp: "2026-05-16T00:00:00Z" },
-      ],
-    });
-    expect(() => useCanvasStore.getState().dismissBroadcastMessage("nonexistent")).not.toThrow();
-    expect(useCanvasStore.getState().broadcastMessages).toHaveLength(1);
-  });
-});

canvas/src/store/canvas-events.ts

@@ -72,7 +72,6 @@ export function handleCanvasEvent(
     edges: Edge[];
     selectedNodeId: string | null;
     agentMessages: Record<string, Array<{ id: string; content: string; timestamp: string; attachments?: Array<{ name: string; uri: string; mimeType?: string; size?: number }> }>>;
-    broadcastMessages: Array<{ id: string; sender: string; senderId: string; message: string; timestamp: string }>;
   },
   set: (partial: Record<string, unknown>) => void,
 ): void {
@@ -516,34 +515,6 @@ export function handleCanvasEvent(
       break;
     }
 
-    case "BROADCAST_MESSAGE": {
-      // An agent workspace sent an org-wide broadcast. Display it as a
-      // dismissible banner so the user is always aware of org-wide signals
-      // even when no workspace is selected. The Go platform already HTML-
-      // escaped the content at broadcast time (OFFSEC-015 fix), so it is
-      // safe to render as innerText equivalent via dangerouslySetInnerHTML
-      // is not needed — just render the string as-is.
-      const senderId = (msg.payload.sender_id as string) ?? "";
-      const sender = (msg.payload.sender as string) ?? senderId.slice(0, 8);
-      const message = (msg.payload.message as string) ?? "";
-      if (!message) break;
-      const { broadcastMessages } = get();
-      set({
-        broadcastMessages: [
-          ...broadcastMessages,
-          {
-            id: crypto.randomUUID(),
-            senderId,
-            sender,
-            message,
-            timestamp: new Date().toISOString(),
-          },
-        ],
-        liveAnnouncement: `Broadcast from ${sender}: ${message}`,
-      });
-      break;
-    }
-
     default:
       break;
   }

canvas/src/store/canvas.ts

@@ -244,13 +244,6 @@ interface CanvasState {
    *  so the same announcement doesn't re-fire on re-render. */
   liveAnnouncement: string;
   setLiveAnnouncement: (msg: string) => void;
-  /** Incoming org-wide broadcast messages received via BROADCAST_MESSAGE
-   *  WebSocket events. Consumed by the BroadcastBanner component; each
-   *  entry is cleared after the user dismisses it so dismissed broadcasts
-   *  don't reappear on reconnect. */
-  broadcastMessages: Array<{ id: string; sender: string; senderId: string; message: string; timestamp: string }>;
-  consumeBroadcastMessages: () => Array<{ id: string; sender: string; senderId: string; message: string; timestamp: string }>;
-  dismissBroadcastMessage: (id: string) => void;
 }
 
 export const useCanvasStore = create<CanvasState>((set, get) => ({
@@ -349,14 +342,6 @@ export const useCanvasStore = create<CanvasState>((set, get) => ({
   },
   liveAnnouncement: "",
   setLiveAnnouncement: (msg) => set({ liveAnnouncement: msg }),
-  broadcastMessages: [],
-  consumeBroadcastMessages: () => {
-    const msgs = get().broadcastMessages;
-    set({ broadcastMessages: [] });
-    return msgs;
-  },
-  dismissBroadcastMessage: (id) =>
-    set({ broadcastMessages: get().broadcastMessages.filter((m) => m.id !== id) }),
 
   viewport: { x: 0, y: 0, zoom: 1 },
 

manifest.json

@@ -30,10 +30,7 @@
     {"name": "openclaw", "repo": "molecule-ai/molecule-ai-workspace-template-openclaw", "ref": "main"},
     {"name": "codex", "repo": "molecule-ai/molecule-ai-workspace-template-codex", "ref": "main"},
     {"name": "langgraph", "repo": "molecule-ai/molecule-ai-workspace-template-langgraph", "ref": "main"},
-    {"name": "crewai", "repo": "molecule-ai/molecule-ai-workspace-template-crewai", "ref": "main"},
-    {"name": "autogen", "repo": "molecule-ai/molecule-ai-workspace-template-autogen", "ref": "main"},
-    {"name": "deepagents", "repo": "molecule-ai/molecule-ai-workspace-template-deepagents", "ref": "main"},
-    {"name": "gemini-cli", "repo": "molecule-ai/molecule-ai-workspace-template-gemini-cli", "ref": "main"}
+    {"name": "autogen", "repo": "molecule-ai/molecule-ai-workspace-template-autogen", "ref": "main"}
   ],
   "org_templates": [
     {"name": "molecule-dev", "repo": "molecule-ai/molecule-ai-org-template-molecule-dev", "ref": "main"},

workspace-server/internal/handlers/a2a_poll_ingest_persist_test.go

@@ -0,0 +1,160 @@
+package handlers
+
+// Regression coverage for the POLL-mode arm of the canvas user-message
+// data-loss bug (internal#470 sibling — tracked on internal#471).
+//
+// Bug (reported 2026-05-16 by CTO Hongming): "in canvas i sometimes lose
+// my own message when i exit chat". The push-mode arm was fixed by
+// #1347 (persistUserMessageAtIngest — a SYNCHRONOUS, before-dispatch,
+// context.WithoutCancel INSERT). #1347's framing asserted "poll-mode
+// workspaces were never affected — logA2AReceiveQueued already persists
+// at ingest". That assertion is OVERSTATED.
+//
+// Hongming's tenant (slug `hongming`, org 2c940477-...) has 4 workspaces,
+// ALL runtime=external with empty URL → ALL delivery_mode=poll (proven
+// empirically: a benign A2A probe returns the synthetic
+// {"delivery_mode":"poll","status":"queued"} envelope for every one).
+// So his reported loss is the POLL path, NOT the push path #1347 fixes.
+//
+// Root cause (poll arm): the poll-mode short-circuit (a2a_proxy.go ~402)
+// calls logA2AReceiveQueued and then IMMEDIATELY returns the synthetic
+// 200 {status:"queued"} to the canvas. But logA2AReceiveQueued's durable
+// INSERT runs inside h.goAsync(...) — a DETACHED goroutine with NO
+// happens-before barrier against the HTTP response. The canvas sees 200
+// ("message accepted") while the activity_logs row may not yet be — and,
+// on a workspace-server restart / deploy / OOM / EC2 hibernation between
+// the 200 and the goroutine's commit, NEVER will be — durable. There is
+// also no fallback (unlike push-mode's legacy-INSERT fallback): a
+// swallowed LogActivity error loses the message with only a log line.
+// Chat-history reads activity_logs (postgres_store.go:165-187); a missing
+// row = message gone on reopen. That is exactly Hongming's symptom.
+//
+// Fix (parity with push-mode): the poll-mode ingest persist of the
+// canvas user message must be SYNCHRONOUS — committed before the queued
+// 200 is returned — on a context.WithoutCancel derived context, so a
+// client disconnect on chat-exit and a post-response restart cannot lose
+// it. Behavior is never worse than today (best-effort; a persist error
+// still returns queued).
+//
+// TEST DESIGN NOTE: sqlmock.ExpectationsWereMet() hangs indefinitely if
+// the expected query never fires. We use a select+default+time.After
+// pattern so the test FAILS fast (not hangs) when the production code
+// regresses to async (the INSERT never fires before handler returns),
+// while still returning promptly when all expectations are met. The
+// insertDelay is kept small (50ms) to minimise suite-level timing
+// impact under -race detection, where mock delays are amplified by
+// the instrumenter's goroutine overhead.
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/DATA-DOG/go-sqlmock"
+	"github.com/gin-gonic/gin"
+)
+
+// TestProxyA2A_PollMode_PersistsUserMessageSynchronouslyBeforeQueuedResponse
+// is the defining contract: for a poll-mode workspace, the canvas user
+// message MUST be durably INSERTed into activity_logs BEFORE the synthetic
+// queued 200 is returned to the client — with NO reliance on a detached
+// async goroutine completing later.
+//
+// The test proves the ordering by making the INSERT block briefly and
+// asserting the handler does NOT return until the INSERT has completed.
+// Pre-fix (INSERT in h.goAsync, response returned immediately) the
+// handler returns ~instantly while the INSERT is still pending in the
+// goroutine → the elapsed time is far below the injected INSERT delay and
+// ExpectationsWereMet() is racy/unmet at return. Post-fix (synchronous
+// persist before the queued response) the handler return is gated on the
+// INSERT, so elapsed >= the injected delay and the expectation is met
+// deterministically at return WITHOUT any waitAsyncForTest()/sleep.
+func TestProxyA2A_PollMode_PersistsUserMessageSynchronouslyBeforeQueuedResponse(t *testing.T) {
+	mock := setupTestDB(t)
+	setupTestRedis(t)
+	broadcaster := newTestBroadcaster()
+	handler := NewWorkspaceHandler(broadcaster, nil, "http://localhost:8080", t.TempDir())
+
+	const wsID = "ws-poll-sync-persist"
+	// Keep delay small: -race detection amplifies mock delays significantly.
+	// A 50ms delay is sufficient to prove synchronous blocking (~50× the
+	// normal INSERT latency) without bloating the full ./... suite runtime.
+	const insertDelay = 50 * time.Millisecond
+
+	expectBudgetCheck(mock, wsID)
+
+	// lookupDeliveryMode → poll, triggering the short-circuit.
+	mock.ExpectQuery("SELECT delivery_mode FROM workspaces WHERE id").
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"delivery_mode"}).AddRow("poll"))
+
+	// workspace-name lookup inside logA2AReceiveQueued.
+	mock.ExpectQuery(`SELECT name FROM workspaces WHERE id`).
+		WithArgs(wsID).
+		WillReturnRows(sqlmock.NewRows([]string{"name"}).AddRow("Poll WS"))
+
+	// The durable user-message write. We delay it so a synchronous
+	// persist visibly gates the handler return; a detached-goroutine
+	// persist (pre-fix) does not. The fix must keep using
+	// context.WithoutCancel so this write survives a chat-exit cancel.
+	mock.ExpectExec("INSERT INTO activity_logs").
+		WillDelayFor(insertDelay).
+		WillReturnResult(sqlmock.NewResult(0, 1))
+
+	w := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(w)
+	c.Params = gin.Params{{Key: "id", Value: wsID}}
+
+	// callerID == "" (no X-Workspace-ID) → this is a canvas_user message,
+	// exactly Hongming's case.
+	body := `{"jsonrpc":"2.0","id":"poll-canvas-1","method":"message/send","params":{"message":{"role":"user","parts":[{"text":"my own message"}]}}}`
+	c.Request = httptest.NewRequest("POST", "/workspaces/"+wsID+"/a2a", bytes.NewBufferString(body))
+	c.Request.Header.Set("Content-Type", "application/json")
+
+	start := time.Now()
+	handler.ProxyA2A(c)
+	elapsed := time.Since(start)
+
+	// Defining assertion #1: the handler must not have returned the
+	// queued response before the durable INSERT committed. Pre-fix this
+	// fails (elapsed ≈ 0, INSERT still racing in goAsync).
+	if elapsed < insertDelay {
+		t.Fatalf("poll-mode queued response returned in %v, before the %v user-message INSERT — "+
+			"the message is not durable when the client/process goes away (DATA LOSS). "+
+			"Persist must be synchronous before the queued 200.", elapsed, insertDelay)
+	}
+
+	// Defining assertion #2: the durable write actually happened by the
+	// time the handler returned. ExpectionsWereMet() hangs indefinitely if
+	// the mock never fires (e.g. production code regressed to async),
+	// so we check it in a goroutine with a hard 2s timeout — fails fast
+	// (no CI hang) on regression while returning promptly on success.
+	expectDone := make(chan error, 1)
+	go func() { expectDone <- mock.ExpectationsWereMet() }()
+	select {
+	case err := <-expectDone:
+		if err != nil {
+			t.Fatalf("user-message INSERT was not durable at handler return (unmet sqlmock expectations): %v", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatalf("ExpectationsWereMet() hung for >2s — INSERT mock never fired. " +
+			"Likely cause: production code regressed logA2AReceiveQueued to goAsync " +
+			"(INSERT fires after handler returns, not before).")
+	}
+
+	// Sanity: still the correct poll-mode envelope + status.
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200 (queued), got %d: %s", w.Code, w.Body.String())
+	}
+	var resp map[string]interface{}
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("response is not valid JSON: %v", err)
+	}
+	if resp["status"] != "queued" || resp["delivery_mode"] != "poll" {
+		t.Errorf("poll envelope changed: got status=%v delivery_mode=%v, want queued/poll",
+			resp["status"], resp["delivery_mode"])
+	}
+}

workspace-server/internal/handlers/a2a_proxy_helpers.go

@@ -504,25 +504,49 @@ func lookupDeliveryMode(ctx context.Context, workspaceID string) string {
 // reads in PR 3 — that's how a poll-mode workspace receives inbound A2A
 // without a public URL.
 func (h *WorkspaceHandler) logA2AReceiveQueued(ctx context.Context, workspaceID, callerID string, body []byte, a2aMethod string) {
+	// DATA-LOSS FIX (internal#471 — poll-mode sibling of #1347/internal#470):
+	// this is the ONLY durable write of a poll-mode inbound message,
+	// including a canvas_user message (callerID == "") typed in the canvas
+	// chat. It MUST be SYNCHRONOUS and complete BEFORE the caller returns
+	// the synthetic {status:"queued"} 200 — otherwise the canvas sees the
+	// send acknowledged while the activity_logs row is still racing in a
+	// detached goroutine, and a workspace-server restart / deploy / OOM /
+	// EC2 hibernation between the 200 and the goroutine's commit loses the
+	// user's message permanently (chat-history reads activity_logs, so a
+	// missing row = message gone on reopen). Hongming's tenant is entirely
+	// poll-mode (4 external workspaces, no URL — verified empirically), so
+	// his reported loss is THIS path; #1347 (push-mode, persists AFTER the
+	// poll short-circuit) structurally cannot cover it.
+	//
+	// Mirrors persistUserMessageAtIngest's discipline:
+	//   - context.WithoutCancel: a client disconnect on chat-exit (which
+	//     cancels the inbound request ctx) MUST NOT abort this write.
+	//   - SYNCHRONOUS (no goAsync): the row must be durable before the
+	//     queued 200 is returned to the caller.
+	//   - Best-effort: LogActivity already logs+swallows INSERT errors, so
+	//     a hiccup never blocks or fails the user's send (behavior for
+	//     that one request is never worse than the pre-fix async path).
+	// The post-commit broadcast still fires inside LogActivity; a missed
+	// WebSocket event is not data loss (the durable row is the truth the
+	// canvas re-reads on reopen).
+	insCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
+	defer cancel()
+
 	var wsName string
-	db.DB.QueryRowContext(ctx, `SELECT name FROM workspaces WHERE id = $1`, workspaceID).Scan(&wsName)
+	db.DB.QueryRowContext(insCtx, `SELECT name FROM workspaces WHERE id = $1`, workspaceID).Scan(&wsName)
 	if wsName == "" {
 		wsName = workspaceID
 	}
 	summary := a2aMethod + " → " + wsName + " (queued for poll)"
-	h.goAsync(func() {
-		logCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 30*time.Second)
-		defer cancel()
-		LogActivity(logCtx, h.broadcaster, ActivityParams{
-			WorkspaceID:  workspaceID,
-			ActivityType: "a2a_receive",
-			SourceID:     nilIfEmpty(callerID),
-			TargetID:     &workspaceID,
-			Method:       &a2aMethod,
-			Summary:      &summary,
-			RequestBody:  json.RawMessage(body),
-			Status:       "ok",
-		})
+	LogActivity(insCtx, h.broadcaster, ActivityParams{
+		WorkspaceID:  workspaceID,
+		ActivityType: "a2a_receive",
+		SourceID:     nilIfEmpty(callerID),
+		TargetID:     &workspaceID,
+		Method:       &a2aMethod,
+		Summary:      &summary,
+		RequestBody:  json.RawMessage(body),
+		Status:       "ok",
 	})
 }
 

workspace-server/internal/handlers/admin_workspace_images.go

@@ -44,8 +44,8 @@ func NewWorkspaceImageService(docker *dockerclient.Client) *WorkspaceImageServic
 // AllRuntimes is the canonical list mirroring docs/workspace-runtime-package.md.
 // Update both when a new template is added.
 var AllRuntimes = []string{
-	"claude-code", "langgraph", "crewai", "autogen",
-	"deepagents", "hermes", "gemini-cli", "openclaw",
+	"claude-code", "langgraph", "autogen",
+	"hermes", "openclaw",
 }
 
 // RefreshResult is the per-call outcome surfaced to HTTP callers AND logged

workspace-server/internal/handlers/org_helpers.go

@@ -177,7 +177,7 @@ func isEnvIdentPart(c byte) bool {
 	return isEnvIdentStart(c) || (c >= '0' && c <= '9')
 }
 
-// loadWorkspaceEnv reads the org root .env and the workspace-specific .env .env and the workspace-specific .env
+// loadWorkspaceEnv reads the org root .env and the workspace-specific .env
 // (workspace overrides org root). Used by both secret injection and channel
 // config expansion.
 //

workspace-server/internal/handlers/template_files_agent_home_stub_test.go

@@ -1,117 +0,0 @@
-package handlers
-
-// template_files_agent_home_stub_test.go — pins the Phase-1 stub
-// contract for the /agent-home root added by internal#425 RFC.
-//
-// Today (pre-Phase-2b), every Files API verb against `?root=/agent-home`
-// must return HTTP 501 with the canonical pending-message body. The
-// stub MUST NOT:
-//   1. Hit the DB (the workspace might not even exist yet from the
-//      canvas's POV — the root selector is testable without one).
-//   2. Touch the EIC tunnel / Docker / template-dir paths — those
-//      would 500/404/[] depending on the env and confuse the canvas.
-//   3. Accept writes/deletes that the future docker-exec backend
-//      would reject — fail closed.
-//
-// When Phase 2b lands, this file gets replaced by a real
-// docker-exec dispatch test; the stub-message constant in
-// templates.go disappears.
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-)
-
-// TestAgentHomeAllowedRoot pins that /agent-home is in the allowedRoots
-// set. Without this, a future refactor that drops the key would
-// silently degrade the canvas root selector to a 400 instead of the
-// stub 501.
-func TestAgentHomeAllowedRoot(t *testing.T) {
-	if !allowedRoots["/agent-home"] {
-		t.Fatal("/agent-home must be in allowedRoots — RFC #425 contract")
-	}
-}
-
-// TestAgentHomeStub_AllVerbs_Return501 pins the canonical stub
-// response across all four verbs. Each must:
-//
-//   - status 501
-//   - body contains the canonical "/agent-home not implemented" prefix
-//   - NOT contain "workspace not found" (proves we short-circuit before
-//     the DB lookup)
-//
-// Driven as a table to keep symmetry — adding a fifth verb in the
-// future means adding one row here.
-func TestAgentHomeStub_AllVerbs_Return501(t *testing.T) {
-	cases := []struct {
-		name   string
-		method string
-		invoke func(c *gin.Context)
-	}{
-		{
-			name:   "ListFiles",
-			method: "GET",
-			invoke: func(c *gin.Context) { (&TemplatesHandler{}).ListFiles(c) },
-		},
-		{
-			name:   "ReadFile",
-			method: "GET",
-			invoke: func(c *gin.Context) { (&TemplatesHandler{}).ReadFile(c) },
-		},
-		{
-			name:   "WriteFile",
-			method: "PUT",
-			invoke: func(c *gin.Context) { (&TemplatesHandler{}).WriteFile(c) },
-		},
-		{
-			name:   "DeleteFile",
-			method: "DELETE",
-			invoke: func(c *gin.Context) { (&TemplatesHandler{}).DeleteFile(c) },
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			w := httptest.NewRecorder()
-			c, _ := gin.CreateTestContext(w)
-			c.Params = gin.Params{
-				{Key: "id", Value: "ws-stub"},
-				// Path param without leading slash so DeleteFile's
-				// filepath.IsAbs guard doesn't 400 before the root
-				// dispatch runs. The List/Read/Write paths strip the
-				// leading slash themselves and accept either form.
-				{Key: "path", Value: "notes.md"},
-			}
-			// WriteFile binds JSON; provide a minimal valid body so the
-			// short-circuit isn't masked by the bind-error path.
-			var body string
-			if tc.method == "PUT" {
-				body = `{"content":"x"}`
-			}
-			c.Request = httptest.NewRequest(
-				tc.method,
-				"/workspaces/ws-stub/files/notes.md?root=/agent-home",
-				strings.NewReader(body),
-			)
-			if body != "" {
-				c.Request.Header.Set("Content-Type", "application/json")
-			}
-
-			tc.invoke(c)
-
-			if w.Code != http.StatusNotImplemented {
-				t.Fatalf("expected 501, got %d: %s", w.Code, w.Body.String())
-			}
-			if !strings.Contains(w.Body.String(), "/agent-home not implemented") {
-				t.Errorf("body should contain canonical stub message; got %s", w.Body.String())
-			}
-			if strings.Contains(w.Body.String(), "workspace not found") {
-				t.Errorf("stub leaked through to DB lookup; body=%s", w.Body.String())
-			}
-		})
-	}
-}

workspace-server/internal/handlers/templates.go

@@ -18,35 +18,11 @@ import (
 )
 
 // allowedRoots are the container paths that the Files API can browse.
-//
-// `/agent-home` (added 2026-05-15, internal#425 RFC) is the container's
-// own $HOME — `/root` for openclaw, `/home/agent` for claude-code/hermes
-// — browsed via `docker exec` rather than host-side `find`. The
-// dispatch is stubbed today (returns 501); full implementation lands in
-// Phase 2b of the RFC. The allowedRoots key is added now so the canvas
-// can design its root-selector UI against the final shape and the
-// stub-vs-full transition is server-side only.
 var allowedRoots = map[string]bool{
-	"/configs":    true,
-	"/workspace":  true,
-	"/home":       true,
-	"/plugins":    true,
-	"/agent-home": true,
-}
-
-// agentHomeStubMessage is the body returned by every Files API verb
-// when `?root=/agent-home` is requested before Phase 2b lands. Keep the
-// status code 501 (Not Implemented) — the route exists, the verb is
-// understood, but the handler is unimplemented. Distinguishes from
-// 400/404 so a canvas behind a less-current server can render a clean
-// "feature pending" state instead of a generic error.
-const agentHomeStubMessage = "/agent-home not implemented yet (internal#425 RFC Phase 2b — docker-exec backend pending)"
-
-// isAgentHomeStubRequest returns true when the request targets the
-// stubbed /agent-home root. Centralised so every verb in this file
-// short-circuits with the same response shape.
-func isAgentHomeStubRequest(rootPath string) bool {
-	return rootPath == "/agent-home"
+	"/configs":   true,
+	"/workspace": true,
+	"/home":      true,
+	"/plugins":   true,
 }
 
 // maxUploadFiles limits the number of files in a single import/replace.
@@ -248,14 +224,7 @@ func (h *TemplatesHandler) ListFiles(c *gin.Context) {
 	//   ?depth= — max depth to recurse (default: 1, max: 5)
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	// /agent-home dispatch is stubbed pre-Phase-2b. Short-circuit before
-	// the DB lookup + EIC dance so a canvas exercising the new root key
-	// gets a clean 501 instead of a half-effort response.
-	if isAgentHomeStubRequest(rootPath) {
-		c.JSON(http.StatusNotImplemented, gin.H{"error": agentHomeStubMessage})
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	subPath := c.DefaultQuery("path", "")
@@ -424,11 +393,7 @@ func (h *TemplatesHandler) ReadFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	if isAgentHomeStubRequest(rootPath) {
-		c.JSON(http.StatusNotImplemented, gin.H{"error": agentHomeStubMessage})
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 
@@ -541,11 +506,7 @@ func (h *TemplatesHandler) WriteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	if isAgentHomeStubRequest(rootPath) {
-		c.JSON(http.StatusNotImplemented, gin.H{"error": agentHomeStubMessage})
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string
@@ -622,11 +583,7 @@ func (h *TemplatesHandler) DeleteFile(c *gin.Context) {
 	ctx := c.Request.Context()
 	rootPath := c.DefaultQuery("root", "/configs")
 	if !allowedRoots[rootPath] {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins, /agent-home"})
-		return
-	}
-	if isAgentHomeStubRequest(rootPath) {
-		c.JSON(http.StatusNotImplemented, gin.H{"error": agentHomeStubMessage})
+		c.JSON(http.StatusBadRequest, gin.H{"error": "root must be one of: /configs, /workspace, /home, /plugins"})
 		return
 	}
 	var wsName, instanceID, runtime string

workspace-server/internal/models/runtime_defaults.go

@@ -23,8 +23,8 @@ package models
 //   - claude-code: "sonnet" — Anthropic's CLI accepts the short
 //     name and resolves it via the operator's anthropic-oauth or
 //     ANTHROPIC_API_KEY chain.
-//   - everything else (hermes, langgraph, crewai, autogen, deepagents,
-//     codex, openclaw, gemini-cli, external, ""): a fully-qualified
+//   - everything else (hermes, langgraph, autogen, codex, openclaw,
+//     external, ""): a fully-qualified
 //     vendor:model slug that the universal MODEL_PROVIDER chain in
 //     molecule-core PR #247 can route via per-vendor required_env.
 //

workspace-server/internal/models/runtime_defaults_test.go

@@ -21,12 +21,9 @@ func TestDefaultModel(t *testing.T) {
 		// as a generic "unknown" failure.
 		{"hermes", "anthropic:claude-opus-4-7"},
 		{"langgraph", "anthropic:claude-opus-4-7"},
-		{"crewai", "anthropic:claude-opus-4-7"},
 		{"autogen", "anthropic:claude-opus-4-7"},
-		{"deepagents", "anthropic:claude-opus-4-7"},
 		{"codex", "anthropic:claude-opus-4-7"},
 		{"openclaw", "anthropic:claude-opus-4-7"},
-		{"gemini-cli", "anthropic:claude-opus-4-7"},
 		{"external", "anthropic:claude-opus-4-7"},
 
 		// Unknown / empty — fall through to universal default rather

workspace-server/internal/provisioner/cp_provisioner.go

@@ -178,21 +178,12 @@ func (p *CPProvisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string,
 	// /admin/liveness and other admin-gated platform endpoints (core#831).
 	// p.adminToken is read from os.Getenv("ADMIN_TOKEN") at provisioner creation;
 	// it is also used for CP→platform HTTP auth but those are separate concerns.
-	//
-	// Forensic #145 hardening: tenant workspaces run on EC2 via this path, so
-	// the SCM-write-token denylist (see buildContainerEnv) is enforced here
-	// too. Always build a filtered copy — never pass cfg.EnvVars through
-	// verbatim — so a latent persona-merged GITEA_TOKEN can't reach the
-	// tenant container regardless of whether ADMIN_TOKEN is set.
-	env := make(map[string]string, len(cfg.EnvVars)+1)
-	for k, v := range cfg.EnvVars {
-		if isSCMWriteTokenKey(k) {
-			log.Printf("CPProvisioner.Start: dropped SCM-write credential %q from tenant workspace env (forensic #145 guard)", k)
-			continue
-		}
-		env[k] = v
-	}
+	env := cfg.EnvVars
 	if p.adminToken != "" {
+		env = make(map[string]string, len(cfg.EnvVars)+1)
+		for k, v := range cfg.EnvVars {
+			env[k] = v
+		}
 		env["ADMIN_TOKEN"] = p.adminToken
 	}
 	// Collect template files and generated configs, with OFFSEC-010 guards:

workspace-server/internal/provisioner/localbuild_test.go

@@ -190,7 +190,7 @@ func TestEnsureLocalImage_RepoNotFound(t *testing.T) {
 	opts.HTTPClient = srv.Client()
 	opts.remoteHeadSha = nil // exercise real HTTP path
 
-	_, err := ensureLocalImageWithOpts(context.Background(), "crewai", opts)
+	_, err := ensureLocalImageWithOpts(context.Background(), "hermes", opts)
 	if err == nil {
 		t.Fatalf("expected error, got nil")
 	}

workspace-server/internal/provisioner/provisioner.go

@@ -35,6 +35,19 @@ import (
 // drift-risk #6.
 var ErrNoBackend = errors.New("provisioner: no backend configured (zero-valued receiver)")
 
+// ErrUnresolvableRuntime is returned by selectImage when a workspace
+// names a runtime that has no resolvable image (not in RuntimeImages and
+// no operator-pinned cfg.Image). RFC internal#483 + security review 4269:
+// previously such a request silently fell through to DefaultImage
+// (langgraph) — a user asking for crewai would get a langgraph container
+// with no signal. The CTO standing directive
+// (feedback_platform_must_hardgate_base_contract) is fail-closed: a
+// named-but-unresolvable runtime must reject with a structured,
+// runtime-naming error so the existing provision-failed notify/log path
+// surfaces it, NOT silently degrade. The genuinely-unspecified (empty)
+// runtime is still a distinct, legitimate path that keeps DefaultImage.
+var ErrUnresolvableRuntime = errors.New("provisioner: requested runtime has no resolvable image")
+
 // RuntimeImages maps runtime names to their Docker image refs.
 // Each standalone template repo publishes its image via the reusable
 // publish-template-image workflow in molecule-ci on every main merge.
@@ -104,20 +117,33 @@ type WorkspaceConfig struct {
 // selectImage resolves the final Docker image ref for a workspace. The handler
 // layer is the source of truth — if it set cfg.Image (the digest-pinned form
 // from runtime_image_pins, #2272), honor that. Otherwise fall back to the
-// runtime→tag lookup in RuntimeImages (legacy `:latest` behavior). When the
-// runtime isn't recognized either, fall back to DefaultImage so Start() still
-// has something to hand Docker — surfacing a "No such image" later is more
-// actionable than a silent "" panic in ContainerCreate.
-func selectImage(cfg WorkspaceConfig) string {
+// runtime→tag lookup in RuntimeImages (legacy `:latest` behavior).
+//
+// Fail-closed contract (RFC internal#483 / security review 4269 /
+// feedback_platform_must_hardgate_base_contract): if the workspace NAMES a
+// runtime that resolves to no image (not in RuntimeImages, no pinned
+// cfg.Image), reject with ErrUnresolvableRuntime instead of silently
+// substituting DefaultImage. Pre-fix, removing crewai/deepagents/gemini-cli
+// from the catalog left those create requests silently provisioning a
+// langgraph container — the user asked for crewai and got langgraph with no
+// signal. The error propagates through Start → markProvisionFailed, which
+// already broadcasts WorkspaceProvisionFailed and records the message.
+//
+// The genuinely-unspecified runtime (empty cfg.Runtime, e.g. an org template
+// that doesn't pin one) is an intended distinct path and still resolves to
+// DefaultImage — only a NAMED-but-unresolvable runtime is rejected.
+func selectImage(cfg WorkspaceConfig) (string, error) {
 	if cfg.Image != "" {
-		return cfg.Image
+		return cfg.Image, nil
 	}
 	if cfg.Runtime != "" {
 		if img, ok := RuntimeImages[cfg.Runtime]; ok {
-			return img
+			return img, nil
 		}
+		return "", fmt.Errorf("%w: runtime %q (known runtimes: %v)",
+			ErrUnresolvableRuntime, cfg.Runtime, knownRuntimes)
 	}
-	return DefaultImage
+	return DefaultImage, nil
 }
 
 // Workspace-access constants for #65. Matches the CHECK constraint on
@@ -189,6 +215,24 @@ const containerNamePrefix = "ws-"
 // (the wiped-DB case after `docker compose down -v`).
 const LabelManaged = "molecule.platform.managed"
 
+// AgentUID / AgentGID are the uid/gid of the unprivileged `agent` user that
+// every workspace template creates and drops to via `gosu agent` before
+// exec'ing the runtime (the a2a_mcp_server runs under this uid). The value is
+// fixed at 1000:1000 across all templates — see:
+//   - workspace-configs-templates/claude-code-default/Dockerfile (`useradd -u 1000 ... agent`)
+//   - workspace-configs-templates/hermes/Dockerfile               (`useradd -u 1000 ... agent`)
+//   - workspace/entrypoint.sh                                     (`exec gosu agent` — "uid 1000")
+//
+// Files the platform injects into /configs AFTER the entrypoint's
+// `chown -R agent:agent /configs` (the post-start #418 re-injection and the
+// pre-start #1877 volume write) must be owned by this uid/gid, otherwise the
+// agent-uid MCP server hits EACCES reading /configs/.auth_token, sends an
+// empty bearer, and the platform 401s on /registry/{id}/peers (list_peers).
+const (
+	AgentUID = 1000
+	AgentGID = 1000
+)
+
 // managedLabels is the canonical label map applied to every workspace
 // container + volume. Pulled out so a future addition (e.g. instance
 // UUID for multi-platform-shared-daemon disambiguation) is one edit.
@@ -318,7 +362,15 @@ func (p *Provisioner) Start(ctx context.Context, cfg WorkspaceConfig) (string, e
 
 	env := buildContainerEnv(cfg)
 
-	image := selectImage(cfg)
+	image, imgErr := selectImage(cfg)
+	if imgErr != nil {
+		// Fail-closed: a named-but-unresolvable runtime must not silently
+		// become DefaultImage (RFC internal#483 / review 4269). The caller's
+		// error path (markProvisionFailed) broadcasts the failure + records
+		// the message so the canvas surfaces it.
+		log.Printf("Provisioner: refusing to start %s: %v", cfg.WorkspaceID, imgErr)
+		return "", imgErr
+	}
 
 	// Local-build mode (issue #63 / Task #194): when MOLECULE_IMAGE_REGISTRY
 	// is unset, the OSS contributor path skips the registry pull entirely
@@ -591,28 +643,6 @@ func ValidateWorkspaceAccess(access, workspacePath string) error {
 	}
 }
 
-// scmWriteTokenKeys is the explicit denylist of environment variable names
-// that carry a Git SCM *write* credential (push / merge / approve). These
-// must never reach a tenant workspace container — see the forensic #145
-// rationale in buildContainerEnv. Kept as an exact-match set rather than a
-// substring/prefix heuristic so the guard is auditable and can't silently
-// over-strip a legitimately-named var.
-var scmWriteTokenKeys = map[string]struct{}{
-	"GITEA_TOKEN":     {},
-	"GITHUB_TOKEN":    {},
-	"GH_TOKEN":        {}, // gh CLI honours GH_TOKEN as a GITHUB_TOKEN alias
-	"GITLAB_TOKEN":    {},
-	"GL_TOKEN":        {}, // glab CLI alias
-	"BITBUCKET_TOKEN": {},
-}
-
-// isSCMWriteTokenKey reports whether an env var name is a known Git SCM
-// write credential that must be stripped from tenant workspace env.
-func isSCMWriteTokenKey(key string) bool {
-	_, ok := scmWriteTokenKeys[key]
-	return ok
-}
-
 // buildContainerEnv assembles the initial environment variables injected
 // into every workspace container.
 //
@@ -649,21 +679,6 @@ func buildContainerEnv(cfg WorkspaceConfig) []string {
 		env = append(env, fmt.Sprintf("AWARENESS_URL=%s", cfg.AwarenessURL))
 	}
 	for k, v := range cfg.EnvVars {
-		// Forensic #145 hardening: tenant workspace containers run
-		// agent-controlled code and must NEVER receive a Git SCM *write*
-		// credential. Without merge/approve creds in-container the
-		// two-eyes review gate is structurally self-bypass-proof — an
-		// agent that forges an approval has no token to act on it. A
-		// latent path exists (loadPersonaEnvFile merges a per-role
-		// persona `GITEA_TOKEN` into cfg.EnvVars when MOLECULE_PERSONA_ROOT
-		// is set on a tenant host); it is inert today (persona dirs are
-		// operator-host-only) but unguarded. Strip SCM-write tokens here
-		// by construction so the invariant holds regardless of whether
-		// that path ever becomes reachable.
-		if isSCMWriteTokenKey(k) {
-			log.Printf("buildContainerEnv: dropped SCM-write credential %q from workspace env (forensic #145 guard)", k)
-			continue
-		}
 		env = append(env, fmt.Sprintf("%s=%s", k, v))
 	}
 	// Inject ADMIN_TOKEN from the platform server's environment so workspace
@@ -899,8 +914,18 @@ func buildTemplateTar(templatePath string) (*bytes.Buffer, error) {
 	return &buf, nil
 }
 
-// WriteFilesToContainer writes in-memory files into /configs in the container.
-func (p *Provisioner) WriteFilesToContainer(ctx context.Context, containerID string, files map[string][]byte) error {
+// buildConfigFilesTar builds the tar stream that WriteFilesToContainer streams
+// into /configs via CopyToContainer. Every entry is stamped Uid/Gid = agent
+// (AgentUID/AgentGID) so the files land agent-owned after extraction. This is
+// the issue #418 post-start re-injection path: it runs AFTER the template
+// entrypoint's `chown -R agent:agent /configs`, so without explicit ownership
+// in the tar header the files extract as root:root (tar Uid/Gid default 0) and
+// the agent-uid MCP server can no longer read /configs/.auth_token (and
+// /configs/.platform_inbound_secret) → empty bearer → list_peers 401.
+//
+// Pulled out as a pure function so the ownership contract is unit-testable
+// without a live Docker daemon (mirrors buildTemplateTar).
+func buildConfigFilesTar(files map[string][]byte) (*bytes.Buffer, error) {
 	var buf bytes.Buffer
 	tw := tar.NewWriter(&buf)
 
@@ -913,8 +938,10 @@ func (p *Provisioner) WriteFilesToContainer(ctx context.Context, containerID str
 				Typeflag: tar.TypeDir,
 				Name:     dir + "/",
 				Mode:     0755,
+				Uid:      AgentUID,
+				Gid:      AgentGID,
 			}); err != nil {
-				return fmt.Errorf("failed to write tar dir header for %s: %w", dir, err)
+				return nil, fmt.Errorf("failed to write tar dir header for %s: %w", dir, err)
 			}
 			createdDirs[dir] = true
 		}
@@ -923,19 +950,30 @@ func (p *Provisioner) WriteFilesToContainer(ctx context.Context, containerID str
 			Name: name,
 			Mode: 0644,
 			Size: int64(len(data)),
+			Uid:  AgentUID,
+			Gid:  AgentGID,
 		}
 		if err := tw.WriteHeader(header); err != nil {
-			return fmt.Errorf("failed to write tar header for %s: %w", name, err)
+			return nil, fmt.Errorf("failed to write tar header for %s: %w", name, err)
 		}
 		if _, err := tw.Write(data); err != nil {
-			return fmt.Errorf("failed to write tar data for %s: %w", name, err)
+			return nil, fmt.Errorf("failed to write tar data for %s: %w", name, err)
 		}
 	}
 	if err := tw.Close(); err != nil {
-		return fmt.Errorf("failed to close tar writer: %w", err)
+		return nil, fmt.Errorf("failed to close tar writer: %w", err)
 	}
+	return &buf, nil
+}
 
-	return p.cli.CopyToContainer(ctx, containerID, "/configs", &buf, container.CopyToContainerOptions{})
+// WriteFilesToContainer writes in-memory files into /configs in the container,
+// agent-owned (see buildConfigFilesTar).
+func (p *Provisioner) WriteFilesToContainer(ctx context.Context, containerID string, files map[string][]byte) error {
+	buf, err := buildConfigFilesTar(files)
+	if err != nil {
+		return err
+	}
+	return p.cli.CopyToContainer(ctx, containerID, "/configs", buf, container.CopyToContainerOptions{})
 }
 
 // CopyToContainer exposes CopyToContainer from the Docker client for use by other packages.
@@ -1025,13 +1063,28 @@ func (p *Provisioner) ReadFromVolume(ctx context.Context, volumeName, filePath s
 	return clean, nil
 }
 
+// writeAuthTokenVolumeCmd is the shell command the throwaway alpine container
+// runs to seed /vol/.auth_token. alpine runs it as root, so without the
+// explicit `chown 1000:1000` the file stays root:root after the template
+// entrypoint's `chown -R agent:agent /configs` has already run — the agent-uid
+// (AgentUID) MCP server then gets EACCES reading it → empty bearer →
+// list_peers 401. Pulled out as a pure function so the ownership contract is
+// unit-testable without a live Docker daemon. Issue #1877.
+func writeAuthTokenVolumeCmd() string {
+	return fmt.Sprintf(
+		"mkdir -p /vol && printf '%%s' $TOKEN > /vol/.auth_token && chmod 0600 /vol/.auth_token && chown %d:%d /vol/.auth_token",
+		AgentUID, AgentGID,
+	)
+}
+
 // WriteAuthTokenToVolume writes the workspace auth token into the config volume
 // BEFORE the container starts, eliminating the token-injection race window where
 // a restarted container could read a stale token from /configs/.auth_token before
 // WriteFilesToContainer writes the new one. Issue #1877.
 //
 // Uses a throwaway alpine container to write directly to the named volume,
-// bypassing the container lifecycle entirely.
+// bypassing the container lifecycle entirely. The written file is chowned to
+// the agent uid/gid (see writeAuthTokenVolumeCmd).
 func (p *Provisioner) WriteAuthTokenToVolume(ctx context.Context, workspaceID, token string) error {
 	if p == nil || p.cli == nil {
 		return ErrNoBackend
@@ -1039,7 +1092,7 @@ func (p *Provisioner) WriteAuthTokenToVolume(ctx context.Context, workspaceID, t
 	volName := ConfigVolumeName(workspaceID)
 	resp, err := p.cli.ContainerCreate(ctx, &container.Config{
 		Image: "alpine",
-		Cmd:   []string{"sh", "-c", "mkdir -p /vol && printf '%s' $TOKEN > /vol/.auth_token && chmod 0600 /vol/.auth_token"},
+		Cmd:   []string{"sh", "-c", writeAuthTokenVolumeCmd()},
 		Env:   []string{"TOKEN=" + token},
 	}, &container.HostConfig{
 		Binds: []string{volName + ":/vol"},

workspace-server/internal/provisioner/provisioner_test.go

@@ -513,7 +513,10 @@ func TestWorkspaceConfig_ResetClaudeSessionFieldPresent(t *testing.T) {
 // we lose the "one bad publish doesn't break every workspace" guarantee.
 func TestSelectImage_PrefersExplicitImage(t *testing.T) {
 	pinned := "ghcr.io/molecule-ai/workspace-template-claude-code@sha256:3d6761a97ed07d7d33cfc19a8fbab81175d9d9179618d493dbc00c5f7ef076a3"
-	got := selectImage(WorkspaceConfig{Runtime: "claude-code", Image: pinned})
+	got, err := selectImage(WorkspaceConfig{Runtime: "claude-code", Image: pinned})
+	if err != nil {
+		t.Fatalf("selectImage with cfg.Image=pinned: unexpected error %v", err)
+	}
 	if got != pinned {
 		t.Errorf("selectImage with cfg.Image=pinned: got %q, want %q", got, pinned)
 	}
@@ -523,28 +526,46 @@ func TestSelectImage_PrefersExplicitImage(t *testing.T) {
 // pin lookup deliberately bypassed via WORKSPACE_IMAGE_LOCAL_OVERRIDE).
 // selectImage must use the legacy runtime→:latest map.
 func TestSelectImage_FallsBackToRuntimeMap(t *testing.T) {
-	got := selectImage(WorkspaceConfig{Runtime: "claude-code", Image: ""})
+	got, err := selectImage(WorkspaceConfig{Runtime: "claude-code", Image: ""})
+	if err != nil {
+		t.Fatalf("selectImage with empty Image: unexpected error %v", err)
+	}
 	want := RuntimeImages["claude-code"]
 	if got != want {
 		t.Errorf("selectImage with empty Image: got %q, want %q", got, want)
 	}
 }
 
-// TestSelectImage_UnknownRuntimeFallsBackToDefault preserves today's
-// behavior — an unrecognized runtime resolves to DefaultImage rather than
-// "" so ContainerCreate gets a usable arg and surfaces a meaningful
-// "No such image" error if the default itself is missing.
-func TestSelectImage_UnknownRuntimeFallsBackToDefault(t *testing.T) {
-	got := selectImage(WorkspaceConfig{Runtime: "no-such-runtime"})
-	if got != DefaultImage {
-		t.Errorf("selectImage with unknown runtime: got %q, want DefaultImage %q", got, DefaultImage)
+// TestSelectImage_NamedUnresolvableRuntimeRejects pins the fail-closed
+// contract (RFC internal#483 / security review 4269 /
+// feedback_platform_must_hardgate_base_contract): a NAMED runtime with no
+// resolvable image must reject with ErrUnresolvableRuntime, NOT silently
+// substitute DefaultImage. Pre-fix this returned langgraph — a user asking
+// for a removed runtime (crewai/deepagents/gemini-cli) silently got a
+// langgraph container. "crewai" is the concrete regression from the
+// security finding.
+func TestSelectImage_NamedUnresolvableRuntimeRejects(t *testing.T) {
+	for _, rt := range []string{"no-such-runtime", "crewai", "deepagents", "gemini-cli"} {
+		got, err := selectImage(WorkspaceConfig{Runtime: rt})
+		if !errors.Is(err, ErrUnresolvableRuntime) {
+			t.Errorf("selectImage(%q): got err %v, want ErrUnresolvableRuntime", rt, err)
+		}
+		if got != "" {
+			t.Errorf("selectImage(%q): got image %q, want \"\" on reject", rt, got)
+		}
+		if err != nil && !strings.Contains(err.Error(), rt) {
+			t.Errorf("selectImage(%q): error must name the offending runtime, got %v", rt, err)
+		}
 	}
 }
 
 // TestSelectImage_EmptyRuntimeFallsBackToDefault: same invariant for the
 // no-runtime-supplied path (legacy callers / older handler code).
 func TestSelectImage_EmptyRuntimeFallsBackToDefault(t *testing.T) {
-	got := selectImage(WorkspaceConfig{})
+	got, err := selectImage(WorkspaceConfig{})
+	if err != nil {
+		t.Fatalf("selectImage with zero cfg: unexpected error %v (empty runtime is a legitimate DefaultImage path)", err)
+	}
 	if got != DefaultImage {
 		t.Errorf("selectImage with zero cfg: got %q, want DefaultImage %q", got, DefaultImage)
 	}
@@ -704,15 +725,10 @@ func TestBuildContainerEnv_AwarenessOnlyWhenBothSet(t *testing.T) {
 }
 
 func TestBuildContainerEnv_CustomEnvVarsAppended(t *testing.T) {
-	// NOTE: this test previously asserted GITHUB_TOKEN passed through
-	// verbatim. That assertion encoded the forensic #145 latent leak as
-	// expected behavior. Post-guard, ordinary custom env still flows but
-	// SCM-write credentials are stripped — see
-	// TestBuildContainerEnv_StripsSCMWriteTokens for the negative assertion.
 	cfg := WorkspaceConfig{
 		WorkspaceID: "ws-x",
 		PlatformURL: "http://localhost:8080",
-		EnvVars:     map[string]string{"CUSTOM": "value", "ANTHROPIC_API_KEY": "sk-not-an-scm-token"},
+		EnvVars:     map[string]string{"CUSTOM": "value", "GITHUB_TOKEN": "fake-token-for-test"},
 	}
 	env := buildContainerEnv(cfg)
 	seen := map[string]string{}
@@ -725,8 +741,8 @@ func TestBuildContainerEnv_CustomEnvVarsAppended(t *testing.T) {
 	if seen["CUSTOM"] != "value" {
 		t.Errorf("CUSTOM env missing, got env=%v", env)
 	}
-	if seen["ANTHROPIC_API_KEY"] != "sk-not-an-scm-token" {
-		t.Errorf("non-SCM custom env must still pass through, got env=%v", env)
+	if seen["GITHUB_TOKEN"] != "fake-token-for-test" {
+		t.Errorf("GITHUB_TOKEN env missing, got env=%v", env)
 	}
 	// Built-in defaults still present
 	if seen["MOLECULE_URL"] == "" {
@@ -734,129 +750,6 @@ func TestBuildContainerEnv_CustomEnvVarsAppended(t *testing.T) {
 	}
 }
 
-// ---------- forensic #145: SCM-write-token denylist guard ----------
-
-// TestBuildContainerEnv_StripsSCMWriteTokens is the core negative
-// assertion: a tenant workspace env constructed via buildContainerEnv MUST
-// NOT contain any Git SCM *write* credential, regardless of how it got into
-// cfg.EnvVars. This proves the two-eyes review gate stays structurally
-// self-bypass-proof — an agent in-container has no merge/approve token to
-// act on a forged approval. See forensic #145.
-//
-// This test FAILS on the pre-guard code (where buildContainerEnv passed
-// cfg.EnvVars through verbatim) and PASSES once the denylist filter is in
-// place — i.e. the guard is proven by construction, not by environment
-// accident.
-func TestBuildContainerEnv_StripsSCMWriteTokens(t *testing.T) {
-	scmTokens := []string{
-		"GITEA_TOKEN", "GITHUB_TOKEN", "GH_TOKEN",
-		"GITLAB_TOKEN", "GL_TOKEN", "BITBUCKET_TOKEN",
-	}
-
-	t.Run("normal path — SCM tokens explicitly set in EnvVars", func(t *testing.T) {
-		envVars := map[string]string{"CUSTOM": "ok", "ANTHROPIC_API_KEY": "sk-keep"}
-		for _, k := range scmTokens {
-			envVars[k] = "leaked-write-credential-" + k
-		}
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-tenant",
-			PlatformURL: "http://localhost:8080",
-			Tier:        2,
-			EnvVars:     envVars,
-		}
-		assertNoSCMWriteToken(t, buildContainerEnv(cfg), scmTokens)
-
-		// Sanity: non-SCM custom env is NOT collateral-damaged by the filter.
-		if !envContains(buildContainerEnv(cfg), "CUSTOM=ok") {
-			t.Errorf("filter must not strip non-SCM custom env")
-		}
-		if !envContains(buildContainerEnv(cfg), "ANTHROPIC_API_KEY=sk-keep") {
-			t.Errorf("filter must not strip non-SCM API keys")
-		}
-	})
-
-	t.Run("persona-file path — simulates loadPersonaEnvFile merge", func(t *testing.T) {
-		// The latent path: handlers.loadPersonaEnvFile() merges a per-role
-		// persona env file (carrying GITEA_USER, GITEA_TOKEN, …) into the
-		// workspace env map when MOLECULE_PERSONA_ROOT is set on a tenant
-		// host. We can't invoke that cross-package helper here, but its
-		// observable effect is exactly "a GITEA_TOKEN appears in
-		// cfg.EnvVars". Constructing that condition directly proves the
-		// guard holds even if the latent path becomes reachable.
-		cfg := WorkspaceConfig{
-			WorkspaceID: "ws-tenant",
-			PlatformURL: "http://localhost:8080",
-			Tier:        2,
-			EnvVars: map[string]string{
-				// Persona identity fields that are SAFE to keep (read-only
-				// identity, not a write credential):
-				"GITEA_USER":       "backend-engineer",
-				"GITEA_USER_EMAIL": "backend-engineer@agents.moleculesai.app",
-				// The credential that must be stripped:
-				"GITEA_TOKEN":        "persona-merged-write-pat",
-				"GITEA_TOKEN_SCOPES": "write:repository",
-			},
-		}
-		got := buildContainerEnv(cfg)
-		assertNoSCMWriteToken(t, got, scmTokens)
-		// Non-credential persona identity may still flow through — only the
-		// write token is the denied surface.
-		if !envContains(got, "GITEA_USER=backend-engineer") {
-			t.Errorf("non-credential persona identity (GITEA_USER) should not be stripped")
-		}
-	})
-}
-
-// TestCPProvisionerEnv_StripsSCMWriteTokens covers the tenant-EC2 path:
-// CPProvisioner.Start builds the env map the control plane forwards to the
-// EC2 workspace container. The same forensic #145 denylist must hold there.
-func TestCPProvisionerEnv_StripsSCMWriteTokens(t *testing.T) {
-	// isSCMWriteTokenKey is the single source of truth shared by both
-	// buildContainerEnv (local Docker) and CPProvisioner.Start (tenant EC2).
-	// Assert it classifies every known SCM-write var as denied and leaves
-	// ordinary / read-only-identity vars alone.
-	for _, k := range []string{
-		"GITEA_TOKEN", "GITHUB_TOKEN", "GH_TOKEN",
-		"GITLAB_TOKEN", "GL_TOKEN", "BITBUCKET_TOKEN",
-	} {
-		if !isSCMWriteTokenKey(k) {
-			t.Errorf("isSCMWriteTokenKey(%q) = false, want true (SCM-write credential must be denied)", k)
-		}
-	}
-	for _, k := range []string{
-		"GITEA_USER", "GITEA_USER_EMAIL", "ANTHROPIC_API_KEY",
-		"CUSTOM", "PLATFORM_URL", "ADMIN_TOKEN", "",
-	} {
-		if isSCMWriteTokenKey(k) {
-			t.Errorf("isSCMWriteTokenKey(%q) = true, want false (must not over-strip non-SCM env)", k)
-		}
-	}
-}
-
-func assertNoSCMWriteToken(t *testing.T, env []string, scmTokens []string) {
-	t.Helper()
-	for _, e := range env {
-		key := e
-		if i := strings.IndexByte(e, '='); i >= 0 {
-			key = e[:i]
-		}
-		for _, banned := range scmTokens {
-			if key == banned {
-				t.Errorf("SCM-write credential %q leaked into workspace env (forensic #145 invariant violated): %q", banned, e)
-			}
-		}
-	}
-}
-
-func envContains(env []string, want string) bool {
-	for _, e := range env {
-		if e == want {
-			return true
-		}
-	}
-	return false
-}
-
 // ---------- buildWorkspaceMount — #65 workspace_access ----------
 
 func TestBuildWorkspaceMount_SelectionMatrix(t *testing.T) {
@@ -936,7 +829,7 @@ func TestIsImageNotFoundErr(t *testing.T) {
 		{"nil", nil, false},
 		{"moby no such image", fmtErr(`Error response from daemon: No such image: workspace-template:openclaw`), true},
 		{"no such image lowercase", fmtErr(`error: no such image: foo:bar`), true},
-		{"image not found", fmtErr(`Error: image "workspace-template:crewai" not found`), true},
+		{"image not found", fmtErr(`Error: image "workspace-template:hermes" not found`), true},
 		{"generic not found without image", fmtErr(`container not found`), false},
 		{"unrelated error", fmtErr(`connection refused`), false},
 		{"permission denied", fmtErr(`permission denied`), false},

workspace-server/internal/provisioner/registry.go

@@ -21,9 +21,6 @@ var knownRuntimes = []string{
 	"autogen",
 	"claude-code",
 	"codex",
-	"crewai",
-	"deepagents",
-	"gemini-cli",
 	"hermes",
 	"langgraph",
 	"openclaw",

workspace-server/internal/provisioner/registry_test.go

@@ -53,8 +53,8 @@ func TestRuntimeImage_AllKnownRuntimes(t *testing.T) {
 		}
 	}
 	// Pin the count so adding a runtime requires explicit test acknowledgement.
-	if len(knownRuntimes) != 9 {
-		t.Errorf("knownRuntimes length = %d, want 9 (autogen, claude-code, codex, crewai, deepagents, gemini-cli, hermes, langgraph, openclaw)", len(knownRuntimes))
+	if len(knownRuntimes) != 6 {
+		t.Errorf("knownRuntimes length = %d, want 6 (autogen, claude-code, codex, hermes, langgraph, openclaw)", len(knownRuntimes))
 	}
 }
 

workspace-server/internal/provisioner/token_ownership_test.go

@@ -0,0 +1,95 @@
+package provisioner
+
+import (
+	"archive/tar"
+	"errors"
+	"io"
+	"strings"
+	"testing"
+)
+
+// These tests pin the P0 fix for the fleet-wide list_peers 401 (Hermes and
+// every other template): the workspace-server token-injection paths wrote
+// /configs/.auth_token (and /configs/.platform_inbound_secret) as root:root
+// AFTER the template entrypoint's `chown -R agent:agent /configs` ran, so the
+// agent-uid (1000) MCP server (a2a_mcp_server, running via `gosu agent`) hit
+// `[Errno 13] Permission denied` reading the bearer → empty bearer → platform
+// 401 on /registry/{id}/peers (the literal tool_list_peers path).
+//
+// The agent uid is 1000:1000, verified from the templates:
+//   - workspace-configs-templates/claude-code-default/Dockerfile: `useradd -u 1000 ... agent`
+//   - workspace-configs-templates/hermes/Dockerfile:               `useradd -u 1000 ... agent`
+//   - workspace/entrypoint.sh / claude-code-default/entrypoint.sh:  `exec gosu agent` ("uid 1000")
+//
+// Both tests assert the real artifact (the tar headers Docker's CopyToContainer
+// honours for ownership, and the literal shell command the throwaway alpine
+// container runs), not a mock that bypasses ownership. They FAIL on pre-fix
+// code (no Uid/Gid in tar headers; no chown in the alpine command → root:root)
+// and PASS post-fix (agent-owned).
+
+// TestWriteFilesToContainerTar_FilesAreAgentOwned covers the issue #418
+// post-start re-injection path (WriteFilesToContainer): the tar it streams
+// into /configs via CopyToContainer must carry Uid/Gid = agent (1000) so the
+// extracted files land agent-readable, not root:root. This is the path that
+// (re)writes BOTH .auth_token and .platform_inbound_secret on a cadence.
+func TestWriteFilesToContainerTar_FilesAreAgentOwned(t *testing.T) {
+	files := map[string][]byte{
+		".auth_token":              []byte("tok-abc123"),
+		".platform_inbound_secret": []byte("inbound-secret-xyz"),
+		"nested/dir/file.txt":      []byte("data"),
+	}
+
+	buf, err := buildConfigFilesTar(files)
+	if err != nil {
+		t.Fatalf("buildConfigFilesTar: %v", err)
+	}
+
+	tr := tar.NewReader(buf)
+	seen := map[string]bool{}
+	for {
+		hdr, err := tr.Next()
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			t.Fatalf("read tar: %v", err)
+		}
+		if _, err := io.Copy(io.Discard, tr); err != nil {
+			t.Fatalf("drain %s: %v", hdr.Name, err)
+		}
+		seen[hdr.Name] = true
+		if hdr.Uid != AgentUID {
+			t.Fatalf("tar entry %q Uid = %d, want %d (agent) — root-owned injection causes the list_peers 401",
+				hdr.Name, hdr.Uid, AgentUID)
+		}
+		if hdr.Gid != AgentGID {
+			t.Fatalf("tar entry %q Gid = %d, want %d (agent)", hdr.Name, hdr.Gid, AgentGID)
+		}
+	}
+
+	for _, want := range []string{".auth_token", ".platform_inbound_secret"} {
+		if !seen[want] {
+			t.Fatalf("tar missing %q (seen: %v)", want, seen)
+		}
+	}
+}
+
+// TestWriteAuthTokenVolumeCmd_ChownsToAgent covers the issue #1877 pre-start
+// volume-write path (WriteAuthTokenToVolume): the throwaway alpine container
+// writes /vol/.auth_token then chmod 0600 but, pre-fix, never chowns it, so it
+// stays root:root (alpine runs the command as root). The literal command must
+// chown the file to the agent uid:gid so the agent-uid MCP server can read it.
+func TestWriteAuthTokenVolumeCmd_ChownsToAgent(t *testing.T) {
+	cmd := writeAuthTokenVolumeCmd()
+
+	if !strings.Contains(cmd, "chmod 0600 /vol/.auth_token") {
+		t.Fatalf("alpine cmd lost the 0600 chmod (regression): %q", cmd)
+	}
+
+	wantChown := "chown 1000:1000 /vol/.auth_token"
+	if !strings.Contains(cmd, wantChown) {
+		t.Fatalf("alpine cmd = %q, missing %q — without it .auth_token stays root:root "+
+			"and the agent-uid MCP server gets EACCES → empty bearer → list_peers 401",
+			cmd, wantChown)
+	}
+}

workspace-server/internal/secrets/patterns.go

@@ -1,226 +0,0 @@
-// Package secrets provides the canonical SSOT for credential-shaped
-// regex patterns used by:
-//
-//   - the CI `Secret scan` workflow (.gitea/workflows/secret-scan.yml)
-//   - the runtime's bundled pre-commit hook
-//     (molecule-ai-workspace-runtime/molecule_runtime/scripts/pre-commit-checks.sh)
-//   - the upcoming Phase 2b docker-exec Files API backend, which has
-//     to refuse to surface files whose path OR content matches a
-//     credential shape (RFC internal#425, Hongming 2026-05-15)
-//
-// Before this package, the same regex set lived as duplicate bash
-// arrays in two unrelated repos; adding a pattern required editing
-// both, and pattern drift was caught only via secret-scan workflow
-// failures on PRs that had unrelated changes (#2090-class incident
-// vector). Centralising in Go makes the Files API the SSOT, with the
-// YAML + bash arrays generated/asserted from this package so drift
-// is detected at CI time, not at exfiltration time.
-//
-// This file is Phase 2a of the internal#425 RFC. Phase 2b will import
-// `Patterns` from `template_files_docker_exec.go` to gate
-// `listFilesViaDockerExec` / `readFileViaDockerExec` against
-// secret-shaped paths AND content. Until 2b lands, the package has
-// one consumer: this package's own unit tests, which pin the regex
-// strings so a refactor that drops or weakens one is caught here.
-package secrets
-
-import (
-	"fmt"
-	"regexp"
-	"sync"
-)
-
-// Pattern is one named credential shape — a human label plus the
-// compiled regex. The label appears in CI error output ("matched:
-// github-pat") so an operator can identify the family without seeing
-// the actual matched bytes (echoing the bytes widens the blast radius
-// per the secret-scan workflow's recovery prose).
-type Pattern struct {
-	// Name is a short kebab-case identifier (e.g. "github-pat",
-	// "anthropic-api-key"). Stable across versions — consumers may
-	// switch on it.
-	Name string
-	// Description is a one-line human-readable explanation of what
-	// the pattern matches. Used in CI error messages and the Files
-	// API "<denied: secret-shape>" placeholder rationale.
-	Description string
-	// regexSource is the regex literal in Go-RE2 syntax. Stored as a
-	// string so the slice declaration below stays readable; compiled
-	// once via sync.Once into a *regexp.Regexp.
-	regexSource string
-}
-
-// Patterns is the canonical credential-shape regex set.
-//
-// Adding a pattern here:
-//
-//  1. Add a new Pattern{} entry below with a kebab-case Name, a
-//     one-line Description, and the regex literal. Anchor on a
-//     low-false-positive prefix.
-//  2. Add a positive + negative test case in patterns_test.go.
-//  3. Mirror the regex string into:
-//     a. .gitea/workflows/secret-scan.yml SECRET_PATTERNS array
-//     b. molecule-ai-workspace-runtime/molecule_runtime/scripts/pre-commit-checks.sh
-//     (or wait for the codegen target that consumes this slice — TBD
-//     follow-up; tracked in the Phase 2a PR description.)
-//
-// The order is: alphabetical within each provider family, families
-// grouped by ecosystem (GitHub family, AI-provider family, chat
-// family, cloud family). Keep this stable so diffs are reviewable.
-var Patterns = []Pattern{
-	// --- GitHub token family ---
-	{
-		Name:        "github-pat-classic",
-		Description: "GitHub personal access token (classic)",
-		regexSource: `ghp_[A-Za-z0-9]{36,}`,
-	},
-	{
-		Name:        "github-app-installation-token",
-		Description: "GitHub App installation token (#2090 vector)",
-		regexSource: `ghs_[A-Za-z0-9]{36,}`,
-	},
-	{
-		Name:        "github-oauth-user-to-server",
-		Description: "GitHub OAuth user-to-server token",
-		regexSource: `gho_[A-Za-z0-9]{36,}`,
-	},
-	{
-		Name:        "github-oauth-user",
-		Description: "GitHub OAuth user token",
-		regexSource: `ghu_[A-Za-z0-9]{36,}`,
-	},
-	{
-		Name:        "github-oauth-refresh",
-		Description: "GitHub OAuth refresh token",
-		regexSource: `ghr_[A-Za-z0-9]{36,}`,
-	},
-	{
-		Name:        "github-pat-fine-grained",
-		Description: "GitHub fine-grained personal access token",
-		regexSource: `github_pat_[A-Za-z0-9_]{82,}`,
-	},
-
-	// --- AI-provider API key family ---
-	{
-		Name:        "anthropic-api-key",
-		Description: "Anthropic API key",
-		regexSource: `sk-ant-[A-Za-z0-9_-]{40,}`,
-	},
-	{
-		Name:        "openai-project-key",
-		Description: "OpenAI project API key",
-		regexSource: `sk-proj-[A-Za-z0-9_-]{40,}`,
-	},
-	{
-		Name:        "openai-service-account-key",
-		Description: "OpenAI service-account API key",
-		regexSource: `sk-svcacct-[A-Za-z0-9_-]{40,}`,
-	},
-	{
-		Name:        "minimax-api-key",
-		Description: "MiniMax API key (F1088 vector)",
-		regexSource: `sk-cp-[A-Za-z0-9_-]{60,}`,
-	},
-
-	// --- Chat-platform token family ---
-	{
-		Name:        "slack-token",
-		Description: "Slack token (xoxb/xoxa/xoxp/xoxr/xoxs)",
-		regexSource: `xox[baprs]-[A-Za-z0-9-]{20,}`,
-	},
-
-	// --- Cloud-provider credential family ---
-	{
-		Name:        "aws-access-key-id",
-		Description: "AWS access key ID",
-		regexSource: `AKIA[0-9A-Z]{16}`,
-	},
-	{
-		Name:        "aws-sts-temp-access-key-id",
-		Description: "AWS STS temporary access key ID",
-		regexSource: `ASIA[0-9A-Z]{16}`,
-	},
-}
-
-// compiledOnce protects the lazy build of compiledPatterns. We compile
-// lazily so package init is cheap; callers pay only on first match
-// (typically once per workspace-server boot).
-var (
-	compiledOnce     sync.Once
-	compiledPatterns []*compiledPattern
-	compileErr       error
-)
-
-type compiledPattern struct {
-	Name        string
-	Description string
-	Re          *regexp.Regexp
-}
-
-// compileAll compiles every Pattern.regexSource into a *regexp.Regexp.
-// Called once via compiledOnce. Any compile failure here is a build
-// bug (the unit tests assert each regex compiles) — surfacing via
-// returned error so callers don't panic in request handling.
-func compileAll() {
-	out := make([]*compiledPattern, 0, len(Patterns))
-	for _, p := range Patterns {
-		re, err := regexp.Compile(p.regexSource)
-		if err != nil {
-			compileErr = fmt.Errorf("secrets: pattern %q failed to compile: %w", p.Name, err)
-			return
-		}
-		out = append(out, &compiledPattern{Name: p.Name, Description: p.Description, Re: re})
-	}
-	compiledPatterns = out
-}
-
-// ScanBytes returns a non-nil Match if any pattern matches anywhere
-// inside b. Returns (nil, nil) on no match. Returns (nil, err) only
-// if a regex in the package fails to compile — that's a build bug,
-// not a runtime data issue.
-//
-// Match contains the pattern Name + Description so the caller can
-// emit a path-or-content-denial rationale WITHOUT round-tripping the
-// matched bytes (which would defeat the purpose). The matched bytes
-// stay inside this function.
-//
-// The Files API Phase 2b backend will call ScanBytes on:
-//
-//   - the absolute path string (catches a file literally named
-//     `ghs_abc.txt`)
-//   - the file content (catches a credential pasted into a workspace
-//     file by an agent or user — the Files API refuses to surface it
-//     and the canvas renders "<denied: secret-shape>")
-//
-// Ordering: patterns are tried in declaration order. First match
-// wins. This means narrower patterns (e.g. `sk-svcacct-…`) should
-// appear in `Patterns` before broader ones (`sk-…`) — today there's
-// no overlap, so order is descriptive only.
-func ScanBytes(b []byte) (*Match, error) {
-	compiledOnce.Do(compileAll)
-	if compileErr != nil {
-		return nil, compileErr
-	}
-	for _, cp := range compiledPatterns {
-		if cp.Re.Match(b) {
-			return &Match{Name: cp.Name, Description: cp.Description}, nil
-		}
-	}
-	return nil, nil
-}
-
-// ScanString is the string-input convenience wrapper around ScanBytes.
-// Identical semantics — the body never copies, []byte(s) is a
-// zero-copy reinterpret for the regex matcher.
-func ScanString(s string) (*Match, error) {
-	return ScanBytes([]byte(s))
-}
-
-// Match describes which pattern caught a value. Deliberately does
-// NOT include the matched substring — callers must not echo it.
-type Match struct {
-	// Name is the pattern's kebab-case identifier (e.g. "github-pat-classic").
-	Name string
-	// Description is the human-readable line for UI / log surfaces.
-	Description string
-}

workspace-server/internal/secrets/patterns_test.go

@@ -1,189 +0,0 @@
-package secrets
-
-import (
-	"strings"
-	"testing"
-)
-
-// TestEveryPatternCompiles pins that every Pattern.regexSource is a
-// valid Go-RE2 expression. Without this, a bad regex would silently
-// disable ScanBytes for everything after it (the lazy compile would
-// set compileErr and ScanBytes would return that error every call).
-func TestEveryPatternCompiles(t *testing.T) {
-	for _, p := range Patterns {
-		if p.Name == "" {
-			t.Errorf("pattern with empty Name: regex=%q", p.regexSource)
-		}
-		if p.Description == "" {
-			t.Errorf("pattern %q has empty Description", p.Name)
-		}
-	}
-	// Force compile + check error.
-	if _, err := ScanBytes([]byte("placeholder")); err != nil {
-		t.Fatalf("ScanBytes init failed: %v", err)
-	}
-}
-
-// TestNoDuplicateNames — a duplicate pattern Name would make the
-// "first match wins" semantics surprising to readers and any caller
-// switching on Match.Name (none today but adding the guard is cheap).
-func TestNoDuplicateNames(t *testing.T) {
-	seen := map[string]bool{}
-	for _, p := range Patterns {
-		if seen[p.Name] {
-			t.Errorf("duplicate pattern Name: %q", p.Name)
-		}
-		seen[p.Name] = true
-	}
-}
-
-// TestKnownPatternsAllPresent — pins which specific Name values are
-// expected. A future refactor that renames or removes one without
-// updating consumers (CI workflow, runtime pre-commit hook, Files
-// API Phase 2b backend) would silently widen the leak surface.
-// Failing here forces the rename to be intentional.
-func TestKnownPatternsAllPresent(t *testing.T) {
-	expected := []string{
-		"github-pat-classic",
-		"github-app-installation-token",
-		"github-oauth-user-to-server",
-		"github-oauth-user",
-		"github-oauth-refresh",
-		"github-pat-fine-grained",
-		"anthropic-api-key",
-		"openai-project-key",
-		"openai-service-account-key",
-		"minimax-api-key",
-		"slack-token",
-		"aws-access-key-id",
-		"aws-sts-temp-access-key-id",
-	}
-	got := map[string]bool{}
-	for _, p := range Patterns {
-		got[p.Name] = true
-	}
-	for _, want := range expected {
-		if !got[want] {
-			t.Errorf("expected pattern %q missing from Patterns slice", want)
-		}
-	}
-}
-
-// TestPositiveMatches — for each pattern, supply a representative
-// shape and assert ScanBytes returns a Match with the right Name.
-// These are TEST FIXTURES, not real credentials — each is the
-// pattern's prefix + a long-enough trailing run of placeholder chars.
-// `EXAMPLE` is sprinkled in to make grep-finds in CI logs obviously
-// fake to a human reader (matches saved memory
-// feedback_assert_exact_not_substring: tighten by Name not body).
-func TestPositiveMatches(t *testing.T) {
-	cases := []struct {
-		fixture      string
-		expectedName string
-	}{
-		{"ghp_EXAMPLE111122223333444455556666777788889999", "github-pat-classic"},
-		{"ghs_EXAMPLE111122223333444455556666777788889999", "github-app-installation-token"},
-		{"gho_EXAMPLE111122223333444455556666777788889999", "github-oauth-user-to-server"},
-		{"ghu_EXAMPLE111122223333444455556666777788889999", "github-oauth-user"},
-		{"ghr_EXAMPLE111122223333444455556666777788889999", "github-oauth-refresh"},
-		{"github_pat_EXAMPLE" + strings.Repeat("1", 80), "github-pat-fine-grained"},
-		{"sk-ant-EXAMPLE" + strings.Repeat("1", 40), "anthropic-api-key"},
-		{"sk-proj-EXAMPLE" + strings.Repeat("1", 40), "openai-project-key"},
-		{"sk-svcacct-EXAMPLE" + strings.Repeat("1", 40), "openai-service-account-key"},
-		{"sk-cp-EXAMPLE" + strings.Repeat("1", 60), "minimax-api-key"},
-		{"xoxb-" + strings.Repeat("a", 25), "slack-token"},
-		{"xoxa-" + strings.Repeat("a", 25), "slack-token"},
-		// AWS regex requires [0-9A-Z]{16} — uppercase + digits only.
-		{"AKIA1234567890ABCDEF", "aws-access-key-id"},
-		{"ASIA1234567890ABCDEF", "aws-sts-temp-access-key-id"},
-	}
-	for _, tc := range cases {
-		t.Run(tc.expectedName, func(t *testing.T) {
-			m, err := ScanBytes([]byte(tc.fixture))
-			if err != nil {
-				t.Fatalf("ScanBytes(%q) errored: %v", tc.fixture, err)
-			}
-			if m == nil {
-				t.Fatalf("ScanBytes(%q) returned no match — expected %q", tc.fixture, tc.expectedName)
-			}
-			if m.Name != tc.expectedName {
-				t.Errorf("ScanBytes(%q) matched %q; expected %q", tc.fixture, m.Name, tc.expectedName)
-			}
-		})
-	}
-}
-
-// TestNegativeShapes — strings that look credential-adjacent but
-// shouldn't match (too short, wrong prefix, missing trailing bytes).
-// Failing here means a pattern is too loose, which would generate
-// false-positive denial in Files API and false-positive workflow
-// failures in CI.
-func TestNegativeShapes(t *testing.T) {
-	cases := []string{
-		// Too-short variants — anchored on the length suffix.
-		"ghp_tooshort",
-		"ghs_alsoshort1234",
-		"github_pat_short",
-		"sk-ant-short",
-		"sk-cp-not-enough-bytes-here",
-		// Looks like one of the prefixes but isn't (different letter).
-		"gha_EXAMPLE_thirty_six_or_more_chars_here_xxx",
-		// Slack family — wrong letter after xox.
-		"xoxz-aaaaaaaaaaaaaaaaaaaaaaaaa",
-		// AWS-shaped but wrong length suffix.
-		"AKIATOOSHORT",
-		// Empty / whitespace.
-		"",
-		"   ",
-		// Plain prose mentioning the prefix as part of a longer word.
-		"see also `ghp_HOWTO.md` in the repo",
-	}
-	for _, c := range cases {
-		t.Run(c, func(t *testing.T) {
-			m, err := ScanBytes([]byte(c))
-			if err != nil {
-				t.Fatalf("ScanBytes(%q) errored: %v", c, err)
-			}
-			if m != nil {
-				t.Errorf("ScanBytes(%q) unexpectedly matched %q", c, m.Name)
-			}
-		})
-	}
-}
-
-// TestScanString_NoOp — sanity-check ScanString is the zero-copy
-// wrapper around ScanBytes. Without this, a future refactor that
-// makes ScanString do its own thing (e.g. accidentally normalise
-// case) would diverge silently.
-func TestScanString_NoOp(t *testing.T) {
-	in := "ghp_EXAMPLE111122223333444455556666777788889999"
-	m1, err1 := ScanBytes([]byte(in))
-	if err1 != nil {
-		t.Fatalf("ScanBytes errored: %v", err1)
-	}
-	m2, err2 := ScanString(in)
-	if err2 != nil {
-		t.Fatalf("ScanString errored: %v", err2)
-	}
-	if m1 == nil || m2 == nil {
-		t.Fatalf("expected matches; got bytes=%+v string=%+v", m1, m2)
-	}
-	if m1.Name != m2.Name {
-		t.Errorf("ScanString and ScanBytes returned different Names: %q vs %q", m1.Name, m2.Name)
-	}
-}
-
-// TestMatch_NoRoundtrip — assert the Match struct does NOT include
-// the matched substring as a field. Adding such a field would
-// regress the "matched bytes never leave ScanBytes" invariant that
-// makes this package safe to call from log/UI surfaces. This is a
-// reflection-light contract test — checks the field names statically.
-func TestMatch_NoRoundtrip(t *testing.T) {
-	var m Match
-	// If someone adds a `Matched string` (or similar) field, this
-	// test reads as the canonical place to update + reconsider.
-	_ = m.Name
-	_ = m.Description
-	// The two-field shape is part of the public contract; new fields
-	// require deliberation about whether they leak the secret value.
-}

workspace/a2a_mcp_server.py

@@ -35,14 +35,12 @@ from a2a_tools import (
     tool_commit_memory,
     tool_delegate_task,
     tool_delegate_task_async,
-    tool_get_runtime_identity,
     tool_get_workspace_info,
     tool_inbox_peek,
     tool_inbox_pop,
     tool_list_peers,
     tool_recall_memory,
     tool_send_message_to_user,
-    tool_update_agent_card,
     tool_wait_for_message,
 )
 from platform_tools.registry import TOOLS as _PLATFORM_TOOL_SPECS
@@ -132,10 +130,6 @@ async def handle_tool_call(name: str, arguments: dict) -> str:
         return await tool_get_workspace_info(
             source_workspace_id=arguments.get("source_workspace_id") or None,
         )
-    elif name == "get_runtime_identity":
-        return await tool_get_runtime_identity()
-    elif name == "update_agent_card":
-        return await tool_update_agent_card(arguments.get("card"))
     elif name == "commit_memory":
         return await tool_commit_memory(
             arguments.get("content", ""),

workspace/a2a_tools.py

@@ -167,15 +167,3 @@ from a2a_tools_inbox import (  # noqa: E402  (import after the top-of-module imp
     tool_inbox_pop,
     tool_wait_for_message,
 )
-
-
-# Identity tool handlers — extracted to a2a_tools_identity. Ports the
-# two T4-tier MCP tools (``tool_get_runtime_identity`` +
-# ``tool_update_agent_card``) from molecule-ai-workspace-runtime PR#17.
-# That repo is mirror-only (reference_runtime_repo_is_mirror_only);
-# this is the canonical edit point, and the wheel mirror is
-# regenerated by publish-runtime.yml on merge.
-from a2a_tools_identity import (  # noqa: E402  (import after the top-of-module imports)
-    tool_get_runtime_identity,
-    tool_update_agent_card,
-)

workspace/a2a_tools_identity.py

@@ -1,187 +0,0 @@
-"""Identity tool handlers — single-concern slice of the a2a_tools surface.
-
-Owns the two MCP tools that close the T4-tier workspace owner-permission
-gaps reported via the canvas:
-
-  * ``tool_get_runtime_identity`` — env-only; returns model, model_provider,
-    molecule_model, anthropic_base_url, tier, workspace_id, runtime
-    (ADAPTER_MODULE). No HTTP call. Always permitted by RBAC — even
-    read-only agents may know what model they are.
-
-  * ``tool_update_agent_card`` — POSTs the card to ``/registry/update-card``
-    with the workspace's own bearer (same auth path as ``tool_commit_memory``
-    via ``a2a_tools_rbac.auth_headers_for_heartbeat``). The platform
-    replaces the stored card and broadcasts an ``agent_card_updated``
-    event so the canvas reflects the new card live. Gated on
-    ``memory.write`` capability via the existing RBAC permission map so
-    read-only roles can't silently rewrite the platform card.
-
-Both originated as a port of molecule-ai-workspace-runtime PR#17
-(``feat(mcp): add update_agent_card + get_runtime_identity tools``).
-The mirror-only PR#17 was closed without merge per
-``reference_runtime_repo_is_mirror_only``; the canonical edit point is
-this monorepo at ``workspace/`` and the wheel mirror is regenerated
-automatically by the publish-runtime workflow.
-
-Imports the auth-header primitive from ``a2a_tools_rbac`` (iter 4a) —
-NOT from ``a2a_tools`` — to avoid a circular import with the
-kitchen-sink re-export module.
-"""
-from __future__ import annotations
-
-import json
-import os
-from typing import Any
-
-import httpx
-
-from a2a_client import PLATFORM_URL
-from a2a_tools_rbac import (
-    auth_headers_for_heartbeat as _auth_headers_for_heartbeat,
-    check_memory_write_permission as _check_memory_write_permission,
-)
-
-
-def _runtime_identity_payload() -> dict[str, Any]:
-    """Build the identity dict — env-only, no I/O.
-
-    Factored out from ``tool_get_runtime_identity`` so tests can assert
-    against the exact key set without re-parsing JSON. The MCP tool
-    handler ``tool_get_runtime_identity`` is the only public caller in
-    production; tests call this helper directly.
-    """
-    return {
-        "model": os.environ.get("MODEL", ""),
-        "model_provider": os.environ.get("MODEL_PROVIDER", ""),
-        "molecule_model": os.environ.get("MOLECULE_MODEL", ""),
-        "anthropic_base_url": os.environ.get("ANTHROPIC_BASE_URL", ""),
-        "tier": os.environ.get("TIER", ""),
-        "workspace_id": os.environ.get("WORKSPACE_ID", ""),
-        # Adapter module is the closest thing the runtime has to a
-        # "template slug" — e.g. "adapter" for claude-code-default,
-        # "hermes" for hermes-template, etc. Picked from
-        # $ADAPTER_MODULE env baked by each template's Dockerfile.
-        "runtime": os.environ.get("ADAPTER_MODULE", ""),
-    }
-
-
-async def tool_get_runtime_identity() -> str:
-    """Return this runtime's identity — model, provider, tier, IDs.
-
-    Env-only; no HTTP call. Useful so the agent can answer "what model
-    am I?" correctly instead of guessing from a stale system prompt
-    that the operator may have changed between boots.
-
-    Returns the identity as a JSON-encoded string (the dispatch contract
-    every MCP tool in this module follows). Tests that want to assert
-    individual fields can call ``_runtime_identity_payload()`` directly,
-    or ``json.loads`` the return value.
-
-    Always permitted by RBAC — there is no sensitive information here
-    that isn't already available to the process via ``os.environ``.
-    The point of the tool is to surface those env values to the agent
-    layer in a stable, documented shape rather than expecting every
-    agent runtime to know to ``echo $MODEL``.
-    """
-    return json.dumps(_runtime_identity_payload(), indent=2)
-
-
-async def tool_update_agent_card(card: Any) -> str:
-    """Update this workspace's agent_card on the platform.
-
-    POSTs the provided card to ``/registry/update-card`` with the
-    workspace's own bearer token (same auth path as ``tool_commit_memory``
-    and ``tool_get_workspace_info``). The platform validates required
-    fields server-side, replaces the stored card, and broadcasts an
-    ``agent_card_updated`` event so the canvas updates live.
-
-    Args:
-        card: A JSON-serialisable object (typically a dict) holding the
-            new card. The platform validates required fields server-side.
-
-    Returns:
-        JSON-encoded string. Body:
-          - ``{"success": true, "status": "updated"}`` on success;
-          - ``{"success": false, "error": "<msg>", "status_code": <int>}``
-            on platform error;
-          - ``{"success": false, "error": "<reason>"}`` on local validation
-            (non-dict card, missing WORKSPACE_ID, network error).
-
-    Permission gate: this tool requires the ``memory.write`` RBAC
-    capability — same gate as ``tool_commit_memory``. The check runs
-    inline rather than at the dispatcher layer to keep ``a2a_mcp_server``
-    permission-agnostic (the gate sits with the implementation, not the
-    transport). Read-only roles get a clear error string back instead
-    of a 403 from the platform.
-
-    We re-check ``isinstance(card, dict)`` here defensively rather than
-    trust the MCP schema validator alone — the schema only constrains
-    the transport, not the in-process call surface used by tests and
-    sibling modules.
-    """
-    payload = await _update_agent_card_impl(card)
-    return json.dumps(payload, indent=2)
-
-
-async def _update_agent_card_impl(card: Any) -> dict[str, Any]:
-    """Dict-returning core of ``tool_update_agent_card``.
-
-    Split out so tests can assert against the raw dict shape (status
-    codes, error messages) without re-parsing JSON on every assertion.
-    The string-returning ``tool_update_agent_card`` is a thin wrapper
-    invoked by the MCP dispatcher.
-    """
-    # RBAC: require memory.write permission. Same gate as
-    # tool_commit_memory (the agent already needs this capability to
-    # persist anything outbound). Read-only roles can still call
-    # get_runtime_identity / get_workspace_info to introspect — those
-    # are env-only / read-only and have no inline gate.
-    if not _check_memory_write_permission():
-        return {
-            "success": False,
-            "error": (
-                "RBAC — this workspace does not have the 'memory.write' "
-                "permission required to update the agent_card."
-            ),
-        }
-    if not isinstance(card, dict):
-        return {
-            "success": False,
-            "error": "card must be a JSON object (dict)",
-        }
-    ws_id = os.environ.get("WORKSPACE_ID", "")
-    if not ws_id:
-        return {
-            "success": False,
-            "error": "WORKSPACE_ID env not set; cannot identify caller",
-        }
-    try:
-        async with httpx.AsyncClient(timeout=10.0) as client:
-            resp = await client.post(
-                f"{PLATFORM_URL}/registry/update-card",
-                json={"workspace_id": ws_id, "agent_card": card},
-                headers=_auth_headers_for_heartbeat(),
-            )
-            if resp.status_code == 200:
-                body: dict[str, Any] = {}
-                try:
-                    body = resp.json()
-                except Exception:
-                    pass
-                return {
-                    "success": True,
-                    "status": body.get("status", "updated"),
-                }
-            # Non-200 — surface what the platform returned.
-            error_msg = ""
-            try:
-                error_msg = resp.json().get("error", "") or resp.text
-            except Exception:
-                error_msg = resp.text
-            return {
-                "success": False,
-                "status_code": resp.status_code,
-                "error": error_msg,
-            }
-    except Exception as e:
-        return {"success": False, "error": f"network error: {e}"}

workspace/executor_helpers.py

@@ -340,16 +340,6 @@ _CLI_A2A_COMMAND_KEYWORDS: dict[str, str | None] = {
     "delegate_task_async": "delegate --async",
     "check_task_status": "status",
     "get_workspace_info": "info",
-    # `get_runtime_identity` + `update_agent_card` are MCP-first
-    # capabilities — the CLI subprocess interface doesn't expose them
-    # today. `get_runtime_identity` is env-only and an agent on a
-    # CLI-only runtime can already `echo $MODEL` etc, so there's no
-    # functional gap. `update_agent_card` requires a JSON object
-    # argument that wouldn't survive a positional-arg shell invocation
-    # cleanly. Mapped to None — flip to a keyword if a2a_cli grows
-    # `identity` / `card` subcommands in the future.
-    "get_runtime_identity": None,
-    "update_agent_card": None,
     # `broadcast_message` is not exposed via the CLI subprocess interface
     # today — it's an MCP-first capability. If a2a_cli grows a `broadcast`
     # subcommand, map it here and the alignment test will gate the change.

workspace/inbox.py

@@ -431,6 +431,43 @@ def _is_self_notify_row(row: dict[str, Any]) -> bool:
     return source_id is None or source_id == ""
 
 
+def _is_self_echo_row(row: dict[str, Any], workspace_id: str) -> bool:
+    """Return True if ``row`` is a self-originated a2a_receive row.
+
+    Internal #469: when a workspace delegates to a target that never picks
+    up the task, ``tool_delegate_task`` calls ``report_activity`` which
+    POSTs to the platform with source_id set to the *sender's* workspace
+    UUID (mandated by spoof-defense in workspace-server's a2a_proxy). The
+    activity API exposes that row under type=a2a_receive, so the inbox
+    poller re-fetches it. Without this guard the row is surfaced as
+    kind='peer_agent' with the workspace's own identity as peer_id —
+    the workspace sees its own delegation-failure echoed back as if a
+    peer had delegated to it.
+
+    The guard mirrors the existing _is_self_notify_row pattern: both
+    skip rows that would otherwise create spurious inbound signal. The
+    long-term fix (making the platform write a distinct activity_type
+    for agent-outbound rows) is tracked separately; this guard stays
+    because it only excludes rows the agent never wants.
+
+    ``workspace_id`` must be non-empty — an empty-string workspace_id
+    (single-workspace legacy path) can never match a UUID source_id, so
+    the predicate is always False there, which is safe.
+
+    RFC #2829 PR-2 note: rows with method="delegate_result" are excluded
+    from the self-echo guard even when source_id matches our workspace_id.
+    The platform may write a delegation-result row with source_id set to
+    our workspace_id (e.g. a self-delegation or edge case in the platform's
+    result-writing path). Such rows must reach the inbox so that
+    message_from_activity can surface them as peer_agent inbound and the
+    runtime receives the delegation result. Silently filtering them as
+    self-echo would break delegation result delivery.
+    """
+    if not workspace_id:
+        return False
+    return row.get("source_id") == workspace_id and row.get("method") != "delegate_result"
+
+
 def message_from_activity(row: dict[str, Any]) -> InboxMessage:
     """Convert one /activity row into an InboxMessage.
 
@@ -623,6 +660,16 @@ def _poll_once(
             # the same self-notify on every iteration.
             last_id = str(row.get("id", "")) or last_id
             continue
+        if _is_self_echo_row(row, workspace_id):
+            # Internal #469: tool_delegate_task writes its own a2a_receive
+            # row with source_id = this workspace's UUID (spoof-defense).
+            # The poll fetches it back as kind='peer_agent', making the
+            # workspace echo its own delegation-failure as an inbound from
+            # a phantom peer. Skip it — the real delegation-result path
+            # (delegate_result push) is separate and unaffected. Cursor
+            # still advances so the next poll doesn't re-seen this row.
+            last_id = str(row.get("id", "")) or last_id
+            continue
         message = message_from_activity(row)
         if not message.activity_id:
             continue

workspace/platform_tools/registry.py

@@ -57,14 +57,12 @@ from a2a_tools import (
     tool_commit_memory,
     tool_delegate_task,
     tool_delegate_task_async,
-    tool_get_runtime_identity,
     tool_get_workspace_info,
     tool_inbox_peek,
     tool_inbox_pop,
     tool_list_peers,
     tool_recall_memory,
     tool_send_message_to_user,
-    tool_update_agent_card,
     tool_wait_for_message,
 )
 
@@ -291,61 +289,6 @@ _GET_WORKSPACE_INFO = ToolSpec(
     section=A2A_SECTION,
 )
 
-_GET_RUNTIME_IDENTITY = ToolSpec(
-    name="get_runtime_identity",
-    short=(
-        "Return this runtime's identity — model, model_provider, tier, "
-        "workspace_id, runtime template. Reads from process env; no HTTP call."
-    ),
-    when_to_use=(
-        "Use this to answer 'what model am I?' truthfully instead of "
-        "guessing from a stale system prompt — the operator may have "
-        "routed you to a different model via persona env between boots. "
-        "Always permitted by RBAC: even read-only agents may know what "
-        "model they are. Distinct from get_workspace_info — that one "
-        "calls the platform for ID/role/tier/parent (workspace metadata); "
-        "this one returns the live process env (MODEL, MODEL_PROVIDER, "
-        "MOLECULE_MODEL, ANTHROPIC_BASE_URL, TIER, WORKSPACE_ID, "
-        "ADAPTER_MODULE)."
-    ),
-    input_schema={"type": "object", "properties": {}},
-    impl=tool_get_runtime_identity,
-    section=A2A_SECTION,
-)
-
-_UPDATE_AGENT_CARD = ToolSpec(
-    name="update_agent_card",
-    short=(
-        "Replace this workspace's agent_card on the platform. The "
-        "platform validates required fields and broadcasts an "
-        "agent_card_updated event so the canvas reflects the change live."
-    ),
-    when_to_use=(
-        "Use when the workspace's capabilities, skills, description, or "
-        "name change and the canvas display needs to follow. The "
-        "platform stores the new card and pushes an "
-        "``agent_card_updated`` event to subscribers. Gated behind the "
-        "``memory.write`` RBAC capability — read-only roles cannot "
-        "rewrite the card. Tier-1+ owners always have this capability."
-    ),
-    input_schema={
-        "type": "object",
-        "properties": {
-            "card": {
-                "type": "object",
-                "description": (
-                    "The new agent_card object (name, version, "
-                    "description, skills, etc). Server-side validation "
-                    "rejects payloads missing required fields."
-                ),
-            },
-        },
-        "required": ["card"],
-    },
-    impl=tool_update_agent_card,
-    section=A2A_SECTION,
-)
-
 _BROADCAST_MESSAGE = ToolSpec(
     name="broadcast_message",
     short=(
@@ -699,8 +642,6 @@ TOOLS: list[ToolSpec] = [
     _CHECK_TASK_STATUS,
     _LIST_PEERS,
     _GET_WORKSPACE_INFO,
-    _GET_RUNTIME_IDENTITY,
-    _UPDATE_AGENT_CARD,
     _BROADCAST_MESSAGE,
     _SEND_MESSAGE_TO_USER,
     # Inbox (standalone-only; in-container returns informational error)

workspace/tests/snapshots/a2a_instructions_mcp.txt

@@ -5,8 +5,6 @@
 - **check_task_status**: Poll the status of a task started with delegate_task_async; returns result when done.
 - **list_peers**: List the workspaces this agent can communicate with — name, ID, status, role for each.
 - **get_workspace_info**: Get this workspace's own info — ID, name, role, tier, parent, status.
-- **get_runtime_identity**: Return this runtime's identity — model, model_provider, tier, workspace_id, runtime template. Reads from process env; no HTTP call.
-- **update_agent_card**: Replace this workspace's agent_card on the platform. The platform validates required fields and broadcasts an agent_card_updated event so the canvas reflects the change live.
 - **broadcast_message**: Send a message to ALL agent workspaces in the org simultaneously. Requires broadcast_enabled=true on this workspace (set by user/admin).
 - **send_message_to_user**: Send a message directly to the user's canvas chat — pushed instantly via WebSocket. Use this to: (1) acknowledge a task immediately ('Got it, I'll start working on this'), (2) send interim progress updates while doing long work, (3) deliver follow-up results after delegation completes, (4) attach files (zip, pdf, csv, image) for the user to download via the `attachments` field (NEVER paste file URLs in `message`). The message appears in the user's chat as if you're proactively reaching out.
 - **wait_for_message**: Block until the next inbound message (canvas user OR peer agent) arrives, or until ``timeout_secs`` elapses.
@@ -29,12 +27,6 @@ Call this first when you need to delegate but don't know the target's ID. Access
 ### get_workspace_info
 Use to introspect your own identity (e.g. before reporting back to the user, or to determine whether you're a tier-0 root that can write GLOBAL memory).
 
-### get_runtime_identity
-Use this to answer 'what model am I?' truthfully instead of guessing from a stale system prompt — the operator may have routed you to a different model via persona env between boots. Always permitted by RBAC: even read-only agents may know what model they are. Distinct from get_workspace_info — that one calls the platform for ID/role/tier/parent (workspace metadata); this one returns the live process env (MODEL, MODEL_PROVIDER, MOLECULE_MODEL, ANTHROPIC_BASE_URL, TIER, WORKSPACE_ID, ADAPTER_MODULE).
-
-### update_agent_card
-Use when the workspace's capabilities, skills, description, or name change and the canvas display needs to follow. The platform stores the new card and pushes an ``agent_card_updated`` event to subscribers. Gated behind the ``memory.write`` RBAC capability — read-only roles cannot rewrite the card. Tier-1+ owners always have this capability.
-
 ### broadcast_message
 Use for urgent, org-wide signals: critical status changes, emergency stop instructions, coordinated task announcements. Every non-removed workspace receives the message in its activity log (poll-mode agents see it on their next poll; push-mode canvases get a real-time banner). This tool returns an error if broadcast_enabled is false — a user or admin must enable it via the workspace abilities settings first.
 

workspace/tests/test_a2a_tools_identity.py

@@ -1,390 +0,0 @@
-"""Tests for ``tool_get_runtime_identity`` and ``tool_update_agent_card``.
-
-These two MCP tools close the T4-tier workspace owner-permission gaps
-reported via the canvas:
-
-  - the agent could not update its own ``agent_card`` (no MCP tool
-    wrapped the existing ``POST /registry/update-card`` endpoint);
-  - the agent could not identify which model it was running (the
-    ``MODEL`` env var is injected by ``provisioner.workspace_provision``
-    but nothing surfaced it back to the agent).
-
-Ported from molecule-ai-workspace-runtime PR#17 (mirror-only repo;
-canonical edit point per ``reference_runtime_repo_is_mirror_only``).
-Adapted to core's conventions:
-
-  * tool functions return ``str`` (JSON-encoded), matching every other
-    tool in ``a2a_tools_*`` modules. Tests ``json.loads`` to inspect.
-  * permission check ``memory.write`` runs inline in
-    ``tool_update_agent_card`` (same pattern as
-    ``a2a_tools_memory.tool_commit_memory``).
-  * ``WORKSPACE_ID`` is read directly from ``os.environ`` — core does
-    not have the runtime's validated-cache layer (``molecule_runtime.
-    builtin_tools.validation``).
-"""
-from __future__ import annotations
-
-import json
-
-import pytest
-
-
-# --- Drift gate: re-export aliases on a2a_tools ------------------------------
-
-class TestBackCompatAliases:
-    """Pin that ``a2a_tools.tool_*`` resolves to the same callable as
-    ``a2a_tools_identity.tool_*``. Refactor wrapping (e.g. a doc-string
-    wrapper that loses the function identity) silently breaks call
-    sites that ``patch("a2a_tools.tool_update_agent_card", ...)`` —
-    this gate makes that drift fail fast."""
-
-    def test_tool_get_runtime_identity_alias(self):
-        import a2a_tools
-        import a2a_tools_identity
-        assert a2a_tools.tool_get_runtime_identity is a2a_tools_identity.tool_get_runtime_identity
-
-    def test_tool_update_agent_card_alias(self):
-        import a2a_tools
-        import a2a_tools_identity
-        assert a2a_tools.tool_update_agent_card is a2a_tools_identity.tool_update_agent_card
-
-
-# --- tool_get_runtime_identity ----------------------------------------------
-
-class TestGetRuntimeIdentity:
-    """The tool returns env-derived runtime identity. No HTTP call."""
-
-    @pytest.mark.asyncio
-    async def test_returns_all_known_env_fields(self, monkeypatch):
-        from a2a_tools_identity import tool_get_runtime_identity
-
-        monkeypatch.setenv("MODEL", "claude-opus-4-7")
-        monkeypatch.setenv("MODEL_PROVIDER", "anthropic")
-        monkeypatch.setenv("TIER", "T4")
-        monkeypatch.setenv("WORKSPACE_ID", "ws-abc")
-        monkeypatch.setenv("ADAPTER_MODULE", "adapter")
-        monkeypatch.setenv("MOLECULE_MODEL", "claude-opus-4-7")
-        monkeypatch.setenv("ANTHROPIC_BASE_URL", "https://api.anthropic.com")
-
-        out = await tool_get_runtime_identity()
-        # MCP tools return JSON-encoded strings (matches the contract
-        # every other tool_* in a2a_tools_* uses).
-        assert isinstance(out, str)
-        parsed = json.loads(out)
-
-        assert parsed["model"] == "claude-opus-4-7"
-        assert parsed["model_provider"] == "anthropic"
-        assert parsed["tier"] == "T4"
-        assert parsed["workspace_id"] == "ws-abc"
-        assert parsed["runtime"] == "adapter"
-        assert parsed["molecule_model"] == "claude-opus-4-7"
-        assert parsed["anthropic_base_url"] == "https://api.anthropic.com"
-
-    @pytest.mark.asyncio
-    async def test_missing_env_returns_empty_strings(self, monkeypatch):
-        """Tool MUST NOT raise when env vars are absent — every key is
-        present but the value is the empty string. The agent then knows
-        the slot exists but is unset."""
-        from a2a_tools_identity import tool_get_runtime_identity
-
-        for var in (
-            "MODEL", "MODEL_PROVIDER", "TIER", "WORKSPACE_ID",
-            "ADAPTER_MODULE", "MOLECULE_MODEL", "ANTHROPIC_BASE_URL",
-        ):
-            monkeypatch.delenv(var, raising=False)
-
-        parsed = json.loads(await tool_get_runtime_identity())
-        assert parsed["model"] == ""
-        assert parsed["model_provider"] == ""
-        assert parsed["tier"] == ""
-        assert parsed["workspace_id"] == ""
-        assert parsed["runtime"] == ""
-        assert parsed["molecule_model"] == ""
-        assert parsed["anthropic_base_url"] == ""
-
-    @pytest.mark.asyncio
-    async def test_no_http_call_made(self, monkeypatch):
-        """``get_runtime_identity`` is env-only — must not open
-        httpx.AsyncClient even if the call would otherwise succeed.
-        Tripwire any client construction."""
-        import httpx
-
-        from a2a_tools_identity import tool_get_runtime_identity
-
-        class _Tripwire:
-            def __init__(self, *_a, **_kw):
-                raise AssertionError(
-                    "tool_get_runtime_identity must not open httpx.AsyncClient"
-                )
-
-        monkeypatch.setattr(httpx, "AsyncClient", _Tripwire)
-        # Must not raise.
-        await tool_get_runtime_identity()
-
-    @pytest.mark.asyncio
-    async def test_helper_dict_matches_string_payload(self, monkeypatch):
-        """``_runtime_identity_payload`` is the dict-returning helper
-        used by both the public tool and tests. Verify the public tool
-        json.dumps the same dict — no field is dropped or renamed by
-        the encoding step."""
-        from a2a_tools_identity import (
-            _runtime_identity_payload,
-            tool_get_runtime_identity,
-        )
-
-        monkeypatch.setenv("MODEL", "claude-opus-4-7")
-        monkeypatch.setenv("TIER", "T4")
-        monkeypatch.setenv("WORKSPACE_ID", "ws-helper-check")
-
-        helper = _runtime_identity_payload()
-        tool_str = await tool_get_runtime_identity()
-        assert json.loads(tool_str) == helper
-
-
-# --- tool_update_agent_card -------------------------------------------------
-
-
-class _MockResponse:
-    def __init__(self, status_code: int, payload: dict):
-        self.status_code = status_code
-        self._payload = payload
-        self.text = json.dumps(payload)
-
-    def json(self):
-        return self._payload
-
-
-class _MockClient:
-    """Drop-in for httpx.AsyncClient context manager.
-
-    Records the URL + json body + headers the tool POSTed so the test
-    can assert against them. Returns the canned _MockResponse passed
-    in at construction time.
-    """
-
-    def __init__(self, *, response: _MockResponse, captured: dict):
-        self._response = response
-        self._captured = captured
-
-    async def __aenter__(self):
-        return self
-
-    async def __aexit__(self, *_args):
-        return False
-
-    async def post(self, url, *, json=None, headers=None, **_kw):  # noqa: A002
-        self._captured["url"] = url
-        self._captured["json"] = json
-        self._captured["headers"] = headers
-        return self._response
-
-
-@pytest.fixture
-def _grant_memory_write(monkeypatch):
-    """Force the inline RBAC gate inside ``tool_update_agent_card`` to
-    succeed. The gate calls
-    ``a2a_tools_rbac.check_memory_write_permission`` which inspects
-    ``$MOLECULE_ROLES`` / the role table; the patch sidesteps that
-    machinery so tests can focus on the platform-call shape.
-    """
-    import a2a_tools_identity
-    monkeypatch.setattr(
-        a2a_tools_identity, "_check_memory_write_permission", lambda: True
-    )
-
-
-class TestUpdateAgentCard:
-    @pytest.mark.asyncio
-    async def test_posts_to_registry_update_card(
-        self, monkeypatch, _grant_memory_write,
-    ):
-        """Hits POST {PLATFORM_URL}/registry/update-card with the
-        workspace bearer and the {workspace_id, agent_card} body shape
-        the platform handler expects (workspace-server
-        ``internal/handlers/registry.go``)."""
-        import a2a_tools_identity
-
-        monkeypatch.setenv("WORKSPACE_ID", "ws-42")
-        # Ensure PLATFORM_URL re-import sees a deterministic value —
-        # a2a_client imports it at module load so we patch the symbol
-        # on a2a_tools_identity directly (the module's own reference).
-        monkeypatch.setattr(a2a_tools_identity, "PLATFORM_URL", "http://test.invalid")
-
-        captured: dict = {}
-        response = _MockResponse(200, {"status": "updated"})
-
-        def _client_factory(*_a, **_kw):
-            return _MockClient(response=response, captured=captured)
-
-        monkeypatch.setattr(a2a_tools_identity.httpx, "AsyncClient", _client_factory)
-        monkeypatch.setattr(
-            a2a_tools_identity, "_auth_headers_for_heartbeat",
-            lambda: {"Authorization": "Bearer ws-token-xyz"},
-        )
-
-        card = {"name": "agent-foo", "version": "0.1.0", "description": "demo"}
-        result_str = await a2a_tools_identity.tool_update_agent_card(card)
-        result = json.loads(result_str)
-
-        # URL: PLATFORM_URL + /registry/update-card
-        assert captured["url"] == "http://test.invalid/registry/update-card"
-
-        # The platform handler expects {workspace_id, agent_card}; the
-        # agent_card is the raw object the agent submitted.
-        body = captured["json"]
-        assert body["workspace_id"] == "ws-42"
-        assert body["agent_card"] == card
-
-        # Auth header from auth_headers_for_heartbeat is forwarded
-        # verbatim — same path commit_memory uses.
-        assert captured["headers"]["Authorization"] == "Bearer ws-token-xyz"
-
-        assert result["success"] is True
-        assert result["status"] == "updated"
-
-    @pytest.mark.asyncio
-    async def test_propagates_server_error(
-        self, monkeypatch, _grant_memory_write,
-    ):
-        """Non-200 from platform surfaces as a structured error to the
-        agent. The agent sees {success:false, status_code, error} and
-        can decide whether to retry, fall back, or escalate."""
-        import a2a_tools_identity
-
-        monkeypatch.setenv("WORKSPACE_ID", "ws-42")
-        monkeypatch.setattr(a2a_tools_identity, "PLATFORM_URL", "http://test.invalid")
-
-        captured: dict = {}
-        response = _MockResponse(400, {"error": "invalid card"})
-
-        monkeypatch.setattr(
-            a2a_tools_identity.httpx, "AsyncClient",
-            lambda *a, **kw: _MockClient(response=response, captured=captured),
-        )
-        monkeypatch.setattr(
-            a2a_tools_identity, "_auth_headers_for_heartbeat", lambda: {},
-        )
-
-        result = json.loads(
-            await a2a_tools_identity.tool_update_agent_card({"name": "x"})
-        )
-        assert result["success"] is False
-        assert result["status_code"] == 400
-        assert "invalid card" in str(result["error"]).lower()
-
-    @pytest.mark.asyncio
-    async def test_rejects_non_dict_card(self, _grant_memory_write):
-        """The MCP schema constrains transport callers to pass a dict;
-        in-process callers (tests, sibling modules) can still pass any
-        type. Reject non-dict defensively so the platform isn't asked
-        to validate JSON-encoded strings or lists."""
-        from a2a_tools_identity import tool_update_agent_card
-
-        result = json.loads(await tool_update_agent_card("not-a-dict"))
-        assert result["success"] is False
-        assert "dict" in str(result["error"]).lower()
-
-    @pytest.mark.asyncio
-    async def test_workspace_id_missing_returns_error(
-        self, monkeypatch, _grant_memory_write,
-    ):
-        """If WORKSPACE_ID is not set the tool refuses to issue the
-        request — it would otherwise POST with an empty workspace_id
-        and let the platform return a confusing 400."""
-        from a2a_tools_identity import tool_update_agent_card
-
-        monkeypatch.delenv("WORKSPACE_ID", raising=False)
-
-        result = json.loads(await tool_update_agent_card({"name": "x"}))
-        assert result["success"] is False
-        assert "workspace_id" in str(result["error"]).lower()
-
-    @pytest.mark.asyncio
-    async def test_denies_when_memory_write_permission_missing(self, monkeypatch):
-        """The agent's RBAC role must grant ``memory.write`` to update
-        the card. Read-only roles get an RBAC error string back
-        immediately, never touching the platform."""
-        import a2a_tools_identity
-
-        monkeypatch.setenv("WORKSPACE_ID", "ws-42")
-        monkeypatch.setattr(
-            a2a_tools_identity, "_check_memory_write_permission", lambda: False,
-        )
-
-        # Tripwire httpx — must not be called when RBAC denies.
-        import httpx
-
-        class _Tripwire:
-            def __init__(self, *_a, **_kw):
-                raise AssertionError("RBAC denial must short-circuit before httpx call")
-
-        monkeypatch.setattr(httpx, "AsyncClient", _Tripwire)
-
-        result = json.loads(
-            await a2a_tools_identity.tool_update_agent_card({"name": "x"}),
-        )
-        assert result["success"] is False
-        assert "memory.write" in str(result["error"]).lower()
-
-    @pytest.mark.asyncio
-    async def test_network_exception_returns_structured_error(
-        self, monkeypatch, _grant_memory_write,
-    ):
-        """A network exception (DNS failure, connect timeout, etc) is
-        wrapped into a structured error dict instead of bubbling up
-        to the MCP transport layer."""
-        import a2a_tools_identity
-
-        monkeypatch.setenv("WORKSPACE_ID", "ws-42")
-        monkeypatch.setattr(a2a_tools_identity, "PLATFORM_URL", "http://test.invalid")
-
-        class _ExplodingClient:
-            async def __aenter__(self):
-                return self
-
-            async def __aexit__(self, *_a):
-                return False
-
-            async def post(self, *_a, **_kw):
-                raise RuntimeError("simulated DNS failure")
-
-        monkeypatch.setattr(
-            a2a_tools_identity.httpx, "AsyncClient",
-            lambda *a, **kw: _ExplodingClient(),
-        )
-
-        result = json.loads(
-            await a2a_tools_identity.tool_update_agent_card({"name": "x"})
-        )
-        assert result["success"] is False
-        assert "network" in str(result["error"]).lower()
-
-
-# --- Registry contract ------------------------------------------------------
-
-
-class TestRegistryContract:
-    """Pin the new tools' registration in platform_tools.registry. The
-    structural tests in ``test_platform_tools.py`` already check
-    registry↔MCP alignment; these are tighter assertions specific to
-    the two new tools so a future contributor deleting one entry sees
-    a focused failure."""
-
-    def test_get_runtime_identity_in_registry(self):
-        from platform_tools.registry import by_name
-        spec = by_name("get_runtime_identity")
-        assert spec.section == "a2a"
-        # No input parameters — env-only call.
-        assert spec.input_schema == {"type": "object", "properties": {}}
-        # impl points at the actual tool function, not a shim.
-        from a2a_tools_identity import tool_get_runtime_identity
-        assert spec.impl is tool_get_runtime_identity
-
-    def test_update_agent_card_in_registry(self):
-        from platform_tools.registry import by_name
-        spec = by_name("update_agent_card")
-        assert spec.section == "a2a"
-        assert "card" in spec.input_schema["properties"]
-        assert spec.input_schema["required"] == ["card"]
-        from a2a_tools_identity import tool_update_agent_card
-        assert spec.impl is tool_update_agent_card

workspace/tests/test_inbox.py

@@ -495,6 +495,151 @@ def test_poll_once_skips_self_notify_rows(state: inbox.InboxState):
     assert [m.activity_id for m in queue] == ["act-real"]
 
 
+# ---------------------------------------------------------------------------
+# _is_self_echo_row — internal #469 fix
+# ---------------------------------------------------------------------------
+#
+# When a workspace delegates to a target that never picks up the task,
+# tool_delegate_task calls report_activity("a2a_receive", ...) which POSTs
+# to the platform with source_id set to the *sender's* workspace UUID
+# (spoof-defense). The activity API returns that row under type=a2a_receive
+# on the next poll, so message_from_activity sets peer_id = workspace's own
+# UUID — the workspace sees its own delegation-failure as an inbound from
+# a phantom peer. _is_self_echo_row guards against this.
+#
+# Internal #469 was live-reproduced on hongming.moleculesai.app 2026-05-16.
+
+
+def test_is_self_echo_row_true_when_source_id_matches_workspace():
+    row = {"source_id": "ws-abc123", "method": "a2a_receive"}
+    assert inbox._is_self_echo_row(row, "ws-abc123") is True
+
+
+def test_is_self_echo_row_false_when_source_id_differs():
+    """A real peer agent (different workspace_id) must NOT be filtered."""
+    row = {"source_id": "ws-peer", "method": "a2a_receive"}
+    assert inbox._is_self_echo_row(row, "ws-1") is False
+
+
+def test_is_self_echo_row_false_when_source_id_is_none():
+    """Canvas-user inbound has no source_id — never an echo."""
+    row = {"source_id": None, "method": "a2a_receive"}
+    assert inbox._is_self_echo_row(row, "ws-1") is False
+
+
+def test_is_self_echo_row_false_when_workspace_id_is_empty():
+    """Single-workspace legacy path with empty workspace_id cannot
+    match a UUID source_id — predicate is always False, which is safe."""
+    row = {"source_id": "ws-abc123", "method": "a2a_receive"}
+    assert inbox._is_self_echo_row(row, "") is False
+
+
+def test_is_self_echo_row_false_when_source_id_key_absent():
+    row = {"method": "a2a_receive"}
+    assert inbox._is_self_echo_row(row, "ws-1") is False
+
+
+def test_is_self_echo_row_false_for_delegate_result():
+    """RFC #2829 PR-2 regression pin: a row with source_id matching our
+    workspace_id but method=delegate_result must NOT be filtered as a
+    self-echo. The platform may write a delegation-result row with our
+    workspace_id as source_id; such rows must reach the inbox so the
+    runtime receives the delegation result. Silently filtering them would
+    break delegate_result delivery."""
+    row = {"source_id": "ws-1", "method": "delegate_result"}
+    assert inbox._is_self_echo_row(row, "ws-1") is False
+
+
+def test_poll_once_skips_self_echo_rows(state: inbox.InboxState):
+    """Internal #469 regression pin: a row with source_id matching our
+    workspace_id must NOT land in the inbox queue — it is our own
+    delegation-report echoing back, not a real peer inbound."""
+    rows = [
+        {
+            "id": "act-real-peer",
+            "source_id": "ws-peer",
+            "method": "a2a_receive",
+            "summary": None,
+            "request_body": {"parts": [{"type": "text", "text": "real peer inbound"}]},
+            "created_at": "2026-04-30T22:00:00Z",
+        },
+        {
+            "id": "act-self-echo",
+            "source_id": "ws-1",
+            "method": "a2a_receive",
+            "summary": "task result: target timed out",
+            "request_body": None,
+            "created_at": "2026-04-30T22:00:01Z",
+        },
+    ]
+    resp = _make_response(200, rows)
+    p, _ = _patch_httpx(resp)
+    with p:
+        n = inbox._poll_once(state, "http://platform", "ws-1", {})
+
+    # Only the real peer inbound counted; self-echo silently dropped.
+    assert n == 1
+    queue = state.peek(10)
+    assert [m.activity_id for m in queue] == ["act-real-peer"]
+    assert queue[0].peer_id == "ws-peer"
+
+
+def test_poll_once_advances_cursor_past_self_echo(state: inbox.InboxState):
+    """Cursor must advance past self-echo rows even though we don't
+    enqueue them. Otherwise the next poll re-fetches the same self-echo
+    on every iteration, wasting requests and blocking real inbound."""
+    state.save_cursor("act-old")
+    rows = [
+        {
+            "id": "act-self-echo",
+            "source_id": "ws-1",
+            "method": "a2a_receive",
+            "summary": "task result: timeout",
+            "request_body": None,
+            "created_at": "2026-04-30T22:00:00Z",
+        },
+    ]
+    resp = _make_response(200, rows)
+    p, _ = _patch_httpx(resp)
+    with p:
+        n = inbox._poll_once(state, "http://platform", "ws-1", {})
+
+    assert n == 0
+    assert state.peek(10) == []
+    # Cursor must move past the skipped row so we don't re-poll it.
+    assert state.load_cursor() == "act-self-echo"
+
+
+def test_poll_once_self_echo_does_not_fire_notification(state: inbox.InboxState):
+    """The notification callback (channel push to Claude Code etc.)
+    must not fire for self-echo rows. Same rationale as self-notify:
+    push-capable hosts would see the echo loop on the push channel."""
+    rows = [
+        {
+            "id": "act-self-echo",
+            "source_id": "ws-1",
+            "method": "a2a_receive",
+            "summary": "task result: timeout",
+            "request_body": None,
+            "created_at": "2026-04-30T22:00:00Z",
+        },
+    ]
+    received: list[dict] = []
+    inbox.set_notification_callback(received.append)
+    try:
+        resp = _make_response(200, rows)
+        p, _ = _patch_httpx(resp)
+        with p:
+            inbox._poll_once(state, "http://platform", "ws-1", {})
+    finally:
+        inbox.set_notification_callback(None)
+
+    assert received == [], (
+        "self-echo rows must not surface as MCP notifications — "
+        "doing so re-creates the echo loop on push-capable hosts"
+    )
+
+
 def test_poll_once_advances_cursor_past_self_notify(state: inbox.InboxState):
     """Cursor must advance past self-notify rows even though we don't
     enqueue them. Otherwise the next poll re-fetches the same self-