Merge pull request 'feat(security): RFC#523 3-layer forbidden-env guardrail for tenant workspaces (task #146 )' (#1555 ) from feat/146-forbidden-env-guard into main

Merge pull request 'fix(sop-checklist): widen ack eligibility per RFC#450 Option C (closes internal#442)' (#1554 ) from fix/sop-checklist-widen-ack-internal-442 into main
Merge pull request 'test(e2e): local prod-mimic backend for peer-visibility MCP gate + make e2e-peer-visibility (task #166 )' (#1551 ) from e2e/peer-visibility-local-backend-task166 into main
2026-05-19 01:57:30 +00:00 · 2026-05-19 01:57:08 +00:00 · 2026-05-19 01:57:06 +00:00 · 2026-05-19 01:56:16 +00:00 · 2026-05-19 01:56:12 +00:00 · 2026-05-19 01:56:10 +00:00
220 changed files with 15870 additions and 3395 deletions
@@ -65,6 +65,11 @@ class ApiError(RuntimeError):
    pass


+class MergePermissionError(ApiError):
+    """Merge failed with a permanent permission error (403/404/405).
+    The queue should skip this PR and move to the next one."""
+
+
@dataclasses.dataclass(frozen=True)
 class MergeDecision:
    ready: bool
@@ -148,15 +153,38 @@ def latest_statuses_by_context(statuses: list[dict]) -> dict[str, dict]:
    return latest


+def _is_tier_low_pending_ok(
+    latest_statuses: dict[str, dict],
+    context: str,
+    pr_labels: set[str],
+) -> bool:
+    """Return True if tier:low PR can tolerate sop-checklist pending state.
+
+    Per sop-checklist-config.yaml tier_failure_mode, tier:low uses soft-fail:
+    sop-checklist posts state=pending when acks are satisfied (missing
+    manager/ceo acks are informational only). The queue should accept
+    pending instead of waiting for success.
+    """
+    if "tier:low" not in pr_labels:
+        return False
+    if "sop-checklist" not in context:
+        return False
+    status = latest_statuses.get(context) or {}
+    return status_state(status) == "pending"
+
+
 def required_contexts_green(
    latest_statuses: dict[str, dict],
    contexts: list[str],
+    pr_labels: set[str] | None = None,
 ) -> tuple[bool, list[str]]:
    missing_or_bad: list[str] = []
    for context in contexts:
        status = latest_statuses.get(context)
        state = status_state(status or {})
        if state != "success":
+            if pr_labels and _is_tier_low_pending_ok(latest_statuses, context, pr_labels):
+                continue  # tier:low soft-fail: accept pending sop-checklist
            missing_or_bad.append(f"{context}={state or 'missing'}")
    return not missing_or_bad, missing_or_bad

@@ -209,6 +237,7 @@ def evaluate_merge_readiness(
    pr_status: dict,
    required_contexts: list[str],
    pr_has_current_base: bool,
+    pr_labels: set[str] | None = None,
 ) -> MergeDecision:
    # Check push-required contexts explicitly instead of combined state.
    # Combined state can be "failure" due to non-blocking jobs
@@ -228,7 +257,7 @@ def evaluate_merge_readiness(
    # The required_contexts list is the authoritative gate — it includes only
    # the checks that actually block merges.
    latest = latest_statuses_by_context(pr_status.get("statuses") or [])
-    ok, missing_or_bad = required_contexts_green(latest, required_contexts)
+    ok, missing_or_bad = required_contexts_green(latest, required_contexts, pr_labels)
    if not ok:
        return MergeDecision(False, "wait", "required contexts not green: " + ", ".join(missing_or_bad))
    return MergeDecision(True, "merge", "ready")
@@ -253,27 +282,32 @@ def get_combined_status(sha: str) -> dict:
    _, combined = api("GET", f"/repos/{OWNER}/{NAME}/commits/{sha}/status")
    if not isinstance(combined, dict):
        raise ApiError(f"status for {sha} response not object")
-    # Fetch full statuses list; 200 covers >99% of real-world runs.
-    # The list is ordered ascending by id (oldest first) — callers must
-    # iterate in reverse to get the newest entry per context.
-    # Best-effort: large repos (main with 550+ statuses) may time out.
-    # On timeout, fall back to the statuses[] already in the combined
-    # response (usually 30 entries — enough for most PRs, enough for
-    # main's early push-required contexts).
+    combined_statuses: list[dict] = combined.get("statuses") or []
    try:
-        _, all_statuses = api(
+        _, all_statuses_raw = api(
            "GET",
            f"/repos/{OWNER}/{NAME}/commits/{sha}/statuses",
            query={"limit": "50"},
        )
-        if isinstance(all_statuses, list):
-            combined["statuses"] = all_statuses
+        if isinstance(all_statuses_raw, list):
+            all_statuses: list[dict] = list(all_statuses_raw)
+        else:
+            all_statuses = []
    except (ApiError, urllib.error.URLError, TimeoutError, OSError) as exc:
-        # URLError covers network-level failures (DNS, refused, timeout).
-        # TimeoutError and OSError cover socket-level timeouts.
        sys.stderr.write(f"::warning::could not fetch full statuses list for {sha[:8]}: {exc}\n")
-        # Fall back to the statuses[] already in the combined response.
-        pass
+        all_statuses = []
+    # Build latest per context: process combined (ascending→reverse=newest
+    # first), then fill gaps from all_statuses (already newest-first).
+    latest: dict[str, dict] = {}
+    for status in reversed(sorted(combined_statuses, key=lambda s: s.get("id") or 0)):
+        ctx = status.get("context")
+        if isinstance(ctx, str) and ctx not in latest:
+            latest[ctx] = status
+    for status in all_statuses:
+        ctx = status.get("context")
+        if isinstance(ctx, str) and ctx not in latest:
+            latest[ctx] = status
+    combined["statuses"] = list(latest.values())
    return combined


@@ -338,7 +372,16 @@ def merge_pull(pr_number: int, *, dry_run: bool) -> None:
    print(f"::notice::merging PR #{pr_number}")
    if dry_run:
        return
-    api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    try:
+        api("POST", f"/repos/{OWNER}/{NAME}/pulls/{pr_number}/merge", body=payload, expect_json=False)
+    except ApiError as exc:
+        # Re-raise permission-like errors so process_once can skip this PR.
+        # 403 = no push access, 404 = repo/pr not found, 405 = not allowed.
+        msg = str(exc)
+        for code in ("403", "404", "405"):
+            if code in msg:
+                raise MergePermissionError(msg) from exc
+        raise  # re-raise other ApiErrors unchanged


 def process_once(*, dry_run: bool = False) -> int:
@@ -380,11 +423,13 @@ def process_once(*, dry_run: bool = False) -> int:
    commits = get_pull_commits(pr_number)
    current_base = pr_has_current_base(pr, commits, main_sha)
    pr_status = get_combined_status(head_sha)
+    pr_labels = label_names(pr)
    decision = evaluate_merge_readiness(
        main_status=main_status,
        pr_status=pr_status,
        required_contexts=contexts,
        pr_has_current_base=current_base,
+        pr_labels=pr_labels,
    )

    print(f"::notice::PR #{pr_number} decision={decision.action}: {decision.reason}")
@@ -407,7 +452,25 @@ def process_once(*, dry_run: bool = False) -> int:
                "deferring to next tick"
            )
            return 0
-        merge_pull(pr_number, dry_run=dry_run)
+        try:
+            merge_pull(pr_number, dry_run=dry_run)
+        except MergePermissionError as exc:
+            # Permanent merge failure (HTTP 403/404/405). Post a comment so
+            # maintainers know why, then return 0 so this tick is done.
+            # The PR stays in the queue; future ticks can retry after the
+            # permission issue is resolved.
+            sys.stderr.write(f"::error::merge permission error for PR #{pr_number}: {exc}\n")
+            post_comment(
+                pr_number,
+                (
+                    "merge-queue: merge failed with HTTP 405 'User not allowed to merge PR'. "
+                    "No available token has Can-merge permission on this repo. "
+                    "Fix: grant Can-merge to a token, or add a maintain/admin collaborator. "
+                    "Skipping to next queued PR on next tick."
+                ),
+                dry_run=dry_run,
+            )
+            return 0
        return 0
    return 0

@@ -100,11 +100,12 @@ printf 'header = "Authorization: token %s"\n' "$GITEA_TOKEN" > "$CURL_AUTH_FILE"
 # (bash trap 'function' EXIT expands variables at trap-fire time, not def time).
 PR_JSON=$(mktemp)
 REVIEWS_JSON=$(mktemp)
+COMMENTS_JSON=$(mktemp)
 TEAM_PROBE_TMP=$(mktemp)
 NA_STATUSES_TMP=""  # declared here so cleanup() always has the var

 cleanup() {
-  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
+  rm -f "$CURL_AUTH_FILE" "$PR_JSON" "$REVIEWS_JSON" "$COMMENTS_JSON" "$TEAM_PROBE_TMP" "${NA_STATUSES_TMP-}"
 }
 trap cleanup EXIT

@@ -206,7 +207,81 @@ CANDIDATES=$(jq -r --arg author "$PR_AUTHOR" --arg head "$PR_HEAD_SHA" "$JQ_FILT
 debug "candidate non-author approvers: $(echo "$CANDIDATES" | tr '\n' ' ')"

 if [ -z "$CANDIDATES" ]; then
-  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates yet)"
+  # --- Guardrail (internal#503): explain the most common false
+  # "no candidates" red. Gitea's review event enum is EXACTLY
+  # APPROVED/REQUEST_CHANGES/COMMENT/PENDING. A wrong value ("APPROVE",
+  # lowercase, ...) is silently accepted (HTTP 200) and stored as
+  # state=PENDING. A correctly-started draft review has an EMPTY body;
+  # a NON-empty body + state==PENDING by a non-author == an intended
+  # verdict mis-filed by a wrong event string. Surface it actionably.
+  # This does NOT change the gate result (still fail-closed below) — it
+  # only converts a mystery red into a named, self-fixing error.
+  MISFILED_FILTER='.[]
+    | select(.state == "PENDING")
+    | select(.dismissed != true)
+    | select(.user.login != $author)
+    | select(((.body // "") | gsub("^\\s+|\\s+$";"") | length) > 0)
+    | "\(.id)\t\(.user.login)"'
+  MISFILED=$(jq -r --arg author "$PR_AUTHOR" "$MISFILED_FILTER" "$REVIEWS_JSON" 2>/dev/null || true)
+  if [ -n "$MISFILED" ]; then
+    echo "::error::${TEAM}-review: non-author review(s) were SUBMITTED but stored as PENDING — almost certainly the wrong Gitea review event string (internal#503)."
+    echo "::error::Gitea accepts ONLY the exact enum APPROVED / REQUEST_CHANGES / COMMENT. 'APPROVE' or lowercase is silently (HTTP 200) filed as PENDING and is invisible to this gate."
+    printf '%s\n' "$MISFILED" | while IFS="$(printf '\t')" read -r _rid _rl; do
+      [ -n "${_rid:-}" ] && echo "::error::  review id=${_rid} by '${_rl}': RE-SUBMIT via POST ${API}/repos/${OWNER}/${NAME}/pulls/${PR_NUMBER}/reviews with {\"event\":\"APPROVED\"} (correct enum) — do NOT edit the DB."
+    done
+  fi
+
+  # --- Fallback (internal#348): check issue comments for agent-approval ---
+  # core-qa-agent and core-security-agent approve via issue comments, NOT
+  # the reviews API. The reviews API returns zero entries for comment-only
+  # approvals. This fallback reads PR issue comments and extracts logins that:
+  #   1. Posted a comment matching the agent-prefix pattern for this gate:
+  #        qa      → "[core-qa-agent] APPROVED"
+  #        security → "[core-security-agent] APPROVED"
+  #      OR posted a generic approval keyword (word-anchored, case-insensitive):
+  #        APPROVED / LGTM / ACCEPTED
+  #   2. Are not the PR author
+  #   3. The team-membership probe below is the authoritative filter.
+  AGENT_PATTERN=""
+  case "$TEAM" in
+    qa)       AGENT_PATTERN="\\[core-qa-agent\\]" ;;
+    security) AGENT_PATTERN="\\[core-security-agent\\]" ;;
+  esac
+  HTTP_CODE=$(curl -sS -o "$COMMENTS_JSON" -w '%{http_code}' \
+    -K "$CURL_AUTH_FILE" "${API}/repos/${OWNER}/${NAME}/issues/${PR_NUMBER}/comments")
+  debug "GET /issues/${PR_NUMBER}/comments → HTTP ${HTTP_CODE}"
+  if [ "$HTTP_CODE" = "200" ]; then
+    # JQ expression: select non-author comments that match either the
+    # agent-prefix pattern (case-insensitive) OR a generic approval keyword.
+    JQ_APPROVALS='
+      .[] |
+      select(.user.login != $author) |
+      . as $cmt |
+      if ($agent_pattern | length) > 0 and ($cmt.body // "" | test($agent_pattern; "i")) then
+        $cmt.user.login
+      elif ($cmt.body // "" | test("\\b(APPROVED|LGTM|ACCEPTED)\\b"; "i")) then
+        $cmt.user.login
+      else
+        empty
+      end
+    '
+    CANDIDATES=$(jq -r \
+      --arg author "$PR_AUTHOR" \
+      --arg agent_pattern "$AGENT_PATTERN" \
+      "$JQ_APPROVALS" \
+      "$COMMENTS_JSON" 2>/dev/null | sort -u)
+    debug "comment-based approval candidates: $(echo "$CANDIDATES" | tr '\n' ' ')"
+
+    if [ -n "$CANDIDATES" ]; then
+      echo "::notice::${TEAM}-review: reviews API found no APPROVED reviews; found $(echo "$CANDIDATES" | wc -w | xargs) comment-based approval candidate(s) — verifying team membership..."
+    fi
+  else
+    debug "could not fetch issue comments (HTTP ${HTTP_CODE})"
+  fi
+fi
+
+if [ -z "${CANDIDATES:-}" ]; then
+  echo "::error::${TEAM}-review awaiting non-author APPROVE from ${TEAM} team (no candidates from reviews API or issue comments)"
  exit 1
 fi

@@ -68,7 +68,7 @@ import sys
 import urllib.error
 import urllib.parse
 import urllib.request
-from typing import Any
+from typing import Any, Callable


 # ---------------------------------------------------------------------------
@@ -110,7 +110,7 @@ def normalize_slug(raw: str, numeric_aliases: dict[int, str] | None = None) -> s
 # for /sop-revoke (RFC#351 open question 4 — reason is captured but not
 # yet validated; future iteration may require a min-length).
 _DIRECTIVE_RE = re.compile(
-    r"^[ \t]*/(sop-ack|sop-revoke)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
+    r"^[ \t]*/(sop-ack|sop-revoke|sop-n/a)[ \t]+([A-Za-z0-9_\- ]+?)(?:[ \t]+(.*))?[ \t]*$",
    re.MULTILINE,
 )

@@ -118,17 +118,21 @@ _DIRECTIVE_RE = re.compile(
 def parse_directives(
    comment_body: str,
    numeric_aliases: dict[int, str],
-) -> list[tuple[str, str, str]]:
-    """Extract /sop-ack and /sop-revoke directives from a comment body.
+) -> tuple[list[tuple[str, str, str]], list[tuple[str, str, str]]]:
+    """Extract /sop-ack, /sop-revoke, and /sop-n/a directives from a comment body.

-    Returns a list of (kind, canonical_slug, note) tuples where:
-      kind is "sop-ack" or "sop-revoke"
+    Returns (directives, na_directives) where each is a list of
+    (kind, canonical_slug, note) tuples:
+      kind is "sop-ack", "sop-revoke", or "sop-n/a"
      canonical_slug is the normalized form (or "" if unparseable)
      note is the trailing free-text (may be "")
+    The two lists are kept separate so call sites can unpack them
+    directly (e.g. directives, na_directives = parse_directives(...)).
    """
-    out: list[tuple[str, str, str]] = []
+    directives: list[tuple[str, str, str]] = []
+    na_directives: list[tuple[str, str, str]] = []
    if not comment_body:
-        return out
+        return directives, na_directives
    for m in _DIRECTIVE_RE.finditer(comment_body):
        kind = m.group(1)
        raw_slug = (m.group(2) or "").strip()
@@ -158,8 +162,12 @@ def parse_directives(
        note_from_group = (m.group(3) or "").strip()
        # If we collapsed multi-word slug into kebab and there's a
        # trailing-text group too, append it.
-        out.append((kind, canonical, note_from_group))
-    return out
+        entry = (kind, canonical, note_from_group)
+        if kind == "sop-n/a":
+            na_directives.append(entry)
+        else:
+            directives.append(entry)
+    return directives, na_directives


 # ---------------------------------------------------------------------------
@@ -172,8 +180,8 @@ def section_marker_present(body: str, marker: str) -> bool:
    on a non-empty line (i.e. the author actually filled it in).

    We require the marker substring AND non-whitespace content on the
-    same line OR within the next line — this prevents trivially-empty
-    checklists like:
+    same line OR within the next non-blank line — this prevents
+    trivially-empty checklists like:

        ## SOP-Checklist
        - [ ] **Comprehensive testing performed**:
@@ -182,9 +190,18 @@ def section_marker_present(body: str, marker: str) -> bool:
    from auto-passing the section-present check. The peer-ack is still
    required, but answering with empty content is captured as a soft
    finding via the section-present test alone.
+
+    NOTE: we scan forward through blank lines (the markdown-header pattern
+    is ## Header\\n\\ncontent) so that a header + blank-line + content
+    structure still satisfies the check. The backward checkbox fallback
+    catches inline markers without a preceding checkbox (mc#1099).
    """
    if not body or not marker:
        return False
+    # Strip trailing whitespace so the blank-line scan below can find
+    # content that appears on the very last line of the body (without
+    # being misled by a trailing \n or spaces).
+    body = body.rstrip()
    body_lower = body.lower()
    marker_lower = marker.lower()
    idx = body_lower.find(marker_lower)
@@ -200,13 +217,44 @@ def section_marker_present(body: str, marker: str) -> bool:
    stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
    if stripped:
        return True
-    # Fall through: check the NEXT line (multi-line answers).
-    next_line_end = body.find("\n", line_end + 1)
-    if next_line_end < 0:
-        next_line_end = len(body)
-    next_line = body[line_end + 1:next_line_end]
-    stripped_next = re.sub(r"[\s\*:\-\[\]]+", "", next_line)
-    return bool(stripped_next)
+    # Fall through: scan forward, skipping blank-only lines, until we find
+    # non-empty content or run out of body.  Handles:
+    #   ## Header          ← marker line (empty after marker)
+    #                      ← blank line (skipped)
+    #   - actual content   ← found
+    pos = line_end
+    while True:
+        # Skip the current newline and any additional newlines (blank lines).
+        while pos < len(body) and body[pos] == "\n":
+            pos += 1
+        if pos >= len(body):
+            break
+        line_end = body.find("\n", pos)
+        if line_end < 0:
+            line_end = len(body)
+        line = body[pos:line_end]
+        stripped = re.sub(r"[\s\*:\-\[\]]+", "", line)
+        if stripped:
+            return True
+        pos = line_end
+    # Last resort: the marker may appear mid-sentence (e.g.
+    # **Memory/saved-feedback consulted**: No applicable...).
+    # Search backward within the CURRENT LINE only (not preceding lines)
+    # to find a checkbox on the same line before the marker text.
+    # mc#1099 follow-up: memory-consulted detection was failing because
+    # the checkbox was on the same line before the inline marker.
+    _CHECKBOX_RE = re.compile(r"- \[[ x\]]|<input", re.IGNORECASE)
+    line_start = body.rfind("\n", 0, idx) + 1  # 0 if no newline before idx
+    before = body[line_start:idx]
+    m = _CHECKBOX_RE.search(before)
+    if not m:
+        return False
+    # Require meaningful content between the checkbox and the marker text
+    # (markdown formatting like ** or * must also be stripped).
+    # If only whitespace/markdown chars remain, the checkbox line is empty.
+    between = before[m.end() :]
+    stripped_between = re.sub(r"[\s\*:#\[\]_\-]+", "", between)
+    return bool(stripped_between)


 # ---------------------------------------------------------------------------
@@ -220,6 +268,7 @@ def compute_ack_state(
    items_by_slug: dict[str, dict[str, Any]],
    numeric_aliases: dict[int, str],
    team_membership_probe: "callable[[str, list[str]], list[str]]",
+    high_risk: bool = False,
 ) -> dict[str, dict[str, Any]]:
    """Compute per-item ack state.

@@ -249,7 +298,7 @@ def compute_ack_state(
        user = (c.get("user") or {}).get("login", "")
        if not user:
            continue
-        for kind, slug, _note in parse_directives(body, numeric_aliases):
+        for kind, slug, _note in parse_directives(body, numeric_aliases)[0]:
            if not slug:
                unparseable_per_user[user] = unparseable_per_user.get(user, 0) + 1
                continue
@@ -282,11 +331,16 @@ def compute_ack_state(
    for slug, candidates in pending_team_check.items():
        if not candidates:
            continue
-        required = items_by_slug[slug]["required_teams"]
+        # Risk-class-aware required-teams resolution (RFC#450 Option C):
+        # high-risk PRs use `required_teams_high_risk` (when set on the
+        # item); default class uses `required_teams`. The probe closure
+        # is built with the same high_risk flag so the two reads are
+        # always consistent (both sites share `resolve_required_teams`).
+        required = resolve_required_teams(items_by_slug[slug], high_risk)
        approved = team_membership_probe(slug, candidates)  # returns subset
        rejected_not_in_team[slug] = [u for u in candidates if u not in approved]
        ackers_per_slug[slug] = approved
-        # Stash required teams for description rendering.
+        # Stash resolved teams for description rendering.
        items_by_slug[slug]["_required_resolved"] = required

    return {
@@ -301,6 +355,63 @@ def compute_ack_state(
    }


+# ---------------------------------------------------------------------------
+# N/A-gate evaluation
+# ---------------------------------------------------------------------------
+
+
+def compute_na_state(
+    comments: list[dict[str, Any]],
+    author: str,
+    na_gates: dict[str, Any],
+    probe: Callable[[str, list[str]], list[str]],
+) -> dict[str, dict[str, Any]]:
+    """Evaluate which N/A gates have a valid declaration from a team member.
+
+    Returns dict[gate_name, dict] where each dict has:
+      declared: bool — at least one valid non-author team-member declared N/A
+      decl_ackers: list[str] — usernames who declared this gate N/A
+      rejected: dict with keys:
+        not_in_team: list[str] — users who tried but aren't in required teams
+    """
+    # Build per-user latest N/A directive (most-recent wins per RFC#324).
+    latest_na: dict[str, tuple[str, str]] = {}  # user → (gate, note)
+    for c in comments:
+        body = c.get("body", "") or ""
+        user = (c.get("user") or {}).get("login", "")
+        if not user:
+            continue
+        for kind, gate, note in parse_directives(body, {})[1]:
+            # [1] = na_directives only
+            if gate in na_gates:
+                latest_na[user] = (gate, note)
+
+    result: dict[str, dict[str, Any]] = {}
+    for gate, gate_cfg in na_gates.items():
+        result[gate] = {
+            "declared": False,
+            "decl_ackers": [],
+            "rejected": {"not_in_team": []},
+        }
+        decl_ackers: list[str] = []
+        not_in_team: list[str] = []
+        for user, (g, _note) in latest_na.items():
+            if g != gate:
+                continue
+            if user == author:
+                continue  # authors cannot self-declare N/A
+            approved = probe(gate, [user])
+            if approved:
+                decl_ackers.append(user)
+            else:
+                not_in_team.append(user)
+        result[gate]["declared"] = bool(decl_ackers)
+        result[gate]["decl_ackers"] = decl_ackers
+        result[gate]["rejected"]["not_in_team"] = not_in_team
+
+    return result
+
+
 # ---------------------------------------------------------------------------
 # Gitea API client
 # ---------------------------------------------------------------------------
@@ -660,6 +771,42 @@ def get_tier_mode(pr: dict[str, Any], cfg: dict[str, Any]) -> str:
    return default_mode


+def is_high_risk(pr: dict[str, Any], cfg: dict[str, Any]) -> bool:
+    """Return True when the PR is high-risk per RFC#450 Option C.
+
+    A PR is high-risk when ANY of:
+      - it carries the `tier:high` label (mechanically strictest tier), or
+      - it carries any label listed in cfg.high_risk_labels.
+
+    High-risk PRs use `required_teams_high_risk` (when set on an item)
+    instead of the default `required_teams`. Items without
+    `required_teams_high_risk` are unaffected (the default applies).
+
+    Governance fix for internal#442 — closes the inconsistency between
+    sop-tier-check (tier-aware) and sop-checklist (was tier-blind).
+    """
+    label_set = {(l.get("name") or "") for l in (pr.get("labels") or [])}
+    if "tier:high" in label_set:
+        return True
+    high_risk_labels = set(cfg.get("high_risk_labels") or [])
+    return bool(label_set & high_risk_labels)
+
+
+def resolve_required_teams(item: dict[str, Any], high_risk: bool) -> list[str]:
+    """Pick the active required_teams list for an item.
+
+    When high_risk is True AND the item declares a non-empty
+    `required_teams_high_risk`, return that. Else fall back to
+    `required_teams`. Keeping this in one helper means the gate's
+    decision shape stays single-sited even as items grow.
+    """
+    if high_risk:
+        elevated = item.get("required_teams_high_risk") or []
+        if elevated:
+            return list(elevated)
+    return list(item.get("required_teams") or [])
+
+
 def main(argv: list[str] | None = None) -> int:
    p = argparse.ArgumentParser()
    p.add_argument("--owner", required=True)
@@ -695,6 +842,7 @@ def main(argv: list[str] | None = None) -> int:
    cfg = load_config(args.config)
    items: list[dict[str, Any]] = cfg["items"]
    items_by_slug = {it["slug"]: it for it in items}
+    na_gates: dict[str, Any] = cfg.get("n/a_gates", {})
    numeric_aliases = {
        int(it["numeric_alias"]): it["slug"] for it in items if it.get("numeric_alias")
    }
@@ -719,6 +867,12 @@ def main(argv: list[str] | None = None) -> int:

    comments = client.get_issue_comments(args.owner, args.repo, args.pr)

+    # High-risk classification (RFC#450 Option C, governance fix for
+    # internal#442). Computed ONCE per PR — used by both the probe
+    # closure and compute_ack_state so the elevation decision is
+    # single-sited.
+    high_risk = is_high_risk(pr, cfg)
+
    # Build team-membership probe closure that caches results per
    # (user, team-id) so a user acking multiple items only triggers
    # one membership lookup per team.
@@ -726,7 +880,7 @@ def main(argv: list[str] | None = None) -> int:

    def probe(slug: str, users: list[str]) -> list[str]:
        item = items_by_slug[slug]
-        team_names: list[str] = item["required_teams"]
+        team_names: list[str] = resolve_required_teams(item, high_risk)
        # Resolve names → ids. NOTE: orgs/{org}/teams/search may not be
        # available — fall back to the list endpoint.
        team_ids: list[int] = []
@@ -771,7 +925,9 @@ def main(argv: list[str] | None = None) -> int:
                    # may still find membership in another team.
        return approved

-    ack_state = compute_ack_state(comments, author, items_by_slug, numeric_aliases, probe)
+    ack_state = compute_ack_state(
+        comments, author, items_by_slug, numeric_aliases, probe, high_risk=high_risk
+    )
    body_state = {it["slug"]: section_marker_present(body, it["pr_section_marker"]) for it in items}

    state, description = render_status(items, ack_state, body_state)
@@ -784,7 +940,10 @@ def main(argv: list[str] | None = None) -> int:
        description = f"[info tier:low] {description}"

    # Diagnostics to job log.
-    print(f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} mode={mode}")
+    print(
+        f"::notice::PR #{args.pr} author={author} head={head_sha[:7]} "
+        f"mode={mode} risk_class={'high' if high_risk else 'default'}"
+    )
    for it in items:
        slug = it["slug"]
        ackers = ack_state[slug]["ackers"]
@@ -815,6 +974,46 @@ def main(argv: list[str] | None = None) -> int:
        description=description, target_url=target_url,
    )
    print(f"::notice::status posted: {args.status_context} → {state}")
+
+    # --- N/A gate status (RFC#324 §N/A follow-up) ---
+    # Post a separate status so review-check.sh can discover N/A declarations
+    # and waive the Gitea-approve requirement for that gate.
+    na_state: dict[str, dict[str, Any]] = {}
+    if na_gates:
+        na_state = compute_na_state(comments, author, na_gates, probe)
+
+        na_descs: list[str] = []
+        for gate, s in na_state.items():
+            if s["declared"]:
+                na_descs.append(gate)
+            decl = s["decl_ackers"]
+            rej = s["rejected"]["not_in_team"]
+            if decl:
+                print(f"::notice::  [N/A OK] {gate} — declared by {','.join(decl)}")
+            if rej:
+                print(
+                    f"::notice::  [N/A REJ] {gate} — not-in-team: {','.join(rej)}",
+                    file=sys.stderr,
+                )
+
+        na_desc = ", ".join(sorted(na_descs)) if na_descs else "(none)"
+        na_status_state = "success" if na_descs else "pending"
+        # review-check.sh reads the description to discover which gates are N/A.
+        # Include the gate names so it can grep for them.
+        na_description = f"N/A: {na_desc}" if na_descs else "N/A: (none)"
+
+        if not args.dry_run:
+            client.post_status(
+                args.owner, args.repo, head_sha,
+                state=na_status_state,
+                context="sop-checklist / na-declarations (pull_request)",
+                description=na_description,
+                target_url=target_url,
+            )
+            print(
+                f"::notice::na-declarations status → {na_status_state}: {na_description}"
+            )
+
    # By default exit 0 — the POSTed status IS the gate, NOT the job
    # conclusion. If the job exits 1 BP will see TWO failure signals
    # (one from the job's auto-status, one from our POST), making the
@@ -17,6 +17,9 @@ Scenarios:
  T8_team_not_member          — team membership → 404 (not a member) → exit 1
  T9_team_403                — team membership → 403 (token not in team) → exit 1
  T14_non_default_base        — open PR targeting staging → script exits 0 (no-op)
+  T15_comments_agent_approval — reviews empty; comments have "[core-qa-agent] APPROVED" → exit 0
+  T16_comments_generic_approval — reviews empty; comments have "APPROVED" by team member → exit 0
+  T17_comments_no_approval   — reviews empty; comments have no approval keywords → exit 1

 Usage:
  FIXTURE_STATE_DIR=/tmp/x python3 _review_check_fixture.py 8080
@@ -97,7 +100,9 @@ class Handler(http.server.BaseHTTPRequestHandler):
        # GET /repos/{owner}/{name}/pulls/{pr_number}/reviews
        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/pulls/(\d+)/reviews$", path)
        if m:
-            if sc in ("T4_reviews_empty", "T5_reviews_only_author"):
+            if sc in ("T4_reviews_empty", "T5_reviews_only_author",
+                      "T15_comments_agent_approval", "T16_comments_generic_approval",
+                      "T17_comments_no_approval"):
                return self._json(200, [])
            if sc == "T6_reviews_dismissed":
                return self._json(200, [{
@@ -116,6 +121,28 @@ class Handler(http.server.BaseHTTPRequestHandler):
                {"state": "APPROVED", "dismissed": False, "user": {"login": "core-devops"}, "commit_id": "abc1234"},
            ])

+        # GET /repos/{owner}/{name}/issues/{pr_number}/comments
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/issues/(\d+)/comments$", path)
+        if m:
+            if sc == "T15_comments_agent_approval":
+                return self._json(200, [
+                    {"user": {"login": "core-qa-agent"}, "body": "[core-qa-agent] APPROVED this PR. Good changes.", "id": 1},
+                    {"user": {"login": "alice"}, "body": "I authored this PR", "id": 2},
+                    {"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 3},
+                ])
+            if sc == "T16_comments_generic_approval":
+                return self._json(200, [
+                    {"user": {"login": "core-qa-agent"}, "body": "APPROVED — all acceptance criteria met", "id": 1},
+                    {"user": {"login": "alice"}, "body": "-authored", "id": 2},
+                ])
+            if sc == "T17_comments_no_approval":
+                return self._json(200, [
+                    {"user": {"login": "alice"}, "body": "I authored this PR", "id": 1},
+                    {"user": {"login": "random-user"}, "body": "Looks okay to me", "id": 2},
+                ])
+            # Default scenarios (T1–T9, T14): no comments
+            return self._json(200, [])
+
        # GET /teams/{team_id}/members/{username}
        m = re.match(r"^/api/v1/teams/(\d+)/members/([^/]+)$", path)
        if m:
@@ -127,6 +154,12 @@ class Handler(http.server.BaseHTTPRequestHandler):
            # T7_team_member: member
            return self._empty(204)

+        # GET /repos/{owner}/{name}/statuses/{sha} — for N/A declaration check
+        m = re.match(r"^/api/v1/repos/([^/]+)/([^/]+)/statuses/([a-f0-9]+)$", path)
+        if m:
+            # All comment-based scenarios have no N/A declarations
+            return self._json(200, [])
+
        return self._json(404, {"path": path, "msg": "fixture: no route"})

    def do_POST(self):
@@ -118,3 +118,13 @@ def test_merge_decision_updates_stale_pr_before_merge():

    assert decision.ready is False
    assert decision.action == "update"
+
+
+def test_MergePermissionError_inherits_from_ApiError():
+    assert issubclass(mq.MergePermissionError, mq.ApiError)
+
+
+def test_MergePermissionError_message_preserved():
+    exc = mq.MergePermissionError("POST /merge -> HTTP 405: User not allowed")
+    assert "405" in str(exc)
+    assert "User not allowed" in str(exc)
@@ -334,6 +334,31 @@ assert_contains "T12 jq: core-devops (non-author APPROVED) in candidates" "core-
 assert_eq "T12 jq: alice (author) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^alice$' || true)"
 assert_eq "T12 jq: carol (dismissed) NOT in candidates" "" "$(echo "$T12_CANDIDATES" | grep '^carol$' || true)"

+# T15 — comment-based approval via agent prefix pattern → exit 0
+echo
+echo "== T15 comment agent-prefix approval =="
+T15_OUT=$(run_review_check "T15_comments_agent_approval")
+T15_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T15 exit code 0 (agent-comment approval + team member)" "0" "$T15_RC"
+assert_contains "T15 comment fallback notice" "comment-based approval" "$T15_OUT"
+assert_contains "T15 core-qa-agent APPROVED" "APPROVED by core-qa-agent" "$T15_OUT"
+
+# T16 — comment-based approval via generic APPROVED keyword → exit 0
+echo
+echo "== T16 comment generic keyword approval =="
+T16_OUT=$(run_review_check "T16_comments_generic_approval")
+T16_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T16 exit code 0 (generic-approval comment + team member)" "0" "$T16_RC"
+assert_contains "T16 comment fallback notice" "comment-based approval" "$T16_OUT"
+
+# T17 — no approval keywords in comments → exit 1
+echo
+echo "== T17 comments with no approval keywords =="
+T17_OUT=$(run_review_check "T17_comments_no_approval")
+T17_RC=$(cat "$FIX_STATE_DIR/last_rc")
+assert_eq "T17 exit code 1 (no candidates from comments)" "1" "$T17_RC"
+assert_contains "T17 no candidates error" "no candidates from reviews API or issue comments" "$T17_OUT"
+
 echo
 echo "------"
 echo "PASS=$PASS FAIL=$FAIL"
@@ -551,3 +551,267 @@ class TestEndToEndAckFlow(unittest.TestCase):

 if __name__ == "__main__":
    unittest.main(verbosity=2)
+
+
+# ---------------------------------------------------------------------------
+# compute_na_state
+# ---------------------------------------------------------------------------
+
+
+class TestComputeNaState(unittest.TestCase):
+    """Tests for /sop-n/a directive evaluation."""
+
+    def test_no_na_declarations(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = []
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda *_: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertFalse(na_state["security-review"]["declared"])
+
+    def test_na_declared_by_authorized_user(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("bob", "/sop-n/a qa-review N/A: pure tooling change")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertTrue(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["decl_ackers"], ["bob"])
+
+    def test_na_declared_by_unauthorized_user_rejected(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("mallory", "/sop-n/a qa-review N/A: not real team")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: [])
+        self.assertFalse(na_state["qa-review"]["declared"])
+        self.assertEqual(na_state["qa-review"]["rejected"]["not_in_team"], ["mallory"])
+
+    def test_author_cannot_self_declare_na(self):
+        cfg = sop.load_config(CONFIG_PATH)
+        na_gates = cfg.get("n/a_gates", {})
+        comments = [_comment("alice", "/sop-n/a qa-review N/A: I am the author")]
+        na_state = sop.compute_na_state(comments, "alice", na_gates, lambda g, u: u)
+        self.assertFalse(na_state["qa-review"]["declared"])
+
+    def test_parse_directives_separates_na_from_ack(self):
+        directives, na_directives = sop.parse_directives(
+            "/sop-ack comprehensive-testing\n/sop-n/a qa-review N/A: no surface",
+            {},
+        )
+        self.assertEqual(len(directives), 1)
+        self.assertEqual(directives[0][0], "sop-ack")
+        self.assertEqual(len(na_directives), 1)
+        self.assertEqual(na_directives[0][0], "sop-n/a")
+        self.assertEqual(na_directives[0][1], "qa-review")
+
+
+# ---------------------------------------------------------------------------
+# RFC#450 Option C — risk-classed two-eyes (governance fix for internal#442)
+# ---------------------------------------------------------------------------
+
+
+class TestIsHighRisk(unittest.TestCase):
+    """The high-risk predicate decides which required_teams list applies.
+
+    Predicate: tier:high label OR any label in cfg.high_risk_labels.
+    """
+
+    def setUp(self):
+        self.cfg = sop.load_config(CONFIG_PATH)
+
+    def test_no_labels_is_default_class(self):
+        pr = {"labels": []}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_high_is_high_risk(self):
+        pr = {"labels": [{"name": "tier:high"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_low_is_default_class(self):
+        pr = {"labels": [{"name": "tier:low"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_tier_medium_is_default_class(self):
+        # tier:medium alone is NOT high-risk (Option C — medium routes
+        # to the wider engineers OR-set).
+        pr = {"labels": [{"name": "tier:medium"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_security_label_is_high_risk(self):
+        pr = {"labels": [{"name": "tier:medium"}, {"name": "area:security"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_schema_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:schema"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_identity_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:identity"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_fleet_image_label_is_high_risk(self):
+        pr = {"labels": [{"name": "area:fleet-image"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_area_gate_meta_label_is_high_risk(self):
+        # Gate-meta = changes to sop-checklist/sop-tier-check itself.
+        pr = {"labels": [{"name": "area:gate-meta"}]}
+        self.assertTrue(sop.is_high_risk(pr, self.cfg))
+
+    def test_unknown_area_label_is_default_class(self):
+        pr = {"labels": [{"name": "area:docs"}]}
+        self.assertFalse(sop.is_high_risk(pr, self.cfg))
+
+
+class TestResolveRequiredTeams(unittest.TestCase):
+    """The team resolver picks the elevated list only for high-risk PRs
+    AND only when the item declares one — items without an elevated
+    list always use the default required_teams."""
+
+    def test_default_class_uses_default_teams(self):
+        item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=False),
+            ["engineers", "managers", "ceo"],
+        )
+
+    def test_high_risk_uses_elevated_teams(self):
+        item = {"required_teams": ["engineers", "managers", "ceo"], "required_teams_high_risk": ["ceo"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["ceo"],
+        )
+
+    def test_high_risk_without_elevated_falls_back_to_default(self):
+        # Items that don't declare required_teams_high_risk (e.g.
+        # comprehensive-testing, staging-smoke) are unaffected by risk-class.
+        item = {"required_teams": ["engineers"]}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["engineers"],
+        )
+
+    def test_empty_elevated_list_falls_back_to_default(self):
+        # A defensive case: required_teams_high_risk: [] should not
+        # silently lock out all approvers — fall back to the default
+        # so the gate stays satisfiable. (Tightening should remove the
+        # key, not set it to empty.)
+        item = {"required_teams": ["engineers"], "required_teams_high_risk": []}
+        self.assertEqual(
+            sop.resolve_required_teams(item, high_risk=True),
+            ["engineers"],
+        )
+
+
+class TestRootCauseAckEligibilityWidened(unittest.TestCase):
+    """Closes internal#442: a non-author engineers-team ack now satisfies
+    root-cause / no-backwards-compat for the default class.
+
+    The dead-managers/ceo-persona-token gridlock is the symptom; the
+    root cause is that sop-checklist ignored tier-class. These tests
+    pin the new wider-default behavior so it can't regress silently.
+    """
+
+    def setUp(self):
+        self.items = _items_by_slug()
+        self.aliases = _numeric_aliases()
+
+    @staticmethod
+    def _approve_only(allowed):
+        return lambda slug, users: [u for u in users if u in allowed]
+
+    def test_engineers_ack_satisfies_root_cause_default_class(self):
+        # Bob is in engineers only (not managers, not ceo). Default class.
+        comments = [_comment("bob", "/sop-ack root-cause")]
+        # Probe: bob is approved because root-cause now lists engineers.
+        probe = self._approve_only({"bob"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["root-cause"]["ackers"], ["bob"])
+
+    def test_engineers_ack_satisfies_no_backwards_compat_default_class(self):
+        comments = [_comment("bob", "/sop-ack no-backwards-compat")]
+        probe = self._approve_only({"bob"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["no-backwards-compat"]["ackers"], ["bob"])
+
+    def test_engineers_ack_alone_fails_root_cause_when_high_risk(self):
+        # High-risk PR: only ceo can ack. Engineers-only ack must fail.
+        comments = [_comment("bob", "/sop-ack root-cause")]
+        # Probe: bob is in engineers, not ceo. Under high_risk,
+        # required_teams_high_risk=[ceo] → bob is NOT approved.
+        # Probe receives the items + flag indirectly via main(); for
+        # the unit-test path we inject a probe that rejects bob.
+        probe = self._approve_only(set())  # nobody is in ceo
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=True
+        )
+        self.assertEqual(state["root-cause"]["ackers"], [])
+        self.assertIn("bob", state["root-cause"]["rejected"]["not_in_team"])
+
+    def test_ceo_ack_satisfies_root_cause_when_high_risk(self):
+        # High-risk PR + ceo-team approver → passes (the senior path).
+        comments = [_comment("hongming", "/sop-ack root-cause")]
+        probe = self._approve_only({"hongming"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=True
+        )
+        self.assertEqual(state["root-cause"]["ackers"], ["hongming"])
+
+    def test_self_ack_still_forbidden_even_with_widened_eligibility(self):
+        # Author cannot self-ack — widening teams must NOT weaken
+        # the non-author rule.
+        comments = [_comment("alice", "/sop-ack root-cause")]
+        probe = self._approve_only({"alice"})
+        state = sop.compute_ack_state(
+            comments, "alice", self.items, self.aliases, probe, high_risk=False
+        )
+        self.assertEqual(state["root-cause"]["ackers"], [])
+        self.assertIn("alice", state["root-cause"]["rejected"]["self_ack"])
+
+
+class TestHighRiskClassUsesElevatedListInConfig(unittest.TestCase):
+    """End-to-end: the shipped config + RFC#450 predicate must keep
+    root-cause / no-backwards-compat gated on ceo for high-risk PRs."""
+
+    def test_root_cause_high_risk_elevated_to_ceo_only(self):
+        items = _items_by_slug()
+        # tier:high alone makes the PR high-risk → root-cause needs ceo.
+        self.assertEqual(
+            sop.resolve_required_teams(items["root-cause"], high_risk=True),
+            ["ceo"],
+        )
+        # Default class accepts engineers/managers/ceo.
+        self.assertEqual(
+            sorted(sop.resolve_required_teams(items["root-cause"], high_risk=False)),
+            sorted(["engineers", "managers", "ceo"]),
+        )
+
+    def test_no_backwards_compat_high_risk_elevated_to_ceo_only(self):
+        items = _items_by_slug()
+        self.assertEqual(
+            sop.resolve_required_teams(items["no-backwards-compat"], high_risk=True),
+            ["ceo"],
+        )
+        self.assertEqual(
+            sorted(sop.resolve_required_teams(items["no-backwards-compat"], high_risk=False)),
+            sorted(["engineers", "managers", "ceo"]),
+        )
+
+    def test_other_items_unchanged_by_risk_class(self):
+        # Items without required_teams_high_risk are unaffected.
+        items = _items_by_slug()
+        for slug in (
+            "comprehensive-testing",
+            "local-postgres-e2e",
+            "staging-smoke",
+            "five-axis-review",
+            "memory-consulted",
+        ):
+            self.assertEqual(
+                sop.resolve_required_teams(items[slug], high_risk=False),
+                sop.resolve_required_teams(items[slug], high_risk=True),
+                f"item {slug} should not be affected by risk-class",
+            )
@@ -50,6 +50,34 @@ tier_failure_mode:
  "tier:low": soft
 default_mode: hard  # used when no tier:* label is present

+# High-risk class (RFC#450 Option C, governance-fix for internal#442).
+#
+# A PR is "high-risk" when ANY of the listed labels are applied OR when
+# the PR has `tier:high` (mechanically the strictest existing tier).
+# High-risk items use `required_teams_high_risk` (when present on the
+# item); non-high-risk items use the default `required_teams`.
+#
+# This closes the inconsistency that the SOP charter already mandates
+# `tier:high → ceo only` for the sibling `sop-tier-check` gate; the
+# sop-checklist's `root-cause` and `no-backwards-compat` items now
+# follow the same risk-classed two-eyes shape:
+#   - Default class (tier:low/medium, not high-risk): a non-author
+#     engineers/managers/ceo ack satisfies the item — 25+ live
+#     identities, no dependency on a dead/inactive senior persona
+#     token.
+#   - High-risk class (tier:high OR any high_risk_label): still
+#     requires a non-author ceo ack (durable human team).
+#
+# Tightening: add labels to high_risk_labels.
+# Loosening: remove labels.
+high_risk_labels:
+  - "risk:high"
+  - "area:security"
+  - "area:schema"
+  - "area:fleet-image"
+  - "area:identity"
+  - "area:gate-meta"
+
 items:
  - slug: comprehensive-testing
    numeric_alias: 1
@@ -78,11 +106,15 @@ items:
  - slug: root-cause
    numeric_alias: 4
    pr_section_marker: "Root-cause not symptom"
-    required_teams: [managers, ceo]
+    required_teams: [engineers, managers, ceo]
+    required_teams_high_risk: [ceo]
    description: >-
-      One-sentence root-cause statement. Ack from managers tier
-      (team-leads) or ceo. Senior judgment required to attest
-      root-cause-versus-symptom.
+      One-sentence root-cause statement. Default class: non-author
+      engineers/managers/ceo ack suffices (engineers can attest
+      root-cause-vs-symptom for routine fixes). High-risk class
+      (see `high_risk_labels`): non-author ceo ack required —
+      senior judgment for irreversible/security/identity/gate
+      changes. Closes internal#442 + tracks RFC#450.

  - slug: five-axis-review
    numeric_alias: 5
@@ -95,10 +127,14 @@ items:
  - slug: no-backwards-compat
    numeric_alias: 6
    pr_section_marker: "No backwards-compat shim / dead code added"
-    required_teams: [managers, ceo]
+    required_teams: [engineers, managers, ceo]
+    required_teams_high_risk: [ceo]
    description: >-
-      Yes/no + justification if no. Senior ack required because
-      backward-compat shims are how dead-code accretes.
+      Yes/no + justification if no. Default class: non-author
+      engineers/managers/ceo ack suffices. High-risk class
+      (see `high_risk_labels`): non-author ceo ack required —
+      senior judgment for shim-versus-real-fix on irreversible
+      surfaces. Closes internal#442 + tracks RFC#450.

  - slug: memory-consulted
    numeric_alias: 7
@@ -158,8 +158,68 @@ jobs:
            echo "NOTE: No warning in output (may be suppressed by log level)"
          fi

+      - name: Reproduce openclaw failure — pipe held OPEN, no EOF
+        run: |
+          set -euo pipefail
+          echo "=== keep-stdin-open pipe (the real openclaw / Claude Code case) ==="
+          echo ""
+          echo "Before the readline() fix this HANGS: main() did"
+          echo "  stdin.read(65536)  -> on a pipe, blocks until 64KB OR EOF."
+          echo "An MCP client sends one ~150B initialize and keeps stdin"
+          echo "open waiting for the response, so the server never parsed"
+          echo "the request and the client timed out (openclaw: 'MCP error"
+          echo "-32000: Connection closed'). The earlier regular-file /"
+          echo "heredoc-pipe steps PASSED through this bug because a file"
+          echo "(or a closing heredoc) yields EOF immediately."
+          echo ""
+
+          # Drive the server through a real pipe that stays OPEN: write
+          # one initialize, do NOT close stdin, and require a response
+          # within a hard timeout. read(65536) -> no output -> timeout
+          # kills it -> FAIL. readline() -> immediate response -> PASS.
+          python - <<'PYEOF'
+          import json, subprocess, sys, time, select
+
+          proc = subprocess.Popen(
+              [sys.executable, "a2a_mcp_server.py"],
+              stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+              stderr=subprocess.STDOUT,
+              env={**__import__("os").environ},
+          )
+          req = json.dumps({
+              "jsonrpc": "2.0", "id": 1, "method": "initialize",
+              "params": {"protocolVersion": "2024-11-05",
+                         "capabilities": {},
+                         "clientInfo": {"name": "keepopen", "version": "1"}},
+          }) + "\n"
+          proc.stdin.write(req.encode())
+          proc.stdin.flush()
+          # Deliberately DO NOT close proc.stdin — mirror a live MCP client.
+
+          deadline = time.time() + 15
+          line = b""
+          while time.time() < deadline:
+              r, _, _ = select.select([proc.stdout], [], [], 1)
+              if r:
+                  line = proc.stdout.readline()
+                  if line:
+                      break
+          proc.kill()
+
+          if not line:
+              print("FAIL: no response within 15s on an open pipe — "
+                    "stdin.read(65536) regression is back")
+              sys.exit(1)
+          resp = json.loads(line.decode())
+          assert resp.get("id") == 1 and "result" in resp, \
+              f"unexpected response: {line[:200]!r}"
+          assert resp["result"]["serverInfo"]["name"] == "molecule", \
+              f"wrong serverInfo: {line[:200]!r}"
+          print("PASS: server answered initialize on a still-open pipe")
+          PYEOF
+
      - name: Run unit tests for stdio transport
        run: |
          set -euo pipefail
          echo "=== Running stdio transport unit tests ==="
-          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion -v --no-cov
+          python -m pytest tests/test_a2a_mcp_server.py::TestStdioPipeAssertion tests/test_a2a_mcp_server.py::TestStdioKeepOpenPipe -v --no-cov
@@ -397,18 +397,23 @@ jobs:
            scripts/promote-tenant-image.sh \
            scripts/test-promote-tenant-image.sh

+  # mc#959 root-fix (sre)
+
  canvas-deploy-reminder:
    name: Canvas Deploy Reminder
    runs-on: ubuntu-latest
-    # This job must run on PRs because all-required needs it. The step exits
-    # 0 when it is not a main push, giving branch protection a green no-op
-    # instead of a skipped/missing required dependency.
-    needs: canvas-build
+    # mc#774 root-fix: added job-level `if:` so ci-required-drift.py's
+    # ci_job_names() detects this as github.ref-gated and skips it from F1.
+    # The step-level exit 0 handles the "not main push" case; the job-level
+    # `if:` makes the gating explicit so the drift script sees it.
+    # Runs on both main and staging pushes; step exits 0 when not applicable.
+    if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging' }}
+    needs: [changes, canvas-build]
    steps:
      - name: Write deploy reminder to step summary
        env:
          COMMIT_SHA: ${{ github.sha }}
-          CANVAS_CHANGED: "true"
+          CANVAS_CHANGED: ${{ needs.changes.outputs.canvas }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref }}
          # github.server_url resolves via the workflow-level env override
@@ -533,11 +538,13 @@ jobs:
  all-required:
    # Aggregator sentinel — RFC internal#219 §2 (Phase 4 — closes internal#286).
    #
-    # Single stable required-status name that branch protection points at;
-    # CI churns underneath in `needs:` without any protection edits. Mirrors
-    # the molecule-controlplane Phase 2a impl shipped in CP PR#112 and
-    # referenced by `internal#286` ("Phase 4 is a single small PR... mirrors
-    # CP's existing one").
+    # Emits `CI / all-required (<event>)` where <event> is the workflow trigger
+    # (e.g. `CI / all-required (pull_request)`, `CI / all-required (push)`).
+    # Branch protection MUST be updated to require the event-suffixed name —
+    # requiring `CI / all-required` (bare, no suffix) silently blocks all merges
+    # because Gitea treats absent status contexts as pending (not skipped), and
+    # no workflow emits the bare name. Fixed: BP now requires
+    # `CI / all-required (pull_request)` per issue #1473.
    #
    # Closes the failure mode where status_check_contexts on molecule-core/main
    # only listed `Secret scan` + `sop-tier-check` (the 2 meta-gates), so real
@@ -0,0 +1,288 @@
+name: E2E Chat
+
+# Comprehensive Playwright E2E for the unified chat stack (desktop
+# ChatTab + mobile MobileChat). Runs on every PR that touches canvas,
+# workspace-server, or this workflow file.
+#
+# Architecture:
+#   1. Ephemeral Postgres + Redis (docker, unique container names)
+#   2. workspace-server built from source, started with
+#      MOLECULE_ENV=development (fail-open auth)
+#   3. canvas dev server (npm run dev) on :3000
+#   4. Playwright tests create workspaces via API, point them at an
+#      in-process echo runtime, and exercise the full send/receive
+#      round-trip through the browser.
+#
+# Parallel-safety: same pattern as e2e-api.yml — per-run container names
+# and ephemeral host ports so concurrent jobs on the host-network runner
+# don't collide.
+
+on:
+  push:
+    branches: [main, staging]
+  pull_request:
+    branches: [main, staging]
+
+concurrency:
+  group: e2e-chat-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # bp-exempt: helper job; real gate is E2E Chat / E2E Chat (pull_request)
+  detect-changes:
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    continue-on-error: true
+    outputs:
+      chat: ${{ steps.decide.outputs.chat }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - id: decide
+        run: |
+          BASE="${GITHUB_BASE_REF:-${{ github.event.before }}}"
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ -n "${{ github.event.pull_request.base.sha }}" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          fi
+          if [ -z "$BASE" ] || echo "$BASE" | grep -qE '^0+$'; then
+            echo "chat=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            git fetch --depth=1 origin "$BASE" 2>/dev/null || true
+          fi
+          if ! git cat-file -e "$BASE" 2>/dev/null; then
+            echo "chat=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          CHANGED=$(git diff --name-only "$BASE" HEAD)
+          if echo "$CHANGED" | grep -qE '^(canvas/|workspace-server/|\.gitea/workflows/e2e-chat\.yml$)'; then
+            echo "chat=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "chat=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  # bp-required: pending #1142 — new E2E check; add to branch protection after 3 green runs.
+  e2e-chat:
+    needs: detect-changes
+    name: E2E Chat
+    runs-on: ubuntu-latest
+    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
+    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
+    continue-on-error: true
+    timeout-minutes: 15
+    env:
+      PG_CONTAINER: pg-e2e-chat-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-chat-${{ github.run_id }}-${{ github.run_attempt }}
+    steps:
+      - name: No-op pass (paths filter excluded this commit)
+        if: needs.detect-changes.outputs.chat != 'true'
+        run: |
+          echo "No canvas / workspace-server / workflow changes — E2E Chat gate satisfied without running tests."
+          echo "::notice::E2E Chat no-op pass (paths filter excluded this commit)."
+
+      - if: needs.detect-changes.outputs.chat == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - if: needs.detect-changes.outputs.chat == 'true'
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+
+      - if: needs.detect-changes.outputs.chat == 'true'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: canvas/package-lock.json
+
+      - name: Start Postgres (docker)
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$PG_PORT" ]; then
+            PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            exit 1
+          fi
+          echo "PG_PORT=${PG_PORT}" >> "$GITHUB_ENV"
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          echo "E2E_DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            if docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1; then
+              echo "Postgres ready after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Postgres did not become ready in 30s"
+          exit 1
+
+      - name: Start Redis (docker)
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          if [ -z "$REDIS_PORT" ]; then
+            REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          fi
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            exit 1
+          fi
+          echo "REDIS_PORT=${REDIS_PORT}" >> "$GITHUB_ENV"
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            if docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG; then
+              echo "Redis ready after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Redis did not become ready in 15s"
+          exit 1
+
+      - name: Build platform
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+
+      - name: Pick platform port
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          PLATFORM_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "PLATFORM_PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "E2E_PLATFORM_URL=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "Platform host port: ${PLATFORM_PORT}"
+
+      - name: Pick canvas port
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          CANVAS_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "CANVAS_PORT=${CANVAS_PORT}" >> "$GITHUB_ENV"
+          echo "Canvas host port: ${CANVAS_PORT}"
+
+      - name: Start platform (background)
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: workspace-server
+        run: |
+          export MOLECULE_ENV=development
+          export DATABASE_URL="${DATABASE_URL}"
+          export REDIS_URL="${REDIS_URL}"
+          export PORT="${PLATFORM_PORT}"
+          export CORS_ORIGINS="http://localhost:3000,http://localhost:3001,http://localhost:${CANVAS_PORT},http://127.0.0.1:${CANVAS_PORT}"
+          ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+
+      - name: Wait for /health
+        if: needs.detect-changes.outputs.chat == 'true'
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sf "http://127.0.0.1:${PLATFORM_PORT}/health" > /dev/null; then
+              echo "Platform up after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Platform did not become healthy in 30s"
+          cat workspace-server/platform.log || true
+          exit 1
+
+      - name: Install canvas dependencies
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: canvas
+        run: npm ci
+
+      - name: Install Playwright browsers
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: canvas
+        run: npx playwright install --with-deps chromium
+
+      - name: Start canvas dev server (background)
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: canvas
+        run: |
+          export NEXT_PUBLIC_PLATFORM_URL="http://127.0.0.1:${PLATFORM_PORT}"
+          export NEXT_PUBLIC_WS_URL="ws://127.0.0.1:${PLATFORM_PORT}/ws"
+          npx next dev --turbopack -p "${CANVAS_PORT}" > canvas.log 2>&1 &
+          echo $! > canvas.pid
+          for i in $(seq 1 30); do
+            if curl -sf "http://localhost:${CANVAS_PORT}" > /dev/null 2>&1; then
+              echo "Canvas up after ${i}s"
+              exit 0
+            fi
+            sleep 1
+          done
+          echo "::error::Canvas did not start in 30s"
+          cat canvas.log || true
+          exit 1
+
+      - name: Run Playwright E2E tests
+        if: needs.detect-changes.outputs.chat == 'true'
+        working-directory: canvas
+        run: |
+          export E2E_PLATFORM_URL="http://127.0.0.1:${PLATFORM_PORT}"
+          export E2E_DATABASE_URL="${DATABASE_URL}"
+          export PLAYWRIGHT_BASE_URL="http://localhost:${CANVAS_PORT}"
+          npx playwright test e2e/chat-desktop.spec.ts e2e/chat-mobile.spec.ts
+
+      - name: Dump platform log on failure
+        if: failure() && needs.detect-changes.outputs.chat == 'true'
+        run: cat workspace-server/platform.log || true
+
+      - name: Dump canvas log on failure
+        if: failure() && needs.detect-changes.outputs.chat == 'true'
+        run: cat canvas/canvas.log || true
+
+      - name: Upload Playwright report
+        if: failure() && needs.detect-changes.outputs.chat == 'true'
+        uses: actions/upload-artifact@v3.2.2
+        with:
+          name: playwright-report-chat
+          path: canvas/playwright-report/
+
+      - name: Stop canvas
+        if: always() && needs.detect-changes.outputs.chat == 'true'
+        run: |
+          if [ -f canvas/canvas.pid ]; then
+            kill "$(cat canvas/canvas.pid)" 2>/dev/null || true
+          fi
+
+      - name: Stop platform
+        if: always() && needs.detect-changes.outputs.chat == 'true'
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+
+      - name: Stop service containers
+        if: always() && needs.detect-changes.outputs.chat == 'true'
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
@@ -0,0 +1,397 @@
+name: E2E Peer Visibility (literal MCP list_peers)
+
+# WHY A DEDICATED WORKFLOW (not folded into e2e-staging-saas.yml)
+# --------------------------------------------------------------
+# This is the systemic fix for a real trust failure. Hermes and OpenClaw
+# were reported "fleet-verified / cascade-complete" because the *proxy*
+# signals were green (registry registration + heartbeat for Hermes; model
+# round-trip 200 for OpenClaw). A freshly-provisioned workspace asked on
+# canvas "can you see your peers" actually FAILS:
+#   - Hermes: 401 on the molecule MCP `list_peers` call
+#   - OpenClaw: native `sessions_list` fallback, sees no platform peers
+# Tasks #142/#159 were even marked "completed" under this proxy flaw.
+#
+# A dedicated workflow (vs extending e2e-staging-saas.yml) because:
+#   - It must provision MULTIPLE distinct runtimes (hermes, openclaw,
+#     claude-code) in ONE org and assert each sees the others. The
+#     full-saas script is single-runtime-per-run (E2E_RUNTIME) and folding
+#     a multi-runtime matrix into it would conflate concerns and bloat its
+#     already-45-min run.
+#   - It needs its own concurrency group so it doesn't fight full-saas /
+#     canvas for the staging org-creation quota.
+#   - It needs an independent, non-required status-context name so it can
+#     be RED today (the in-flight Hermes-401 / OpenClaw-MCP-wiring fixes
+#     have not landed) WITHOUT wedging unrelated merges — and flipped to
+#     REQUIRED in one branch-protection edit once it goes green
+#     (flip-to-required checklist: molecule-core#1296).
+#
+# THE ASSERTION IS NOT A PROXY. The driving script
+# tests/e2e/test_peer_visibility_mcp_staging.sh issues the byte-for-byte
+# JSON-RPC `tools/call name=list_peers` envelope to `POST
+# /workspaces/:id/mcp` using each workspace's OWN bearer token, through
+# the real WorkspaceAuth + MCPRateLimiter middleware chain — the exact
+# call mcp_molecule_list_peers makes from a canvas agent. It does NOT
+# read a registry row, /health, the heartbeat table, or
+# GET /registry/:id/peers.
+#
+# HONEST GATE — NO continue-on-error. Per feedback_fix_root_not_symptom a
+# fake-green mask would defeat the entire purpose. This workflow goes red
+# on today's broken behavior and green only when the root-cause fixes
+# actually land. It is intentionally NOT in branch_protections — see PR
+# body for the required-vs-not decision + flip tracking issue.
+#
+# Gitea 1.22.6 / act_runner notes honored:
+#   - No cross-repo `uses:` (feedback_gitea_cross_repo_uses_blocked). The
+#     actions/checkout SHA is the one e2e-staging-canvas.yml already uses
+#     successfully (a mirrored SHA — see #1277/PR#1292 root-cause).
+#   - Per-SHA concurrency, not global (feedback_concurrency_group_per_sha).
+#   - Workflow-level GITHUB_SERVER_URL pinned
+#     (feedback_act_runner_github_server_url).
+#   - pr-validate posts a status under the same check name so a
+#     workflow-only PR is not silently statusless and the context is
+#     flip-to-required-ready (mirrors e2e-staging-saas.yml's proven shape;
+#     real EC2-provisioning E2E is push/dispatch/cron only — it is 30+ min
+#     and cannot run per-PR-update).
+#
+# LOCAL BACKEND (added 2026-05-15 — feedback_local_must_mimic_production,
+# feedback_mandatory_local_e2e_before_ship, feedback_local_test_before_
+# staging_e2e)
+# --------------------------------------------------------------------
+# The standing rule is that the local prod-mimic stack runs a MANDATORY
+# local-Postgres E2E BEFORE staging E2E. A staging-only peer-visibility
+# gate caught regressions late + expensively (cold EC2). The
+# `peer-visibility-local` job below runs the SAME byte-identical
+# assertion (tests/e2e/lib/peer_visibility_assert.sh) against the local
+# docker-compose stack — built + booted exactly like e2e-api.yml's
+# proven E2E API Smoke Test job (ephemeral pg/redis ports, go build,
+# background platform-server). It runs on PR + push (local boot is
+# minutes, not the 30+ min cold-EC2 path), so peer-visibility is part of
+# the local gate that fires before the staging E2E.
+#
+# It is its OWN non-required status context `E2E Peer Visibility (local)`
+# — same non-required-by-design decision as the staging job (red until
+# Hermes-401 #162 / OpenClaw-never-online #165 land; flip-to-required
+# tracked at molecule-core#1296). It is an HONEST gate: NO
+# continue-on-error mask (feedback_fix_root_not_symptom). It is kept a
+# distinct context (not folded into e2e-api.yml's required `E2E API
+# Smoke Test`) precisely so a deliberately-RED-today gate cannot wedge
+# the required local-E2E job or any unrelated merge.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/mcp.go'
+      - 'workspace-server/internal/handlers/mcp_tools.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace/a2a_mcp_server.py'
+      - 'workspace/platform_tools/registry.py'
+      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
+      - 'tests/e2e/lib/peer_visibility_assert.sh'
+      - '.gitea/workflows/e2e-peer-visibility.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'workspace-server/internal/handlers/mcp.go'
+      - 'workspace-server/internal/handlers/mcp_tools.go'
+      - 'workspace-server/internal/middleware/**'
+      - 'workspace-server/internal/handlers/registry.go'
+      - 'workspace-server/internal/handlers/workspace.go'
+      - 'workspace/a2a_mcp_server.py'
+      - 'workspace/platform_tools/registry.py'
+      - 'tests/e2e/test_peer_visibility_mcp_staging.sh'
+      - 'tests/e2e/test_peer_visibility_mcp_local.sh'
+      - 'tests/e2e/lib/peer_visibility_assert.sh'
+      - '.gitea/workflows/e2e-peer-visibility.yml'
+  workflow_dispatch:
+  schedule:
+    # 07:30 UTC daily — catches AMI / template-hermes / template-openclaw
+    # drift even on quiet days. Offset 30m from e2e-staging-saas (07:00)
+    # so the two don't collide on the staging org-creation quota.
+    - cron: '30 7 * * *'
+
+concurrency:
+  # Per-SHA (feedback_concurrency_group_per_sha). A single global group
+  # would let a queued staging/main push behind a PR run get cancelled,
+  # leaving any gate that reads "completed run at SHA" stuck.
+  group: e2e-peer-visibility-${{ github.event.pull_request.head.sha || github.sha }}
+  cancel-in-progress: false
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  # PR path: post a real status under the required-ready check name so a
+  # workflow-only PR is never silently statusless. The actual EC2 E2E is
+  # push/dispatch/cron only (30+ min). This is NOT a fake-green mask of
+  # the real assertion — it validates the driving script's bash syntax
+  # and inline-python so a broken test script fails at PR time.
+  pr-validate:
+    name: E2E Peer Visibility
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Validate driving scripts + shared assertion lib
+        run: |
+          bash -n tests/e2e/lib/peer_visibility_assert.sh
+          echo "lib/peer_visibility_assert.sh — bash syntax OK"
+          bash -n tests/e2e/test_peer_visibility_mcp_staging.sh
+          echo "test_peer_visibility_mcp_staging.sh — bash syntax OK"
+          bash -n tests/e2e/test_peer_visibility_mcp_local.sh
+          echo "test_peer_visibility_mcp_local.sh — bash syntax OK"
+          echo "Staging fresh-provision MCP list_peers E2E runs on push to"
+          echo "main / workflow_dispatch / daily cron (30+ min EC2 boot)."
+          echo "The LOCAL backend runs in the peer-visibility-local job"
+          echo "below on this same PR (local docker-compose stack)."
+
+  # LOCAL gate: same byte-identical assertion against the local prod-mimic
+  # docker-compose stack — the MANDATORY local-E2E that must run BEFORE
+  # the staging E2E (feedback_mandatory_local_e2e_before_ship,
+  # feedback_local_test_before_staging_e2e). Bootstrap mirrors
+  # e2e-api.yml's proven E2E API Smoke Test job (per-run container names +
+  # ephemeral host ports so concurrent host-network act_runner runs don't
+  # collide; go build; background platform-server). Its OWN non-required
+  # status context `E2E Peer Visibility (local)` — non-required-by-design
+  # exactly like the staging job (red until #162/#165 land;
+  # flip-to-required tracked at molecule-core#1296). HONEST gate, NO
+  # continue-on-error mask (feedback_fix_root_not_symptom). Runs on PR +
+  # push (local boot is minutes, not the 30+ min cold-EC2 path).
+  # bp-required: pending #1296
+  peer-visibility-local:
+    name: E2E Peer Visibility (local)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      # Per-run names + ephemeral ports — same collision-avoidance as
+      # e2e-api.yml (host-network act_runner; feedback_act_runner_*).
+      PG_CONTAINER: pg-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
+      REDIS_CONTAINER: redis-e2e-pv-${{ github.run_id }}-${{ github.run_attempt }}
+      # LLM keys so hermes/openclaw can actually boot. The local script
+      # SKIPs (not fails) any runtime whose key is absent, so a partially
+      # keyed CI env still exercises whatever it can.
+      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.E2E_CLAUDE_CODE_OAUTH_TOKEN }}
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
+      PV_RUNTIMES: "hermes openclaw claude-code"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version: 'stable'
+          cache: true
+          cache-dependency-path: workspace-server/go.sum
+      - name: Pre-pull alpine + ensure provisioner network
+        run: |
+          docker pull alpine:latest >/dev/null
+          docker network create molecule-core-net >/dev/null 2>&1 || true
+          echo "alpine:latest pre-pulled; molecule-core-net ensured."
+      - name: Start Postgres (docker, ephemeral port)
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$PG_CONTAINER" \
+            -e POSTGRES_USER=dev -e POSTGRES_PASSWORD=dev -e POSTGRES_DB=molecule \
+            -p 0:5432 postgres:16 >/dev/null
+          PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -n "$PG_PORT" ] || PG_PORT=$(docker port "$PG_CONTAINER" 5432/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$PG_PORT" ]; then
+            echo "::error::Could not resolve host port for $PG_CONTAINER"
+            docker logs "$PG_CONTAINER" || true; exit 1
+          fi
+          echo "DATABASE_URL=postgres://dev:dev@127.0.0.1:${PG_PORT}/molecule?sslmode=disable" >> "$GITHUB_ENV"
+          for i in $(seq 1 30); do
+            docker exec "$PG_CONTAINER" pg_isready -U dev >/dev/null 2>&1 && { echo "Postgres ready after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Postgres did not become ready in 30s"; docker logs "$PG_CONTAINER" || true; exit 1
+      - name: Start Redis (docker, ephemeral port)
+        run: |
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+          docker run -d --name "$REDIS_CONTAINER" -p 0:6379 redis:7 >/dev/null
+          REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | awk -F: '/^0\.0\.0\.0:/ {print $2; exit}')
+          [ -n "$REDIS_PORT" ] || REDIS_PORT=$(docker port "$REDIS_CONTAINER" 6379/tcp | head -1 | awk -F: '{print $NF}')
+          if [ -z "$REDIS_PORT" ]; then
+            echo "::error::Could not resolve host port for $REDIS_CONTAINER"
+            docker logs "$REDIS_CONTAINER" || true; exit 1
+          fi
+          echo "REDIS_URL=redis://127.0.0.1:${REDIS_PORT}" >> "$GITHUB_ENV"
+          for i in $(seq 1 15); do
+            docker exec "$REDIS_CONTAINER" redis-cli ping 2>/dev/null | grep -q PONG && { echo "Redis ready after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Redis did not become ready in 15s"; docker logs "$REDIS_CONTAINER" || true; exit 1
+      - name: Build platform
+        working-directory: workspace-server
+        run: go build -o platform-server ./cmd/server
+      - name: Pick platform port
+        run: |
+          PLATFORM_PORT=$(python3 - <<'PY'
+          import socket
+          with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+              s.bind(("127.0.0.1", 0))
+              print(s.getsockname()[1])
+          PY
+          )
+          echo "PORT=${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "BASE=http://127.0.0.1:${PLATFORM_PORT}" >> "$GITHUB_ENV"
+          echo "Platform host port: ${PLATFORM_PORT}"
+      - name: Kill stale platform-server before start
+        run: |
+          killed=0
+          for pid in $(grep -l "platform-serve" /proc/[0-9]*/comm 2>/dev/null); do
+            kpid="${pid%/comm}"; kpid="${kpid##*/}"
+            cmdline=$(cat "/proc/${kpid}/cmdline" 2>/dev/null | tr '\0' ' ')
+            if echo "$cmdline" | grep -q "platform-server"; then
+              echo "Killing stale platform-server pid ${kpid}"
+              kill "$kpid" 2>/dev/null || true; killed=$((killed + 1))
+            fi
+          done
+          [ "$killed" -gt 0 ] && sleep 2 || true
+          echo "stale-kill done ($killed killed)"
+      - name: Start platform (background)
+        working-directory: workspace-server
+        run: |
+          ./platform-server > platform.log 2>&1 &
+          echo $! > platform.pid
+      - name: Wait for /health
+        run: |
+          for i in $(seq 1 30); do
+            curl -sf "$BASE/health" > /dev/null && { echo "Platform up after ${i}s"; exit 0; }
+            sleep 1
+          done
+          echo "::error::Platform did not become healthy in 30s"
+          cat workspace-server/platform.log || true; exit 1
+      - name: Run LOCAL fresh-provision peer-visibility E2E (literal MCP list_peers)
+        # HONEST gate — NO continue-on-error. Red today (Hermes-401 #162 /
+        # OpenClaw-never-online #165 not yet fixed); green when they land.
+        # Non-required-by-design via its distinct status context until the
+        # molecule-core#1296 flip-to-required.
+        run: bash tests/e2e/test_peer_visibility_mcp_local.sh
+      - name: Dump platform log on failure
+        if: failure()
+        run: cat workspace-server/platform.log || true
+      - name: Stop platform
+        if: always()
+        run: |
+          if [ -f workspace-server/platform.pid ]; then
+            kill "$(cat workspace-server/platform.pid)" 2>/dev/null || true
+          fi
+      - name: Stop service containers
+        if: always()
+        run: |
+          docker rm -f "$PG_CONTAINER" 2>/dev/null || true
+          docker rm -f "$REDIS_CONTAINER" 2>/dev/null || true
+
+  # Real STAGING gate: provisions a throwaway org + sibling-per-runtime,
+  # drives the LITERAL list_peers MCP call per runtime, asserts 200 +
+  # expected peer set, then scoped teardown. push(main)/dispatch/cron only.
+  peer-visibility:
+    name: E2E Peer Visibility
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    timeout-minutes: 60
+
+    env:
+      MOLECULE_CP_URL: https://staging-api.moleculesai.app
+      MOLECULE_ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+      # LLM provider key so each runtime can authenticate at boot.
+      # Priority MiniMax → direct-Anthropic → OpenAI matches
+      # test_staging_full_saas.sh's secrets-injection chain.
+      E2E_MINIMAX_API_KEY: ${{ secrets.MOLECULE_STAGING_MINIMAX_API_KEY }}
+      E2E_ANTHROPIC_API_KEY: ${{ secrets.MOLECULE_STAGING_ANTHROPIC_API_KEY }}
+      E2E_OPENAI_API_KEY: ${{ secrets.MOLECULE_STAGING_OPENAI_API_KEY }}
+      E2E_RUN_ID: "${{ github.run_id }}-${{ github.run_attempt }}"
+      PV_RUNTIMES: "hermes openclaw claude-code"
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Verify admin token present
+        run: |
+          if [ -z "$MOLECULE_ADMIN_TOKEN" ]; then
+            echo "::error::CP_STAGING_ADMIN_API_TOKEN secret not set (Railway staging CP_ADMIN_API_TOKEN)"
+            exit 2
+          fi
+          echo "Admin token present"
+
+      - name: Verify an LLM key present
+        run: |
+          if [ -z "${E2E_MINIMAX_API_KEY:-}" ] && [ -z "${E2E_ANTHROPIC_API_KEY:-}" ] && [ -z "${E2E_OPENAI_API_KEY:-}" ]; then
+            echo "::error::No LLM provider key set — workspaces fail at boot with 'No provider API key found'. Set MOLECULE_STAGING_MINIMAX_API_KEY (or ANTHROPIC / OPENAI)."
+            exit 2
+          fi
+          echo "LLM key present"
+
+      - name: CP staging health preflight
+        run: |
+          code=$(curl -sS -o /dev/null -w "%{http_code}" --max-time 10 "$MOLECULE_CP_URL/health")
+          if [ "$code" != "200" ]; then
+            echo "::error::Staging CP unhealthy (HTTP $code) — infra, not a workspace bug. Failing loud per feedback_fix_root_not_symptom."
+            exit 1
+          fi
+          echo "Staging CP healthy"
+
+      - name: Run fresh-provision peer-visibility E2E (literal MCP list_peers)
+        run: bash tests/e2e/test_peer_visibility_mcp_staging.sh
+
+      # Belt-and-braces scoped teardown: the script installs an EXIT/INT/
+      # TERM trap, but if the runner itself is cancelled the trap may not
+      # fire. This always() step deletes ONLY the e2e-pv-<run_id> org this
+      # run created — never a cluster-wide sweep
+      # (feedback_never_run_cluster_cleanup_tests_on_live_platform). The
+      # admin DELETE is idempotent so double-invoking is safe;
+      # sweep-stale-e2e-orgs is the final net (slug starts with 'e2e-').
+      - name: Teardown safety net (runs on cancel/failure)
+        if: always()
+        env:
+          ADMIN_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
+        run: |
+          set +e
+          orgs=$(curl -sS "$MOLECULE_CP_URL/cp/admin/orgs?limit=500" \
+            -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null \
+            | python3 -c "
+          import json, sys, os, datetime
+          run_id = os.environ.get('GITHUB_RUN_ID', '')
+          try:
+              d = json.load(sys.stdin)
+          except Exception:
+              print(''); sys.exit(0)
+          # ONLY sweep slugs from THIS run. e2e-pv-<YYYYMMDD>-<run_id>-...
+          # Sweep today AND yesterday's UTC date so a midnight-crossing run
+          # still matches its own slug (same bug class as the saas/canvas
+          # safety nets).
+          today = datetime.date.today()
+          yest = today - datetime.timedelta(days=1)
+          dates = (today.strftime('%Y%m%d'), yest.strftime('%Y%m%d'))
+          if run_id:
+              prefixes = tuple(f'e2e-pv-{dt}-{run_id}-' for dt in dates)
+          else:
+              prefixes = tuple(f'e2e-pv-{dt}-' for dt in dates)
+          orgs = d if isinstance(d, list) else d.get('orgs', [])
+          cands = [o['slug'] for o in orgs
+                   if any(o.get('slug','').startswith(p) for p in prefixes)
+                   and o.get('instance_status') not in ('purged',)]
+          print('\n'.join(cands))
+          " 2>/dev/null)
+          for slug in $orgs; do
+            echo "Safety-net teardown: $slug"
+            set +e
+            curl -sS -o /tmp/pv-cleanup.out -w "%{http_code}" \
+              -X DELETE "$MOLECULE_CP_URL/cp/admin/tenants/$slug" \
+              -H "Authorization: Bearer $ADMIN_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d "{\"confirm\":\"$slug\"}" >/tmp/pv-cleanup.code
+            set -e
+            code=$(cat /tmp/pv-cleanup.code 2>/dev/null || echo "000")
+            if [ "$code" = "200" ] || [ "$code" = "204" ]; then
+              echo "[teardown] deleted $slug (HTTP $code)"
+            else
+              echo "::warning::pv teardown for $slug returned HTTP $code — sweep-stale-e2e-orgs will catch it within MAX_AGE_MINUTES. Body: $(head -c 300 /tmp/pv-cleanup.out 2>/dev/null)"
+            fi
+          done
+          exit 0
@@ -52,5 +52,9 @@ jobs:
          # explicitly instead of the combined state avoids false-pause when
          # non-blocking jobs (continue-on-error: true) have failed — those
          # failures pollute combined state but do not gate merges.
+          # NOTE: the event-suffixed context name is intentional — branch protection
+          # MUST require `CI / all-required (pull_request)` (with suffix), NOT the
+          # bare `CI / all-required`. Gitea treats absent contexts as pending, not
+          # skipped; requiring the bare name silently blocks all merges (issue #1473).
          PUSH_REQUIRED_CONTEXTS: CI / all-required (push)
        run: python3 .gitea/scripts/gitea-merge-queue.py
@@ -0,0 +1,168 @@
+name: Lint forbidden tenant-env keys
+
+# RFC#523 Layer 3 (task #146): scan workspace_secrets-writer Go code
+# under workspace-server/ for new code that hardcodes a forbidden
+# operator-scope env var NAME (GITEA_TOKEN, CP_ADMIN_API_TOKEN,
+# RAILWAY_TOKEN, INFISICAL_OPERATOR_TOKEN, MOLECULE_OPERATOR_*, …).
+#
+# Catches the class "a new writer accidentally widens the propagation
+# set" — e.g. a future env-mutator plugin that sets envVars["GITEA_TOKEN"]
+# directly. Today the L1 runtime guard would abort the provision, but
+# this lint surfaces the offending code at PR review time instead of
+# at first provision attempt.
+#
+# Companion layers:
+#   - L1: workspace-server/internal/handlers/workspace_provision_forbidden_env.go
+#         (fail-closed abort at provision time)
+#   - L2: workspace/entrypoint.sh top-of-file env-grep + exit 1
+#
+# Open-source-template-friendly: the deny pattern is generic. A fork
+# can copy this workflow and replace OPERATOR_KEY_PATTERN with its
+# own operator-scope key names.
+#
+# Path-filter discipline:
+#   This workflow runs on every PR (no paths: filter — see
+#   feedback_path_filtered_workflow_cant_be_required). The scan itself
+#   targets workspace_secrets-writer paths via grep -r; it's fast
+#   (sub-second) so unconditional run is fine.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, staging]
+
+env:
+  GITHUB_SERVER_URL: https://git.moleculesai.app
+
+jobs:
+  scan:
+    name: Scan workspace_secrets writers for forbidden env keys
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+
+      - name: Scan for forbidden operator-scope env key NAMES in writer paths
+        run: |
+          set -euo pipefail
+
+          # Forbidden EXACT-MATCH env var names. Kept in lockstep with
+          # workspace-server/internal/handlers/workspace_provision_forbidden_env.go
+          # forbiddenTenantEnvKeys. The Go-side test
+          # TestIsForbiddenTenantEnvKey_ExactMatches is the source of
+          # truth — if Go-side adds a key, also add it here (and
+          # vice-versa). Drift between the two is the failure mode this
+          # entire 3-layer guardrail is designed to catch.
+          FORBIDDEN_KEYS=(
+            "GITEA_TOKEN" "GITEA_PAT"
+            "GITHUB_TOKEN" "GITHUB_PAT" "GH_TOKEN"
+            "GITLAB_TOKEN" "GL_TOKEN"
+            "BITBUCKET_TOKEN"
+            "CP_ADMIN_API_TOKEN" "CP_ADMIN_TOKEN"
+            "INFISICAL_OPERATOR_TOKEN" "INFISICAL_BOOTSTRAP_TOKEN"
+            "RAILWAY_TOKEN" "RAILWAY_PERSONAL_API_TOKEN"
+            "HETZNER_TOKEN" "HETZNER_API_TOKEN"
+          )
+
+          # Forbidden PREFIX patterns — operator-scope families.
+          FORBIDDEN_PREFIXES=(
+            "MOLECULE_OPERATOR_"
+          )
+
+          # Writer paths: Go source under workspace-server/ that
+          # writes to the env-vars map or to workspace_secrets DB rows.
+          # Tests, the forbidden-env source itself, and the silent-
+          # strip denylist are exempt (they LIST the keys by design).
+          SCAN_ROOT="workspace-server/internal"
+          # Exempt paths fall in two classes:
+          #   1. The deny-set definitions + the silent-strip denylist:
+          #      they LIST the forbidden names by design.
+          #   2. Pre-RFC#523 persona-merge / config-read paths that
+          #      already handle these names correctly (the silent-
+          #      strip downstream + the new L1 fail-closed cover the
+          #      runtime risk; these reads are unchanged).
+          # New code MUST NOT be added to this list without reviewer
+          # signoff and a one-line justification in this diff.
+          EXEMPT_PATHS=(
+            # Class 1 — deny-set definitions
+            "workspace-server/internal/handlers/workspace_provision_forbidden_env.go"
+            "workspace-server/internal/handlers/workspace_provision_forbidden_env_test.go"
+            "workspace-server/internal/provisioner/provisioner.go"
+            "workspace-server/internal/provisioner/provisioner_test.go"
+            # Class 2 — pre-existing persona-fallback / org-helper paths
+            # that set the GITEA_TOKEN fallback lane (stripped downstream
+            # by provisioner.buildContainerEnv per forensic #145). The
+            # new L1 fail-closed runs BEFORE these writers, so any
+            # operator-scope leak via global/workspace_secrets is
+            # already caught. See applyAgentGitHTTPCreds doc-comment.
+            "workspace-server/internal/handlers/agent_git_identity.go"
+            "workspace-server/internal/handlers/org_helpers.go"
+            "workspace-server/internal/handlers/org.go"
+            # Class 2 — CP→platform admin auth (NOT a tenant env write;
+            # this is the control-plane HTTP auth header source).
+            "workspace-server/internal/provisioner/cp_provisioner.go"
+          )
+
+          # Build a single grep -F pattern: every forbidden key wrapped
+          # in quotes (Go string-literal form, which is how env-map
+          # writes appear). e.g. envVars["GITEA_TOKEN"] = ... or
+          # `"GITEA_TOKEN":` in a literal-map declaration.
+          #
+          # We deliberately match the quoted form so a comment that
+          # happens to spell the name without quotes (e.g. "see
+          # GITEA_TOKEN below") doesn't trip the lint.
+          PATTERN=""
+          for k in "${FORBIDDEN_KEYS[@]}"; do
+            PATTERN="${PATTERN}\"${k}\"\n"
+          done
+          for p in "${FORBIDDEN_PREFIXES[@]}"; do
+            # Prefix match needs a regex; switch to grep -E below for
+            # this slice. Kept conceptually here so the deny set lives
+            # in one place; scan is run twice (literal + prefix).
+            true
+          done
+
+          # Build exempt-paths grep filter — `grep -v -f` style.
+          EXEMPT_FILTER=$(mktemp)
+          trap 'rm -f "$EXEMPT_FILTER"' EXIT
+          for p in "${EXEMPT_PATHS[@]}"; do
+            echo "$p" >> "$EXEMPT_FILTER"
+          done
+
+          # --- Exact-match scan ---
+          HITS=""
+          for k in "${FORBIDDEN_KEYS[@]}"; do
+            # Only .go files; skip _test.go for the writer-path scan
+            # since tests legitimately reference the names. The
+            # writer-path lint targets PRODUCTION code only.
+            found=$(grep -rn --include='*.go' --exclude='*_test.go' "\"${k}\"" "$SCAN_ROOT" 2>/dev/null \
+                    | grep -v -F -f "$EXEMPT_FILTER" || true)
+            if [ -n "$found" ]; then
+              HITS="${HITS}${found}\n"
+            fi
+          done
+
+          # --- Prefix scan ---
+          for prefix in "${FORBIDDEN_PREFIXES[@]}"; do
+            found=$(grep -rnE --include='*.go' --exclude='*_test.go' "\"${prefix}[A-Z0-9_]+\"" "$SCAN_ROOT" 2>/dev/null \
+                    | grep -v -F -f "$EXEMPT_FILTER" || true)
+            if [ -n "$found" ]; then
+              HITS="${HITS}${found}\n"
+            fi
+          done
+
+          if [ -n "$HITS" ]; then
+            echo "::error::RFC#523 Layer 3: forbidden operator-scope env var name(s) hardcoded in tenant-workspace writer paths:"
+            printf "$HITS"
+            echo ""
+            echo "These env-var NAMES are on the operator-scope deny list (see"
+            echo "workspace-server/internal/handlers/workspace_provision_forbidden_env.go)."
+            echo "If your code legitimately needs to inject one of these for a"
+            echo "non-tenant code path, add the file to EXEMPT_PATHS in this"
+            echo "workflow with a one-line justification — reviewer signoff required."
+            exit 1
+          fi
+
+          echo "OK No forbidden operator-scope env key names hardcoded in writer paths."
@@ -0,0 +1,88 @@
+name: Lint shellcheck (arm64 pilot)
+
+# Mac-CI dual-track pilot (#233). ADDITIVE / NOT REQUIRED.
+#
+# Validates the arm64 self-hosted lane (no docker.sock, no privileged
+# ops) before any required gate moves onto it. Until a Mac arm64 runner
+# is registered with the `arm64` label, this workflow sits PENDING —
+# that is FINE: `arm64` is NOT in branch_protections required contexts.
+#
+# Pairs with internal#543 (RFC: Mac arm64 multi-arch runner-base).
+# No paths: filter on purpose (feedback_path_filtered_workflow_cant_be_required).
+
+on:
+  pull_request:
+    branches:
+      - main
+      - staging
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck-arm64:
+    name: shellcheck-arm64 (pilot)
+    runs-on: [self-hosted, arm64]
+    # NOT a required check; safe to sit pending until Mac runner is up.
+    # If the Mac runner has trouble pulling actions/checkout we fall
+    # back to a plain git clone (see step 'fallback clone').
+    timeout-minutes: 10
+    env:
+      GITHUB_SERVER_URL: https://git.moleculesai.app
+    steps:
+      - name: Identify runner
+        run: |
+          set -eu
+          echo "arch=$(uname -m)"
+          echo "kernel=$(uname -sr)"
+          echo "shell=$BASH_VERSION"
+          # Sanity: must actually be arm64. If amd64 sneaks in here,
+          # fail fast — that means the label routing is wrong.
+          case "$(uname -m)" in
+            aarch64|arm64) echo "arm64 confirmed" ;;
+            *) echo "ERROR: expected arm64, got $(uname -m)"; exit 1 ;;
+          esac
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Install shellcheck (arm64)
+        run: |
+          set -eu
+          if command -v shellcheck >/dev/null 2>&1; then
+            echo "shellcheck already present: $(shellcheck --version | head -1)"
+          else
+            # Prefer apt if the runner base ships it; else download arm64 binary.
+            if command -v apt-get >/dev/null 2>&1; then
+              sudo apt-get update -qq
+              sudo apt-get install -y --no-install-recommends shellcheck
+            else
+              SC_VER=v0.10.0
+              curl -fsSL "https://github.com/koalaman/shellcheck/releases/download/${SC_VER}/shellcheck-${SC_VER}.linux.aarch64.tar.xz" \
+                | tar -xJf - --strip-components=1
+              sudo mv shellcheck /usr/local/bin/
+            fi
+          fi
+          shellcheck --version | head -2
+
+      - name: Run shellcheck on .gitea/scripts/*.sh
+        run: |
+          set -eu
+          # Only the scripts we control under .gitea/scripts. Pilot
+          # scope is intentionally narrow — broaden in a follow-up
+          # once the lane is proven.
+          mapfile -t TARGETS < <(find .gitea/scripts -maxdepth 2 -type f -name '*.sh' | sort)
+          if [ "${#TARGETS[@]}" -eq 0 ]; then
+            echo "No .sh files found under .gitea/scripts — nothing to check"
+            exit 0
+          fi
+          echo "Checking ${#TARGETS[@]} file(s):"
+          printf '  %s\n' "${TARGETS[@]}"
+          # SC1091 = couldn't follow non-constant source; expected for
+          # CI-time analysis without the full runtime layout.
+          shellcheck --severity=error --exclude=SC1091 "${TARGETS[@]}"
@@ -49,13 +49,17 @@ jobs:
  # bp-exempt: post-merge image publication side effect; CI / all-required gates source changes.
  build-and-push:
    name: Build & push canvas image
-    # REVERTED (infra/revert-docker-runner-label): `runs-on: ubuntu-latest` restored.
-    # The `docker` label is not registered on any act_runner. `runs-on: [ubuntu-latest, docker]`
-    # causes jobs to queue indefinitely with zero eligible runners — strictly worse than the
-    # pre-#599 coin-flip (50% success rate). Once the `docker` label is registered on
-    # ≥2 runners, re-apply the fix from #599 (infra/docker-runner-label).
-    # See issue #576 + infra-lead pulse ~00:30Z.
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push:main, canvas/**) — reserved capacity so a merged
+    # canvas fix's image build never FIFO-queues behind PR required-CI.
+    # The `publish` label resolves ONLY to the molecule-runner-publish-*
+    # sub-pool (config.publish.yaml). HARD DEPENDENCY: this MUST land
+    # AFTER the publish-lane runners are registered/advertising `publish`
+    # — the earlier #599 `docker` label attempt queued indefinitely with
+    # zero eligible runners precisely because the label was targeted
+    # before any runner advertised it (see #576). The lane is registered
+    # in this rollout (internal#462) so the precondition holds.
+    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -104,7 +104,7 @@ jobs:
        with:
          python-version: "3.11"

-      - name: Compute next version from PyPI latest
+      - name: Compute next version from PyPI latest and existing tags
        id: bump
        run: |
          set -eu
@@ -112,9 +112,24 @@ jobs:
            | python -c "import sys,json; print(json.load(sys.stdin)['info']['version'])")
          MAJOR=$(echo "$LATEST" | cut -d. -f1)
          MINOR=$(echo "$LATEST" | cut -d. -f2)
-          PATCH=$(echo "$LATEST" | cut -d. -f3)
-          VERSION="${MAJOR}.${MINOR}.$((PATCH+1))"
-          echo "PyPI latest=$LATEST -> next=$VERSION"
+          TAG_LATEST=$(git tag --list "runtime-v${MAJOR}.${MINOR}.*" \
+            | sed -E 's/^runtime-v//' \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | sort -V \
+            | tail -1 || true)
+          VERSION=$(PYPI_LATEST="$LATEST" TAG_LATEST="$TAG_LATEST" python - <<'PY'
+          import os
+
+          def parse(v):
+              return tuple(int(part) for part in v.split("."))
+
+          pypi = os.environ["PYPI_LATEST"]
+          tag = os.environ.get("TAG_LATEST") or pypi
+          base = max(parse(pypi), parse(tag))
+          print(f"{base[0]}.{base[1]}.{base[2] + 1}")
+          PY
+          )
+          echo "PyPI latest=$LATEST, latest runtime tag=${TAG_LATEST:-none} -> next=$VERSION"
          if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::computed version $VERSION does not match PEP 440 X.Y.Z"
            exit 1
@@ -66,7 +66,10 @@ concurrency:

 jobs:
  publish:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). Ship
+    # path (on: push tag runtime-v*) — reserved capacity, never FIFO
+    # behind PR-CI. `publish` resolves only to molecule-runner-publish-*.
+    runs-on: publish
    outputs:
      version: ${{ steps.version.outputs.version }}
      wheel_sha256: ${{ steps.wheel_hash.outputs.wheel_sha256 }}
@@ -159,6 +162,7 @@ jobs:
            exit 1
          fi
          python -m twine upload \
+            --verbose \
            --repository pypi \
            --username __token__ \
            --password "$PYPI_TOKEN" \
@@ -166,7 +170,9 @@ jobs:

  cascade:
    needs: publish
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — downstream of the runtime
+    # publish ship job; keep it on the reserved lane too.
+    runs-on: publish
    steps:
      - name: Wait for PyPI to propagate the new version
        env:
@@ -54,7 +54,14 @@ env:

 jobs:
  build-and-push:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399). This
+    # is a post-merge ship job (on: push:main) — it must NOT FIFO-compete
+    # with PR required-CI on the shared pool (PR#1350's prod image build
+    # was delayed ~25min this way). The `publish` label resolves ONLY to
+    # the reserved molecule-runner-publish-* sub-pool (config.publish.yaml,
+    # OUTSIDE the managed 1..20 range) so a merged fix's image build
+    # starts immediately while PR-CI keeps the general pool.
+    runs-on: publish
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -181,7 +188,9 @@ jobs:
    name: Production auto-deploy
    needs: build-and-push
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-    runs-on: ubuntu-latest
+    # Publish/release lane (internal#462) — production deploy of a merged
+    # fix; reserved capacity, never queued behind PR-CI.
+    runs-on: publish
    timeout-minutes: 75
    env:
      CP_URL: ${{ vars.PROD_CP_URL || 'https://api.moleculesai.app' }}
@@ -89,6 +89,7 @@ on:
 permissions:
  contents: read
  pull-requests: read
+  secrets: read

 jobs:
  # bp-exempt: PR review bot signal; required merge state is enforced by CI / all-required.
@@ -68,7 +68,10 @@ jobs:
  # bp-exempt: production redeploy is a side-effect workflow, not a merge gate.
  redeploy:
    if: ${{ github.event_name == 'workflow_dispatch' }}
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Production tenant redeploy — a deploy action, reserved capacity so
+    # it never queues behind PR-CI. `publish` -> molecule-runner-publish-*.
+    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -75,7 +75,10 @@ env:
 jobs:
  # bp-exempt: post-merge staging redeploy side effect; CI / all-required gates source changes.
  redeploy:
-    runs-on: ubuntu-latest
+    # Dedicated publish/release lane (internal#462 / #394 / #399).
+    # Post-merge staging redeploy — a deploy action, reserved capacity.
+    # `publish` -> molecule-runner-publish-* sub-pool.
+    runs-on: publish
    # Phase 3 (RFC #219 §1): surface broken workflows without blocking.
    # mc#774: pre-existing continue-on-error mask; root-fix and remove, do not renew silently.
    continue-on-error: true
@@ -30,6 +30,11 @@ jobs:
  scan:
    name: Scan diff for credential-shaped strings
    runs-on: ubuntu-latest
+    # Hard CI gate — must complete or the PR is unmergable. 10-minute ceiling
+    # is generous for a diff-scan against a single SHA. If this times out, the
+    # runner is frozen and holding a slot — the step timeout triggers clean
+    # failure, releasing the runner for the next job.
+    timeout-minutes: 10
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -133,6 +138,14 @@ jobs:
            [ -z "$f" ] && continue
            [ "$f" = "$SELF_GITHUB" ] && continue
            [ "$f" = "$SELF_GITEA" ] && continue
+            # Test-fixture exclude (internal#425): the secrets-detector's OWN
+            # unit-test corpus deliberately embeds credential-SHAPED example
+            # strings to exercise the detector. Verified 2026-05-18 synthetic
+            # (fabricated ghp_* fixtures, not real). Without this the scanner
+            # self-trips on its own fixtures and fail-closes every deploy.
+            # Same rationale as the SELF_* excludes above; gate NOT weakened
+            # (all other paths still fully scanned).
+            [ "$f" = "workspace-server/internal/secrets/patterns_test.go" ] && continue
            if [ -n "$DIFF_RANGE" ]; then
              ADDED=$(git diff --no-color --unified=0 "$BASE" "$HEAD" -- "$f" 2>/dev/null | grep -E '^\+[^+]' || true)
            else
@@ -16,6 +16,7 @@ on:
 permissions:
  contents: read
  pull-requests: read
+  secrets: read

 jobs:
  # bp-exempt: PR security review bot signal; required merge state is enforced by CI / all-required.
@@ -84,11 +84,8 @@ on:
 permissions:
  contents: read
  pull-requests: read
-  # NOTE: `statuses: write` is the GitHub-Actions name for POST /statuses.
-  # Gitea 1.22.6 may not gate on this permission key (it just checks the
-  # token), but listing it explicitly documents intent for the next
-  # platform-version upgrade.
  statuses: write
+  secrets: read

 jobs:
  all-items-acked:
@@ -71,6 +71,7 @@ jobs:
    permissions:
      contents: read
      pull-requests: read
+      secrets: read
    steps:
      - name: Check out base branch (for the script)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -1,255 +0,0 @@
-name: canary-verify
-
-# Runs the canary smoke suite against the staging canary tenant fleet
-# after a new :staging-<sha> image lands in ECR. On green, calls the
-# CP redeploy-fleet endpoint to promote :staging-<sha> → :latest so
-# the prod tenant fleet's 5-minute auto-updater picks up the verified
-# digest. On red, :latest stays on the prior known-good digest and
-# prod is untouched.
-#
-# Registry note (2026-05-10): This workflow previously used GHCR
-# (ghcr.io/molecule-ai/platform-tenant) — that registry was retired
-# during the 2026-05-06 Gitea suspension migration when publish-
-# workspace-server-image.yml switched to the operator's ECR org
-# (153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/
-# platform-tenant). The GHCR → ECR migration was never applied to
-# this file, so canary-verify was silently smoke-testing the stale
-# GHCR image while the actual staging/prod tenants ran the ECR image.
-# Result: smoke tests could not catch a broken ECR build. Fix:
-#   - Wait step: reads SHA from running canary /health (tenant-
-#     agnostic, works regardless of registry).
-#   - Promote step: calls CP redeploy-fleet endpoint with target_tag=
-#     staging-<sha>, same mechanism as redeploy-tenants-on-main.yml.
-#     No longer attempts GHCR crane ops.
-#
-# Dependencies:
-#   - publish-workspace-server-image.yml publishes :staging-<sha>
-#     to ECR on staging and main merges.
-#   - Canary tenants are configured to pull :staging-<sha> from ECR
-#     (TENANT_IMAGE env set to the ECR :staging-<sha> tag).
-#   - Repo secrets CANARY_TENANT_URLS / CANARY_ADMIN_TOKENS /
-#     CANARY_CP_SHARED_SECRET are populated.
-
-on:
-  workflow_run:
-    workflows: ["publish-workspace-server-image"]
-    types: [completed]
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  packages: write
-  actions: read
-
-env:
-  # ECR registry (post-2026-05-06 SSOT for tenant images).
-  # publish-workspace-server-image.yml pushes here.
-  IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform
-  TENANT_IMAGE_NAME: 153263036946.dkr.ecr.us-east-2.amazonaws.com/molecule-ai/platform-tenant
-  # CP endpoint for redeploy-fleet (used in promote step below).
-  CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
-
-jobs:
-  canary-smoke:
-    # Skip when the upstream workflow failed — no image to test against.
-    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
-    runs-on: ubuntu-latest
-    outputs:
-      sha: ${{ steps.compute.outputs.sha }}
-      smoke_ran: ${{ steps.smoke.outputs.ran }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Compute sha
-        id: compute
-        run: echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
-
-      - name: Wait for canary tenants to pick up :staging-<sha>
-        # Poll canary health endpoints every 30s for up to 7 min instead
-        # of a fixed 6-min sleep. Exits as soon as ALL canaries report
-        # the new SHA (~2-3 min typical vs 6 min fixed). Falls back to
-        # proceeding after 7 min even if not all canaries responded —
-        # the smoke suite will catch any that didn't update.
-        #
-        # NOTE: The SHA is read from the running tenant's /health response,
-        # NOT from a registry lookup. This is registry-agnostic and works
-        # regardless of whether the tenant pulls from ECR, GHCR, or any
-        # other registry — the canary is telling us what it's actually
-        # running, which is the ground truth for smoke testing.
-        env:
-          CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
-          EXPECTED_SHA: ${{ steps.compute.outputs.sha }}
-        run: |
-          if [ -z "$CANARY_TENANT_URLS" ]; then
-            echo "No canary URLs configured — falling back to 60s wait"
-            sleep 60
-            exit 0
-          fi
-          IFS=',' read -ra URLS <<< "$CANARY_TENANT_URLS"
-          MAX_WAIT=420  # 7 minutes
-          INTERVAL=30
-          ELAPSED=0
-          while [ $ELAPSED -lt $MAX_WAIT ]; do
-            ALL_READY=true
-            for url in "${URLS[@]}"; do
-              HEALTH=$(curl -s --max-time 5 "${url}/health" 2>/dev/null || echo "{}")
-              SHA=$(echo "$HEALTH" | grep -o "\"sha\":\"[^\"]*\"" | head -1 | cut -d'"' -f4)
-              if [ "$SHA" != "$EXPECTED_SHA" ]; then
-                ALL_READY=false
-                break
-              fi
-            done
-            if $ALL_READY; then
-              echo "All canaries running staging-${EXPECTED_SHA} after ${ELAPSED}s"
-              exit 0
-            fi
-            echo "Waiting for canaries... (${ELAPSED}s / ${MAX_WAIT}s)"
-            sleep $INTERVAL
-            ELAPSED=$((ELAPSED + INTERVAL))
-          done
-          echo "Timeout after ${MAX_WAIT}s — proceeding anyway (smoke suite will validate)"
-
-      - name: Run canary smoke suite
-        id: smoke
-        # Graceful-skip when no canary fleet is configured (Phase 2 not yet
-        # stood up — see molecule-controlplane/docs/canary-tenants.md).
-        # Sets `ran=false` on skip so promote-to-latest stays off (we don't
-        # want every main merge auto-promoting without gating). Manual
-        # promote-latest.yml is the release gate while canary is absent.
-        # Once the fleet is real: delete the early-exit branch.
-        env:
-          CANARY_TENANT_URLS: ${{ secrets.CANARY_TENANT_URLS }}
-          CANARY_ADMIN_TOKENS: ${{ secrets.CANARY_ADMIN_TOKENS }}
-          CANARY_CP_BASE_URL: https://staging-api.moleculesai.app
-          CANARY_CP_SHARED_SECRET: ${{ secrets.CANARY_CP_SHARED_SECRET }}
-        run: |
-          set -euo pipefail
-          if [ -z "${CANARY_TENANT_URLS:-}" ] \
-            || [ -z "${CANARY_ADMIN_TOKENS:-}" ] \
-            || [ -z "${CANARY_CP_SHARED_SECRET:-}" ]; then
-            {
-              echo "## ⚠️ canary-verify skipped"
-              echo
-              echo "One or more canary secrets are unset (\`CANARY_TENANT_URLS\`, \`CANARY_ADMIN_TOKENS\`, \`CANARY_CP_SHARED_SECRET\`)."
-              echo "Phase 2 canary fleet has not been stood up yet —"
-              echo "see [canary-tenants.md](https://git.moleculesai.app/molecule-ai/molecule-controlplane/blob/main/docs/canary-tenants.md)."
-              echo
-              echo "**Skipped — promote-to-latest will NOT auto-fire.** Dispatch \`promote-latest.yml\` manually when ready."
-            } >> "$GITHUB_STEP_SUMMARY"
-            echo "ran=false" >> "$GITHUB_OUTPUT"
-            echo "::notice::canary-verify: skipped — no canary fleet configured"
-            exit 0
-          fi
-          bash scripts/canary-smoke.sh
-          echo "ran=true" >> "$GITHUB_OUTPUT"
-
-      - name: Summary on failure
-        if: ${{ failure() }}
-        run: |
-          {
-            echo "## Canary smoke FAILED"
-            echo
-            echo "Canary tenants rejected image \`staging-${{ steps.compute.outputs.sha }}\`."
-            echo ":latest stays pinned to the prior good digest — prod is untouched."
-            echo
-            echo "Fix forward and merge again, or investigate the specific failed"
-            echo "assertions in the canary-smoke step log above."
-          } >> "$GITHUB_STEP_SUMMARY"
-
-  promote-to-latest:
-    # On green, calls the CP redeploy-fleet endpoint with target_tag=
-    # staging-<sha> to promote the verified ECR image. This is the same
-    # mechanism as redeploy-tenants-on-main.yml — no GHCR crane ops.
-    #
-    # Pre-fix history: the old GHCR promote step used `crane tag` against
-    # ghcr.io/molecule-ai/platform-tenant, but publish-workspace-server-
-    # image.yml had already migrated to ECR on 2026-05-07 (commit
-    # 10e510f5). The GHCR tags were never updated, so this step was
-    # silently promoting a stale GHCR image while actual prod tenants
-    # pulled from ECR. Canary smoke tests were GHCR-targeted and could
-    # not catch a broken ECR build.
-    needs: canary-smoke
-    if: ${{ needs.canary-smoke.result == 'success' && needs.canary-smoke.outputs.smoke_ran == 'true' }}
-    runs-on: ubuntu-latest
-    env:
-      SHA: ${{ needs.canary-smoke.outputs.sha }}
-      CP_URL: ${{ vars.CP_URL || 'https://staging-api.moleculesai.app' }}
-      # CP_ADMIN_API_TOKEN gates write access to the redeploy endpoint.
-      # Stored at the repo level so all workflows pick it up automatically.
-      CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
-      # canary_slug pin: deploy the verified :staging-<sha> to the canary
-      # first (soak 120s), then fan out to the rest of the fleet.
-      CANARY_SLUG: ${{ vars.CANARY_PROMOTE_SLUG || '' }}
-      SOAK_SECONDS: ${{ vars.CANARY_PROMOTE_SOAK || '120' }}
-      BATCH_SIZE: ${{ vars.CANARY_PROMOTE_BATCH || '3' }}
-    steps:
-      - name: Check CP credentials
-        run: |
-          if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
-            echo "::error::CP_ADMIN_API_TOKEN secret is not set — promote step cannot call redeploy-fleet."
-            echo "::error::Set it at: repo Settings → Actions → Variables and Secrets → New Secret."
-            exit 1
-          fi
-
-      - name: Promote verified ECR image to :latest
-        run: |
-          set -euo pipefail
-
-          TARGET_TAG="staging-${SHA}"
-          BODY=$(jq -nc \
-            --arg tag "$TARGET_TAG" \
-            --argjson soak "${SOAK_SECONDS:-120}" \
-            --argjson batch "${BATCH_SIZE:-3}" \
-            --argjson dry false \
-            '{
-              target_tag: $tag,
-              soak_seconds: $soak,
-              batch_size: $batch,
-              dry_run: $dry
-            }')
-
-          if [ -n "${CANARY_SLUG:-}" ]; then
-            BODY=$(jq '. * {canary_slug: $slug}' --arg slug "$CANARY_SLUG" <<<"$BODY")
-          fi
-
-          echo "Calling: POST $CP_URL/cp/admin/tenants/redeploy-fleet"
-          echo "  target_tag: $TARGET_TAG"
-          echo "  body: $BODY"
-
-          HTTP_RESPONSE=$(mktemp)
-          HTTP_CODE_FILE=$(mktemp)
-          set +e
-          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
-            -m 1200 \
-            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
-            -d "$BODY" >"$HTTP_CODE_FILE"
-          CURL_EXIT=$?
-          set -e
-
-          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
-          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
-
-          echo "HTTP $HTTP_CODE (curl exit $CURL_EXIT)"
-          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
-
-          if [ "$HTTP_CODE" -ge 400 ]; then
-            echo "::error::CP redeploy-fleet returned HTTP $HTTP_CODE — refusing to proceed."
-            exit 1
-          fi
-
-      - name: Summary
-        run: |
-          {
-            echo "## Canary verified — :latest promoted via CP redeploy-fleet"
-            echo ""
-            echo "- **Target tag:** \`staging-${{ needs.canary-smoke.outputs.sha }}\`"
-            echo "- **Registry:** ECR (\`${TENANT_IMAGE_NAME}\`)"
-            echo "- **Canary slug:** \`${CANARY_SLUG:-<none>}\` (soak ${SOAK_SECONDS}s)"
-            echo "- **Batch size:** ${BATCH_SIZE:-3}"
-            echo ""
-            echo "CP redeploy-fleet is rolling out the verified image across the prod fleet."
-            echo "The fleet's 5-minute health-check loop will pick up the update automatically."
-          } >> "$GITHUB_STEP_SUMMARY"
@@ -1,400 +0,0 @@
-name: redeploy-tenants-on-main
-
-# Auto-refresh prod tenant EC2s after every main merge.
-#
-# Why this workflow exists: publish-workspace-server-image builds and
-# pushes a new platform-tenant :<sha> to ECR on every merge to main,
-# but running tenants pulled their image once at boot and never re-pull.
-# Users see stale code indefinitely.
-#
-# This workflow closes the gap by calling the control-plane admin
-# endpoint that performs a canary-first, batched, health-gated rolling
-# redeploy across every live tenant. Implemented in molecule-ai/
-# molecule-controlplane as POST /cp/admin/tenants/redeploy-fleet
-# (feat/tenant-auto-redeploy, landing alongside this workflow).
-#
-# Registry: ECR (153263036946.dkr.ecr.us-east-2.amazonaws.com/
-# molecule-ai/platform-tenant). GHCR was retired 2026-05-07 during the
-# Gitea suspension migration. The canary-verify.yml promote step now
-# uses the same redeploy-fleet endpoint (fixes the silent-GHCR gap).
-#
-# Runtime ordering:
-#   1. publish-workspace-server-image completes → new :staging-<sha> in ECR.
-#   2. This workflow fires via workflow_run, calls redeploy-fleet with
-#      target_tag=staging-<sha>. No CDN propagation wait needed —
-#      ECR image manifest is consistent immediately after push.
-#   3. Calls redeploy-fleet with canary_slug (if set) and a soak
-#      period. Canary proves the image boots; batches follow.
-#   4. Any failure aborts the rollout and leaves older tenants on the
-#      prior image — safer default than half-and-half state.
-#
-# Rollback path: re-run this workflow with a specific SHA pinned via
-# the workflow_dispatch input. That calls redeploy-fleet with
-# target_tag=<sha>, re-pulling the older image on every tenant.
-
-on:
-  workflow_run:
-    workflows: ['publish-workspace-server-image']
-    types: [completed]
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      target_tag:
-        # Empty default → auto-trigger and dispatch-without-input both
-        # resolve to `staging-<short_head_sha>` (the digest publish-image
-        # just pushed). Pre-fix this defaulted to 'latest', which only
-        # gets retagged by canary-verify's promote-to-latest job — and
-        # that job soft-skips when CANARY_TENANT_URLS is unset (the
-        # current state, until Phase 2 canary fleet is live). Result:
-        # `:latest` had been pinned to a 4-day-old digest (2026-04-28)
-        # while every main push pushed fresh `staging-<sha>` images;
-        # every prod redeploy pulled the stale `:latest` and the verify
-        # step correctly flagged 3/3 tenants STALE. Pulling the
-        # just-published `staging-<sha>` directly skips the dead retag
-        # path. When canary fleet is real, this workflow should chain
-        # on canary-verify completion (workflow_run from canary-verify),
-        # not publish-image — separate, smaller PR.
-        description: 'Tenant image tag to deploy (e.g. "latest", "staging-a59f1a6c"). Empty = auto staging-<head_sha>.'
-        required: false
-        type: string
-        default: ''
-      canary_slug:
-        description: 'Tenant slug to deploy first + soak (empty = skip canary, fan out immediately).'
-        required: false
-        type: string
-        # Must be an actual prod tenant slug (current: hongming,
-        # chloe-dong, reno-stars). The previous default 'hongmingwang'
-        # didn't match any tenant — CP soft-skipped the missing canary
-        # and the fleet rolled out without the soak gate, defeating the
-        # whole point of canary-first.
-        default: 'hongming'
-      soak_seconds:
-        description: 'Seconds to wait after canary before fanning out.'
-        required: false
-        type: string
-        default: '60'
-      batch_size:
-        description: 'How many tenants SSM redeploys in parallel per batch.'
-        required: false
-        type: string
-        default: '3'
-      dry_run:
-        description: 'Plan only — do not actually redeploy.'
-        required: false
-        type: boolean
-        default: false
-
-permissions:
-  contents: read
-  # No write scopes needed — the workflow hits an external CP endpoint,
-  # not the GitHub API.
-
-# Serialize redeploys so two rapid main pushes' redeploys don't overlap
-# and cause confusing per-tenant SSM state. Without this, GitHub's
-# implicit workflow_run queueing would *probably* serialize them, but
-# the explicit block makes the invariant defensible. Mirrors the
-# concurrency block on redeploy-tenants-on-staging.yml for shape parity.
-#
-# cancel-in-progress: false → aborting a half-rolled-out fleet would
-# leave tenants stuck on whatever image they happened to be on when
-# cancelled. Better to finish the in-flight rollout before starting
-# the next one.
-concurrency:
-  group: redeploy-tenants-on-main
-  cancel-in-progress: false
-
-jobs:
-  redeploy:
-    # Skip the auto-trigger if publish-workspace-server-image didn't
-    # actually succeed. workflow_run fires on any completion state; we
-    # don't want to redeploy against a half-built image.
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
-    runs-on: ubuntu-latest
-    timeout-minutes: 25
-    steps:
-      - name: Note on ECR propagation
-        # ECR image manifests are consistent immediately after push — no
-        # CDN cache to wait for. The old GHCR-based workflow had a 30s
-        # sleep to avoid race conditions; ECR makes that unnecessary.
-        run: echo "ECR image available immediately after push — proceeding."
-
-      - name: Compute target tag
-        id: tag
-        # Resolution order:
-        #   1. Operator-supplied input (workflow_dispatch with explicit
-        #      tag) → used verbatim. Lets ops pin `latest` for emergency
-        #      rollback to last canary-verified digest, or pin a specific
-        #      `staging-<sha>` to roll back to a known-good build.
-        #   2. Default → `staging-<short_head_sha>`. The just-published
-        #      digest. Bypasses the `:latest` retag path that's currently
-        #      dead (canary-verify soft-skips without canary fleet, so
-        #      the only thing retagging `:latest` today is the manual
-        #      promote-latest.yml — last run 2026-04-28). Auto-trigger
-        #      from workflow_run uses workflow_run.head_sha; manual
-        #      dispatch with no input falls through to github.sha.
-        env:
-          INPUT_TAG: ${{ inputs.target_tag }}
-          HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
-        run: |
-          set -euo pipefail
-          if [ -n "${INPUT_TAG:-}" ]; then
-            echo "target_tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"
-            echo "Using operator-pinned tag: $INPUT_TAG"
-          else
-            SHORT="${HEAD_SHA:0:7}"
-            echo "target_tag=staging-$SHORT" >> "$GITHUB_OUTPUT"
-            echo "Using auto tag: staging-$SHORT (head_sha=$HEAD_SHA)"
-          fi
-
-      - name: Call CP redeploy-fleet
-        # CP_ADMIN_API_TOKEN must be set as a repo/org secret on
-        # molecule-ai/molecule-core, matching the staging/prod CP's
-        # CP_ADMIN_API_TOKEN env. Stored in Railway, mirrored to this
-        # repo's secrets for CI.
-        env:
-          CP_URL: ${{ vars.CP_URL || 'https://api.moleculesai.app' }}
-          CP_ADMIN_API_TOKEN: ${{ secrets.CP_ADMIN_API_TOKEN }}
-          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
-          CANARY_SLUG: ${{ inputs.canary_slug || 'hongming' }}
-          SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
-          BATCH_SIZE: ${{ inputs.batch_size || '3' }}
-          DRY_RUN: ${{ inputs.dry_run || false }}
-        run: |
-          set -euo pipefail
-
-          if [ -z "${CP_ADMIN_API_TOKEN:-}" ]; then
-            echo "::error::CP_ADMIN_API_TOKEN secret not set — skipping redeploy"
-            echo "::notice::Set CP_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
-            exit 1
-          fi
-
-          BODY=$(jq -nc \
-            --arg tag "$TARGET_TAG" \
-            --arg canary "$CANARY_SLUG" \
-            --argjson soak "$SOAK_SECONDS" \
-            --argjson batch "$BATCH_SIZE" \
-            --argjson dry "$DRY_RUN" \
-            '{
-              target_tag: $tag,
-              canary_slug: $canary,
-              soak_seconds: $soak,
-              batch_size: $batch,
-              dry_run: $dry
-            }')
-
-          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
-          echo "  body: $BODY"
-
-          HTTP_RESPONSE=$(mktemp)
-          HTTP_CODE_FILE=$(mktemp)
-          # Route -w into its own tempfile so curl's exit code (e.g. 56
-          # on connection-reset, 22 on --fail-with-body 4xx/5xx) can't
-          # pollute the captured stdout. The previous inline-substitution
-          # shape produced "000000" on connection reset (curl wrote
-          # "000" via -w, then the inline echo-fallback appended another
-          # "000") — caught on the 2026-05-04 redeploy of sha 2b862f6.
-          # set +e/-e keeps the non-zero curl exit from tripping the
-          # outer pipeline. See lint-curl-status-capture.yml for the
-          # CI gate that pins this fix shape.
-          set +e
-          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
-            -m 1200 \
-            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
-            -d "$BODY" >"$HTTP_CODE_FILE"
-          set -e
-          # Stderr from curl (e.g. dial errors with -sS) goes to the runner
-          # log so operators can see WHY a connection failed. Stdout is
-          # captured to $HTTP_CODE_FILE because that's where -w writes.
-          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
-          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
-
-          echo "HTTP $HTTP_CODE"
-          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
-
-          # Pretty-print per-tenant results in the job summary so
-          # ops can see which tenants were redeployed without drilling
-          # into the raw response.
-          {
-            echo "## Tenant redeploy fleet"
-            echo ""
-            echo "**Target tag:** \`$TARGET_TAG\`"
-            echo "**Canary:** \`$CANARY_SLUG\` (soak ${SOAK_SECONDS}s)"
-            echo "**Batch size:** $BATCH_SIZE"
-            echo "**Dry run:** $DRY_RUN"
-            echo "**HTTP:** $HTTP_CODE"
-            echo ""
-            echo "### Per-tenant result"
-            echo ""
-            echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
-            echo '|------|-------|------------|------|---------|-------|'
-            jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          if [ "$HTTP_CODE" != "200" ]; then
-            echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
-            exit 1
-          fi
-          OK=$(jq -r '.ok' "$HTTP_RESPONSE")
-          if [ "$OK" != "true" ]; then
-            echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
-            exit 1
-          fi
-          echo "::notice::Tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
-
-          # Stash the response for the verify step. $RUNNER_TEMP outlasts
-          # the step boundary; $HTTP_RESPONSE doesn't.
-          cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
-
-      - name: Verify each tenant /buildinfo matches published SHA
-        # ROOT FIX FOR #2395.
-        #
-        # `redeploy-fleet`'s `ssm_status=Success` means "the SSM RPC
-        # didn't error" — NOT "the new image is running on the tenant."
-        # `:latest` lives in the local Docker daemon's image cache; if
-        # the SSM document does `docker compose up -d` without an
-        # explicit `docker pull`, the daemon serves the previously-
-        # cached digest and the container restarts on stale code.
-        # 2026-04-30 incident: hongmingwang's tenant reported
-        # ssm_status=Success at 17:00:53Z but kept serving pre-501a42d7
-        # chat_files for 30+ min — the lazy-heal fix never reached the
-        # user despite green deploy + green redeploy.
-        #
-        # This step closes the gap by curling each tenant's /buildinfo
-        # endpoint (added in workspace-server/internal/buildinfo +
-        # /Dockerfile* GIT_SHA build-arg, this PR) and comparing the
-        # returned git_sha to the SHA the workflow expects. Mismatches
-        # fail the workflow, which is what `ok=true` should have
-        # guaranteed all along.
-        #
-        # When the redeploy was triggered by workflow_dispatch with a
-        # specific tag (target_tag != "latest"), the expected SHA may
-        # not equal ${{ github.sha }} — in that case we resolve via
-        # GHCR's manifest. For workflow_run (default :latest) the
-        # workflow_run.head_sha is the SHA that just published.
-        env:
-          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
-          TARGET_TAG: ${{ steps.tag.outputs.target_tag }}
-          # Tenant subdomain template — slugs from the response are
-          # appended. Production CP issues `<slug>.moleculesai.app`;
-          # staging CP issues `<slug>.staging.moleculesai.app`. This
-          # workflow runs on main → prod CP → no `staging.` infix.
-          TENANT_DOMAIN: 'moleculesai.app'
-        run: |
-          set -euo pipefail
-
-          EXPECTED_SHORT="${EXPECTED_SHA:0:7}"
-          if [ "$TARGET_TAG" != "latest" ] \
-             && [ "$TARGET_TAG" != "$EXPECTED_SHA" ] \
-             && [ "$TARGET_TAG" != "staging-$EXPECTED_SHORT" ]; then
-            # workflow_dispatch with a pinned tag that isn't the head
-            # SHA — operator is rolling back / pinning. Skip the
-            # verification because we don't have the expected SHA in
-            # this context (would need to crane-inspect the GHCR
-            # manifest, which is a follow-up). Failing-open here is
-            # safe: the operator chose the tag deliberately.
-            #
-            # `staging-<short_head_sha>` IS verified — it's the new
-            # auto-trigger default (see Compute target tag step) and
-            # the digest under that tag SHOULD match EXPECTED_SHA.
-            echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
-            exit 0
-          fi
-
-          RESP="$RUNNER_TEMP/redeploy-response.json"
-          if [ ! -s "$RESP" ]; then
-            echo "::error::redeploy-response.json missing or empty — verify step ran without a response to read"
-            exit 1
-          fi
-
-          # Pull only successfully-redeployed tenants. Any tenant that
-          # halted the rollout already failed the previous step, so we
-          # don't double-count them here.
-          mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
-          if [ ${#SLUGS[@]} -eq 0 ]; then
-            echo "::warning::No tenants reported healthz_ok — nothing to verify"
-            exit 0
-          fi
-
-          echo "Verifying ${#SLUGS[@]} tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
-
-          # Two distinct failure modes — STALE (the #2395 bug class, hard-fail)
-          # vs UNREACHABLE (teardown race, soft-warn). See the staging variant's
-          # comment for the full rationale; same logic applies on prod even
-          # though prod has fewer ephemeral tenants — the asymmetry would be a
-          # gratuitous fork.
-          STALE_COUNT=0
-          UNREACHABLE_COUNT=0
-          STALE_LINES=()
-          UNREACHABLE_LINES=()
-          for slug in "${SLUGS[@]}"; do
-            URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
-            # 30s total: tenant just SSM-restarted, may still be coming
-            # up. Retry-on-empty rather than retry-on-status — we want
-            # to fail fast on "responded with wrong SHA", not "still
-            # warming up".
-            BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
-            ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
-            if [ -z "$ACTUAL_SHA" ]; then
-              UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
-              UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
-              continue
-            fi
-            if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
-              echo "  $slug: ${ACTUAL_SHA:0:7} ✓"
-            else
-              STALE_COUNT=$((STALE_COUNT + 1))
-              STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
-            fi
-          done
-
-          {
-            echo ""
-            echo "### Per-tenant /buildinfo verification"
-            echo ""
-            echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
-            echo ""
-            if [ $STALE_COUNT -gt 0 ]; then
-              echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
-              echo ""
-              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
-              echo "|------|----------------------|----------|--------|"
-              for line in "${STALE_LINES[@]}"; do echo "$line"; done
-              echo ""
-            fi
-            if [ $UNREACHABLE_COUNT -gt 0 ]; then
-              echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely teardown race (soft-warn, not failing):**"
-              echo ""
-              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
-              echo "|------|----------------------|----------|--------|"
-              for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
-              echo ""
-            fi
-            if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
-              echo "All ${#SLUGS[@]} tenants returned matching SHA. ✓"
-            fi
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          if [ $UNREACHABLE_COUNT -gt 0 ]; then
-            echo "::warning::$UNREACHABLE_COUNT tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
-          fi
-
-          # Belt-and-suspenders sanity floor: same logic as the staging
-          # variant — see that file's comment for the full rationale.
-          # Floor only applies when fleet >= 4; below that, canary-verify
-          # is the actual gate.
-          TOTAL_VERIFIED=${#SLUGS[@]}
-          if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
-            echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
-            exit 1
-          fi
-
-          if [ $STALE_COUNT -gt 0 ]; then
-            echo "::error::$STALE_COUNT tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
-            exit 1
-          fi
-
-          echo "::notice::Tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."
@@ -1,362 +0,0 @@
-name: redeploy-tenants-on-staging
-
-# Auto-refresh staging tenant EC2s after every staging-branch merge.
-#
-# Mirror of redeploy-tenants-on-main.yml, with the staging-CP host and
-# the :staging-latest tag. Sister workflow exists for prod (rolls
-# :latest after canary-verify). Both share the same shape — just
-# different CP_URL + target_tag + admin token secret.
-#
-# Why this workflow exists: publish-workspace-server-image now builds
-# on every staging-branch push (PR #2335), pushing
-# platform-tenant:staging-latest to GHCR. Existing tenants pulled
-# their image once at boot and never re-pull, so the new image just
-# sits unused until the tenant is reprovisioned.
-#
-# This workflow closes the gap by calling staging-CP's
-# /cp/admin/tenants/redeploy-fleet, which performs a canary-first,
-# batched, health-gated SSM redeploy across every live staging tenant.
-# Same endpoint shape as prod CP — only the host differs.
-#
-# Runtime ordering:
-#   1. publish-workspace-server-image completes on staging branch →
-#      new :staging-latest in GHCR.
-#   2. This workflow fires via workflow_run, waits 30s for GHCR's CDN
-#      to propagate the new tag.
-#   3. Calls redeploy-fleet with no canary (staging IS canary; we don't
-#      need a sub-canary inside it). Soak still applies to the first
-#      tenant in case of bad-deploy detection.
-#   4. Any failure aborts the rollout and leaves older tenants on the
-#      prior image — safer default than half-and-half state.
-#
-# Rollback path: re-run with workflow_dispatch + target_tag=staging-<sha>
-# of a known-good build.
-
-on:
-  workflow_run:
-    workflows: ['publish-workspace-server-image']
-    types: [completed]
-    branches: [main]
-  workflow_dispatch:
-    inputs:
-      target_tag:
-        description: 'Tenant image tag to deploy (e.g. "staging-latest" or "staging-a59f1a6c"). Defaults to staging-latest when empty.'
-        required: false
-        type: string
-        default: 'staging-latest'
-      canary_slug:
-        description: 'Tenant slug to deploy first + soak (empty = skip canary, fan out immediately). Default empty for staging since staging itself is the canary.'
-        required: false
-        type: string
-        default: ''
-      soak_seconds:
-        description: 'Seconds to wait after canary before fanning out. Only meaningful if canary_slug is set.'
-        required: false
-        type: string
-        default: '60'
-      batch_size:
-        description: 'How many tenants SSM redeploys in parallel per batch.'
-        required: false
-        type: string
-        default: '3'
-      dry_run:
-        description: 'Plan only — do not actually redeploy.'
-        required: false
-        type: boolean
-        default: false
-
-permissions:
-  contents: read
-  # No write scopes needed — the workflow hits an external CP endpoint,
-  # not the GitHub API.
-
-# Serialize per-branch so two rapid staging pushes' redeploys don't
-# overlap and cause confusing per-tenant SSM state. cancel-in-progress
-# is false because aborting a half-rolled-out fleet leaves tenants
-# stuck on whatever image they happened to be on when cancelled.
-concurrency:
-  group: redeploy-tenants-on-staging
-  cancel-in-progress: false
-
-jobs:
-  redeploy:
-    # Skip the auto-trigger if publish-workspace-server-image didn't
-    # actually succeed. workflow_run fires on any completion state; we
-    # don't want to redeploy against a half-built image.
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
-    runs-on: ubuntu-latest
-    timeout-minutes: 25
-    steps:
-      - name: Wait for GHCR tag propagation
-        # GHCR's edge cache takes ~15-30s to consistently serve the new
-        # :staging-latest manifest after the registry accepts the push.
-        # Same rationale as redeploy-tenants-on-main.yml.
-        run: sleep 30
-
-      - name: Call staging-CP redeploy-fleet
-        # CP_STAGING_ADMIN_API_TOKEN must be set as a repo/org secret
-        # on molecule-ai/molecule-core, matching staging-CP's
-        # CP_ADMIN_API_TOKEN env var (visible in Railway controlplane
-        # / staging environment). Stored separately from the prod
-        # CP_ADMIN_API_TOKEN so a leak of one doesn't auth the other.
-        env:
-          CP_URL: ${{ vars.STAGING_CP_URL || 'https://staging-api.moleculesai.app' }}
-          CP_STAGING_ADMIN_API_TOKEN: ${{ secrets.CP_STAGING_ADMIN_API_TOKEN }}
-          TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
-          CANARY_SLUG: ${{ inputs.canary_slug || '' }}
-          SOAK_SECONDS: ${{ inputs.soak_seconds || '60' }}
-          BATCH_SIZE: ${{ inputs.batch_size || '3' }}
-          DRY_RUN: ${{ inputs.dry_run || false }}
-        run: |
-          set -euo pipefail
-
-          # Schedule-vs-dispatch hardening (mirrors sweep-cf-orphans
-          # and sweep-cf-tunnels): hard-fail on auto-trigger when the
-          # secret is missing so a misconfigured-repo doesn't silently
-          # serve stale staging tenants. Soft-skip on operator dispatch.
-          if [ -z "${CP_STAGING_ADMIN_API_TOKEN:-}" ]; then
-            if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-              echo "::warning::CP_STAGING_ADMIN_API_TOKEN secret not set — skipping redeploy"
-              echo "::warning::Set CP_STAGING_ADMIN_API_TOKEN in repo secrets to enable auto-redeploy."
-              echo "::notice::Pull the value from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
-              exit 0
-            fi
-            echo "::error::staging redeploy cannot run — CP_STAGING_ADMIN_API_TOKEN secret missing"
-            echo "::error::set it at Settings → Secrets and Variables → Actions; pull from staging-CP's CP_ADMIN_API_TOKEN env in Railway."
-            exit 1
-          fi
-
-          BODY=$(jq -nc \
-            --arg tag "$TARGET_TAG" \
-            --arg canary "$CANARY_SLUG" \
-            --argjson soak "$SOAK_SECONDS" \
-            --argjson batch "$BATCH_SIZE" \
-            --argjson dry "$DRY_RUN" \
-            '{
-              target_tag: $tag,
-              canary_slug: $canary,
-              soak_seconds: $soak,
-              batch_size: $batch,
-              dry_run: $dry
-            }')
-
-          echo "POST $CP_URL/cp/admin/tenants/redeploy-fleet"
-          echo "  body: $BODY"
-
-          HTTP_RESPONSE=$(mktemp)
-          HTTP_CODE_FILE=$(mktemp)
-          # Route -w into its own tempfile so curl's exit code (e.g. 56
-          # on connection-reset) can't pollute the captured stdout. The
-          # previous inline-substitution shape produced "000000" on
-          # connection reset — caught on main variant 2026-05-04
-          # redeploying sha 2b862f6. Same fix shape as the synth-E2E
-          # §9c gate (PR #2797). See lint-curl-status-capture.yml for
-          # the CI gate that pins this fix shape.
-          set +e
-          curl -sS -o "$HTTP_RESPONSE" -w '%{http_code}' \
-            -m 1200 \
-            -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" \
-            -H "Content-Type: application/json" \
-            -X POST "$CP_URL/cp/admin/tenants/redeploy-fleet" \
-            -d "$BODY" >"$HTTP_CODE_FILE"
-          set -e
-          # Stderr from curl (-sS shows dial errors etc.) goes to the
-          # runner log so operators can see WHY a connection failed.
-          HTTP_CODE=$(cat "$HTTP_CODE_FILE" 2>/dev/null || echo "000")
-          [ -z "$HTTP_CODE" ] && HTTP_CODE="000"
-
-          echo "HTTP $HTTP_CODE"
-          cat "$HTTP_RESPONSE" | jq . || cat "$HTTP_RESPONSE"
-
-          {
-            echo "## Staging tenant redeploy fleet"
-            echo ""
-            echo "**Target tag:** \`$TARGET_TAG\`"
-            echo "**Canary:** \`${CANARY_SLUG:-(none — staging is itself the canary)}\` (soak ${SOAK_SECONDS}s)"
-            echo "**Batch size:** $BATCH_SIZE"
-            echo "**Dry run:** $DRY_RUN"
-            echo "**HTTP:** $HTTP_CODE"
-            echo ""
-            echo "### Per-tenant result"
-            echo ""
-            echo '| Slug | Phase | SSM Status | Exit | Healthz | Error |'
-            echo '|------|-------|------------|------|---------|-------|'
-            jq -r '.results[]? | "| \(.slug) | \(.phase) | \(.ssm_status // "-") | \(.ssm_exit_code) | \(.healthz_ok) | \(.error // "-") |"' "$HTTP_RESPONSE" || true
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          # Distinguish "real fleet failure" from "E2E teardown race".
-          #
-          # CP returns HTTP 500 + ok=false whenever ANY tenant in the
-          # fleet failed SSM or healthz. In practice the recurring source
-          # of these is ephemeral test tenants being torn down by their
-          # parent E2E run mid-redeploy: the EC2 dies → SSM exit=2 or
-          # healthz timeout → CP marks the fleet failed → this workflow
-          # goes red even though every operator-facing tenant rolled fine.
-          #
-          # Ephemeral slug prefixes (kept in sync with sweep-stale-e2e-orgs.yml
-          # — see that file for the source-of-truth list and rationale):
-          #   - e2e-*       — canvas/saas/ext E2E suites
-          #   - rt-e2e-*    — runtime-test harness fixtures (RFC #2251)
-          # Long-lived prefixes that are NOT ephemeral and MUST hard-fail:
-          # demo-prep, dryrun-*, dryrun2-*, plus all human tenant slugs.
-          #
-          # Filter: if HTTP=500/ok=false AND every failed slug matches an
-          # ephemeral prefix, treat as soft-warn and let the verify step
-          # downstream handle unreachable-vs-stale (#2402). Any non-ephemeral
-          # failure or a non-500 HTTP response remains a hard failure.
-          OK=$(jq -r '.ok // "false"' "$HTTP_RESPONSE")
-          FAILED_SLUGS=$(jq -r '
-            .results[]?
-            | select((.healthz_ok != true) or (.ssm_status != "Success"))
-            | .slug' "$HTTP_RESPONSE" 2>/dev/null || true)
-          EPHEMERAL_PREFIX_RE='^(e2e-|rt-e2e-)'
-          NON_EPHEMERAL_FAILED=$(printf '%s\n' "$FAILED_SLUGS" | grep -v '^$' | grep -Ev "$EPHEMERAL_PREFIX_RE" || true)
-
-          if [ "$HTTP_CODE" = "200" ] && [ "$OK" = "true" ]; then
-            : # happy path — fall through to verification
-          elif [ "$HTTP_CODE" = "500" ] && [ -z "$NON_EPHEMERAL_FAILED" ] && [ -n "$FAILED_SLUGS" ]; then
-            COUNT=$(printf '%s\n' "$FAILED_SLUGS" | grep -Ec "$EPHEMERAL_PREFIX_RE" || true)
-            echo "::warning::redeploy-fleet returned HTTP 500 but every failed tenant ($COUNT) is ephemeral (e2e-*/rt-e2e-*) — treating as teardown race, soft-warning."
-            printf '%s\n' "$FAILED_SLUGS" | sed 's/^/::warning::  failed: /'
-          elif [ "$HTTP_CODE" != "200" ]; then
-            echo "::error::redeploy-fleet returned HTTP $HTTP_CODE"
-            if [ -n "$NON_EPHEMERAL_FAILED" ]; then
-              echo "::error::non-ephemeral tenant(s) failed:"
-              printf '%s\n' "$NON_EPHEMERAL_FAILED" | sed 's/^/::error::  /'
-            fi
-            exit 1
-          else
-            # HTTP=200 but ok=false (shouldn't happen with current CP
-            # but keep the gate for completeness).
-            echo "::error::redeploy-fleet reported ok=false (see summary for which tenant halted the rollout)"
-            exit 1
-          fi
-          echo "::notice::Staging tenant fleet redeploy reported ssm_status=Success — verifying actual image roll on each tenant..."
-
-          cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"
-
-      - name: Verify each staging tenant /buildinfo matches published SHA
-        # Mirror of the verify step in redeploy-tenants-on-main.yml — see
-        # there for the rationale (#2395 root fix). Staging has the same
-        # ssm_status-success-but-stale-image hazard and benefits from the
-        # same gate. Diff: TENANT_DOMAIN includes the `staging.` infix.
-        env:
-          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
-          TARGET_TAG: ${{ inputs.target_tag || 'staging-latest' }}
-          TENANT_DOMAIN: 'staging.moleculesai.app'
-        run: |
-          set -euo pipefail
-
-          # staging-latest is the staging-side moving tag; treat it the
-          # same way main treats `latest`. Operator-pinned SHAs skip
-          # verification (see main variant for why).
-          if [ "$TARGET_TAG" != "staging-latest" ] && [ "$TARGET_TAG" != "latest" ] && [ "$TARGET_TAG" != "$EXPECTED_SHA" ]; then
-            echo "::notice::target_tag=$TARGET_TAG (operator-pinned) — skipping per-tenant SHA verification."
-            exit 0
-          fi
-
-          RESP="$RUNNER_TEMP/redeploy-response.json"
-          if [ ! -s "$RESP" ]; then
-            echo "::error::redeploy-response.json missing or empty"
-            exit 1
-          fi
-
-          mapfile -t SLUGS < <(jq -r '.results[]? | select(.healthz_ok == true) | .slug' "$RESP")
-          if [ ${#SLUGS[@]} -eq 0 ]; then
-            echo "::warning::No staging tenants reported healthz_ok — nothing to verify"
-            exit 0
-          fi
-
-          echo "Verifying ${#SLUGS[@]} staging tenant(s) against EXPECTED_SHA=${EXPECTED_SHA:0:7}..."
-
-          # Two distinct failure modes here:
-          #   STALE_COUNT      — tenant returned a SHA that doesn't match. THIS is
-          #                      the #2395 bug class: tenant up + serving old code.
-          #                      Always hard-fail the workflow.
-          #   UNREACHABLE_COUNT — tenant didn't respond. Almost always a benign
-          #                      teardown race: redeploy-fleet snapshot says
-          #                      healthz_ok=true, then the E2E suite tears the
-          #                      ephemeral tenant down before this step runs (the
-          #                      e2e-* fixtures churn 5-10/hour on staging). Soft-
-          #                      warn so we don't block staging→main on cleanup.
-          #                      Real "tenant up but unreachable" is caught by CP's
-          #                      own healthz monitor + the post-redeploy alert; we
-          #                      don't need to double-count it here.
-          STALE_COUNT=0
-          UNREACHABLE_COUNT=0
-          STALE_LINES=()
-          UNREACHABLE_LINES=()
-          for slug in "${SLUGS[@]}"; do
-            URL="https://${slug}.${TENANT_DOMAIN}/buildinfo"
-            BODY=$(curl -sS --max-time 30 --retry 3 --retry-delay 5 --retry-connrefused "$URL" || true)
-            ACTUAL_SHA=$(echo "$BODY" | jq -r '.git_sha // ""' 2>/dev/null || echo "")
-            if [ -z "$ACTUAL_SHA" ]; then
-              UNREACHABLE_COUNT=$((UNREACHABLE_COUNT + 1))
-              UNREACHABLE_LINES+=("| $slug | (no /buildinfo response) | ${EXPECTED_SHA:0:7} | ⚠ unreachable (likely teardown race) |")
-              continue
-            fi
-            if [ "$ACTUAL_SHA" = "$EXPECTED_SHA" ]; then
-              echo "  $slug: ${ACTUAL_SHA:0:7} ✓"
-            else
-              STALE_COUNT=$((STALE_COUNT + 1))
-              STALE_LINES+=("| $slug | ${ACTUAL_SHA:0:7} | ${EXPECTED_SHA:0:7} | ❌ stale |")
-            fi
-          done
-
-          {
-            echo ""
-            echo "### Per-tenant /buildinfo verification (staging)"
-            echo ""
-            echo "Expected SHA: \`${EXPECTED_SHA:0:7}\`"
-            echo ""
-            if [ $STALE_COUNT -gt 0 ]; then
-              echo "**${STALE_COUNT} STALE tenant(s) — these did NOT pick up the new image despite ssm_status=Success:**"
-              echo ""
-              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
-              echo "|------|----------------------|----------|--------|"
-              for line in "${STALE_LINES[@]}"; do echo "$line"; done
-              echo ""
-            fi
-            if [ $UNREACHABLE_COUNT -gt 0 ]; then
-              echo "**${UNREACHABLE_COUNT} unreachable tenant(s) — likely E2E teardown race (soft-warn, not failing):**"
-              echo ""
-              echo "| Slug | Actual /buildinfo SHA | Expected | Status |"
-              echo "|------|----------------------|----------|--------|"
-              for line in "${UNREACHABLE_LINES[@]}"; do echo "$line"; done
-              echo ""
-            fi
-            if [ $STALE_COUNT -eq 0 ] && [ $UNREACHABLE_COUNT -eq 0 ]; then
-              echo "All ${#SLUGS[@]} staging tenants returned matching SHA. ✓"
-            fi
-          } >> "$GITHUB_STEP_SUMMARY"
-
-          if [ $UNREACHABLE_COUNT -gt 0 ]; then
-            echo "::warning::$UNREACHABLE_COUNT staging tenant(s) unreachable post-redeploy. Likely benign teardown race — CP healthz monitor catches real outages."
-          fi
-
-          # Belt-and-suspenders sanity floor: if MORE than half the fleet is
-          # unreachable AND the fleet is large enough that "half down" is
-          # statistically meaningful, this is a real outage (e.g. new image
-          # crashes on startup), not a teardown race. Hard-fail.
-          #
-          # Floor only applies when TOTAL_VERIFIED >= 4 — below that, the
-          # canary-verify step is the actual gate for "all tenants down"
-          # detection (it runs against the canary first and aborts the
-          # rollout if the canary fails to come up). Without the >=4 gate,
-          # a 1-tenant fleet (e.g. a single ephemeral e2e-* tenant on a
-          # quiet staging push) would re-flake on the exact teardown-race
-          # condition #2402 fixed: 1 of 1 unreachable = 100% > 50% → fail.
-          TOTAL_VERIFIED=${#SLUGS[@]}
-          if [ $TOTAL_VERIFIED -ge 4 ] && [ $UNREACHABLE_COUNT -gt $((TOTAL_VERIFIED / 2)) ]; then
-            echo "::error::$UNREACHABLE_COUNT of $TOTAL_VERIFIED staging tenant(s) unreachable — exceeds 50% threshold on a fleet large enough that this signals a real outage, not teardown race."
-            exit 1
-          fi
-
-          if [ $STALE_COUNT -gt 0 ]; then
-            echo "::error::$STALE_COUNT staging tenant(s) returned a stale SHA. ssm_status=Success was misleading — see job summary."
-            exit 1
-          fi
-
-          echo "::notice::Staging tenant fleet redeploy complete — all reachable tenants on ${EXPECTED_SHA:0:7} (${UNREACHABLE_COUNT} unreachable, soft-warned)."
@@ -57,24 +57,24 @@ See `CLAUDE.md` for a full list of environment variables and their purposes.

 This repo is scoped to **code** (canvas, workspace, workspace-server, related
 infra). Public content (blog posts, marketing copy, OG images, SEO briefs,
-DevRel demos) lives in [`Molecule-AI/docs`](https://git.moleculesai.app/molecule-ai/docs).
+DevRel demos) lives in [`molecule-ai/docs`](https://git.moleculesai.app/molecule-ai/docs).
 The `Block forbidden paths` CI gate fails any PR that writes to `marketing/`
-or other removed paths — open against `Molecule-AI/docs` instead.
+or other removed paths — open against `molecule-ai/docs` instead.

 | Content type | Target |
 |---|---|
-| Blog posts | `Molecule-AI/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
-| Doc pages | `Molecule-AI/docs` → `content/docs/` |
-| Marketing copy / PMM positioning | `Molecule-AI/docs` → `marketing/` |
-| OG images, visual assets | `Molecule-AI/docs` → `app/` or `marketing/` |
-| SEO briefs | `Molecule-AI/docs` → `marketing/` |
-| DevRel demos (runnable code) | Standalone repo under `Molecule-AI/`, OR embedded in `Molecule-AI/docs` |
+| Blog posts | `molecule-ai/docs` → `content/blog/<YYYY-MM-DD-slug>/` |
+| Doc pages | `molecule-ai/docs` → `content/docs/` |
+| Marketing copy / PMM positioning | `molecule-ai/docs` → `marketing/` |
+| OG images, visual assets | `molecule-ai/docs` → `app/` or `marketing/` |
+| SEO briefs | `molecule-ai/docs` → `marketing/` |
+| DevRel demos (runnable code) | Standalone repo under `molecule-ai/`, OR embedded in `molecule-ai/docs` |
 | Launch checklists, internal tracking | GitHub Issues — **not** committed files |
 | Engineering docs (`docs/adr/`, `docs/architecture/`, `docs/incidents/`) | This repo (internal, not published) |
 | Live product pages (e.g. `canvas/src/app/pricing/page.tsx`) | This repo (these are app code, not marketing copy) |

 If a PR fails the `Block forbidden paths` check, the contents belong in
-`Molecule-AI/docs`. No CI drag, no Canvas E2E, content lands in minutes.
+`molecule-ai/docs`. No CI drag, no Canvas E2E, content lands in minutes.

 ## Development Workflow

@@ -190,9 +190,9 @@ Runs the full regression suite against a fixture HTTP server. No network access
 Code in this repo lands in molecule-core. Some related runtime artifacts
 live in their own repos:

- [`Molecule-AI/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
- [`Molecule-AI/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
- [`Molecule-AI/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install with `claude --channels plugin:molecule@Molecule-AI/molecule-mcp-claude-channel`.
+- [`molecule-ai/molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime) — Python adapter SDK (`molecule_runtime`) that runs inside containerized Molecule workspaces. Bridges Claude Code SDK / hermes / langgraph / etc. → A2A queue.
+- [`molecule-ai/molecule-sdk-python`](https://git.moleculesai.app/molecule-ai/molecule-sdk-python) — `A2AServer` + `RemoteAgentClient` for external agents that register over the public `/registry/register` flow.
+- [`molecule-ai/molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel) — Claude Code channel plugin. Bridges A2A traffic into a running Claude Code session via MCP `notifications/claude/channel`. Polling-based (no tunnel required); install inside Claude Code via `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`.

 When extending the **A2A surface** in molecule-core (`workspace-server/internal/handlers/a2a_proxy.go` etc.), consider whether the change has a downstream impact on the runtime SDK or the channel plugin — they're versioned independently but share the wire shape.

@@ -4,10 +4,10 @@
 # use this Makefile; CI calls docker compose / go test directly so the
 # Makefile can evolve without breaking the build.

-.PHONY: help dev up down logs build test
+.PHONY: help dev up down logs build test e2e-peer-visibility

 help: ## Show this help.
-	@grep -E '^[a-zA-Z_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-12s\033[0m %s\n", $$1, $$2}'
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-22s\033[0m %s\n", $$1, $$2}'

 dev: ## Start the full stack with air hot-reload for the platform service.
 	docker compose -f docker-compose.yml -f docker-compose.dev.yml up
@@ -26,3 +26,13 @@ build: ## Force a fresh build of the platform image (no cache).

 test: ## Run Go unit tests in workspace-server/.
 	cd workspace-server && go test -race ./...
+
+# ─── Local prod-mimic E2E gates ────────────────────────────────────────
+# Run the LITERAL peer-visibility MCP list_peers gate against the
+# already-running local stack (`make up` or `make dev`). Same byte-
+# identical assertion as the staging gate — only provisioning differs.
+# Skips any runtime whose provider key is absent (partially-keyed env
+# is fine). See tests/e2e/test_peer_visibility_mcp_local.sh for the
+# env contract (CLAUDE_CODE_OAUTH_TOKEN / E2E_MINIMAX_API_KEY / etc).
+e2e-peer-visibility: ## Run the LOCAL peer-visibility MCP gate vs the running stack (needs `make up` first).
+	bash tests/e2e/test_peer_visibility_mcp_local.sh
@@ -238,7 +238,7 @@ The result is not just “an agent that learns.” It is **an organization that
 - subscribe to one or more workspaces; peer messages surface as conversation turns; replies route back through Molecule's A2A
 - no tunnel, no public endpoint — the plugin self-registers each watched workspace as `delivery_mode=poll` and long-polls `/activity?since_id=…`
 - multi-tenant friendly: one plugin install can watch workspaces across multiple Molecule tenants (`MOLECULE_PLATFORM_URLS` per-workspace)
- install via the standard marketplace flow: `/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
+- install via the standard marketplace flow: `/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`, then launch with `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel`

 ## Built For Teams That Need More Than A Demo

@@ -237,7 +237,7 @@ Molecule AI 并不是要替代下面这些 framework，而是把它们纳入更
 - 订阅一个或多个 workspace；peer 的消息会以 user-turn 出现，回复会经 Molecule A2A 路由出去
 - 无需公网隧道、无需公开端点 —— 插件启动时自动把每个 watched workspace 注册成 `delivery_mode=poll`，长轮询 `/activity?since_id=…`
 - 多租户友好：单次安装即可同时 watch 跨多个 Molecule 租户的 workspace（`MOLECULE_PLATFORM_URLS` 按 workspace 配置）
- 通过标准 marketplace 流程安装：`/plugin marketplace add Molecule-AI/molecule-mcp-claude-channel` → `/plugin install molecule-channel@molecule-mcp-claude-channel`
+- 通过标准 marketplace 流程安装：`/plugin marketplace add https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel.git` → `/plugin install molecule@molecule-channel`，然后用 `claude --dangerously-load-development-channels --channels plugin:molecule@molecule-channel` 启动

 ## 适合什么团队

@@ -0,0 +1,173 @@
+import { test, expect } from "@playwright/test";
+import { startEchoRuntime } from "./fixtures/echo-runtime";
+import { seedWorkspace, startHeartbeat, cleanupWorkspace } from "./fixtures/chat-seed";
+
+
+test.describe("Desktop ChatTab", () => {
+  let cleanup: () => Promise<void> = async () => {};
+  let workspaceId = "";
+  let workspaceName = "";
+
+  test.beforeAll(async () => {
+    const echo = await startEchoRuntime();
+    const ws = await seedWorkspace(echo.baseURL);
+    workspaceId = ws.id;
+    workspaceName = ws.name;
+    const stopHeartbeat = startHeartbeat(ws.id, ws.authToken);
+
+    cleanup = async () => {
+      stopHeartbeat();
+      await echo.stop();
+    };
+  });
+
+  test.afterAll(async () => {
+    await cleanupWorkspace(workspaceId);
+    await cleanup();
+  });
+
+  test.beforeEach(async ({ page }) => {
+    await page.setViewportSize({ width: 1280, height: 800 });
+    await page.goto("/");
+    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
+    // Dismiss onboarding guide if present.
+    const skipGuide = page.getByText("Skip guide");
+    if (await skipGuide.isVisible().catch(() => false)) {
+      await skipGuide.click();
+    }
+    // Click the workspace node by its exact name label.
+    await page.getByText(workspaceName, { exact: true }).first().click();
+    // Wait for the side panel chat tab to be clickable, then click it.
+    await page.locator('#tab-chat').click();
+    await page.waitForSelector("[data-testid='chat-panel']", { timeout: 5_000 });
+    // Wait for the workspace status to flip to online and the textarea to be enabled.
+    await expect(page.locator("textarea").first()).toBeEnabled({ timeout: 15_000 });
+  });
+
+  test("chat panel loads without error", async ({ page }) => {
+    const hasEmptyState = await page.getByText("Send a message to start chatting.").isVisible().catch(() => false);
+    const hasHistory = await page.locator("[data-testid='chat-panel']").locator("div").count() > 3;
+    expect(hasEmptyState || hasHistory).toBeTruthy();
+  });
+
+  test("send text message and receive echo response", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("What is the weather?");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("What is the weather?")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Echo: What is the weather?")).toBeVisible({ timeout: 15_000 });
+  });
+
+  test("history persists across reload", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Persistence test");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Echo: Persistence test")).toBeVisible({ timeout: 15_000 });
+
+    await page.reload();
+    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
+    await page.getByText(workspaceName, { exact: true }).first().click();
+    await page.locator('#tab-chat').click();
+    await page.waitForSelector("[data-testid='chat-panel']", { timeout: 5_000 });
+    // Wait for the workspace status to flip to online and the textarea to be enabled.
+    await expect(page.locator("textarea").first()).toBeEnabled({ timeout: 15_000 });
+
+    await expect(page.getByText("Persistence test", { exact: true })).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Echo: Persistence test")).toBeVisible({ timeout: 5_000 });
+  });
+
+  test("file attachment round-trip", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Please read this file");
+
+    const fileInput = page.locator("[data-testid='chat-panel'] input[type='file']").first();
+    await fileInput.setInputFiles({
+      name: "test.txt",
+      mimeType: "text/plain",
+      buffer: Buffer.from("secret content abc123"),
+    });
+
+    await expect(page.getByText("test.txt")).toBeVisible({ timeout: 3_000 });
+
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Echo: Please read this file")).toBeVisible({ timeout: 15_000 });
+  });
+
+  test("activity log appears during send", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Trigger activity");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    // Activity log container should appear during the send flow.
+    await expect(page.locator("[data-testid='activity-log']").first()).toBeVisible({ timeout: 10_000 }).catch(() => {
+      // Activity log may not be present in all layouts.
+    });
+  });
+});
+
+test.describe("Desktop ChatTab — Markdown rendering", () => {
+  let cleanup: () => Promise<void> = async () => {};
+  let workspaceId = "";
+  let workspaceName = "";
+
+  test.beforeAll(async () => {
+    const echo = await startEchoRuntime();
+    const ws = await seedWorkspace(echo.baseURL);
+    workspaceId = ws.id;
+    workspaceName = ws.name;
+    const stopHeartbeat = startHeartbeat(ws.id, ws.authToken);
+
+    cleanup = async () => {
+      stopHeartbeat();
+      await echo.stop();
+    };
+  });
+
+  test.afterAll(async () => {
+    await cleanupWorkspace(workspaceId);
+    await cleanup();
+  });
+
+  test.beforeEach(async ({ page }) => {
+    await page.setViewportSize({ width: 1280, height: 800 });
+    await page.goto("/");
+    await page.waitForSelector(".react-flow__node", { timeout: 10_000 });
+    const skipGuide2 = page.getByText("Skip guide");
+    if (await skipGuide2.isVisible().catch(() => false)) {
+      await skipGuide2.click();
+    }
+    await page.getByText(workspaceName, { exact: true }).first().click();
+    await page.locator('#tab-chat').click();
+    await page.waitForSelector("[data-testid='chat-panel']", { timeout: 5_000 });
+    // Wait for the workspace status to flip to online and the textarea to be enabled.
+    await expect(page.locator("textarea").first()).toBeEnabled({ timeout: 15_000 });
+  });
+
+  test("code block renders <pre>", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("```js\nconst x = 1;\n```");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Echo: ```js")).toBeVisible({ timeout: 15_000 });
+
+    const pre = page.locator("pre").first();
+    await expect(pre).toBeVisible({ timeout: 5_000 });
+    await expect(pre).toContainText("const x = 1;");
+  });
+
+  test("table renders <table>", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("| A | B |\n|---|---|\n| 1 | 2 |");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Echo: | A | B |")).toBeVisible({ timeout: 15_000 });
+
+    const table = page.locator("table").first();
+    await expect(table).toBeVisible({ timeout: 5_000 });
+    await expect(table).toContainText("A");
+    await expect(table).toContainText("1");
+  });
+});
@@ -0,0 +1,97 @@
+import { test, expect } from "@playwright/test";
+import { startEchoRuntime } from "./fixtures/echo-runtime";
+import { seedWorkspace, startHeartbeat, cleanupWorkspace } from "./fixtures/chat-seed";
+
+
+test.describe("MobileChat", () => {
+  let cleanup: () => Promise<void> = async () => {};
+  let workspaceId = "";
+
+  test.beforeAll(async () => {
+    const echo = await startEchoRuntime();
+    const ws = await seedWorkspace(echo.baseURL);
+    workspaceId = ws.id;
+    const stopHeartbeat = startHeartbeat(ws.id, ws.authToken);
+
+    cleanup = async () => {
+      stopHeartbeat();
+      await echo.stop();
+    };
+  });
+
+  test.afterAll(async () => {
+    await cleanupWorkspace(workspaceId);
+    await cleanup();
+  });
+
+  test.beforeEach(async ({ page }) => {
+    await page.setViewportSize({ width: 375, height: 812 });
+    // Navigate directly to the mobile chat view.
+    await page.goto(`/?m=chat&a=${workspaceId}`);
+    await page.waitForSelector("[data-testid='chat-panel']", { timeout: 10_000 });
+    // Wait for the workspace status to flip to online and the textarea to be enabled.
+    await expect(page.locator("textarea").first()).toBeEnabled({ timeout: 15_000 });
+    // Dismiss onboarding guide if present.
+    const skipGuide = page.getByText("Skip guide");
+    if (await skipGuide.isVisible().catch(() => false)) {
+      await skipGuide.click();
+    }
+  });
+
+  test("chat panel loads without error", async ({ page }) => {
+    const hasEmptyState = await page.getByText("Send a message to start chatting.").isVisible().catch(() => false);
+    const hasHistory = await page.locator("[data-testid='chat-panel']").locator("div").count() > 3;
+    expect(hasEmptyState || hasHistory).toBeTruthy();
+  });
+
+  test("send text message and receive echo response", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Mobile test message");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Mobile test message")).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Echo: Mobile test message")).toBeVisible({ timeout: 15_000 });
+  });
+
+  test("history persists across reload", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Mobile persistence");
+    await page.getByRole("button", { name: /Send/ }).first().click();
+
+    await expect(page.getByText("Echo: Mobile persistence")).toBeVisible({ timeout: 15_000 });
+
+    await page.reload();
+    await page.waitForSelector("[data-testid='chat-panel']", { timeout: 10_000 });
+
+    await expect(page.getByText("Mobile persistence", { exact: true })).toBeVisible({ timeout: 5_000 });
+    await expect(page.getByText("Echo: Mobile persistence")).toBeVisible({ timeout: 5_000 });
+  });
+
+  test("composer auto-grows with multi-line text", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    const initialHeight = await textarea.evaluate((el: HTMLElement) => el.offsetHeight);
+
+    await textarea.fill("Line 1\nLine 2\nLine 3\nLine 4\nLine 5");
+    await page.waitForTimeout(300);
+
+    const grownHeight = await textarea.evaluate((el: HTMLElement) => el.offsetHeight);
+    expect(grownHeight).toBeGreaterThan(initialHeight);
+  });
+
+  test("file attachment in mobile chat", async ({ page }) => {
+    const textarea = page.locator("textarea").first();
+    await textarea.fill("Mobile file test");
+
+    const fileInput = page.locator("[data-testid='chat-panel'] input[type='file']").first();
+    await fileInput.setInputFiles({
+      name: "mobile.txt",
+      mimeType: "text/plain",
+      buffer: Buffer.from("mobile secret"),
+    });
+
+    await expect(page.getByText("mobile.txt")).toBeVisible({ timeout: 3_000 });
+
+    await page.getByRole("button", { name: /Send/ }).first().click();
+    await expect(page.getByText("Echo: Mobile file test")).toBeVisible({ timeout: 15_000 });
+  });
+});
@@ -0,0 +1,187 @@
+/**
+ * E2E seed fixture for chat tests.
+ *
+ * Creates an external workspace via the workspace-server API, extracts the
+ * auto-minted auth token, then overrides the DB row so it appears "online"
+ * with an echo-runtime URL.  External runtime is used because the health
+ * sweep skips Docker checks for external workspaces; we keep the workspace
+ * alive with periodic heartbeats.
+ */
+
+import { randomUUID } from "node:crypto";
+
+const PLATFORM_URL = process.env.E2E_PLATFORM_URL ?? "http://localhost:8080";
+
+export interface SeededWorkspace {
+  id: string;
+  name: string;
+  agentURL: string;
+  authToken: string;
+}
+
+/**
+ * Create an external workspace and wire it to the echo runtime.
+ */
+export async function seedWorkspace(echoURL: string): Promise<SeededWorkspace> {
+  // 1. Create external workspace (no URL — platform will mint an auth token).
+  const runId = Math.random().toString(36).slice(2, 8);
+  const wsName = `Chat E2E Agent ${runId}`;
+  const createRes = await fetch(`${PLATFORM_URL}/workspaces`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ name: wsName, tier: 1, external: true, runtime: "external" }),
+  });
+  if (!createRes.ok) {
+    const text = await createRes.text();
+    throw new Error(`Failed to create workspace: ${createRes.status} ${text}`);
+  }
+  const ws = (await createRes.json()) as {
+    id: string;
+    name: string;
+    connection?: { auth_token?: string };
+  };
+  const authToken = ws.connection?.auth_token;
+  if (!authToken) {
+    throw new Error("Workspace created but no auth_token returned");
+  }
+
+  // 2. Direct DB update: mark online + point url at echo runtime.
+  //    The platform blocks loopback URLs at the API layer (SSRF guard),
+  //    so we bypass via psql for local E2E.
+  const dbUrl = process.env.E2E_DATABASE_URL;
+  if (!dbUrl) {
+    throw new Error("E2E_DATABASE_URL must be set for DB seeding");
+  }
+  const pgRegex = /postgres:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/;
+  const m = dbUrl.match(pgRegex);
+  if (!m) {
+    throw new Error(`Cannot parse E2E_DATABASE_URL: ${dbUrl}`);
+  }
+  const [, user, pass, host, port, db] = m;
+
+  // Pre-seed a platform_inbound_secret so chat file uploads don't trigger
+  // the lazy-heal 503 "retry in 30 s" path on first use.
+  const inboundSecret = Array.from({ length: 43 }, () =>
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"[
+      Math.floor(Math.random() * 64)
+    ],
+  ).join("");
+
+  const psql = [
+    `PGPASSWORD=${pass} psql`,
+    `-h ${host} -p ${port} -U ${user} -d ${db}`,
+    `-c "UPDATE workspaces SET status = 'online', url = '${echoURL}', platform_inbound_secret = '${inboundSecret}' WHERE id = '${ws.id}'"`,
+  ].join(" ");
+
+  const { execSync } = await import("node:child_process");
+  try {
+    execSync(psql, { stdio: "pipe", timeout: 30_000 });
+  } catch (err) {
+    throw new Error(`DB update failed: ${err}`);
+  }
+
+  return { id: ws.id, name: wsName, agentURL: echoURL, authToken };
+}
+
+/**
+ * Start a heartbeat interval that keeps an external workspace alive.
+ * Returns a stop function.
+ */
+export function startHeartbeat(
+  workspaceId: string,
+  authToken: string,
+  intervalMs = 30_000,
+): () => void {
+  const send = () => {
+    fetch(`${PLATFORM_URL}/registry/heartbeat`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${authToken}`,
+      },
+      body: JSON.stringify({
+        workspace_id: workspaceId,
+        error_rate: 0,
+        sample_error: "",
+        active_tasks: 0,
+        current_task: "",
+        uptime_seconds: 0,
+      }),
+    }).catch(() => {});
+  };
+
+  // Send immediately so the first heartbeat lands before the stale sweep.
+  send();
+  const timer = setInterval(send, intervalMs);
+
+  return () => clearInterval(timer);
+}
+
+/**
+ * Seed chat-history rows for a workspace.
+ */
+export async function seedChatHistory(
+  workspaceId: string,
+  messages: Array<{ role: "user" | "agent"; content: string }>,
+): Promise<void> {
+  const dbUrl = process.env.E2E_DATABASE_URL;
+  if (!dbUrl) return;
+
+  const pgRegex = /postgres:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/;
+  const m = dbUrl.match(pgRegex);
+  if (!m) return;
+  const [, user, pass, host, port, db] = m;
+
+  const values = messages
+    .map(
+      (msg, i) =>
+        `('${randomUUID()}', '${workspaceId}', '${msg.role}', '${msg.content.replace(/'/g, "''")}', NOW() - INTERVAL '${messages.length - i} seconds')`,
+    )
+    .join(",");
+
+  const sql = `INSERT INTO chat_messages (id, workspace_id, role, content, created_at) VALUES ${values};`;
+
+  const { execSync } = await import("node:child_process");
+  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "${sql}"`;
+  execSync(psql, { stdio: "pipe", timeout: 10_000 });
+}
+
+/**
+ * Delete a seeded workspace row directly from the DB.
+ * Uses psql (same credentials as seedWorkspace) so we bypass any
+ * workspace-server side-effects (container stop, cascade cleanup, etc.)
+ * that can race or 500 on external workspaces.
+ */
+export async function cleanupWorkspace(workspaceId: string): Promise<void> {
+  const dbUrl = process.env.E2E_DATABASE_URL;
+  if (!dbUrl) return;
+
+  const pgRegex = /postgres:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/([^?]+)/;
+  const m = dbUrl.match(pgRegex);
+  if (!m) return;
+  const [, user, pass, host, port, db] = m;
+
+  const psql = `PGPASSWORD=${pass} psql -h ${host} -p ${port} -U ${user} -d ${db} -c "DELETE FROM workspaces WHERE id = '${workspaceId}'"`;
+
+  const { execSync } = await import("node:child_process");
+  try {
+    execSync(psql, { stdio: "pipe", timeout: 30_000 });
+  } catch {
+    // Best-effort cleanup; don't fail the test suite if the row is already gone.
+  }
+}
+
+/**
+ * Mint a workspace auth token so the canvas can make authenticated API
+ * calls (WorkspaceAuth middleware).
+ */
+export async function mintTestToken(workspaceId: string): Promise<string> {
+  const res = await fetch(
+    `${PLATFORM_URL}/admin/workspaces/${workspaceId}/test-token`,
+  );
+  if (!res.ok) {
+    throw new Error(`Failed to mint test token: ${res.status}`);
+  }
+  const data = (await res.json()) as { auth_token: string };
+  return data.auth_token;
+}
@@ -0,0 +1,180 @@
+/**
+ * Minimal A2A echo runtime for E2E tests.
+ *
+ * Listens on an ephemeral port, receives A2A JSON-RPC `message/send`
+ * requests, and returns a response with the original text echoed back.
+ * Also implements the workspace-side chat upload ingest endpoint so
+ * file-attachment E2E can exercise the full upload → send → echo
+ * round-trip.
+ *
+ * Usage (inside test fixture):
+ *   const echo = await startEchoRuntime();
+ *   // ... seed workspace with agent_url pointing to echo.baseURL ...
+ *   echo.stop();
+ */
+
+import { createServer, type Server } from "node:http";
+
+export interface EchoRuntime {
+  baseURL: string;
+  stop: () => Promise<void>;
+  lastRequest: { method: string; text: string; files: unknown[] } | null;
+}
+
+/** Parse a minimal multipart body and extract the first file's name + content. */
+function parseMultipart(body: Buffer): { name: string; mimeType: string; content: Buffer } | null {
+  // Find the boundary line (first line starting with "--").
+  const str = body.toString("binary");
+  const firstDash = str.indexOf("--");
+  if (firstDash === -1) return null;
+  const eol = str.indexOf("\r\n", firstDash);
+  if (eol === -1) return null;
+  const boundary = str.slice(firstDash + 2, eol);
+  const boundaryMarker = "\r\n--" + boundary;
+
+  // Find the first part that has a filename in Content-Disposition.
+  let pos = eol + 2;
+  while (pos < str.length) {
+    const nextBoundary = str.indexOf(boundaryMarker, pos);
+    if (nextBoundary === -1) break;
+    const part = str.slice(pos, nextBoundary);
+
+    const cdMatch = part.match(/Content-Disposition:[^\r\n]*filename="([^"]+)"/i);
+    if (cdMatch) {
+      const name = cdMatch[1];
+      const ctMatch = part.match(/Content-Type:\s*([^\r\n]+)/i);
+      const mimeType = ctMatch ? ctMatch[1].trim() : "application/octet-stream";
+      // Body starts after the first double-CRLF in the part.
+      const bodyStart = part.indexOf("\r\n\r\n");
+      if (bodyStart !== -1) {
+        // Extract the raw bytes (not the string) so binary is safe.
+        const headerBytes = Buffer.byteLength(part.slice(0, bodyStart + 4), "binary");
+        const partStartInBody = Buffer.byteLength(str.slice(0, pos + bodyStart + 4), "binary");
+        const partEndInBody = Buffer.byteLength(str.slice(0, nextBoundary), "binary");
+        const content = body.subarray(partStartInBody, partEndInBody);
+        return { name, mimeType, content };
+      }
+    }
+    pos = nextBoundary + boundaryMarker.length;
+    // Skip trailing "--" (end marker) or CRLF.
+    if (str.slice(pos, pos + 2) === "--") break;
+    if (str.slice(pos, pos + 2) === "\r\n") pos += 2;
+  }
+  return null;
+}
+
+export async function startEchoRuntime(): Promise<EchoRuntime> {
+  let lastRequest: EchoRuntime["lastRequest"] = null;
+
+  const server = createServer((req, res) => {
+    // CORS: allow the canvas origin (localhost:3000) to call us.
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+
+    const url = req.url ?? "/";
+
+    // Workspace-side chat upload ingest (RFC #2312).
+    if (url === "/internal/chat/uploads/ingest" && req.method === "POST") {
+      const chunks: Buffer[] = [];
+      req.on("data", (chunk: Buffer) => chunks.push(chunk));
+      req.on("end", () => {
+        const body = Buffer.concat(chunks);
+        const file = parseMultipart(body);
+        if (!file) {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: "no files field" }));
+          return;
+        }
+        const sanitized = file.name.replace(/[^a-zA-Z0-9._\-]/g, "_").replace(/ /g, "_");
+        const prefix = Array.from({ length: 32 }, () =>
+          Math.floor(Math.random() * 16).toString(16),
+        ).join("");
+        const response = {
+          files: [
+            {
+              uri: `workspace:/workspace/.molecule/chat-uploads/${prefix}-${sanitized}`,
+              name: sanitized,
+              mimeType: file.mimeType,
+              size: file.content.length,
+            },
+          ],
+        };
+        res.setHeader("Content-Type", "application/json");
+        res.writeHead(200);
+        res.end(JSON.stringify(response));
+      });
+      return;
+    }
+
+    // Default: A2A JSON-RPC handler.
+    let body = "";
+    req.setEncoding("utf8");
+    req.on("data", (chunk: string) => {
+      body += chunk;
+    });
+    req.on("end", () => {
+      res.setHeader("Content-Type", "application/json");
+      try {
+        const rpc = JSON.parse(body);
+        const msg = rpc.params?.message;
+        const textParts =
+          msg?.parts
+            ?.filter((p: { kind?: string; text?: string }) => p.kind === "text")
+            .map((p: { text?: string }) => p.text)
+            .filter(Boolean) ?? [];
+        const fileParts =
+          msg?.parts?.filter((p: { kind?: string }) => p.kind === "file") ?? [];
+        const text = textParts.join("\n");
+
+        lastRequest = {
+          method: rpc.method ?? "unknown",
+          text,
+          files: fileParts,
+        };
+
+        const replyText = text
+          ? `Echo: ${text}`
+          : fileParts.length > 0
+            ? "Echo: received your file(s)."
+            : "Echo: hello";
+
+        const response = {
+          jsonrpc: "2.0",
+          id: rpc.id ?? null,
+          result: {
+            parts: [{ kind: "text", text: replyText }],
+          },
+        };
+
+        res.writeHead(200);
+        res.end(JSON.stringify(response));
+      } catch {
+        res.writeHead(400);
+        res.end(JSON.stringify({ error: "invalid json" }));
+      }
+    });
+  });
+
+  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", resolve));
+  const address = server.address();
+  const port = typeof address === "object" && address ? address.port : 0;
+  const baseURL = `http://127.0.0.1:${port}`;
+
+  return {
+    baseURL,
+    stop: () =>
+      new Promise((resolve) => {
+        server.close(() => resolve(undefined));
+      }),
+    get lastRequest() {
+      return lastRequest;
+    },
+  };
+}
@@ -5,9 +5,10 @@ export default defineConfig({
  timeout: 30_000,
  expect: { timeout: 10_000 },
  fullyParallel: false,
+  workers: 1,
  retries: 0,
  use: {
-    baseURL: "http://localhost:3000",
+    baseURL: process.env.PLAYWRIGHT_BASE_URL || "http://localhost:3000",
    headless: true,
    screenshot: "only-on-failure",
  },
@@ -0,0 +1,113 @@
+import { describe, it, expect, vi } from "vitest";
+
+// Marketing-launch SEO (mc#1486). These tests pin the public crawler
+// contract: anything that flips public marketing routes to disallow,
+// drops the sitemap from robots.txt, or removes the OG image
+// reference from root metadata should fail loudly here.
+
+// next/font and the rest of the layout's runtime tree are not
+// vitest-compatible (next/font expects the Next.js compiler swc
+// transform). We import layout.tsx only for its exported `metadata`
+// constant — mock the font module to a constructor-returning stub.
+vi.mock("next/font/google", () => ({
+  Inter: () => ({ variable: "--font-inter" }),
+  JetBrains_Mono: () => ({ variable: "--font-jetbrains" }),
+}));
+
+import robots from "../robots";
+import sitemap from "../sitemap";
+import { metadata } from "../layout";
+
+describe("robots.ts", () => {
+  it("allows public marketing routes and blocks authed/app routes", () => {
+    const r = robots();
+    expect(r.rules).toBeDefined();
+    const rule = Array.isArray(r.rules) ? r.rules[0] : r.rules!;
+    expect(rule.userAgent).toBe("*");
+    const allow = Array.isArray(rule.allow) ? rule.allow : [rule.allow];
+    expect(allow).toEqual(expect.arrayContaining(["/", "/pricing", "/blog"]));
+    const disallow = Array.isArray(rule.disallow)
+      ? rule.disallow
+      : [rule.disallow];
+    expect(disallow).toEqual(
+      expect.arrayContaining(["/api/", "/orgs", "/cp/"]),
+    );
+  });
+
+  it("declares the sitemap URL", () => {
+    const r = robots();
+    expect(r.sitemap).toMatch(/\/sitemap\.xml$/);
+  });
+
+  it("declares a canonical host", () => {
+    const r = robots();
+    expect(r.host).toMatch(/^https:\/\//);
+  });
+});
+
+describe("sitemap.ts", () => {
+  it("includes apex, pricing, and the live blog post", () => {
+    const entries = sitemap();
+    const urls = entries.map((e) => e.url);
+    expect(urls.some((u) => u.endsWith("/"))).toBe(true);
+    expect(urls.some((u) => u.endsWith("/pricing"))).toBe(true);
+    expect(
+      urls.some((u) => u.includes("/blog/2026-04-20-chrome-devtools-mcp")),
+    ).toBe(true);
+  });
+
+  it("does NOT include authed/app routes", () => {
+    const entries = sitemap();
+    const urls = entries.map((e) => e.url);
+    expect(urls.some((u) => u.includes("/orgs"))).toBe(false);
+    expect(urls.some((u) => u.includes("/api/"))).toBe(false);
+  });
+
+  it("sets a non-zero priority and a valid changeFrequency on every entry", () => {
+    const valid = new Set([
+      "always",
+      "hourly",
+      "daily",
+      "weekly",
+      "monthly",
+      "yearly",
+      "never",
+    ]);
+    for (const e of sitemap()) {
+      expect(e.priority).toBeGreaterThan(0);
+      expect(valid.has(String(e.changeFrequency))).toBe(true);
+    }
+  });
+});
+
+describe("root layout metadata", () => {
+  it("sets a templated title + non-empty description", () => {
+    const t = metadata.title as { default: string; template: string };
+    expect(t.default).toMatch(/Molecule AI/);
+    expect(t.template).toMatch(/%s/);
+    expect((metadata.description ?? "").length).toBeGreaterThan(50);
+  });
+
+  it("declares OG + Twitter text fields (image comes from opengraph-image.tsx)", () => {
+    const og = metadata.openGraph;
+    expect(og).toBeDefined();
+    expect((og as { title: string }).title).toMatch(/Molecule AI/);
+    expect((og as { description: string }).description.length).toBeGreaterThan(
+      50,
+    );
+    const tw = metadata.twitter;
+    expect(tw).toBeDefined();
+    // Next.js typings narrow twitter.card to a union — assert via cast.
+    expect((tw as { card: string }).card).toBe("summary_large_image");
+  });
+
+  it("sets a canonical alternate", () => {
+    expect(metadata.alternates?.canonical).toBe("/");
+  });
+
+  it("enables indexing at the metadata level (robots.ts owns per-route)", () => {
+    const r = metadata.robots as { index: boolean; follow: boolean };
+    expect(r.index).toBe(true);
+    expect(r.follow).toBe(true);
+  });
+});
@@ -27,9 +27,78 @@ import {
  themeBootScript,
 } from "@/lib/theme-cookie";

+// Marketing-launch SEO (mc#1486). Canonical apex is app.moleculesai.app —
+// tenant subdomains (<slug>.moleculesai.app) reuse the same Next.js build
+// but are gated behind auth (AuthGate redirects anonymous → /cp/auth/login)
+// and are de-indexed in robots.ts. The metadata here applies to the
+// public marketing surface served from the apex host.
+//
+// Override per-route by exporting a page-level `metadata`/`generateMetadata`
+// — Next.js merges page metadata over layout metadata using
+// `title.template` for "<page> | Molecule AI" composition.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
 export const metadata: Metadata = {
-  title: "Molecule AI",
-  description: "AI Org Chart Canvas",
+  metadataBase: new URL(SITE_URL),
+  title: {
+    default: "Molecule AI — the AI org chart canvas",
+    template: "%s | Molecule AI",
+  },
+  description:
+    "Molecule AI is an org-chart canvas for AI agent teams. Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace with credit metering, audit, and one-click runtime provisioning.",
+  applicationName: "Molecule AI",
+  keywords: [
+    "AI agents",
+    "multi-agent",
+    "agent orchestration",
+    "AI org chart",
+    "Claude Code",
+    "Codex",
+    "MCP",
+    "agent governance",
+    "A2A",
+    "agent runtime",
+  ],
+  authors: [{ name: "Molecule AI" }],
+  creator: "Molecule AI",
+  publisher: "Molecule AI",
+  alternates: { canonical: "/" },
+  // OG + Twitter images come from the file-convention sibling
+  // `opengraph-image.tsx` — Next.js auto-attaches them to og:image
+  // and twitter:image when present at the segment root. We keep the
+  // text fields here so they win over per-page metadata when a page
+  // doesn't override them. `images: []` as the structural fallback
+  // for hosts that won't follow the file convention; the real URL
+  // is injected by Next.js at build time from opengraph-image.tsx.
+  openGraph: {
+    type: "website",
+    siteName: "Molecule AI",
+    url: SITE_URL,
+    title: "Molecule AI — the AI org chart canvas",
+    description:
+      "Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace. Credit metering, audit, and one-click runtime provisioning.",
+    locale: "en_US",
+  },
+  twitter: {
+    card: "summary_large_image",
+    title: "Molecule AI — the AI org chart canvas",
+    description:
+      "Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed multi-agent workspace.",
+  },
+  icons: {
+    icon: "/molecule-icon.png",
+    apple: "/molecule-icon.png",
+  },
+  // robots.ts owns the per-route allow/disallow contract; this is the
+  // header-level fallback for routes the crawler reaches before
+  // robots.txt resolves. Default = index public marketing routes;
+  // app/auth/api/orgs are noindex'd by robots.ts.
+  robots: {
+    index: true,
+    follow: true,
+    googleBot: { index: true, follow: true, "max-image-preview": "large" },
+  },
 };

 export default async function RootLayout({
@@ -94,6 +163,75 @@ export default async function RootLayout({
          nonce={nonce}
          dangerouslySetInnerHTML={{ __html: themeBootScript }}
        />
+        {/*
+         * JSON-LD structured data (mc#1486). Two graph nodes:
+         *
+         *   - Organization: surfaces the brand to Google Knowledge
+         *     Graph + Bing entity index. URL+logo+sameAs are the
+         *     minimum recommended set for new brands without a
+         *     Wikipedia page.
+         *
+         *   - WebSite: enables the sitelinks search box and tells
+         *     crawlers the canonical site URL when the same content
+         *     is reachable via multiple subdomains (apex + tenant).
+         *
+         * Type-application/ld+json runs synchronously without
+         * executing JS, so 'strict-dynamic' isn't required — we still
+         * carry the nonce because production CSP's default-src 'self'
+         * applies to any <script> element. The "type" attribute is
+         * what keeps the browser from running the body as JS, but
+         * CSP nonces are gated on the element not the type, so we
+         * include the nonce too.
+         */}
+        <script
+          type="application/ld+json"
+          nonce={nonce}
+          dangerouslySetInnerHTML={{
+            __html: JSON.stringify({
+              "@context": "https://schema.org",
+              "@graph": [
+                {
+                  "@type": "Organization",
+                  "@id": `${SITE_URL}#organization`,
+                  name: "Molecule AI",
+                  url: SITE_URL,
+                  logo: `${SITE_URL}/molecule-icon.png`,
+                  sameAs: [
+                    "https://github.com/molecule-ai",
+                    "https://x.com/moleculeai",
+                  ],
+                },
+                {
+                  "@type": "WebSite",
+                  "@id": `${SITE_URL}#website`,
+                  url: SITE_URL,
+                  name: "Molecule AI",
+                  publisher: { "@id": `${SITE_URL}#organization` },
+                  inLanguage: "en-US",
+                },
+                {
+                  "@type": "SoftwareApplication",
+                  "@id": `${SITE_URL}#software`,
+                  name: "Molecule AI",
+                  applicationCategory: "DeveloperApplication",
+                  operatingSystem: "Web",
+                  description:
+                    "Org-chart canvas for AI agent teams with credit metering, audit, and one-click runtime provisioning.",
+                  url: SITE_URL,
+                  offers: {
+                    "@type": "AggregateOffer",
+                    priceCurrency: "USD",
+                    lowPrice: "0",
+                    highPrice: "99",
+                    offerCount: "3",
+                    url: `${SITE_URL}/pricing`,
+                  },
+                  publisher: { "@id": `${SITE_URL}#organization` },
+                },
+              ],
+            }),
+          }}
+        />
      </head>
      <body className={`bg-surface text-ink ${interFont.variable} ${monoFont.variable}`}>
        <ThemeProvider initialTheme={theme}>
@@ -0,0 +1,82 @@
+import { ImageResponse } from "next/og";
+
+// Marketing-launch SEO (mc#1486). Next.js App-Router file-system OG
+// convention: served as `/opengraph-image` and auto-attached as
+// `og:image` + `twitter:image`. Dynamic (not a static PNG in /public)
+// so we can iterate the brand mark + tagline pre-launch without
+// churning a binary blob in git history.
+export const runtime = "edge";
+
+export const alt = "Molecule AI — the AI org chart canvas";
+export const size = { width: 1200, height: 630 };
+export const contentType = "image/png";
+
+export default function OG() {
+  return new ImageResponse(
+    (
+      <div
+        style={{
+          width: "100%",
+          height: "100%",
+          display: "flex",
+          flexDirection: "column",
+          alignItems: "flex-start",
+          justifyContent: "center",
+          padding: "80px",
+          background:
+            "linear-gradient(135deg, #0a0a0a 0%, #1a1a2e 60%, #16213e 100%)",
+          color: "#ffffff",
+          fontFamily: "system-ui, -apple-system, sans-serif",
+        }}
+      >
+        <div
+          style={{
+            fontSize: 28,
+            color: "#a3a3c2",
+            letterSpacing: "0.18em",
+            textTransform: "uppercase",
+            marginBottom: 24,
+          }}
+        >
+          Molecule AI
+        </div>
+        <div
+          style={{
+            fontSize: 76,
+            fontWeight: 700,
+            lineHeight: 1.05,
+            letterSpacing: "-0.02em",
+            maxWidth: 980,
+          }}
+        >
+          The AI org chart canvas
+        </div>
+        <div
+          style={{
+            fontSize: 32,
+            color: "#c8c8d8",
+            marginTop: 32,
+            lineHeight: 1.3,
+            maxWidth: 980,
+          }}
+        >
+          Wire Claude Code, Codex, Hermes, and OpenClaw agents into a governed
+          multi-agent workspace.
+        </div>
+        <div
+          style={{
+            position: "absolute",
+            right: 80,
+            bottom: 80,
+            fontSize: 22,
+            color: "#7a7a96",
+            display: "flex",
+          }}
+        >
+          moleculesai.app
+        </div>
+      </div>
+    ),
+    { ...size },
+  );
+}
@@ -103,7 +103,7 @@ export default function Home() {
                setHydrationError(null);
                window.location.reload();
              }}
-              className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
+              className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
            >
              Retry
            </button>
@@ -115,7 +115,9 @@ export default function Home() {

  return (
    <>
-      <Canvas />
+      <main aria-label="Agent canvas">
+        <Canvas />
+      </main>
      <Legend />
      <CommunicationOverlay />
      {hydrationError && (
@@ -134,7 +136,7 @@ export default function Home() {
              setHydrationError(null);
              window.location.reload();
            }}
-            className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm"
+            className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
          >
            Retry
          </button>
@@ -176,7 +178,7 @@ brew services start redis`}</pre>
      </p>
      <button
        onClick={() => window.location.reload()}
-        className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2"
+        className="px-4 py-2 bg-accent-strong hover:bg-accent text-white rounded-md text-sm mt-2 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
      >
        Reload
      </button>
@@ -0,0 +1,45 @@
+import type { MetadataRoute } from "next";
+
+// Marketing-launch SEO (mc#1486). Next.js App-Router robots convention:
+// this file is served as `/robots.txt` at build time and is the single
+// source of truth for crawler allow/disallow.
+//
+// Contract:
+//   - Public marketing routes (/, /pricing, /blog/*) are crawlable.
+//   - Authed/app routes (/orgs, /api/*) are noindex'd. They render
+//     useful content only after a session round-trip, so a crawler hit
+//     just wastes our crawl budget and exposes endpoint shapes.
+//   - Tenant subdomains (<slug>.moleculesai.app) share this build but
+//     are blocked at the host level by the canvas middleware sending
+//     an `X-Robots-Tag: noindex` header — robots.txt is per-host and
+//     this file's `host` field claims the apex as canonical.
+//
+// Note: `sitemap` is published via the sibling `sitemap.ts` route; we
+// reference it explicitly here so crawlers don't have to guess.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
+export default function robots(): MetadataRoute.Robots {
+  return {
+    rules: [
+      {
+        userAgent: "*",
+        allow: ["/", "/pricing", "/blog"],
+        // Authed app surface + API + transient checkout returns. The
+        // /orgs route boots the org-selector behind AuthGate; even
+        // though SSR returns markup, that markup is a login wall when
+        // hit by an unauthenticated crawler, so indexing it dilutes
+        // brand searches with a "Please sign in" snippet.
+        disallow: [
+          "/orgs",
+          "/orgs/",
+          "/api/",
+          "/cp/",
+          "/checkout/",
+        ],
+      },
+    ],
+    sitemap: `${SITE_URL}/sitemap.xml`,
+    host: SITE_URL,
+  };
+}
@@ -0,0 +1,42 @@
+import type { MetadataRoute } from "next";
+
+// Marketing-launch SEO (mc#1486). App-Router sitemap convention: this
+// file is served as `/sitemap.xml` and enumerates the public marketing
+// surface for search crawlers + AI training pipelines.
+//
+// Scope deliberately narrow:
+//   - Apex landing, pricing, and the (currently single) blog post.
+//   - Authed app routes are excluded — they're disallowed in robots.ts
+//     and would appear as "Please sign in" wall to a crawler.
+//
+// `lastModified` uses a build-time timestamp rather than per-route
+// fs.stat so the same value applies regardless of where the build
+// runs (Vercel/Railway/local). When we add CMS-backed blog content,
+// swap to a per-entry timestamp from the source-of-truth metadata.
+const SITE_URL =
+  process.env.NEXT_PUBLIC_SITE_URL ?? "https://app.moleculesai.app";
+
+const BUILD_DATE = new Date();
+
+export default function sitemap(): MetadataRoute.Sitemap {
+  return [
+    {
+      url: `${SITE_URL}/`,
+      lastModified: BUILD_DATE,
+      changeFrequency: "weekly",
+      priority: 1.0,
+    },
+    {
+      url: `${SITE_URL}/pricing`,
+      lastModified: BUILD_DATE,
+      changeFrequency: "weekly",
+      priority: 0.9,
+    },
+    {
+      url: `${SITE_URL}/blog/2026-04-20-chrome-devtools-mcp`,
+      lastModified: new Date("2026-04-20"),
+      changeFrequency: "monthly",
+      priority: 0.6,
+    },
+  ];
+}
@@ -132,7 +132,7 @@ export function AuditTrailPanel({ workspaceId }: Props) {

  if (loading) {
    return (
-      <div className="flex items-center justify-center h-32">
+      <div role="status" aria-live="polite" className="flex items-center justify-center h-32">
        <span className="text-xs text-ink-mid">Loading audit trail…</span>
      </div>
    );
@@ -133,13 +133,13 @@ export function ConversationTraceModal({ open, workspaceId: _workspaceId, onClos
            {/* Timeline */}
            <div className="flex-1 overflow-y-auto px-5 py-4">
              {loading && (
-                <div className="text-xs text-ink-mid text-center py-8">
+                <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
                  Loading trace from all workspaces...
                </div>
              )}

              {!loading && entries.length === 0 && (
-                <div className="text-xs text-ink-mid text-center py-8">
+                <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">
                  No activity found
                </div>
              )}
@@ -105,7 +105,7 @@ export function EmptyState() {

        {/* Template grid */}
        {loading ? (
-          <div className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
+          <div role="status" aria-live="polite" className="flex items-center justify-center gap-2 text-xs text-ink-mid py-4">
            <Spinner />
            Loading templates...
          </div>
@@ -15,7 +15,7 @@
 //     ($AGENT_URL). They ARE NOT filled in server-side because the
 //     server doesn't know where the operator's agent will live.

-import { useCallback, useState } from "react";
+import { useCallback, useRef, useState } from "react";
 import * as Dialog from "@radix-ui/react-dialog";

 type Tab = "python" | "curl" | "claude" | "mcp" | "hermes" | "codex" | "openclaw" | "kimi" | "fields";
@@ -84,6 +84,33 @@ export function ExternalConnectModal({ info, onClose }: Props) {
    : "python";
  const [tab, setTab] = useState<Tab>(initialTab);
  const [copiedKey, setCopiedKey] = useState<string | null>(null);
+  const tabRefs = useRef<Map<Tab, HTMLButtonElement | null>>(new Map());
+
+  const handleTabKeyDown = useCallback(
+    (e: React.KeyboardEvent<HTMLButtonElement>, current: Tab, tabs: Tab[]) => {
+      const idx = tabs.indexOf(current);
+      if (e.key === "ArrowRight" || e.key === "ArrowDown") {
+        e.preventDefault();
+        const next = tabs[(idx + 1) % tabs.length];
+        setTab(next);
+        tabRefs.current.get(next)?.focus();
+      } else if (e.key === "ArrowLeft" || e.key === "ArrowUp") {
+        e.preventDefault();
+        const prev = tabs[(idx - 1 + tabs.length) % tabs.length];
+        setTab(prev);
+        tabRefs.current.get(prev)?.focus();
+      } else if (e.key === "Home") {
+        e.preventDefault();
+        setTab(tabs[0]);
+        tabRefs.current.get(tabs[0])?.focus();
+      } else if (e.key === "End") {
+        e.preventDefault();
+        setTab(tabs[tabs.length - 1]);
+        tabRefs.current.get(tabs[tabs.length - 1])?.focus();
+      }
+    },
+    [],
+  );

  const copy = useCallback(async (value: string, key: string) => {
    try {
@@ -160,6 +187,19 @@ export function ExternalConnectModal({ info, onClose }: Props) {
    `MOLECULE_WORKSPACE_TOKEN=${info.auth_token}`,
  );

+  // Build the tab list once so both the tab bar and keyboard handler
+  // share the same ordered array. Computed here (after all filled* vars)
+  // so TypeScript's block-scoping analysis can reach them.
+  const tabList: Tab[] = [];
+  if (filledUniversalMcp) tabList.push("mcp");
+  tabList.push("python");
+  if (filledChannel) tabList.push("claude");
+  if (filledHermes) tabList.push("hermes");
+  if (filledCodex) tabList.push("codex");
+  if (filledOpenClaw) tabList.push("openclaw");
+  if (filledKimi) tabList.push("kimi");
+  tabList.push("curl", "fields");
+
  return (
    <Dialog.Root open onOpenChange={(o) => !o && onClose()}>
      <Dialog.Portal>
@@ -180,34 +220,18 @@ export function ExternalConnectModal({ info, onClose }: Props) {
            aria-label="Connection snippet format"
            className="mt-4 flex gap-1 border-b border-line"
          >
-            {(() => {
-              // Build the tab order dynamically. Claude Code first
-              // (when offered) since it's the simplest setup; Python
-              // SDK second (full register+heartbeat+inbound); Universal
-              // MCP third (any MCP-aware runtime, outbound-only); curl
-              // for one-shot register; Fields for raw values.
-              // Tab order: Universal MCP first (default, runtime-
-              // agnostic primitives), then runtime-specific channel/
-              // SDK tabs, then curl + Fields. Each runtime tab only
-              // appears when the platform supplies the snippet — no
-              // dead "tab missing snippet" UX.
-              const tabs: Tab[] = [];
-              if (filledUniversalMcp) tabs.push("mcp");
-              tabs.push("python");
-              if (filledChannel) tabs.push("claude");
-              if (filledHermes) tabs.push("hermes");
-              if (filledCodex) tabs.push("codex");
-              if (filledOpenClaw) tabs.push("openclaw");
-              if (filledKimi) tabs.push("kimi");
-              tabs.push("curl", "fields");
-              return tabs;
-            })().map((t) => (
+            {tabList.map((t) => (
              <button
                key={t}
                type="button"
                role="tab"
+                id={`tab-${t}`}
                aria-selected={tab === t}
+                aria-controls={`panel-${t}`}
+                tabIndex={tab === t ? 0 : -1}
+                ref={(el) => { tabRefs.current.set(t, el); }}
                onClick={() => setTab(t)}
+                onKeyDown={(e) => handleTabKeyDown(e, t, tabList)}
                className={`px-3 py-2 text-sm border-b-2 -mb-px transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface ${
                  tab === t
                    ? "border-accent text-ink"
@@ -235,18 +259,39 @@ export function ExternalConnectModal({ info, onClose }: Props) {
            ))}
          </div>

-          {/* Snippet area */}
-          <div className="mt-3">
-            {tab === "claude" && filledChannel && (
-              <SnippetBlock
-                value={filledChannel}
-                label="Claude Code channel — polls workspace's A2A; no tunnel needed"
-                copyKey="claude"
-                copied={copiedKey === "claude"}
-                onCopy={() => copy(filledChannel, "claude")}
-              />
-            )}
-            {tab === "python" && (
+          {/* Snippet area — all panels always in the DOM so aria-controls
+              targets are stable. Hidden panels use aria-hidden so screen
+              readers skip them; active panel uses role=tabpanel with
+              aria-labelledby pointing to the tab button. */}
+          <div className="mt-3" data-testid="snippet-panels">
+            {/* Claude Code tab */}
+            <div
+              id="panel-claude"
+              data-testid="panel-claude"
+              role="tabpanel"
+              aria-labelledby="tab-claude"
+              hidden={tab !== "claude" || !filledChannel}
+              className={tab === "claude" && filledChannel ? "" : "hidden"}
+            >
+              {filledChannel && (
+                <SnippetBlock
+                  value={filledChannel}
+                  label="Claude Code channel — polls workspace's A2A; no tunnel needed"
+                  copyKey="claude"
+                  copied={copiedKey === "claude"}
+                  onCopy={() => copy(filledChannel, "claude")}
+                />
+              )}
+            </div>
+            {/* Python SDK tab */}
+            <div
+              id="panel-python"
+              data-testid="panel-python"
+              role="tabpanel"
+              aria-labelledby="tab-python"
+              hidden={tab !== "python"}
+              className={tab === "python" ? "" : "hidden"}
+            >
              <SnippetBlock
                value={filledPython}
                label="Python SDK — includes heartbeat loop (push-mode, needs public URL)"
@@ -254,8 +299,16 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                copied={copiedKey === "python"}
                onCopy={() => copy(filledPython, "python")}
              />
-            )}
-            {tab === "curl" && (
+            </div>
+            {/* curl tab */}
+            <div
+              id="panel-curl"
+              data-testid="panel-curl"
+              role="tabpanel"
+              aria-labelledby="tab-curl"
+              hidden={tab !== "curl"}
+              className={tab === "curl" ? "" : "hidden"}
+            >
              <SnippetBlock
                value={filledCurl}
                label="curl — one-shot register only (no heartbeat)"
@@ -263,53 +316,111 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                copied={copiedKey === "curl"}
                onCopy={() => copy(filledCurl, "curl")}
              />
-            )}
-            {tab === "mcp" && filledUniversalMcp && (
-              <SnippetBlock
-                value={filledUniversalMcp}
-                label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
-                copyKey="mcp"
-                copied={copiedKey === "mcp"}
-                onCopy={() => copy(filledUniversalMcp, "mcp")}
-              />
-            )}
-            {tab === "hermes" && filledHermes && (
-              <SnippetBlock
-                value={filledHermes}
-                label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
-                copyKey="hermes"
-                copied={copiedKey === "hermes"}
-                onCopy={() => copy(filledHermes, "hermes")}
-              />
-            )}
-            {tab === "codex" && filledCodex && (
-              <SnippetBlock
-                value={filledCodex}
-                label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
-                copyKey="codex"
-                copied={copiedKey === "codex"}
-                onCopy={() => copy(filledCodex, "codex")}
-              />
-            )}
-            {tab === "openclaw" && filledOpenClaw && (
-              <SnippetBlock
-                value={filledOpenClaw}
-                label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
-                copyKey="openclaw"
-                copied={copiedKey === "openclaw"}
-                onCopy={() => copy(filledOpenClaw, "openclaw")}
-              />
-            )}
-            {tab === "kimi" && filledKimi && (
-              <SnippetBlock
-                value={filledKimi}
-                label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
-                copyKey="kimi"
-                copied={copiedKey === "kimi"}
-                onCopy={() => copy(filledKimi, "kimi")}
-              />
-            )}
-            {tab === "fields" && (
+            </div>
+            {/* Universal MCP tab */}
+            <div
+              id="panel-mcp"
+              data-testid="panel-mcp"
+              role="tabpanel"
+              aria-labelledby="tab-mcp"
+              hidden={tab !== "mcp" || !filledUniversalMcp}
+              className={tab === "mcp" && filledUniversalMcp ? "" : "hidden"}
+            >
+              {filledUniversalMcp && (
+                <SnippetBlock
+                  value={filledUniversalMcp}
+                  label="Universal MCP — standalone register + heartbeat + tools for any MCP-aware runtime (Claude Code, hermes, codex). Pair with Python or Claude Code tab if you need inbound A2A delivery."
+                  copyKey="mcp"
+                  copied={copiedKey === "mcp"}
+                  onCopy={() => copy(filledUniversalMcp, "mcp")}
+                />
+              )}
+            </div>
+            {/* Hermes tab */}
+            <div
+              id="panel-hermes"
+              data-testid="panel-hermes"
+              role="tabpanel"
+              aria-labelledby="tab-hermes"
+              hidden={tab !== "hermes" || !filledHermes}
+              className={tab === "hermes" && filledHermes ? "" : "hidden"}
+            >
+              {filledHermes && (
+                <SnippetBlock
+                  value={filledHermes}
+                  label="Hermes channel — bridges this workspace's A2A traffic into your hermes-agent session as platform messages (push parity with Claude Code). Long-poll based; no tunnel needed."
+                  copyKey="hermes"
+                  copied={copiedKey === "hermes"}
+                  onCopy={() => copy(filledHermes, "hermes")}
+                />
+              )}
+            </div>
+            {/* Codex tab */}
+            <div
+              id="panel-codex"
+              data-testid="panel-codex"
+              role="tabpanel"
+              aria-labelledby="tab-codex"
+              hidden={tab !== "codex" || !filledCodex}
+              className={tab === "codex" && filledCodex ? "" : "hidden"}
+            >
+              {filledCodex && (
+                <SnippetBlock
+                  value={filledCodex}
+                  label="Codex MCP config — wires the molecule MCP server into ~/.codex/config.toml. Outbound tools today; inbound A2A push needs the Python SDK tab paired in (codex's MCP runtime doesn't route arbitrary notifications/* yet)."
+                  copyKey="codex"
+                  copied={copiedKey === "codex"}
+                  onCopy={() => copy(filledCodex, "codex")}
+                />
+              )}
+            </div>
+            {/* OpenClaw tab */}
+            <div
+              id="panel-openclaw"
+              data-testid="panel-openclaw"
+              role="tabpanel"
+              aria-labelledby="tab-openclaw"
+              hidden={tab !== "openclaw" || !filledOpenClaw}
+              className={tab === "openclaw" && filledOpenClaw ? "" : "hidden"}
+            >
+              {filledOpenClaw && (
+                <SnippetBlock
+                  value={filledOpenClaw}
+                  label="OpenClaw MCP config — wires the molecule MCP server via openclaw mcp set + starts the gateway on loopback. Outbound tools today; inbound A2A push on an external openclaw needs the Python SDK tab paired in (a sessions.steer bridge daemon is future work)."
+                  copyKey="openclaw"
+                  copied={copiedKey === "openclaw"}
+                  onCopy={() => copy(filledOpenClaw, "openclaw")}
+                />
+              )}
+            </div>
+            {/* Kimi tab */}
+            <div
+              id="panel-kimi"
+              data-testid="panel-kimi"
+              role="tabpanel"
+              aria-labelledby="tab-kimi"
+              hidden={tab !== "kimi" || !filledKimi}
+              className={tab === "kimi" && filledKimi ? "" : "hidden"}
+            >
+              {filledKimi && (
+                <SnippetBlock
+                  value={filledKimi}
+                  label="Kimi CLI — self-contained Python bridge. Registers, heartbeats, polls for canvas messages, and echoes replies back. NAT-safe (no public URL). Run in a background terminal or via launchd."
+                  copyKey="kimi"
+                  copied={copiedKey === "kimi"}
+                  onCopy={() => copy(filledKimi, "kimi")}
+                />
+              )}
+            </div>
+            {/* Fields tab */}
+            <div
+              id="panel-fields"
+              data-testid="panel-fields"
+              role="tabpanel"
+              aria-labelledby="tab-fields"
+              hidden={tab !== "fields"}
+              className={tab === "fields" ? "" : "hidden"}
+            >
              <div className="space-y-2">
                <Field label="workspace_id" value={info.workspace_id} onCopy={() => copy(info.workspace_id, "wsid")} copied={copiedKey === "wsid"} />
                <Field label="platform_url" value={info.platform_url} onCopy={() => copy(info.platform_url, "url")} copied={copiedKey === "url"} />
@@ -323,7 +434,7 @@ export function ExternalConnectModal({ info, onClose }: Props) {
                <Field label="registry_endpoint" value={info.registry_endpoint} onCopy={() => copy(info.registry_endpoint, "reg")} copied={copiedKey === "reg"} />
                <Field label="heartbeat_endpoint" value={info.heartbeat_endpoint} onCopy={() => copy(info.heartbeat_endpoint, "hb")} copied={copiedKey === "hb"} />
              </div>
-            )}
+            </div>
          </div>

          <div className="mt-5 flex justify-end gap-2">
@@ -344,7 +344,7 @@ function ProviderPickerModal({
  // wrapper's bounds instead of the viewport.
  if (typeof document === "undefined") return null;

-  const allSaved = entries.length > 0 && entries.every((e) => e.saved);
+  const allSaved = entries.every((e) => e.saved);
  const anySaving = entries.some((e) => e.saving);
  const runtimeLabel = runtime
    .replace(/[-_]/g, " ")
@@ -440,6 +440,7 @@ function ProviderPickerModal({
                      onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
                      placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
                      type="password"
+                      aria-label={`Value for ${entry.key}`}
                      ref={index === 0 ? firstInputRef : undefined}
                      onKeyDown={(e) => {
                        if (e.key === "Enter" && entry.value.trim()) {
@@ -459,7 +460,7 @@ function ProviderPickerModal({
                )}

                {entry.error && (
-                  <div className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
+                  <div role="alert" aria-live="assertive" className="mt-1.5 text-[10px] text-bad">{entry.error}</div>
                )}
              </div>
            ))}
@@ -616,7 +617,7 @@ function AllKeysModal({
  if (!open) return null;
  if (typeof document === "undefined") return null;

-  const allSaved = entries.length > 0 && entries.every((e) => e.saved);
+  const allSaved = entries.every((e) => e.saved);
  const anySaving = entries.some((e) => e.saving);
  const runtimeLabel = runtime
    .replace(/[-_]/g, " ")
@@ -694,6 +695,7 @@ function AllKeysModal({
                    onChange={(e) => updateEntry(index, { value: e.target.value.trimStart() })}
                    placeholder={entry.key.includes("API_KEY") ? "sk-..." : "Enter value"}
                    type="password"
+                    aria-label={`Value for ${entry.key}`}
                    autoFocus={index === 0}
                    onKeyDown={(e) => {
                      if (e.key === "Enter" && entry.value.trim()) {
@@ -718,7 +720,7 @@ function AllKeysModal({
          ))}

          {globalError && (
-            <div className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
+            <div role="alert" aria-live="assertive" className="px-3 py-2 bg-red-950/40 border border-red-800/50 rounded-lg text-[11px] text-bad">
              {globalError}
            </div>
          )}
@@ -62,21 +62,12 @@ export function ThemeToggle({ className = "" }: { className?: string }) {
      }
      setTheme(OPTIONS[next].value);
      // Move focus to the new button so arrow-key navigation is continuous.
-      // Use direct-child query to scope strictly to this radiogroup's buttons
-      // and avoid accidentally focusing unrelated [role=radio] elements
+      // Query is already scoped to radiogroup so no child-combinator needed;
+      // avoids accidentally focusing unrelated [role=radio] elements
      // elsewhere in the DOM (e.g. React Flow canvas nodes).
-      // Guard: skip focus if the current target is no longer in the document
-      // (e.g. React StrictMode double-invokes handlers during re-render).
-      if (!e.currentTarget.isConnected) return;
      const radiogroup = e.currentTarget.closest("[role=radiogroup]") as HTMLElement | null;
-      if (!radiogroup) return;
-      // Use children[] instead of querySelectorAll("> [role=radio]") to avoid
-      // jsdom's child-combinator selector parsing issues in test environments.
-      const btns = Array.from(radiogroup.children).filter(
-        (el): el is HTMLButtonElement =>
-          el.tagName === "BUTTON" && el.getAttribute("role") === "radio"
-      );
-      if (next < btns.length) btns[next]?.focus();
+      const btns = radiogroup?.querySelectorAll<HTMLButtonElement>("[role=radio]");
+      btns?.[next]?.focus();
    },
    []
  );
@@ -13,17 +13,20 @@ import { isExternalLikeRuntime } from "@/lib/externalRuntimes";

 /** Descendant count for the "N sub" badge — children are first-class nodes
 *  rendered as full cards inside this one via React Flow's native parentId,
- *  so we don't need to subscribe to the actual child list here. */
+ *  so we don't need to subscribe to the actual child list here.
+ *  Selecting `nodes` stably avoids a new selector reference on every store
+ *  update (React error #185 / Zustand + React 19 Object.is strictness). */
 function useDescendantCount(nodeId: string): number {
-  return useCanvasStore(
-    useCallback((s) => countDescendants(nodeId, s.nodes), [nodeId])
-  );
+  const nodes = useCanvasStore((s) => s.nodes);
+  return useMemo(() => countDescendants(nodeId, nodes), [nodeId, nodes]);
 }

+/** Boolean flag used to drive min-size and NodeResizer dimensions.
+ *  Selecting `nodes` stably avoids re-render loops (same issue as
+ *  useDescendantCount). */
 function useHasChildren(nodeId: string): boolean {
-  return useCanvasStore(
-    useCallback((s) => s.nodes.some((n) => n.data.parentId === nodeId), [nodeId])
-  );
+  const nodes = useCanvasStore((s) => s.nodes);
+  return useMemo(() => nodes.some((n) => n.data.parentId === nodeId), [nodes, nodeId]);
 }

 /** Eject/extract arrow icon — visually distinct from delete ✕ */
@@ -71,7 +71,7 @@ export function WorkspaceUsage({ workspaceId }: WorkspaceUsageProps) {
            <SkeletonRow />
          </>
        ) : error ? (
-          <p className="text-xs text-bad" data-testid="usage-error">
+          <p role="alert" aria-live="assertive" className="text-xs text-bad" data-testid="usage-error">
            {error}
          </p>
        ) : metrics ? (
@@ -131,7 +131,9 @@ describe("ExternalConnectModal — tab switching", () => {
  it("switches to the Python SDK tab and shows the snippet with stamped token", () => {
    renderAndFlush(defaultInfo);
    fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
-    const preEl = document.querySelector("pre");
+    // Query within the python panel so we get the right pre (not the first in DOM).
+    const pythonPanel = document.querySelector("[data-testid='panel-python']");
+    const preEl = pythonPanel?.querySelector("pre");
    expect(preEl?.textContent).toContain("AUTH_TOKEN");
    // The placeholder is replaced with the real auth token
    expect(preEl?.textContent).toContain("secret-auth-token-abc");
@@ -140,7 +142,9 @@ describe("ExternalConnectModal — tab switching", () => {
  it("switches to the curl tab and shows the snippet with stamped token", () => {
    renderAndFlush(defaultInfo);
    fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
-    const preEl = document.querySelector("pre");
+    // Query within the curl panel so we get the right pre (not the first in DOM).
+    const curlPanel = document.querySelector("[data-testid='panel-curl']");
+    const preEl = curlPanel?.querySelector("pre");
    expect(preEl?.textContent).toContain("curl");
    expect(preEl?.textContent).toContain("secret-auth-token-abc");
  });
@@ -148,9 +152,11 @@ describe("ExternalConnectModal — tab switching", () => {
  it("switches to the Fields tab and shows raw values", () => {
    renderAndFlush(defaultInfo);
    fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
-    expect(screen.getByText("ws-123")).toBeTruthy();
-    expect(screen.getByText("https://app.example.com")).toBeTruthy();
-    expect(screen.getByText("secret-auth-token-abc")).toBeTruthy();
+    // Query within the fields panel for specific values.
+    const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
+    expect(fieldsPanel?.textContent).toContain("ws-123");
+    expect(fieldsPanel?.textContent).toContain("https://app.example.com");
+    expect(fieldsPanel?.textContent).toContain("secret-auth-token-abc");
  });

  it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
@@ -168,7 +174,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
  it("stamps the real auth_token into the Python snippet instead of the placeholder", () => {
    renderAndFlush(defaultInfo);
    fireEvent.click(screen.getByRole("tab", { name: /python sdk/i }));
-    const preEl = document.querySelector("pre");
+    const pythonPanel = document.querySelector("[data-testid='panel-python']");
+    const preEl = pythonPanel?.querySelector("pre");
    expect(preEl?.textContent).not.toContain("<paste from create response>");
    expect(preEl?.textContent).toContain("secret-auth-token-abc");
  });
@@ -176,7 +183,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
  it("stamps the real auth_token into the curl snippet", () => {
    renderAndFlush(defaultInfo);
    fireEvent.click(screen.getByRole("tab", { name: /curl/i }));
-    const preEl = document.querySelector("pre");
+    const curlPanel = document.querySelector("[data-testid='panel-curl']");
+    const preEl = curlPanel?.querySelector("pre");
    // curl template uses WORKSPACE_AUTH_TOKEN placeholder, not the generic one
    expect(preEl?.textContent).toContain("secret-auth-token-abc");
  });
@@ -184,7 +192,8 @@ describe("ExternalConnectModal — snippet token stamping", () => {
  it("stamps the real auth_token into the Universal MCP snippet", () => {
    renderAndFlush(defaultInfo);
    // Default tab is Universal MCP
-    const preEl = document.querySelector("pre");
+    const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
+    const preEl = mcpPanel?.querySelector("pre");
    expect(preEl?.textContent).toContain("secret-auth-token-abc");
    expect(preEl?.textContent).not.toContain("<paste from create response>");
  });
@@ -193,8 +202,10 @@ describe("ExternalConnectModal — snippet token stamping", () => {
 describe("ExternalConnectModal — copy functionality", () => {
  it("calls navigator.clipboard.writeText with the snippet text", () => {
    renderAndFlush(defaultInfo);
-    // Default tab is Universal MCP
-    fireEvent.click(screen.getByRole("button", { name: /^copy$/i }));
+    // Default tab is Universal MCP — query the copy button within the mcp panel.
+    const mcpPanel = document.querySelector("[data-testid='panel-mcp']");
+    const copyBtn = mcpPanel?.querySelector("button");
+    if (copyBtn) fireEvent.click(copyBtn);
    expect(clipboardWriteText).toHaveBeenCalledWith(
      expect.stringContaining("secret-auth-token-abc"),
    );
@@ -227,7 +238,8 @@ describe("ExternalConnectModal — missing optional fields", () => {
    };
    renderAndFlush(minimalInfo);
    fireEvent.click(screen.getByRole("tab", { name: /fields/i }));
-    expect(screen.getByText("(missing)")).toBeTruthy();
+    const fieldsPanel = document.querySelector("[data-testid='panel-fields']");
+    expect(fieldsPanel?.textContent).toContain("(missing)");
  });

  it("hides the Hermes tab when hermes_channel_snippet is absent", () => {
@@ -11,13 +11,21 @@ import { render, screen, fireEvent, cleanup, act } from "@testing-library/react"
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { TestConnectionButton } from "../ui/TestConnectionButton";
 import type { SecretGroup } from "@/types/secrets";
-import { validateSecret } from "@/lib/api/secrets";
+import { validateSecret, ApiError } from "@/lib/api/secrets";

 // ─── Mock validateSecret ──────────────────────────────────────────────────────
 // vi.mock is hoisted, so validateSecret (imported above) refers to the mocked
 // namespace value once vi.mock runs. Use vi.mocked() to access it in tests.
 vi.mock("@/lib/api/secrets", () => ({
  validateSecret: vi.fn(),
+  ApiError: class ApiError extends Error {
+    status: number;
+    constructor(status: number, message: string) {
+      super(message);
+      this.name = "ApiError";
+      this.status = status;
+    }
+  },
 }));

 // SecretGroup is a string literal type: 'github' | 'anthropic' | 'openrouter' | 'custom'
@@ -102,7 +110,7 @@ describe("TestConnectionButton — state machine", () => {
    expect(screen.getByText("Permission denied")).toBeTruthy();
  });

-  it("shows generic error message on unexpected exception", async () => {
+  it("shows a connectivity message on a genuine network exception", async () => {
    vi.mocked(validateSecret).mockRejectedValue(new Error("timeout"));
    render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);

@@ -110,8 +118,23 @@ describe("TestConnectionButton — state machine", () => {
    await act(async () => { /* flush */ });

    expect(screen.getByRole("alert")).toBeTruthy();
-    // The error detail is hardcoded to "Connection timed out. Service may be down."
-    expect(document.body.querySelector('[role="alert"]')?.textContent).toMatch(/timed out/i);
+    // A real thrown network error → honest connectivity message (not a
+    // fabricated "service down"); see internal#492.
+    expect(document.body.querySelector('[role="alert"]')?.textContent).toMatch(
+      /could not reach the validation service/i,
+    );
+  });
+
+  it("does not claim a timeout when the validate endpoint 404s (internal#492)", async () => {
+    vi.mocked(validateSecret).mockRejectedValue(new ApiError(404, "Not Found"));
+    render(<TestConnectionButton provider={toGroup("anthropic")} secretValue="sk-..." />);
+
+    fireEvent.click(screen.getByRole("button"));
+    await act(async () => { /* flush */ });
+
+    const alert = document.body.querySelector('[role="alert"]')?.textContent ?? "";
+    expect(alert).not.toMatch(/timed out/i);
+    expect(alert).toMatch(/not available/i);
  });
 });

@@ -24,16 +24,20 @@ import {
 */
 export function DropTargetBadge() {
  const dragOverNodeId = useCanvasStore((s) => s.dragOverNodeId);
-  const targetName = useCanvasStore((s) => {
-    if (!s.dragOverNodeId) return null;
-    const n = s.nodes.find((nn) => nn.id === s.dragOverNodeId);
+  // Select nodes stably first — deriving targetName and childCount inside
+  // the same selector creates a new return value on every store mutation
+  // even when neither has changed (React error #185 / Zustand Object.is).
+  const nodes = useCanvasStore((s) => s.nodes);
+  const targetName = (() => {
+    if (!dragOverNodeId) return null;
+    const n = nodes.find((nn) => nn.id === dragOverNodeId);
    return (n?.data as WorkspaceNodeData | undefined)?.name ?? null;
-  });
-  const childCount = useCanvasStore((s) =>
-    !s.dragOverNodeId
+  })();
+  const childCount = (() =>
+    !dragOverNodeId
      ? 0
-      : s.nodes.filter((n) => n.parentId === s.dragOverNodeId).length,
-  );
+      : nodes.filter((n) => n.parentId === dragOverNodeId).length
+  )();
  const { getInternalNode, flowToScreenPosition } = useReactFlow();
  if (!dragOverNodeId || !targetName) return null;
  const internal = getInternalNode(dragOverNodeId);
@@ -1,6 +1,6 @@
 "use client";

-import { useCallback, useEffect, useRef } from "react";
+import { useCallback, useEffect, useMemo, useRef } from "react";
 import { useReactFlow } from "@xyflow/react";
 import { useCanvasStore } from "@/store/canvas";
 import { appendClass, removeClass } from "@/store/classNames";
@@ -153,10 +153,17 @@ export function useCanvasViewport() {
  // fit, the user has to manually pan + zoom to find what they just
  // created. Only fires when TRANSITIONING from some-provisioning to
  // zero-provisioning — not on every re-render.
-  const provisioningCount = useCanvasStore(
-    (s) => s.nodes.filter((n) => n.data.status === "provisioning").length,
+  //
+  // Selecting `nodes` stably (array reference) avoids the
+  // `.filter().length` anti-pattern which creates a new number on every
+  // store update and breaks the wasProvisioning/hasProvisioning
+  // transition detection (React error #185 / Zustand + React 19).
+  const nodes = useCanvasStore((s) => s.nodes);
+  const provisioningCount = useMemo(
+    () => nodes.filter((n) => n.data.status === "provisioning").length,
+    [nodes],
  );
-  const nodeCount = useCanvasStore((s) => s.nodes.length);
+  const nodeCount = nodes.length;

  useEffect(() => {
    const hasProvisioning = provisioningCount > 0;
@@ -223,6 +223,7 @@ export function MobileCanvas({
            textTransform: "uppercase",
            fontWeight: 600,
          }}
+          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
        >
          Reset
        </button>
@@ -2,25 +2,31 @@

 // 04 · Chat — message thread + composer + sub-tabs.
 // Wired to the same /workspaces/:id/a2a (method message/send) endpoint
-// that the desktop ChatTab uses, but with a slimmer surface: no
-// attachments, no A2A topology overlay, no conversation tracing.
+// that the desktop ChatTab uses. Render parity with desktop ChatTab is
+// achieved by reusing its renderers rather than forking a reduced
+// mobile path: the Agent Comms sub-tab mounts the same AgentCommsPanel,
+// and message attachments route through the same AttachmentPreview
+// dispatch the desktop My-Chat bubble uses (#231/#232).

-import { useCallback, useEffect, useRef, useState } from "react";
+import { useEffect, useMemo, useRef, useState } from "react";
+import ReactMarkdown from "react-markdown";
+import remarkGfm from "remark-gfm";

-import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
+import { type ChatAttachment, type ChatMessage, createMessage } from "@/components/tabs/chat/types";
+import {
+  useChatHistory,
+  useChatSend,
+  useChatSocket,
+} from "@/components/tabs/chat/hooks";
+import { AgentCommsPanel } from "@/components/tabs/chat/AgentCommsPanel";
+import { AttachmentPreview } from "@/components/tabs/chat/AttachmentPreview";
+import { downloadChatFile } from "@/components/tabs/chat/uploads";

 import { toMobileAgent } from "./components";
 import { MOBILE_FONT_MONO, MOBILE_FONT_SANS, usePalette } from "./palette";
 import { Icons, StatusDot, TierChip } from "./primitives";

-interface ChatMessage {
-  id: string;
-  role: "user" | "agent" | "system";
-  text: string;
-  ts: string;
-}
-
 const formatStoredTimestamp = (iso: string): string => {
  const d = new Date(iso);
  if (isNaN(d.getTime())) return "";
@@ -29,15 +35,170 @@ const formatStoredTimestamp = (iso: string): string => {

 type SubTab = "my" | "a2a";

-interface A2AResponseShape {
-  result?: {
-    parts?: Array<{ kind?: string; text?: string }>;
-  };
-  error?: { message?: string };
-}
+function MarkdownBubble({
+  children,
+  dark,
+  accent,
+}: {
+  children: string;
+  dark: boolean;
+  accent: string;
+}) {
+  const codeBg = dark ? "rgba(255,255,255,0.08)" : "rgba(0,0,0,0.06)";
+  const codeBlockBg = dark ? "#1a1a1a" : "#f5f5f0";
+  const linkColor = accent;
+  const quoteBorder = dark ? "rgba(255,250,240,0.15)" : "rgba(40,30,20,0.15)";

-const formatTime = (date: Date) =>
-  date.toLocaleTimeString([], { hour: "numeric", minute: "2-digit" });
+  return (
+    <ReactMarkdown
+      remarkPlugins={[remarkGfm]}
+      components={{
+        p: ({ children }) => (
+          <div style={{ margin: "2px 0", lineHeight: "inherit" }}>{children}</div>
+        ),
+        a: ({ href, children }) => (
+          <a
+            href={href}
+            target="_blank"
+            rel="noopener noreferrer"
+            style={{ color: linkColor, textDecoration: "underline" }}
+          >
+            {children}
+          </a>
+        ),
+        pre: ({ children }) => (
+          <pre
+            style={{
+              background: codeBlockBg,
+              padding: "8px 10px",
+              borderRadius: 8,
+              overflow: "auto",
+              fontSize: 12,
+              lineHeight: 1.5,
+              fontFamily: MOBILE_FONT_MONO,
+              margin: "4px 0",
+            }}
+          >
+            {children}
+          </pre>
+        ),
+        code: ({ children, className }) => {
+          const isBlock = className != null && String(className).length > 0;
+          if (isBlock) {
+            return (
+              <code style={{ fontFamily: MOBILE_FONT_MONO, fontSize: 12 }}>
+                {children}
+              </code>
+            );
+          }
+          return (
+            <code
+              style={{
+                background: codeBg,
+                padding: "1px 4px",
+                borderRadius: 4,
+                fontSize: 13,
+                fontFamily: MOBILE_FONT_MONO,
+              }}
+            >
+              {children}
+            </code>
+          );
+        },
+        ul: ({ children }) => (
+          <ul style={{ margin: "4px 0", paddingLeft: 18, listStyle: "disc" }}>
+            {children}
+          </ul>
+        ),
+        ol: ({ children }) => (
+          <ol style={{ margin: "4px 0", paddingLeft: 18, listStyle: "decimal" }}>
+            {children}
+          </ol>
+        ),
+        li: ({ children }) => <li style={{ margin: "2px 0" }}>{children}</li>,
+        strong: ({ children }) => (
+          <strong style={{ fontWeight: 600 }}>{children}</strong>
+        ),
+        em: ({ children }) => <em style={{ fontStyle: "italic" }}>{children}</em>,
+        h1: ({ children }) => (
+          <div style={{ fontSize: 16, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h2: ({ children }) => (
+          <div style={{ fontSize: 15, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h3: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 700, margin: "4px 0" }}>{children}</div>
+        ),
+        h4: ({ children }) => (
+          <div style={{ fontSize: 14, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h5: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        h6: ({ children }) => (
+          <div style={{ fontSize: 13, fontWeight: 600, margin: "4px 0" }}>{children}</div>
+        ),
+        blockquote: ({ children }) => (
+          <blockquote
+            style={{
+              borderLeft: `2px solid ${quoteBorder}`,
+              margin: "4px 0",
+              paddingLeft: 8,
+              opacity: 0.85,
+            }}
+          >
+            {children}
+          </blockquote>
+        ),
+        hr: () => (
+          <hr
+            style={{
+              border: "none",
+              borderTop: `0.5px solid ${quoteBorder}`,
+              margin: "6px 0",
+            }}
+          />
+        ),
+        table: ({ children }) => (
+          <table
+            style={{
+              borderCollapse: "collapse",
+              fontSize: 13,
+              margin: "4px 0",
+              width: "100%",
+            }}
+          >
+            {children}
+          </table>
+        ),
+        thead: ({ children }) => <thead style={{ fontWeight: 600 }}>{children}</thead>,
+        th: ({ children }) => (
+          <th
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+              textAlign: "left",
+            }}
+          >
+            {children}
+          </th>
+        ),
+        td: ({ children }) => (
+          <td
+            style={{
+              border: `0.5px solid ${quoteBorder}`,
+              padding: "4px 6px",
+            }}
+          >
+            {children}
+          </td>
+        ),
+      }}
+    >
+      {children}
+    </ReactMarkdown>
+  );
+}

 export function MobileChat({
  agentId,
@@ -49,21 +210,40 @@ export function MobileChat({
  onBack: () => void;
 }) {
  const p = usePalette(dark);
-  const node = useCanvasStore((s) => s.nodes.find((n) => n.id === agentId));
-  const [messages, setMessages] = useState<ChatMessage[]>([]);
+  const nodes = useCanvasStore((s) => s.nodes);
+  const node = useMemo(() => nodes.find((n) => n.id === agentId), [nodes, agentId]);
  const [draft, setDraft] = useState("");
  const [tab, setTab] = useState<SubTab>("my");
-  const [sending, setSending] = useState(false);
-  const [error, setError] = useState<string | null>(null);
-  const [historyLoading, setHistoryLoading] = useState(true);
-  const [historyError, setHistoryError] = useState<string | null>(null);
  const scrollRef = useRef<HTMLDivElement>(null);
-  // Synchronous re-entry guard. `setSending(true)` schedules a state
-  // update but doesn't flush before a second tap can fire send() — a ref
-  // mirrors the desktop ChatTab pattern (sendInFlightRef) and closes the
-  // double-send race a stale `sending` lets through.
-  const sendInFlightRef = useRef(false);
  const composerRef = useRef<HTMLTextAreaElement>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+  const [pendingFiles, setPendingFiles] = useState<File[]>([]);
+
+  const {
+    messages,
+    loading: historyLoading,
+    loadError: historyError,
+    loadInitial,
+    appendMessageDeduped,
+  } = useChatHistory(agentId);
+
+  const {
+    sending,
+    uploading,
+    sendMessage,
+    error: sendError,
+    clearError,
+    releaseSendGuards,
+  } = useChatSend(agentId, {
+    getHistoryMessages: () => messages,
+    onUserMessage: appendMessageDeduped,
+    onAgentMessage: appendMessageDeduped,
+  });
+
+  useChatSocket(agentId, {
+    onAgentMessage: appendMessageDeduped,
+    onSendComplete: releaseSendGuards,
+  });

  // Auto-grow the textarea: reset height to 'auto' so the scrollHeight
  // shrinks when the user deletes text, then size to scrollHeight up to
@@ -82,73 +262,19 @@ export function MobileChat({
    }
  }, [messages]);

-  // Load chat history on mount / agent switch.
-  const loadHistory = useCallback(async () => {
-    setHistoryLoading(true);
-    setHistoryError(null);
-    try {
-      const resp = await api.get<{
-        messages: Array<{
-          id: string;
-          role: string;
-          content: string;
-          timestamp: string;
-        }>;
-      }>(`/workspaces/${agentId}/chat-history?limit=50`);
-      const loaded = (resp.messages ?? []).map((m) => ({
-        id: m.id,
-        role: m.role as "user" | "agent" | "system",
-        text: m.content,
-        ts: formatStoredTimestamp(m.timestamp),
-      }));
-      setMessages(loaded);
-    } catch (e) {
-      setHistoryError(e instanceof Error ? e.message : "Failed to load history");
-    } finally {
-      setHistoryLoading(false);
-    }
-  }, [agentId]);
-
+  // Consume any agent messages that arrived while history was loading.
+  const initialConsumeDoneRef = useRef(false);
  useEffect(() => {
-    let cancelled = false;
-    loadHistory().then(() => {
-      if (cancelled) return;
-      // Consume any agent messages that arrived while history was loading.
-      const consume = useCanvasStore.getState().consumeAgentMessages;
-      const msgs = consume(agentId);
-      if (msgs.length > 0) {
-        setMessages((prev) => [
-          ...prev,
-          ...msgs.map((m) => ({
-            id: m.id,
-            role: "agent" as const,
-            text: m.content,
-            ts: formatStoredTimestamp(m.timestamp),
-          })),
-        ]);
-      }
-    });
-    return () => { cancelled = true; };
-  }, [agentId, loadHistory]);
-
-  // Consume live agent pushes while the panel is mounted.
-  const pendingAgentMsgs = useCanvasStore((s) => s.agentMessages[agentId]);
-  useEffect(() => {
-    if (!pendingAgentMsgs || pendingAgentMsgs.length === 0) return;
+    if (historyLoading || initialConsumeDoneRef.current) return;
+    initialConsumeDoneRef.current = true;
    const consume = useCanvasStore.getState().consumeAgentMessages;
    const msgs = consume(agentId);
-    if (msgs.length > 0) {
-      setMessages((prev) => [
-        ...prev,
-        ...msgs.map((m) => ({
-          id: m.id,
-          role: "agent" as const,
-          text: m.content,
-          ts: formatStoredTimestamp(m.timestamp),
-        })),
-      ]);
+    for (const m of msgs) {
+      appendMessageDeduped(
+        createMessage("agent", m.content, m.attachments),
+      );
    }
-  }, [pendingAgentMsgs, agentId]);
+  }, [historyLoading, agentId, appendMessageDeduped]);

  if (!node) {
    return (
@@ -171,58 +297,43 @@ export function MobileChat({
  const a = toMobileAgent(node);
  const reachable = a.status === "online" || a.status === "degraded";

+  const onFilesPicked = (fileList: FileList | null) => {
+    if (!fileList) return;
+    const picked = Array.from(fileList);
+    setPendingFiles((prev) => {
+      const keyed = new Set(prev.map((f) => `${f.name}:${f.size}`));
+      return [...prev, ...picked.filter((f) => !keyed.has(`${f.name}:${f.size}`))];
+    });
+    if (fileInputRef.current) fileInputRef.current.value = "";
+  };
+
+  const removePendingFile = (index: number) =>
+    setPendingFiles((prev) => prev.filter((_, i) => i !== index));
+
+  // Route attachment downloads through the same authenticated helper
+  // the desktop ChatTab uses (downloadChatFile) so platform-scheme
+  // URIs get a real Blob with auth headers instead of about:blank.
+  const downloadAttachment = (att: ChatAttachment) => {
+    downloadChatFile(agentId, att).catch(() => {
+      // AttachmentPreview's own error affordance covers the in-bubble
+      // failure state; matches ChatTab's behaviour of not double-
+      // reporting a download failure.
+    });
+  };
+
  const send = async () => {
    const text = draft.trim();
-    if (!text || sending || !reachable) return;
-    if (sendInFlightRef.current) return;
-    sendInFlightRef.current = true;
+    if ((!text && pendingFiles.length === 0) || sending || !reachable) return;
+    clearError();
    setDraft("");
-    setError(null);
-    setSending(true);
-    const myMsg: ChatMessage = {
-      id: crypto.randomUUID(),
-      role: "user",
-      text,
-      ts: formatTime(new Date()),
-    };
-    setMessages((m) => [...m, myMsg]);
-
-    try {
-      const res = await api.post<A2AResponseShape>(`/workspaces/${agentId}/a2a`, {
-        method: "message/send",
-        params: {
-          message: {
-            role: "user",
-            messageId: crypto.randomUUID(),
-            parts: [{ kind: "text", text }],
-          },
-        },
-      });
-      const reply =
-        res.result?.parts?.find((part) => part.kind === "text")?.text ?? "";
-      if (reply) {
-        setMessages((m) => [
-          ...m,
-          {
-            id: crypto.randomUUID(),
-            role: "agent",
-            text: reply,
-            ts: formatTime(new Date()),
-          },
-        ]);
-      } else if (res.error?.message) {
-        setError(res.error.message);
-      }
-    } catch (e) {
-      setError(e instanceof Error ? e.message : "Failed to send");
-    } finally {
-      setSending(false);
-      sendInFlightRef.current = false;
-    }
+    const files = pendingFiles;
+    setPendingFiles([]);
+    await sendMessage(text, files);
  };

  return (
    <div
+      data-testid="chat-panel"
      style={{
        height: "100%",
        display: "flex",
@@ -245,6 +356,7 @@ export function MobileChat({
            type="button"
            onClick={onBack}
            aria-label="Back"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: 36,
              height: 36,
@@ -291,6 +403,7 @@ export function MobileChat({
          <button
            type="button"
            aria-label="More"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: 36,
              height: 36,
@@ -321,6 +434,7 @@ export function MobileChat({
                key={t.id}
                type="button"
                onClick={() => setTab(t.id)}
+                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                style={{
                  padding: "4px 0 8px",
                  border: "none",
@@ -339,7 +453,19 @@ export function MobileChat({
        </div>
      </div>

+      {/* Agent Comms — reuse the desktop AgentCommsPanel verbatim so
+          mobile renders the identical peer/A2A + delegation feed
+          (history GET + live socket events) instead of a placeholder
+          (#231). The panel owns its own scroll/load/error/empty
+          states, matching ChatTab's agent-comms tabpanel. */}
+      {tab === "a2a" && (
+        <div style={{ flex: 1, minHeight: 0, overflow: "hidden" }}>
+          <AgentCommsPanel workspaceId={agentId} />
+        </div>
+      )}
+
      {/* Messages */}
+      {tab === "my" && (
      <div
        ref={scrollRef}
        style={{
@@ -351,30 +477,45 @@ export function MobileChat({
          gap: 8,
        }}
      >
-        {tab === "a2a" && (
-          <div
-            style={{
-              padding: "20px 4px",
-              textAlign: "center",
-              color: p.text3,
-              fontSize: 13,
-            }}
-          >
-            Agent Comms — peer-to-peer A2A traffic surfaces in the Comms tab.
-          </div>
-        )}
        {tab === "my" && historyLoading && (
-          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Loading chat history…
          </div>
        )}
        {tab === "my" && !historyLoading && historyError && messages.length === 0 && (
-          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
-            {historyError}
+          <div
+            role="alert"
+            style={{
+              padding: "14px 4px",
+              textAlign: "center",
+              color: p.failed,
+              fontSize: 13,
+            }}
+          >
+            <div style={{ marginBottom: 8 }}>Could not load chat history.</div>
+            <button
+              type="button"
+              onClick={() => {
+                loadInitial();
+              }}
+              aria-label="Retry loading chat history"
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400"
+              style={{
+                padding: "6px 14px",
+                borderRadius: 14,
+                border: `0.5px solid ${p.failed}`,
+                background: "transparent",
+                color: p.failed,
+                fontSize: 12,
+                cursor: "pointer",
+              }}
+            >
+              Retry
+            </button>
          </div>
        )}
        {tab === "my" && !historyLoading && !historyError && messages.length === 0 && (
-          <div style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "20px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Send a message to start chatting.
          </div>
        )}
@@ -402,7 +543,31 @@ export function MobileChat({
                    overflowWrap: "anywhere",
                  }}
                >
-                  {m.text}
+                  {m.content && (
+                    <MarkdownBubble dark={dark} accent={p.accent}>
+                      {m.content}
+                    </MarkdownBubble>
+                  )}
+                  {m.attachments && m.attachments.length > 0 && (
+                    <div
+                      style={{
+                        display: "flex",
+                        flexWrap: "wrap",
+                        gap: 4,
+                        marginTop: m.content ? 6 : 0,
+                      }}
+                    >
+                      {m.attachments.map((att, i) => (
+                        <AttachmentPreview
+                          key={`${m.id}-${i}`}
+                          workspaceId={agentId}
+                          attachment={att}
+                          onDownload={downloadAttachment}
+                          tone={mine ? "user" : "agent"}
+                        />
+                      ))}
+                    </div>
+                  )}
                  <div
                    style={{
                      fontSize: 10,
@@ -411,13 +576,13 @@ export function MobileChat({
                      fontFamily: MOBILE_FONT_MONO,
                    }}
                  >
-                    {m.ts}
+                    {formatStoredTimestamp(m.timestamp)}
                  </div>
                </div>
              </div>
            );
          })}
-        {error && (
+        {sendError && (
          <div
            role="alert"
            style={{
@@ -429,11 +594,17 @@ export function MobileChat({
              fontSize: 12,
            }}
          >
-            {error}
+            {sendError}
          </div>
        )}
      </div>
+      )}

+      {/* Footer ID + composer belong to My Chat only. The Agent Comms
+          tab is a read-only peer/A2A feed (parity with desktop
+          ChatTab, where the agent-comms tabpanel has no composer). */}
+      {tab === "my" && (
+      <>
      {/* Footer ID */}
      <div
        style={{
@@ -460,6 +631,61 @@ export function MobileChat({
          backdropFilter: "blur(14px)",
        }}
      >
+        {pendingFiles.length > 0 && (
+          <div
+            style={{
+              display: "flex",
+              flexWrap: "wrap",
+              gap: 6,
+              marginBottom: 8,
+              paddingLeft: 2,
+            }}
+          >
+            {pendingFiles.map((f, i) => (
+              <div
+                key={`${f.name}:${f.size}`}
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: 4,
+                  padding: "3px 8px",
+                  borderRadius: 10,
+                  background: dark ? "#2a2823" : "#ece9e0",
+                  fontSize: 12,
+                  color: p.text2,
+                  maxWidth: "100%",
+                }}
+              >
+                <span
+                  style={{
+                    overflow: "hidden",
+                    textOverflow: "ellipsis",
+                    whiteSpace: "nowrap",
+                  }}
+                >
+                  {f.name}
+                </span>
+                <button
+                  type="button"
+                  onClick={() => removePendingFile(i)}
+                  aria-label={`Remove ${f.name}`}
+                  className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
+                  style={{
+                    border: "none",
+                    background: "transparent",
+                    color: p.text3,
+                    cursor: "pointer",
+                    fontSize: 12,
+                    padding: 0,
+                    lineHeight: 1,
+                  }}
+                >
+                  ✕
+                </button>
+              </div>
+            ))}
+          </div>
+        )}
        <div
          style={{
            display: "flex",
@@ -471,21 +697,33 @@ export function MobileChat({
            padding: "6px 6px 6px 12px",
          }}
        >
+          <input
+            ref={fileInputRef}
+            type="file"
+            multiple
+            style={{ display: "none" }}
+            onChange={(e) => onFilesPicked(e.target.files)}
+            aria-hidden="true"
+          />
          <button
            type="button"
+            onClick={() => fileInputRef.current?.click()}
+            disabled={!reachable || sending || uploading}
            aria-label="Attach"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: 32,
              height: 32,
              borderRadius: 999,
              border: "none",
-              cursor: "pointer",
+              cursor: reachable && !sending && !uploading ? "pointer" : "not-allowed",
              background: "transparent",
              color: p.text3,
              flexShrink: 0,
              display: "flex",
              alignItems: "center",
              justifyContent: "center",
+              opacity: !reachable || sending || uploading ? 0.4 : 1,
            }}
          >
            {Icons.attach({ size: 16 })}
@@ -494,6 +732,7 @@ export function MobileChat({
            ref={composerRef}
            value={draft}
            onChange={(e) => setDraft(e.target.value)}
+            aria-label="Message"
            onKeyDown={(e) => {
              // Enter sends; Shift+Enter inserts a newline. Skip when the
              // IME is composing — pressing Enter to commit a Chinese/
@@ -517,7 +756,12 @@ export function MobileChat({
              border: "none",
              outline: "none",
              background: "transparent",
-              fontSize: 14.5,
+              // iOS Safari/PWA zooms the viewport when a focused textarea
+              // has a computed font-size below 16px. 14.5 triggers that
+              // focus-zoom; the page looks broken until the user pinches
+              // back (#224, same class as desktop #1434 / sibling #225).
+              // 16px is the minimum that keeps focus from zooming.
+              fontSize: 16,
              lineHeight: 1.4,
              color: p.text,
              padding: "6px 0",
@@ -531,31 +775,38 @@ export function MobileChat({
          <button
            type="button"
            onClick={send}
-            disabled={!draft.trim() || !reachable || sending}
+            disabled={(!draft.trim() && pendingFiles.length === 0) || !reachable || sending || uploading}
            aria-label="Send"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: 36,
              height: 36,
              borderRadius: 999,
              border: "none",
-              cursor: draft.trim() && !sending ? "pointer" : "not-allowed",
+              cursor: (draft.trim() || pendingFiles.length === 0) && !sending && !uploading ? "pointer" : "not-allowed",
              flexShrink: 0,
              background:
-                draft.trim() && reachable && !sending
+                (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading
                  ? p.accent
                  : dark
                    ? "#2a2823"
                    : "#ece9e0",
-              color: draft.trim() && reachable && !sending ? "#fff" : p.text3,
+              color: (draft.trim() || pendingFiles.length > 0) && reachable && !sending && !uploading ? "#fff" : p.text3,
              display: "flex",
              alignItems: "center",
              justifyContent: "center",
            }}
          >
-            {Icons.send({ size: 16 })}
+            {uploading ? (
+              <span style={{ fontSize: 10, fontWeight: 600 }}>↑</span>
+            ) : (
+              Icons.send({ size: 16 })
+            )}
          </button>
        </div>
      </div>
+      </>
+      )}
    </div>
  );
 }
@@ -231,6 +231,7 @@ export function MobileComms({ dark }: { dark: boolean }) {
                fontSize: 13,
                fontWeight: 500,
              }}
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            >
              {o.label}
              <span
@@ -251,11 +252,11 @@ export function MobileComms({ dark }: { dark: boolean }) {

      <div style={{ padding: "0 14px", display: "flex", flexDirection: "column", gap: 8 }}>
        {loading && items.length === 0 ? (
-          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            Loading recent comms…
          </div>
        ) : filtered.length === 0 ? (
-          <div style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
+          <div role="status" aria-live="polite" style={{ padding: "30px 4px", textAlign: "center", color: p.text3, fontSize: 13 }}>
            No A2A traffic yet.
          </div>
        ) : (
@@ -2,7 +2,7 @@

 // 03 · Agent detail — pills + tabbed content (Overview/Activity/Config/Memory).

-import { useEffect, useState } from "react";
+import { useEffect, useMemo, useState } from "react";

 import { api } from "@/lib/api";
 import { useCanvasStore } from "@/store/canvas";
@@ -32,7 +32,10 @@ export function MobileDetail({
  onChat: () => void;
 }) {
  const p = usePalette(dark);
-  const node = useCanvasStore((s) => s.nodes.find((n) => n.id === agentId));
+  // Selecting `nodes` stably avoids the `.find()` anti-pattern that
+  // creates a new return value on every store update (React error #185).
+  const nodes = useCanvasStore((s) => s.nodes);
+  const node = useMemo(() => nodes.find((n) => n.id === agentId), [nodes, agentId]);
  const [tab, setTab] = useState<TabId>("overview");

  if (!node) {
@@ -80,11 +83,12 @@ export function MobileDetail({
            type="button"
            onClick={onBack}
            aria-label="Back"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={iconButtonStyle(p, dark)}
          >
            {Icons.back({ size: 18 })}
          </button>
-          <button type="button" aria-label="More" style={iconButtonStyle(p, dark)}>
+          <button type="button" aria-label="More" className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900" style={iconButtonStyle(p, dark)}>
            {Icons.more({ size: 18 })}
          </button>
        </div>
@@ -180,6 +184,7 @@ export function MobileDetail({
              key={t.id}
              type="button"
              onClick={() => setTab(t.id)}
+              className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
              style={{
                padding: "8px 14px",
                borderRadius: 999,
@@ -211,6 +216,8 @@ export function MobileDetail({
        <button
          type="button"
          onClick={onChat}
+          data-testid="mobile-chat-cta"
+          className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
          style={{
            width: "100%",
            height: 52,
@@ -412,6 +419,8 @@ function DetailActivity({ workspaceId, dark }: { workspaceId: string; dark: bool
  if (items === null) {
    return (
      <div
+        role="status"
+        aria-live="polite"
        style={{
          background: p.surface,
          borderRadius: 16,
@@ -200,6 +200,7 @@ export function MobileHome({
          justifyContent: "center",
          boxShadow: "0 8px 24px rgba(40,30,20,0.25), 0 2px 6px rgba(40,30,20,0.15)",
        }}
+        className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
      >
        {Icons.plus({ size: 22 })}
      </button>
@@ -92,6 +92,7 @@ export function MobileMe({
                    border: on ? `2px solid ${p.text}` : "2px solid transparent",
                    boxShadow: on ? `0 0 0 2px ${p.bg} inset` : "none",
                  }}
+                  className="focus:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                />
              );
            })}
@@ -184,6 +185,7 @@ function SegmentedRow({
              fontSize: 13,
              fontWeight: 600,
            }}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
          >
            {o.label}
          </button>
@@ -148,6 +148,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
            type="button"
            onClick={onClose}
            aria-label="Close"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: 32,
              height: 32,
@@ -170,6 +171,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
        <div style={{ padding: "0 14px" }}>
          {loadingTemplates ? (
            <div
+              role="status"
+              aria-live="polite"
              style={{
                padding: "24px 8px",
                textAlign: "center",
@@ -214,6 +217,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
                      setTplId(t.id);
                      setTier(tCode);
                    }}
+                    aria-label={`Select template: ${t.name} (tier ${t.tier})`}
+                    className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                    style={{
                      background: on
                        ? dark
@@ -302,6 +307,7 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
          <input
            value={name}
            onChange={(e) => setName(e.target.value)}
+            aria-label="Agent name"
            placeholder={tplId
              ? (templates.find((t) => t.id === tplId)?.name ?? "agent-name")
              : "agent-name"}
@@ -312,7 +318,12 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
              border: `0.5px solid ${p.border}`,
              borderRadius: 12,
              fontFamily: MOBILE_FONT_MONO,
-              fontSize: 13.5,
+              // iOS Safari/PWA zooms the viewport when a focused input has
+              // a computed font-size below 16px; the layout jumps and the
+              // page looks broken until the user pinches back (#224 / #225,
+              // same class as desktop #1434). 16px is the minimum that
+              // suppresses that focus-zoom.
+              fontSize: 16,
              color: p.text,
              outline: "none",
              boxSizing: "border-box",
@@ -330,6 +341,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
                key={t}
                type="button"
                onClick={() => setTier(t)}
+                aria-label={`Select tier ${t}: ${TIER_LABEL[t]}`}
+                className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
                style={{
                  flex: 1,
                  padding: "10px 8px",
@@ -377,6 +390,8 @@ export function MobileSpawn({ dark, onClose }: { dark: boolean; onClose: () => v
            type="button"
            onClick={handleSpawn}
            disabled={busy || !tplId || templates.length === 0}
+            aria-label="Spawn agent"
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              width: "100%",
              height: 52,
@@ -8,11 +8,27 @@
 * NOTE: No @testing-library/jest-dom — use DOM APIs.
 */
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { cleanup, render, waitFor } from "@testing-library/react";
+import { act, cleanup, render, waitFor } from "@testing-library/react";
 import React from "react";

 import { MobileChat } from "../MobileChat";

+// ─── Mock API ─────────────────────────────────────────────────────────────────
+// vi.mock without a factory auto-mocks the module. In tests, we configure
+// api.get / api.post directly (they are vi.fn() from the auto-mock).
+// Tests that need specific behaviour use mockResolvedValueOnce on the
+// auto-mocked functions.
+vi.mock("@/lib/api");
+import { api } from "@/lib/api";
+
+// AgentCommsPanel (mounted by the Agent Comms sub-tab, #231) subscribes
+// to the global socket via useSocketEvent. Stub it to a no-op so the
+// panel mounts without the real ReconnectingSocket — the parity tests
+// only assert the panel renders (vs the old static placeholder).
+vi.mock("@/hooks/useSocketEvent", () => ({
+  useSocketEvent: vi.fn(),
+}));
+
 // ─── Mock store ───────────────────────────────────────────────────────────────

 const mockAgentId = "ws-chat-test";
@@ -28,16 +44,18 @@ const mockStoreState = {
    height?: number;
  }>,
  agentMessages: {} as Record<string, Array<{ id: string; content: string; timestamp: string }>>,
+  consumeAgentMessages: () => [],
 };

 vi.mock("@/store/canvas", () => ({
  useCanvasStore: Object.assign(
-    vi.fn((sel) => sel(mockStoreState)),
+    vi.fn((sel?: (state: typeof mockStoreState) => unknown) => {
+      if (sel) return sel(mockStoreState);
+      return mockStoreState;
+    }),
    {
-      getState: () => ({
-        ...mockStoreState,
-        consumeAgentMessages: vi.fn(() => []),
-      }),
+      getState: () => mockStoreState,
+      subscribe: vi.fn(() => vi.fn()),
    },
  ),
  summarizeWorkspaceCapabilities: vi.fn((data: Record<string, unknown>) => {
@@ -59,20 +77,6 @@ vi.mock("@/store/canvas", () => ({
  }),
 }));

-// ─── Mock API ─────────────────────────────────────────────────────────────────
-
-const { mockApiPost } = vi.hoisted(() => ({
-  mockApiPost: vi.fn().mockResolvedValue({ result: { parts: [] } }),
-}));
-
-const { mockApiGet } = vi.hoisted(() => ({
-  mockApiGet: vi.fn().mockResolvedValue({ messages: [] }),
-}));
-
-vi.mock("@/lib/api", () => ({
-  api: { get: mockApiGet, post: mockApiPost },
-}));
-
 // ─── Fixtures ────────────────────────────────────────────────────────────────

 const onlineNode = {
@@ -157,10 +161,23 @@ function renderChat(agentId: string, dark = false) {

 beforeEach(() => {
  mockOnBack.mockClear();
-  mockApiGet.mockClear();
  mockStoreState.nodes = [];
  mockStoreState.agentMessages = {};
-  mockApiPost.mockClear();
+  // jsdom doesn't implement scrollIntoView. The Agent Comms tab now
+  // mounts AgentCommsPanel (#231), which scrolls its feed to bottom on
+  // arrival; a no-op stub keeps the panel from throwing under jsdom
+  // (same stub AgentCommsPanel's own render test installs).
+  Element.prototype.scrollIntoView =
+    vi.fn() as unknown as Element["scrollIntoView"];
+  // Set up spies on the real api methods. Tests override these per-call.
+  const getSpy = vi.spyOn(api, "get");
+  const postSpy = vi.spyOn(api, "post");
+  getSpy.mockResolvedValue({ messages: [], reached_end: true });
+  postSpy.mockResolvedValue({ result: { parts: [] } });
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
 });

 afterEach(() => {
@@ -246,6 +263,20 @@ describe("MobileChat — composer", () => {
    const sendBtn = container.querySelector('[aria-label="Send"]') as HTMLButtonElement;
    expect(sendBtn.disabled).toBe(true);
  });
+
+  // Regression #224: the composer textarea must render with font-size
+  // ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a focused
+  // input has a computed font-size below 16px — the layout jumps and
+  // the page looks broken until the user pinches back. Same class as
+  // desktop #1434 / sibling MobileSpawn #225.
+  it("composer textarea renders at font-size 16px or greater (iOS focus-zoom regression #224)", () => {
+    const { container } = renderChat(mockAgentId);
+    const textarea = container.querySelector("textarea") as HTMLTextAreaElement;
+    expect(textarea).toBeTruthy();
+    const fs = Number.parseFloat(textarea.style.fontSize);
+    expect(Number.isFinite(fs)).toBe(true);
+    expect(fs).toBeGreaterThanOrEqual(16);
+  });
 });

 // ─── Tabs ─────────────────────────────────────────────────────────────────────
@@ -277,18 +308,26 @@ describe("MobileChat — empty state", () => {
  });

  it('shows "Send a message to start chatting." when no messages', async () => {
-    const { container } = renderChat(mockAgentId);
-    await waitFor(() =>
-      expect(container.textContent ?? "").toContain("Send a message to start chatting."),
-    );
+    // History fetch resolves immediately in tests (mockResolvedValue).
+    // act() flushes the microtask queue so the component reaches its
+    // post-load state before we assert.
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
  });

  it("shows no messages when agentMessages[agentId] is absent (undefined)", async () => {
+    // Explicitly set to empty to simulate no stored messages
    mockStoreState.agentMessages = {};
-    const { container } = renderChat(mockAgentId);
-    await waitFor(() =>
-      expect(container.textContent ?? "").toContain("Send a message to start chatting."),
-    );
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
  });
 });

@@ -334,3 +373,275 @@ describe("MobileChat — dark mode", () => {
    expect(container.querySelector('[aria-label="Back"]')).toBeTruthy();
  });
 });
+
+// ─── Chat history loading ────────────────────────────────────────────────────
+
+describe("MobileChat — chat history", () => {
+  beforeEach(() => {
+    mockStoreState.nodes = [onlineNode];
+  });
+
+  it("calls GET /workspaces/:id/chat-history on mount", async () => {
+    await act(async () => {
+      renderChat(mockAgentId);
+    });
+    expect(api.get).toHaveBeenCalledWith(
+      expect.stringContaining(`/workspaces/${mockAgentId}/chat-history`),
+    );
+  });
+
+  it("shows loading state while history is fetching", () => {
+    // Do NOT await — check the pre-resolve state.
+    const { container } = renderChat(mockAgentId);
+    expect(container.textContent ?? "").toContain("Loading chat history…");
+  });
+
+  it("shows empty state after history resolves with no messages", async () => {
+    // beforeEach already sets api.get to resolve with empty — no override needed.
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("Send a message to start chatting.");
+  });
+
+  it("renders messages from history response", async () => {
+    vi.spyOn(api, "get").mockResolvedValueOnce({
+      messages: [
+        {
+          id: "msg-1",
+          role: "user",
+          content: "Hello agent",
+          timestamp: "2026-04-25T10:00:00Z",
+        },
+        {
+          id: "msg-2",
+          role: "agent",
+          content: "Hello back",
+          timestamp: "2026-04-25T10:00:01Z",
+        },
+      ],
+      reached_end: true,
+    });
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("Hello agent");
+    expect(container.textContent ?? "").toContain("Hello back");
+  });
+
+  it("maps user role from API correctly", async () => {
+    vi.spyOn(api, "get").mockResolvedValueOnce({
+      messages: [
+        {
+          id: "msg-u",
+          role: "user",
+          content: "user message",
+          timestamp: "2026-04-25T10:00:00Z",
+        },
+      ],
+      reached_end: true,
+    });
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    // User messages render right-aligned. The text content check is sufficient
+    // to confirm the message appeared.
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("user message");
+  });
+
+  it("shows error state when history fetch fails", async () => {
+    vi.spyOn(api, "get").mockRejectedValue(new Error("Network error"));
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+    expect(container.textContent ?? "").toContain("Could not load chat history.");
+    expect(container.textContent ?? "").toContain("Retry");
+  });
+
+  it("Retry button re-fetches history after error", async () => {
+    // Make the initial mount call fail so the Retry button appears, then
+    // make the retry call succeed so we can verify the full flow.
+    const getSpy = vi.spyOn(api, "get");
+    getSpy
+      .mockRejectedValueOnce(new Error("Network error"))
+      .mockResolvedValueOnce({ messages: [], reached_end: true });
+
+    let renderResult: ReturnType<typeof renderChat>;
+    await act(async () => {
+      renderResult = renderChat(mockAgentId);
+    });
+    const { container } = renderResult!;
+
+    // Error state should be shown with Retry button.
+    expect(container.textContent ?? "").toContain("Could not load chat history.");
+    expect(container.textContent ?? "").toContain("Retry");
+
+    // Click Retry — the button's onClick fires api.get again.
+    // The second mockResolvedValueOnce makes it succeed.
+    const retryBtn = Array.from(container.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Retry",
+    );
+    expect(retryBtn).toBeTruthy();
+    await act(async () => {
+      retryBtn?.click();
+    });
+
+    // waitFor polls until the retry resolves and component re-renders.
+    await waitFor(() => {
+      expect(container.textContent ?? "").toContain("Send a message to start chatting.");
+    });
+    // Initial call + retry = 2.
+    expect(getSpy).toHaveBeenCalledTimes(2);
+  });
+});
+
+// ─── #232 · Attachment render parity with desktop ChatTab ────────────────────
+//
+// Regression for the CTO-reported mobile bug: MobileChat used to render
+// only m.content (no attachment surface), so files sent/received in a
+// conversation were invisible on mobile while desktop showed them. The
+// fix routes m.attachments through the same AttachmentPreview the
+// desktop ChatTab bubble uses.
+
+describe("MobileChat — attachment render parity (#232)", () => {
+  beforeEach(() => {
+    mockStoreState.nodes = [onlineNode];
+  });
+
+  it("renders an attachment from a history message via AttachmentPreview", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    // useChatHistory reads { messages, reached_end }.
+    getSpy.mockResolvedValueOnce({
+      messages: [
+        {
+          id: "m-att-1",
+          role: "agent",
+          content: "Here is the report",
+          attachments: [
+            {
+              name: "report.csv",
+              uri: "workspace://out/report.csv",
+              mimeType: "text/csv",
+              size: 2048,
+            },
+          ],
+          timestamp: new Date().toISOString(),
+        },
+      ],
+      reached_end: true,
+    });
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    // A non-image attachment renders the AttachmentChip download button
+    // with title="Download <name>" — same component the desktop bubble
+    // dispatches through AttachmentPreview.
+    await waitFor(() => {
+      const chip = container.querySelector('[title="Download report.csv"]');
+      expect(chip).toBeTruthy();
+    });
+    expect(container.textContent ?? "").toContain("report.csv");
+  });
+});
+
+// ─── #231 · Agent Comms (A2A/peer) render parity with desktop ChatTab ────────
+//
+// Regression for the CTO-reported mobile bug: the Agent Comms sub-tab
+// rendered a static placeholder string ("peer-to-peer A2A traffic
+// surfaces in the Comms tab") instead of the real feed. The fix mounts
+// the same AgentCommsPanel the desktop ChatTab agent-comms tabpanel
+// uses, so peer/A2A + delegation activity is visible on mobile.
+
+describe("MobileChat — Agent Comms render parity (#231)", () => {
+  beforeEach(() => {
+    mockStoreState.nodes = [onlineNode];
+  });
+
+  it("mounts AgentCommsPanel on the Agent Comms tab (not the old placeholder)", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    // 1st GET: useChatHistory (My Chat) on mount.
+    getSpy.mockResolvedValueOnce({ messages: [], reached_end: true });
+    // 2nd GET: AgentCommsPanel's activity load when the tab is shown.
+    // Empty list → panel renders its own empty state, which still
+    // proves AgentCommsPanel mounted (vs. the removed placeholder).
+    getSpy.mockResolvedValueOnce([]);
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    const commsTab = Array.from(container.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Agent Comms",
+    );
+    expect(commsTab).toBeTruthy();
+    await act(async () => {
+      commsTab!.click();
+    });
+
+    await waitFor(() => {
+      const text = container.textContent ?? "";
+      // The panel's empty state — proves AgentCommsPanel mounted.
+      expect(text).toContain("No agent-to-agent communications yet.");
+    });
+    // The old hard-coded placeholder must be gone.
+    expect(container.textContent ?? "").not.toContain(
+      "peer-to-peer A2A traffic surfaces in the Comms tab",
+    );
+    // The panel hit its activity endpoint.
+    expect(getSpy).toHaveBeenCalledWith(
+      expect.stringContaining(`/workspaces/${mockAgentId}/activity`),
+    );
+  });
+
+  it("renders a peer message on the Agent Comms tab", async () => {
+    const getSpy = vi.spyOn(api, "get");
+    getSpy.mockResolvedValueOnce({ messages: [], reached_end: true });
+    // a2a_receive from a peer → AgentCommsPanel.toCommMessage maps it
+    // to an inbound bubble with the request text.
+    getSpy.mockResolvedValueOnce([
+      {
+        id: "act-1",
+        activity_type: "a2a_receive",
+        source_id: "peer-ws-uuid",
+        target_id: mockAgentId,
+        method: "message/send",
+        summary: "peer asked something",
+        request_body: { task: "Please review PR 42" },
+        response_body: null,
+        status: "ok",
+        created_at: new Date().toISOString(),
+      },
+    ]);
+
+    let rr: ReturnType<typeof renderChat>;
+    await act(async () => {
+      rr = renderChat(mockAgentId);
+    });
+    const { container } = rr!;
+
+    const commsTab = Array.from(container.querySelectorAll("button")).find(
+      (b) => b.textContent?.trim() === "Agent Comms",
+    );
+    await act(async () => {
+      commsTab!.click();
+    });
+
+    await waitFor(() => {
+      expect(container.textContent ?? "").toContain("Please review PR 42");
+    });
+  });
+});
@@ -93,6 +93,24 @@ describe("MobileSpawn — render", () => {
    expect(input).toBeTruthy();
  });

+  // Regression #224 / #225: the agent-name input must render with a
+  // font-size ≥ 16px. iOS Safari and PWAs auto-zoom the viewport when a
+  // focused input has a computed font-size below 16px — the layout
+  // jumps and the page looks broken until the user pinches back.
+  it("renders the name input at font-size 16px or greater (iOS focus-zoom regression)", () => {
+    apiGetSpy.mockResolvedValue(mockTemplates);
+    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
+    const input = document.querySelector(
+      'input[aria-label="Agent name"]',
+    ) as HTMLInputElement | null;
+    expect(input).toBeTruthy();
+    // Parse the inline style font-size — jsdom doesn't run a layout
+    // engine, so getComputedStyle reports the inline value verbatim.
+    const fs = Number.parseFloat(input!.style.fontSize);
+    expect(Number.isFinite(fs)).toBe(true);
+    expect(fs).toBeGreaterThanOrEqual(16);
+  });
+
  it("renders all 4 tier buttons", () => {
    apiGetSpy.mockResolvedValue(mockTemplates);
    render(<MobileSpawn dark={true} onClose={vi.fn()} />);
@@ -133,6 +133,7 @@ export function TabBar({
            aria-label={t.label}
            onClick={() => onChange(t.id)}
            onKeyDown={(e) => handleKeyDown(e, idx)}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              background: "none",
              border: "none",
@@ -288,8 +289,10 @@ export function AgentCard({
  return (
    <button
      type="button"
+      data-testid="workspace-card"
      aria-label={`${agent.name}, status: ${agent.status}, tier ${agent.tier}${agent.remote ? ", remote" : ""}`}
      onClick={onClick}
+      className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
      style={{
        display: "block",
        width: "100%",
@@ -443,6 +446,7 @@ export function FilterChips({
            type="button"
            aria-checked={on}
            onClick={() => onChange(o.id)}
+            className="focus:outline-none focus-visible:ring-2 focus-visible:ring-emerald-500 focus-visible:ring-offset-2 focus-visible:ring-offset-zinc-100 dark:focus-visible:ring-offset-zinc-900"
            style={{
              display: "inline-flex",
              alignItems: "center",
@@ -160,14 +160,14 @@ export function OrgTokensTab() {
            </code>
            <button
              onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
            >
              {copied ? 'Copied' : 'Copy'}
            </button>
          </div>
          <button
            onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
          >
            Dismiss
          </button>
@@ -219,7 +219,7 @@ export function OrgTokensTab() {
              </div>
              <button
                onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 shrink-0 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
              >
                Revoke
              </button>
@@ -3,16 +3,24 @@ import { useState, useCallback, useRef, useEffect } from 'react';
 import type { Secret, SecretGroup } from '@/types/secrets';
 import { useSecretsStore } from '@/stores/secrets-store';
 import { StatusBadge } from '@/components/ui/StatusBadge';
-import { RevealToggle } from '@/components/ui/RevealToggle';
 import { KeyValueField } from '@/components/ui/KeyValueField';
 import { ValidationHint } from '@/components/ui/ValidationHint';
 import { TestConnectionButton } from '@/components/ui/TestConnectionButton';
 import { validateSecretValue } from '@/lib/validation/secret-formats';
 import { SERVICES } from '@/lib/services';

-const AUTO_HIDE_MS = 30_000;
 const VALIDATION_DEBOUNCE_MS = 400;

+// Secret values are write-only from the browser: the server List endpoint
+// "Never exposes values", there is no per-secret decrypt route, and the
+// only decrypted path (GET /secrets/values) is bulk + token-gated for
+// remote agents. The old eye/RevealToggle was a dead affordance — it
+// flipped its own icon but could never reveal anything, which read as
+// "this doesn't work" (esp. once clicked → eye-with-slash). We show an
+// honest static indicator instead; rotation is via Edit.
+const WRITE_ONLY_TITLE =
+  'Value is write-only and cannot be revealed — use Edit to replace/rotate it';
+
 interface SecretRowProps {
  secret: Secret;
  workspaceId: string;
@@ -31,28 +39,12 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
  const setSecretStatus = useSecretsStore((s) => s.setSecretStatus);

  const isEditing = editingKey === secret.name;
-  const [revealed, setRevealed] = useState(false);
  const [editValue, setEditValue] = useState('');
  const [validationError, setValidationError] = useState<string | null>(null);
  const [isSaving, setIsSaving] = useState(false);
  const [saveError, setSaveError] = useState<string | null>(null);
  const debounceRef = useRef<ReturnType<typeof setTimeout>>(undefined);
  const editBtnRef = useRef<HTMLButtonElement>(null);
-  const revealTimerRef = useRef<ReturnType<typeof setTimeout>>(undefined);
-
-  // Auto-hide revealed value after 30s
-  useEffect(() => {
-    if (revealed) {
-      clearTimeout(revealTimerRef.current);
-      revealTimerRef.current = setTimeout(() => setRevealed(false), AUTO_HIDE_MS);
-      return () => clearTimeout(revealTimerRef.current);
-    }
-  }, [revealed]);
-
-  // Reset revealed state when panel closes (session-only)
-  useEffect(() => {
-    return () => setRevealed(false);
-  }, []);

  // Debounced validation
  useEffect(() => {
@@ -133,11 +125,15 @@ export function SecretRow({ secret, workspaceId }: SecretRowProps) {
          {secret.masked_value}
        </span>
        <div className="secret-row__actions">
-          <RevealToggle
-            revealed={revealed}
-            onToggle={() => setRevealed((r) => !r)}
-            label={`Toggle reveal ${secret.name}`}
-          />
+          <span
+            data-testid="write-only-indicator"
+            className="secret-row__write-only"
+            role="img"
+            aria-label={`${secret.name} value is write-only and cannot be revealed; use Edit to replace it`}
+            title={WRITE_ONLY_TITLE}
+          >
+            🔒
+          </span>
          <StatusBadge status={secret.status} />
          <button
            type="button"
@@ -16,7 +16,40 @@ interface TokensTabProps {
  workspaceId: string;
 }

+// The settings panel passes the literal sentinel "global" when no canvas
+// node is selected. Workspace tokens are inherently per-workspace — there
+// is no /workspaces/global/tokens endpoint (querying the uuid column with
+// "global" 500s on Postgres). The org-wide equivalent lives in the
+// separate "Org API Keys" tab. Mirrors the sentinel-awareness that
+// api/secrets.ts already has (workspaceId === 'global' → /settings/secrets).
+const GLOBAL_WORKSPACE_ID = 'global';
+
 export function TokensTab({ workspaceId }: TokensTabProps) {
+  if (workspaceId === GLOBAL_WORKSPACE_ID) {
+    return (
+      <div className="p-4 space-y-4">
+        <div>
+          <h3 className="text-sm font-semibold text-ink">API Tokens</h3>
+          <p className="text-[10px] text-ink-mid mt-0.5">
+            Bearer tokens for authenticating API calls to this workspace.
+          </p>
+        </div>
+        <div className="text-center py-6">
+          <p className="text-xs text-ink-mid">Select a workspace node first</p>
+          <p className="text-[10px] text-ink-mid mt-1">
+            Workspace tokens are scoped to a single workspace. Select a node
+            on the canvas to manage its tokens, or use the{' '}
+            <span className="text-accent font-medium">Org API Keys</span> tab
+            for org-wide API keys.
+          </p>
+        </div>
+      </div>
+    );
+  }
+  return <WorkspaceTokensTab workspaceId={workspaceId} />;
+}
+
+function WorkspaceTokensTab({ workspaceId }: TokensTabProps) {
  const [tokens, setTokens] = useState<Token[]>([]);
  const [loading, setLoading] = useState(true);
  const [creating, setCreating] = useState(false);
@@ -107,14 +140,14 @@ export function TokensTab({ workspaceId }: TokensTabProps) {
            </code>
            <button
              onClick={handleCopy}
-              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors"
+              className="shrink-0 px-2 py-1.5 bg-emerald-800/40 hover:bg-emerald-700/50 border border-emerald-700/40 rounded text-[10px] text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
            >
              {copied ? 'Copied' : 'Copy'}
            </button>
          </div>
          <button
            onClick={() => setNewToken(null)}
-            className="text-[9px] text-good/60 hover:text-good transition-colors"
+            className="text-[9px] text-good/60 hover:text-good transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
          >
            Dismiss
          </button>
@@ -159,7 +192,7 @@ export function TokensTab({ workspaceId }: TokensTabProps) {
              </div>
              <button
                onClick={() => setRevokeTarget(t)}
-                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1"
+                className="text-[10px] text-bad/70 hover:text-bad transition-colors px-2 py-1 focus:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1"
              >
                Revoke
              </button>
@@ -138,14 +138,54 @@ describe("SecretRow — display mode", () => {
    expect(document.querySelector('[role="row"]')).toBeTruthy();
  });

-  it("has Reveal, Copy, Edit, Delete buttons", () => {
+  it("has Copy, Edit, Delete buttons", () => {
    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
-    expect(screen.getByTestId("reveal-toggle")).toBeTruthy();
    expect(screen.getByRole("button", { name: /copy/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /edit/i })).toBeTruthy();
    expect(screen.getByRole("button", { name: /delete/i })).toBeTruthy();
  });

+  // Regression: the reveal/eye control was a dead affordance. Clicking it
+  // flipped its own icon (eye → eye-with-slash) but never revealed the value,
+  // because secret values are write-only from the browser (server List
+  // "Never exposes values"; there is no per-secret decrypt endpoint and the
+  // client has no plaintext-fetch function). The honest fix removes the
+  // toggle and shows a static "write-only / cannot be revealed" indicator.
+  // See internal tracking issue + internal#210/#211.
+  it("does NOT render a reveal/eye toggle (values are write-only)", () => {
+    render(<SecretRow secret={GITHUB_SECRET} workspaceId="ws-1" />);
+    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
+    expect(
+      screen.queryByRole("button", { name: /toggle reveal/i }),
+    ).toBeNull();
+  });
+
+  it("shows a write-only indicator explaining the value cannot be revealed", () => {
+    render(<SecretRow secret={ANTHROPIC_SECRET} workspaceId="ws-1" />);
+    const indicator = screen.getByTestId("write-only-indicator");
+    expect(indicator).toBeTruthy();
+    // Affordance must be honest: explain it cannot be revealed and that
+    // Edit is the rotate path. It must not be a clickable button.
+    const title = indicator.getAttribute("title") ?? "";
+    expect(title.toLowerCase()).toMatch(/write-only|cannot be revealed/);
+    expect(indicator.tagName).not.toBe("BUTTON");
+  });
+
+  it("write-only indicator is present for the Anthropic/OAuth-token row too", () => {
+    // The reported bug singled out CLAUDE_CODE_OAUTH_TOKEN (anthropic group);
+    // the fix is group-agnostic — every row gets the same honest affordance.
+    const OAUTH_SECRET = {
+      name: "CLAUDE_CODE_OAUTH_TOKEN",
+      masked_value: "••••••••••••••••9d2a",
+      group: "anthropic" as const,
+      status: "unverified" as const,
+      updated_at: "2024-01-04",
+    };
+    render(<SecretRow secret={OAUTH_SECRET} workspaceId="ws-1" />);
+    expect(screen.queryByTestId("reveal-toggle")).toBeNull();
+    expect(screen.getByTestId("write-only-indicator")).toBeTruthy();
+  });
+
  it("shows invalid status correctly", () => {
    render(<SecretRow secret={CUSTOM_SECRET} workspaceId="ws-1" />);
    expect(screen.getByTestId("status-badge").getAttribute("data-status")).toBe("invalid");
@@ -302,3 +302,35 @@ describe("TokensTab — error", () => {
    expect(document.querySelector('[role="status"]')).toBeNull();
  });
 });
+
+// ─── "global" sentinel (no node selected) ────────────────────────────────────
+//
+// Regression: SettingsPanel passes the literal "global" when no canvas
+// node is selected. workspace tokens are per-workspace and there is no
+// /workspaces/global/tokens endpoint — calling it 500'd
+// ("invalid input syntax for type uuid: global"). The tab must NOT call
+// the API in that state and must point the user at the Org API Keys tab.
+describe("TokensTab — global sentinel (no node selected)", () => {
+  beforeEach(() => {
+    mockApiGet.mockReset();
+    mockApiPost.mockReset();
+    mockApiGet.mockRejectedValue(new Error("should not be called"));
+  });
+
+  it("does not call the API and shows a pointer to Org API Keys", async () => {
+    render(<TokensTab workspaceId="global" />);
+    await flush();
+    expect(mockApiGet).not.toHaveBeenCalled();
+    expect(mockApiPost).not.toHaveBeenCalled();
+    expect(document.body.textContent).toContain("Select a workspace node");
+    expect(document.body.textContent).toContain("Org API Keys");
+    // No error banner, no scary 500 surfacing.
+    expect(document.querySelector(".text-bad")).toBeNull();
+  });
+
+  it("has no create button in the global state", async () => {
+    render(<TokensTab workspaceId="global" />);
+    await flush();
+    expect(document.body.textContent).not.toContain("New Token");
+  });
+});
@@ -185,7 +185,7 @@ export function ActivityTab({ workspaceId }: Props) {
      {/* Activity list */}
      <div className="flex-1 overflow-y-auto p-3 space-y-1.5">
        {loading && activities.length === 0 && (
-          <div className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
+          <div role="status" aria-live="polite" className="text-xs text-ink-mid text-center py-8">Loading activity...</div>
        )}

        {error && (
@@ -243,7 +243,7 @@ export function BudgetSection({ workspaceId }: Props) {
          onClick={handleSave}
          disabled={saving}
          data-testid="budget-save-btn"
-          className="px-4 py-1.5 bg-accent-strong hover:bg-accent active:bg-accent-strong rounded-lg text-xs font-medium text-white disabled:opacity-50 transition-colors"
+          className="px-4 py-1.5 bg-accent-strong hover:bg-accent active:bg-accent-strong rounded-lg text-xs font-medium text-white disabled:opacity-50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
        >
          {saving ? "Saving…" : "Save"}
        </button>
@@ -255,14 +255,14 @@ export function ChannelsTab({ workspaceId }: Props) {
        </h3>
        <button
          onClick={() => setShowForm(!showForm)}
-          className="text-[10px] px-2.5 py-1 rounded bg-accent-strong/20 text-accent hover:bg-accent-strong/30 transition"
+          className="text-[10px] px-2.5 py-1 rounded bg-accent-strong/20 text-accent hover:bg-accent-strong/30 transition focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
        >
          {showForm ? "Cancel" : "+ Connect"}
        </button>
      </div>

      {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -308,7 +308,7 @@ export function ChannelsTab({ workspaceId }: Props) {
                            <button
                              onClick={handleDiscover}
                              disabled={discovering || !formValues["bot_token"]}
-                              className="text-[10px] px-2 py-0.5 rounded bg-accent-strong/20 text-accent hover:bg-accent-strong/30 transition disabled:opacity-40"
+                              className="text-[10px] px-2 py-0.5 rounded bg-accent-strong/20 text-accent hover:bg-accent-strong/30 transition disabled:opacity-40 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
                            >
                              {discovering ? "Detecting..." : "Detect Chats"}
                            </button>
@@ -81,7 +81,7 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
            spellCheck={false} rows={12}
            className="w-full bg-surface-card border border-line rounded p-2 text-[10px] font-mono text-ink focus:outline-none focus:border-accent resize-none"
          />
-          {error && <div className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
+          {error && <div role="alert" aria-live="assertive" className="px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">{error}</div>}
          <div className="flex gap-2">
            <button type="button" onClick={handleSave} disabled={saving}
              className="px-2 py-1 bg-accent hover:bg-accent-strong text-[10px] rounded text-white disabled:opacity-50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-surface">
@@ -109,6 +109,130 @@ function AgentCardSection({ workspaceId }: { workspaceId: string }) {
  );
 }

+// --- Agent Abilities Section ---
+//
+// Always-visible on/off controls for the two workspace-level ability flags
+// (broadcast_enabled, talk_to_user_enabled). Both are mutated through the
+// same admin endpoint the ChatTab recovery banner already uses
+// (PATCH /workspaces/:id/abilities) and reflected into the canvas store node
+// data (broadcastEnabled / talkToUserEnabled) so every surface that reads
+// useCanvasStore.nodes stays consistent without a full re-hydrate.
+//
+// Before this section there was NO canvas control for either flag: the
+// backend was fully wired (workspace_abilities.go / workspace_broadcast.go /
+// agent_message_writer.go, see commit 29b4bffb + internal#510/#511) but the
+// only frontend affordance was the ChatTab recovery banner, which renders
+// solely when talk_to_user_enabled===false and so is invisible under the
+// TRUE default and never existed at all for broadcast.
+function AgentAbilitiesSection({ workspaceId }: { workspaceId: string }) {
+  // Read the live ability flags off the canvas store node — the platform
+  // event stream hydrates these (canvas-topology.ts maps the workspace row's
+  // broadcast_enabled/talk_to_user_enabled onto node data), so this stays in
+  // sync with the recovery banner and avoids a duplicate GET. Mirrors the
+  // store-read pattern used by AgentCardSection above.
+  const node = useCanvasStore((s) =>
+    s.nodes?.find?.((n) => n.id === workspaceId),
+  );
+  // Defaults match the backend column defaults + canvas-topology mapping:
+  // broadcast_enabled defaults FALSE, talk_to_user_enabled defaults TRUE.
+  const broadcastEnabled = node?.data.broadcastEnabled ?? false;
+  const talkToUserEnabled = node?.data.talkToUserEnabled ?? true;
+
+  // Track an in-flight PATCH per field so a double-click can't fire two
+  // racing writes, and surface a one-line error if the server rejects.
+  const [pending, setPending] = useState<null | "broadcast" | "talk">(null);
+  const [error, setError] = useState<string | null>(null);
+
+  const patchAbility = async (
+    which: "broadcast" | "talk",
+    body: { broadcast_enabled: boolean } | { talk_to_user_enabled: boolean },
+    optimistic: Partial<{ broadcastEnabled: boolean; talkToUserEnabled: boolean }>,
+  ) => {
+    setError(null);
+    setPending(which);
+    // Optimistic store update — the toggle flips immediately; on failure we
+    // roll back to the server-truth value the store last held.
+    const prev = {
+      broadcastEnabled,
+      talkToUserEnabled,
+    };
+    useCanvasStore.getState().updateNodeData(workspaceId, optimistic);
+    try {
+      await api.patch(`/workspaces/${workspaceId}/abilities`, body);
+    } catch (e) {
+      // Roll back the optimistic change to last-known server truth.
+      useCanvasStore.getState().updateNodeData(workspaceId, {
+        broadcastEnabled: prev.broadcastEnabled,
+        talkToUserEnabled: prev.talkToUserEnabled,
+      });
+      setError(
+        e instanceof Error ? e.message : "Failed to update ability — try again",
+      );
+    } finally {
+      setPending(null);
+    }
+  };
+
+  return (
+    <Section title="Agent Abilities">
+      <p className="text-[10px] text-ink-mid px-1 pb-1">
+        Workspace-level permissions for this agent. Changes apply immediately
+        (no restart required).
+      </p>
+      <div className="space-y-2">
+        <div>
+          <Toggle
+            label="Talk to user"
+            checked={talkToUserEnabled}
+            onChange={(v) =>
+              pending
+                ? undefined
+                : patchAbility(
+                    "talk",
+                    { talk_to_user_enabled: v },
+                    { talkToUserEnabled: v },
+                  )
+            }
+          />
+          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
+            When off, the agent&apos;s <code className="font-mono">send_message_to_user</code>{" "}
+            and <code className="font-mono">POST /notify</code> calls are
+            rejected (403) — it must route updates through a parent workspace.
+          </p>
+        </div>
+        <div>
+          <Toggle
+            label="Broadcast to peers"
+            checked={broadcastEnabled}
+            onChange={(v) =>
+              pending
+                ? undefined
+                : patchAbility(
+                    "broadcast",
+                    { broadcast_enabled: v },
+                    { broadcastEnabled: v },
+                  )
+            }
+          />
+          <p className="text-[10px] text-ink-mid mt-0.5 ml-6">
+            When on, the agent may <code className="font-mono">POST /broadcast</code>{" "}
+            to message all non-removed agent workspaces in the org. Off by
+            default — only privileged orchestrators should hold this.
+          </p>
+        </div>
+      </div>
+      {pending && (
+        <div className="mt-2 text-[10px] text-ink-mid">Saving…</div>
+      )}
+      {error && (
+        <div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+          {error}
+        </div>
+      )}
+    </Section>
+  );
+}
+
 // --- Main ConfigTab ---

 interface ModelSpec {
@@ -176,7 +300,7 @@ export function deriveProvidersFromModels(models: ModelSpec[]): string[] {
 // exactly the point of the platform adaptor. The deep `~/.hermes/
 // config.yaml` on the container is a separate runtime-internal file,
 // not this one.
-const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli"]);
+const RUNTIMES_WITH_OWN_CONFIG = new Set<string>(["external", "kimi", "kimi-cli", "openclaw"]);

 const FALLBACK_RUNTIME_OPTIONS: RuntimeOption[] = [
  { value: "", label: "LangGraph (default)", models: [], providers: [] },
@@ -795,6 +919,7 @@ export function ConfigTab({ workspaceId }: Props) {
                  <label className="text-[10px] text-ink-mid block mb-1">Model</label>
                  <input
                    type="text"
+                    aria-label="Model"
                    value={currentModelId}
                    onChange={(e) => {
                      const v = e.target.value;
@@ -885,6 +1010,8 @@ export function ConfigTab({ workspaceId }: Props) {
            )}
          </Section>

+          <AgentAbilitiesSection workspaceId={workspaceId} />
+
          {/* Claude Settings — shown for claude-code runtime or claude/anthropic model names */}
          {(config.runtime === "claude-code" ||
            (config.runtime_config?.model || config.model || "").toLowerCase().includes("claude") ||
@@ -995,7 +1122,7 @@ export function ConfigTab({ workspaceId }: Props) {
      )}

      {error && (
-        <div className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
+        <div role="alert" aria-live="assertive" className="mx-3 mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">{error}</div>
      )}
      {!error && RUNTIMES_WITH_OWN_CONFIG.has(config.runtime || "") && (
        <div className="mx-3 mb-2 px-3 py-1.5 bg-surface-sunken/50 border border-line rounded text-xs text-ink-mid">
@@ -157,7 +157,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
              </select>
            </Field>
            {saveError && (
-              <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+              <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                {saveError}
              </div>
            )}
@@ -203,7 +203,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
            {isRestartable && (
              <div className="pt-2">
                {restartError && (
-                  <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+                  <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
                    {restartError}
                  </div>
                )}
@@ -307,7 +307,7 @@ export function DetailsTab({ workspaceId, data }: Props) {
      {/* Delete */}
      <Section title="Danger Zone">
        {deleteError && (
-          <div className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+          <div role="alert" aria-live="assertive" className="mb-2 px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
            {deleteError}
          </div>
        )}
@@ -82,7 +82,7 @@ export function EventsTab({ workspaceId }: Props) {
      </div>

      {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -102,7 +102,7 @@ export function ExternalConnectionSection({ workspaceId }: Props) {
      </div>

      {error && (
-        <div className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
+        <div role="alert" aria-live="assertive" className="mt-2 px-2 py-1 bg-red-900/30 border border-red-800 rounded text-[10px] text-bad">
          {error}
        </div>
      )}
@@ -45,11 +45,54 @@ export function FilesTab({ workspaceId, data }: Props) {
  if (data && isExternalLikeRuntime(data.runtime)) {
    return <NotAvailablePanel runtime={data.runtime} />;
  }
-  return <PlatformOwnedFilesTab workspaceId={workspaceId} />;
+  return <PlatformOwnedFilesTab workspaceId={workspaceId} runtime={data?.runtime} />;
 }

-function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
-  const [root, setRoot] = useState("/configs");
+/** Picks the initial root for the FilesTab dropdown based on the
+ *  workspace's runtime. Decision: per-runtime default (Hongming
+ *  2026-05-15, internal#425 Decisions §2).
+ *
+ *  - openclaw → `/agent-home` (the agent's identity/state — the
+ *    user-facing interesting files for that runtime live in
+ *    `~/.openclaw/` inside the container, which `/agent-home` maps to
+ *    via the Phase 2b docker-exec backend).
+ *  - everything else (claude-code, hermes, external-like, undefined)
+ *    → `/configs` (the legacy default — managed config that flows
+ *    through the per-runtime indirection in
+ *    workspace-server/internal/handlers/template_files_eic.go).
+ *
+ *  When the runtime is undefined (legacy callers that don't thread
+ *  `data` through, or a workspace whose runtime field hasn't loaded
+ *  yet) the default is `/configs` — matches today's behaviour, no
+ *  surprise.
+ *
+ *  Note on `/agent-home` pre-Phase-2b: the backend short-circuits
+ *  with HTTP 501 and the canonical "implementation pending" body.
+ *  The tab renders empty + the error banner explains. This is by
+ *  design — lets us land the canvas UX before the backend ships,
+ *  per the RFC's phased rollout. The 501 is graceful: it doesn't
+ *  poison error toasts or generate "workspace not found" noise.
+ *
+ *  Adding a new runtime that should default to `/agent-home`: add it
+ *  to the agentHomeDefaultRuntimes set below. Adding a runtime that
+ *  should default to a different root: extend this function. */
+const agentHomeDefaultRuntimes = new Set(["openclaw"]);
+
+function defaultRootForRuntime(runtime: string | undefined): string {
+  if (runtime && agentHomeDefaultRuntimes.has(runtime)) {
+    return "/agent-home";
+  }
+  return "/configs";
+}
+
+function PlatformOwnedFilesTab({
+  workspaceId,
+  runtime,
+}: {
+  workspaceId: string;
+  runtime?: string;
+}) {
+  const [root, setRoot] = useState(() => defaultRootForRuntime(runtime));
  const [selectedFile, setSelectedFile] = useState<string | null>(null);
  const [fileContent, setFileContent] = useState("");
  const [editContent, setEditContent] = useState("");
@@ -223,7 +266,7 @@ function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
        // immediately. Delete-All hovers DARKER (bg-red-700) — same AA
        // contrast trap that bit ConfirmDialog/ApprovalBanner. Cancel
        // lifts to surface-elevated instead of the prior no-op hover.
-        <div role="alertdialog" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
+        <div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-all-msg" className="mx-3 mt-2 px-3 py-2 bg-red-950/30 border border-red-800/40 rounded space-y-1.5">
          <p id="files-delete-all-msg" className="text-xs text-bad">Delete all {files.filter((f) => !f.dir).length} files? This cannot be undone.</p>
          <div className="flex gap-2">
            <button type="button" onClick={() => { handleDeleteAll(); setShowDeleteAll(false); }} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete All</button>
@@ -237,7 +280,7 @@ function PlatformOwnedFilesTab({ workspaceId }: { workspaceId: string }) {
      )}

      {confirmDelete && (
-        <div role="alertdialog" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
+        <div role="alertdialog" aria-modal="false" aria-labelledby="files-delete-one-msg" className="mx-3 mt-2 px-3 py-2 bg-amber-950/30 border border-amber-800/40 rounded space-y-1.5">
          <p id="files-delete-one-msg" className="text-xs text-warm">Delete <span className="font-mono">{confirmDelete}</span>{files.find((f) => f.path === confirmDelete && f.dir) ? " and all its contents" : ""}?</p>
          <div className="flex gap-2">
            <button type="button" onClick={confirmDeleteFile} className="px-2 py-0.5 bg-red-700 hover:bg-red-600 text-[10px] rounded text-white transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1 focus-visible:ring-offset-surface">Delete</button>
@@ -3,6 +3,22 @@
 import { useRef } from "react";
 import { getIcon } from "./tree";

+// secretShapeMarker is the canonical body the workspace-server Files
+// API returns when a file's path OR content matched a credential
+// regex (internal#425 RFC, Phase 2b — backed by
+// workspace-server/internal/secrets.ScanBytes). The marker is a
+// fixed prefix so the canvas can detect it without parsing JSON and
+// without round-tripping the matched bytes through the editor (which
+// would defeat the purpose — clipboard, browser history, log
+// surfaces would all see them).
+//
+// Today (Phase 1 / before 2b ships) the backend returns 501 for the
+// only root that uses this path, so the marker is dead code until
+// 2b lands. Wiring it in now keeps the canvas + backend contracts
+// aligned in one PR rather than a follow-up. The constant is
+// importable so a future test can pin the exact string.
+export const SECRET_SHAPE_DENIED_MARKER = "<denied: secret-shape>";
+
 interface Props {
  selectedFile: string | null;
  fileContent: string;
@@ -31,6 +47,22 @@ export function FileEditor({
  const editorRef = useRef<HTMLTextAreaElement>(null);
  const isDirty = editContent !== fileContent;

+  // internal#425 Phase 3: detect the secret-shape denial marker and
+  // render a placeholder instead of the editor. The marker comes
+  // from workspace-server Phase 2b (secrets.ScanBytes) which refuses
+  // to surface the file's bytes. We deliberately don't expose
+  // the matched pattern's Name here — the canvas just shows the
+  // generic denial. The Files API log surface has the Pattern.Name
+  // for operators who need to debug a false positive.
+  const isSecretShapeDenied = fileContent === SECRET_SHAPE_DENIED_MARKER;
+
+  // /agent-home is read-only from the canvas (Phase 2b ships read +
+  // delete; Phase-2b-followup may add write). Edits to /configs are
+  // unchanged. Until 2b ships, /agent-home returns 501 so this
+  // read-only gate is also dead code, but wiring it in now keeps
+  // the UI honest the moment 2b lands without a follow-up canvas PR.
+  const isReadOnlyRoot = root !== "/configs";
+
  if (!selectedFile) {
    return (
      <div className="flex-1 flex items-center justify-center">
@@ -75,11 +107,42 @@ export function FileEditor({
      {/* Editor area */}
      {loadingFile ? (
        <div className="p-4 text-xs text-ink-mid">Loading...</div>
+      ) : isSecretShapeDenied ? (
+        // Files API refused to surface this file's bytes because its
+        // path or content matched a credential regex
+        // (workspace-server/internal/secrets, internal#425 Phase 2b).
+        // We render a placeholder INSTEAD OF the textarea so the
+        // matched bytes never enter the DOM. Clipboard / view-source
+        // / element-inspector all see the placeholder, not the
+        // credential.
+        <div
+          role="region"
+          aria-label="File content denied"
+          className="flex-1 flex items-center justify-center p-6 bg-surface"
+        >
+          <div className="max-w-md text-center space-y-2">
+            <div className="text-2xl opacity-40">🛡️</div>
+            <p className="text-[11px] font-mono text-warm">
+              {SECRET_SHAPE_DENIED_MARKER}
+            </p>
+            <p className="text-[10px] text-ink-mid leading-relaxed">
+              The platform refused to surface this file because its
+              path or content matched a credential-shape pattern.
+              The bytes never left the workspace container.
+            </p>
+            <p className="text-[10px] text-ink-mid leading-relaxed">
+              If this is a false positive (test fixture, docs example,
+              or content that happens to share a credential's shape),
+              rename the file or adjust the content via the workspace
+              terminal so the regex no longer matches, then refresh.
+            </p>
+          </div>
+        </div>
      ) : (
        <textarea
          ref={editorRef}
          value={editContent}
-          readOnly={root !== "/configs"}
+          readOnly={isReadOnlyRoot}
          onChange={(e) => setEditContent(e.target.value)}
          onKeyDown={(e) => {
            if ((e.metaKey || e.ctrlKey) && e.key === "s") {
@@ -38,6 +38,15 @@ export function FilesToolbar({
          <option value="/home">/home</option>
          <option value="/workspace">/workspace</option>
          <option value="/plugins">/plugins</option>
+          {/* internal#425 Phase 1+3: container-internal $HOME root.
+              Backend lands the docker-exec dispatch in Phase 2b. Until
+              then the stub returns 501 with a canonical
+              "implementation pending" message — the dropdown renders
+              the option so the canvas affordance is design-frozen
+              even before the backend ships.
+              Runtime-default selection logic in FilesTab.tsx picks
+              this as the initial value for openclaw workspaces. */}
+          <option value="/agent-home">/agent-home</option>
        </select>
        <span className="text-[10px] text-ink-mid">{fileCount} files</span>
      </div>
@@ -0,0 +1,181 @@
+// @vitest-environment jsdom
+/**
+ * Tests for the /agent-home root selector + per-runtime default-root
+ * + secret-shape denial placeholder (internal#425 Phase 3).
+ *
+ * Separate file so the diff is reviewable as a unit and the existing
+ * FilesToolbar / FileEditor / FilesTab tests don't have to grow
+ * agent-home-specific cases. Once Phase 2b lands, the read-only +
+ * 501-stub assertions here can be tightened (or moved into the main
+ * test file as the agent-home root becomes a first-class affordance).
+ */
+import React from "react";
+import { render, screen, cleanup } from "@testing-library/react";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+import { FilesToolbar } from "../FilesToolbar";
+import {
+  FileEditor,
+  SECRET_SHAPE_DENIED_MARKER,
+} from "../FileEditor";
+
+afterEach(cleanup);
+
+describe("internal#425 Phase 3 — /agent-home root selector", () => {
+  it("dropdown includes /agent-home as an option", () => {
+    // Pins the affordance is in the DOM even pre-Phase-2b — the
+    // canvas design freezes today, the backend lands the dispatch
+    // later. Without this, a future refactor that drops the option
+    // would silently regress the RFC's Phase 1 contract (canvas
+    // visibility) without breaking any other test.
+    render(
+      <FilesToolbar
+        root="/configs"
+        setRoot={vi.fn()}
+        fileCount={0}
+        onNewFile={vi.fn()}
+        onUpload={vi.fn()}
+        onDownloadAll={vi.fn()}
+        onClearAll={vi.fn()}
+        onRefresh={vi.fn()}
+      />,
+    );
+    const select = screen.getByRole("combobox", {
+      name: /file root directory/i,
+    }) as HTMLSelectElement;
+    const values = Array.from(select.options).map((o) => o.value);
+    expect(values).toContain("/agent-home");
+  });
+
+  it("dropdown shows /agent-home as the SELECTED root when prop is /agent-home", () => {
+    render(
+      <FilesToolbar
+        root="/agent-home"
+        setRoot={vi.fn()}
+        fileCount={0}
+        onNewFile={vi.fn()}
+        onUpload={vi.fn()}
+        onDownloadAll={vi.fn()}
+        onClearAll={vi.fn()}
+        onRefresh={vi.fn()}
+      />,
+    );
+    const select = screen.getByRole("combobox", {
+      name: /file root directory/i,
+    }) as HTMLSelectElement;
+    expect(select.value).toBe("/agent-home");
+  });
+});
+
+describe("internal#425 Phase 3 — secret-shape denial placeholder", () => {
+  // Files API Phase 2b returns SECRET_SHAPE_DENIED_MARKER as the file
+  // body when the file's path or content matched a credential regex.
+  // The editor MUST render the marker as a placeholder, not pump it
+  // through the textarea — that would put the marker (and any future
+  // matched bytes if the backend contract changes) into the DOM
+  // value, clipboard, and inspector.
+
+  it("renders the denial placeholder INSTEAD of the textarea when fileContent is the marker", () => {
+    render(
+      <FileEditor
+        selectedFile="agent/.openclaw/secrets.env"
+        fileContent={SECRET_SHAPE_DENIED_MARKER}
+        editContent={SECRET_SHAPE_DENIED_MARKER}
+        setEditContent={vi.fn()}
+        loadingFile={false}
+        saving={false}
+        success={null}
+        root="/agent-home"
+        onSave={vi.fn()}
+        onDownload={vi.fn()}
+      />,
+    );
+    // Placeholder region present
+    expect(
+      screen.getByRole("region", { name: /file content denied/i }),
+    ).toBeTruthy();
+    // Marker text visible (so a debugging operator sees the canonical
+    // contract string without having to dig into the source).
+    expect(screen.getByText(SECRET_SHAPE_DENIED_MARKER)).toBeTruthy();
+    // Critically: NO textarea — the bytes never reach a controlled
+    // input. A regression that re-introduces the textarea path would
+    // make the matched marker (and any future content) selectable +
+    // copyable.
+    expect(screen.queryByRole("textbox")).toBeNull();
+  });
+
+  it("renders the textarea normally when fileContent is regular content", () => {
+    render(
+      <FileEditor
+        selectedFile="config.yaml"
+        fileContent="name: openclaw\n"
+        editContent="name: openclaw\n"
+        setEditContent={vi.fn()}
+        loadingFile={false}
+        saving={false}
+        success={null}
+        root="/configs"
+        onSave={vi.fn()}
+        onDownload={vi.fn()}
+      />,
+    );
+    expect(screen.getByRole("textbox")).toBeTruthy();
+    expect(screen.queryByRole("region", { name: /file content denied/i }))
+      .toBeNull();
+  });
+
+  it("/agent-home renders textarea READ-ONLY for non-denied content", () => {
+    // Phase 2b ships read + delete on /agent-home; write semantics
+    // are decided later. Until then, the canvas presents the editor
+    // as read-only so a user can't type into a buffer that the
+    // backend will refuse to PUT. Without this gate, the user would
+    // edit, hit Save, get a 501, and lose their context for why.
+    render(
+      <FileEditor
+        selectedFile=".openclaw/agent-card.json"
+        fileContent='{"name":"openclaw"}'
+        editContent='{"name":"openclaw"}'
+        setEditContent={vi.fn()}
+        loadingFile={false}
+        saving={false}
+        success={null}
+        root="/agent-home"
+        onSave={vi.fn()}
+        onDownload={vi.fn()}
+      />,
+    );
+    const textarea = screen.getByRole("textbox") as HTMLTextAreaElement;
+    expect(textarea.readOnly).toBe(true);
+  });
+
+  it("/configs renders textarea WRITABLE (regression guard for the read-only gate)", () => {
+    render(
+      <FileEditor
+        selectedFile="config.yaml"
+        fileContent="name: x\n"
+        editContent="name: x\n"
+        setEditContent={vi.fn()}
+        loadingFile={false}
+        saving={false}
+        success={null}
+        root="/configs"
+        onSave={vi.fn()}
+        onDownload={vi.fn()}
+      />,
+    );
+    const textarea = screen.getByRole("textbox") as HTMLTextAreaElement;
+    expect(textarea.readOnly).toBe(false);
+  });
+});
+
+describe("internal#425 Phase 3 — marker constant is the canonical string", () => {
+  // The marker string is part of the canvas <-> workspace-server
+  // contract. The workspace-server emits this exact body; the canvas
+  // detects it by exact-equality. A typo on either side would
+  // silently break detection — the canvas would render the literal
+  // string in the textarea instead of the placeholder. Pin the
+  // contract value here.
+  it("matches the contract value '<denied: secret-shape>'", () => {
+    expect(SECRET_SHAPE_DENIED_MARKER).toBe("<denied: secret-shape>");
+  });
+});
@@ -194,7 +194,7 @@ export function ScheduleTab({ workspaceId }: Props) {
        </span>
        <button
          onClick={() => { resetForm(); setShowForm(true); }}
-          className="text-[11px] px-2 py-0.5 bg-accent-strong/20 text-accent rounded hover:bg-accent-strong/30 transition-colors"
+          className="text-[11px] px-2 py-0.5 bg-accent-strong/20 text-accent rounded hover:bg-accent-strong/30 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
        >
          + Add Schedule
        </button>
@@ -275,7 +275,7 @@ export function ScheduleTab({ workspaceId }: Props) {
              Enabled
            </label>
          </div>
-          {error && <div className="text-[10px] text-bad">{error}</div>}
+          {error && <div role="alert" aria-live="assertive" className="text-[10px] text-bad">{error}</div>}
          <div className="flex gap-2">
            <button
              type="button"
@@ -339,7 +339,7 @@ export function ScheduleTab({ workspaceId }: Props) {
                          ? "Last run OK — click to disable"
                          : "Never run — click to enable"
                      }
-                      className={`w-2 h-2 rounded-full flex-shrink-0 ${
+                      className={`w-2 h-2 rounded-full flex-shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900 ${
                        sched.last_status === "error"
                          ? "bg-red-400"
                          : sched.last_status === "ok"
@@ -376,7 +376,7 @@ export function ScheduleTab({ workspaceId }: Props) {
                  <button
                    onClick={() => handleRunNow(sched)}
                    aria-label={`Run schedule ${sched.name} now`}
-                    className="text-[11px] px-1.5 py-0.5 text-accent hover:bg-accent-strong/20 rounded transition-colors"
+                    className="text-[11px] px-1.5 py-0.5 text-accent hover:bg-accent-strong/20 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
                    title="Run now"
                  >
                    ▶
@@ -384,7 +384,7 @@ export function ScheduleTab({ workspaceId }: Props) {
                  <button
                    onClick={() => handleEdit(sched)}
                    aria-label={`Edit schedule ${sched.name}`}
-                    className="text-[11px] px-1.5 py-0.5 text-ink-mid hover:bg-surface-card rounded transition-colors"
+                    className="text-[11px] px-1.5 py-0.5 text-ink-mid hover:bg-surface-card rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
                    title="Edit"
                  >
                    ✎
@@ -392,7 +392,7 @@ export function ScheduleTab({ workspaceId }: Props) {
                  <button
                    onClick={() => setPendingDelete({ id: sched.id, name: sched.name })}
                    aria-label={`Delete schedule ${sched.name}`}
-                    className="text-[11px] px-1.5 py-0.5 text-bad hover:bg-red-600/20 rounded transition-colors"
+                    className="text-[11px] px-1.5 py-0.5 text-bad hover:bg-red-600/20 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-400 focus-visible:ring-offset-1 focus-visible:ring-offset-zinc-900"
                    title="Delete"
                  >
                    ✕
@@ -67,7 +67,7 @@ export function TracesTab({ workspaceId }: Props) {
      </div>

      {error && (
-        <div className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
+        <div role="alert" aria-live="assertive" className="px-3 py-1.5 bg-red-900/30 border border-red-800 rounded text-xs text-bad">
          {error}
        </div>
      )}
@@ -0,0 +1,99 @@
+// @vitest-environment jsdom
+//
+// Pins internal#212 — the chat error banner must:
+//
+//   1. Render the secret-safe failure reason (e.g. the provider's own
+//      "403 oauth_org_not_allowed: ..." string), NOT the opaque
+//      hardcoded "Agent error (Exception) — see workspace logs for
+//      details." that points at a workspace-logs tab that doesn't
+//      exist.
+//
+//   2. Offer a working "View activity log" affordance that navigates
+//      the user to the Activity tab where the full row lives.
+//
+// Tested at the banner-component seam (ChatErrorBanner). The
+// hook-level path is pinned separately by
+// chat/hooks/__tests__/useChatSocket.test.tsx — together they cover
+// wire-payload → callback → render without each test needing to drive
+// the full ChatTab send-state machinery.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, fireEvent } from "@testing-library/react";
+
+afterEach(cleanup);
+
+const mocks = vi.hoisted(() => ({
+  setPanelTabMock: vi.fn(),
+}));
+
+vi.mock("@/store/canvas", () => {
+  const state = {
+    setPanelTab: mocks.setPanelTabMock,
+    panelTab: "chat",
+  };
+  const hook = (selector?: (s: typeof state) => unknown) =>
+    selector ? selector(state) : state;
+  hook.getState = () => state;
+  return { useCanvasStore: hook };
+});
+
+beforeEach(() => {
+  mocks.setPanelTabMock.mockClear();
+});
+
+import { ChatErrorBanner } from "../chat/ChatErrorBanner";
+
+describe("ChatErrorBanner — surfaces actionable reason (internal#212)", () => {
+  it("renders the secret-safe failure reason verbatim, not a hardcoded opaque message", () => {
+    const reason =
+      "Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code — use an Anthropic API key or ask your admin to enable access.";
+    render(<ChatErrorBanner message={reason} isOnline={true} onRestart={() => {}} />);
+    expect(screen.getByText(/oauth_org_not_allowed/i)).toBeDefined();
+    expect(screen.getByText(/disabled Claude subscription access/i)).toBeDefined();
+    // The legacy boilerplate must NOT leak through when a real reason
+    // is provided.
+    expect(screen.queryByText(/see workspace logs for details/i)).toBeNull();
+  });
+
+  it("falls back to the message when it IS the legacy boilerplate (older ws-server)", () => {
+    // Graceful degradation: an older ws-server passes through the
+    // hardcoded text; the banner still renders SOMETHING — never
+    // silently swallow.
+    render(
+      <ChatErrorBanner
+        message="Agent error (Exception) — see workspace logs for details."
+        isOnline={true}
+        onRestart={() => {}}
+      />,
+    );
+    expect(
+      screen.getByText(/Agent error \(Exception\) — see workspace logs for details\./),
+    ).toBeDefined();
+  });
+
+  it("offers a 'View activity log' button that calls setPanelTab('activity')", () => {
+    render(
+      <ChatErrorBanner message="kimi 401 invalid_api_key" isOnline={true} onRestart={() => {}} />,
+    );
+    const btn = screen.getByRole("button", { name: /view activity log/i });
+    fireEvent.click(btn);
+    expect(mocks.setPanelTabMock).toHaveBeenCalledWith("activity");
+  });
+
+  it("still shows the Restart button when offline (existing behavior preserved)", () => {
+    const onRestart = vi.fn();
+    render(
+      <ChatErrorBanner message="Agent is offline" isOnline={false} onRestart={onRestart} />,
+    );
+    const btn = screen.getByRole("button", { name: /^restart$/i });
+    fireEvent.click(btn);
+    expect(onRestart).toHaveBeenCalledTimes(1);
+  });
+
+  it("renders nothing when message is null", () => {
+    const { container } = render(
+      <ChatErrorBanner message={null} isOnline={true} onRestart={() => {}} />,
+    );
+    expect(container.textContent).toBe("");
+  });
+});
@@ -0,0 +1,165 @@
+// @vitest-environment jsdom
+//
+// Tests for the always-visible "Agent Abilities" section added to ConfigTab
+// (internal#510 broadcast_enabled, internal#511 talk_to_user_enabled; backend
+// wired in commit 29b4bffb).
+//
+// Problem this pins: the two workspace ability flags had complete wired
+// backends but NO canvas control — broadcast had none at all, talk-to-user
+// only surfaced as a ChatTab recovery banner that is invisible under its
+// TRUE default. The CTO could not see or toggle either from canvas.
+//
+// What this suite pins:
+//   1. An "Agent Abilities" section renders (always visible, not gated).
+//   2. Both toggles render and reflect the store node's ability fields,
+//      including the asymmetric defaults (broadcast FALSE, talk TRUE).
+//   3. Toggling a switch calls PATCH /workspaces/:id/abilities with the
+//      correct snake_case body and optimistically updates the store.
+
+import { describe, it, expect, vi, afterEach, beforeEach } from "vitest";
+import { render, screen, cleanup, waitFor, fireEvent } from "@testing-library/react";
+import React from "react";
+
+afterEach(cleanup);
+
+const apiGet = vi.fn();
+const apiPatch = vi.fn();
+vi.mock("@/lib/api", () => ({
+  api: {
+    get: (path: string) => apiGet(path),
+    patch: (path: string, body?: unknown) => apiPatch(path, body),
+    put: vi.fn(),
+    post: vi.fn(),
+    del: vi.fn(),
+  },
+}));
+
+// Store node carries the ability flags hydrated by the platform stream
+// (canvas-topology.ts maps broadcast_enabled/talk_to_user_enabled onto
+// node.data). Mirror that shape so the section reads real values.
+const storeUpdateNodeData = vi.fn();
+const storeRestartWorkspace = vi.fn();
+let nodeData: { broadcastEnabled?: boolean; talkToUserEnabled?: boolean } = {};
+const makeState = () => ({
+  nodes: [{ id: "ws-test", data: nodeData }],
+  restartWorkspace: storeRestartWorkspace,
+  updateNodeData: storeUpdateNodeData,
+});
+vi.mock("@/store/canvas", () => ({
+  useCanvasStore: Object.assign(
+    (selector: (s: unknown) => unknown) => selector(makeState()),
+    { getState: () => makeState() },
+  ),
+}));
+
+vi.mock("../AgentCardSection", () => ({
+  AgentCardSection: () => <div data-testid="agent-card-stub" />,
+}));
+
+import { ConfigTab } from "../ConfigTab";
+
+beforeEach(() => {
+  apiGet.mockReset();
+  apiPatch.mockReset();
+  apiPatch.mockResolvedValue({ status: "updated" });
+  storeUpdateNodeData.mockReset();
+  apiGet.mockImplementation((path: string) => {
+    if (path === `/workspaces/ws-test`) {
+      return Promise.resolve({ runtime: "claude-code" });
+    }
+    if (path === `/workspaces/ws-test/model`) {
+      return Promise.resolve({ model: "claude-opus-4-7" });
+    }
+    if (path === `/workspaces/ws-test/provider`) {
+      return Promise.resolve({ provider: "anthropic-oauth", source: "default" });
+    }
+    if (path === `/workspaces/ws-test/files/config.yaml`) {
+      return Promise.resolve({ content: "name: test\nruntime: claude-code\n" });
+    }
+    if (path === "/templates") {
+      return Promise.resolve([
+        { id: "claude-code", name: "Claude Code", runtime: "claude-code", providers: [] },
+      ]);
+    }
+    return Promise.reject(new Error(`unmocked api.get: ${path}`));
+  });
+});
+
+describe("ConfigTab Agent Abilities section", () => {
+  it("renders an always-visible 'Agent Abilities' section with both toggles", async () => {
+    nodeData = {}; // unset → defaults
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    expect(
+      await screen.findByRole("button", { name: /Agent Abilities/i }),
+    ).toBeTruthy();
+    expect(screen.getByText("Talk to user")).toBeTruthy();
+    expect(screen.getByText("Broadcast to peers")).toBeTruthy();
+  });
+
+  it("reflects the asymmetric defaults: talk-to-user ON, broadcast OFF", async () => {
+    nodeData = {}; // unset → backend defaults
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    const broadcast = screen
+      .getByText("Broadcast to peers")
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    expect(talk.checked).toBe(true);
+    expect(broadcast.checked).toBe(false);
+  });
+
+  it("reflects explicit store values", async () => {
+    nodeData = { broadcastEnabled: true, talkToUserEnabled: false };
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    const broadcast = screen
+      .getByText("Broadcast to peers")
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    expect(talk.checked).toBe(false);
+    expect(broadcast.checked).toBe(true);
+  });
+
+  it("PATCHes /abilities with talk_to_user_enabled and optimistically updates the store", async () => {
+    nodeData = {}; // talk defaults true
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const talk = (await screen.findByText("Talk to user"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    fireEvent.click(talk); // true → false
+    await waitFor(() =>
+      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
+        talk_to_user_enabled: false,
+      }),
+    );
+    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
+      talkToUserEnabled: false,
+    });
+  });
+
+  it("PATCHes /abilities with broadcast_enabled when the broadcast toggle is flipped", async () => {
+    nodeData = {}; // broadcast defaults false
+    render(<ConfigTab workspaceId="ws-test" />);
+    await waitFor(() => expect(apiGet).toHaveBeenCalled());
+    const broadcast = (await screen.findByText("Broadcast to peers"))
+      .closest("label")!
+      .querySelector("input") as HTMLInputElement;
+    fireEvent.click(broadcast); // false → true
+    await waitFor(() =>
+      expect(apiPatch).toHaveBeenCalledWith("/workspaces/ws-test/abilities", {
+        broadcast_enabled: true,
+      }),
+    );
+    expect(storeUpdateNodeData).toHaveBeenCalledWith("ws-test", {
+      broadcastEnabled: true,
+    });
+  });
+});
@@ -405,7 +405,7 @@ export function AgentCommsPanel({ workspaceId }: { workspaceId: string }) {
        </p>
        <button
          onClick={loadInitial}
-          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors"
+          className="text-[10px] px-2 py-0.5 rounded bg-red-800/40 text-bad hover:bg-red-700/50 transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-red-500/60 focus-visible:ring-offset-1"
        >
          Retry
        </button>
@@ -610,7 +610,7 @@ function PeerTabButton({
      aria-selected={active}
      tabIndex={active ? 0 : -1}
      onClick={onClick}
-      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap ${
+      className={`shrink-0 px-3 py-1.5 text-[10px] font-medium transition-colors whitespace-nowrap focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-cyan-500/60 focus-visible:ring-offset-1 ${
        active
          ? "border-b-2 border-cyan-500 text-cyan-200"
          : "border-b-2 border-transparent text-ink-mid hover:text-ink-mid"
@@ -33,7 +33,7 @@ export function PendingAttachmentPill({
      <button
        onClick={onRemove}
        aria-label={`Remove ${file.name}`}
-        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0"
+        className="ml-0.5 text-ink-mid hover:text-ink transition-colors shrink-0 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1"
      >
        <svg width="10" height="10" viewBox="0 0 16 16" fill="none" aria-hidden="true">
          <path d="M4 4l8 8M12 4l-8 8" stroke="currentColor" strokeWidth="1.6" strokeLinecap="round" />
@@ -62,8 +62,9 @@ export function AttachmentChip({
  return (
    <button
      onClick={() => onDownload(attachment)}
+      aria-label={`Download ${attachment.name}`}
      title={`Download ${attachment.name}`}
-      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full ${toneClasses}`}
+      className={`flex items-center gap-1.5 rounded-md border px-2 py-1 text-[10px] transition-colors max-w-full focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/60 focus-visible:ring-offset-1 ${toneClasses}`}
    >
      <FileGlyph className="shrink-0 opacity-70" />
      <span className="truncate">{attachment.name}</span>
@@ -0,0 +1,85 @@
+"use client";
+
+/**
+ * ChatErrorBanner — error-state banner rendered under the chat
+ * message list when an agent turn fails or the workspace is offline.
+ *
+ * internal#212 closes the "see workspace logs for details" pointer-to-
+ * nowhere defect:
+ *
+ *   - The banner now renders the actionable, secret-safe failure
+ *     reason that ws-server places on `ACTIVITY_LOGGED.error_detail`
+ *     (provider HTTP status + error code + provider's own human
+ *     message). The hook (`useChatSocket`) forwards this through
+ *     `onSendError`, which the ChatTab routes into this banner's
+ *     `message` prop. No hardcoded opaque text in this component.
+ *
+ *   - A "View activity log" button navigates the user to the Activity
+ *     tab where the full row (request body, response body, timing,
+ *     full error_detail) lives. Until internal#212, the banner
+ *     mentioned "workspace logs" with no link — there is no separate
+ *     Logs tab in the side panel; the Activity tab IS the workspace-
+ *     logs surface. Routing through the existing tab makes the
+ *     reference real instead of dangling.
+ *
+ *   - The existing Restart button (shown only when the workspace is
+ *     offline) is preserved unchanged so the recovery affordance the
+ *     old banner offered does not regress.
+ *
+ * Pure presentational — no socket subscription, no state machine. Easy
+ * to unit-test in isolation and easy to compose into the ChatTab.
+ */
+
+import { useCanvasStore } from "@/store/canvas";
+
+export interface ChatErrorBannerProps {
+  /** The user-visible reason. Pass `null` to render nothing. */
+  message: string | null;
+  /** Workspace reachable state — gates the Restart affordance. */
+  isOnline: boolean;
+  /** Fires when the user clicks Restart (offline-only). */
+  onRestart: () => void;
+}
+
+export function ChatErrorBanner({ message, isOnline, onRestart }: ChatErrorBannerProps) {
+  // Pulled from the global store rather than threaded through props so
+  // the chat tab does not need to know about the side-panel tab state.
+  // Matches how Toolbar.tsx triggers the audit tab (the existing
+  // precedent for cross-tab navigation).
+  const setPanelTab = useCanvasStore((s) => s.setPanelTab);
+
+  if (!message) return null;
+
+  return (
+    <div
+      // role="alert" + aria-live mirrors the project's existing WCAG
+      // 4.1.3 banner pattern (see fix/canvas-errors-aria-alert) — a
+      // screen reader announces the failure as soon as it lands.
+      role="alert"
+      aria-live="assertive"
+      className="px-3 py-2 bg-red-900/20 border-t border-red-800/30"
+    >
+      <div className="flex items-center justify-between gap-2">
+        <span className="text-[10px] text-red-300 break-words flex-1">{message}</span>
+        <div className="flex items-center gap-1.5 shrink-0">
+          <button
+            type="button"
+            onClick={() => setPanelTab("activity")}
+            className="text-[10px] px-2 py-0.5 bg-red-900/40 hover:bg-red-800/60 border border-red-700/40 text-red-200 rounded transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent focus-visible:ring-offset-1"
+          >
+            View activity log
+          </button>
+          {!isOnline && (
+            <button
+              type="button"
+              onClick={onRestart}
+              className="text-[11px] px-2 py-0.5 bg-red-800 text-red-200 rounded hover:bg-red-700"
+            >
+              Restart
+            </button>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,140 @@
+// @vitest-environment jsdom
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { renderHook, act } from "@testing-library/react";
+
+// Capture the handler so we can drive WS events from tests. useSocketEvent
+// stores the latest handler in a ref under the hood, but since we mock
+// the hook entirely, just remember the last passed-in handler.
+let capturedHandler: ((msg: unknown) => void) | null = null;
+vi.mock("@/hooks/useSocketEvent", () => ({
+  useSocketEvent: (h: (msg: unknown) => void) => {
+    capturedHandler = h;
+  },
+}));
+
+// Canvas store mock — useChatSocket calls
+// useCanvasStore.getState().nodes for peer name resolution and reads
+// agentMessages via the selector form. Support both.
+vi.mock("@/store/canvas", () => {
+  const state = {
+    nodes: [
+      { id: "ws-self", data: { name: "Self" } },
+      { id: "ws-peer", data: { name: "Peer Agent" } },
+    ],
+    agentMessages: {} as Record<string, unknown[]>,
+    consumeAgentMessages: () => [],
+  };
+  const hook = (selector?: (s: typeof state) => unknown) =>
+    selector ? selector(state) : state;
+  hook.getState = () => state;
+  return { useCanvasStore: hook };
+});
+
+import { useChatSocket } from "../useChatSocket";
+
+beforeEach(() => {
+  capturedHandler = null;
+});
+
+afterEach(() => {
+  vi.clearAllMocks();
+});
+
+// Helper: assemble an ACTIVITY_LOGGED a2a_receive error event the way
+// the ws-server emits one when a peer call errors out. Fields mirror
+// workspace-server/internal/handlers/activity.go::logActivityExec
+// broadcast payload shape.
+function makeActivityErrorEvent(opts: { workspaceId: string; targetId?: string; errorDetail?: string | undefined }) {
+  return {
+    event: "ACTIVITY_LOGGED",
+    workspace_id: opts.workspaceId,
+    payload: {
+      activity_type: "a2a_receive",
+      method: "message/send",
+      status: "error",
+      target_id: opts.targetId ?? opts.workspaceId,
+      duration_ms: 1500,
+      ...(opts.errorDetail !== undefined ? { error_detail: opts.errorDetail } : {}),
+    },
+    timestamp: "2026-05-18T00:00:00Z",
+  };
+}
+
+describe("useChatSocket — surface error_detail to onSendError (internal#212)", () => {
+  it("forwards the secret-safe error_detail from the broadcast as the onSendError reason", () => {
+    const onSendError = vi.fn();
+    const onSendComplete = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+        onSendComplete,
+      }),
+    );
+
+    expect(capturedHandler).not.toBeNull();
+    act(() => {
+      capturedHandler!(
+        makeActivityErrorEvent({
+          workspaceId: "ws-self",
+          errorDetail:
+            "Anthropic 403 oauth_org_not_allowed: Your organization has disabled Claude subscription access for Claude Code",
+        }),
+      );
+    });
+
+    // The hook must NOT fall back to the opaque hardcoded
+    // "Agent error (Exception) — see workspace logs for details." —
+    // that was internal#212. When the broadcast carries an
+    // error_detail, that string is the user-facing reason.
+    expect(onSendError).toHaveBeenCalledTimes(1);
+    const reason = onSendError.mock.calls[0][0] as string;
+    expect(reason).toContain("403");
+    expect(reason).toContain("oauth_org_not_allowed");
+    expect(reason).toContain("disabled Claude subscription");
+    expect(reason).not.toMatch(/see workspace logs for details/i);
+  });
+
+  it("gracefully degrades to the legacy opaque message when error_detail is absent (older ws-server)", () => {
+    // An older ws-server doesn't include error_detail in the payload.
+    // The hook must still fire onSendError with the legacy hardcoded
+    // text so the chat banner has SOMETHING to show. The fix is
+    // additive — never depend on the new field's presence.
+    const onSendError = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+      }),
+    );
+
+    act(() => {
+      capturedHandler!(makeActivityErrorEvent({ workspaceId: "ws-self" }));
+    });
+
+    expect(onSendError).toHaveBeenCalledTimes(1);
+    const reason = onSendError.mock.calls[0][0] as string;
+    // Legacy boilerplate is the floor — never silently swallow.
+    expect(reason.length).toBeGreaterThan(0);
+  });
+
+  it("ignores errors targeted at a different workspace's peer", () => {
+    // Defense against a race where the WS hub fans out to all clients —
+    // each chat panel must only react when target_id matches its own
+    // workspace.
+    const onSendError = vi.fn();
+    renderHook(() =>
+      useChatSocket("ws-self", {
+        onSendError,
+      }),
+    );
+    act(() => {
+      capturedHandler!(
+        makeActivityErrorEvent({
+          workspaceId: "ws-self",
+          targetId: "ws-someone-else",
+          errorDetail: "irrelevant",
+        }),
+      );
+    });
+    expect(onSendError).not.toHaveBeenCalled();
+  });
+});
@@ -0,0 +1,3 @@
+export { useChatHistory } from "./useChatHistory";
+export { useChatSend } from "./useChatSend";
+export { useChatSocket } from "./useChatSocket";
@@ -0,0 +1,11 @@
+"use client";
+
+import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
+
+/** Resolve a workspace ID to its human-readable name.
+ *  Falls back to the first 8 chars of the ID. */
+export function resolveWorkspaceName(id: string): string {
+  const nodes = useCanvasStore.getState().nodes;
+  const node = nodes.find((n) => n.id === id);
+  return (node?.data as WorkspaceNodeData)?.name || id.slice(0, 8);
+}
@@ -0,0 +1,134 @@
+"use client";
+
+import { useCallback, useEffect, useRef, useState } from "react";
+import { api } from "@/lib/api";
+import { type ChatMessage, appendMessageDeduped as appendMessageDedupedFn } from "../types";
+
+const INITIAL_HISTORY_LIMIT = 10;
+const OLDER_HISTORY_BATCH = 20;
+
+async function loadMessagesFromDB(
+  workspaceId: string,
+  limit: number,
+  beforeTs?: string,
+): Promise<{ messages: ChatMessage[]; error: string | null; reachedEnd: boolean }> {
+  try {
+    const params = new URLSearchParams({ limit: String(limit) });
+    if (beforeTs) params.set("before_ts", beforeTs);
+    const resp = await api.get<{ messages: ChatMessage[]; reached_end: boolean }>(
+      `/workspaces/${workspaceId}/chat-history?${params.toString()}`,
+    );
+    return {
+      messages: resp.messages ?? [],
+      error: null,
+      reachedEnd: resp.reached_end,
+    };
+  } catch (err) {
+    return {
+      messages: [],
+      error: err instanceof Error ? err.message : "Failed to load chat history",
+      reachedEnd: true,
+    };
+  }
+}
+
+export interface ScrollAnchor {
+  savedDistanceFromBottom: number;
+  expectFirstIdNotEqual: string | null;
+}
+
+export function useChatHistory(
+  workspaceId: string,
+  containerRef?: React.RefObject<HTMLDivElement | null>,
+) {
+  const [messages, setMessages] = useState<ChatMessage[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [loadError, setLoadError] = useState<string | null>(null);
+  const [loadingOlder, setLoadingOlder] = useState(false);
+  const [hasMore, setHasMore] = useState(true);
+
+  const fetchTokenRef = useRef(0);
+  const oldestMessageRef = useRef<ChatMessage | null>(null);
+  const hasMoreRef = useRef(true);
+  const inflightRef = useRef(false);
+  const scrollAnchorRef = useRef<ScrollAnchor | null>(null);
+
+  useEffect(() => {
+    oldestMessageRef.current = messages[0] ?? null;
+  }, [messages]);
+
+  useEffect(() => {
+    hasMoreRef.current = hasMore;
+  }, [hasMore]);
+
+  const loadInitial = useCallback(() => {
+    setLoading(true);
+    setLoadError(null);
+    setHasMore(true);
+    fetchTokenRef.current += 1;
+    const myToken = fetchTokenRef.current;
+    return loadMessagesFromDB(workspaceId, INITIAL_HISTORY_LIMIT).then(
+      ({ messages: msgs, error: fetchErr, reachedEnd }) => {
+        if (fetchTokenRef.current !== myToken) return;
+        setMessages(msgs);
+        setLoadError(fetchErr);
+        setHasMore(!reachedEnd);
+        setLoading(false);
+      },
+    );
+  }, [workspaceId]);
+
+  useEffect(() => {
+    loadInitial();
+  }, [loadInitial]);
+
+  const loadOlder = useCallback(async () => {
+    if (inflightRef.current || !hasMoreRef.current) return;
+    const oldest = oldestMessageRef.current;
+    if (!oldest) return;
+    const container = containerRef?.current;
+    if (!container) return;
+    inflightRef.current = true;
+    scrollAnchorRef.current = {
+      savedDistanceFromBottom: container.scrollHeight - container.scrollTop,
+      expectFirstIdNotEqual: oldest.id,
+    };
+    fetchTokenRef.current += 1;
+    const myToken = fetchTokenRef.current;
+    setLoadingOlder(true);
+    try {
+      const { messages: older, reachedEnd } = await loadMessagesFromDB(
+        workspaceId,
+        OLDER_HISTORY_BATCH,
+        oldest.timestamp,
+      );
+      if (fetchTokenRef.current !== myToken) {
+        scrollAnchorRef.current = null;
+        return;
+      }
+      if (older.length > 0) {
+        setMessages((prev) => [...older, ...prev]);
+      } else {
+        scrollAnchorRef.current = null;
+      }
+      setHasMore(!reachedEnd);
+    } finally {
+      setLoadingOlder(false);
+      inflightRef.current = false;
+    }
+  }, [workspaceId, containerRef]);
+
+  return {
+    messages,
+    loading,
+    loadError,
+    loadingOlder,
+    hasMore,
+    loadInitial,
+    loadOlder,
+    appendMessageDeduped: (msg: ChatMessage) =>
+      setMessages((prev) => appendMessageDedupedFn(prev, msg)),
+    setMessages,
+    scrollAnchorRef,
+  };
+}
@@ -0,0 +1,182 @@
+"use client";
+
+import { useCallback, useRef, useState } from "react";
+import { api } from "@/lib/api";
+import { uploadChatFiles } from "../uploads";
+import { createMessage, type ChatMessage, type ChatAttachment } from "../types";
+import { extractFilesFromTask } from "../message-parser";
+
+interface A2APart {
+  kind: string;
+  text?: string;
+  file?: {
+    name?: string;
+    mimeType?: string;
+    uri?: string;
+    size?: number;
+  };
+}
+
+interface A2AResponse {
+  result?: {
+    parts?: A2APart[];
+    artifacts?: Array<{ parts: A2APart[] }>;
+  };
+}
+
+export function extractReplyText(resp: A2AResponse): string {
+  const collect = (parts: A2APart[] | undefined): string => {
+    if (!parts) return "";
+    return parts
+      .filter((p) => p.kind === "text")
+      .map((p) => p.text ?? "")
+      .filter(Boolean)
+      .join("\n");
+  };
+  const result = resp?.result;
+  const collected: string[] = [];
+  const fromParts = collect(result?.parts);
+  if (fromParts) collected.push(fromParts);
+  if (result?.artifacts) {
+    for (const a of result.artifacts) {
+      const t = collect(a.parts);
+      if (t) collected.push(t);
+    }
+  }
+  return collected.join("\n");
+}
+
+export interface UseChatSendOptions {
+  getHistoryMessages: () => ChatMessage[];
+  onUserMessage?: (msg: ChatMessage) => void;
+  onAgentMessage?: (msg: ChatMessage) => void;
+}
+
+export function useChatSend(workspaceId: string, options: UseChatSendOptions) {
+  const [sending, setSending] = useState(false);
+  const [uploading, setUploading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const sendInFlightRef = useRef(false);
+  const sendingFromAPIRef = useRef(false);
+  const sendTokenRef = useRef(0);
+  const optionsRef = useRef(options);
+  optionsRef.current = options;
+
+  const releaseSendGuards = useCallback(() => {
+    setSending(false);
+    sendingFromAPIRef.current = false;
+    sendInFlightRef.current = false;
+  }, []);
+
+  const clearError = useCallback(() => setError(null), []);
+
+  const sendMessage = useCallback(
+    async (text: string, files: File[] = []) => {
+      const trimmed = text.trim();
+      if ((!trimmed && files.length === 0) || sending || uploading) return;
+      if (sendInFlightRef.current) return;
+      sendInFlightRef.current = true;
+
+      let uploaded: ChatAttachment[] = [];
+      if (files.length > 0) {
+        setUploading(true);
+        try {
+          uploaded = await uploadChatFiles(workspaceId, files);
+        } catch (e) {
+          setUploading(false);
+          sendInFlightRef.current = false;
+          setError(
+            e instanceof Error ? `Upload failed: ${e.message}` : "Upload failed",
+          );
+          return;
+        }
+        setUploading(false);
+      }
+
+      const userMsg = createMessage("user", trimmed, uploaded);
+      optionsRef.current.onUserMessage?.(userMsg);
+
+      setSending(true);
+      sendingFromAPIRef.current = true;
+      setError(null);
+      const myToken = ++sendTokenRef.current;
+
+      const history = optionsRef.current
+        .getHistoryMessages()
+        .filter((m) => m.role === "user" || m.role === "agent")
+        .slice(-20)
+        .map((m) => ({
+          role: m.role === "user" ? "user" : "agent",
+          parts: [{ kind: "text", text: m.content }],
+        }));
+
+      const parts: A2APart[] = [];
+      if (trimmed) parts.push({ kind: "text", text: trimmed });
+      for (const att of uploaded) {
+        parts.push({
+          kind: "file",
+          file: {
+            name: att.name,
+            mimeType: att.mimeType,
+            uri: att.uri,
+            size: att.size,
+          },
+        });
+      }
+
+      api
+        .post<A2AResponse>(
+          `/workspaces/${workspaceId}/a2a`,
+          {
+            method: "message/send",
+            params: {
+              message: {
+                role: "user",
+                messageId: crypto.randomUUID(),
+                parts,
+              },
+              metadata: { history },
+            },
+          },
+          { timeoutMs: 120_000 },
+        )
+        .then((resp) => {
+          if (sendTokenRef.current !== myToken) return;
+          if (!sendingFromAPIRef.current) {
+            sendInFlightRef.current = false;
+            return;
+          }
+          const replyText = extractReplyText(resp);
+          const replyFiles = extractFilesFromTask(
+            (resp?.result ?? {}) as Record<string, unknown>,
+          );
+          if (replyText || replyFiles.length > 0) {
+            optionsRef.current.onAgentMessage?.(
+              createMessage("agent", replyText, replyFiles),
+            );
+          }
+          releaseSendGuards();
+        })
+        .catch(() => {
+          if (sendTokenRef.current !== myToken) return;
+          if (!sendingFromAPIRef.current) {
+            sendInFlightRef.current = false;
+            return;
+          }
+          releaseSendGuards();
+          setError("Failed to send message — agent may be unreachable");
+        });
+    },
+    [workspaceId, sending, uploading],
+  );
+
+  return {
+    sending,
+    uploading,
+    sendMessage,
+    error,
+    clearError,
+    releaseSendGuards,
+    sendingFromAPIRef,
+  };
+}
@@ -0,0 +1,114 @@
+"use client";
+
+import { useCallback, useEffect, useRef } from "react";
+import { useCanvasStore, type WorkspaceNodeData } from "@/store/canvas";
+import { useSocketEvent } from "@/hooks/useSocketEvent";
+import { createMessage, type ChatMessage } from "../types";
+
+export interface UseChatSocketCallbacks {
+  onAgentMessage?: (msg: ChatMessage) => void;
+  onActivityLog?: (entry: string) => void;
+  onSendComplete?: () => void;
+  onSendError?: (error: string) => void;
+}
+
+export function useChatSocket(
+  workspaceId: string,
+  callbacks: UseChatSocketCallbacks,
+): void {
+  const callbacksRef = useRef(callbacks);
+  callbacksRef.current = callbacks;
+
+  // Agent push messages from global store
+  const pendingAgentMsgs = useCanvasStore((s) => s.agentMessages[workspaceId]);
+  useEffect(() => {
+    if (!pendingAgentMsgs || pendingAgentMsgs.length === 0) return;
+    const consume = useCanvasStore.getState().consumeAgentMessages;
+    const msgs = consume(workspaceId);
+    for (const m of msgs) {
+      callbacksRef.current.onAgentMessage?.(
+        createMessage("agent", m.content, m.attachments),
+      );
+    }
+    if (msgs.length > 0) {
+      callbacksRef.current.onSendComplete?.();
+    }
+  }, [pendingAgentMsgs, workspaceId]);
+
+  const resolveWorkspaceName = useCallback((id: string) => {
+    const nodes = useCanvasStore.getState().nodes;
+    const node = nodes.find((n) => n.id === id);
+    return (node?.data as WorkspaceNodeData)?.name || id.slice(0, 8);
+  }, []);
+
+  useSocketEvent((msg) => {
+    try {
+      if (msg.event === "ACTIVITY_LOGGED") {
+        if (msg.workspace_id !== workspaceId) return;
+
+        const p = msg.payload || {};
+        const type = p.activity_type as string;
+        const method = (p.method as string) || "";
+        const status = (p.status as string) || "";
+        const targetId = (p.target_id as string) || "";
+        const durationMs = p.duration_ms as number | undefined;
+        const summary = (p.summary as string) || "";
+
+        let line = "";
+        if (type === "a2a_receive" && method === "message/send") {
+          const targetName = resolveWorkspaceName(targetId || msg.workspace_id);
+          if (status === "ok" && durationMs) {
+            const sec = Math.round(durationMs / 1000);
+            line = `← ${targetName} responded (${sec}s)`;
+            const own = (targetId || msg.workspace_id) === workspaceId;
+            if (own) callbacksRef.current.onSendComplete?.();
+          } else if (status === "error") {
+            line = `⚠ ${targetName} error`;
+            const own = (targetId || msg.workspace_id) === workspaceId;
+            if (own) {
+              callbacksRef.current.onSendComplete?.();
+              // internal#212 — surface the actionable, secret-safe
+              // failure reason (provider HTTP status + error code +
+              // human-readable message) the ws-server now puts on
+              // ACTIVITY_LOGGED.error_detail. The old hardcoded
+              // "Agent error (Exception) — see workspace logs for
+              // details." is the fallback only — it pointed at a
+              // workspace-logs tab that doesn't exist, telling the
+              // user nothing they could act on.
+              //
+              // Graceful degradation: older ws-server builds don't
+              // include error_detail, so the legacy boilerplate is
+              // still the floor (never silently swallow).
+              const detail = (p.error_detail as string) || "";
+              const reason = detail
+                ? detail
+                : "Agent error (Exception) — see workspace logs for details.";
+              callbacksRef.current.onSendError?.(reason);
+            }
+          }
+        } else if (type === "a2a_send") {
+          const targetName = resolveWorkspaceName(targetId);
+          line = `→ Delegating to ${targetName}...`;
+        } else if (type === "task_update") {
+          if (summary) line = `⟳ ${summary}`;
+        } else if (type === "agent_log") {
+          if (summary) line = summary;
+        }
+
+        if (line) {
+          callbacksRef.current.onActivityLog?.(line);
+        }
+      } else if (
+        msg.event === "TASK_UPDATED" &&
+        msg.workspace_id === workspaceId
+      ) {
+        const task = (msg.payload?.current_task as string) || "";
+        if (task) {
+          callbacksRef.current.onActivityLog?.(`⟳ ${task}`);
+        }
+      }
+    } catch {
+      /* ignore */
+    }
+  });
+}
@@ -1,2 +1,5 @@
 export { type ChatMessage, createMessage, appendMessageDeduped } from "./types";
 export { extractAgentText, extractTextsFromParts, extractResponseText } from "./message-parser";
+export { useChatHistory } from "./hooks/useChatHistory";
+export { useChatSend } from "./hooks/useChatSend";
+export { useChatSocket } from "./hooks/useChatSocket";
@@ -351,8 +351,10 @@ export function SecretsSection({ workspaceId, requiredEnv }: { workspaceId: stri
          {showAdd ? (
            <div className="bg-surface-card/50 rounded p-2 space-y-1.5 border border-line/50">
              <input value={newKey} onChange={(e) => setNewKey(e.target.value.toUpperCase())} placeholder="KEY_NAME"
+                aria-label="Secret key name"
                className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] font-mono text-ink focus:outline-none focus:border-accent" />
              <input value={newValue} onChange={(e) => setNewValue(e.target.value)} placeholder="Value" type="password"
+                aria-label="Secret value"
                className="w-full bg-surface-sunken border border-line rounded px-2 py-1 text-[10px] text-ink focus:outline-none focus:border-accent" />
              <div className="flex gap-2">
                <button type="button" onClick={() => { if (newKey && newValue) handleSave(newKey, newValue); }} disabled={!newKey || !newValue}
@@ -2,7 +2,7 @@

 import { useState, useCallback, useRef, useEffect } from 'react';
 import type { TestConnectionState, SecretGroup } from '@/types/secrets';
-import { validateSecret } from '@/lib/api/secrets';
+import { validateSecret, ApiError } from '@/lib/api/secrets';

 interface TestConnectionButtonProps {
  provider: SecretGroup;
@@ -55,9 +55,23 @@ export function TestConnectionButton({
      }
      onResult?.(result.valid);
      resetTimerRef.current = setTimeout(() => setState('idle'), RESET_DELAYS[nextState]!);
-    } catch {
+    } catch (err) {
+      // Distinguish a real failure shape rather than always claiming a
+      // timeout. A reachable server that answered with an HTTP status
+      // (ApiError) did NOT time out — most commonly the validation route
+      // is not available (404/501), which must not masquerade as
+      // "service down". Only an actual thrown network/abort error is a
+      // connectivity failure.
      setState('failure');
-      setErrorDetail('Connection timed out. Service may be down.');
+      if (err instanceof ApiError) {
+        setErrorDetail(
+          err.status === 404 || err.status === 501
+            ? 'Key validation is not available for this service yet. The key was not tested.'
+            : `Could not verify key (server returned ${err.status}). Saving is unaffected.`,
+        );
+      } else {
+        setErrorDetail('Could not reach the validation service. Check your connection and try again.');
+      }
      onResult?.(false);
      resetTimerRef.current = setTimeout(() => setState('idle'), RESET_DELAYS.failure);
    }
@@ -85,7 +99,7 @@ export function TestConnectionButton({

 function Spinner() {
  return (
-    <svg className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
+    <svg aria-hidden="true" className="spinner" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2">
      <path d="M12 2v4M12 18v4M4.93 4.93l2.83 2.83M16.24 16.24l2.83 2.83M2 12h4M18 12h4M4.93 19.07l2.83-2.83M16.24 7.76l2.83-2.83" />
    </svg>
  );
@@ -28,8 +28,20 @@ const mockValidateSecret = vi.fn();

 vi.mock("@/lib/api/secrets", () => ({
  validateSecret: (...args: unknown[]) => mockValidateSecret(...args),
+  ApiError: class ApiError extends Error {
+    status: number;
+    constructor(status: number, message: string) {
+      super(message);
+      this.name = "ApiError";
+      this.status = status;
+    }
+  },
 }));

+// Re-import the mocked ApiError so test cases construct the same class the
+// component's `instanceof` check sees.
+import { ApiError } from "@/lib/api/secrets";
+
 beforeEach(() => {
  vi.useFakeTimers();
  vi.clearAllMocks();
@@ -201,8 +213,27 @@ describe("TestConnectionButton — failure path", () => {
 });

 describe("TestConnectionButton — catch path", () => {
-  it("shows 'Connection timed out' on network error", async () => {
-    mockValidateSecret.mockRejectedValue(new Error("timeout"));
+  it("does NOT claim a timeout when the validate endpoint 404s (regression: internal#492)", async () => {
+    // The validate route is unimplemented on the server and returns a fast
+    // 404. Before the fix this rendered the misleading hardcoded string
+    // "Connection timed out. Service may be down." It must instead state
+    // honestly that validation isn't available and the key was not tested.
+    mockValidateSecret.mockRejectedValue(new ApiError(404, "Not Found"));
+    render(
+      <TestConnectionButton provider="anthropic" secretValue="sk-ant-xxx" />,
+    );
+    fireEvent.click(document.querySelector('button[type="button"]')!);
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(0);
+    });
+    expect(document.body.textContent).not.toContain("Connection timed out");
+    expect(document.body.textContent).not.toContain("Service may be down");
+    expect(document.body.textContent).toContain("not available");
+    expect(document.body.textContent).toContain("not tested");
+  });
+
+  it("reports a non-404 server error with its status, not a timeout", async () => {
+    mockValidateSecret.mockRejectedValue(new ApiError(500, "Internal Server Error"));
    render(
      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
    );
@@ -210,7 +241,20 @@ describe("TestConnectionButton — catch path", () => {
    await act(async () => {
      await vi.advanceTimersByTimeAsync(0);
    });
-    expect(document.body.textContent).toContain("Connection timed out");
+    expect(document.body.textContent).toContain("500");
+    expect(document.body.textContent).not.toContain("Connection timed out");
+  });
+
+  it("shows a connectivity message on a genuine network error", async () => {
+    mockValidateSecret.mockRejectedValue(new Error("network down"));
+    render(
+      <TestConnectionButton provider="github" secretValue="ghp_xxx" />,
+    );
+    fireEvent.click(document.querySelector('button[type="button"]')!);
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(0);
+    });
+    expect(document.body.textContent).toContain("Could not reach the validation service");
  });

  it("calls onResult(false) on network error", async () => {
--- a/Show More
+++ b/Show More