diff --git a/workspace-server/internal/channels/manager.go b/workspace-server/internal/channels/manager.go
index 3de98c912..5a30f09ce 100644
--- a/workspace-server/internal/channels/manager.go
+++ b/workspace-server/internal/channels/manager.go
@@ -508,14 +508,20 @@ func (m *Manager) FetchWorkspaceChannelContext(ctx context.Context, workspaceID
 	}
 	defer rows.Close()
 	if !rows.Next() {
+		if err := rows.Err(); err != nil {
+			log.Printf("ChannelManager: FetchWorkspaceChannelContext rows error for %s: %v", workspaceID, err)
+		}
 		return ""
 	}
 	var configJSON []byte
-	if rows.Scan(&configJSON) != nil {
+	if err := rows.Scan(&configJSON); err != nil {
+		log.Printf("ChannelManager: FetchWorkspaceChannelContext scan error for %s: %v", workspaceID, err)
 		return ""
 	}
 	var config map[string]interface{}
-	json.Unmarshal(configJSON, &config)
+	if err := json.Unmarshal(configJSON, &config); err != nil {
+		log.Printf("ChannelManager: unmarshal config: %v", err)
+	}
 	if err := DecryptSensitiveFields(config); err != nil {
 		return ""
 	}
diff --git a/workspace-server/internal/handlers/channels.go b/workspace-server/internal/handlers/channels.go
index b7167720e..fea222055 100644
--- a/workspace-server/internal/handlers/channels.go
+++ b/workspace-server/internal/handlers/channels.go
@@ -67,7 +67,9 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}
 
 		var config map[string]interface{}
-		json.Unmarshal(configJSON, &config)
+		if err := json.Unmarshal(configJSON, &config); err != nil {
+			log.Printf("Channels: unmarshal config for channel %s: %v", id, err)
+		}
 		// #319: decrypt sensitive fields first so the mask operates on
 		// plaintext (first-4 / last-4 of the real token, not the ciphertext
 		// prefix). Decrypt errors are logged but non-fatal — List must keep
@@ -86,7 +88,9 @@ func (h *ChannelHandler) List(c *gin.Context) {
 		}
 
 		var allowed []string
-		json.Unmarshal(allowedJSON, &allowed)
+		if err := json.Unmarshal(allowedJSON, &allowed); err != nil {
+			log.Printf("Channels: unmarshal allowed_users for channel %s: %v", id, err)
+		}
 
 		entry := map[string]interface{}{
 			"id":            id,
@@ -499,8 +503,12 @@ func (h *ChannelHandler) Webhook(c *gin.Context) {
 		if err := rows.Scan(&row.ID, &row.WorkspaceID, &row.ChannelType, &configJSON, &row.Enabled, &allowedJSON); err != nil {
 			continue
 		}
-		json.Unmarshal(configJSON, &row.Config)
-		json.Unmarshal(allowedJSON, &row.AllowedUsers)
+		if err := json.Unmarshal(configJSON, &row.Config); err != nil {
+			log.Printf("Channels: unmarshal config for webhook row %s: %v", row.ID, err)
+		}
+		if err := json.Unmarshal(allowedJSON, &row.AllowedUsers); err != nil {
+			log.Printf("Channels: unmarshal allowed_users for webhook row %s: %v", row.ID, err)
+		}
 		if err := channels.DecryptSensitiveFields(row.Config); err != nil {
 			log.Printf("Channels: decrypt webhook row %s: %v", row.ID, err)
 			continue
diff --git a/workspace-server/internal/messagestore/postgres_store.go b/workspace-server/internal/messagestore/postgres_store.go
index 67987569c..cf1ef7ad5 100644
--- a/workspace-server/internal/messagestore/postgres_store.go
+++ b/workspace-server/internal/messagestore/postgres_store.go
@@ -15,6 +15,7 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"log"
 	"path"
 	"strings"
 	"time"
@@ -391,7 +392,9 @@ func extractFilesFromResponse(body json.RawMessage) []ChatAttachment {
 	var probe struct {
 		Result json.RawMessage `json:"result"`
 	}
-	_ = json.Unmarshal(body, &probe)
+	if err := json.Unmarshal(body, &probe); err != nil {
+		log.Printf("messagestore: unmarshal probe body: %v", err)
+	}
 	feed := body
 	if len(probe.Result) > 0 {
 		trimmed := bytesTrimSpace(probe.Result)