diff --git a/workspace-server/internal/handlers/a2a_proxy_helpers.go b/workspace-server/internal/handlers/a2a_proxy_helpers.go
index 98c51bb7d..11916e6b1 100644
--- a/workspace-server/internal/handlers/a2a_proxy_helpers.go
+++ b/workspace-server/internal/handlers/a2a_proxy_helpers.go
@@ -407,15 +407,6 @@ func validateCallerToken(ctx context.Context, c *gin.Context, callerID string) e
 // matching (the wsauth errors are typed for the invalid case).
 var errInvalidCallerToken = errors.New("missing caller auth token")
 
-// canvasUserMessage holds the extracted user message extracted from an
-// A2A canvas request body for broadcasting to other sessions.
-type canvasUserMessage struct {
-	Message   string                               `json:"message,omitempty"`
-	Parts     []map[string]interface{}              `json:"parts,omitempty"`
-	MessageID string                               `json:"messageId,omitempty"`
-	Attachments []map[string]interface{}            `json:"attachments,omitempty"`
-}
-
 // extractCanvasUserMessage parses an A2A JSON-RPC request body and extracts
 // the user-authored text and attachments from a canvas-initiated message/send.
 // Returns nil when the body is not a canvas user message (empty, malformed,
diff --git a/workspace-server/internal/handlers/secrets.go b/workspace-server/internal/handlers/secrets.go
index f53130829..3108eb5a7 100644
--- a/workspace-server/internal/handlers/secrets.go
+++ b/workspace-server/internal/handlers/secrets.go
@@ -411,9 +411,11 @@ func (h *SecretsHandler) restartAllAffectedByGlobalKey(key string) {
 	var ids []string
 	for rows.Next() {
 		var id string
-		if err := rows.Scan(&id); err == nil {
-			ids = append(ids, id)
+		if err := rows.Scan(&id); err != nil {
+			log.Printf("Global secret %s: scan error listing affected workspace: %v", key, err)
+			continue
 		}
+		ids = append(ids, id)
 	}
 	if err := rows.Err(); err != nil {
 		log.Printf("restartAllAffectedByGlobalKey: iteration error: %v", err)