feat(kiloclaw): mint per-instance <label>.kiloclaw.ai URLs (PR3) (#3029)

* refactor(kiloclaw): consolidate catch-all proxy blocks

All four catch-all paths (/i/:instanceId/*, host-based, cookie-routed,
default personal) now share a single `proxyThroughTarget` helper.
Previously the host branch used the helper while the other three
inlined the same ~130-line HTTP + WebSocket relay; this commit
collapses them onto the helper.

The helper gains optional `unreachableHint` / `startingUpHint`
parameters so the default-personal branch can keep its user-facing
hint strings (these are test-asserted). All other behavior is
preserved — same status codes, same JSON shapes, identical
WebSocket relay semantics.

One pre-existing inconsistency is unified rather than preserved: the
cookie branch used to return `{ error: 'WebSocket upgrade failed' }`
with status 502 when the upstream returned no webSocket. The helper
(and the /i and default branches) return the raw containerResponse in
that case, which is strictly more informative. No test asserted the
cookie-branch-specific response.

src/index.ts: +48 / -393 (net -345).

* refactor(worker-utils): host label + sandbox-id helpers for cross-package reuse

Move the pure sandboxId <-> hostname-label logic (plus sandboxId <-> userId
encoding) from `services/kiloclaw/src/auth/` into
`@kilocode/worker-utils` so `apps/web` can use it to mint per-instance
URLs in PR3 without duplicating the base64url / base32hex encoding.

- New subpath exports: `@kilocode/worker-utils/hostname-label` and
  `@kilocode/worker-utils/sandbox-id`.
- The existing `services/kiloclaw/src/auth/hostname-label.ts` and
  `sandbox-id.ts` become thin re-export shims so the many existing
  `./auth/hostname-label` / `./auth/sandbox-id` imports inside the
  worker don't have to migrate all at once.
- Tests move with the implementation.

No behaviour change.

* feat(kiloclaw): route users to per-instance `<label>.kiloclaw.ai` URLs

Wires the dashboard to emit per-instance hostnames as `workerUrl` so
users of v2+ instances open their instance directly on its virtual host
instead of the single shared `claw.kilo.ai` / `claw.kilosessions.ai`
endpoint. Completes the PR3 step of the name-based routing rollout;
PR1 built the host space, PR2 taught the worker to route by Host.

- New env var `KILOCLAW_INSTANCE_URL_TEMPLATE` (e.g.
  `https://{label}.kiloclaw.ai`). Unset → legacy single-host behaviour
  (dev default, no change).
- `workerUrlForInstance` helper expands the template only when the
  instance is on `controllerCapabilitiesVersion >= 2`. Pre-v2 instances
  don't have their per-instance origin in
  `OPENCLAW_ALLOWED_ORIGINS`, so WebSocket upgrades from the new host
  would fail openclaw's exact-match origin check; keep them on the
  legacy host until they restart onto v2.
- `getStatus` tRPC procedures (personal + org) thread the new field
  through and compute `workerUrl` via the helper. No-instance sentinel
  stays on the legacy URL (no sandboxId yet to label).
- `PlatformStatusResponse` type gains `controllerCapabilitiesVersion`;
  worker DO was already emitting it, this just exposes it to callers.
- Worker `KILOCLAW_CHECKIN_URL` flipped from
  `claw.kilosessions.ai` to `claw.kiloclaw.ai`. Only affects
  newly-provisioned / restarted machines; running machines continue
  hitting the legacy URL (still live via the existing custom domain).
- Test fixtures (state tests, walkthrough) updated for the new field.
- New helper covered by 9 unit tests in `instance-url.test.ts`.

* fix(kiloclaw): address PR review — normalize WS no-upgrade, reserve 'claw' label, warn on misconfigured URL template

Three PR review findings on the PR2/PR3 routing work.

1. proxyThroughTarget: on a WebSocket request where the upstream returns
   a non-upgrade response, return a normalized 502 JSON
   `{ error: 'WebSocket upgrade failed' }` instead of the raw upstream
   response. The previous helper passed `containerResponse` straight
   through (matching the pre-refactor /i/ and default branches but
   changing the cookie-routed branch's contract, which was 502 JSON).
   Raw upstream bodies on this edge path can leak provider/controller
   error detail to the Control UI; normalize to a minimal error body
   and log the upstream status for operators. Unified across all four
   call sites.

2. Host-based routing: add an explicit `claw` reserved-label guard.
   With PR3 flipping KILOCLAW_CHECKIN_URL to `claw.kiloclaw.ai`, that
   hostname now enters the `*.kiloclaw.ai/*` wildcard route. The
   controller check-in path is registered before the catch-all so it
   works, but any other path on that host was hitting
   handleHostBasedRoute → `claw` fails label parsing → 404 "Instance
   not found" — a confusing error for a reserved operational hostname.
   Short-circuit the host branch for reserved labels so requests fall
   through to cookie/default routing and produce the normal catch-all
   responses instead. Introduces RESERVED_INSTANCE_HOST_LABELS as an
   explicit set so future reserved hostnames (`api`, `www`, etc.) are
   trivial to add.

3. workerUrlForInstance: log a one-time `console.warn` when
   KILOCLAW_INSTANCE_URL_TEMPLATE is set but missing the `{label}`
   placeholder. Silently falling back to the legacy URL hides the
   misconfiguration. Guarded by a module-level flag so the warning
   doesn't spam logs on every getStatus call.

* fix(worker-utils): drop .js extensions from sibling imports for Turbopack

Next.js / Turbopack can't resolve `./instance-id.js` when apps/web
imports @kilocode/worker-utils/hostname-label through the subpath
export — the .js rewrite convention only works in resolvers that do
the TS→JS extension mapping (Vitest, tsgo). Turbopack treats the
literal .js filename and fails.

Drop the .js suffix on the three sibling imports that crossed the
package boundary. worker-utils uses `moduleResolution: bundler`, which
accepts extensionless imports, so the typecheck and Vitest runs stay
green.

* feat(web): default KILOCLAW_INSTANCE_URL_TEMPLATE to prod on NODE_ENV=production

So the per-instance URL rollout goes live automatically on merge, without
needing a Vercel env var edit.

- New `resolveInstanceUrlTemplate(envVar, nodeEnv)` pure function with
  three-level resolution: explicit override wins (including empty string
  as a kill switch), then NODE_ENV=production defaults to the canonical
  `https://{label}.kiloclaw.ai` template, otherwise empty (dev/test).
- Operators can roll back without a code deploy by setting
  `KILOCLAW_INSTANCE_URL_TEMPLATE=` (empty) in Vercel.
- Dev/test stay on legacy localhost unless a dev opts in by setting the
  dev-parity template (`http://{label}.kiloclaw.localhost:8795`)
  explicitly.
- Factored out of the config-module scope so it's testable without
  forcing a re-import of config.server.ts, which runs production-only
  validation on unrelated secrets at module load time.

* feat(web): default per-instance URLs on in dev too, derived from KILOCLAW_API_URL

Previously `resolveInstanceUrlTemplate` only defaulted on in
production; dev/test returned empty so the dashboard kept emitting the
legacy `KILOCLAW_API_URL` (usually `http://localhost:8795`) as
`workerUrl` until a developer manually added
`KILOCLAW_INSTANCE_URL_TEMPLATE` to `apps/web/.env.local`. That hoop
defeats the point of merging the feature — local repro of the
per-instance flow is exactly what devs need to verify changes.

Make the new pattern default in dev too, derived from
`KILOCLAW_API_URL`:

- `http://localhost:8795` -> `http://{label}.kiloclaw.localhost:8795`
- `http://127.0.0.1:9000` -> `http://{label}.kiloclaw.localhost:9000`
- Non-loopback / missing / unparsable `KILOCLAW_API_URL` falls back to
  `http://{label}.kiloclaw.localhost:8795` (the wrangler dev default).

Scheme and port are preserved from `KILOCLAW_API_URL` so a dev
running wrangler on a non-default port still gets a working template.

Opt-out is unchanged: `KILOCLAW_INSTANCE_URL_TEMPLATE=` (empty) in
env returns empty and falls back to legacy routing. Tests exercise
prod default, dev defaults across loopback/non-loopback URLs, explicit
overrides, and the kill-switch opt-out.

* feat(kiloclaw): 301 redirect www.kiloclaw.ai -> apex

The `*.kiloclaw.ai/*` wildcard route catches `www.kiloclaw.ai`; without
an explicit handler it would surface as "Instance not found" 404 because
`www` fails hostname-label parsing. Add a canonical-redirect set
(currently just `www`) that 301s to the apex host derived from
`KILOCLAW_INSTANCE_HOST_SUFFIX` + `KILOCLAW_INSTANCE_URL_SCHEME`, so
dev parity works automatically (`www.kiloclaw.localhost:8795` ->
`kiloclaw.localhost:8795`) without hardcoding the apex.

Redirect target is built via URL setters (pathname/search), not string
concatenation, to sidestep the scheme-relative `//` open-redirect class
PR2 had to patch out of the capability-gate path.

Two new tests cover the prod and dev-parity cases.

DNS side: the existing proxied wildcard `AAAA * -> 100::` record on
`kiloclaw.ai` already covers `www`, and the wildcard cert SAN matches
one-label subdomains. No extra DNS / cert work needed.

* fix(kiloclaw,web): address PR review — drop www redirect, harden kill switch

Two review findings on the latest PR3 commits.

1. **www redirect removed.** `CANONICAL_APEX_REDIRECT_LABELS` and
   `buildApexRedirectUrl` lived inside `handleHostBasedRoute`, which
   runs from the catch-all route. The catch-all is behind the global
   `authGuard` middleware, so unauthenticated `www.kiloclaw.ai`
   requests would 401 before the redirect could fire — exactly the
   traffic the redirect was meant to serve. Tests passed because the
   auth middleware is mocked to always succeed in the worker test
   harness. Rather than rearrange the middleware chain to make it
   work, drop the worker-side redirect entirely: the `www` → apex
   redirect is handled by Cloudflare DNS/edge routes, which is the
   right layer for this anyway (no worker invocation cost, runs
   before any auth, always correct).

2. **Kill switch now uses an explicit `legacy` sentinel.** The
   previous `KILOCLAW_INSTANCE_URL_TEMPLATE=` (empty string) rollback
   was brittle: Vercel / Node env pipelines frequently coerce empty
   entries into "unset", making an empty-string rollback
   indistinguishable from the default-on path (fails open). Switch to
   a non-empty word sentinel: `KILOCLAW_INSTANCE_URL_TEMPLATE=legacy`
   (case-insensitive) disables per-instance URLs. Empty string now
   falls through to the production/dev defaults, matching "unset"
   semantics across all env pipelines.

Tests updated to cover the new sentinel behavior and to assert that
empty string no longer disables the feature.

Author: pandemicsyn

apps/web/src/app/(app)/claw/components/ClawOnboardingFakeWalkthrough.tsx

@@ -67,6 +67,7 @@ const fakeStatus = {
   botVibe: 'Focused, capable, effective',
   botEmoji: '🤖',
   workerUrl: 'https://claw.kilo.ai',
+  controllerCapabilitiesVersion: null,
   name: 'Fake KiloClaw',
   instanceId: 'fake-instance',
   inboundEmailAddress: null,

apps/web/src/app/(app)/claw/components/ClawOnboardingFlow.state.test.ts

@@ -48,6 +48,7 @@ function createStatus(status: KiloClawDashboardStatus['status']): KiloClawDashbo
     botVibe: null,
     botEmoji: null,
     workerUrl: 'https://claw.kilo.ai',
+    controllerCapabilitiesVersion: null,
     instanceId: null,
     inboundEmailAddress: null,
     inboundEmailEnabled: false,

apps/web/src/app/(app)/claw/components/withStatusQueryBoundary.test.ts

@@ -41,6 +41,7 @@ const baseStatus: KiloClawDashboardStatus = {
   botVibe: null,
   botEmoji: null,
   workerUrl: 'https://claw.kilo.ai',
+  controllerCapabilitiesVersion: null,
   instanceId: null,
   inboundEmailAddress: 'amber-river-quiet-maple@kiloclaw.ai',
   inboundEmailEnabled: true,

apps/web/src/app/(app)/claw/new/ClawNewClient.state.test.ts

@@ -39,6 +39,7 @@ const baseStatus: KiloClawDashboardStatus = {
   botVibe: null,
   botEmoji: null,
   workerUrl: 'https://claw.kilo.ai',
+  controllerCapabilitiesVersion: null,
   instanceId: 'instance-1',
   inboundEmailAddress: 'amber-river-quiet-maple@kiloclaw.ai',
   inboundEmailEnabled: true,

apps/web/src/lib/config.server.test.ts

@@ -0,0 +1,112 @@
+import { describe, it, expect } from '@jest/globals';
+import { resolveInstanceUrlTemplate } from './config.server';
+
+describe('resolveInstanceUrlTemplate', () => {
+  describe('kill switch (KILOCLAW_INSTANCE_URL_TEMPLATE=legacy)', () => {
+    it('returns empty (legacy routing) when set to the kill-switch sentinel in production', () => {
+      expect(resolveInstanceUrlTemplate('legacy', 'production', 'https://claw.kilo.ai')).toBe('');
+    });
+
+    it('matches the sentinel case-insensitively', () => {
+      expect(resolveInstanceUrlTemplate('Legacy', 'production', 'https://claw.kilo.ai')).toBe('');
+      expect(resolveInstanceUrlTemplate('LEGACY', 'production', 'https://claw.kilo.ai')).toBe('');
+    });
+
+    it('also disables per-instance URLs in dev when set', () => {
+      expect(resolveInstanceUrlTemplate('legacy', 'development', 'http://localhost:8795')).toBe('');
+    });
+
+    it('treats an explicit empty string as "unset" (falls through to defaults), not as a kill switch', () => {
+      // Platform env pipelines often coerce empty values to "unset", so
+      // empty string must not be the rollback signal.
+      expect(resolveInstanceUrlTemplate('', 'production', 'https://claw.kilo.ai')).toBe(
+        'https://{label}.kiloclaw.ai'
+      );
+      expect(resolveInstanceUrlTemplate('', 'development', 'http://localhost:8795')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+  });
+
+  describe('production defaults', () => {
+    it('defaults to the canonical prod template when no override is set', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'production', 'https://claw.kilo.ai')).toBe(
+        'https://{label}.kiloclaw.ai'
+      );
+    });
+
+    it('honors an explicit override in production', () => {
+      expect(
+        resolveInstanceUrlTemplate(
+          'https://{label}.preview.kiloclaw.ai',
+          'production',
+          'https://claw.kilo.ai'
+        )
+      ).toBe('https://{label}.preview.kiloclaw.ai');
+    });
+  });
+
+  describe('development / test defaults', () => {
+    it('derives a loopback-parity template from a localhost KILOCLAW_API_URL', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'http://localhost:8795')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('derives a loopback-parity template from a 127.0.0.1 KILOCLAW_API_URL', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'http://127.0.0.1:8795')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('preserves the port from KILOCLAW_API_URL when non-default', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'http://localhost:9999')).toBe(
+        'http://{label}.kiloclaw.localhost:9999'
+      );
+    });
+
+    it('preserves the scheme from KILOCLAW_API_URL', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'https://localhost:8795')).toBe(
+        'https://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('falls back to the wrangler dev port when KILOCLAW_API_URL is missing', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', undefined)).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('falls back when KILOCLAW_API_URL is unparsable', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'not a url')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('uses the fallback template when KILOCLAW_API_URL points at a non-loopback host', () => {
+      // Remote staging — dev mode with a non-local worker. We don't try
+      // to derive a wildcard host for it; fall back to the loopback
+      // template. Operators who want a real per-instance URL on remote
+      // staging set KILOCLAW_INSTANCE_URL_TEMPLATE explicitly.
+      expect(resolveInstanceUrlTemplate(undefined, 'development', 'https://staging.kilo.ai')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('defaults loopback-parity in test mode too', () => {
+      expect(resolveInstanceUrlTemplate(undefined, 'test', 'http://localhost:8795')).toBe(
+        'http://{label}.kiloclaw.localhost:8795'
+      );
+    });
+
+    it('honors a dev-parity override', () => {
+      expect(
+        resolveInstanceUrlTemplate(
+          'http://{label}.kiloclaw.localhost:8795',
+          'development',
+          'http://localhost:8795'
+        )
+      ).toBe('http://{label}.kiloclaw.localhost:8795');
+    });
+  });
+});

apps/web/src/lib/config.server.ts

@@ -209,6 +209,96 @@ export const KILOCLAW_INTERNAL_API_SECRET = getEnvVariable('KILOCLAW_INTERNAL_AP
 export const KILOCLAW_INBOUND_EMAIL_DOMAIN =
   getEnvVariable('KILOCLAW_INBOUND_EMAIL_DOMAIN') || 'kiloclaw.ai';
 
+/**
+ * Per-instance worker URL template.
+ *
+ * Per-instance URLs are the default in BOTH production and dev/test so a
+ * merge of the name-based routing feature flips them on automatically,
+ * without forcing anyone to edit env files.
+ *
+ * Resolution rules (checked in order):
+ *   1. `KILOCLAW_INSTANCE_URL_TEMPLATE=legacy` (case-insensitive) is the
+ *      explicit **kill switch** — disables per-instance URLs entirely and
+ *      falls back to the single-host `KILOCLAW_API_URL`. Operators can
+ *      roll prod back without a code deploy; devs can disable locally.
+ *      A non-empty sentinel is used (rather than empty string) because
+ *      Vercel / Node env pipelines often coerce empty env entries into
+ *      "unset", making an empty-string rollback unreliable.
+ *   2. A non-empty `KILOCLAW_INSTANCE_URL_TEMPLATE` is used verbatim.
+ *      Must contain `{label}`; missing placeholder is a misconfiguration
+ *      warned about at render time (see `workerUrlForInstance`).
+ *   3. Otherwise in `NODE_ENV=production`, default to the canonical
+ *      `https://{label}.kiloclaw.ai` template.
+ *   4. Otherwise (dev/test) derive a template from `KILOCLAW_API_URL`:
+ *      if `KILOCLAW_API_URL` looks like a loopback URL (`http://localhost:<port>`
+ *      / `http://127.0.0.1:<port>`), emit
+ *      `http://{label}.kiloclaw.localhost:<port>` so the browser
+ *      auto-resolves `*.kiloclaw.localhost` to `127.0.0.1` per RFC 6761.
+ *      If `KILOCLAW_API_URL` is missing or unparsable, fall back to the
+ *      same template with the wrangler dev port (`8795`) — matches
+ *      `.dev.vars.example`.
+ *
+ * When the template ends up set and contains `{label}`, `getStatus`
+ * emits a `workerUrl` pointing at the instance's own virtual host
+ * (derived from its sandboxId) for instances whose
+ * `controllerCapabilitiesVersion >= 2`. Pre-v2 instances keep falling
+ * back to `KILOCLAW_API_URL`.
+ *
+ * Exported as a plain function so it's testable without forcing a
+ * re-import of this entire module (which triggers production-only
+ * validation of unrelated secrets).
+ */
+const DEFAULT_DEV_WRANGLER_PORT = '8795';
+
+/**
+ * Sentinel value for `KILOCLAW_INSTANCE_URL_TEMPLATE` that disables the
+ * per-instance URL pattern entirely. Case-insensitive match. Picked as
+ * a non-empty word because empty env values are unreliable across
+ * Vercel / Node / dotenv pipelines (often dropped or indistinguishable
+ * from "unset"), which would mean the kill switch silently fails open.
+ */
+const KILL_SWITCH_SENTINEL = 'legacy';
+
+function deriveDevTemplateFromWorkerUrl(workerUrl: string | undefined): string {
+  const fallback = `http://{label}.kiloclaw.localhost:${DEFAULT_DEV_WRANGLER_PORT}`;
+  if (!workerUrl) return fallback;
+  try {
+    const parsed = new URL(workerUrl);
+    // Only derive when we're pointed at a loopback dev worker. Anything
+    // else (remote staging, preview domains, etc.) uses the same
+    // fallback — operators can still override explicitly.
+    if (parsed.hostname !== 'localhost' && parsed.hostname !== '127.0.0.1') {
+      return fallback;
+    }
+    const port = parsed.port || DEFAULT_DEV_WRANGLER_PORT;
+    return `${parsed.protocol}//{label}.kiloclaw.localhost:${port}`;
+  } catch {
+    return fallback;
+  }
+}
+
+export function resolveInstanceUrlTemplate(
+  envVar: string | undefined,
+  nodeEnv: string | undefined,
+  workerUrl: string | undefined
+): string {
+  // Explicit kill switch. Empty string falls through to the production
+  // / dev defaults — operators must set `legacy` to disable, not "".
+  if (envVar !== undefined && envVar.toLowerCase() === KILL_SWITCH_SENTINEL) {
+    return '';
+  }
+  // Non-empty explicit override wins.
+  if (envVar !== undefined && envVar !== '') return envVar;
+  if (nodeEnv === 'production') return 'https://{label}.kiloclaw.ai';
+  return deriveDevTemplateFromWorkerUrl(workerUrl);
+}
+
+export const KILOCLAW_INSTANCE_URL_TEMPLATE = resolveInstanceUrlTemplate(
+  process.env.KILOCLAW_INSTANCE_URL_TEMPLATE,
+  process.env.NODE_ENV,
+  KILOCLAW_API_URL
+);
+
 // KiloClaw Early Bird Checkout
 export const STRIPE_KILOCLAW_EARLYBIRD_PRICE_ID = getEnvVariable(
   'STRIPE_KILOCLAW_EARLYBIRD_PRICE_ID'

apps/web/src/lib/kiloclaw/instance-url.test.ts

@@ -0,0 +1,136 @@
+import { describe, it, expect, jest } from '@jest/globals';
+import { workerUrlForInstance } from './instance-url';
+import { sandboxIdFromUserId, sandboxIdFromInstanceId } from '@kilocode/worker-utils/sandbox-id';
+
+const LEGACY = 'https://claw.kilo.ai';
+const TEMPLATE = 'https://{label}.kiloclaw.ai';
+
+describe('workerUrlForInstance', () => {
+  it('falls back to the legacy URL when the template is unset', () => {
+    const sandboxId = sandboxIdFromInstanceId('550e8400-e29b-41d4-a716-446655440000');
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: '',
+        fallback: LEGACY,
+      })
+    ).toBe(LEGACY);
+  });
+
+  it('falls back to the legacy URL and warns once when the template has no {label} placeholder', () => {
+    const sandboxId = sandboxIdFromInstanceId('550e8400-e29b-41d4-a716-446655440000');
+    const warn = jest.spyOn(console, 'warn').mockImplementation(() => {});
+    try {
+      expect(
+        workerUrlForInstance({
+          sandboxId,
+          controllerCapabilitiesVersion: 2,
+          template: 'https://claw.kiloclaw.ai',
+          fallback: LEGACY,
+        })
+      ).toBe(LEGACY);
+      // Subsequent calls with the same misconfiguration must not spam logs.
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: 'https://claw.kiloclaw.ai',
+        fallback: LEGACY,
+      });
+      expect(warn).toHaveBeenCalledTimes(1);
+      expect(warn.mock.calls[0][0]).toMatch(/missing the \{label\} placeholder/);
+    } finally {
+      warn.mockRestore();
+    }
+  });
+
+  it('falls back to the legacy URL for pre-v2 instances', () => {
+    const sandboxId = sandboxIdFromInstanceId('550e8400-e29b-41d4-a716-446655440000');
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: null,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toBe(LEGACY);
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 1,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toBe(LEGACY);
+  });
+
+  it('falls back to the legacy URL when sandboxId is null (no-instance sentinel)', () => {
+    expect(
+      workerUrlForInstance({
+        sandboxId: null,
+        controllerCapabilitiesVersion: 2,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toBe(LEGACY);
+  });
+
+  it('expands the template for instance-keyed sandboxIds on v2+', () => {
+    const sandboxId = sandboxIdFromInstanceId('550e8400-e29b-41d4-a716-446655440000');
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toBe('https://i-550e8400e29b41d4a716446655440000.kiloclaw.ai');
+  });
+
+  it('expands the template for legacy userId sandboxes on v2+', () => {
+    const sandboxId = sandboxIdFromUserId('oauth/google:118234567890');
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toMatch(/^https:\/\/u-[0-9a-v]+\.kiloclaw\.ai$/);
+  });
+
+  it('falls back to the legacy URL when the sandboxId cannot be safely labelled', () => {
+    const overlongSandboxId = sandboxIdFromUserId('a'.repeat(39));
+    expect(
+      workerUrlForInstance({
+        sandboxId: overlongSandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: TEMPLATE,
+        fallback: LEGACY,
+      })
+    ).toBe(LEGACY);
+  });
+
+  it('uses the hardcoded default when fallback is empty', () => {
+    expect(
+      workerUrlForInstance({
+        sandboxId: null,
+        controllerCapabilitiesVersion: 2,
+        template: '',
+        fallback: '',
+      })
+    ).toBe('https://claw.kilo.ai');
+  });
+
+  it('works with dev-parity templates (http + port)', () => {
+    const sandboxId = sandboxIdFromInstanceId('550e8400-e29b-41d4-a716-446655440000');
+    expect(
+      workerUrlForInstance({
+        sandboxId,
+        controllerCapabilitiesVersion: 2,
+        template: 'http://{label}.kiloclaw.localhost:8795',
+        fallback: 'http://localhost:8795',
+      })
+    ).toBe('http://i-550e8400e29b41d4a716446655440000.kiloclaw.localhost:8795');
+  });
+});