fix(multitenant): remove dead alias, duplicate origin, and tenant-scoped platform hosts (Sam & zAI)

Remove duplicate trusted origin in auth.ts where PLATFORM_INTERNAL_DOMAIN
and ai.${PLATFORM_INTERNAL_BASE} resolve to the same string.

Switch worker/browser/GUI/docs local hostnames from tenant-scoped
AGENT_INTERNAL_DOMAIN to PLATFORM_INTERNAL_BASE — these are platform
infrastructure, not tenant content.

Remove AGENT_PID_FILE dead alias — zero consumers, PLATFORM_PID_FILE
is canonical.

---
Build: pass | Tests: pass — 1812 passed (115 files)

src/auth.ts

@@ -6,7 +6,6 @@ import {
   CONTROLPLANE_API_PORT,
   BETTER_AUTH_SECRET,
   BETTER_AUTH_URL,
-  PLATFORM_INTERNAL_BASE,
   PLATFORM_INTERNAL_DOMAIN,
 } from './config.js';
 import { logger } from './logger.js';
@@ -14,12 +13,13 @@ import { logger } from './logger.js';
 export type AuthMode = 'local_trusted' | 'authenticated';
 
 export function createAuth(pool: Pool) {
-  const trustedOrigins = Array.from(new Set([
+  const trustedOrigins = Array.from(
-    `http://localhost:${CONTROLPLANE_API_PORT}`,
+    new Set([
-    `http://${PLATFORM_INTERNAL_DOMAIN}:${CONTROLPLANE_API_PORT}`,
+      `http://localhost:${CONTROLPLANE_API_PORT}`,
-    `http://10.0.0.2:${CONTROLPLANE_API_PORT}`,
+      `http://${PLATFORM_INTERNAL_DOMAIN}:${CONTROLPLANE_API_PORT}`,
-    `http://ai.${PLATFORM_INTERNAL_BASE}:${CONTROLPLANE_API_PORT}`,
+      `http://10.0.0.2:${CONTROLPLANE_API_PORT}`,
-  ]));
+    ]),
+  );
 
   const auth = betterAuth({
     baseURL: BETTER_AUTH_URL,
@@ -58,10 +58,7 @@ export function createAuth(pool: Pool) {
     },
   });
 
-  logger.info(
+  logger.info({ mode: CONTROLPLANE_AUTH_MODE }, 'Better Auth initialized');
-    { mode: CONTROLPLANE_AUTH_MODE },
-    'Better Auth initialized',
-  );
 
   return auth;
 }

src/config.ts

@@ -244,15 +244,8 @@ export const CODE_ADMIN_EXPOSURE =
 export const PUBLISHING_MODE =
   registryDefaults?.platform.publishingMode || 'disabled';
 
-export const RESERVED_HOST_LABELS =
+export const RESERVED_HOST_LABELS = registryDefaults?.platform
-  registryDefaults?.platform.reservedHostLabels || [
+  .reservedHostLabels || ['ai', 'cms', 'git', 'web', 'www', 'mail'];
-    'ai',
-    'cms',
-    'git',
-    'web',
-    'www',
-    'mail',
-  ];
 
 // ── Agent identity ───────────────────────────────────────────────────────────
 
@@ -375,7 +368,6 @@ export const SYSTEM_LOCALE = normalizeSystemLocale(
 // ── Service naming ──
 
 export const PLATFORM_PID_FILE = `${PLATFORM_SERVICE_NAME}.pid`;
-export const AGENT_PID_FILE = PLATFORM_PID_FILE;
 
 // ── Engine & provider ──
 

src/local-hosts.ts

@@ -28,10 +28,10 @@ export const GIT_LOCAL_HOST = CODE_SERVICE_INTERNAL_DOMAIN;
 export const OLLAMA_LOCAL_HOST = OLLAMA_INTERNAL_DOMAIN;
 export const LLAMA_CPP_LOCAL_HOST = LLAMA_CPP_INTERNAL_DOMAIN;
 export const CMS_LOCAL_HOST = CMS_INTERNAL_DOMAIN;
-export const WORKER_LOCAL_HOST = `worker.${AGENT_INTERNAL_DOMAIN}`;
+export const WORKER_LOCAL_HOST = `worker.${PLATFORM_INTERNAL_BASE}`;
-export const BROWSER_LOCAL_HOST = `browser.${AGENT_INTERNAL_DOMAIN}`;
+export const BROWSER_LOCAL_HOST = `browser.${PLATFORM_INTERNAL_BASE}`;
-export const GUI_LOCAL_HOST = `gui.${AGENT_INTERNAL_DOMAIN}`;
+export const GUI_LOCAL_HOST = `gui.${PLATFORM_INTERNAL_BASE}`;
-export const DOCS_LOCAL_HOST = `docs.${AGENT_INTERNAL_DOMAIN}`;
+export const DOCS_LOCAL_HOST = `docs.${PLATFORM_INTERNAL_BASE}`;
 export const AGENT_LOCAL_SITE_HOST = AGENT_INTERNAL_DOMAIN;
 
 function uniqueNames(names: string[]): string[] {