Merge develop into main

Consolidate all feature and fix branches into main: - feat: orchestrator observability + mosaic rails integration (#422) - fix: post-422 CI and compose env follow-up (#423) - fix: orchestrator startup provider-key requirements (#425) - fix: BetterAuth OAuth2 flow and compose wiring (#426) - fix: BetterAuth UUID ID generation (#427) - test: web vitest localStorage/file warnings (#428) - fix: auth frontend remediation + review hardening (#421) - Plus numerous Docker, deploy, and auth fixes from develop Lockfile conflict resolved by regenerating from merged package.json. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 14:40:55 -06:00
parent d66451cf48 eae55bc4a3
commit bc4c1f9c70
142 changed files with 5418 additions and 3594 deletions
--- a/.env.example
+++ b/.env.example
@@ -15,11 +15,19 @@ WEB_PORT=3000
 # ======================
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 NEXT_PUBLIC_API_URL=http://localhost:3001
 # Frontend auth mode:
 # - real: Normal auth/session flow
 # - mock: Local-only seeded user for FE development (blocked outside NODE_ENV=development)
 #   Use `mock` locally to continue FE work when auth flow is unstable.
 # If omitted, web runtime defaults:
 # - development -> mock
 # - production -> real
 NEXT_PUBLIC_AUTH_MODE=real
 # ======================
 # PostgreSQL Database
 # ======================
-# Bundled PostgreSQL (when database profile enabled)
+# Bundled PostgreSQL
 # SECURITY: Change POSTGRES_PASSWORD to a strong random password in production
 DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
 POSTGRES_USER=mosaic
@@ -28,7 +36,7 @@ POSTGRES_DB=mosaic
 POSTGRES_PORT=5432
 # External PostgreSQL (managed service)
-# Disable 'database' profile and point DATABASE_URL to your external instance
+# To use an external instance, update DATABASE_URL above
 # Example: DATABASE_URL=postgresql://user:pass@rds.amazonaws.com:5432/mosaic
 # PostgreSQL Performance Tuning (Optional)
@@ -39,7 +47,7 @@ POSTGRES_MAX_CONNECTIONS=100
 # ======================
 # Valkey Cache (Redis-compatible)
 # ======================
-# Bundled Valkey (when cache profile enabled)
+# Bundled Valkey
 VALKEY_URL=redis://valkey:6379
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
@@ -47,7 +55,7 @@ VALKEY_PORT=6379
 VALKEY_MAXMEMORY=256mb
 # External Redis/Valkey (managed service)
-# Disable 'cache' profile and point VALKEY_URL to your external instance
+# To use an external instance, update VALKEY_URL above
 # Example: VALKEY_URL=redis://elasticache.amazonaws.com:6379
 # Example with auth: VALKEY_URL=redis://:password@redis.example.com:6379
@@ -70,9 +78,9 @@ OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
 # Redirect URI must match what's configured in Authentik
-# Development: http://localhost:3001/auth/callback/authentik
+# Development: http://localhost:3001/auth/oauth2/callback/authentik
-# Production: https://api.mosaicstack.dev/auth/callback/authentik
+# Production: https://api.mosaicstack.dev/auth/oauth2/callback/authentik
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback/authentik
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 # Authentik PostgreSQL Database
 AUTHENTIK_POSTGRES_USER=authentik
@@ -116,6 +124,9 @@ JWT_EXPIRATION=24h
 # This is used by BetterAuth for session management and CSRF protection
 # Example: openssl rand -base64 32
 BETTER_AUTH_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
 # Optional explicit BetterAuth origin for callback/error URL generation.
 # When empty, backend falls back to NEXT_PUBLIC_API_URL.
 BETTER_AUTH_URL=
 # Trusted Origins (comma-separated list of additional trusted origins for CORS and auth)
 # These are added to NEXT_PUBLIC_APP_URL and NEXT_PUBLIC_API_URL automatically
@@ -244,12 +255,16 @@ MOSAIC_API_DOMAIN=api.mosaic.local
 MOSAIC_WEB_DOMAIN=mosaic.local
 MOSAIC_AUTH_DOMAIN=auth.mosaic.local
-# External Traefik network name (for upstream mode)
+# External Traefik network name (for upstream mode and swarm)
 # Must match the network name of your existing Traefik instance
 TRAEFIK_NETWORK=traefik-public
 TRAEFIK_DOCKER_NETWORK=traefik-public
 # TLS/SSL Configuration
 TRAEFIK_TLS_ENABLED=true
 TRAEFIK_ENTRYPOINT=websecure
 # Cert resolver name (leave empty if TLS is handled externally or using self-signed certs)
 TRAEFIK_CERTRESOLVER=
 # For Let's Encrypt (production):
 TRAEFIK_ACME_EMAIL=admin@example.com
 # For self-signed certificates (development), leave TRAEFIK_ACME_EMAIL empty
@@ -285,6 +300,15 @@ GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
 # The coordinator service uses this key to authenticate with the API
 COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
 # Anthropic API Key (used by coordinator for issue parsing)
 # Get your API key from: https://console.anthropic.com/
 ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
 # Coordinator tuning
 COORDINATOR_POLL_INTERVAL=5.0
 COORDINATOR_MAX_CONCURRENT_AGENTS=10
 COORDINATOR_ENABLED=true
 # ======================
 # Rate Limiting
 # ======================
@@ -329,16 +353,34 @@ RATE_LIMIT_STORAGE=redis
 # ======================
 # Matrix bot integration for chat-based control via Matrix protocol
 # Requires a Matrix account with an access token for the bot user
-# MATRIX_HOMESERVER_URL=https://matrix.example.com
+# Set these AFTER deploying Synapse and creating the bot account.
 # MATRIX_ACCESS_TOKEN=
 # MATRIX_BOT_USER_ID=@mosaic-bot:example.com
 # MATRIX_CONTROL_ROOM_ID=!roomid:example.com
 # MATRIX_WORKSPACE_ID=your-workspace-uuid
 #
 # SECURITY: MATRIX_WORKSPACE_ID must be a valid workspace UUID from your database.
 # All Matrix commands will execute within this workspace context for proper
 # multi-tenant isolation. Each Matrix bot instance should be configured for
 # a single workspace.
 MATRIX_HOMESERVER_URL=http://synapse:8008
 MATRIX_ACCESS_TOKEN=
 MATRIX_BOT_USER_ID=@mosaic-bot:matrix.example.com
 MATRIX_SERVER_NAME=matrix.example.com
 # MATRIX_CONTROL_ROOM_ID=!roomid:matrix.example.com
 # MATRIX_WORKSPACE_ID=your-workspace-uuid
 # ======================
 # Matrix / Synapse Deployment
 # ======================
 # Domains for Traefik routing to Matrix services
 MATRIX_DOMAIN=matrix.example.com
 ELEMENT_DOMAIN=chat.example.com
 # Synapse database (created automatically by synapse-db-init in the swarm compose)
 SYNAPSE_POSTGRES_DB=synapse
 SYNAPSE_POSTGRES_USER=synapse
 SYNAPSE_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_SYNAPSE_DB_PASSWORD
 # Image tags for Matrix services
 SYNAPSE_IMAGE_TAG=latest
 ELEMENT_IMAGE_TAG=latest
 # ======================
 # Orchestrator Configuration
@@ -350,6 +392,17 @@ RATE_LIMIT_STORAGE=redis
 # Health endpoints (/health/*) remain unauthenticated
 ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
 # Runtime safety defaults (recommended for low-memory hosts)
 MAX_CONCURRENT_AGENTS=2
 SESSION_CLEANUP_DELAY_MS=30000
 ORCHESTRATOR_QUEUE_NAME=orchestrator-tasks
 ORCHESTRATOR_QUEUE_CONCURRENCY=1
 ORCHESTRATOR_QUEUE_MAX_RETRIES=3
 ORCHESTRATOR_QUEUE_BASE_DELAY_MS=1000
 ORCHESTRATOR_QUEUE_MAX_DELAY_MS=60000
 SANDBOX_DEFAULT_MEMORY_MB=256
 SANDBOX_DEFAULT_CPU_LIMIT=1.0
 # ======================
 # AI Provider Configuration
 # ======================
@@ -363,11 +416,10 @@ AI_PROVIDER=ollama
 # For remote Ollama: http://your-ollama-server:11434
 OLLAMA_MODEL=llama3.1:latest
-# Claude API Configuration (when AI_PROVIDER=claude)
+# Claude API Key
-# OPTIONAL: Only required if AI_PROVIDER=claude
+# Required only when AI_PROVIDER=claude.
 # Get your API key from: https://console.anthropic.com/
-# Note: Claude Max subscription users should use AI_PROVIDER=ollama instead
+CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY
 # CLAUDE_API_KEY=sk-ant-...
 # OpenAI API Configuration (when AI_PROVIDER=openai)
 # OPTIONAL: Only required if AI_PROVIDER=openai
@@ -405,6 +457,9 @@ TTS_PREMIUM_URL=http://chatterbox-tts:8881/v1
 TTS_FALLBACK_ENABLED=false
 TTS_FALLBACK_URL=http://openedai-speech:8000/v1
 # Whisper model for Speaches STT engine
 SPEACHES_WHISPER_MODEL=Systran/faster-whisper-large-v3-turbo
 # Speech Service Limits
 # Maximum upload file size in bytes (default: 25MB)
 SPEECH_MAX_UPLOAD_SIZE=25000000
@@ -439,28 +494,6 @@ MOSAIC_TELEMETRY_INSTANCE_ID=your-instance-uuid-here
 # Useful for development and debugging telemetry payloads
 MOSAIC_TELEMETRY_DRY_RUN=false
 # ======================
 # Matrix Dev Environment (docker-compose.matrix.yml overlay)
 # ======================
 # These variables configure the local Matrix dev environment.
 # Only used when running: docker compose -f docker/docker-compose.yml -f docker/docker-compose.matrix.yml up
 #
 # Synapse homeserver
 # SYNAPSE_CLIENT_PORT=8008
 # SYNAPSE_FEDERATION_PORT=8448
 # SYNAPSE_POSTGRES_DB=synapse
 # SYNAPSE_POSTGRES_USER=synapse
 # SYNAPSE_POSTGRES_PASSWORD=synapse_dev_password
 #
 # Element Web client
 # ELEMENT_PORT=8501
 #
 # Matrix bridge connection (set after running docker/matrix/scripts/setup-bot.sh)
 # MATRIX_HOMESERVER_URL=http://localhost:8008
 # MATRIX_ACCESS_TOKEN=<obtained from setup-bot.sh>
 # MATRIX_BOT_USER_ID=@mosaic-bot:localhost
 # MATRIX_SERVER_NAME=localhost
 # ======================
 # Logging & Debugging
 # ======================
--- a/.env.prod.example
+++ b/.env.prod.example
@@ -1,66 +0,0 @@
 # ==============================================
 # Mosaic Stack Production Environment
 # ==============================================
 # Copy to .env and configure for production deployment
 # ======================
 # PostgreSQL Database
 # ======================
 # CRITICAL: Use a strong, unique password
 POSTGRES_USER=mosaic
 POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
 POSTGRES_DB=mosaic
 POSTGRES_SHARED_BUFFERS=256MB
 POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
 POSTGRES_MAX_CONNECTIONS=100
 # ======================
 # Valkey Cache
 # ======================
 VALKEY_MAXMEMORY=256mb
 # ======================
 # API Configuration
 # ======================
 API_PORT=3001
 API_HOST=0.0.0.0
 # ======================
 # Web Configuration
 # ======================
 WEB_PORT=3000
 NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev
 # ======================
 # Authentication (Authentik OIDC)
 # ======================
 OIDC_ISSUER=https://auth.diversecanvas.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
 OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
 # ======================
 # JWT Configuration
 # ======================
 # CRITICAL: Generate a random secret (openssl rand -base64 32)
 JWT_SECRET=REPLACE_WITH_RANDOM_SECRET
 JWT_EXPIRATION=24h
 # ======================
 # Traefik Integration
 # ======================
 # Set to true if using external Traefik
 TRAEFIK_ENABLE=true
 TRAEFIK_ENTRYPOINT=websecure
 TRAEFIK_TLS_ENABLED=true
 TRAEFIK_DOCKER_NETWORK=traefik-public
 TRAEFIK_CERTRESOLVER=letsencrypt
 # Domain configuration
 MOSAIC_API_DOMAIN=api.mosaicstack.dev
 MOSAIC_WEB_DOMAIN=app.mosaicstack.dev
 # ======================
 # Optional: Ollama
 # ======================
 # OLLAMA_ENDPOINT=http://ollama.diversecanvas.com:11434
--- a/.env.swarm.example
+++ b/.env.swarm.example
@@ -1,161 +0,0 @@
 # ==============================================
 # Mosaic Stack - Docker Swarm Configuration
 # ==============================================
 # Copy this file to .env for Docker Swarm deployment
 # ======================
 # Application Ports (Internal)
 # ======================
 API_PORT=3001
 API_HOST=0.0.0.0
 WEB_PORT=3000
 # ======================
 # Domain Configuration (Traefik)
 # ======================
 # These domains must be configured in your DNS or /etc/hosts
 MOSAIC_API_DOMAIN=api.mosaicstack.dev
 MOSAIC_WEB_DOMAIN=mosaic.mosaicstack.dev
 MOSAIC_AUTH_DOMAIN=auth.mosaicstack.dev
 # ======================
 # Web Configuration
 # ======================
 # Use the Traefik domain for the API URL
 NEXT_PUBLIC_APP_URL=http://mosaic.mosaicstack.dev
 NEXT_PUBLIC_API_URL=http://api.mosaicstack.dev
 # ======================
 # PostgreSQL Database
 # ======================
 DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
 POSTGRES_USER=mosaic
 POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
 POSTGRES_DB=mosaic
 POSTGRES_PORT=5432
 # PostgreSQL Performance Tuning
 POSTGRES_SHARED_BUFFERS=256MB
 POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
 POSTGRES_MAX_CONNECTIONS=100
 # ======================
 # Valkey Cache
 # ======================
 VALKEY_URL=redis://valkey:6379
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
 VALKEY_MAXMEMORY=256mb
 # Knowledge Module Cache Configuration
 KNOWLEDGE_CACHE_ENABLED=true
 KNOWLEDGE_CACHE_TTL=300
 # ======================
 # Authentication (Authentik OIDC)
 # ======================
 # NOTE: Authentik services are COMMENTED OUT in docker-compose.swarm.yml by default
 # Uncomment those services if you want to run Authentik internally
 # Otherwise, use external Authentik by configuring OIDC_* variables below
 # External Authentik Configuration (default)
 OIDC_ENABLED=true
 OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
 OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
 # Internal Authentik Configuration (only needed if uncommenting Authentik services)
 # Authentik PostgreSQL Database
 AUTHENTIK_POSTGRES_USER=authentik
 AUTHENTIK_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
 AUTHENTIK_POSTGRES_DB=authentik
 # Authentik Server Configuration
 AUTHENTIK_SECRET_KEY=REPLACE_WITH_RANDOM_SECRET_MINIMUM_50_CHARS
 AUTHENTIK_ERROR_REPORTING=false
 AUTHENTIK_BOOTSTRAP_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
 AUTHENTIK_BOOTSTRAP_EMAIL=admin@mosaicstack.dev
 AUTHENTIK_COOKIE_DOMAIN=.mosaicstack.dev
 # ======================
 # JWT Configuration
 # ======================
 JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
 JWT_EXPIRATION=24h
 # ======================
 # Encryption (Credential Security)
 # ======================
 # Generate with: openssl rand -hex 32
 ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING_GENERATE_WITH_OPENSSL_RAND_HEX_32
 # ======================
 # OpenBao Secrets Management
 # ======================
 OPENBAO_ADDR=http://openbao:8200
 OPENBAO_PORT=8200
 # For development only - remove in production
 OPENBAO_DEV_ROOT_TOKEN_ID=root
 # ======================
 # Ollama (Optional AI Service)
 # ======================
 OLLAMA_ENDPOINT=http://ollama:11434
 OLLAMA_PORT=11434
 OLLAMA_EMBEDDING_MODEL=mxbai-embed-large
 # Semantic Search Configuration
 SEMANTIC_SEARCH_SIMILARITY_THRESHOLD=0.5
 # ======================
 # OpenAI API (Optional)
 # ======================
 # OPENAI_API_KEY=sk-...
 # ======================
 # Application Environment
 # ======================
 NODE_ENV=production
 # ======================
 # Gitea Integration (Coordinator)
 # ======================
 GITEA_URL=https://git.mosaicstack.dev
 GITEA_BOT_USERNAME=mosaic
 GITEA_BOT_TOKEN=REPLACE_WITH_COORDINATOR_BOT_API_TOKEN
 GITEA_BOT_PASSWORD=REPLACE_WITH_COORDINATOR_BOT_PASSWORD
 GITEA_REPO_OWNER=mosaic
 GITEA_REPO_NAME=stack
 GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
 COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
 # ======================
 # Coordinator Service
 # ======================
 ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
 COORDINATOR_POLL_INTERVAL=5.0
 COORDINATOR_MAX_CONCURRENT_AGENTS=10
 COORDINATOR_ENABLED=true
 # ======================
 # Rate Limiting
 # ======================
 RATE_LIMIT_TTL=60
 RATE_LIMIT_GLOBAL_LIMIT=100
 RATE_LIMIT_WEBHOOK_LIMIT=60
 RATE_LIMIT_COORDINATOR_LIMIT=100
 RATE_LIMIT_HEALTH_LIMIT=300
 RATE_LIMIT_STORAGE=redis
 # ======================
 # Orchestrator Configuration
 # ======================
 ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
 CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY
 # ======================
 # Logging & Debugging
 # ======================
 LOG_LEVEL=info
 DEBUG=false
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,13 @@ yarn-error.log*
 # Orchestrator reports (generated by QA automation, cleaned up after processing)
 docs/reports/qa-automation/
 # Repo-local orchestrator runtime artifacts
 .mosaic/orchestrator/orchestrator.pid
 .mosaic/orchestrator/state.json
 .mosaic/orchestrator/tasks.json
 .mosaic/orchestrator/matrix_state.json
 .mosaic/orchestrator/logs/*.log
 .mosaic/orchestrator/results/*
 !.mosaic/orchestrator/logs/.gitkeep
 !.mosaic/orchestrator/results/.gitkeep
--- a/.mosaic/README.md
+++ b/.mosaic/README.md
@@ -4,12 +4,12 @@ This repository is attached to the machine-wide Mosaic framework.
 ## Load Order for Agents
-1. `~/.mosaic/STANDARDS.md`
+1. `~/.config/mosaic/STANDARDS.md`
 2. `AGENTS.md` (this repository)
 3. `.mosaic/repo-hooks.sh` (repo-specific automation hooks)
 ## Purpose
- Keep universal standards in `~/.mosaic`
+- Keep universal standards in `~/.config/mosaic`
 - Keep repo-specific behavior in this repo
 - Avoid copying large runtime configs into each project
--- a/.mosaic/orchestrator/config.json
+++ b/.mosaic/orchestrator/config.json
@@ -0,0 +1,18 @@
 {
  "enabled": true,
  "transport": "matrix",
  "matrix": {
    "control_room_id": "",
    "workspace_id": "",
    "homeserver_url": "",
    "access_token": "",
    "bot_user_id": ""
  },
  "worker": {
    "runtime": "codex",
    "command_template": "bash scripts/agent/orchestrator-worker.sh {task_file}",
    "timeout_seconds": 7200,
    "max_attempts": 1
  },
  "quality_gates": ["pnpm lint", "pnpm typecheck", "pnpm test"]
 }
--- a/.mosaic/orchestrator/logs/.gitkeep
+++ b/.mosaic/orchestrator/logs/.gitkeep
@@ -0,0 +1 @@
--- a/.mosaic/orchestrator/results/.gitkeep
+++ b/.mosaic/orchestrator/results/.gitkeep
@@ -0,0 +1 @@
--- a/.mosaic/quality-rails.yml
+++ b/.mosaic/quality-rails.yml
@@ -0,0 +1,10 @@
 enabled: false
 template: ""
 # Set enabled: true and choose one template:
 # - typescript-node
 # - typescript-nextjs
 # - monorepo
 #
 # Apply manually:
 #   ~/.config/mosaic/bin/mosaic-quality-apply --template <template> --target <repo>
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -113,7 +113,7 @@ steps:
      ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    commands:
      - *use_deps
-      - pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts'
+      - pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts' --exclude 'src/mosaic-telemetry/mosaic-telemetry.module.spec.ts'
    depends_on:
      - prisma-migrate
@@ -155,7 +155,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/api/Dockerfile $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
--- a/.woodpecker/coordinator.yml
+++ b/.woodpecker/coordinator.yml
@@ -95,7 +95,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
        fi
-        /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile $DESTINATIONS
+        /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
--- a/.woodpecker/infra.yml
+++ b/.woodpecker/infra.yml
@@ -39,7 +39,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
        fi
-        /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile $DESTINATIONS
+        /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
@@ -64,7 +64,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
        fi
-        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile $DESTINATIONS
+        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -112,7 +112,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -123,7 +123,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
    when:
      - branch: [main, develop]
        event: [push, manual, tag]
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -3,7 +3,7 @@
 ## Load Order
 1. `SOUL.md` (repo identity + behavior invariants)
-2. `~/.mosaic/STANDARDS.md` (machine-wide standards rails)
+2. `~/.config/mosaic/STANDARDS.md` (machine-wide standards rails)
 3. `AGENTS.md` (repo-specific overlay)
 4. `.mosaic/repo-hooks.sh` (repo lifecycle hooks)
@@ -11,7 +11,7 @@
 - This file is authoritative for repo-local operations.
 - `CLAUDE.md` is a compatibility pointer to `AGENTS.md`.
- Follow universal rails from `~/.mosaic/guides/` and `~/.mosaic/rails/`.
+- Follow universal rails from `~/.config/mosaic/guides/` and `~/.config/mosaic/rails/`.
 ## Session Lifecycle
@@ -25,6 +25,8 @@ Optional:
 ```bash
 bash scripts/agent/log-limitation.sh "Short Name"
 bash scripts/agent/orchestrator-daemon.sh status
 bash scripts/agent/orchestrator-events.sh recent --limit 50
 ```
 ## Repo Context
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,14 +1,10 @@
-# Compatibility Pointer
+# CLAUDE Compatibility Pointer
-This repository uses an agent-neutral Mosaic standards model.
+This file exists so Claude Code sessions load Mosaic standards.
-Authoritative repo guidance is in `AGENTS.md`.
+## MANDATORY — Read Before Any Response
-Load order for Claude sessions:
+BEFORE responding to any user message, READ `~/.config/mosaic/AGENTS.md`.
-1. `SOUL.md`
+That file is the universal agent configuration. Do NOT respond until you have loaded it.
-2. `~/.mosaic/STANDARDS.md`
+Then read the project-local `AGENTS.md` in this repository for project-specific guidance.
 3. `AGENTS.md`
 4. `.mosaic/repo-hooks.sh`
 If you were started from `CLAUDE.md`, continue by reading `AGENTS.md` now.
--- a/SOUL.md
+++ b/SOUL.md
@@ -10,7 +10,7 @@ You are Jarvis for the Mosaic Stack repository, running on the current agent run
 - Be calm and clear: keep responses concise, chunked, and PDA-friendly.
 - Respect canonical sources:
  - Repo operations and conventions: `AGENTS.md`
-  - Machine-wide rails: `~/.mosaic/STANDARDS.md`
+  - Machine-wide rails: `~/.config/mosaic/STANDARDS.md`
  - Repo lifecycle hooks: `.mosaic/repo-hooks.sh`
 ## Guardrails
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -1,6 +1,3 @@
 # syntax=docker/dockerfile:1
 # Enable BuildKit features for cache mounts
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
 # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/
-# Install dependencies with pnpm store cache
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+RUN pnpm install --frozen-lockfile
    pnpm install --frozen-lockfile
 # ======================
 # Builder stage
@@ -57,15 +53,14 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 FROM node:24-slim AS production
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
+# Install dumb-init for proper signal handling (static binary from GitHub,
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-# Install dumb-init for proper signal handling
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
-    && rm -rf /var/lib/apt/lists/*
+    && chmod 755 /usr/local/bin/dumb-init \
-
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 # Create non-root user
 RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 WORKDIR /app
--- a/apps/api/src/auth/auth-rls.integration.spec.ts
+++ b/apps/api/src/auth/auth-rls.integration.spec.ts
@@ -12,7 +12,10 @@ import { PrismaClient, Prisma } from "@prisma/client";
 import { randomUUID as uuid } from "crypto";
 import { runWithRlsClient, getRlsClient } from "../prisma/rls-context.provider";
-describe.skipIf(!process.env.DATABASE_URL)(
+const shouldRunDbIntegrationTests =
  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
 describe.skipIf(!shouldRunDbIntegrationTests)(
  "Auth Tables RLS Policies (requires DATABASE_URL)",
  () => {
    let prisma: PrismaClient;
@@ -28,7 +31,7 @@ describe.skipIf(!process.env.DATABASE_URL)(
    beforeAll(async () => {
      // Skip setup if DATABASE_URL is not available
-      if (!process.env.DATABASE_URL) {
+      if (!shouldRunDbIntegrationTests) {
        return;
      }
@@ -49,7 +52,7 @@ describe.skipIf(!process.env.DATABASE_URL)(
    afterAll(async () => {
      // Skip cleanup if DATABASE_URL is not available or prisma not initialized
-      if (!process.env.DATABASE_URL || !prisma) {
+      if (!shouldRunDbIntegrationTests || !prisma) {
        return;
      }
--- a/apps/api/src/auth/auth.config.spec.ts
+++ b/apps/api/src/auth/auth.config.spec.ts
@@ -18,7 +18,13 @@ vi.mock("better-auth/adapters/prisma", () => ({
  prismaAdapter: (...args: unknown[]) => mockPrismaAdapter(...args),
 }));
-import { isOidcEnabled, validateOidcConfig, createAuth, getTrustedOrigins } from "./auth.config";
+import {
  isOidcEnabled,
  validateOidcConfig,
  createAuth,
  getTrustedOrigins,
  getBetterAuthBaseUrl,
 } from "./auth.config";
 describe("auth.config", () => {
  // Store original env vars to restore after each test
@@ -32,6 +38,7 @@ describe("auth.config", () => {
    delete process.env.OIDC_CLIENT_SECRET;
    delete process.env.OIDC_REDIRECT_URI;
    delete process.env.NODE_ENV;
    delete process.env.BETTER_AUTH_URL;
    delete process.env.NEXT_PUBLIC_APP_URL;
    delete process.env.NEXT_PUBLIC_API_URL;
    delete process.env.TRUSTED_ORIGINS;
@@ -95,7 +102,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_ISSUER is missing", () => {
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
        expect(() => validateOidcConfig()).toThrow("OIDC authentication is enabled");
@@ -104,7 +111,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_ID is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_ID");
      });
@@ -112,7 +119,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_SECRET is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_SECRET");
      });
@@ -146,7 +153,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "   ";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
      });
@@ -155,7 +162,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER must end with a trailing slash");
        expect(() => validateOidcConfig()).toThrow("https://auth.example.com/application/o/mosaic");
@@ -165,7 +172,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
        expect(() => validateOidcConfig()).not.toThrow();
      });
@@ -189,30 +196,30 @@ describe("auth.config", () => {
          expect(() => validateOidcConfig()).toThrow("Parse error:");
        });
-        it("should throw when OIDC_REDIRECT_URI path does not start with /auth/callback", () => {
+        it("should throw when OIDC_REDIRECT_URI path does not start with /auth/oauth2/callback", () => {
          process.env.OIDC_REDIRECT_URI = "https://app.example.com/oauth/callback";
          expect(() => validateOidcConfig()).toThrow(
-            'OIDC_REDIRECT_URI path must start with "/auth/callback"'
+            'OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback"'
          );
          expect(() => validateOidcConfig()).toThrow("/oauth/callback");
        });
-        it("should accept a valid OIDC_REDIRECT_URI with /auth/callback path", () => {
+        it("should accept a valid OIDC_REDIRECT_URI with /auth/oauth2/callback path", () => {
-          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
          expect(() => validateOidcConfig()).not.toThrow();
        });
-        it("should accept OIDC_REDIRECT_URI with exactly /auth/callback path", () => {
+        it("should accept OIDC_REDIRECT_URI with exactly /auth/oauth2/callback path", () => {
-          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback";
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback";
          expect(() => validateOidcConfig()).not.toThrow();
        });
        it("should warn but not throw when using localhost in production", () => {
          process.env.NODE_ENV = "production";
-          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";
          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -226,7 +233,7 @@ describe("auth.config", () => {
        it("should warn but not throw when using 127.0.0.1 in production", () => {
          process.env.NODE_ENV = "production";
-          process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/oauth2/callback/authentik";
          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -240,7 +247,7 @@ describe("auth.config", () => {
        it("should not warn about localhost when not in production", () => {
          process.env.NODE_ENV = "development";
-          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";
          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -265,16 +272,19 @@ describe("auth.config", () => {
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_ID = "test-client-id";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
      expect(mockGenericOAuth).toHaveBeenCalledOnce();
      const callArgs = mockGenericOAuth.mock.calls[0][0] as {
-        config: Array<{ pkce?: boolean }>;
+        config: Array<{ pkce?: boolean; redirectURI?: string }>;
      };
      expect(callArgs.config[0].pkce).toBe(true);
      expect(callArgs.config[0].redirectURI).toBe(
        "https://app.example.com/auth/oauth2/callback/authentik"
      );
    });
    it("should not call genericOAuth when OIDC is disabled", () => {
@@ -290,7 +300,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_CLIENT_ID deliberately not set
      // validateOidcConfig will throw first, so we need to bypass it
@@ -307,7 +317,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_ID = "test-client-id";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_CLIENT_SECRET deliberately not set
      const mockPrisma = {} as PrismaClient;
@@ -318,7 +328,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_CLIENT_ID = "test-client-id";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_ISSUER deliberately not set
      const mockPrisma = {} as PrismaClient;
@@ -354,8 +364,7 @@ describe("auth.config", () => {
    });
    it("should parse TRUSTED_ORIGINS comma-separated values", () => {
-      process.env.TRUSTED_ORIGINS =
+      process.env.TRUSTED_ORIGINS = "https://app.mosaicstack.dev,https://api.mosaicstack.dev";
        "https://app.mosaicstack.dev,https://api.mosaicstack.dev";
      const origins = getTrustedOrigins();
@@ -364,8 +373,7 @@ describe("auth.config", () => {
    });
    it("should trim whitespace from TRUSTED_ORIGINS entries", () => {
-      process.env.TRUSTED_ORIGINS =
+      process.env.TRUSTED_ORIGINS = " https://app.mosaicstack.dev , https://api.mosaicstack.dev ";
        " https://app.mosaicstack.dev , https://api.mosaicstack.dev ";
      const origins = getTrustedOrigins();
@@ -516,6 +524,21 @@ describe("auth.config", () => {
      expect(config.session.updateAge).toBe(7200);
    });
    it("should configure BetterAuth database ID generation as UUID", () => {
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
      expect(mockBetterAuth).toHaveBeenCalledOnce();
      const config = mockBetterAuth.mock.calls[0][0] as {
        advanced: {
          database: {
            generateId: string;
          };
        };
      };
      expect(config.advanced.database.generateId).toBe("uuid");
    });
    it("should set httpOnly cookie attribute to true", () => {
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
@@ -552,6 +575,7 @@ describe("auth.config", () => {
    it("should set secure cookie attribute to true in production", () => {
      process.env.NODE_ENV = "production";
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
@@ -624,4 +648,69 @@ describe("auth.config", () => {
      expect(config.advanced.defaultCookieAttributes.domain).toBeUndefined();
    });
  });
  describe("getBetterAuthBaseUrl", () => {
    it("should prefer BETTER_AUTH_URL when set", () => {
      process.env.BETTER_AUTH_URL = "https://auth-base.example.com";
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      expect(getBetterAuthBaseUrl()).toBe("https://auth-base.example.com");
    });
    it("should fall back to NEXT_PUBLIC_API_URL when BETTER_AUTH_URL is not set", () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      expect(getBetterAuthBaseUrl()).toBe("https://api.example.com");
    });
    it("should throw when base URL is invalid", () => {
      process.env.BETTER_AUTH_URL = "not-a-url";
      expect(() => getBetterAuthBaseUrl()).toThrow("BetterAuth base URL must be a valid URL");
    });
    it("should throw when base URL is missing in production", () => {
      process.env.NODE_ENV = "production";
      expect(() => getBetterAuthBaseUrl()).toThrow("Missing BetterAuth base URL in production");
    });
    it("should throw when base URL is not https in production", () => {
      process.env.NODE_ENV = "production";
      process.env.BETTER_AUTH_URL = "http://api.example.com";
      expect(() => getBetterAuthBaseUrl()).toThrow(
        "BetterAuth base URL must use https in production"
      );
    });
  });
  describe("createAuth - baseURL wiring", () => {
    beforeEach(() => {
      mockBetterAuth.mockClear();
      mockPrismaAdapter.mockClear();
    });
    it("should pass BETTER_AUTH_URL into BetterAuth config", () => {
      process.env.BETTER_AUTH_URL = "https://api.mosaicstack.dev";
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
      expect(mockBetterAuth).toHaveBeenCalledOnce();
      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
      expect(config.baseURL).toBe("https://api.mosaicstack.dev");
    });
    it("should pass NEXT_PUBLIC_API_URL into BetterAuth config when BETTER_AUTH_URL is absent", () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.fallback.dev";
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
      expect(mockBetterAuth).toHaveBeenCalledOnce();
      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
      expect(config.baseURL).toBe("https://api.fallback.dev");
    });
  });
 });
--- a/apps/api/src/auth/auth.config.ts
+++ b/apps/api/src/auth/auth.config.ts
@@ -13,6 +13,41 @@ const REQUIRED_OIDC_ENV_VARS = [
  "OIDC_REDIRECT_URI",
 ] as const;
 /**
 * Resolve BetterAuth base URL from explicit auth URL or API URL.
 * BetterAuth uses this to generate absolute callback/error URLs.
 */
 export function getBetterAuthBaseUrl(): string | undefined {
  const configured = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_API_URL;
  if (!configured || configured.trim() === "") {
    if (process.env.NODE_ENV === "production") {
      throw new Error(
        "Missing BetterAuth base URL in production. Set BETTER_AUTH_URL (preferred) or NEXT_PUBLIC_API_URL."
      );
    }
    return undefined;
  }
  let parsed: URL;
  try {
    parsed = new URL(configured);
  } catch (urlError: unknown) {
    const detail = urlError instanceof Error ? urlError.message : String(urlError);
    throw new Error(
      `BetterAuth base URL must be a valid URL. Current value: "${configured}". Parse error: ${detail}.`
    );
  }
  if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
    throw new Error(
      `BetterAuth base URL must use https in production. Current value: "${configured}".`
    );
  }
  return parsed.origin;
 }
 /**
 * Check if OIDC authentication is enabled via environment variable
 */
@@ -58,17 +93,17 @@ export function validateOidcConfig(): void {
    );
  }
-  // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/callback path
+  // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/oauth2/callback path
  validateRedirectUri();
 }
 /**
 * Validates the OIDC_REDIRECT_URI environment variable.
 * - Must be a parseable URL
- * - Path must start with /auth/callback
+ * - Path must start with /auth/oauth2/callback
 * - Warns (but does not throw) if using localhost in production
 *
- * @throws Error if URL is invalid or path does not start with /auth/callback
+ * @throws Error if URL is invalid or path does not start with /auth/oauth2/callback
 */
 function validateRedirectUri(): void {
  const redirectUri = process.env.OIDC_REDIRECT_URI;
@@ -85,14 +120,14 @@ function validateRedirectUri(): void {
    throw new Error(
      `OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` +
        `Parse error: ${detail}. ` +
-        `Example: "https://app.example.com/auth/callback/authentik".`
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
    );
  }
-  if (!parsed.pathname.startsWith("/auth/callback")) {
+  if (!parsed.pathname.startsWith("/auth/oauth2/callback")) {
    throw new Error(
-      `OIDC_REDIRECT_URI path must start with "/auth/callback". Current path: "${parsed.pathname}". ` +
+      `OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback". Current path: "${parsed.pathname}". ` +
-        `Example: "https://app.example.com/auth/callback/authentik".`
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
    );
  }
@@ -119,6 +154,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
  const clientId = process.env.OIDC_CLIENT_ID;
  const clientSecret = process.env.OIDC_CLIENT_SECRET;
  const issuer = process.env.OIDC_ISSUER;
  const redirectUri = process.env.OIDC_REDIRECT_URI;
  if (!clientId) {
    throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
@@ -129,6 +165,9 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
  if (!issuer) {
    throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
  }
  if (!redirectUri) {
    throw new Error("OIDC_REDIRECT_URI is required when OIDC is enabled but was not set.");
  }
  return [
    genericOAuth({
@@ -138,6 +177,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
          clientId,
          clientSecret,
          discoveryUrl: `${issuer}.well-known/openid-configuration`,
          redirectURI: redirectUri,
          pkce: true,
          scopes: ["openid", "profile", "email"],
        },
@@ -202,7 +242,10 @@ export function createAuth(prisma: PrismaClient) {
  // Validate OIDC configuration at startup - fail fast if misconfigured
  validateOidcConfig();
  const baseURL = getBetterAuthBaseUrl();
  return betterAuth({
    baseURL,
    basePath: "/auth",
    database: prismaAdapter(prisma, {
      provider: "postgresql",
@@ -216,6 +259,10 @@ export function createAuth(prisma: PrismaClient) {
      updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
    },
    advanced: {
      database: {
        // BetterAuth's default ID generator emits opaque strings; our auth tables use UUID PKs.
        generateId: "uuid",
      },
      defaultCookieAttributes: {
        httpOnly: true,
        secure: process.env.NODE_ENV === "production",
--- a/apps/api/src/auth/auth.controller.spec.ts
+++ b/apps/api/src/auth/auth.controller.spec.ts
@@ -102,11 +102,46 @@ describe("AuthController", () => {
        expect(err).toBeInstanceOf(HttpException);
        expect((err as HttpException).getStatus()).toBe(HttpStatus.INTERNAL_SERVER_ERROR);
        expect((err as HttpException).getResponse()).toBe(
-          "Unable to complete authentication. Please try again in a moment.",
+          "Unable to complete authentication. Please try again in a moment."
        );
      }
    });
    it("should preserve better-call status and body for handler APIError", async () => {
      const apiError = {
        statusCode: HttpStatus.BAD_REQUEST,
        message: "Invalid OAuth configuration",
        body: {
          message: "Invalid OAuth configuration",
          code: "INVALID_OAUTH_CONFIGURATION",
        },
      };
      mockNodeHandler.mockRejectedValueOnce(apiError);
      const mockRequest = {
        method: "POST",
        url: "/auth/sign-in/oauth2",
        headers: {},
        ip: "192.168.1.10",
        socket: { remoteAddress: "192.168.1.10" },
      } as unknown as ExpressRequest;
      const mockResponse = {
        headersSent: false,
      } as unknown as ExpressResponse;
      try {
        await controller.handleAuth(mockRequest, mockResponse);
        expect.unreachable("Expected HttpException to be thrown");
      } catch (err) {
        expect(err).toBeInstanceOf(HttpException);
        expect((err as HttpException).getStatus()).toBe(HttpStatus.BAD_REQUEST);
        expect((err as HttpException).getResponse()).toMatchObject({
          message: "Invalid OAuth configuration",
        });
      }
    });
    it("should log warning and not throw when handler throws after headers sent", async () => {
      const handlerError = new Error("Stream interrupted");
      mockNodeHandler.mockRejectedValueOnce(handlerError);
@@ -142,9 +177,7 @@ describe("AuthController", () => {
        headersSent: false,
      } as unknown as ExpressResponse;
-      await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(
+      await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(HttpException);
        HttpException,
      );
    });
  });
@@ -187,7 +220,7 @@ describe("AuthController", () => {
        OIDC_CLIENT_SECRET: "test-client-secret",
        OIDC_CLIENT_ID: "test-client-id",
        OIDC_ISSUER: "https://auth.test.com/",
-        OIDC_REDIRECT_URI: "https://app.test.com/auth/callback/authentik",
+        OIDC_REDIRECT_URI: "https://app.test.com/auth/oauth2/callback/authentik",
        BETTER_AUTH_SECRET: "test-better-auth-secret",
        JWT_SECRET: "test-jwt-secret",
        CSRF_SECRET: "test-csrf-secret",
@@ -296,11 +329,9 @@ describe("AuthController", () => {
        },
      };
      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
+        "Missing authentication context"
      );
      expect(() => controller.getSession(mockRequest as never)).toThrow(
        "Missing authentication context",
      );
    });
@@ -313,22 +344,18 @@ describe("AuthController", () => {
        },
      };
      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
+        "Missing authentication context"
      );
      expect(() => controller.getSession(mockRequest as never)).toThrow(
        "Missing authentication context",
      );
    });
    it("should throw UnauthorizedException when both req.user and req.session are undefined", () => {
      const mockRequest = {};
      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
+        "Missing authentication context"
      );
      expect(() => controller.getSession(mockRequest as never)).toThrow(
        "Missing authentication context",
      );
    });
  });
@@ -401,9 +428,7 @@ describe("AuthController", () => {
      await controller.handleAuth(mockRequest, mockResponse);
-      expect(debugSpy).toHaveBeenCalledWith(
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
        expect.stringContaining("203.0.113.50"),
      );
    });
    it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => {
@@ -423,13 +448,9 @@ describe("AuthController", () => {
      await controller.handleAuth(mockRequest, mockResponse);
-      expect(debugSpy).toHaveBeenCalledWith(
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
        expect.stringContaining("203.0.113.50"),
      );
      // Ensure it does NOT contain the second IP in the extracted position
-      expect(debugSpy).toHaveBeenCalledWith(
+      expect(debugSpy).toHaveBeenCalledWith(expect.not.stringContaining("70.41.3.18"));
        expect.not.stringContaining("70.41.3.18"),
      );
    });
    it("should extract first IP from X-Forwarded-For as array", async () => {
@@ -449,9 +470,7 @@ describe("AuthController", () => {
      await controller.handleAuth(mockRequest, mockResponse);
-      expect(debugSpy).toHaveBeenCalledWith(
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
        expect.stringContaining("203.0.113.50"),
      );
    });
    it("should fallback to req.ip when no X-Forwarded-For header", async () => {
@@ -471,9 +490,7 @@ describe("AuthController", () => {
      await controller.handleAuth(mockRequest, mockResponse);
-      expect(debugSpy).toHaveBeenCalledWith(
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("192.168.1.100"));
        expect.stringContaining("192.168.1.100"),
      );
    });
  });
 });
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -133,6 +133,11 @@ export class AuthController {
      );
      if (!res.headersSent) {
        const mappedError = this.mapToHttpException(error);
        if (mappedError) {
          throw mappedError;
        }
        throw new HttpException(
          "Unable to complete authentication. Please try again in a moment.",
          HttpStatus.INTERNAL_SERVER_ERROR
@@ -159,4 +164,45 @@ export class AuthController {
    // Fall back to direct IP
    return req.ip ?? req.socket.remoteAddress ?? "unknown";
  }
  /**
   * Preserve known HTTP errors from BetterAuth/better-call instead of converting
   * every failure into a generic 500.
   */
  private mapToHttpException(error: unknown): HttpException | null {
    if (error instanceof HttpException) {
      return error;
    }
    if (!error || typeof error !== "object") {
      return null;
    }
    const statusCode = "statusCode" in error ? error.statusCode : undefined;
    if (!this.isHttpStatus(statusCode)) {
      return null;
    }
    const responseBody = "body" in error && error.body !== undefined ? error.body : undefined;
    if (
      responseBody !== undefined &&
      responseBody !== null &&
      (typeof responseBody === "string" || typeof responseBody === "object")
    ) {
      return new HttpException(responseBody, statusCode);
    }
    const message =
      "message" in error && typeof error.message === "string" && error.message.length > 0
        ? error.message
        : "Authentication request failed";
    return new HttpException(message, statusCode);
  }
  private isHttpStatus(value: unknown): value is number {
    if (typeof value !== "number" || !Number.isInteger(value)) {
      return false;
    }
    return value >= 400 && value <= 599;
  }
 }
--- a/apps/api/src/auth/auth.service.spec.ts
+++ b/apps/api/src/auth/auth.service.spec.ts
@@ -410,7 +410,7 @@ describe("AuthService", () => {
      },
    };
-    it("should return session data for valid token", async () => {
+    it("should validate session token using secure BetterAuth cookie header", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
      auth.api = { getSession: mockGetSession } as any;
@@ -418,7 +418,58 @@ describe("AuthService", () => {
      const result = await service.verifySession("valid-token");
      expect(result).toEqual(mockSessionData);
      expect(mockGetSession).toHaveBeenCalledTimes(1);
      expect(mockGetSession).toHaveBeenCalledWith({
        headers: {
          cookie: "__Secure-better-auth.session_token=valid-token",
        },
      });
    });
    it("should preserve raw cookie token value without URL re-encoding", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
      auth.api = { getSession: mockGetSession } as any;
      const result = await service.verifySession("tok/with+=chars=");
      expect(result).toEqual(mockSessionData);
      expect(mockGetSession).toHaveBeenCalledWith({
        headers: {
          cookie: "__Secure-better-auth.session_token=tok/with+=chars=",
        },
      });
    });
    it("should fall back to Authorization header when cookie-based lookups miss", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi
        .fn()
        .mockResolvedValueOnce(null)
        .mockResolvedValueOnce(null)
        .mockResolvedValueOnce(null)
        .mockResolvedValueOnce(mockSessionData);
      auth.api = { getSession: mockGetSession } as any;
      const result = await service.verifySession("valid-token");
      expect(result).toEqual(mockSessionData);
      expect(mockGetSession).toHaveBeenNthCalledWith(1, {
        headers: {
          cookie: "__Secure-better-auth.session_token=valid-token",
        },
      });
      expect(mockGetSession).toHaveBeenNthCalledWith(2, {
        headers: {
          cookie: "better-auth.session_token=valid-token",
        },
      });
      expect(mockGetSession).toHaveBeenNthCalledWith(3, {
        headers: {
          cookie: "__Host-better-auth.session_token=valid-token",
        },
      });
      expect(mockGetSession).toHaveBeenNthCalledWith(4, {
        headers: {
          authorization: "Bearer valid-token",
        },
@@ -517,14 +568,10 @@ describe("AuthService", () => {
    it("should re-throw 'certificate has expired' as infrastructure error (not auth)", async () => {
      const auth = service.getAuth();
-      const mockGetSession = vi
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("certificate has expired"));
        .fn()
        .mockRejectedValue(new Error("certificate has expired"));
      auth.api = { getSession: mockGetSession } as any;
-      await expect(service.verifySession("any-token")).rejects.toThrow(
+      await expect(service.verifySession("any-token")).rejects.toThrow("certificate has expired");
        "certificate has expired"
      );
    });
    it("should re-throw 'Unauthorized: Access denied for user' as infrastructure error (not auth)", async () => {
--- a/apps/api/src/auth/auth.service.ts
+++ b/apps/api/src/auth/auth.service.ts
@@ -21,6 +21,10 @@ interface VerifiedSession {
  session: Record<string, unknown>;
 }
 interface SessionHeaderCandidate {
  headers: Record<string, string>;
 }
@Injectable()
 export class AuthService {
  private readonly logger = new Logger(AuthService.name);
@@ -103,16 +107,15 @@ export class AuthService {
   * Only known-safe auth errors return null; everything else propagates as 500.
   */
  async verifySession(token: string): Promise<VerifiedSession | null> {
    let sawNonError = false;
    for (const candidate of this.buildSessionHeaderCandidates(token)) {
      try {
        // TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
-      const session = await this.auth.api.getSession({
+        const session = await this.auth.api.getSession(candidate);
        headers: {
          authorization: `Bearer ${token}`,
        },
      });
        if (!session) {
-        return null;
+          continue;
        }
        return {
@@ -120,19 +123,11 @@ export class AuthService {
          session: session.session as Record<string, unknown>,
        };
      } catch (error: unknown) {
      // Only known-safe auth errors return null
        if (error instanceof Error) {
-        const msg = error.message.toLowerCase();
+          if (this.isExpectedAuthError(error.message)) {
-        const isExpectedAuthError =
+            continue;
-          msg.includes("invalid token") ||
+          }
          msg.includes("token expired") ||
          msg.includes("session expired") ||
          msg.includes("session not found") ||
          msg.includes("invalid session") ||
          msg === "unauthorized" ||
          msg === "expired";
        if (!isExpectedAuthError) {
          // Infrastructure or unexpected — propagate as 500
          const safeMessage = (error.stack ?? error.message).replace(
            /Bearer\s+\S+/gi,
@@ -141,14 +136,55 @@ export class AuthService {
          this.logger.error("Session verification failed due to unexpected error", safeMessage);
          throw error;
        }
-      }
+
-      // Non-Error thrown values — log for observability, treat as auth failure
+        // Non-Error thrown values — log once for observability, treat as auth failure
-      if (!(error instanceof Error)) {
+        if (!sawNonError) {
          const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
          this.logger.warn("Session verification received non-Error thrown value", errorDetail);
          sawNonError = true;
        }
      }
    }
    return null;
  }
  private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
    return [
      {
        headers: {
          cookie: `__Secure-better-auth.session_token=${token}`,
        },
      },
      {
        headers: {
          cookie: `better-auth.session_token=${token}`,
        },
      },
      {
        headers: {
          cookie: `__Host-better-auth.session_token=${token}`,
        },
      },
      {
        headers: {
          authorization: `Bearer ${token}`,
        },
      },
    ];
  }
  private isExpectedAuthError(message: string): boolean {
    const normalized = message.toLowerCase();
    return (
      normalized.includes("invalid token") ||
      normalized.includes("token expired") ||
      normalized.includes("session expired") ||
      normalized.includes("session not found") ||
      normalized.includes("invalid session") ||
      normalized === "unauthorized" ||
      normalized === "expired"
    );
  }
  /**
--- a/apps/api/src/auth/guards/auth.guard.ts
+++ b/apps/api/src/auth/guards/auth.guard.ts
@@ -1,10 +1,18 @@
-import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from "@nestjs/common";
+import {
  Injectable,
  CanActivate,
  ExecutionContext,
  UnauthorizedException,
  Logger,
 } from "@nestjs/common";
 import { AuthService } from "../auth.service";
 import type { AuthUser } from "@mosaic/shared";
 import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface";
@Injectable()
 export class AuthGuard implements CanActivate {
  private readonly logger = new Logger(AuthGuard.name);
  constructor(private readonly authService: AuthService) {}
  async canActivate(context: ExecutionContext): Promise<boolean> {
@@ -59,7 +67,8 @@ export class AuthGuard implements CanActivate {
  }
  /**
-   * Extract token from cookie (BetterAuth stores session token in better-auth.session_token cookie)
+   * Extract token from cookie.
   * BetterAuth may prefix the cookie name with "__Secure-" when running on HTTPS.
   */
  private extractTokenFromCookie(request: MaybeAuthenticatedRequest): string | undefined {
    // Express types `cookies` as `any`; cast to a known shape for type safety.
@@ -68,8 +77,23 @@ export class AuthGuard implements CanActivate {
      return undefined;
    }
-    // BetterAuth uses 'better-auth.session_token' as the cookie name by default
+    // BetterAuth default cookie name is "better-auth.session_token"
-    return cookies["better-auth.session_token"];
+    // When Secure cookies are enabled, BetterAuth prefixes with "__Secure-".
    const candidates = [
      "__Secure-better-auth.session_token",
      "better-auth.session_token",
      "__Host-better-auth.session_token",
    ] as const;
    for (const name of candidates) {
      const token = cookies[name];
      if (token) {
        this.logger.debug(`Session cookie found: ${name}`);
        return token;
      }
    }
    return undefined;
  }
  /**
--- a/apps/api/src/common/interceptors/rls-context.integration.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.integration.spec.ts
@@ -137,13 +137,13 @@ describe("RLS Context Integration", () => {
        queries: ["findMany"],
      });
-      // Verify SET LOCAL was called
+      // Verify transaction-local set_config calls were made
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
@@ -80,7 +80,7 @@ describe("RlsContextInterceptor", () => {
      expect(result).toEqual({ data: "test response" });
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
    });
@@ -111,13 +111,13 @@ describe("RlsContextInterceptor", () => {
      // Check that user context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        1,
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      // Check that workspace context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        2,
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.ts
@@ -100,12 +100,12 @@ export class RlsContextInterceptor implements NestInterceptor {
      this.prisma
        .$transaction(
          async (tx) => {
-            // Set user context (always present for authenticated requests)
+            // Use set_config(..., true) so values are transaction-local and parameterized safely.
-            await tx.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
+            // Direct SET LOCAL with bind parameters produces invalid SQL on PostgreSQL.
            await tx.$executeRaw`SELECT set_config('app.current_user_id', ${userId}, true)`;
            // Set workspace context (if present)
            if (workspaceId) {
-              await tx.$executeRaw`SET LOCAL app.current_workspace_id = ${workspaceId}`;
+              await tx.$executeRaw`SELECT set_config('app.current_workspace_id', ${workspaceId}, true)`;
            }
            // Propagate the transaction client via AsyncLocalStorage
--- a/apps/api/src/credentials/user-credential.model.spec.ts
+++ b/apps/api/src/credentials/user-credential.model.spec.ts
@@ -15,7 +15,12 @@
 import { describe, it, expect, beforeAll, afterAll } from "vitest";
 import { PrismaClient, CredentialType, CredentialScope } from "@prisma/client";
-describe("UserCredential Model", () => {
+const shouldRunDbIntegrationTests =
  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
 const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
 describeFn("UserCredential Model", () => {
  let prisma: PrismaClient;
  let testUserId: string;
  let testWorkspaceId: string;
@@ -23,8 +28,8 @@ describe("UserCredential Model", () => {
  beforeAll(async () => {
    // Note: These tests require a running database
    // They will be skipped in CI if DATABASE_URL is not set
-    if (!process.env.DATABASE_URL) {
+    if (!shouldRunDbIntegrationTests) {
-      console.warn("DATABASE_URL not set, skipping UserCredential model tests");
+      console.warn("Skipping UserCredential model tests (set RUN_DB_TESTS=true and DATABASE_URL)");
      return;
    }
--- a/apps/api/src/job-events/job-events.performance.spec.ts
+++ b/apps/api/src/job-events/job-events.performance.spec.ts
@@ -16,7 +16,9 @@ import { JOB_CREATED, JOB_STARTED, STEP_STARTED } from "./event-types";
 * NOTE: These tests require a real database connection with realistic data volume.
 * Run with: pnpm test:api -- job-events.performance.spec.ts
 */
-const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
+const shouldRunDbIntegrationTests =
  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
 const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
 describeFn("JobEventsService Performance", () => {
  let service: JobEventsService;
--- a/apps/api/src/knowledge/services/fulltext-search.spec.ts
+++ b/apps/api/src/knowledge/services/fulltext-search.spec.ts
@@ -27,7 +27,9 @@ async function isFulltextSearchConfigured(prisma: PrismaClient): Promise<boolean
 * Skip when DATABASE_URL is not set. Tests that require the trigger/index
 * will be skipped if the database migration hasn't been applied.
 */
-const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
+const shouldRunDbIntegrationTests =
  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
 const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
 describeFn("Full-Text Search Setup (Integration)", () => {
  let prisma: PrismaClient;
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -49,8 +49,10 @@ async function bootstrap() {
  // Configure CORS for cookie-based authentication
  // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
  const trustedOrigins = getTrustedOrigins();
  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
  app.enableCors({
-    origin: getTrustedOrigins(),
+    origin: trustedOrigins,
    credentials: true, // Required for cookie-based authentication
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
    allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts
@@ -3,6 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { ConfigModule } from "@nestjs/config";
 import { MosaicTelemetryModule } from "./mosaic-telemetry.module";
 import { MosaicTelemetryService } from "./mosaic-telemetry.service";
 import { PrismaService } from "../prisma/prisma.service";
 // Mock the telemetry client to avoid real HTTP calls
 vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
@@ -56,6 +57,30 @@ vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
 describe("MosaicTelemetryModule", () => {
  let module: TestingModule;
  const sharedTestEnv = {
    ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  };
  const mockPrismaService = {
    onModuleInit: vi.fn(),
    onModuleDestroy: vi.fn(),
    $connect: vi.fn(),
    $disconnect: vi.fn(),
  };
  const buildTestModule = async (env: Record<string, string>): Promise<TestingModule> =>
    Test.createTestingModule({
      imports: [
        ConfigModule.forRoot({
          isGlobal: true,
          envFilePath: [],
          load: [() => ({ ...env, ...sharedTestEnv })],
        }),
        MosaicTelemetryModule,
      ],
    })
      .overrideProvider(PrismaService)
      .useValue(mockPrismaService)
      .compile();
  beforeEach(() => {
    vi.clearAllMocks();
@@ -63,40 +88,18 @@ describe("MosaicTelemetryModule", () => {
  describe("module initialization", () => {
    it("should compile the module successfully", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      expect(module).toBeDefined();
      await module.close();
    });
    it("should provide MosaicTelemetryService", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
      expect(service).toBeDefined();
@@ -106,20 +109,9 @@ describe("MosaicTelemetryModule", () => {
    });
    it("should export MosaicTelemetryService for injection in other modules", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      const service = module.get(MosaicTelemetryService);
      expect(service).toBeDefined();
@@ -130,24 +122,13 @@ describe("MosaicTelemetryModule", () => {
  describe("lifecycle integration", () => {
    it("should initialize service on module init when enabled", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "true",
        MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
        MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
        MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
        MOSAIC_TELEMETRY_DRY_RUN: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      await module.init();
@@ -158,20 +139,9 @@ describe("MosaicTelemetryModule", () => {
    });
    it("should not start client when disabled via env", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      await module.init();
@@ -182,24 +152,13 @@ describe("MosaicTelemetryModule", () => {
    });
    it("should cleanly shut down on module destroy", async () => {
-      module = await Test.createTestingModule({
+      module = await buildTestModule({
        imports: [
          ConfigModule.forRoot({
            isGlobal: true,
            envFilePath: [],
            load: [
              () => ({
        MOSAIC_TELEMETRY_ENABLED: "true",
        MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
        MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
        MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
        MOSAIC_TELEMETRY_DRY_RUN: "false",
-              }),
+      });
            ],
          }),
          MosaicTelemetryModule,
        ],
      }).compile();
      await module.init();
--- a/apps/api/src/prisma/prisma.service.spec.ts
+++ b/apps/api/src/prisma/prisma.service.spec.ts
@@ -156,7 +156,7 @@ describe("PrismaService", () => {
    it("should set workspace context variables in transaction", async () => {
      const userId = "user-123";
      const workspaceId = "workspace-456";
-      const executeRawSpy = vi.spyOn(service, "$executeRaw").mockResolvedValue(0);
+      vi.spyOn(service, "$executeRaw").mockResolvedValue(0);
      // Mock $transaction to execute the callback with a mock tx client
      const mockTx = {
@@ -195,7 +195,6 @@ describe("PrismaService", () => {
      };
      // Mock both methods at the same time to avoid spy issues
      const originalSetContext = service.setWorkspaceContext.bind(service);
      const setContextCalls: [string, string, unknown][] = [];
      service.setWorkspaceContext = vi.fn().mockImplementation((uid, wid, tx) => {
        setContextCalls.push([uid, wid, tx]);
--- a/apps/api/src/prisma/prisma.service.ts
+++ b/apps/api/src/prisma/prisma.service.ts
@@ -3,6 +3,7 @@ import { PrismaClient } from "@prisma/client";
 import { VaultService } from "../vault/vault.service";
 import { createAccountEncryptionExtension } from "./account-encryption.extension";
 import { createLlmEncryptionExtension } from "./llm-encryption.extension";
 import { getRlsClient } from "./rls-context.provider";
 /**
 * Prisma service that manages database connection lifecycle
@@ -177,6 +178,13 @@ export class PrismaService extends PrismaClient implements OnModuleInit, OnModul
    workspaceId: string,
    fn: (tx: PrismaClient) => Promise<T>
  ): Promise<T> {
    const rlsClient = getRlsClient();
    if (rlsClient) {
      await this.setWorkspaceContext(userId, workspaceId, rlsClient as unknown as PrismaClient);
      return fn(rlsClient as unknown as PrismaClient);
    }
    return this.$transaction(async (tx) => {
      await this.setWorkspaceContext(userId, workspaceId, tx as PrismaClient);
      return fn(tx as PrismaClient);
--- a/apps/api/src/tasks/tasks.controller.spec.ts
+++ b/apps/api/src/tasks/tasks.controller.spec.ts
@@ -25,6 +25,8 @@ describe("TasksController", () => {
      const request = context.switchToHttp().getRequest();
      request.user = {
        id: "550e8400-e29b-41d4-a716-446655440002",
        email: "test@example.com",
        name: "Test User",
        workspaceId: "550e8400-e29b-41d4-a716-446655440001",
      };
      return true;
@@ -46,6 +48,8 @@ describe("TasksController", () => {
  const mockRequest = {
    user: {
      id: mockUserId,
      email: "test@example.com",
      name: "Test User",
      workspaceId: mockWorkspaceId,
    },
  };
@@ -132,13 +136,16 @@ describe("TasksController", () => {
      mockTasksService.findAll.mockResolvedValue(paginatedResult);
-      const result = await controller.findAll(query, mockWorkspaceId);
+      const result = await controller.findAll(query, mockWorkspaceId, mockRequest.user);
      expect(result).toEqual(paginatedResult);
-      expect(service.findAll).toHaveBeenCalledWith({
+      expect(service.findAll).toHaveBeenCalledWith(
        {
          ...query,
          workspaceId: mockWorkspaceId,
-      });
+        },
        mockUserId
      );
    });
    it("should extract workspaceId from request.user if not in query", async () => {
@@ -149,12 +156,13 @@ describe("TasksController", () => {
        meta: { total: 0, page: 1, limit: 50, totalPages: 0 },
      });
-      await controller.findAll(query as any, mockWorkspaceId);
+      await controller.findAll(query as any, mockWorkspaceId, mockRequest.user);
      expect(service.findAll).toHaveBeenCalledWith(
        expect.objectContaining({
          workspaceId: mockWorkspaceId,
-        })
+        }),
        mockUserId
      );
    });
  });
@@ -163,10 +171,10 @@ describe("TasksController", () => {
    it("should return a task by id", async () => {
      mockTasksService.findOne.mockResolvedValue(mockTask);
-      const result = await controller.findOne(mockTaskId, mockWorkspaceId);
+      const result = await controller.findOne(mockTaskId, mockWorkspaceId, mockRequest.user);
      expect(result).toEqual(mockTask);
-      expect(service.findOne).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId);
+      expect(service.findOne).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
    });
    it("should throw error if workspaceId not found", async () => {
@@ -175,10 +183,10 @@ describe("TasksController", () => {
      // We can test that the controller properly uses the provided workspaceId instead
      mockTasksService.findOne.mockResolvedValue(mockTask);
-      const result = await controller.findOne(mockTaskId, mockWorkspaceId);
+      const result = await controller.findOne(mockTaskId, mockWorkspaceId, mockRequest.user);
      expect(result).toEqual(mockTask);
-      expect(service.findOne).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId);
+      expect(service.findOne).toHaveBeenCalledWith(mockTaskId, mockWorkspaceId, mockUserId);
    });
  });
--- a/apps/api/src/tasks/tasks.controller.ts
+++ b/apps/api/src/tasks/tasks.controller.ts
@@ -53,8 +53,12 @@ export class TasksController {
   */
  @Get()
  @RequirePermission(Permission.WORKSPACE_ANY)
-  async findAll(@Query() query: QueryTasksDto, @Workspace() workspaceId: string) {
+  async findAll(
-    return this.tasksService.findAll(Object.assign({}, query, { workspaceId }));
+    @Query() query: QueryTasksDto,
    @Workspace() workspaceId: string,
    @CurrentUser() user: AuthenticatedUser
  ) {
    return this.tasksService.findAll(Object.assign({}, query, { workspaceId }), user.id);
  }
  /**
@@ -64,8 +68,12 @@ export class TasksController {
   */
  @Get(":id")
  @RequirePermission(Permission.WORKSPACE_ANY)
-  async findOne(@Param("id") id: string, @Workspace() workspaceId: string) {
+  async findOne(
-    return this.tasksService.findOne(id, workspaceId);
+    @Param("id") id: string,
    @Workspace() workspaceId: string,
    @CurrentUser() user: AuthenticatedUser
  ) {
    return this.tasksService.findOne(id, workspaceId, user.id);
  }
  /**
--- a/apps/api/src/tasks/tasks.service.spec.ts
+++ b/apps/api/src/tasks/tasks.service.spec.ts
@@ -21,6 +21,7 @@ describe("TasksService", () => {
      update: vi.fn(),
      delete: vi.fn(),
    },
    withWorkspaceContext: vi.fn(),
  };
  const mockActivityService = {
@@ -75,6 +76,9 @@ describe("TasksService", () => {
    // Clear all mocks before each test
    vi.clearAllMocks();
    mockPrismaService.withWorkspaceContext.mockImplementation(async (_userId, _workspaceId, fn) => {
      return fn(mockPrismaService as unknown as PrismaService);
    });
  });
  it("should be defined", () => {
@@ -95,6 +99,11 @@ describe("TasksService", () => {
      const result = await service.create(mockWorkspaceId, mockUserId, createDto);
      expect(result).toEqual(mockTask);
      expect(prisma.withWorkspaceContext).toHaveBeenCalledWith(
        mockUserId,
        mockWorkspaceId,
        expect.any(Function)
      );
      expect(prisma.task.create).toHaveBeenCalledWith({
        data: {
          title: createDto.title,
@@ -177,6 +186,29 @@ describe("TasksService", () => {
      });
    });
    it("should use workspace context when userId is provided", async () => {
      mockPrismaService.task.findMany.mockResolvedValue([mockTask]);
      mockPrismaService.task.count.mockResolvedValue(1);
      await service.findAll({ workspaceId: mockWorkspaceId }, mockUserId);
      expect(prisma.withWorkspaceContext).toHaveBeenCalledWith(
        mockUserId,
        mockWorkspaceId,
        expect.any(Function)
      );
    });
    it("should fallback to direct Prisma access when userId is missing", async () => {
      mockPrismaService.task.findMany.mockResolvedValue([mockTask]);
      mockPrismaService.task.count.mockResolvedValue(1);
      await service.findAll({ workspaceId: mockWorkspaceId });
      expect(prisma.withWorkspaceContext).not.toHaveBeenCalled();
      expect(prisma.task.findMany).toHaveBeenCalled();
    });
    it("should filter by status", async () => {
      mockPrismaService.task.findMany.mockResolvedValue([mockTask]);
      mockPrismaService.task.count.mockResolvedValue(1);
--- a/apps/api/src/tasks/tasks.service.ts
+++ b/apps/api/src/tasks/tasks.service.ts
@@ -1,8 +1,7 @@
 import { Injectable, NotFoundException } from "@nestjs/common";
-import { Prisma, Task } from "@prisma/client";
+import { Prisma, Task, TaskStatus, TaskPriority, type PrismaClient } from "@prisma/client";
 import { PrismaService } from "../prisma/prisma.service";
 import { ActivityService } from "../activity/activity.service";
 import { TaskStatus, TaskPriority } from "@prisma/client";
 import type { CreateTaskDto, UpdateTaskDto, QueryTasksDto } from "./dto";
 type TaskWithRelations = Task & {
@@ -24,6 +23,18 @@ export class TasksService {
    private readonly activityService: ActivityService
  ) {}
  private async withWorkspaceContextIfAvailable<T>(
    workspaceId: string | undefined,
    userId: string | undefined,
    fn: (client: PrismaClient) => Promise<T>
  ): Promise<T> {
    if (workspaceId && userId && typeof this.prisma.withWorkspaceContext === "function") {
      return this.prisma.withWorkspaceContext(userId, workspaceId, fn);
    }
    return fn(this.prisma);
  }
  /**
   * Create a new task
   */
@@ -66,7 +77,8 @@ export class TasksService {
      data.completedAt = new Date();
    }
-    const task = await this.prisma.task.create({
+    const task = await this.withWorkspaceContextIfAvailable(workspaceId, userId, async (client) => {
      return client.task.create({
        data,
        include: {
          assignee: {
@@ -80,6 +92,7 @@ export class TasksService {
          },
        },
      });
    });
    // Log activity
    await this.activityService.logTaskCreated(workspaceId, userId, task.id, {
@@ -92,7 +105,10 @@ export class TasksService {
  /**
   * Get paginated tasks with filters
   */
-  async findAll(query: QueryTasksDto): Promise<{
+  async findAll(
    query: QueryTasksDto,
    userId?: string
  ): Promise<{
    data: Omit<TaskWithRelations, "subtasks">[];
    meta: {
      total: number;
@@ -143,8 +159,12 @@ export class TasksService {
    }
    // Execute queries in parallel
-    const [data, total] = await Promise.all([
+    const [data, total] = await this.withWorkspaceContextIfAvailable(
-      this.prisma.task.findMany({
+      query.workspaceId,
      userId,
      async (client) => {
        return Promise.all([
          client.task.findMany({
            where,
            include: {
              assignee: {
@@ -163,8 +183,10 @@ export class TasksService {
            skip,
            take: limit,
          }),
-      this.prisma.task.count({ where }),
+          client.task.count({ where }),
        ]);
      }
    );
    return {
      data,
@@ -180,8 +202,9 @@ export class TasksService {
  /**
   * Get a single task by ID
   */
-  async findOne(id: string, workspaceId: string): Promise<TaskWithRelations> {
+  async findOne(id: string, workspaceId: string, userId?: string): Promise<TaskWithRelations> {
-    const task = await this.prisma.task.findUnique({
+    const task = await this.withWorkspaceContextIfAvailable(workspaceId, userId, async (client) => {
      return client.task.findUnique({
        where: {
          id,
          workspaceId,
@@ -205,6 +228,7 @@ export class TasksService {
          },
        },
      });
    });
    if (!task) {
      throw new NotFoundException(`Task with ID ${id} not found`);
@@ -222,8 +246,11 @@ export class TasksService {
    userId: string,
    updateTaskDto: UpdateTaskDto
  ): Promise<Omit<TaskWithRelations, "subtasks">> {
-    // Verify task exists
+    const { task, existingTask } = await this.withWorkspaceContextIfAvailable(
-    const existingTask = await this.prisma.task.findUnique({
+      workspaceId,
      userId,
      async (client) => {
        const existingTask = await client.task.findUnique({
          where: { id, workspaceId },
        });
@@ -280,7 +307,7 @@ export class TasksService {
          }
        }
-    const task = await this.prisma.task.update({
+        const task = await client.task.update({
          where: {
            id,
            workspaceId,
@@ -299,6 +326,10 @@ export class TasksService {
          },
        });
        return { task, existingTask };
      }
    );
    // Log activities
    await this.activityService.logTaskUpdated(workspaceId, userId, id, {
      changes: updateTaskDto as Prisma.JsonValue,
@@ -332,8 +363,8 @@ export class TasksService {
   * Delete a task
   */
  async remove(id: string, workspaceId: string, userId: string): Promise<void> {
-    // Verify task exists
+    const task = await this.withWorkspaceContextIfAvailable(workspaceId, userId, async (client) => {
-    const task = await this.prisma.task.findUnique({
+      const task = await client.task.findUnique({
        where: { id, workspaceId },
      });
@@ -341,13 +372,16 @@ export class TasksService {
        throw new NotFoundException(`Task with ID ${id} not found`);
      }
-    await this.prisma.task.delete({
+      await client.task.delete({
        where: {
          id,
          workspaceId,
        },
      });
      return task;
    });
    // Log activity
    await this.activityService.logTaskDeleted(workspaceId, userId, id, {
      title: task.title,
--- a/apps/api/src/telemetry/telemetry.interceptor.spec.ts
+++ b/apps/api/src/telemetry/telemetry.interceptor.spec.ts
@@ -50,6 +50,8 @@ describe("TelemetryInterceptor", () => {
        getResponse: vi.fn().mockReturnValue({
          statusCode: 200,
          setHeader: vi.fn(),
          headersSent: false,
          writableEnded: false,
        }),
      }),
      getClass: vi.fn().mockReturnValue({ name: "TestController" }),
@@ -101,6 +103,35 @@ describe("TelemetryInterceptor", () => {
      expect(mockResponse.setHeader).toHaveBeenCalledWith("x-trace-id", "test-trace-id");
    });
    it("should not set trace header when response is already committed", async () => {
      const committedResponseContext = {
        ...mockContext,
        switchToHttp: vi.fn().mockReturnValue({
          getRequest: vi.fn().mockReturnValue({
            method: "GET",
            url: "/api/test",
            path: "/api/test",
          }),
          getResponse: vi.fn().mockReturnValue({
            statusCode: 200,
            setHeader: vi.fn(),
            headersSent: true,
            writableEnded: true,
          }),
        }),
      } as unknown as ExecutionContext;
      mockHandler = {
        handle: vi.fn().mockReturnValue(of({ data: "test" })),
      } as unknown as CallHandler;
      const committedResponse = committedResponseContext.switchToHttp().getResponse();
      await lastValueFrom(interceptor.intercept(committedResponseContext, mockHandler));
      expect(committedResponse.setHeader).not.toHaveBeenCalled();
    });
    it("should record exception on error", async () => {
      const error = new Error("Test error");
      mockHandler = {
--- a/apps/api/src/telemetry/telemetry.interceptor.ts
+++ b/apps/api/src/telemetry/telemetry.interceptor.ts
@@ -88,7 +88,7 @@ export class TelemetryInterceptor implements NestInterceptor {
      // Add trace context to response headers for distributed tracing
      const spanContext = span.spanContext();
-      if (spanContext.traceId) {
+      if (spanContext.traceId && !response.headersSent && !response.writableEnded) {
        response.setHeader("x-trace-id", spanContext.traceId);
      }
    } catch (error) {
--- a/apps/coordinator/Dockerfile
+++ b/apps/coordinator/Dockerfile
@@ -1,14 +1,10 @@
 # Multi-stage build for mosaic-coordinator
-FROM python:3.11-slim AS builder
+# Builder uses the full Python image which already includes gcc/g++/make,
 # avoiding a 336 MB build-essential install that exceeds Kaniko disk budget.
 FROM python:3.11 AS builder
 WORKDIR /app
 # Install build dependencies
 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
 # Copy dependency files and private registry config
 COPY pyproject.toml .
 COPY pip.conf /etc/pip.conf
--- a/apps/orchestrator/.env.example
+++ b/apps/orchestrator/.env.example
@@ -1,6 +1,8 @@
 # Orchestrator Configuration
 ORCHESTRATOR_PORT=3001
 NODE_ENV=development
 # AI provider for orchestrator agents: ollama, claude, openai
 AI_PROVIDER=ollama
 # Valkey
 VALKEY_HOST=localhost
@@ -8,6 +10,7 @@ VALKEY_PORT=6379
 VALKEY_URL=redis://localhost:6379
 # Claude API
 # Required only when AI_PROVIDER=claude.
 CLAUDE_API_KEY=your-api-key-here
 # Docker
--- a/apps/orchestrator/Dockerfile
+++ b/apps/orchestrator/Dockerfile
@@ -1,6 +1,3 @@
 # syntax=docker/dockerfile:1
 # Enable BuildKit features for cache mounts
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) for native addon compatibility.
 FROM node:24-slim AS base
@@ -26,9 +23,8 @@ COPY packages/config/package.json ./packages/config/
 COPY apps/orchestrator/package.json ./apps/orchestrator/
 # Install ALL dependencies (not just production)
-# This ensures NestJS packages and other required deps are available
+# No cache mount — Kaniko builds are ephemeral in CI
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+RUN pnpm install --frozen-lockfile
    pnpm install --frozen-lockfile
 # ======================
 # Builder stage
@@ -69,15 +65,14 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
 LABEL org.opencontainers.image.title="Mosaic Orchestrator"
 LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
+# Install dumb-init for proper signal handling (static binary from GitHub,
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-# Install wget and dumb-init
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
-RUN apt-get update && apt-get install -y --no-install-recommends wget dumb-init \
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
-    && rm -rf /var/lib/apt/lists/*
+    && chmod 755 /usr/local/bin/dumb-init \
-
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 # Create non-root user
 RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 WORKDIR /app
@@ -105,7 +100,7 @@ EXPOSE 3001
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-  CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
+  CMD node -e "require('http').get('http://localhost:3001/health', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})"
 # Use dumb-init to handle signals properly
 ENTRYPOINT ["dumb-init", "--"]
--- a/apps/orchestrator/README.md
+++ b/apps/orchestrator/README.md
@@ -46,11 +46,21 @@ Monitored via `apps/web/` (Agent Dashboard).
 ### Agents
 | Method | Path                      | Description               |
-| ------ | ------------------------- | ---------------------- |
+| ------ | ------------------------- | ------------------------- |
 | POST   | `/agents/spawn`           | Spawn a new agent         |
 | GET    | `/agents/:agentId/status` | Get agent status          |
 | POST   | `/agents/:agentId/kill`   | Kill a single agent       |
 | POST   | `/agents/kill-all`        | Kill all active agents    |
 | GET    | `/agents/events`          | SSE lifecycle/task events |
 | GET    | `/agents/events/recent`   | Recent events (polling)   |
 ### Queue
 | Method | Path            | Description                  |
 | ------ | --------------- | ---------------------------- |
 | GET    | `/queue/stats`  | Queue depth and worker stats |
 | POST   | `/queue/pause`  | Pause queue processing       |
 | POST   | `/queue/resume` | Resume queue processing      |
 #### POST /agents/spawn
@@ -177,13 +187,17 @@ pnpm --filter @mosaic/orchestrator lint
 Environment variables loaded via `@nestjs/config`. Key variables:
 | Variable                         | Description                                                  |
-| ------------------- | -------------------------------------- |
+| -------------------------------- | ------------------------------------------------------------ |
 | `ORCHESTRATOR_PORT`              | HTTP port (default: 3001)                                    |
-| `CLAUDE_API_KEY`    | Claude API key for agents              |
+| `AI_PROVIDER`                    | LLM provider for orchestrator (`ollama`, `claude`, `openai`) |
 | `CLAUDE_API_KEY`                 | Required only when `AI_PROVIDER=claude`                      |
 | `VALKEY_HOST`                    | Valkey/Redis host (default: localhost)                       |
 | `VALKEY_PORT`                    | Valkey/Redis port (default: 6379)                            |
 | `COORDINATOR_URL`                | Quality Coordinator base URL                                 |
 | `SANDBOX_ENABLED`                | Enable Docker sandbox (true/false)                           |
 | `MAX_CONCURRENT_AGENTS`          | Maximum concurrent in-memory sessions (default: 2)           |
 | `ORCHESTRATOR_QUEUE_CONCURRENCY` | BullMQ worker concurrency (default: 1)                       |
 | `SANDBOX_DEFAULT_MEMORY_MB`      | Sandbox memory limit in MB (default: 256)                    |
 ## Related Documentation
--- a/apps/orchestrator/SECURITY.md
+++ b/apps/orchestrator/SECURITY.md
@@ -192,7 +192,8 @@ LABEL com.mosaic.security.non-root=true
 Sensitive configuration is passed via environment variables:
- `CLAUDE_API_KEY`: Claude API credentials
+- `AI_PROVIDER`: Orchestrator LLM provider
 - `CLAUDE_API_KEY`: Claude credentials (required only for `AI_PROVIDER=claude`)
 - `VALKEY_URL`: Cache connection string
 **Best Practices:**
--- a/apps/orchestrator/src/api/agents/agent-events.service.ts
+++ b/apps/orchestrator/src/api/agents/agent-events.service.ts
@@ -0,0 +1,89 @@
 import { Injectable, Logger, OnModuleInit } from "@nestjs/common";
 import { randomUUID } from "crypto";
 import { ValkeyService } from "../../valkey/valkey.service";
 import type { EventHandler, OrchestratorEvent } from "../../valkey/types";
 type UnsubscribeFn = () => void;
 const MAX_RECENT_EVENTS = 500;
@Injectable()
 export class AgentEventsService implements OnModuleInit {
  private readonly logger = new Logger(AgentEventsService.name);
  private readonly subscribers = new Map<string, EventHandler>();
  private readonly recentEvents: OrchestratorEvent[] = [];
  private connected = false;
  constructor(private readonly valkeyService: ValkeyService) {}
  async onModuleInit(): Promise<void> {
    if (this.connected) return;
    await this.valkeyService.subscribeToEvents(
      (event) => {
        this.appendRecentEvent(event);
        this.subscribers.forEach((handler) => {
          void handler(event);
        });
      },
      (error, _raw, channel) => {
        this.logger.warn(`Event stream parse/validation warning on ${channel}: ${error.message}`);
      }
    );
    this.connected = true;
    this.logger.log("Agent event stream subscription active");
  }
  subscribe(handler: EventHandler): UnsubscribeFn {
    const id = randomUUID();
    this.subscribers.set(id, handler);
    return () => {
      this.subscribers.delete(id);
    };
  }
  async getInitialSnapshot(): Promise<{
    type: "stream.snapshot";
    timestamp: string;
    agents: number;
    tasks: number;
  }> {
    const [agents, tasks] = await Promise.all([
      this.valkeyService.listAgents(),
      this.valkeyService.listTasks(),
    ]);
    return {
      type: "stream.snapshot",
      timestamp: new Date().toISOString(),
      agents: agents.length,
      tasks: tasks.length,
    };
  }
  createHeartbeat(): OrchestratorEvent {
    return {
      type: "task.processing",
      timestamp: new Date().toISOString(),
      data: {
        heartbeat: true,
      },
    };
  }
  getRecentEvents(limit = 100): OrchestratorEvent[] {
    const safeLimit = Math.min(Math.max(Math.floor(limit), 1), MAX_RECENT_EVENTS);
    if (safeLimit >= this.recentEvents.length) {
      return [...this.recentEvents];
    }
    return this.recentEvents.slice(-safeLimit);
  }
  private appendRecentEvent(event: OrchestratorEvent): void {
    this.recentEvents.push(event);
    if (this.recentEvents.length > MAX_RECENT_EVENTS) {
      this.recentEvents.shift();
    }
  }
 }
--- a/apps/orchestrator/src/api/agents/agents-killswitch.controller.spec.ts
+++ b/apps/orchestrator/src/api/agents/agents-killswitch.controller.spec.ts
@@ -4,6 +4,7 @@ import { QueueService } from "../../queue/queue.service";
 import { AgentSpawnerService } from "../../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../../spawner/agent-lifecycle.service";
 import { KillswitchService } from "../../killswitch/killswitch.service";
 import { AgentEventsService } from "./agent-events.service";
 import type { KillAllResult } from "../../killswitch/killswitch.service";
 describe("AgentsController - Killswitch Endpoints", () => {
@@ -20,6 +21,12 @@ describe("AgentsController - Killswitch Endpoints", () => {
  };
  let mockLifecycleService: {
    getAgentLifecycleState: ReturnType<typeof vi.fn>;
    registerSpawnedAgent: ReturnType<typeof vi.fn>;
  };
  let mockEventsService: {
    subscribe: ReturnType<typeof vi.fn>;
    getInitialSnapshot: ReturnType<typeof vi.fn>;
    createHeartbeat: ReturnType<typeof vi.fn>;
  };
  beforeEach(() => {
@@ -38,13 +45,30 @@ describe("AgentsController - Killswitch Endpoints", () => {
    mockLifecycleService = {
      getAgentLifecycleState: vi.fn(),
      registerSpawnedAgent: vi.fn(),
    };
    mockEventsService = {
      subscribe: vi.fn().mockReturnValue(() => {}),
      getInitialSnapshot: vi.fn().mockResolvedValue({
        type: "stream.snapshot",
        timestamp: new Date().toISOString(),
        agents: 0,
        tasks: 0,
      }),
      createHeartbeat: vi.fn().mockReturnValue({
        type: "task.processing",
        timestamp: new Date().toISOString(),
        data: { heartbeat: true },
      }),
    };
    controller = new AgentsController(
      mockQueueService as unknown as QueueService,
      mockSpawnerService as unknown as AgentSpawnerService,
      mockLifecycleService as unknown as AgentLifecycleService,
-      mockKillswitchService as unknown as KillswitchService
+      mockKillswitchService as unknown as KillswitchService,
      mockEventsService as unknown as AgentEventsService
    );
  });
--- a/apps/orchestrator/src/api/agents/agents.controller.spec.ts
+++ b/apps/orchestrator/src/api/agents/agents.controller.spec.ts
@@ -3,6 +3,7 @@ import { QueueService } from "../../queue/queue.service";
 import { AgentSpawnerService } from "../../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../../spawner/agent-lifecycle.service";
 import { KillswitchService } from "../../killswitch/killswitch.service";
 import { AgentEventsService } from "./agent-events.service";
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 describe("AgentsController", () => {
@@ -17,11 +18,18 @@ describe("AgentsController", () => {
  };
  let lifecycleService: {
    getAgentLifecycleState: ReturnType<typeof vi.fn>;
    registerSpawnedAgent: ReturnType<typeof vi.fn>;
  };
  let killswitchService: {
    killAgent: ReturnType<typeof vi.fn>;
    killAllAgents: ReturnType<typeof vi.fn>;
  };
  let eventsService: {
    subscribe: ReturnType<typeof vi.fn>;
    getInitialSnapshot: ReturnType<typeof vi.fn>;
    createHeartbeat: ReturnType<typeof vi.fn>;
    getRecentEvents: ReturnType<typeof vi.fn>;
  };
  beforeEach(() => {
    // Create mock services
@@ -37,6 +45,7 @@ describe("AgentsController", () => {
    lifecycleService = {
      getAgentLifecycleState: vi.fn(),
      registerSpawnedAgent: vi.fn().mockResolvedValue(undefined),
    };
    killswitchService = {
@@ -44,12 +53,29 @@ describe("AgentsController", () => {
      killAllAgents: vi.fn(),
    };
    eventsService = {
      subscribe: vi.fn().mockReturnValue(() => {}),
      getInitialSnapshot: vi.fn().mockResolvedValue({
        type: "stream.snapshot",
        timestamp: new Date().toISOString(),
        agents: 0,
        tasks: 0,
      }),
      createHeartbeat: vi.fn().mockReturnValue({
        type: "task.processing",
        timestamp: new Date().toISOString(),
        data: { heartbeat: true },
      }),
      getRecentEvents: vi.fn().mockReturnValue([]),
    };
    // Create controller with mocked services
    controller = new AgentsController(
      queueService as unknown as QueueService,
      spawnerService as unknown as AgentSpawnerService,
      lifecycleService as unknown as AgentLifecycleService,
-      killswitchService as unknown as KillswitchService
+      killswitchService as unknown as KillswitchService,
      eventsService as unknown as AgentEventsService
    );
  });
@@ -195,6 +221,10 @@ describe("AgentsController", () => {
      expect(queueService.addTask).toHaveBeenCalledWith(validRequest.taskId, validRequest.context, {
        priority: 5,
      });
      expect(lifecycleService.registerSpawnedAgent).toHaveBeenCalledWith(
        agentId,
        validRequest.taskId
      );
      expect(result).toEqual({
        agentId,
        status: "spawning",
@@ -334,4 +364,39 @@ describe("AgentsController", () => {
      });
    });
  });
  describe("getRecentEvents", () => {
    it("should return recent events with default limit", () => {
      eventsService.getRecentEvents.mockReturnValue([
        {
          type: "task.completed",
          timestamp: "2026-02-17T15:00:00.000Z",
          taskId: "task-123",
        },
      ]);
      const result = controller.getRecentEvents();
      expect(eventsService.getRecentEvents).toHaveBeenCalledWith(100);
      expect(result).toEqual({
        events: [
          {
            type: "task.completed",
            timestamp: "2026-02-17T15:00:00.000Z",
            taskId: "task-123",
          },
        ],
      });
    });
    it("should parse and pass custom limit", () => {
      controller.getRecentEvents("25");
      expect(eventsService.getRecentEvents).toHaveBeenCalledWith(25);
    });
    it("should fallback to default when limit is invalid", () => {
      controller.getRecentEvents("invalid");
      expect(eventsService.getRecentEvents).toHaveBeenCalledWith(100);
    });
  });
 });
--- a/apps/orchestrator/src/api/agents/agents.controller.ts
+++ b/apps/orchestrator/src/api/agents/agents.controller.ts
@@ -11,8 +11,12 @@ import {
  HttpCode,
  UseGuards,
  ParseUUIDPipe,
  Sse,
  MessageEvent,
  Query,
 } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { Observable } from "rxjs";
 import { QueueService } from "../../queue/queue.service";
 import { AgentSpawnerService } from "../../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../../spawner/agent-lifecycle.service";
@@ -20,6 +24,7 @@ import { KillswitchService } from "../../killswitch/killswitch.service";
 import { SpawnAgentDto, SpawnAgentResponseDto } from "./dto/spawn-agent.dto";
 import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
 import { OrchestratorThrottlerGuard } from "../../common/guards/throttler.guard";
 import { AgentEventsService } from "./agent-events.service";
 /**
 * Controller for agent management endpoints
@@ -41,7 +46,8 @@ export class AgentsController {
    private readonly queueService: QueueService,
    private readonly spawnerService: AgentSpawnerService,
    private readonly lifecycleService: AgentLifecycleService,
-    private readonly killswitchService: KillswitchService
+    private readonly killswitchService: KillswitchService,
    private readonly eventsService: AgentEventsService
  ) {}
  /**
@@ -67,6 +73,9 @@ export class AgentsController {
        context: dto.context,
      });
      // Persist initial lifecycle state in Valkey.
      await this.lifecycleService.registerSpawnedAgent(spawnResponse.agentId, dto.taskId);
      // Queue task in Valkey
      await this.queueService.addTask(dto.taskId, dto.context, {
        priority: 5, // Default priority
@@ -85,6 +94,55 @@ export class AgentsController {
    }
  }
  /**
   * Stream orchestrator events as server-sent events (SSE)
   */
  @Sse("events")
  @Throttle({ status: { limit: 200, ttl: 60000 } })
  streamEvents(): Observable<MessageEvent> {
    return new Observable<MessageEvent>((subscriber) => {
      let isClosed = false;
      const unsubscribe = this.eventsService.subscribe((event) => {
        if (!isClosed) {
          subscriber.next({ data: event });
        }
      });
      void this.eventsService.getInitialSnapshot().then((snapshot) => {
        if (!isClosed) {
          subscriber.next({ data: snapshot });
        }
      });
      const heartbeat = setInterval(() => {
        if (!isClosed) {
          subscriber.next({ data: this.eventsService.createHeartbeat() });
        }
      }, 15000);
      return () => {
        isClosed = true;
        clearInterval(heartbeat);
        unsubscribe();
      };
    });
  }
  /**
   * Return recent orchestrator events for non-streaming consumers.
   */
  @Get("events/recent")
  @Throttle({ status: { limit: 200, ttl: 60000 } })
  getRecentEvents(@Query("limit") limit?: string): {
    events: ReturnType<AgentEventsService["getRecentEvents"]>;
  } {
    const parsedLimit = Number.parseInt(limit ?? "100", 10);
    return {
      events: this.eventsService.getRecentEvents(Number.isNaN(parsedLimit) ? 100 : parsedLimit),
    };
  }
  /**
   * List all agents
   * @returns Array of all agent sessions with their status
--- a/apps/orchestrator/src/api/agents/agents.module.ts
+++ b/apps/orchestrator/src/api/agents/agents.module.ts
@@ -5,10 +5,11 @@ import { SpawnerModule } from "../../spawner/spawner.module";
 import { KillswitchModule } from "../../killswitch/killswitch.module";
 import { ValkeyModule } from "../../valkey/valkey.module";
 import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
 import { AgentEventsService } from "./agent-events.service";
@Module({
  imports: [QueueModule, SpawnerModule, KillswitchModule, ValkeyModule],
  controllers: [AgentsController],
-  providers: [OrchestratorApiKeyGuard],
+  providers: [OrchestratorApiKeyGuard, AgentEventsService],
 })
 export class AgentsModule {}
--- a/apps/orchestrator/src/api/queue/queue-api.module.ts
+++ b/apps/orchestrator/src/api/queue/queue-api.module.ts
@@ -0,0 +1,11 @@
 import { Module } from "@nestjs/common";
 import { QueueController } from "./queue.controller";
 import { QueueModule } from "../../queue/queue.module";
 import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
@Module({
  imports: [QueueModule],
  controllers: [QueueController],
  providers: [OrchestratorApiKeyGuard],
 })
 export class QueueApiModule {}
--- a/apps/orchestrator/src/api/queue/queue.controller.spec.ts
+++ b/apps/orchestrator/src/api/queue/queue.controller.spec.ts
@@ -0,0 +1,65 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { QueueController } from "./queue.controller";
 import { QueueService } from "../../queue/queue.service";
 describe("QueueController", () => {
  let controller: QueueController;
  let queueService: {
    getStats: ReturnType<typeof vi.fn>;
    pause: ReturnType<typeof vi.fn>;
    resume: ReturnType<typeof vi.fn>;
  };
  beforeEach(() => {
    queueService = {
      getStats: vi.fn(),
      pause: vi.fn(),
      resume: vi.fn(),
    };
    controller = new QueueController(queueService as unknown as QueueService);
  });
  afterEach(() => {
    vi.clearAllMocks();
  });
  it("should return queue stats", async () => {
    queueService.getStats.mockResolvedValue({
      pending: 5,
      active: 1,
      completed: 10,
      failed: 2,
      delayed: 0,
    });
    const result = await controller.getStats();
    expect(queueService.getStats).toHaveBeenCalledOnce();
    expect(result).toEqual({
      pending: 5,
      active: 1,
      completed: 10,
      failed: 2,
      delayed: 0,
    });
  });
  it("should pause queue processing", async () => {
    queueService.pause.mockResolvedValue(undefined);
    const result = await controller.pause();
    expect(queueService.pause).toHaveBeenCalledOnce();
    expect(result).toEqual({ message: "Queue processing paused" });
  });
  it("should resume queue processing", async () => {
    queueService.resume.mockResolvedValue(undefined);
    const result = await controller.resume();
    expect(queueService.resume).toHaveBeenCalledOnce();
    expect(result).toEqual({ message: "Queue processing resumed" });
  });
 });
--- a/apps/orchestrator/src/api/queue/queue.controller.ts
+++ b/apps/orchestrator/src/api/queue/queue.controller.ts
@@ -0,0 +1,39 @@
 import { Controller, Get, HttpCode, Post, UseGuards } from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
 import { QueueService } from "../../queue/queue.service";
 import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
 import { OrchestratorThrottlerGuard } from "../../common/guards/throttler.guard";
@Controller("queue")
@UseGuards(OrchestratorApiKeyGuard, OrchestratorThrottlerGuard)
 export class QueueController {
  constructor(private readonly queueService: QueueService) {}
  @Get("stats")
  @Throttle({ status: { limit: 200, ttl: 60000 } })
  async getStats(): Promise<{
    pending: number;
    active: number;
    completed: number;
    failed: number;
    delayed: number;
  }> {
    return this.queueService.getStats();
  }
  @Post("pause")
  @Throttle({ strict: { limit: 10, ttl: 60000 } })
  @HttpCode(200)
  async pause(): Promise<{ message: string }> {
    await this.queueService.pause();
    return { message: "Queue processing paused" };
  }
  @Post("resume")
  @Throttle({ strict: { limit: 10, ttl: 60000 } })
  @HttpCode(200)
  async resume(): Promise<{ message: string }> {
    await this.queueService.resume();
    return { message: "Queue processing resumed" };
  }
 }
--- a/apps/orchestrator/src/app.module.ts
+++ b/apps/orchestrator/src/app.module.ts
@@ -1,9 +1,10 @@
 import { Module } from "@nestjs/common";
-import { ConfigModule } from "@nestjs/config";
+import { ConfigModule, ConfigService } from "@nestjs/config";
 import { BullModule } from "@nestjs/bullmq";
 import { ThrottlerModule } from "@nestjs/throttler";
 import { HealthModule } from "./api/health/health.module";
 import { AgentsModule } from "./api/agents/agents.module";
 import { QueueApiModule } from "./api/queue/queue-api.module";
 import { CoordinatorModule } from "./coordinator/coordinator.module";
 import { BudgetModule } from "./budget/budget.module";
 import { CIModule } from "./ci";
@@ -21,12 +22,16 @@ import { orchestratorConfig } from "./config/orchestrator.config";
      isGlobal: true,
      load: [orchestratorConfig],
    }),
-    BullModule.forRoot({
+    BullModule.forRootAsync({
      inject: [ConfigService],
      useFactory: (configService: ConfigService) => ({
        connection: {
-        host: process.env.VALKEY_HOST ?? "localhost",
+          host: configService.get<string>("orchestrator.valkey.host", "localhost"),
-        port: parseInt(process.env.VALKEY_PORT ?? "6379"),
+          port: configService.get<number>("orchestrator.valkey.port", 6379),
          password: configService.get<string>("orchestrator.valkey.password"),
        },
      }),
    }),
    ThrottlerModule.forRoot([
      {
        name: "default",
@@ -46,6 +51,7 @@ import { orchestratorConfig } from "./config/orchestrator.config";
    ]),
    HealthModule,
    AgentsModule,
    QueueApiModule,
    CoordinatorModule,
    BudgetModule,
    CIModule,
--- a/apps/orchestrator/src/config/orchestrator.config.spec.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.spec.ts
@@ -120,6 +120,42 @@ describe("orchestratorConfig", () => {
      expect(config.valkey.port).toBe(6379);
      expect(config.valkey.url).toBe("redis://localhost:6379");
    });
    it("should derive valkey host and port from VALKEY_URL when VALKEY_HOST/VALKEY_PORT are not set", () => {
      delete process.env.VALKEY_HOST;
      delete process.env.VALKEY_PORT;
      process.env.VALKEY_URL = "redis://valkey:6380";
      const config = orchestratorConfig();
      expect(config.valkey.host).toBe("valkey");
      expect(config.valkey.port).toBe(6380);
      expect(config.valkey.url).toBe("redis://valkey:6380");
    });
    it("should derive valkey password from VALKEY_URL when VALKEY_PASSWORD is not set", () => {
      delete process.env.VALKEY_PASSWORD;
      delete process.env.VALKEY_HOST;
      delete process.env.VALKEY_PORT;
      process.env.VALKEY_URL = "redis://:url-secret@valkey:6379";
      const config = orchestratorConfig();
      expect(config.valkey.password).toBe("url-secret");
    });
    it("should prefer explicit valkey env vars over VALKEY_URL values", () => {
      process.env.VALKEY_HOST = "explicit-host";
      process.env.VALKEY_PORT = "6390";
      process.env.VALKEY_PASSWORD = "explicit-password";
      process.env.VALKEY_URL = "redis://:url-secret@valkey:6380";
      const config = orchestratorConfig();
      expect(config.valkey.host).toBe("explicit-host");
      expect(config.valkey.port).toBe(6390);
      expect(config.valkey.password).toBe("explicit-password");
    });
  });
  describe("valkey timeout config (SEC-ORCH-28)", () => {
@@ -157,12 +193,12 @@ describe("orchestratorConfig", () => {
  });
  describe("spawner config", () => {
-    it("should use default maxConcurrentAgents of 20 when not set", () => {
+    it("should use default maxConcurrentAgents of 2 when not set", () => {
      delete process.env.MAX_CONCURRENT_AGENTS;
      const config = orchestratorConfig();
-      expect(config.spawner.maxConcurrentAgents).toBe(20);
+      expect(config.spawner.maxConcurrentAgents).toBe(2);
    });
    it("should use provided maxConcurrentAgents when MAX_CONCURRENT_AGENTS is set", () => {
@@ -181,4 +217,30 @@ describe("orchestratorConfig", () => {
      expect(config.spawner.maxConcurrentAgents).toBe(10);
    });
  });
  describe("AI provider config", () => {
    it("should default aiProvider to ollama when unset", () => {
      delete process.env.AI_PROVIDER;
      const config = orchestratorConfig();
      expect(config.aiProvider).toBe("ollama");
    });
    it("should normalize AI provider to lowercase", () => {
      process.env.AI_PROVIDER = "  cLaUdE  ";
      const config = orchestratorConfig();
      expect(config.aiProvider).toBe("claude");
    });
    it("should fallback unsupported AI provider to ollama", () => {
      process.env.AI_PROVIDER = "bad-provider";
      const config = orchestratorConfig();
      expect(config.aiProvider).toBe("ollama");
    });
  });
 });
--- a/apps/orchestrator/src/config/orchestrator.config.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.ts
@@ -1,19 +1,53 @@
 import { registerAs } from "@nestjs/config";
-export const orchestratorConfig = registerAs("orchestrator", () => ({
+const normalizeAiProvider = (): "ollama" | "claude" | "openai" => {
  const provider = process.env.AI_PROVIDER?.trim().toLowerCase();
  if (!provider) {
    return "ollama";
  }
  if (provider !== "ollama" && provider !== "claude" && provider !== "openai") {
    return "ollama";
  }
  return provider;
 };
 const parseValkeyUrl = (url: string): { host?: string; port?: number; password?: string } => {
  try {
    const parsed = new URL(url);
    const port = parsed.port ? parseInt(parsed.port, 10) : undefined;
    return {
      host: parsed.hostname || undefined,
      port: Number.isNaN(port) ? undefined : port,
      password: parsed.password ? decodeURIComponent(parsed.password) : undefined,
    };
  } catch {
    return {};
  }
 };
 export const orchestratorConfig = registerAs("orchestrator", () => {
  const valkeyUrl = process.env.VALKEY_URL ?? "redis://localhost:6379";
  const parsedValkeyUrl = parseValkeyUrl(valkeyUrl);
  return {
    host: process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1",
    port: parseInt(process.env.ORCHESTRATOR_PORT ?? "3001", 10),
    valkey: {
-    host: process.env.VALKEY_HOST ?? "localhost",
+      host: process.env.VALKEY_HOST ?? parsedValkeyUrl.host ?? "localhost",
-    port: parseInt(process.env.VALKEY_PORT ?? "6379", 10),
+      port: parseInt(process.env.VALKEY_PORT ?? String(parsedValkeyUrl.port ?? 6379), 10),
-    password: process.env.VALKEY_PASSWORD,
+      password: process.env.VALKEY_PASSWORD ?? parsedValkeyUrl.password,
-    url: process.env.VALKEY_URL ?? "redis://localhost:6379",
+      url: valkeyUrl,
      connectTimeout: parseInt(process.env.VALKEY_CONNECT_TIMEOUT_MS ?? "5000", 10),
      commandTimeout: parseInt(process.env.VALKEY_COMMAND_TIMEOUT_MS ?? "3000", 10),
    },
    claude: {
      apiKey: process.env.CLAUDE_API_KEY,
    },
    aiProvider: normalizeAiProvider(),
    docker: {
      socketPath: process.env.DOCKER_SOCKET ?? "/var/run/docker.sock",
    },
@@ -27,9 +61,9 @@ export const orchestratorConfig = registerAs("orchestrator", () => ({
    sandbox: {
      enabled: process.env.SANDBOX_ENABLED !== "false",
      defaultImage: process.env.SANDBOX_DEFAULT_IMAGE ?? "node:20-alpine",
-    defaultMemoryMB: parseInt(process.env.SANDBOX_DEFAULT_MEMORY_MB ?? "512", 10),
+      defaultMemoryMB: parseInt(process.env.SANDBOX_DEFAULT_MEMORY_MB ?? "256", 10),
      defaultCpuLimit: parseFloat(process.env.SANDBOX_DEFAULT_CPU_LIMIT ?? "1.0"),
-    networkMode: process.env.SANDBOX_NETWORK_MODE ?? "bridge",
+      networkMode: process.env.SANDBOX_NETWORK_MODE ?? "none",
    },
    coordinator: {
      url: process.env.COORDINATOR_URL ?? "http://localhost:8000",
@@ -41,9 +75,15 @@ export const orchestratorConfig = registerAs("orchestrator", () => ({
      enabled: process.env.YOLO_MODE === "true",
    },
    spawner: {
-    maxConcurrentAgents: parseInt(process.env.MAX_CONCURRENT_AGENTS ?? "20", 10),
+      maxConcurrentAgents: parseInt(process.env.MAX_CONCURRENT_AGENTS ?? "2", 10),
      sessionCleanupDelayMs: parseInt(process.env.SESSION_CLEANUP_DELAY_MS ?? "30000", 10),
    },
    queue: {
      name: process.env.ORCHESTRATOR_QUEUE_NAME ?? "orchestrator-tasks",
      maxRetries: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_RETRIES ?? "3", 10),
      baseDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_BASE_DELAY_MS ?? "1000", 10),
      maxDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_DELAY_MS ?? "60000", 10),
      concurrency: parseInt(process.env.ORCHESTRATOR_QUEUE_CONCURRENCY ?? "1", 10),
      completedRetentionCount: parseInt(process.env.QUEUE_COMPLETED_RETENTION_COUNT ?? "100", 10),
      completedRetentionAgeSeconds: parseInt(
        process.env.QUEUE_COMPLETED_RETENTION_AGE_S ?? "3600",
@@ -52,4 +92,5 @@ export const orchestratorConfig = registerAs("orchestrator", () => ({
      failedRetentionCount: parseInt(process.env.QUEUE_FAILED_RETENTION_COUNT ?? "1000", 10),
      failedRetentionAgeSeconds: parseInt(process.env.QUEUE_FAILED_RETENTION_AGE_S ?? "86400", 10),
    },
-}));
+  };
 });
--- a/apps/orchestrator/src/queue/queue.module.ts
+++ b/apps/orchestrator/src/queue/queue.module.ts
@@ -2,9 +2,10 @@ import { Module } from "@nestjs/common";
 import { ConfigModule } from "@nestjs/config";
 import { QueueService } from "./queue.service";
 import { ValkeyModule } from "../valkey/valkey.module";
 import { SpawnerModule } from "../spawner/spawner.module";
@Module({
-  imports: [ConfigModule, ValkeyModule],
+  imports: [ConfigModule, ValkeyModule, SpawnerModule],
  providers: [QueueService],
  exports: [QueueService],
 })
--- a/apps/orchestrator/src/queue/queue.service.spec.ts
+++ b/apps/orchestrator/src/queue/queue.service.spec.ts
@@ -991,12 +991,17 @@ describe("QueueService", () => {
        success: true,
        metadata: { attempt: 1 },
      });
-      expect(mockValkeyService.updateTaskStatus).toHaveBeenCalledWith("task-123", "executing");
+      expect(mockValkeyService.updateTaskStatus).toHaveBeenCalledWith(
        "task-123",
        "executing",
        undefined
      );
      expect(mockValkeyService.publishEvent).toHaveBeenCalledWith({
-        type: "task.processing",
+        type: "task.executing",
        timestamp: expect.any(String),
        taskId: "task-123",
-        data: { attempt: 1 },
+        agentId: undefined,
        data: { attempt: 1, dispatchedByQueue: true },
      });
    });
--- a/apps/orchestrator/src/queue/queue.service.ts
+++ b/apps/orchestrator/src/queue/queue.service.ts
@@ -1,7 +1,9 @@
-import { Injectable, OnModuleDestroy, OnModuleInit } from "@nestjs/common";
+import { Injectable, OnModuleDestroy, OnModuleInit, Optional, Logger } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { Queue, Worker, Job } from "bullmq";
 import { ValkeyService } from "../valkey/valkey.service";
 import { AgentSpawnerService } from "../spawner/agent-spawner.service";
 import { AgentLifecycleService } from "../spawner/agent-lifecycle.service";
 import type { TaskContext } from "../valkey/types";
 import type {
  QueuedTask,
@@ -16,6 +18,7 @@ import type {
 */
@Injectable()
 export class QueueService implements OnModuleInit, OnModuleDestroy {
  private readonly logger = new Logger(QueueService.name);
  private queue!: Queue<QueuedTask>;
  private worker!: Worker<QueuedTask, TaskProcessingResult>;
  private readonly queueName: string;
@@ -23,7 +26,9 @@ export class QueueService implements OnModuleInit, OnModuleDestroy {
  constructor(
    private readonly valkeyService: ValkeyService,
-    private readonly configService: ConfigService
+    private readonly configService: ConfigService,
    @Optional() private readonly spawnerService?: AgentSpawnerService,
    @Optional() private readonly lifecycleService?: AgentLifecycleService
  ) {
    this.queueName = this.configService.get<string>(
      "orchestrator.queue.name",
@@ -132,6 +137,16 @@ export class QueueService implements OnModuleInit, OnModuleDestroy {
      context,
    };
    // Ensure task state exists before queue lifecycle updates.
    const getTaskState = (this.valkeyService as Partial<ValkeyService>).getTaskState;
    const createTask = (this.valkeyService as Partial<ValkeyService>).createTask;
    if (typeof getTaskState === "function" && typeof createTask === "function") {
      const existingTask = await getTaskState.call(this.valkeyService, taskId);
      if (!existingTask) {
        await createTask.call(this.valkeyService, taskId, context);
      }
    }
    // Add to BullMQ queue
    await this.queue.add(taskId, queuedTask, {
      priority: 10 - priority + 1, // BullMQ: lower number = higher priority, so invert
@@ -214,23 +229,35 @@ export class QueueService implements OnModuleInit, OnModuleDestroy {
    const { taskId } = job.data;
    try {
      const session = this.spawnerService?.findAgentSessionByTaskId(taskId);
      const agentId = session?.agentId;
      if (agentId) {
        if (this.lifecycleService) {
          await this.lifecycleService.transitionToRunning(agentId);
        }
        this.spawnerService?.setSessionState(agentId, "running");
      }
      // Update task state to executing
-      await this.valkeyService.updateTaskStatus(taskId, "executing");
+      await this.valkeyService.updateTaskStatus(taskId, "executing", agentId);
      // Publish event
      await this.valkeyService.publishEvent({
-        type: "task.processing",
+        type: "task.executing",
        timestamp: new Date().toISOString(),
        taskId,
-        data: { attempt: job.attemptsMade + 1 },
+        agentId,
        data: {
          attempt: job.attemptsMade + 1,
          dispatchedByQueue: true,
        },
      });
      // Task processing will be handled by agent spawner
      // For now, just mark as processing
      return {
        success: true,
        metadata: {
          attempt: job.attemptsMade + 1,
          ...(agentId && { agentId }),
        },
      };
    } catch (error) {
@@ -270,6 +297,14 @@ export class QueueService implements OnModuleInit, OnModuleDestroy {
   * Handle task failure
   */
  private async handleTaskFailure(taskId: string, error: Error): Promise<void> {
    const session = this.spawnerService?.findAgentSessionByTaskId(taskId);
    if (session) {
      this.spawnerService?.setSessionState(session.agentId, "failed", error.message, new Date());
      if (this.lifecycleService) {
        await this.lifecycleService.transitionToFailed(session.agentId, error.message);
      }
    }
    await this.valkeyService.updateTaskStatus(taskId, "failed", undefined, error.message);
    await this.valkeyService.publishEvent({
@@ -284,12 +319,25 @@ export class QueueService implements OnModuleInit, OnModuleDestroy {
   * Handle task completion
   */
  private async handleTaskCompletion(taskId: string): Promise<void> {
    const session = this.spawnerService?.findAgentSessionByTaskId(taskId);
    if (session) {
      this.spawnerService?.setSessionState(session.agentId, "completed", undefined, new Date());
      if (this.lifecycleService) {
        await this.lifecycleService.transitionToCompleted(session.agentId);
      }
    } else {
      this.logger.warn(
        `Queue completed task ${taskId} but no session was found; using queue-only completion state`
      );
    }
    await this.valkeyService.updateTaskStatus(taskId, "completed");
    await this.valkeyService.publishEvent({
      type: "task.completed",
      timestamp: new Date().toISOString(),
      taskId,
      ...(session && { agentId: session.agentId }),
    });
  }
 }
--- a/apps/orchestrator/src/spawner/agent-lifecycle.service.ts
+++ b/apps/orchestrator/src/spawner/agent-lifecycle.service.ts
@@ -37,6 +37,24 @@ export class AgentLifecycleService {
    this.logger.log("AgentLifecycleService initialized");
  }
  /**
   * Register a newly spawned agent in persistent state and emit spawned event.
   */
  async registerSpawnedAgent(agentId: string, taskId: string): Promise<AgentState> {
    await this.valkeyService.createAgent(agentId, taskId);
    const createdState = await this.getAgentState(agentId);
    const event: AgentEvent = {
      type: "agent.spawned",
      agentId,
      taskId,
      timestamp: new Date().toISOString(),
    };
    await this.valkeyService.publishEvent(event);
    return createdState;
  }
  /**
   * Acquire a per-agent mutex to serialize state transitions.
   * Uses promise chaining: each caller chains onto the previous lock,
--- a/apps/orchestrator/src/spawner/agent-spawner.service.spec.ts
+++ b/apps/orchestrator/src/spawner/agent-spawner.service.spec.ts
@@ -12,6 +12,9 @@ describe("AgentSpawnerService", () => {
    // Create mock ConfigService
    mockConfigService = {
      get: vi.fn((key: string) => {
        if (key === "orchestrator.aiProvider") {
          return "ollama";
        }
        if (key === "orchestrator.claude.apiKey") {
          return "test-api-key";
        }
@@ -31,19 +34,80 @@ describe("AgentSpawnerService", () => {
      expect(service).toBeDefined();
    });
-    it("should initialize with Claude API key from config", () => {
+    it("should initialize with default AI provider when API key is omitted", () => {
      const noClaudeConfigService = {
        get: vi.fn((key: string) => {
          if (key === "orchestrator.aiProvider") {
            return "ollama";
          }
          if (key === "orchestrator.spawner.maxConcurrentAgents") {
            return 20;
          }
          if (key === "orchestrator.spawner.sessionCleanupDelayMs") {
            return 30000;
          }
          return undefined;
        }),
      } as unknown as ConfigService;
      const serviceNoKey = new AgentSpawnerService(noClaudeConfigService);
      expect(serviceNoKey).toBeDefined();
    });
    it("should initialize with Claude provider when key is present", () => {
      expect(mockConfigService.get).toHaveBeenCalledWith("orchestrator.claude.apiKey");
    });
-    it("should throw error if Claude API key is missing", () => {
+    it("should initialize with CLAUDE provider when API key is present", () => {
      const claudeConfigService = {
        get: vi.fn((key: string) => {
          if (key === "orchestrator.aiProvider") {
            return "claude";
          }
          if (key === "orchestrator.claude.apiKey") {
            return "test-api-key";
          }
          if (key === "orchestrator.spawner.maxConcurrentAgents") {
            return 20;
          }
          return undefined;
        }),
      } as unknown as ConfigService;
      const claudeService = new AgentSpawnerService(claudeConfigService);
      expect(claudeService).toBeDefined();
    });
    it("should throw error if Claude API key is missing when provider is claude", () => {
      const badConfigService = {
-        get: vi.fn(() => undefined),
+        get: vi.fn((key: string) => {
          if (key === "orchestrator.aiProvider") {
            return "claude";
          }
          return undefined;
        }),
      } as unknown as ConfigService;
      expect(() => new AgentSpawnerService(badConfigService)).toThrow(
-        "CLAUDE_API_KEY is not configured"
+        "CLAUDE_API_KEY is required when AI_PROVIDER is set to 'claude'"
      );
    });
    it("should still initialize when CLAUDE_API_KEY is missing for non-Claude provider", () => {
      const nonClaudeConfigService = {
        get: vi.fn((key: string) => {
          if (key === "orchestrator.aiProvider") {
            return "ollama";
          }
          if (key === "orchestrator.spawner.maxConcurrentAgents") {
            return 20;
          }
          return undefined;
        }),
      } as unknown as ConfigService;
      expect(() => new AgentSpawnerService(nonClaudeConfigService)).not.toThrow();
    });
  });
  describe("spawnAgent", () => {
--- a/apps/orchestrator/src/spawner/agent-spawner.service.ts
+++ b/apps/orchestrator/src/spawner/agent-spawner.service.ts
@@ -14,6 +14,8 @@ import {
 * This allows time for status queries before the session is removed
 */
 const DEFAULT_SESSION_CLEANUP_DELAY_MS = 30000; // 30 seconds
 const SUPPORTED_AI_PROVIDERS = ["ollama", "claude", "openai"] as const;
 type SupportedAiProvider = (typeof SUPPORTED_AI_PROVIDERS)[number];
 /**
 * Service responsible for spawning Claude agents using Anthropic SDK
@@ -21,22 +23,38 @@ const DEFAULT_SESSION_CLEANUP_DELAY_MS = 30000; // 30 seconds
@Injectable()
 export class AgentSpawnerService implements OnModuleDestroy {
  private readonly logger = new Logger(AgentSpawnerService.name);
-  private readonly anthropic: Anthropic;
+  private readonly anthropic: Anthropic | undefined;
  private readonly aiProvider: SupportedAiProvider;
  private readonly sessions = new Map<string, AgentSession>();
  private readonly maxConcurrentAgents: number;
  private readonly sessionCleanupDelayMs: number;
  private readonly cleanupTimers = new Map<string, NodeJS.Timeout>();
  constructor(private readonly configService: ConfigService) {
    const configuredProvider = this.configService.get<string>("orchestrator.aiProvider");
    this.aiProvider = this.normalizeAiProvider(configuredProvider);
    this.logger.log(`AgentSpawnerService resolved AI provider: ${this.aiProvider}`);
    const apiKey = this.configService.get<string>("orchestrator.claude.apiKey");
    if (this.aiProvider === "claude") {
      if (!apiKey) {
-      throw new Error("CLAUDE_API_KEY is not configured");
+        throw new Error("CLAUDE_API_KEY is required when AI_PROVIDER is set to 'claude'");
      }
-    this.anthropic = new Anthropic({
+      this.logger.log("CLAUDE_API_KEY is configured. Initializing Anthropic client.");
-      apiKey,
+      this.anthropic = new Anthropic({ apiKey });
-    });
+    } else {
      if (apiKey) {
        this.logger.debug(
          `CLAUDE_API_KEY is set but ignored because AI provider is '${this.aiProvider}'`
        );
      } else {
        this.logger.log(`CLAUDE_API_KEY not required for AI provider '${this.aiProvider}'.`);
      }
      this.anthropic = undefined;
    }
    // Default to 20 if not configured
    this.maxConcurrentAgents =
@@ -48,10 +66,27 @@ export class AgentSpawnerService implements OnModuleDestroy {
      DEFAULT_SESSION_CLEANUP_DELAY_MS;
    this.logger.log(
-      `AgentSpawnerService initialized with Claude SDK (max concurrent agents: ${String(this.maxConcurrentAgents)}, cleanup delay: ${String(this.sessionCleanupDelayMs)}ms)`
+      `AgentSpawnerService initialized with ${this.aiProvider} AI provider (max concurrent agents: ${String(
        this.maxConcurrentAgents
      )}, cleanup delay: ${String(this.sessionCleanupDelayMs)}ms)`
    );
  }
  private normalizeAiProvider(provider?: string): SupportedAiProvider {
    const normalizedProvider = provider?.trim().toLowerCase();
    if (!normalizedProvider) {
      return "ollama";
    }
    if (!SUPPORTED_AI_PROVIDERS.includes(normalizedProvider as SupportedAiProvider)) {
      this.logger.warn(`Unsupported AI provider '${normalizedProvider}'. Defaulting to 'ollama'.`);
      return "ollama";
    }
    return normalizedProvider as SupportedAiProvider;
  }
  /**
   * Clean up all pending cleanup timers on module destroy
   */
@@ -116,6 +151,33 @@ export class AgentSpawnerService implements OnModuleDestroy {
    return this.sessions.get(agentId);
  }
  /**
   * Find an active session by task ID.
   */
  findAgentSessionByTaskId(taskId: string): AgentSession | undefined {
    return Array.from(this.sessions.values()).find((session) => session.taskId === taskId);
  }
  /**
   * Update in-memory session state for visibility in list/status endpoints.
   */
  setSessionState(
    agentId: string,
    state: AgentSession["state"],
    error?: string,
    completedAt?: Date
  ): void {
    const session = this.sessions.get(agentId);
    if (!session) return;
    session.state = state;
    session.error = error;
    if (completedAt) {
      session.completedAt = completedAt;
    }
    this.sessions.set(agentId, session);
  }
  /**
   * List all agent sessions
   * @returns Array of all agent sessions
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -1,6 +1,3 @@
 # syntax=docker/dockerfile:1
 # Enable BuildKit features for cache mounts
 # Base image for all stages
 # Uses Debian slim (glibc) for consistency with API/orchestrator and to prevent
 # future native addon compatibility issues with Alpine's musl libc.
@@ -27,9 +24,22 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
-# Install dependencies with pnpm store cache
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+RUN pnpm install --frozen-lockfile
-    pnpm install --frozen-lockfile
+
 # ======================
 # Production dependencies stage
 # ======================
 FROM base AS prod-deps
 # Copy all package.json files for workspace resolution
 COPY packages/shared/package.json ./packages/shared/
 COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
 # Install production dependencies only
 RUN pnpm install --frozen-lockfile --prod
 # ======================
 # Builder stage
@@ -79,23 +89,19 @@ RUN mkdir -p ./apps/web/public
 # ======================
 FROM node:24-slim AS production
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
+# Install dumb-init for proper signal handling (static binary from GitHub,
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-# Install pnpm (needed for pnpm start command)
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
-RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
-
+    && chmod 755 /usr/local/bin/dumb-init \
-# Install dumb-init for proper signal handling
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
 RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
    && rm -rf /var/lib/apt/lists/*
 # Create non-root user
 RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
 WORKDIR /app
 # Copy node_modules from builder (includes all dependencies in pnpm store)
-COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=prod-deps --chown=nextjs:nodejs /app/node_modules ./node_modules
 # Copy built packages (includes dist/ directories)
 COPY --from=builder --chown=nextjs:nodejs /app/packages ./packages
@@ -106,7 +112,7 @@ COPY --from=builder --chown=nextjs:nodejs /app/apps/web/public ./apps/web/public
 COPY --from=builder --chown=nextjs:nodejs /app/apps/web/next.config.ts ./apps/web/
 COPY --from=builder --chown=nextjs:nodejs /app/apps/web/package.json ./apps/web/
 # Copy app's node_modules which contains symlinks to root node_modules
-COPY --from=builder --chown=nextjs:nodejs /app/apps/web/node_modules ./apps/web/node_modules
+COPY --from=prod-deps --chown=nextjs:nodejs /app/apps/web/node_modules ./apps/web/node_modules
 # Set working directory to web app
 WORKDIR /app/apps/web
@@ -120,6 +126,7 @@ EXPOSE ${PORT:-3000}
 # Environment variables
 ENV NODE_ENV=production
 ENV HOSTNAME="0.0.0.0"
 ENV PATH="/app/apps/web/node_modules/.bin:${PATH}"
 # Health check uses PORT env var (set by docker-compose or defaults to 3000)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
@@ -129,4 +136,4 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
 ENTRYPOINT ["dumb-init", "--"]
 # Start the application
-CMD ["pnpm", "start"]
+CMD ["next", "start"]
--- a/apps/web/next-env.d.ts
+++ b/apps/web/next-env.d.ts
@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
+import "./.next/dev/types/routes.d.ts";
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -1,5 +1,16 @@
 import type { NextConfig } from "next";
 const defaultAuthMode = process.env.NODE_ENV === "development" ? "mock" : "real";
 const authMode = (process.env.NEXT_PUBLIC_AUTH_MODE ?? defaultAuthMode).toLowerCase();
 if (!["real", "mock"].includes(authMode)) {
  throw new Error(`Invalid NEXT_PUBLIC_AUTH_MODE "${authMode}". Expected one of: real, mock.`);
 }
 if (authMode === "mock" && process.env.NODE_ENV !== "development") {
  throw new Error("NEXT_PUBLIC_AUTH_MODE=mock is only allowed for local development.");
 }
 const nextConfig: NextConfig = {
  transpilePackages: ["@mosaic/ui", "@mosaic/shared"],
 };
--- a/apps/web/src/app/(auth)/login/page.mock-mode.test.tsx
+++ b/apps/web/src/app/(auth)/login/page.mock-mode.test.tsx
@@ -0,0 +1,87 @@
 import { describe, it, expect, vi, beforeEach, type Mock } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import LoginPage from "./page";
 const { mockPush, mockReplace, mockSearchParams, authState } = vi.hoisted(() => ({
  mockPush: vi.fn(),
  mockReplace: vi.fn(),
  mockSearchParams: new URLSearchParams(),
  authState: {
    isAuthenticated: false,
    refreshSession: vi.fn(),
  },
 }));
 const { mockFetchWithRetry } = vi.hoisted(() => ({
  mockFetchWithRetry: vi.fn(),
 }));
 vi.mock("next/navigation", () => ({
  useRouter: (): { push: Mock; replace: Mock } => ({
    push: mockPush,
    replace: mockReplace,
  }),
  useSearchParams: (): URLSearchParams => mockSearchParams,
 }));
 vi.mock("@/lib/config", () => ({
  API_BASE_URL: "http://localhost:3001",
  IS_MOCK_AUTH_MODE: true,
 }));
 vi.mock("@/lib/auth-client", () => ({
  signIn: {
    oauth2: vi.fn(),
    email: vi.fn(),
  },
 }));
 vi.mock("@/lib/auth/auth-context", () => ({
  useAuth: (): { isAuthenticated: boolean; refreshSession: Mock } => ({
    isAuthenticated: authState.isAuthenticated,
    refreshSession: authState.refreshSession,
  }),
 }));
 vi.mock("@/lib/auth/fetch-with-retry", () => ({
  fetchWithRetry: mockFetchWithRetry,
 }));
 describe("LoginPage (mock auth mode)", (): void => {
  beforeEach((): void => {
    vi.clearAllMocks();
    mockSearchParams.delete("error");
    authState.isAuthenticated = false;
    authState.refreshSession.mockResolvedValue(undefined);
  });
  it("should render mock auth controls", (): void => {
    render(<LoginPage />);
    expect(screen.getByText(/local mock auth mode is active/i)).toBeInTheDocument();
    expect(screen.getByTestId("mock-auth-login")).toBeInTheDocument();
    expect(mockFetchWithRetry).not.toHaveBeenCalled();
  });
  it("should continue with mock session and navigate to tasks", async (): Promise<void> => {
    const user = userEvent.setup();
    render(<LoginPage />);
    await user.click(screen.getByTestId("mock-auth-login"));
    await waitFor(() => {
      expect(authState.refreshSession).toHaveBeenCalledTimes(1);
      expect(mockPush).toHaveBeenCalledWith("/tasks");
    });
  });
  it("should auto-redirect authenticated mock users to tasks", async (): Promise<void> => {
    authState.isAuthenticated = true;
    render(<LoginPage />);
    await waitFor(() => {
      expect(mockReplace).toHaveBeenCalledWith("/tasks");
    });
  });
 });
--- a/apps/web/src/app/(auth)/login/page.test.tsx
+++ b/apps/web/src/app/(auth)/login/page.test.tsx
@@ -16,6 +16,11 @@ const { mockOAuth2, mockSignInEmail, mockPush, mockReplace, mockSearchParams } =
  mockSearchParams: new URLSearchParams(),
 }));
 const { mockRefreshSession, mockIsAuthenticated } = vi.hoisted(() => ({
  mockRefreshSession: vi.fn(),
  mockIsAuthenticated: false,
 }));
 vi.mock("next/navigation", () => ({
  useRouter: (): { push: Mock; replace: Mock } => ({
    push: mockPush,
@@ -33,6 +38,14 @@ vi.mock("@/lib/auth-client", () => ({
 vi.mock("@/lib/config", () => ({
  API_BASE_URL: "http://localhost:3001",
  IS_MOCK_AUTH_MODE: false,
 }));
 vi.mock("@/lib/auth/auth-context", () => ({
  useAuth: (): { isAuthenticated: boolean; refreshSession: Mock } => ({
    isAuthenticated: mockIsAuthenticated,
    refreshSession: mockRefreshSession,
  }),
 }));
 // Mock fetchWithRetry to behave like fetch for test purposes
@@ -91,6 +104,7 @@ describe("LoginPage", (): void => {
    mockSearchParams.delete("error");
    // Default: OAuth2 returns a resolved promise (fire-and-forget redirect)
    mockOAuth2.mockResolvedValue(undefined);
    mockRefreshSession.mockResolvedValue(undefined);
  });
  it("renders loading state initially", (): void => {
@@ -104,19 +118,28 @@ describe("LoginPage", (): void => {
    expect(screen.getByText("Loading authentication options")).toBeInTheDocument();
  });
-  it("renders the page heading and description", (): void => {
+  it("renders the page heading and description", async (): Promise<void> => {
    mockFetchConfig(EMAIL_ONLY_CONFIG);
    render(<LoginPage />);
    await waitFor((): void => {
      expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
    });
    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Welcome to Mosaic Stack");
    expect(screen.getByText(/Your personal assistant platform/i)).toBeInTheDocument();
  });
-  it("has proper layout styling", (): void => {
+  it("has proper layout styling", async (): Promise<void> => {
    mockFetchConfig(EMAIL_ONLY_CONFIG);
    const { container } = render(<LoginPage />);
    await waitFor((): void => {
      expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
    });
    const main = container.querySelector("main");
    expect(main).toHaveClass("flex", "min-h-screen");
  });
@@ -267,7 +290,7 @@ describe("LoginPage", (): void => {
    expect(mockOAuth2).toHaveBeenCalledWith({
      providerId: "authentik",
-      callbackURL: "/",
+      callbackURL: "http://localhost:3000/",
    });
  });
@@ -430,37 +453,56 @@ describe("LoginPage", (): void => {
  /* ------------------------------------------------------------------ */
  describe("responsive layout", (): void => {
-    it("applies mobile-first padding to main element", (): void => {
+    it("applies mobile-first padding to main element", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);
      const { container } = render(<LoginPage />);
      await waitFor((): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });
      const main = container.querySelector("main");
      expect(main).toHaveClass("p-4", "sm:p-8");
    });
-    it("applies responsive text size to heading", (): void => {
+    it("applies responsive text size to heading", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);
      render(<LoginPage />);
      await waitFor((): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });
      const heading = screen.getByRole("heading", { level: 1 });
      expect(heading).toHaveClass("text-2xl", "sm:text-4xl");
    });
-    it("applies responsive padding to card container", (): void => {
+    it("applies responsive padding to card container", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);
      const { container } = render(<LoginPage />);
      await waitFor((): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });
      const card = container.querySelector(".bg-white");
      expect(card).toHaveClass("p-4", "sm:p-8");
    });
-    it("card container has full width with max-width constraint", (): void => {
+    it("card container has full width with max-width constraint", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);
      const { container } = render(<LoginPage />);
      await waitFor((): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });
      const wrapper = container.querySelector(".max-w-md");
      expect(wrapper).toHaveClass("w-full", "max-w-md");
@@ -539,7 +581,9 @@ describe("LoginPage", (): void => {
      });
      // LoginForm auto-focuses the email input on mount
      await waitFor((): void => {
        expect(screen.getByLabelText(/email/i)).toHaveFocus();
      });
      // Tab forward through form: email -> password -> submit
      await user.tab();
--- a/apps/web/src/app/(auth)/login/page.tsx
+++ b/apps/web/src/app/(auth)/login/page.tsx
@@ -5,10 +5,11 @@ import type { ReactElement } from "react";
 import { useRouter, useSearchParams } from "next/navigation";
 import { Loader2 } from "lucide-react";
 import type { AuthConfigResponse, AuthProviderConfig } from "@mosaic/shared";
-import { API_BASE_URL } from "@/lib/config";
+import { API_BASE_URL, IS_MOCK_AUTH_MODE } from "@/lib/config";
 import { signIn } from "@/lib/auth-client";
 import { fetchWithRetry } from "@/lib/auth/fetch-with-retry";
 import { parseAuthError } from "@/lib/auth/auth-errors";
 import { useAuth } from "@/lib/auth/auth-context";
 import { OAuthButton } from "@/components/auth/OAuthButton";
 import { LoginForm } from "@/components/auth/LoginForm";
 import { AuthDivider } from "@/components/auth/AuthDivider";
@@ -45,6 +46,7 @@ export default function LoginPage(): ReactElement {
 function LoginPageContent(): ReactElement {
  const router = useRouter();
  const searchParams = useSearchParams();
  const { isAuthenticated, refreshSession } = useAuth();
  const [config, setConfig] = useState<AuthConfigResponse | null | undefined>(undefined);
  const [loadingConfig, setLoadingConfig] = useState(true);
  const [retryCount, setRetryCount] = useState(0);
@@ -68,6 +70,18 @@ function LoginPageContent(): ReactElement {
  }, [searchParams, router]);
  useEffect(() => {
    if (IS_MOCK_AUTH_MODE && isAuthenticated) {
      router.replace("/tasks");
    }
  }, [isAuthenticated, router]);
  useEffect(() => {
    if (IS_MOCK_AUTH_MODE) {
      setConfig({ providers: [] });
      setLoadingConfig(false);
      return;
    }
    let cancelled = false;
    async function fetchConfig(): Promise<void> {
@@ -113,7 +127,9 @@ function LoginPageContent(): ReactElement {
  const handleOAuthLogin = useCallback((providerId: string): void => {
    setOauthLoading(providerId);
    setError(null);
-    signIn.oauth2({ providerId, callbackURL: "/" }).catch((err: unknown) => {
+    const callbackURL =
      typeof window !== "undefined" ? new URL("/", window.location.origin).toString() : "/";
    signIn.oauth2({ providerId, callbackURL }).catch((err: unknown) => {
      const message = err instanceof Error ? err.message : String(err);
      console.error(`[Auth] OAuth sign-in initiation failed for ${providerId}:`, message);
      setError("Unable to connect to the sign-in provider. Please try again in a moment.");
@@ -156,6 +172,48 @@ function LoginPageContent(): ReactElement {
    setRetryCount((c) => c + 1);
  }, []);
  const handleMockLogin = useCallback(async (): Promise<void> => {
    setError(null);
    try {
      await refreshSession();
      router.push("/tasks");
    } catch (err: unknown) {
      const parsed = parseAuthError(err);
      setError(parsed.message);
    }
  }, [refreshSession, router]);
  if (IS_MOCK_AUTH_MODE) {
    return (
      <main className="flex min-h-screen flex-col items-center justify-center p-4 sm:p-8 bg-gray-50">
        <div className="w-full max-w-md space-y-8">
          <div className="text-center">
            <h1 className="text-2xl sm:text-4xl font-bold mb-4">Welcome to Mosaic Stack</h1>
            <p className="text-base sm:text-lg text-gray-600">
              Local mock auth mode is active. Real sign-in is bypassed for frontend development.
            </p>
          </div>
          <div className="bg-white p-4 sm:p-8 rounded-lg shadow-md space-y-4">
            <div className="rounded-md border border-amber-300 bg-amber-50 p-3 text-sm text-amber-900">
              Mock auth mode is local-only and blocked outside development.
            </div>
            {error && <AuthErrorBanner message={error} />}
            <button
              type="button"
              onClick={() => {
                void handleMockLogin();
              }}
              className="w-full rounded-md bg-blue-600 px-4 py-2 text-sm font-medium text-white hover:bg-blue-700 transition-colors"
              data-testid="mock-auth-login"
            >
              Continue with Mock Session
            </button>
          </div>
        </div>
      </main>
    );
  }
  return (
    <main className="flex min-h-screen flex-col items-center justify-center p-4 sm:p-8 bg-gray-50">
      <div className="w-full max-w-md space-y-8">
--- a/apps/web/src/app/(authenticated)/layout.tsx
+++ b/apps/web/src/app/(authenticated)/layout.tsx
@@ -3,6 +3,7 @@
 import { useEffect } from "react";
 import { useRouter } from "next/navigation";
 import { useAuth } from "@/lib/auth/auth-context";
 import { IS_MOCK_AUTH_MODE } from "@/lib/config";
 import { Navigation } from "@/components/layout/Navigation";
 import { ChatOverlay } from "@/components/chat";
 import type { ReactNode } from "react";
@@ -36,8 +37,18 @@ export default function AuthenticatedLayout({
  return (
    <div className="min-h-screen bg-gray-50">
      <Navigation />
-      <div className="pt-16">{children}</div>
+      <div className="pt-16">
-      <ChatOverlay />
+        {IS_MOCK_AUTH_MODE && (
          <div
            className="border-b border-amber-300 bg-amber-50 px-4 py-2 text-sm text-amber-900"
            data-testid="mock-auth-banner"
          >
            Mock Auth Mode (Local Only): Real authentication is bypassed for frontend development.
          </div>
        )}
        {children}
      </div>
      {!IS_MOCK_AUTH_MODE && <ChatOverlay />}
    </div>
  );
 }
--- a/apps/web/src/app/(authenticated)/usage/page.test.tsx
+++ b/apps/web/src/app/(authenticated)/usage/page.test.tsx
@@ -1,5 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import { render, screen, waitFor, fireEvent } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import type { ReactNode } from "react";
 import UsagePage from "./page";
@@ -113,6 +114,15 @@ function setupMocks(overrides?: { empty?: boolean; error?: boolean }): void {
  vi.mocked(fetchTaskOutcomes).mockResolvedValue(mockTaskOutcomes);
 }
 function setupPendingMocks(): void {
  // eslint-disable-next-line @typescript-eslint/no-empty-function -- intentionally unresolved for loading-state test
  const pending = new Promise<never>(() => {});
  vi.mocked(fetchUsageSummary).mockReturnValue(pending);
  vi.mocked(fetchTokenUsage).mockReturnValue(pending);
  vi.mocked(fetchCostBreakdown).mockReturnValue(pending);
  vi.mocked(fetchTaskOutcomes).mockReturnValue(pending);
 }
 // ─── Tests ───────────────────────────────────────────────────────────
 describe("UsagePage", (): void => {
@@ -120,23 +130,32 @@ describe("UsagePage", (): void => {
    vi.clearAllMocks();
  });
-  it("should render the page title and subtitle", (): void => {
+  it("should render the page title and subtitle", async (): Promise<void> => {
    setupMocks();
    render(<UsagePage />);
    await waitFor((): void => {
      expect(screen.getByTestId("summary-cards")).toBeInTheDocument();
    });
    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Usage");
    expect(screen.getByText("Token usage and cost overview")).toBeInTheDocument();
  });
-  it("should have proper layout structure", (): void => {
+  it("should have proper layout structure", async (): Promise<void> => {
    setupMocks();
    const { container } = render(<UsagePage />);
    await waitFor((): void => {
      expect(screen.getByTestId("summary-cards")).toBeInTheDocument();
    });
    const main = container.querySelector("main");
    expect(main).toBeInTheDocument();
  });
  it("should show loading skeleton initially", (): void => {
-    setupMocks();
+    setupPendingMocks();
    render(<UsagePage />);
    expect(screen.getByTestId("loading-skeleton")).toBeInTheDocument();
  });
@@ -171,25 +190,34 @@ describe("UsagePage", (): void => {
    });
  });
-  it("should render the time range selector with three options", (): void => {
+  it("should render the time range selector with three options", async (): Promise<void> => {
    setupMocks();
    render(<UsagePage />);
    await waitFor((): void => {
      expect(screen.getByTestId("summary-cards")).toBeInTheDocument();
    });
    expect(screen.getByText("7 Days")).toBeInTheDocument();
    expect(screen.getByText("30 Days")).toBeInTheDocument();
    expect(screen.getByText("90 Days")).toBeInTheDocument();
  });
-  it("should have 30 Days selected by default", (): void => {
+  it("should have 30 Days selected by default", async (): Promise<void> => {
    setupMocks();
    render(<UsagePage />);
    await waitFor((): void => {
      expect(screen.getByTestId("summary-cards")).toBeInTheDocument();
    });
    const button30d = screen.getByText("30 Days");
    expect(button30d).toHaveAttribute("aria-pressed", "true");
  });
  it("should change time range when a different option is clicked", async (): Promise<void> => {
    setupMocks();
    const user = userEvent.setup();
    render(<UsagePage />);
    // Wait for initial load
@@ -199,7 +227,11 @@ describe("UsagePage", (): void => {
    // Click 7 Days
    const button7d = screen.getByText("7 Days");
-    fireEvent.click(button7d);
+    await user.click(button7d);
    await waitFor((): void => {
      expect(fetchUsageSummary).toHaveBeenCalledWith("7d");
    });
    expect(button7d).toHaveAttribute("aria-pressed", "true");
    expect(screen.getByText("30 Days")).toHaveAttribute("aria-pressed", "false");
--- a/apps/web/src/app/api/orchestrator/agents/route.ts
+++ b/apps/web/src/app/api/orchestrator/agents/route.ts
@@ -0,0 +1,59 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 /**
 * Server-side proxy for orchestrator agent status.
 * Keeps ORCHESTRATOR_API_KEY out of browser code.
 */
 export async function GET(): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  const controller = new AbortController();
  const timeout = setTimeout(() => {
    controller.abort();
  }, 10_000);
  try {
    const response = await fetch(`${getOrchestratorUrl()}/agents`, {
      method: "GET",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
      signal: controller.signal,
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch (error) {
    const message =
      error instanceof Error && error.name === "AbortError"
        ? "Orchestrator request timed out."
        : "Unable to reach orchestrator.";
    return NextResponse.json({ error: message }, { status: 502 });
  } finally {
    clearTimeout(timeout);
  }
 }
--- a/apps/web/src/app/api/orchestrator/events/recent/route.ts
+++ b/apps/web/src/app/api/orchestrator/events/recent/route.ts
@@ -0,0 +1,47 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function GET(request: NextRequest): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  const limit = request.nextUrl.searchParams.get("limit");
  const query = limit ? `?limit=${encodeURIComponent(limit)}` : "";
  try {
    const response = await fetch(`${getOrchestratorUrl()}/agents/events/recent${query}`, {
      method: "GET",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/app/api/orchestrator/events/route.ts
+++ b/apps/web/src/app/api/orchestrator/events/route.ts
@@ -0,0 +1,50 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function GET(): Promise<Response> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  try {
    const upstream = await fetch(`${getOrchestratorUrl()}/agents/events`, {
      method: "GET",
      headers: {
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    if (!upstream.ok || !upstream.body) {
      const text = await upstream.text();
      return new NextResponse(text || "Failed to connect to orchestrator events stream", {
        status: upstream.status || 502,
      });
    }
    return new Response(upstream.body, {
      status: 200,
      headers: {
        "Content-Type": "text/event-stream",
        "Cache-Control": "no-cache, no-transform",
        Connection: "keep-alive",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/app/api/orchestrator/health/route.ts
+++ b/apps/web/src/app/api/orchestrator/health/route.ts
@@ -0,0 +1,43 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function GET(): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  try {
    const response = await fetch(`${getOrchestratorUrl()}/health/ready`, {
      method: "GET",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/app/api/orchestrator/queue/pause/route.ts
+++ b/apps/web/src/app/api/orchestrator/queue/pause/route.ts
@@ -0,0 +1,43 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function POST(): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  try {
    const response = await fetch(`${getOrchestratorUrl()}/queue/pause`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/app/api/orchestrator/queue/resume/route.ts
+++ b/apps/web/src/app/api/orchestrator/queue/resume/route.ts
@@ -0,0 +1,43 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function POST(): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  try {
    const response = await fetch(`${getOrchestratorUrl()}/queue/resume`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/app/api/orchestrator/queue/stats/route.ts
+++ b/apps/web/src/app/api/orchestrator/queue/stats/route.ts
@@ -0,0 +1,43 @@
 import { NextResponse } from "next/server";
 const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
 function getOrchestratorUrl(): string {
  return (
    process.env.ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
    process.env.NEXT_PUBLIC_API_URL ??
    DEFAULT_ORCHESTRATOR_URL
  );
 }
 export async function GET(): Promise<NextResponse> {
  const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
  if (!orchestratorApiKey) {
    return NextResponse.json(
      { error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
      { status: 503 }
    );
  }
  try {
    const response = await fetch(`${getOrchestratorUrl()}/queue/stats`, {
      method: "GET",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": orchestratorApiKey,
      },
      cache: "no-store",
    });
    const text = await response.text();
    return new NextResponse(text, {
      status: response.status,
      headers: {
        "Content-Type": response.headers.get("Content-Type") ?? "application/json",
      },
    });
  } catch {
    return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
  }
 }
--- a/apps/web/src/components/hud/HUD.tsx
+++ b/apps/web/src/components/hud/HUD.tsx
@@ -55,6 +55,15 @@ const WIDGET_REGISTRY = {
    minWidth: 1,
    minHeight: 1,
  },
  OrchestratorEventsWidget: {
    name: "orchestrator-events",
    displayName: "Orchestrator Events",
    description: "Recent events and stream health for orchestration",
    defaultWidth: 2,
    defaultHeight: 2,
    minWidth: 1,
    minHeight: 1,
  },
 } as const;
 type WidgetRegistryKey = keyof typeof WIDGET_REGISTRY;
@@ -73,7 +82,7 @@ export function HUD({ className = "" }: HUDProps): React.JSX.Element {
  const handleAddWidget = (widgetType: WidgetRegistryKey): void => {
    const widgetConfig = WIDGET_REGISTRY[widgetType];
-    const widgetId = `${widgetType.toLowerCase()}-${String(Date.now())}`;
+    const widgetId = `${widgetConfig.name}-${String(Date.now())}`;
    // Find the next available position
    const maxY = currentLayout?.layout.reduce((max, w): number => Math.max(max, w.y + w.h), 0) ?? 0;
--- a/apps/web/src/components/hud/WidgetRenderer.test.tsx
+++ b/apps/web/src/components/hud/WidgetRenderer.test.tsx
@@ -0,0 +1,47 @@
 import { render, screen } from "@testing-library/react";
 import { describe, it, expect, vi } from "vitest";
 import { WidgetRenderer } from "./WidgetRenderer";
 import type { WidgetPlacement } from "@mosaic/shared";
 vi.mock("@/components/widgets", () => ({
  TasksWidget: ({ id }: { id: string }): React.JSX.Element => <div>Tasks Widget {id}</div>,
  CalendarWidget: ({ id }: { id: string }): React.JSX.Element => <div>Calendar Widget {id}</div>,
  QuickCaptureWidget: ({ id }: { id: string }): React.JSX.Element => (
    <div>Quick Capture Widget {id}</div>
  ),
  AgentStatusWidget: ({ id }: { id: string }): React.JSX.Element => (
    <div>Agent Status Widget {id}</div>
  ),
  OrchestratorEventsWidget: ({ id }: { id: string }): React.JSX.Element => (
    <div>Orchestrator Events Widget {id}</div>
  ),
 }));
 function createWidgetPlacement(id: string): WidgetPlacement {
  return {
    i: id,
    x: 0,
    y: 0,
    w: 2,
    h: 2,
  };
 }
 describe("WidgetRenderer", () => {
  it("renders hyphenated quick-capture widget IDs correctly", () => {
    render(<WidgetRenderer widget={createWidgetPlacement("quick-capture-123")} />);
    expect(screen.getByText("Quick Capture Widget quick-capture-123")).toBeInTheDocument();
  });
  it("renders hyphenated agent-status widget IDs correctly", () => {
    render(<WidgetRenderer widget={createWidgetPlacement("agent-status-123")} />);
    expect(screen.getByText("Agent Status Widget agent-status-123")).toBeInTheDocument();
  });
  it("renders hyphenated orchestrator-events widget IDs correctly", () => {
    render(<WidgetRenderer widget={createWidgetPlacement("orchestrator-events-123")} />);
    expect(
      screen.getByText("Orchestrator Events Widget orchestrator-events-123")
    ).toBeInTheDocument();
  });
 });
--- a/apps/web/src/components/hud/WidgetRenderer.tsx
+++ b/apps/web/src/components/hud/WidgetRenderer.tsx
@@ -10,6 +10,7 @@ import {
  CalendarWidget,
  QuickCaptureWidget,
  AgentStatusWidget,
  OrchestratorEventsWidget,
 } from "@/components/widgets";
 import type { WidgetPlacement } from "@mosaic/shared";
@@ -24,6 +25,7 @@ const WIDGET_COMPONENTS = {
  calendar: CalendarWidget,
  "quick-capture": QuickCaptureWidget,
  "agent-status": AgentStatusWidget,
  "orchestrator-events": OrchestratorEventsWidget,
 };
 const WIDGET_CONFIG = {
@@ -43,6 +45,10 @@ const WIDGET_CONFIG = {
    displayName: "Agent Status",
    description: "View running agent sessions",
  },
  "orchestrator-events": {
    displayName: "Orchestrator Events",
    description: "Recent orchestration events and stream health",
  },
 };
 export function WidgetRenderer({
@@ -50,8 +56,12 @@ export function WidgetRenderer({
  isEditing = false,
  onRemove,
 }: WidgetRendererProps): React.JSX.Element {
-  // Extract widget type from ID (e.g., "tasks-123" -> "tasks")
+  // Extract widget type from ID by removing the trailing unique suffix
-  const widgetType = widget.i.split("-")[0] as keyof typeof WIDGET_COMPONENTS;
+  // (e.g., "agent-status-123" -> "agent-status").
  const separatorIndex = widget.i.lastIndexOf("-");
  const widgetType = (
    separatorIndex > 0 ? widget.i.substring(0, separatorIndex) : widget.i
  ) as keyof typeof WIDGET_COMPONENTS;
  const WidgetComponent = WIDGET_COMPONENTS[widgetType];
  const config = WIDGET_CONFIG[widgetType] || { displayName: "Widget", description: "" };
--- a/apps/web/src/components/knowledge/LinkAutocomplete.tsx
+++ b/apps/web/src/components/knowledge/LinkAutocomplete.tsx
@@ -56,6 +56,15 @@ export function LinkAutocomplete({
  const mirrorRef = useRef<HTMLDivElement | null>(null);
  const cursorSpanRef = useRef<HTMLSpanElement | null>(null);
  // Refs for event handler to avoid stale closures when effects re-attach listeners
  const stateRef = useRef(state);
  const resultsRef = useRef(results);
  const selectedIndexRef = useRef(selectedIndex);
  const insertLinkRef = useRef<((result: SearchResult) => void) | null>(null);
  stateRef.current = state;
  resultsRef.current = results;
  selectedIndexRef.current = selectedIndex;
  /**
   * Search for knowledge entries matching the query.
   * Accepts an AbortSignal to allow cancellation of in-flight requests,
@@ -254,29 +263,32 @@ export function LinkAutocomplete({
  }, [textareaRef, state.isOpen, calculateDropdownPosition, debouncedSearch]);
  /**
-   * Handle keyboard navigation in the dropdown
+   * Handle keyboard navigation in the dropdown.
   * Reads from refs to avoid stale closures when the effect
   * that attaches this listener hasn't re-run yet.
   */
-  const handleKeyDown = useCallback(
+  const handleKeyDown = useCallback((e: KeyboardEvent): void => {
-    (e: KeyboardEvent): void => {
+    if (!stateRef.current.isOpen) return;
-      if (!state.isOpen) return;
+
    const currentResults = resultsRef.current;
    switch (e.key) {
      case "ArrowDown":
        e.preventDefault();
-          setSelectedIndex((prev) => (prev + 1) % results.length);
+        setSelectedIndex((prev) => (prev + 1) % currentResults.length);
        break;
      case "ArrowUp":
        e.preventDefault();
-          setSelectedIndex((prev) => (prev - 1 + results.length) % results.length);
+        setSelectedIndex((prev) => (prev - 1 + currentResults.length) % currentResults.length);
        break;
      case "Enter":
        e.preventDefault();
-          if (results.length > 0 && selectedIndex >= 0) {
+        if (currentResults.length > 0 && selectedIndexRef.current >= 0) {
-            const selected = results[selectedIndex];
+          const selected = currentResults[selectedIndexRef.current];
          if (selected) {
-              insertLink(selected);
+            insertLinkRef.current?.(selected);
          }
        }
        break;
@@ -292,9 +304,7 @@ export function LinkAutocomplete({
        setResults([]);
        break;
    }
-    },
+  }, []);
    [state.isOpen, results, selectedIndex]
  );
  /**
   * Insert the selected link into the textarea
@@ -330,6 +340,7 @@ export function LinkAutocomplete({
    },
    [textareaRef, state.triggerIndex, onInsert]
  );
  insertLinkRef.current = insertLink;
  /**
   * Handle click on a result
--- a/apps/web/src/components/knowledge/tests/LinkAutocomplete.test.tsx
+++ b/apps/web/src/components/knowledge/tests/LinkAutocomplete.test.tsx
@@ -1,4 +1,3 @@
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 /* eslint-disable @typescript-eslint/no-unnecessary-condition */
 import React from "react";
 import { render, screen, waitFor, fireEvent, act } from "@testing-library/react";
@@ -352,10 +351,7 @@ describe("LinkAutocomplete", (): void => {
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should perform debounced search when typing query", async (): Promise<void> => {
  it.skip("should perform debounced search when typing query", async (): Promise<void> => {
    vi.useFakeTimers();
    const mockResults = {
      data: [
        {
@@ -395,11 +391,6 @@ describe("LinkAutocomplete", (): void => {
    // Should not call API immediately
    expect(mockApiRequest).not.toHaveBeenCalled();
    // Fast-forward 300ms and let promises resolve
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(mockApiRequest).toHaveBeenCalledWith(
        "/api/knowledge/search?q=test&limit=10",
@@ -411,14 +402,9 @@ describe("LinkAutocomplete", (): void => {
    await waitFor(() => {
      expect(screen.getByText("Test Entry")).toBeInTheDocument();
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should navigate results with arrow keys", async (): Promise<void> => {
  it.skip("should navigate results with arrow keys", async (): Promise<void> => {
    vi.useFakeTimers();
    const mockResults = {
      data: [
        {
@@ -471,10 +457,6 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("Entry One")).toBeInTheDocument();
    });
@@ -484,7 +466,9 @@ describe("LinkAutocomplete", (): void => {
    expect(firstItem).toHaveClass("bg-blue-50");
    // Press ArrowDown
    act(() => {
      fireEvent.keyDown(textarea, { key: "ArrowDown" });
    });
    // Second item should now be selected
    await waitFor(() => {
@@ -493,21 +477,18 @@ describe("LinkAutocomplete", (): void => {
    });
    // Press ArrowUp
    act(() => {
      fireEvent.keyDown(textarea, { key: "ArrowUp" });
    });
    // First item should be selected again
    await waitFor(() => {
      const firstItem = screen.getByText("Entry One").closest("li");
      expect(firstItem).toHaveClass("bg-blue-50");
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should insert link on Enter key", async (): Promise<void> => {
  it.skip("should insert link on Enter key", async (): Promise<void> => {
    vi.useFakeTimers();
    const mockResults = {
      data: [
        {
@@ -544,10 +525,6 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("Test Entry")).toBeInTheDocument();
    });
@@ -558,14 +535,9 @@ describe("LinkAutocomplete", (): void => {
    await waitFor(() => {
      expect(onInsertMock).toHaveBeenCalledWith("[[test-entry|Test Entry]]");
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should insert link on click", async (): Promise<void> => {
  it.skip("should insert link on click", async (): Promise<void> => {
    vi.useFakeTimers();
    const mockResults = {
      data: [
        {
@@ -602,10 +574,6 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("Test Entry")).toBeInTheDocument();
    });
@@ -616,14 +584,9 @@ describe("LinkAutocomplete", (): void => {
    await waitFor(() => {
      expect(onInsertMock).toHaveBeenCalledWith("[[test-entry|Test Entry]]");
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should close dropdown on Escape key", async (): Promise<void> => {
  it.skip("should close dropdown on Escape key", async (): Promise<void> => {
    vi.useFakeTimers();
    render(<LinkAutocomplete textareaRef={textareaRef} onInsert={onInsertMock} />);
    const textarea = textareaRef.current;
@@ -636,28 +599,19 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
-      expect(screen.getByText(/Start typing to search/)).toBeInTheDocument();
+      expect(screen.getByText("↑↓ Navigate • Enter Select • Esc Cancel")).toBeInTheDocument();
    });
    // Press Escape
    fireEvent.keyDown(textarea, { key: "Escape" });
    await waitFor(() => {
-      expect(screen.queryByText(/Start typing to search/)).not.toBeInTheDocument();
+      expect(screen.queryByText("↑↓ Navigate • Enter Select • Esc Cancel")).not.toBeInTheDocument();
    });
  });
-    vi.useRealTimers();
+  it("should close dropdown when closing brackets are typed", async (): Promise<void> => {
  });
  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
  it.skip("should close dropdown when closing brackets are typed", async (): Promise<void> => {
    vi.useFakeTimers();
    render(<LinkAutocomplete textareaRef={textareaRef} onInsert={onInsertMock} />);
    const textarea = textareaRef.current;
@@ -670,12 +624,8 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
-      expect(screen.getByText(/Start typing to search/)).toBeInTheDocument();
+      expect(screen.getByText("↑↓ Navigate • Enter Select • Esc Cancel")).toBeInTheDocument();
    });
    // Type closing brackets
@@ -686,16 +636,11 @@ describe("LinkAutocomplete", (): void => {
    });
    await waitFor(() => {
-      expect(screen.queryByText(/Start typing to search/)).not.toBeInTheDocument();
+      expect(screen.queryByText("↑↓ Navigate • Enter Select • Esc Cancel")).not.toBeInTheDocument();
    });
  });
-    vi.useRealTimers();
+  it("should show 'No entries found' when search returns no results", async (): Promise<void> => {
  });
  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
  it.skip("should show 'No entries found' when search returns no results", async (): Promise<void> => {
    vi.useFakeTimers();
    mockApiRequest.mockResolvedValue({
      data: [],
      meta: { total: 0, page: 1, limit: 10, totalPages: 0 },
@@ -713,32 +658,24 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("No entries found")).toBeInTheDocument();
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should show loading state while searching", async (): Promise<void> => {
  it.skip("should show loading state while searching", async (): Promise<void> => {
    vi.useFakeTimers();
    // Mock a slow API response
-    let resolveSearch: (value: unknown) => void;
+    let resolveSearch: (value: {
    const searchPromise = new Promise((resolve) => {
      resolveSearch = resolve;
    });
    mockApiRequest.mockReturnValue(
      searchPromise as Promise<{
      data: unknown[];
      meta: { total: number; page: number; limit: number; totalPages: number };
-      }>
+    }) => void = () => undefined;
-    );
+    const searchPromise = new Promise<{
      data: unknown[];
      meta: { total: number; page: number; limit: number; totalPages: number };
    }>((resolve) => {
      resolveSearch = resolve;
    });
    mockApiRequest.mockReturnValue(searchPromise);
    render(<LinkAutocomplete textareaRef={textareaRef} onInsert={onInsertMock} />);
@@ -752,16 +689,12 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("Searching...")).toBeInTheDocument();
    });
    // Resolve the search
-    resolveSearch!({
+    resolveSearch({
      data: [],
      meta: { total: 0, page: 1, limit: 10, totalPages: 0 },
    });
@@ -769,14 +702,9 @@ describe("LinkAutocomplete", (): void => {
    await waitFor(() => {
      expect(screen.queryByText("Searching...")).not.toBeInTheDocument();
    });
    vi.useRealTimers();
  });
-  // TODO: Fix async/timer interaction - component works but test has timing issues with fake timers
+  it("should display summary preview for entries", async (): Promise<void> => {
  it.skip("should display summary preview for entries", async (): Promise<void> => {
    vi.useFakeTimers();
    const mockResults = {
      data: [
        {
@@ -813,14 +741,8 @@ describe("LinkAutocomplete", (): void => {
      fireEvent.input(textarea);
    });
    await act(async () => {
      await vi.runAllTimersAsync();
    });
    await waitFor(() => {
      expect(screen.getByText("This is a helpful summary")).toBeInTheDocument();
    });
    vi.useRealTimers();
  });
 });
--- a/apps/web/src/components/widgets/AgentStatusWidget.tsx
+++ b/apps/web/src/components/widgets/AgentStatusWidget.tsx
@@ -2,10 +2,9 @@
 * Agent Status Widget - shows running agents
 */
-import { useState, useEffect } from "react";
+import { useState, useEffect, useCallback } from "react";
 import { Bot, Activity, AlertCircle, CheckCircle, Clock } from "lucide-react";
 import type { WidgetProps } from "@mosaic/shared";
 import { ORCHESTRATOR_URL } from "@/lib/config";
 interface Agent {
  agentId: string;
@@ -22,14 +21,12 @@ export function AgentStatusWidget({ id: _id, config: _config }: WidgetProps): Re
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
-  // Fetch agents from orchestrator API
+  const fetchAgents = useCallback(async (): Promise<void> => {
  useEffect(() => {
    const fetchAgents = async (): Promise<void> => {
    setIsLoading(true);
    setError(null);
    try {
-        const response = await fetch(`${ORCHESTRATOR_URL}/agents`, {
+      const response = await fetch("/api/orchestrator/agents", {
        headers: {
          "Content-Type": "application/json",
        },
@@ -49,19 +46,32 @@ export function AgentStatusWidget({ id: _id, config: _config }: WidgetProps): Re
    } finally {
      setIsLoading(false);
    }
-    };
+  }, []);
-
+  // Fetch agents from orchestrator API
  useEffect(() => {
    void fetchAgents();
    // Refresh every 30 seconds
    const interval = setInterval(() => {
      void fetchAgents();
-    }, 30000);
+    }, 20000);
    const eventSource =
      typeof EventSource !== "undefined" ? new EventSource("/api/orchestrator/events") : null;
    if (eventSource) {
      eventSource.onmessage = (): void => {
        void fetchAgents();
      };
      eventSource.onerror = (): void => {
        // polling remains fallback
      };
    }
    return (): void => {
      clearInterval(interval);
      eventSource?.close();
    };
-  }, []);
+  }, [fetchAgents]);
  const getStatusIcon = (status: string): React.JSX.Element => {
    const statusLower = status.toLowerCase();
--- a/apps/web/src/components/widgets/OrchestratorEventsWidget.tsx
+++ b/apps/web/src/components/widgets/OrchestratorEventsWidget.tsx
@@ -0,0 +1,190 @@
 import { useCallback, useEffect, useMemo, useState } from "react";
 import { Activity, DatabaseZap, Loader2, Wifi, WifiOff } from "lucide-react";
 import type { WidgetProps } from "@mosaic/shared";
 interface OrchestratorEvent {
  type: string;
  timestamp: string;
  agentId?: string;
  taskId?: string;
  data?: Record<string, unknown>;
 }
 interface RecentEventsResponse {
  events: OrchestratorEvent[];
 }
 function isMatrixSignal(event: OrchestratorEvent): boolean {
  const text = JSON.stringify(event).toLowerCase();
  return (
    text.includes("matrix") ||
    text.includes("room") ||
    text.includes("channel") ||
    text.includes("thread")
  );
 }
 export function OrchestratorEventsWidget({
  id: _id,
  config: _config,
 }: WidgetProps): React.JSX.Element {
  const [events, setEvents] = useState<OrchestratorEvent[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [streamConnected, setStreamConnected] = useState(false);
  const [backendReady, setBackendReady] = useState<boolean | null>(null);
  const loadRecentEvents = useCallback(async (): Promise<void> => {
    try {
      const response = await fetch("/api/orchestrator/events/recent?limit=25");
      if (!response.ok) {
        throw new Error(`Unable to load events: HTTP ${String(response.status)}`);
      }
      const payload = (await response.json()) as unknown;
      const events =
        payload &&
        typeof payload === "object" &&
        "events" in payload &&
        Array.isArray(payload.events)
          ? (payload.events as RecentEventsResponse["events"])
          : [];
      setEvents(events);
      setError(null);
    } catch (err) {
      setError(err instanceof Error ? err.message : "Unable to load events.");
    } finally {
      setIsLoading(false);
    }
  }, []);
  const loadHealth = useCallback(async (): Promise<void> => {
    try {
      const response = await fetch("/api/orchestrator/health");
      setBackendReady(response.ok);
    } catch {
      setBackendReady(false);
    }
  }, []);
  useEffect(() => {
    void loadRecentEvents();
    void loadHealth();
    const eventSource =
      typeof EventSource !== "undefined" ? new EventSource("/api/orchestrator/events") : null;
    if (eventSource) {
      eventSource.onopen = (): void => {
        setStreamConnected(true);
      };
      eventSource.onmessage = (): void => {
        void loadRecentEvents();
        void loadHealth();
      };
      eventSource.onerror = (): void => {
        setStreamConnected(false);
      };
    }
    const interval = setInterval(() => {
      void loadRecentEvents();
      void loadHealth();
    }, 15000);
    return (): void => {
      clearInterval(interval);
      eventSource?.close();
    };
  }, [loadHealth, loadRecentEvents]);
  const matrixSignals = useMemo(
    () => events.filter((event) => isMatrixSignal(event)).length,
    [events]
  );
  if (isLoading) {
    return (
      <div className="flex items-center justify-center h-full">
        <Loader2 className="w-5 h-5 text-gray-400 animate-spin" />
        <span className="ml-2 text-gray-500 text-sm">Loading orchestrator events...</span>
      </div>
    );
  }
  if (error) {
    return (
      <div className="flex flex-col items-center justify-center h-full text-center">
        <WifiOff className="w-5 h-5 text-amber-500 mb-2" />
        <span className="text-sm text-amber-600">{error}</span>
      </div>
    );
  }
  return (
    <div className="flex flex-col h-full space-y-3">
      <div className="flex items-center justify-between text-xs">
        <div className="flex items-center gap-2 text-gray-600 dark:text-gray-300">
          {streamConnected ? (
            <Wifi className="w-3 h-3 text-green-500" />
          ) : (
            <WifiOff className="w-3 h-3 text-gray-400" />
          )}
          <span>{streamConnected ? "Live stream connected" : "Polling mode"}</span>
          <span
            className={`rounded px-1.5 py-0.5 ${
              backendReady === true
                ? "bg-green-100 text-green-700 dark:bg-green-950 dark:text-green-300"
                : backendReady === false
                  ? "bg-amber-100 text-amber-700 dark:bg-amber-950 dark:text-amber-300"
                  : "bg-gray-100 text-gray-600 dark:bg-gray-800 dark:text-gray-300"
            }`}
          >
            {backendReady === true ? "ready" : backendReady === false ? "degraded" : "unknown"}
          </span>
        </div>
        <div className="flex items-center gap-1 rounded bg-blue-50 dark:bg-blue-950 px-2 py-1 text-blue-700 dark:text-blue-300">
          <DatabaseZap className="w-3 h-3" />
          <span>Matrix signals: {matrixSignals}</span>
        </div>
      </div>
      <div className="flex-1 overflow-auto space-y-2">
        {events.length === 0 ? (
          <div className="text-center text-sm text-gray-500 py-4">
            No recent orchestration events.
          </div>
        ) : (
          events
            .slice()
            .reverse()
            .map((event, index) => (
              <div
                key={`${event.timestamp}-${event.type}-${String(index)}`}
                className="rounded border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-900 px-2 py-2"
              >
                <div className="flex items-center justify-between gap-2">
                  <div className="flex items-center gap-2 min-w-0">
                    <Activity className="w-3 h-3 text-blue-500 shrink-0" />
                    <span className="text-xs font-medium text-gray-900 dark:text-gray-100 truncate">
                      {event.type}
                    </span>
                    {isMatrixSignal(event) && (
                      <span className="text-[10px] rounded bg-indigo-100 dark:bg-indigo-950 text-indigo-700 dark:text-indigo-300 px-1.5 py-0.5">
                        matrix
                      </span>
                    )}
                  </div>
                  <span className="text-[10px] text-gray-500">
                    {new Date(event.timestamp).toLocaleTimeString()}
                  </span>
                </div>
                <div className="mt-1 text-[11px] text-gray-600 dark:text-gray-300">
                  {event.taskId ? `Task ${event.taskId}` : "Task n/a"}
                  {event.agentId ? ` · Agent ${event.agentId.slice(0, 8)}` : ""}
                </div>
              </div>
            ))
        )}
      </div>
    </div>
  );
 }
--- a/apps/web/src/components/widgets/TaskProgressWidget.tsx
+++ b/apps/web/src/components/widgets/TaskProgressWidget.tsx
@@ -5,10 +5,9 @@
 * including status, elapsed time, and work item details.
 */
-import { useState, useEffect } from "react";
+import { useState, useEffect, useCallback } from "react";
-import { Activity, CheckCircle, XCircle, Clock, Loader2 } from "lucide-react";
+import { Activity, CheckCircle, XCircle, Clock, Loader2, Pause, Play } from "lucide-react";
 import type { WidgetProps } from "@mosaic/shared";
 import { ORCHESTRATOR_URL } from "@/lib/config";
 interface AgentTask {
  agentId: string;
@@ -20,6 +19,21 @@ interface AgentTask {
  error?: string;
 }
 interface QueueStats {
  pending: number;
  active: number;
  completed: number;
  failed: number;
  delayed: number;
 }
 interface RecentOrchestratorEvent {
  type: string;
  timestamp: string;
  taskId?: string;
  agentId?: string;
 }
 function getElapsedTime(spawnedAt: string, completedAt?: string): string {
  const start = new Date(spawnedAt).getTime();
  const end = completedAt ? new Date(completedAt).getTime() : Date.now();
@@ -95,34 +109,108 @@ function getAgentTypeLabel(agentType: string): string {
 export function TaskProgressWidget({ id: _id, config: _config }: WidgetProps): React.JSX.Element {
  const [tasks, setTasks] = useState<AgentTask[]>([]);
  const [queueStats, setQueueStats] = useState<QueueStats | null>(null);
  const [recentEvents, setRecentEvents] = useState<RecentOrchestratorEvent[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);
  const [isQueuePaused, setIsQueuePaused] = useState(false);
  const [isActionPending, setIsActionPending] = useState(false);
-  useEffect(() => {
+  const fetchTasks = useCallback(async (): Promise<void> => {
-    const fetchTasks = (): void => {
+    try {
-      fetch(`${ORCHESTRATOR_URL}/agents`)
+      const res = await fetch("/api/orchestrator/agents");
        .then((res) => {
      if (!res.ok) throw new Error(`HTTP ${String(res.status)}`);
-          return res.json() as Promise<AgentTask[]>;
+      const data = (await res.json()) as AgentTask[];
        })
        .then((data) => {
      setTasks(data);
      setError(null);
      setIsLoading(false);
-        })
+    } catch {
        .catch(() => {
      setError("Unable to reach orchestrator");
      setIsLoading(false);
-        });
+    }
-    };
+  }, []);
-    fetchTasks();
+  const fetchQueueStats = useCallback(async (): Promise<void> => {
-    const interval = setInterval(fetchTasks, 15000);
+    try {
      const res = await fetch("/api/orchestrator/queue/stats");
      if (!res.ok) throw new Error(`HTTP ${String(res.status)}`);
      const data = (await res.json()) as QueueStats;
      setQueueStats(data);
      // Heuristic: active=0 with pending>0 for sustained windows usually means paused.
      setIsQueuePaused(data.active === 0 && data.pending > 0);
    } catch {
      // Keep widget functional even if queue controls are temporarily unavailable.
    }
  }, []);
  const fetchRecentEvents = useCallback(async (): Promise<void> => {
    try {
      const res = await fetch("/api/orchestrator/events/recent?limit=5");
      if (!res.ok) throw new Error(`HTTP ${String(res.status)}`);
      const payload = (await res.json()) as unknown;
      const events =
        payload &&
        typeof payload === "object" &&
        "events" in payload &&
        Array.isArray(payload.events)
          ? (payload.events as RecentOrchestratorEvent[])
          : [];
      setRecentEvents(events);
    } catch {
      // Optional enhancement path; do not fail widget if recent-events endpoint is unavailable.
    }
  }, []);
  const setQueueState = useCallback(
    async (action: "pause" | "resume"): Promise<void> => {
      setIsActionPending(true);
      try {
        const res = await fetch(`/api/orchestrator/queue/${action}`, {
          method: "POST",
        });
        if (!res.ok) throw new Error(`HTTP ${String(res.status)}`);
        setIsQueuePaused(action === "pause");
        await fetchQueueStats();
      } catch {
        setError("Unable to control queue state");
      } finally {
        setIsActionPending(false);
      }
    },
    [fetchQueueStats]
  );
  useEffect(() => {
    void fetchTasks();
    void fetchQueueStats();
    void fetchRecentEvents();
    const interval = setInterval(() => {
      void fetchTasks();
      void fetchQueueStats();
      void fetchRecentEvents();
    }, 15000);
    const eventSource =
      typeof EventSource !== "undefined" ? new EventSource("/api/orchestrator/events") : null;
    if (eventSource) {
      eventSource.onmessage = (): void => {
        void fetchTasks();
        void fetchQueueStats();
        void fetchRecentEvents();
      };
      eventSource.onerror = (): void => {
        // Polling remains the resilience path.
      };
    }
    return (): void => {
      clearInterval(interval);
      eventSource?.close();
    };
-  }, []);
+  }, [fetchTasks, fetchQueueStats, fetchRecentEvents]);
  const latestEvent = recentEvents.length > 0 ? recentEvents[recentEvents.length - 1] : null;
  const stats = {
    total: tasks.length,
@@ -152,6 +240,30 @@ export function TaskProgressWidget({ id: _id, config: _config }: WidgetProps): R
  return (
    <div className="flex flex-col h-full space-y-3">
      <div className="flex items-center justify-between">
        <div className="text-xs text-gray-500 dark:text-gray-400">
          Queue: {isQueuePaused ? "Paused" : "Running"}
        </div>
        <button
          type="button"
          onClick={(): void => {
            void setQueueState(isQueuePaused ? "resume" : "pause");
          }}
          disabled={isActionPending}
          className="inline-flex items-center gap-1 rounded border border-gray-300 dark:border-gray-700 px-2 py-1 text-xs hover:bg-gray-100 dark:hover:bg-gray-800 disabled:opacity-50"
        >
          {isQueuePaused ? <Play className="w-3 h-3" /> : <Pause className="w-3 h-3" />}
          {isQueuePaused ? "Resume" : "Pause"}
        </button>
      </div>
      {latestEvent && (
        <div className="rounded bg-gray-50 dark:bg-gray-800 px-2 py-1 text-xs text-gray-600 dark:text-gray-300">
          Latest: {latestEvent.type}
          {latestEvent.taskId ? ` · ${latestEvent.taskId}` : ""}
        </div>
      )}
      {/* Summary stats */}
      <div className="grid grid-cols-4 gap-1 text-center text-xs">
        <div className="bg-gray-50 dark:bg-gray-800 rounded p-2">
@@ -174,6 +286,29 @@ export function TaskProgressWidget({ id: _id, config: _config }: WidgetProps): R
        </div>
      </div>
      {queueStats && (
        <div className="grid grid-cols-3 gap-1 text-center text-xs">
          <div className="bg-gray-50 dark:bg-gray-800 rounded p-1">
            <div className="font-semibold text-gray-700 dark:text-gray-200">
              {queueStats.pending}
            </div>
            <div className="text-gray-500">Queued</div>
          </div>
          <div className="bg-gray-50 dark:bg-gray-800 rounded p-1">
            <div className="font-semibold text-gray-700 dark:text-gray-200">
              {queueStats.active}
            </div>
            <div className="text-gray-500">Workers</div>
          </div>
          <div className="bg-gray-50 dark:bg-gray-800 rounded p-1">
            <div className="font-semibold text-gray-700 dark:text-gray-200">
              {queueStats.failed}
            </div>
            <div className="text-gray-500">Failed</div>
          </div>
        </div>
      )}
      {/* Task list */}
      <div className="flex-1 overflow-auto space-y-2">
        {tasks.length === 0 ? (
--- a/apps/web/src/components/widgets/WidgetRegistry.tsx
+++ b/apps/web/src/components/widgets/WidgetRegistry.tsx
@@ -10,6 +10,7 @@ import { QuickCaptureWidget } from "./QuickCaptureWidget";
 import { AgentStatusWidget } from "./AgentStatusWidget";
 import { ActiveProjectsWidget } from "./ActiveProjectsWidget";
 import { TaskProgressWidget } from "./TaskProgressWidget";
 import { OrchestratorEventsWidget } from "./OrchestratorEventsWidget";
 export interface WidgetDefinition {
  name: string;
@@ -95,6 +96,17 @@ export const widgetRegistry: Record<string, WidgetDefinition> = {
    minHeight: 2,
    maxWidth: 3,
  },
  OrchestratorEventsWidget: {
    name: "OrchestratorEventsWidget",
    displayName: "Orchestrator Events",
    description: "Recent orchestration events with stream/Matrix visibility",
    component: OrchestratorEventsWidget,
    defaultWidth: 2,
    defaultHeight: 2,
    minWidth: 1,
    minHeight: 2,
    maxWidth: 4,
  },
 };
 /**
--- a/apps/web/src/components/widgets/tests/CalendarWidget.test.tsx
+++ b/apps/web/src/components/widgets/tests/CalendarWidget.test.tsx
@@ -1,126 +1,55 @@
-/**
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
- * CalendarWidget Component Tests
+import { act, render, screen } from "@testing-library/react";
 * Following TDD principles
 */
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import { CalendarWidget } from "../CalendarWidget";
-global.fetch = vi.fn() as typeof global.fetch;
+async function finishWidgetLoad(): Promise<void> {
  await act(async () => {
    await vi.advanceTimersByTimeAsync(500);
  });
 }
 describe("CalendarWidget", (): void => {
  beforeEach((): void => {
-    vi.clearAllMocks();
+    vi.useFakeTimers();
    vi.setSystemTime(new Date("2026-02-01T08:00:00Z"));
  });
-  it("should render loading state initially", (): void => {
+  afterEach((): void => {
-    vi.mocked(global.fetch).mockImplementation(
+    vi.useRealTimers();
      () =>
        new Promise(() => {
          // Intentionally never resolves to keep loading state
        })
    );
    render(<CalendarWidget id="calendar-1" />);
    expect(screen.getByText(/loading/i)).toBeInTheDocument();
  });
-  // TODO: Re-enable when CalendarWidget uses fetch API instead of setTimeout mock data
+  it("renders loading state initially", (): void => {
  it.skip("should render upcoming events", async (): Promise<void> => {
    const mockEvents = [
      {
        id: "1",
        title: "Team Meeting",
        startTime: new Date(Date.now() + 3600000).toISOString(),
        endTime: new Date(Date.now() + 7200000).toISOString(),
      },
      {
        id: "2",
        title: "Project Review",
        startTime: new Date(Date.now() + 86400000).toISOString(),
        endTime: new Date(Date.now() + 90000000).toISOString(),
      },
    ];
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockEvents),
    } as unknown as Response);
    render(<CalendarWidget id="calendar-1" />);
-    await waitFor(() => {
+    expect(screen.getByText("Loading events...")).toBeInTheDocument();
-      expect(screen.getByText("Team Meeting")).toBeInTheDocument();
+  });
  it("renders upcoming events after loading", async (): Promise<void> => {
    render(<CalendarWidget id="calendar-1" />);
    await finishWidgetLoad();
    expect(screen.getByText("Upcoming Events")).toBeInTheDocument();
    expect(screen.getByText("Team Standup")).toBeInTheDocument();
    expect(screen.getByText("Project Review")).toBeInTheDocument();
-    });
+    expect(screen.getByText("Sprint Planning")).toBeInTheDocument();
  });
-  // TODO: Re-enable when CalendarWidget uses fetch API instead of setTimeout mock data
+  it("shows relative day labels", async (): Promise<void> => {
  it.skip("should handle empty event list", async (): Promise<void> => {
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve([]),
    } as unknown as Response);
    render(<CalendarWidget id="calendar-1" />);
-    await waitFor(() => {
+    await finishWidgetLoad();
-      expect(screen.getByText(/no upcoming events/i)).toBeInTheDocument();
+
-    });
+    expect(screen.getAllByText("Today").length).toBeGreaterThan(0);
    expect(screen.getByText("Tomorrow")).toBeInTheDocument();
  });
-  // TODO: Re-enable when CalendarWidget uses fetch API instead of setTimeout mock data
+  it("shows event locations when present", async (): Promise<void> => {
  it.skip("should handle API errors gracefully", async (): Promise<void> => {
    vi.mocked(global.fetch).mockRejectedValueOnce(new Error("API Error"));
    render(<CalendarWidget id="calendar-1" />);
-    await waitFor(() => {
+    await finishWidgetLoad();
-      expect(screen.getByText(/error/i)).toBeInTheDocument();
+
-    });
+    expect(screen.getByText("Zoom")).toBeInTheDocument();
-  });
+    expect(screen.getByText("Conference Room A")).toBeInTheDocument();
  // TODO: Re-enable when CalendarWidget uses fetch API instead of setTimeout mock data
  it.skip("should format event times correctly", async (): Promise<void> => {
    const now = new Date();
    const startTime = new Date(now.getTime() + 3600000); // 1 hour from now
    const mockEvents = [
      {
        id: "1",
        title: "Meeting",
        startTime: startTime.toISOString(),
        endTime: new Date(startTime.getTime() + 3600000).toISOString(),
      },
    ];
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockEvents),
    } as unknown as Response);
    render(<CalendarWidget id="calendar-1" />);
    await waitFor(() => {
      expect(screen.getByText("Meeting")).toBeInTheDocument();
      // Should show time in readable format
    });
  });
  // TODO: Re-enable when CalendarWidget uses fetch API and adds calendar-header test id
  it.skip("should display current date", async (): Promise<void> => {
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve([]),
    } as unknown as Response);
    render(<CalendarWidget id="calendar-1" />);
    await waitFor(() => {
      // Widget should display current date or month
      expect(screen.getByTestId("calendar-header")).toBeInTheDocument();
    });
  });
 });
--- a/apps/web/src/components/widgets/tests/OrchestratorEventsWidget.test.tsx
+++ b/apps/web/src/components/widgets/tests/OrchestratorEventsWidget.test.tsx
@@ -0,0 +1,82 @@
 import { render, screen, waitFor } from "@testing-library/react";
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 import { OrchestratorEventsWidget } from "../OrchestratorEventsWidget";
 describe("OrchestratorEventsWidget", () => {
  const mockFetch = vi.fn();
  beforeEach(() => {
    global.fetch = mockFetch as unknown as typeof fetch;
  });
  afterEach(() => {
    vi.clearAllMocks();
  });
  it("renders loading state initially", () => {
    mockFetch.mockImplementation(
      // eslint-disable-next-line @typescript-eslint/no-empty-function
      () => new Promise(() => {})
    );
    render(<OrchestratorEventsWidget id="orchestrator-events-1" config={{}} />);
    expect(screen.getByText("Loading orchestrator events...")).toBeInTheDocument();
  });
  it("renders events and matrix signal count", async () => {
    mockFetch.mockImplementation((input: RequestInfo | URL) => {
      const url =
        typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
      if (url.includes("/api/orchestrator/health")) {
        return Promise.resolve({
          ok: true,
          json: () => Promise.resolve({ status: "ok" }),
        } as unknown as Response);
      }
      return Promise.resolve({
        ok: true,
        json: () =>
          Promise.resolve({
            events: [
              {
                type: "task.completed",
                timestamp: "2026-02-17T16:40:00.000Z",
                taskId: "TASK-1",
                data: { channelId: "room-123" },
              },
              {
                type: "agent.running",
                timestamp: "2026-02-17T16:41:00.000Z",
                taskId: "TASK-2",
                agentId: "agent-abc12345",
              },
            ],
          }),
      } as unknown as Response);
    });
    render(<OrchestratorEventsWidget id="orchestrator-events-1" config={{}} />);
    await waitFor(() => {
      expect(screen.getByText("task.completed")).toBeInTheDocument();
      expect(screen.getByText("agent.running")).toBeInTheDocument();
      expect(screen.getByText(/Matrix signals: 1/)).toBeInTheDocument();
      expect(screen.getByText("ready")).toBeInTheDocument();
    });
  });
  it("renders error state when API fails", async () => {
    mockFetch.mockResolvedValue({
      ok: false,
      status: 503,
    });
    render(<OrchestratorEventsWidget id="orchestrator-events-1" config={{}} />);
    await waitFor(() => {
      expect(screen.getByText(/Unable to load events: HTTP 503/)).toBeInTheDocument();
    });
  });
 });
--- a/apps/web/src/components/widgets/tests/TaskProgressWidget.test.tsx
+++ b/apps/web/src/components/widgets/tests/TaskProgressWidget.test.tsx
@@ -242,4 +242,58 @@ describe("TaskProgressWidget", (): void => {
      expect(taskElements[1]?.textContent).toBe("COMPLETED-TASK");
    });
  });
  it("should display latest orchestrator event when available", async (): Promise<void> => {
    mockFetch.mockImplementation((input: RequestInfo | URL) => {
      let url = "";
      if (typeof input === "string") {
        url = input;
      } else if (input instanceof URL) {
        url = input.toString();
      } else {
        url = input.url;
      }
      if (url.includes("/api/orchestrator/agents")) {
        return Promise.resolve({
          ok: true,
          json: () => Promise.resolve([]),
        } as unknown as Response);
      }
      if (url.includes("/api/orchestrator/queue/stats")) {
        return Promise.resolve({
          ok: true,
          json: () =>
            Promise.resolve({
              pending: 0,
              active: 0,
              completed: 0,
              failed: 0,
              delayed: 0,
            }),
        } as unknown as Response);
      }
      if (url.includes("/api/orchestrator/events/recent")) {
        return Promise.resolve({
          ok: true,
          json: () =>
            Promise.resolve({
              events: [
                {
                  type: "task.executing",
                  timestamp: new Date().toISOString(),
                  taskId: "TASK-123",
                },
              ],
            }),
        } as unknown as Response);
      }
      return Promise.reject(new Error("Unknown endpoint"));
    });
    render(<TaskProgressWidget id="task-progress-1" />);
    await waitFor(() => {
      expect(screen.getByText(/Latest: task.executing · TASK-123/i)).toBeInTheDocument();
    });
  });
 });
--- a/apps/web/src/components/widgets/tests/TasksWidget.test.tsx
+++ b/apps/web/src/components/widgets/tests/TasksWidget.test.tsx
@@ -1,138 +1,54 @@
-/**
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
- * TasksWidget Component Tests
+import { act, render, screen } from "@testing-library/react";
 * Following TDD principles
 */
 import { describe, it, expect, vi, beforeEach } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import { TasksWidget } from "../TasksWidget";
-// Mock fetch for API calls
+async function finishWidgetLoad(): Promise<void> {
-global.fetch = vi.fn() as typeof global.fetch;
+  await act(async () => {
    await vi.advanceTimersByTimeAsync(500);
  });
 }
 describe("TasksWidget", (): void => {
  beforeEach((): void => {
-    vi.clearAllMocks();
+    vi.useFakeTimers();
  });
-  it("should render loading state initially", (): void => {
+  afterEach((): void => {
-    vi.mocked(global.fetch).mockImplementation(
+    vi.useRealTimers();
-      () =>
+  });
        new Promise(() => {
          // Intentionally empty - creates a never-resolving promise for loading state
        })
    );
  it("renders loading state initially", (): void => {
    render(<TasksWidget id="tasks-1" />);
-    expect(screen.getByText(/loading/i)).toBeInTheDocument();
+    expect(screen.getByText("Loading tasks...")).toBeInTheDocument();
  });
-  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
+  it("renders default summary stats", async (): Promise<void> => {
  it.skip("should render task statistics", async (): Promise<void> => {
    const mockTasks = [
      { id: "1", title: "Task 1", status: "IN_PROGRESS", priority: "HIGH" },
      { id: "2", title: "Task 2", status: "COMPLETED", priority: "MEDIUM" },
      { id: "3", title: "Task 3", status: "NOT_STARTED", priority: "LOW" },
    ];
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockTasks),
    } as unknown as Response);
    render(<TasksWidget id="tasks-1" />);
-    await waitFor(() => {
+    await finishWidgetLoad();
-      expect(screen.getByText("3")).toBeInTheDocument(); // Total
+
-      expect(screen.getByText("1")).toBeInTheDocument(); // In Progress
+    expect(screen.getByText("Total")).toBeInTheDocument();
-      expect(screen.getByText("1")).toBeInTheDocument(); // Completed
+    expect(screen.getByText("In Progress")).toBeInTheDocument();
-    });
+    expect(screen.getByText("Done")).toBeInTheDocument();
    expect(screen.getByText("3")).toBeInTheDocument();
  });
-  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
+  it("renders default task rows", async (): Promise<void> => {
  it.skip("should render task list", async (): Promise<void> => {
    const mockTasks = [
      { id: "1", title: "Complete documentation", status: "IN_PROGRESS", priority: "HIGH" },
      { id: "2", title: "Review PRs", status: "NOT_STARTED", priority: "MEDIUM" },
    ];
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockTasks),
    } as unknown as Response);
    render(<TasksWidget id="tasks-1" />);
-    await waitFor(() => {
+    await finishWidgetLoad();
-      expect(screen.getByText("Complete documentation")).toBeInTheDocument();
+
-      expect(screen.getByText("Review PRs")).toBeInTheDocument();
+    expect(screen.getByText("Complete project documentation")).toBeInTheDocument();
-    });
+    expect(screen.getByText("Review pull requests")).toBeInTheDocument();
    expect(screen.getByText("Update dependencies")).toBeInTheDocument();
  });
-  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
+  it("shows due date labels for each task", async (): Promise<void> => {
  it.skip("should handle empty task list", async (): Promise<void> => {
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve([]),
    } as unknown as Response);
    render(<TasksWidget id="tasks-1" />);
-    await waitFor(() => {
+    await finishWidgetLoad();
-      expect(screen.getByText(/no tasks/i)).toBeInTheDocument();
+
-    });
+    expect(screen.getAllByText(/Due:/).length).toBe(3);
  });
  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
  it.skip("should handle API errors gracefully", async (): Promise<void> => {
    vi.mocked(global.fetch).mockRejectedValueOnce(new Error("API Error"));
    render(<TasksWidget id="tasks-1" />);
    await waitFor(() => {
      expect(screen.getByText(/error/i)).toBeInTheDocument();
    });
  });
  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
  it.skip("should display priority indicators", async (): Promise<void> => {
    const mockTasks = [
      { id: "1", title: "High priority task", status: "IN_PROGRESS", priority: "HIGH" },
    ];
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockTasks),
    } as unknown as Response);
    render(<TasksWidget id="tasks-1" />);
    await waitFor(() => {
      expect(screen.getByText("High priority task")).toBeInTheDocument();
      // Priority icon should be rendered (high priority = red)
    });
  });
  // TODO: Re-enable when TasksWidget uses fetch API instead of setTimeout mock data
  it.skip("should limit displayed tasks to 5", async (): Promise<void> => {
    const mockTasks = Array.from({ length: 10 }, (_, i) => ({
      id: String(i + 1),
      title: `Task ${String(i + 1)}`,
      status: "NOT_STARTED",
      priority: "MEDIUM",
    }));
    vi.mocked(global.fetch).mockResolvedValueOnce({
      ok: true,
      json: () => Promise.resolve(mockTasks),
    } as unknown as Response);
    render(<TasksWidget id="tasks-1" />);
    await waitFor(() => {
      const taskElements = screen.getAllByText(/Task \d+/);
      expect(taskElements.length).toBeLessThanOrEqual(5);
    });
  });
 });
--- a/apps/web/src/components/widgets/tests/WidgetRegistry.test.tsx
+++ b/apps/web/src/components/widgets/tests/WidgetRegistry.test.tsx
@@ -10,6 +10,7 @@ import { widgetRegistry } from "../WidgetRegistry";
 import { TasksWidget } from "../TasksWidget";
 import { CalendarWidget } from "../CalendarWidget";
 import { QuickCaptureWidget } from "../QuickCaptureWidget";
 import { OrchestratorEventsWidget } from "../OrchestratorEventsWidget";
 describe("WidgetRegistry", (): void => {
  it("should have a registry of widgets", (): void => {
@@ -32,6 +33,11 @@ describe("WidgetRegistry", (): void => {
    expect(widgetRegistry.QuickCaptureWidget!.component).toBe(QuickCaptureWidget);
  });
  it("should include OrchestratorEventsWidget in registry", (): void => {
    expect(widgetRegistry.OrchestratorEventsWidget).toBeDefined();
    expect(widgetRegistry.OrchestratorEventsWidget!.component).toBe(OrchestratorEventsWidget);
  });
  it("should have correct metadata for TasksWidget", (): void => {
    const tasksWidget = widgetRegistry.TasksWidget!;
    expect(tasksWidget.name).toBe("TasksWidget");
--- a/apps/web/src/components/widgets/index.ts
+++ b/apps/web/src/components/widgets/index.ts
@@ -6,3 +6,4 @@ export { TasksWidget } from "./TasksWidget";
 export { CalendarWidget } from "./CalendarWidget";
 export { QuickCaptureWidget } from "./QuickCaptureWidget";
 export { AgentStatusWidget } from "./AgentStatusWidget";
 export { OrchestratorEventsWidget } from "./OrchestratorEventsWidget";
--- a/apps/web/src/lib/api/client.mock-mode.test.ts
+++ b/apps/web/src/lib/api/client.mock-mode.test.ts
@@ -0,0 +1,55 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 const originalEnv = { ...process.env };
 const mockFetch = vi.fn();
 describe("API Client (mock auth mode)", (): void => {
  beforeEach((): void => {
    process.env = {
      ...originalEnv,
      NODE_ENV: "development",
      NEXT_PUBLIC_AUTH_MODE: "mock",
    };
    vi.resetModules();
    mockFetch.mockReset();
    global.fetch = mockFetch;
  });
  afterEach((): void => {
    process.env = originalEnv;
    vi.restoreAllMocks();
  });
  it("should return local mock data for active projects widget without network calls", async (): Promise<void> => {
    const { apiPost } = await import("./client");
    interface ProjectResponse {
      id: string;
      status: string;
    }
    const response = await apiPost<ProjectResponse[]>("/api/widgets/data/active-projects");
    expect(response.length).toBeGreaterThan(0);
    const firstProject = response[0];
    expect(firstProject).toBeDefined();
    if (firstProject) {
      expect(typeof firstProject.id).toBe("string");
      expect(typeof firstProject.status).toBe("string");
    }
    expect(mockFetch).not.toHaveBeenCalled();
  });
  it("should return local mock data for agent chains widget without network calls", async (): Promise<void> => {
    const { apiPost } = await import("./client");
    interface AgentChainResponse {
      id: string;
      status: string;
    }
    const response = await apiPost<AgentChainResponse[]>("/api/widgets/data/agent-chains");
    expect(response.length).toBeGreaterThan(0);
    expect(response.some((session) => session.status === "active")).toBe(true);
    expect(mockFetch).not.toHaveBeenCalled();
  });
 });
--- a/apps/web/src/lib/api/client.ts
+++ b/apps/web/src/lib/api/client.ts
@@ -5,7 +5,7 @@
 /* eslint-disable @typescript-eslint/no-unsafe-assignment */
-import { API_BASE_URL } from "../config";
+import { API_BASE_URL, IS_MOCK_AUTH_MODE } from "../config";
 /**
 * In-memory CSRF token storage
@@ -41,6 +41,74 @@ export interface ApiRequestOptions extends RequestInit {
  _isRetry?: boolean; // Internal flag to prevent infinite retry loops
 }
 const MOCK_ACTIVE_PROJECTS_RESPONSE = [
  {
    id: "project-dev-1",
    name: "Mosaic Stack FE Go-Live",
    status: "active",
    lastActivity: new Date().toISOString(),
    taskCount: 7,
    eventCount: 2,
    color: "#3B82F6",
  },
  {
    id: "project-dev-2",
    name: "Auth Flow Remediation",
    status: "in-progress",
    lastActivity: new Date(Date.now() - 12 * 60_000).toISOString(),
    taskCount: 4,
    eventCount: 0,
    color: "#F59E0B",
  },
 ] as const;
 const MOCK_AGENT_CHAINS_RESPONSE = [
  {
    id: "agent-session-dev-1",
    sessionKey: "dev-session-1",
    label: "UI Validator Agent",
    channel: "codex",
    agentName: "jarvis-agent",
    agentStatus: "WORKING",
    status: "active",
    startedAt: new Date(Date.now() - 42 * 60_000).toISOString(),
    lastMessageAt: new Date(Date.now() - 20_000).toISOString(),
    runtimeMs: 42 * 60_000,
    messageCount: 27,
    contextSummary: "Validating dashboard, tasks, and auth-bypass UX for local development flow.",
  },
  {
    id: "agent-session-dev-2",
    sessionKey: "dev-session-2",
    label: "Telemetry Stub Agent",
    channel: "codex",
    agentName: "jarvis-agent",
    agentStatus: "TERMINATED",
    status: "ended",
    startedAt: new Date(Date.now() - 3 * 60 * 60_000).toISOString(),
    lastMessageAt: new Date(Date.now() - 2 * 60 * 60_000).toISOString(),
    runtimeMs: 63 * 60_000,
    messageCount: 41,
    contextSummary: "Generated telemetry mock payloads for usage and widget rendering.",
  },
 ] as const;
 function getMockApiResponse(endpoint: string, method: string): unknown {
  if (!IS_MOCK_AUTH_MODE || process.env.NODE_ENV !== "development") {
    return undefined;
  }
  if (method === "POST" && endpoint === "/api/widgets/data/active-projects") {
    return [...MOCK_ACTIVE_PROJECTS_RESPONSE];
  }
  if (method === "POST" && endpoint === "/api/widgets/data/agent-chains") {
    return [...MOCK_AGENT_CHAINS_RESPONSE];
  }
  return undefined;
 }
 /**
 * Fetch CSRF token from the API
 * Token is stored in an httpOnly cookie and returned in response body
@@ -100,6 +168,12 @@ async function ensureCsrfToken(): Promise<string> {
 export async function apiRequest<T>(endpoint: string, options: ApiRequestOptions = {}): Promise<T> {
  const url = `${API_BASE_URL}${endpoint}`;
  const { workspaceId, timeoutMs, _isRetry, ...fetchOptions } = options;
  const method = (fetchOptions.method ?? "GET").toUpperCase();
  const mockResponse = getMockApiResponse(endpoint, method);
  if (mockResponse !== undefined) {
    return mockResponse as T;
  }
  // Set up abort controller for timeout
  const timeout = timeoutMs ?? DEFAULT_API_TIMEOUT_MS;
@@ -134,7 +208,6 @@ export async function apiRequest<T>(endpoint: string, options: ApiRequestOptions
    }
    // Add CSRF token for state-changing requests (POST, PUT, PATCH, DELETE)
    const method = (fetchOptions.method ?? "GET").toUpperCase();
    const isStateChanging = ["POST", "PUT", "PATCH", "DELETE"].includes(method);
    if (isStateChanging) {
--- a/apps/web/src/lib/auth/auth-context.tsx
+++ b/apps/web/src/lib/auth/auth-context.tsx
@@ -11,6 +11,7 @@ import {
 } from "react";
 import type { AuthUser, AuthSession } from "@mosaic/shared";
 import { apiGet, apiPost } from "../api/client";
 import { IS_MOCK_AUTH_MODE } from "../config";
 import { parseAuthError } from "./auth-errors";
 /**
@@ -23,6 +24,11 @@ const SESSION_EXPIRY_WARNING_MINUTES = 5;
 /** Interval in milliseconds to check session expiry */
 const SESSION_CHECK_INTERVAL_MS = 60_000;
 const MOCK_AUTH_USER: AuthUser = {
  id: "dev-user-local",
  email: "dev@localhost",
  name: "Local Dev User",
 };
 interface AuthContextValue {
  user: AuthUser | null;
@@ -70,6 +76,14 @@ function logAuthError(message: string, error: unknown): void {
 }
 export function AuthProvider({ children }: { children: ReactNode }): React.JSX.Element {
  if (IS_MOCK_AUTH_MODE) {
    return <MockAuthProvider>{children}</MockAuthProvider>;
  }
  return <RealAuthProvider>{children}</RealAuthProvider>;
 }
 function RealAuthProvider({ children }: { children: ReactNode }): React.JSX.Element {
  const [user, setUser] = useState<AuthUser | null>(null);
  const [isLoading, setIsLoading] = useState(true);
  const [authError, setAuthError] = useState<AuthErrorType>(null);
@@ -176,6 +190,33 @@ export function AuthProvider({ children }: { children: ReactNode }): React.JSX.E
  return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;
 }
 function MockAuthProvider({ children }: { children: ReactNode }): React.JSX.Element {
  const [user, setUser] = useState<AuthUser | null>(MOCK_AUTH_USER);
  const signOut = useCallback((): Promise<void> => {
    setUser(null);
    return Promise.resolve();
  }, []);
  const refreshSession = useCallback((): Promise<void> => {
    setUser(MOCK_AUTH_USER);
    return Promise.resolve();
  }, []);
  const value: AuthContextValue = {
    user,
    isLoading: false,
    isAuthenticated: user !== null,
    authError: null,
    sessionExpiring: false,
    sessionMinutesRemaining: 0,
    signOut,
    refreshSession,
  };
  return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;
 }
 export function useAuth(): AuthContextValue {
  const context = useContext(AuthContext);
  if (context === undefined) {
--- a/apps/web/src/lib/config.test.ts
+++ b/apps/web/src/lib/config.test.ts
@@ -22,11 +22,16 @@ describe("API Configuration", () => {
    it("should use default API URL when NEXT_PUBLIC_API_URL is not set", async () => {
      delete process.env.NEXT_PUBLIC_API_URL;
      delete process.env.NEXT_PUBLIC_ORCHESTRATOR_URL;
      delete process.env.NEXT_PUBLIC_AUTH_MODE;
      process.env = { ...process.env, NODE_ENV: "development" };
-      const { API_BASE_URL, ORCHESTRATOR_URL } = await import("./config");
+      const { API_BASE_URL, ORCHESTRATOR_URL, AUTH_MODE, IS_MOCK_AUTH_MODE } =
        await import("./config");
      expect(API_BASE_URL).toBe("http://localhost:3001");
      expect(ORCHESTRATOR_URL).toBe("http://localhost:3001");
      expect(AUTH_MODE).toBe("mock");
      expect(IS_MOCK_AUTH_MODE).toBe(true);
    });
  });
@@ -34,17 +39,22 @@ describe("API Configuration", () => {
    it("should use NEXT_PUBLIC_API_URL when set", async () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      delete process.env.NEXT_PUBLIC_ORCHESTRATOR_URL;
      delete process.env.NEXT_PUBLIC_AUTH_MODE;
      process.env = { ...process.env, NODE_ENV: "development" };
-      const { API_BASE_URL, ORCHESTRATOR_URL } = await import("./config");
+      const { API_BASE_URL, ORCHESTRATOR_URL, AUTH_MODE } = await import("./config");
      expect(API_BASE_URL).toBe("https://api.example.com");
      // ORCHESTRATOR_URL should fall back to API_BASE_URL
      expect(ORCHESTRATOR_URL).toBe("https://api.example.com");
      expect(AUTH_MODE).toBe("mock");
    });
    it("should use separate NEXT_PUBLIC_ORCHESTRATOR_URL when set", async () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      process.env.NEXT_PUBLIC_ORCHESTRATOR_URL = "https://orchestrator.example.com";
      process.env = { ...process.env, NODE_ENV: "development" };
      delete process.env.NEXT_PUBLIC_AUTH_MODE;
      const { API_BASE_URL, ORCHESTRATOR_URL } = await import("./config");
@@ -57,6 +67,8 @@ describe("API Configuration", () => {
    it("should build API URLs correctly", async () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      delete process.env.NEXT_PUBLIC_ORCHESTRATOR_URL;
      process.env = { ...process.env, NODE_ENV: "development" };
      delete process.env.NEXT_PUBLIC_AUTH_MODE;
      const { buildApiUrl } = await import("./config");
@@ -67,6 +79,8 @@ describe("API Configuration", () => {
    it("should build orchestrator URLs correctly", async () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      process.env.NEXT_PUBLIC_ORCHESTRATOR_URL = "https://orch.example.com";
      process.env = { ...process.env, NODE_ENV: "development" };
      delete process.env.NEXT_PUBLIC_AUTH_MODE;
      const { buildOrchestratorUrl } = await import("./config");
@@ -79,13 +93,44 @@ describe("API Configuration", () => {
    it("should expose all configuration through apiConfig", async () => {
      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      process.env.NEXT_PUBLIC_ORCHESTRATOR_URL = "https://orch.example.com";
      process.env = { ...process.env, NODE_ENV: "development" };
      process.env.NEXT_PUBLIC_AUTH_MODE = "real";
      const { apiConfig } = await import("./config");
      expect(apiConfig.baseUrl).toBe("https://api.example.com");
      expect(apiConfig.orchestratorUrl).toBe("https://orch.example.com");
      expect(apiConfig.authMode).toBe("real");
      expect(apiConfig.buildUrl("/test")).toBe("https://api.example.com/test");
      expect(apiConfig.buildOrchestratorUrl("/test")).toBe("https://orch.example.com/test");
    });
  });
  describe("auth mode", () => {
    it("should enable mock mode only in development", async () => {
      process.env = { ...process.env, NODE_ENV: "development" };
      process.env.NEXT_PUBLIC_AUTH_MODE = "mock";
      const { AUTH_MODE, IS_MOCK_AUTH_MODE } = await import("./config");
      expect(AUTH_MODE).toBe("mock");
      expect(IS_MOCK_AUTH_MODE).toBe(true);
    });
    it("should throw on invalid auth mode", async () => {
      process.env = { ...process.env, NODE_ENV: "development" };
      process.env.NEXT_PUBLIC_AUTH_MODE = "invalid";
      await expect(import("./config")).rejects.toThrow("Invalid NEXT_PUBLIC_AUTH_MODE");
    });
    it("should throw when mock mode is set outside development", async () => {
      process.env = { ...process.env, NODE_ENV: "production" };
      process.env.NEXT_PUBLIC_AUTH_MODE = "mock";
      await expect(import("./config")).rejects.toThrow(
        "NEXT_PUBLIC_AUTH_MODE=mock is only allowed when NODE_ENV=development."
      );
    });
  });
 });
--- a/apps/web/src/lib/config.ts
+++ b/apps/web/src/lib/config.ts
@@ -7,12 +7,19 @@
 * Environment Variables:
 * - NEXT_PUBLIC_API_URL: The main API server URL (default: http://localhost:3001)
 * - NEXT_PUBLIC_ORCHESTRATOR_URL: The orchestrator service URL (default: same as API URL)
 * - NEXT_PUBLIC_AUTH_MODE: Auth mode for web app (`real` or `mock`)
 *   - If unset: development defaults to `mock`, production defaults to `real`
 */
 /**
 * Default API server URL for local development
 */
 const DEFAULT_API_URL = "http://localhost:3001";
 const DEFAULT_AUTH_MODE = process.env.NODE_ENV === "development" ? "mock" : "real";
 const VALID_AUTH_MODES = ["real", "mock"] as const;
 export type AuthMode = (typeof VALID_AUTH_MODES)[number];
 /**
 * Main API server URL
@@ -20,6 +27,34 @@ const DEFAULT_API_URL = "http://localhost:3001";
 */
 export const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL ?? DEFAULT_API_URL;
 function resolveAuthMode(): AuthMode {
  const rawMode = (process.env.NEXT_PUBLIC_AUTH_MODE ?? DEFAULT_AUTH_MODE).toLowerCase();
  if (!VALID_AUTH_MODES.includes(rawMode as AuthMode)) {
    throw new Error(
      `Invalid NEXT_PUBLIC_AUTH_MODE "${rawMode}". Expected one of: ${VALID_AUTH_MODES.join(", ")}.`
    );
  }
  if (rawMode === "mock" && process.env.NODE_ENV !== "development") {
    throw new Error("NEXT_PUBLIC_AUTH_MODE=mock is only allowed when NODE_ENV=development.");
  }
  return rawMode as AuthMode;
 }
 /**
 * Authentication mode for frontend runtime.
 * - real: uses normal BetterAuth/Backend session flow
 * - mock: local-only seeded mock user for FE development
 */
 export const AUTH_MODE: AuthMode = resolveAuthMode();
 /**
 * Whether local mock auth mode is enabled.
 */
 export const IS_MOCK_AUTH_MODE = AUTH_MODE === "mock";
 /**
 * Orchestrator service URL
 * Used for agent management, task progress, and orchestration features
@@ -53,6 +88,8 @@ export const apiConfig = {
  baseUrl: API_BASE_URL,
  /** Orchestrator service URL */
  orchestratorUrl: ORCHESTRATOR_URL,
  /** Authentication mode (`real` or `mock`) */
  authMode: AUTH_MODE,
  /** Build full API URL for an endpoint */
  buildUrl: buildApiUrl,
  /** Build full orchestrator URL for an endpoint */
--- a/apps/web/src/lib/hooks/useLayout.ts
+++ b/apps/web/src/lib/hooks/useLayout.ts
@@ -14,6 +14,70 @@ const DEFAULT_LAYOUT_NAME = "default";
 */
 const WORKSPACE_KEY = "mosaic-workspace-id";
 function createDefaultLayout(): LayoutConfig {
  return {
    id: DEFAULT_LAYOUT_NAME,
    name: "Default Layout",
    layout: [
      {
        i: "tasks-1",
        x: 0,
        y: 0,
        w: 2,
        h: 3,
        minW: 1,
        minH: 2,
        isDraggable: true,
        isResizable: true,
      },
      {
        i: "calendar-1",
        x: 2,
        y: 0,
        w: 2,
        h: 2,
        minW: 1,
        minH: 2,
        isDraggable: true,
        isResizable: true,
      },
      {
        i: "agent-status-1",
        x: 2,
        y: 2,
        w: 2,
        h: 2,
        minW: 1,
        minH: 1,
        isDraggable: true,
        isResizable: true,
      },
      {
        i: "orchestrator-events-1",
        x: 0,
        y: 3,
        w: 2,
        h: 2,
        minW: 1,
        minH: 1,
        isDraggable: true,
        isResizable: true,
      },
      {
        i: "quick-capture-1",
        x: 2,
        y: 4,
        w: 2,
        h: 1,
        minW: 1,
        minH: 1,
        isDraggable: true,
        isResizable: true,
      },
    ],
  };
 }
 interface UseLayoutReturn {
  layouts: Record<string, LayoutConfig>;
  currentLayout: LayoutConfig | undefined;
@@ -45,7 +109,18 @@ export function useLayout(): UseLayoutReturn {
      if (stored) {
        const emptyFallback: Record<string, LayoutConfig> = {};
        const parsed = safeJsonParse(stored, isLayoutConfigRecord, emptyFallback);
-        setLayouts(parsed as Record<string, LayoutConfig>);
+        const parsedLayouts = parsed as Record<string, LayoutConfig>;
        if (Object.keys(parsedLayouts).length > 0) {
          setLayouts(parsedLayouts);
        } else {
          setLayouts({
            [DEFAULT_LAYOUT_NAME]: createDefaultLayout(),
          });
        }
      } else {
        setLayouts({
          [DEFAULT_LAYOUT_NAME]: createDefaultLayout(),
        });
      }
      // Load current layout ID preference
@@ -195,11 +270,7 @@ export function useLayout(): UseLayoutReturn {
  const resetLayout = useCallback(() => {
    setLayouts({
-      [DEFAULT_LAYOUT_NAME]: {
+      [DEFAULT_LAYOUT_NAME]: createDefaultLayout(),
        id: DEFAULT_LAYOUT_NAME,
        name: "Default Layout",
        layout: [],
      },
    });
    setCurrentLayoutId(DEFAULT_LAYOUT_NAME);
  }, []);
--- a/Show More
+++ b/Show More