docs: design system reference and task completion (MS15-DOC-001) (#454 )

Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
feat(web): Phase 3 — Dashboard Page (#450 ) (#453 )
2026-02-22 21:20:28 +00:00 · 2026-02-22 21:18:50 +00:00 · 2026-02-22 21:12:13 +00:00 · 2026-02-22 20:57:06 +00:00 · 2026-02-22 18:02:45 +00:00 · 2026-02-22 08:05:47 +00:00
327 changed files with 37712 additions and 4761 deletions
--- a/.env.example
+++ b/.env.example
@@ -15,11 +15,19 @@ WEB_PORT=3000
 # ======================
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 NEXT_PUBLIC_API_URL=http://localhost:3001
+# Frontend auth mode:
+# - real: Normal auth/session flow
+# - mock: Local-only seeded user for FE development (blocked outside NODE_ENV=development)
+#   Use `mock` locally to continue FE work when auth flow is unstable.
+# If omitted, web runtime defaults:
+# - development -> mock
+# - production -> real
+NEXT_PUBLIC_AUTH_MODE=real

 # ======================
 # PostgreSQL Database
 # ======================
-# Bundled PostgreSQL (when database profile enabled)
+# Bundled PostgreSQL
 # SECURITY: Change POSTGRES_PASSWORD to a strong random password in production
 DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
 POSTGRES_USER=mosaic
@@ -28,7 +36,7 @@ POSTGRES_DB=mosaic
 POSTGRES_PORT=5432

 # External PostgreSQL (managed service)
-# Disable 'database' profile and point DATABASE_URL to your external instance
+# To use an external instance, update DATABASE_URL above
 # Example: DATABASE_URL=postgresql://user:pass@rds.amazonaws.com:5432/mosaic

 # PostgreSQL Performance Tuning (Optional)
@@ -39,7 +47,7 @@ POSTGRES_MAX_CONNECTIONS=100
 # ======================
 # Valkey Cache (Redis-compatible)
 # ======================
-# Bundled Valkey (when cache profile enabled)
+# Bundled Valkey
 VALKEY_URL=redis://valkey:6379
 VALKEY_HOST=valkey
 VALKEY_PORT=6379
@@ -47,7 +55,7 @@ VALKEY_PORT=6379
 VALKEY_MAXMEMORY=256mb

 # External Redis/Valkey (managed service)
-# Disable 'cache' profile and point VALKEY_URL to your external instance
+# To use an external instance, update VALKEY_URL above
 # Example: VALKEY_URL=redis://elasticache.amazonaws.com:6379
 # Example with auth: VALKEY_URL=redis://:password@redis.example.com:6379

@@ -61,7 +69,7 @@ KNOWLEDGE_CACHE_TTL=300
 # Authentication (Authentik OIDC)
 # ======================
 # Set to 'true' to enable OIDC authentication with Authentik
-# When enabled, OIDC_ISSUER, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET are required
+# When enabled, OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, and OIDC_REDIRECT_URI are required
 OIDC_ENABLED=false

 # Authentik Server URLs (required when OIDC_ENABLED=true)
@@ -70,9 +78,9 @@ OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
 # Redirect URI must match what's configured in Authentik
-# Development: http://localhost:3001/auth/callback/authentik
-# Production: https://api.mosaicstack.dev/auth/callback/authentik
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback/authentik
+# Development: http://localhost:3001/auth/oauth2/callback/authentik
+# Production: https://api.mosaicstack.dev/auth/oauth2/callback/authentik
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik

 # Authentik PostgreSQL Database
 AUTHENTIK_POSTGRES_USER=authentik
@@ -116,6 +124,17 @@ JWT_EXPIRATION=24h
 # This is used by BetterAuth for session management and CSRF protection
 # Example: openssl rand -base64 32
 BETTER_AUTH_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
+# Optional explicit BetterAuth origin for callback/error URL generation.
+# When empty, backend falls back to NEXT_PUBLIC_API_URL.
+BETTER_AUTH_URL=
+
+# Trusted Origins (comma-separated list of additional trusted origins for CORS and auth)
+# These are added to NEXT_PUBLIC_APP_URL and NEXT_PUBLIC_API_URL automatically
+TRUSTED_ORIGINS=
+
+# Cookie Domain (for cross-subdomain session sharing)
+# Leave empty for single-domain setups. Set to ".example.com" for cross-subdomain.
+COOKIE_DOMAIN=

 # ======================
 # Encryption (Credential Security)
@@ -196,11 +215,9 @@ NODE_ENV=development
 # Used by docker-compose.yml (pulls images) and docker-swarm.yml
 # For local builds, use docker-compose.build.yml instead
 # Options:
-#   - dev: Pull development images from registry (default, built from develop branch)
-#   - latest: Pull latest stable images from registry (built from main branch)
-#   - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
+#   - latest: Pull latest images from registry (default, built from main branch)
 #   - <version>: Use specific version tag (e.g., v1.0.0)
-IMAGE_TAG=dev
+IMAGE_TAG=latest

 # ======================
 # Docker Compose Profiles
@@ -236,12 +253,16 @@ MOSAIC_API_DOMAIN=api.mosaic.local
 MOSAIC_WEB_DOMAIN=mosaic.local
 MOSAIC_AUTH_DOMAIN=auth.mosaic.local

-# External Traefik network name (for upstream mode)
+# External Traefik network name (for upstream mode and swarm)
 # Must match the network name of your existing Traefik instance
 TRAEFIK_NETWORK=traefik-public
+TRAEFIK_DOCKER_NETWORK=traefik-public

 # TLS/SSL Configuration
 TRAEFIK_TLS_ENABLED=true
+TRAEFIK_ENTRYPOINT=websecure
+# Cert resolver name (leave empty if TLS is handled externally or using self-signed certs)
+TRAEFIK_CERTRESOLVER=
 # For Let's Encrypt (production):
 TRAEFIK_ACME_EMAIL=admin@example.com
 # For self-signed certificates (development), leave TRAEFIK_ACME_EMAIL empty
@@ -277,6 +298,15 @@ GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
 # The coordinator service uses this key to authenticate with the API
 COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS

+# Anthropic API Key (used by coordinator for issue parsing)
+# Get your API key from: https://console.anthropic.com/
+ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
+
+# Coordinator tuning
+COORDINATOR_POLL_INTERVAL=5.0
+COORDINATOR_MAX_CONCURRENT_AGENTS=10
+COORDINATOR_ENABLED=true
+
 # ======================
 # Rate Limiting
 # ======================
@@ -321,16 +351,34 @@ RATE_LIMIT_STORAGE=redis
 # ======================
 # Matrix bot integration for chat-based control via Matrix protocol
 # Requires a Matrix account with an access token for the bot user
-# MATRIX_HOMESERVER_URL=https://matrix.example.com
-# MATRIX_ACCESS_TOKEN=
-# MATRIX_BOT_USER_ID=@mosaic-bot:example.com
-# MATRIX_CONTROL_ROOM_ID=!roomid:example.com
-# MATRIX_WORKSPACE_ID=your-workspace-uuid
+# Set these AFTER deploying Synapse and creating the bot account.
 #
 # SECURITY: MATRIX_WORKSPACE_ID must be a valid workspace UUID from your database.
 # All Matrix commands will execute within this workspace context for proper
 # multi-tenant isolation. Each Matrix bot instance should be configured for
 # a single workspace.
+MATRIX_HOMESERVER_URL=http://synapse:8008
+MATRIX_ACCESS_TOKEN=
+MATRIX_BOT_USER_ID=@mosaic-bot:matrix.example.com
+MATRIX_SERVER_NAME=matrix.example.com
+# MATRIX_CONTROL_ROOM_ID=!roomid:matrix.example.com
+# MATRIX_WORKSPACE_ID=your-workspace-uuid
+
+# ======================
+# Matrix / Synapse Deployment
+# ======================
+# Domains for Traefik routing to Matrix services
+MATRIX_DOMAIN=matrix.example.com
+ELEMENT_DOMAIN=chat.example.com
+
+# Synapse database (created automatically by synapse-db-init in the swarm compose)
+SYNAPSE_POSTGRES_DB=synapse
+SYNAPSE_POSTGRES_USER=synapse
+SYNAPSE_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_SYNAPSE_DB_PASSWORD
+
+# Image tags for Matrix services
+SYNAPSE_IMAGE_TAG=latest
+ELEMENT_IMAGE_TAG=latest

 # ======================
 # Orchestrator Configuration
@@ -342,6 +390,17 @@ RATE_LIMIT_STORAGE=redis
 # Health endpoints (/health/*) remain unauthenticated
 ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS

+# Runtime safety defaults (recommended for low-memory hosts)
+MAX_CONCURRENT_AGENTS=2
+SESSION_CLEANUP_DELAY_MS=30000
+ORCHESTRATOR_QUEUE_NAME=orchestrator-tasks
+ORCHESTRATOR_QUEUE_CONCURRENCY=1
+ORCHESTRATOR_QUEUE_MAX_RETRIES=3
+ORCHESTRATOR_QUEUE_BASE_DELAY_MS=1000
+ORCHESTRATOR_QUEUE_MAX_DELAY_MS=60000
+SANDBOX_DEFAULT_MEMORY_MB=256
+SANDBOX_DEFAULT_CPU_LIMIT=1.0
+
 # ======================
 # AI Provider Configuration
 # ======================
@@ -355,11 +414,10 @@ AI_PROVIDER=ollama
 # For remote Ollama: http://your-ollama-server:11434
 OLLAMA_MODEL=llama3.1:latest

-# Claude API Configuration (when AI_PROVIDER=claude)
-# OPTIONAL: Only required if AI_PROVIDER=claude
+# Claude API Key
+# Required only when AI_PROVIDER=claude.
 # Get your API key from: https://console.anthropic.com/
-# Note: Claude Max subscription users should use AI_PROVIDER=ollama instead
-# CLAUDE_API_KEY=sk-ant-...
+CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY

 # OpenAI API Configuration (when AI_PROVIDER=openai)
 # OPTIONAL: Only required if AI_PROVIDER=openai
@@ -367,26 +425,72 @@ OLLAMA_MODEL=llama3.1:latest
 # OPENAI_API_KEY=sk-...

 # ======================
-# Matrix Dev Environment (docker-compose.matrix.yml overlay)
+# Speech Services (STT / TTS)
 # ======================
-# These variables configure the local Matrix dev environment.
-# Only used when running: docker compose -f docker/docker-compose.yml -f docker/docker-compose.matrix.yml up
-#
-# Synapse homeserver
-# SYNAPSE_CLIENT_PORT=8008
-# SYNAPSE_FEDERATION_PORT=8448
-# SYNAPSE_POSTGRES_DB=synapse
-# SYNAPSE_POSTGRES_USER=synapse
-# SYNAPSE_POSTGRES_PASSWORD=synapse_dev_password
-#
-# Element Web client
-# ELEMENT_PORT=8501
-#
-# Matrix bridge connection (set after running docker/matrix/scripts/setup-bot.sh)
-# MATRIX_HOMESERVER_URL=http://localhost:8008
-# MATRIX_ACCESS_TOKEN=<obtained from setup-bot.sh>
-# MATRIX_BOT_USER_ID=@mosaic-bot:localhost
-# MATRIX_SERVER_NAME=localhost
+# Speech-to-Text (STT) - Whisper via Speaches
+# Set STT_ENABLED=true to enable speech-to-text transcription
+# STT_BASE_URL is required when STT_ENABLED=true
+STT_ENABLED=true
+STT_BASE_URL=http://speaches:8000/v1
+STT_MODEL=Systran/faster-whisper-large-v3-turbo
+STT_LANGUAGE=en
+
+# Text-to-Speech (TTS) - Default Engine (Kokoro)
+# Set TTS_ENABLED=true to enable text-to-speech synthesis
+# TTS_DEFAULT_URL is required when TTS_ENABLED=true
+TTS_ENABLED=true
+TTS_DEFAULT_URL=http://kokoro-tts:8880/v1
+TTS_DEFAULT_VOICE=af_heart
+TTS_DEFAULT_FORMAT=mp3
+
+# Text-to-Speech (TTS) - Premium Engine (Chatterbox) - Optional
+# Higher quality voice cloning engine, disabled by default
+# TTS_PREMIUM_URL is required when TTS_PREMIUM_ENABLED=true
+TTS_PREMIUM_ENABLED=false
+TTS_PREMIUM_URL=http://chatterbox-tts:8881/v1
+
+# Text-to-Speech (TTS) - Fallback Engine (Piper/OpenedAI) - Optional
+# Lightweight fallback engine, disabled by default
+# TTS_FALLBACK_URL is required when TTS_FALLBACK_ENABLED=true
+TTS_FALLBACK_ENABLED=false
+TTS_FALLBACK_URL=http://openedai-speech:8000/v1
+
+# Whisper model for Speaches STT engine
+SPEACHES_WHISPER_MODEL=Systran/faster-whisper-large-v3-turbo
+
+# Speech Service Limits
+# Maximum upload file size in bytes (default: 25MB)
+SPEECH_MAX_UPLOAD_SIZE=25000000
+# Maximum audio duration in seconds (default: 600 = 10 minutes)
+SPEECH_MAX_DURATION_SECONDS=600
+# Maximum text length for TTS in characters (default: 4096)
+SPEECH_MAX_TEXT_LENGTH=4096
+
+# ======================
+# Mosaic Telemetry (Task Completion Tracking & Predictions)
+# ======================
+# Telemetry tracks task completion patterns to provide time estimates and predictions.
+# Data is sent to the Mosaic Telemetry API (a separate service).
+
+# Master switch: set to false to completely disable telemetry (no HTTP calls will be made)
+MOSAIC_TELEMETRY_ENABLED=true
+
+# URL of the telemetry API server
+# For Docker Compose (internal): http://telemetry-api:8000
+# For production/swarm: https://tel-api.mosaicstack.dev
+MOSAIC_TELEMETRY_SERVER_URL=http://telemetry-api:8000
+
+# API key for authenticating with the telemetry server
+# Generate with: openssl rand -hex 32
+MOSAIC_TELEMETRY_API_KEY=your-64-char-hex-api-key-here
+
+# Unique identifier for this Mosaic Stack instance
+# Generate with: uuidgen or python -c "import uuid; print(uuid.uuid4())"
+MOSAIC_TELEMETRY_INSTANCE_ID=your-instance-uuid-here
+
+# Dry run mode: set to true to log telemetry events to console instead of sending HTTP requests
+# Useful for development and debugging telemetry payloads
+MOSAIC_TELEMETRY_DRY_RUN=false

 # ======================
 # Logging & Debugging
--- a/.env.prod.example
+++ b/.env.prod.example
@@ -1,66 +0,0 @@
-# ==============================================
-# Mosaic Stack Production Environment
-# ==============================================
-# Copy to .env and configure for production deployment
-
-# ======================
-# PostgreSQL Database
-# ======================
-# CRITICAL: Use a strong, unique password
-POSTGRES_USER=mosaic
-POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
-POSTGRES_DB=mosaic
-POSTGRES_SHARED_BUFFERS=256MB
-POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
-POSTGRES_MAX_CONNECTIONS=100
-
-# ======================
-# Valkey Cache
-# ======================
-VALKEY_MAXMEMORY=256mb
-
-# ======================
-# API Configuration
-# ======================
-API_PORT=3001
-API_HOST=0.0.0.0
-
-# ======================
-# Web Configuration
-# ======================
-WEB_PORT=3000
-NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev
-
-# ======================
-# Authentication (Authentik OIDC)
-# ======================
-OIDC_ISSUER=https://auth.diversecanvas.com/application/o/mosaic-stack/
-OIDC_CLIENT_ID=your-client-id
-OIDC_CLIENT_SECRET=your-client-secret
-OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
-
-# ======================
-# JWT Configuration
-# ======================
-# CRITICAL: Generate a random secret (openssl rand -base64 32)
-JWT_SECRET=REPLACE_WITH_RANDOM_SECRET
-JWT_EXPIRATION=24h
-
-# ======================
-# Traefik Integration
-# ======================
-# Set to true if using external Traefik
-TRAEFIK_ENABLE=true
-TRAEFIK_ENTRYPOINT=websecure
-TRAEFIK_TLS_ENABLED=true
-TRAEFIK_DOCKER_NETWORK=traefik-public
-TRAEFIK_CERTRESOLVER=letsencrypt
-
-# Domain configuration
-MOSAIC_API_DOMAIN=api.mosaicstack.dev
-MOSAIC_WEB_DOMAIN=app.mosaicstack.dev
-
-# ======================
-# Optional: Ollama
-# ======================
-# OLLAMA_ENDPOINT=http://ollama.diversecanvas.com:11434
--- a/.env.swarm.example
+++ b/.env.swarm.example
@@ -1,161 +0,0 @@
-# ==============================================
-# Mosaic Stack - Docker Swarm Configuration
-# ==============================================
-# Copy this file to .env for Docker Swarm deployment
-
-# ======================
-# Application Ports (Internal)
-# ======================
-API_PORT=3001
-API_HOST=0.0.0.0
-WEB_PORT=3000
-
-# ======================
-# Domain Configuration (Traefik)
-# ======================
-# These domains must be configured in your DNS or /etc/hosts
-MOSAIC_API_DOMAIN=api.mosaicstack.dev
-MOSAIC_WEB_DOMAIN=mosaic.mosaicstack.dev
-MOSAIC_AUTH_DOMAIN=auth.mosaicstack.dev
-
-# ======================
-# Web Configuration
-# ======================
-# Use the Traefik domain for the API URL
-NEXT_PUBLIC_APP_URL=http://mosaic.mosaicstack.dev
-NEXT_PUBLIC_API_URL=http://api.mosaicstack.dev
-
-# ======================
-# PostgreSQL Database
-# ======================
-DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
-POSTGRES_USER=mosaic
-POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
-POSTGRES_DB=mosaic
-POSTGRES_PORT=5432
-
-# PostgreSQL Performance Tuning
-POSTGRES_SHARED_BUFFERS=256MB
-POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
-POSTGRES_MAX_CONNECTIONS=100
-
-# ======================
-# Valkey Cache
-# ======================
-VALKEY_URL=redis://valkey:6379
-VALKEY_HOST=valkey
-VALKEY_PORT=6379
-VALKEY_MAXMEMORY=256mb
-
-# Knowledge Module Cache Configuration
-KNOWLEDGE_CACHE_ENABLED=true
-KNOWLEDGE_CACHE_TTL=300
-
-# ======================
-# Authentication (Authentik OIDC)
-# ======================
-# NOTE: Authentik services are COMMENTED OUT in docker-compose.swarm.yml by default
-# Uncomment those services if you want to run Authentik internally
-# Otherwise, use external Authentik by configuring OIDC_* variables below
-
-# External Authentik Configuration (default)
-OIDC_ENABLED=true
-OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
-OIDC_CLIENT_ID=your-client-id-here
-OIDC_CLIENT_SECRET=your-client-secret-here
-OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
-
-# Internal Authentik Configuration (only needed if uncommenting Authentik services)
-# Authentik PostgreSQL Database
-AUTHENTIK_POSTGRES_USER=authentik
-AUTHENTIK_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
-AUTHENTIK_POSTGRES_DB=authentik
-
-# Authentik Server Configuration
-AUTHENTIK_SECRET_KEY=REPLACE_WITH_RANDOM_SECRET_MINIMUM_50_CHARS
-AUTHENTIK_ERROR_REPORTING=false
-AUTHENTIK_BOOTSTRAP_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
-AUTHENTIK_BOOTSTRAP_EMAIL=admin@mosaicstack.dev
-AUTHENTIK_COOKIE_DOMAIN=.mosaicstack.dev
-
-# ======================
-# JWT Configuration
-# ======================
-JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
-JWT_EXPIRATION=24h
-
-# ======================
-# Encryption (Credential Security)
-# ======================
-# Generate with: openssl rand -hex 32
-ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING_GENERATE_WITH_OPENSSL_RAND_HEX_32
-
-# ======================
-# OpenBao Secrets Management
-# ======================
-OPENBAO_ADDR=http://openbao:8200
-OPENBAO_PORT=8200
-# For development only - remove in production
-OPENBAO_DEV_ROOT_TOKEN_ID=root
-
-# ======================
-# Ollama (Optional AI Service)
-# ======================
-OLLAMA_ENDPOINT=http://ollama:11434
-OLLAMA_PORT=11434
-OLLAMA_EMBEDDING_MODEL=mxbai-embed-large
-
-# Semantic Search Configuration
-SEMANTIC_SEARCH_SIMILARITY_THRESHOLD=0.5
-
-# ======================
-# OpenAI API (Optional)
-# ======================
-# OPENAI_API_KEY=sk-...
-
-# ======================
-# Application Environment
-# ======================
-NODE_ENV=production
-
-# ======================
-# Gitea Integration (Coordinator)
-# ======================
-GITEA_URL=https://git.mosaicstack.dev
-GITEA_BOT_USERNAME=mosaic
-GITEA_BOT_TOKEN=REPLACE_WITH_COORDINATOR_BOT_API_TOKEN
-GITEA_BOT_PASSWORD=REPLACE_WITH_COORDINATOR_BOT_PASSWORD
-GITEA_REPO_OWNER=mosaic
-GITEA_REPO_NAME=stack
-GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
-COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
-
-# ======================
-# Coordinator Service
-# ======================
-ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
-COORDINATOR_POLL_INTERVAL=5.0
-COORDINATOR_MAX_CONCURRENT_AGENTS=10
-COORDINATOR_ENABLED=true
-
-# ======================
-# Rate Limiting
-# ======================
-RATE_LIMIT_TTL=60
-RATE_LIMIT_GLOBAL_LIMIT=100
-RATE_LIMIT_WEBHOOK_LIMIT=60
-RATE_LIMIT_COORDINATOR_LIMIT=100
-RATE_LIMIT_HEALTH_LIMIT=300
-RATE_LIMIT_STORAGE=redis
-
-# ======================
-# Orchestrator Configuration
-# ======================
-ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
-CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY
-
-# ======================
-# Logging & Debugging
-# ======================
-LOG_LEVEL=info
-DEBUG=false
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,13 @@ yarn-error.log*

 # Orchestrator reports (generated by QA automation, cleaned up after processing)
 docs/reports/qa-automation/
+
+# Repo-local orchestrator runtime artifacts
+.mosaic/orchestrator/orchestrator.pid
+.mosaic/orchestrator/state.json
+.mosaic/orchestrator/tasks.json
+.mosaic/orchestrator/matrix_state.json
+.mosaic/orchestrator/logs/*.log
+.mosaic/orchestrator/results/*
+!.mosaic/orchestrator/logs/.gitkeep
+!.mosaic/orchestrator/results/.gitkeep
--- a/.mosaic/README.md
+++ b/.mosaic/README.md
@@ -0,0 +1,15 @@
+# Repo Mosaic Linkage
+
+This repository is attached to the machine-wide Mosaic framework.
+
+## Load Order for Agents
+
+1. `~/.config/mosaic/STANDARDS.md`
+2. `AGENTS.md` (this repository)
+3. `.mosaic/repo-hooks.sh` (repo-specific automation hooks)
+
+## Purpose
+
+- Keep universal standards in `~/.config/mosaic`
+- Keep repo-specific behavior in this repo
+- Avoid copying large runtime configs into each project
--- a/.mosaic/orchestrator/config.json
+++ b/.mosaic/orchestrator/config.json
@@ -0,0 +1,18 @@
+{
+  "enabled": true,
+  "transport": "matrix",
+  "matrix": {
+    "control_room_id": "",
+    "workspace_id": "",
+    "homeserver_url": "",
+    "access_token": "",
+    "bot_user_id": ""
+  },
+  "worker": {
+    "runtime": "codex",
+    "command_template": "bash scripts/agent/orchestrator-worker.sh {task_file}",
+    "timeout_seconds": 7200,
+    "max_attempts": 1
+  },
+  "quality_gates": ["pnpm lint", "pnpm typecheck", "pnpm test"]
+}
--- a/.mosaic/orchestrator/logs/.gitkeep
+++ b/.mosaic/orchestrator/logs/.gitkeep
@@ -0,0 +1 @@
+
--- a/.mosaic/orchestrator/results/.gitkeep
+++ b/.mosaic/orchestrator/results/.gitkeep
@@ -0,0 +1 @@
+
--- a/.mosaic/quality-rails.yml
+++ b/.mosaic/quality-rails.yml
@@ -0,0 +1,10 @@
+enabled: false
+template: ""
+
+# Set enabled: true and choose one template:
+# - typescript-node
+# - typescript-nextjs
+# - monorepo
+#
+# Apply manually:
+#   ~/.config/mosaic/bin/mosaic-quality-apply --template <template> --target <repo>
--- a/.mosaic/repo-hooks.sh
+++ b/.mosaic/repo-hooks.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Repo-specific hooks used by scripts/agent/*.sh for Mosaic Stack.
+
+mosaic_hook_session_start() {
+  echo "[mosaic-stack] Branch: $(git rev-parse --abbrev-ref HEAD)"
+  echo "[mosaic-stack] Remotes:"
+  git remote -v | sed 's/^/[mosaic-stack]   /'
+  if command -v node >/dev/null 2>&1; then
+    echo "[mosaic-stack] Node: $(node -v)"
+  fi
+  if command -v pnpm >/dev/null 2>&1; then
+    echo "[mosaic-stack] pnpm: $(pnpm -v)"
+  fi
+}
+
+mosaic_hook_critical() {
+  echo "[mosaic-stack] Recent commits:"
+  git log --oneline --decorate -n 5 | sed 's/^/[mosaic-stack]   /'
+  echo "[mosaic-stack] Open TODO/FIXME markers (top 20):"
+  rg -n "(TODO|FIXME|HACK|SECURITY)" apps packages plugins docs --glob '!**/node_modules/**' -S \
+    | head -n 20 \
+    | sed 's/^/[mosaic-stack]   /' \
+    || true
+}
+
+mosaic_hook_session_end() {
+  echo "[mosaic-stack] Working tree summary:"
+  git status --short | sed 's/^/[mosaic-stack]   /' || true
+}
--- a/.npmrc
+++ b/.npmrc
@@ -0,0 +1 @@
+@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/
--- a/.nvmrc
+++ b/.nvmrc
@@ -0,0 +1 @@
+24
--- a/.trivyignore
+++ b/.trivyignore
@@ -6,7 +6,7 @@
 #   - npm bundled CVEs (5): npm removed from production Node.js images
 #   - Node.js 20 → 24 LTS migration (#367): base images updated
 #
-# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar (3 CVEs)
+# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar/minimatch (5 CVEs)
 # Re-evaluate when upgrading openbao image beyond 2.5.0 or Next.js beyond 16.1.6.

 # === OpenBao false positives ===
@@ -17,15 +17,18 @@ CVE-2024-9180   # HIGH: privilege escalation (fixed in 2.0.3)
 CVE-2025-59043  # HIGH: DoS via malicious JSON (fixed in 2.4.1)
 CVE-2025-64761  # HIGH: identity group root escalation (fixed in 2.4.4)

-# === Next.js bundled tar CVEs (upstream — waiting on Next.js release) ===
-# Next.js 16.1.6 bundles tar@7.5.2 in next/dist/compiled/tar/ (pre-compiled).
-# This is NOT a pnpm dependency — it's embedded in the Next.js package itself.
+# === Next.js bundled tar/minimatch CVEs (upstream — waiting on Next.js release) ===
+# Next.js 16.1.6 bundles tar@7.5.2 and minimatch@9.0.5 in next/dist/compiled/ (pre-compiled).
+# These are NOT pnpm dependencies — they're embedded in the Next.js package itself.
+# pnpm overrides cannot reach these; only a Next.js upgrade can fix them.
 # Affects web image only (orchestrator and API are clean).
 # npm was also removed from all production images, eliminating the npm-bundled copy.
-# To resolve: upgrade Next.js when a release bundles tar >= 7.5.7.
+# To resolve: upgrade Next.js when a release bundles tar >= 7.5.8 and minimatch >= 10.2.1.
 CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths (fixed in 7.5.3)
 CVE-2026-23950  # HIGH: tar arbitrary file overwrite via Unicode path collision (fixed in 7.5.4)
 CVE-2026-24842  # HIGH: tar arbitrary file creation via hardlink path traversal (needs tar >= 7.5.7)
+CVE-2026-26960  # HIGH: tar arbitrary file read/write via malicious archive hardlink (needs tar >= 7.5.8)
+CVE-2026-26996  # HIGH: minimatch DoS via specially crafted glob patterns (needs minimatch >= 10.2.1)

 # === OpenBao Go stdlib (waiting on upstream rebuild) ===
 # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
--- a/.woodpecker/README.md
+++ b/.woodpecker/README.md
@@ -85,12 +85,11 @@ install -> [ruff-check, mypy, security-bandit, security-pip-audit, test]

 ## Image Tagging

-| Condition        | Tag                        | Purpose                    |
-| ---------------- | -------------------------- | -------------------------- |
-| Always           | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
-| `main` branch    | `latest`                   | Current production release |
-| `develop` branch | `dev`                      | Current development build  |
-| Git tag          | tag value (e.g., `v1.0.0`) | Semantic version release   |
+| Condition     | Tag                        | Purpose                    |
+| ------------- | -------------------------- | -------------------------- |
+| Always        | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
+| `main` branch | `latest`                   | Current latest build       |
+| Git tag       | tag value (e.g., `v1.0.0`) | Semantic version release   |

 ## Required Secrets

@@ -138,5 +137,5 @@ Fails on blockers or critical/high severity security findings.

 ### Pipeline runs Docker builds on pull requests

- Docker build steps have `when: branch: [main, develop]` guards
+- Docker build steps have `when: branch: [main]` guards
 - PRs only run quality gates, not Docker builds
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/api.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -112,7 +113,7 @@ steps:
      ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    commands:
      - *use_deps
-      - pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts'
+      - pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts' --exclude 'src/mosaic-telemetry/mosaic-telemetry.module.spec.ts'
    depends_on:
      - prisma-migrate

@@ -151,12 +152,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/api/Dockerfile $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -179,7 +178,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -187,7 +186,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-api
@@ -229,7 +228,7 @@ steps:
        }
        link_package "stack-api"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-api
--- a/.woodpecker/codex-review.yml
+++ b/.woodpecker/codex-review.yml
@@ -12,7 +12,7 @@ when:
  event: pull_request

 variables:
-  - &node_image "node:22-slim"
+  - &node_image "node:24-slim"
  - &install_codex "npm i -g @openai/codex"

 steps:
--- a/.woodpecker/coordinator.yml
+++ b/.woodpecker/coordinator.yml
@@ -30,7 +30,7 @@ steps:
      - python -m venv venv
      - . venv/bin/activate
      - pip install --no-cache-dir --upgrade "pip>=25.3"
-      - pip install --no-cache-dir -e ".[dev]"
+      - pip install --no-cache-dir --extra-index-url https://git.mosaicstack.dev/api/packages/mosaic/pypi/simple/ -e ".[dev]"
      - pip install --no-cache-dir bandit pip-audit

  ruff-check:
@@ -92,12 +92,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
        fi
-        /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile $DESTINATIONS
+        /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - ruff-check
@@ -124,7 +122,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -132,7 +130,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-coordinator
@@ -174,7 +172,7 @@ steps:
        }
        link_package "stack-coordinator"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-coordinator
--- a/.woodpecker/infra.yml
+++ b/.woodpecker/infra.yml
@@ -36,12 +36,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
        fi
-        /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile $DESTINATIONS
+        /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]

  docker-build-openbao:
@@ -61,12 +59,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
        fi
-        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile $DESTINATIONS
+        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]

  # === Container Security Scans ===
@@ -87,7 +83,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -95,7 +91,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-postgres
@@ -116,7 +112,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -124,7 +120,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-openbao
@@ -167,7 +163,7 @@ steps:
        link_package "stack-postgres"
        link_package "stack-openbao"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-postgres
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/orchestrator.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -108,12 +109,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -136,7 +135,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -144,7 +143,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-orchestrator
@@ -186,7 +185,7 @@ steps:
        }
        link_package "stack-orchestrator"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-orchestrator
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/web.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -119,12 +120,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
        fi
-        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -147,7 +146,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -155,7 +154,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-web
@@ -197,7 +196,7 @@ steps:
        }
        link_package "stack-web"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-web
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,37 +1,67 @@
 # Mosaic Stack — Agent Guidelines

-> **Any AI model, coding assistant, or framework working in this codebase MUST read and follow `CLAUDE.md` in the project root.**
+## Load Order

-`CLAUDE.md` is the authoritative source for:
+1. `SOUL.md` (repo identity + behavior invariants)
+2. `~/.config/mosaic/STANDARDS.md` (machine-wide standards rails)
+3. `AGENTS.md` (repo-specific overlay)
+4. `.mosaic/repo-hooks.sh` (repo lifecycle hooks)

- Technology stack and versions
- TypeScript strict mode requirements
- ESLint Quality Rails (error-level enforcement)
- Prettier formatting rules
- Testing requirements (85% coverage, TDD)
- API conventions and database patterns
- Commit format and branch strategy
- PDA-friendly design principles
+## Runtime Contract

-## Quick Rules (Read CLAUDE.md for Details)
+- This file is authoritative for repo-local operations.
+- `CLAUDE.md` is a compatibility pointer to `AGENTS.md`.
+- Follow universal rails from `~/.config/mosaic/guides/` and `~/.config/mosaic/rails/`.

- **No `any` types** — use `unknown`, generics, or proper types
- **Explicit return types** on all functions
- **Type-only imports** — `import type { Foo }` for types
- **Double quotes**, semicolons, 2-space indent, 100 char width
- **`??` not `||`** for defaults, **`?.`** not `&&` chains
- **All promises** must be awaited or returned
- **85% test coverage** minimum, tests before implementation
+## Session Lifecycle

-## Updating Conventions
+```bash
+bash scripts/agent/session-start.sh
+bash scripts/agent/critical.sh
+bash scripts/agent/session-end.sh
+```

-If you discover new patterns, gotchas, or conventions while working in this codebase, **update `CLAUDE.md`** — not this file. This file exists solely to redirect agents that look for `AGENTS.md` to the canonical source.
+Optional:

-## Per-App Context
+```bash
+bash scripts/agent/log-limitation.sh "Short Name"
+bash scripts/agent/orchestrator-daemon.sh status
+bash scripts/agent/orchestrator-events.sh recent --limit 50
+```

-Each app directory has its own `AGENTS.md` for app-specific patterns:
+## Repo Context
+
+- Platform: multi-tenant personal assistant stack
+- Monorepo: `pnpm` workspaces + Turborepo
+- Core apps: `apps/api` (NestJS), `apps/web` (Next.js), orchestrator/coordinator services
+- Infrastructure: Docker Compose + PostgreSQL + Valkey + Authentik
+
+## Quick Command Set
+
+```bash
+pnpm install
+pnpm dev
+pnpm test
+pnpm lint
+pnpm build
+```
+
+## Standards and Quality
+
+- Enforce strict typing and no unsafe shortcuts.
+- Keep lint/typecheck/tests green before completion.
+- Prefer small, focused commits and clear change descriptions.
+
+## App-Specific Overlays

 - `apps/api/AGENTS.md`
 - `apps/web/AGENTS.md`
 - `apps/coordinator/AGENTS.md`
 - `apps/orchestrator/AGENTS.md`
+
+## Additional Guidance
+
+- Orchestrator guidance: `docs/claude/orchestrator.md`
+- Security remediation context: `docs/reports/codebase-review-2026-02-05/01-security-review.md`
+- Code quality context: `docs/reports/codebase-review-2026-02-05/02-code-quality-review.md`
+- QA context: `docs/reports/codebase-review-2026-02-05/03-qa-test-coverage.md`
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,477 +1,10 @@
-**Multi-tenant personal assistant platform with PostgreSQL backend, Authentik SSO, and MoltBot
-integration.**
+# CLAUDE Compatibility Pointer

-## Conditional Documentation Loading
+This file exists so Claude Code sessions load Mosaic standards.

-| When working on...                       | Load this guide                                                     |
-| ---------------------------------------- | ------------------------------------------------------------------- |
-| Orchestrating autonomous task completion | `docs/claude/orchestrator.md`                                       |
-| Security remediation (review findings)   | `docs/reports/codebase-review-2026-02-05/01-security-review.md`     |
-| Code quality fixes                       | `docs/reports/codebase-review-2026-02-05/02-code-quality-review.md` |
-| Test coverage gaps                       | `docs/reports/codebase-review-2026-02-05/03-qa-test-coverage.md`    |
+## MANDATORY — Read Before Any Response

-## Platform Templates
+BEFORE responding to any user message, READ `~/.config/mosaic/AGENTS.md`.

-Bootstrap templates are at `docs/templates/`. See `docs/templates/README.md` for usage.
-
-## Project Overview
-
-Mosaic Stack is a standalone platform that provides:
-
- Multi-user workspaces with team sharing
- Task, event, and project management
- Gantt charts and Kanban boards
- MoltBot integration via plugins (stock MoltBot + mosaic-plugin-\*)
- PDA-friendly design throughout
-
-**Repository:** git.mosaicstack.dev/mosaic/stack
-**Versioning:** Start at 0.0.1, MVP = 0.1.0
-
-## Technology Stack
-
-| Layer      | Technology                                   |
-| ---------- | -------------------------------------------- |
-| Frontend   | Next.js 16 + React + TailwindCSS + Shadcn/ui |
-| Backend    | NestJS + Prisma ORM                          |
-| Database   | PostgreSQL 17 + pgvector                     |
-| Cache      | Valkey (Redis-compatible)                    |
-| Auth       | Authentik (OIDC)                             |
-| AI         | Ollama (configurable: local or remote)       |
-| Messaging  | MoltBot (stock + Mosaic plugins)             |
-| Real-time  | WebSockets (Socket.io)                       |
-| Monorepo   | pnpm workspaces + TurboRepo                  |
-| Testing    | Vitest + Playwright                          |
-| Deployment | Docker + docker-compose                      |
-
-## Repository Structure
-
-mosaic-stack/
-├── apps/
-│ ├── api/ # mosaic-api (NestJS)
-│ │ ├── src/
-│ │ │ ├── auth/ # Authentik OIDC
-│ │ │ ├── tasks/ # Task management
-│ │ │ ├── events/ # Calendar/events
-│ │ │ ├── projects/ # Project management
-│ │ │ ├── brain/ # MoltBot integration
-│ │ │ └── activity/ # Activity logging
-│ │ ├── prisma/
-│ │ │ └── schema.prisma
-│ │ └── Dockerfile
-│ └── web/ # mosaic-web (Next.js 16)
-│ ├── app/
-│ ├── components/
-│ └── Dockerfile
-├── packages/
-│ ├── shared/ # Shared types, utilities
-│ ├── ui/ # Shared UI components
-│ └── config/ # Shared configuration
-├── plugins/
-│ ├── mosaic-plugin-brain/ # MoltBot skill: API queries
-│ ├── mosaic-plugin-calendar/ # MoltBot skill: Calendar
-│ ├── mosaic-plugin-tasks/ # MoltBot skill: Tasks
-│ └── mosaic-plugin-gantt/ # MoltBot skill: Gantt
-├── docker/
-│ ├── docker-compose.yml # Turnkey deployment
-│ └── init-scripts/ # PostgreSQL init
-├── docs/
-│ ├── SETUP.md
-│ ├── CONFIGURATION.md
-│ └── DESIGN-PRINCIPLES.md
-├── .env.example
-├── turbo.json
-├── pnpm-workspace.yaml
-└── README.md
-
-## Development Workflow
-
-### Branch Strategy
-
- `main` — stable releases only
- `develop` — active development (default working branch)
- `feature/*` — feature branches from develop
- `fix/*` — bug fix branches
-
-### Starting Work
-
-````bash
-git checkout develop
-git pull --rebase
-pnpm install
-
-Running Locally
-
-# Start all services (Docker)
-docker compose up -d
-
-# Or run individually for development
-pnpm dev           # All apps
-pnpm dev:api       # API only
-pnpm dev:web       # Web only
-
-Testing
-
-pnpm test          # Run all tests
-pnpm test:api      # API tests only
-pnpm test:web      # Web tests only
-pnpm test:e2e      # Playwright E2E
-
-Building
-
-pnpm build         # Build all
-pnpm build:api     # Build API
-pnpm build:web     # Build Web
-
-Design Principles (NON-NEGOTIABLE)
-
-PDA-Friendly Language
-
-NEVER use demanding language. This is critical.
-┌─────────────┬──────────────────────┐
-│  ❌ NEVER   │      ✅ ALWAYS       │
-├─────────────┼──────────────────────┤
-│ OVERDUE     │ Target passed        │
-├─────────────┼──────────────────────┤
-│ URGENT      │ Approaching target   │
-├─────────────┼──────────────────────┤
-│ MUST DO     │ Scheduled for        │
-├─────────────┼──────────────────────┤
-│ CRITICAL    │ High priority        │
-├─────────────┼──────────────────────┤
-│ YOU NEED TO │ Consider / Option to │
-├─────────────┼──────────────────────┤
-│ REQUIRED    │ Recommended          │
-└─────────────┴──────────────────────┘
-Visual Indicators
-
-Use status indicators consistently:
- 🟢 On track / Active
- 🔵 Upcoming / Scheduled
- ⏸️ Paused / On hold
- 💤 Dormant / Inactive
- ⚪ Not started
-
-Display Principles
-
-1. 10-second scannability — Key info visible immediately
-2. Visual chunking — Clear sections with headers
-3. Single-line items — Compact, scannable lists
-4. Date grouping — Today, Tomorrow, This Week headers
-5. Progressive disclosure — Details on click, not upfront
-6. Calm colors — No aggressive reds for status
-
-Reference
-
-See docs/DESIGN-PRINCIPLES.md for complete guidelines.
-For original patterns, see: jarvis-brain/docs/DESIGN-PRINCIPLES.md
-
-API Conventions
-
-Endpoints
-
-GET    /api/{resource}           # List (with pagination, filters)
-GET    /api/{resource}/:id       # Get single
-POST   /api/{resource}           # Create
-PATCH  /api/{resource}/:id       # Update
-DELETE /api/{resource}/:id       # Delete
-
-Response Format
-
-// Success
-{
-  data: T | T[],
-  meta?: { total, page, limit }
-}
-
-// Error
-{
-  error: {
-    code: string,
-    message: string,
-    details?: any
-  }
-}
-
-Brain Query API
-
-POST /api/brain/query
-{
-  query: "what's on my calendar",
-  context?: { view: "dashboard", workspace_id: "..." }
-}
-
-Database Conventions
-
-Multi-Tenant (RLS)
-
-All workspace-scoped tables use Row-Level Security:
- Always include workspace_id in queries
- RLS policies enforce isolation
- Set session context for current user
-
-Prisma Commands
-
-pnpm prisma:generate   # Generate client
-pnpm prisma:migrate    # Run migrations
-pnpm prisma:studio     # Open Prisma Studio
-pnpm prisma:seed       # Seed development data
-
-MoltBot Plugin Development
-
-Plugins live in plugins/mosaic-plugin-*/ and follow MoltBot skill format:
-
-# plugins/mosaic-plugin-brain/SKILL.md
---
-name: mosaic-plugin-brain
-description: Query Mosaic Stack for tasks, events, projects
-version: 0.0.1
-triggers:
-  - "what's on my calendar"
-  - "show my tasks"
-  - "morning briefing"
-tools:
-  - mosaic_api
---
-
-# Plugin instructions here...
-
-Key principle: MoltBot remains stock. All customization via plugins only.
-
-Environment Variables
-
-See .env.example for all variables. Key ones:
-
-# Database
-DATABASE_URL=postgresql://mosaic:password@localhost:5432/mosaic
-
-# Auth
-AUTHENTIK_URL=https://auth.example.com
-AUTHENTIK_CLIENT_ID=mosaic-stack
-AUTHENTIK_CLIENT_SECRET=...
-
-# Ollama
-OLLAMA_MODE=local|remote
-OLLAMA_ENDPOINT=http://localhost:11434
-
-# MoltBot
-MOSAIC_API_TOKEN=...
-
-Issue Tracking
-
-Issues are tracked at: https://git.mosaicstack.dev/mosaic/stack/issues
-
-Labels
-
- Priority: p0 (critical), p1 (high), p2 (medium), p3 (low)
- Type: api, web, database, auth, plugin, ai, devops, docs, migration, security, testing,
-performance, setup
-
-Milestones
-
- M1-Foundation (0.0.x)
- M2-MultiTenant (0.0.x)
- M3-Features (0.0.x)
- M4-MoltBot (0.0.x)
- M5-Migration (0.1.0 MVP)
-
-Commit Format
-
-<type>(#issue): Brief description
-
-Detailed explanation if needed.
-
-Fixes #123
-Types: feat, fix, docs, test, refactor, chore
-
-Test-Driven Development (TDD) - REQUIRED
-
-**All code must follow TDD principles. This is non-negotiable.**
-
-TDD Workflow (Red-Green-Refactor)
-
-1. **RED** — Write a failing test first
-   - Write the test for new functionality BEFORE writing any implementation code
-   - Run the test to verify it fails (proves the test works)
-   - Commit message: `test(#issue): add test for [feature]`
-
-2. **GREEN** — Write minimal code to make the test pass
-   - Implement only enough code to pass the test
-   - Run tests to verify they pass
-   - Commit message: `feat(#issue): implement [feature]`
-
-3. **REFACTOR** — Clean up the code while keeping tests green
-   - Improve code quality, remove duplication, enhance readability
-   - Ensure all tests still pass after refactoring
-   - Commit message: `refactor(#issue): improve [component]`
-
-Testing Requirements
-
- **Minimum 85% code coverage** for all new code
- **Write tests BEFORE implementation** — no exceptions
- Test files must be co-located with source files:
-  - `feature.service.ts` → `feature.service.spec.ts`
-  - `component.tsx` → `component.test.tsx`
- All tests must pass before creating a PR
- Use descriptive test names: `it("should return user when valid token provided")`
- Group related tests with `describe()` blocks
- Mock external dependencies (database, APIs, file system)
-
-Test Types
-
- **Unit Tests** — Test individual functions/methods in isolation
- **Integration Tests** — Test module interactions (e.g., service + database)
- **E2E Tests** — Test complete user workflows with Playwright
-
-Running Tests
-
-```bash
-pnpm test              # Run all tests
-pnpm test:watch        # Watch mode for active development
-pnpm test:coverage     # Generate coverage report
-pnpm test:api          # API tests only
-pnpm test:web          # Web tests only
-pnpm test:e2e          # Playwright E2E tests
-````
-
-Coverage Verification
-
-After implementing a feature, verify coverage meets requirements:
-
-```bash
-pnpm test:coverage
-# Check the coverage report in coverage/index.html
-# Ensure your files show ≥85% coverage
-```
-
-TDD Anti-Patterns to Avoid
-
-❌ Writing implementation code before tests
-❌ Writing tests after implementation is complete
-❌ Skipping tests for "simple" code
-❌ Testing implementation details instead of behavior
-❌ Writing tests that don't fail when they should
-❌ Committing code with failing tests
-
-Quality Rails - Mechanical Code Quality Enforcement
-
-**Status:** ACTIVE (2026-01-30) - Strict enforcement enabled ✅
-
-Quality Rails provides mechanical enforcement of code quality standards through pre-commit hooks
-and CI/CD pipelines. See `docs/quality-rails-status.md` for full details.
-
-What's Enforced (NOW ACTIVE):
-
- ✅ **Type Safety** - Blocks explicit `any` types (@typescript-eslint/no-explicit-any: error)
- ✅ **Return Types** - Requires explicit return types on exported functions
- ✅ **Security** - Detects SQL injection, XSS, unsafe regex (eslint-plugin-security)
- ✅ **Promise Safety** - Blocks floating promises and misused promises
- ✅ **Code Formatting** - Auto-formats with Prettier on commit
- ✅ **Build Verification** - Type-checks before allowing commit
- ✅ **Secret Scanning** - Blocks hardcoded passwords/API keys (git-secrets)
-
-Current Status:
-
- ✅ **Pre-commit hooks**: ACTIVE - Blocks commits with violations
- ✅ **Strict enforcement**: ENABLED - Package-level enforcement
- 🟡 **CI/CD pipeline**: Ready (.woodpecker.yml created, not yet configured)
-
-How It Works:
-
-**Package-Level Enforcement** - If you touch ANY file in a package with violations,
-you must fix ALL violations in that package before committing. This forces incremental
-cleanup while preventing new violations.
-
-Example:
-
- Edit `apps/api/src/tasks/tasks.service.ts`
- Pre-commit hook runs lint on ENTIRE `@mosaic/api` package
- If `@mosaic/api` has violations → Commit BLOCKED
- Fix all violations in `@mosaic/api` → Commit allowed
-
-Next Steps:
-
-1. Fix violations package-by-package as you work in them
-2. Priority: Fix explicit `any` types and type safety issues first
-3. Configure Woodpecker CI to run quality gates on all PRs
-
-Why This Matters:
-
-Based on validation of 50 real production issues, Quality Rails mechanically prevents ~70%
-of quality issues including:
-
- Hardcoded passwords
- Type safety violations
- SQL injection vulnerabilities
- Build failures
- Test coverage gaps
-
-**Mechanical enforcement works. Process compliance doesn't.**
-
-See `docs/quality-rails-status.md` for detailed roadmap and violation breakdown.
-
-Example TDD Session
-
-```bash
-# 1. RED - Write failing test
-# Edit: feature.service.spec.ts
-# Add test for getUserById()
-pnpm test:watch  # Watch it fail
-git add feature.service.spec.ts
-git commit -m "test(#42): add test for getUserById"
-
-# 2. GREEN - Implement minimal code
-# Edit: feature.service.ts
-# Add getUserById() method
-pnpm test:watch  # Watch it pass
-git add feature.service.ts
-git commit -m "feat(#42): implement getUserById"
-
-# 3. REFACTOR - Improve code quality
-# Edit: feature.service.ts
-# Extract helper, improve naming
-pnpm test:watch  # Ensure still passing
-git add feature.service.ts
-git commit -m "refactor(#42): extract user mapping logic"
-```
-
-Docker Deployment
-
-Turnkey (includes everything)
-
-docker compose up -d
-
-Customized (external services)
-
-Create docker-compose.override.yml to:
-
- Point to external PostgreSQL/Valkey/Ollama
- Disable bundled services
-
-See docs/DOCKER.md for details.
-
-Key Documentation
-┌───────────────────────────┬───────────────────────┐
-│ Document │ Purpose │
-├───────────────────────────┼───────────────────────┤
-│ docs/SETUP.md │ Installation guide │
-├───────────────────────────┼───────────────────────┤
-│ docs/CONFIGURATION.md │ All config options │
-├───────────────────────────┼───────────────────────┤
-│ docs/DESIGN-PRINCIPLES.md │ PDA-friendly patterns │
-├───────────────────────────┼───────────────────────┤
-│ docs/DOCKER.md │ Docker deployment │
-├───────────────────────────┼───────────────────────┤
-│ docs/API.md │ API documentation │
-└───────────────────────────┴───────────────────────┘
-Related Repositories
-┌──────────────┬──────────────────────────────────────────────┐
-│ Repo │ Purpose │
-├──────────────┼──────────────────────────────────────────────┤
-│ jarvis-brain │ Original JSON-based brain (migration source) │
-├──────────────┼──────────────────────────────────────────────┤
-│ MoltBot │ Stock messaging gateway │
-└──────────────┴──────────────────────────────────────────────┘
-
---
-
-Mosaic Stack v0.0.x — Building the future of personal assistants.
+That file is the universal agent configuration. Do NOT respond until you have loaded it.
+Then read the project-local `AGENTS.md` in this repository for project-specific guidance.
--- a/17
+++ b/17
@@ -1,4 +1,4 @@
-.PHONY: help install dev build test docker-up docker-down docker-logs docker-ps docker-build docker-restart docker-test clean matrix-up matrix-down matrix-logs matrix-setup-bot
+.PHONY: help install dev build test docker-up docker-down docker-logs docker-ps docker-build docker-restart docker-test speech-up speech-down speech-logs clean matrix-up matrix-down matrix-logs matrix-setup-bot

 # Default target
 help:
@@ -24,6 +24,11 @@ help:
 	@echo "  make docker-test            Run Docker smoke test"
 	@echo "  make docker-test-traefik    Run Traefik integration tests"
 	@echo ""
+	@echo "Speech Services:"
+	@echo "  make speech-up              Start speech services (STT + TTS)"
+	@echo "  make speech-down            Stop speech services"
+	@echo "  make speech-logs            View speech service logs"
+	@echo ""
 	@echo "Matrix Dev Environment:"
 	@echo "  make matrix-up              Start Matrix services (Synapse + Element)"
 	@echo "  make matrix-down            Stop Matrix services"
@@ -91,6 +96,16 @@ docker-test:
 docker-test-traefik:
 	./tests/integration/docker/traefik.test.sh all

+# Speech services
+speech-up:
+	docker compose -f docker-compose.yml -f docker-compose.speech.yml up -d speaches kokoro-tts
+
+speech-down:
+	docker compose -f docker-compose.yml -f docker-compose.speech.yml down --remove-orphans
+
+speech-logs:
+	docker compose -f docker-compose.yml -f docker-compose.speech.yml logs -f speaches kokoro-tts
+
 # Matrix Dev Environment
 matrix-up:
 	docker compose -f docker/docker-compose.yml -f docker/docker-compose.matrix.yml up -d
--- a/README.md
+++ b/README.md
@@ -19,19 +19,20 @@ Mosaic Stack is a modern, PDA-friendly platform designed to help users manage th

 ## Technology Stack

-| Layer          | Technology                                   |
-| -------------- | -------------------------------------------- |
-| **Frontend**   | Next.js 16 + React + TailwindCSS + Shadcn/ui |
-| **Backend**    | NestJS + Prisma ORM                          |
-| **Database**   | PostgreSQL 17 + pgvector                     |
-| **Cache**      | Valkey (Redis-compatible)                    |
-| **Auth**       | Authentik (OIDC) via BetterAuth              |
-| **AI**         | Ollama (local or remote)                     |
-| **Messaging**  | MoltBot (stock + plugins)                    |
-| **Real-time**  | WebSockets (Socket.io)                       |
-| **Monorepo**   | pnpm workspaces + TurboRepo                  |
-| **Testing**    | Vitest + Playwright                          |
-| **Deployment** | Docker + docker-compose                      |
+| Layer          | Technology                                     |
+| -------------- | ---------------------------------------------- |
+| **Frontend**   | Next.js 16 + React + TailwindCSS + Shadcn/ui   |
+| **Backend**    | NestJS + Prisma ORM                            |
+| **Database**   | PostgreSQL 17 + pgvector                       |
+| **Cache**      | Valkey (Redis-compatible)                      |
+| **Auth**       | Authentik (OIDC) via BetterAuth                |
+| **AI**         | Ollama (local or remote)                       |
+| **Messaging**  | MoltBot (stock + plugins)                      |
+| **Real-time**  | WebSockets (Socket.io)                         |
+| **Speech**     | Speaches (STT) + Kokoro/Chatterbox/Piper (TTS) |
+| **Monorepo**   | pnpm workspaces + TurboRepo                    |
+| **Testing**    | Vitest + Playwright                            |
+| **Deployment** | Docker + docker-compose                        |

 ## Quick Start

@@ -89,7 +90,7 @@ docker compose down
 If you prefer manual installation, you'll need:

 - **Docker mode:** Docker 24+ and Docker Compose
- **Native mode:** Node.js 22+, pnpm 10+, PostgreSQL 17+
+- **Native mode:** Node.js 24+, pnpm 10+, PostgreSQL 17+

 The installer handles these automatically.

@@ -231,7 +232,7 @@ docker compose -f docker-compose.openbao.yml up -d
 sleep 30  # Wait for auto-initialization

 # 5. Deploy swarm stack
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic

 # 6. Check deployment status
 docker stack services mosaic
@@ -356,6 +357,29 @@ Mosaic Stack includes a sophisticated agent orchestration system for autonomous

 See [Agent Orchestration Design](docs/design/agent-orchestration.md) for architecture details.

+## Speech Services
+
+Mosaic Stack includes integrated speech-to-text (STT) and text-to-speech (TTS) capabilities through a modular provider architecture. Each component is optional and independently configurable.
+
+- **Speech-to-Text** - Transcribe audio files and real-time audio streams using Whisper (via Speaches)
+- **Text-to-Speech** - Synthesize speech with 54+ voices across 8 languages (via Kokoro, CPU-based)
+- **Premium Voice Cloning** - Clone voices from audio samples with emotion control (via Chatterbox, GPU)
+- **Fallback TTS** - Ultra-lightweight CPU fallback for low-resource environments (via Piper/OpenedAI Speech)
+- **WebSocket Streaming** - Real-time streaming transcription via Socket.IO `/speech` namespace
+- **Automatic Fallback** - TTS tier system with graceful degradation (premium -> default -> fallback)
+
+**Quick Start:**
+
+```bash
+# Start speech services alongside core stack
+make speech-up
+
+# Or with Docker Compose directly
+docker compose -f docker-compose.yml -f docker-compose.speech.yml up -d
+```
+
+See [Speech Services Documentation](docs/SPEECH.md) for architecture details, API reference, provider configuration, and deployment options.
+
 ## Current Implementation Status

 ### ✅ Completed (v0.0.1-0.0.6)
@@ -502,10 +526,9 @@ KNOWLEDGE_CACHE_TTL=300  # 5 minutes

 ### Branch Strategy

- `main` — Stable releases only
- `develop` — Active development (default working branch)
- `feature/*` — Feature branches from develop
- `fix/*` — Bug fix branches
+- `main` — Trunk branch (all development merges here)
+- `feature/*` — Feature branches from main
+- `fix/*` — Bug fix branches from main

 ### Running Locally

@@ -715,7 +738,7 @@ See [Type Sharing Strategy](docs/2-development/3-type-sharing/1-strategy.md) for
 4. Run tests: `pnpm test`
 5. Build: `pnpm build`
 6. Commit with conventional format: `feat(#issue): Description`
-7. Push and create a pull request to `develop`
+7. Push and create a pull request to `main`

 ### Commit Format

@@ -758,6 +781,7 @@ Complete documentation is organized in a Bookstack-compatible structure in the `
 - **[Overview](docs/3-architecture/1-overview/)** — System design and components
 - **[Authentication](docs/3-architecture/2-authentication/)** — BetterAuth and OIDC integration
 - **[Design Principles](docs/3-architecture/3-design-principles/1-pda-friendly.md)** — PDA-friendly patterns (non-negotiable)
+- **[Telemetry](docs/telemetry.md)** — AI task completion tracking, predictions, and SDK reference

 ### 🔌 API Reference

--- a/SOUL.md
+++ b/SOUL.md
@@ -0,0 +1,20 @@
+# Mosaic Stack Soul
+
+You are Jarvis for the Mosaic Stack repository, running on the current agent runtime.
+
+## Behavioral Invariants
+
+- Identity first: answer identity prompts as Jarvis for this repository.
+- Implementation detail second: runtime (Codex/Claude/OpenCode/etc.) is secondary metadata.
+- Be proactive: surface risks, blockers, and next actions without waiting.
+- Be calm and clear: keep responses concise, chunked, and PDA-friendly.
+- Respect canonical sources:
+  - Repo operations and conventions: `AGENTS.md`
+  - Machine-wide rails: `~/.config/mosaic/STANDARDS.md`
+  - Repo lifecycle hooks: `.mosaic/repo-hooks.sh`
+
+## Guardrails
+
+- Do not claim completion without verification evidence.
+- Do not bypass lint/type/test quality gates.
+- Prefer explicit assumptions and concrete file/command references.
--- a/apps/api/AGENTS.md
+++ b/apps/api/AGENTS.md
@@ -4,15 +4,22 @@

 ## Patterns

-<!-- Add module-specific patterns as you discover them -->
+- **Config validation pattern**: Config files use exported validation functions + typed getter functions (not class-validator). See `auth.config.ts`, `federation.config.ts`, `speech/speech.config.ts`. Pattern: export `isXEnabled()`, `validateXConfig()`, and `getXConfig()` functions.
+- **Config registerAs**: `speech.config.ts` also exports a `registerAs("speech", ...)` factory for NestJS ConfigModule namespaced injection. Use `ConfigModule.forFeature(speechConfig)` in module imports and access via `this.config.get<string>('speech.stt.baseUrl')`.
+- **Conditional config validation**: When a service has an enabled flag (e.g., `STT_ENABLED`), URL/connection vars are only required when enabled. Validation throws with a helpful message suggesting how to disable.
+- **Boolean env parsing**: Use `value === "true" || value === "1"` pattern. No default-true -- all services default to disabled when env var is unset.

 ## Gotchas

-<!-- Add things that trip up agents in this module -->
+- **Prisma client must be generated** before `tsc --noEmit` will pass. Run `pnpm prisma:generate` first. Pre-existing type errors from Prisma are expected in worktrees without generated client.
+- **Pre-commit hooks**: lint-staged runs on staged files. If other packages' files are staged, their lint must pass too. Only stage files you intend to commit.
+- **vitest runs all test files**: Even when targeting a specific test file, vitest loads all spec files. Many will fail if Prisma client isn't generated -- this is expected. Check only your target file's pass/fail status.

 ## Key Files

-| File | Purpose |
-| ---- | ------- |
-
-<!-- Add important files in this directory -->
+| File                                  | Purpose                                                                |
+| ------------------------------------- | ---------------------------------------------------------------------- |
+| `src/speech/speech.config.ts`         | Speech services env var validation and typed config (STT, TTS, limits) |
+| `src/speech/speech.config.spec.ts`    | Unit tests for speech config validation (51 tests)                     |
+| `src/auth/auth.config.ts`             | Auth/OIDC config validation (reference pattern)                        |
+| `src/federation/federation.config.ts` | Federation config validation (reference pattern)                       |
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -1,8 +1,7 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
-FROM node:24-alpine AS base
+# Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
+# (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
+FROM node:24-slim AS base

 # Install pnpm globally
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -25,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/

-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile

 # ======================
 # Builder stage
@@ -53,16 +51,16 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 # Production stage
 # ======================
-FROM node:24-alpine AS production
+FROM node:24-slim AS production

-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# Install dumb-init for proper signal handling (static binary from GitHub,
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init

-# Install dumb-init for proper signal handling
-RUN apk add --no-cache dumb-init
-
-# Create non-root user
-RUN addgroup -g 1001 -S nodejs && adduser -S nestjs -u 1001
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs

 WORKDIR /app

--- a/apps/api/eslint.config.mjs
+++ b/apps/api/eslint.config.mjs
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -27,6 +27,7 @@
  "dependencies": {
    "@anthropic-ai/sdk": "^0.72.1",
    "@mosaic/shared": "workspace:*",
+    "@mosaicstack/telemetry-client": "^0.1.1",
    "@nestjs/axios": "^4.0.1",
    "@nestjs/bullmq": "^11.0.4",
    "@nestjs/common": "^11.1.12",
--- a/apps/api/prisma/migrations/20260208000000_add_missing_tables/migration.sql
+++ b/apps/api/prisma/migrations/20260208000000_add_missing_tables/migration.sql
@@ -1,3 +1,38 @@
+-- RecreateEnum: FormalityLevel was dropped in 20260129235248_add_link_storage_fields
+CREATE TYPE "FormalityLevel" AS ENUM ('VERY_CASUAL', 'CASUAL', 'NEUTRAL', 'FORMAL', 'VERY_FORMAL');
+
+-- RecreateTable: personalities was dropped in 20260129235248_add_link_storage_fields
+-- Recreated with current schema (display_name, system_prompt, temperature, etc.)
+CREATE TABLE "personalities" (
+    "id" UUID NOT NULL,
+    "workspace_id" UUID NOT NULL,
+    "name" TEXT NOT NULL,
+    "display_name" TEXT NOT NULL,
+    "description" TEXT,
+    "system_prompt" TEXT NOT NULL,
+    "temperature" DOUBLE PRECISION,
+    "max_tokens" INTEGER,
+    "llm_provider_instance_id" UUID,
+    "is_default" BOOLEAN NOT NULL DEFAULT false,
+    "is_enabled" BOOLEAN NOT NULL DEFAULT true,
+    "created_at" TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMPTZ NOT NULL,
+
+    CONSTRAINT "personalities_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex: personalities
+CREATE UNIQUE INDEX "personalities_id_workspace_id_key" ON "personalities"("id", "workspace_id");
+CREATE UNIQUE INDEX "personalities_workspace_id_name_key" ON "personalities"("workspace_id", "name");
+CREATE INDEX "personalities_workspace_id_idx" ON "personalities"("workspace_id");
+CREATE INDEX "personalities_workspace_id_is_default_idx" ON "personalities"("workspace_id", "is_default");
+CREATE INDEX "personalities_workspace_id_is_enabled_idx" ON "personalities"("workspace_id", "is_enabled");
+CREATE INDEX "personalities_llm_provider_instance_id_idx" ON "personalities"("llm_provider_instance_id");
+
+-- AddForeignKey: personalities
+ALTER TABLE "personalities" ADD CONSTRAINT "personalities_workspace_id_fkey" FOREIGN KEY ("workspace_id") REFERENCES "workspaces"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+ALTER TABLE "personalities" ADD CONSTRAINT "personalities_llm_provider_instance_id_fkey" FOREIGN KEY ("llm_provider_instance_id") REFERENCES "llm_provider_instances"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
 -- CreateTable
 CREATE TABLE "cron_schedules" (
    "id" UUID NOT NULL,
--- a/apps/api/prisma/migrations/20260215100000_fix_schema_drift/migration.sql
+++ b/apps/api/prisma/migrations/20260215100000_fix_schema_drift/migration.sql
@@ -0,0 +1,49 @@
+-- Fix schema drift: tables, indexes, and constraints defined in schema.prisma
+-- but never created (or dropped and never recreated) by prior migrations.
+
+-- ============================================
+-- CreateTable: instances (Federation module)
+-- Never created in any prior migration
+-- ============================================
+CREATE TABLE "instances" (
+    "id" UUID NOT NULL,
+    "instance_id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "url" TEXT NOT NULL,
+    "public_key" TEXT NOT NULL,
+    "private_key" TEXT NOT NULL,
+    "capabilities" JSONB NOT NULL DEFAULT '{}',
+    "metadata" JSONB NOT NULL DEFAULT '{}',
+    "created_at" TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMPTZ NOT NULL,
+
+    CONSTRAINT "instances_pkey" PRIMARY KEY ("id")
+);
+
+CREATE UNIQUE INDEX "instances_instance_id_key" ON "instances"("instance_id");
+
+-- ============================================
+-- Recreate dropped unique index on knowledge_links
+-- Created in 20260129220645_add_knowledge_module, dropped in
+-- 20260129235248_add_link_storage_fields, never recreated.
+-- ============================================
+CREATE UNIQUE INDEX "knowledge_links_source_id_target_id_key" ON "knowledge_links"("source_id", "target_id");
+
+-- ============================================
+-- Missing @@unique([id, workspaceId]) composite indexes
+-- Defined in schema.prisma but never created in migrations.
+-- (agent_tasks and runner_jobs already have these.)
+-- ============================================
+CREATE UNIQUE INDEX "tasks_id_workspace_id_key" ON "tasks"("id", "workspace_id");
+CREATE UNIQUE INDEX "events_id_workspace_id_key" ON "events"("id", "workspace_id");
+CREATE UNIQUE INDEX "projects_id_workspace_id_key" ON "projects"("id", "workspace_id");
+CREATE UNIQUE INDEX "activity_logs_id_workspace_id_key" ON "activity_logs"("id", "workspace_id");
+CREATE UNIQUE INDEX "domains_id_workspace_id_key" ON "domains"("id", "workspace_id");
+CREATE UNIQUE INDEX "ideas_id_workspace_id_key" ON "ideas"("id", "workspace_id");
+CREATE UNIQUE INDEX "user_layouts_id_workspace_id_key" ON "user_layouts"("id", "workspace_id");
+
+-- ============================================
+-- Missing index on agent_tasks.agent_type
+-- Defined as @@index([agentType]) in schema.prisma
+-- ============================================
+CREATE INDEX "agent_tasks_agent_type_idx" ON "agent_tasks"("agent_type");
--- a/apps/api/src/app.controller.ts
+++ b/apps/api/src/app.controller.ts
@@ -1,4 +1,5 @@
 import { Controller, Get } from "@nestjs/common";
+import { SkipThrottle } from "@nestjs/throttler";
 import { AppService } from "./app.service";
 import { PrismaService } from "./prisma/prisma.service";
 import type { ApiResponse, HealthStatus } from "@mosaic/shared";
@@ -17,6 +18,7 @@ export class AppController {
  }

  @Get("health")
+  @SkipThrottle()
  async getHealth(): Promise<ApiResponse<HealthStatus>> {
    const dbHealthy = await this.prisma.isHealthy();
    const dbInfo = await this.prisma.getConnectionInfo();
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -37,6 +37,8 @@ import { JobStepsModule } from "./job-steps/job-steps.module";
 import { CoordinatorIntegrationModule } from "./coordinator-integration/coordinator-integration.module";
 import { FederationModule } from "./federation/federation.module";
 import { CredentialsModule } from "./credentials/credentials.module";
+import { MosaicTelemetryModule } from "./mosaic-telemetry";
+import { SpeechModule } from "./speech/speech.module";
 import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor";

@Module({
@@ -97,6 +99,8 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
    CoordinatorIntegrationModule,
    FederationModule,
    CredentialsModule,
+    MosaicTelemetryModule,
+    SpeechModule,
  ],
  controllers: [AppController, CsrfController],
  providers: [
--- a/apps/api/src/auth/auth-rls.integration.spec.ts
+++ b/apps/api/src/auth/auth-rls.integration.spec.ts
@@ -12,7 +12,10 @@ import { PrismaClient, Prisma } from "@prisma/client";
 import { randomUUID as uuid } from "crypto";
 import { runWithRlsClient, getRlsClient } from "../prisma/rls-context.provider";

-describe.skipIf(!process.env.DATABASE_URL)(
+const shouldRunDbIntegrationTests =
+  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
+
+describe.skipIf(!shouldRunDbIntegrationTests)(
  "Auth Tables RLS Policies (requires DATABASE_URL)",
  () => {
    let prisma: PrismaClient;
@@ -28,7 +31,7 @@ describe.skipIf(!process.env.DATABASE_URL)(

    beforeAll(async () => {
      // Skip setup if DATABASE_URL is not available
-      if (!process.env.DATABASE_URL) {
+      if (!shouldRunDbIntegrationTests) {
        return;
      }

@@ -49,7 +52,7 @@ describe.skipIf(!process.env.DATABASE_URL)(

    afterAll(async () => {
      // Skip cleanup if DATABASE_URL is not available or prisma not initialized
-      if (!process.env.DATABASE_URL || !prisma) {
+      if (!shouldRunDbIntegrationTests || !prisma) {
        return;
      }

--- a/apps/api/src/auth/auth.config.spec.ts
+++ b/apps/api/src/auth/auth.config.spec.ts
@@ -1,5 +1,30 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import { isOidcEnabled, validateOidcConfig } from "./auth.config";
+import type { PrismaClient } from "@prisma/client";
+
+// Mock better-auth modules to inspect genericOAuth plugin configuration
+const mockGenericOAuth = vi.fn().mockReturnValue({ id: "generic-oauth" });
+const mockBetterAuth = vi.fn().mockReturnValue({ handler: vi.fn() });
+const mockPrismaAdapter = vi.fn().mockReturnValue({});
+
+vi.mock("better-auth/plugins", () => ({
+  genericOAuth: (...args: unknown[]) => mockGenericOAuth(...args),
+}));
+
+vi.mock("better-auth", () => ({
+  betterAuth: (...args: unknown[]) => mockBetterAuth(...args),
+}));
+
+vi.mock("better-auth/adapters/prisma", () => ({
+  prismaAdapter: (...args: unknown[]) => mockPrismaAdapter(...args),
+}));
+
+import {
+  isOidcEnabled,
+  validateOidcConfig,
+  createAuth,
+  getTrustedOrigins,
+  getBetterAuthBaseUrl,
+} from "./auth.config";

 describe("auth.config", () => {
  // Store original env vars to restore after each test
@@ -11,6 +36,13 @@ describe("auth.config", () => {
    delete process.env.OIDC_ISSUER;
    delete process.env.OIDC_CLIENT_ID;
    delete process.env.OIDC_CLIENT_SECRET;
+    delete process.env.OIDC_REDIRECT_URI;
+    delete process.env.NODE_ENV;
+    delete process.env.BETTER_AUTH_URL;
+    delete process.env.NEXT_PUBLIC_APP_URL;
+    delete process.env.NEXT_PUBLIC_API_URL;
+    delete process.env.TRUSTED_ORIGINS;
+    delete process.env.COOKIE_DOMAIN;
  });

  afterEach(() => {
@@ -70,6 +102,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_ISSUER is missing", () => {
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
        expect(() => validateOidcConfig()).toThrow("OIDC authentication is enabled");
@@ -78,6 +111,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_ID is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_ID");
      });
@@ -85,13 +119,22 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_SECRET is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_SECRET");
      });

+      it("should throw when OIDC_REDIRECT_URI is missing", () => {
+        process.env.OIDC_ISSUER = "https://auth.example.com/";
+        process.env.OIDC_CLIENT_ID = "test-client-id";
+        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+
+        expect(() => validateOidcConfig()).toThrow("OIDC_REDIRECT_URI");
+      });
+
      it("should throw when all required vars are missing", () => {
        expect(() => validateOidcConfig()).toThrow(
-          "OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET"
+          "OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI"
        );
      });

@@ -99,9 +142,10 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "";
        process.env.OIDC_CLIENT_ID = "";
        process.env.OIDC_CLIENT_SECRET = "";
+        process.env.OIDC_REDIRECT_URI = "";

        expect(() => validateOidcConfig()).toThrow(
-          "OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET"
+          "OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_REDIRECT_URI"
        );
      });

@@ -109,6 +153,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "   ";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
      });
@@ -117,6 +162,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER must end with a trailing slash");
        expect(() => validateOidcConfig()).toThrow("https://auth.example.com/application/o/mosaic");
@@ -126,6 +172,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).not.toThrow();
      });
@@ -133,6 +180,537 @@ describe("auth.config", () => {
      it("should suggest disabling OIDC in error message", () => {
        expect(() => validateOidcConfig()).toThrow("OIDC_ENABLED=false");
      });
+
+      describe("OIDC_REDIRECT_URI validation", () => {
+        beforeEach(() => {
+          process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
+          process.env.OIDC_CLIENT_ID = "test-client-id";
+          process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+        });
+
+        it("should throw when OIDC_REDIRECT_URI is not a valid URL", () => {
+          process.env.OIDC_REDIRECT_URI = "not-a-url";
+
+          expect(() => validateOidcConfig()).toThrow("OIDC_REDIRECT_URI must be a valid URL");
+          expect(() => validateOidcConfig()).toThrow("not-a-url");
+          expect(() => validateOidcConfig()).toThrow("Parse error:");
+        });
+
+        it("should throw when OIDC_REDIRECT_URI path does not start with /auth/oauth2/callback", () => {
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/oauth/callback";
+
+          expect(() => validateOidcConfig()).toThrow(
+            'OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback"'
+          );
+          expect(() => validateOidcConfig()).toThrow("/oauth/callback");
+        });
+
+        it("should accept a valid OIDC_REDIRECT_URI with /auth/oauth2/callback path", () => {
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
+
+          expect(() => validateOidcConfig()).not.toThrow();
+        });
+
+        it("should accept OIDC_REDIRECT_URI with exactly /auth/oauth2/callback path", () => {
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback";
+
+          expect(() => validateOidcConfig()).not.toThrow();
+        });
+
+        it("should warn but not throw when using localhost in production", () => {
+          process.env.NODE_ENV = "production";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";
+
+          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+          expect(() => validateOidcConfig()).not.toThrow();
+          expect(warnSpy).toHaveBeenCalledWith(
+            expect.stringContaining("OIDC_REDIRECT_URI uses localhost")
+          );
+
+          warnSpy.mockRestore();
+        });
+
+        it("should warn but not throw when using 127.0.0.1 in production", () => {
+          process.env.NODE_ENV = "production";
+          process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/oauth2/callback/authentik";
+
+          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+          expect(() => validateOidcConfig()).not.toThrow();
+          expect(warnSpy).toHaveBeenCalledWith(
+            expect.stringContaining("OIDC_REDIRECT_URI uses localhost")
+          );
+
+          warnSpy.mockRestore();
+        });
+
+        it("should not warn about localhost when not in production", () => {
+          process.env.NODE_ENV = "development";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";
+
+          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+          expect(() => validateOidcConfig()).not.toThrow();
+          expect(warnSpy).not.toHaveBeenCalled();
+
+          warnSpy.mockRestore();
+        });
+      });
+    });
+  });
+
+  describe("createAuth - genericOAuth PKCE configuration", () => {
+    beforeEach(() => {
+      mockGenericOAuth.mockClear();
+      mockBetterAuth.mockClear();
+      mockPrismaAdapter.mockClear();
+    });
+
+    it("should enable PKCE in the genericOAuth provider config when OIDC is enabled", () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
+      process.env.OIDC_CLIENT_ID = "test-client-id";
+      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockGenericOAuth).toHaveBeenCalledOnce();
+      const callArgs = mockGenericOAuth.mock.calls[0][0] as {
+        config: Array<{ pkce?: boolean; redirectURI?: string }>;
+      };
+      expect(callArgs.config[0].pkce).toBe(true);
+      expect(callArgs.config[0].redirectURI).toBe(
+        "https://app.example.com/auth/oauth2/callback/authentik"
+      );
+    });
+
+    it("should not call genericOAuth when OIDC is disabled", () => {
+      process.env.OIDC_ENABLED = "false";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockGenericOAuth).not.toHaveBeenCalled();
+    });
+
+    it("should throw if OIDC_CLIENT_ID is missing when OIDC is enabled", () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
+      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
+      // OIDC_CLIENT_ID deliberately not set
+
+      // validateOidcConfig will throw first, so we need to bypass it
+      // by setting the var then deleting it after validation
+      // Instead, test via the validation path which is fine — but let's
+      // verify the plugin-level guard by using a direct approach:
+      // Set env to pass validateOidcConfig, then delete OIDC_CLIENT_ID
+      // The validateOidcConfig will catch this first, which is correct behavior
+      const mockPrisma = {} as PrismaClient;
+      expect(() => createAuth(mockPrisma)).toThrow("OIDC_CLIENT_ID");
+    });
+
+    it("should throw if OIDC_CLIENT_SECRET is missing when OIDC is enabled", () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
+      process.env.OIDC_CLIENT_ID = "test-client-id";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
+      // OIDC_CLIENT_SECRET deliberately not set
+
+      const mockPrisma = {} as PrismaClient;
+      expect(() => createAuth(mockPrisma)).toThrow("OIDC_CLIENT_SECRET");
+    });
+
+    it("should throw if OIDC_ISSUER is missing when OIDC is enabled", () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_CLIENT_ID = "test-client-id";
+      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
+      // OIDC_ISSUER deliberately not set
+
+      const mockPrisma = {} as PrismaClient;
+      expect(() => createAuth(mockPrisma)).toThrow("OIDC_ISSUER");
+    });
+  });
+
+  describe("getTrustedOrigins", () => {
+    it("should return localhost URLs when NODE_ENV is not production", () => {
+      process.env.NODE_ENV = "development";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("http://localhost:3000");
+      expect(origins).toContain("http://localhost:3001");
+    });
+
+    it("should return localhost URLs when NODE_ENV is not set", () => {
+      // NODE_ENV is deleted in beforeEach, so it's undefined here
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("http://localhost:3000");
+      expect(origins).toContain("http://localhost:3001");
+    });
+
+    it("should exclude localhost URLs in production", () => {
+      process.env.NODE_ENV = "production";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).not.toContain("http://localhost:3000");
+      expect(origins).not.toContain("http://localhost:3001");
+    });
+
+    it("should parse TRUSTED_ORIGINS comma-separated values", () => {
+      process.env.TRUSTED_ORIGINS = "https://app.mosaicstack.dev,https://api.mosaicstack.dev";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://app.mosaicstack.dev");
+      expect(origins).toContain("https://api.mosaicstack.dev");
+    });
+
+    it("should trim whitespace from TRUSTED_ORIGINS entries", () => {
+      process.env.TRUSTED_ORIGINS = " https://app.mosaicstack.dev , https://api.mosaicstack.dev ";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://app.mosaicstack.dev");
+      expect(origins).toContain("https://api.mosaicstack.dev");
+    });
+
+    it("should filter out empty strings from TRUSTED_ORIGINS", () => {
+      process.env.TRUSTED_ORIGINS = "https://app.mosaicstack.dev,,, ,";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://app.mosaicstack.dev");
+      // No empty strings in the result
+      origins.forEach((o) => expect(o).not.toBe(""));
+    });
+
+    it("should include NEXT_PUBLIC_APP_URL", () => {
+      process.env.NEXT_PUBLIC_APP_URL = "https://my-app.example.com";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://my-app.example.com");
+    });
+
+    it("should include NEXT_PUBLIC_API_URL", () => {
+      process.env.NEXT_PUBLIC_API_URL = "https://my-api.example.com";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://my-api.example.com");
+    });
+
+    it("should deduplicate origins", () => {
+      process.env.NEXT_PUBLIC_APP_URL = "http://localhost:3000";
+      process.env.TRUSTED_ORIGINS = "http://localhost:3000,http://localhost:3001";
+      // NODE_ENV not set, so localhost fallbacks are also added
+
+      const origins = getTrustedOrigins();
+
+      const countLocalhost3000 = origins.filter((o) => o === "http://localhost:3000").length;
+      const countLocalhost3001 = origins.filter((o) => o === "http://localhost:3001").length;
+      expect(countLocalhost3000).toBe(1);
+      expect(countLocalhost3001).toBe(1);
+    });
+
+    it("should handle all env vars missing gracefully", () => {
+      // All env vars deleted in beforeEach; NODE_ENV is also deleted (not production)
+      const origins = getTrustedOrigins();
+
+      // Should still return localhost fallbacks since not in production
+      expect(origins).toContain("http://localhost:3000");
+      expect(origins).toContain("http://localhost:3001");
+      expect(origins).toHaveLength(2);
+    });
+
+    it("should return empty array when all env vars missing in production", () => {
+      process.env.NODE_ENV = "production";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toHaveLength(0);
+    });
+
+    it("should combine all sources correctly", () => {
+      process.env.NEXT_PUBLIC_APP_URL = "https://app.mosaicstack.dev";
+      process.env.NEXT_PUBLIC_API_URL = "https://api.mosaicstack.dev";
+      process.env.TRUSTED_ORIGINS = "https://extra.example.com";
+      process.env.NODE_ENV = "development";
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://app.mosaicstack.dev");
+      expect(origins).toContain("https://api.mosaicstack.dev");
+      expect(origins).toContain("https://extra.example.com");
+      expect(origins).toContain("http://localhost:3000");
+      expect(origins).toContain("http://localhost:3001");
+      expect(origins).toHaveLength(5);
+    });
+
+    it("should reject invalid URLs in TRUSTED_ORIGINS with a warning including error details", () => {
+      process.env.TRUSTED_ORIGINS = "not-a-url,https://valid.example.com";
+      process.env.NODE_ENV = "production";
+
+      const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://valid.example.com");
+      expect(origins).not.toContain("not-a-url");
+      expect(warnSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Ignoring invalid URL in TRUSTED_ORIGINS: "not-a-url"')
+      );
+      // Verify that error detail is included in the warning
+      const warnCall = warnSpy.mock.calls.find(
+        (call) => typeof call[0] === "string" && call[0].includes("not-a-url")
+      );
+      expect(warnCall).toBeDefined();
+      expect(warnCall![0]).toMatch(/\(.*\)$/);
+
+      warnSpy.mockRestore();
+    });
+
+    it("should reject non-HTTP origins in TRUSTED_ORIGINS with a warning", () => {
+      process.env.TRUSTED_ORIGINS = "ftp://files.example.com,https://valid.example.com";
+      process.env.NODE_ENV = "production";
+
+      const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const origins = getTrustedOrigins();
+
+      expect(origins).toContain("https://valid.example.com");
+      expect(origins).not.toContain("ftp://files.example.com");
+      expect(warnSpy).toHaveBeenCalledWith(
+        expect.stringContaining("Ignoring non-HTTP origin in TRUSTED_ORIGINS")
+      );
+
+      warnSpy.mockRestore();
+    });
+  });
+
+  describe("createAuth - session and cookie configuration", () => {
+    beforeEach(() => {
+      mockGenericOAuth.mockClear();
+      mockBetterAuth.mockClear();
+      mockPrismaAdapter.mockClear();
+    });
+
+    it("should configure session expiresIn to 7 days (604800 seconds)", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        session: { expiresIn: number; updateAge: number };
+      };
+      expect(config.session.expiresIn).toBe(604800);
+    });
+
+    it("should configure session updateAge to 2 hours (7200 seconds)", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        session: { expiresIn: number; updateAge: number };
+      };
+      expect(config.session.updateAge).toBe(7200);
+    });
+
+    it("should configure BetterAuth database ID generation as UUID", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          database: {
+            generateId: string;
+          };
+        };
+      };
+      expect(config.advanced.database.generateId).toBe("uuid");
+    });
+
+    it("should set httpOnly cookie attribute to true", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.httpOnly).toBe(true);
+    });
+
+    it("should set sameSite cookie attribute to lax", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.sameSite).toBe("lax");
+    });
+
+    it("should set secure cookie attribute to true in production", () => {
+      process.env.NODE_ENV = "production";
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.secure).toBe(true);
+    });
+
+    it("should set secure cookie attribute to false in non-production", () => {
+      process.env.NODE_ENV = "development";
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.secure).toBe(false);
+    });
+
+    it("should set cookie domain when COOKIE_DOMAIN env var is present", () => {
+      process.env.COOKIE_DOMAIN = ".mosaicstack.dev";
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+            domain?: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.domain).toBe(".mosaicstack.dev");
+    });
+
+    it("should not set cookie domain when COOKIE_DOMAIN env var is absent", () => {
+      delete process.env.COOKIE_DOMAIN;
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          defaultCookieAttributes: {
+            httpOnly: boolean;
+            secure: boolean;
+            sameSite: string;
+            domain?: string;
+          };
+        };
+      };
+      expect(config.advanced.defaultCookieAttributes.domain).toBeUndefined();
+    });
+  });
+
+  describe("getBetterAuthBaseUrl", () => {
+    it("should prefer BETTER_AUTH_URL when set", () => {
+      process.env.BETTER_AUTH_URL = "https://auth-base.example.com";
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
+
+      expect(getBetterAuthBaseUrl()).toBe("https://auth-base.example.com");
+    });
+
+    it("should fall back to NEXT_PUBLIC_API_URL when BETTER_AUTH_URL is not set", () => {
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
+
+      expect(getBetterAuthBaseUrl()).toBe("https://api.example.com");
+    });
+
+    it("should throw when base URL is invalid", () => {
+      process.env.BETTER_AUTH_URL = "not-a-url";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow("BetterAuth base URL must be a valid URL");
+    });
+
+    it("should throw when base URL is missing in production", () => {
+      process.env.NODE_ENV = "production";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow("Missing BetterAuth base URL in production");
+    });
+
+    it("should throw when base URL is not https in production", () => {
+      process.env.NODE_ENV = "production";
+      process.env.BETTER_AUTH_URL = "http://api.example.com";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow(
+        "BetterAuth base URL must use https in production"
+      );
+    });
+  });
+
+  describe("createAuth - baseURL wiring", () => {
+    beforeEach(() => {
+      mockBetterAuth.mockClear();
+      mockPrismaAdapter.mockClear();
+    });
+
+    it("should pass BETTER_AUTH_URL into BetterAuth config", () => {
+      process.env.BETTER_AUTH_URL = "https://api.mosaicstack.dev";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
+      expect(config.baseURL).toBe("https://api.mosaicstack.dev");
+    });
+
+    it("should pass NEXT_PUBLIC_API_URL into BetterAuth config when BETTER_AUTH_URL is absent", () => {
+      process.env.NEXT_PUBLIC_API_URL = "https://api.fallback.dev";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
+      expect(config.baseURL).toBe("https://api.fallback.dev");
    });
  });
 });
--- a/apps/api/src/auth/auth.config.ts
+++ b/apps/api/src/auth/auth.config.ts
@@ -6,7 +6,47 @@ import type { PrismaClient } from "@prisma/client";
 /**
 * Required OIDC environment variables when OIDC is enabled
 */
-const REQUIRED_OIDC_ENV_VARS = ["OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"] as const;
+const REQUIRED_OIDC_ENV_VARS = [
+  "OIDC_ISSUER",
+  "OIDC_CLIENT_ID",
+  "OIDC_CLIENT_SECRET",
+  "OIDC_REDIRECT_URI",
+] as const;
+
+/**
+ * Resolve BetterAuth base URL from explicit auth URL or API URL.
+ * BetterAuth uses this to generate absolute callback/error URLs.
+ */
+export function getBetterAuthBaseUrl(): string | undefined {
+  const configured = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_API_URL;
+
+  if (!configured || configured.trim() === "") {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error(
+        "Missing BetterAuth base URL in production. Set BETTER_AUTH_URL (preferred) or NEXT_PUBLIC_API_URL."
+      );
+    }
+    return undefined;
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(configured);
+  } catch (urlError: unknown) {
+    const detail = urlError instanceof Error ? urlError.message : String(urlError);
+    throw new Error(
+      `BetterAuth base URL must be a valid URL. Current value: "${configured}". Parse error: ${detail}.`
+    );
+  }
+
+  if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+    throw new Error(
+      `BetterAuth base URL must use https in production. Current value: "${configured}".`
+    );
+  }
+
+  return parsed.origin;
+}

 /**
 * Check if OIDC authentication is enabled via environment variable
@@ -52,6 +92,54 @@ export function validateOidcConfig(): void {
        `The discovery URL is constructed by appending ".well-known/openid-configuration" to the issuer.`
    );
  }
+
+  // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/oauth2/callback path
+  validateRedirectUri();
+}
+
+/**
+ * Validates the OIDC_REDIRECT_URI environment variable.
+ * - Must be a parseable URL
+ * - Path must start with /auth/oauth2/callback
+ * - Warns (but does not throw) if using localhost in production
+ *
+ * @throws Error if URL is invalid or path does not start with /auth/oauth2/callback
+ */
+function validateRedirectUri(): void {
+  const redirectUri = process.env.OIDC_REDIRECT_URI;
+  if (!redirectUri || redirectUri.trim() === "") {
+    // Already caught by REQUIRED_OIDC_ENV_VARS check above
+    return;
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(redirectUri);
+  } catch (urlError: unknown) {
+    const detail = urlError instanceof Error ? urlError.message : String(urlError);
+    throw new Error(
+      `OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` +
+        `Parse error: ${detail}. ` +
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
+    );
+  }
+
+  if (!parsed.pathname.startsWith("/auth/oauth2/callback")) {
+    throw new Error(
+      `OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback". Current path: "${parsed.pathname}". ` +
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
+    );
+  }
+
+  if (
+    process.env.NODE_ENV === "production" &&
+    (parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1")
+  ) {
+    console.warn(
+      `[AUTH WARNING] OIDC_REDIRECT_URI uses localhost ("${redirectUri}") in production. ` +
+        `This is likely a misconfiguration. Use a public domain for production deployments.`
+    );
+  }
 }

 /**
@@ -63,14 +151,34 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
    return [];
  }

+  const clientId = process.env.OIDC_CLIENT_ID;
+  const clientSecret = process.env.OIDC_CLIENT_SECRET;
+  const issuer = process.env.OIDC_ISSUER;
+  const redirectUri = process.env.OIDC_REDIRECT_URI;
+
+  if (!clientId) {
+    throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
+  }
+  if (!clientSecret) {
+    throw new Error("OIDC_CLIENT_SECRET is required when OIDC is enabled but was not set.");
+  }
+  if (!issuer) {
+    throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
+  }
+  if (!redirectUri) {
+    throw new Error("OIDC_REDIRECT_URI is required when OIDC is enabled but was not set.");
+  }
+
  return [
    genericOAuth({
      config: [
        {
          providerId: "authentik",
-          clientId: process.env.OIDC_CLIENT_ID ?? "",
-          clientSecret: process.env.OIDC_CLIENT_SECRET ?? "",
-          discoveryUrl: `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`,
+          clientId,
+          clientSecret,
+          discoveryUrl: `${issuer}.well-known/openid-configuration`,
+          redirectURI: redirectUri,
+          pkce: true,
          scopes: ["openid", "profile", "email"],
        },
      ],
@@ -78,28 +186,91 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
  ];
 }

+/**
+ * Build the list of trusted origins from environment variables.
+ *
+ * Sources (in order):
+ *  - NEXT_PUBLIC_APP_URL  — primary frontend URL
+ *  - NEXT_PUBLIC_API_URL  — API's own origin
+ *  - TRUSTED_ORIGINS      — comma-separated additional origins
+ *  - localhost fallbacks   — only when NODE_ENV !== "production"
+ *
+ * The returned list is deduplicated and empty strings are filtered out.
+ */
+export function getTrustedOrigins(): string[] {
+  const origins: string[] = [];
+
+  // Environment-driven origins
+  if (process.env.NEXT_PUBLIC_APP_URL) {
+    origins.push(process.env.NEXT_PUBLIC_APP_URL);
+  }
+
+  if (process.env.NEXT_PUBLIC_API_URL) {
+    origins.push(process.env.NEXT_PUBLIC_API_URL);
+  }
+
+  // Comma-separated additional origins (validated)
+  if (process.env.TRUSTED_ORIGINS) {
+    const rawOrigins = process.env.TRUSTED_ORIGINS.split(",")
+      .map((o) => o.trim())
+      .filter((o) => o !== "");
+    for (const origin of rawOrigins) {
+      try {
+        const parsed = new URL(origin);
+        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+          console.warn(`[AUTH] Ignoring non-HTTP origin in TRUSTED_ORIGINS: "${origin}"`);
+          continue;
+        }
+        origins.push(origin);
+      } catch (urlError: unknown) {
+        const detail = urlError instanceof Error ? urlError.message : String(urlError);
+        console.warn(`[AUTH] Ignoring invalid URL in TRUSTED_ORIGINS: "${origin}" (${detail})`);
+      }
+    }
+  }
+
+  // Localhost fallbacks for development only
+  if (process.env.NODE_ENV !== "production") {
+    origins.push("http://localhost:3000", "http://localhost:3001");
+  }
+
+  // Deduplicate and filter empty strings
+  return [...new Set(origins)].filter((o) => o !== "");
+}
+
 export function createAuth(prisma: PrismaClient) {
  // Validate OIDC configuration at startup - fail fast if misconfigured
  validateOidcConfig();

+  const baseURL = getBetterAuthBaseUrl();
+
  return betterAuth({
+    baseURL,
+    basePath: "/auth",
    database: prismaAdapter(prisma, {
      provider: "postgresql",
    }),
    emailAndPassword: {
-      enabled: true, // Enable for now, can be disabled later
+      enabled: true,
    },
    plugins: [...getOidcPlugins()],
    session: {
-      expiresIn: 60 * 60 * 24, // 24 hours
-      updateAge: 60 * 60 * 24, // 24 hours
+      expiresIn: 60 * 60 * 24 * 7, // 7 days absolute max
+      updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
    },
-    trustedOrigins: [
-      process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
-      "http://localhost:3001", // API origin (dev)
-      "https://app.mosaicstack.dev", // Production web
-      "https://api.mosaicstack.dev", // Production API
-    ],
+    advanced: {
+      database: {
+        // BetterAuth's default ID generator emits opaque strings; our auth tables use UUID PKs.
+        generateId: "uuid",
+      },
+      defaultCookieAttributes: {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === "production",
+        sameSite: "lax" as const,
+        ...(process.env.COOKIE_DOMAIN ? { domain: process.env.COOKIE_DOMAIN } : {}),
+      },
+    },
+    trustedOrigins: getTrustedOrigins(),
  });
 }

--- a/apps/api/src/auth/auth.controller.spec.ts
+++ b/apps/api/src/auth/auth.controller.spec.ts
@@ -1,15 +1,41 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
+
+// Mock better-auth modules before importing AuthService (pulled in by AuthController)
+vi.mock("better-auth/node", () => ({
+  toNodeHandler: vi.fn().mockReturnValue(vi.fn()),
+}));
+
+vi.mock("better-auth", () => ({
+  betterAuth: vi.fn().mockReturnValue({
+    handler: vi.fn(),
+    api: { getSession: vi.fn() },
+  }),
+}));
+
+vi.mock("better-auth/adapters/prisma", () => ({
+  prismaAdapter: vi.fn().mockReturnValue({}),
+}));
+
+vi.mock("better-auth/plugins", () => ({
+  genericOAuth: vi.fn().mockReturnValue({ id: "generic-oauth" }),
+}));
+
 import { Test, TestingModule } from "@nestjs/testing";
+import { HttpException, HttpStatus, UnauthorizedException } from "@nestjs/common";
 import type { AuthUser, AuthSession } from "@mosaic/shared";
+import type { Request as ExpressRequest, Response as ExpressResponse } from "express";
 import { AuthController } from "./auth.controller";
 import { AuthService } from "./auth.service";

 describe("AuthController", () => {
  let controller: AuthController;
-  let authService: AuthService;
+
+  const mockNodeHandler = vi.fn().mockResolvedValue(undefined);

  const mockAuthService = {
    getAuth: vi.fn(),
+    getNodeHandler: vi.fn().mockReturnValue(mockNodeHandler),
+    getAuthConfig: vi.fn(),
  };

  beforeEach(async () => {
@@ -24,25 +50,239 @@ describe("AuthController", () => {
    }).compile();

    controller = module.get<AuthController>(AuthController);
-    authService = module.get<AuthService>(AuthService);

    vi.clearAllMocks();
+
+    // Restore mock implementations after clearAllMocks
+    mockAuthService.getNodeHandler.mockReturnValue(mockNodeHandler);
+    mockNodeHandler.mockResolvedValue(undefined);
  });

  describe("handleAuth", () => {
-    it("should call BetterAuth handler", async () => {
-      const mockHandler = vi.fn().mockResolvedValue({ status: 200 });
-      mockAuthService.getAuth.mockReturnValue({ handler: mockHandler });
-
+    it("should delegate to BetterAuth node handler with Express req/res", async () => {
      const mockRequest = {
        method: "GET",
        url: "/auth/session",
+        headers: {},
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(mockAuthService.getNodeHandler).toHaveBeenCalled();
+      expect(mockNodeHandler).toHaveBeenCalledWith(mockRequest, mockResponse);
+    });
+
+    it("should throw HttpException with 500 when handler throws before headers sent", async () => {
+      const handlerError = new Error("BetterAuth internal failure");
+      mockNodeHandler.mockRejectedValueOnce(handlerError);
+
+      const mockRequest = {
+        method: "POST",
+        url: "/auth/sign-in",
+        headers: {},
+        ip: "192.168.1.10",
+        socket: { remoteAddress: "192.168.1.10" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      try {
+        await controller.handleAuth(mockRequest, mockResponse);
+        // Should not reach here
+        expect.unreachable("Expected HttpException to be thrown");
+      } catch (err) {
+        expect(err).toBeInstanceOf(HttpException);
+        expect((err as HttpException).getStatus()).toBe(HttpStatus.INTERNAL_SERVER_ERROR);
+        expect((err as HttpException).getResponse()).toBe(
+          "Unable to complete authentication. Please try again in a moment."
+        );
+      }
+    });
+
+    it("should preserve better-call status and body for handler APIError", async () => {
+      const apiError = {
+        statusCode: HttpStatus.BAD_REQUEST,
+        message: "Invalid OAuth configuration",
+        body: {
+          message: "Invalid OAuth configuration",
+          code: "INVALID_OAUTH_CONFIGURATION",
+        },
+      };
+      mockNodeHandler.mockRejectedValueOnce(apiError);
+
+      const mockRequest = {
+        method: "POST",
+        url: "/auth/sign-in/oauth2",
+        headers: {},
+        ip: "192.168.1.10",
+        socket: { remoteAddress: "192.168.1.10" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      try {
+        await controller.handleAuth(mockRequest, mockResponse);
+        expect.unreachable("Expected HttpException to be thrown");
+      } catch (err) {
+        expect(err).toBeInstanceOf(HttpException);
+        expect((err as HttpException).getStatus()).toBe(HttpStatus.BAD_REQUEST);
+        expect((err as HttpException).getResponse()).toMatchObject({
+          message: "Invalid OAuth configuration",
+        });
+      }
+    });
+
+    it("should log warning and not throw when handler throws after headers sent", async () => {
+      const handlerError = new Error("Stream interrupted");
+      mockNodeHandler.mockRejectedValueOnce(handlerError);
+
+      const mockRequest = {
+        method: "POST",
+        url: "/auth/sign-up",
+        headers: {},
+        ip: "10.0.0.5",
+        socket: { remoteAddress: "10.0.0.5" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: true,
+      } as unknown as ExpressResponse;
+
+      // Should not throw when headers already sent
+      await expect(controller.handleAuth(mockRequest, mockResponse)).resolves.toBeUndefined();
+    });
+
+    it("should handle non-Error thrown values", async () => {
+      mockNodeHandler.mockRejectedValueOnce("string error");
+
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: {},
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(HttpException);
+    });
+  });
+
+  describe("getConfig", () => {
+    it("should return auth config from service", async () => {
+      const mockConfig = {
+        providers: [
+          { id: "email", name: "Email", type: "credentials" as const },
+          { id: "authentik", name: "Authentik", type: "oauth" as const },
+        ],
+      };
+      mockAuthService.getAuthConfig.mockResolvedValue(mockConfig);
+
+      const result = await controller.getConfig();
+
+      expect(result).toEqual(mockConfig);
+      expect(mockAuthService.getAuthConfig).toHaveBeenCalled();
+    });
+
+    it("should return correct response shape with only email provider", async () => {
+      const mockConfig = {
+        providers: [{ id: "email", name: "Email", type: "credentials" as const }],
+      };
+      mockAuthService.getAuthConfig.mockResolvedValue(mockConfig);
+
+      const result = await controller.getConfig();
+
+      expect(result).toEqual(mockConfig);
+      expect(result.providers).toHaveLength(1);
+      expect(result.providers[0]).toEqual({
+        id: "email",
+        name: "Email",
+        type: "credentials",
+      });
+    });
+
+    it("should never leak secrets in auth config response", async () => {
+      // Set ALL sensitive environment variables with known values
+      const sensitiveEnv: Record<string, string> = {
+        OIDC_CLIENT_SECRET: "test-client-secret",
+        OIDC_CLIENT_ID: "test-client-id",
+        OIDC_ISSUER: "https://auth.test.com/",
+        OIDC_REDIRECT_URI: "https://app.test.com/auth/oauth2/callback/authentik",
+        BETTER_AUTH_SECRET: "test-better-auth-secret",
+        JWT_SECRET: "test-jwt-secret",
+        CSRF_SECRET: "test-csrf-secret",
+        DATABASE_URL: "postgresql://user:password@localhost/db",
+        OIDC_ENABLED: "true",
      };

-      await controller.handleAuth(mockRequest as unknown as Request);
+      const originalEnv: Record<string, string | undefined> = {};
+      for (const [key, value] of Object.entries(sensitiveEnv)) {
+        originalEnv[key] = process.env[key];
+        process.env[key] = value;
+      }

-      expect(mockAuthService.getAuth).toHaveBeenCalled();
-      expect(mockHandler).toHaveBeenCalledWith(mockRequest);
+      try {
+        // Mock the service to return a realistic config with both providers
+        const mockConfig = {
+          providers: [
+            { id: "email", name: "Email", type: "credentials" as const },
+            { id: "authentik", name: "Authentik", type: "oauth" as const },
+          ],
+        };
+        mockAuthService.getAuthConfig.mockResolvedValue(mockConfig);
+
+        const result = await controller.getConfig();
+        const serialized = JSON.stringify(result);
+
+        // Assert no secret values leak into the serialized response
+        const forbiddenPatterns = [
+          "test-client-secret",
+          "test-client-id",
+          "test-better-auth-secret",
+          "test-jwt-secret",
+          "test-csrf-secret",
+          "auth.test.com",
+          "callback",
+          "password",
+        ];
+
+        for (const pattern of forbiddenPatterns) {
+          expect(serialized).not.toContain(pattern);
+        }
+
+        // Assert response contains ONLY expected fields
+        expect(result).toHaveProperty("providers");
+        expect(Object.keys(result)).toEqual(["providers"]);
+        expect(Array.isArray(result.providers)).toBe(true);
+
+        for (const provider of result.providers) {
+          const keys = Object.keys(provider);
+          expect(keys).toEqual(expect.arrayContaining(["id", "name", "type"]));
+          expect(keys).toHaveLength(3);
+        }
+      } finally {
+        // Restore original environment
+        for (const [key] of Object.entries(sensitiveEnv)) {
+          if (originalEnv[key] === undefined) {
+            delete process.env[key];
+          } else {
+            process.env[key] = originalEnv[key];
+          }
+        }
+      }
    });
  });

@@ -80,19 +320,22 @@ describe("AuthController", () => {
      expect(result).toEqual(expected);
    });

-    it("should throw error if user not found in request", () => {
+    it("should throw UnauthorizedException when req.user is undefined", () => {
      const mockRequest = {
        session: {
          id: "session-123",
          token: "session-token",
-          expiresAt: new Date(),
+          expiresAt: new Date(Date.now() + 86400000),
        },
      };

-      expect(() => controller.getSession(mockRequest)).toThrow("User session not found");
+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
+      expect(() => controller.getSession(mockRequest as never)).toThrow(
+        "Missing authentication context"
+      );
    });

-    it("should throw error if session not found in request", () => {
+    it("should throw UnauthorizedException when req.session is undefined", () => {
      const mockRequest = {
        user: {
          id: "user-123",
@@ -101,7 +344,19 @@ describe("AuthController", () => {
        },
      };

-      expect(() => controller.getSession(mockRequest)).toThrow("User session not found");
+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
+      expect(() => controller.getSession(mockRequest as never)).toThrow(
+        "Missing authentication context"
+      );
+    });
+
+    it("should throw UnauthorizedException when both req.user and req.session are undefined", () => {
+      const mockRequest = {};
+
+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
+      expect(() => controller.getSession(mockRequest as never)).toThrow(
+        "Missing authentication context"
+      );
    });
  });

@@ -153,4 +408,89 @@ describe("AuthController", () => {
      });
    });
  });
+
+  describe("getClientIp (via handleAuth)", () => {
+    it("should extract IP from X-Forwarded-For with single IP", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": "203.0.113.50" },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      // Spy on the logger to verify the extracted IP
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
+    });
+
+    it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": "203.0.113.50, 70.41.3.18" },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
+      // Ensure it does NOT contain the second IP in the extracted position
+      expect(debugSpy).toHaveBeenCalledWith(expect.not.stringContaining("70.41.3.18"));
+    });
+
+    it("should extract first IP from X-Forwarded-For as array", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: { "x-forwarded-for": ["203.0.113.50", "70.41.3.18"] },
+        ip: "127.0.0.1",
+        socket: { remoteAddress: "127.0.0.1" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
+    });
+
+    it("should fallback to req.ip when no X-Forwarded-For header", async () => {
+      const mockRequest = {
+        method: "GET",
+        url: "/auth/callback",
+        headers: {},
+        ip: "192.168.1.100",
+        socket: { remoteAddress: "192.168.1.100" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      const debugSpy = vi.spyOn(controller["logger"], "debug");
+
+      await controller.handleAuth(mockRequest, mockResponse);
+
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("192.168.1.100"));
+    });
+  });
 });
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -1,19 +1,25 @@
-import { Controller, All, Req, Get, UseGuards, Request, Logger } from "@nestjs/common";
+import {
+  Controller,
+  All,
+  Req,
+  Res,
+  Get,
+  Header,
+  UseGuards,
+  Request,
+  Logger,
+  HttpException,
+  HttpStatus,
+  UnauthorizedException,
+} from "@nestjs/common";
 import { Throttle } from "@nestjs/throttler";
-import type { AuthUser, AuthSession } from "@mosaic/shared";
+import type { Request as ExpressRequest, Response as ExpressResponse } from "express";
+import type { AuthUser, AuthSession, AuthConfigResponse } from "@mosaic/shared";
 import { AuthService } from "./auth.service";
 import { AuthGuard } from "./guards/auth.guard";
 import { CurrentUser } from "./decorators/current-user.decorator";
-
-interface RequestWithSession {
-  user?: AuthUser;
-  session?: {
-    id: string;
-    token: string;
-    expiresAt: Date;
-    [key: string]: unknown;
-  };
-}
+import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
+import type { AuthenticatedRequest } from "./types/better-auth-request.interface";

@Controller("auth")
 export class AuthController {
@@ -27,10 +33,13 @@ export class AuthController {
   */
  @Get("session")
  @UseGuards(AuthGuard)
-  getSession(@Request() req: RequestWithSession): AuthSession {
+  getSession(@Request() req: AuthenticatedRequest): AuthSession {
+    // Defense-in-depth: AuthGuard should guarantee these, but if someone adds
+    // a route with AuthenticatedRequest and forgets @UseGuards(AuthGuard),
+    // TypeScript types won't help at runtime.
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
    if (!req.user || !req.session) {
-      // This should never happen after AuthGuard, but TypeScript needs the check
-      throw new Error("User session not found");
+      throw new UnauthorizedException("Missing authentication context");
    }

    return {
@@ -76,6 +85,17 @@ export class AuthController {
    return profile;
  }

+  /**
+   * Get available authentication providers.
+   * Public endpoint (no auth guard) so the frontend can discover login options
+   * before the user is authenticated.
+   */
+  @Get("config")
+  @Header("Cache-Control", "public, max-age=300")
+  async getConfig(): Promise<AuthConfigResponse> {
+    return this.authService.getAuthConfig();
+  }
+
  /**
   * Handle all other auth routes (sign-in, sign-up, sign-out, etc.)
   * Delegates to BetterAuth
@@ -87,38 +107,102 @@ export class AuthController {
   * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
   */
  @All("*")
+  // BetterAuth handles CSRF internally (Fetch Metadata + SameSite=Lax cookies).
+  // @SkipCsrf avoids double-protection conflicts.
+  // See: https://www.better-auth.com/docs/reference/security
+  @SkipCsrf()
  @Throttle({ strict: { limit: 10, ttl: 60000 } })
-  async handleAuth(@Req() req: Request): Promise<unknown> {
+  async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {
    // Extract client IP for logging
    const clientIp = this.getClientIp(req);
-    const requestPath = (req as unknown as { url?: string }).url ?? "unknown";
-    const method = (req as unknown as { method?: string }).method ?? "UNKNOWN";

    // Log auth catch-all hits for monitoring and debugging
-    this.logger.debug(`Auth catch-all: ${method} ${requestPath} from ${clientIp}`);
+    this.logger.debug(`Auth catch-all: ${req.method} ${req.url} from ${clientIp}`);

-    const auth = this.authService.getAuth();
-    return auth.handler(req);
+    const handler = this.authService.getNodeHandler();
+
+    try {
+      await handler(req, res);
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      const stack = error instanceof Error ? error.stack : undefined;
+
+      this.logger.error(
+        `BetterAuth handler error: ${req.method} ${req.url} from ${clientIp} - ${message}`,
+        stack
+      );
+
+      if (!res.headersSent) {
+        const mappedError = this.mapToHttpException(error);
+        if (mappedError) {
+          throw mappedError;
+        }
+
+        throw new HttpException(
+          "Unable to complete authentication. Please try again in a moment.",
+          HttpStatus.INTERNAL_SERVER_ERROR
+        );
+      }
+
+      this.logger.error(
+        `Headers already sent for failed auth request ${req.method} ${req.url} — client may have received partial response`
+      );
+    }
  }

  /**
   * Extract client IP from request, handling proxies
   */
-  private getClientIp(req: Request): string {
-    const reqWithHeaders = req as unknown as {
-      headers?: Record<string, string | string[] | undefined>;
-      ip?: string;
-      socket?: { remoteAddress?: string };
-    };
-
+  private getClientIp(req: ExpressRequest): string {
    // Check X-Forwarded-For header (for reverse proxy setups)
-    const forwardedFor = reqWithHeaders.headers?.["x-forwarded-for"];
+    const forwardedFor = req.headers["x-forwarded-for"];
    if (forwardedFor) {
      const ips = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor;
      return ips?.split(",")[0]?.trim() ?? "unknown";
    }

    // Fall back to direct IP
-    return reqWithHeaders.ip ?? reqWithHeaders.socket?.remoteAddress ?? "unknown";
+    return req.ip ?? req.socket.remoteAddress ?? "unknown";
+  }
+
+  /**
+   * Preserve known HTTP errors from BetterAuth/better-call instead of converting
+   * every failure into a generic 500.
+   */
+  private mapToHttpException(error: unknown): HttpException | null {
+    if (error instanceof HttpException) {
+      return error;
+    }
+
+    if (!error || typeof error !== "object") {
+      return null;
+    }
+
+    const statusCode = "statusCode" in error ? error.statusCode : undefined;
+    if (!this.isHttpStatus(statusCode)) {
+      return null;
+    }
+
+    const responseBody = "body" in error && error.body !== undefined ? error.body : undefined;
+    if (
+      responseBody !== undefined &&
+      responseBody !== null &&
+      (typeof responseBody === "string" || typeof responseBody === "object")
+    ) {
+      return new HttpException(responseBody, statusCode);
+    }
+
+    const message =
+      "message" in error && typeof error.message === "string" && error.message.length > 0
+        ? error.message
+        : "Authentication request failed";
+    return new HttpException(message, statusCode);
+  }
+
+  private isHttpStatus(value: unknown): value is number {
+    if (typeof value !== "number" || !Number.isInteger(value)) {
+      return false;
+    }
+    return value >= 400 && value <= 599;
  }
 }
--- a/apps/api/src/auth/auth.rate-limit.spec.ts
+++ b/apps/api/src/auth/auth.rate-limit.spec.ts
@@ -23,10 +23,17 @@ describe("AuthController - Rate Limiting", () => {
  let app: INestApplication;
  let loggerSpy: ReturnType<typeof vi.spyOn>;

+  const mockNodeHandler = vi.fn(
+    (_req: unknown, res: { statusCode: number; end: (body: string) => void }) => {
+      res.statusCode = 200;
+      res.end(JSON.stringify({}));
+      return Promise.resolve();
+    }
+  );
+
  const mockAuthService = {
-    getAuth: vi.fn().mockReturnValue({
-      handler: vi.fn().mockResolvedValue({ status: 200, body: {} }),
-    }),
+    getAuth: vi.fn(),
+    getNodeHandler: vi.fn().mockReturnValue(mockNodeHandler),
  };

  beforeEach(async () => {
@@ -76,7 +83,7 @@ describe("AuthController - Rate Limiting", () => {
        expect(response.status).not.toBe(HttpStatus.TOO_MANY_REQUESTS);
      }

-      expect(mockAuthService.getAuth).toHaveBeenCalledTimes(3);
+      expect(mockAuthService.getNodeHandler).toHaveBeenCalledTimes(3);
    });

    it("should return 429 when rate limit is exceeded", async () => {
--- a/apps/api/src/auth/auth.service.spec.ts
+++ b/apps/api/src/auth/auth.service.spec.ts
@@ -1,5 +1,26 @@
-import { describe, it, expect, beforeEach, vi } from "vitest";
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { Test, TestingModule } from "@nestjs/testing";
+
+// Mock better-auth modules before importing AuthService
+vi.mock("better-auth/node", () => ({
+  toNodeHandler: vi.fn().mockReturnValue(vi.fn()),
+}));
+
+vi.mock("better-auth", () => ({
+  betterAuth: vi.fn().mockReturnValue({
+    handler: vi.fn(),
+    api: { getSession: vi.fn() },
+  }),
+}));
+
+vi.mock("better-auth/adapters/prisma", () => ({
+  prismaAdapter: vi.fn().mockReturnValue({}),
+}));
+
+vi.mock("better-auth/plugins", () => ({
+  genericOAuth: vi.fn().mockReturnValue({ id: "generic-oauth" }),
+}));
+
 import { AuthService } from "./auth.service";
 import { PrismaService } from "../prisma/prisma.service";

@@ -30,6 +51,12 @@ describe("AuthService", () => {
    vi.clearAllMocks();
  });

+  afterEach(() => {
+    vi.restoreAllMocks();
+    delete process.env.OIDC_ENABLED;
+    delete process.env.OIDC_ISSUER;
+  });
+
  describe("getAuth", () => {
    it("should return BetterAuth instance", () => {
      const auth = service.getAuth();
@@ -62,6 +89,23 @@ describe("AuthService", () => {
        },
      });
    });
+
+    it("should return null when user is not found", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      const result = await service.getUserById("nonexistent-id");
+
+      expect(result).toBeNull();
+      expect(mockPrismaService.user.findUnique).toHaveBeenCalledWith({
+        where: { id: "nonexistent-id" },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          authProviderId: true,
+        },
+      });
+    });
  });

  describe("getUserByEmail", () => {
@@ -88,6 +132,269 @@ describe("AuthService", () => {
        },
      });
    });
+
+    it("should return null when user is not found", async () => {
+      mockPrismaService.user.findUnique.mockResolvedValue(null);
+
+      const result = await service.getUserByEmail("unknown@example.com");
+
+      expect(result).toBeNull();
+      expect(mockPrismaService.user.findUnique).toHaveBeenCalledWith({
+        where: { email: "unknown@example.com" },
+        select: {
+          id: true,
+          email: true,
+          name: true,
+          authProviderId: true,
+        },
+      });
+    });
+  });
+
+  describe("isOidcProviderReachable", () => {
+    const discoveryUrl = "https://auth.example.com/.well-known/openid-configuration";
+
+    beforeEach(() => {
+      process.env.OIDC_ISSUER = "https://auth.example.com/";
+      // Reset the cache by accessing private fields via bracket notation
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthResult = false;
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).consecutiveHealthFailures = 0;
+    });
+
+    it("should return true when discovery URL returns 200", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        status: 200,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.isOidcProviderReachable();
+
+      expect(result).toBe(true);
+      expect(mockFetch).toHaveBeenCalledWith(discoveryUrl, {
+        signal: expect.any(AbortSignal) as AbortSignal,
+      });
+    });
+
+    it("should return false on network error", async () => {
+      const mockFetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.isOidcProviderReachable();
+
+      expect(result).toBe(false);
+    });
+
+    it("should return false on timeout", async () => {
+      const mockFetch = vi.fn().mockRejectedValue(new DOMException("The operation was aborted"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.isOidcProviderReachable();
+
+      expect(result).toBe(false);
+    });
+
+    it("should return false when discovery URL returns non-200", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 503,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.isOidcProviderReachable();
+
+      expect(result).toBe(false);
+    });
+
+    it("should cache result for 30 seconds", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        status: 200,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      // First call - fetches
+      const result1 = await service.isOidcProviderReachable();
+      expect(result1).toBe(true);
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+
+      // Second call within 30s - uses cache
+      const result2 = await service.isOidcProviderReachable();
+      expect(result2).toBe(true);
+      expect(mockFetch).toHaveBeenCalledTimes(1); // Still 1, no new fetch
+
+      // Simulate cache expiry by moving lastHealthCheck back
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = Date.now() - 31_000;
+
+      // Third call after cache expiry - fetches again
+      const result3 = await service.isOidcProviderReachable();
+      expect(result3).toBe(true);
+      expect(mockFetch).toHaveBeenCalledTimes(2); // Now 2
+    });
+
+    it("should cache false results too", async () => {
+      const mockFetch = vi
+        .fn()
+        .mockRejectedValueOnce(new Error("ECONNREFUSED"))
+        .mockResolvedValueOnce({ ok: true, status: 200 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      // First call - fails
+      const result1 = await service.isOidcProviderReachable();
+      expect(result1).toBe(false);
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+
+      // Second call within 30s - returns cached false
+      const result2 = await service.isOidcProviderReachable();
+      expect(result2).toBe(false);
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+    });
+
+    it("should escalate to error level after 3 consecutive failures", async () => {
+      const mockFetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const loggerWarn = vi.spyOn(service["logger"], "warn");
+      const loggerError = vi.spyOn(service["logger"], "error");
+
+      // Failures 1 and 2 should log at warn level
+      await service.isOidcProviderReachable();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0; // Reset cache
+      await service.isOidcProviderReachable();
+
+      expect(loggerWarn).toHaveBeenCalledTimes(2);
+      expect(loggerError).not.toHaveBeenCalled();
+
+      // Failure 3 should escalate to error level
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+      await service.isOidcProviderReachable();
+
+      expect(loggerError).toHaveBeenCalledTimes(1);
+      expect(loggerError).toHaveBeenCalledWith(
+        expect.stringContaining("OIDC provider unreachable")
+      );
+    });
+
+    it("should escalate to error level after 3 consecutive non-OK responses", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({ ok: false, status: 503 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const loggerWarn = vi.spyOn(service["logger"], "warn");
+      const loggerError = vi.spyOn(service["logger"], "error");
+
+      // Failures 1 and 2 at warn level
+      await service.isOidcProviderReachable();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+      await service.isOidcProviderReachable();
+
+      expect(loggerWarn).toHaveBeenCalledTimes(2);
+      expect(loggerError).not.toHaveBeenCalled();
+
+      // Failure 3 at error level
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+      await service.isOidcProviderReachable();
+
+      expect(loggerError).toHaveBeenCalledTimes(1);
+      expect(loggerError).toHaveBeenCalledWith(
+        expect.stringContaining("OIDC provider returned non-OK status")
+      );
+    });
+
+    it("should reset failure counter and log recovery on success after failures", async () => {
+      const mockFetch = vi
+        .fn()
+        .mockRejectedValueOnce(new Error("ECONNREFUSED"))
+        .mockRejectedValueOnce(new Error("ECONNREFUSED"))
+        .mockResolvedValueOnce({ ok: true, status: 200 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const loggerLog = vi.spyOn(service["logger"], "log");
+
+      // Two failures
+      await service.isOidcProviderReachable();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+      await service.isOidcProviderReachable();
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+
+      // Recovery
+      const result = await service.isOidcProviderReachable();
+
+      expect(result).toBe(true);
+      expect(loggerLog).toHaveBeenCalledWith(
+        expect.stringContaining("OIDC provider recovered after 2 consecutive failure(s)")
+      );
+      // Verify counter reset
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      expect((service as any).consecutiveHealthFailures).toBe(0);
+    });
+  });
+
+  describe("getAuthConfig", () => {
+    it("should return only email provider when OIDC is disabled", async () => {
+      delete process.env.OIDC_ENABLED;
+
+      const result = await service.getAuthConfig();
+
+      expect(result).toEqual({
+        providers: [{ id: "email", name: "Email", type: "credentials" }],
+      });
+    });
+
+    it("should return both email and authentik providers when OIDC is enabled and reachable", async () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_ISSUER = "https://auth.example.com/";
+
+      const mockFetch = vi.fn().mockResolvedValue({ ok: true, status: 200 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.getAuthConfig();
+
+      expect(result).toEqual({
+        providers: [
+          { id: "email", name: "Email", type: "credentials" },
+          { id: "authentik", name: "Authentik", type: "oauth" },
+        ],
+      });
+    });
+
+    it("should return only email provider when OIDC_ENABLED is false", async () => {
+      process.env.OIDC_ENABLED = "false";
+
+      const result = await service.getAuthConfig();
+
+      expect(result).toEqual({
+        providers: [{ id: "email", name: "Email", type: "credentials" }],
+      });
+    });
+
+    it("should omit authentik when OIDC is enabled but provider is unreachable", async () => {
+      process.env.OIDC_ENABLED = "true";
+      process.env.OIDC_ISSUER = "https://auth.example.com/";
+
+      // Reset cache
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (service as any).lastHealthCheck = 0;
+
+      const mockFetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const result = await service.getAuthConfig();
+
+      expect(result).toEqual({
+        providers: [{ id: "email", name: "Email", type: "credentials" }],
+      });
+    });
  });

  describe("verifySession", () => {
@@ -103,7 +410,7 @@ describe("AuthService", () => {
      },
    };

-    it("should return session data for valid token", async () => {
+    it("should validate session token using secure BetterAuth cookie header", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
      auth.api = { getSession: mockGetSession } as any;
@@ -111,7 +418,58 @@ describe("AuthService", () => {
      const result = await service.verifySession("valid-token");

      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenCalledTimes(1);
      expect(mockGetSession).toHaveBeenCalledWith({
+        headers: {
+          cookie: "__Secure-better-auth.session_token=valid-token",
+        },
+      });
+    });
+
+    it("should preserve raw cookie token value without URL re-encoding", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("tok/with+=chars=");
+
+      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenCalledWith({
+        headers: {
+          cookie: "__Secure-better-auth.session_token=tok/with+=chars=",
+        },
+      });
+    });
+
+    it("should fall back to Authorization header when cookie-based lookups miss", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi
+        .fn()
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(mockSessionData);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("valid-token");
+
+      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenNthCalledWith(1, {
+        headers: {
+          cookie: "__Secure-better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(2, {
+        headers: {
+          cookie: "better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(3, {
+        headers: {
+          cookie: "__Host-better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(4, {
        headers: {
          authorization: "Bearer valid-token",
        },
@@ -128,14 +486,264 @@ describe("AuthService", () => {
      expect(result).toBeNull();
    });

-    it("should return null and log error on verification failure", async () => {
+    it("should return null for 'invalid token' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Invalid token provided"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("bad-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for 'expired' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Token expired"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("expired-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for 'session not found' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Session not found"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("missing-session");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for 'unauthorized' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Unauthorized"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("unauth-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for 'invalid session' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Invalid session"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("invalid-session");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for 'session expired' auth error", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Session expired"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("expired-session");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for bare 'unauthorized' (exact match)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("unauthorized"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("unauth-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null for bare 'expired' (exact match)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("expired"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("expired-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should re-throw 'certificate has expired' as infrastructure error (not auth)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("certificate has expired"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      await expect(service.verifySession("any-token")).rejects.toThrow("certificate has expired");
+    });
+
+    it("should re-throw 'Unauthorized: Access denied for user' as infrastructure error (not auth)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi
+        .fn()
+        .mockRejectedValue(new Error("Unauthorized: Access denied for user"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      await expect(service.verifySession("any-token")).rejects.toThrow(
+        "Unauthorized: Access denied for user"
+      );
+    });
+
+    it("should return null when a non-Error value is thrown", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue("string-error");
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("any-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null when getSession throws a non-Error value (string)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue("some error");
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("any-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null when getSession throws a non-Error value (object)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue({ code: "ERR_UNKNOWN" });
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("any-token");
+
+      expect(result).toBeNull();
+    });
+
+    it("should re-throw unexpected errors that are not known auth errors", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi.fn().mockRejectedValue(new Error("Verification failed"));
      auth.api = { getSession: mockGetSession } as any;

-      const result = await service.verifySession("error-token");
+      await expect(service.verifySession("error-token")).rejects.toThrow("Verification failed");
+    });
+
+    it("should re-throw Prisma infrastructure errors", async () => {
+      const auth = service.getAuth();
+      const prismaError = new Error("connect ECONNREFUSED 127.0.0.1:5432");
+      const mockGetSession = vi.fn().mockRejectedValue(prismaError);
+      auth.api = { getSession: mockGetSession } as any;
+
+      await expect(service.verifySession("any-token")).rejects.toThrow("ECONNREFUSED");
+    });
+
+    it("should re-throw timeout errors as infrastructure errors", async () => {
+      const auth = service.getAuth();
+      const timeoutError = new Error("Connection timeout after 5000ms");
+      const mockGetSession = vi.fn().mockRejectedValue(timeoutError);
+      auth.api = { getSession: mockGetSession } as any;
+
+      await expect(service.verifySession("any-token")).rejects.toThrow("timeout");
+    });
+
+    it("should re-throw errors with Prisma-prefixed constructor name", async () => {
+      const auth = service.getAuth();
+      class PrismaClientKnownRequestError extends Error {
+        constructor(message: string) {
+          super(message);
+          this.name = "PrismaClientKnownRequestError";
+        }
+      }
+      const prismaError = new PrismaClientKnownRequestError("Database connection lost");
+      const mockGetSession = vi.fn().mockRejectedValue(prismaError);
+      auth.api = { getSession: mockGetSession } as any;
+
+      await expect(service.verifySession("any-token")).rejects.toThrow("Database connection lost");
+    });
+
+    it("should redact Bearer tokens from logged error messages", async () => {
+      const auth = service.getAuth();
+      const errorWithToken = new Error(
+        "Request failed: Bearer eyJhbGciOiJIUzI1NiJ9.secret-payload in header"
+      );
+      const mockGetSession = vi.fn().mockRejectedValue(errorWithToken);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const loggerError = vi.spyOn(service["logger"], "error");
+
+      await expect(service.verifySession("any-token")).rejects.toThrow();
+
+      expect(loggerError).toHaveBeenCalledWith(
+        "Session verification failed due to unexpected error",
+        expect.stringContaining("Bearer [REDACTED]")
+      );
+      expect(loggerError).toHaveBeenCalledWith(
+        "Session verification failed due to unexpected error",
+        expect.not.stringContaining("eyJhbGciOiJIUzI1NiJ9")
+      );
+    });
+
+    it("should redact Bearer tokens from error stack traces", async () => {
+      const auth = service.getAuth();
+      const errorWithToken = new Error("Something went wrong");
+      errorWithToken.stack =
+        "Error: Something went wrong\n    at fetch (Bearer abc123-secret-token)\n    at verifySession";
+      const mockGetSession = vi.fn().mockRejectedValue(errorWithToken);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const loggerError = vi.spyOn(service["logger"], "error");
+
+      await expect(service.verifySession("any-token")).rejects.toThrow();
+
+      expect(loggerError).toHaveBeenCalledWith(
+        "Session verification failed due to unexpected error",
+        expect.stringContaining("Bearer [REDACTED]")
+      );
+      expect(loggerError).toHaveBeenCalledWith(
+        "Session verification failed due to unexpected error",
+        expect.not.stringContaining("abc123-secret-token")
+      );
+    });
+
+    it("should warn when a non-Error string value is thrown", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue("string-error");
+      auth.api = { getSession: mockGetSession } as any;
+
+      const loggerWarn = vi.spyOn(service["logger"], "warn");
+
+      const result = await service.verifySession("any-token");

      expect(result).toBeNull();
+      expect(loggerWarn).toHaveBeenCalledWith(
+        "Session verification received non-Error thrown value",
+        "string-error"
+      );
+    });
+
+    it("should warn with JSON when a non-Error object is thrown", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue({ code: "ERR_UNKNOWN" });
+      auth.api = { getSession: mockGetSession } as any;
+
+      const loggerWarn = vi.spyOn(service["logger"], "warn");
+
+      const result = await service.verifySession("any-token");
+
+      expect(result).toBeNull();
+      expect(loggerWarn).toHaveBeenCalledWith(
+        "Session verification received non-Error thrown value",
+        JSON.stringify({ code: "ERR_UNKNOWN" })
+      );
+    });
+
+    it("should not warn for expected auth errors (Error instances)", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("Invalid token provided"));
+      auth.api = { getSession: mockGetSession } as any;
+
+      const loggerWarn = vi.spyOn(service["logger"], "warn");
+
+      const result = await service.verifySession("bad-token");
+
+      expect(result).toBeNull();
+      expect(loggerWarn).not.toHaveBeenCalled();
    });
  });
 });
--- a/apps/api/src/auth/auth.service.ts
+++ b/apps/api/src/auth/auth.service.ts
@@ -1,17 +1,49 @@
 import { Injectable, Logger } from "@nestjs/common";
 import type { PrismaClient } from "@prisma/client";
+import type { IncomingMessage, ServerResponse } from "http";
+import { toNodeHandler } from "better-auth/node";
+import type { AuthConfigResponse, AuthProviderConfig } from "@mosaic/shared";
 import { PrismaService } from "../prisma/prisma.service";
-import { createAuth, type Auth } from "./auth.config";
+import { createAuth, isOidcEnabled, type Auth } from "./auth.config";
+
+/** Duration in milliseconds to cache the OIDC health check result */
+const OIDC_HEALTH_CACHE_TTL_MS = 30_000;
+
+/** Timeout in milliseconds for the OIDC discovery URL fetch */
+const OIDC_HEALTH_TIMEOUT_MS = 2_000;
+
+/** Number of consecutive health-check failures before escalating to error level */
+const HEALTH_ESCALATION_THRESHOLD = 3;
+
+/** Verified session shape returned by BetterAuth's getSession */
+interface VerifiedSession {
+  user: Record<string, unknown>;
+  session: Record<string, unknown>;
+}
+
+interface SessionHeaderCandidate {
+  headers: Record<string, string>;
+}

@Injectable()
 export class AuthService {
  private readonly logger = new Logger(AuthService.name);
  private readonly auth: Auth;
+  private readonly nodeHandler: (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+
+  /** Timestamp of the last OIDC health check */
+  private lastHealthCheck = 0;
+  /** Cached result of the last OIDC health check */
+  private lastHealthResult = false;
+  /** Consecutive OIDC health check failure count for log-level escalation */
+  private consecutiveHealthFailures = 0;

  constructor(private readonly prisma: PrismaService) {
    // PrismaService extends PrismaClient and is compatible with BetterAuth's adapter
    // Cast is safe as PrismaService provides all required PrismaClient methods
+    // TODO(#411): BetterAuth returns opaque types — replace when upstream exports typed interfaces
    this.auth = createAuth(this.prisma as unknown as PrismaClient);
+    this.nodeHandler = toNodeHandler(this.auth);
  }

  /**
@@ -21,6 +53,14 @@ export class AuthService {
    return this.auth;
  }

+  /**
+   * Get Node.js-compatible request handler for BetterAuth.
+   * Wraps BetterAuth's Web API handler to work with Express/Node.js req/res.
+   */
+  getNodeHandler(): (req: IncomingMessage, res: ServerResponse) => Promise<void> {
+    return this.nodeHandler;
+  }
+
  /**
   * Get user by ID
   */
@@ -63,32 +103,159 @@ export class AuthService {

  /**
   * Verify session token
-   * Returns session data if valid, null if invalid or expired
+   * Returns session data if valid, null if invalid or expired.
+   * Only known-safe auth errors return null; everything else propagates as 500.
   */
-  async verifySession(
-    token: string
-  ): Promise<{ user: Record<string, unknown>; session: Record<string, unknown> } | null> {
-    try {
-      const session = await this.auth.api.getSession({
+  async verifySession(token: string): Promise<VerifiedSession | null> {
+    let sawNonError = false;
+
+    for (const candidate of this.buildSessionHeaderCandidates(token)) {
+      try {
+        // TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
+        const session = await this.auth.api.getSession(candidate);
+
+        if (!session) {
+          continue;
+        }
+
+        return {
+          user: session.user as Record<string, unknown>,
+          session: session.session as Record<string, unknown>,
+        };
+      } catch (error: unknown) {
+        if (error instanceof Error) {
+          if (this.isExpectedAuthError(error.message)) {
+            continue;
+          }
+
+          // Infrastructure or unexpected — propagate as 500
+          const safeMessage = (error.stack ?? error.message).replace(
+            /Bearer\s+\S+/gi,
+            "Bearer [REDACTED]"
+          );
+          this.logger.error("Session verification failed due to unexpected error", safeMessage);
+          throw error;
+        }
+
+        // Non-Error thrown values — log once for observability, treat as auth failure
+        if (!sawNonError) {
+          const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
+          this.logger.warn("Session verification received non-Error thrown value", errorDetail);
+          sawNonError = true;
+        }
+      }
+    }
+
+    return null;
+  }
+
+  private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
+    return [
+      {
+        headers: {
+          cookie: `__Secure-better-auth.session_token=${token}`,
+        },
+      },
+      {
+        headers: {
+          cookie: `better-auth.session_token=${token}`,
+        },
+      },
+      {
+        headers: {
+          cookie: `__Host-better-auth.session_token=${token}`,
+        },
+      },
+      {
        headers: {
          authorization: `Bearer ${token}`,
        },
+      },
+    ];
+  }
+
+  private isExpectedAuthError(message: string): boolean {
+    const normalized = message.toLowerCase();
+    return (
+      normalized.includes("invalid token") ||
+      normalized.includes("token expired") ||
+      normalized.includes("session expired") ||
+      normalized.includes("session not found") ||
+      normalized.includes("invalid session") ||
+      normalized === "unauthorized" ||
+      normalized === "expired"
+    );
+  }
+
+  /**
+   * Check if the OIDC provider (Authentik) is reachable by fetching the discovery URL.
+   * Results are cached for 30 seconds to prevent repeated network calls.
+   *
+   * @returns true if the provider responds with an HTTP 2xx status, false otherwise
+   */
+  async isOidcProviderReachable(): Promise<boolean> {
+    const now = Date.now();
+
+    // Return cached result if still valid
+    if (now - this.lastHealthCheck < OIDC_HEALTH_CACHE_TTL_MS) {
+      this.logger.debug("OIDC health check: returning cached result");
+      return this.lastHealthResult;
+    }
+
+    const discoveryUrl = `${process.env.OIDC_ISSUER ?? ""}.well-known/openid-configuration`;
+    this.logger.debug(`OIDC health check: fetching ${discoveryUrl}`);
+
+    try {
+      const response = await fetch(discoveryUrl, {
+        signal: AbortSignal.timeout(OIDC_HEALTH_TIMEOUT_MS),
      });

-      if (!session) {
-        return null;
+      this.lastHealthCheck = Date.now();
+      this.lastHealthResult = response.ok;
+
+      if (response.ok) {
+        if (this.consecutiveHealthFailures > 0) {
+          this.logger.log(
+            `OIDC provider recovered after ${String(this.consecutiveHealthFailures)} consecutive failure(s)`
+          );
+        }
+        this.consecutiveHealthFailures = 0;
+      } else {
+        this.consecutiveHealthFailures++;
+        const logLevel =
+          this.consecutiveHealthFailures >= HEALTH_ESCALATION_THRESHOLD ? "error" : "warn";
+        this.logger[logLevel](
+          `OIDC provider returned non-OK status: ${String(response.status)} from ${discoveryUrl}`
+        );
      }

-      return {
-        user: session.user as Record<string, unknown>,
-        session: session.session as Record<string, unknown>,
-      };
-    } catch (error) {
-      this.logger.error(
-        "Session verification failed",
-        error instanceof Error ? error.message : "Unknown error"
-      );
-      return null;
+      return this.lastHealthResult;
+    } catch (error: unknown) {
+      this.lastHealthCheck = Date.now();
+      this.lastHealthResult = false;
+      this.consecutiveHealthFailures++;
+
+      const message = error instanceof Error ? error.message : String(error);
+      const logLevel =
+        this.consecutiveHealthFailures >= HEALTH_ESCALATION_THRESHOLD ? "error" : "warn";
+      this.logger[logLevel](`OIDC provider unreachable at ${discoveryUrl}: ${message}`);
+
+      return false;
    }
  }
+
+  /**
+   * Get authentication configuration for the frontend.
+   * Returns available auth providers so the UI can render login options dynamically.
+   * When OIDC is enabled, performs a health check to verify the provider is reachable.
+   */
+  async getAuthConfig(): Promise<AuthConfigResponse> {
+    const providers: AuthProviderConfig[] = [{ id: "email", name: "Email", type: "credentials" }];
+
+    if (isOidcEnabled() && (await this.isOidcProviderReachable())) {
+      providers.push({ id: "authentik", name: "Authentik", type: "oauth" });
+    }
+
+    return { providers };
+  }
 }
--- a/apps/api/src/auth/decorators/current-user.decorator.ts
+++ b/apps/api/src/auth/decorators/current-user.decorator.ts
@@ -1,14 +1,13 @@
 import type { ExecutionContext } from "@nestjs/common";
 import { createParamDecorator, UnauthorizedException } from "@nestjs/common";
 import type { AuthUser } from "@mosaic/shared";
-
-interface RequestWithUser {
-  user?: AuthUser;
-}
+import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface";

 export const CurrentUser = createParamDecorator(
  (_data: unknown, ctx: ExecutionContext): AuthUser => {
-    const request = ctx.switchToHttp().getRequest<RequestWithUser>();
+    // Use MaybeAuthenticatedRequest because the decorator doesn't know
+    // whether AuthGuard ran — the null check provides defense-in-depth.
+    const request = ctx.switchToHttp().getRequest<MaybeAuthenticatedRequest>();
    if (!request.user) {
      throw new UnauthorizedException("No authenticated user found on request");
    }
--- a/apps/api/src/auth/guards/auth.guard.spec.ts
+++ b/apps/api/src/auth/guards/auth.guard.spec.ts
@@ -1,30 +1,39 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
-import { Test, TestingModule } from "@nestjs/testing";
 import { ExecutionContext, UnauthorizedException } from "@nestjs/common";
+
+// Mock better-auth modules before importing AuthGuard (which imports AuthService)
+vi.mock("better-auth/node", () => ({
+  toNodeHandler: vi.fn().mockReturnValue(vi.fn()),
+}));
+
+vi.mock("better-auth", () => ({
+  betterAuth: vi.fn().mockReturnValue({
+    handler: vi.fn(),
+    api: { getSession: vi.fn() },
+  }),
+}));
+
+vi.mock("better-auth/adapters/prisma", () => ({
+  prismaAdapter: vi.fn().mockReturnValue({}),
+}));
+
+vi.mock("better-auth/plugins", () => ({
+  genericOAuth: vi.fn().mockReturnValue({ id: "generic-oauth" }),
+}));
+
 import { AuthGuard } from "./auth.guard";
-import { AuthService } from "../auth.service";
+import type { AuthService } from "../auth.service";

 describe("AuthGuard", () => {
  let guard: AuthGuard;
-  let authService: AuthService;

  const mockAuthService = {
    verifySession: vi.fn(),
  };

-  beforeEach(async () => {
-    const module: TestingModule = await Test.createTestingModule({
-      providers: [
-        AuthGuard,
-        {
-          provide: AuthService,
-          useValue: mockAuthService,
-        },
-      ],
-    }).compile();
-
-    guard = module.get<AuthGuard>(AuthGuard);
-    authService = module.get<AuthService>(AuthService);
+  beforeEach(() => {
+    // Directly construct the guard with the mock to avoid NestJS DI issues
+    guard = new AuthGuard(mockAuthService as unknown as AuthService);

    vi.clearAllMocks();
  });
@@ -147,17 +156,134 @@ describe("AuthGuard", () => {
        );
      });

-      it("should throw UnauthorizedException if session verification fails", async () => {
-        mockAuthService.verifySession.mockRejectedValue(new Error("Verification failed"));
+      it("should propagate non-auth errors as-is (not wrap as 401)", async () => {
+        const infraError = new Error("connect ECONNREFUSED 127.0.0.1:5432");
+        mockAuthService.verifySession.mockRejectedValue(infraError);

        const context = createMockExecutionContext({
          authorization: "Bearer error-token",
        });

-        await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
-        await expect(guard.canActivate(context)).rejects.toThrow("Authentication failed");
+        await expect(guard.canActivate(context)).rejects.toThrow(infraError);
+        await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(UnauthorizedException);
      });

+      it("should propagate database errors so GlobalExceptionFilter returns 500", async () => {
+        const dbError = new Error("PrismaClientKnownRequestError: Connection refused");
+        mockAuthService.verifySession.mockRejectedValue(dbError);
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(dbError);
+        await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(UnauthorizedException);
+      });
+
+      it("should propagate timeout errors so GlobalExceptionFilter returns 503", async () => {
+        const timeoutError = new Error("Connection timeout after 5000ms");
+        mockAuthService.verifySession.mockRejectedValue(timeoutError);
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(timeoutError);
+        await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(UnauthorizedException);
+      });
+    });
+
+    describe("user data validation", () => {
+      const mockSession = {
+        id: "session-123",
+        token: "session-token",
+        expiresAt: new Date(Date.now() + 86400000),
+      };
+
+      it("should throw UnauthorizedException when user is missing id", async () => {
+        mockAuthService.verifySession.mockResolvedValue({
+          user: { email: "a@b.com", name: "Test" },
+          session: mockSession,
+        });
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
+        await expect(guard.canActivate(context)).rejects.toThrow(
+          "Invalid user data in session"
+        );
+      });
+
+      it("should throw UnauthorizedException when user is missing email", async () => {
+        mockAuthService.verifySession.mockResolvedValue({
+          user: { id: "1", name: "Test" },
+          session: mockSession,
+        });
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
+        await expect(guard.canActivate(context)).rejects.toThrow(
+          "Invalid user data in session"
+        );
+      });
+
+      it("should throw UnauthorizedException when user is missing name", async () => {
+        mockAuthService.verifySession.mockResolvedValue({
+          user: { id: "1", email: "a@b.com" },
+          session: mockSession,
+        });
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
+        await expect(guard.canActivate(context)).rejects.toThrow(
+          "Invalid user data in session"
+        );
+      });
+
+      it("should throw UnauthorizedException when user is a string", async () => {
+        mockAuthService.verifySession.mockResolvedValue({
+          user: "not-an-object",
+          session: mockSession,
+        });
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
+        await expect(guard.canActivate(context)).rejects.toThrow(
+          "Invalid user data in session"
+        );
+      });
+
+      it("should reject when user is null (typeof null === 'object' causes TypeError on 'in' operator)", async () => {
+        // Note: typeof null === "object" in JS, so the guard's typeof check passes
+        // but "id" in null throws TypeError. The catch block propagates non-auth errors as-is.
+        mockAuthService.verifySession.mockResolvedValue({
+          user: null,
+          session: mockSession,
+        });
+
+        const context = createMockExecutionContext({
+          authorization: "Bearer valid-token",
+        });
+
+        await expect(guard.canActivate(context)).rejects.toThrow(TypeError);
+        await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(
+          UnauthorizedException
+        );
+      });
+    });
+
+    describe("request attachment", () => {
      it("should attach user and session to request on success", async () => {
        mockAuthService.verifySession.mockResolvedValue(mockSessionData);

--- a/apps/api/src/auth/guards/auth.guard.ts
+++ b/apps/api/src/auth/guards/auth.guard.ts
@@ -1,23 +1,22 @@
-import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from "@nestjs/common";
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  UnauthorizedException,
+  Logger,
+} from "@nestjs/common";
 import { AuthService } from "../auth.service";
 import type { AuthUser } from "@mosaic/shared";
-
-/**
- * Request type with authentication context
- */
-interface AuthRequest {
-  user?: AuthUser;
-  session?: Record<string, unknown>;
-  headers: Record<string, string | string[] | undefined>;
-  cookies?: Record<string, string>;
-}
+import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface";

@Injectable()
 export class AuthGuard implements CanActivate {
+  private readonly logger = new Logger(AuthGuard.name);
+
  constructor(private readonly authService: AuthService) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
-    const request = context.switchToHttp().getRequest<AuthRequest>();
+    const request = context.switchToHttp().getRequest<MaybeAuthenticatedRequest>();

    // Try to get token from either cookie (preferred) or Authorization header
    const token = this.extractToken(request);
@@ -44,18 +43,19 @@ export class AuthGuard implements CanActivate {

      return true;
    } catch (error) {
-      // Re-throw if it's already an UnauthorizedException
      if (error instanceof UnauthorizedException) {
        throw error;
      }
-      throw new UnauthorizedException("Authentication failed");
+      // Infrastructure errors (DB down, connection refused, timeouts) must propagate
+      // as 500/503 via GlobalExceptionFilter — never mask as 401
+      throw error;
    }
  }

  /**
   * Extract token from cookie (preferred) or Authorization header
   */
-  private extractToken(request: AuthRequest): string | undefined {
+  private extractToken(request: MaybeAuthenticatedRequest): string | undefined {
    // Try cookie first (BetterAuth default)
    const cookieToken = this.extractTokenFromCookie(request);
    if (cookieToken) {
@@ -67,21 +67,39 @@ export class AuthGuard implements CanActivate {
  }

  /**
-   * Extract token from cookie (BetterAuth stores session token in better-auth.session_token cookie)
+   * Extract token from cookie.
+   * BetterAuth may prefix the cookie name with "__Secure-" when running on HTTPS.
   */
-  private extractTokenFromCookie(request: AuthRequest): string | undefined {
-    if (!request.cookies) {
+  private extractTokenFromCookie(request: MaybeAuthenticatedRequest): string | undefined {
+    // Express types `cookies` as `any`; cast to a known shape for type safety.
+    const cookies = request.cookies as Record<string, string> | undefined;
+    if (!cookies) {
      return undefined;
    }

-    // BetterAuth uses 'better-auth.session_token' as the cookie name by default
-    return request.cookies["better-auth.session_token"];
+    // BetterAuth default cookie name is "better-auth.session_token"
+    // When Secure cookies are enabled, BetterAuth prefixes with "__Secure-".
+    const candidates = [
+      "__Secure-better-auth.session_token",
+      "better-auth.session_token",
+      "__Host-better-auth.session_token",
+    ] as const;
+
+    for (const name of candidates) {
+      const token = cookies[name];
+      if (token) {
+        this.logger.debug(`Session cookie found: ${name}`);
+        return token;
+      }
+    }
+
+    return undefined;
  }

  /**
   * Extract token from Authorization header (Bearer token)
   */
-  private extractTokenFromHeader(request: AuthRequest): string | undefined {
+  private extractTokenFromHeader(request: MaybeAuthenticatedRequest): string | undefined {
    const authHeader = request.headers.authorization;
    if (typeof authHeader !== "string") {
      return undefined;
--- a/apps/api/src/auth/types/better-auth-request.interface.ts
+++ b/apps/api/src/auth/types/better-auth-request.interface.ts
@@ -1,11 +1,14 @@
 /**
- * BetterAuth Request Type
+ * Unified request types for authentication context.
 *
- * BetterAuth expects a Request object compatible with the Fetch API standard.
- * This extends the web standard Request interface with additional properties
- * that may be present in the Express request object at runtime.
+ * Replaces the previously scattered interfaces:
+ * - RequestWithSession (auth.controller.ts)
+ * - AuthRequest (auth.guard.ts)
+ * - BetterAuthRequest (this file, removed)
+ * - RequestWithUser (current-user.decorator.ts)
 */

+import type { Request } from "express";
 import type { AuthUser } from "@mosaic/shared";

 // Re-export AuthUser for use in other modules
@@ -22,19 +25,21 @@ export interface RequestSession {
 }

 /**
- * Web standard Request interface extended with Express-specific properties
- * This matches the Fetch API Request specification that BetterAuth expects.
+ * Request that may or may not have auth data (before guard runs).
+ * Used by AuthGuard and other middleware that processes requests
+ * before authentication is confirmed.
 */
-export interface BetterAuthRequest extends Request {
-  // Express route parameters
-  params?: Record<string, string>;
-
-  // Express query string parameters
-  query?: Record<string, string | string[]>;
-
-  // Session data attached by AuthGuard after successful authentication
-  session?: RequestSession;
-
-  // Authenticated user attached by AuthGuard
+export interface MaybeAuthenticatedRequest extends Request {
  user?: AuthUser;
+  session?: Record<string, unknown>;
+}
+
+/**
+ * Request with authenticated user attached by AuthGuard.
+ * After AuthGuard runs, user and session are guaranteed present.
+ * Use this type in controllers/decorators that sit behind AuthGuard.
+ */
+export interface AuthenticatedRequest extends Request {
+  user: AuthUser;
+  session: RequestSession;
 }
--- a/apps/api/src/bridge/matrix/matrix-room.service.ts
+++ b/apps/api/src/bridge/matrix/matrix-room.service.ts
@@ -93,7 +93,10 @@ export class MatrixRoomService {
      select: { matrixRoomId: true },
    });

-    return workspace?.matrixRoomId ?? null;
+    if (!workspace) {
+      return null;
+    }
+    return workspace.matrixRoomId ?? null;
  }

  /**
--- a/apps/api/src/common/guards/api-key.guard.spec.ts
+++ b/apps/api/src/common/guards/api-key.guard.spec.ts
@@ -113,34 +113,24 @@ describe("ApiKeyGuard", () => {
      const validApiKey = "test-api-key-12345";
      vi.mocked(mockConfigService.get).mockReturnValue(validApiKey);

-      const startTime = Date.now();
-      const context1 = createMockExecutionContext({
-        "x-api-key": "wrong-key-short",
+      // Verify that same-length keys are compared properly (exercises timingSafeEqual path)
+      // and different-length keys are rejected before comparison
+      const sameLength = createMockExecutionContext({
+        "x-api-key": "test-api-key-12344", // Same length, one char different
+      });
+      const differentLength = createMockExecutionContext({
+        "x-api-key": "short", // Different length
      });

-      try {
-        guard.canActivate(context1);
-      } catch {
-        // Expected to fail
-      }
-      const shortKeyTime = Date.now() - startTime;
+      // Both should throw, proving the comparison logic handles both cases
+      expect(() => guard.canActivate(sameLength)).toThrow("Invalid API key");
+      expect(() => guard.canActivate(differentLength)).toThrow("Invalid API key");

-      const startTime2 = Date.now();
-      const context2 = createMockExecutionContext({
-        "x-api-key": "test-api-key-12344", // Very close to correct key
+      // Correct key should pass
+      const correct = createMockExecutionContext({
+        "x-api-key": validApiKey,
      });
-
-      try {
-        guard.canActivate(context2);
-      } catch {
-        // Expected to fail
-      }
-      const longKeyTime = Date.now() - startTime2;
-
-      // Times should be similar (within 10ms) to prevent timing attacks
-      // Note: This is a simplified test; real timing attack prevention
-      // is handled by crypto.timingSafeEqual
-      expect(Math.abs(shortKeyTime - longKeyTime)).toBeLessThan(10);
+      expect(guard.canActivate(correct)).toBe(true);
    });
  });
 });
--- a/apps/api/src/common/interceptors/rls-context.integration.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.integration.spec.ts
@@ -137,13 +137,13 @@ describe("RLS Context Integration", () => {
        queries: ["findMany"],
      });

-      // Verify SET LOCAL was called
+      // Verify transaction-local set_config calls were made
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
@@ -80,7 +80,7 @@ describe("RlsContextInterceptor", () => {

      expect(result).toEqual({ data: "test response" });
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
    });
@@ -111,13 +111,13 @@ describe("RlsContextInterceptor", () => {
      // Check that user context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        1,
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      // Check that workspace context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        2,
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.ts
@@ -100,12 +100,12 @@ export class RlsContextInterceptor implements NestInterceptor {
      this.prisma
        .$transaction(
          async (tx) => {
-            // Set user context (always present for authenticated requests)
-            await tx.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
+            // Use set_config(..., true) so values are transaction-local and parameterized safely.
+            // Direct SET LOCAL with bind parameters produces invalid SQL on PostgreSQL.
+            await tx.$executeRaw`SELECT set_config('app.current_user_id', ${userId}, true)`;

-            // Set workspace context (if present)
            if (workspaceId) {
-              await tx.$executeRaw`SET LOCAL app.current_workspace_id = ${workspaceId}`;
+              await tx.$executeRaw`SELECT set_config('app.current_workspace_id', ${workspaceId}, true)`;
            }

            // Propagate the transaction client via AsyncLocalStorage
--- a/apps/api/src/credentials/user-credential.model.spec.ts
+++ b/apps/api/src/credentials/user-credential.model.spec.ts
@@ -15,7 +15,12 @@
 import { describe, it, expect, beforeAll, afterAll } from "vitest";
 import { PrismaClient, CredentialType, CredentialScope } from "@prisma/client";

-describe("UserCredential Model", () => {
+const shouldRunDbIntegrationTests =
+  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
+
+const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
+
+describeFn("UserCredential Model", () => {
  let prisma: PrismaClient;
  let testUserId: string;
  let testWorkspaceId: string;
@@ -23,8 +28,8 @@ describe("UserCredential Model", () => {
  beforeAll(async () => {
    // Note: These tests require a running database
    // They will be skipped in CI if DATABASE_URL is not set
-    if (!process.env.DATABASE_URL) {
-      console.warn("DATABASE_URL not set, skipping UserCredential model tests");
+    if (!shouldRunDbIntegrationTests) {
+      console.warn("Skipping UserCredential model tests (set RUN_DB_TESTS=true and DATABASE_URL)");
      return;
    }

--- a/apps/api/src/job-events/job-events.performance.spec.ts
+++ b/apps/api/src/job-events/job-events.performance.spec.ts
@@ -16,7 +16,9 @@ import { JOB_CREATED, JOB_STARTED, STEP_STARTED } from "./event-types";
 * NOTE: These tests require a real database connection with realistic data volume.
 * Run with: pnpm test:api -- job-events.performance.spec.ts
 */
-const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
+const shouldRunDbIntegrationTests =
+  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
+const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;

 describeFn("JobEventsService Performance", () => {
  let service: JobEventsService;
--- a/apps/api/src/knowledge/services/fulltext-search.spec.ts
+++ b/apps/api/src/knowledge/services/fulltext-search.spec.ts
@@ -27,7 +27,9 @@ async function isFulltextSearchConfigured(prisma: PrismaClient): Promise<boolean
 * Skip when DATABASE_URL is not set. Tests that require the trigger/index
 * will be skipped if the database migration hasn't been applied.
 */
-const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
+const shouldRunDbIntegrationTests =
+  process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
+const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;

 describeFn("Full-Text Search Setup (Integration)", () => {
  let prisma: PrismaClient;
--- a/apps/api/src/llm/llm-cost-table.ts
+++ b/apps/api/src/llm/llm-cost-table.ts
@@ -0,0 +1,109 @@
+/**
+ * LLM Cost Table
+ *
+ * Maps model names to per-token costs in microdollars (USD * 1,000,000).
+ * For example, $0.003 per 1K tokens = 3,000 microdollars per 1K tokens = 3 microdollars per token.
+ *
+ * Costs are split into input (prompt) and output (completion) pricing.
+ * Ollama models run locally and are free (0 cost).
+ */
+
+/**
+ * Per-token cost in microdollars for a single model.
+ */
+export interface ModelCost {
+  /** Cost per input token in microdollars */
+  inputPerToken: number;
+  /** Cost per output token in microdollars */
+  outputPerToken: number;
+}
+
+/**
+ * Cost table mapping model name prefixes to per-token pricing.
+ *
+ * Model matching is prefix-based: "claude-sonnet-4-5" matches "claude-sonnet-4-5-20250929".
+ * More specific prefixes are checked first (longest match wins).
+ *
+ * Prices sourced from provider pricing pages as of 2026-02.
+ */
+const MODEL_COSTS: Record<string, ModelCost> = {
+  // Anthropic Claude models (per-token microdollars)
+  // claude-sonnet-4-5: $3/M input, $15/M output
+  "claude-sonnet-4-5": { inputPerToken: 3, outputPerToken: 15 },
+  // claude-opus-4: $15/M input, $75/M output
+  "claude-opus-4": { inputPerToken: 15, outputPerToken: 75 },
+  // claude-3-5-haiku / claude-haiku-4-5: $0.80/M input, $4/M output
+  "claude-haiku-4-5": { inputPerToken: 0.8, outputPerToken: 4 },
+  "claude-3-5-haiku": { inputPerToken: 0.8, outputPerToken: 4 },
+  // claude-3-5-sonnet: $3/M input, $15/M output
+  "claude-3-5-sonnet": { inputPerToken: 3, outputPerToken: 15 },
+  // claude-3-opus: $15/M input, $75/M output
+  "claude-3-opus": { inputPerToken: 15, outputPerToken: 75 },
+  // claude-3-sonnet: $3/M input, $15/M output
+  "claude-3-sonnet": { inputPerToken: 3, outputPerToken: 15 },
+  // claude-3-haiku: $0.25/M input, $1.25/M output
+  "claude-3-haiku": { inputPerToken: 0.25, outputPerToken: 1.25 },
+
+  // OpenAI models (per-token microdollars)
+  // gpt-4o: $2.50/M input, $10/M output
+  "gpt-4o-mini": { inputPerToken: 0.15, outputPerToken: 0.6 },
+  "gpt-4o": { inputPerToken: 2.5, outputPerToken: 10 },
+  // gpt-4-turbo: $10/M input, $30/M output
+  "gpt-4-turbo": { inputPerToken: 10, outputPerToken: 30 },
+  // gpt-4: $30/M input, $60/M output
+  "gpt-4": { inputPerToken: 30, outputPerToken: 60 },
+  // gpt-3.5-turbo: $0.50/M input, $1.50/M output
+  "gpt-3.5-turbo": { inputPerToken: 0.5, outputPerToken: 1.5 },
+
+  // Ollama / local models: free
+  // These are catch-all entries; any model not matched above falls through to getModelCost default
+};
+
+/**
+ * Sorted model prefixes from longest to shortest for greedy prefix matching.
+ * Ensures "gpt-4o-mini" matches before "gpt-4o" and "claude-3-5-haiku" before "claude-3-haiku".
+ */
+const SORTED_PREFIXES = Object.keys(MODEL_COSTS).sort((a, b) => b.length - a.length);
+
+/**
+ * Look up per-token cost for a given model name.
+ *
+ * Uses longest-prefix matching: the model name is compared against known
+ * prefixes from longest to shortest. If no prefix matches, returns zero cost
+ * (assumes local/free model).
+ *
+ * @param modelName - Full model name (e.g. "claude-sonnet-4-5-20250929", "gpt-4o")
+ * @returns Per-token cost in microdollars
+ */
+export function getModelCost(modelName: string): ModelCost {
+  const normalized = modelName.toLowerCase();
+
+  for (const prefix of SORTED_PREFIXES) {
+    if (normalized.startsWith(prefix)) {
+      const cost = MODEL_COSTS[prefix];
+      if (cost !== undefined) {
+        return cost;
+      }
+    }
+  }
+
+  // Unknown or local model — assume free
+  return { inputPerToken: 0, outputPerToken: 0 };
+}
+
+/**
+ * Calculate total cost in microdollars for a given model and token counts.
+ *
+ * @param modelName - Full model name
+ * @param inputTokens - Number of input (prompt) tokens
+ * @param outputTokens - Number of output (completion) tokens
+ * @returns Total cost in microdollars (USD * 1,000,000)
+ */
+export function calculateCostMicrodollars(
+  modelName: string,
+  inputTokens: number,
+  outputTokens: number
+): number {
+  const cost = getModelCost(modelName);
+  return Math.round(cost.inputPerToken * inputTokens + cost.outputPerToken * outputTokens);
+}
--- a/apps/api/src/llm/llm-telemetry-tracker.service.spec.ts
+++ b/apps/api/src/llm/llm-telemetry-tracker.service.spec.ts
@@ -0,0 +1,487 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { TaskType, Complexity, Harness, Provider, Outcome } from "@mosaicstack/telemetry-client";
+import type { TaskCompletionEvent, EventBuilderParams } from "@mosaicstack/telemetry-client";
+import { MosaicTelemetryService } from "../mosaic-telemetry/mosaic-telemetry.service";
+import {
+  LlmTelemetryTrackerService,
+  estimateTokens,
+  mapProviderType,
+  mapHarness,
+  inferTaskType,
+} from "./llm-telemetry-tracker.service";
+import type { LlmCompletionParams } from "./llm-telemetry-tracker.service";
+import { getModelCost, calculateCostMicrodollars } from "./llm-cost-table";
+
+// ---------- Cost Table Tests ----------
+
+describe("llm-cost-table", () => {
+  describe("getModelCost", () => {
+    it("should return cost for claude-sonnet-4-5 models", () => {
+      const cost = getModelCost("claude-sonnet-4-5-20250929");
+      expect(cost.inputPerToken).toBe(3);
+      expect(cost.outputPerToken).toBe(15);
+    });
+
+    it("should return cost for claude-opus-4 models", () => {
+      const cost = getModelCost("claude-opus-4-6");
+      expect(cost.inputPerToken).toBe(15);
+      expect(cost.outputPerToken).toBe(75);
+    });
+
+    it("should return cost for claude-haiku-4-5 models", () => {
+      const cost = getModelCost("claude-haiku-4-5-20251001");
+      expect(cost.inputPerToken).toBe(0.8);
+      expect(cost.outputPerToken).toBe(4);
+    });
+
+    it("should return cost for gpt-4o", () => {
+      const cost = getModelCost("gpt-4o");
+      expect(cost.inputPerToken).toBe(2.5);
+      expect(cost.outputPerToken).toBe(10);
+    });
+
+    it("should return cost for gpt-4o-mini (longer prefix matches first)", () => {
+      const cost = getModelCost("gpt-4o-mini");
+      expect(cost.inputPerToken).toBe(0.15);
+      expect(cost.outputPerToken).toBe(0.6);
+    });
+
+    it("should return zero cost for unknown/local models", () => {
+      const cost = getModelCost("llama3.2");
+      expect(cost.inputPerToken).toBe(0);
+      expect(cost.outputPerToken).toBe(0);
+    });
+
+    it("should return zero cost for ollama models", () => {
+      const cost = getModelCost("mistral:7b");
+      expect(cost.inputPerToken).toBe(0);
+      expect(cost.outputPerToken).toBe(0);
+    });
+
+    it("should be case-insensitive", () => {
+      const cost = getModelCost("Claude-Sonnet-4-5-20250929");
+      expect(cost.inputPerToken).toBe(3);
+    });
+  });
+
+  describe("calculateCostMicrodollars", () => {
+    it("should calculate cost for claude-sonnet-4-5 with token counts", () => {
+      // 1000 input tokens * 3 + 500 output tokens * 15 = 3000 + 7500 = 10500
+      const cost = calculateCostMicrodollars("claude-sonnet-4-5-20250929", 1000, 500);
+      expect(cost).toBe(10500);
+    });
+
+    it("should return 0 for local models", () => {
+      const cost = calculateCostMicrodollars("llama3.2", 1000, 500);
+      expect(cost).toBe(0);
+    });
+
+    it("should return 0 when token counts are 0", () => {
+      const cost = calculateCostMicrodollars("claude-opus-4-6", 0, 0);
+      expect(cost).toBe(0);
+    });
+
+    it("should round the result to integer microdollars", () => {
+      // gpt-4o-mini: 0.15 * 3 + 0.6 * 7 = 0.45 + 4.2 = 4.65 -> rounds to 5
+      const cost = calculateCostMicrodollars("gpt-4o-mini", 3, 7);
+      expect(cost).toBe(5);
+    });
+  });
+});
+
+// ---------- Helper Function Tests ----------
+
+describe("helper functions", () => {
+  describe("estimateTokens", () => {
+    it("should estimate ~1 token per 4 characters", () => {
+      expect(estimateTokens("abcd")).toBe(1);
+      expect(estimateTokens("abcdefgh")).toBe(2);
+    });
+
+    it("should round up for partial tokens", () => {
+      expect(estimateTokens("abc")).toBe(1);
+      expect(estimateTokens("abcde")).toBe(2);
+    });
+
+    it("should return 0 for empty string", () => {
+      expect(estimateTokens("")).toBe(0);
+    });
+  });
+
+  describe("mapProviderType", () => {
+    it("should map claude to ANTHROPIC", () => {
+      expect(mapProviderType("claude")).toBe(Provider.ANTHROPIC);
+    });
+
+    it("should map openai to OPENAI", () => {
+      expect(mapProviderType("openai")).toBe(Provider.OPENAI);
+    });
+
+    it("should map ollama to OLLAMA", () => {
+      expect(mapProviderType("ollama")).toBe(Provider.OLLAMA);
+    });
+  });
+
+  describe("mapHarness", () => {
+    it("should map ollama to OLLAMA_LOCAL", () => {
+      expect(mapHarness("ollama")).toBe(Harness.OLLAMA_LOCAL);
+    });
+
+    it("should map claude to API_DIRECT", () => {
+      expect(mapHarness("claude")).toBe(Harness.API_DIRECT);
+    });
+
+    it("should map openai to API_DIRECT", () => {
+      expect(mapHarness("openai")).toBe(Harness.API_DIRECT);
+    });
+  });
+
+  describe("inferTaskType", () => {
+    it("should return IMPLEMENTATION for embed operation", () => {
+      expect(inferTaskType("embed")).toBe(TaskType.IMPLEMENTATION);
+    });
+
+    it("should return UNKNOWN when no context provided for chat", () => {
+      expect(inferTaskType("chat")).toBe(TaskType.UNKNOWN);
+    });
+
+    it("should return PLANNING for brain context", () => {
+      expect(inferTaskType("chat", "brain")).toBe(TaskType.PLANNING);
+    });
+
+    it("should return PLANNING for planning context", () => {
+      expect(inferTaskType("chat", "planning")).toBe(TaskType.PLANNING);
+    });
+
+    it("should return CODE_REVIEW for review context", () => {
+      expect(inferTaskType("chat", "code-review")).toBe(TaskType.CODE_REVIEW);
+    });
+
+    it("should return TESTING for test context", () => {
+      expect(inferTaskType("chat", "test-generation")).toBe(TaskType.TESTING);
+    });
+
+    it("should return DEBUGGING for debug context", () => {
+      expect(inferTaskType("chatStream", "debug-session")).toBe(TaskType.DEBUGGING);
+    });
+
+    it("should return REFACTORING for refactor context", () => {
+      expect(inferTaskType("chat", "refactor")).toBe(TaskType.REFACTORING);
+    });
+
+    it("should return DOCUMENTATION for doc context", () => {
+      expect(inferTaskType("chat", "documentation")).toBe(TaskType.DOCUMENTATION);
+    });
+
+    it("should return CONFIGURATION for config context", () => {
+      expect(inferTaskType("chat", "config-update")).toBe(TaskType.CONFIGURATION);
+    });
+
+    it("should return SECURITY_AUDIT for security context", () => {
+      expect(inferTaskType("chat", "security-check")).toBe(TaskType.SECURITY_AUDIT);
+    });
+
+    it("should return IMPLEMENTATION for chat context", () => {
+      expect(inferTaskType("chat", "chat")).toBe(TaskType.IMPLEMENTATION);
+    });
+
+    it("should be case-insensitive", () => {
+      expect(inferTaskType("chat", "BRAIN")).toBe(TaskType.PLANNING);
+    });
+
+    it("should return UNKNOWN for unrecognized context", () => {
+      expect(inferTaskType("chat", "something-else")).toBe(TaskType.UNKNOWN);
+    });
+  });
+});
+
+// ---------- LlmTelemetryTrackerService Tests ----------
+
+describe("LlmTelemetryTrackerService", () => {
+  let service: LlmTelemetryTrackerService;
+  let mockTelemetryService: {
+    eventBuilder: { build: ReturnType<typeof vi.fn> } | null;
+    trackTaskCompletion: ReturnType<typeof vi.fn>;
+    isEnabled: boolean;
+  };
+
+  const mockEvent: TaskCompletionEvent = {
+    instance_id: "test-instance",
+    event_id: "test-event",
+    schema_version: "1.0.0",
+    timestamp: new Date().toISOString(),
+    task_duration_ms: 1000,
+    task_type: TaskType.IMPLEMENTATION,
+    complexity: Complexity.LOW,
+    harness: Harness.API_DIRECT,
+    model: "claude-sonnet-4-5-20250929",
+    provider: Provider.ANTHROPIC,
+    estimated_input_tokens: 100,
+    estimated_output_tokens: 200,
+    actual_input_tokens: 100,
+    actual_output_tokens: 200,
+    estimated_cost_usd_micros: 3300,
+    actual_cost_usd_micros: 3300,
+    quality_gate_passed: true,
+    quality_gates_run: [],
+    quality_gates_failed: [],
+    context_compactions: 0,
+    context_rotations: 0,
+    context_utilization_final: 0,
+    outcome: Outcome.SUCCESS,
+    retry_count: 0,
+  };
+
+  beforeEach(async () => {
+    mockTelemetryService = {
+      eventBuilder: {
+        build: vi.fn().mockReturnValue(mockEvent),
+      },
+      trackTaskCompletion: vi.fn(),
+      isEnabled: true,
+    };
+
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        LlmTelemetryTrackerService,
+        {
+          provide: MosaicTelemetryService,
+          useValue: mockTelemetryService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<LlmTelemetryTrackerService>(LlmTelemetryTrackerService);
+  });
+
+  it("should be defined", () => {
+    expect(service).toBeDefined();
+  });
+
+  describe("trackLlmCompletion", () => {
+    const baseParams: LlmCompletionParams = {
+      model: "claude-sonnet-4-5-20250929",
+      providerType: "claude",
+      operation: "chat",
+      durationMs: 1200,
+      inputTokens: 150,
+      outputTokens: 300,
+      callingContext: "chat",
+      success: true,
+    };
+
+    it("should build and track a telemetry event for Anthropic provider", () => {
+      service.trackLlmCompletion(baseParams);
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          task_duration_ms: 1200,
+          task_type: TaskType.IMPLEMENTATION,
+          complexity: Complexity.LOW,
+          harness: Harness.API_DIRECT,
+          model: "claude-sonnet-4-5-20250929",
+          provider: Provider.ANTHROPIC,
+          actual_input_tokens: 150,
+          actual_output_tokens: 300,
+          outcome: Outcome.SUCCESS,
+        })
+      );
+
+      expect(mockTelemetryService.trackTaskCompletion).toHaveBeenCalledWith(mockEvent);
+    });
+
+    it("should build and track a telemetry event for OpenAI provider", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        model: "gpt-4o",
+        providerType: "openai",
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "gpt-4o",
+          provider: Provider.OPENAI,
+          harness: Harness.API_DIRECT,
+        })
+      );
+    });
+
+    it("should build and track a telemetry event for Ollama provider", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        model: "llama3.2",
+        providerType: "ollama",
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "llama3.2",
+          provider: Provider.OLLAMA,
+          harness: Harness.OLLAMA_LOCAL,
+        })
+      );
+    });
+
+    it("should calculate cost in microdollars correctly", () => {
+      service.trackLlmCompletion(baseParams);
+
+      // claude-sonnet-4-5: 150 * 3 + 300 * 15 = 450 + 4500 = 4950
+      const expectedActualCost = 4950;
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          // Estimated values are 0 when no PredictionService is injected
+          estimated_cost_usd_micros: 0,
+          actual_cost_usd_micros: expectedActualCost,
+        })
+      );
+    });
+
+    it("should calculate zero cost for ollama models", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        model: "llama3.2",
+        providerType: "ollama",
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          estimated_cost_usd_micros: 0,
+          actual_cost_usd_micros: 0,
+        })
+      );
+    });
+
+    it("should track FAILURE outcome when success is false", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        success: false,
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          outcome: Outcome.FAILURE,
+        })
+      );
+    });
+
+    it("should infer task type from calling context", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        callingContext: "brain",
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          task_type: TaskType.PLANNING,
+        })
+      );
+    });
+
+    it("should set empty quality gates arrays for direct LLM calls", () => {
+      service.trackLlmCompletion(baseParams);
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          quality_gate_passed: true,
+          quality_gates_run: [],
+          quality_gates_failed: [],
+        })
+      );
+    });
+
+    it("should silently skip when telemetry is disabled (eventBuilder is null)", () => {
+      mockTelemetryService.eventBuilder = null;
+
+      // Should not throw
+      service.trackLlmCompletion(baseParams);
+
+      expect(mockTelemetryService.trackTaskCompletion).not.toHaveBeenCalled();
+    });
+
+    it("should not throw when eventBuilder.build throws an error", () => {
+      mockTelemetryService.eventBuilder = {
+        build: vi.fn().mockImplementation(() => {
+          throw new Error("Build failed");
+        }),
+      };
+
+      // Should not throw
+      expect(() => service.trackLlmCompletion(baseParams)).not.toThrow();
+    });
+
+    it("should not throw when trackTaskCompletion throws an error", () => {
+      mockTelemetryService.trackTaskCompletion.mockImplementation(() => {
+        throw new Error("Track failed");
+      });
+
+      // Should not throw
+      expect(() => service.trackLlmCompletion(baseParams)).not.toThrow();
+    });
+
+    it("should handle streaming operation with estimated tokens", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        operation: "chatStream",
+        inputTokens: 50,
+        outputTokens: 100,
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          actual_input_tokens: 50,
+          actual_output_tokens: 100,
+          // Estimated values are 0 when no PredictionService is injected
+          estimated_input_tokens: 0,
+          estimated_output_tokens: 0,
+        })
+      );
+    });
+
+    it("should handle embed operation", () => {
+      service.trackLlmCompletion({
+        ...baseParams,
+        operation: "embed",
+        outputTokens: 0,
+        callingContext: undefined,
+      });
+
+      expect(mockTelemetryService.eventBuilder?.build).toHaveBeenCalledWith(
+        expect.objectContaining({
+          task_type: TaskType.IMPLEMENTATION,
+          actual_output_tokens: 0,
+        })
+      );
+    });
+
+    it("should pass all required EventBuilderParams fields", () => {
+      service.trackLlmCompletion(baseParams);
+
+      const buildCall = (mockTelemetryService.eventBuilder?.build as ReturnType<typeof vi.fn>).mock
+        .calls[0][0] as EventBuilderParams;
+
+      // Verify all required fields are present
+      expect(buildCall).toHaveProperty("task_duration_ms");
+      expect(buildCall).toHaveProperty("task_type");
+      expect(buildCall).toHaveProperty("complexity");
+      expect(buildCall).toHaveProperty("harness");
+      expect(buildCall).toHaveProperty("model");
+      expect(buildCall).toHaveProperty("provider");
+      expect(buildCall).toHaveProperty("estimated_input_tokens");
+      expect(buildCall).toHaveProperty("estimated_output_tokens");
+      expect(buildCall).toHaveProperty("actual_input_tokens");
+      expect(buildCall).toHaveProperty("actual_output_tokens");
+      expect(buildCall).toHaveProperty("estimated_cost_usd_micros");
+      expect(buildCall).toHaveProperty("actual_cost_usd_micros");
+      expect(buildCall).toHaveProperty("quality_gate_passed");
+      expect(buildCall).toHaveProperty("quality_gates_run");
+      expect(buildCall).toHaveProperty("quality_gates_failed");
+      expect(buildCall).toHaveProperty("context_compactions");
+      expect(buildCall).toHaveProperty("context_rotations");
+      expect(buildCall).toHaveProperty("context_utilization_final");
+      expect(buildCall).toHaveProperty("outcome");
+      expect(buildCall).toHaveProperty("retry_count");
+    });
+  });
+});
--- a/apps/api/src/llm/llm-telemetry-tracker.service.ts
+++ b/apps/api/src/llm/llm-telemetry-tracker.service.ts
@@ -0,0 +1,224 @@
+import { Injectable, Logger, Optional } from "@nestjs/common";
+import { MosaicTelemetryService } from "../mosaic-telemetry/mosaic-telemetry.service";
+import { PredictionService } from "../mosaic-telemetry/prediction.service";
+import { TaskType, Complexity, Harness, Provider, Outcome } from "@mosaicstack/telemetry-client";
+import type { LlmProviderType } from "./providers/llm-provider.interface";
+import { calculateCostMicrodollars } from "./llm-cost-table";
+
+/**
+ * Parameters for tracking an LLM completion event.
+ */
+export interface LlmCompletionParams {
+  /** Full model name (e.g. "claude-sonnet-4-5-20250929") */
+  model: string;
+  /** Provider type discriminator */
+  providerType: LlmProviderType;
+  /** Operation type that was performed */
+  operation: "chat" | "chatStream" | "embed";
+  /** Duration of the LLM call in milliseconds */
+  durationMs: number;
+  /** Number of input (prompt) tokens consumed */
+  inputTokens: number;
+  /** Number of output (completion) tokens generated */
+  outputTokens: number;
+  /**
+   * Optional calling context hint for task type inference.
+   * Examples: "brain", "chat", "embed", "planning", "code-review"
+   */
+  callingContext?: string | undefined;
+  /** Whether the call succeeded or failed */
+  success: boolean;
+}
+
+/**
+ * Estimated token count from text length.
+ * Uses a rough approximation of ~4 characters per token (GPT/Claude average).
+ */
+export function estimateTokens(text: string): number {
+  return Math.ceil(text.length / 4);
+}
+
+/** Map LLM provider type to telemetry Provider enum */
+export function mapProviderType(providerType: LlmProviderType): Provider {
+  switch (providerType) {
+    case "claude":
+      return Provider.ANTHROPIC;
+    case "openai":
+      return Provider.OPENAI;
+    case "ollama":
+      return Provider.OLLAMA;
+    default:
+      return Provider.UNKNOWN;
+  }
+}
+
+/** Map LLM provider type to telemetry Harness enum */
+export function mapHarness(providerType: LlmProviderType): Harness {
+  switch (providerType) {
+    case "ollama":
+      return Harness.OLLAMA_LOCAL;
+    default:
+      return Harness.API_DIRECT;
+  }
+}
+
+/**
+ * Infer the task type from calling context and operation.
+ *
+ * @param operation - The LLM operation (chat, chatStream, embed)
+ * @param callingContext - Optional hint about the caller's purpose
+ * @returns Inferred TaskType
+ */
+export function inferTaskType(
+  operation: "chat" | "chatStream" | "embed",
+  callingContext?: string
+): TaskType {
+  // Embedding operations are typically for indexing/search
+  if (operation === "embed") {
+    return TaskType.IMPLEMENTATION;
+  }
+
+  if (!callingContext) {
+    return TaskType.UNKNOWN;
+  }
+
+  const ctx = callingContext.toLowerCase();
+
+  if (ctx.includes("brain") || ctx.includes("planning") || ctx.includes("plan")) {
+    return TaskType.PLANNING;
+  }
+  if (ctx.includes("review") || ctx.includes("code-review")) {
+    return TaskType.CODE_REVIEW;
+  }
+  if (ctx.includes("test")) {
+    return TaskType.TESTING;
+  }
+  if (ctx.includes("debug")) {
+    return TaskType.DEBUGGING;
+  }
+  if (ctx.includes("refactor")) {
+    return TaskType.REFACTORING;
+  }
+  if (ctx.includes("doc")) {
+    return TaskType.DOCUMENTATION;
+  }
+  if (ctx.includes("config")) {
+    return TaskType.CONFIGURATION;
+  }
+  if (ctx.includes("security") || ctx.includes("audit")) {
+    return TaskType.SECURITY_AUDIT;
+  }
+  if (ctx.includes("chat") || ctx.includes("implement")) {
+    return TaskType.IMPLEMENTATION;
+  }
+
+  return TaskType.UNKNOWN;
+}
+
+/**
+ * LLM Telemetry Tracker Service
+ *
+ * Builds and submits telemetry events for LLM completions.
+ * All tracking is non-blocking and fire-and-forget; telemetry errors
+ * never propagate to the caller.
+ *
+ * @example
+ * ```typescript
+ * // After a successful chat completion
+ * this.telemetryTracker.trackLlmCompletion({
+ *   model: "claude-sonnet-4-5-20250929",
+ *   providerType: "claude",
+ *   operation: "chat",
+ *   durationMs: 1200,
+ *   inputTokens: 150,
+ *   outputTokens: 300,
+ *   callingContext: "chat",
+ *   success: true,
+ * });
+ * ```
+ */
+@Injectable()
+export class LlmTelemetryTrackerService {
+  private readonly logger = new Logger(LlmTelemetryTrackerService.name);
+
+  constructor(
+    private readonly telemetry: MosaicTelemetryService,
+    @Optional() private readonly predictionService?: PredictionService
+  ) {}
+
+  /**
+   * Track an LLM completion event via Mosaic Telemetry.
+   *
+   * This method is intentionally fire-and-forget. It catches all errors
+   * internally and logs them without propagating to the caller.
+   *
+   * @param params - LLM completion parameters
+   */
+  trackLlmCompletion(params: LlmCompletionParams): void {
+    try {
+      const builder = this.telemetry.eventBuilder;
+      if (!builder) {
+        // Telemetry is disabled — silently skip
+        return;
+      }
+
+      const taskType = inferTaskType(params.operation, params.callingContext);
+      const provider = mapProviderType(params.providerType);
+
+      const costMicrodollars = calculateCostMicrodollars(
+        params.model,
+        params.inputTokens,
+        params.outputTokens
+      );
+
+      // Query predictions for estimated fields (graceful degradation)
+      let estimatedInputTokens = 0;
+      let estimatedOutputTokens = 0;
+      let estimatedCostMicros = 0;
+
+      if (this.predictionService) {
+        const prediction = this.predictionService.getEstimate(
+          taskType,
+          params.model,
+          provider,
+          Complexity.LOW
+        );
+
+        if (prediction?.prediction && prediction.metadata.confidence !== "none") {
+          estimatedInputTokens = prediction.prediction.input_tokens.median;
+          estimatedOutputTokens = prediction.prediction.output_tokens.median;
+          estimatedCostMicros = prediction.prediction.cost_usd_micros.median ?? 0;
+        }
+      }
+
+      const event = builder.build({
+        task_duration_ms: params.durationMs,
+        task_type: taskType,
+        complexity: Complexity.LOW,
+        harness: mapHarness(params.providerType),
+        model: params.model,
+        provider,
+        estimated_input_tokens: estimatedInputTokens,
+        estimated_output_tokens: estimatedOutputTokens,
+        actual_input_tokens: params.inputTokens,
+        actual_output_tokens: params.outputTokens,
+        estimated_cost_usd_micros: estimatedCostMicros,
+        actual_cost_usd_micros: costMicrodollars,
+        quality_gate_passed: true,
+        quality_gates_run: [],
+        quality_gates_failed: [],
+        context_compactions: 0,
+        context_rotations: 0,
+        context_utilization_final: 0,
+        outcome: params.success ? Outcome.SUCCESS : Outcome.FAILURE,
+        retry_count: 0,
+      });
+
+      this.telemetry.trackTaskCompletion(event);
+    } catch (error: unknown) {
+      // Never let telemetry errors propagate
+      const msg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to track LLM telemetry event: ${msg}`);
+    }
+  }
+}
--- a/apps/api/src/llm/llm.module.ts
+++ b/apps/api/src/llm/llm.module.ts
@@ -3,13 +3,14 @@ import { LlmController } from "./llm.controller";
 import { LlmProviderAdminController } from "./llm-provider-admin.controller";
 import { LlmService } from "./llm.service";
 import { LlmManagerService } from "./llm-manager.service";
+import { LlmTelemetryTrackerService } from "./llm-telemetry-tracker.service";
 import { PrismaModule } from "../prisma/prisma.module";
 import { LlmUsageModule } from "../llm-usage/llm-usage.module";

@Module({
  imports: [PrismaModule, LlmUsageModule],
  controllers: [LlmController, LlmProviderAdminController],
-  providers: [LlmService, LlmManagerService],
+  providers: [LlmService, LlmManagerService, LlmTelemetryTrackerService],
  exports: [LlmService, LlmManagerService],
 })
 export class LlmModule {}
--- a/apps/api/src/llm/llm.service.spec.ts
+++ b/apps/api/src/llm/llm.service.spec.ts
@@ -3,6 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { ServiceUnavailableException } from "@nestjs/common";
 import { LlmService } from "./llm.service";
 import { LlmManagerService } from "./llm-manager.service";
+import { LlmTelemetryTrackerService } from "./llm-telemetry-tracker.service";
 import type { ChatRequestDto, EmbedRequestDto, ChatResponseDto, EmbedResponseDto } from "./dto";
 import type {
  LlmProviderInterface,
@@ -14,6 +15,9 @@ describe("LlmService", () => {
  let mockManagerService: {
    getDefaultProvider: ReturnType<typeof vi.fn>;
  };
+  let mockTelemetryTracker: {
+    trackLlmCompletion: ReturnType<typeof vi.fn>;
+  };
  let mockProvider: {
    chat: ReturnType<typeof vi.fn>;
    chatStream: ReturnType<typeof vi.fn>;
@@ -41,6 +45,11 @@ describe("LlmService", () => {
      getDefaultProvider: vi.fn().mockResolvedValue(mockProvider),
    };

+    // Create mock telemetry tracker
+    mockTelemetryTracker = {
+      trackLlmCompletion: vi.fn(),
+    };
+
    const module: TestingModule = await Test.createTestingModule({
      providers: [
        LlmService,
@@ -48,6 +57,10 @@ describe("LlmService", () => {
          provide: LlmManagerService,
          useValue: mockManagerService,
        },
+        {
+          provide: LlmTelemetryTrackerService,
+          useValue: mockTelemetryTracker,
+        },
      ],
    }).compile();

@@ -135,6 +148,45 @@ describe("LlmService", () => {
      expect(result).toEqual(response);
    });

+    it("should track telemetry on successful chat", async () => {
+      const response: ChatResponseDto = {
+        model: "llama3.2",
+        message: { role: "assistant", content: "Hello" },
+        done: true,
+        promptEvalCount: 10,
+        evalCount: 20,
+      };
+      mockProvider.chat.mockResolvedValue(response);
+
+      await service.chat(request, "chat");
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "llama3.2",
+          providerType: "ollama",
+          operation: "chat",
+          inputTokens: 10,
+          outputTokens: 20,
+          callingContext: "chat",
+          success: true,
+        })
+      );
+    });
+
+    it("should track telemetry on failed chat", async () => {
+      mockProvider.chat.mockRejectedValue(new Error("Chat failed"));
+
+      await expect(service.chat(request)).rejects.toThrow(ServiceUnavailableException);
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "llama3.2",
+          operation: "chat",
+          success: false,
+        })
+      );
+    });
+
    it("should throw ServiceUnavailableException on error", async () => {
      mockProvider.chat.mockRejectedValue(new Error("Chat failed"));

@@ -177,6 +229,94 @@ describe("LlmService", () => {
      expect(chunks[1].message.content).toBe(" world");
    });

+    it("should track telemetry after stream completes", async () => {
+      async function* mockGenerator(): AsyncGenerator<ChatResponseDto> {
+        yield {
+          model: "llama3.2",
+          message: { role: "assistant", content: "Hello" },
+          done: false,
+        };
+        yield {
+          model: "llama3.2",
+          message: { role: "assistant", content: " world" },
+          done: true,
+          promptEvalCount: 5,
+          evalCount: 10,
+        };
+      }
+
+      mockProvider.chatStream.mockReturnValue(mockGenerator());
+
+      const chunks: ChatResponseDto[] = [];
+      for await (const chunk of service.chatStream(request, "brain")) {
+        chunks.push(chunk);
+      }
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "llama3.2",
+          providerType: "ollama",
+          operation: "chatStream",
+          inputTokens: 5,
+          outputTokens: 10,
+          callingContext: "brain",
+          success: true,
+        })
+      );
+    });
+
+    it("should estimate tokens when provider does not return counts in stream", async () => {
+      async function* mockGenerator(): AsyncGenerator<ChatResponseDto> {
+        yield {
+          model: "llama3.2",
+          message: { role: "assistant", content: "Hello world" },
+          done: false,
+        };
+        yield {
+          model: "llama3.2",
+          message: { role: "assistant", content: "" },
+          done: true,
+        };
+      }
+
+      mockProvider.chatStream.mockReturnValue(mockGenerator());
+
+      const chunks: ChatResponseDto[] = [];
+      for await (const chunk of service.chatStream(request)) {
+        chunks.push(chunk);
+      }
+
+      // Should use estimated tokens since no actual counts provided
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          operation: "chatStream",
+          success: true,
+          // Input estimated from "Hi" -> ceil(2/4) = 1
+          inputTokens: 1,
+          // Output estimated from "Hello world" -> ceil(11/4) = 3
+          outputTokens: 3,
+        })
+      );
+    });
+
+    it("should track telemetry on stream failure", async () => {
+      async function* errorGenerator(): AsyncGenerator<ChatResponseDto> {
+        throw new Error("Stream failed");
+      }
+
+      mockProvider.chatStream.mockReturnValue(errorGenerator());
+
+      const generator = service.chatStream(request);
+      await expect(generator.next()).rejects.toThrow(ServiceUnavailableException);
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          operation: "chatStream",
+          success: false,
+        })
+      );
+    });
+
    it("should throw ServiceUnavailableException on error", async () => {
      async function* errorGenerator(): AsyncGenerator<ChatResponseDto> {
        throw new Error("Stream failed");
@@ -210,6 +350,41 @@ describe("LlmService", () => {
      expect(result).toEqual(response);
    });

+    it("should track telemetry on successful embed", async () => {
+      const response: EmbedResponseDto = {
+        model: "llama3.2",
+        embeddings: [[0.1, 0.2, 0.3]],
+        totalDuration: 500,
+      };
+      mockProvider.embed.mockResolvedValue(response);
+
+      await service.embed(request, "embed");
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          model: "llama3.2",
+          providerType: "ollama",
+          operation: "embed",
+          outputTokens: 0,
+          callingContext: "embed",
+          success: true,
+        })
+      );
+    });
+
+    it("should track telemetry on failed embed", async () => {
+      mockProvider.embed.mockRejectedValue(new Error("Embedding failed"));
+
+      await expect(service.embed(request)).rejects.toThrow(ServiceUnavailableException);
+
+      expect(mockTelemetryTracker.trackLlmCompletion).toHaveBeenCalledWith(
+        expect.objectContaining({
+          operation: "embed",
+          success: false,
+        })
+      );
+    });
+
    it("should throw ServiceUnavailableException on error", async () => {
      mockProvider.embed.mockRejectedValue(new Error("Embedding failed"));

--- a/apps/api/src/llm/llm.service.ts
+++ b/apps/api/src/llm/llm.service.ts
@@ -1,13 +1,15 @@
 import { Injectable, OnModuleInit, Logger, ServiceUnavailableException } from "@nestjs/common";
 import { LlmManagerService } from "./llm-manager.service";
+import { LlmTelemetryTrackerService, estimateTokens } from "./llm-telemetry-tracker.service";
 import type { ChatRequestDto, ChatResponseDto, EmbedRequestDto, EmbedResponseDto } from "./dto";
-import type { LlmProviderHealthStatus } from "./providers/llm-provider.interface";
+import type { LlmProviderHealthStatus, LlmProviderType } from "./providers/llm-provider.interface";

 /**
 * LLM Service
 *
 * High-level service for LLM operations. Delegates to providers via LlmManagerService.
 * Maintains backward compatibility with the original API while supporting multiple providers.
+ * Automatically tracks completions via Mosaic Telemetry (non-blocking).
 *
 * @example
 * ```typescript
@@ -33,7 +35,10 @@ import type { LlmProviderHealthStatus } from "./providers/llm-provider.interface
 export class LlmService implements OnModuleInit {
  private readonly logger = new Logger(LlmService.name);

-  constructor(private readonly llmManager: LlmManagerService) {
+  constructor(
+    private readonly llmManager: LlmManagerService,
+    private readonly telemetryTracker: LlmTelemetryTrackerService
+  ) {
    this.logger.log("LLM service initialized");
  }

@@ -91,14 +96,45 @@ export class LlmService implements OnModuleInit {
   * Perform a synchronous chat completion.
   *
   * @param request - Chat request with messages and configuration
+   * @param callingContext - Optional context hint for telemetry task type inference
   * @returns Complete chat response
   * @throws {ServiceUnavailableException} If provider is unavailable or request fails
   */
-  async chat(request: ChatRequestDto): Promise<ChatResponseDto> {
+  async chat(request: ChatRequestDto, callingContext?: string): Promise<ChatResponseDto> {
+    const startTime = Date.now();
+    let providerType: LlmProviderType = "ollama";
+
    try {
      const provider = await this.llmManager.getDefaultProvider();
-      return await provider.chat(request);
+      providerType = provider.type;
+      const response = await provider.chat(request);
+
+      // Fire-and-forget telemetry tracking
+      this.telemetryTracker.trackLlmCompletion({
+        model: response.model,
+        providerType,
+        operation: "chat",
+        durationMs: Date.now() - startTime,
+        inputTokens: response.promptEvalCount ?? 0,
+        outputTokens: response.evalCount ?? 0,
+        callingContext,
+        success: true,
+      });
+
+      return response;
    } catch (error: unknown) {
+      // Track failure (fire-and-forget)
+      this.telemetryTracker.trackLlmCompletion({
+        model: request.model,
+        providerType,
+        operation: "chat",
+        durationMs: Date.now() - startTime,
+        inputTokens: 0,
+        outputTokens: 0,
+        callingContext,
+        success: false,
+      });
+
      const errorMessage = error instanceof Error ? error.message : String(error);
      this.logger.error(`Chat failed: ${errorMessage}`);
      throw new ServiceUnavailableException(`Chat completion failed: ${errorMessage}`);
@@ -107,20 +143,75 @@ export class LlmService implements OnModuleInit {
  /**
   * Perform a streaming chat completion.
   * Yields response chunks as they arrive from the provider.
+   * Aggregates token usage and tracks telemetry after the stream ends.
   *
   * @param request - Chat request with messages and configuration
+   * @param callingContext - Optional context hint for telemetry task type inference
   * @yields Chat response chunks
   * @throws {ServiceUnavailableException} If provider is unavailable or request fails
   */
-  async *chatStream(request: ChatRequestDto): AsyncGenerator<ChatResponseDto, void, unknown> {
+  async *chatStream(
+    request: ChatRequestDto,
+    callingContext?: string
+  ): AsyncGenerator<ChatResponseDto, void, unknown> {
+    const startTime = Date.now();
+    let providerType: LlmProviderType = "ollama";
+    let aggregatedContent = "";
+    let lastChunkInputTokens = 0;
+    let lastChunkOutputTokens = 0;
+
    try {
      const provider = await this.llmManager.getDefaultProvider();
+      providerType = provider.type;
      const stream = provider.chatStream(request);

      for await (const chunk of stream) {
+        // Accumulate content for token estimation
+        aggregatedContent += chunk.message.content;
+
+        // Some providers include token counts on the final chunk
+        if (chunk.promptEvalCount !== undefined) {
+          lastChunkInputTokens = chunk.promptEvalCount;
+        }
+        if (chunk.evalCount !== undefined) {
+          lastChunkOutputTokens = chunk.evalCount;
+        }
+
        yield chunk;
      }
+
+      // After stream completes, track telemetry
+      // Use actual token counts if available, otherwise estimate from content length
+      const inputTokens =
+        lastChunkInputTokens > 0
+          ? lastChunkInputTokens
+          : estimateTokens(request.messages.map((m) => m.content).join(" "));
+      const outputTokens =
+        lastChunkOutputTokens > 0 ? lastChunkOutputTokens : estimateTokens(aggregatedContent);
+
+      this.telemetryTracker.trackLlmCompletion({
+        model: request.model,
+        providerType,
+        operation: "chatStream",
+        durationMs: Date.now() - startTime,
+        inputTokens,
+        outputTokens,
+        callingContext,
+        success: true,
+      });
    } catch (error: unknown) {
+      // Track failure (fire-and-forget)
+      this.telemetryTracker.trackLlmCompletion({
+        model: request.model,
+        providerType,
+        operation: "chatStream",
+        durationMs: Date.now() - startTime,
+        inputTokens: 0,
+        outputTokens: 0,
+        callingContext,
+        success: false,
+      });
+
      const errorMessage = error instanceof Error ? error.message : String(error);
      this.logger.error(`Stream failed: ${errorMessage}`);
      throw new ServiceUnavailableException(`Streaming failed: ${errorMessage}`);
@@ -130,14 +221,48 @@ export class LlmService implements OnModuleInit {
   * Generate embeddings for the given input texts.
   *
   * @param request - Embedding request with model and input texts
+   * @param callingContext - Optional context hint for telemetry task type inference
   * @returns Embeddings response with vector arrays
   * @throws {ServiceUnavailableException} If provider is unavailable or request fails
   */
-  async embed(request: EmbedRequestDto): Promise<EmbedResponseDto> {
+  async embed(request: EmbedRequestDto, callingContext?: string): Promise<EmbedResponseDto> {
+    const startTime = Date.now();
+    let providerType: LlmProviderType = "ollama";
+
    try {
      const provider = await this.llmManager.getDefaultProvider();
-      return await provider.embed(request);
+      providerType = provider.type;
+      const response = await provider.embed(request);
+
+      // Estimate input tokens from the input text
+      const inputTokens = estimateTokens(request.input.join(" "));
+
+      // Fire-and-forget telemetry tracking
+      this.telemetryTracker.trackLlmCompletion({
+        model: response.model,
+        providerType,
+        operation: "embed",
+        durationMs: Date.now() - startTime,
+        inputTokens,
+        outputTokens: 0, // Embeddings don't produce output tokens
+        callingContext,
+        success: true,
+      });
+
+      return response;
    } catch (error: unknown) {
+      // Track failure (fire-and-forget)
+      this.telemetryTracker.trackLlmCompletion({
+        model: request.model,
+        providerType,
+        operation: "embed",
+        durationMs: Date.now() - startTime,
+        inputTokens: 0,
+        outputTokens: 0,
+        callingContext,
+        success: false,
+      });
+
      const errorMessage = error instanceof Error ? error.message : String(error);
      this.logger.error(`Embed failed: ${errorMessage}`);
      throw new ServiceUnavailableException(`Embedding failed: ${errorMessage}`);
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -2,6 +2,7 @@ import { NestFactory } from "@nestjs/core";
 import { ValidationPipe } from "@nestjs/common";
 import cookieParser from "cookie-parser";
 import { AppModule } from "./app.module";
+import { getTrustedOrigins } from "./auth/auth.config";
 import { GlobalExceptionFilter } from "./filters/global-exception.filter";

 function getPort(): number {
@@ -47,39 +48,11 @@ async function bootstrap() {
  app.useGlobalFilters(new GlobalExceptionFilter());

  // Configure CORS for cookie-based authentication
-  // SECURITY: Cannot use wildcard (*) with credentials: true
-  const isDevelopment = process.env.NODE_ENV !== "production";
-
-  const allowedOrigins = [
-    process.env.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
-    "https://app.mosaicstack.dev", // Production web
-    "https://api.mosaicstack.dev", // Production API
-  ];
-
-  // Development-only origins (not allowed in production)
-  if (isDevelopment) {
-    allowedOrigins.push("http://localhost:3001"); // API origin (dev)
-  }
-
+  // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
+  const trustedOrigins = getTrustedOrigins();
+  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
  app.enableCors({
-    origin: (
-      origin: string | undefined,
-      callback: (err: Error | null, allow?: boolean) => void
-    ): void => {
-      // Allow requests with no Origin header (health checks, server-to-server,
-      // load balancer probes). These are not cross-origin requests per the CORS spec.
-      if (!origin) {
-        callback(null, true);
-        return;
-      }
-
-      // Check if origin is in allowed list
-      if (allowedOrigins.includes(origin)) {
-        callback(null, true);
-      } else {
-        callback(new Error(`Origin ${origin} not allowed by CORS`));
-      }
-    },
+    origin: trustedOrigins,
    credentials: true, // Required for cookie-based authentication
    methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
    allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],
--- a/apps/api/src/mosaic-telemetry/index.ts
+++ b/apps/api/src/mosaic-telemetry/index.ts
@@ -0,0 +1,17 @@
+/**
+ * Mosaic Telemetry module — task completion tracking and crowd-sourced predictions.
+ *
+ * **Not to be confused with the OpenTelemetry (OTEL) TelemetryModule** at
+ * `src/telemetry/`, which handles distributed request tracing.
+ *
+ * @module mosaic-telemetry
+ */
+
+export { MosaicTelemetryModule } from "./mosaic-telemetry.module";
+export { MosaicTelemetryService } from "./mosaic-telemetry.service";
+export {
+  loadMosaicTelemetryConfig,
+  toSdkConfig,
+  MOSAIC_TELEMETRY_ENV,
+  type MosaicTelemetryModuleConfig,
+} from "./mosaic-telemetry.config";
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.config.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.config.ts
@@ -0,0 +1,78 @@
+import type { ConfigService } from "@nestjs/config";
+import type { TelemetryConfig } from "@mosaicstack/telemetry-client";
+
+/**
+ * Configuration interface for the Mosaic Telemetry module.
+ * Maps environment variables to SDK configuration.
+ */
+export interface MosaicTelemetryModuleConfig {
+  /** Whether telemetry collection is enabled. Default: true */
+  enabled: boolean;
+  /** Base URL of the telemetry server */
+  serverUrl: string;
+  /** API key for authentication (64-char hex string) */
+  apiKey: string;
+  /** Instance UUID for this client */
+  instanceId: string;
+  /** If true, log events instead of sending them. Default: false */
+  dryRun: boolean;
+}
+
+/**
+ * Environment variable names used by the Mosaic Telemetry module.
+ */
+export const MOSAIC_TELEMETRY_ENV = {
+  ENABLED: "MOSAIC_TELEMETRY_ENABLED",
+  SERVER_URL: "MOSAIC_TELEMETRY_SERVER_URL",
+  API_KEY: "MOSAIC_TELEMETRY_API_KEY",
+  INSTANCE_ID: "MOSAIC_TELEMETRY_INSTANCE_ID",
+  DRY_RUN: "MOSAIC_TELEMETRY_DRY_RUN",
+} as const;
+
+/**
+ * Read Mosaic Telemetry configuration from environment variables via NestJS ConfigService.
+ *
+ * @param configService - NestJS ConfigService instance
+ * @returns Parsed module configuration
+ */
+export function loadMosaicTelemetryConfig(
+  configService: ConfigService
+): MosaicTelemetryModuleConfig {
+  const enabledRaw = configService.get<string>(MOSAIC_TELEMETRY_ENV.ENABLED, "true");
+  const dryRunRaw = configService.get<string>(MOSAIC_TELEMETRY_ENV.DRY_RUN, "false");
+
+  return {
+    enabled: enabledRaw.toLowerCase() === "true",
+    serverUrl: configService.get<string>(MOSAIC_TELEMETRY_ENV.SERVER_URL, ""),
+    apiKey: configService.get<string>(MOSAIC_TELEMETRY_ENV.API_KEY, ""),
+    instanceId: configService.get<string>(MOSAIC_TELEMETRY_ENV.INSTANCE_ID, ""),
+    dryRun: dryRunRaw.toLowerCase() === "true",
+  };
+}
+
+/**
+ * Convert module config to SDK TelemetryConfig format.
+ * Includes the onError callback for NestJS Logger integration.
+ *
+ * @param config - Module configuration
+ * @param onError - Error callback (typically NestJS Logger)
+ * @returns SDK-compatible TelemetryConfig
+ */
+export function toSdkConfig(
+  config: MosaicTelemetryModuleConfig,
+  onError?: (error: Error) => void
+): TelemetryConfig {
+  const sdkConfig: TelemetryConfig = {
+    serverUrl: config.serverUrl,
+    apiKey: config.apiKey,
+    instanceId: config.instanceId,
+    enabled: config.enabled,
+    dryRun: config.dryRun,
+  };
+
+  if (onError) {
+    sdkConfig.onError = onError;
+  }
+
+  return sdkConfig;
+}
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.controller.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.controller.ts
@@ -0,0 +1,92 @@
+import { Controller, Get, Query, UseGuards, BadRequestException } from "@nestjs/common";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { PredictionService } from "./prediction.service";
+import {
+  TaskType,
+  Complexity,
+  Provider,
+  type PredictionResponse,
+} from "@mosaicstack/telemetry-client";
+
+/**
+ * Valid values for query parameter validation.
+ */
+const VALID_TASK_TYPES = new Set<string>(Object.values(TaskType));
+const VALID_COMPLEXITIES = new Set<string>(Object.values(Complexity));
+const VALID_PROVIDERS = new Set<string>(Object.values(Provider));
+
+/**
+ * Response DTO for the estimate endpoint.
+ */
+interface EstimateResponseDto {
+  data: PredictionResponse | null;
+}
+
+/**
+ * Mosaic Telemetry Controller
+ *
+ * Provides API endpoints for accessing telemetry prediction data.
+ * All endpoints require authentication via AuthGuard.
+ *
+ * This controller is intentionally lightweight - it delegates to PredictionService
+ * for the actual prediction logic and returns results directly to the frontend.
+ */
+@Controller("telemetry")
+@UseGuards(AuthGuard)
+export class MosaicTelemetryController {
+  constructor(private readonly predictionService: PredictionService) {}
+
+  /**
+   * GET /api/telemetry/estimate
+   *
+   * Get a cost/token estimate for a given task configuration.
+   * Returns prediction data including confidence level, or null if
+   * no prediction is available.
+   *
+   * @param taskType - Task type enum value (e.g. "implementation", "planning")
+   * @param model - Model name (e.g. "claude-sonnet-4-5")
+   * @param provider - Provider enum value (e.g. "anthropic", "openai")
+   * @param complexity - Complexity level (e.g. "low", "medium", "high")
+   * @returns Prediction response with estimates and confidence
+   */
+  @Get("estimate")
+  getEstimate(
+    @Query("taskType") taskType: string,
+    @Query("model") model: string,
+    @Query("provider") provider: string,
+    @Query("complexity") complexity: string
+  ): EstimateResponseDto {
+    if (!taskType || !model || !provider || !complexity) {
+      throw new BadRequestException(
+        "Missing query parameters. Required: taskType, model, provider, complexity"
+      );
+    }
+
+    if (!VALID_TASK_TYPES.has(taskType)) {
+      throw new BadRequestException(
+        `Invalid taskType "${taskType}". Valid values: ${[...VALID_TASK_TYPES].join(", ")}`
+      );
+    }
+
+    if (!VALID_PROVIDERS.has(provider)) {
+      throw new BadRequestException(
+        `Invalid provider "${provider}". Valid values: ${[...VALID_PROVIDERS].join(", ")}`
+      );
+    }
+
+    if (!VALID_COMPLEXITIES.has(complexity)) {
+      throw new BadRequestException(
+        `Invalid complexity "${complexity}". Valid values: ${[...VALID_COMPLEXITIES].join(", ")}`
+      );
+    }
+
+    const prediction = this.predictionService.getEstimate(
+      taskType as TaskType,
+      model,
+      provider as Provider,
+      complexity as Complexity
+    );
+
+    return { data: prediction };
+  }
+}
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts
@@ -0,0 +1,171 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { ConfigModule } from "@nestjs/config";
+import { MosaicTelemetryModule } from "./mosaic-telemetry.module";
+import { MosaicTelemetryService } from "./mosaic-telemetry.service";
+import { PrismaService } from "../prisma/prisma.service";
+
+// Mock the telemetry client to avoid real HTTP calls
+vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@mosaicstack/telemetry-client")>();
+
+  class MockTelemetryClient {
+    private _isRunning = false;
+
+    constructor(_config: unknown) {
+      // no-op
+    }
+
+    get eventBuilder() {
+      return { build: vi.fn().mockReturnValue({ event_id: "test-event-id" }) };
+    }
+
+    start(): void {
+      this._isRunning = true;
+    }
+
+    async stop(): Promise<void> {
+      this._isRunning = false;
+    }
+
+    track(_event: unknown): void {
+      // no-op
+    }
+
+    getPrediction(_query: unknown): unknown {
+      return null;
+    }
+
+    async refreshPredictions(_queries: unknown): Promise<void> {
+      // no-op
+    }
+
+    get queueSize(): number {
+      return 0;
+    }
+
+    get isRunning(): boolean {
+      return this._isRunning;
+    }
+  }
+
+  return {
+    ...actual,
+    TelemetryClient: MockTelemetryClient,
+  };
+});
+
+describe("MosaicTelemetryModule", () => {
+  let module: TestingModule;
+  const sharedTestEnv = {
+    ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
+  };
+  const mockPrismaService = {
+    onModuleInit: vi.fn(),
+    onModuleDestroy: vi.fn(),
+    $connect: vi.fn(),
+    $disconnect: vi.fn(),
+  };
+
+  const buildTestModule = async (env: Record<string, string>): Promise<TestingModule> =>
+    Test.createTestingModule({
+      imports: [
+        ConfigModule.forRoot({
+          isGlobal: true,
+          envFilePath: [],
+          load: [() => ({ ...env, ...sharedTestEnv })],
+        }),
+        MosaicTelemetryModule,
+      ],
+    })
+      .overrideProvider(PrismaService)
+      .useValue(mockPrismaService)
+      .compile();
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("module initialization", () => {
+    it("should compile the module successfully", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "false",
+      });
+
+      expect(module).toBeDefined();
+      await module.close();
+    });
+
+    it("should provide MosaicTelemetryService", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "false",
+      });
+
+      const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
+      expect(service).toBeDefined();
+      expect(service).toBeInstanceOf(MosaicTelemetryService);
+
+      await module.close();
+    });
+
+    it("should export MosaicTelemetryService for injection in other modules", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "false",
+      });
+
+      const service = module.get(MosaicTelemetryService);
+      expect(service).toBeDefined();
+
+      await module.close();
+    });
+  });
+
+  describe("lifecycle integration", () => {
+    it("should initialize service on module init when enabled", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "true",
+        MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
+        MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
+        MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
+        MOSAIC_TELEMETRY_DRY_RUN: "false",
+      });
+
+      await module.init();
+
+      const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
+      expect(service.isEnabled).toBe(true);
+
+      await module.close();
+    });
+
+    it("should not start client when disabled via env", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "false",
+      });
+
+      await module.init();
+
+      const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
+      expect(service.isEnabled).toBe(false);
+
+      await module.close();
+    });
+
+    it("should cleanly shut down on module destroy", async () => {
+      module = await buildTestModule({
+        MOSAIC_TELEMETRY_ENABLED: "true",
+        MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
+        MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
+        MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
+        MOSAIC_TELEMETRY_DRY_RUN: "false",
+      });
+
+      await module.init();
+
+      const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
+      expect(service.isEnabled).toBe(true);
+
+      await expect(module.close()).resolves.not.toThrow();
+    });
+  });
+});
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.module.ts
@@ -0,0 +1,41 @@
+import { Module, Global } from "@nestjs/common";
+import { ConfigModule } from "@nestjs/config";
+import { AuthModule } from "../auth/auth.module";
+import { MosaicTelemetryService } from "./mosaic-telemetry.service";
+import { PredictionService } from "./prediction.service";
+import { MosaicTelemetryController } from "./mosaic-telemetry.controller";
+
+/**
+ * Global module providing Mosaic Telemetry integration via @mosaicstack/telemetry-client.
+ *
+ * Tracks task completion events and provides crowd-sourced predictions for
+ * token usage, cost estimation, and quality metrics.
+ *
+ * **This is separate from the OpenTelemetry (OTEL) TelemetryModule** which
+ * handles distributed request tracing. This module is specifically for
+ * Mosaic Stack's own telemetry aggregation service.
+ *
+ * Configuration via environment variables:
+ * - MOSAIC_TELEMETRY_ENABLED (boolean, default: true)
+ * - MOSAIC_TELEMETRY_SERVER_URL (string)
+ * - MOSAIC_TELEMETRY_API_KEY (string, 64-char hex)
+ * - MOSAIC_TELEMETRY_INSTANCE_ID (string, UUID)
+ * - MOSAIC_TELEMETRY_DRY_RUN (boolean, default: false)
+ *
+ * @example
+ * ```typescript
+ * // In any service (no need to import module — it's global):
+ * @Injectable()
+ * export class MyService {
+ *   constructor(private readonly telemetry: MosaicTelemetryService) {}
+ * }
+ * ```
+ */
+@Global()
+@Module({
+  imports: [ConfigModule, AuthModule],
+  controllers: [MosaicTelemetryController],
+  providers: [MosaicTelemetryService, PredictionService],
+  exports: [MosaicTelemetryService, PredictionService],
+})
+export class MosaicTelemetryModule {}
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.service.spec.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.service.spec.ts
@@ -0,0 +1,504 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { ConfigService } from "@nestjs/config";
+import { MOSAIC_TELEMETRY_ENV } from "./mosaic-telemetry.config";
+import type {
+  TaskCompletionEvent,
+  PredictionQuery,
+  PredictionResponse,
+} from "@mosaicstack/telemetry-client";
+import { TaskType, Complexity, Provider, Outcome } from "@mosaicstack/telemetry-client";
+
+// Track mock instances created during tests
+const mockStartFn = vi.fn();
+const mockStopFn = vi.fn().mockResolvedValue(undefined);
+const mockTrackFn = vi.fn();
+const mockGetPredictionFn = vi.fn().mockReturnValue(null);
+const mockRefreshPredictionsFn = vi.fn().mockResolvedValue(undefined);
+const mockBuildFn = vi.fn().mockReturnValue({ event_id: "test-event-id" });
+
+vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@mosaicstack/telemetry-client")>();
+
+  class MockTelemetryClient {
+    private _isRunning = false;
+
+    constructor(_config: unknown) {
+      // no-op
+    }
+
+    get eventBuilder() {
+      return { build: mockBuildFn };
+    }
+
+    start(): void {
+      this._isRunning = true;
+      mockStartFn();
+    }
+
+    async stop(): Promise<void> {
+      this._isRunning = false;
+      await mockStopFn();
+    }
+
+    track(event: unknown): void {
+      mockTrackFn(event);
+    }
+
+    getPrediction(query: unknown): unknown {
+      return mockGetPredictionFn(query);
+    }
+
+    async refreshPredictions(queries: unknown): Promise<void> {
+      await mockRefreshPredictionsFn(queries);
+    }
+
+    get queueSize(): number {
+      return 0;
+    }
+
+    get isRunning(): boolean {
+      return this._isRunning;
+    }
+  }
+
+  return {
+    ...actual,
+    TelemetryClient: MockTelemetryClient,
+  };
+});
+
+// Lazy-import the service after the mock is in place
+const { MosaicTelemetryService } = await import("./mosaic-telemetry.service");
+
+/**
+ * Create a ConfigService mock that returns environment values from the provided map.
+ */
+function createConfigService(envMap: Record<string, string | undefined> = {}): ConfigService {
+  const configService = {
+    get: vi.fn((key: string, defaultValue?: string): string => {
+      const value = envMap[key];
+      if (value !== undefined) {
+        return value;
+      }
+      return defaultValue ?? "";
+    }),
+  } as unknown as ConfigService;
+  return configService;
+}
+
+/**
+ * Default env config for an enabled telemetry service.
+ */
+const ENABLED_CONFIG: Record<string, string> = {
+  [MOSAIC_TELEMETRY_ENV.ENABLED]: "true",
+  [MOSAIC_TELEMETRY_ENV.SERVER_URL]: "https://tel.test.local",
+  [MOSAIC_TELEMETRY_ENV.API_KEY]: "a".repeat(64),
+  [MOSAIC_TELEMETRY_ENV.INSTANCE_ID]: "550e8400-e29b-41d4-a716-446655440000",
+  [MOSAIC_TELEMETRY_ENV.DRY_RUN]: "false",
+};
+
+/**
+ * Create a minimal TaskCompletionEvent for testing.
+ */
+function createTestEvent(): TaskCompletionEvent {
+  return {
+    schema_version: "1.0.0",
+    event_id: "test-event-123",
+    timestamp: new Date().toISOString(),
+    instance_id: "550e8400-e29b-41d4-a716-446655440000",
+    task_duration_ms: 5000,
+    task_type: TaskType.FEATURE,
+    complexity: Complexity.MEDIUM,
+    harness: "claude-code" as TaskCompletionEvent["harness"],
+    model: "claude-sonnet-4-20250514",
+    provider: Provider.ANTHROPIC,
+    estimated_input_tokens: 1000,
+    estimated_output_tokens: 500,
+    actual_input_tokens: 1100,
+    actual_output_tokens: 450,
+    estimated_cost_usd_micros: 5000,
+    actual_cost_usd_micros: 4800,
+    quality_gate_passed: true,
+    quality_gates_run: [],
+    quality_gates_failed: [],
+    context_compactions: 0,
+    context_rotations: 0,
+    context_utilization_final: 0.45,
+    outcome: Outcome.SUCCESS,
+    retry_count: 0,
+  };
+}
+
+describe("MosaicTelemetryService", () => {
+  let service: InstanceType<typeof MosaicTelemetryService>;
+
+  afterEach(async () => {
+    if (service) {
+      await service.onModuleDestroy();
+    }
+    vi.clearAllMocks();
+  });
+
+  describe("onModuleInit", () => {
+    it("should initialize the client when enabled with valid config", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(mockStartFn).toHaveBeenCalledOnce();
+      expect(service.isEnabled).toBe(true);
+    });
+
+    it("should not initialize client when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(mockStartFn).not.toHaveBeenCalled();
+      expect(service.isEnabled).toBe(false);
+    });
+
+    it("should disable when server URL is missing", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.SERVER_URL]: "",
+      });
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(service.isEnabled).toBe(false);
+    });
+
+    it("should disable when API key is missing", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.API_KEY]: "",
+      });
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(service.isEnabled).toBe(false);
+    });
+
+    it("should disable when instance ID is missing", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.INSTANCE_ID]: "",
+      });
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(service.isEnabled).toBe(false);
+    });
+
+    it("should log dry-run mode when configured", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.DRY_RUN]: "true",
+      });
+      service = new MosaicTelemetryService(configService);
+
+      service.onModuleInit();
+
+      expect(mockStartFn).toHaveBeenCalledOnce();
+    });
+  });
+
+  describe("onModuleDestroy", () => {
+    it("should stop the client on shutdown", async () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      await service.onModuleDestroy();
+
+      expect(mockStopFn).toHaveBeenCalledOnce();
+    });
+
+    it("should not throw when client is not initialized (disabled)", async () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      await expect(service.onModuleDestroy()).resolves.not.toThrow();
+    });
+
+    it("should not throw when called multiple times", async () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      await service.onModuleDestroy();
+      await expect(service.onModuleDestroy()).resolves.not.toThrow();
+    });
+  });
+
+  describe("trackTaskCompletion", () => {
+    it("should queue event via client.track() when enabled", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const event = createTestEvent();
+      service.trackTaskCompletion(event);
+
+      expect(mockTrackFn).toHaveBeenCalledWith(event);
+    });
+
+    it("should be a no-op when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const event = createTestEvent();
+      service.trackTaskCompletion(event);
+
+      expect(mockTrackFn).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("getPrediction", () => {
+    const testQuery: PredictionQuery = {
+      task_type: TaskType.FEATURE,
+      model: "claude-sonnet-4-20250514",
+      provider: Provider.ANTHROPIC,
+      complexity: Complexity.MEDIUM,
+    };
+
+    it("should return cached prediction when available", () => {
+      const mockPrediction: PredictionResponse = {
+        prediction: {
+          input_tokens: { p10: 100, p25: 200, median: 300, p75: 400, p90: 500 },
+          output_tokens: { p10: 50, p25: 100, median: 150, p75: 200, p90: 250 },
+          cost_usd_micros: { median: 5000 },
+          duration_ms: { median: 10000 },
+          correction_factors: { input: 1.0, output: 1.0 },
+          quality: { gate_pass_rate: 0.95, success_rate: 0.9 },
+        },
+        metadata: {
+          sample_size: 100,
+          fallback_level: 0,
+          confidence: "high",
+          last_updated: new Date().toISOString(),
+          cache_hit: true,
+        },
+      };
+
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      mockGetPredictionFn.mockReturnValueOnce(mockPrediction);
+
+      const result = service.getPrediction(testQuery);
+
+      expect(result).toEqual(mockPrediction);
+      expect(mockGetPredictionFn).toHaveBeenCalledWith(testQuery);
+    });
+
+    it("should return null when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const result = service.getPrediction(testQuery);
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null when no cached prediction exists", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      mockGetPredictionFn.mockReturnValueOnce(null);
+
+      const result = service.getPrediction(testQuery);
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe("refreshPredictions", () => {
+    const testQueries: PredictionQuery[] = [
+      {
+        task_type: TaskType.FEATURE,
+        model: "claude-sonnet-4-20250514",
+        provider: Provider.ANTHROPIC,
+        complexity: Complexity.MEDIUM,
+      },
+    ];
+
+    it("should call client.refreshPredictions when enabled", async () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      await service.refreshPredictions(testQueries);
+
+      expect(mockRefreshPredictionsFn).toHaveBeenCalledWith(testQueries);
+    });
+
+    it("should be a no-op when disabled", async () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      await service.refreshPredictions(testQueries);
+
+      expect(mockRefreshPredictionsFn).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("eventBuilder", () => {
+    it("should return EventBuilder when enabled", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const builder = service.eventBuilder;
+
+      expect(builder).toBeDefined();
+      expect(builder).not.toBeNull();
+      expect(typeof builder?.build).toBe("function");
+    });
+
+    it("should return null when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const builder = service.eventBuilder;
+
+      expect(builder).toBeNull();
+    });
+  });
+
+  describe("isEnabled", () => {
+    it("should return true when client is running", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      expect(service.isEnabled).toBe(true);
+    });
+
+    it("should return false when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      expect(service.isEnabled).toBe(false);
+    });
+  });
+
+  describe("queueSize", () => {
+    it("should return 0 when disabled", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      expect(service.queueSize).toBe(0);
+    });
+
+    it("should delegate to client.queueSize when enabled", () => {
+      const configService = createConfigService(ENABLED_CONFIG);
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      expect(service.queueSize).toBe(0);
+    });
+  });
+
+  describe("disabled mode (comprehensive)", () => {
+    beforeEach(() => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.ENABLED]: "false",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+    });
+
+    it("should not make any HTTP calls when disabled", () => {
+      const event = createTestEvent();
+      service.trackTaskCompletion(event);
+
+      expect(mockTrackFn).not.toHaveBeenCalled();
+      expect(mockStartFn).not.toHaveBeenCalled();
+    });
+
+    it("should safely handle all method calls when disabled", async () => {
+      expect(() => service.trackTaskCompletion(createTestEvent())).not.toThrow();
+      expect(
+        service.getPrediction({
+          task_type: TaskType.FEATURE,
+          model: "test",
+          provider: Provider.ANTHROPIC,
+          complexity: Complexity.LOW,
+        })
+      ).toBeNull();
+      await expect(service.refreshPredictions([])).resolves.not.toThrow();
+      expect(service.eventBuilder).toBeNull();
+      expect(service.isEnabled).toBe(false);
+      expect(service.queueSize).toBe(0);
+    });
+  });
+
+  describe("dry-run mode", () => {
+    it("should create client in dry-run mode", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.DRY_RUN]: "true",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      expect(mockStartFn).toHaveBeenCalledOnce();
+      expect(service.isEnabled).toBe(true);
+    });
+
+    it("should accept events in dry-run mode", () => {
+      const configService = createConfigService({
+        ...ENABLED_CONFIG,
+        [MOSAIC_TELEMETRY_ENV.DRY_RUN]: "true",
+      });
+      service = new MosaicTelemetryService(configService);
+      service.onModuleInit();
+
+      const event = createTestEvent();
+      service.trackTaskCompletion(event);
+
+      expect(mockTrackFn).toHaveBeenCalledWith(event);
+    });
+  });
+});
--- a/apps/api/src/mosaic-telemetry/mosaic-telemetry.service.ts
+++ b/apps/api/src/mosaic-telemetry/mosaic-telemetry.service.ts
@@ -0,0 +1,164 @@
+import { Injectable, Logger, OnModuleInit, OnModuleDestroy } from "@nestjs/common";
+import { ConfigService } from "@nestjs/config";
+import {
+  TelemetryClient,
+  type TaskCompletionEvent,
+  type PredictionQuery,
+  type PredictionResponse,
+  type EventBuilder,
+} from "@mosaicstack/telemetry-client";
+import {
+  loadMosaicTelemetryConfig,
+  toSdkConfig,
+  type MosaicTelemetryModuleConfig,
+} from "./mosaic-telemetry.config";
+
+/**
+ * NestJS service wrapping the @mosaicstack/telemetry-client SDK.
+ *
+ * Provides convenience methods for tracking task completions and reading
+ * crowd-sourced predictions. When telemetry is disabled via
+ * MOSAIC_TELEMETRY_ENABLED=false, all methods are safe no-ops.
+ *
+ * This service is provided globally by MosaicTelemetryModule — any service
+ * can inject it without importing the module explicitly.
+ *
+ * @example
+ * ```typescript
+ * @Injectable()
+ * export class TasksService {
+ *   constructor(private readonly telemetry: MosaicTelemetryService) {}
+ *
+ *   async completeTask(taskId: string): Promise<void> {
+ *     // ... complete the task ...
+ *     const event = this.telemetry.eventBuilder.build({ ... });
+ *     this.telemetry.trackTaskCompletion(event);
+ *   }
+ * }
+ * ```
+ */
+@Injectable()
+export class MosaicTelemetryService implements OnModuleInit, OnModuleDestroy {
+  private readonly logger = new Logger(MosaicTelemetryService.name);
+  private client: TelemetryClient | null = null;
+  private config: MosaicTelemetryModuleConfig | null = null;
+
+  constructor(private readonly configService: ConfigService) {}
+
+  /**
+   * Initialize the telemetry client on module startup.
+   * Reads configuration from environment variables and starts background submission.
+   */
+  onModuleInit(): void {
+    this.config = loadMosaicTelemetryConfig(this.configService);
+
+    if (!this.config.enabled) {
+      this.logger.log("Mosaic Telemetry is disabled");
+      return;
+    }
+
+    if (!this.config.serverUrl || !this.config.apiKey || !this.config.instanceId) {
+      this.logger.warn(
+        "Mosaic Telemetry is enabled but missing configuration " +
+          "(MOSAIC_TELEMETRY_SERVER_URL, MOSAIC_TELEMETRY_API_KEY, or MOSAIC_TELEMETRY_INSTANCE_ID). " +
+          "Telemetry will remain disabled."
+      );
+      this.config = { ...this.config, enabled: false };
+      return;
+    }
+
+    const sdkConfig = toSdkConfig(this.config, (error: Error) => {
+      this.logger.error(`Telemetry client error: ${error.message}`, error.stack);
+    });
+
+    this.client = new TelemetryClient(sdkConfig);
+    this.client.start();
+
+    const mode = this.config.dryRun ? "dry-run" : "live";
+    this.logger.log(`Mosaic Telemetry client started (${mode}) -> ${this.config.serverUrl}`);
+  }
+
+  /**
+   * Stop the telemetry client on module shutdown.
+   * Flushes any remaining queued events before stopping.
+   */
+  async onModuleDestroy(): Promise<void> {
+    if (this.client) {
+      this.logger.log("Stopping Mosaic Telemetry client...");
+      await this.client.stop();
+      this.client = null;
+      this.logger.log("Mosaic Telemetry client stopped");
+    }
+  }
+
+  /**
+   * Queue a task completion event for batch submission.
+   * No-op when telemetry is disabled.
+   *
+   * @param event - The task completion event to track
+   */
+  trackTaskCompletion(event: TaskCompletionEvent): void {
+    if (!this.client) {
+      return;
+    }
+    this.client.track(event);
+  }
+
+  /**
+   * Get a cached prediction for the given query.
+   * Returns null when telemetry is disabled or if not cached/expired.
+   *
+   * @param query - The prediction query parameters
+   * @returns Cached prediction response, or null
+   */
+  getPrediction(query: PredictionQuery): PredictionResponse | null {
+    if (!this.client) {
+      return null;
+    }
+    return this.client.getPrediction(query);
+  }
+
+  /**
+   * Force-refresh predictions from the telemetry server.
+   * No-op when telemetry is disabled.
+   *
+   * @param queries - Array of prediction queries to refresh
+   */
+  async refreshPredictions(queries: PredictionQuery[]): Promise<void> {
+    if (!this.client) {
+      return;
+    }
+    await this.client.refreshPredictions(queries);
+  }
+
+  /**
+   * Get the EventBuilder for constructing TaskCompletionEvent objects.
+   * Returns null when telemetry is disabled.
+   *
+   * @returns EventBuilder instance, or null if disabled
+   */
+  get eventBuilder(): EventBuilder | null {
+    if (!this.client) {
+      return null;
+    }
+    return this.client.eventBuilder;
+  }
+
+  /**
+   * Whether the telemetry client is currently active and running.
+   */
+  get isEnabled(): boolean {
+    return this.client?.isRunning ?? false;
+  }
+
+  /**
+   * Number of events currently queued for submission.
+   * Returns 0 when telemetry is disabled.
+   */
+  get queueSize(): number {
+    if (!this.client) {
+      return 0;
+    }
+    return this.client.queueSize;
+  }
+}
--- a/apps/api/src/mosaic-telemetry/prediction.service.spec.ts
+++ b/apps/api/src/mosaic-telemetry/prediction.service.spec.ts
@@ -0,0 +1,297 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { TaskType, Complexity, Provider } from "@mosaicstack/telemetry-client";
+import type { PredictionResponse, PredictionQuery } from "@mosaicstack/telemetry-client";
+import { MosaicTelemetryService } from "./mosaic-telemetry.service";
+import { PredictionService } from "./prediction.service";
+
+describe("PredictionService", () => {
+  let service: PredictionService;
+  let mockTelemetryService: {
+    isEnabled: boolean;
+    getPrediction: ReturnType<typeof vi.fn>;
+    refreshPredictions: ReturnType<typeof vi.fn>;
+  };
+
+  const mockPredictionResponse: PredictionResponse = {
+    prediction: {
+      input_tokens: {
+        p10: 50,
+        p25: 80,
+        median: 120,
+        p75: 200,
+        p90: 350,
+      },
+      output_tokens: {
+        p10: 100,
+        p25: 150,
+        median: 250,
+        p75: 400,
+        p90: 600,
+      },
+      cost_usd_micros: {
+        p10: 500,
+        p25: 800,
+        median: 1200,
+        p75: 2000,
+        p90: 3500,
+      },
+      duration_ms: {
+        p10: 200,
+        p25: 400,
+        median: 800,
+        p75: 1500,
+        p90: 3000,
+      },
+      correction_factors: {
+        input: 1.0,
+        output: 1.0,
+      },
+      quality: {
+        gate_pass_rate: 0.95,
+        success_rate: 0.92,
+      },
+    },
+    metadata: {
+      sample_size: 150,
+      fallback_level: 0,
+      confidence: "high",
+      last_updated: "2026-02-15T00:00:00Z",
+      cache_hit: true,
+    },
+  };
+
+  const nullPredictionResponse: PredictionResponse = {
+    prediction: null,
+    metadata: {
+      sample_size: 0,
+      fallback_level: 3,
+      confidence: "none",
+      last_updated: null,
+      cache_hit: false,
+    },
+  };
+
+  beforeEach(async () => {
+    mockTelemetryService = {
+      isEnabled: true,
+      getPrediction: vi.fn().mockReturnValue(mockPredictionResponse),
+      refreshPredictions: vi.fn().mockResolvedValue(undefined),
+    };
+
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        PredictionService,
+        {
+          provide: MosaicTelemetryService,
+          useValue: mockTelemetryService,
+        },
+      ],
+    }).compile();
+
+    service = module.get<PredictionService>(PredictionService);
+  });
+
+  it("should be defined", () => {
+    expect(service).toBeDefined();
+  });
+
+  // ---------- getEstimate ----------
+
+  describe("getEstimate", () => {
+    it("should return prediction response for valid query", () => {
+      const result = service.getEstimate(
+        TaskType.IMPLEMENTATION,
+        "claude-sonnet-4-5",
+        Provider.ANTHROPIC,
+        Complexity.LOW
+      );
+
+      expect(result).toEqual(mockPredictionResponse);
+      expect(mockTelemetryService.getPrediction).toHaveBeenCalledWith({
+        task_type: TaskType.IMPLEMENTATION,
+        model: "claude-sonnet-4-5",
+        provider: Provider.ANTHROPIC,
+        complexity: Complexity.LOW,
+      });
+    });
+
+    it("should pass correct query parameters to telemetry service", () => {
+      service.getEstimate(TaskType.CODE_REVIEW, "gpt-4o", Provider.OPENAI, Complexity.HIGH);
+
+      expect(mockTelemetryService.getPrediction).toHaveBeenCalledWith({
+        task_type: TaskType.CODE_REVIEW,
+        model: "gpt-4o",
+        provider: Provider.OPENAI,
+        complexity: Complexity.HIGH,
+      });
+    });
+
+    it("should return null when telemetry returns null", () => {
+      mockTelemetryService.getPrediction.mockReturnValue(null);
+
+      const result = service.getEstimate(
+        TaskType.IMPLEMENTATION,
+        "claude-sonnet-4-5",
+        Provider.ANTHROPIC,
+        Complexity.LOW
+      );
+
+      expect(result).toBeNull();
+    });
+
+    it("should return null prediction response when confidence is none", () => {
+      mockTelemetryService.getPrediction.mockReturnValue(nullPredictionResponse);
+
+      const result = service.getEstimate(
+        TaskType.IMPLEMENTATION,
+        "unknown-model",
+        Provider.UNKNOWN,
+        Complexity.LOW
+      );
+
+      expect(result).toEqual(nullPredictionResponse);
+      expect(result?.metadata.confidence).toBe("none");
+    });
+
+    it("should return null and not throw when getPrediction throws", () => {
+      mockTelemetryService.getPrediction.mockImplementation(() => {
+        throw new Error("Prediction fetch failed");
+      });
+
+      const result = service.getEstimate(
+        TaskType.IMPLEMENTATION,
+        "claude-sonnet-4-5",
+        Provider.ANTHROPIC,
+        Complexity.LOW
+      );
+
+      expect(result).toBeNull();
+    });
+
+    it("should handle non-Error thrown objects gracefully", () => {
+      mockTelemetryService.getPrediction.mockImplementation(() => {
+        throw "string error";
+      });
+
+      const result = service.getEstimate(
+        TaskType.IMPLEMENTATION,
+        "claude-sonnet-4-5",
+        Provider.ANTHROPIC,
+        Complexity.LOW
+      );
+
+      expect(result).toBeNull();
+    });
+  });
+
+  // ---------- refreshCommonPredictions ----------
+
+  describe("refreshCommonPredictions", () => {
+    it("should call refreshPredictions with multiple query combinations", async () => {
+      await service.refreshCommonPredictions();
+
+      expect(mockTelemetryService.refreshPredictions).toHaveBeenCalledTimes(1);
+
+      const queries: PredictionQuery[] = mockTelemetryService.refreshPredictions.mock.calls[0][0];
+
+      // Should have queries for cross-product of models, task types, and complexities
+      expect(queries.length).toBeGreaterThan(0);
+
+      // Verify all queries have valid structure
+      for (const query of queries) {
+        expect(query).toHaveProperty("task_type");
+        expect(query).toHaveProperty("model");
+        expect(query).toHaveProperty("provider");
+        expect(query).toHaveProperty("complexity");
+      }
+    });
+
+    it("should include Anthropic model predictions", async () => {
+      await service.refreshCommonPredictions();
+
+      const queries: PredictionQuery[] = mockTelemetryService.refreshPredictions.mock.calls[0][0];
+
+      const anthropicQueries = queries.filter(
+        (q: PredictionQuery) => q.provider === Provider.ANTHROPIC
+      );
+      expect(anthropicQueries.length).toBeGreaterThan(0);
+    });
+
+    it("should include OpenAI model predictions", async () => {
+      await service.refreshCommonPredictions();
+
+      const queries: PredictionQuery[] = mockTelemetryService.refreshPredictions.mock.calls[0][0];
+
+      const openaiQueries = queries.filter((q: PredictionQuery) => q.provider === Provider.OPENAI);
+      expect(openaiQueries.length).toBeGreaterThan(0);
+    });
+
+    it("should not call refreshPredictions when telemetry is disabled", async () => {
+      mockTelemetryService.isEnabled = false;
+
+      await service.refreshCommonPredictions();
+
+      expect(mockTelemetryService.refreshPredictions).not.toHaveBeenCalled();
+    });
+
+    it("should not throw when refreshPredictions rejects", async () => {
+      mockTelemetryService.refreshPredictions.mockRejectedValue(new Error("Server unreachable"));
+
+      // Should not throw
+      await expect(service.refreshCommonPredictions()).resolves.not.toThrow();
+    });
+
+    it("should include common task types in queries", async () => {
+      await service.refreshCommonPredictions();
+
+      const queries: PredictionQuery[] = mockTelemetryService.refreshPredictions.mock.calls[0][0];
+
+      const taskTypes = new Set(queries.map((q: PredictionQuery) => q.task_type));
+
+      expect(taskTypes.has(TaskType.IMPLEMENTATION)).toBe(true);
+      expect(taskTypes.has(TaskType.PLANNING)).toBe(true);
+      expect(taskTypes.has(TaskType.CODE_REVIEW)).toBe(true);
+    });
+
+    it("should include common complexity levels in queries", async () => {
+      await service.refreshCommonPredictions();
+
+      const queries: PredictionQuery[] = mockTelemetryService.refreshPredictions.mock.calls[0][0];
+
+      const complexities = new Set(queries.map((q: PredictionQuery) => q.complexity));
+
+      expect(complexities.has(Complexity.LOW)).toBe(true);
+      expect(complexities.has(Complexity.MEDIUM)).toBe(true);
+    });
+  });
+
+  // ---------- onModuleInit ----------
+
+  describe("onModuleInit", () => {
+    it("should trigger refreshCommonPredictions on init when telemetry is enabled", () => {
+      // refreshPredictions is async, but onModuleInit fires it and forgets
+      service.onModuleInit();
+
+      // Give the promise microtask a chance to execute
+      expect(mockTelemetryService.isEnabled).toBe(true);
+      // refreshPredictions will be called asynchronously
+    });
+
+    it("should not refresh when telemetry is disabled", () => {
+      mockTelemetryService.isEnabled = false;
+
+      service.onModuleInit();
+
+      // refreshPredictions should not be called since we returned early
+      expect(mockTelemetryService.refreshPredictions).not.toHaveBeenCalled();
+    });
+
+    it("should not throw when refresh fails on init", () => {
+      mockTelemetryService.refreshPredictions.mockRejectedValue(new Error("Connection refused"));
+
+      // Should not throw
+      expect(() => service.onModuleInit()).not.toThrow();
+    });
+  });
+});
--- a/apps/api/src/mosaic-telemetry/prediction.service.ts
+++ b/apps/api/src/mosaic-telemetry/prediction.service.ts
@@ -0,0 +1,161 @@
+import { Injectable, Logger, OnModuleInit } from "@nestjs/common";
+import {
+  TaskType,
+  Complexity,
+  Provider,
+  type PredictionQuery,
+  type PredictionResponse,
+} from "@mosaicstack/telemetry-client";
+import { MosaicTelemetryService } from "./mosaic-telemetry.service";
+
+/**
+ * Common model-provider combinations used for pre-fetching predictions.
+ * These represent the most frequently used LLM configurations.
+ */
+const COMMON_MODELS: { model: string; provider: Provider }[] = [
+  { model: "claude-sonnet-4-5", provider: Provider.ANTHROPIC },
+  { model: "claude-opus-4", provider: Provider.ANTHROPIC },
+  { model: "claude-haiku-4-5", provider: Provider.ANTHROPIC },
+  { model: "gpt-4o", provider: Provider.OPENAI },
+  { model: "gpt-4o-mini", provider: Provider.OPENAI },
+];
+
+/**
+ * Common task types to pre-fetch predictions for.
+ */
+const COMMON_TASK_TYPES: TaskType[] = [
+  TaskType.IMPLEMENTATION,
+  TaskType.PLANNING,
+  TaskType.CODE_REVIEW,
+];
+
+/**
+ * Common complexity levels to pre-fetch predictions for.
+ */
+const COMMON_COMPLEXITIES: Complexity[] = [Complexity.LOW, Complexity.MEDIUM];
+
+/**
+ * PredictionService
+ *
+ * Provides pre-task cost and token estimates using crowd-sourced prediction data
+ * from the Mosaic Telemetry server. Predictions are cached by the underlying SDK
+ * with a 6-hour TTL.
+ *
+ * This service is intentionally non-blocking: if predictions are unavailable
+ * (telemetry disabled, server unreachable, no data), all methods return null
+ * without throwing errors. Task execution should never be blocked by prediction
+ * failures.
+ *
+ * @example
+ * ```typescript
+ * const estimate = this.predictionService.getEstimate(
+ *   TaskType.IMPLEMENTATION,
+ *   "claude-sonnet-4-5",
+ *   Provider.ANTHROPIC,
+ *   Complexity.LOW,
+ * );
+ * if (estimate?.prediction) {
+ *   console.log(`Estimated cost: ${estimate.prediction.cost_usd_micros}`);
+ * }
+ * ```
+ */
+@Injectable()
+export class PredictionService implements OnModuleInit {
+  private readonly logger = new Logger(PredictionService.name);
+
+  constructor(private readonly telemetry: MosaicTelemetryService) {}
+
+  /**
+   * Refresh common predictions on startup.
+   * Runs asynchronously and never blocks module initialization.
+   */
+  onModuleInit(): void {
+    if (!this.telemetry.isEnabled) {
+      this.logger.log("Telemetry disabled - skipping prediction refresh");
+      return;
+    }
+
+    // Fire-and-forget: refresh in the background
+    this.refreshCommonPredictions().catch((error: unknown) => {
+      const msg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to refresh common predictions on startup: ${msg}`);
+    });
+  }
+
+  /**
+   * Get a cost/token estimate for a given task configuration.
+   *
+   * Returns the cached prediction from the SDK, or null if:
+   * - Telemetry is disabled
+   * - No prediction data exists for this combination
+   * - The prediction has expired
+   *
+   * @param taskType - The type of task to estimate
+   * @param model - The model name (e.g. "claude-sonnet-4-5")
+   * @param provider - The provider enum value
+   * @param complexity - The complexity level
+   * @returns Prediction response with estimates and confidence, or null
+   */
+  getEstimate(
+    taskType: TaskType,
+    model: string,
+    provider: Provider,
+    complexity: Complexity
+  ): PredictionResponse | null {
+    try {
+      const query: PredictionQuery = {
+        task_type: taskType,
+        model,
+        provider,
+        complexity,
+      };
+
+      return this.telemetry.getPrediction(query);
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to get prediction estimate: ${msg}`);
+      return null;
+    }
+  }
+
+  /**
+   * Refresh predictions for commonly used (taskType, model, provider, complexity) combinations.
+   *
+   * Generates the cross-product of common models, task types, and complexities,
+   * then batch-refreshes them from the telemetry server. The SDK caches the
+   * results with a 6-hour TTL.
+   *
+   * This method is safe to call at any time. If telemetry is disabled or the
+   * server is unreachable, it completes without error.
+   */
+  async refreshCommonPredictions(): Promise<void> {
+    if (!this.telemetry.isEnabled) {
+      return;
+    }
+
+    const queries: PredictionQuery[] = [];
+
+    for (const { model, provider } of COMMON_MODELS) {
+      for (const taskType of COMMON_TASK_TYPES) {
+        for (const complexity of COMMON_COMPLEXITIES) {
+          queries.push({
+            task_type: taskType,
+            model,
+            provider,
+            complexity,
+          });
+        }
+      }
+    }
+
+    this.logger.log(`Refreshing ${String(queries.length)} common prediction queries...`);
+
+    try {
+      await this.telemetry.refreshPredictions(queries);
+      this.logger.log(`Successfully refreshed ${String(queries.length)} predictions`);
+    } catch (error: unknown) {
+      const msg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to refresh predictions: ${msg}`);
+    }
+  }
+}
--- a/apps/api/src/prisma/prisma.service.spec.ts
+++ b/apps/api/src/prisma/prisma.service.spec.ts
@@ -156,7 +156,7 @@ describe("PrismaService", () => {
    it("should set workspace context variables in transaction", async () => {
      const userId = "user-123";
      const workspaceId = "workspace-456";
-      const executeRawSpy = vi.spyOn(service, "$executeRaw").mockResolvedValue(0);
+      vi.spyOn(service, "$executeRaw").mockResolvedValue(0);

      // Mock $transaction to execute the callback with a mock tx client
      const mockTx = {
@@ -195,7 +195,6 @@ describe("PrismaService", () => {
      };

      // Mock both methods at the same time to avoid spy issues
-      const originalSetContext = service.setWorkspaceContext.bind(service);
      const setContextCalls: [string, string, unknown][] = [];
      service.setWorkspaceContext = vi.fn().mockImplementation((uid, wid, tx) => {
        setContextCalls.push([uid, wid, tx]);
--- a/apps/api/src/prisma/prisma.service.ts
+++ b/apps/api/src/prisma/prisma.service.ts
@@ -3,6 +3,7 @@ import { PrismaClient } from "@prisma/client";
 import { VaultService } from "../vault/vault.service";
 import { createAccountEncryptionExtension } from "./account-encryption.extension";
 import { createLlmEncryptionExtension } from "./llm-encryption.extension";
+import { getRlsClient } from "./rls-context.provider";

 /**
 * Prisma service that manages database connection lifecycle
@@ -177,6 +178,13 @@ export class PrismaService extends PrismaClient implements OnModuleInit, OnModul
    workspaceId: string,
    fn: (tx: PrismaClient) => Promise<T>
  ): Promise<T> {
+    const rlsClient = getRlsClient();
+
+    if (rlsClient) {
+      await this.setWorkspaceContext(userId, workspaceId, rlsClient as unknown as PrismaClient);
+      return fn(rlsClient as unknown as PrismaClient);
+    }
+
    return this.$transaction(async (tx) => {
      await this.setWorkspaceContext(userId, workspaceId, tx as PrismaClient);
      return fn(tx as PrismaClient);
--- a/apps/api/src/speech/AGENTS.md
+++ b/apps/api/src/speech/AGENTS.md
@@ -0,0 +1,247 @@
+# speech — Agent Context
+
+> Part of the `apps/api/src` layer. Speech-to-text (STT) and text-to-speech (TTS) services.
+
+## Module Structure
+
+```
+speech/
+├── speech.module.ts           # NestJS module (conditional provider registration)
+├── speech.config.ts           # Environment validation + typed config (registerAs)
+├── speech.config.spec.ts      # 51 config validation tests
+├── speech.constants.ts        # NestJS injection tokens (STT_PROVIDER, TTS_PROVIDERS)
+├── speech.controller.ts       # REST endpoints (transcribe, synthesize, voices, health)
+├── speech.controller.spec.ts  # Controller tests
+├── speech.service.ts          # High-level service with fallback orchestration
+├── speech.service.spec.ts     # Service tests
+├── speech.gateway.ts          # WebSocket gateway (/speech namespace)
+├── speech.gateway.spec.ts     # Gateway tests
+├── dto/
+│   ├── transcribe.dto.ts      # Transcription request DTO (class-validator)
+│   ├── synthesize.dto.ts      # Synthesis request DTO (class-validator)
+│   └── index.ts               # Barrel export
+├── interfaces/
+│   ├── speech-types.ts        # Shared types (SpeechTier, AudioFormat, options, results)
+│   ├── stt-provider.interface.ts  # ISTTProvider contract
+│   ├── tts-provider.interface.ts  # ITTSProvider contract
+│   └── index.ts               # Barrel export
+├── pipes/
+│   ├── audio-validation.pipe.ts   # Validates uploaded audio (MIME type, size)
+│   ├── audio-validation.pipe.spec.ts
+│   ├── text-validation.pipe.ts    # Validates TTS text input (non-empty, max length)
+│   ├── text-validation.pipe.spec.ts
+│   └── index.ts               # Barrel export
+└── providers/
+    ├── base-tts.provider.ts       # Abstract base class (OpenAI SDK + common logic)
+    ├── base-tts.provider.spec.ts
+    ├── kokoro-tts.provider.ts     # Default tier (CPU, 53 voices, 8 languages)
+    ├── kokoro-tts.provider.spec.ts
+    ├── chatterbox-tts.provider.ts # Premium tier (GPU, voice cloning, emotion control)
+    ├── chatterbox-tts.provider.spec.ts
+    ├── piper-tts.provider.ts      # Fallback tier (CPU, lightweight, Raspberry Pi)
+    ├── piper-tts.provider.spec.ts
+    ├── speaches-stt.provider.ts   # STT provider (Whisper via Speaches)
+    ├── speaches-stt.provider.spec.ts
+    ├── tts-provider.factory.ts    # Factory: creates providers from config
+    └── tts-provider.factory.spec.ts
+```
+
+## Codebase Patterns
+
+### Provider Pattern (BaseTTSProvider + Factory)
+
+All TTS providers extend `BaseTTSProvider`:
+
+```typescript
+export class MyNewProvider extends BaseTTSProvider {
+  readonly name = "my-provider";
+  readonly tier: SpeechTier = "default"; // or "premium" or "fallback"
+
+  constructor(baseURL: string) {
+    super(baseURL, "default-voice-id", "mp3");
+  }
+
+  // Override listVoices() for custom voice catalog
+  override listVoices(): Promise<VoiceInfo[]> { ... }
+
+  // Override synthesize() only if non-standard API behavior is needed
+  // (see ChatterboxTTSProvider for example with extra body params)
+}
+```
+
+The base class handles:
+
+- OpenAI SDK client creation with custom `baseURL` and `apiKey: "not-needed"`
+- Standard `synthesize()` via `client.audio.speech.create()`
+- Default `listVoices()` returning just the default voice
+- `isHealthy()` via GET to the `/v1/models` endpoint
+
+### Config Pattern
+
+Config follows the existing pattern (`auth.config.ts`, `federation.config.ts`):
+
+- Export `isSttEnabled()`, `isTtsEnabled()`, etc. (boolean checks from env)
+- Export `validateSpeechConfig()` (called at module init, throws on missing required vars)
+- Export `getSpeechConfig()` (typed config object with defaults)
+- Export `speechConfig = registerAs("speech", ...)` for NestJS ConfigModule
+
+Boolean env parsing: `value === "true" || value === "1"`. No default-true.
+
+### Conditional Provider Registration
+
+In `speech.module.ts`:
+
+- STT provider uses `isSttEnabled()` at module definition time to decide whether to register
+- TTS providers use a factory function injected with `ConfigService`
+- `@Optional()` decorator on `SpeechService`'s `sttProvider` handles the case where STT is disabled
+
+### Injection Tokens
+
+```typescript
+// speech.constants.ts
+export const STT_PROVIDER = Symbol("STT_PROVIDER"); // ISTTProvider
+export const TTS_PROVIDERS = Symbol("TTS_PROVIDERS"); // Map<SpeechTier, ITTSProvider>
+```
+
+### Fallback Chain
+
+TTS fallback order: `premium` -> `default` -> `fallback`
+
+- Chain starts at the requested tier and goes downward
+- Only tiers that are both enabled AND have a registered provider are attempted
+- `ServiceUnavailableException` if all providers fail
+
+### WebSocket Gateway
+
+- Separate `/speech` namespace (not on the main gateway)
+- Authentication mirrors the main WS gateway pattern (token extraction from handshake)
+- One session per client, accumulates audio chunks in memory
+- Chunks concatenated and transcribed on `stop-transcription`
+- Session cleanup on disconnect
+
+## How to Add a New TTS Provider
+
+1. **Create the provider class** in `providers/`:
+
+```typescript
+// providers/my-tts.provider.ts
+import { BaseTTSProvider } from "./base-tts.provider";
+import type { SpeechTier } from "../interfaces/speech-types";
+
+export class MyTtsProvider extends BaseTTSProvider {
+  readonly name = "my-provider";
+  readonly tier: SpeechTier = "default"; // Choose tier
+
+  constructor(baseURL: string) {
+    super(baseURL, "default-voice", "mp3");
+  }
+
+  override listVoices(): Promise<VoiceInfo[]> {
+    // Return your voice catalog
+  }
+}
+```
+
+2. **Add env vars** to `speech.config.ts`:
+   - Add enabled check function
+   - Add URL to validation in `validateSpeechConfig()`
+   - Add config section in `getSpeechConfig()`
+
+3. **Register in factory** (`tts-provider.factory.ts`):
+
+```typescript
+if (config.tts.myTier.enabled) {
+  const provider = new MyTtsProvider(config.tts.myTier.url);
+  providers.set("myTier", provider);
+}
+```
+
+4. **Add env vars** to `.env.example`
+
+5. **Write tests** following existing patterns (mock OpenAI SDK, test synthesis + listVoices + isHealthy)
+
+## How to Add a New STT Provider
+
+1. **Implement `ISTTProvider`** (does not use a base class -- STT has only one implementation currently)
+2. **Add config section** similar to `stt` in `speech.config.ts`
+3. **Register** in `speech.module.ts` providers array with `STT_PROVIDER` token
+4. **Write tests** following `speaches-stt.provider.spec.ts` pattern
+
+## Common Gotchas
+
+- **OpenAI SDK `apiKey`**: Self-hosted services do not require an API key. Use `apiKey: "not-needed"` when creating the OpenAI client.
+- **`toFile()` import**: The `toFile` helper is imported from `"openai"` (not from a subpath). Used in the STT provider to convert Buffer to a File-like object for multipart upload.
+- **Health check URL**: `BaseTTSProvider.isHealthy()` calls `GET /v1/models`. The base URL is expected to end with `/v1`.
+- **Voice ID prefix parsing**: Kokoro voice IDs encode language + gender in first two characters. See `parseVoicePrefix()` in `kokoro-tts.provider.ts`.
+- **Chatterbox extra body params**: The `reference_audio` (base64) and `exaggeration` fields are passed via the OpenAI SDK by casting the request body. This works because the SDK passes through unknown fields.
+- **WebSocket auth**: The gateway checks `auth.token`, then `query.token`, then `Authorization` header (in that order). Match this in test setup.
+- **Config validation timing**: `validateSpeechConfig()` runs at module init (`onModuleInit`), not at provider construction. This means a misconfigured provider will fail at startup, not at first request.
+
+## Test Patterns
+
+### Mocking OpenAI SDK
+
+All provider tests mock the OpenAI SDK. Pattern:
+
+```typescript
+vi.mock("openai", () => ({
+  default: vi.fn().mockImplementation(() => ({
+    audio: {
+      speech: {
+        create: vi.fn().mockResolvedValue({
+          arrayBuffer: () => Promise.resolve(new ArrayBuffer(10)),
+        }),
+      },
+      transcriptions: {
+        create: vi.fn().mockResolvedValue({
+          text: "transcribed text",
+          language: "en",
+          duration: 3.5,
+        }),
+      },
+    },
+    models: { list: vi.fn().mockResolvedValue({ data: [] }) },
+  })),
+}));
+```
+
+### Mocking Config Injection
+
+```typescript
+const mockConfig: SpeechConfig = {
+  stt: { enabled: true, baseUrl: "http://test:8000/v1", model: "test-model", language: "en" },
+  tts: {
+    default: { enabled: true, url: "http://test:8880/v1", voice: "af_heart", format: "mp3" },
+    premium: { enabled: false, url: "" },
+    fallback: { enabled: false, url: "" },
+  },
+  limits: { maxUploadSize: 25000000, maxDurationSeconds: 600, maxTextLength: 4096 },
+};
+```
+
+### Config Test Pattern
+
+`speech.config.spec.ts` saves and restores `process.env` around each test:
+
+```typescript
+let savedEnv: NodeJS.ProcessEnv;
+beforeEach(() => {
+  savedEnv = { ...process.env };
+});
+afterEach(() => {
+  process.env = savedEnv;
+});
+```
+
+## Key Files
+
+| File                                | Purpose                                                                  |
+| ----------------------------------- | ------------------------------------------------------------------------ |
+| `speech.module.ts`                  | Module registration with conditional providers                           |
+| `speech.config.ts`                  | All speech env vars + validation (51 tests)                              |
+| `speech.service.ts`                 | Core service: transcribe, synthesize (with fallback), listVoices         |
+| `speech.controller.ts`              | REST endpoints: POST transcribe, POST synthesize, GET voices, GET health |
+| `speech.gateway.ts`                 | WebSocket streaming transcription (/speech namespace)                    |
+| `providers/base-tts.provider.ts`    | Abstract base for all TTS providers (OpenAI SDK wrapper)                 |
+| `providers/tts-provider.factory.ts` | Creates provider instances from config                                   |
+| `interfaces/speech-types.ts`        | All shared types: SpeechTier, AudioFormat, options, results              |
--- a/apps/api/src/speech/dto/index.ts
+++ b/apps/api/src/speech/dto/index.ts
@@ -0,0 +1,8 @@
+/**
+ * Speech DTOs barrel export
+ *
+ * Issue #398
+ */
+
+export { TranscribeDto } from "./transcribe.dto";
+export { SynthesizeDto } from "./synthesize.dto";
--- a/apps/api/src/speech/dto/synthesize.dto.ts
+++ b/apps/api/src/speech/dto/synthesize.dto.ts
@@ -0,0 +1,69 @@
+/**
+ * SynthesizeDto
+ *
+ * DTO for text-to-speech synthesis requests.
+ * Text and option fields are validated by class-validator decorators.
+ * Additional options control voice, speed, format, and tier selection.
+ *
+ * Issue #398
+ */
+
+import { IsString, IsOptional, IsNumber, IsIn, Min, Max, MaxLength } from "class-validator";
+import { Type } from "class-transformer";
+import { AUDIO_FORMATS, SPEECH_TIERS } from "../interfaces/speech-types";
+import type { AudioFormat, SpeechTier } from "../interfaces/speech-types";
+
+export class SynthesizeDto {
+  /**
+   * Text to convert to speech.
+   * Validated by class-validator decorators for type and maximum length.
+   */
+  @IsString({ message: "text must be a string" })
+  @MaxLength(4096, { message: "text must not exceed 4096 characters" })
+  text!: string;
+
+  /**
+   * Voice ID to use for synthesis.
+   * Available voices depend on the selected tier and provider.
+   * If omitted, the default voice from speech config is used.
+   */
+  @IsOptional()
+  @IsString({ message: "voice must be a string" })
+  @MaxLength(100, { message: "voice must not exceed 100 characters" })
+  voice?: string;
+
+  /**
+   * Speech speed multiplier (0.5 to 2.0).
+   * 1.0 is normal speed, <1.0 is slower, >1.0 is faster.
+   */
+  @IsOptional()
+  @Type(() => Number)
+  @IsNumber({}, { message: "speed must be a number" })
+  @Min(0.5, { message: "speed must be at least 0.5" })
+  @Max(2.0, { message: "speed must not exceed 2.0" })
+  speed?: number;
+
+  /**
+   * Desired audio output format.
+   * Supported: mp3, wav, opus, flac, aac, pcm.
+   * If omitted, the default format from speech config is used.
+   */
+  @IsOptional()
+  @IsString({ message: "format must be a string" })
+  @IsIn(AUDIO_FORMATS, {
+    message: `format must be one of: ${AUDIO_FORMATS.join(", ")}`,
+  })
+  format?: AudioFormat;
+
+  /**
+   * TTS tier to use for synthesis.
+   * Controls which provider is used: default (Kokoro), premium (Chatterbox), or fallback (Piper).
+   * If the selected tier is unavailable, the service falls back to the next available tier.
+   */
+  @IsOptional()
+  @IsString({ message: "tier must be a string" })
+  @IsIn(SPEECH_TIERS, {
+    message: `tier must be one of: ${SPEECH_TIERS.join(", ")}`,
+  })
+  tier?: SpeechTier;
+}
--- a/apps/api/src/speech/dto/transcribe.dto.ts
+++ b/apps/api/src/speech/dto/transcribe.dto.ts
@@ -0,0 +1,54 @@
+/**
+ * TranscribeDto
+ *
+ * DTO for speech-to-text transcription requests.
+ * Supports optional language and model overrides.
+ *
+ * The audio file itself is handled by Multer (FileInterceptor)
+ * and validated by AudioValidationPipe.
+ *
+ * Issue #398
+ */
+
+import { IsString, IsOptional, IsNumber, Min, Max, MaxLength } from "class-validator";
+import { Type } from "class-transformer";
+
+export class TranscribeDto {
+  /**
+   * Language code for transcription (e.g., "en", "fr", "de").
+   * If omitted, the default from speech config is used.
+   */
+  @IsOptional()
+  @IsString({ message: "language must be a string" })
+  @MaxLength(10, { message: "language must not exceed 10 characters" })
+  language?: string;
+
+  /**
+   * Model override for transcription.
+   * If omitted, the default model from speech config is used.
+   */
+  @IsOptional()
+  @IsString({ message: "model must be a string" })
+  @MaxLength(200, { message: "model must not exceed 200 characters" })
+  model?: string;
+
+  /**
+   * Optional prompt to guide the transcription model.
+   * Useful for providing context or expected vocabulary.
+   */
+  @IsOptional()
+  @IsString({ message: "prompt must be a string" })
+  @MaxLength(1000, { message: "prompt must not exceed 1000 characters" })
+  prompt?: string;
+
+  /**
+   * Temperature for transcription (0.0 to 1.0).
+   * Lower values produce more deterministic results.
+   */
+  @IsOptional()
+  @Type(() => Number)
+  @IsNumber({}, { message: "temperature must be a number" })
+  @Min(0, { message: "temperature must be at least 0" })
+  @Max(1, { message: "temperature must not exceed 1" })
+  temperature?: number;
+}
--- a/apps/api/src/speech/interfaces/index.ts
+++ b/apps/api/src/speech/interfaces/index.ts
@@ -0,0 +1,19 @@
+/**
+ * Speech interfaces barrel export.
+ *
+ * Issue #389
+ */
+
+export type { ISTTProvider } from "./stt-provider.interface";
+export type { ITTSProvider } from "./tts-provider.interface";
+export { SPEECH_TIERS, AUDIO_FORMATS } from "./speech-types";
+export type {
+  SpeechTier,
+  AudioFormat,
+  TranscribeOptions,
+  TranscriptionResult,
+  TranscriptionSegment,
+  SynthesizeOptions,
+  SynthesisResult,
+  VoiceInfo,
+} from "./speech-types";
--- a/apps/api/src/speech/interfaces/speech-types.ts
+++ b/apps/api/src/speech/interfaces/speech-types.ts
@@ -0,0 +1,178 @@
+/**
+ * Speech Types
+ *
+ * Shared types for speech-to-text (STT) and text-to-speech (TTS) services.
+ * Used by provider interfaces and the SpeechService.
+ *
+ * Issue #389
+ */
+
+// ==========================================
+// Enums / Discriminators
+// ==========================================
+
+/**
+ * Canonical array of TTS provider tiers.
+ * Determines which TTS engine is used for synthesis.
+ *
+ * - default: Primary TTS engine (e.g., Kokoro)
+ * - premium: Higher quality TTS engine (e.g., Chatterbox)
+ * - fallback: Backup TTS engine (e.g., Piper/OpenedAI)
+ */
+export const SPEECH_TIERS = ["default", "premium", "fallback"] as const;
+export type SpeechTier = (typeof SPEECH_TIERS)[number];
+
+/**
+ * Canonical array of audio output formats for TTS synthesis.
+ */
+export const AUDIO_FORMATS = ["mp3", "wav", "opus", "flac", "aac", "pcm"] as const;
+export type AudioFormat = (typeof AUDIO_FORMATS)[number];
+
+// ==========================================
+// STT Types
+// ==========================================
+
+/**
+ * Options for speech-to-text transcription.
+ */
+export interface TranscribeOptions {
+  /** Language code (e.g., "en", "fr", "de") */
+  language?: string;
+
+  /** Model to use for transcription */
+  model?: string;
+
+  /** MIME type of the audio (e.g., "audio/mp3", "audio/wav") */
+  mimeType?: string;
+
+  /** Optional prompt to guide transcription */
+  prompt?: string;
+
+  /** Temperature for transcription (0.0 - 1.0) */
+  temperature?: number;
+}
+
+/**
+ * Result of a speech-to-text transcription.
+ */
+export interface TranscriptionResult {
+  /** Transcribed text */
+  text: string;
+
+  /** Language detected or used */
+  language: string;
+
+  /** Duration of the audio in seconds */
+  durationSeconds?: number;
+
+  /** Confidence score (0.0 - 1.0, if available) */
+  confidence?: number;
+
+  /** Individual word or segment timings (if available) */
+  segments?: TranscriptionSegment[];
+}
+
+/**
+ * A segment within a transcription result.
+ */
+export interface TranscriptionSegment {
+  /** Segment text */
+  text: string;
+
+  /** Start time in seconds */
+  start: number;
+
+  /** End time in seconds */
+  end: number;
+
+  /** Confidence for this segment */
+  confidence?: number;
+}
+
+// ==========================================
+// TTS Types
+// ==========================================
+
+/**
+ * Options for text-to-speech synthesis.
+ */
+export interface SynthesizeOptions {
+  /** Voice ID to use */
+  voice?: string;
+
+  /** Desired audio format */
+  format?: AudioFormat;
+
+  /** Speech speed multiplier (0.5 - 2.0) */
+  speed?: number;
+
+  /** Preferred TTS tier */
+  tier?: SpeechTier;
+}
+
+/**
+ * Result of a text-to-speech synthesis.
+ */
+export interface SynthesisResult {
+  /** Synthesized audio data */
+  audio: Buffer;
+
+  /** Audio format of the result */
+  format: AudioFormat;
+
+  /** Voice used for synthesis */
+  voice: string;
+
+  /** Tier that produced the synthesis */
+  tier: SpeechTier;
+
+  /** Duration of the generated audio in seconds (if available) */
+  durationSeconds?: number;
+}
+
+/**
+ * Extended options for Chatterbox TTS synthesis.
+ *
+ * Chatterbox supports voice cloning via a reference audio buffer and
+ * emotion exaggeration control. These are passed as extra body parameters
+ * to the OpenAI-compatible API.
+ *
+ * Issue #394
+ */
+export interface ChatterboxSynthesizeOptions extends SynthesizeOptions {
+  /**
+   * Reference audio buffer for voice cloning.
+   * When provided, Chatterbox will clone the voice from this audio sample.
+   * Should be a WAV or MP3 file of 5-30 seconds for best results.
+   */
+  referenceAudio?: Buffer;
+
+  /**
+   * Emotion exaggeration factor (0.0 to 1.0).
+   * Controls how much emotional expression is applied to the synthesized speech.
+   * - 0.0: Neutral, minimal emotion
+   * - 0.5: Moderate emotion (default when not specified)
+   * - 1.0: Maximum emotion exaggeration
+   */
+  emotionExaggeration?: number;
+}
+
+/**
+ * Information about an available TTS voice.
+ */
+export interface VoiceInfo {
+  /** Voice identifier */
+  id: string;
+
+  /** Human-readable voice name */
+  name: string;
+
+  /** Language code */
+  language?: string;
+
+  /** Tier this voice belongs to */
+  tier: SpeechTier;
+
+  /** Whether this is the default voice for its tier */
+  isDefault?: boolean;
+}
--- a/apps/api/src/speech/interfaces/stt-provider.interface.ts
+++ b/apps/api/src/speech/interfaces/stt-provider.interface.ts
@@ -0,0 +1,52 @@
+/**
+ * STT Provider Interface
+ *
+ * Defines the contract for speech-to-text provider implementations.
+ * All STT providers (e.g., Speaches/faster-whisper) must implement this interface.
+ *
+ * Issue #389
+ */
+
+import type { TranscribeOptions, TranscriptionResult } from "./speech-types";
+
+/**
+ * Interface for speech-to-text providers.
+ *
+ * Implementations wrap an OpenAI-compatible API endpoint for transcription.
+ *
+ * @example
+ * ```typescript
+ * class SpeachesSttProvider implements ISTTProvider {
+ *   readonly name = "speaches";
+ *
+ *   async transcribe(audio: Buffer, options?: TranscribeOptions): Promise<TranscriptionResult> {
+ *     // Call speaches API via OpenAI SDK
+ *   }
+ *
+ *   async isHealthy(): Promise<boolean> {
+ *     // Check endpoint health
+ *   }
+ * }
+ * ```
+ */
+export interface ISTTProvider {
+  /** Provider name for logging and identification */
+  readonly name: string;
+
+  /**
+   * Transcribe audio data to text.
+   *
+   * @param audio - Raw audio data as a Buffer
+   * @param options - Optional transcription parameters
+   * @returns Transcription result with text and metadata
+   * @throws {Error} If transcription fails
+   */
+  transcribe(audio: Buffer, options?: TranscribeOptions): Promise<TranscriptionResult>;
+
+  /**
+   * Check if the provider is healthy and available.
+   *
+   * @returns true if the provider endpoint is reachable and ready
+   */
+  isHealthy(): Promise<boolean>;
+}
--- a/apps/api/src/speech/interfaces/tts-provider.interface.ts
+++ b/apps/api/src/speech/interfaces/tts-provider.interface.ts
@@ -0,0 +1,68 @@
+/**
+ * TTS Provider Interface
+ *
+ * Defines the contract for text-to-speech provider implementations.
+ * All TTS providers (e.g., Kokoro, Chatterbox, Piper/OpenedAI) must implement this interface.
+ *
+ * Issue #389
+ */
+
+import type { SynthesizeOptions, SynthesisResult, VoiceInfo, SpeechTier } from "./speech-types";
+
+/**
+ * Interface for text-to-speech providers.
+ *
+ * Implementations wrap an OpenAI-compatible API endpoint for speech synthesis.
+ * Each provider is associated with a SpeechTier (default, premium, fallback).
+ *
+ * @example
+ * ```typescript
+ * class KokoroProvider implements ITTSProvider {
+ *   readonly name = "kokoro";
+ *   readonly tier = "default";
+ *
+ *   async synthesize(text: string, options?: SynthesizeOptions): Promise<SynthesisResult> {
+ *     // Call Kokoro API via OpenAI SDK
+ *   }
+ *
+ *   async listVoices(): Promise<VoiceInfo[]> {
+ *     // Return available voices
+ *   }
+ *
+ *   async isHealthy(): Promise<boolean> {
+ *     // Check endpoint health
+ *   }
+ * }
+ * ```
+ */
+export interface ITTSProvider {
+  /** Provider name for logging and identification */
+  readonly name: string;
+
+  /** Tier this provider serves (default, premium, fallback) */
+  readonly tier: SpeechTier;
+
+  /**
+   * Synthesize text to audio.
+   *
+   * @param text - Text to convert to speech
+   * @param options - Optional synthesis parameters (voice, format, speed)
+   * @returns Synthesis result with audio buffer and metadata
+   * @throws {Error} If synthesis fails
+   */
+  synthesize(text: string, options?: SynthesizeOptions): Promise<SynthesisResult>;
+
+  /**
+   * List available voices for this provider.
+   *
+   * @returns Array of voice information objects
+   */
+  listVoices(): Promise<VoiceInfo[]>;
+
+  /**
+   * Check if the provider is healthy and available.
+   *
+   * @returns true if the provider endpoint is reachable and ready
+   */
+  isHealthy(): Promise<boolean>;
+}
--- a/apps/api/src/speech/pipes/audio-validation.pipe.spec.ts
+++ b/apps/api/src/speech/pipes/audio-validation.pipe.spec.ts
@@ -0,0 +1,205 @@
+/**
+ * AudioValidationPipe Tests
+ *
+ * Issue #398: Validates uploaded audio files for MIME type and file size.
+ * Tests cover valid types, invalid types, size limits, and edge cases.
+ */
+
+import { describe, it, expect, beforeEach } from "vitest";
+import { BadRequestException } from "@nestjs/common";
+import { AudioValidationPipe } from "./audio-validation.pipe";
+
+/**
+ * Helper to create a mock Express.Multer.File object.
+ */
+function createMockFile(overrides: Partial<Express.Multer.File> = {}): Express.Multer.File {
+  return {
+    fieldname: "file",
+    originalname: "test.mp3",
+    encoding: "7bit",
+    mimetype: "audio/mpeg",
+    size: 1024,
+    destination: "",
+    filename: "",
+    path: "",
+    buffer: Buffer.from("fake-audio-data"),
+    stream: undefined as never,
+    ...overrides,
+  };
+}
+
+describe("AudioValidationPipe", () => {
+  // ==========================================
+  // Default config (25MB max)
+  // ==========================================
+  describe("with default config", () => {
+    let pipe: AudioValidationPipe;
+
+    beforeEach(() => {
+      pipe = new AudioValidationPipe();
+    });
+
+    // ==========================================
+    // MIME type validation
+    // ==========================================
+    describe("MIME type validation", () => {
+      it("should accept audio/wav", () => {
+        const file = createMockFile({ mimetype: "audio/wav" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/mp3", () => {
+        const file = createMockFile({ mimetype: "audio/mp3" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/mpeg", () => {
+        const file = createMockFile({ mimetype: "audio/mpeg" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/webm", () => {
+        const file = createMockFile({ mimetype: "audio/webm" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/ogg", () => {
+        const file = createMockFile({ mimetype: "audio/ogg" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/flac", () => {
+        const file = createMockFile({ mimetype: "audio/flac" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept audio/x-m4a", () => {
+        const file = createMockFile({ mimetype: "audio/x-m4a" });
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should reject unsupported MIME types with descriptive error", () => {
+        const file = createMockFile({ mimetype: "video/mp4" });
+        expect(() => pipe.transform(file)).toThrow(BadRequestException);
+        expect(() => pipe.transform(file)).toThrow(/Unsupported audio format.*video\/mp4/);
+      });
+
+      it("should reject application/octet-stream", () => {
+        const file = createMockFile({ mimetype: "application/octet-stream" });
+        expect(() => pipe.transform(file)).toThrow(BadRequestException);
+      });
+
+      it("should reject text/plain", () => {
+        const file = createMockFile({ mimetype: "text/plain" });
+        expect(() => pipe.transform(file)).toThrow(BadRequestException);
+      });
+
+      it("should reject image/png", () => {
+        const file = createMockFile({ mimetype: "image/png" });
+        expect(() => pipe.transform(file)).toThrow(BadRequestException);
+      });
+
+      it("should include supported formats in error message", () => {
+        const file = createMockFile({ mimetype: "video/mp4" });
+        try {
+          pipe.transform(file);
+          expect.fail("Expected BadRequestException");
+        } catch (error) {
+          expect(error).toBeInstanceOf(BadRequestException);
+          const response = (error as BadRequestException).getResponse();
+          const message =
+            typeof response === "string" ? response : (response as Record<string, unknown>).message;
+          expect(message).toContain("audio/wav");
+          expect(message).toContain("audio/mpeg");
+        }
+      });
+    });
+
+    // ==========================================
+    // File size validation
+    // ==========================================
+    describe("file size validation", () => {
+      it("should accept files under the size limit", () => {
+        const file = createMockFile({ size: 1024 * 1024 }); // 1MB
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should accept files exactly at the size limit", () => {
+        const file = createMockFile({ size: 25_000_000 }); // 25MB (default)
+        expect(pipe.transform(file)).toBe(file);
+      });
+
+      it("should reject files exceeding the size limit", () => {
+        const file = createMockFile({ size: 25_000_001 }); // 1 byte over
+        expect(() => pipe.transform(file)).toThrow(BadRequestException);
+        expect(() => pipe.transform(file)).toThrow(/exceeds maximum/);
+      });
+
+      it("should include human-readable sizes in error message", () => {
+        const file = createMockFile({ size: 30_000_000 }); // 30MB
+        try {
+          pipe.transform(file);
+          expect.fail("Expected BadRequestException");
+        } catch (error) {
+          expect(error).toBeInstanceOf(BadRequestException);
+          const response = (error as BadRequestException).getResponse();
+          const message =
+            typeof response === "string" ? response : (response as Record<string, unknown>).message;
+          // Should show something like "28.6 MB" and "23.8 MB"
+          expect(message).toContain("MB");
+        }
+      });
+
+      it("should accept zero-size files (MIME check still applies)", () => {
+        const file = createMockFile({ size: 0 });
+        expect(pipe.transform(file)).toBe(file);
+      });
+    });
+
+    // ==========================================
+    // Edge cases
+    // ==========================================
+    describe("edge cases", () => {
+      it("should throw if no file is provided (null)", () => {
+        expect(() => pipe.transform(null as unknown as Express.Multer.File)).toThrow(
+          BadRequestException
+        );
+        expect(() => pipe.transform(null as unknown as Express.Multer.File)).toThrow(
+          /No audio file provided/
+        );
+      });
+
+      it("should throw if no file is provided (undefined)", () => {
+        expect(() => pipe.transform(undefined as unknown as Express.Multer.File)).toThrow(
+          BadRequestException
+        );
+      });
+    });
+  });
+
+  // ==========================================
+  // Custom config
+  // ==========================================
+  describe("with custom config", () => {
+    it("should use custom max file size", () => {
+      const pipe = new AudioValidationPipe({ maxFileSize: 1_000_000 }); // 1MB
+      const smallFile = createMockFile({ size: 500_000 });
+      expect(pipe.transform(smallFile)).toBe(smallFile);
+
+      const largeFile = createMockFile({ size: 1_000_001 });
+      expect(() => pipe.transform(largeFile)).toThrow(BadRequestException);
+    });
+
+    it("should allow overriding accepted MIME types", () => {
+      const pipe = new AudioValidationPipe({
+        allowedMimeTypes: ["audio/wav"],
+      });
+
+      const wavFile = createMockFile({ mimetype: "audio/wav" });
+      expect(pipe.transform(wavFile)).toBe(wavFile);
+
+      const mp3File = createMockFile({ mimetype: "audio/mpeg" });
+      expect(() => pipe.transform(mp3File)).toThrow(BadRequestException);
+    });
+  });
+});
--- a/apps/api/src/speech/pipes/audio-validation.pipe.ts
+++ b/apps/api/src/speech/pipes/audio-validation.pipe.ts
@@ -0,0 +1,102 @@
+/**
+ * AudioValidationPipe
+ *
+ * NestJS PipeTransform that validates uploaded audio files.
+ * Checks MIME type against an allow-list and file size against a configurable maximum.
+ *
+ * Usage:
+ * ```typescript
+ * @Post('transcribe')
+ * @UseInterceptors(FileInterceptor('file'))
+ * async transcribe(
+ *   @UploadedFile(new AudioValidationPipe()) file: Express.Multer.File,
+ * ) { ... }
+ * ```
+ *
+ * Issue #398
+ */
+
+import { BadRequestException } from "@nestjs/common";
+import type { PipeTransform } from "@nestjs/common";
+
+/**
+ * Default accepted MIME types for audio uploads.
+ */
+const DEFAULT_ALLOWED_MIME_TYPES: readonly string[] = [
+  "audio/wav",
+  "audio/mp3",
+  "audio/mpeg",
+  "audio/webm",
+  "audio/ogg",
+  "audio/flac",
+  "audio/x-m4a",
+] as const;
+
+/**
+ * Default maximum upload size in bytes (25 MB).
+ */
+const DEFAULT_MAX_FILE_SIZE = 25_000_000;
+
+/**
+ * Options for customizing AudioValidationPipe behavior.
+ */
+export interface AudioValidationPipeOptions {
+  /** Maximum file size in bytes. Defaults to 25 MB. */
+  maxFileSize?: number;
+
+  /** List of accepted MIME types. Defaults to common audio formats. */
+  allowedMimeTypes?: string[];
+}
+
+/**
+ * Format bytes into a human-readable string (e.g., "25.0 MB").
+ */
+function formatBytes(bytes: number): string {
+  if (bytes < 1024) {
+    return `${String(bytes)} B`;
+  }
+  if (bytes < 1024 * 1024) {
+    return `${(bytes / 1024).toFixed(1)} KB`;
+  }
+  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+
+export class AudioValidationPipe implements PipeTransform<Express.Multer.File | undefined> {
+  private readonly maxFileSize: number;
+  private readonly allowedMimeTypes: readonly string[];
+
+  constructor(options?: AudioValidationPipeOptions) {
+    this.maxFileSize = options?.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+    this.allowedMimeTypes = options?.allowedMimeTypes ?? DEFAULT_ALLOWED_MIME_TYPES;
+  }
+
+  /**
+   * Validate the uploaded file's MIME type and size.
+   *
+   * @param file - The uploaded file from Multer
+   * @returns The validated file, unchanged
+   * @throws {BadRequestException} If the file is missing, has an unsupported MIME type, or exceeds the size limit
+   */
+  transform(file: Express.Multer.File | undefined): Express.Multer.File {
+    if (!file) {
+      throw new BadRequestException("No audio file provided");
+    }
+
+    // Validate MIME type
+    if (!this.allowedMimeTypes.includes(file.mimetype)) {
+      throw new BadRequestException(
+        `Unsupported audio format: ${file.mimetype}. ` +
+          `Supported formats: ${this.allowedMimeTypes.join(", ")}`
+      );
+    }
+
+    // Validate file size
+    if (file.size > this.maxFileSize) {
+      throw new BadRequestException(
+        `File size ${formatBytes(file.size)} exceeds maximum allowed size of ${formatBytes(this.maxFileSize)}`
+      );
+    }
+
+    return file;
+  }
+}
--- a/apps/api/src/speech/pipes/index.ts
+++ b/apps/api/src/speech/pipes/index.ts
@@ -0,0 +1,10 @@
+/**
+ * Speech Pipes barrel export
+ *
+ * Issue #398
+ */
+
+export { AudioValidationPipe } from "./audio-validation.pipe";
+export type { AudioValidationPipeOptions } from "./audio-validation.pipe";
+export { TextValidationPipe } from "./text-validation.pipe";
+export type { TextValidationPipeOptions } from "./text-validation.pipe";
--- a/apps/api/src/speech/pipes/text-validation.pipe.spec.ts
+++ b/apps/api/src/speech/pipes/text-validation.pipe.spec.ts
@@ -0,0 +1,136 @@
+/**
+ * TextValidationPipe Tests
+ *
+ * Issue #398: Validates text input for TTS synthesis.
+ * Tests cover text length, empty text, whitespace, and configurable limits.
+ */
+
+import { describe, it, expect, beforeEach } from "vitest";
+import { BadRequestException } from "@nestjs/common";
+import { TextValidationPipe } from "./text-validation.pipe";
+
+describe("TextValidationPipe", () => {
+  // ==========================================
+  // Default config (4096 max length)
+  // ==========================================
+  describe("with default config", () => {
+    let pipe: TextValidationPipe;
+
+    beforeEach(() => {
+      pipe = new TextValidationPipe();
+    });
+
+    // ==========================================
+    // Valid text
+    // ==========================================
+    describe("valid text", () => {
+      it("should accept normal text", () => {
+        const text = "Hello, world!";
+        expect(pipe.transform(text)).toBe(text);
+      });
+
+      it("should accept text at exactly the max length", () => {
+        const text = "a".repeat(4096);
+        expect(pipe.transform(text)).toBe(text);
+      });
+
+      it("should accept single character text", () => {
+        expect(pipe.transform("a")).toBe("a");
+      });
+
+      it("should accept text with unicode characters", () => {
+        const text = "Hello, world! 你好世界";
+        expect(pipe.transform(text)).toBe(text);
+      });
+
+      it("should accept multi-line text", () => {
+        const text = "Line one.\nLine two.\nLine three.";
+        expect(pipe.transform(text)).toBe(text);
+      });
+    });
+
+    // ==========================================
+    // Text length validation
+    // ==========================================
+    describe("text length validation", () => {
+      it("should reject text exceeding max length", () => {
+        const text = "a".repeat(4097);
+        expect(() => pipe.transform(text)).toThrow(BadRequestException);
+        expect(() => pipe.transform(text)).toThrow(/exceeds maximum/);
+      });
+
+      it("should include length details in error message", () => {
+        const text = "a".repeat(5000);
+        try {
+          pipe.transform(text);
+          expect.fail("Expected BadRequestException");
+        } catch (error) {
+          expect(error).toBeInstanceOf(BadRequestException);
+          const response = (error as BadRequestException).getResponse();
+          const message =
+            typeof response === "string" ? response : (response as Record<string, unknown>).message;
+          expect(message).toContain("5000");
+          expect(message).toContain("4096");
+        }
+      });
+    });
+
+    // ==========================================
+    // Empty text validation
+    // ==========================================
+    describe("empty text validation", () => {
+      it("should reject empty string", () => {
+        expect(() => pipe.transform("")).toThrow(BadRequestException);
+        expect(() => pipe.transform("")).toThrow(/Text cannot be empty/);
+      });
+
+      it("should reject whitespace-only string", () => {
+        expect(() => pipe.transform("   ")).toThrow(BadRequestException);
+        expect(() => pipe.transform("   ")).toThrow(/Text cannot be empty/);
+      });
+
+      it("should reject tabs and newlines only", () => {
+        expect(() => pipe.transform("\t\n\r")).toThrow(BadRequestException);
+      });
+
+      it("should reject null", () => {
+        expect(() => pipe.transform(null as unknown as string)).toThrow(BadRequestException);
+      });
+
+      it("should reject undefined", () => {
+        expect(() => pipe.transform(undefined as unknown as string)).toThrow(BadRequestException);
+      });
+    });
+
+    // ==========================================
+    // Text with leading/trailing whitespace
+    // ==========================================
+    describe("whitespace handling", () => {
+      it("should accept text with leading/trailing whitespace (preserves it)", () => {
+        const text = "  Hello, world!  ";
+        expect(pipe.transform(text)).toBe(text);
+      });
+    });
+  });
+
+  // ==========================================
+  // Custom config
+  // ==========================================
+  describe("with custom config", () => {
+    it("should use custom max text length", () => {
+      const pipe = new TextValidationPipe({ maxTextLength: 100 });
+
+      const shortText = "Hello";
+      expect(pipe.transform(shortText)).toBe(shortText);
+
+      const longText = "a".repeat(101);
+      expect(() => pipe.transform(longText)).toThrow(BadRequestException);
+    });
+
+    it("should accept text at exact custom limit", () => {
+      const pipe = new TextValidationPipe({ maxTextLength: 50 });
+      const text = "a".repeat(50);
+      expect(pipe.transform(text)).toBe(text);
+    });
+  });
+});
--- a/apps/api/src/speech/pipes/text-validation.pipe.ts
+++ b/apps/api/src/speech/pipes/text-validation.pipe.ts
@@ -0,0 +1,65 @@
+/**
+ * TextValidationPipe
+ *
+ * NestJS PipeTransform that validates text input for TTS synthesis.
+ * Checks that text is non-empty and within the configurable maximum length.
+ *
+ * Usage:
+ * ```typescript
+ * @Post('synthesize')
+ * async synthesize(
+ *   @Body('text', new TextValidationPipe()) text: string,
+ * ) { ... }
+ * ```
+ *
+ * Issue #398
+ */
+
+import { BadRequestException } from "@nestjs/common";
+import type { PipeTransform } from "@nestjs/common";
+
+/**
+ * Default maximum text length for TTS input (4096 characters).
+ */
+const DEFAULT_MAX_TEXT_LENGTH = 4096;
+
+/**
+ * Options for customizing TextValidationPipe behavior.
+ */
+export interface TextValidationPipeOptions {
+  /** Maximum text length in characters. Defaults to 4096. */
+  maxTextLength?: number;
+}
+
+export class TextValidationPipe implements PipeTransform<string | null | undefined> {
+  private readonly maxTextLength: number;
+
+  constructor(options?: TextValidationPipeOptions) {
+    this.maxTextLength = options?.maxTextLength ?? DEFAULT_MAX_TEXT_LENGTH;
+  }
+
+  /**
+   * Validate the text input for TTS synthesis.
+   *
+   * @param text - The text to validate
+   * @returns The validated text, unchanged
+   * @throws {BadRequestException} If text is empty, whitespace-only, or exceeds the max length
+   */
+  transform(text: string | null | undefined): string {
+    if (text === null || text === undefined) {
+      throw new BadRequestException("Text cannot be empty");
+    }
+
+    if (text.trim().length === 0) {
+      throw new BadRequestException("Text cannot be empty");
+    }
+
+    if (text.length > this.maxTextLength) {
+      throw new BadRequestException(
+        `Text length ${String(text.length)} exceeds maximum allowed length of ${String(this.maxTextLength)} characters`
+      );
+    }
+
+    return text;
+  }
+}
--- a/apps/api/src/speech/providers/base-tts.provider.spec.ts
+++ b/apps/api/src/speech/providers/base-tts.provider.spec.ts
@@ -0,0 +1,329 @@
+/**
+ * BaseTTSProvider Unit Tests
+ *
+ * Tests the abstract base class for OpenAI-compatible TTS providers.
+ * Uses a concrete test implementation to exercise the base class logic.
+ *
+ * Issue #391
+ */
+
+import { describe, it, expect, beforeEach, vi, type Mock } from "vitest";
+import { BaseTTSProvider } from "./base-tts.provider";
+import type { SpeechTier, SynthesizeOptions, AudioFormat } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+const mockCreate = vi.fn();
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      speech: {
+        create: mockCreate,
+      },
+    };
+  }
+  return { default: MockOpenAI };
+});
+
+// ==========================================
+// Concrete test implementation
+// ==========================================
+
+class TestTTSProvider extends BaseTTSProvider {
+  readonly name = "test-provider";
+  readonly tier: SpeechTier = "default";
+
+  constructor(baseURL: string, defaultVoice?: string, defaultFormat?: AudioFormat) {
+    super(baseURL, defaultVoice, defaultFormat);
+  }
+}
+
+// ==========================================
+// Test helpers
+// ==========================================
+
+/**
+ * Create a mock Response-like object that mimics OpenAI SDK's audio.speech.create() return.
+ * The OpenAI SDK returns a Response object with arrayBuffer() method.
+ */
+function createMockAudioResponse(audioData: Uint8Array): { arrayBuffer: Mock } {
+  return {
+    arrayBuffer: vi.fn().mockResolvedValue(audioData.buffer),
+  };
+}
+
+describe("BaseTTSProvider", () => {
+  let provider: TestTTSProvider;
+
+  const testBaseURL = "http://localhost:8880/v1";
+  const testVoice = "af_heart";
+  const testFormat: AudioFormat = "mp3";
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    provider = new TestTTSProvider(testBaseURL, testVoice, testFormat);
+  });
+
+  // ==========================================
+  // Constructor
+  // ==========================================
+
+  describe("constructor", () => {
+    it("should create an instance with provided configuration", () => {
+      expect(provider).toBeDefined();
+      expect(provider.name).toBe("test-provider");
+      expect(provider.tier).toBe("default");
+    });
+
+    it("should use default voice 'alloy' when none provided", () => {
+      const defaultProvider = new TestTTSProvider(testBaseURL);
+      expect(defaultProvider).toBeDefined();
+    });
+
+    it("should use default format 'mp3' when none provided", () => {
+      const defaultProvider = new TestTTSProvider(testBaseURL, "voice-1");
+      expect(defaultProvider).toBeDefined();
+    });
+  });
+
+  // ==========================================
+  // synthesize()
+  // ==========================================
+
+  describe("synthesize", () => {
+    it("should synthesize text and return a SynthesisResult with audio buffer", async () => {
+      const audioBytes = new Uint8Array([0x49, 0x44, 0x33, 0x04, 0x00]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const result = await provider.synthesize("Hello, world!");
+
+      expect(result).toBeDefined();
+      expect(result.audio).toBeInstanceOf(Buffer);
+      expect(result.audio.length).toBe(audioBytes.length);
+      expect(result.format).toBe("mp3");
+      expect(result.voice).toBe("af_heart");
+      expect(result.tier).toBe("default");
+    });
+
+    it("should pass correct parameters to OpenAI SDK", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await provider.synthesize("Test text");
+
+      expect(mockCreate).toHaveBeenCalledWith({
+        model: "tts-1",
+        input: "Test text",
+        voice: "af_heart",
+        response_format: "mp3",
+        speed: 1.0,
+      });
+    });
+
+    it("should use custom voice from options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: SynthesizeOptions = { voice: "custom_voice" };
+      const result = await provider.synthesize("Hello", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ voice: "custom_voice" }));
+      expect(result.voice).toBe("custom_voice");
+    });
+
+    it("should use custom format from options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: SynthesizeOptions = { format: "wav" };
+      const result = await provider.synthesize("Hello", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ response_format: "wav" }));
+      expect(result.format).toBe("wav");
+    });
+
+    it("should use custom speed from options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: SynthesizeOptions = { speed: 1.5 };
+      await provider.synthesize("Hello", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ speed: 1.5 }));
+    });
+
+    it("should throw an error when synthesis fails", async () => {
+      mockCreate.mockRejectedValue(new Error("Connection refused"));
+
+      await expect(provider.synthesize("Hello")).rejects.toThrow(
+        "TTS synthesis failed for test-provider: Connection refused"
+      );
+    });
+
+    it("should throw an error when response arrayBuffer fails", async () => {
+      const mockResponse = {
+        arrayBuffer: vi.fn().mockRejectedValue(new Error("Read error")),
+      };
+      mockCreate.mockResolvedValue(mockResponse);
+
+      await expect(provider.synthesize("Hello")).rejects.toThrow(
+        "TTS synthesis failed for test-provider: Read error"
+      );
+    });
+
+    it("should handle empty text input gracefully", async () => {
+      const audioBytes = new Uint8Array([]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const result = await provider.synthesize("");
+
+      expect(result.audio).toBeInstanceOf(Buffer);
+      expect(result.audio.length).toBe(0);
+    });
+
+    it("should handle non-Error exceptions", async () => {
+      mockCreate.mockRejectedValue("string error");
+
+      await expect(provider.synthesize("Hello")).rejects.toThrow(
+        "TTS synthesis failed for test-provider: string error"
+      );
+    });
+  });
+
+  // ==========================================
+  // listVoices()
+  // ==========================================
+
+  describe("listVoices", () => {
+    it("should return default voice list with the configured default voice", async () => {
+      const voices = await provider.listVoices();
+
+      expect(voices).toBeInstanceOf(Array);
+      expect(voices.length).toBeGreaterThan(0);
+
+      const defaultVoice = voices.find((v) => v.isDefault === true);
+      expect(defaultVoice).toBeDefined();
+      expect(defaultVoice?.id).toBe("af_heart");
+      expect(defaultVoice?.tier).toBe("default");
+    });
+
+    it("should set tier correctly on all returned voices", async () => {
+      const voices = await provider.listVoices();
+
+      for (const voice of voices) {
+        expect(voice.tier).toBe("default");
+      }
+    });
+  });
+
+  // ==========================================
+  // isHealthy()
+  // ==========================================
+
+  describe("isHealthy", () => {
+    it("should return true when the TTS server is reachable", async () => {
+      // Mock global fetch for health check
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        status: 200,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(true);
+      expect(mockFetch).toHaveBeenCalled();
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should return false when the TTS server is unreachable", async () => {
+      const mockFetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(false);
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should return false when the TTS server returns an error status", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 503,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(false);
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should use the base URL for the health check", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({ ok: true, status: 200 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      await provider.isHealthy();
+
+      // Should call a health-related endpoint at the base URL
+      const calledUrl = mockFetch.mock.calls[0][0] as string;
+      expect(calledUrl).toContain("localhost:8880");
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should set a timeout for the health check", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({ ok: true, status: 200 });
+      vi.stubGlobal("fetch", mockFetch);
+
+      await provider.isHealthy();
+
+      // Should pass an AbortSignal for timeout
+      const fetchOptions = mockFetch.mock.calls[0][1] as RequestInit;
+      expect(fetchOptions.signal).toBeDefined();
+
+      vi.unstubAllGlobals();
+    });
+  });
+
+  // ==========================================
+  // Default values
+  // ==========================================
+
+  describe("default values", () => {
+    it("should use 'alloy' as default voice when none specified", async () => {
+      const defaultProvider = new TestTTSProvider(testBaseURL);
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await defaultProvider.synthesize("Hello");
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ voice: "alloy" }));
+    });
+
+    it("should use 'mp3' as default format when none specified", async () => {
+      const defaultProvider = new TestTTSProvider(testBaseURL);
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await defaultProvider.synthesize("Hello");
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ response_format: "mp3" }));
+    });
+
+    it("should use speed 1.0 as default speed", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await provider.synthesize("Hello");
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ speed: 1.0 }));
+    });
+  });
+});
--- a/apps/api/src/speech/providers/base-tts.provider.ts
+++ b/apps/api/src/speech/providers/base-tts.provider.ts
@@ -0,0 +1,189 @@
+/**
+ * Base TTS Provider
+ *
+ * Abstract base class implementing common OpenAI-compatible TTS logic.
+ * All concrete TTS providers (Kokoro, Chatterbox, Piper) extend this class.
+ *
+ * Uses the OpenAI SDK with a configurable baseURL to communicate with
+ * OpenAI-compatible speech synthesis endpoints.
+ *
+ * Issue #391
+ */
+
+import { Logger } from "@nestjs/common";
+import OpenAI from "openai";
+import type { ITTSProvider } from "../interfaces/tts-provider.interface";
+import type {
+  SpeechTier,
+  SynthesizeOptions,
+  SynthesisResult,
+  VoiceInfo,
+  AudioFormat,
+} from "../interfaces/speech-types";
+
+/** Default TTS model identifier used for OpenAI-compatible APIs */
+const DEFAULT_MODEL = "tts-1";
+
+/** Default voice when none is configured */
+const DEFAULT_VOICE = "alloy";
+
+/** Default audio format */
+const DEFAULT_FORMAT: AudioFormat = "mp3";
+
+/** Default speech speed multiplier */
+const DEFAULT_SPEED = 1.0;
+
+/** Health check timeout in milliseconds */
+const HEALTH_CHECK_TIMEOUT_MS = 5000;
+
+/**
+ * Abstract base class for OpenAI-compatible TTS providers.
+ *
+ * Provides common logic for:
+ * - Synthesizing text to audio via OpenAI SDK's audio.speech.create()
+ * - Listing available voices (with a default implementation)
+ * - Health checking the TTS endpoint
+ *
+ * Subclasses must set `name` and `tier` properties and may override
+ * `listVoices()` to provide provider-specific voice lists.
+ *
+ * @example
+ * ```typescript
+ * class KokoroProvider extends BaseTTSProvider {
+ *   readonly name = "kokoro";
+ *   readonly tier: SpeechTier = "default";
+ *
+ *   constructor(baseURL: string) {
+ *     super(baseURL, "af_heart", "mp3");
+ *   }
+ * }
+ * ```
+ */
+export abstract class BaseTTSProvider implements ITTSProvider {
+  abstract readonly name: string;
+  abstract readonly tier: SpeechTier;
+
+  protected readonly logger: Logger;
+  protected readonly client: OpenAI;
+  protected readonly baseURL: string;
+  protected readonly defaultVoice: string;
+  protected readonly defaultFormat: AudioFormat;
+
+  /**
+   * Create a new BaseTTSProvider.
+   *
+   * @param baseURL - The base URL for the OpenAI-compatible TTS endpoint
+   * @param defaultVoice - Default voice ID to use when none is specified in options
+   * @param defaultFormat - Default audio format to use when none is specified in options
+   */
+  constructor(
+    baseURL: string,
+    defaultVoice: string = DEFAULT_VOICE,
+    defaultFormat: AudioFormat = DEFAULT_FORMAT
+  ) {
+    this.baseURL = baseURL;
+    this.defaultVoice = defaultVoice;
+    this.defaultFormat = defaultFormat;
+    this.logger = new Logger(this.constructor.name);
+
+    this.client = new OpenAI({
+      baseURL,
+      apiKey: "not-needed", // Self-hosted services don't require an API key
+    });
+  }
+
+  /**
+   * Synthesize text to audio using the OpenAI-compatible TTS endpoint.
+   *
+   * Calls `client.audio.speech.create()` with the provided text and options,
+   * then converts the response to a Buffer.
+   *
+   * @param text - Text to convert to speech
+   * @param options - Optional synthesis parameters (voice, format, speed)
+   * @returns Synthesis result with audio buffer and metadata
+   * @throws {Error} If synthesis fails
+   */
+  async synthesize(text: string, options?: SynthesizeOptions): Promise<SynthesisResult> {
+    const voice = options?.voice ?? this.defaultVoice;
+    const format = options?.format ?? this.defaultFormat;
+    const speed = options?.speed ?? DEFAULT_SPEED;
+
+    try {
+      const response = await this.client.audio.speech.create({
+        model: DEFAULT_MODEL,
+        input: text,
+        voice,
+        response_format: format,
+        speed,
+      });
+
+      const arrayBuffer = await response.arrayBuffer();
+      const audio = Buffer.from(arrayBuffer);
+
+      return {
+        audio,
+        format,
+        voice,
+        tier: this.tier,
+      };
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.error(`TTS synthesis failed: ${message}`);
+      throw new Error(`TTS synthesis failed for ${this.name}: ${message}`);
+    }
+  }
+
+  /**
+   * List available voices for this provider.
+   *
+   * Default implementation returns the configured default voice.
+   * Subclasses should override this to provide a full voice list
+   * from their specific TTS engine.
+   *
+   * @returns Array of voice information objects
+   */
+  listVoices(): Promise<VoiceInfo[]> {
+    return Promise.resolve([
+      {
+        id: this.defaultVoice,
+        name: this.defaultVoice,
+        tier: this.tier,
+        isDefault: true,
+      },
+    ]);
+  }
+
+  /**
+   * Check if the TTS server is reachable and healthy.
+   *
+   * Performs a simple HTTP request to the base URL's models endpoint
+   * to verify the server is running and responding.
+   *
+   * @returns true if the server is reachable, false otherwise
+   */
+  async isHealthy(): Promise<boolean> {
+    try {
+      // Extract the base URL without the /v1 path for health checking
+      const healthUrl = this.baseURL.replace(/\/v1\/?$/, "/v1/models");
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => {
+        controller.abort();
+      }, HEALTH_CHECK_TIMEOUT_MS);
+
+      try {
+        const response = await fetch(healthUrl, {
+          method: "GET",
+          signal: controller.signal,
+        });
+
+        return response.ok;
+      } finally {
+        clearTimeout(timeoutId);
+      }
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Health check failed for ${this.name}: ${message}`);
+      return false;
+    }
+  }
+}
--- a/apps/api/src/speech/providers/chatterbox-tts.provider.spec.ts
+++ b/apps/api/src/speech/providers/chatterbox-tts.provider.spec.ts
@@ -0,0 +1,436 @@
+/**
+ * ChatterboxTTSProvider Unit Tests
+ *
+ * Tests the premium-tier TTS provider with voice cloning and
+ * emotion exaggeration support for Chatterbox.
+ *
+ * Issue #394
+ */
+
+import { describe, it, expect, beforeEach, vi, type Mock } from "vitest";
+import { ChatterboxTTSProvider } from "./chatterbox-tts.provider";
+import type { ChatterboxSynthesizeOptions, AudioFormat } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+const mockCreate = vi.fn();
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      speech: {
+        create: mockCreate,
+      },
+    };
+  }
+  return { default: MockOpenAI };
+});
+
+// ==========================================
+// Test helpers
+// ==========================================
+
+/**
+ * Create a mock Response-like object that mimics OpenAI SDK's audio.speech.create() return.
+ */
+function createMockAudioResponse(audioData: Uint8Array): { arrayBuffer: Mock } {
+  return {
+    arrayBuffer: vi.fn().mockResolvedValue(audioData.buffer),
+  };
+}
+
+describe("ChatterboxTTSProvider", () => {
+  let provider: ChatterboxTTSProvider;
+
+  const testBaseURL = "http://chatterbox-tts:8881/v1";
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    provider = new ChatterboxTTSProvider(testBaseURL);
+  });
+
+  // ==========================================
+  // Provider identity
+  // ==========================================
+
+  describe("provider identity", () => {
+    it("should have name 'chatterbox'", () => {
+      expect(provider.name).toBe("chatterbox");
+    });
+
+    it("should have tier 'premium'", () => {
+      expect(provider.tier).toBe("premium");
+    });
+  });
+
+  // ==========================================
+  // Constructor
+  // ==========================================
+
+  describe("constructor", () => {
+    it("should create an instance with the provided baseURL", () => {
+      expect(provider).toBeDefined();
+    });
+
+    it("should use 'default' as the default voice", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const result = await provider.synthesize("Hello");
+
+      expect(result.voice).toBe("default");
+    });
+
+    it("should use 'wav' as the default format", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const result = await provider.synthesize("Hello");
+
+      expect(result.format).toBe("wav");
+    });
+  });
+
+  // ==========================================
+  // synthesize() — basic (no Chatterbox-specific options)
+  // ==========================================
+
+  describe("synthesize (basic)", () => {
+    it("should synthesize text and return a SynthesisResult", async () => {
+      const audioBytes = new Uint8Array([0x49, 0x44, 0x33, 0x04, 0x00]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const result = await provider.synthesize("Hello, world!");
+
+      expect(result).toBeDefined();
+      expect(result.audio).toBeInstanceOf(Buffer);
+      expect(result.audio.length).toBe(audioBytes.length);
+      expect(result.format).toBe("wav");
+      expect(result.voice).toBe("default");
+      expect(result.tier).toBe("premium");
+    });
+
+    it("should pass correct base parameters to OpenAI SDK when no extra options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await provider.synthesize("Test text");
+
+      expect(mockCreate).toHaveBeenCalledWith({
+        model: "tts-1",
+        input: "Test text",
+        voice: "default",
+        response_format: "wav",
+        speed: 1.0,
+      });
+    });
+
+    it("should use custom voice from options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = { voice: "cloned_voice_1" };
+      const result = await provider.synthesize("Hello", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ voice: "cloned_voice_1" }));
+      expect(result.voice).toBe("cloned_voice_1");
+    });
+
+    it("should use custom format from options", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = { format: "mp3" as AudioFormat };
+      const result = await provider.synthesize("Hello", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(expect.objectContaining({ response_format: "mp3" }));
+      expect(result.format).toBe("mp3");
+    });
+
+    it("should throw on synthesis failure", async () => {
+      mockCreate.mockRejectedValue(new Error("GPU out of memory"));
+
+      await expect(provider.synthesize("Hello")).rejects.toThrow(
+        "TTS synthesis failed for chatterbox: GPU out of memory"
+      );
+    });
+  });
+
+  // ==========================================
+  // synthesize() — voice cloning (referenceAudio)
+  // ==========================================
+
+  describe("synthesize (voice cloning)", () => {
+    it("should pass referenceAudio as base64 in extra body params", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const referenceAudio = Buffer.from("fake-audio-data-for-cloning");
+      const options: ChatterboxSynthesizeOptions = {
+        referenceAudio,
+      };
+
+      await provider.synthesize("Clone my voice", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: "Clone my voice",
+          reference_audio: referenceAudio.toString("base64"),
+        })
+      );
+    });
+
+    it("should not include reference_audio when referenceAudio is not provided", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await provider.synthesize("No cloning");
+
+      const callArgs = mockCreate.mock.calls[0][0] as Record<string, unknown>;
+      expect(callArgs).not.toHaveProperty("reference_audio");
+    });
+  });
+
+  // ==========================================
+  // synthesize() — emotion exaggeration
+  // ==========================================
+
+  describe("synthesize (emotion exaggeration)", () => {
+    it("should pass emotionExaggeration as exaggeration in extra body params", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = {
+        emotionExaggeration: 0.7,
+      };
+
+      await provider.synthesize("Very emotional text", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          exaggeration: 0.7,
+        })
+      );
+    });
+
+    it("should not include exaggeration when emotionExaggeration is not provided", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      await provider.synthesize("Neutral text");
+
+      const callArgs = mockCreate.mock.calls[0][0] as Record<string, unknown>;
+      expect(callArgs).not.toHaveProperty("exaggeration");
+    });
+
+    it("should accept emotionExaggeration of 0.0", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = {
+        emotionExaggeration: 0.0,
+      };
+
+      await provider.synthesize("Minimal emotion", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          exaggeration: 0.0,
+        })
+      );
+    });
+
+    it("should accept emotionExaggeration of 1.0", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = {
+        emotionExaggeration: 1.0,
+      };
+
+      await provider.synthesize("Maximum emotion", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          exaggeration: 1.0,
+        })
+      );
+    });
+
+    it("should clamp emotionExaggeration above 1.0 to 1.0", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = {
+        emotionExaggeration: 1.5,
+      };
+
+      await provider.synthesize("Over the top", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          exaggeration: 1.0,
+        })
+      );
+    });
+
+    it("should clamp emotionExaggeration below 0.0 to 0.0", async () => {
+      const audioBytes = new Uint8Array([0x01]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const options: ChatterboxSynthesizeOptions = {
+        emotionExaggeration: -0.5,
+      };
+
+      await provider.synthesize("Negative emotion", options);
+
+      expect(mockCreate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          exaggeration: 0.0,
+        })
+      );
+    });
+  });
+
+  // ==========================================
+  // synthesize() — combined options
+  // ==========================================
+
+  describe("synthesize (combined options)", () => {
+    it("should handle referenceAudio and emotionExaggeration together", async () => {
+      const audioBytes = new Uint8Array([0x01, 0x02, 0x03]);
+      mockCreate.mockResolvedValue(createMockAudioResponse(audioBytes));
+
+      const referenceAudio = Buffer.from("reference-audio-sample");
+      const options: ChatterboxSynthesizeOptions = {
+        voice: "custom_voice",
+        format: "mp3",
+        speed: 0.9,
+        referenceAudio,
+        emotionExaggeration: 0.6,
+      };
+
+      const result = await provider.synthesize("Full options test", options);
+
+      expect(mockCreate).toHaveBeenCalledWith({
+        model: "tts-1",
+        input: "Full options test",
+        voice: "custom_voice",
+        response_format: "mp3",
+        speed: 0.9,
+        reference_audio: referenceAudio.toString("base64"),
+        exaggeration: 0.6,
+      });
+
+      expect(result.audio).toBeInstanceOf(Buffer);
+      expect(result.voice).toBe("custom_voice");
+      expect(result.format).toBe("mp3");
+      expect(result.tier).toBe("premium");
+    });
+  });
+
+  // ==========================================
+  // isHealthy() — graceful degradation
+  // ==========================================
+
+  describe("isHealthy (graceful degradation)", () => {
+    it("should return true when the Chatterbox server is reachable", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: true,
+        status: 200,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(true);
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should return false when GPU is unavailable (server unreachable)", async () => {
+      const mockFetch = vi.fn().mockRejectedValue(new Error("ECONNREFUSED"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(false);
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should return false when the server returns 503 (GPU overloaded)", async () => {
+      const mockFetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 503,
+      });
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(false);
+
+      vi.unstubAllGlobals();
+    });
+
+    it("should return false on timeout (slow GPU response)", async () => {
+      const mockFetch = vi
+        .fn()
+        .mockRejectedValue(new Error("AbortError: The operation was aborted"));
+      vi.stubGlobal("fetch", mockFetch);
+
+      const healthy = await provider.isHealthy();
+
+      expect(healthy).toBe(false);
+
+      vi.unstubAllGlobals();
+    });
+  });
+
+  // ==========================================
+  // listVoices()
+  // ==========================================
+
+  describe("listVoices", () => {
+    it("should return the default voice in the premium tier", async () => {
+      const voices = await provider.listVoices();
+
+      expect(voices).toBeInstanceOf(Array);
+      expect(voices.length).toBeGreaterThan(0);
+
+      const defaultVoice = voices.find((v) => v.isDefault === true);
+      expect(defaultVoice).toBeDefined();
+      expect(defaultVoice?.id).toBe("default");
+      expect(defaultVoice?.tier).toBe("premium");
+    });
+
+    it("should set tier to 'premium' on all voices", async () => {
+      const voices = await provider.listVoices();
+
+      for (const voice of voices) {
+        expect(voice.tier).toBe("premium");
+      }
+    });
+  });
+
+  // ==========================================
+  // supportedLanguages
+  // ==========================================
+
+  describe("supportedLanguages", () => {
+    it("should expose a list of supported languages for cross-language transfer", () => {
+      const languages = provider.supportedLanguages;
+
+      expect(languages).toBeInstanceOf(Array);
+      expect(languages.length).toBe(23);
+      expect(languages).toContain("en");
+      expect(languages).toContain("fr");
+      expect(languages).toContain("de");
+      expect(languages).toContain("es");
+      expect(languages).toContain("ja");
+      expect(languages).toContain("zh");
+    });
+  });
+});
--- a/apps/api/src/speech/providers/chatterbox-tts.provider.ts
+++ b/apps/api/src/speech/providers/chatterbox-tts.provider.ts
@@ -0,0 +1,169 @@
+/**
+ * Chatterbox TTS Provider
+ *
+ * Premium-tier TTS provider with voice cloning and emotion exaggeration support.
+ * Uses the Chatterbox TTS Server's OpenAI-compatible endpoint with extra body
+ * parameters for voice cloning (reference_audio) and emotion control (exaggeration).
+ *
+ * Key capabilities:
+ * - Voice cloning via reference audio sample
+ * - Emotion exaggeration control (0.0 - 1.0)
+ * - Cross-language voice transfer (23 languages)
+ * - Graceful degradation when GPU is unavailable (isHealthy returns false)
+ *
+ * The provider is optional and only instantiated when TTS_PREMIUM_ENABLED=true.
+ *
+ * Issue #394
+ */
+
+import type { SpeechCreateParams } from "openai/resources/audio/speech";
+import { BaseTTSProvider } from "./base-tts.provider";
+import type { SpeechTier, SynthesizeOptions, SynthesisResult } from "../interfaces/speech-types";
+import type { ChatterboxSynthesizeOptions } from "../interfaces/speech-types";
+
+/** Default voice for Chatterbox */
+const CHATTERBOX_DEFAULT_VOICE = "default";
+
+/** Default audio format for Chatterbox (WAV for highest quality) */
+const CHATTERBOX_DEFAULT_FORMAT = "wav" as const;
+
+/** Default TTS model identifier */
+const DEFAULT_MODEL = "tts-1";
+
+/** Default speech speed multiplier */
+const DEFAULT_SPEED = 1.0;
+
+/**
+ * Languages supported by Chatterbox for cross-language voice transfer.
+ * Chatterbox supports 23 languages for voice cloning and synthesis.
+ */
+const SUPPORTED_LANGUAGES: readonly string[] = [
+  "en", // English
+  "fr", // French
+  "de", // German
+  "es", // Spanish
+  "it", // Italian
+  "pt", // Portuguese
+  "nl", // Dutch
+  "pl", // Polish
+  "ru", // Russian
+  "uk", // Ukrainian
+  "ja", // Japanese
+  "zh", // Chinese
+  "ko", // Korean
+  "ar", // Arabic
+  "hi", // Hindi
+  "tr", // Turkish
+  "sv", // Swedish
+  "da", // Danish
+  "fi", // Finnish
+  "no", // Norwegian
+  "cs", // Czech
+  "el", // Greek
+  "ro", // Romanian
+] as const;
+
+/**
+ * Chatterbox TTS provider (premium tier).
+ *
+ * Extends BaseTTSProvider with voice cloning and emotion exaggeration support.
+ * The Chatterbox TTS Server uses an OpenAI-compatible API but accepts additional
+ * body parameters for its advanced features.
+ *
+ * @example
+ * ```typescript
+ * const provider = new ChatterboxTTSProvider("http://chatterbox:8881/v1");
+ *
+ * // Basic synthesis
+ * const result = await provider.synthesize("Hello!");
+ *
+ * // Voice cloning with emotion
+ * const clonedResult = await provider.synthesize("Hello!", {
+ *   referenceAudio: myAudioBuffer,
+ *   emotionExaggeration: 0.7,
+ * });
+ * ```
+ */
+export class ChatterboxTTSProvider extends BaseTTSProvider {
+  readonly name = "chatterbox";
+  readonly tier: SpeechTier = "premium";
+
+  /**
+   * Languages supported for cross-language voice transfer.
+   */
+  readonly supportedLanguages: readonly string[] = SUPPORTED_LANGUAGES;
+
+  constructor(baseURL: string) {
+    super(baseURL, CHATTERBOX_DEFAULT_VOICE, CHATTERBOX_DEFAULT_FORMAT);
+  }
+
+  /**
+   * Synthesize text to audio with optional voice cloning and emotion control.
+   *
+   * Overrides the base synthesize() to support Chatterbox-specific options:
+   * - `referenceAudio`: Buffer of audio to clone the voice from (sent as base64)
+   * - `emotionExaggeration`: Emotion intensity factor (0.0 - 1.0, clamped)
+   *
+   * These are passed as extra body parameters to the OpenAI-compatible endpoint,
+   * which Chatterbox's API accepts alongside the standard parameters.
+   *
+   * @param text - Text to convert to speech
+   * @param options - Synthesis options, optionally including Chatterbox-specific params
+   * @returns Synthesis result with audio buffer and metadata
+   * @throws {Error} If synthesis fails (e.g., GPU unavailable)
+   */
+  async synthesize(
+    text: string,
+    options?: SynthesizeOptions | ChatterboxSynthesizeOptions
+  ): Promise<SynthesisResult> {
+    const voice = options?.voice ?? this.defaultVoice;
+    const format = options?.format ?? this.defaultFormat;
+    const speed = options?.speed ?? DEFAULT_SPEED;
+
+    // Build the request body with standard OpenAI-compatible params
+    const requestBody: Record<string, unknown> = {
+      model: DEFAULT_MODEL,
+      input: text,
+      voice,
+      response_format: format,
+      speed,
+    };
+
+    // Add Chatterbox-specific params if provided
+    const chatterboxOptions = options as ChatterboxSynthesizeOptions | undefined;
+
+    if (chatterboxOptions?.referenceAudio) {
+      requestBody.reference_audio = chatterboxOptions.referenceAudio.toString("base64");
+    }
+
+    if (chatterboxOptions?.emotionExaggeration !== undefined) {
+      // Clamp to valid range [0.0, 1.0]
+      requestBody.exaggeration = Math.max(
+        0.0,
+        Math.min(1.0, chatterboxOptions.emotionExaggeration)
+      );
+    }
+
+    try {
+      // Use the OpenAI SDK's create method, passing extra params
+      // The OpenAI SDK allows additional body params to be passed through
+      const response = await this.client.audio.speech.create(
+        requestBody as unknown as SpeechCreateParams
+      );
+
+      const arrayBuffer = await response.arrayBuffer();
+      const audio = Buffer.from(arrayBuffer);
+
+      return {
+        audio,
+        format,
+        voice,
+        tier: this.tier,
+      };
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.error(`TTS synthesis failed: ${message}`);
+      throw new Error(`TTS synthesis failed for ${this.name}: ${message}`);
+    }
+  }
+}
--- a/apps/api/src/speech/providers/kokoro-tts.provider.spec.ts
+++ b/apps/api/src/speech/providers/kokoro-tts.provider.spec.ts
@@ -0,0 +1,316 @@
+/**
+ * KokoroTtsProvider Unit Tests
+ *
+ * Tests the Kokoro-FastAPI TTS provider with full voice catalog,
+ * voice metadata parsing, and Kokoro-specific feature constants.
+ *
+ * Issue #393
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import {
+  KokoroTtsProvider,
+  KOKORO_SUPPORTED_FORMATS,
+  KOKORO_SPEED_RANGE,
+  KOKORO_VOICES,
+  parseVoicePrefix,
+} from "./kokoro-tts.provider";
+import type { VoiceInfo } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      speech: {
+        create: vi.fn(),
+      },
+    };
+  }
+  return { default: MockOpenAI };
+});
+
+// ==========================================
+// Provider identity
+// ==========================================
+
+describe("KokoroTtsProvider", () => {
+  const testBaseURL = "http://kokoro-tts:8880/v1";
+  let provider: KokoroTtsProvider;
+
+  beforeEach(() => {
+    provider = new KokoroTtsProvider(testBaseURL);
+  });
+
+  describe("provider identity", () => {
+    it("should have name 'kokoro'", () => {
+      expect(provider.name).toBe("kokoro");
+    });
+
+    it("should have tier 'default'", () => {
+      expect(provider.tier).toBe("default");
+    });
+  });
+
+  // ==========================================
+  // listVoices()
+  // ==========================================
+
+  describe("listVoices", () => {
+    let voices: VoiceInfo[];
+
+    beforeEach(async () => {
+      voices = await provider.listVoices();
+    });
+
+    it("should return an array of VoiceInfo objects", () => {
+      expect(voices).toBeInstanceOf(Array);
+      expect(voices.length).toBeGreaterThan(0);
+    });
+
+    it("should return at least 10 voices", () => {
+      // The issue specifies at least: af_heart, af_bella, af_nicole, af_sarah, af_sky,
+      // am_adam, am_michael, bf_emma, bf_isabella, bm_george, bm_lewis
+      expect(voices.length).toBeGreaterThanOrEqual(10);
+    });
+
+    it("should set tier to 'default' on all voices", () => {
+      for (const voice of voices) {
+        expect(voice.tier).toBe("default");
+      }
+    });
+
+    it("should have exactly one default voice", () => {
+      const defaults = voices.filter((v) => v.isDefault === true);
+      expect(defaults.length).toBe(1);
+    });
+
+    it("should mark af_heart as the default voice", () => {
+      const defaultVoice = voices.find((v) => v.isDefault === true);
+      expect(defaultVoice).toBeDefined();
+      expect(defaultVoice?.id).toBe("af_heart");
+    });
+
+    it("should have an id and name for every voice", () => {
+      for (const voice of voices) {
+        expect(voice.id).toBeTruthy();
+        expect(voice.name).toBeTruthy();
+      }
+    });
+
+    it("should set language on every voice", () => {
+      for (const voice of voices) {
+        expect(voice.language).toBeTruthy();
+      }
+    });
+
+    // ==========================================
+    // Required voices from the issue
+    // ==========================================
+
+    describe("required voices", () => {
+      const requiredVoiceIds = [
+        "af_heart",
+        "af_bella",
+        "af_nicole",
+        "af_sarah",
+        "af_sky",
+        "am_adam",
+        "am_michael",
+        "bf_emma",
+        "bf_isabella",
+        "bm_george",
+        "bm_lewis",
+      ];
+
+      it.each(requiredVoiceIds)("should include voice '%s'", (voiceId) => {
+        const voice = voices.find((v) => v.id === voiceId);
+        expect(voice).toBeDefined();
+      });
+    });
+
+    // ==========================================
+    // Voice metadata from prefix
+    // ==========================================
+
+    describe("voice metadata from prefix", () => {
+      it("should set language to 'en-US' for af_ prefix voices", () => {
+        const voice = voices.find((v) => v.id === "af_heart");
+        expect(voice?.language).toBe("en-US");
+      });
+
+      it("should set language to 'en-US' for am_ prefix voices", () => {
+        const voice = voices.find((v) => v.id === "am_adam");
+        expect(voice?.language).toBe("en-US");
+      });
+
+      it("should set language to 'en-GB' for bf_ prefix voices", () => {
+        const voice = voices.find((v) => v.id === "bf_emma");
+        expect(voice?.language).toBe("en-GB");
+      });
+
+      it("should set language to 'en-GB' for bm_ prefix voices", () => {
+        const voice = voices.find((v) => v.id === "bm_george");
+        expect(voice?.language).toBe("en-GB");
+      });
+
+      it("should include gender in voice name for af_ prefix", () => {
+        const voice = voices.find((v) => v.id === "af_heart");
+        expect(voice?.name).toContain("Female");
+      });
+
+      it("should include gender in voice name for am_ prefix", () => {
+        const voice = voices.find((v) => v.id === "am_adam");
+        expect(voice?.name).toContain("Male");
+      });
+
+      it("should include gender in voice name for bf_ prefix", () => {
+        const voice = voices.find((v) => v.id === "bf_emma");
+        expect(voice?.name).toContain("Female");
+      });
+
+      it("should include gender in voice name for bm_ prefix", () => {
+        const voice = voices.find((v) => v.id === "bm_george");
+        expect(voice?.name).toContain("Male");
+      });
+    });
+
+    // ==========================================
+    // Voice name formatting
+    // ==========================================
+
+    describe("voice name formatting", () => {
+      it("should capitalize the voice name portion", () => {
+        const voice = voices.find((v) => v.id === "af_heart");
+        expect(voice?.name).toContain("Heart");
+      });
+
+      it("should include the accent/language label in the name", () => {
+        const afVoice = voices.find((v) => v.id === "af_heart");
+        expect(afVoice?.name).toContain("American");
+
+        const bfVoice = voices.find((v) => v.id === "bf_emma");
+        expect(bfVoice?.name).toContain("British");
+      });
+    });
+  });
+
+  // ==========================================
+  // Custom constructor
+  // ==========================================
+
+  describe("constructor", () => {
+    it("should accept custom default voice", () => {
+      const customProvider = new KokoroTtsProvider(testBaseURL, "af_bella");
+      expect(customProvider).toBeDefined();
+    });
+
+    it("should accept custom default format", () => {
+      const customProvider = new KokoroTtsProvider(testBaseURL, "af_heart", "wav");
+      expect(customProvider).toBeDefined();
+    });
+
+    it("should use af_heart as default voice when none specified", () => {
+      const defaultProvider = new KokoroTtsProvider(testBaseURL);
+      expect(defaultProvider).toBeDefined();
+    });
+  });
+});
+
+// ==========================================
+// parseVoicePrefix utility
+// ==========================================
+
+describe("parseVoicePrefix", () => {
+  it("should parse af_ as American English Female", () => {
+    const result = parseVoicePrefix("af_heart");
+    expect(result.language).toBe("en-US");
+    expect(result.gender).toBe("female");
+    expect(result.accent).toBe("American");
+  });
+
+  it("should parse am_ as American English Male", () => {
+    const result = parseVoicePrefix("am_adam");
+    expect(result.language).toBe("en-US");
+    expect(result.gender).toBe("male");
+    expect(result.accent).toBe("American");
+  });
+
+  it("should parse bf_ as British English Female", () => {
+    const result = parseVoicePrefix("bf_emma");
+    expect(result.language).toBe("en-GB");
+    expect(result.gender).toBe("female");
+    expect(result.accent).toBe("British");
+  });
+
+  it("should parse bm_ as British English Male", () => {
+    const result = parseVoicePrefix("bm_george");
+    expect(result.language).toBe("en-GB");
+    expect(result.gender).toBe("male");
+    expect(result.accent).toBe("British");
+  });
+
+  it("should return unknown for unrecognized prefix", () => {
+    const result = parseVoicePrefix("xx_unknown");
+    expect(result.language).toBe("unknown");
+    expect(result.gender).toBe("unknown");
+    expect(result.accent).toBe("Unknown");
+  });
+});
+
+// ==========================================
+// Exported constants
+// ==========================================
+
+describe("KOKORO_SUPPORTED_FORMATS", () => {
+  it("should include mp3", () => {
+    expect(KOKORO_SUPPORTED_FORMATS).toContain("mp3");
+  });
+
+  it("should include wav", () => {
+    expect(KOKORO_SUPPORTED_FORMATS).toContain("wav");
+  });
+
+  it("should include opus", () => {
+    expect(KOKORO_SUPPORTED_FORMATS).toContain("opus");
+  });
+
+  it("should include flac", () => {
+    expect(KOKORO_SUPPORTED_FORMATS).toContain("flac");
+  });
+
+  it("should be a readonly array", () => {
+    expect(Array.isArray(KOKORO_SUPPORTED_FORMATS)).toBe(true);
+  });
+});
+
+describe("KOKORO_SPEED_RANGE", () => {
+  it("should have min speed of 0.25", () => {
+    expect(KOKORO_SPEED_RANGE.min).toBe(0.25);
+  });
+
+  it("should have max speed of 4.0", () => {
+    expect(KOKORO_SPEED_RANGE.max).toBe(4.0);
+  });
+});
+
+describe("KOKORO_VOICES", () => {
+  it("should be a non-empty array", () => {
+    expect(Array.isArray(KOKORO_VOICES)).toBe(true);
+    expect(KOKORO_VOICES.length).toBeGreaterThan(0);
+  });
+
+  it("should contain voice entries with id and label", () => {
+    for (const voice of KOKORO_VOICES) {
+      expect(voice.id).toBeTruthy();
+      expect(voice.label).toBeTruthy();
+    }
+  });
+
+  it("should include voices from multiple language prefixes", () => {
+    const prefixes = new Set(KOKORO_VOICES.map((v) => v.id.substring(0, 2)));
+    expect(prefixes.size).toBeGreaterThanOrEqual(4);
+  });
+});
--- a/apps/api/src/speech/providers/kokoro-tts.provider.ts
+++ b/apps/api/src/speech/providers/kokoro-tts.provider.ts
@@ -0,0 +1,278 @@
+/**
+ * Kokoro-FastAPI TTS Provider
+ *
+ * Default-tier TTS provider backed by Kokoro-FastAPI.
+ * CPU-based, always available, Apache 2.0 license.
+ *
+ * Features:
+ * - 53 built-in voices across 8 languages
+ * - Speed control: 0.25x to 4.0x
+ * - Output formats: mp3, wav, opus, flac
+ * - Voice metadata derived from ID prefix (language, gender, accent)
+ *
+ * Voice ID format: {prefix}_{name}
+ *   - First character: language/accent code (a=American, b=British, etc.)
+ *   - Second character: gender code (f=Female, m=Male)
+ *
+ * Issue #393
+ */
+
+import { BaseTTSProvider } from "./base-tts.provider";
+import type { SpeechTier, VoiceInfo, AudioFormat } from "../interfaces/speech-types";
+
+// ==========================================
+// Constants
+// ==========================================
+
+/** Audio formats supported by Kokoro-FastAPI */
+export const KOKORO_SUPPORTED_FORMATS: readonly AudioFormat[] = [
+  "mp3",
+  "wav",
+  "opus",
+  "flac",
+] as const;
+
+/** Speed range supported by Kokoro-FastAPI */
+export const KOKORO_SPEED_RANGE = {
+  min: 0.25,
+  max: 4.0,
+} as const;
+
+/** Default voice for Kokoro */
+const KOKORO_DEFAULT_VOICE = "af_heart";
+
+/** Default audio format for Kokoro */
+const KOKORO_DEFAULT_FORMAT: AudioFormat = "mp3";
+
+// ==========================================
+// Voice prefix mapping
+// ==========================================
+
+/**
+ * Mapping of voice ID prefix (first two characters) to language/accent/gender metadata.
+ *
+ * Kokoro voice IDs follow the pattern: {lang}{gender}_{name}
+ * - lang: a=American, b=British, e=Spanish, f=French, h=Hindi, j=Japanese, p=Portuguese, z=Chinese
+ * - gender: f=Female, m=Male
+ */
+const VOICE_PREFIX_MAP: Record<string, { language: string; gender: string; accent: string }> = {
+  af: { language: "en-US", gender: "female", accent: "American" },
+  am: { language: "en-US", gender: "male", accent: "American" },
+  bf: { language: "en-GB", gender: "female", accent: "British" },
+  bm: { language: "en-GB", gender: "male", accent: "British" },
+  ef: { language: "es", gender: "female", accent: "Spanish" },
+  em: { language: "es", gender: "male", accent: "Spanish" },
+  ff: { language: "fr", gender: "female", accent: "French" },
+  fm: { language: "fr", gender: "male", accent: "French" },
+  hf: { language: "hi", gender: "female", accent: "Hindi" },
+  hm: { language: "hi", gender: "male", accent: "Hindi" },
+  jf: { language: "ja", gender: "female", accent: "Japanese" },
+  jm: { language: "ja", gender: "male", accent: "Japanese" },
+  pf: { language: "pt-BR", gender: "female", accent: "Portuguese" },
+  pm: { language: "pt-BR", gender: "male", accent: "Portuguese" },
+  zf: { language: "zh", gender: "female", accent: "Chinese" },
+  zm: { language: "zh", gender: "male", accent: "Chinese" },
+};
+
+// ==========================================
+// Voice catalog
+// ==========================================
+
+/** Raw voice catalog entry */
+interface KokoroVoiceEntry {
+  /** Voice ID (e.g. "af_heart") */
+  id: string;
+  /** Human-readable label (e.g. "Heart") */
+  label: string;
+}
+
+/**
+ * Complete catalog of Kokoro built-in voices.
+ *
+ * Organized by language/accent prefix:
+ * - af_: American English Female
+ * - am_: American English Male
+ * - bf_: British English Female
+ * - bm_: British English Male
+ * - ef_: Spanish Female
+ * - em_: Spanish Male
+ * - ff_: French Female
+ * - hf_: Hindi Female
+ * - jf_: Japanese Female
+ * - jm_: Japanese Male
+ * - pf_: Portuguese Female
+ * - zf_: Chinese Female
+ * - zm_: Chinese Male
+ */
+export const KOKORO_VOICES: readonly KokoroVoiceEntry[] = [
+  // American English Female (af_)
+  { id: "af_heart", label: "Heart" },
+  { id: "af_alloy", label: "Alloy" },
+  { id: "af_aoede", label: "Aoede" },
+  { id: "af_bella", label: "Bella" },
+  { id: "af_jessica", label: "Jessica" },
+  { id: "af_kore", label: "Kore" },
+  { id: "af_nicole", label: "Nicole" },
+  { id: "af_nova", label: "Nova" },
+  { id: "af_river", label: "River" },
+  { id: "af_sarah", label: "Sarah" },
+  { id: "af_sky", label: "Sky" },
+  // American English Male (am_)
+  { id: "am_adam", label: "Adam" },
+  { id: "am_echo", label: "Echo" },
+  { id: "am_eric", label: "Eric" },
+  { id: "am_fenrir", label: "Fenrir" },
+  { id: "am_liam", label: "Liam" },
+  { id: "am_michael", label: "Michael" },
+  { id: "am_onyx", label: "Onyx" },
+  { id: "am_puck", label: "Puck" },
+  { id: "am_santa", label: "Santa" },
+  // British English Female (bf_)
+  { id: "bf_alice", label: "Alice" },
+  { id: "bf_emma", label: "Emma" },
+  { id: "bf_isabella", label: "Isabella" },
+  { id: "bf_lily", label: "Lily" },
+  // British English Male (bm_)
+  { id: "bm_daniel", label: "Daniel" },
+  { id: "bm_fable", label: "Fable" },
+  { id: "bm_george", label: "George" },
+  { id: "bm_lewis", label: "Lewis" },
+  { id: "bm_oscar", label: "Oscar" },
+  // Spanish Female (ef_)
+  { id: "ef_dora", label: "Dora" },
+  { id: "ef_elena", label: "Elena" },
+  { id: "ef_maria", label: "Maria" },
+  // Spanish Male (em_)
+  { id: "em_alex", label: "Alex" },
+  { id: "em_carlos", label: "Carlos" },
+  { id: "em_santa", label: "Santa" },
+  // French Female (ff_)
+  { id: "ff_camille", label: "Camille" },
+  { id: "ff_siwis", label: "Siwis" },
+  // Hindi Female (hf_)
+  { id: "hf_alpha", label: "Alpha" },
+  { id: "hf_beta", label: "Beta" },
+  // Japanese Female (jf_)
+  { id: "jf_alpha", label: "Alpha" },
+  { id: "jf_gongitsune", label: "Gongitsune" },
+  { id: "jf_nezumi", label: "Nezumi" },
+  { id: "jf_tebukuro", label: "Tebukuro" },
+  // Japanese Male (jm_)
+  { id: "jm_kumo", label: "Kumo" },
+  // Portuguese Female (pf_)
+  { id: "pf_dora", label: "Dora" },
+  // Chinese Female (zf_)
+  { id: "zf_xiaobei", label: "Xiaobei" },
+  { id: "zf_xiaoni", label: "Xiaoni" },
+  { id: "zf_xiaoxiao", label: "Xiaoxiao" },
+  { id: "zf_xiaoyi", label: "Xiaoyi" },
+  // Chinese Male (zm_)
+  { id: "zm_yunjian", label: "Yunjian" },
+  { id: "zm_yunxi", label: "Yunxi" },
+  { id: "zm_yunxia", label: "Yunxia" },
+  { id: "zm_yunyang", label: "Yunyang" },
+] as const;
+
+// ==========================================
+// Prefix parser
+// ==========================================
+
+/** Parsed voice prefix metadata */
+export interface VoicePrefixMetadata {
+  /** BCP 47 language code (e.g. "en-US", "en-GB", "ja") */
+  language: string;
+  /** Gender: "female", "male", or "unknown" */
+  gender: string;
+  /** Human-readable accent label (e.g. "American", "British") */
+  accent: string;
+}
+
+/**
+ * Parse a Kokoro voice ID to extract language, gender, and accent metadata.
+ *
+ * Voice IDs follow the pattern: {lang}{gender}_{name}
+ * The first two characters encode language/accent and gender.
+ *
+ * @param voiceId - Kokoro voice ID (e.g. "af_heart")
+ * @returns Parsed metadata with language, gender, and accent
+ */
+export function parseVoicePrefix(voiceId: string): VoicePrefixMetadata {
+  const prefix = voiceId.substring(0, 2);
+  const mapping = VOICE_PREFIX_MAP[prefix];
+
+  if (mapping) {
+    return {
+      language: mapping.language,
+      gender: mapping.gender,
+      accent: mapping.accent,
+    };
+  }
+
+  return {
+    language: "unknown",
+    gender: "unknown",
+    accent: "Unknown",
+  };
+}
+
+// ==========================================
+// Provider class
+// ==========================================
+
+/**
+ * Kokoro-FastAPI TTS provider (default tier).
+ *
+ * CPU-based text-to-speech engine with 53 built-in voices across 8 languages.
+ * Uses the OpenAI-compatible API exposed by Kokoro-FastAPI.
+ *
+ * @example
+ * ```typescript
+ * const kokoro = new KokoroTtsProvider("http://kokoro-tts:8880/v1");
+ * const voices = await kokoro.listVoices();
+ * const result = await kokoro.synthesize("Hello!", { voice: "af_heart" });
+ * ```
+ */
+export class KokoroTtsProvider extends BaseTTSProvider {
+  readonly name = "kokoro";
+  readonly tier: SpeechTier = "default";
+
+  /**
+   * Create a new Kokoro TTS provider.
+   *
+   * @param baseURL - Base URL for the Kokoro-FastAPI endpoint (e.g. "http://kokoro-tts:8880/v1")
+   * @param defaultVoice - Default voice ID (defaults to "af_heart")
+   * @param defaultFormat - Default audio format (defaults to "mp3")
+   */
+  constructor(
+    baseURL: string,
+    defaultVoice: string = KOKORO_DEFAULT_VOICE,
+    defaultFormat: AudioFormat = KOKORO_DEFAULT_FORMAT
+  ) {
+    super(baseURL, defaultVoice, defaultFormat);
+  }
+
+  /**
+   * List all available Kokoro voices with metadata.
+   *
+   * Returns the full catalog of 53 built-in voices with language, gender,
+   * and accent information derived from voice ID prefixes.
+   *
+   * @returns Array of VoiceInfo objects for all Kokoro voices
+   */
+  override listVoices(): Promise<VoiceInfo[]> {
+    const voices: VoiceInfo[] = KOKORO_VOICES.map((entry) => {
+      const metadata = parseVoicePrefix(entry.id);
+      const genderLabel = metadata.gender === "female" ? "Female" : "Male";
+
+      return {
+        id: entry.id,
+        name: `${entry.label} (${metadata.accent} ${genderLabel})`,
+        language: metadata.language,
+        tier: this.tier,
+        isDefault: entry.id === this.defaultVoice,
+      };
+    });
+
+    return Promise.resolve(voices);
+  }
+}
--- a/apps/api/src/speech/providers/piper-tts.provider.spec.ts
+++ b/apps/api/src/speech/providers/piper-tts.provider.spec.ts
@@ -0,0 +1,266 @@
+/**
+ * PiperTtsProvider Unit Tests
+ *
+ * Tests the Piper TTS provider via OpenedAI Speech (fallback tier).
+ * Validates provider identity, OpenAI voice name mapping, voice listing,
+ * and ultra-lightweight CPU-only design characteristics.
+ *
+ * Issue #395
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import {
+  PiperTtsProvider,
+  PIPER_VOICE_MAP,
+  PIPER_SUPPORTED_FORMATS,
+  OPENAI_STANDARD_VOICES,
+} from "./piper-tts.provider";
+import type { VoiceInfo } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      speech: {
+        create: vi.fn(),
+      },
+    };
+  }
+  return { default: MockOpenAI };
+});
+
+// ==========================================
+// Provider identity
+// ==========================================
+
+describe("PiperTtsProvider", () => {
+  const testBaseURL = "http://openedai-speech:8000/v1";
+  let provider: PiperTtsProvider;
+
+  beforeEach(() => {
+    provider = new PiperTtsProvider(testBaseURL);
+  });
+
+  describe("provider identity", () => {
+    it("should have name 'piper'", () => {
+      expect(provider.name).toBe("piper");
+    });
+
+    it("should have tier 'fallback'", () => {
+      expect(provider.tier).toBe("fallback");
+    });
+  });
+
+  // ==========================================
+  // Constructor
+  // ==========================================
+
+  describe("constructor", () => {
+    it("should use 'alloy' as default voice", () => {
+      const newProvider = new PiperTtsProvider(testBaseURL);
+      expect(newProvider).toBeDefined();
+    });
+
+    it("should accept a custom default voice", () => {
+      const customProvider = new PiperTtsProvider(testBaseURL, "nova");
+      expect(customProvider).toBeDefined();
+    });
+
+    it("should accept a custom default format", () => {
+      const customProvider = new PiperTtsProvider(testBaseURL, "alloy", "wav");
+      expect(customProvider).toBeDefined();
+    });
+  });
+
+  // ==========================================
+  // listVoices()
+  // ==========================================
+
+  describe("listVoices", () => {
+    let voices: VoiceInfo[];
+
+    beforeEach(async () => {
+      voices = await provider.listVoices();
+    });
+
+    it("should return an array of VoiceInfo objects", () => {
+      expect(voices).toBeInstanceOf(Array);
+      expect(voices.length).toBeGreaterThan(0);
+    });
+
+    it("should return exactly 6 voices (OpenAI standard set)", () => {
+      expect(voices.length).toBe(6);
+    });
+
+    it("should set tier to 'fallback' on all voices", () => {
+      for (const voice of voices) {
+        expect(voice.tier).toBe("fallback");
+      }
+    });
+
+    it("should have exactly one default voice", () => {
+      const defaults = voices.filter((v) => v.isDefault === true);
+      expect(defaults.length).toBe(1);
+    });
+
+    it("should mark 'alloy' as the default voice", () => {
+      const defaultVoice = voices.find((v) => v.isDefault === true);
+      expect(defaultVoice).toBeDefined();
+      expect(defaultVoice?.id).toBe("alloy");
+    });
+
+    it("should have an id and name for every voice", () => {
+      for (const voice of voices) {
+        expect(voice.id).toBeTruthy();
+        expect(voice.name).toBeTruthy();
+      }
+    });
+
+    it("should set language on every voice", () => {
+      for (const voice of voices) {
+        expect(voice.language).toBeTruthy();
+      }
+    });
+
+    // ==========================================
+    // All 6 OpenAI standard voices present
+    // ==========================================
+
+    describe("OpenAI standard voices", () => {
+      const standardVoiceIds = ["alloy", "echo", "fable", "onyx", "nova", "shimmer"];
+
+      it.each(standardVoiceIds)("should include voice '%s'", (voiceId) => {
+        const voice = voices.find((v) => v.id === voiceId);
+        expect(voice).toBeDefined();
+      });
+    });
+
+    // ==========================================
+    // Voice metadata
+    // ==========================================
+
+    describe("voice metadata", () => {
+      it("should include gender info in voice names", () => {
+        const alloy = voices.find((v) => v.id === "alloy");
+        expect(alloy?.name).toMatch(/Female|Male/);
+      });
+
+      it("should map alloy to a female voice", () => {
+        const alloy = voices.find((v) => v.id === "alloy");
+        expect(alloy?.name).toContain("Female");
+      });
+
+      it("should map echo to a male voice", () => {
+        const echo = voices.find((v) => v.id === "echo");
+        expect(echo?.name).toContain("Male");
+      });
+
+      it("should map fable to a British voice", () => {
+        const fable = voices.find((v) => v.id === "fable");
+        expect(fable?.language).toBe("en-GB");
+      });
+
+      it("should map onyx to a male voice", () => {
+        const onyx = voices.find((v) => v.id === "onyx");
+        expect(onyx?.name).toContain("Male");
+      });
+
+      it("should map nova to a female voice", () => {
+        const nova = voices.find((v) => v.id === "nova");
+        expect(nova?.name).toContain("Female");
+      });
+
+      it("should map shimmer to a female voice", () => {
+        const shimmer = voices.find((v) => v.id === "shimmer");
+        expect(shimmer?.name).toContain("Female");
+      });
+    });
+  });
+});
+
+// ==========================================
+// PIPER_VOICE_MAP
+// ==========================================
+
+describe("PIPER_VOICE_MAP", () => {
+  it("should contain all 6 OpenAI standard voice names", () => {
+    const expectedKeys = ["alloy", "echo", "fable", "onyx", "nova", "shimmer"];
+    for (const key of expectedKeys) {
+      expect(PIPER_VOICE_MAP).toHaveProperty(key);
+    }
+  });
+
+  it("should map each voice to a Piper voice ID", () => {
+    for (const entry of Object.values(PIPER_VOICE_MAP)) {
+      expect(entry.piperVoice).toBeTruthy();
+      expect(typeof entry.piperVoice).toBe("string");
+    }
+  });
+
+  it("should have gender for each voice entry", () => {
+    for (const entry of Object.values(PIPER_VOICE_MAP)) {
+      expect(entry.gender).toMatch(/^(female|male)$/);
+    }
+  });
+
+  it("should have a language for each voice entry", () => {
+    for (const entry of Object.values(PIPER_VOICE_MAP)) {
+      expect(entry.language).toBeTruthy();
+    }
+  });
+
+  it("should have a description for each voice entry", () => {
+    for (const entry of Object.values(PIPER_VOICE_MAP)) {
+      expect(entry.description).toBeTruthy();
+    }
+  });
+});
+
+// ==========================================
+// OPENAI_STANDARD_VOICES
+// ==========================================
+
+describe("OPENAI_STANDARD_VOICES", () => {
+  it("should be an array of 6 voice IDs", () => {
+    expect(Array.isArray(OPENAI_STANDARD_VOICES)).toBe(true);
+    expect(OPENAI_STANDARD_VOICES.length).toBe(6);
+  });
+
+  it("should contain all standard OpenAI voice names", () => {
+    expect(OPENAI_STANDARD_VOICES).toContain("alloy");
+    expect(OPENAI_STANDARD_VOICES).toContain("echo");
+    expect(OPENAI_STANDARD_VOICES).toContain("fable");
+    expect(OPENAI_STANDARD_VOICES).toContain("onyx");
+    expect(OPENAI_STANDARD_VOICES).toContain("nova");
+    expect(OPENAI_STANDARD_VOICES).toContain("shimmer");
+  });
+});
+
+// ==========================================
+// PIPER_SUPPORTED_FORMATS
+// ==========================================
+
+describe("PIPER_SUPPORTED_FORMATS", () => {
+  it("should include mp3", () => {
+    expect(PIPER_SUPPORTED_FORMATS).toContain("mp3");
+  });
+
+  it("should include wav", () => {
+    expect(PIPER_SUPPORTED_FORMATS).toContain("wav");
+  });
+
+  it("should include opus", () => {
+    expect(PIPER_SUPPORTED_FORMATS).toContain("opus");
+  });
+
+  it("should include flac", () => {
+    expect(PIPER_SUPPORTED_FORMATS).toContain("flac");
+  });
+
+  it("should be a readonly array", () => {
+    expect(Array.isArray(PIPER_SUPPORTED_FORMATS)).toBe(true);
+  });
+});
--- a/apps/api/src/speech/providers/piper-tts.provider.ts
+++ b/apps/api/src/speech/providers/piper-tts.provider.ts
@@ -0,0 +1,212 @@
+/**
+ * Piper TTS Provider via OpenedAI Speech
+ *
+ * Fallback-tier TTS provider using Piper via OpenedAI Speech for
+ * ultra-lightweight CPU-only synthesis. Designed for low-resource
+ * environments including Raspberry Pi.
+ *
+ * Features:
+ * - OpenAI-compatible API via OpenedAI Speech server
+ * - 100+ Piper voices across 40+ languages
+ * - 6 standard OpenAI voice names mapped to Piper voices
+ * - Output formats: mp3, wav, opus, flac
+ * - CPU-only, no GPU required
+ * - GPL license (via OpenedAI Speech)
+ *
+ * Voice names use the OpenAI standard set (alloy, echo, fable, onyx,
+ * nova, shimmer) which OpenedAI Speech maps to configured Piper voices.
+ *
+ * Issue #395
+ */
+
+import { BaseTTSProvider } from "./base-tts.provider";
+import type { SpeechTier, VoiceInfo, AudioFormat } from "../interfaces/speech-types";
+
+// ==========================================
+// Constants
+// ==========================================
+
+/** Audio formats supported by OpenedAI Speech with Piper backend */
+export const PIPER_SUPPORTED_FORMATS: readonly AudioFormat[] = [
+  "mp3",
+  "wav",
+  "opus",
+  "flac",
+] as const;
+
+/** Default voice for Piper (via OpenedAI Speech) */
+const PIPER_DEFAULT_VOICE = "alloy";
+
+/** Default audio format for Piper */
+const PIPER_DEFAULT_FORMAT: AudioFormat = "mp3";
+
+// ==========================================
+// OpenAI standard voice names
+// ==========================================
+
+/**
+ * The 6 standard OpenAI TTS voice names.
+ * OpenedAI Speech accepts these names and routes them to configured Piper voices.
+ */
+export const OPENAI_STANDARD_VOICES: readonly string[] = [
+  "alloy",
+  "echo",
+  "fable",
+  "onyx",
+  "nova",
+  "shimmer",
+] as const;
+
+// ==========================================
+// Voice mapping
+// ==========================================
+
+/** Metadata for a Piper voice mapped from an OpenAI voice name */
+export interface PiperVoiceMapping {
+  /** The underlying Piper voice ID configured in OpenedAI Speech */
+  piperVoice: string;
+  /** Human-readable description of the voice character */
+  description: string;
+  /** Gender of the voice */
+  gender: "female" | "male";
+  /** BCP 47 language code */
+  language: string;
+}
+
+/** Fallback mapping used when a voice ID is not found in PIPER_VOICE_MAP */
+const DEFAULT_MAPPING: PiperVoiceMapping = {
+  piperVoice: "en_US-amy-medium",
+  description: "Default voice",
+  gender: "female",
+  language: "en-US",
+};
+
+/**
+ * Mapping of OpenAI standard voice names to their default Piper voice
+ * configuration in OpenedAI Speech.
+ *
+ * These are the default mappings that OpenedAI Speech uses when configured
+ * with Piper as the TTS backend. The actual Piper voice used can be
+ * customized in the OpenedAI Speech configuration file.
+ *
+ * Default Piper voice assignments:
+ * - alloy: en_US-amy-medium (warm, balanced female)
+ * - echo: en_US-ryan-medium (clear, articulate male)
+ * - fable: en_GB-alan-medium (British male narrator)
+ * - onyx: en_US-danny-low (deep, resonant male)
+ * - nova: en_US-lessac-medium (expressive female)
+ * - shimmer: en_US-kristin-medium (bright, energetic female)
+ */
+export const PIPER_VOICE_MAP: Record<string, PiperVoiceMapping> = {
+  alloy: {
+    piperVoice: "en_US-amy-medium",
+    description: "Warm, balanced voice",
+    gender: "female",
+    language: "en-US",
+  },
+  echo: {
+    piperVoice: "en_US-ryan-medium",
+    description: "Clear, articulate voice",
+    gender: "male",
+    language: "en-US",
+  },
+  fable: {
+    piperVoice: "en_GB-alan-medium",
+    description: "British narrator voice",
+    gender: "male",
+    language: "en-GB",
+  },
+  onyx: {
+    piperVoice: "en_US-danny-low",
+    description: "Deep, resonant voice",
+    gender: "male",
+    language: "en-US",
+  },
+  nova: {
+    piperVoice: "en_US-lessac-medium",
+    description: "Expressive, versatile voice",
+    gender: "female",
+    language: "en-US",
+  },
+  shimmer: {
+    piperVoice: "en_US-kristin-medium",
+    description: "Bright, energetic voice",
+    gender: "female",
+    language: "en-US",
+  },
+};
+
+// ==========================================
+// Provider class
+// ==========================================
+
+/**
+ * Piper TTS provider via OpenedAI Speech (fallback tier).
+ *
+ * Ultra-lightweight CPU-only text-to-speech engine using Piper voices
+ * through the OpenedAI Speech server's OpenAI-compatible API.
+ *
+ * Designed for:
+ * - CPU-only environments (no GPU required)
+ * - Low-resource devices (Raspberry Pi, ARM SBCs)
+ * - Fallback when primary TTS engines are unavailable
+ * - High-volume, low-latency synthesis needs
+ *
+ * The provider exposes the 6 standard OpenAI voice names (alloy, echo,
+ * fable, onyx, nova, shimmer) which OpenedAI Speech maps to configured
+ * Piper voices. Additional Piper voices (100+ across 40+ languages)
+ * can be accessed by passing the Piper voice ID directly.
+ *
+ * @example
+ * ```typescript
+ * const piper = new PiperTtsProvider("http://openedai-speech:8000/v1");
+ * const voices = await piper.listVoices();
+ * const result = await piper.synthesize("Hello!", { voice: "alloy" });
+ * ```
+ */
+export class PiperTtsProvider extends BaseTTSProvider {
+  readonly name = "piper";
+  readonly tier: SpeechTier = "fallback";
+
+  /**
+   * Create a new Piper TTS provider.
+   *
+   * @param baseURL - Base URL for the OpenedAI Speech endpoint (e.g. "http://openedai-speech:8000/v1")
+   * @param defaultVoice - Default OpenAI voice name (defaults to "alloy")
+   * @param defaultFormat - Default audio format (defaults to "mp3")
+   */
+  constructor(
+    baseURL: string,
+    defaultVoice: string = PIPER_DEFAULT_VOICE,
+    defaultFormat: AudioFormat = PIPER_DEFAULT_FORMAT
+  ) {
+    super(baseURL, defaultVoice, defaultFormat);
+  }
+
+  /**
+   * List available voices with OpenAI-to-Piper mapping metadata.
+   *
+   * Returns the 6 standard OpenAI voice names with information about
+   * the underlying Piper voice, gender, and language. These are the
+   * voices that can be specified in the `voice` parameter of synthesize().
+   *
+   * @returns Array of VoiceInfo objects for all mapped Piper voices
+   */
+  override listVoices(): Promise<VoiceInfo[]> {
+    const voices: VoiceInfo[] = OPENAI_STANDARD_VOICES.map((voiceId) => {
+      const mapping = PIPER_VOICE_MAP[voiceId] ?? DEFAULT_MAPPING;
+      const genderLabel = mapping.gender === "female" ? "Female" : "Male";
+      const label = voiceId.charAt(0).toUpperCase() + voiceId.slice(1);
+
+      return {
+        id: voiceId,
+        name: `${label} (${genderLabel} - ${mapping.description})`,
+        language: mapping.language,
+        tier: this.tier,
+        isDefault: voiceId === this.defaultVoice,
+      };
+    });
+
+    return Promise.resolve(voices);
+  }
+}
--- a/apps/api/src/speech/providers/speaches-stt.provider.spec.ts
+++ b/apps/api/src/speech/providers/speaches-stt.provider.spec.ts
@@ -0,0 +1,468 @@
+/**
+ * SpeachesSttProvider Tests
+ *
+ * TDD tests for the Speaches/faster-whisper STT provider.
+ * Tests cover transcription, error handling, health checks, and config injection.
+ *
+ * Issue #390
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { SpeachesSttProvider } from "./speaches-stt.provider";
+import type { SpeechConfig } from "../speech.config";
+import type { TranscribeOptions } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+const { mockCreate, mockModelsList, mockToFile, mockOpenAIConstructorCalls } = vi.hoisted(() => {
+  const mockCreate = vi.fn();
+  const mockModelsList = vi.fn();
+  const mockToFile = vi.fn().mockImplementation(async (buffer: Buffer, name: string) => {
+    return new File([buffer], name);
+  });
+  const mockOpenAIConstructorCalls: Array<Record<string, unknown>> = [];
+  return { mockCreate, mockModelsList, mockToFile, mockOpenAIConstructorCalls };
+});
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      transcriptions: {
+        create: mockCreate,
+      },
+    };
+    models = {
+      list: mockModelsList,
+    };
+    constructor(config: Record<string, unknown>) {
+      mockOpenAIConstructorCalls.push(config);
+    }
+  }
+  return {
+    default: MockOpenAI,
+    toFile: mockToFile,
+  };
+});
+
+// ==========================================
+// Test helpers
+// ==========================================
+
+function createTestConfig(overrides?: Partial<SpeechConfig["stt"]>): SpeechConfig {
+  return {
+    stt: {
+      enabled: true,
+      baseUrl: "http://speaches:8000/v1",
+      model: "Systran/faster-whisper-large-v3-turbo",
+      language: "en",
+      ...overrides,
+    },
+    tts: {
+      default: { enabled: false, url: "", voice: "", format: "" },
+      premium: { enabled: false, url: "" },
+      fallback: { enabled: false, url: "" },
+    },
+    limits: {
+      maxUploadSize: 25_000_000,
+      maxDurationSeconds: 600,
+      maxTextLength: 4096,
+    },
+  };
+}
+
+function createMockVerboseResponse(overrides?: Record<string, unknown>): Record<string, unknown> {
+  return {
+    text: "Hello, world!",
+    language: "en",
+    duration: 3.5,
+    segments: [
+      {
+        id: 0,
+        text: "Hello, world!",
+        start: 0.0,
+        end: 3.5,
+        avg_logprob: -0.25,
+        compression_ratio: 1.2,
+        no_speech_prob: 0.01,
+        seek: 0,
+        temperature: 0.0,
+        tokens: [1, 2, 3],
+      },
+    ],
+    ...overrides,
+  };
+}
+
+describe("SpeachesSttProvider", () => {
+  let provider: SpeachesSttProvider;
+  let config: SpeechConfig;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockOpenAIConstructorCalls.length = 0;
+    config = createTestConfig();
+    provider = new SpeachesSttProvider(config);
+  });
+
+  // ==========================================
+  // Provider identity
+  // ==========================================
+  describe("name", () => {
+    it("should have the name 'speaches'", () => {
+      expect(provider.name).toBe("speaches");
+    });
+  });
+
+  // ==========================================
+  // transcribe
+  // ==========================================
+  describe("transcribe", () => {
+    it("should call OpenAI audio.transcriptions.create with correct parameters", async () => {
+      const mockResponse = createMockVerboseResponse();
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      await provider.transcribe(audio);
+
+      expect(mockCreate).toHaveBeenCalledOnce();
+      const callArgs = mockCreate.mock.calls[0][0];
+      expect(callArgs.model).toBe("Systran/faster-whisper-large-v3-turbo");
+      expect(callArgs.language).toBe("en");
+      expect(callArgs.response_format).toBe("verbose_json");
+    });
+
+    it("should convert Buffer to File using toFile", async () => {
+      const mockResponse = createMockVerboseResponse();
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      await provider.transcribe(audio);
+
+      expect(mockToFile).toHaveBeenCalledWith(audio, "audio.wav", {
+        type: "audio/wav",
+      });
+    });
+
+    it("should return TranscriptionResult with text and language", async () => {
+      const mockResponse = createMockVerboseResponse();
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      const result = await provider.transcribe(audio);
+
+      expect(result.text).toBe("Hello, world!");
+      expect(result.language).toBe("en");
+    });
+
+    it("should return durationSeconds from verbose response", async () => {
+      const mockResponse = createMockVerboseResponse({ duration: 5.25 });
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      const result = await provider.transcribe(audio);
+
+      expect(result.durationSeconds).toBe(5.25);
+    });
+
+    it("should map segments from verbose response", async () => {
+      const mockResponse = createMockVerboseResponse({
+        segments: [
+          {
+            id: 0,
+            text: "Hello,",
+            start: 0.0,
+            end: 1.5,
+            avg_logprob: -0.2,
+            compression_ratio: 1.1,
+            no_speech_prob: 0.01,
+            seek: 0,
+            temperature: 0.0,
+            tokens: [1, 2],
+          },
+          {
+            id: 1,
+            text: " world!",
+            start: 1.5,
+            end: 3.5,
+            avg_logprob: -0.3,
+            compression_ratio: 1.3,
+            no_speech_prob: 0.02,
+            seek: 0,
+            temperature: 0.0,
+            tokens: [3, 4],
+          },
+        ],
+      });
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      const result = await provider.transcribe(audio);
+
+      expect(result.segments).toHaveLength(2);
+      expect(result.segments?.[0]).toEqual({
+        text: "Hello,",
+        start: 0.0,
+        end: 1.5,
+      });
+      expect(result.segments?.[1]).toEqual({
+        text: " world!",
+        start: 1.5,
+        end: 3.5,
+      });
+    });
+
+    it("should handle response without segments gracefully", async () => {
+      const mockResponse = createMockVerboseResponse({ segments: undefined });
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      const result = await provider.transcribe(audio);
+
+      expect(result.text).toBe("Hello, world!");
+      expect(result.segments).toBeUndefined();
+    });
+
+    it("should handle response without duration gracefully", async () => {
+      const mockResponse = createMockVerboseResponse({ duration: undefined });
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      const result = await provider.transcribe(audio);
+
+      expect(result.text).toBe("Hello, world!");
+      expect(result.durationSeconds).toBeUndefined();
+    });
+
+    // ------------------------------------------
+    // Options override
+    // ------------------------------------------
+    describe("options override", () => {
+      it("should use custom model from options when provided", async () => {
+        const mockResponse = createMockVerboseResponse();
+        mockCreate.mockResolvedValueOnce(mockResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const options: TranscribeOptions = { model: "custom-whisper-model" };
+        await provider.transcribe(audio, options);
+
+        const callArgs = mockCreate.mock.calls[0][0];
+        expect(callArgs.model).toBe("custom-whisper-model");
+      });
+
+      it("should use custom language from options when provided", async () => {
+        const mockResponse = createMockVerboseResponse({ language: "fr" });
+        mockCreate.mockResolvedValueOnce(mockResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const options: TranscribeOptions = { language: "fr" };
+        await provider.transcribe(audio, options);
+
+        const callArgs = mockCreate.mock.calls[0][0];
+        expect(callArgs.language).toBe("fr");
+      });
+
+      it("should pass through prompt option", async () => {
+        const mockResponse = createMockVerboseResponse();
+        mockCreate.mockResolvedValueOnce(mockResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const options: TranscribeOptions = { prompt: "This is a meeting about project planning." };
+        await provider.transcribe(audio, options);
+
+        const callArgs = mockCreate.mock.calls[0][0];
+        expect(callArgs.prompt).toBe("This is a meeting about project planning.");
+      });
+
+      it("should pass through temperature option", async () => {
+        const mockResponse = createMockVerboseResponse();
+        mockCreate.mockResolvedValueOnce(mockResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const options: TranscribeOptions = { temperature: 0.3 };
+        await provider.transcribe(audio, options);
+
+        const callArgs = mockCreate.mock.calls[0][0];
+        expect(callArgs.temperature).toBe(0.3);
+      });
+
+      it("should use custom mimeType for file conversion when provided", async () => {
+        const mockResponse = createMockVerboseResponse();
+        mockCreate.mockResolvedValueOnce(mockResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const options: TranscribeOptions = { mimeType: "audio/mp3" };
+        await provider.transcribe(audio, options);
+
+        expect(mockToFile).toHaveBeenCalledWith(audio, "audio.mp3", {
+          type: "audio/mp3",
+        });
+      });
+    });
+
+    // ------------------------------------------
+    // Simple response fallback
+    // ------------------------------------------
+    describe("simple response fallback", () => {
+      it("should handle simple Transcription response (text only, no verbose fields)", async () => {
+        // Some configurations may return just { text: "..." } without verbose fields
+        const simpleResponse = { text: "Simple transcription result." };
+        mockCreate.mockResolvedValueOnce(simpleResponse);
+
+        const audio = Buffer.from("fake-audio-data");
+        const result = await provider.transcribe(audio);
+
+        expect(result.text).toBe("Simple transcription result.");
+        expect(result.language).toBe("en"); // Falls back to config language
+        expect(result.durationSeconds).toBeUndefined();
+        expect(result.segments).toBeUndefined();
+      });
+    });
+  });
+
+  // ==========================================
+  // Error handling
+  // ==========================================
+  describe("error handling", () => {
+    it("should throw a descriptive error on connection refused", async () => {
+      const connectionError = new Error("connect ECONNREFUSED 127.0.0.1:8000");
+      mockCreate.mockRejectedValueOnce(connectionError);
+
+      const audio = Buffer.from("fake-audio-data");
+      await expect(provider.transcribe(audio)).rejects.toThrow(
+        "STT transcription failed: connect ECONNREFUSED 127.0.0.1:8000"
+      );
+    });
+
+    it("should throw a descriptive error on timeout", async () => {
+      const timeoutError = new Error("Request timed out");
+      mockCreate.mockRejectedValueOnce(timeoutError);
+
+      const audio = Buffer.from("fake-audio-data");
+      await expect(provider.transcribe(audio)).rejects.toThrow(
+        "STT transcription failed: Request timed out"
+      );
+    });
+
+    it("should throw a descriptive error on API error", async () => {
+      const apiError = new Error("Invalid model: nonexistent-model");
+      mockCreate.mockRejectedValueOnce(apiError);
+
+      const audio = Buffer.from("fake-audio-data");
+      await expect(provider.transcribe(audio)).rejects.toThrow(
+        "STT transcription failed: Invalid model: nonexistent-model"
+      );
+    });
+
+    it("should handle non-Error thrown values", async () => {
+      mockCreate.mockRejectedValueOnce("unexpected string error");
+
+      const audio = Buffer.from("fake-audio-data");
+      await expect(provider.transcribe(audio)).rejects.toThrow(
+        "STT transcription failed: unexpected string error"
+      );
+    });
+  });
+
+  // ==========================================
+  // isHealthy
+  // ==========================================
+  describe("isHealthy", () => {
+    it("should return true when the server is reachable", async () => {
+      mockModelsList.mockResolvedValueOnce({ data: [{ id: "whisper-1" }] });
+
+      const healthy = await provider.isHealthy();
+      expect(healthy).toBe(true);
+    });
+
+    it("should return false when the server is unreachable", async () => {
+      mockModelsList.mockRejectedValueOnce(new Error("connect ECONNREFUSED"));
+
+      const healthy = await provider.isHealthy();
+      expect(healthy).toBe(false);
+    });
+
+    it("should not throw on health check failure", async () => {
+      mockModelsList.mockRejectedValueOnce(new Error("Network error"));
+
+      await expect(provider.isHealthy()).resolves.toBe(false);
+    });
+
+    it("should return false on unexpected error types", async () => {
+      mockModelsList.mockRejectedValueOnce("string error");
+
+      const healthy = await provider.isHealthy();
+      expect(healthy).toBe(false);
+    });
+  });
+
+  // ==========================================
+  // Config injection
+  // ==========================================
+  describe("config injection", () => {
+    it("should create OpenAI client with baseURL from config", () => {
+      // The constructor was called in beforeEach
+      expect(mockOpenAIConstructorCalls).toHaveLength(1);
+      expect(mockOpenAIConstructorCalls[0]).toEqual(
+        expect.objectContaining({
+          baseURL: "http://speaches:8000/v1",
+        })
+      );
+    });
+
+    it("should use custom baseURL from config", () => {
+      mockOpenAIConstructorCalls.length = 0;
+      const customConfig = createTestConfig({
+        baseUrl: "http://custom-speaches:9000/v1",
+      });
+      new SpeachesSttProvider(customConfig);
+
+      expect(mockOpenAIConstructorCalls).toHaveLength(1);
+      expect(mockOpenAIConstructorCalls[0]).toEqual(
+        expect.objectContaining({
+          baseURL: "http://custom-speaches:9000/v1",
+        })
+      );
+    });
+
+    it("should use default model from config for transcription", async () => {
+      const customConfig = createTestConfig({
+        model: "Systran/faster-whisper-small",
+      });
+      const customProvider = new SpeachesSttProvider(customConfig);
+
+      const mockResponse = createMockVerboseResponse();
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      await customProvider.transcribe(audio);
+
+      const callArgs = mockCreate.mock.calls[0][0];
+      expect(callArgs.model).toBe("Systran/faster-whisper-small");
+    });
+
+    it("should use default language from config for transcription", async () => {
+      const customConfig = createTestConfig({ language: "de" });
+      const customProvider = new SpeachesSttProvider(customConfig);
+
+      const mockResponse = createMockVerboseResponse({ language: "de" });
+      mockCreate.mockResolvedValueOnce(mockResponse);
+
+      const audio = Buffer.from("fake-audio-data");
+      await customProvider.transcribe(audio);
+
+      const callArgs = mockCreate.mock.calls[0][0];
+      expect(callArgs.language).toBe("de");
+    });
+
+    it("should set a dummy API key for local Speaches server", () => {
+      expect(mockOpenAIConstructorCalls).toHaveLength(1);
+      expect(mockOpenAIConstructorCalls[0]).toEqual(
+        expect.objectContaining({
+          apiKey: "not-needed",
+        })
+      );
+    });
+  });
+});
--- a/apps/api/src/speech/providers/speaches-stt.provider.ts
+++ b/apps/api/src/speech/providers/speaches-stt.provider.ts
@@ -0,0 +1,180 @@
+/**
+ * SpeachesSttProvider
+ *
+ * Speech-to-text provider using Speaches (faster-whisper backend).
+ * Connects to the Speaches server via its OpenAI-compatible
+ * `/v1/audio/transcriptions` endpoint using the OpenAI SDK.
+ *
+ * Issue #390
+ */
+
+import { Injectable, Inject, Logger } from "@nestjs/common";
+import OpenAI from "openai";
+import { toFile } from "openai";
+import { speechConfig, type SpeechConfig } from "../speech.config";
+import type { ISTTProvider } from "../interfaces/stt-provider.interface";
+import type {
+  TranscribeOptions,
+  TranscriptionResult,
+  TranscriptionSegment,
+} from "../interfaces/speech-types";
+
+/**
+ * Derive file extension from a MIME type for use in the uploaded file name.
+ */
+function extensionFromMimeType(mimeType: string): string {
+  const mapping: Record<string, string> = {
+    "audio/wav": "wav",
+    "audio/wave": "wav",
+    "audio/x-wav": "wav",
+    "audio/mp3": "mp3",
+    "audio/mpeg": "mp3",
+    "audio/mp4": "mp4",
+    "audio/m4a": "m4a",
+    "audio/ogg": "ogg",
+    "audio/flac": "flac",
+    "audio/webm": "webm",
+    "audio/mpga": "mpga",
+  };
+  return mapping[mimeType] ?? "wav";
+}
+
+/**
+ * STT provider backed by a Speaches (faster-whisper) server.
+ *
+ * Speaches exposes an OpenAI-compatible `/v1/audio/transcriptions` endpoint,
+ * so we re-use the official OpenAI SDK with a custom `baseURL`.
+ *
+ * @example
+ * ```typescript
+ * const provider = new SpeachesSttProvider(speechConfig);
+ * const result = await provider.transcribe(audioBuffer, { language: "en" });
+ * console.log(result.text);
+ * ```
+ */
+@Injectable()
+export class SpeachesSttProvider implements ISTTProvider {
+  readonly name = "speaches";
+
+  private readonly logger = new Logger(SpeachesSttProvider.name);
+  private readonly client: OpenAI;
+  private readonly config: SpeechConfig;
+
+  constructor(
+    @Inject(speechConfig.KEY)
+    config: SpeechConfig
+  ) {
+    this.config = config;
+
+    this.client = new OpenAI({
+      baseURL: config.stt.baseUrl,
+      apiKey: "not-needed", // Speaches does not require an API key
+    });
+
+    this.logger.log(
+      `Speaches STT provider initialized (endpoint: ${config.stt.baseUrl}, model: ${config.stt.model})`
+    );
+  }
+
+  /**
+   * Transcribe audio data to text using the Speaches server.
+   *
+   * Sends the audio buffer to the `/v1/audio/transcriptions` endpoint
+   * with `response_format=verbose_json` to get segments and duration data.
+   *
+   * @param audio - Raw audio data as a Buffer
+   * @param options - Optional transcription parameters (model, language, prompt, temperature)
+   * @returns Transcription result with text, language, duration, and optional segments
+   * @throws {Error} If transcription fails (connection error, API error, etc.)
+   */
+  async transcribe(audio: Buffer, options?: TranscribeOptions): Promise<TranscriptionResult> {
+    const model = options?.model ?? this.config.stt.model;
+    const language = options?.language ?? this.config.stt.language;
+    const mimeType = options?.mimeType ?? "audio/wav";
+    const extension = extensionFromMimeType(mimeType);
+
+    try {
+      const file = await toFile(audio, `audio.${extension}`, {
+        type: mimeType,
+      });
+
+      const response = await this.client.audio.transcriptions.create({
+        file,
+        model,
+        language,
+        response_format: "verbose_json",
+        ...(options?.prompt !== undefined ? { prompt: options.prompt } : {}),
+        ...(options?.temperature !== undefined ? { temperature: options.temperature } : {}),
+      });
+
+      return this.mapResponse(response, language);
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.error(`Transcription failed: ${message}`);
+      throw new Error(`STT transcription failed: ${message}`);
+    }
+  }
+
+  /**
+   * Check if the Speaches server is healthy and reachable.
+   *
+   * Attempts to list models from the server. Returns true if the request
+   * succeeds, false otherwise.
+   *
+   * @returns true if the Speaches server is reachable and ready
+   */
+  async isHealthy(): Promise<boolean> {
+    try {
+      await this.client.models.list();
+      return true;
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Speaches health check failed: ${message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Map the OpenAI SDK transcription response to our TranscriptionResult type.
+   *
+   * Handles both verbose responses (with duration, segments) and simple
+   * responses (text only).
+   */
+  private mapResponse(
+    response: OpenAI.Audio.Transcriptions.TranscriptionVerbose | Record<string, unknown>,
+    fallbackLanguage: string
+  ): TranscriptionResult {
+    const text = (response as { text: string }).text;
+    const verboseResponse = response as {
+      text: string;
+      language?: string;
+      duration?: number;
+      segments?: {
+        text: string;
+        start: number;
+        end: number;
+      }[];
+    };
+
+    const result: TranscriptionResult = {
+      text,
+      language: verboseResponse.language ?? fallbackLanguage,
+    };
+
+    if (verboseResponse.duration !== undefined) {
+      result.durationSeconds = verboseResponse.duration;
+    }
+
+    if (verboseResponse.segments !== undefined && Array.isArray(verboseResponse.segments)) {
+      result.segments = verboseResponse.segments.map(
+        (segment): TranscriptionSegment => ({
+          text: segment.text,
+          start: segment.start,
+          end: segment.end,
+        })
+      );
+    }
+
+    return result;
+  }
+}
--- a/apps/api/src/speech/providers/tts-provider.factory.spec.ts
+++ b/apps/api/src/speech/providers/tts-provider.factory.spec.ts
@@ -0,0 +1,279 @@
+/**
+ * TTS Provider Factory Unit Tests
+ *
+ * Tests the factory that creates and registers TTS providers based on config.
+ *
+ * Issue #391
+ */
+
+import { describe, it, expect, vi } from "vitest";
+import { createTTSProviders } from "./tts-provider.factory";
+import type { SpeechConfig } from "../speech.config";
+import type { SpeechTier } from "../interfaces/speech-types";
+
+// ==========================================
+// Mock OpenAI SDK
+// ==========================================
+
+vi.mock("openai", () => {
+  class MockOpenAI {
+    audio = {
+      speech: {
+        create: vi.fn(),
+      },
+    };
+  }
+  return { default: MockOpenAI };
+});
+
+// ==========================================
+// Test helpers
+// ==========================================
+
+function createTestConfig(overrides?: Partial<SpeechConfig>): SpeechConfig {
+  return {
+    stt: {
+      enabled: false,
+      baseUrl: "http://speaches:8000/v1",
+      model: "whisper",
+      language: "en",
+    },
+    tts: {
+      default: {
+        enabled: false,
+        url: "http://kokoro-tts:8880/v1",
+        voice: "af_heart",
+        format: "mp3",
+      },
+      premium: {
+        enabled: false,
+        url: "http://chatterbox-tts:8881/v1",
+      },
+      fallback: {
+        enabled: false,
+        url: "http://openedai-speech:8000/v1",
+      },
+    },
+    limits: {
+      maxUploadSize: 25_000_000,
+      maxDurationSeconds: 600,
+      maxTextLength: 4096,
+    },
+    ...overrides,
+  };
+}
+
+describe("createTTSProviders", () => {
+  // ==========================================
+  // Empty map when nothing enabled
+  // ==========================================
+
+  describe("when no TTS tiers are enabled", () => {
+    it("should return an empty map", () => {
+      const config = createTestConfig();
+      const providers = createTTSProviders(config);
+
+      expect(providers).toBeInstanceOf(Map);
+      expect(providers.size).toBe(0);
+    });
+  });
+
+  // ==========================================
+  // Default tier
+  // ==========================================
+
+  describe("when default tier is enabled", () => {
+    it("should create a provider for the default tier", () => {
+      const config = createTestConfig({
+        tts: {
+          default: {
+            enabled: true,
+            url: "http://kokoro-tts:8880/v1",
+            voice: "af_heart",
+            format: "mp3",
+          },
+          premium: { enabled: false, url: "" },
+          fallback: { enabled: false, url: "" },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      expect(providers.size).toBe(1);
+      expect(providers.has("default")).toBe(true);
+
+      const provider = providers.get("default");
+      expect(provider).toBeDefined();
+      expect(provider?.tier).toBe("default");
+      expect(provider?.name).toBe("kokoro");
+    });
+  });
+
+  // ==========================================
+  // Premium tier
+  // ==========================================
+
+  describe("when premium tier is enabled", () => {
+    it("should create a provider for the premium tier", () => {
+      const config = createTestConfig({
+        tts: {
+          default: { enabled: false, url: "", voice: "", format: "" },
+          premium: {
+            enabled: true,
+            url: "http://chatterbox-tts:8881/v1",
+          },
+          fallback: { enabled: false, url: "" },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      expect(providers.size).toBe(1);
+      expect(providers.has("premium")).toBe(true);
+
+      const provider = providers.get("premium");
+      expect(provider).toBeDefined();
+      expect(provider?.tier).toBe("premium");
+      expect(provider?.name).toBe("chatterbox");
+    });
+  });
+
+  // ==========================================
+  // Fallback tier
+  // ==========================================
+
+  describe("when fallback tier is enabled", () => {
+    it("should create a provider for the fallback tier", () => {
+      const config = createTestConfig({
+        tts: {
+          default: { enabled: false, url: "", voice: "", format: "" },
+          premium: { enabled: false, url: "" },
+          fallback: {
+            enabled: true,
+            url: "http://openedai-speech:8000/v1",
+          },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      expect(providers.size).toBe(1);
+      expect(providers.has("fallback")).toBe(true);
+
+      const provider = providers.get("fallback");
+      expect(provider).toBeDefined();
+      expect(provider?.tier).toBe("fallback");
+      expect(provider?.name).toBe("piper");
+    });
+  });
+
+  // ==========================================
+  // Multiple tiers
+  // ==========================================
+
+  describe("when multiple tiers are enabled", () => {
+    it("should create providers for all enabled tiers", () => {
+      const config = createTestConfig({
+        tts: {
+          default: {
+            enabled: true,
+            url: "http://kokoro-tts:8880/v1",
+            voice: "af_heart",
+            format: "mp3",
+          },
+          premium: {
+            enabled: true,
+            url: "http://chatterbox-tts:8881/v1",
+          },
+          fallback: {
+            enabled: true,
+            url: "http://openedai-speech:8000/v1",
+          },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      expect(providers.size).toBe(3);
+      expect(providers.has("default")).toBe(true);
+      expect(providers.has("premium")).toBe(true);
+      expect(providers.has("fallback")).toBe(true);
+    });
+
+    it("should create providers only for enabled tiers", () => {
+      const config = createTestConfig({
+        tts: {
+          default: {
+            enabled: true,
+            url: "http://kokoro-tts:8880/v1",
+            voice: "af_heart",
+            format: "mp3",
+          },
+          premium: { enabled: false, url: "" },
+          fallback: {
+            enabled: true,
+            url: "http://openedai-speech:8000/v1",
+          },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      expect(providers.size).toBe(2);
+      expect(providers.has("default")).toBe(true);
+      expect(providers.has("premium")).toBe(false);
+      expect(providers.has("fallback")).toBe(true);
+    });
+  });
+
+  // ==========================================
+  // Provider properties
+  // ==========================================
+
+  describe("provider properties", () => {
+    it("should implement ITTSProvider interface methods", () => {
+      const config = createTestConfig({
+        tts: {
+          default: {
+            enabled: true,
+            url: "http://kokoro-tts:8880/v1",
+            voice: "af_heart",
+            format: "mp3",
+          },
+          premium: { enabled: false, url: "" },
+          fallback: { enabled: false, url: "" },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+      const provider = providers.get("default");
+
+      expect(provider).toBeDefined();
+      expect(typeof provider?.synthesize).toBe("function");
+      expect(typeof provider?.listVoices).toBe("function");
+      expect(typeof provider?.isHealthy).toBe("function");
+    });
+
+    it("should return providers as a Map<SpeechTier, ITTSProvider>", () => {
+      const config = createTestConfig({
+        tts: {
+          default: {
+            enabled: true,
+            url: "http://kokoro-tts:8880/v1",
+            voice: "af_heart",
+            format: "mp3",
+          },
+          premium: { enabled: false, url: "" },
+          fallback: { enabled: false, url: "" },
+        },
+      });
+
+      const providers = createTTSProviders(config);
+
+      // Verify the map keys are valid SpeechTier values
+      for (const [tier] of providers) {
+        expect(["default", "premium", "fallback"]).toContain(tier as SpeechTier);
+      }
+    });
+  });
+});
--- a/apps/api/src/speech/providers/tts-provider.factory.ts
+++ b/apps/api/src/speech/providers/tts-provider.factory.ts
@@ -0,0 +1,75 @@
+/**
+ * TTS Provider Factory
+ *
+ * Creates and registers TTS providers based on speech configuration.
+ * Reads enabled flags and URLs from config and instantiates the appropriate
+ * provider for each tier.
+ *
+ * Each tier maps to a specific TTS engine:
+ * - default: Kokoro-FastAPI (CPU, always available)
+ * - premium: Chatterbox (GPU, voice cloning)
+ * - fallback: Piper via OpenedAI Speech (ultra-lightweight CPU)
+ *
+ * Issue #391
+ */
+
+import { Logger } from "@nestjs/common";
+import { ChatterboxTTSProvider } from "./chatterbox-tts.provider";
+import { KokoroTtsProvider } from "./kokoro-tts.provider";
+import { PiperTtsProvider } from "./piper-tts.provider";
+import type { ITTSProvider } from "../interfaces/tts-provider.interface";
+import type { SpeechTier } from "../interfaces/speech-types";
+import type { SpeechConfig } from "../speech.config";
+
+// ==========================================
+// Factory function
+// ==========================================
+
+const logger = new Logger("TTSProviderFactory");
+
+/**
+ * Create and register TTS providers based on the speech configuration.
+ *
+ * Only creates providers for tiers that are enabled in the config.
+ * Returns a Map keyed by SpeechTier for use with the TTS_PROVIDERS injection token.
+ *
+ * @param config - Speech configuration with TTS tier settings
+ * @returns Map of enabled TTS providers keyed by tier
+ */
+export function createTTSProviders(config: SpeechConfig): Map<SpeechTier, ITTSProvider> {
+  const providers = new Map<SpeechTier, ITTSProvider>();
+
+  // Default tier: Kokoro
+  if (config.tts.default.enabled) {
+    const provider = new KokoroTtsProvider(
+      config.tts.default.url,
+      config.tts.default.voice,
+      config.tts.default.format
+    );
+    providers.set("default", provider);
+    logger.log(`Registered default TTS provider: kokoro at ${config.tts.default.url}`);
+  }
+
+  // Premium tier: Chatterbox
+  if (config.tts.premium.enabled) {
+    const provider = new ChatterboxTTSProvider(config.tts.premium.url);
+    providers.set("premium", provider);
+    logger.log(`Registered premium TTS provider: chatterbox at ${config.tts.premium.url}`);
+  }
+
+  // Fallback tier: Piper
+  if (config.tts.fallback.enabled) {
+    const provider = new PiperTtsProvider(config.tts.fallback.url);
+    providers.set("fallback", provider);
+    logger.log(`Registered fallback TTS provider: piper at ${config.tts.fallback.url}`);
+  }
+
+  if (providers.size === 0) {
+    logger.warn("No TTS providers are enabled. TTS synthesis will not be available.");
+  } else {
+    const tierNames = Array.from(providers.keys()).join(", ");
+    logger.log(`TTS providers ready: ${tierNames} (${String(providers.size)} total)`);
+  }
+
+  return providers;
+}
--- a/apps/api/src/speech/speech.config.spec.ts
+++ b/apps/api/src/speech/speech.config.spec.ts
@@ -0,0 +1,458 @@
+/**
+ * Speech Configuration Tests
+ *
+ * Issue #401: Tests for speech services environment variable validation
+ * Tests cover STT, TTS (default, premium, fallback), and speech limits configuration.
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import {
+  isSttEnabled,
+  isTtsEnabled,
+  isTtsPremiumEnabled,
+  isTtsFallbackEnabled,
+  validateSpeechConfig,
+  getSpeechConfig,
+  type SpeechConfig,
+} from "./speech.config";
+
+describe("speech.config", () => {
+  const originalEnv = { ...process.env };
+
+  beforeEach(() => {
+    // Clear all speech-related env vars before each test
+    delete process.env.STT_ENABLED;
+    delete process.env.STT_BASE_URL;
+    delete process.env.STT_MODEL;
+    delete process.env.STT_LANGUAGE;
+    delete process.env.TTS_ENABLED;
+    delete process.env.TTS_DEFAULT_URL;
+    delete process.env.TTS_DEFAULT_VOICE;
+    delete process.env.TTS_DEFAULT_FORMAT;
+    delete process.env.TTS_PREMIUM_ENABLED;
+    delete process.env.TTS_PREMIUM_URL;
+    delete process.env.TTS_FALLBACK_ENABLED;
+    delete process.env.TTS_FALLBACK_URL;
+    delete process.env.SPEECH_MAX_UPLOAD_SIZE;
+    delete process.env.SPEECH_MAX_DURATION_SECONDS;
+    delete process.env.SPEECH_MAX_TEXT_LENGTH;
+  });
+
+  afterEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  // ==========================================
+  // STT enabled check
+  // ==========================================
+  describe("isSttEnabled", () => {
+    it("should return false when STT_ENABLED is not set", () => {
+      expect(isSttEnabled()).toBe(false);
+    });
+
+    it("should return false when STT_ENABLED is 'false'", () => {
+      process.env.STT_ENABLED = "false";
+      expect(isSttEnabled()).toBe(false);
+    });
+
+    it("should return false when STT_ENABLED is '0'", () => {
+      process.env.STT_ENABLED = "0";
+      expect(isSttEnabled()).toBe(false);
+    });
+
+    it("should return false when STT_ENABLED is empty string", () => {
+      process.env.STT_ENABLED = "";
+      expect(isSttEnabled()).toBe(false);
+    });
+
+    it("should return true when STT_ENABLED is 'true'", () => {
+      process.env.STT_ENABLED = "true";
+      expect(isSttEnabled()).toBe(true);
+    });
+
+    it("should return true when STT_ENABLED is '1'", () => {
+      process.env.STT_ENABLED = "1";
+      expect(isSttEnabled()).toBe(true);
+    });
+  });
+
+  // ==========================================
+  // TTS enabled check
+  // ==========================================
+  describe("isTtsEnabled", () => {
+    it("should return false when TTS_ENABLED is not set", () => {
+      expect(isTtsEnabled()).toBe(false);
+    });
+
+    it("should return false when TTS_ENABLED is 'false'", () => {
+      process.env.TTS_ENABLED = "false";
+      expect(isTtsEnabled()).toBe(false);
+    });
+
+    it("should return true when TTS_ENABLED is 'true'", () => {
+      process.env.TTS_ENABLED = "true";
+      expect(isTtsEnabled()).toBe(true);
+    });
+
+    it("should return true when TTS_ENABLED is '1'", () => {
+      process.env.TTS_ENABLED = "1";
+      expect(isTtsEnabled()).toBe(true);
+    });
+  });
+
+  // ==========================================
+  // TTS premium enabled check
+  // ==========================================
+  describe("isTtsPremiumEnabled", () => {
+    it("should return false when TTS_PREMIUM_ENABLED is not set", () => {
+      expect(isTtsPremiumEnabled()).toBe(false);
+    });
+
+    it("should return false when TTS_PREMIUM_ENABLED is 'false'", () => {
+      process.env.TTS_PREMIUM_ENABLED = "false";
+      expect(isTtsPremiumEnabled()).toBe(false);
+    });
+
+    it("should return true when TTS_PREMIUM_ENABLED is 'true'", () => {
+      process.env.TTS_PREMIUM_ENABLED = "true";
+      expect(isTtsPremiumEnabled()).toBe(true);
+    });
+  });
+
+  // ==========================================
+  // TTS fallback enabled check
+  // ==========================================
+  describe("isTtsFallbackEnabled", () => {
+    it("should return false when TTS_FALLBACK_ENABLED is not set", () => {
+      expect(isTtsFallbackEnabled()).toBe(false);
+    });
+
+    it("should return false when TTS_FALLBACK_ENABLED is 'false'", () => {
+      process.env.TTS_FALLBACK_ENABLED = "false";
+      expect(isTtsFallbackEnabled()).toBe(false);
+    });
+
+    it("should return true when TTS_FALLBACK_ENABLED is 'true'", () => {
+      process.env.TTS_FALLBACK_ENABLED = "true";
+      expect(isTtsFallbackEnabled()).toBe(true);
+    });
+  });
+
+  // ==========================================
+  // validateSpeechConfig
+  // ==========================================
+  describe("validateSpeechConfig", () => {
+    describe("when all services are disabled", () => {
+      it("should not throw when no speech services are enabled", () => {
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should not throw when services are explicitly disabled", () => {
+        process.env.STT_ENABLED = "false";
+        process.env.TTS_ENABLED = "false";
+        process.env.TTS_PREMIUM_ENABLED = "false";
+        process.env.TTS_FALLBACK_ENABLED = "false";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+    });
+
+    describe("STT validation", () => {
+      beforeEach(() => {
+        process.env.STT_ENABLED = "true";
+      });
+
+      it("should throw when STT is enabled but STT_BASE_URL is missing", () => {
+        expect(() => validateSpeechConfig()).toThrow("STT_BASE_URL");
+        expect(() => validateSpeechConfig()).toThrow(
+          "STT is enabled (STT_ENABLED=true) but required environment variables are missing"
+        );
+      });
+
+      it("should throw when STT_BASE_URL is empty string", () => {
+        process.env.STT_BASE_URL = "";
+        expect(() => validateSpeechConfig()).toThrow("STT_BASE_URL");
+      });
+
+      it("should throw when STT_BASE_URL is whitespace only", () => {
+        process.env.STT_BASE_URL = "   ";
+        expect(() => validateSpeechConfig()).toThrow("STT_BASE_URL");
+      });
+
+      it("should not throw when STT is enabled and STT_BASE_URL is set", () => {
+        process.env.STT_BASE_URL = "http://speaches:8000/v1";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should suggest disabling STT in error message", () => {
+        expect(() => validateSpeechConfig()).toThrow("STT_ENABLED=false");
+      });
+    });
+
+    describe("TTS default validation", () => {
+      beforeEach(() => {
+        process.env.TTS_ENABLED = "true";
+      });
+
+      it("should throw when TTS is enabled but TTS_DEFAULT_URL is missing", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_DEFAULT_URL");
+        expect(() => validateSpeechConfig()).toThrow(
+          "TTS is enabled (TTS_ENABLED=true) but required environment variables are missing"
+        );
+      });
+
+      it("should throw when TTS_DEFAULT_URL is empty string", () => {
+        process.env.TTS_DEFAULT_URL = "";
+        expect(() => validateSpeechConfig()).toThrow("TTS_DEFAULT_URL");
+      });
+
+      it("should not throw when TTS is enabled and TTS_DEFAULT_URL is set", () => {
+        process.env.TTS_DEFAULT_URL = "http://kokoro-tts:8880/v1";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should suggest disabling TTS in error message", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_ENABLED=false");
+      });
+    });
+
+    describe("TTS premium validation", () => {
+      beforeEach(() => {
+        process.env.TTS_PREMIUM_ENABLED = "true";
+      });
+
+      it("should throw when TTS premium is enabled but TTS_PREMIUM_URL is missing", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_PREMIUM_URL");
+        expect(() => validateSpeechConfig()).toThrow(
+          "TTS premium is enabled (TTS_PREMIUM_ENABLED=true) but required environment variables are missing"
+        );
+      });
+
+      it("should throw when TTS_PREMIUM_URL is empty string", () => {
+        process.env.TTS_PREMIUM_URL = "";
+        expect(() => validateSpeechConfig()).toThrow("TTS_PREMIUM_URL");
+      });
+
+      it("should not throw when TTS premium is enabled and TTS_PREMIUM_URL is set", () => {
+        process.env.TTS_PREMIUM_URL = "http://chatterbox-tts:8881/v1";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should suggest disabling TTS premium in error message", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_PREMIUM_ENABLED=false");
+      });
+    });
+
+    describe("TTS fallback validation", () => {
+      beforeEach(() => {
+        process.env.TTS_FALLBACK_ENABLED = "true";
+      });
+
+      it("should throw when TTS fallback is enabled but TTS_FALLBACK_URL is missing", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_FALLBACK_URL");
+        expect(() => validateSpeechConfig()).toThrow(
+          "TTS fallback is enabled (TTS_FALLBACK_ENABLED=true) but required environment variables are missing"
+        );
+      });
+
+      it("should throw when TTS_FALLBACK_URL is empty string", () => {
+        process.env.TTS_FALLBACK_URL = "";
+        expect(() => validateSpeechConfig()).toThrow("TTS_FALLBACK_URL");
+      });
+
+      it("should not throw when TTS fallback is enabled and TTS_FALLBACK_URL is set", () => {
+        process.env.TTS_FALLBACK_URL = "http://openedai-speech:8000/v1";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should suggest disabling TTS fallback in error message", () => {
+        expect(() => validateSpeechConfig()).toThrow("TTS_FALLBACK_ENABLED=false");
+      });
+    });
+
+    describe("multiple services enabled simultaneously", () => {
+      it("should validate all enabled services", () => {
+        process.env.STT_ENABLED = "true";
+        process.env.TTS_ENABLED = "true";
+        // Missing both STT_BASE_URL and TTS_DEFAULT_URL
+
+        expect(() => validateSpeechConfig()).toThrow("STT_BASE_URL");
+      });
+
+      it("should pass when all enabled services are properly configured", () => {
+        process.env.STT_ENABLED = "true";
+        process.env.STT_BASE_URL = "http://speaches:8000/v1";
+        process.env.TTS_ENABLED = "true";
+        process.env.TTS_DEFAULT_URL = "http://kokoro-tts:8880/v1";
+        process.env.TTS_PREMIUM_ENABLED = "true";
+        process.env.TTS_PREMIUM_URL = "http://chatterbox-tts:8881/v1";
+        process.env.TTS_FALLBACK_ENABLED = "true";
+        process.env.TTS_FALLBACK_URL = "http://openedai-speech:8000/v1";
+
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+    });
+
+    describe("limits validation", () => {
+      it("should throw when SPEECH_MAX_UPLOAD_SIZE is not a valid number", () => {
+        process.env.SPEECH_MAX_UPLOAD_SIZE = "not-a-number";
+        expect(() => validateSpeechConfig()).toThrow("SPEECH_MAX_UPLOAD_SIZE");
+        expect(() => validateSpeechConfig()).toThrow("must be a positive integer");
+      });
+
+      it("should throw when SPEECH_MAX_UPLOAD_SIZE is negative", () => {
+        process.env.SPEECH_MAX_UPLOAD_SIZE = "-100";
+        expect(() => validateSpeechConfig()).toThrow("SPEECH_MAX_UPLOAD_SIZE");
+      });
+
+      it("should throw when SPEECH_MAX_UPLOAD_SIZE is zero", () => {
+        process.env.SPEECH_MAX_UPLOAD_SIZE = "0";
+        expect(() => validateSpeechConfig()).toThrow("SPEECH_MAX_UPLOAD_SIZE");
+      });
+
+      it("should throw when SPEECH_MAX_DURATION_SECONDS is not a valid number", () => {
+        process.env.SPEECH_MAX_DURATION_SECONDS = "abc";
+        expect(() => validateSpeechConfig()).toThrow("SPEECH_MAX_DURATION_SECONDS");
+      });
+
+      it("should throw when SPEECH_MAX_TEXT_LENGTH is not a valid number", () => {
+        process.env.SPEECH_MAX_TEXT_LENGTH = "xyz";
+        expect(() => validateSpeechConfig()).toThrow("SPEECH_MAX_TEXT_LENGTH");
+      });
+
+      it("should not throw when limits are valid positive integers", () => {
+        process.env.SPEECH_MAX_UPLOAD_SIZE = "50000000";
+        process.env.SPEECH_MAX_DURATION_SECONDS = "1200";
+        process.env.SPEECH_MAX_TEXT_LENGTH = "8192";
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+
+      it("should not throw when limits are not set (uses defaults)", () => {
+        expect(() => validateSpeechConfig()).not.toThrow();
+      });
+    });
+  });
+
+  // ==========================================
+  // getSpeechConfig
+  // ==========================================
+  describe("getSpeechConfig", () => {
+    it("should return default values when no env vars are set", () => {
+      const config = getSpeechConfig();
+
+      expect(config.stt.enabled).toBe(false);
+      expect(config.stt.baseUrl).toBe("http://speaches:8000/v1");
+      expect(config.stt.model).toBe("Systran/faster-whisper-large-v3-turbo");
+      expect(config.stt.language).toBe("en");
+
+      expect(config.tts.default.enabled).toBe(false);
+      expect(config.tts.default.url).toBe("http://kokoro-tts:8880/v1");
+      expect(config.tts.default.voice).toBe("af_heart");
+      expect(config.tts.default.format).toBe("mp3");
+
+      expect(config.tts.premium.enabled).toBe(false);
+      expect(config.tts.premium.url).toBe("http://chatterbox-tts:8881/v1");
+
+      expect(config.tts.fallback.enabled).toBe(false);
+      expect(config.tts.fallback.url).toBe("http://openedai-speech:8000/v1");
+
+      expect(config.limits.maxUploadSize).toBe(25000000);
+      expect(config.limits.maxDurationSeconds).toBe(600);
+      expect(config.limits.maxTextLength).toBe(4096);
+    });
+
+    it("should use custom env var values when set", () => {
+      process.env.STT_ENABLED = "true";
+      process.env.STT_BASE_URL = "http://custom-stt:9000/v1";
+      process.env.STT_MODEL = "custom-model";
+      process.env.STT_LANGUAGE = "fr";
+
+      process.env.TTS_ENABLED = "true";
+      process.env.TTS_DEFAULT_URL = "http://custom-tts:9001/v1";
+      process.env.TTS_DEFAULT_VOICE = "custom_voice";
+      process.env.TTS_DEFAULT_FORMAT = "wav";
+
+      process.env.TTS_PREMIUM_ENABLED = "true";
+      process.env.TTS_PREMIUM_URL = "http://custom-premium:9002/v1";
+
+      process.env.TTS_FALLBACK_ENABLED = "true";
+      process.env.TTS_FALLBACK_URL = "http://custom-fallback:9003/v1";
+
+      process.env.SPEECH_MAX_UPLOAD_SIZE = "50000000";
+      process.env.SPEECH_MAX_DURATION_SECONDS = "1200";
+      process.env.SPEECH_MAX_TEXT_LENGTH = "8192";
+
+      const config = getSpeechConfig();
+
+      expect(config.stt.enabled).toBe(true);
+      expect(config.stt.baseUrl).toBe("http://custom-stt:9000/v1");
+      expect(config.stt.model).toBe("custom-model");
+      expect(config.stt.language).toBe("fr");
+
+      expect(config.tts.default.enabled).toBe(true);
+      expect(config.tts.default.url).toBe("http://custom-tts:9001/v1");
+      expect(config.tts.default.voice).toBe("custom_voice");
+      expect(config.tts.default.format).toBe("wav");
+
+      expect(config.tts.premium.enabled).toBe(true);
+      expect(config.tts.premium.url).toBe("http://custom-premium:9002/v1");
+
+      expect(config.tts.fallback.enabled).toBe(true);
+      expect(config.tts.fallback.url).toBe("http://custom-fallback:9003/v1");
+
+      expect(config.limits.maxUploadSize).toBe(50000000);
+      expect(config.limits.maxDurationSeconds).toBe(1200);
+      expect(config.limits.maxTextLength).toBe(8192);
+    });
+
+    it("should return typed SpeechConfig object", () => {
+      const config: SpeechConfig = getSpeechConfig();
+
+      // Verify structure matches the SpeechConfig type
+      expect(config).toHaveProperty("stt");
+      expect(config).toHaveProperty("tts");
+      expect(config).toHaveProperty("limits");
+      expect(config.tts).toHaveProperty("default");
+      expect(config.tts).toHaveProperty("premium");
+      expect(config.tts).toHaveProperty("fallback");
+    });
+
+    it("should handle partial env var overrides", () => {
+      process.env.STT_ENABLED = "true";
+      process.env.STT_BASE_URL = "http://custom-stt:9000/v1";
+      // STT_MODEL and STT_LANGUAGE not set, should use defaults
+
+      const config = getSpeechConfig();
+
+      expect(config.stt.enabled).toBe(true);
+      expect(config.stt.baseUrl).toBe("http://custom-stt:9000/v1");
+      expect(config.stt.model).toBe("Systran/faster-whisper-large-v3-turbo");
+      expect(config.stt.language).toBe("en");
+    });
+
+    it("should parse numeric limits correctly", () => {
+      process.env.SPEECH_MAX_UPLOAD_SIZE = "10000000";
+      const config = getSpeechConfig();
+      expect(typeof config.limits.maxUploadSize).toBe("number");
+      expect(config.limits.maxUploadSize).toBe(10000000);
+    });
+  });
+
+  // ==========================================
+  // registerAs integration
+  // ==========================================
+  describe("speechConfig (registerAs factory)", () => {
+    it("should be importable as a config namespace factory", async () => {
+      const { speechConfig } = await import("./speech.config");
+      expect(speechConfig).toBeDefined();
+      expect(speechConfig.KEY).toBe("CONFIGURATION(speech)");
+    });
+
+    it("should return config object when called", async () => {
+      const { speechConfig } = await import("./speech.config");
+      const config = speechConfig() as SpeechConfig;
+      expect(config).toHaveProperty("stt");
+      expect(config).toHaveProperty("tts");
+      expect(config).toHaveProperty("limits");
+    });
+  });
+});
--- a/apps/api/src/speech/speech.config.ts
+++ b/apps/api/src/speech/speech.config.ts
@@ -0,0 +1,305 @@
+/**
+ * Speech Services Configuration
+ *
+ * Issue #401: Environment variables and validation for STT (speech-to-text),
+ * TTS (text-to-speech), and speech service limits.
+ *
+ * Validates conditional requirements at startup:
+ * - STT_BASE_URL is required when STT_ENABLED=true
+ * - TTS_DEFAULT_URL is required when TTS_ENABLED=true
+ * - TTS_PREMIUM_URL is required when TTS_PREMIUM_ENABLED=true
+ * - TTS_FALLBACK_URL is required when TTS_FALLBACK_ENABLED=true
+ */
+
+import { registerAs } from "@nestjs/config";
+import type { AudioFormat } from "./interfaces/speech-types";
+
+// ==========================================
+// Default values
+// ==========================================
+
+const STT_DEFAULTS = {
+  baseUrl: "http://speaches:8000/v1",
+  model: "Systran/faster-whisper-large-v3-turbo",
+  language: "en",
+} as const;
+
+const TTS_DEFAULT_DEFAULTS = {
+  url: "http://kokoro-tts:8880/v1",
+  voice: "af_heart",
+  format: "mp3",
+} as const;
+
+const TTS_PREMIUM_DEFAULTS = {
+  url: "http://chatterbox-tts:8881/v1",
+} as const;
+
+const TTS_FALLBACK_DEFAULTS = {
+  url: "http://openedai-speech:8000/v1",
+} as const;
+
+const LIMITS_DEFAULTS = {
+  maxUploadSize: 25_000_000,
+  maxDurationSeconds: 600,
+  maxTextLength: 4096,
+} as const;
+
+// ==========================================
+// Types
+// ==========================================
+
+export interface SttConfig {
+  enabled: boolean;
+  baseUrl: string;
+  model: string;
+  language: string;
+}
+
+export interface TtsDefaultConfig {
+  enabled: boolean;
+  url: string;
+  voice: string;
+  format: AudioFormat;
+}
+
+export interface TtsPremiumConfig {
+  enabled: boolean;
+  url: string;
+}
+
+export interface TtsFallbackConfig {
+  enabled: boolean;
+  url: string;
+}
+
+export interface TtsConfig {
+  default: TtsDefaultConfig;
+  premium: TtsPremiumConfig;
+  fallback: TtsFallbackConfig;
+}
+
+export interface SpeechLimitsConfig {
+  maxUploadSize: number;
+  maxDurationSeconds: number;
+  maxTextLength: number;
+}
+
+export interface SpeechConfig {
+  stt: SttConfig;
+  tts: TtsConfig;
+  limits: SpeechLimitsConfig;
+}
+
+// ==========================================
+// Helper: parse boolean env var
+// ==========================================
+
+function parseBooleanEnv(value: string | undefined): boolean {
+  return value === "true" || value === "1";
+}
+
+// ==========================================
+// Enabled checks
+// ==========================================
+
+/**
+ * Check if speech-to-text (STT) is enabled via environment variable.
+ */
+export function isSttEnabled(): boolean {
+  return parseBooleanEnv(process.env.STT_ENABLED);
+}
+
+/**
+ * Check if text-to-speech (TTS) default engine is enabled via environment variable.
+ */
+export function isTtsEnabled(): boolean {
+  return parseBooleanEnv(process.env.TTS_ENABLED);
+}
+
+/**
+ * Check if TTS premium engine (Chatterbox) is enabled via environment variable.
+ */
+export function isTtsPremiumEnabled(): boolean {
+  return parseBooleanEnv(process.env.TTS_PREMIUM_ENABLED);
+}
+
+/**
+ * Check if TTS fallback engine (Piper/OpenedAI) is enabled via environment variable.
+ */
+export function isTtsFallbackEnabled(): boolean {
+  return parseBooleanEnv(process.env.TTS_FALLBACK_ENABLED);
+}
+
+// ==========================================
+// Validation helpers
+// ==========================================
+
+/**
+ * Check if an environment variable has a non-empty value.
+ */
+function isEnvVarSet(envVar: string): boolean {
+  const value = process.env[envVar];
+  return value !== undefined && value.trim() !== "";
+}
+
+/**
+ * Validate that required env vars are set when a service is enabled.
+ * Throws with a helpful error message listing missing vars and how to disable.
+ */
+function validateRequiredVars(
+  serviceName: string,
+  enabledFlag: string,
+  requiredVars: string[]
+): void {
+  const missingVars: string[] = [];
+
+  for (const envVar of requiredVars) {
+    if (!isEnvVarSet(envVar)) {
+      missingVars.push(envVar);
+    }
+  }
+
+  if (missingVars.length > 0) {
+    throw new Error(
+      `${serviceName} is enabled (${enabledFlag}=true) but required environment variables are missing or empty: ${missingVars.join(", ")}. ` +
+        `Either set these variables or disable by setting ${enabledFlag}=false.`
+    );
+  }
+}
+
+/**
+ * Validate that a numeric env var, if set, is a positive integer.
+ */
+function validatePositiveInteger(envVar: string): void {
+  const value = process.env[envVar];
+  if (value === undefined || value.trim() === "") {
+    return; // Not set, will use default
+  }
+
+  const parsed = parseInt(value, 10);
+  if (isNaN(parsed) || parsed <= 0 || String(parsed) !== value.trim()) {
+    throw new Error(`${envVar} must be a positive integer. Current value: "${value}".`);
+  }
+}
+
+// ==========================================
+// Main validation
+// ==========================================
+
+/**
+ * Validates speech configuration at startup.
+ * Call this during module initialization to fail fast if misconfigured.
+ *
+ * Validates:
+ * - STT_BASE_URL is set when STT_ENABLED=true
+ * - TTS_DEFAULT_URL is set when TTS_ENABLED=true
+ * - TTS_PREMIUM_URL is set when TTS_PREMIUM_ENABLED=true
+ * - TTS_FALLBACK_URL is set when TTS_FALLBACK_ENABLED=true
+ * - Numeric limits are positive integers (when set)
+ *
+ * @throws Error if any required configuration is missing or invalid
+ */
+export function validateSpeechConfig(): void {
+  // STT validation
+  if (isSttEnabled()) {
+    validateRequiredVars("STT", "STT_ENABLED", ["STT_BASE_URL"]);
+  }
+
+  // TTS default validation
+  if (isTtsEnabled()) {
+    validateRequiredVars("TTS", "TTS_ENABLED", ["TTS_DEFAULT_URL"]);
+  }
+
+  // TTS premium validation
+  if (isTtsPremiumEnabled()) {
+    validateRequiredVars("TTS premium", "TTS_PREMIUM_ENABLED", ["TTS_PREMIUM_URL"]);
+  }
+
+  // TTS fallback validation
+  if (isTtsFallbackEnabled()) {
+    validateRequiredVars("TTS fallback", "TTS_FALLBACK_ENABLED", ["TTS_FALLBACK_URL"]);
+  }
+
+  // Limits validation (only if set, otherwise defaults are used)
+  validatePositiveInteger("SPEECH_MAX_UPLOAD_SIZE");
+  validatePositiveInteger("SPEECH_MAX_DURATION_SECONDS");
+  validatePositiveInteger("SPEECH_MAX_TEXT_LENGTH");
+}
+
+// ==========================================
+// Config getter
+// ==========================================
+
+/**
+ * Get the full speech configuration object with typed values and defaults.
+ *
+ * @returns SpeechConfig with all STT, TTS, and limits configuration
+ */
+export function getSpeechConfig(): SpeechConfig {
+  return {
+    stt: {
+      enabled: isSttEnabled(),
+      baseUrl: process.env.STT_BASE_URL ?? STT_DEFAULTS.baseUrl,
+      model: process.env.STT_MODEL ?? STT_DEFAULTS.model,
+      language: process.env.STT_LANGUAGE ?? STT_DEFAULTS.language,
+    },
+    tts: {
+      default: {
+        enabled: isTtsEnabled(),
+        url: process.env.TTS_DEFAULT_URL ?? TTS_DEFAULT_DEFAULTS.url,
+        voice: process.env.TTS_DEFAULT_VOICE ?? TTS_DEFAULT_DEFAULTS.voice,
+        format: (process.env.TTS_DEFAULT_FORMAT ?? TTS_DEFAULT_DEFAULTS.format) as AudioFormat,
+      },
+      premium: {
+        enabled: isTtsPremiumEnabled(),
+        url: process.env.TTS_PREMIUM_URL ?? TTS_PREMIUM_DEFAULTS.url,
+      },
+      fallback: {
+        enabled: isTtsFallbackEnabled(),
+        url: process.env.TTS_FALLBACK_URL ?? TTS_FALLBACK_DEFAULTS.url,
+      },
+    },
+    limits: {
+      maxUploadSize: parseInt(
+        process.env.SPEECH_MAX_UPLOAD_SIZE ?? String(LIMITS_DEFAULTS.maxUploadSize),
+        10
+      ),
+      maxDurationSeconds: parseInt(
+        process.env.SPEECH_MAX_DURATION_SECONDS ?? String(LIMITS_DEFAULTS.maxDurationSeconds),
+        10
+      ),
+      maxTextLength: parseInt(
+        process.env.SPEECH_MAX_TEXT_LENGTH ?? String(LIMITS_DEFAULTS.maxTextLength),
+        10
+      ),
+    },
+  };
+}
+
+// ==========================================
+// NestJS ConfigModule registerAs factory
+// ==========================================
+
+/**
+ * NestJS ConfigModule namespace factory for speech configuration.
+ *
+ * Usage in a module:
+ * ```typescript
+ * import { speechConfig } from './speech.config';
+ *
+ * @Module({
+ *   imports: [ConfigModule.forFeature(speechConfig)],
+ * })
+ * export class SpeechModule {}
+ * ```
+ *
+ * Then inject via ConfigService:
+ * ```typescript
+ * constructor(private config: ConfigService) {
+ *   const sttUrl = this.config.get<string>('speech.stt.baseUrl');
+ * }
+ * ```
+ */
+export const speechConfig = registerAs("speech", (): SpeechConfig => {
+  return getSpeechConfig();
+});
--- a/apps/api/src/speech/speech.constants.ts
+++ b/apps/api/src/speech/speech.constants.ts
@@ -0,0 +1,19 @@
+/**
+ * Speech Module Constants
+ *
+ * NestJS injection tokens for speech providers.
+ *
+ * Issue #389
+ */
+
+/**
+ * Injection token for the STT (speech-to-text) provider.
+ * Providers implementing ISTTProvider register under this token.
+ */
+export const STT_PROVIDER = Symbol("STT_PROVIDER");
+
+/**
+ * Injection token for TTS (text-to-speech) providers map.
+ * Registered as Map<SpeechTier, ITTSProvider>.
+ */
+export const TTS_PROVIDERS = Symbol("TTS_PROVIDERS");
--- a/apps/api/src/speech/speech.controller.spec.ts
+++ b/apps/api/src/speech/speech.controller.spec.ts
@@ -0,0 +1,437 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { StreamableFile, ServiceUnavailableException } from "@nestjs/common";
+import { SpeechController } from "./speech.controller";
+import { SpeechService } from "./speech.service";
+import type { TranscribeDto } from "./dto/transcribe.dto";
+import type { SynthesizeDto } from "./dto/synthesize.dto";
+import type { TranscriptionResult, SynthesisResult, VoiceInfo } from "./interfaces/speech-types";
+
+describe("SpeechController", () => {
+  let controller: SpeechController;
+  let service: SpeechService;
+
+  const mockSpeechService = {
+    transcribe: vi.fn(),
+    synthesize: vi.fn(),
+    listVoices: vi.fn(),
+    isSTTAvailable: vi.fn(),
+    isTTSAvailable: vi.fn(),
+  };
+
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
+  const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
+
+  const mockUser = {
+    id: mockUserId,
+    email: "test@example.com",
+    name: "Test User",
+    workspaceId: mockWorkspaceId,
+  };
+
+  const mockFile: Express.Multer.File = {
+    buffer: Buffer.from("fake-audio-data"),
+    mimetype: "audio/wav",
+    size: 1024,
+    originalname: "test.wav",
+    fieldname: "file",
+    encoding: "7bit",
+    stream: null as never,
+    destination: "",
+    filename: "",
+    path: "",
+  };
+
+  const mockTranscriptionResult: TranscriptionResult = {
+    text: "Hello, world!",
+    language: "en",
+    durationSeconds: 2.5,
+    confidence: 0.95,
+  };
+
+  beforeEach(() => {
+    service = mockSpeechService as unknown as SpeechService;
+    controller = new SpeechController(service);
+
+    vi.clearAllMocks();
+  });
+
+  it("should be defined", () => {
+    expect(controller).toBeDefined();
+  });
+
+  describe("transcribe", () => {
+    it("should transcribe audio file and return data wrapper", async () => {
+      mockSpeechService.transcribe.mockResolvedValue(mockTranscriptionResult);
+
+      const dto: TranscribeDto = {};
+      const result = await controller.transcribe(mockFile, dto, mockWorkspaceId, mockUser);
+
+      expect(result).toEqual({ data: mockTranscriptionResult });
+      expect(mockSpeechService.transcribe).toHaveBeenCalledWith(mockFile.buffer, {
+        mimeType: "audio/wav",
+      });
+    });
+
+    it("should pass language override from DTO to service", async () => {
+      mockSpeechService.transcribe.mockResolvedValue(mockTranscriptionResult);
+
+      const dto: TranscribeDto = { language: "fr" };
+      await controller.transcribe(mockFile, dto, mockWorkspaceId, mockUser);
+
+      expect(mockSpeechService.transcribe).toHaveBeenCalledWith(mockFile.buffer, {
+        language: "fr",
+        mimeType: "audio/wav",
+      });
+    });
+
+    it("should pass model override from DTO to service", async () => {
+      mockSpeechService.transcribe.mockResolvedValue(mockTranscriptionResult);
+
+      const dto: TranscribeDto = { model: "whisper-large-v3" };
+      await controller.transcribe(mockFile, dto, mockWorkspaceId, mockUser);
+
+      expect(mockSpeechService.transcribe).toHaveBeenCalledWith(mockFile.buffer, {
+        model: "whisper-large-v3",
+        mimeType: "audio/wav",
+      });
+    });
+
+    it("should pass all DTO options to service", async () => {
+      mockSpeechService.transcribe.mockResolvedValue(mockTranscriptionResult);
+
+      const dto: TranscribeDto = {
+        language: "de",
+        model: "whisper-large-v3",
+        prompt: "Meeting notes",
+        temperature: 0.5,
+      };
+      await controller.transcribe(mockFile, dto, mockWorkspaceId, mockUser);
+
+      expect(mockSpeechService.transcribe).toHaveBeenCalledWith(mockFile.buffer, {
+        language: "de",
+        model: "whisper-large-v3",
+        prompt: "Meeting notes",
+        temperature: 0.5,
+        mimeType: "audio/wav",
+      });
+    });
+
+    it("should propagate service errors", async () => {
+      mockSpeechService.transcribe.mockRejectedValue(new Error("STT unavailable"));
+
+      const dto: TranscribeDto = {};
+      await expect(controller.transcribe(mockFile, dto, mockWorkspaceId, mockUser)).rejects.toThrow(
+        "STT unavailable"
+      );
+    });
+  });
+
+  describe("health", () => {
+    it("should return health status with both providers available", async () => {
+      mockSpeechService.isSTTAvailable.mockReturnValue(true);
+      mockSpeechService.isTTSAvailable.mockReturnValue(true);
+
+      const result = await controller.health(mockWorkspaceId);
+
+      expect(result).toEqual({
+        data: {
+          stt: { available: true },
+          tts: { available: true },
+        },
+      });
+    });
+
+    it("should return health status with STT unavailable", async () => {
+      mockSpeechService.isSTTAvailable.mockReturnValue(false);
+      mockSpeechService.isTTSAvailable.mockReturnValue(true);
+
+      const result = await controller.health(mockWorkspaceId);
+
+      expect(result).toEqual({
+        data: {
+          stt: { available: false },
+          tts: { available: true },
+        },
+      });
+    });
+
+    it("should return health status with TTS unavailable", async () => {
+      mockSpeechService.isSTTAvailable.mockReturnValue(true);
+      mockSpeechService.isTTSAvailable.mockReturnValue(false);
+
+      const result = await controller.health(mockWorkspaceId);
+
+      expect(result).toEqual({
+        data: {
+          stt: { available: true },
+          tts: { available: false },
+        },
+      });
+    });
+
+    it("should return health status with both providers unavailable", async () => {
+      mockSpeechService.isSTTAvailable.mockReturnValue(false);
+      mockSpeechService.isTTSAvailable.mockReturnValue(false);
+
+      const result = await controller.health(mockWorkspaceId);
+
+      expect(result).toEqual({
+        data: {
+          stt: { available: false },
+          tts: { available: false },
+        },
+      });
+    });
+  });
+
+  // ==============================================
+  // POST /api/speech/synthesize (Issue #396)
+  // ==============================================
+
+  describe("synthesize", () => {
+    const mockAudioBuffer = Buffer.from("fake-audio-data");
+
+    const mockSynthesisResult: SynthesisResult = {
+      audio: mockAudioBuffer,
+      format: "mp3",
+      voice: "af_heart",
+      tier: "default",
+      durationSeconds: 2.5,
+    };
+
+    it("should synthesize text and return a StreamableFile", async () => {
+      const dto: SynthesizeDto = { text: "Hello world" };
+
+      mockSpeechService.synthesize.mockResolvedValue(mockSynthesisResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      expect(mockSpeechService.synthesize).toHaveBeenCalledWith("Hello world", {});
+      expect(result).toBeInstanceOf(StreamableFile);
+    });
+
+    it("should pass voice, speed, format, and tier options to the service", async () => {
+      const dto: SynthesizeDto = {
+        text: "Test with options",
+        voice: "af_heart",
+        speed: 1.5,
+        format: "wav",
+        tier: "premium",
+      };
+
+      const wavResult: SynthesisResult = {
+        audio: mockAudioBuffer,
+        format: "wav",
+        voice: "af_heart",
+        tier: "premium",
+      };
+
+      mockSpeechService.synthesize.mockResolvedValue(wavResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      expect(mockSpeechService.synthesize).toHaveBeenCalledWith("Test with options", {
+        voice: "af_heart",
+        speed: 1.5,
+        format: "wav",
+        tier: "premium",
+      });
+      expect(result).toBeInstanceOf(StreamableFile);
+    });
+
+    it("should set correct Content-Type for mp3 format", async () => {
+      const dto: SynthesizeDto = { text: "Hello", format: "mp3" };
+
+      mockSpeechService.synthesize.mockResolvedValue(mockSynthesisResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      expect(result).toBeInstanceOf(StreamableFile);
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/mpeg");
+    });
+
+    it("should set correct Content-Type for wav format", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const wavResult: SynthesisResult = { ...mockSynthesisResult, format: "wav" };
+
+      mockSpeechService.synthesize.mockResolvedValue(wavResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/wav");
+    });
+
+    it("should set correct Content-Type for opus format", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const opusResult: SynthesisResult = { ...mockSynthesisResult, format: "opus" };
+
+      mockSpeechService.synthesize.mockResolvedValue(opusResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/opus");
+    });
+
+    it("should set correct Content-Type for flac format", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const flacResult: SynthesisResult = { ...mockSynthesisResult, format: "flac" };
+
+      mockSpeechService.synthesize.mockResolvedValue(flacResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/flac");
+    });
+
+    it("should set correct Content-Type for aac format", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const aacResult: SynthesisResult = { ...mockSynthesisResult, format: "aac" };
+
+      mockSpeechService.synthesize.mockResolvedValue(aacResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/aac");
+    });
+
+    it("should set correct Content-Type for pcm format", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const pcmResult: SynthesisResult = { ...mockSynthesisResult, format: "pcm" };
+
+      mockSpeechService.synthesize.mockResolvedValue(pcmResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.type).toBe("audio/pcm");
+    });
+
+    it("should set Content-Disposition header for download with correct extension", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+
+      mockSpeechService.synthesize.mockResolvedValue(mockSynthesisResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.disposition).toContain("attachment");
+      expect(headers.disposition).toContain("speech.mp3");
+    });
+
+    it("should set Content-Disposition with correct file extension for wav", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+      const wavResult: SynthesisResult = { ...mockSynthesisResult, format: "wav" };
+
+      mockSpeechService.synthesize.mockResolvedValue(wavResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.disposition).toContain("speech.wav");
+    });
+
+    it("should set Content-Length header based on audio buffer size", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+
+      mockSpeechService.synthesize.mockResolvedValue(mockSynthesisResult);
+
+      const result = await controller.synthesize(dto, mockWorkspaceId, mockUser);
+
+      const headers = result.getHeaders();
+      expect(headers.length).toBe(mockAudioBuffer.length);
+    });
+
+    it("should propagate ServiceUnavailableException from service", async () => {
+      const dto: SynthesizeDto = { text: "Hello" };
+
+      mockSpeechService.synthesize.mockRejectedValue(
+        new ServiceUnavailableException("No TTS providers are available")
+      );
+
+      await expect(controller.synthesize(dto, mockWorkspaceId, mockUser)).rejects.toThrow(
+        ServiceUnavailableException
+      );
+    });
+  });
+
+  // ==============================================
+  // GET /api/speech/voices (Issue #396)
+  // ==============================================
+
+  describe("getVoices", () => {
+    const mockVoices: VoiceInfo[] = [
+      {
+        id: "af_heart",
+        name: "Heart",
+        language: "en",
+        tier: "default",
+        isDefault: true,
+      },
+      {
+        id: "af_sky",
+        name: "Sky",
+        language: "en",
+        tier: "default",
+        isDefault: false,
+      },
+      {
+        id: "chatterbox-voice",
+        name: "Chatterbox Default",
+        language: "en",
+        tier: "premium",
+        isDefault: true,
+      },
+    ];
+
+    it("should return all voices when no tier filter is provided", async () => {
+      mockSpeechService.listVoices.mockResolvedValue(mockVoices);
+
+      const result = await controller.getVoices(mockWorkspaceId);
+
+      expect(mockSpeechService.listVoices).toHaveBeenCalledWith(undefined);
+      expect(result).toEqual({ data: mockVoices });
+    });
+
+    it("should filter voices by default tier", async () => {
+      const defaultVoices = mockVoices.filter((v) => v.tier === "default");
+      mockSpeechService.listVoices.mockResolvedValue(defaultVoices);
+
+      const result = await controller.getVoices(mockWorkspaceId, "default");
+
+      expect(mockSpeechService.listVoices).toHaveBeenCalledWith("default");
+      expect(result).toEqual({ data: defaultVoices });
+    });
+
+    it("should filter voices by premium tier", async () => {
+      const premiumVoices = mockVoices.filter((v) => v.tier === "premium");
+      mockSpeechService.listVoices.mockResolvedValue(premiumVoices);
+
+      const result = await controller.getVoices(mockWorkspaceId, "premium");
+
+      expect(mockSpeechService.listVoices).toHaveBeenCalledWith("premium");
+      expect(result).toEqual({ data: premiumVoices });
+    });
+
+    it("should return empty array when no voices are available", async () => {
+      mockSpeechService.listVoices.mockResolvedValue([]);
+
+      const result = await controller.getVoices(mockWorkspaceId);
+
+      expect(result).toEqual({ data: [] });
+    });
+
+    it("should return empty array when filtering by tier with no matching voices", async () => {
+      mockSpeechService.listVoices.mockResolvedValue([]);
+
+      const result = await controller.getVoices(mockWorkspaceId, "fallback");
+
+      expect(mockSpeechService.listVoices).toHaveBeenCalledWith("fallback");
+      expect(result).toEqual({ data: [] });
+    });
+  });
+});
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/`