feat(api): add terminal session persistence with Prisma model and CRUD service

Adds database-backed TerminalSession model with ACTIVE/CLOSED status enum, migration SQL, TerminalSessionService (create/findByWorkspace/close/findById), DTO file with class-validator decorators, unit tests (12 tests), and module registration. Workspace relation and indexed columns enable efficient session listing and recovery. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix(web): add random suffix to fallback assistant message IDs to prevent collisions
2026-02-25 20:46:58 -06:00 · 2026-02-25 20:41:43 -06:00 · 2026-02-26 02:39:43 +00:00 · 2026-02-26 02:27:29 +00:00 · 2026-02-26 02:26:02 +00:00 · 2026-02-26 01:49:40 +00:00
236 changed files with 24397 additions and 2809 deletions
--- a/.env.example
+++ b/.env.example
@@ -15,6 +15,14 @@ WEB_PORT=3000
 # ======================
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 NEXT_PUBLIC_API_URL=http://localhost:3001
+# Frontend auth mode:
+# - real: Normal auth/session flow
+# - mock: Local-only seeded user for FE development (blocked outside NODE_ENV=development)
+#   Use `mock` locally to continue FE work when auth flow is unstable.
+# If omitted, web runtime defaults:
+# - development -> mock
+# - production -> real
+NEXT_PUBLIC_AUTH_MODE=real

 # ======================
 # PostgreSQL Database
@@ -70,9 +78,9 @@ OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
 # Redirect URI must match what's configured in Authentik
-# Development: http://localhost:3001/auth/callback/authentik
-# Production: https://api.mosaicstack.dev/auth/callback/authentik
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback/authentik
+# Development: http://localhost:3001/auth/oauth2/callback/authentik
+# Production: https://api.mosaicstack.dev/auth/oauth2/callback/authentik
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik

 # Authentik PostgreSQL Database
 AUTHENTIK_POSTGRES_USER=authentik
@@ -116,6 +124,9 @@ JWT_EXPIRATION=24h
 # This is used by BetterAuth for session management and CSRF protection
 # Example: openssl rand -base64 32
 BETTER_AUTH_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
+# Optional explicit BetterAuth origin for callback/error URL generation.
+# When empty, backend falls back to NEXT_PUBLIC_API_URL.
+BETTER_AUTH_URL=

 # Trusted Origins (comma-separated list of additional trusted origins for CORS and auth)
 # These are added to NEXT_PUBLIC_APP_URL and NEXT_PUBLIC_API_URL automatically
@@ -204,11 +215,9 @@ NODE_ENV=development
 # Used by docker-compose.yml (pulls images) and docker-swarm.yml
 # For local builds, use docker-compose.build.yml instead
 # Options:
-#   - dev: Pull development images from registry (default, built from develop branch)
-#   - latest: Pull latest stable images from registry (built from main branch)
-#   - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
+#   - latest: Pull latest images from registry (default, built from main branch)
 #   - <version>: Use specific version tag (e.g., v1.0.0)
-IMAGE_TAG=dev
+IMAGE_TAG=latest

 # ======================
 # Docker Compose Profiles
@@ -406,8 +415,7 @@ AI_PROVIDER=ollama
 OLLAMA_MODEL=llama3.1:latest

 # Claude API Key
-# Required by the orchestrator service in swarm deployment.
-# Also used when AI_PROVIDER=claude for other services.
+# Required only when AI_PROVIDER=claude.
 # Get your API key from: https://console.anthropic.com/
 CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY

--- a/.mosaic/orchestrator/mission.json
+++ b/.mosaic/orchestrator/mission.json
@@ -0,0 +1,14 @@
+{
+  "schema_version": 1,
+  "mission_id": "prd-implementation-20260222",
+  "name": "PRD implementation",
+  "description": "",
+  "project_path": "/home/jwoltje/src/mosaic-stack",
+  "created_at": "2026-02-23T03:20:55Z",
+  "status": "active",
+  "task_prefix": "",
+  "quality_gates": "",
+  "milestone_version": "0.0.1",
+  "milestones": [],
+  "sessions": []
+}
--- a/.trivyignore
+++ b/.trivyignore
@@ -6,7 +6,7 @@
 #   - npm bundled CVEs (5): npm removed from production Node.js images
 #   - Node.js 20 → 24 LTS migration (#367): base images updated
 #
-# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar (3 CVEs)
+# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar/minimatch (5 CVEs)
 # Re-evaluate when upgrading openbao image beyond 2.5.0 or Next.js beyond 16.1.6.

 # === OpenBao false positives ===
@@ -17,15 +17,18 @@ CVE-2024-9180   # HIGH: privilege escalation (fixed in 2.0.3)
 CVE-2025-59043  # HIGH: DoS via malicious JSON (fixed in 2.4.1)
 CVE-2025-64761  # HIGH: identity group root escalation (fixed in 2.4.4)

-# === Next.js bundled tar CVEs (upstream — waiting on Next.js release) ===
-# Next.js 16.1.6 bundles tar@7.5.2 in next/dist/compiled/tar/ (pre-compiled).
-# This is NOT a pnpm dependency — it's embedded in the Next.js package itself.
+# === Next.js bundled tar/minimatch CVEs (upstream — waiting on Next.js release) ===
+# Next.js 16.1.6 bundles tar@7.5.2 and minimatch@9.0.5 in next/dist/compiled/ (pre-compiled).
+# These are NOT pnpm dependencies — they're embedded in the Next.js package itself.
+# pnpm overrides cannot reach these; only a Next.js upgrade can fix them.
 # Affects web image only (orchestrator and API are clean).
 # npm was also removed from all production images, eliminating the npm-bundled copy.
-# To resolve: upgrade Next.js when a release bundles tar >= 7.5.7.
+# To resolve: upgrade Next.js when a release bundles tar >= 7.5.8 and minimatch >= 10.2.1.
 CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths (fixed in 7.5.3)
 CVE-2026-23950  # HIGH: tar arbitrary file overwrite via Unicode path collision (fixed in 7.5.4)
 CVE-2026-24842  # HIGH: tar arbitrary file creation via hardlink path traversal (needs tar >= 7.5.7)
+CVE-2026-26960  # HIGH: tar arbitrary file read/write via malicious archive hardlink (needs tar >= 7.5.8)
+CVE-2026-26996  # HIGH: minimatch DoS via specially crafted glob patterns (needs minimatch >= 10.2.1)

 # === OpenBao Go stdlib (waiting on upstream rebuild) ===
 # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.
--- a/.woodpecker/README.md
+++ b/.woodpecker/README.md
@@ -85,12 +85,11 @@ install -> [ruff-check, mypy, security-bandit, security-pip-audit, test]

 ## Image Tagging

-| Condition        | Tag                        | Purpose                    |
-| ---------------- | -------------------------- | -------------------------- |
-| Always           | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
-| `main` branch    | `latest`                   | Current production release |
-| `develop` branch | `dev`                      | Current development build  |
-| Git tag          | tag value (e.g., `v1.0.0`) | Semantic version release   |
+| Condition     | Tag                        | Purpose                    |
+| ------------- | -------------------------- | -------------------------- |
+| Always        | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
+| `main` branch | `latest`                   | Current latest build       |
+| Git tag       | tag value (e.g., `v1.0.0`) | Semantic version release   |

 ## Required Secrets

@@ -138,5 +137,5 @@ Fails on blockers or critical/high severity security findings.

 ### Pipeline runs Docker builds on pull requests

- Docker build steps have `when: branch: [main, develop]` guards
+- Docker build steps have `when: branch: [main]` guards
 - PRs only run quality gates, not Docker builds
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/api.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -151,12 +152,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
        fi
        /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -179,7 +178,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -187,7 +186,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-api
@@ -229,7 +228,7 @@ steps:
        }
        link_package "stack-api"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-api
--- a/.woodpecker/coordinator.yml
+++ b/.woodpecker/coordinator.yml
@@ -92,12 +92,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
        fi
        /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - ruff-check
@@ -124,7 +122,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -132,7 +130,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-coordinator
@@ -174,7 +172,7 @@ steps:
        }
        link_package "stack-coordinator"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-coordinator
--- a/.woodpecker/infra.yml
+++ b/.woodpecker/infra.yml
@@ -36,12 +36,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
        fi
        /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]

  docker-build-openbao:
@@ -61,12 +59,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
        fi
        /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]

  # === Container Security Scans ===
@@ -87,7 +83,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -95,7 +91,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-postgres
@@ -116,7 +112,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -124,7 +120,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-openbao
@@ -167,7 +163,7 @@ steps:
        link_package "stack-postgres"
        link_package "stack-openbao"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-postgres
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/orchestrator.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -108,12 +109,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
        fi
        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -136,7 +135,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -144,7 +143,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-orchestrator
@@ -186,7 +185,7 @@ steps:
        }
        link_package "stack-orchestrator"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-orchestrator
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/web.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
@@ -119,12 +120,10 @@ steps:
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG"
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
        fi
        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - build
@@ -147,7 +146,7 @@ steps:
        elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
          SCAN_TAG="latest"
        else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
        fi
        mkdir -p ~/.docker
        echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -155,7 +154,7 @@ steps:
          --ignorefile .trivyignore \
          git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - docker-build-web
@@ -197,7 +196,7 @@ steps:
        }
        link_package "stack-web"
    when:
-      - branch: [main, develop]
+      - branch: [main]
        event: [push, manual, tag]
    depends_on:
      - security-trivy-web
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,14 +1,10 @@
-# Compatibility Pointer
+# CLAUDE Compatibility Pointer

-This repository uses an agent-neutral Mosaic standards model.
+This file exists so Claude Code sessions load Mosaic standards.

-Authoritative repo guidance is in `AGENTS.md`.
+## MANDATORY — Read Before Any Response

-Load order for Claude sessions:
+BEFORE responding to any user message, READ `~/.config/mosaic/AGENTS.md`.

-1. `SOUL.md`
-2. `~/.config/mosaic/STANDARDS.md`
-3. `AGENTS.md`
-4. `.mosaic/repo-hooks.sh`
-
-If you were started from `CLAUDE.md`, continue by reading `AGENTS.md` now.
+That file is the universal agent configuration. Do NOT respond until you have loaded it.
+Then read the project-local `AGENTS.md` in this repository for project-specific guidance.
--- a/README.md
+++ b/README.md
@@ -232,7 +232,7 @@ docker compose -f docker-compose.openbao.yml up -d
 sleep 30  # Wait for auto-initialization

 # 5. Deploy swarm stack
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic

 # 6. Check deployment status
 docker stack services mosaic
@@ -526,10 +526,9 @@ KNOWLEDGE_CACHE_TTL=300  # 5 minutes

 ### Branch Strategy

- `main` — Stable releases only
- `develop` — Active development (default working branch)
- `feature/*` — Feature branches from develop
- `fix/*` — Bug fix branches
+- `main` — Trunk branch (all development merges here)
+- `feature/*` — Feature branches from main
+- `fix/*` — Bug fix branches from main

 ### Running Locally

@@ -739,7 +738,7 @@ See [Type Sharing Strategy](docs/2-development/3-type-sharing/1-strategy.md) for
 4. Run tests: `pnpm test`
 5. Build: `pnpm build`
 6. Commit with conventional format: `feat(#issue): Description`
-7. Push and create a pull request to `develop`
+7. Push and create a pull request to `main`

 ### Commit Format

--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -66,6 +66,7 @@
    "marked-gfm-heading-id": "^4.1.3",
    "marked-highlight": "^2.2.3",
    "matrix-bot-sdk": "^0.8.0",
+    "node-pty": "^1.0.0",
    "ollama": "^0.6.3",
    "openai": "^6.17.0",
    "reflect-metadata": "^0.2.2",
--- a/apps/api/prisma/migrations/20260225000000_add_terminal_sessions/migration.sql
+++ b/apps/api/prisma/migrations/20260225000000_add_terminal_sessions/migration.sql
@@ -0,0 +1,23 @@
+-- CreateEnum
+CREATE TYPE "TerminalSessionStatus" AS ENUM ('ACTIVE', 'CLOSED');
+
+-- CreateTable
+CREATE TABLE "terminal_sessions" (
+    "id" UUID NOT NULL,
+    "workspace_id" UUID NOT NULL,
+    "name" TEXT NOT NULL DEFAULT 'Terminal',
+    "status" "TerminalSessionStatus" NOT NULL DEFAULT 'ACTIVE',
+    "created_at" TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "closed_at" TIMESTAMPTZ,
+
+    CONSTRAINT "terminal_sessions_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "terminal_sessions_workspace_id_idx" ON "terminal_sessions"("workspace_id");
+
+-- CreateIndex
+CREATE INDEX "terminal_sessions_workspace_id_status_idx" ON "terminal_sessions"("workspace_id", "status");
+
+-- AddForeignKey
+ALTER TABLE "terminal_sessions" ADD CONSTRAINT "terminal_sessions_workspace_id_fkey" FOREIGN KEY ("workspace_id") REFERENCES "workspaces"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/apps/api/prisma/schema.prisma
+++ b/apps/api/prisma/schema.prisma
@@ -206,6 +206,11 @@ enum CredentialScope {
  SYSTEM
 }

+enum TerminalSessionStatus {
+  ACTIVE
+  CLOSED
+}
+
 // ============================================
 // MODELS
 // ============================================
@@ -297,6 +302,7 @@ model Workspace {
  federationEventSubscriptions FederationEventSubscription[]
  llmUsageLogs                 LlmUsageLog[]
  userCredentials              UserCredential[]
+  terminalSessions             TerminalSession[]

  @@index([ownerId])
  @@map("workspaces")
@@ -1507,3 +1513,23 @@ model LlmUsageLog {
  @@index([conversationId])
  @@map("llm_usage_logs")
 }
+
+// ============================================
+// TERMINAL MODULE
+// ============================================
+
+model TerminalSession {
+  id          String                @id @default(uuid()) @db.Uuid
+  workspaceId String                @map("workspace_id") @db.Uuid
+  name        String                @default("Terminal")
+  status      TerminalSessionStatus @default(ACTIVE)
+  createdAt   DateTime              @default(now()) @map("created_at") @db.Timestamptz
+  closedAt    DateTime?             @map("closed_at") @db.Timestamptz
+
+  // Relations
+  workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
+
+  @@index([workspaceId])
+  @@index([workspaceId, status])
+  @@map("terminal_sessions")
+}
--- a/apps/api/prisma/seed.ts
+++ b/apps/api/prisma/seed.ts
@@ -65,6 +65,136 @@ async function main() {
    },
  });

+  // ============================================
+  // WIDGET DEFINITIONS (global, not workspace-scoped)
+  // ============================================
+  const widgetDefs = [
+    {
+      name: "TasksWidget",
+      displayName: "Tasks",
+      description: "View and manage your tasks",
+      component: "TasksWidget",
+      defaultWidth: 2,
+      defaultHeight: 2,
+      minWidth: 1,
+      minHeight: 2,
+      maxWidth: 4,
+      maxHeight: null,
+      configSchema: {},
+    },
+    {
+      name: "CalendarWidget",
+      displayName: "Calendar",
+      description: "View upcoming events and schedule",
+      component: "CalendarWidget",
+      defaultWidth: 2,
+      defaultHeight: 2,
+      minWidth: 2,
+      minHeight: 2,
+      maxWidth: 4,
+      maxHeight: null,
+      configSchema: {},
+    },
+    {
+      name: "QuickCaptureWidget",
+      displayName: "Quick Capture",
+      description: "Quickly capture notes and tasks",
+      component: "QuickCaptureWidget",
+      defaultWidth: 2,
+      defaultHeight: 1,
+      minWidth: 2,
+      minHeight: 1,
+      maxWidth: 4,
+      maxHeight: 2,
+      configSchema: {},
+    },
+    {
+      name: "AgentStatusWidget",
+      displayName: "Agent Status",
+      description: "Monitor agent activity and status",
+      component: "AgentStatusWidget",
+      defaultWidth: 2,
+      defaultHeight: 2,
+      minWidth: 1,
+      minHeight: 2,
+      maxWidth: 3,
+      maxHeight: null,
+      configSchema: {},
+    },
+    {
+      name: "ActiveProjectsWidget",
+      displayName: "Active Projects & Agent Chains",
+      description: "View active projects and running agent sessions",
+      component: "ActiveProjectsWidget",
+      defaultWidth: 2,
+      defaultHeight: 3,
+      minWidth: 2,
+      minHeight: 2,
+      maxWidth: 4,
+      maxHeight: null,
+      configSchema: {},
+    },
+    {
+      name: "TaskProgressWidget",
+      displayName: "Task Progress",
+      description: "Live progress of orchestrator agent tasks",
+      component: "TaskProgressWidget",
+      defaultWidth: 2,
+      defaultHeight: 2,
+      minWidth: 1,
+      minHeight: 2,
+      maxWidth: 3,
+      maxHeight: null,
+      configSchema: {},
+    },
+    {
+      name: "OrchestratorEventsWidget",
+      displayName: "Orchestrator Events",
+      description: "Recent orchestration events with stream/Matrix visibility",
+      component: "OrchestratorEventsWidget",
+      defaultWidth: 2,
+      defaultHeight: 2,
+      minWidth: 1,
+      minHeight: 2,
+      maxWidth: 4,
+      maxHeight: null,
+      configSchema: {},
+    },
+  ];
+
+  for (const wd of widgetDefs) {
+    await prisma.widgetDefinition.upsert({
+      where: { name: wd.name },
+      update: {
+        displayName: wd.displayName,
+        description: wd.description,
+        component: wd.component,
+        defaultWidth: wd.defaultWidth,
+        defaultHeight: wd.defaultHeight,
+        minWidth: wd.minWidth,
+        minHeight: wd.minHeight,
+        maxWidth: wd.maxWidth,
+        maxHeight: wd.maxHeight,
+        configSchema: wd.configSchema,
+      },
+      create: {
+        name: wd.name,
+        displayName: wd.displayName,
+        description: wd.description,
+        component: wd.component,
+        defaultWidth: wd.defaultWidth,
+        defaultHeight: wd.defaultHeight,
+        minWidth: wd.minWidth,
+        minHeight: wd.minHeight,
+        maxWidth: wd.maxWidth,
+        maxHeight: wd.maxHeight,
+        configSchema: wd.configSchema,
+      },
+    });
+  }
+
+  console.log(`Seeded ${widgetDefs.length} widget definitions`);
+
  // Use transaction for atomic seed data reset and creation
  await prisma.$transaction(async (tx) => {
    // Delete existing seed data for idempotency (avoids duplicates on re-run)
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -39,6 +39,8 @@ import { FederationModule } from "./federation/federation.module";
 import { CredentialsModule } from "./credentials/credentials.module";
 import { MosaicTelemetryModule } from "./mosaic-telemetry";
 import { SpeechModule } from "./speech/speech.module";
+import { DashboardModule } from "./dashboard/dashboard.module";
+import { TerminalModule } from "./terminal/terminal.module";
 import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor";

@Module({
@@ -101,6 +103,8 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
    CredentialsModule,
    MosaicTelemetryModule,
    SpeechModule,
+    DashboardModule,
+    TerminalModule,
  ],
  controllers: [AppController, CsrfController],
  providers: [
--- a/apps/api/src/auth/auth.config.spec.ts
+++ b/apps/api/src/auth/auth.config.spec.ts
@@ -18,7 +18,13 @@ vi.mock("better-auth/adapters/prisma", () => ({
  prismaAdapter: (...args: unknown[]) => mockPrismaAdapter(...args),
 }));

-import { isOidcEnabled, validateOidcConfig, createAuth, getTrustedOrigins } from "./auth.config";
+import {
+  isOidcEnabled,
+  validateOidcConfig,
+  createAuth,
+  getTrustedOrigins,
+  getBetterAuthBaseUrl,
+} from "./auth.config";

 describe("auth.config", () => {
  // Store original env vars to restore after each test
@@ -32,6 +38,7 @@ describe("auth.config", () => {
    delete process.env.OIDC_CLIENT_SECRET;
    delete process.env.OIDC_REDIRECT_URI;
    delete process.env.NODE_ENV;
+    delete process.env.BETTER_AUTH_URL;
    delete process.env.NEXT_PUBLIC_APP_URL;
    delete process.env.NEXT_PUBLIC_API_URL;
    delete process.env.TRUSTED_ORIGINS;
@@ -95,7 +102,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_ISSUER is missing", () => {
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
        expect(() => validateOidcConfig()).toThrow("OIDC authentication is enabled");
@@ -104,7 +111,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_ID is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_ID");
      });
@@ -112,7 +119,7 @@ describe("auth.config", () => {
      it("should throw when OIDC_CLIENT_SECRET is missing", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_SECRET");
      });
@@ -146,7 +153,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "   ";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
      });
@@ -155,7 +162,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER must end with a trailing slash");
        expect(() => validateOidcConfig()).toThrow("https://auth.example.com/application/o/mosaic");
@@ -165,7 +172,7 @@ describe("auth.config", () => {
        process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
        process.env.OIDC_CLIENT_ID = "test-client-id";
        process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

        expect(() => validateOidcConfig()).not.toThrow();
      });
@@ -189,30 +196,30 @@ describe("auth.config", () => {
          expect(() => validateOidcConfig()).toThrow("Parse error:");
        });

-        it("should throw when OIDC_REDIRECT_URI path does not start with /auth/callback", () => {
+        it("should throw when OIDC_REDIRECT_URI path does not start with /auth/oauth2/callback", () => {
          process.env.OIDC_REDIRECT_URI = "https://app.example.com/oauth/callback";

          expect(() => validateOidcConfig()).toThrow(
-            'OIDC_REDIRECT_URI path must start with "/auth/callback"'
+            'OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback"'
          );
          expect(() => validateOidcConfig()).toThrow("/oauth/callback");
        });

-        it("should accept a valid OIDC_REDIRECT_URI with /auth/callback path", () => {
-          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+        it("should accept a valid OIDC_REDIRECT_URI with /auth/oauth2/callback path", () => {
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

          expect(() => validateOidcConfig()).not.toThrow();
        });

-        it("should accept OIDC_REDIRECT_URI with exactly /auth/callback path", () => {
-          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback";
+        it("should accept OIDC_REDIRECT_URI with exactly /auth/oauth2/callback path", () => {
+          process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback";

          expect(() => validateOidcConfig()).not.toThrow();
        });

        it("should warn but not throw when using localhost in production", () => {
          process.env.NODE_ENV = "production";
-          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";

          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});

@@ -226,7 +233,7 @@ describe("auth.config", () => {

        it("should warn but not throw when using 127.0.0.1 in production", () => {
          process.env.NODE_ENV = "production";
-          process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/oauth2/callback/authentik";

          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});

@@ -240,7 +247,7 @@ describe("auth.config", () => {

        it("should not warn about localhost when not in production", () => {
          process.env.NODE_ENV = "development";
-          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
+          process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik";

          const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});

@@ -265,16 +272,19 @@ describe("auth.config", () => {
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_ID = "test-client-id";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";

      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);

      expect(mockGenericOAuth).toHaveBeenCalledOnce();
      const callArgs = mockGenericOAuth.mock.calls[0][0] as {
-        config: Array<{ pkce?: boolean }>;
+        config: Array<{ pkce?: boolean; redirectURI?: string }>;
      };
      expect(callArgs.config[0].pkce).toBe(true);
+      expect(callArgs.config[0].redirectURI).toBe(
+        "https://app.example.com/auth/oauth2/callback/authentik"
+      );
    });

    it("should not call genericOAuth when OIDC is disabled", () => {
@@ -290,7 +300,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_CLIENT_ID deliberately not set

      // validateOidcConfig will throw first, so we need to bypass it
@@ -307,7 +317,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
      process.env.OIDC_CLIENT_ID = "test-client-id";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_CLIENT_SECRET deliberately not set

      const mockPrisma = {} as PrismaClient;
@@ -318,7 +328,7 @@ describe("auth.config", () => {
      process.env.OIDC_ENABLED = "true";
      process.env.OIDC_CLIENT_ID = "test-client-id";
      process.env.OIDC_CLIENT_SECRET = "test-client-secret";
-      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
+      process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik";
      // OIDC_ISSUER deliberately not set

      const mockPrisma = {} as PrismaClient;
@@ -354,8 +364,7 @@ describe("auth.config", () => {
    });

    it("should parse TRUSTED_ORIGINS comma-separated values", () => {
-      process.env.TRUSTED_ORIGINS =
-        "https://app.mosaicstack.dev,https://api.mosaicstack.dev";
+      process.env.TRUSTED_ORIGINS = "https://app.mosaicstack.dev,https://api.mosaicstack.dev";

      const origins = getTrustedOrigins();

@@ -364,8 +373,7 @@ describe("auth.config", () => {
    });

    it("should trim whitespace from TRUSTED_ORIGINS entries", () => {
-      process.env.TRUSTED_ORIGINS =
-        " https://app.mosaicstack.dev , https://api.mosaicstack.dev ";
+      process.env.TRUSTED_ORIGINS = " https://app.mosaicstack.dev , https://api.mosaicstack.dev ";

      const origins = getTrustedOrigins();

@@ -516,6 +524,21 @@ describe("auth.config", () => {
      expect(config.session.updateAge).toBe(7200);
    });

+    it("should configure BetterAuth database ID generation as UUID", () => {
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as {
+        advanced: {
+          database: {
+            generateId: string;
+          };
+        };
+      };
+      expect(config.advanced.database.generateId).toBe("uuid");
+    });
+
    it("should set httpOnly cookie attribute to true", () => {
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);
@@ -552,6 +575,7 @@ describe("auth.config", () => {

    it("should set secure cookie attribute to true in production", () => {
      process.env.NODE_ENV = "production";
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
      const mockPrisma = {} as PrismaClient;
      createAuth(mockPrisma);

@@ -624,4 +648,69 @@ describe("auth.config", () => {
      expect(config.advanced.defaultCookieAttributes.domain).toBeUndefined();
    });
  });
+
+  describe("getBetterAuthBaseUrl", () => {
+    it("should prefer BETTER_AUTH_URL when set", () => {
+      process.env.BETTER_AUTH_URL = "https://auth-base.example.com";
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
+
+      expect(getBetterAuthBaseUrl()).toBe("https://auth-base.example.com");
+    });
+
+    it("should fall back to NEXT_PUBLIC_API_URL when BETTER_AUTH_URL is not set", () => {
+      process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
+
+      expect(getBetterAuthBaseUrl()).toBe("https://api.example.com");
+    });
+
+    it("should throw when base URL is invalid", () => {
+      process.env.BETTER_AUTH_URL = "not-a-url";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow("BetterAuth base URL must be a valid URL");
+    });
+
+    it("should throw when base URL is missing in production", () => {
+      process.env.NODE_ENV = "production";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow("Missing BetterAuth base URL in production");
+    });
+
+    it("should throw when base URL is not https in production", () => {
+      process.env.NODE_ENV = "production";
+      process.env.BETTER_AUTH_URL = "http://api.example.com";
+
+      expect(() => getBetterAuthBaseUrl()).toThrow(
+        "BetterAuth base URL must use https in production"
+      );
+    });
+  });
+
+  describe("createAuth - baseURL wiring", () => {
+    beforeEach(() => {
+      mockBetterAuth.mockClear();
+      mockPrismaAdapter.mockClear();
+    });
+
+    it("should pass BETTER_AUTH_URL into BetterAuth config", () => {
+      process.env.BETTER_AUTH_URL = "https://api.mosaicstack.dev";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
+      expect(config.baseURL).toBe("https://api.mosaicstack.dev");
+    });
+
+    it("should pass NEXT_PUBLIC_API_URL into BetterAuth config when BETTER_AUTH_URL is absent", () => {
+      process.env.NEXT_PUBLIC_API_URL = "https://api.fallback.dev";
+
+      const mockPrisma = {} as PrismaClient;
+      createAuth(mockPrisma);
+
+      expect(mockBetterAuth).toHaveBeenCalledOnce();
+      const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
+      expect(config.baseURL).toBe("https://api.fallback.dev");
+    });
+  });
 });
--- a/apps/api/src/auth/auth.config.ts
+++ b/apps/api/src/auth/auth.config.ts
@@ -1,4 +1,3 @@
-import { randomUUID } from "node:crypto";
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 import { genericOAuth } from "better-auth/plugins";
@@ -14,6 +13,41 @@ const REQUIRED_OIDC_ENV_VARS = [
  "OIDC_REDIRECT_URI",
 ] as const;

+/**
+ * Resolve BetterAuth base URL from explicit auth URL or API URL.
+ * BetterAuth uses this to generate absolute callback/error URLs.
+ */
+export function getBetterAuthBaseUrl(): string | undefined {
+  const configured = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_API_URL;
+
+  if (!configured || configured.trim() === "") {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error(
+        "Missing BetterAuth base URL in production. Set BETTER_AUTH_URL (preferred) or NEXT_PUBLIC_API_URL."
+      );
+    }
+    return undefined;
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(configured);
+  } catch (urlError: unknown) {
+    const detail = urlError instanceof Error ? urlError.message : String(urlError);
+    throw new Error(
+      `BetterAuth base URL must be a valid URL. Current value: "${configured}". Parse error: ${detail}.`
+    );
+  }
+
+  if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+    throw new Error(
+      `BetterAuth base URL must use https in production. Current value: "${configured}".`
+    );
+  }
+
+  return parsed.origin;
+}
+
 /**
 * Check if OIDC authentication is enabled via environment variable
 */
@@ -59,17 +93,17 @@ export function validateOidcConfig(): void {
    );
  }

-  // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/callback path
+  // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/oauth2/callback path
  validateRedirectUri();
 }

 /**
 * Validates the OIDC_REDIRECT_URI environment variable.
 * - Must be a parseable URL
- * - Path must start with /auth/callback
+ * - Path must start with /auth/oauth2/callback
 * - Warns (but does not throw) if using localhost in production
 *
- * @throws Error if URL is invalid or path does not start with /auth/callback
+ * @throws Error if URL is invalid or path does not start with /auth/oauth2/callback
 */
 function validateRedirectUri(): void {
  const redirectUri = process.env.OIDC_REDIRECT_URI;
@@ -86,14 +120,14 @@ function validateRedirectUri(): void {
    throw new Error(
      `OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` +
        `Parse error: ${detail}. ` +
-        `Example: "https://app.example.com/auth/callback/authentik".`
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
    );
  }

-  if (!parsed.pathname.startsWith("/auth/callback")) {
+  if (!parsed.pathname.startsWith("/auth/oauth2/callback")) {
    throw new Error(
-      `OIDC_REDIRECT_URI path must start with "/auth/callback". Current path: "${parsed.pathname}". ` +
-        `Example: "https://app.example.com/auth/callback/authentik".`
+      `OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback". Current path: "${parsed.pathname}". ` +
+        `Example: "https://api.example.com/auth/oauth2/callback/authentik".`
    );
  }

@@ -120,6 +154,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
  const clientId = process.env.OIDC_CLIENT_ID;
  const clientSecret = process.env.OIDC_CLIENT_SECRET;
  const issuer = process.env.OIDC_ISSUER;
+  const redirectUri = process.env.OIDC_REDIRECT_URI;

  if (!clientId) {
    throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
@@ -130,6 +165,9 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
  if (!issuer) {
    throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
  }
+  if (!redirectUri) {
+    throw new Error("OIDC_REDIRECT_URI is required when OIDC is enabled but was not set.");
+  }

  return [
    genericOAuth({
@@ -139,6 +177,7 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
          clientId,
          clientSecret,
          discoveryUrl: `${issuer}.well-known/openid-configuration`,
+          redirectURI: redirectUri,
          pkce: true,
          scopes: ["openid", "profile", "email"],
        },
@@ -203,7 +242,10 @@ export function createAuth(prisma: PrismaClient) {
  // Validate OIDC configuration at startup - fail fast if misconfigured
  validateOidcConfig();

+  const baseURL = getBetterAuthBaseUrl();
+
  return betterAuth({
+    baseURL,
    basePath: "/auth",
    database: prismaAdapter(prisma, {
      provider: "postgresql",
@@ -212,12 +254,19 @@ export function createAuth(prisma: PrismaClient) {
      enabled: true,
    },
    plugins: [...getOidcPlugins()],
+    logger: {
+      disabled: false,
+      level: "error",
+    },
    session: {
      expiresIn: 60 * 60 * 24 * 7, // 7 days absolute max
      updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
    },
    advanced: {
-      generateId: () => randomUUID(),
+      database: {
+        // BetterAuth's default ID generator emits opaque strings; our auth tables use UUID PKs.
+        generateId: "uuid",
+      },
      defaultCookieAttributes: {
        httpOnly: true,
        secure: process.env.NODE_ENV === "production",
--- a/apps/api/src/auth/auth.controller.spec.ts
+++ b/apps/api/src/auth/auth.controller.spec.ts
@@ -102,11 +102,46 @@ describe("AuthController", () => {
        expect(err).toBeInstanceOf(HttpException);
        expect((err as HttpException).getStatus()).toBe(HttpStatus.INTERNAL_SERVER_ERROR);
        expect((err as HttpException).getResponse()).toBe(
-          "Unable to complete authentication. Please try again in a moment.",
+          "Unable to complete authentication. Please try again in a moment."
        );
      }
    });

+    it("should preserve better-call status and body for handler APIError", async () => {
+      const apiError = {
+        statusCode: HttpStatus.BAD_REQUEST,
+        message: "Invalid OAuth configuration",
+        body: {
+          message: "Invalid OAuth configuration",
+          code: "INVALID_OAUTH_CONFIGURATION",
+        },
+      };
+      mockNodeHandler.mockRejectedValueOnce(apiError);
+
+      const mockRequest = {
+        method: "POST",
+        url: "/auth/sign-in/oauth2",
+        headers: {},
+        ip: "192.168.1.10",
+        socket: { remoteAddress: "192.168.1.10" },
+      } as unknown as ExpressRequest;
+
+      const mockResponse = {
+        headersSent: false,
+      } as unknown as ExpressResponse;
+
+      try {
+        await controller.handleAuth(mockRequest, mockResponse);
+        expect.unreachable("Expected HttpException to be thrown");
+      } catch (err) {
+        expect(err).toBeInstanceOf(HttpException);
+        expect((err as HttpException).getStatus()).toBe(HttpStatus.BAD_REQUEST);
+        expect((err as HttpException).getResponse()).toMatchObject({
+          message: "Invalid OAuth configuration",
+        });
+      }
+    });
+
    it("should log warning and not throw when handler throws after headers sent", async () => {
      const handlerError = new Error("Stream interrupted");
      mockNodeHandler.mockRejectedValueOnce(handlerError);
@@ -142,9 +177,7 @@ describe("AuthController", () => {
        headersSent: false,
      } as unknown as ExpressResponse;

-      await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(
-        HttpException,
-      );
+      await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(HttpException);
    });
  });

@@ -187,7 +220,7 @@ describe("AuthController", () => {
        OIDC_CLIENT_SECRET: "test-client-secret",
        OIDC_CLIENT_ID: "test-client-id",
        OIDC_ISSUER: "https://auth.test.com/",
-        OIDC_REDIRECT_URI: "https://app.test.com/auth/callback/authentik",
+        OIDC_REDIRECT_URI: "https://app.test.com/auth/oauth2/callback/authentik",
        BETTER_AUTH_SECRET: "test-better-auth-secret",
        JWT_SECRET: "test-jwt-secret",
        CSRF_SECRET: "test-csrf-secret",
@@ -296,11 +329,9 @@ describe("AuthController", () => {
        },
      };

+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
-      );
-      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        "Missing authentication context",
+        "Missing authentication context"
      );
    });

@@ -313,22 +344,18 @@ describe("AuthController", () => {
        },
      };

+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
-      );
-      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        "Missing authentication context",
+        "Missing authentication context"
      );
    });

    it("should throw UnauthorizedException when both req.user and req.session are undefined", () => {
      const mockRequest = {};

+      expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        UnauthorizedException,
-      );
-      expect(() => controller.getSession(mockRequest as never)).toThrow(
-        "Missing authentication context",
+        "Missing authentication context"
      );
    });
  });
@@ -401,9 +428,7 @@ describe("AuthController", () => {

      await controller.handleAuth(mockRequest, mockResponse);

-      expect(debugSpy).toHaveBeenCalledWith(
-        expect.stringContaining("203.0.113.50"),
-      );
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
    });

    it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => {
@@ -423,13 +448,9 @@ describe("AuthController", () => {

      await controller.handleAuth(mockRequest, mockResponse);

-      expect(debugSpy).toHaveBeenCalledWith(
-        expect.stringContaining("203.0.113.50"),
-      );
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
      // Ensure it does NOT contain the second IP in the extracted position
-      expect(debugSpy).toHaveBeenCalledWith(
-        expect.not.stringContaining("70.41.3.18"),
-      );
+      expect(debugSpy).toHaveBeenCalledWith(expect.not.stringContaining("70.41.3.18"));
    });

    it("should extract first IP from X-Forwarded-For as array", async () => {
@@ -449,9 +470,7 @@ describe("AuthController", () => {

      await controller.handleAuth(mockRequest, mockResponse);

-      expect(debugSpy).toHaveBeenCalledWith(
-        expect.stringContaining("203.0.113.50"),
-      );
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50"));
    });

    it("should fallback to req.ip when no X-Forwarded-For header", async () => {
@@ -471,9 +490,7 @@ describe("AuthController", () => {

      await controller.handleAuth(mockRequest, mockResponse);

-      expect(debugSpy).toHaveBeenCalledWith(
-        expect.stringContaining("192.168.1.100"),
-      );
+      expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("192.168.1.100"));
    });
  });
 });
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -123,6 +123,14 @@ export class AuthController {

    try {
      await handler(req, res);
+
+      // BetterAuth writes responses directly — catch silent 500s that bypass NestJS error handling
+      if (res.statusCode >= 500) {
+        this.logger.error(
+          `BetterAuth returned ${String(res.statusCode)} for ${req.method} ${req.url} from ${clientIp}` +
+            ` — check container stdout for '# SERVER_ERROR' details`
+        );
+      }
    } catch (error: unknown) {
      const message = error instanceof Error ? error.message : String(error);
      const stack = error instanceof Error ? error.stack : undefined;
@@ -133,6 +141,11 @@ export class AuthController {
      );

      if (!res.headersSent) {
+        const mappedError = this.mapToHttpException(error);
+        if (mappedError) {
+          throw mappedError;
+        }
+
        throw new HttpException(
          "Unable to complete authentication. Please try again in a moment.",
          HttpStatus.INTERNAL_SERVER_ERROR
@@ -159,4 +172,45 @@ export class AuthController {
    // Fall back to direct IP
    return req.ip ?? req.socket.remoteAddress ?? "unknown";
  }
+
+  /**
+   * Preserve known HTTP errors from BetterAuth/better-call instead of converting
+   * every failure into a generic 500.
+   */
+  private mapToHttpException(error: unknown): HttpException | null {
+    if (error instanceof HttpException) {
+      return error;
+    }
+
+    if (!error || typeof error !== "object") {
+      return null;
+    }
+
+    const statusCode = "statusCode" in error ? error.statusCode : undefined;
+    if (!this.isHttpStatus(statusCode)) {
+      return null;
+    }
+
+    const responseBody = "body" in error && error.body !== undefined ? error.body : undefined;
+    if (
+      responseBody !== undefined &&
+      responseBody !== null &&
+      (typeof responseBody === "string" || typeof responseBody === "object")
+    ) {
+      return new HttpException(responseBody, statusCode);
+    }
+
+    const message =
+      "message" in error && typeof error.message === "string" && error.message.length > 0
+        ? error.message
+        : "Authentication request failed";
+    return new HttpException(message, statusCode);
+  }
+
+  private isHttpStatus(value: unknown): value is number {
+    if (typeof value !== "number" || !Number.isInteger(value)) {
+      return false;
+    }
+    return value >= 400 && value <= 599;
+  }
 }
--- a/apps/api/src/auth/auth.service.spec.ts
+++ b/apps/api/src/auth/auth.service.spec.ts
@@ -410,7 +410,7 @@ describe("AuthService", () => {
      },
    };

-    it("should return session data for valid token", async () => {
+    it("should validate session token using secure BetterAuth cookie header", async () => {
      const auth = service.getAuth();
      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
      auth.api = { getSession: mockGetSession } as any;
@@ -418,7 +418,58 @@ describe("AuthService", () => {
      const result = await service.verifySession("valid-token");

      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenCalledTimes(1);
      expect(mockGetSession).toHaveBeenCalledWith({
+        headers: {
+          cookie: "__Secure-better-auth.session_token=valid-token",
+        },
+      });
+    });
+
+    it("should preserve raw cookie token value without URL re-encoding", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("tok/with+=chars=");
+
+      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenCalledWith({
+        headers: {
+          cookie: "__Secure-better-auth.session_token=tok/with+=chars=",
+        },
+      });
+    });
+
+    it("should fall back to Authorization header when cookie-based lookups miss", async () => {
+      const auth = service.getAuth();
+      const mockGetSession = vi
+        .fn()
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(null)
+        .mockResolvedValueOnce(mockSessionData);
+      auth.api = { getSession: mockGetSession } as any;
+
+      const result = await service.verifySession("valid-token");
+
+      expect(result).toEqual(mockSessionData);
+      expect(mockGetSession).toHaveBeenNthCalledWith(1, {
+        headers: {
+          cookie: "__Secure-better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(2, {
+        headers: {
+          cookie: "better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(3, {
+        headers: {
+          cookie: "__Host-better-auth.session_token=valid-token",
+        },
+      });
+      expect(mockGetSession).toHaveBeenNthCalledWith(4, {
        headers: {
          authorization: "Bearer valid-token",
        },
@@ -517,14 +568,10 @@ describe("AuthService", () => {

    it("should re-throw 'certificate has expired' as infrastructure error (not auth)", async () => {
      const auth = service.getAuth();
-      const mockGetSession = vi
-        .fn()
-        .mockRejectedValue(new Error("certificate has expired"));
+      const mockGetSession = vi.fn().mockRejectedValue(new Error("certificate has expired"));
      auth.api = { getSession: mockGetSession } as any;

-      await expect(service.verifySession("any-token")).rejects.toThrow(
-        "certificate has expired"
-      );
+      await expect(service.verifySession("any-token")).rejects.toThrow("certificate has expired");
    });

    it("should re-throw 'Unauthorized: Access denied for user' as infrastructure error (not auth)", async () => {
--- a/apps/api/src/auth/auth.service.ts
+++ b/apps/api/src/auth/auth.service.ts
@@ -21,6 +21,10 @@ interface VerifiedSession {
  session: Record<string, unknown>;
 }

+interface SessionHeaderCandidate {
+  headers: Record<string, string>;
+}
+
@Injectable()
 export class AuthService {
  private readonly logger = new Logger(AuthService.name);
@@ -103,36 +107,27 @@ export class AuthService {
   * Only known-safe auth errors return null; everything else propagates as 500.
   */
  async verifySession(token: string): Promise<VerifiedSession | null> {
-    try {
-      // TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
-      const session = await this.auth.api.getSession({
-        headers: {
-          authorization: `Bearer ${token}`,
-        },
-      });
+    let sawNonError = false;

-      if (!session) {
-        return null;
-      }
+    for (const candidate of this.buildSessionHeaderCandidates(token)) {
+      try {
+        // TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
+        const session = await this.auth.api.getSession(candidate);

-      return {
-        user: session.user as Record<string, unknown>,
-        session: session.session as Record<string, unknown>,
-      };
-    } catch (error: unknown) {
-      // Only known-safe auth errors return null
-      if (error instanceof Error) {
-        const msg = error.message.toLowerCase();
-        const isExpectedAuthError =
-          msg.includes("invalid token") ||
-          msg.includes("token expired") ||
-          msg.includes("session expired") ||
-          msg.includes("session not found") ||
-          msg.includes("invalid session") ||
-          msg === "unauthorized" ||
-          msg === "expired";
+        if (!session) {
+          continue;
+        }
+
+        return {
+          user: session.user as Record<string, unknown>,
+          session: session.session as Record<string, unknown>,
+        };
+      } catch (error: unknown) {
+        if (error instanceof Error) {
+          if (this.isExpectedAuthError(error.message)) {
+            continue;
+          }

-        if (!isExpectedAuthError) {
          // Infrastructure or unexpected — propagate as 500
          const safeMessage = (error.stack ?? error.message).replace(
            /Bearer\s+\S+/gi,
@@ -141,14 +136,55 @@ export class AuthService {
          this.logger.error("Session verification failed due to unexpected error", safeMessage);
          throw error;
        }
+
+        // Non-Error thrown values — log once for observability, treat as auth failure
+        if (!sawNonError) {
+          const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
+          this.logger.warn("Session verification received non-Error thrown value", errorDetail);
+          sawNonError = true;
+        }
      }
-      // Non-Error thrown values — log for observability, treat as auth failure
-      if (!(error instanceof Error)) {
-        const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
-        this.logger.warn("Session verification received non-Error thrown value", errorDetail);
-      }
-      return null;
    }
+
+    return null;
+  }
+
+  private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
+    return [
+      {
+        headers: {
+          cookie: `__Secure-better-auth.session_token=${token}`,
+        },
+      },
+      {
+        headers: {
+          cookie: `better-auth.session_token=${token}`,
+        },
+      },
+      {
+        headers: {
+          cookie: `__Host-better-auth.session_token=${token}`,
+        },
+      },
+      {
+        headers: {
+          authorization: `Bearer ${token}`,
+        },
+      },
+    ];
+  }
+
+  private isExpectedAuthError(message: string): boolean {
+    const normalized = message.toLowerCase();
+    return (
+      normalized.includes("invalid token") ||
+      normalized.includes("token expired") ||
+      normalized.includes("session expired") ||
+      normalized.includes("session not found") ||
+      normalized.includes("invalid session") ||
+      normalized === "unauthorized" ||
+      normalized === "expired"
+    );
  }

  /**
--- a/apps/api/src/auth/guards/auth.guard.ts
+++ b/apps/api/src/auth/guards/auth.guard.ts
@@ -1,10 +1,18 @@
-import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from "@nestjs/common";
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  UnauthorizedException,
+  Logger,
+} from "@nestjs/common";
 import { AuthService } from "../auth.service";
 import type { AuthUser } from "@mosaic/shared";
 import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface";

@Injectable()
 export class AuthGuard implements CanActivate {
+  private readonly logger = new Logger(AuthGuard.name);
+
  constructor(private readonly authService: AuthService) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
@@ -59,7 +67,8 @@ export class AuthGuard implements CanActivate {
  }

  /**
-   * Extract token from cookie (BetterAuth stores session token in better-auth.session_token cookie)
+   * Extract token from cookie.
+   * BetterAuth may prefix the cookie name with "__Secure-" when running on HTTPS.
   */
  private extractTokenFromCookie(request: MaybeAuthenticatedRequest): string | undefined {
    // Express types `cookies` as `any`; cast to a known shape for type safety.
@@ -68,8 +77,23 @@ export class AuthGuard implements CanActivate {
      return undefined;
    }

-    // BetterAuth uses 'better-auth.session_token' as the cookie name by default
-    return cookies["better-auth.session_token"];
+    // BetterAuth default cookie name is "better-auth.session_token"
+    // When Secure cookies are enabled, BetterAuth prefixes with "__Secure-".
+    const candidates = [
+      "__Secure-better-auth.session_token",
+      "better-auth.session_token",
+      "__Host-better-auth.session_token",
+    ] as const;
+
+    for (const name of candidates) {
+      const token = cookies[name];
+      if (token) {
+        this.logger.debug(`Session cookie found: ${name}`);
+        return token;
+      }
+    }
+
+    return undefined;
  }

  /**
--- a/apps/api/src/common/controllers/csrf.controller.ts
+++ b/apps/api/src/common/controllers/csrf.controller.ts
@@ -16,7 +16,7 @@ interface AuthenticatedRequest extends Request {
  user?: AuthenticatedUser;
 }

-@Controller("api/v1/csrf")
+@Controller("v1/csrf")
 export class CsrfController {
  constructor(private readonly csrfService: CsrfService) {}

--- a/apps/api/src/common/guards/csrf.guard.spec.ts
+++ b/apps/api/src/common/guards/csrf.guard.spec.ts
@@ -174,17 +174,19 @@ describe("CsrfGuard", () => {
  });

  describe("Session binding validation", () => {
-    it("should reject when user is not authenticated", () => {
+    it("should allow when user context is not yet available (global guard ordering)", () => {
+      // CsrfGuard runs as APP_GUARD before per-controller AuthGuard,
+      // so request.user may not be populated. Double-submit cookie match
+      // is sufficient protection in this case.
      const token = generateValidToken("user-123");
      const context = createContext(
        "POST",
        { "csrf-token": token },
        { "x-csrf-token": token },
        false
-        // No userId - unauthenticated
+        // No userId - AuthGuard hasn't run yet
      );
-      expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
-      expect(() => guard.canActivate(context)).toThrow("CSRF validation requires authentication");
+      expect(guard.canActivate(context)).toBe(true);
    });

    it("should reject token from different session", () => {
--- a/apps/api/src/common/guards/csrf.guard.ts
+++ b/apps/api/src/common/guards/csrf.guard.ts
@@ -89,30 +89,30 @@ export class CsrfGuard implements CanActivate {
      throw new ForbiddenException("CSRF token mismatch");
    }

-    // Validate session binding via HMAC
+    // Validate session binding via HMAC when user context is available.
+    // CsrfGuard is a global guard (APP_GUARD) that runs before per-controller
+    // AuthGuard, so request.user may not be populated yet. In that case, the
+    // double-submit cookie match above is sufficient CSRF protection.
    const userId = request.user?.id;
-    if (!userId) {
-      this.logger.warn({
-        event: "CSRF_NO_USER_CONTEXT",
+    if (userId) {
+      if (!this.csrfService.validateToken(cookieToken, userId)) {
+        this.logger.warn({
+          event: "CSRF_SESSION_BINDING_INVALID",
+          method: request.method,
+          path: request.path,
+          securityEvent: true,
+          timestamp: new Date().toISOString(),
+        });
+
+        throw new ForbiddenException("CSRF token not bound to session");
+      }
+    } else {
+      this.logger.debug({
+        event: "CSRF_SKIP_SESSION_BINDING",
        method: request.method,
        path: request.path,
-        securityEvent: true,
-        timestamp: new Date().toISOString(),
+        reason: "User context not yet available (global guard runs before AuthGuard)",
      });
-
-      throw new ForbiddenException("CSRF validation requires authentication");
-    }
-
-    if (!this.csrfService.validateToken(cookieToken, userId)) {
-      this.logger.warn({
-        event: "CSRF_SESSION_BINDING_INVALID",
-        method: request.method,
-        path: request.path,
-        securityEvent: true,
-        timestamp: new Date().toISOString(),
-      });
-
-      throw new ForbiddenException("CSRF token not bound to session");
    }

    return true;
--- a/apps/api/src/common/interceptors/rls-context.integration.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.integration.spec.ts
@@ -137,13 +137,13 @@ describe("RLS Context Integration", () => {
        queries: ["findMany"],
      });

-      // Verify SET LOCAL was called
+      // Verify transaction-local set_config calls were made
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
@@ -80,7 +80,7 @@ describe("RlsContextInterceptor", () => {

      expect(result).toEqual({ data: "test response" });
      expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
    });
@@ -111,13 +111,13 @@ describe("RlsContextInterceptor", () => {
      // Check that user context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        1,
-        expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]),
        userId
      );
      // Check that workspace context was set
      expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
        2,
-        expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
+        expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]),
        workspaceId
      );
    });
--- a/apps/api/src/common/interceptors/rls-context.interceptor.ts
+++ b/apps/api/src/common/interceptors/rls-context.interceptor.ts
@@ -100,12 +100,12 @@ export class RlsContextInterceptor implements NestInterceptor {
      this.prisma
        .$transaction(
          async (tx) => {
-            // Set user context (always present for authenticated requests)
-            await tx.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
+            // Use set_config(..., true) so values are transaction-local and parameterized safely.
+            // Direct SET LOCAL with bind parameters produces invalid SQL on PostgreSQL.
+            await tx.$executeRaw`SELECT set_config('app.current_user_id', ${userId}, true)`;

-            // Set workspace context (if present)
            if (workspaceId) {
-              await tx.$executeRaw`SET LOCAL app.current_workspace_id = ${workspaceId}`;
+              await tx.$executeRaw`SELECT set_config('app.current_workspace_id', ${workspaceId}, true)`;
            }

            // Propagate the transaction client via AsyncLocalStorage
--- a/apps/api/src/dashboard/dashboard.controller.spec.ts
+++ b/apps/api/src/dashboard/dashboard.controller.spec.ts
@@ -0,0 +1,143 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { Test, TestingModule } from "@nestjs/testing";
+import { DashboardController } from "./dashboard.controller";
+import { DashboardService } from "./dashboard.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { WorkspaceGuard } from "../common/guards/workspace.guard";
+import { PermissionGuard } from "../common/guards/permission.guard";
+import type { DashboardSummaryDto } from "./dto";
+
+describe("DashboardController", () => {
+  let controller: DashboardController;
+  let service: DashboardService;
+
+  const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
+
+  const mockSummary: DashboardSummaryDto = {
+    metrics: {
+      activeAgents: 3,
+      tasksCompleted: 12,
+      totalTasks: 25,
+      tasksInProgress: 5,
+      activeProjects: 4,
+      errorRate: 2.5,
+    },
+    recentActivity: [
+      {
+        id: "550e8400-e29b-41d4-a716-446655440010",
+        action: "CREATED",
+        entityType: "TASK",
+        entityId: "550e8400-e29b-41d4-a716-446655440011",
+        details: { title: "New task" },
+        userId: "550e8400-e29b-41d4-a716-446655440002",
+        createdAt: "2026-02-22T12:00:00.000Z",
+      },
+    ],
+    activeJobs: [
+      {
+        id: "550e8400-e29b-41d4-a716-446655440020",
+        type: "code-task",
+        status: "RUNNING",
+        progressPercent: 45,
+        createdAt: "2026-02-22T11:00:00.000Z",
+        updatedAt: "2026-02-22T11:30:00.000Z",
+        steps: [
+          {
+            id: "550e8400-e29b-41d4-a716-446655440030",
+            name: "Setup",
+            status: "COMPLETED",
+            phase: "SETUP",
+          },
+        ],
+      },
+    ],
+    tokenBudget: [
+      {
+        model: "agent-1",
+        used: 5000,
+        limit: 10000,
+      },
+    ],
+  };
+
+  const mockDashboardService = {
+    getSummary: vi.fn(),
+  };
+
+  const mockAuthGuard = {
+    canActivate: vi.fn(() => true),
+  };
+
+  const mockWorkspaceGuard = {
+    canActivate: vi.fn(() => true),
+  };
+
+  const mockPermissionGuard = {
+    canActivate: vi.fn(() => true),
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [DashboardController],
+      providers: [
+        {
+          provide: DashboardService,
+          useValue: mockDashboardService,
+        },
+      ],
+    })
+      .overrideGuard(AuthGuard)
+      .useValue(mockAuthGuard)
+      .overrideGuard(WorkspaceGuard)
+      .useValue(mockWorkspaceGuard)
+      .overrideGuard(PermissionGuard)
+      .useValue(mockPermissionGuard)
+      .compile();
+
+    controller = module.get<DashboardController>(DashboardController);
+    service = module.get<DashboardService>(DashboardService);
+
+    vi.clearAllMocks();
+  });
+
+  it("should be defined", () => {
+    expect(controller).toBeDefined();
+  });
+
+  describe("getSummary", () => {
+    it("should return dashboard summary for workspace", async () => {
+      mockDashboardService.getSummary.mockResolvedValue(mockSummary);
+
+      const result = await controller.getSummary(mockWorkspaceId);
+
+      expect(result).toEqual(mockSummary);
+      expect(service.getSummary).toHaveBeenCalledWith(mockWorkspaceId);
+    });
+
+    it("should return empty arrays when no data exists", async () => {
+      const emptySummary: DashboardSummaryDto = {
+        metrics: {
+          activeAgents: 0,
+          tasksCompleted: 0,
+          totalTasks: 0,
+          tasksInProgress: 0,
+          activeProjects: 0,
+          errorRate: 0,
+        },
+        recentActivity: [],
+        activeJobs: [],
+        tokenBudget: [],
+      };
+
+      mockDashboardService.getSummary.mockResolvedValue(emptySummary);
+
+      const result = await controller.getSummary(mockWorkspaceId);
+
+      expect(result).toEqual(emptySummary);
+      expect(result.metrics.errorRate).toBe(0);
+      expect(result.recentActivity).toHaveLength(0);
+      expect(result.activeJobs).toHaveLength(0);
+      expect(result.tokenBudget).toHaveLength(0);
+    });
+  });
+});
--- a/apps/api/src/dashboard/dashboard.controller.ts
+++ b/apps/api/src/dashboard/dashboard.controller.ts
@@ -0,0 +1,35 @@
+import { Controller, Get, UseGuards, BadRequestException } from "@nestjs/common";
+import { DashboardService } from "./dashboard.service";
+import { AuthGuard } from "../auth/guards/auth.guard";
+import { WorkspaceGuard, PermissionGuard } from "../common/guards";
+import { Workspace, Permission, RequirePermission } from "../common/decorators";
+import type { DashboardSummaryDto } from "./dto";
+
+/**
+ * Controller for dashboard endpoints.
+ * Returns aggregated summary data for the workspace dashboard.
+ *
+ * Guards are applied in order:
+ * 1. AuthGuard - Verifies user authentication
+ * 2. WorkspaceGuard - Validates workspace access and sets RLS context
+ * 3. PermissionGuard - Checks role-based permissions
+ */
+@Controller("dashboard")
+@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
+export class DashboardController {
+  constructor(private readonly dashboardService: DashboardService) {}
+
+  /**
+   * GET /api/dashboard/summary
+   * Returns aggregated metrics, recent activity, active jobs, and token budgets
+   * Requires: Any workspace member (including GUEST)
+   */
+  @Get("summary")
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async getSummary(@Workspace() workspaceId: string | undefined): Promise<DashboardSummaryDto> {
+    if (!workspaceId) {
+      throw new BadRequestException("Workspace context required");
+    }
+    return this.dashboardService.getSummary(workspaceId);
+  }
+}
--- a/apps/api/src/dashboard/dashboard.module.ts
+++ b/apps/api/src/dashboard/dashboard.module.ts
@@ -0,0 +1,13 @@
+import { Module } from "@nestjs/common";
+import { DashboardController } from "./dashboard.controller";
+import { DashboardService } from "./dashboard.service";
+import { PrismaModule } from "../prisma/prisma.module";
+import { AuthModule } from "../auth/auth.module";
+
+@Module({
+  imports: [PrismaModule, AuthModule],
+  controllers: [DashboardController],
+  providers: [DashboardService],
+  exports: [DashboardService],
+})
+export class DashboardModule {}
--- a/apps/api/src/dashboard/dashboard.service.ts
+++ b/apps/api/src/dashboard/dashboard.service.ts
@@ -0,0 +1,187 @@
+import { Injectable } from "@nestjs/common";
+import { AgentStatus, ProjectStatus, RunnerJobStatus, TaskStatus } from "@prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+import type {
+  DashboardSummaryDto,
+  ActiveJobDto,
+  RecentActivityDto,
+  TokenBudgetEntryDto,
+} from "./dto";
+
+/**
+ * Service for aggregating dashboard summary data.
+ * Executes all queries in parallel to minimize latency.
+ */
+@Injectable()
+export class DashboardService {
+  constructor(private readonly prisma: PrismaService) {}
+
+  /**
+   * Get aggregated dashboard summary for a workspace
+   */
+  async getSummary(workspaceId: string): Promise<DashboardSummaryDto> {
+    const now = new Date();
+    const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+
+    // Execute all queries in parallel
+    const [
+      activeAgents,
+      tasksCompleted,
+      totalTasks,
+      tasksInProgress,
+      activeProjects,
+      failedJobsLast24h,
+      totalJobsLast24h,
+      recentActivityRows,
+      activeJobRows,
+      tokenBudgetRows,
+    ] = await Promise.all([
+      // Active agents: IDLE, WORKING, WAITING
+      this.prisma.agent.count({
+        where: {
+          workspaceId,
+          status: { in: [AgentStatus.IDLE, AgentStatus.WORKING, AgentStatus.WAITING] },
+        },
+      }),
+
+      // Tasks completed
+      this.prisma.task.count({
+        where: {
+          workspaceId,
+          status: TaskStatus.COMPLETED,
+        },
+      }),
+
+      // Total tasks
+      this.prisma.task.count({
+        where: { workspaceId },
+      }),
+
+      // Tasks in progress
+      this.prisma.task.count({
+        where: {
+          workspaceId,
+          status: TaskStatus.IN_PROGRESS,
+        },
+      }),
+
+      // Active projects
+      this.prisma.project.count({
+        where: {
+          workspaceId,
+          status: ProjectStatus.ACTIVE,
+        },
+      }),
+
+      // Failed jobs in last 24h (for error rate)
+      this.prisma.runnerJob.count({
+        where: {
+          workspaceId,
+          status: RunnerJobStatus.FAILED,
+          createdAt: { gte: oneDayAgo },
+        },
+      }),
+
+      // Total jobs in last 24h (for error rate)
+      this.prisma.runnerJob.count({
+        where: {
+          workspaceId,
+          createdAt: { gte: oneDayAgo },
+        },
+      }),
+
+      // Recent activity: last 10 entries
+      this.prisma.activityLog.findMany({
+        where: { workspaceId },
+        orderBy: { createdAt: "desc" },
+        take: 10,
+      }),
+
+      // Active jobs: PENDING, QUEUED, RUNNING with steps
+      this.prisma.runnerJob.findMany({
+        where: {
+          workspaceId,
+          status: {
+            in: [RunnerJobStatus.PENDING, RunnerJobStatus.QUEUED, RunnerJobStatus.RUNNING],
+          },
+        },
+        include: {
+          steps: {
+            select: {
+              id: true,
+              name: true,
+              status: true,
+              phase: true,
+            },
+            orderBy: { ordinal: "asc" },
+          },
+        },
+        orderBy: { createdAt: "desc" },
+      }),
+
+      // Token budgets for workspace (active, not yet completed)
+      this.prisma.tokenBudget.findMany({
+        where: {
+          workspaceId,
+          completedAt: null,
+        },
+        select: {
+          agentId: true,
+          totalTokensUsed: true,
+          allocatedTokens: true,
+        },
+      }),
+    ]);
+
+    // Compute error rate
+    const errorRate = totalJobsLast24h > 0 ? (failedJobsLast24h / totalJobsLast24h) * 100 : 0;
+
+    // Map recent activity
+    const recentActivity: RecentActivityDto[] = recentActivityRows.map((row) => ({
+      id: row.id,
+      action: row.action,
+      entityType: row.entityType,
+      entityId: row.entityId,
+      details: row.details as Record<string, unknown> | null,
+      userId: row.userId,
+      createdAt: row.createdAt.toISOString(),
+    }));
+
+    // Map active jobs (RunnerJob lacks updatedAt; use startedAt or createdAt as proxy)
+    const activeJobs: ActiveJobDto[] = activeJobRows.map((row) => ({
+      id: row.id,
+      type: row.type,
+      status: row.status,
+      progressPercent: row.progressPercent,
+      createdAt: row.createdAt.toISOString(),
+      updatedAt: (row.startedAt ?? row.createdAt).toISOString(),
+      steps: row.steps.map((step) => ({
+        id: step.id,
+        name: step.name,
+        status: step.status,
+        phase: step.phase,
+      })),
+    }));
+
+    // Map token budget entries
+    const tokenBudget: TokenBudgetEntryDto[] = tokenBudgetRows.map((row) => ({
+      model: row.agentId,
+      used: row.totalTokensUsed,
+      limit: row.allocatedTokens,
+    }));
+
+    return {
+      metrics: {
+        activeAgents,
+        tasksCompleted,
+        totalTasks,
+        tasksInProgress,
+        activeProjects,
+        errorRate: Math.round(errorRate * 100) / 100,
+      },
+      recentActivity,
+      activeJobs,
+      tokenBudget,
+    };
+  }
+}
--- a/apps/api/src/dashboard/dto/dashboard-summary.dto.ts
+++ b/apps/api/src/dashboard/dto/dashboard-summary.dto.ts
@@ -0,0 +1,53 @@
+/**
+ * Dashboard Summary DTO
+ * Defines the response shape for the dashboard summary endpoint.
+ */
+
+export class DashboardMetricsDto {
+  activeAgents!: number;
+  tasksCompleted!: number;
+  totalTasks!: number;
+  tasksInProgress!: number;
+  activeProjects!: number;
+  errorRate!: number;
+}
+
+export class RecentActivityDto {
+  id!: string;
+  action!: string;
+  entityType!: string;
+  entityId!: string;
+  details!: Record<string, unknown> | null;
+  userId!: string;
+  createdAt!: string;
+}
+
+export class ActiveJobStepDto {
+  id!: string;
+  name!: string;
+  status!: string;
+  phase!: string;
+}
+
+export class ActiveJobDto {
+  id!: string;
+  type!: string;
+  status!: string;
+  progressPercent!: number;
+  createdAt!: string;
+  updatedAt!: string;
+  steps!: ActiveJobStepDto[];
+}
+
+export class TokenBudgetEntryDto {
+  model!: string;
+  used!: number;
+  limit!: number;
+}
+
+export class DashboardSummaryDto {
+  metrics!: DashboardMetricsDto;
+  recentActivity!: RecentActivityDto[];
+  activeJobs!: ActiveJobDto[];
+  tokenBudget!: TokenBudgetEntryDto[];
+}
--- a/apps/api/src/dashboard/dto/index.ts
+++ b/apps/api/src/dashboard/dto/index.ts
@@ -0,0 +1 @@
+export * from "./dashboard-summary.dto";
--- a/apps/api/src/federation/command.controller.ts
+++ b/apps/api/src/federation/command.controller.ts
@@ -12,7 +12,7 @@ import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { CommandMessageDetails, CommandResponse } from "./types/message.types";
 import type { FederationMessageStatus } from "@prisma/client";

-@Controller("api/v1/federation")
+@Controller("v1/federation")
 export class CommandController {
  private readonly logger = new Logger(CommandController.name);

--- a/apps/api/src/federation/event.controller.ts
+++ b/apps/api/src/federation/event.controller.ts
@@ -23,7 +23,7 @@ import {
  IncomingEventAckDto,
 } from "./dto/event.dto";

-@Controller("api/v1/federation")
+@Controller("v1/federation")
 export class EventController {
  private readonly logger = new Logger(EventController.name);

--- a/apps/api/src/federation/federation-auth.controller.ts
+++ b/apps/api/src/federation/federation-auth.controller.ts
@@ -18,7 +18,7 @@ import {
  ValidateFederatedTokenDto,
 } from "./dto/federated-auth.dto";

-@Controller("api/v1/federation/auth")
+@Controller("v1/federation/auth")
 export class FederationAuthController {
  private readonly logger = new Logger(FederationAuthController.name);

--- a/apps/api/src/federation/federation.controller.ts
+++ b/apps/api/src/federation/federation.controller.ts
@@ -27,7 +27,7 @@ import {
 } from "./dto/connection.dto";
 import { FederationConnectionStatus } from "@prisma/client";

-@Controller("api/v1/federation")
+@Controller("v1/federation")
 export class FederationController {
  private readonly logger = new Logger(FederationController.name);

--- a/apps/api/src/federation/query.controller.ts
+++ b/apps/api/src/federation/query.controller.ts
@@ -12,7 +12,7 @@ import type { AuthenticatedRequest } from "../common/types/user.types";
 import type { QueryMessageDetails, QueryResponse } from "./types/message.types";
 import type { FederationMessageStatus } from "@prisma/client";

-@Controller("api/v1/federation")
+@Controller("v1/federation")
 export class QueryController {
  private readonly logger = new Logger(QueryController.name);

--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -1,5 +1,5 @@
 import { NestFactory } from "@nestjs/core";
-import { ValidationPipe } from "@nestjs/common";
+import { RequestMethod, ValidationPipe } from "@nestjs/common";
 import cookieParser from "cookie-parser";
 import { AppModule } from "./app.module";
 import { getTrustedOrigins } from "./auth/auth.config";
@@ -47,6 +47,16 @@ async function bootstrap() {

  app.useGlobalFilters(new GlobalExceptionFilter());

+  // Set global API prefix — all routes get /api/* except auth and health
+  // Auth routes are excluded because BetterAuth expects /auth/* paths
+  // Health is excluded because Docker healthchecks hit /health directly
+  app.setGlobalPrefix("api", {
+    exclude: [
+      { path: "health", method: RequestMethod.GET },
+      { path: "auth/(.*)", method: RequestMethod.ALL },
+    ],
+  });
+
  // Configure CORS for cookie-based authentication
  // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
  const trustedOrigins = getTrustedOrigins();
--- a/apps/api/src/runner-jobs/runner-jobs.module.ts
+++ b/apps/api/src/runner-jobs/runner-jobs.module.ts
@@ -4,6 +4,7 @@ import { RunnerJobsService } from "./runner-jobs.service";
 import { PrismaModule } from "../prisma/prisma.module";
 import { BullMqModule } from "../bullmq/bullmq.module";
 import { AuthModule } from "../auth/auth.module";
+import { WebSocketModule } from "../websocket/websocket.module";

 /**
 * Runner Jobs Module
@@ -12,7 +13,7 @@ import { AuthModule } from "../auth/auth.module";
 * for asynchronous job processing.
 */
@Module({
-  imports: [PrismaModule, BullMqModule, AuthModule],
+  imports: [PrismaModule, BullMqModule, AuthModule, WebSocketModule],
  controllers: [RunnerJobsController],
  providers: [RunnerJobsService],
  exports: [RunnerJobsService],
--- a/apps/api/src/runner-jobs/runner-jobs.service.concurrency.spec.ts
+++ b/apps/api/src/runner-jobs/runner-jobs.service.concurrency.spec.ts
@@ -3,6 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { RunnerJobsService } from "./runner-jobs.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { BullMqService } from "../bullmq/bullmq.service";
+import { WebSocketGateway } from "../websocket/websocket.gateway";
 import { RunnerJobStatus } from "@prisma/client";
 import { ConflictException, BadRequestException } from "@nestjs/common";

@@ -19,6 +20,12 @@ describe("RunnerJobsService - Concurrency", () => {
    getQueue: vi.fn(),
  };

+  const mockWebSocketGateway = {
+    emitJobCreated: vi.fn(),
+    emitJobStatusChanged: vi.fn(),
+    emitJobProgress: vi.fn(),
+  };
+
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      providers: [
@@ -37,6 +44,10 @@ describe("RunnerJobsService - Concurrency", () => {
          provide: BullMqService,
          useValue: mockBullMqService,
        },
+        {
+          provide: WebSocketGateway,
+          useValue: mockWebSocketGateway,
+        },
      ],
    }).compile();

--- a/apps/api/src/runner-jobs/runner-jobs.service.spec.ts
+++ b/apps/api/src/runner-jobs/runner-jobs.service.spec.ts
@@ -3,6 +3,7 @@ import { Test, TestingModule } from "@nestjs/testing";
 import { RunnerJobsService } from "./runner-jobs.service";
 import { PrismaService } from "../prisma/prisma.service";
 import { BullMqService } from "../bullmq/bullmq.service";
+import { WebSocketGateway } from "../websocket/websocket.gateway";
 import { RunnerJobStatus } from "@prisma/client";
 import { NotFoundException, BadRequestException } from "@nestjs/common";
 import { CreateJobDto, QueryJobsDto } from "./dto";
@@ -32,6 +33,12 @@ describe("RunnerJobsService", () => {
    getQueue: vi.fn(),
  };

+  const mockWebSocketGateway = {
+    emitJobCreated: vi.fn(),
+    emitJobStatusChanged: vi.fn(),
+    emitJobProgress: vi.fn(),
+  };
+
  beforeEach(async () => {
    const module: TestingModule = await Test.createTestingModule({
      providers: [
@@ -44,6 +51,10 @@ describe("RunnerJobsService", () => {
          provide: BullMqService,
          useValue: mockBullMqService,
        },
+        {
+          provide: WebSocketGateway,
+          useValue: mockWebSocketGateway,
+        },
      ],
    }).compile();

--- a/apps/api/src/runner-jobs/runner-jobs.service.ts
+++ b/apps/api/src/runner-jobs/runner-jobs.service.ts
@@ -3,6 +3,7 @@ import { Prisma, RunnerJobStatus } from "@prisma/client";
 import { Response } from "express";
 import { PrismaService } from "../prisma/prisma.service";
 import { BullMqService } from "../bullmq/bullmq.service";
+import { WebSocketGateway } from "../websocket/websocket.gateway";
 import { QUEUE_NAMES } from "../bullmq/queues";
 import { ConcurrentUpdateException } from "../common/exceptions/concurrent-update.exception";
 import type { CreateJobDto, QueryJobsDto } from "./dto";
@@ -14,7 +15,8 @@ import type { CreateJobDto, QueryJobsDto } from "./dto";
 export class RunnerJobsService {
  constructor(
    private readonly prisma: PrismaService,
-    private readonly bullMq: BullMqService
+    private readonly bullMq: BullMqService,
+    private readonly wsGateway: WebSocketGateway
  ) {}

  /**
@@ -56,6 +58,8 @@ export class RunnerJobsService {
      { priority }
    );

+    this.wsGateway.emitJobCreated(workspaceId, job);
+
    return job;
  }

@@ -194,6 +198,13 @@ export class RunnerJobsService {
        throw new NotFoundException(`RunnerJob with ID ${id} not found after cancel`);
      }

+      this.wsGateway.emitJobStatusChanged(workspaceId, id, {
+        id,
+        workspaceId,
+        status: job.status,
+        previousStatus: existingJob.status,
+      });
+
      return job;
    });
  }
@@ -248,6 +259,8 @@ export class RunnerJobsService {
      { priority: existingJob.priority }
    );

+    this.wsGateway.emitJobCreated(workspaceId, newJob);
+
    return newJob;
  }

@@ -530,6 +543,13 @@ export class RunnerJobsService {
        throw new NotFoundException(`RunnerJob with ID ${id} not found after update`);
      }

+      this.wsGateway.emitJobStatusChanged(workspaceId, id, {
+        id,
+        workspaceId,
+        status: updatedJob.status,
+        previousStatus: existingJob.status,
+      });
+
      return updatedJob;
    });
  }
@@ -606,6 +626,12 @@ export class RunnerJobsService {
        throw new NotFoundException(`RunnerJob with ID ${id} not found after update`);
      }

+      this.wsGateway.emitJobProgress(workspaceId, id, {
+        id,
+        workspaceId,
+        progressPercent: updatedJob.progressPercent,
+      });
+
      return updatedJob;
    });
  }
--- a/apps/api/src/telemetry/telemetry.interceptor.spec.ts
+++ b/apps/api/src/telemetry/telemetry.interceptor.spec.ts
@@ -50,6 +50,8 @@ describe("TelemetryInterceptor", () => {
        getResponse: vi.fn().mockReturnValue({
          statusCode: 200,
          setHeader: vi.fn(),
+          headersSent: false,
+          writableEnded: false,
        }),
      }),
      getClass: vi.fn().mockReturnValue({ name: "TestController" }),
@@ -101,6 +103,35 @@ describe("TelemetryInterceptor", () => {
      expect(mockResponse.setHeader).toHaveBeenCalledWith("x-trace-id", "test-trace-id");
    });

+    it("should not set trace header when response is already committed", async () => {
+      const committedResponseContext = {
+        ...mockContext,
+        switchToHttp: vi.fn().mockReturnValue({
+          getRequest: vi.fn().mockReturnValue({
+            method: "GET",
+            url: "/api/test",
+            path: "/api/test",
+          }),
+          getResponse: vi.fn().mockReturnValue({
+            statusCode: 200,
+            setHeader: vi.fn(),
+            headersSent: true,
+            writableEnded: true,
+          }),
+        }),
+      } as unknown as ExecutionContext;
+
+      mockHandler = {
+        handle: vi.fn().mockReturnValue(of({ data: "test" })),
+      } as unknown as CallHandler;
+
+      const committedResponse = committedResponseContext.switchToHttp().getResponse();
+
+      await lastValueFrom(interceptor.intercept(committedResponseContext, mockHandler));
+
+      expect(committedResponse.setHeader).not.toHaveBeenCalled();
+    });
+
    it("should record exception on error", async () => {
      const error = new Error("Test error");
      mockHandler = {
--- a/apps/api/src/telemetry/telemetry.interceptor.ts
+++ b/apps/api/src/telemetry/telemetry.interceptor.ts
@@ -88,7 +88,7 @@ export class TelemetryInterceptor implements NestInterceptor {

      // Add trace context to response headers for distributed tracing
      const spanContext = span.spanContext();
-      if (spanContext.traceId) {
+      if (spanContext.traceId && !response.headersSent && !response.writableEnded) {
        response.setHeader("x-trace-id", spanContext.traceId);
      }
    } catch (error) {
--- a/apps/api/src/terminal/terminal-session.dto.ts
+++ b/apps/api/src/terminal/terminal-session.dto.ts
@@ -0,0 +1,53 @@
+/**
+ * Terminal Session DTOs
+ *
+ * Data Transfer Objects for terminal session persistence endpoints.
+ * Validated using class-validator decorators.
+ */
+
+import { IsString, IsOptional, MaxLength, IsEnum, IsUUID } from "class-validator";
+import { TerminalSessionStatus } from "@prisma/client";
+
+/**
+ * DTO for creating a new terminal session record.
+ */
+export class CreateTerminalSessionDto {
+  @IsString()
+  @IsUUID()
+  workspaceId!: string;
+
+  @IsOptional()
+  @IsString()
+  @MaxLength(128)
+  name?: string;
+}
+
+/**
+ * DTO for querying terminal sessions by workspace.
+ */
+export class FindTerminalSessionsByWorkspaceDto {
+  @IsString()
+  @IsUUID()
+  workspaceId!: string;
+}
+
+/**
+ * Response shape for a terminal session.
+ */
+export class TerminalSessionResponseDto {
+  id!: string;
+  workspaceId!: string;
+  name!: string;
+  status!: TerminalSessionStatus;
+  createdAt!: Date;
+  closedAt!: Date | null;
+}
+
+/**
+ * DTO for filtering terminal sessions by status.
+ */
+export class TerminalSessionStatusFilterDto {
+  @IsOptional()
+  @IsEnum(TerminalSessionStatus)
+  status?: TerminalSessionStatus;
+}
--- a/apps/api/src/terminal/terminal-session.service.spec.ts
+++ b/apps/api/src/terminal/terminal-session.service.spec.ts
@@ -0,0 +1,229 @@
+/**
+ * TerminalSessionService Tests
+ *
+ * Unit tests for database-backed terminal session CRUD:
+ * create, findByWorkspace, close, and findById.
+ * PrismaService is mocked to isolate the service logic.
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { NotFoundException } from "@nestjs/common";
+import { TerminalSessionStatus } from "@prisma/client";
+import type { TerminalSession } from "@prisma/client";
+import { TerminalSessionService } from "./terminal-session.service";
+
+// ==========================================
+// Helpers
+// ==========================================
+
+function makeSession(overrides: Partial<TerminalSession> = {}): TerminalSession {
+  return {
+    id: "session-uuid-1",
+    workspaceId: "workspace-uuid-1",
+    name: "Terminal",
+    status: TerminalSessionStatus.ACTIVE,
+    createdAt: new Date("2026-02-25T00:00:00Z"),
+    closedAt: null,
+    ...overrides,
+  };
+}
+
+// ==========================================
+// Mock PrismaService
+// ==========================================
+
+function makeMockPrisma() {
+  return {
+    terminalSession: {
+      create: vi.fn(),
+      findMany: vi.fn(),
+      findUnique: vi.fn(),
+      update: vi.fn(),
+    },
+  };
+}
+
+// ==========================================
+// Tests
+// ==========================================
+
+describe("TerminalSessionService", () => {
+  let service: TerminalSessionService;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let mockPrisma: any;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockPrisma = makeMockPrisma();
+    service = new TerminalSessionService(mockPrisma);
+  });
+
+  // ==========================================
+  // create
+  // ==========================================
+  describe("create", () => {
+    it("should call prisma.terminalSession.create with workspaceId only when no name provided", async () => {
+      const session = makeSession();
+      mockPrisma.terminalSession.create.mockResolvedValueOnce(session);
+
+      const result = await service.create("workspace-uuid-1");
+
+      expect(mockPrisma.terminalSession.create).toHaveBeenCalledWith({
+        data: { workspaceId: "workspace-uuid-1" },
+      });
+      expect(result).toEqual(session);
+    });
+
+    it("should include name in create data when name is provided", async () => {
+      const session = makeSession({ name: "My Terminal" });
+      mockPrisma.terminalSession.create.mockResolvedValueOnce(session);
+
+      const result = await service.create("workspace-uuid-1", "My Terminal");
+
+      expect(mockPrisma.terminalSession.create).toHaveBeenCalledWith({
+        data: { workspaceId: "workspace-uuid-1", name: "My Terminal" },
+      });
+      expect(result).toEqual(session);
+    });
+
+    it("should return the created session", async () => {
+      const session = makeSession();
+      mockPrisma.terminalSession.create.mockResolvedValueOnce(session);
+
+      const result = await service.create("workspace-uuid-1");
+
+      expect(result.id).toBe("session-uuid-1");
+      expect(result.status).toBe(TerminalSessionStatus.ACTIVE);
+    });
+  });
+
+  // ==========================================
+  // findByWorkspace
+  // ==========================================
+  describe("findByWorkspace", () => {
+    it("should query for ACTIVE sessions in the given workspace, ordered by createdAt desc", async () => {
+      const sessions = [makeSession(), makeSession({ id: "session-uuid-2" })];
+      mockPrisma.terminalSession.findMany.mockResolvedValueOnce(sessions);
+
+      const result = await service.findByWorkspace("workspace-uuid-1");
+
+      expect(mockPrisma.terminalSession.findMany).toHaveBeenCalledWith({
+        where: {
+          workspaceId: "workspace-uuid-1",
+          status: TerminalSessionStatus.ACTIVE,
+        },
+        orderBy: { createdAt: "desc" },
+      });
+      expect(result).toHaveLength(2);
+    });
+
+    it("should return an empty array when no active sessions exist", async () => {
+      mockPrisma.terminalSession.findMany.mockResolvedValueOnce([]);
+
+      const result = await service.findByWorkspace("workspace-uuid-empty");
+
+      expect(result).toEqual([]);
+    });
+
+    it("should not include CLOSED sessions", async () => {
+      // The where clause enforces ACTIVE status — verify it is present
+      mockPrisma.terminalSession.findMany.mockResolvedValueOnce([]);
+
+      await service.findByWorkspace("workspace-uuid-1");
+
+      const callArgs = mockPrisma.terminalSession.findMany.mock.calls[0][0] as {
+        where: { status: TerminalSessionStatus };
+      };
+      expect(callArgs.where.status).toBe(TerminalSessionStatus.ACTIVE);
+    });
+  });
+
+  // ==========================================
+  // close
+  // ==========================================
+  describe("close", () => {
+    it("should set status to CLOSED and set closedAt when session exists", async () => {
+      const existingSession = makeSession();
+      const closedSession = makeSession({
+        status: TerminalSessionStatus.CLOSED,
+        closedAt: new Date("2026-02-25T01:00:00Z"),
+      });
+
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(existingSession);
+      mockPrisma.terminalSession.update.mockResolvedValueOnce(closedSession);
+
+      const result = await service.close("session-uuid-1");
+
+      expect(mockPrisma.terminalSession.findUnique).toHaveBeenCalledWith({
+        where: { id: "session-uuid-1" },
+      });
+      expect(mockPrisma.terminalSession.update).toHaveBeenCalledWith({
+        where: { id: "session-uuid-1" },
+        data: {
+          status: TerminalSessionStatus.CLOSED,
+          closedAt: expect.any(Date),
+        },
+      });
+      expect(result.status).toBe(TerminalSessionStatus.CLOSED);
+    });
+
+    it("should throw NotFoundException when session does not exist", async () => {
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(null);
+
+      await expect(service.close("nonexistent-id")).rejects.toThrow(NotFoundException);
+      expect(mockPrisma.terminalSession.update).not.toHaveBeenCalled();
+    });
+
+    it("should include a non-null closedAt timestamp on close", async () => {
+      const existingSession = makeSession();
+      const closedSession = makeSession({
+        status: TerminalSessionStatus.CLOSED,
+        closedAt: new Date(),
+      });
+
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(existingSession);
+      mockPrisma.terminalSession.update.mockResolvedValueOnce(closedSession);
+
+      const result = await service.close("session-uuid-1");
+
+      expect(result.closedAt).not.toBeNull();
+    });
+  });
+
+  // ==========================================
+  // findById
+  // ==========================================
+  describe("findById", () => {
+    it("should return the session when it exists", async () => {
+      const session = makeSession();
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(session);
+
+      const result = await service.findById("session-uuid-1");
+
+      expect(mockPrisma.terminalSession.findUnique).toHaveBeenCalledWith({
+        where: { id: "session-uuid-1" },
+      });
+      expect(result).toEqual(session);
+    });
+
+    it("should return null when session does not exist", async () => {
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(null);
+
+      const result = await service.findById("no-such-id");
+
+      expect(result).toBeNull();
+    });
+
+    it("should find CLOSED sessions as well as ACTIVE ones", async () => {
+      const closedSession = makeSession({
+        status: TerminalSessionStatus.CLOSED,
+        closedAt: new Date(),
+      });
+      mockPrisma.terminalSession.findUnique.mockResolvedValueOnce(closedSession);
+
+      const result = await service.findById("session-uuid-1");
+
+      expect(result?.status).toBe(TerminalSessionStatus.CLOSED);
+    });
+  });
+});
--- a/apps/api/src/terminal/terminal-session.service.ts
+++ b/apps/api/src/terminal/terminal-session.service.ts
@@ -0,0 +1,96 @@
+/**
+ * TerminalSessionService
+ *
+ * Manages database persistence for terminal sessions.
+ * Provides CRUD operations on the TerminalSession model,
+ * enabling session tracking, recovery, and workspace-level listing.
+ *
+ * Session lifecycle:
+ * - create: record a new terminal session with ACTIVE status
+ * - findByWorkspace: return all ACTIVE sessions for a workspace
+ * - close: mark a session as CLOSED, set closedAt timestamp
+ * - findById: retrieve a single session by ID
+ */
+
+import { Injectable, NotFoundException, Logger } from "@nestjs/common";
+import { TerminalSessionStatus } from "@prisma/client";
+import type { TerminalSession } from "@prisma/client";
+import { PrismaService } from "../prisma/prisma.service";
+
+@Injectable()
+export class TerminalSessionService {
+  private readonly logger = new Logger(TerminalSessionService.name);
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  /**
+   * Create a new terminal session record in the database.
+   *
+   * @param workspaceId - The workspace this session belongs to
+   * @param name - Optional display name for the session (defaults to "Terminal")
+   * @returns The created TerminalSession record
+   */
+  async create(workspaceId: string, name?: string): Promise<TerminalSession> {
+    this.logger.log(
+      `Creating terminal session for workspace ${workspaceId}${name !== undefined ? ` (name: ${name})` : ""}`
+    );
+
+    const data: { workspaceId: string; name?: string } = { workspaceId };
+    if (name !== undefined) {
+      data.name = name;
+    }
+
+    return this.prisma.terminalSession.create({ data });
+  }
+
+  /**
+   * Find all ACTIVE terminal sessions for a workspace.
+   *
+   * @param workspaceId - The workspace to query
+   * @returns Array of active TerminalSession records, ordered by creation time (newest first)
+   */
+  async findByWorkspace(workspaceId: string): Promise<TerminalSession[]> {
+    return this.prisma.terminalSession.findMany({
+      where: {
+        workspaceId,
+        status: TerminalSessionStatus.ACTIVE,
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  /**
+   * Close a terminal session by setting its status to CLOSED and recording closedAt.
+   *
+   * @param id - The session ID to close
+   * @returns The updated TerminalSession record
+   * @throws NotFoundException if the session does not exist
+   */
+  async close(id: string): Promise<TerminalSession> {
+    const existing = await this.prisma.terminalSession.findUnique({ where: { id } });
+
+    if (!existing) {
+      throw new NotFoundException(`Terminal session ${id} not found`);
+    }
+
+    this.logger.log(`Closing terminal session ${id} (workspace: ${existing.workspaceId})`);
+
+    return this.prisma.terminalSession.update({
+      where: { id },
+      data: {
+        status: TerminalSessionStatus.CLOSED,
+        closedAt: new Date(),
+      },
+    });
+  }
+
+  /**
+   * Find a terminal session by ID.
+   *
+   * @param id - The session ID to retrieve
+   * @returns The TerminalSession record, or null if not found
+   */
+  async findById(id: string): Promise<TerminalSession | null> {
+    return this.prisma.terminalSession.findUnique({ where: { id } });
+  }
+}
--- a/apps/api/src/terminal/terminal.dto.ts
+++ b/apps/api/src/terminal/terminal.dto.ts
@@ -0,0 +1,89 @@
+/**
+ * Terminal DTOs
+ *
+ * Data Transfer Objects for terminal WebSocket events.
+ * Validated using class-validator decorators.
+ */
+
+import {
+  IsString,
+  IsOptional,
+  IsNumber,
+  IsInt,
+  Min,
+  Max,
+  MinLength,
+  MaxLength,
+} from "class-validator";
+
+/**
+ * DTO for creating a new terminal PTY session.
+ */
+export class CreateTerminalDto {
+  @IsOptional()
+  @IsString()
+  @MaxLength(128)
+  name?: string;
+
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(500)
+  cols?: number;
+
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(200)
+  rows?: number;
+
+  @IsOptional()
+  @IsString()
+  @MaxLength(4096)
+  cwd?: string;
+}
+
+/**
+ * DTO for sending input data to a terminal PTY session.
+ */
+export class TerminalInputDto {
+  @IsString()
+  @MinLength(1)
+  @MaxLength(64)
+  sessionId!: string;
+
+  @IsString()
+  data!: string;
+}
+
+/**
+ * DTO for resizing a terminal PTY session.
+ */
+export class TerminalResizeDto {
+  @IsString()
+  @MinLength(1)
+  @MaxLength(64)
+  sessionId!: string;
+
+  @IsNumber()
+  @IsInt()
+  @Min(1)
+  @Max(500)
+  cols!: number;
+
+  @IsNumber()
+  @IsInt()
+  @Min(1)
+  @Max(200)
+  rows!: number;
+}
+
+/**
+ * DTO for closing a terminal PTY session.
+ */
+export class CloseTerminalDto {
+  @IsString()
+  @MinLength(1)
+  @MaxLength(64)
+  sessionId!: string;
+}
--- a/apps/api/src/terminal/terminal.gateway.spec.ts
+++ b/apps/api/src/terminal/terminal.gateway.spec.ts
@@ -0,0 +1,501 @@
+/**
+ * TerminalGateway Tests
+ *
+ * Unit tests for WebSocket terminal gateway:
+ * - Authentication on connection
+ * - terminal:create event handling
+ * - terminal:input event handling
+ * - terminal:resize event handling
+ * - terminal:close event handling
+ * - disconnect cleanup
+ * - Error paths
+ */
+
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
+import type { Socket } from "socket.io";
+import { TerminalGateway } from "./terminal.gateway";
+import { TerminalService } from "./terminal.service";
+import { AuthService } from "../auth/auth.service";
+import { PrismaService } from "../prisma/prisma.service";
+
+// ==========================================
+// Mocks
+// ==========================================
+
+// Mock node-pty globally so TerminalService doesn't fail to import
+vi.mock("node-pty", () => ({
+  spawn: vi.fn(() => ({
+    onData: vi.fn(),
+    onExit: vi.fn(),
+    write: vi.fn(),
+    resize: vi.fn(),
+    kill: vi.fn(),
+    pid: 1000,
+  })),
+}));
+
+interface AuthenticatedSocket extends Socket {
+  data: {
+    userId?: string;
+    workspaceId?: string;
+  };
+}
+
+function createMockSocket(id = "test-socket-id"): AuthenticatedSocket {
+  return {
+    id,
+    emit: vi.fn(),
+    join: vi.fn(),
+    leave: vi.fn(),
+    disconnect: vi.fn(),
+    data: {},
+    handshake: {
+      auth: { token: "valid-token" },
+      query: {},
+      headers: {},
+    },
+  } as unknown as AuthenticatedSocket;
+}
+
+function createMockAuthService() {
+  return {
+    verifySession: vi.fn().mockResolvedValue({
+      user: { id: "user-123" },
+      session: { id: "session-123" },
+    }),
+  };
+}
+
+function createMockPrismaService() {
+  return {
+    workspaceMember: {
+      findFirst: vi.fn().mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      }),
+    },
+  };
+}
+
+function createMockTerminalService() {
+  return {
+    createSession: vi.fn().mockReturnValue({
+      sessionId: "session-uuid-1",
+      name: undefined,
+      cols: 80,
+      rows: 24,
+    }),
+    writeToSession: vi.fn(),
+    resizeSession: vi.fn(),
+    closeSession: vi.fn().mockReturnValue(true),
+    closeWorkspaceSessions: vi.fn(),
+    sessionBelongsToWorkspace: vi.fn().mockReturnValue(true),
+    getWorkspaceSessionCount: vi.fn().mockReturnValue(0),
+  };
+}
+
+// ==========================================
+// Tests
+// ==========================================
+
+describe("TerminalGateway", () => {
+  let gateway: TerminalGateway;
+  let mockAuthService: ReturnType<typeof createMockAuthService>;
+  let mockPrismaService: ReturnType<typeof createMockPrismaService>;
+  let mockTerminalService: ReturnType<typeof createMockTerminalService>;
+  let mockClient: AuthenticatedSocket;
+
+  beforeEach(() => {
+    mockAuthService = createMockAuthService();
+    mockPrismaService = createMockPrismaService();
+    mockTerminalService = createMockTerminalService();
+    mockClient = createMockSocket();
+
+    gateway = new TerminalGateway(
+      mockAuthService as unknown as AuthService,
+      mockPrismaService as unknown as PrismaService,
+      mockTerminalService as unknown as TerminalService
+    );
+
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  // ==========================================
+  // handleConnection (authentication)
+  // ==========================================
+  describe("handleConnection", () => {
+    it("should authenticate client and join workspace room on valid token", async () => {
+      mockAuthService.verifySession.mockResolvedValue({
+        user: { id: "user-123" },
+      });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+
+      await gateway.handleConnection(mockClient);
+
+      expect(mockAuthService.verifySession).toHaveBeenCalledWith("valid-token");
+      expect(mockClient.data.userId).toBe("user-123");
+      expect(mockClient.data.workspaceId).toBe("workspace-456");
+      expect(mockClient.join).toHaveBeenCalledWith("terminal:workspace-456");
+    });
+
+    it("should disconnect and emit error if no token provided", async () => {
+      const clientNoToken = createMockSocket("no-token");
+      clientNoToken.handshake = {
+        auth: {},
+        query: {},
+        headers: {},
+      } as typeof clientNoToken.handshake;
+
+      await gateway.handleConnection(clientNoToken);
+
+      expect(clientNoToken.disconnect).toHaveBeenCalled();
+      expect(clientNoToken.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("no token") })
+      );
+    });
+
+    it("should disconnect and emit error if token is invalid", async () => {
+      mockAuthService.verifySession.mockResolvedValue(null);
+
+      await gateway.handleConnection(mockClient);
+
+      expect(mockClient.disconnect).toHaveBeenCalled();
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("invalid") })
+      );
+    });
+
+    it("should disconnect and emit error if no workspace access", async () => {
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue(null);
+
+      await gateway.handleConnection(mockClient);
+
+      expect(mockClient.disconnect).toHaveBeenCalled();
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("workspace") })
+      );
+    });
+
+    it("should disconnect and emit error if auth throws", async () => {
+      mockAuthService.verifySession.mockRejectedValue(new Error("Auth service down"));
+
+      await gateway.handleConnection(mockClient);
+
+      expect(mockClient.disconnect).toHaveBeenCalled();
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.any(String) })
+      );
+    });
+
+    it("should extract token from handshake.query as fallback", async () => {
+      const clientQueryToken = createMockSocket("query-token-client");
+      clientQueryToken.handshake = {
+        auth: {},
+        query: { token: "query-token" },
+        headers: {},
+      } as typeof clientQueryToken.handshake;
+
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+
+      await gateway.handleConnection(clientQueryToken);
+
+      expect(mockAuthService.verifySession).toHaveBeenCalledWith("query-token");
+    });
+
+    it("should extract token from Authorization header as last fallback", async () => {
+      const clientHeaderToken = createMockSocket("header-token-client");
+      clientHeaderToken.handshake = {
+        auth: {},
+        query: {},
+        headers: { authorization: "Bearer header-token" },
+      } as typeof clientHeaderToken.handshake;
+
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+
+      await gateway.handleConnection(clientHeaderToken);
+
+      expect(mockAuthService.verifySession).toHaveBeenCalledWith("header-token");
+    });
+  });
+
+  // ==========================================
+  // handleDisconnect
+  // ==========================================
+  describe("handleDisconnect", () => {
+    it("should close all workspace sessions on disconnect", async () => {
+      await gateway.handleConnection(mockClient);
+      vi.clearAllMocks();
+
+      gateway.handleDisconnect(mockClient);
+
+      expect(mockTerminalService.closeWorkspaceSessions).toHaveBeenCalledWith("workspace-456");
+    });
+
+    it("should not throw for unauthenticated client disconnect", () => {
+      const unauthClient = createMockSocket("unauth-disconnect");
+
+      expect(() => gateway.handleDisconnect(unauthClient)).not.toThrow();
+      expect(mockTerminalService.closeWorkspaceSessions).not.toHaveBeenCalled();
+    });
+  });
+
+  // ==========================================
+  // handleCreate (terminal:create)
+  // ==========================================
+  describe("handleCreate", () => {
+    beforeEach(async () => {
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+      await gateway.handleConnection(mockClient);
+      vi.clearAllMocks();
+    });
+
+    it("should create a PTY session and emit terminal:created", async () => {
+      mockTerminalService.createSession.mockReturnValue({
+        sessionId: "new-session-id",
+        cols: 80,
+        rows: 24,
+      });
+
+      await gateway.handleCreate(mockClient, {});
+
+      expect(mockTerminalService.createSession).toHaveBeenCalled();
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:created",
+        expect.objectContaining({ sessionId: "new-session-id" })
+      );
+    });
+
+    it("should pass cols, rows, cwd, name to service", async () => {
+      await gateway.handleCreate(mockClient, {
+        cols: 132,
+        rows: 50,
+        cwd: "/home/user",
+        name: "my-shell",
+      });
+
+      expect(mockTerminalService.createSession).toHaveBeenCalledWith(
+        expect.anything(),
+        expect.objectContaining({ cols: 132, rows: 50, cwd: "/home/user", name: "my-shell" })
+      );
+    });
+
+    it("should emit terminal:error if not authenticated", async () => {
+      const unauthClient = createMockSocket("unauth");
+
+      await gateway.handleCreate(unauthClient, {});
+
+      expect(unauthClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("authenticated") })
+      );
+    });
+
+    it("should emit terminal:error if service throws (session limit)", async () => {
+      mockTerminalService.createSession.mockImplementation(() => {
+        throw new Error("Workspace has reached the maximum of 10 concurrent terminal sessions");
+      });
+
+      await gateway.handleCreate(mockClient, {});
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("maximum") })
+      );
+    });
+
+    it("should emit terminal:error for invalid payload (negative cols)", async () => {
+      await gateway.handleCreate(mockClient, { cols: -1 });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("Invalid payload") })
+      );
+    });
+  });
+
+  // ==========================================
+  // handleInput (terminal:input)
+  // ==========================================
+  describe("handleInput", () => {
+    beforeEach(async () => {
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+      await gateway.handleConnection(mockClient);
+      vi.clearAllMocks();
+    });
+
+    it("should write data to the PTY session", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(true);
+
+      await gateway.handleInput(mockClient, { sessionId: "sess-1", data: "ls\n" });
+
+      expect(mockTerminalService.writeToSession).toHaveBeenCalledWith("sess-1", "ls\n");
+    });
+
+    it("should emit terminal:error if session does not belong to workspace", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(false);
+
+      await gateway.handleInput(mockClient, { sessionId: "alien-sess", data: "data" });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("not found") })
+      );
+      expect(mockTerminalService.writeToSession).not.toHaveBeenCalled();
+    });
+
+    it("should emit terminal:error if not authenticated", async () => {
+      const unauthClient = createMockSocket("unauth");
+
+      await gateway.handleInput(unauthClient, { sessionId: "sess-1", data: "x" });
+
+      expect(unauthClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("authenticated") })
+      );
+    });
+
+    it("should emit terminal:error for invalid payload (missing sessionId)", async () => {
+      await gateway.handleInput(mockClient, { data: "some input" });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("Invalid payload") })
+      );
+    });
+  });
+
+  // ==========================================
+  // handleResize (terminal:resize)
+  // ==========================================
+  describe("handleResize", () => {
+    beforeEach(async () => {
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+      await gateway.handleConnection(mockClient);
+      vi.clearAllMocks();
+    });
+
+    it("should resize the PTY session", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(true);
+
+      await gateway.handleResize(mockClient, { sessionId: "sess-1", cols: 120, rows: 40 });
+
+      expect(mockTerminalService.resizeSession).toHaveBeenCalledWith("sess-1", 120, 40);
+    });
+
+    it("should emit terminal:error if session does not belong to workspace", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(false);
+
+      await gateway.handleResize(mockClient, { sessionId: "alien-sess", cols: 80, rows: 24 });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("not found") })
+      );
+    });
+
+    it("should emit terminal:error for invalid payload (cols too large)", async () => {
+      await gateway.handleResize(mockClient, { sessionId: "sess-1", cols: 9999, rows: 24 });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("Invalid payload") })
+      );
+    });
+  });
+
+  // ==========================================
+  // handleClose (terminal:close)
+  // ==========================================
+  describe("handleClose", () => {
+    beforeEach(async () => {
+      mockAuthService.verifySession.mockResolvedValue({ user: { id: "user-123" } });
+      mockPrismaService.workspaceMember.findFirst.mockResolvedValue({
+        userId: "user-123",
+        workspaceId: "workspace-456",
+        role: "MEMBER",
+      });
+      await gateway.handleConnection(mockClient);
+      vi.clearAllMocks();
+    });
+
+    it("should close an existing PTY session", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(true);
+      mockTerminalService.closeSession.mockReturnValue(true);
+
+      await gateway.handleClose(mockClient, { sessionId: "sess-1" });
+
+      expect(mockTerminalService.closeSession).toHaveBeenCalledWith("sess-1");
+    });
+
+    it("should emit terminal:error if session does not belong to workspace", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(false);
+
+      await gateway.handleClose(mockClient, { sessionId: "alien-sess" });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("not found") })
+      );
+    });
+
+    it("should emit terminal:error if closeSession returns false (session gone)", async () => {
+      mockTerminalService.sessionBelongsToWorkspace.mockReturnValue(true);
+      mockTerminalService.closeSession.mockReturnValue(false);
+
+      await gateway.handleClose(mockClient, { sessionId: "gone-sess" });
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("not found") })
+      );
+    });
+
+    it("should emit terminal:error for invalid payload (missing sessionId)", async () => {
+      await gateway.handleClose(mockClient, {});
+
+      expect(mockClient.emit).toHaveBeenCalledWith(
+        "terminal:error",
+        expect.objectContaining({ message: expect.stringContaining("Invalid payload") })
+      );
+    });
+  });
+});
--- a/apps/api/src/terminal/terminal.gateway.ts
+++ b/apps/api/src/terminal/terminal.gateway.ts
@@ -0,0 +1,423 @@
+/**
+ * TerminalGateway
+ *
+ * WebSocket gateway for real-time PTY terminal sessions.
+ * Uses the `/terminal` namespace to keep terminal traffic separate
+ * from the main WebSocket gateway.
+ *
+ * Protocol:
+ * 1. Client connects with auth token in handshake
+ * 2. Client emits `terminal:create` to spawn a new PTY session
+ * 3. Server emits `terminal:created` with { sessionId }
+ * 4. Client emits `terminal:input` with { sessionId, data } to send keystrokes
+ * 5. Server emits `terminal:output` with { sessionId, data } for stdout/stderr
+ * 6. Client emits `terminal:resize` with { sessionId, cols, rows } on window resize
+ * 7. Client emits `terminal:close` with { sessionId } to terminate the PTY
+ * 8. Server emits `terminal:exit` with { sessionId, exitCode, signal } on PTY exit
+ *
+ * Authentication:
+ * - Same pattern as websocket.gateway.ts and speech.gateway.ts
+ * - Token extracted from handshake.auth.token / query.token / Authorization header
+ *
+ * Workspace isolation:
+ * - Clients join room `terminal:{workspaceId}` on connect
+ * - Sessions are scoped to workspace; cross-workspace access is denied
+ */
+
+import {
+  WebSocketGateway as WSGateway,
+  WebSocketServer,
+  SubscribeMessage,
+  OnGatewayConnection,
+  OnGatewayDisconnect,
+} from "@nestjs/websockets";
+import { Logger } from "@nestjs/common";
+import { Server, Socket } from "socket.io";
+import { AuthService } from "../auth/auth.service";
+import { PrismaService } from "../prisma/prisma.service";
+import { TerminalService } from "./terminal.service";
+import {
+  CreateTerminalDto,
+  TerminalInputDto,
+  TerminalResizeDto,
+  CloseTerminalDto,
+} from "./terminal.dto";
+import { validate } from "class-validator";
+import { plainToInstance } from "class-transformer";
+
+// ==========================================
+// Types
+// ==========================================
+
+interface AuthenticatedSocket extends Socket {
+  data: {
+    userId?: string;
+    workspaceId?: string;
+  };
+}
+
+// ==========================================
+// Gateway
+// ==========================================
+
+@WSGateway({
+  namespace: "/terminal",
+  cors: {
+    origin: process.env.WEB_URL ?? "http://localhost:3000",
+    credentials: true,
+  },
+})
+export class TerminalGateway implements OnGatewayConnection, OnGatewayDisconnect {
+  @WebSocketServer()
+  server!: Server;
+
+  private readonly logger = new Logger(TerminalGateway.name);
+  private readonly CONNECTION_TIMEOUT_MS = 5000;
+
+  constructor(
+    private readonly authService: AuthService,
+    private readonly prisma: PrismaService,
+    private readonly terminalService: TerminalService
+  ) {}
+
+  // ==========================================
+  // Connection lifecycle
+  // ==========================================
+
+  /**
+   * Authenticate client on connection using handshake token.
+   * Validates workspace membership and joins the workspace-scoped room.
+   */
+  async handleConnection(client: Socket): Promise<void> {
+    const authenticatedClient = client as AuthenticatedSocket;
+
+    const timeoutId = setTimeout(() => {
+      if (!authenticatedClient.data.userId) {
+        this.logger.warn(
+          `Terminal client ${authenticatedClient.id} timed out during authentication`
+        );
+        authenticatedClient.emit("terminal:error", {
+          message: "Authentication timed out.",
+        });
+        authenticatedClient.disconnect();
+      }
+    }, this.CONNECTION_TIMEOUT_MS);
+
+    try {
+      const token = this.extractTokenFromHandshake(authenticatedClient);
+
+      if (!token) {
+        this.logger.warn(`Terminal client ${authenticatedClient.id} connected without token`);
+        authenticatedClient.emit("terminal:error", {
+          message: "Authentication failed: no token provided.",
+        });
+        authenticatedClient.disconnect();
+        clearTimeout(timeoutId);
+        return;
+      }
+
+      const sessionData = await this.authService.verifySession(token);
+
+      if (!sessionData) {
+        this.logger.warn(`Terminal client ${authenticatedClient.id} has invalid token`);
+        authenticatedClient.emit("terminal:error", {
+          message: "Authentication failed: invalid or expired token.",
+        });
+        authenticatedClient.disconnect();
+        clearTimeout(timeoutId);
+        return;
+      }
+
+      const user = sessionData.user as { id: string };
+      const userId = user.id;
+
+      const workspaceMembership = await this.prisma.workspaceMember.findFirst({
+        where: { userId },
+        select: { workspaceId: true, userId: true, role: true },
+      });
+
+      if (!workspaceMembership) {
+        this.logger.warn(`Terminal user ${userId} has no workspace access`);
+        authenticatedClient.emit("terminal:error", {
+          message: "Authentication failed: no workspace access.",
+        });
+        authenticatedClient.disconnect();
+        clearTimeout(timeoutId);
+        return;
+      }
+
+      authenticatedClient.data.userId = userId;
+      authenticatedClient.data.workspaceId = workspaceMembership.workspaceId;
+
+      // Join workspace-scoped terminal room
+      const room = this.getWorkspaceRoom(workspaceMembership.workspaceId);
+      await authenticatedClient.join(room);
+
+      clearTimeout(timeoutId);
+      this.logger.log(
+        `Terminal client ${authenticatedClient.id} connected (user: ${userId}, workspace: ${workspaceMembership.workspaceId})`
+      );
+    } catch (error) {
+      clearTimeout(timeoutId);
+      this.logger.error(
+        `Authentication failed for terminal client ${authenticatedClient.id}:`,
+        error instanceof Error ? error.message : "Unknown error"
+      );
+      authenticatedClient.emit("terminal:error", {
+        message: "Authentication failed: an unexpected error occurred.",
+      });
+      authenticatedClient.disconnect();
+    }
+  }
+
+  /**
+   * Clean up all PTY sessions for this client's workspace on disconnect.
+   */
+  handleDisconnect(client: Socket): void {
+    const authenticatedClient = client as AuthenticatedSocket;
+    const { workspaceId, userId } = authenticatedClient.data;
+
+    if (workspaceId) {
+      this.terminalService.closeWorkspaceSessions(workspaceId);
+
+      const room = this.getWorkspaceRoom(workspaceId);
+      void authenticatedClient.leave(room);
+      this.logger.log(
+        `Terminal client ${authenticatedClient.id} disconnected (user: ${userId ?? "unknown"}, workspace: ${workspaceId})`
+      );
+    } else {
+      this.logger.debug(`Terminal client ${authenticatedClient.id} disconnected (unauthenticated)`);
+    }
+  }
+
+  // ==========================================
+  // Terminal events
+  // ==========================================
+
+  /**
+   * Spawn a new PTY session for the connected client.
+   *
+   * Emits `terminal:created` with { sessionId, name, cols, rows } on success.
+   * Emits `terminal:error` on failure.
+   */
+  @SubscribeMessage("terminal:create")
+  async handleCreate(client: Socket, payload: unknown): Promise<void> {
+    const authenticatedClient = client as AuthenticatedSocket;
+    const { userId, workspaceId } = authenticatedClient.data;
+
+    if (!userId || !workspaceId) {
+      authenticatedClient.emit("terminal:error", {
+        message: "Not authenticated. Connect with a valid token.",
+      });
+      return;
+    }
+
+    // Validate DTO
+    const dto = plainToInstance(CreateTerminalDto, payload ?? {});
+    const errors = await validate(dto);
+    if (errors.length > 0) {
+      const messages = errors.map((e) => Object.values(e.constraints ?? {}).join(", ")).join("; ");
+      authenticatedClient.emit("terminal:error", {
+        message: `Invalid payload: ${messages}`,
+      });
+      return;
+    }
+
+    try {
+      const result = this.terminalService.createSession(authenticatedClient, {
+        workspaceId,
+        socketId: authenticatedClient.id,
+        ...(dto.name !== undefined ? { name: dto.name } : {}),
+        ...(dto.cols !== undefined ? { cols: dto.cols } : {}),
+        ...(dto.rows !== undefined ? { rows: dto.rows } : {}),
+        ...(dto.cwd !== undefined ? { cwd: dto.cwd } : {}),
+      });
+
+      authenticatedClient.emit("terminal:created", {
+        sessionId: result.sessionId,
+        name: result.name,
+        cols: result.cols,
+        rows: result.rows,
+      });
+
+      this.logger.log(
+        `Terminal session ${result.sessionId} created for client ${authenticatedClient.id} (workspace: ${workspaceId})`
+      );
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.error(
+        `Failed to create terminal session for client ${authenticatedClient.id}: ${message}`
+      );
+      authenticatedClient.emit("terminal:error", { message });
+    }
+  }
+
+  /**
+   * Write input data to an existing PTY session.
+   *
+   * Emits `terminal:error` if the session is not found or unauthorized.
+   */
+  @SubscribeMessage("terminal:input")
+  async handleInput(client: Socket, payload: unknown): Promise<void> {
+    const authenticatedClient = client as AuthenticatedSocket;
+    const { userId, workspaceId } = authenticatedClient.data;
+
+    if (!userId || !workspaceId) {
+      authenticatedClient.emit("terminal:error", {
+        message: "Not authenticated. Connect with a valid token.",
+      });
+      return;
+    }
+
+    const dto = plainToInstance(TerminalInputDto, payload ?? {});
+    const errors = await validate(dto);
+    if (errors.length > 0) {
+      const messages = errors.map((e) => Object.values(e.constraints ?? {}).join(", ")).join("; ");
+      authenticatedClient.emit("terminal:error", {
+        message: `Invalid payload: ${messages}`,
+      });
+      return;
+    }
+
+    if (!this.terminalService.sessionBelongsToWorkspace(dto.sessionId, workspaceId)) {
+      authenticatedClient.emit("terminal:error", {
+        message: `Terminal session ${dto.sessionId} not found or unauthorized.`,
+      });
+      return;
+    }
+
+    try {
+      this.terminalService.writeToSession(dto.sessionId, dto.data);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to write to terminal session ${dto.sessionId}: ${message}`);
+      authenticatedClient.emit("terminal:error", { message });
+    }
+  }
+
+  /**
+   * Resize an existing PTY session.
+   *
+   * Emits `terminal:error` if the session is not found or unauthorized.
+   */
+  @SubscribeMessage("terminal:resize")
+  async handleResize(client: Socket, payload: unknown): Promise<void> {
+    const authenticatedClient = client as AuthenticatedSocket;
+    const { userId, workspaceId } = authenticatedClient.data;
+
+    if (!userId || !workspaceId) {
+      authenticatedClient.emit("terminal:error", {
+        message: "Not authenticated. Connect with a valid token.",
+      });
+      return;
+    }
+
+    const dto = plainToInstance(TerminalResizeDto, payload ?? {});
+    const errors = await validate(dto);
+    if (errors.length > 0) {
+      const messages = errors.map((e) => Object.values(e.constraints ?? {}).join(", ")).join("; ");
+      authenticatedClient.emit("terminal:error", {
+        message: `Invalid payload: ${messages}`,
+      });
+      return;
+    }
+
+    if (!this.terminalService.sessionBelongsToWorkspace(dto.sessionId, workspaceId)) {
+      authenticatedClient.emit("terminal:error", {
+        message: `Terminal session ${dto.sessionId} not found or unauthorized.`,
+      });
+      return;
+    }
+
+    try {
+      this.terminalService.resizeSession(dto.sessionId, dto.cols, dto.rows);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to resize terminal session ${dto.sessionId}: ${message}`);
+      authenticatedClient.emit("terminal:error", { message });
+    }
+  }
+
+  /**
+   * Kill and close an existing PTY session.
+   *
+   * Emits `terminal:error` if the session is not found or unauthorized.
+   */
+  @SubscribeMessage("terminal:close")
+  async handleClose(client: Socket, payload: unknown): Promise<void> {
+    const authenticatedClient = client as AuthenticatedSocket;
+    const { userId, workspaceId } = authenticatedClient.data;
+
+    if (!userId || !workspaceId) {
+      authenticatedClient.emit("terminal:error", {
+        message: "Not authenticated. Connect with a valid token.",
+      });
+      return;
+    }
+
+    const dto = plainToInstance(CloseTerminalDto, payload ?? {});
+    const errors = await validate(dto);
+    if (errors.length > 0) {
+      const messages = errors.map((e) => Object.values(e.constraints ?? {}).join(", ")).join("; ");
+      authenticatedClient.emit("terminal:error", {
+        message: `Invalid payload: ${messages}`,
+      });
+      return;
+    }
+
+    if (!this.terminalService.sessionBelongsToWorkspace(dto.sessionId, workspaceId)) {
+      authenticatedClient.emit("terminal:error", {
+        message: `Terminal session ${dto.sessionId} not found or unauthorized.`,
+      });
+      return;
+    }
+
+    const closed = this.terminalService.closeSession(dto.sessionId);
+    if (!closed) {
+      authenticatedClient.emit("terminal:error", {
+        message: `Terminal session ${dto.sessionId} not found.`,
+      });
+      return;
+    }
+
+    this.logger.log(`Terminal session ${dto.sessionId} closed by client ${authenticatedClient.id}`);
+  }
+
+  // ==========================================
+  // Private helpers
+  // ==========================================
+
+  /**
+   * Extract authentication token from Socket.IO handshake.
+   * Checks auth.token, query.token, and Authorization header (in that order).
+   */
+  private extractTokenFromHandshake(client: Socket): string | undefined {
+    const authToken = client.handshake.auth.token as unknown;
+    if (typeof authToken === "string" && authToken.length > 0) {
+      return authToken;
+    }
+
+    const queryToken = client.handshake.query.token as unknown;
+    if (typeof queryToken === "string" && queryToken.length > 0) {
+      return queryToken;
+    }
+
+    const authHeader = client.handshake.headers.authorization as unknown;
+    if (typeof authHeader === "string") {
+      const parts = authHeader.split(" ");
+      const [type, token] = parts;
+      if (type === "Bearer" && token) {
+        return token;
+      }
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Get the workspace-scoped room name for the terminal namespace.
+   */
+  private getWorkspaceRoom(workspaceId: string): string {
+    return `terminal:${workspaceId}`;
+  }
+}
--- a/apps/api/src/terminal/terminal.module.ts
+++ b/apps/api/src/terminal/terminal.module.ts
@@ -0,0 +1,31 @@
+/**
+ * TerminalModule
+ *
+ * NestJS module for WebSocket-based terminal sessions via node-pty.
+ *
+ * Imports:
+ * - AuthModule for WebSocket authentication (verifySession)
+ * - PrismaModule for workspace membership queries and session persistence
+ *
+ * Providers:
+ * - TerminalService: manages PTY session lifecycle (in-memory)
+ * - TerminalSessionService: persists session records to the database
+ * - TerminalGateway: WebSocket gateway on /terminal namespace
+ *
+ * The module does not export providers; terminal sessions are
+ * self-contained within this module.
+ */
+
+import { Module } from "@nestjs/common";
+import { TerminalGateway } from "./terminal.gateway";
+import { TerminalService } from "./terminal.service";
+import { TerminalSessionService } from "./terminal-session.service";
+import { AuthModule } from "../auth/auth.module";
+import { PrismaModule } from "../prisma/prisma.module";
+
+@Module({
+  imports: [AuthModule, PrismaModule],
+  providers: [TerminalGateway, TerminalService, TerminalSessionService],
+  exports: [TerminalSessionService],
+})
+export class TerminalModule {}
--- a/apps/api/src/terminal/terminal.service.spec.ts
+++ b/apps/api/src/terminal/terminal.service.spec.ts
@@ -0,0 +1,337 @@
+/**
+ * TerminalService Tests
+ *
+ * Unit tests for PTY session management: create, write, resize, close,
+ * workspace cleanup, and access control.
+ */
+
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
+import type { Socket } from "socket.io";
+import { TerminalService, MAX_SESSIONS_PER_WORKSPACE } from "./terminal.service";
+
+// ==========================================
+// Mocks
+// ==========================================
+
+// Mock node-pty before importing service
+const mockPtyProcess = {
+  onData: vi.fn(),
+  onExit: vi.fn(),
+  write: vi.fn(),
+  resize: vi.fn(),
+  kill: vi.fn(),
+  pid: 12345,
+};
+
+vi.mock("node-pty", () => ({
+  spawn: vi.fn(() => mockPtyProcess),
+}));
+
+function createMockSocket(id = "socket-1"): Socket {
+  return {
+    id,
+    emit: vi.fn(),
+    join: vi.fn(),
+    leave: vi.fn(),
+    disconnect: vi.fn(),
+    data: {},
+  } as unknown as Socket;
+}
+
+// ==========================================
+// Tests
+// ==========================================
+
+describe("TerminalService", () => {
+  let service: TerminalService;
+  let mockSocket: Socket;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Reset mock implementations
+    mockPtyProcess.onData.mockImplementation((_cb: (data: string) => void) => {});
+    mockPtyProcess.onExit.mockImplementation(
+      (_cb: (e: { exitCode: number; signal?: number }) => void) => {}
+    );
+    service = new TerminalService();
+    mockSocket = createMockSocket();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  // ==========================================
+  // createSession
+  // ==========================================
+  describe("createSession", () => {
+    it("should create a PTY session and return sessionId", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(result.sessionId).toBeDefined();
+      expect(typeof result.sessionId).toBe("string");
+      expect(result.cols).toBe(80);
+      expect(result.rows).toBe(24);
+    });
+
+    it("should use provided cols and rows", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+        cols: 120,
+        rows: 40,
+      });
+
+      expect(result.cols).toBe(120);
+      expect(result.rows).toBe(40);
+    });
+
+    it("should return the provided session name", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+        name: "my-terminal",
+      });
+
+      expect(result.name).toBe("my-terminal");
+    });
+
+    it("should wire PTY onData to emit terminal:output", () => {
+      let dataCallback: ((data: string) => void) | undefined;
+      mockPtyProcess.onData.mockImplementation((cb: (data: string) => void) => {
+        dataCallback = cb;
+      });
+
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(dataCallback).toBeDefined();
+      dataCallback!("hello world");
+
+      expect(mockSocket.emit).toHaveBeenCalledWith("terminal:output", {
+        sessionId: result.sessionId,
+        data: "hello world",
+      });
+    });
+
+    it("should wire PTY onExit to emit terminal:exit and cleanup", () => {
+      let exitCallback: ((e: { exitCode: number; signal?: number }) => void) | undefined;
+      mockPtyProcess.onExit.mockImplementation(
+        (cb: (e: { exitCode: number; signal?: number }) => void) => {
+          exitCallback = cb;
+        }
+      );
+
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(exitCallback).toBeDefined();
+      exitCallback!({ exitCode: 0 });
+
+      expect(mockSocket.emit).toHaveBeenCalledWith("terminal:exit", {
+        sessionId: result.sessionId,
+        exitCode: 0,
+        signal: undefined,
+      });
+
+      // Session should be cleaned up
+      expect(service.sessionBelongsToWorkspace(result.sessionId, "ws-1")).toBe(false);
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(0);
+    });
+
+    it("should throw when workspace session limit is reached", () => {
+      const limit = MAX_SESSIONS_PER_WORKSPACE;
+
+      for (let i = 0; i < limit; i++) {
+        service.createSession(createMockSocket(`socket-${String(i)}`), {
+          workspaceId: "ws-limit",
+          socketId: `socket-${String(i)}`,
+        });
+      }
+
+      expect(() =>
+        service.createSession(createMockSocket("socket-overflow"), {
+          workspaceId: "ws-limit",
+          socketId: "socket-overflow",
+        })
+      ).toThrow(/maximum/i);
+    });
+
+    it("should allow sessions in different workspaces independently", () => {
+      service.createSession(mockSocket, { workspaceId: "ws-a", socketId: "s1" });
+      service.createSession(createMockSocket("s2"), { workspaceId: "ws-b", socketId: "s2" });
+
+      expect(service.getWorkspaceSessionCount("ws-a")).toBe(1);
+      expect(service.getWorkspaceSessionCount("ws-b")).toBe(1);
+    });
+  });
+
+  // ==========================================
+  // writeToSession
+  // ==========================================
+  describe("writeToSession", () => {
+    it("should write data to PTY", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      service.writeToSession(result.sessionId, "ls -la\n");
+
+      expect(mockPtyProcess.write).toHaveBeenCalledWith("ls -la\n");
+    });
+
+    it("should throw for unknown sessionId", () => {
+      expect(() => service.writeToSession("nonexistent-id", "data")).toThrow(/not found/i);
+    });
+  });
+
+  // ==========================================
+  // resizeSession
+  // ==========================================
+  describe("resizeSession", () => {
+    it("should resize PTY dimensions", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      service.resizeSession(result.sessionId, 132, 50);
+
+      expect(mockPtyProcess.resize).toHaveBeenCalledWith(132, 50);
+    });
+
+    it("should throw for unknown sessionId", () => {
+      expect(() => service.resizeSession("nonexistent-id", 80, 24)).toThrow(/not found/i);
+    });
+  });
+
+  // ==========================================
+  // closeSession
+  // ==========================================
+  describe("closeSession", () => {
+    it("should kill PTY and return true for existing session", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      const closed = service.closeSession(result.sessionId);
+
+      expect(closed).toBe(true);
+      expect(mockPtyProcess.kill).toHaveBeenCalled();
+      expect(service.sessionBelongsToWorkspace(result.sessionId, "ws-1")).toBe(false);
+    });
+
+    it("should return false for nonexistent sessionId", () => {
+      const closed = service.closeSession("does-not-exist");
+      expect(closed).toBe(false);
+    });
+
+    it("should clean up workspace tracking after close", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(1);
+      service.closeSession(result.sessionId);
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(0);
+    });
+
+    it("should not throw if PTY kill throws", () => {
+      mockPtyProcess.kill.mockImplementationOnce(() => {
+        throw new Error("PTY already dead");
+      });
+
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(() => service.closeSession(result.sessionId)).not.toThrow();
+    });
+  });
+
+  // ==========================================
+  // closeWorkspaceSessions
+  // ==========================================
+  describe("closeWorkspaceSessions", () => {
+    it("should kill all sessions for a workspace", () => {
+      service.createSession(mockSocket, { workspaceId: "ws-1", socketId: "s1" });
+      service.createSession(createMockSocket("s2"), { workspaceId: "ws-1", socketId: "s2" });
+
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(2);
+
+      service.closeWorkspaceSessions("ws-1");
+
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(0);
+      expect(mockPtyProcess.kill).toHaveBeenCalledTimes(2);
+    });
+
+    it("should not affect sessions in other workspaces", () => {
+      service.createSession(mockSocket, { workspaceId: "ws-1", socketId: "s1" });
+      service.createSession(createMockSocket("s2"), { workspaceId: "ws-2", socketId: "s2" });
+
+      service.closeWorkspaceSessions("ws-1");
+
+      expect(service.getWorkspaceSessionCount("ws-1")).toBe(0);
+      expect(service.getWorkspaceSessionCount("ws-2")).toBe(1);
+    });
+
+    it("should not throw for workspaces with no sessions", () => {
+      expect(() => service.closeWorkspaceSessions("ws-nonexistent")).not.toThrow();
+    });
+  });
+
+  // ==========================================
+  // sessionBelongsToWorkspace
+  // ==========================================
+  describe("sessionBelongsToWorkspace", () => {
+    it("should return true for a session belonging to the workspace", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(service.sessionBelongsToWorkspace(result.sessionId, "ws-1")).toBe(true);
+    });
+
+    it("should return false for a session in a different workspace", () => {
+      const result = service.createSession(mockSocket, {
+        workspaceId: "ws-1",
+        socketId: "socket-1",
+      });
+
+      expect(service.sessionBelongsToWorkspace(result.sessionId, "ws-2")).toBe(false);
+    });
+
+    it("should return false for a nonexistent sessionId", () => {
+      expect(service.sessionBelongsToWorkspace("no-such-id", "ws-1")).toBe(false);
+    });
+  });
+
+  // ==========================================
+  // getWorkspaceSessionCount
+  // ==========================================
+  describe("getWorkspaceSessionCount", () => {
+    it("should return 0 for workspace with no sessions", () => {
+      expect(service.getWorkspaceSessionCount("empty-ws")).toBe(0);
+    });
+
+    it("should track session count accurately", () => {
+      service.createSession(mockSocket, { workspaceId: "ws-count", socketId: "s1" });
+      expect(service.getWorkspaceSessionCount("ws-count")).toBe(1);
+
+      service.createSession(createMockSocket("s2"), { workspaceId: "ws-count", socketId: "s2" });
+      expect(service.getWorkspaceSessionCount("ws-count")).toBe(2);
+    });
+  });
+});
--- a/apps/api/src/terminal/terminal.service.ts
+++ b/apps/api/src/terminal/terminal.service.ts
@@ -0,0 +1,251 @@
+/**
+ * TerminalService
+ *
+ * Manages PTY (pseudo-terminal) sessions for workspace users.
+ * Spawns real shell processes via node-pty, streams I/O to connected sockets,
+ * and enforces per-workspace session limits.
+ *
+ * Session lifecycle:
+ * - createSession: spawn a new PTY, wire onData/onExit, return sessionId
+ * - writeToSession: send input data to PTY stdin
+ * - resizeSession: resize PTY dimensions (cols x rows)
+ * - closeSession: kill PTY process, emit terminal:exit, cleanup
+ * - closeWorkspaceSessions: kill all sessions for a workspace (on disconnect)
+ */
+
+import { Injectable, Logger } from "@nestjs/common";
+import * as pty from "node-pty";
+import type { Socket } from "socket.io";
+import { randomUUID } from "node:crypto";
+
+/** Maximum concurrent PTY sessions per workspace */
+export const MAX_SESSIONS_PER_WORKSPACE = parseInt(
+  process.env.TERMINAL_MAX_SESSIONS_PER_WORKSPACE ?? "10",
+  10
+);
+
+/** Default PTY dimensions */
+const DEFAULT_COLS = 80;
+const DEFAULT_ROWS = 24;
+
+export interface TerminalSession {
+  sessionId: string;
+  workspaceId: string;
+  pty: pty.IPty;
+  name?: string;
+  createdAt: Date;
+}
+
+export interface CreateSessionOptions {
+  name?: string;
+  cols?: number;
+  rows?: number;
+  cwd?: string;
+  workspaceId: string;
+  socketId: string;
+}
+
+export interface SessionCreatedResult {
+  sessionId: string;
+  name?: string;
+  cols: number;
+  rows: number;
+}
+
+@Injectable()
+export class TerminalService {
+  private readonly logger = new Logger(TerminalService.name);
+
+  /**
+   * Map of sessionId -> TerminalSession
+   */
+  private readonly sessions = new Map<string, TerminalSession>();
+
+  /**
+   * Map of workspaceId -> Set<sessionId> for fast per-workspace lookups
+   */
+  private readonly workspaceSessions = new Map<string, Set<string>>();
+
+  /**
+   * Create a new PTY session for the given workspace and socket.
+   * Wires PTY onData -> emit terminal:output and onExit -> emit terminal:exit.
+   *
+   * @throws Error if workspace session limit is exceeded
+   */
+  createSession(socket: Socket, options: CreateSessionOptions): SessionCreatedResult {
+    const { workspaceId, name, cwd, socketId } = options;
+    const cols = options.cols ?? DEFAULT_COLS;
+    const rows = options.rows ?? DEFAULT_ROWS;
+
+    // Enforce per-workspace session limit
+    const workspaceSessionIds = this.workspaceSessions.get(workspaceId) ?? new Set<string>();
+    if (workspaceSessionIds.size >= MAX_SESSIONS_PER_WORKSPACE) {
+      throw new Error(
+        `Workspace ${workspaceId} has reached the maximum of ${String(MAX_SESSIONS_PER_WORKSPACE)} concurrent terminal sessions`
+      );
+    }
+
+    const sessionId = randomUUID();
+    const shell = process.env.SHELL ?? "/bin/bash";
+
+    this.logger.log(
+      `Spawning PTY session ${sessionId} for workspace ${workspaceId} (socket: ${socketId}, shell: ${shell}, ${String(cols)}x${String(rows)})`
+    );
+
+    const ptyProcess = pty.spawn(shell, [], {
+      name: "xterm-256color",
+      cols,
+      rows,
+      cwd: cwd ?? process.cwd(),
+      env: process.env as Record<string, string>,
+    });
+
+    const session: TerminalSession = {
+      sessionId,
+      workspaceId,
+      pty: ptyProcess,
+      ...(name !== undefined ? { name } : {}),
+      createdAt: new Date(),
+    };
+
+    this.sessions.set(sessionId, session);
+
+    // Track by workspace
+    if (!this.workspaceSessions.has(workspaceId)) {
+      this.workspaceSessions.set(workspaceId, new Set());
+    }
+    const wsSet = this.workspaceSessions.get(workspaceId);
+    if (wsSet) {
+      wsSet.add(sessionId);
+    }
+
+    // Wire PTY stdout/stderr -> terminal:output
+    ptyProcess.onData((data: string) => {
+      socket.emit("terminal:output", { sessionId, data });
+    });
+
+    // Wire PTY exit -> terminal:exit, cleanup
+    ptyProcess.onExit(({ exitCode, signal }) => {
+      this.logger.log(
+        `PTY session ${sessionId} exited (exitCode: ${String(exitCode)}, signal: ${String(signal ?? "none")})`
+      );
+      socket.emit("terminal:exit", { sessionId, exitCode, signal });
+      this.cleanupSession(sessionId, workspaceId);
+    });
+
+    return { sessionId, ...(name !== undefined ? { name } : {}), cols, rows };
+  }
+
+  /**
+   * Write input data to a PTY session's stdin.
+   *
+   * @throws Error if session not found
+   */
+  writeToSession(sessionId: string, data: string): void {
+    const session = this.sessions.get(sessionId);
+    if (!session) {
+      throw new Error(`Terminal session ${sessionId} not found`);
+    }
+    session.pty.write(data);
+  }
+
+  /**
+   * Resize a PTY session's terminal dimensions.
+   *
+   * @throws Error if session not found
+   */
+  resizeSession(sessionId: string, cols: number, rows: number): void {
+    const session = this.sessions.get(sessionId);
+    if (!session) {
+      throw new Error(`Terminal session ${sessionId} not found`);
+    }
+    session.pty.resize(cols, rows);
+    this.logger.debug(`Resized PTY session ${sessionId} to ${String(cols)}x${String(rows)}`);
+  }
+
+  /**
+   * Kill and clean up a specific PTY session.
+   * Returns true if the session existed, false if it was already gone.
+   */
+  closeSession(sessionId: string): boolean {
+    const session = this.sessions.get(sessionId);
+    if (!session) {
+      return false;
+    }
+
+    this.logger.log(`Closing PTY session ${sessionId} for workspace ${session.workspaceId}`);
+
+    try {
+      session.pty.kill();
+    } catch (error) {
+      this.logger.warn(
+        `Error killing PTY session ${sessionId}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+
+    this.cleanupSession(sessionId, session.workspaceId);
+    return true;
+  }
+
+  /**
+   * Close all PTY sessions for a workspace (called on client disconnect).
+   */
+  closeWorkspaceSessions(workspaceId: string): void {
+    const sessionIds = this.workspaceSessions.get(workspaceId);
+    if (!sessionIds || sessionIds.size === 0) {
+      return;
+    }
+
+    this.logger.log(
+      `Closing ${String(sessionIds.size)} PTY session(s) for workspace ${workspaceId} (disconnect)`
+    );
+
+    // Copy to array to avoid mutation during iteration
+    const ids = Array.from(sessionIds);
+    for (const sessionId of ids) {
+      const session = this.sessions.get(sessionId);
+      if (session) {
+        try {
+          session.pty.kill();
+        } catch (error) {
+          this.logger.warn(
+            `Error killing PTY session ${sessionId} on disconnect: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+        this.cleanupSession(sessionId, workspaceId);
+      }
+    }
+  }
+
+  /**
+   * Get the number of active sessions for a workspace.
+   */
+  getWorkspaceSessionCount(workspaceId: string): number {
+    return this.workspaceSessions.get(workspaceId)?.size ?? 0;
+  }
+
+  /**
+   * Check if a session belongs to a given workspace.
+   * Used for access control in the gateway.
+   */
+  sessionBelongsToWorkspace(sessionId: string, workspaceId: string): boolean {
+    const session = this.sessions.get(sessionId);
+    return session?.workspaceId === workspaceId;
+  }
+
+  /**
+   * Internal cleanup: remove session from tracking maps.
+   * Does NOT kill the PTY (caller is responsible).
+   */
+  private cleanupSession(sessionId: string, workspaceId: string): void {
+    this.sessions.delete(sessionId);
+
+    const workspaceSessionIds = this.workspaceSessions.get(workspaceId);
+    if (workspaceSessionIds) {
+      workspaceSessionIds.delete(sessionId);
+      if (workspaceSessionIds.size === 0) {
+        this.workspaceSessions.delete(workspaceId);
+      }
+    }
+  }
+}
--- a/apps/orchestrator/.env.example
+++ b/apps/orchestrator/.env.example
@@ -1,6 +1,8 @@
 # Orchestrator Configuration
 ORCHESTRATOR_PORT=3001
 NODE_ENV=development
+# AI provider for orchestrator agents: ollama, claude, openai
+AI_PROVIDER=ollama

 # Valkey
 VALKEY_HOST=localhost
@@ -8,6 +10,7 @@ VALKEY_PORT=6379
 VALKEY_URL=redis://localhost:6379

 # Claude API
+# Required only when AI_PROVIDER=claude.
 CLAUDE_API_KEY=your-api-key-here

 # Docker
--- a/apps/orchestrator/README.md
+++ b/apps/orchestrator/README.md
@@ -186,17 +186,18 @@ pnpm --filter @mosaic/orchestrator lint

 Environment variables loaded via `@nestjs/config`. Key variables:

-| Variable                         | Description                                        |
-| -------------------------------- | -------------------------------------------------- |
-| `ORCHESTRATOR_PORT`              | HTTP port (default: 3001)                          |
-| `CLAUDE_API_KEY`                 | Claude API key for agents                          |
-| `VALKEY_HOST`                    | Valkey/Redis host (default: localhost)             |
-| `VALKEY_PORT`                    | Valkey/Redis port (default: 6379)                  |
-| `COORDINATOR_URL`                | Quality Coordinator base URL                       |
-| `SANDBOX_ENABLED`                | Enable Docker sandbox (true/false)                 |
-| `MAX_CONCURRENT_AGENTS`          | Maximum concurrent in-memory sessions (default: 2) |
-| `ORCHESTRATOR_QUEUE_CONCURRENCY` | BullMQ worker concurrency (default: 1)             |
-| `SANDBOX_DEFAULT_MEMORY_MB`      | Sandbox memory limit in MB (default: 256)          |
+| Variable                         | Description                                                  |
+| -------------------------------- | ------------------------------------------------------------ |
+| `ORCHESTRATOR_PORT`              | HTTP port (default: 3001)                                    |
+| `AI_PROVIDER`                    | LLM provider for orchestrator (`ollama`, `claude`, `openai`) |
+| `CLAUDE_API_KEY`                 | Required only when `AI_PROVIDER=claude`                      |
+| `VALKEY_HOST`                    | Valkey/Redis host (default: localhost)                       |
+| `VALKEY_PORT`                    | Valkey/Redis port (default: 6379)                            |
+| `COORDINATOR_URL`                | Quality Coordinator base URL                                 |
+| `SANDBOX_ENABLED`                | Enable Docker sandbox (true/false)                           |
+| `MAX_CONCURRENT_AGENTS`          | Maximum concurrent in-memory sessions (default: 2)           |
+| `ORCHESTRATOR_QUEUE_CONCURRENCY` | BullMQ worker concurrency (default: 1)                       |
+| `SANDBOX_DEFAULT_MEMORY_MB`      | Sandbox memory limit in MB (default: 256)                    |

 ## Related Documentation

--- a/apps/orchestrator/SECURITY.md
+++ b/apps/orchestrator/SECURITY.md
@@ -192,7 +192,8 @@ LABEL com.mosaic.security.non-root=true

 Sensitive configuration is passed via environment variables:

- `CLAUDE_API_KEY`: Claude API credentials
+- `AI_PROVIDER`: Orchestrator LLM provider
+- `CLAUDE_API_KEY`: Claude credentials (required only for `AI_PROVIDER=claude`)
 - `VALKEY_URL`: Cache connection string

 **Best Practices:**
--- a/apps/orchestrator/src/app.module.ts
+++ b/apps/orchestrator/src/app.module.ts
@@ -1,5 +1,5 @@
 import { Module } from "@nestjs/common";
-import { ConfigModule } from "@nestjs/config";
+import { ConfigModule, ConfigService } from "@nestjs/config";
 import { BullModule } from "@nestjs/bullmq";
 import { ThrottlerModule } from "@nestjs/throttler";
 import { HealthModule } from "./api/health/health.module";
@@ -22,11 +22,15 @@ import { orchestratorConfig } from "./config/orchestrator.config";
      isGlobal: true,
      load: [orchestratorConfig],
    }),
-    BullModule.forRoot({
-      connection: {
-        host: process.env.VALKEY_HOST ?? "localhost",
-        port: parseInt(process.env.VALKEY_PORT ?? "6379"),
-      },
+    BullModule.forRootAsync({
+      inject: [ConfigService],
+      useFactory: (configService: ConfigService) => ({
+        connection: {
+          host: configService.get<string>("orchestrator.valkey.host", "localhost"),
+          port: configService.get<number>("orchestrator.valkey.port", 6379),
+          password: configService.get<string>("orchestrator.valkey.password"),
+        },
+      }),
    }),
    ThrottlerModule.forRoot([
      {
--- a/apps/orchestrator/src/config/orchestrator.config.spec.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.spec.ts
@@ -120,6 +120,42 @@ describe("orchestratorConfig", () => {
      expect(config.valkey.port).toBe(6379);
      expect(config.valkey.url).toBe("redis://localhost:6379");
    });
+
+    it("should derive valkey host and port from VALKEY_URL when VALKEY_HOST/VALKEY_PORT are not set", () => {
+      delete process.env.VALKEY_HOST;
+      delete process.env.VALKEY_PORT;
+      process.env.VALKEY_URL = "redis://valkey:6380";
+
+      const config = orchestratorConfig();
+
+      expect(config.valkey.host).toBe("valkey");
+      expect(config.valkey.port).toBe(6380);
+      expect(config.valkey.url).toBe("redis://valkey:6380");
+    });
+
+    it("should derive valkey password from VALKEY_URL when VALKEY_PASSWORD is not set", () => {
+      delete process.env.VALKEY_PASSWORD;
+      delete process.env.VALKEY_HOST;
+      delete process.env.VALKEY_PORT;
+      process.env.VALKEY_URL = "redis://:url-secret@valkey:6379";
+
+      const config = orchestratorConfig();
+
+      expect(config.valkey.password).toBe("url-secret");
+    });
+
+    it("should prefer explicit valkey env vars over VALKEY_URL values", () => {
+      process.env.VALKEY_HOST = "explicit-host";
+      process.env.VALKEY_PORT = "6390";
+      process.env.VALKEY_PASSWORD = "explicit-password";
+      process.env.VALKEY_URL = "redis://:url-secret@valkey:6380";
+
+      const config = orchestratorConfig();
+
+      expect(config.valkey.host).toBe("explicit-host");
+      expect(config.valkey.port).toBe(6390);
+      expect(config.valkey.password).toBe("explicit-password");
+    });
  });

  describe("valkey timeout config (SEC-ORCH-28)", () => {
@@ -181,4 +217,30 @@ describe("orchestratorConfig", () => {
      expect(config.spawner.maxConcurrentAgents).toBe(10);
    });
  });
+
+  describe("AI provider config", () => {
+    it("should default aiProvider to ollama when unset", () => {
+      delete process.env.AI_PROVIDER;
+
+      const config = orchestratorConfig();
+
+      expect(config.aiProvider).toBe("ollama");
+    });
+
+    it("should normalize AI provider to lowercase", () => {
+      process.env.AI_PROVIDER = "  cLaUdE  ";
+
+      const config = orchestratorConfig();
+
+      expect(config.aiProvider).toBe("claude");
+    });
+
+    it("should fallback unsupported AI provider to ollama", () => {
+      process.env.AI_PROVIDER = "bad-provider";
+
+      const config = orchestratorConfig();
+
+      expect(config.aiProvider).toBe("ollama");
+    });
+  });
 });
--- a/apps/orchestrator/src/config/orchestrator.config.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.ts
@@ -1,61 +1,96 @@
 import { registerAs } from "@nestjs/config";

-export const orchestratorConfig = registerAs("orchestrator", () => ({
-  host: process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1",
-  port: parseInt(process.env.ORCHESTRATOR_PORT ?? "3001", 10),
-  valkey: {
-    host: process.env.VALKEY_HOST ?? "localhost",
-    port: parseInt(process.env.VALKEY_PORT ?? "6379", 10),
-    password: process.env.VALKEY_PASSWORD,
-    url: process.env.VALKEY_URL ?? "redis://localhost:6379",
-    connectTimeout: parseInt(process.env.VALKEY_CONNECT_TIMEOUT_MS ?? "5000", 10),
-    commandTimeout: parseInt(process.env.VALKEY_COMMAND_TIMEOUT_MS ?? "3000", 10),
-  },
-  claude: {
-    apiKey: process.env.CLAUDE_API_KEY,
-  },
-  docker: {
-    socketPath: process.env.DOCKER_SOCKET ?? "/var/run/docker.sock",
-  },
-  git: {
-    userName: process.env.GIT_USER_NAME ?? "Mosaic Orchestrator",
-    userEmail: process.env.GIT_USER_EMAIL ?? "orchestrator@mosaicstack.dev",
-  },
-  killswitch: {
-    enabled: process.env.KILLSWITCH_ENABLED === "true",
-  },
-  sandbox: {
-    enabled: process.env.SANDBOX_ENABLED !== "false",
-    defaultImage: process.env.SANDBOX_DEFAULT_IMAGE ?? "node:20-alpine",
-    defaultMemoryMB: parseInt(process.env.SANDBOX_DEFAULT_MEMORY_MB ?? "256", 10),
-    defaultCpuLimit: parseFloat(process.env.SANDBOX_DEFAULT_CPU_LIMIT ?? "1.0"),
-    networkMode: process.env.SANDBOX_NETWORK_MODE ?? "none",
-  },
-  coordinator: {
-    url: process.env.COORDINATOR_URL ?? "http://localhost:8000",
-    timeout: parseInt(process.env.COORDINATOR_TIMEOUT_MS ?? "30000", 10),
-    retries: parseInt(process.env.COORDINATOR_RETRIES ?? "3", 10),
-    apiKey: process.env.COORDINATOR_API_KEY,
-  },
-  yolo: {
-    enabled: process.env.YOLO_MODE === "true",
-  },
-  spawner: {
-    maxConcurrentAgents: parseInt(process.env.MAX_CONCURRENT_AGENTS ?? "2", 10),
-    sessionCleanupDelayMs: parseInt(process.env.SESSION_CLEANUP_DELAY_MS ?? "30000", 10),
-  },
-  queue: {
-    name: process.env.ORCHESTRATOR_QUEUE_NAME ?? "orchestrator-tasks",
-    maxRetries: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_RETRIES ?? "3", 10),
-    baseDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_BASE_DELAY_MS ?? "1000", 10),
-    maxDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_DELAY_MS ?? "60000", 10),
-    concurrency: parseInt(process.env.ORCHESTRATOR_QUEUE_CONCURRENCY ?? "1", 10),
-    completedRetentionCount: parseInt(process.env.QUEUE_COMPLETED_RETENTION_COUNT ?? "100", 10),
-    completedRetentionAgeSeconds: parseInt(
-      process.env.QUEUE_COMPLETED_RETENTION_AGE_S ?? "3600",
-      10
-    ),
-    failedRetentionCount: parseInt(process.env.QUEUE_FAILED_RETENTION_COUNT ?? "1000", 10),
-    failedRetentionAgeSeconds: parseInt(process.env.QUEUE_FAILED_RETENTION_AGE_S ?? "86400", 10),
-  },
-}));
+const normalizeAiProvider = (): "ollama" | "claude" | "openai" => {
+  const provider = process.env.AI_PROVIDER?.trim().toLowerCase();
+
+  if (!provider) {
+    return "ollama";
+  }
+
+  if (provider !== "ollama" && provider !== "claude" && provider !== "openai") {
+    return "ollama";
+  }
+
+  return provider;
+};
+
+const parseValkeyUrl = (url: string): { host?: string; port?: number; password?: string } => {
+  try {
+    const parsed = new URL(url);
+    const port = parsed.port ? parseInt(parsed.port, 10) : undefined;
+
+    return {
+      host: parsed.hostname || undefined,
+      port: Number.isNaN(port) ? undefined : port,
+      password: parsed.password ? decodeURIComponent(parsed.password) : undefined,
+    };
+  } catch {
+    return {};
+  }
+};
+
+export const orchestratorConfig = registerAs("orchestrator", () => {
+  const valkeyUrl = process.env.VALKEY_URL ?? "redis://localhost:6379";
+  const parsedValkeyUrl = parseValkeyUrl(valkeyUrl);
+
+  return {
+    host: process.env.HOST ?? process.env.BIND_ADDRESS ?? "127.0.0.1",
+    port: parseInt(process.env.ORCHESTRATOR_PORT ?? "3001", 10),
+    valkey: {
+      host: process.env.VALKEY_HOST ?? parsedValkeyUrl.host ?? "localhost",
+      port: parseInt(process.env.VALKEY_PORT ?? String(parsedValkeyUrl.port ?? 6379), 10),
+      password: process.env.VALKEY_PASSWORD ?? parsedValkeyUrl.password,
+      url: valkeyUrl,
+      connectTimeout: parseInt(process.env.VALKEY_CONNECT_TIMEOUT_MS ?? "5000", 10),
+      commandTimeout: parseInt(process.env.VALKEY_COMMAND_TIMEOUT_MS ?? "3000", 10),
+    },
+    claude: {
+      apiKey: process.env.CLAUDE_API_KEY,
+    },
+    aiProvider: normalizeAiProvider(),
+    docker: {
+      socketPath: process.env.DOCKER_SOCKET ?? "/var/run/docker.sock",
+    },
+    git: {
+      userName: process.env.GIT_USER_NAME ?? "Mosaic Orchestrator",
+      userEmail: process.env.GIT_USER_EMAIL ?? "orchestrator@mosaicstack.dev",
+    },
+    killswitch: {
+      enabled: process.env.KILLSWITCH_ENABLED === "true",
+    },
+    sandbox: {
+      enabled: process.env.SANDBOX_ENABLED !== "false",
+      defaultImage: process.env.SANDBOX_DEFAULT_IMAGE ?? "node:20-alpine",
+      defaultMemoryMB: parseInt(process.env.SANDBOX_DEFAULT_MEMORY_MB ?? "256", 10),
+      defaultCpuLimit: parseFloat(process.env.SANDBOX_DEFAULT_CPU_LIMIT ?? "1.0"),
+      networkMode: process.env.SANDBOX_NETWORK_MODE ?? "none",
+    },
+    coordinator: {
+      url: process.env.COORDINATOR_URL ?? "http://localhost:8000",
+      timeout: parseInt(process.env.COORDINATOR_TIMEOUT_MS ?? "30000", 10),
+      retries: parseInt(process.env.COORDINATOR_RETRIES ?? "3", 10),
+      apiKey: process.env.COORDINATOR_API_KEY,
+    },
+    yolo: {
+      enabled: process.env.YOLO_MODE === "true",
+    },
+    spawner: {
+      maxConcurrentAgents: parseInt(process.env.MAX_CONCURRENT_AGENTS ?? "2", 10),
+      sessionCleanupDelayMs: parseInt(process.env.SESSION_CLEANUP_DELAY_MS ?? "30000", 10),
+    },
+    queue: {
+      name: process.env.ORCHESTRATOR_QUEUE_NAME ?? "orchestrator-tasks",
+      maxRetries: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_RETRIES ?? "3", 10),
+      baseDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_BASE_DELAY_MS ?? "1000", 10),
+      maxDelay: parseInt(process.env.ORCHESTRATOR_QUEUE_MAX_DELAY_MS ?? "60000", 10),
+      concurrency: parseInt(process.env.ORCHESTRATOR_QUEUE_CONCURRENCY ?? "1", 10),
+      completedRetentionCount: parseInt(process.env.QUEUE_COMPLETED_RETENTION_COUNT ?? "100", 10),
+      completedRetentionAgeSeconds: parseInt(
+        process.env.QUEUE_COMPLETED_RETENTION_AGE_S ?? "3600",
+        10
+      ),
+      failedRetentionCount: parseInt(process.env.QUEUE_FAILED_RETENTION_COUNT ?? "1000", 10),
+      failedRetentionAgeSeconds: parseInt(process.env.QUEUE_FAILED_RETENTION_AGE_S ?? "86400", 10),
+    },
+  };
+});
--- a/apps/orchestrator/src/spawner/agent-spawner.service.spec.ts
+++ b/apps/orchestrator/src/spawner/agent-spawner.service.spec.ts
@@ -12,6 +12,9 @@ describe("AgentSpawnerService", () => {
    // Create mock ConfigService
    mockConfigService = {
      get: vi.fn((key: string) => {
+        if (key === "orchestrator.aiProvider") {
+          return "ollama";
+        }
        if (key === "orchestrator.claude.apiKey") {
          return "test-api-key";
        }
@@ -31,19 +34,80 @@ describe("AgentSpawnerService", () => {
      expect(service).toBeDefined();
    });

-    it("should initialize with Claude API key from config", () => {
+    it("should initialize with default AI provider when API key is omitted", () => {
+      const noClaudeConfigService = {
+        get: vi.fn((key: string) => {
+          if (key === "orchestrator.aiProvider") {
+            return "ollama";
+          }
+          if (key === "orchestrator.spawner.maxConcurrentAgents") {
+            return 20;
+          }
+          if (key === "orchestrator.spawner.sessionCleanupDelayMs") {
+            return 30000;
+          }
+          return undefined;
+        }),
+      } as unknown as ConfigService;
+
+      const serviceNoKey = new AgentSpawnerService(noClaudeConfigService);
+      expect(serviceNoKey).toBeDefined();
+    });
+
+    it("should initialize with Claude provider when key is present", () => {
      expect(mockConfigService.get).toHaveBeenCalledWith("orchestrator.claude.apiKey");
    });

-    it("should throw error if Claude API key is missing", () => {
+    it("should initialize with CLAUDE provider when API key is present", () => {
+      const claudeConfigService = {
+        get: vi.fn((key: string) => {
+          if (key === "orchestrator.aiProvider") {
+            return "claude";
+          }
+          if (key === "orchestrator.claude.apiKey") {
+            return "test-api-key";
+          }
+          if (key === "orchestrator.spawner.maxConcurrentAgents") {
+            return 20;
+          }
+          return undefined;
+        }),
+      } as unknown as ConfigService;
+
+      const claudeService = new AgentSpawnerService(claudeConfigService);
+      expect(claudeService).toBeDefined();
+    });
+
+    it("should throw error if Claude API key is missing when provider is claude", () => {
      const badConfigService = {
-        get: vi.fn(() => undefined),
+        get: vi.fn((key: string) => {
+          if (key === "orchestrator.aiProvider") {
+            return "claude";
+          }
+          return undefined;
+        }),
      } as unknown as ConfigService;

      expect(() => new AgentSpawnerService(badConfigService)).toThrow(
-        "CLAUDE_API_KEY is not configured"
+        "CLAUDE_API_KEY is required when AI_PROVIDER is set to 'claude'"
      );
    });
+
+    it("should still initialize when CLAUDE_API_KEY is missing for non-Claude provider", () => {
+      const nonClaudeConfigService = {
+        get: vi.fn((key: string) => {
+          if (key === "orchestrator.aiProvider") {
+            return "ollama";
+          }
+          if (key === "orchestrator.spawner.maxConcurrentAgents") {
+            return 20;
+          }
+          return undefined;
+        }),
+      } as unknown as ConfigService;
+
+      expect(() => new AgentSpawnerService(nonClaudeConfigService)).not.toThrow();
+    });
  });

  describe("spawnAgent", () => {
--- a/apps/orchestrator/src/spawner/agent-spawner.service.ts
+++ b/apps/orchestrator/src/spawner/agent-spawner.service.ts
@@ -14,6 +14,8 @@ import {
 * This allows time for status queries before the session is removed
 */
 const DEFAULT_SESSION_CLEANUP_DELAY_MS = 30000; // 30 seconds
+const SUPPORTED_AI_PROVIDERS = ["ollama", "claude", "openai"] as const;
+type SupportedAiProvider = (typeof SUPPORTED_AI_PROVIDERS)[number];

 /**
 * Service responsible for spawning Claude agents using Anthropic SDK
@@ -21,22 +23,38 @@ const DEFAULT_SESSION_CLEANUP_DELAY_MS = 30000; // 30 seconds
@Injectable()
 export class AgentSpawnerService implements OnModuleDestroy {
  private readonly logger = new Logger(AgentSpawnerService.name);
-  private readonly anthropic: Anthropic;
+  private readonly anthropic: Anthropic | undefined;
+  private readonly aiProvider: SupportedAiProvider;
  private readonly sessions = new Map<string, AgentSession>();
  private readonly maxConcurrentAgents: number;
  private readonly sessionCleanupDelayMs: number;
  private readonly cleanupTimers = new Map<string, NodeJS.Timeout>();

  constructor(private readonly configService: ConfigService) {
+    const configuredProvider = this.configService.get<string>("orchestrator.aiProvider");
+    this.aiProvider = this.normalizeAiProvider(configuredProvider);
+
+    this.logger.log(`AgentSpawnerService resolved AI provider: ${this.aiProvider}`);
+
    const apiKey = this.configService.get<string>("orchestrator.claude.apiKey");

-    if (!apiKey) {
-      throw new Error("CLAUDE_API_KEY is not configured");
-    }
+    if (this.aiProvider === "claude") {
+      if (!apiKey) {
+        throw new Error("CLAUDE_API_KEY is required when AI_PROVIDER is set to 'claude'");
+      }

-    this.anthropic = new Anthropic({
-      apiKey,
-    });
+      this.logger.log("CLAUDE_API_KEY is configured. Initializing Anthropic client.");
+      this.anthropic = new Anthropic({ apiKey });
+    } else {
+      if (apiKey) {
+        this.logger.debug(
+          `CLAUDE_API_KEY is set but ignored because AI provider is '${this.aiProvider}'`
+        );
+      } else {
+        this.logger.log(`CLAUDE_API_KEY not required for AI provider '${this.aiProvider}'.`);
+      }
+      this.anthropic = undefined;
+    }

    // Default to 20 if not configured
    this.maxConcurrentAgents =
@@ -48,10 +66,27 @@ export class AgentSpawnerService implements OnModuleDestroy {
      DEFAULT_SESSION_CLEANUP_DELAY_MS;

    this.logger.log(
-      `AgentSpawnerService initialized with Claude SDK (max concurrent agents: ${String(this.maxConcurrentAgents)}, cleanup delay: ${String(this.sessionCleanupDelayMs)}ms)`
+      `AgentSpawnerService initialized with ${this.aiProvider} AI provider (max concurrent agents: ${String(
+        this.maxConcurrentAgents
+      )}, cleanup delay: ${String(this.sessionCleanupDelayMs)}ms)`
    );
  }

+  private normalizeAiProvider(provider?: string): SupportedAiProvider {
+    const normalizedProvider = provider?.trim().toLowerCase();
+
+    if (!normalizedProvider) {
+      return "ollama";
+    }
+
+    if (!SUPPORTED_AI_PROVIDERS.includes(normalizedProvider as SupportedAiProvider)) {
+      this.logger.warn(`Unsupported AI provider '${normalizedProvider}'. Defaulting to 'ollama'.`);
+      return "ollama";
+    }
+
+    return normalizedProvider as SupportedAiProvider;
+  }
+
  /**
   * Clean up all pending cleanup timers on module destroy
   */
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -27,6 +27,20 @@ COPY apps/web/package.json ./apps/web/
 # Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
 RUN pnpm install --frozen-lockfile

+# ======================
+# Production dependencies stage
+# ======================
+FROM base AS prod-deps
+
+# Copy all package.json files for workspace resolution
+COPY packages/shared/package.json ./packages/shared/
+COPY packages/ui/package.json ./packages/ui/
+COPY packages/config/package.json ./packages/config/
+COPY apps/web/package.json ./apps/web/
+
+# Install production dependencies only
+RUN pnpm install --frozen-lockfile --prod
+
 # ======================
 # Builder stage
 # ======================
@@ -81,14 +95,13 @@ ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x

 # Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
 RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
-    && corepack enable && corepack prepare pnpm@10.27.0 --activate \
    && chmod 755 /usr/local/bin/dumb-init \
    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs

 WORKDIR /app

 # Copy node_modules from builder (includes all dependencies in pnpm store)
-COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=prod-deps --chown=nextjs:nodejs /app/node_modules ./node_modules

 # Copy built packages (includes dist/ directories)
 COPY --from=builder --chown=nextjs:nodejs /app/packages ./packages
@@ -99,7 +112,7 @@ COPY --from=builder --chown=nextjs:nodejs /app/apps/web/public ./apps/web/public
 COPY --from=builder --chown=nextjs:nodejs /app/apps/web/next.config.ts ./apps/web/
 COPY --from=builder --chown=nextjs:nodejs /app/apps/web/package.json ./apps/web/
 # Copy app's node_modules which contains symlinks to root node_modules
-COPY --from=builder --chown=nextjs:nodejs /app/apps/web/node_modules ./apps/web/node_modules
+COPY --from=prod-deps --chown=nextjs:nodejs /app/apps/web/node_modules ./apps/web/node_modules

 # Set working directory to web app
 WORKDIR /app/apps/web
@@ -113,6 +126,7 @@ EXPOSE ${PORT:-3000}
 # Environment variables
 ENV NODE_ENV=production
 ENV HOSTNAME="0.0.0.0"
+ENV PATH="/app/apps/web/node_modules/.bin:${PATH}"

 # Health check uses PORT env var (set by docker-compose or defaults to 3000)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
@@ -122,4 +136,4 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
 ENTRYPOINT ["dumb-init", "--"]

 # Start the application
-CMD ["pnpm", "start"]
+CMD ["next", "start"]
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -1,5 +1,16 @@
 import type { NextConfig } from "next";

+const defaultAuthMode = process.env.NODE_ENV === "development" ? "mock" : "real";
+const authMode = (process.env.NEXT_PUBLIC_AUTH_MODE ?? defaultAuthMode).toLowerCase();
+
+if (!["real", "mock"].includes(authMode)) {
+  throw new Error(`Invalid NEXT_PUBLIC_AUTH_MODE "${authMode}". Expected one of: real, mock.`);
+}
+
+if (authMode === "mock" && process.env.NODE_ENV !== "development") {
+  throw new Error("NEXT_PUBLIC_AUTH_MODE=mock is only allowed for local development.");
+}
+
 const nextConfig: NextConfig = {
  transpilePackages: ["@mosaic/ui", "@mosaic/shared"],
 };
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -18,15 +18,27 @@
    "@dnd-kit/core": "^6.3.1",
    "@dnd-kit/sortable": "^9.0.0",
    "@dnd-kit/utilities": "^3.2.2",
+    "@hello-pangea/dnd": "^18.0.1",
    "@mosaic/shared": "workspace:*",
    "@mosaic/ui": "workspace:*",
    "@tanstack/react-query": "^5.90.20",
+    "@tiptap/extension-code-block-lowlight": "^3.20.0",
+    "@tiptap/extension-link": "^3.20.0",
+    "@tiptap/extension-placeholder": "^3.20.0",
+    "@tiptap/extension-table": "^3.20.0",
+    "@tiptap/extension-table-cell": "^3.20.0",
+    "@tiptap/extension-table-header": "^3.20.0",
+    "@tiptap/extension-table-row": "^3.20.0",
+    "@tiptap/pm": "^3.20.0",
+    "@tiptap/react": "^3.20.0",
+    "@tiptap/starter-kit": "^3.20.0",
    "@types/dompurify": "^3.2.0",
    "@xyflow/react": "^12.5.3",
    "better-auth": "^1.4.17",
    "date-fns": "^4.1.0",
    "dompurify": "^3.3.1",
    "elkjs": "^0.9.3",
+    "lowlight": "^3.3.0",
    "lucide-react": "^0.563.0",
    "mermaid": "^11.4.1",
    "next": "^16.1.6",
@@ -34,7 +46,8 @@
    "react-dom": "^19.0.0",
    "react-grid-layout": "^2.2.2",
    "recharts": "^3.7.0",
-    "socket.io-client": "^4.8.3"
+    "socket.io-client": "^4.8.3",
+    "tiptap-markdown": "^0.9.0"
  },
  "devDependencies": {
    "@mosaic/config": "workspace:*",
@@ -47,7 +60,10 @@
    "@types/react-grid-layout": "^2.1.0",
    "@vitejs/plugin-react": "^4.3.4",
    "@vitest/coverage-v8": "^3.2.4",
+    "autoprefixer": "^10.4.24",
    "jsdom": "^26.0.0",
+    "postcss": "^8.5.6",
+    "tailwindcss": "^3.4.19",
    "typescript": "^5.8.2",
    "vitest": "^3.0.8"
  }
--- a/apps/web/postcss.config.mjs
+++ b/apps/web/postcss.config.mjs
@@ -0,0 +1,8 @@
+const config = {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+};
+
+export default config;
--- a/apps/web/src/app/(auth)/login/page.mock-mode.test.tsx
+++ b/apps/web/src/app/(auth)/login/page.mock-mode.test.tsx
@@ -0,0 +1,87 @@
+import { describe, it, expect, vi, beforeEach, type Mock } from "vitest";
+import { render, screen, waitFor } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import LoginPage from "./page";
+
+const { mockPush, mockReplace, mockSearchParams, authState } = vi.hoisted(() => ({
+  mockPush: vi.fn(),
+  mockReplace: vi.fn(),
+  mockSearchParams: new URLSearchParams(),
+  authState: {
+    isAuthenticated: false,
+    refreshSession: vi.fn(),
+  },
+}));
+
+const { mockFetchWithRetry } = vi.hoisted(() => ({
+  mockFetchWithRetry: vi.fn(),
+}));
+
+vi.mock("next/navigation", () => ({
+  useRouter: (): { push: Mock; replace: Mock } => ({
+    push: mockPush,
+    replace: mockReplace,
+  }),
+  useSearchParams: (): URLSearchParams => mockSearchParams,
+}));
+
+vi.mock("@/lib/config", () => ({
+  API_BASE_URL: "http://localhost:3001",
+  IS_MOCK_AUTH_MODE: true,
+}));
+
+vi.mock("@/lib/auth-client", () => ({
+  signIn: {
+    oauth2: vi.fn(),
+    email: vi.fn(),
+  },
+}));
+
+vi.mock("@/lib/auth/auth-context", () => ({
+  useAuth: (): { isAuthenticated: boolean; refreshSession: Mock } => ({
+    isAuthenticated: authState.isAuthenticated,
+    refreshSession: authState.refreshSession,
+  }),
+}));
+
+vi.mock("@/lib/auth/fetch-with-retry", () => ({
+  fetchWithRetry: mockFetchWithRetry,
+}));
+
+describe("LoginPage (mock auth mode)", (): void => {
+  beforeEach((): void => {
+    vi.clearAllMocks();
+    mockSearchParams.delete("error");
+    authState.isAuthenticated = false;
+    authState.refreshSession.mockResolvedValue(undefined);
+  });
+
+  it("should render mock auth controls", (): void => {
+    render(<LoginPage />);
+
+    expect(screen.getByText(/local mock auth mode is active/i)).toBeInTheDocument();
+    expect(screen.getByTestId("mock-auth-login")).toBeInTheDocument();
+    expect(mockFetchWithRetry).not.toHaveBeenCalled();
+  });
+
+  it("should continue with mock session and navigate to tasks", async (): Promise<void> => {
+    const user = userEvent.setup();
+    render(<LoginPage />);
+
+    await user.click(screen.getByTestId("mock-auth-login"));
+
+    await waitFor(() => {
+      expect(authState.refreshSession).toHaveBeenCalledTimes(1);
+      expect(mockPush).toHaveBeenCalledWith("/tasks");
+    });
+  });
+
+  it("should auto-redirect authenticated mock users to tasks", async (): Promise<void> => {
+    authState.isAuthenticated = true;
+    render(<LoginPage />);
+
+    await waitFor(() => {
+      expect(mockReplace).toHaveBeenCalledWith("/tasks");
+    });
+  });
+});
--- a/apps/web/src/app/(auth)/login/page.test.tsx
+++ b/apps/web/src/app/(auth)/login/page.test.tsx
@@ -16,6 +16,11 @@ const { mockOAuth2, mockSignInEmail, mockPush, mockReplace, mockSearchParams } =
  mockSearchParams: new URLSearchParams(),
 }));

+const { mockRefreshSession, mockIsAuthenticated } = vi.hoisted(() => ({
+  mockRefreshSession: vi.fn(),
+  mockIsAuthenticated: false,
+}));
+
 vi.mock("next/navigation", () => ({
  useRouter: (): { push: Mock; replace: Mock } => ({
    push: mockPush,
@@ -33,6 +38,14 @@ vi.mock("@/lib/auth-client", () => ({

 vi.mock("@/lib/config", () => ({
  API_BASE_URL: "http://localhost:3001",
+  IS_MOCK_AUTH_MODE: false,
+}));
+
+vi.mock("@/lib/auth/auth-context", () => ({
+  useAuth: (): { isAuthenticated: boolean; refreshSession: Mock } => ({
+    isAuthenticated: mockIsAuthenticated,
+    refreshSession: mockRefreshSession,
+  }),
 }));

 // Mock fetchWithRetry to behave like fetch for test purposes
@@ -91,6 +104,7 @@ describe("LoginPage", (): void => {
    mockSearchParams.delete("error");
    // Default: OAuth2 returns a resolved promise (fire-and-forget redirect)
    mockOAuth2.mockResolvedValue(undefined);
+    mockRefreshSession.mockResolvedValue(undefined);
  });

  it("renders loading state initially", (): void => {
@@ -113,8 +127,8 @@ describe("LoginPage", (): void => {
      expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
    });

-    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Welcome to Mosaic Stack");
-    expect(screen.getByText(/Your personal assistant platform/i)).toBeInTheDocument();
+    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Command Center");
+    expect(screen.getByText(/Sign in to your orchestration platform/i)).toBeInTheDocument();
  });

  it("has proper layout styling", async (): Promise<void> => {
@@ -172,7 +186,7 @@ describe("LoginPage", (): void => {
      expect(screen.getByRole("button", { name: /continue with authentik/i })).toBeInTheDocument();
    });

-    expect(screen.getByText(/or continue with email/i)).toBeInTheDocument();
+    expect(screen.getByText(/or continue with/i)).toBeInTheDocument();
    expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
    expect(screen.getByLabelText(/password/i)).toBeInTheDocument();
  });
@@ -186,7 +200,11 @@ describe("LoginPage", (): void => {
      expect(screen.getByRole("button", { name: /continue with authentik/i })).toBeInTheDocument();
    });

-    expect(screen.queryByText(/or continue with email/i)).not.toBeInTheDocument();
+    // The divider element should not appear (no credentials provider)
+    const dividerTexts = screen.queryAllByText(/or continue with/i);
+    // OAuthButton text contains "Continue with" so filter for the divider specifically
+    const dividerOnly = dividerTexts.filter((el) => el.textContent === "or continue with");
+    expect(dividerOnly).toHaveLength(0);
  });

  it("shows error state with retry button on fetch failure instead of silent fallback", async (): Promise<void> => {
@@ -201,7 +219,6 @@ describe("LoginPage", (): void => {
    // Should NOT silently fall back to email form
    expect(screen.queryByLabelText(/email/i)).not.toBeInTheDocument();
    expect(screen.queryByLabelText(/password/i)).not.toBeInTheDocument();
-    expect(screen.queryByRole("button", { name: /continue with/i })).not.toBeInTheDocument();

    // Should show the error banner with helpful message
    expect(
@@ -276,7 +293,7 @@ describe("LoginPage", (): void => {

    expect(mockOAuth2).toHaveBeenCalledWith({
      providerId: "authentik",
-      callbackURL: "/",
+      callbackURL: "http://localhost:3000/",
    });
  });

@@ -439,7 +456,7 @@ describe("LoginPage", (): void => {
  /* ------------------------------------------------------------------ */

  describe("responsive layout", (): void => {
-    it("applies mobile-first padding to main element", async (): Promise<void> => {
+    it("applies AuthShell layout classes to main element", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);

      const { container } = render(<LoginPage />);
@@ -449,8 +466,7 @@ describe("LoginPage", (): void => {
      });

      const main = container.querySelector("main");
-
-      expect(main).toHaveClass("p-4", "sm:p-8");
+      expect(main).toHaveClass("min-h-screen", "items-center", "justify-center");
    });

    it("applies responsive text size to heading", async (): Promise<void> => {
@@ -463,10 +479,10 @@ describe("LoginPage", (): void => {
      });

      const heading = screen.getByRole("heading", { level: 1 });
-      expect(heading).toHaveClass("text-2xl", "sm:text-4xl");
+      expect(heading).toHaveClass("text-xl", "sm:text-2xl");
    });

-    it("applies responsive padding to card container", async (): Promise<void> => {
+    it("AuthCard applies card styling with padding", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);

      const { container } = render(<LoginPage />);
@@ -475,12 +491,12 @@ describe("LoginPage", (): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });

-      const card = container.querySelector(".bg-white");
-
-      expect(card).toHaveClass("p-4", "sm:p-8");
+      // AuthCard uses rounded-b-2xl and p-6 sm:p-10
+      const card = container.querySelector(".rounded-b-2xl");
+      expect(card).toHaveClass("p-6", "sm:p-10");
    });

-    it("card container has full width with max-width constraint", async (): Promise<void> => {
+    it("AuthShell constrains card width", async (): Promise<void> => {
      mockFetchConfig(EMAIL_ONLY_CONFIG);

      const { container } = render(<LoginPage />);
@@ -489,9 +505,9 @@ describe("LoginPage", (): void => {
        expect(screen.getByLabelText(/email/i)).toBeInTheDocument();
      });

-      const wrapper = container.querySelector(".max-w-md");
-
-      expect(wrapper).toHaveClass("w-full", "max-w-md");
+      // AuthShell wraps children in max-w-[27rem]
+      const wrapper = container.querySelector(".max-w-\\[27rem\\]");
+      expect(wrapper).toHaveClass("w-full");
    });
  });

--- a/apps/web/src/app/(auth)/login/page.tsx
+++ b/apps/web/src/app/(auth)/login/page.tsx
@@ -5,10 +5,12 @@ import type { ReactElement } from "react";
 import { useRouter, useSearchParams } from "next/navigation";
 import { Loader2 } from "lucide-react";
 import type { AuthConfigResponse, AuthProviderConfig } from "@mosaic/shared";
-import { API_BASE_URL } from "@/lib/config";
+import { AuthShell, AuthCard, AuthBrand, AuthStatusPill } from "@mosaic/ui";
+import { API_BASE_URL, IS_MOCK_AUTH_MODE } from "@/lib/config";
 import { signIn } from "@/lib/auth-client";
 import { fetchWithRetry } from "@/lib/auth/fetch-with-retry";
 import { parseAuthError } from "@/lib/auth/auth-errors";
+import { useAuth } from "@/lib/auth/auth-context";
 import { OAuthButton } from "@/components/auth/OAuthButton";
 import { LoginForm } from "@/components/auth/LoginForm";
 import { AuthDivider } from "@/components/auth/AuthDivider";
@@ -18,23 +20,21 @@ export default function LoginPage(): ReactElement {
  return (
    <Suspense
      fallback={
-        <main className="flex min-h-screen flex-col items-center justify-center p-4 sm:p-8 bg-gray-50">
-          <div className="w-full max-w-md space-y-8">
-            <div className="text-center">
-              <h1 className="text-2xl sm:text-4xl font-bold mb-4">Welcome to Mosaic Stack</h1>
-            </div>
-            <div className="bg-white p-4 sm:p-8 rounded-lg shadow-md">
+        <AuthShell>
+          <AuthCard>
+            <div className="flex flex-col items-center gap-6">
+              <AuthBrand />
              <div
                className="flex items-center justify-center py-8"
                role="status"
                aria-label="Loading authentication options"
              >
-                <Loader2 className="h-8 w-8 animate-spin text-blue-500" aria-hidden="true" />
+                <Loader2 className="h-8 w-8 animate-spin text-[#56a0ff]" aria-hidden="true" />
                <span className="sr-only">Loading authentication options</span>
              </div>
            </div>
-          </div>
-        </main>
+          </AuthCard>
+        </AuthShell>
      }
    >
      <LoginPageContent />
@@ -45,6 +45,7 @@ export default function LoginPage(): ReactElement {
 function LoginPageContent(): ReactElement {
  const router = useRouter();
  const searchParams = useSearchParams();
+  const { isAuthenticated, refreshSession } = useAuth();
  const [config, setConfig] = useState<AuthConfigResponse | null | undefined>(undefined);
  const [loadingConfig, setLoadingConfig] = useState(true);
  const [retryCount, setRetryCount] = useState(0);
@@ -68,6 +69,18 @@ function LoginPageContent(): ReactElement {
  }, [searchParams, router]);

  useEffect(() => {
+    if (IS_MOCK_AUTH_MODE && isAuthenticated) {
+      router.replace("/tasks");
+    }
+  }, [isAuthenticated, router]);
+
+  useEffect(() => {
+    if (IS_MOCK_AUTH_MODE) {
+      setConfig({ providers: [] });
+      setLoadingConfig(false);
+      return;
+    }
+
    let cancelled = false;

    async function fetchConfig(): Promise<void> {
@@ -113,12 +126,33 @@ function LoginPageContent(): ReactElement {
  const handleOAuthLogin = useCallback((providerId: string): void => {
    setOauthLoading(providerId);
    setError(null);
-    signIn.oauth2({ providerId, callbackURL: "/" }).catch((err: unknown) => {
-      const message = err instanceof Error ? err.message : String(err);
-      console.error(`[Auth] OAuth sign-in initiation failed for ${providerId}:`, message);
-      setError("Unable to connect to the sign-in provider. Please try again in a moment.");
-      setOauthLoading(null);
-    });
+    const callbackURL =
+      typeof window !== "undefined" ? new URL("/", window.location.origin).toString() : "/";
+    signIn
+      .oauth2({ providerId, callbackURL })
+      .then((result) => {
+        // BetterAuth returns Data | Error union — check for error or missing redirect URL
+        const hasError = "error" in result && result.error;
+        const hasUrl = "data" in result && result.data?.url;
+        if (hasError || !hasUrl) {
+          const errObj = hasError ? result.error : null;
+          const message =
+            errObj && typeof errObj === "object" && "message" in errObj
+              ? String(errObj.message)
+              : "no redirect URL";
+          console.error(`[Auth] OAuth sign-in failed for ${providerId}:`, message);
+          setError("Unable to connect to the sign-in provider. Please try again in a moment.");
+          setOauthLoading(null);
+        }
+        // If data.url exists, BetterAuth's client will redirect the browser automatically.
+        // No need to reset loading — the page is navigating away.
+      })
+      .catch((err: unknown) => {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`[Auth] OAuth sign-in initiation failed for ${providerId}:`, message);
+        setError("Unable to connect to the sign-in provider. Please try again in a moment.");
+        setOauthLoading(null);
+      });
  }, []);

  const handleCredentialsLogin = useCallback(
@@ -156,18 +190,64 @@ function LoginPageContent(): ReactElement {
    setRetryCount((c) => c + 1);
  }, []);

+  const handleMockLogin = useCallback(async (): Promise<void> => {
+    setError(null);
+    try {
+      await refreshSession();
+      router.push("/tasks");
+    } catch (err: unknown) {
+      const parsed = parseAuthError(err);
+      setError(parsed.message);
+    }
+  }, [refreshSession, router]);
+
+  if (IS_MOCK_AUTH_MODE) {
+    return (
+      <AuthShell>
+        <AuthCard>
+          <div className="flex flex-col items-center gap-6">
+            <AuthBrand />
+            <div className="text-center">
+              <h1 className="text-xl font-bold tracking-tight sm:text-2xl">Command Center</h1>
+              <p className="mt-1 text-sm text-[#5a6a87] dark:text-[#8f9db7]">
+                Local mock auth mode is active
+              </p>
+            </div>
+          </div>
+
+          <div className="mt-6 space-y-4">
+            <AuthStatusPill label="Mock mode" tone="warning" className="w-full justify-center" />
+            {error && <AuthErrorBanner message={error} />}
+            <button
+              type="button"
+              onClick={() => {
+                void handleMockLogin();
+              }}
+              className="w-full inline-flex items-center justify-center gap-2 rounded-lg px-4 py-3 text-sm font-semibold text-white bg-[linear-gradient(135deg,#2f80ff,#8b5cf6)] transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/60 hover:-translate-y-0.5 hover:shadow-[0_10px_30px_rgba(47,128,255,0.38)]"
+              data-testid="mock-auth-login"
+            >
+              Continue with Mock Session
+            </button>
+          </div>
+        </AuthCard>
+      </AuthShell>
+    );
+  }
+
  return (
-    <main className="flex min-h-screen flex-col items-center justify-center p-4 sm:p-8 bg-gray-50">
-      <div className="w-full max-w-md space-y-8">
-        <div className="text-center">
-          <h1 className="text-2xl sm:text-4xl font-bold mb-4">Welcome to Mosaic Stack</h1>
-          <p className="text-base sm:text-lg text-gray-600">
-            Your personal assistant platform. Organize tasks, events, and projects with a
-            PDA-friendly approach.
-          </p>
+    <AuthShell>
+      <AuthCard>
+        <div className="flex flex-col items-center gap-6">
+          <AuthBrand />
+          <div className="text-center">
+            <h1 className="text-xl font-bold tracking-tight sm:text-2xl">Command Center</h1>
+            <p className="mt-1 text-sm text-[#5a6a87] dark:text-[#8f9db7]">
+              Sign in to your orchestration platform
+            </p>
+          </div>
        </div>

-        <div className="bg-white p-4 sm:p-8 rounded-lg shadow-md">
+        <div className="mt-6">
          {loadingConfig ? (
            <div
              className="flex items-center justify-center py-8"
@@ -175,7 +255,7 @@ function LoginPageContent(): ReactElement {
              role="status"
              aria-label="Loading authentication options"
            >
-              <Loader2 className="h-8 w-8 animate-spin text-blue-500" aria-hidden="true" />
+              <Loader2 className="h-8 w-8 animate-spin text-[#56a0ff]" aria-hidden="true" />
              <span className="sr-only">Loading authentication options</span>
            </div>
          ) : config === null ? (
@@ -185,47 +265,35 @@ function LoginPageContent(): ReactElement {
                <button
                  type="button"
                  onClick={handleRetry}
-                  className="px-4 py-2 text-sm font-medium text-white bg-blue-600 rounded-md hover:bg-blue-700 focus:outline-none focus:ring-2 focus:ring-blue-500 focus:ring-offset-2"
+                  className="inline-flex items-center justify-center gap-2 rounded-lg px-4 py-2.5 text-sm font-semibold text-white bg-[linear-gradient(135deg,#2f80ff,#8b5cf6)] transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/60 hover:-translate-y-0.5 hover:shadow-[0_10px_30px_rgba(47,128,255,0.38)]"
                >
                  Try again
                </button>
              </div>
            </div>
          ) : (
-            <>
+            <div className="space-y-0">
              {urlError && (
-                <AuthErrorBanner
-                  message={urlError}
-                  onDismiss={(): void => {
-                    setUrlError(null);
-                  }}
-                />
+                <div className="mb-4">
+                  <AuthErrorBanner
+                    message={urlError}
+                    onDismiss={(): void => {
+                      setUrlError(null);
+                    }}
+                  />
+                </div>
              )}

              {error && !hasCredentials && (
-                <AuthErrorBanner
-                  message={error}
-                  onDismiss={(): void => {
-                    setError(null);
-                  }}
-                />
-              )}
-
-              {hasOAuth &&
-                oauthProviders.map((provider) => (
-                  <OAuthButton
-                    key={provider.id}
-                    providerName={provider.name}
-                    providerId={provider.id}
-                    onClick={(): void => {
-                      handleOAuthLogin(provider.id);
+                <div className="mb-4">
+                  <AuthErrorBanner
+                    message={error}
+                    onDismiss={(): void => {
+                      setError(null);
                    }}
-                    isLoading={oauthLoading === provider.id}
-                    disabled={oauthLoading !== null && oauthLoading !== provider.id}
                  />
-                ))}
-
-              {hasOAuth && hasCredentials && <AuthDivider />}
+                </div>
+              )}

              {hasCredentials && (
                <LoginForm
@@ -234,10 +302,33 @@ function LoginPageContent(): ReactElement {
                  error={error}
                />
              )}
-            </>
+
+              {hasOAuth && hasCredentials && <AuthDivider />}
+
+              {hasOAuth && (
+                <div className="space-y-2">
+                  {oauthProviders.map((provider) => (
+                    <OAuthButton
+                      key={provider.id}
+                      providerName={provider.name}
+                      providerId={provider.id}
+                      onClick={(): void => {
+                        handleOAuthLogin(provider.id);
+                      }}
+                      isLoading={oauthLoading === provider.id}
+                      disabled={oauthLoading !== null && oauthLoading !== provider.id}
+                    />
+                  ))}
+                </div>
+              )}
+            </div>
          )}
        </div>
-      </div>
-    </main>
+
+        <div className="mt-6 flex justify-center">
+          <AuthStatusPill label="Mosaic v0.1" tone="neutral" />
+        </div>
+      </AuthCard>
+    </AuthShell>
  );
 }
--- a/apps/web/src/app/(authenticated)/calendar/page.test.tsx
+++ b/apps/web/src/app/(authenticated)/calendar/page.test.tsx
@@ -1,5 +1,6 @@
-import { describe, it, expect, vi } from "vitest";
+import { describe, it, expect, vi, beforeEach } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
+import type { Event } from "@mosaic/shared";
 import CalendarPage from "./page";

 // Mock the Calendar component
@@ -15,15 +16,94 @@ vi.mock("@/components/calendar/Calendar", () => ({
  ),
 }));

+// Mock MosaicSpinner
+vi.mock("@/components/ui/MosaicSpinner", () => ({
+  MosaicSpinner: ({ label }: { label?: string }): React.JSX.Element => (
+    <div data-testid="mosaic-spinner">{label ?? "Loading..."}</div>
+  ),
+}));
+
+// Mock useWorkspaceId
+const mockUseWorkspaceId = vi.fn<() => string | null>();
+vi.mock("@/lib/hooks", () => ({
+  useWorkspaceId: (): string | null => mockUseWorkspaceId(),
+}));
+
+// Mock fetchEvents
+const mockFetchEvents = vi.fn<() => Promise<Event[]>>();
+vi.mock("@/lib/api/events", () => ({
+  fetchEvents: (...args: unknown[]): Promise<Event[]> => mockFetchEvents(...(args as [])),
+}));
+
+const fakeEvents: Event[] = [
+  {
+    id: "event-1",
+    title: "Team standup",
+    description: "Daily standup meeting",
+    startTime: new Date("2026-02-20T09:00:00Z"),
+    endTime: new Date("2026-02-20T09:30:00Z"),
+    allDay: false,
+    location: null,
+    recurrence: null,
+    creatorId: "user-1",
+    projectId: null,
+    workspaceId: "ws-1",
+    metadata: {},
+    createdAt: new Date("2026-01-28"),
+    updatedAt: new Date("2026-01-28"),
+  },
+  {
+    id: "event-2",
+    title: "Sprint planning",
+    description: "Bi-weekly sprint planning",
+    startTime: new Date("2026-02-21T14:00:00Z"),
+    endTime: new Date("2026-02-21T15:00:00Z"),
+    allDay: false,
+    location: null,
+    recurrence: null,
+    creatorId: "user-1",
+    projectId: null,
+    workspaceId: "ws-1",
+    metadata: {},
+    createdAt: new Date("2026-01-28"),
+    updatedAt: new Date("2026-01-28"),
+  },
+  {
+    id: "event-3",
+    title: "All-day workshop",
+    description: null,
+    startTime: new Date("2026-02-22T00:00:00Z"),
+    endTime: null,
+    allDay: true,
+    location: "Conference Room A",
+    recurrence: null,
+    creatorId: "user-1",
+    projectId: null,
+    workspaceId: "ws-1",
+    metadata: {},
+    createdAt: new Date("2026-01-28"),
+    updatedAt: new Date("2026-01-28"),
+  },
+];
+
 describe("CalendarPage", (): void => {
+  beforeEach((): void => {
+    vi.clearAllMocks();
+    mockUseWorkspaceId.mockReturnValue("ws-1");
+    mockFetchEvents.mockResolvedValue(fakeEvents);
+  });
+
  it("should render the page title", (): void => {
    render(<CalendarPage />);
    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Calendar");
  });

  it("should show loading state initially", (): void => {
+    // Never resolve so we stay in loading state
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    mockFetchEvents.mockReturnValue(new Promise<Event[]>(() => {}));
    render(<CalendarPage />);
-    expect(screen.getByTestId("calendar")).toHaveTextContent("Loading");
+    expect(screen.getByTestId("mosaic-spinner")).toBeInTheDocument();
  });

  it("should render the Calendar with events after loading", async (): Promise<void> => {
@@ -43,4 +123,31 @@ describe("CalendarPage", (): void => {
    render(<CalendarPage />);
    expect(screen.getByText("View your schedule at a glance")).toBeInTheDocument();
  });
+
+  it("should show empty state when no events exist", async (): Promise<void> => {
+    mockFetchEvents.mockResolvedValue([]);
+    render(<CalendarPage />);
+    await waitFor((): void => {
+      expect(screen.getByText("No events scheduled")).toBeInTheDocument();
+    });
+  });
+
+  it("should show error state on API failure", async (): Promise<void> => {
+    mockFetchEvents.mockRejectedValue(new Error("Network error"));
+    render(<CalendarPage />);
+    await waitFor((): void => {
+      expect(screen.getByText("Network error")).toBeInTheDocument();
+    });
+    expect(screen.getByRole("button", { name: /try again/i })).toBeInTheDocument();
+  });
+
+  it("should not fetch when workspace ID is not available", async (): Promise<void> => {
+    mockUseWorkspaceId.mockReturnValue(null);
+    render(<CalendarPage />);
+
+    // Wait a tick to ensure useEffect ran
+    await waitFor((): void => {
+      expect(mockFetchEvents).not.toHaveBeenCalled();
+    });
+  });
 });
--- a/apps/web/src/app/(authenticated)/calendar/page.tsx
+++ b/apps/web/src/app/(authenticated)/calendar/page.tsx
@@ -3,57 +3,161 @@
 import { useState, useEffect } from "react";
 import type { ReactElement } from "react";
 import { Calendar } from "@/components/calendar/Calendar";
-import { mockEvents } from "@/lib/api/events";
+import { fetchEvents } from "@/lib/api/events";
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
+import { useWorkspaceId } from "@/lib/hooks";
 import type { Event } from "@mosaic/shared";

 export default function CalendarPage(): ReactElement {
+  const workspaceId = useWorkspaceId();
  const [events, setEvents] = useState<Event[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);

  useEffect(() => {
-    void loadEvents();
-  }, []);
-
-  async function loadEvents(): Promise<void> {
-    setIsLoading(true);
-    setError(null);
-
-    try {
-      // TODO: Replace with real API call when backend is ready
-      // const data = await fetchEvents();
-      await new Promise((resolve) => setTimeout(resolve, 300));
-      setEvents(mockEvents);
-    } catch (err) {
-      setError(
-        err instanceof Error
-          ? err.message
-          : "We had trouble loading your calendar. Please try again when you're ready."
-      );
-    } finally {
+    if (!workspaceId) {
      setIsLoading(false);
+      return;
    }
+
+    const wsId = workspaceId;
+    let cancelled = false;
+    setError(null);
+    setIsLoading(true);
+
+    async function loadEvents(): Promise<void> {
+      try {
+        const data = await fetchEvents(wsId);
+        if (!cancelled) {
+          setEvents(data);
+        }
+      } catch (err: unknown) {
+        console.error("[Calendar] Failed to fetch events:", err);
+        if (!cancelled) {
+          setError(
+            err instanceof Error
+              ? err.message
+              : "We had trouble loading your calendar. Please try again when you're ready."
+          );
+        }
+      } finally {
+        if (!cancelled) {
+          setIsLoading(false);
+        }
+      }
+    }
+
+    void loadEvents();
+
+    return (): void => {
+      cancelled = true;
+    };
+  }, [workspaceId]);
+
+  function handleRetry(): void {
+    if (!workspaceId) return;
+
+    const wsId = workspaceId;
+    setError(null);
+    setIsLoading(true);
+
+    fetchEvents(wsId)
+      .then((data) => {
+        setEvents(data);
+      })
+      .catch((err: unknown) => {
+        console.error("[Calendar] Retry failed:", err);
+        setError(
+          err instanceof Error
+            ? err.message
+            : "We had trouble loading your calendar. Please try again when you're ready."
+        );
+      })
+      .finally(() => {
+        setIsLoading(false);
+      });
+  }
+
+  if (isLoading) {
+    return (
+      <main className="container mx-auto px-4 py-8">
+        <div className="mb-8">
+          <h1 className="text-3xl font-bold" style={{ color: "var(--text)" }}>
+            Calendar
+          </h1>
+          <p style={{ color: "var(--text-muted)" }} className="mt-2">
+            View your schedule at a glance
+          </p>
+        </div>
+        <div className="flex justify-center py-16">
+          <MosaicSpinner label="Loading calendar..." />
+        </div>
+      </main>
+    );
+  }
+
+  if (error !== null) {
+    return (
+      <main className="container mx-auto px-4 py-8">
+        <div className="mb-8">
+          <h1 className="text-3xl font-bold" style={{ color: "var(--text)" }}>
+            Calendar
+          </h1>
+          <p style={{ color: "var(--text-muted)" }} className="mt-2">
+            View your schedule at a glance
+          </p>
+        </div>
+        <div
+          className="rounded-lg p-6 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p style={{ color: "var(--danger)" }}>{error}</p>
+          <button
+            onClick={handleRetry}
+            className="mt-4 rounded-md px-4 py-2 text-sm font-medium transition-colors"
+            style={{
+              background: "var(--accent)",
+              color: "var(--surface)",
+            }}
+          >
+            Try again
+          </button>
+        </div>
+      </main>
+    );
  }

  return (
    <main className="container mx-auto px-4 py-8">
      <div className="mb-8">
-        <h1 className="text-3xl font-bold text-gray-900">Calendar</h1>
-        <p className="text-gray-600 mt-2">View your schedule at a glance</p>
+        <h1 className="text-3xl font-bold" style={{ color: "var(--text)" }}>
+          Calendar
+        </h1>
+        <p style={{ color: "var(--text-muted)" }} className="mt-2">
+          View your schedule at a glance
+        </p>
      </div>

-      {error !== null ? (
-        <div className="rounded-lg border border-amber-200 bg-amber-50 p-6 text-center">
-          <p className="text-amber-800">{error}</p>
-          <button
-            onClick={() => void loadEvents()}
-            className="mt-4 rounded-md bg-amber-600 px-4 py-2 text-sm font-medium text-white hover:bg-amber-700 transition-colors"
-          >
-            Try again
-          </button>
+      {events.length === 0 ? (
+        <div
+          className="rounded-lg p-8 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p className="text-lg" style={{ color: "var(--text-muted)" }}>
+            No events scheduled
+          </p>
+          <p className="text-sm mt-2" style={{ color: "var(--text-muted)" }}>
+            Your calendar is clear
+          </p>
        </div>
      ) : (
-        <Calendar events={events} isLoading={isLoading} />
+        <Calendar events={events} isLoading={false} />
      )}
    </main>
  );
--- a/apps/web/src/app/(authenticated)/files/page.tsx
+++ b/apps/web/src/app/(authenticated)/files/page.tsx
--- a/apps/web/src/app/(authenticated)/kanban/page.tsx
+++ b/apps/web/src/app/(authenticated)/kanban/page.tsx
@@ -0,0 +1,765 @@
+"use client";
+
+import { useState, useEffect, useCallback, useMemo } from "react";
+import type { ReactElement } from "react";
+import { useSearchParams, useRouter } from "next/navigation";
+import { DragDropContext, Droppable, Draggable } from "@hello-pangea/dnd";
+import type {
+  DropResult,
+  DroppableProvided,
+  DraggableProvided,
+  DraggableStateSnapshot,
+} from "@hello-pangea/dnd";
+
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
+import { fetchTasks, updateTask, type TaskFilters } from "@/lib/api/tasks";
+import { fetchProjects, type Project } from "@/lib/api/projects";
+import { useWorkspaceId } from "@/lib/hooks";
+import type { Task } from "@mosaic/shared";
+import { TaskStatus, TaskPriority } from "@mosaic/shared";
+
+/* ---------------------------------------------------------------------------
+   Column configuration
+   --------------------------------------------------------------------------- */
+
+interface ColumnConfig {
+  status: TaskStatus;
+  label: string;
+  accent: string;
+}
+
+const COLUMNS: ColumnConfig[] = [
+  { status: TaskStatus.NOT_STARTED, label: "To Do", accent: "var(--ms-blue-400)" },
+  { status: TaskStatus.IN_PROGRESS, label: "In Progress", accent: "var(--ms-amber-400)" },
+  { status: TaskStatus.PAUSED, label: "Paused", accent: "var(--ms-purple-400)" },
+  { status: TaskStatus.COMPLETED, label: "Done", accent: "var(--ms-teal-400)" },
+  { status: TaskStatus.ARCHIVED, label: "Archived", accent: "var(--muted)" },
+];
+
+const PRIORITY_OPTIONS: { value: string; label: string }[] = [
+  { value: "", label: "All Priorities" },
+  { value: TaskPriority.HIGH, label: "High" },
+  { value: TaskPriority.MEDIUM, label: "Medium" },
+  { value: TaskPriority.LOW, label: "Low" },
+];
+
+/* ---------------------------------------------------------------------------
+   Filter select shared styles
+   --------------------------------------------------------------------------- */
+
+const selectStyle: React.CSSProperties = {
+  padding: "6px 10px",
+  borderRadius: "var(--r)",
+  border: "1px solid var(--border)",
+  background: "var(--surface)",
+  color: "var(--text)",
+  fontSize: "0.83rem",
+  outline: "none",
+  minWidth: 130,
+};
+
+const inputStyle: React.CSSProperties = {
+  ...selectStyle,
+  minWidth: 180,
+};
+
+/* ---------------------------------------------------------------------------
+   Priority badge helper
+   --------------------------------------------------------------------------- */
+
+interface PriorityStyle {
+  label: string;
+  bg: string;
+  color: string;
+}
+
+function getPriorityStyle(priority: TaskPriority): PriorityStyle {
+  switch (priority) {
+    case TaskPriority.HIGH:
+      return { label: "High", bg: "rgba(229,72,77,0.15)", color: "var(--danger)" };
+    case TaskPriority.MEDIUM:
+      return { label: "Medium", bg: "rgba(245,158,11,0.15)", color: "var(--warn)" };
+    case TaskPriority.LOW:
+      return { label: "Low", bg: "rgba(143,157,183,0.15)", color: "var(--muted)" };
+    default:
+      return { label: String(priority), bg: "rgba(143,157,183,0.15)", color: "var(--muted)" };
+  }
+}
+
+/* ---------------------------------------------------------------------------
+   Task Card
+   --------------------------------------------------------------------------- */
+
+interface TaskCardProps {
+  task: Task;
+  provided: DraggableProvided;
+  snapshot: DraggableStateSnapshot;
+  columnAccent: string;
+}
+
+function TaskCard({ task, provided, snapshot, columnAccent }: TaskCardProps): ReactElement {
+  const [hovered, setHovered] = useState(false);
+  const priorityStyle = getPriorityStyle(task.priority);
+
+  return (
+    <div
+      ref={provided.innerRef}
+      {...provided.draggableProps}
+      {...provided.dragHandleProps}
+      onMouseEnter={() => {
+        setHovered(true);
+      }}
+      onMouseLeave={() => {
+        setHovered(false);
+      }}
+      style={{
+        background: "var(--surface)",
+        border: `1px solid ${hovered || snapshot.isDragging ? columnAccent : "var(--border)"}`,
+        borderRadius: "var(--r)",
+        padding: 12,
+        marginBottom: 8,
+        cursor: "grab",
+        transition: "border-color 0.15s, box-shadow 0.15s",
+        boxShadow: snapshot.isDragging ? "var(--shadow-lg)" : "none",
+        ...provided.draggableProps.style,
+      }}
+    >
+      {/* Title */}
+      <div
+        style={{
+          fontWeight: 600,
+          color: "var(--text)",
+          fontSize: "0.875rem",
+          marginBottom: 6,
+          overflow: "hidden",
+          textOverflow: "ellipsis",
+          whiteSpace: "nowrap",
+        }}
+      >
+        {task.title}
+      </div>
+
+      {/* Priority badge */}
+      <span
+        style={{
+          display: "inline-block",
+          padding: "1px 8px",
+          borderRadius: "var(--r-sm)",
+          background: priorityStyle.bg,
+          color: priorityStyle.color,
+          fontSize: "0.7rem",
+          fontWeight: 500,
+          marginBottom: 6,
+        }}
+      >
+        {priorityStyle.label}
+      </span>
+
+      {/* Description */}
+      {task.description && (
+        <p
+          style={{
+            color: "var(--muted)",
+            fontSize: "0.8rem",
+            margin: 0,
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            display: "-webkit-box",
+            WebkitLineClamp: 2,
+            WebkitBoxOrient: "vertical",
+            lineHeight: 1.4,
+          }}
+        >
+          {task.description}
+        </p>
+      )}
+    </div>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Kanban Column
+   --------------------------------------------------------------------------- */
+
+interface KanbanColumnProps {
+  config: ColumnConfig;
+  tasks: Task[];
+}
+
+function KanbanColumn({ config, tasks }: KanbanColumnProps): ReactElement {
+  return (
+    <div
+      style={{
+        minWidth: 280,
+        maxWidth: 340,
+        flex: "1 0 280px",
+        display: "flex",
+        flexDirection: "column",
+        background: "var(--bg-mid)",
+        borderRadius: "var(--r-lg)",
+        overflow: "hidden",
+      }}
+    >
+      {/* Column header */}
+      <div
+        style={{
+          borderTop: `3px solid ${config.accent}`,
+          padding: "12px 16px",
+          display: "flex",
+          alignItems: "center",
+          justifyContent: "space-between",
+        }}
+      >
+        <span
+          style={{
+            fontWeight: 600,
+            fontSize: "0.85rem",
+            color: "var(--text)",
+          }}
+        >
+          {config.label}
+        </span>
+        <span
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            justifyContent: "center",
+            minWidth: 22,
+            height: 22,
+            padding: "0 6px",
+            borderRadius: "var(--r)",
+            background: `color-mix(in srgb, ${config.accent} 15%, transparent)`,
+            color: config.accent,
+            fontSize: "0.75rem",
+            fontWeight: 600,
+            fontFamily: "var(--mono)",
+          }}
+        >
+          {tasks.length}
+        </span>
+      </div>
+
+      {/* Droppable area */}
+      <Droppable droppableId={config.status}>
+        {(provided: DroppableProvided) => (
+          <div
+            ref={provided.innerRef}
+            {...provided.droppableProps}
+            style={{
+              padding: "8px 12px 12px",
+              flex: 1,
+              minHeight: 80,
+              overflowY: "auto",
+            }}
+          >
+            {tasks.map((task, index) => (
+              <Draggable key={task.id} draggableId={task.id} index={index}>
+                {(dragProvided: DraggableProvided, dragSnapshot: DraggableStateSnapshot) => (
+                  <TaskCard
+                    task={task}
+                    provided={dragProvided}
+                    snapshot={dragSnapshot}
+                    columnAccent={config.accent}
+                  />
+                )}
+              </Draggable>
+            ))}
+            {provided.placeholder}
+          </div>
+        )}
+      </Droppable>
+    </div>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Filter Bar
+   --------------------------------------------------------------------------- */
+
+interface FilterBarProps {
+  projects: Project[];
+  projectId: string;
+  priority: string;
+  search: string;
+  myTasks: boolean;
+  onProjectChange: (value: string) => void;
+  onPriorityChange: (value: string) => void;
+  onSearchChange: (value: string) => void;
+  onMyTasksToggle: () => void;
+  onClear: () => void;
+  hasActiveFilters: boolean;
+}
+
+function FilterBar({
+  projects,
+  projectId,
+  priority,
+  search,
+  myTasks,
+  onProjectChange,
+  onPriorityChange,
+  onSearchChange,
+  onMyTasksToggle,
+  onClear,
+  hasActiveFilters,
+}: FilterBarProps): ReactElement {
+  return (
+    <div
+      style={{
+        display: "flex",
+        alignItems: "center",
+        flexWrap: "wrap",
+        gap: 8,
+        padding: "10px 14px",
+        background: "var(--surface)",
+        border: "1px solid var(--border)",
+        borderRadius: "var(--r-lg)",
+        marginBottom: 16,
+      }}
+    >
+      {/* Search */}
+      <input
+        type="text"
+        placeholder="Search tasks..."
+        value={search}
+        onChange={(e): void => {
+          onSearchChange(e.target.value);
+        }}
+        style={inputStyle}
+      />
+
+      {/* Project filter */}
+      <select
+        value={projectId}
+        onChange={(e): void => {
+          onProjectChange(e.target.value);
+        }}
+        style={selectStyle}
+      >
+        <option value="">All Projects</option>
+        {projects.map((p) => (
+          <option key={p.id} value={p.id}>
+            {p.name}
+          </option>
+        ))}
+      </select>
+
+      {/* Priority filter */}
+      <select
+        value={priority}
+        onChange={(e): void => {
+          onPriorityChange(e.target.value);
+        }}
+        style={selectStyle}
+      >
+        {PRIORITY_OPTIONS.map((opt) => (
+          <option key={opt.value} value={opt.value}>
+            {opt.label}
+          </option>
+        ))}
+      </select>
+
+      {/* My Tasks toggle */}
+      <button
+        type="button"
+        onClick={onMyTasksToggle}
+        style={{
+          padding: "6px 12px",
+          borderRadius: "var(--r)",
+          border: myTasks ? "1px solid var(--primary)" : "1px solid var(--border)",
+          background: myTasks ? "var(--primary)" : "transparent",
+          color: myTasks ? "#fff" : "var(--text-2)",
+          fontSize: "0.83rem",
+          fontWeight: 500,
+          cursor: "pointer",
+          transition: "all 0.12s ease",
+          whiteSpace: "nowrap",
+        }}
+      >
+        My Tasks
+      </button>
+
+      {/* Clear filters */}
+      {hasActiveFilters && (
+        <button
+          type="button"
+          onClick={onClear}
+          style={{
+            padding: "6px 12px",
+            borderRadius: "var(--r)",
+            border: "1px solid var(--border)",
+            background: "transparent",
+            color: "var(--muted)",
+            fontSize: "0.83rem",
+            fontWeight: 500,
+            cursor: "pointer",
+            whiteSpace: "nowrap",
+          }}
+        >
+          Clear
+        </button>
+      )}
+    </div>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Kanban Board Page
+   --------------------------------------------------------------------------- */
+
+export default function KanbanPage(): ReactElement {
+  const workspaceId = useWorkspaceId();
+  const router = useRouter();
+  const searchParams = useSearchParams();
+
+  const [tasks, setTasks] = useState<Task[]>([]);
+  const [projects, setProjects] = useState<Project[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  // Read filters from URL params
+  const filterProject = searchParams.get("project") ?? "";
+  const filterPriority = searchParams.get("priority") ?? "";
+  const filterSearch = searchParams.get("q") ?? "";
+  const filterMyTasks = searchParams.get("my") === "1";
+
+  const hasActiveFilters =
+    filterProject !== "" || filterPriority !== "" || filterSearch !== "" || filterMyTasks;
+
+  /** Update a single URL param (preserving others) */
+  const setParam = useCallback(
+    (key: string, value: string) => {
+      const params = new URLSearchParams(searchParams.toString());
+      if (value) {
+        params.set(key, value);
+      } else {
+        params.delete(key);
+      }
+      router.replace(`/kanban?${params.toString()}`, { scroll: false });
+    },
+    [searchParams, router]
+  );
+
+  const handleProjectChange = useCallback(
+    (value: string) => {
+      setParam("project", value);
+    },
+    [setParam]
+  );
+
+  const handlePriorityChange = useCallback(
+    (value: string) => {
+      setParam("priority", value);
+    },
+    [setParam]
+  );
+
+  const handleSearchChange = useCallback(
+    (value: string) => {
+      setParam("q", value);
+    },
+    [setParam]
+  );
+
+  const handleMyTasksToggle = useCallback(() => {
+    setParam("my", filterMyTasks ? "" : "1");
+  }, [setParam, filterMyTasks]);
+
+  const handleClearFilters = useCallback(() => {
+    router.replace("/kanban", { scroll: false });
+  }, [router]);
+
+  /* --- data fetching --- */
+
+  const loadTasks = useCallback(async (wsId: string | null): Promise<void> => {
+    try {
+      setIsLoading(true);
+      setError(null);
+      const filters = wsId !== null ? { workspaceId: wsId } : {};
+      const data = await fetchTasks(filters);
+      setTasks(data);
+    } catch (err: unknown) {
+      console.error("[Kanban] Failed to fetch tasks:", err);
+      setError(
+        err instanceof Error
+          ? err.message
+          : "Something went wrong loading tasks. You could try again when ready."
+      );
+    } finally {
+      setIsLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    if (!workspaceId) {
+      setIsLoading(false);
+      return;
+    }
+
+    const ac = new AbortController();
+
+    async function load(): Promise<void> {
+      try {
+        setIsLoading(true);
+        setError(null);
+        const filters: TaskFilters = {};
+        if (workspaceId) filters.workspaceId = workspaceId;
+        const [taskData, projectData] = await Promise.all([
+          fetchTasks(filters),
+          fetchProjects(workspaceId ?? undefined),
+        ]);
+        if (ac.signal.aborted) return;
+        setTasks(taskData);
+        setProjects(projectData);
+      } catch (err: unknown) {
+        console.error("[Kanban] Failed to fetch tasks:", err);
+        if (ac.signal.aborted) return;
+        setError(
+          err instanceof Error
+            ? err.message
+            : "Something went wrong loading tasks. You could try again when ready."
+        );
+      } finally {
+        if (!ac.signal.aborted) {
+          setIsLoading(false);
+        }
+      }
+    }
+
+    void load();
+
+    return (): void => {
+      ac.abort();
+    };
+  }, [workspaceId]);
+
+  /* --- apply client-side filters --- */
+
+  const filteredTasks = useMemo(() => {
+    let result = tasks;
+
+    if (filterProject) {
+      result = result.filter((t) => t.projectId === filterProject);
+    }
+
+    if (filterPriority) {
+      result = result.filter((t) => t.priority === (filterPriority as TaskPriority));
+    }
+
+    if (filterSearch) {
+      const q = filterSearch.toLowerCase();
+      result = result.filter(
+        (t) => t.title.toLowerCase().includes(q) || t.description?.toLowerCase().includes(q)
+      );
+    }
+
+    if (filterMyTasks) {
+      // "My Tasks" filters to tasks assigned to the current user.
+      // Since we don't have the current userId readily available,
+      // filter by assigneeId being non-null (assigned tasks).
+      // A proper implementation would compare against the logged-in user's ID.
+      result = result.filter((t) => t.assigneeId !== null);
+    }
+
+    return result;
+  }, [tasks, filterProject, filterPriority, filterSearch, filterMyTasks]);
+
+  /* --- group tasks by status --- */
+
+  function groupByStatus(allTasks: Task[]): Record<TaskStatus, Task[]> {
+    const grouped: Record<TaskStatus, Task[]> = {
+      [TaskStatus.NOT_STARTED]: [],
+      [TaskStatus.IN_PROGRESS]: [],
+      [TaskStatus.PAUSED]: [],
+      [TaskStatus.COMPLETED]: [],
+      [TaskStatus.ARCHIVED]: [],
+    };
+
+    for (const task of allTasks) {
+      grouped[task.status].push(task);
+    }
+
+    return grouped;
+  }
+
+  const grouped = groupByStatus(filteredTasks);
+
+  /* --- drag-and-drop handler --- */
+
+  const handleDragEnd = useCallback(
+    (result: DropResult) => {
+      const { source, destination, draggableId } = result;
+
+      // Dropped outside a droppable area
+      if (!destination) return;
+
+      // Dropped in same position
+      if (source.droppableId === destination.droppableId && source.index === destination.index) {
+        return;
+      }
+
+      const newStatus = destination.droppableId as TaskStatus;
+      const taskId = draggableId;
+
+      // Optimistic update: move card in local state
+      setTasks((prev) => prev.map((t) => (t.id === taskId ? { ...t, status: newStatus } : t)));
+
+      // Persist to API
+      const wsId = workspaceId ?? undefined;
+      updateTask(taskId, { status: newStatus }, wsId).catch((err: unknown) => {
+        console.error("[Kanban] Failed to update task status:", err);
+        // Revert on failure by re-fetching
+        void loadTasks(workspaceId);
+      });
+    },
+    [workspaceId, loadTasks]
+  );
+
+  /* --- retry handler --- */
+
+  function handleRetry(): void {
+    void loadTasks(workspaceId);
+  }
+
+  /* --- render --- */
+
+  return (
+    <main style={{ padding: "32px 24px", minHeight: "100%" }}>
+      {/* Page header */}
+      <div style={{ marginBottom: 16 }}>
+        <h1
+          style={{
+            fontSize: "1.875rem",
+            fontWeight: 700,
+            color: "var(--text)",
+            margin: 0,
+          }}
+        >
+          Kanban Board
+        </h1>
+        <p
+          style={{
+            fontSize: "0.9rem",
+            color: "var(--muted)",
+            marginTop: 4,
+          }}
+        >
+          Visualize and manage task progress across stages
+        </p>
+      </div>
+
+      {/* Filter bar */}
+      <FilterBar
+        projects={projects}
+        projectId={filterProject}
+        priority={filterPriority}
+        search={filterSearch}
+        myTasks={filterMyTasks}
+        onProjectChange={handleProjectChange}
+        onPriorityChange={handlePriorityChange}
+        onSearchChange={handleSearchChange}
+        onMyTasksToggle={handleMyTasksToggle}
+        onClear={handleClearFilters}
+        hasActiveFilters={hasActiveFilters}
+      />
+
+      {/* Loading state */}
+      {isLoading ? (
+        <div className="flex justify-center py-16">
+          <MosaicSpinner label="Loading tasks..." />
+        </div>
+      ) : error !== null ? (
+        /* Error state */
+        <div
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--r-lg)",
+            padding: 32,
+            textAlign: "center",
+          }}
+        >
+          <p style={{ color: "var(--danger)", margin: "0 0 16px" }}>{error}</p>
+          <button
+            onClick={handleRetry}
+            style={{
+              padding: "8px 16px",
+              background: "var(--danger)",
+              border: "none",
+              borderRadius: "var(--r)",
+              color: "#fff",
+              fontSize: "0.85rem",
+              fontWeight: 500,
+              cursor: "pointer",
+            }}
+          >
+            Try again
+          </button>
+        </div>
+      ) : filteredTasks.length === 0 && tasks.length > 0 ? (
+        /* No results (filtered) */
+        <div
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--r-lg)",
+            padding: 48,
+            textAlign: "center",
+          }}
+        >
+          <p style={{ color: "var(--muted)", margin: 0, fontSize: "0.9rem" }}>
+            No tasks match your filters.
+          </p>
+          <button
+            type="button"
+            onClick={handleClearFilters}
+            style={{
+              marginTop: 12,
+              padding: "6px 14px",
+              borderRadius: "var(--r)",
+              border: "1px solid var(--border)",
+              background: "transparent",
+              color: "var(--text-2)",
+              fontSize: "0.83rem",
+              cursor: "pointer",
+            }}
+          >
+            Clear filters
+          </button>
+        </div>
+      ) : tasks.length === 0 ? (
+        /* Empty state */
+        <div
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--r-lg)",
+            padding: 48,
+            textAlign: "center",
+          }}
+        >
+          <p style={{ color: "var(--muted)", margin: 0, fontSize: "0.9rem" }}>
+            No tasks yet. Create some tasks to see them here.
+          </p>
+        </div>
+      ) : (
+        /* Board */
+        <DragDropContext onDragEnd={handleDragEnd}>
+          <div
+            style={{
+              display: "flex",
+              gap: 16,
+              overflowX: "auto",
+              paddingBottom: 16,
+              minHeight: 400,
+            }}
+          >
+            {COLUMNS.map((col) => (
+              <KanbanColumn key={col.status} config={col} tasks={grouped[col.status]} />
+            ))}
+          </div>
+        </DragDropContext>
+      )}
+    </main>
+  );
+}
--- a/apps/web/src/app/(authenticated)/knowledge/page.tsx
+++ b/apps/web/src/app/(authenticated)/knowledge/page.tsx
@@ -2,23 +2,25 @@

 import type { ReactElement } from "react";

-import { useState, useMemo } from "react";
+import { useState, useEffect, useCallback } from "react";
+import type { KnowledgeEntryWithTags, KnowledgeTag } from "@mosaic/shared";
 import type { EntryStatus } from "@mosaic/shared";
 import { EntryList } from "@/components/knowledge/EntryList";
 import { EntryFilters } from "@/components/knowledge/EntryFilters";
 import { ImportExportActions } from "@/components/knowledge";
-import { mockEntries, mockTags } from "@/lib/api/knowledge";
+import { fetchEntries, fetchTags } from "@/lib/api/knowledge";
+import type { EntriesResponse } from "@/lib/api/knowledge";
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
 import Link from "next/link";
 import { Plus } from "lucide-react";

 export default function KnowledgePage(): ReactElement {
-  // TODO: Replace with real API call when backend is ready
-  // const { data: entries, isLoading } = useQuery({
-  //   queryKey: ["knowledge-entries"],
-  //   queryFn: fetchEntries,
-  // });
-
-  const [isLoading] = useState(false);
+  // Data state
+  const [entries, setEntries] = useState<KnowledgeEntryWithTags[]>([]);
+  const [tags, setTags] = useState<KnowledgeTag[]>([]);
+  const [totalEntries, setTotalEntries] = useState(0);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);

  // Filter and sort state
  const [selectedStatus, setSelectedStatus] = useState<EntryStatus | "all">("all");
@@ -31,60 +33,65 @@ export default function KnowledgePage(): ReactElement {
  const [currentPage, setCurrentPage] = useState(1);
  const itemsPerPage = 10;

-  // Client-side filtering and sorting
-  const filteredAndSortedEntries = useMemo(() => {
-    let filtered = [...mockEntries];
+  // Load tags on mount
+  useEffect(() => {
+    let cancelled = false;

-    // Filter by status
-    if (selectedStatus !== "all") {
-      filtered = filtered.filter((entry) => entry.status === selectedStatus);
-    }
+    fetchTags()
+      .then((result) => {
+        if (!cancelled) {
+          setTags(result);
+        }
+      })
+      .catch((err: unknown) => {
+        console.error("Failed to load tags:", err);
+      });

-    // Filter by tag
-    if (selectedTag !== "all") {
-      filtered = filtered.filter((entry) =>
-        entry.tags.some((tag: { slug: string }) => tag.slug === selectedTag)
-      );
-    }
+    return (): void => {
+      cancelled = true;
+    };
+  }, []);

-    // Filter by search query
-    if (searchQuery.trim()) {
-      const query = searchQuery.toLowerCase();
-      filtered = filtered.filter(
-        (entry) =>
-          entry.title.toLowerCase().includes(query) ||
-          (entry.summary?.toLowerCase().includes(query) ?? false) ||
-          entry.tags.some((tag: { name: string }): boolean =>
-            tag.name.toLowerCase().includes(query)
-          )
-      );
-    }
+  // Load entries when filters/sort/page change
+  const loadEntries = useCallback(async (): Promise<void> => {
+    setIsLoading(true);
+    setError(null);

-    // Sort entries
-    filtered.sort((a, b) => {
-      let comparison = 0;
+    try {
+      const filters: Record<string, unknown> = {
+        page: currentPage,
+        limit: itemsPerPage,
+        sortBy,
+        sortOrder,
+      };

-      if (sortBy === "title") {
-        comparison = a.title.localeCompare(b.title);
-      } else if (sortBy === "createdAt") {
-        comparison = new Date(a.createdAt).getTime() - new Date(b.createdAt).getTime();
-      } else {
-        // updatedAt
-        comparison = new Date(a.updatedAt).getTime() - new Date(b.updatedAt).getTime();
+      if (selectedStatus !== "all") {
+        filters.status = selectedStatus;
+      }
+      if (selectedTag !== "all") {
+        filters.tag = selectedTag;
+      }
+      if (searchQuery.trim()) {
+        filters.search = searchQuery.trim();
      }

-      return sortOrder === "asc" ? comparison : -comparison;
-    });
+      const response: EntriesResponse = await fetchEntries(
+        filters as Parameters<typeof fetchEntries>[0]
+      );
+      setEntries(response.data);
+      setTotalEntries(response.meta?.total ?? response.data.length);
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : "Failed to load entries");
+    } finally {
+      setIsLoading(false);
+    }
+  }, [currentPage, itemsPerPage, sortBy, sortOrder, selectedStatus, selectedTag, searchQuery]);

-    return filtered;
-  }, [selectedStatus, selectedTag, searchQuery, sortBy, sortOrder]);
+  useEffect(() => {
+    void loadEntries();
+  }, [loadEntries]);

-  // Pagination
-  const totalPages = Math.ceil(filteredAndSortedEntries.length / itemsPerPage);
-  const paginatedEntries = filteredAndSortedEntries.slice(
-    (currentPage - 1) * itemsPerPage,
-    currentPage * itemsPerPage
-  );
+  const totalPages = Math.max(1, Math.ceil(totalEntries / itemsPerPage));

  // Reset to page 1 when filters change
  const handleFilterChange = (callback: () => void): void => {
@@ -101,6 +108,16 @@ export default function KnowledgePage(): ReactElement {
    setCurrentPage(1);
  };

+  if (isLoading && entries.length === 0) {
+    return (
+      <main className="container mx-auto px-4 py-8 max-w-5xl">
+        <div className="flex justify-center items-center py-20">
+          <MosaicSpinner size={48} label="Loading knowledge base..." />
+        </div>
+      </main>
+    );
+  }
+
  return (
    <main className="container mx-auto px-4 py-8 max-w-5xl">
      {/* Header */}
@@ -125,14 +142,37 @@ export default function KnowledgePage(): ReactElement {
        <div className="flex justify-end">
          <ImportExportActions
            onImportComplete={() => {
-              // TODO: Refresh the entry list when real API is connected
-              // For now, this would trigger a refetch of the entries
-              window.location.reload();
+              void loadEntries();
            }}
          />
        </div>
      </div>

+      {/* Error state */}
+      {error && (
+        <div
+          className="mb-6 p-4 rounded-lg border"
+          style={{
+            borderColor: "var(--danger)",
+            background: "rgba(229,72,77,0.08)",
+          }}
+        >
+          <p className="text-sm" style={{ color: "var(--danger)" }}>
+            {error}
+          </p>
+          <button
+            type="button"
+            onClick={() => {
+              void loadEntries();
+            }}
+            className="mt-2 text-sm font-medium underline"
+            style={{ color: "var(--danger)" }}
+          >
+            Retry
+          </button>
+        </div>
+      )}
+
      {/* Filters */}
      <EntryFilters
        selectedStatus={selectedStatus}
@@ -140,7 +180,7 @@ export default function KnowledgePage(): ReactElement {
        searchQuery={searchQuery}
        sortBy={sortBy}
        sortOrder={sortOrder}
-        tags={mockTags}
+        tags={tags}
        onStatusChange={(status) => {
          handleFilterChange(() => {
            setSelectedStatus(status);
@@ -161,7 +201,7 @@ export default function KnowledgePage(): ReactElement {

      {/* Entry list */}
      <EntryList
-        entries={paginatedEntries}
+        entries={entries}
        isLoading={isLoading}
        currentPage={currentPage}
        totalPages={totalPages}
--- a/apps/web/src/app/(authenticated)/layout.tsx
+++ b/apps/web/src/app/(authenticated)/layout.tsx
@@ -3,10 +3,80 @@
 import { useEffect } from "react";
 import { useRouter } from "next/navigation";
 import { useAuth } from "@/lib/auth/auth-context";
-import { Navigation } from "@/components/layout/Navigation";
+import { IS_MOCK_AUTH_MODE } from "@/lib/config";
+import { AppHeader } from "@/components/layout/AppHeader";
+import { AppSidebar } from "@/components/layout/AppSidebar";
+import { SidebarProvider, useSidebar } from "@/components/layout/SidebarContext";
 import { ChatOverlay } from "@/components/chat";
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
 import type { ReactNode } from "react";

+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+const SIDEBAR_EXPANDED_WIDTH = "240px";
+const SIDEBAR_COLLAPSED_WIDTH = "60px";
+
+// ---------------------------------------------------------------------------
+// Inner shell — must be a child of SidebarProvider to use useSidebar
+// ---------------------------------------------------------------------------
+
+interface AppShellProps {
+  children: ReactNode;
+}
+
+function AppShell({ children }: AppShellProps): React.JSX.Element {
+  const { collapsed, isMobile } = useSidebar();
+
+  // On tablet (md–lg), hide sidebar from the grid when the sidebar is collapsed.
+  // On mobile, the sidebar is fixed-position so the grid is always single-column.
+  const sidebarHidden = !isMobile && collapsed;
+
+  return (
+    <div
+      className="app-shell"
+      data-sidebar-hidden={sidebarHidden ? "true" : undefined}
+      style={
+        {
+          "--sidebar-w": collapsed ? SIDEBAR_COLLAPSED_WIDTH : SIDEBAR_EXPANDED_WIDTH,
+          transition: "grid-template-columns 0.2s var(--ease, ease)",
+        } as React.CSSProperties
+      }
+    >
+      {/* Full-width header — grid-column: 1 / -1 via .app-header CSS class */}
+      <AppHeader />
+
+      {/* Sidebar — left column, row 2, via .app-sidebar CSS class */}
+      <AppSidebar />
+
+      {/* Main content — right column, row 2, via .app-main CSS class */}
+      <main className="app-main" id="main-content">
+        {IS_MOCK_AUTH_MODE && (
+          <div
+            className="border-b px-4 py-2 text-xs font-medium flex-shrink-0"
+            style={{
+              borderColor: "var(--ms-amber-500)",
+              background: "rgba(245, 158, 11, 0.08)",
+              color: "var(--ms-amber-400)",
+            }}
+            data-testid="mock-auth-banner"
+          >
+            Mock Auth Mode (Local Only): Real authentication is bypassed for frontend development.
+          </div>
+        )}
+        <div className="flex-1 overflow-y-auto p-5">{children}</div>
+      </main>
+
+      {!IS_MOCK_AUTH_MODE && <ChatOverlay />}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Authenticated layout — handles auth guard + provides sidebar context
+// ---------------------------------------------------------------------------
+
 export default function AuthenticatedLayout({
  children,
 }: {
@@ -22,11 +92,7 @@ export default function AuthenticatedLayout({
  }, [isAuthenticated, isLoading, router]);

  if (isLoading) {
-    return (
-      <div className="flex min-h-screen items-center justify-center">
-        <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-gray-900"></div>
-      </div>
-    );
+    return <MosaicSpinner size={48} fullPage />;
  }

  if (!isAuthenticated) {
@@ -34,10 +100,8 @@ export default function AuthenticatedLayout({
  }

  return (
-    <div className="min-h-screen bg-gray-50">
-      <Navigation />
-      <div className="pt-16">{children}</div>
-      <ChatOverlay />
-    </div>
+    <SidebarProvider>
+      <AppShell>{children}</AppShell>
+    </SidebarProvider>
  );
 }
--- a/apps/web/src/app/(authenticated)/logs/page.tsx
+++ b/apps/web/src/app/(authenticated)/logs/page.tsx
@@ -0,0 +1,851 @@
+"use client";
+
+import { useState, useEffect, useCallback, useRef } from "react";
+import type { ReactElement } from "react";
+
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
+import { fetchRunnerJobs, fetchJobSteps, RunnerJobStatus } from "@/lib/api/runner-jobs";
+import type { RunnerJob, JobStep } from "@/lib/api/runner-jobs";
+import { useWorkspaceId } from "@/lib/hooks";
+
+// ─── Constants ────────────────────────────────────────────────────────
+
+type StatusFilter = "all" | "running" | "completed" | "failed" | "queued";
+type DateRange = "24h" | "7d" | "30d" | "all";
+
+const STATUS_OPTIONS: { value: StatusFilter; label: string }[] = [
+  { value: "all", label: "All statuses" },
+  { value: "running", label: "Running" },
+  { value: "completed", label: "Completed" },
+  { value: "failed", label: "Failed" },
+  { value: "queued", label: "Queued" },
+];
+
+const DATE_RANGES: { value: DateRange; label: string }[] = [
+  { value: "24h", label: "Last 24h" },
+  { value: "7d", label: "7d" },
+  { value: "30d", label: "30d" },
+  { value: "all", label: "All" },
+];
+
+const STATUS_FILTER_TO_ENUM: Record<StatusFilter, RunnerJobStatus[] | undefined> = {
+  all: undefined,
+  running: [RunnerJobStatus.RUNNING],
+  completed: [RunnerJobStatus.COMPLETED],
+  failed: [RunnerJobStatus.FAILED],
+  queued: [RunnerJobStatus.QUEUED, RunnerJobStatus.PENDING],
+};
+
+const POLL_INTERVAL_MS = 5_000;
+
+// ─── Helpers ──────────────────────────────────────────────────────────
+
+function getStatusColor(status: string): string {
+  switch (status) {
+    case "RUNNING":
+      return "var(--ms-amber-400)";
+    case "COMPLETED":
+      return "var(--ms-teal-400)";
+    case "FAILED":
+    case "CANCELLED":
+      return "var(--danger)";
+    case "QUEUED":
+    case "PENDING":
+      return "var(--ms-blue-400)";
+    default:
+      return "var(--muted)";
+  }
+}
+
+function formatRelativeTime(dateStr: string | null): string {
+  if (!dateStr) return "\u2014";
+  const date = new Date(dateStr);
+  const now = Date.now();
+  const diffMs = now - date.getTime();
+  const diffSec = Math.floor(diffMs / 1_000);
+  const diffMin = Math.floor(diffSec / 60);
+  const diffHr = Math.floor(diffMin / 60);
+  const diffDay = Math.floor(diffHr / 24);
+
+  if (diffSec < 60) return "just now";
+  if (diffMin < 60) return `${String(diffMin)}m ago`;
+  if (diffHr < 24) return `${String(diffHr)}h ago`;
+  if (diffDay < 30) return `${String(diffDay)}d ago`;
+  return date.toLocaleDateString();
+}
+
+function formatDuration(startedAt: string | null, completedAt: string | null): string {
+  if (!startedAt) return "\u2014";
+  const start = new Date(startedAt).getTime();
+  const end = completedAt ? new Date(completedAt).getTime() : Date.now();
+  const ms = end - start;
+  if (ms < 1_000) return `${String(ms)}ms`;
+  const sec = Math.floor(ms / 1_000);
+  if (sec < 60) return `${String(sec)}s`;
+  const min = Math.floor(sec / 60);
+  const remainSec = sec % 60;
+  return `${String(min)}m ${String(remainSec)}s`;
+}
+
+function formatStepDuration(durationMs: number | null): string {
+  if (durationMs === null) return "\u2014";
+  if (durationMs < 1_000) return `${String(durationMs)}ms`;
+  const sec = Math.floor(durationMs / 1_000);
+  if (sec < 60) return `${String(sec)}s`;
+  const min = Math.floor(sec / 60);
+  const remainSec = sec % 60;
+  return `${String(min)}m ${String(remainSec)}s`;
+}
+
+function isWithinDateRange(dateStr: string, range: DateRange): boolean {
+  if (range === "all") return true;
+  const date = new Date(dateStr);
+  const now = Date.now();
+  const hours = range === "24h" ? 24 : range === "7d" ? 168 : 720;
+  return now - date.getTime() < hours * 60 * 60 * 1_000;
+}
+
+// ─── Status Badge ─────────────────────────────────────────────────────
+
+function StatusBadge({ status }: { status: string }): ReactElement {
+  const color = getStatusColor(status);
+  const isRunning = status === "RUNNING";
+
+  return (
+    <span
+      style={{
+        display: "inline-flex",
+        alignItems: "center",
+        gap: 6,
+        padding: "2px 10px",
+        borderRadius: 9999,
+        fontSize: "0.75rem",
+        fontWeight: 600,
+        color,
+        background: `color-mix(in srgb, ${color} 15%, transparent)`,
+        border: `1px solid color-mix(in srgb, ${color} 30%, transparent)`,
+        textTransform: "capitalize",
+      }}
+    >
+      {isRunning && (
+        <span
+          style={{
+            width: 6,
+            height: 6,
+            borderRadius: "50%",
+            background: color,
+            animation: "pulse 1.5s ease-in-out infinite",
+          }}
+        />
+      )}
+      {status.toLowerCase()}
+    </span>
+  );
+}
+
+// ─── Main Page Component ──────────────────────────────────────────────
+
+export default function LogsPage(): ReactElement {
+  const workspaceId = useWorkspaceId();
+
+  // Data state
+  const [jobs, setJobs] = useState<RunnerJob[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  // Expanded job and steps
+  const [expandedJobId, setExpandedJobId] = useState<string | null>(null);
+  const [jobStepsMap, setJobStepsMap] = useState<Record<string, JobStep[]>>({});
+  const [stepsLoading, setStepsLoading] = useState<Set<string>>(new Set());
+
+  // Filters
+  const [statusFilter, setStatusFilter] = useState<StatusFilter>("all");
+  const [dateRange, setDateRange] = useState<DateRange>("7d");
+  const [searchQuery, setSearchQuery] = useState("");
+
+  // Auto-refresh
+  const [autoRefresh, setAutoRefresh] = useState(false);
+  const intervalRef = useRef<ReturnType<typeof setInterval> | null>(null);
+
+  // Hover state
+  const [hoveredRowId, setHoveredRowId] = useState<string | null>(null);
+
+  // ─── Data Loading ─────────────────────────────────────────────────
+
+  const loadJobs = useCallback(async (): Promise<void> => {
+    try {
+      const statusEnums = STATUS_FILTER_TO_ENUM[statusFilter];
+      const filters: Parameters<typeof fetchRunnerJobs>[0] = {};
+      if (workspaceId) {
+        filters.workspaceId = workspaceId;
+      }
+      if (statusEnums) {
+        filters.status = statusEnums;
+      }
+
+      const data = await fetchRunnerJobs(filters);
+      setJobs(data);
+      setError(null);
+    } catch (err: unknown) {
+      console.error("[Logs] Failed to fetch runner jobs:", err);
+      setError(
+        err instanceof Error
+          ? err.message
+          : "We had trouble loading jobs. Please try again when you're ready."
+      );
+    }
+  }, [workspaceId, statusFilter]);
+
+  // Initial load
+  useEffect(() => {
+    let cancelled = false;
+    setIsLoading(true);
+
+    loadJobs()
+      .then(() => {
+        if (!cancelled) {
+          setIsLoading(false);
+        }
+      })
+      .catch(() => {
+        if (!cancelled) {
+          setIsLoading(false);
+        }
+      });
+
+    return (): void => {
+      cancelled = true;
+    };
+  }, [loadJobs]);
+
+  // Auto-refresh polling
+  useEffect(() => {
+    if (autoRefresh) {
+      intervalRef.current = setInterval(() => {
+        void loadJobs();
+      }, POLL_INTERVAL_MS);
+    } else if (intervalRef.current) {
+      clearInterval(intervalRef.current);
+      intervalRef.current = null;
+    }
+
+    return (): void => {
+      if (intervalRef.current) {
+        clearInterval(intervalRef.current);
+        intervalRef.current = null;
+      }
+    };
+  }, [autoRefresh, loadJobs]);
+
+  // ─── Steps Loading ────────────────────────────────────────────────
+
+  const toggleExpand = useCallback(
+    (jobId: string) => {
+      if (expandedJobId === jobId) {
+        setExpandedJobId(null);
+        return;
+      }
+
+      setExpandedJobId(jobId);
+
+      // Load steps if not already loaded
+      if (!jobStepsMap[jobId] && !stepsLoading.has(jobId)) {
+        setStepsLoading((prev) => new Set(prev).add(jobId));
+
+        fetchJobSteps(jobId, workspaceId ?? undefined)
+          .then((steps) => {
+            setJobStepsMap((prev) => ({ ...prev, [jobId]: steps }));
+          })
+          .catch((err: unknown) => {
+            console.error("[Logs] Failed to fetch steps for job:", jobId, err);
+            setJobStepsMap((prev) => ({ ...prev, [jobId]: [] }));
+          })
+          .finally(() => {
+            setStepsLoading((prev) => {
+              const next = new Set(prev);
+              next.delete(jobId);
+              return next;
+            });
+          });
+      }
+    },
+    [expandedJobId, jobStepsMap, stepsLoading, workspaceId]
+  );
+
+  // ─── Filtering ────────────────────────────────────────────────────
+
+  const filteredJobs = jobs.filter((job) => {
+    // Date range filter
+    if (!isWithinDateRange(job.createdAt, dateRange)) return false;
+
+    // Search filter
+    if (searchQuery.trim()) {
+      const q = searchQuery.toLowerCase();
+      const matchesType = job.type.toLowerCase().includes(q);
+      const matchesId = job.id.toLowerCase().includes(q);
+      if (!matchesType && !matchesId) return false;
+    }
+
+    return true;
+  });
+
+  // ─── Manual Refresh ───────────────────────────────────────────────
+
+  const handleManualRefresh = (): void => {
+    setIsLoading(true);
+    void loadJobs().finally(() => {
+      setIsLoading(false);
+    });
+  };
+
+  const handleRetry = (): void => {
+    setError(null);
+    handleManualRefresh();
+  };
+
+  // ─── Render ───────────────────────────────────────────────────────
+
+  return (
+    <main className="container mx-auto px-4 py-8">
+      {/* Pulse animation for running status */}
+      <style>{`
+        @keyframes pulse {
+          0%, 100% { opacity: 1; }
+          50% { opacity: 0.4; }
+        }
+        @keyframes auto-refresh-spin {
+          from { transform: rotate(0deg); }
+          to { transform: rotate(360deg); }
+        }
+      `}</style>
+
+      {/* ─── Header ─────────────────────────────────────────────── */}
+      <div
+        style={{
+          display: "flex",
+          flexWrap: "wrap",
+          alignItems: "center",
+          justifyContent: "space-between",
+          gap: 16,
+          marginBottom: 32,
+        }}
+      >
+        <div>
+          <h1 className="text-3xl font-bold" style={{ color: "var(--text)" }}>
+            Logs &amp; Telemetry
+          </h1>
+          <p className="mt-1" style={{ color: "var(--text-muted)" }}>
+            Runner job history and step-level detail
+          </p>
+        </div>
+
+        <div style={{ display: "flex", alignItems: "center", gap: 12 }}>
+          {/* Auto-refresh toggle */}
+          <button
+            onClick={() => {
+              setAutoRefresh((prev) => !prev);
+            }}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 8,
+              padding: "8px 14px",
+              borderRadius: 8,
+              fontSize: "0.82rem",
+              fontWeight: 500,
+              cursor: "pointer",
+              border: `1px solid ${autoRefresh ? "var(--ms-teal-400)" : "var(--border)"}`,
+              background: autoRefresh
+                ? "color-mix(in srgb, var(--ms-teal-400) 12%, transparent)"
+                : "var(--surface)",
+              color: autoRefresh ? "var(--ms-teal-400)" : "var(--text-muted)",
+              transition: "all 150ms ease",
+            }}
+          >
+            {autoRefresh && (
+              <span
+                style={{
+                  width: 8,
+                  height: 8,
+                  borderRadius: "50%",
+                  background: "var(--ms-teal-400)",
+                  animation: "pulse 1.5s ease-in-out infinite",
+                }}
+              />
+            )}
+            Auto-refresh {autoRefresh ? "on" : "off"}
+          </button>
+
+          {/* Manual refresh */}
+          <button
+            onClick={handleManualRefresh}
+            disabled={isLoading}
+            style={{
+              padding: "8px 14px",
+              borderRadius: 8,
+              fontSize: "0.82rem",
+              fontWeight: 500,
+              cursor: isLoading ? "not-allowed" : "pointer",
+              border: "1px solid var(--border)",
+              background: "var(--surface)",
+              color: "var(--text-muted)",
+              opacity: isLoading ? 0.5 : 1,
+              transition: "all 150ms ease",
+            }}
+          >
+            Refresh
+          </button>
+        </div>
+      </div>
+
+      {/* ─── Filter Bar ─────────────────────────────────────────── */}
+      <div
+        style={{
+          display: "flex",
+          flexWrap: "wrap",
+          alignItems: "center",
+          gap: 12,
+          marginBottom: 24,
+        }}
+      >
+        {/* Status filter */}
+        <select
+          value={statusFilter}
+          onChange={(e) => {
+            setStatusFilter(e.target.value as StatusFilter);
+          }}
+          style={{
+            padding: "8px 12px",
+            borderRadius: 8,
+            fontSize: "0.82rem",
+            border: "1px solid var(--border)",
+            background: "var(--surface)",
+            color: "var(--text)",
+            cursor: "pointer",
+            minWidth: 140,
+          }}
+        >
+          {STATUS_OPTIONS.map((opt) => (
+            <option key={opt.value} value={opt.value}>
+              {opt.label}
+            </option>
+          ))}
+        </select>
+
+        {/* Date range tabs */}
+        <div
+          style={{
+            display: "flex",
+            borderRadius: 8,
+            overflow: "hidden",
+            border: "1px solid var(--border)",
+          }}
+        >
+          {DATE_RANGES.map((range) => (
+            <button
+              key={range.value}
+              onClick={() => {
+                setDateRange(range.value);
+              }}
+              style={{
+                padding: "8px 14px",
+                fontSize: "0.82rem",
+                fontWeight: 500,
+                cursor: "pointer",
+                border: "none",
+                borderRight: "1px solid var(--border)",
+                background: dateRange === range.value ? "var(--primary)" : "var(--surface)",
+                color: dateRange === range.value ? "#fff" : "var(--text-muted)",
+                transition: "all 150ms ease",
+              }}
+            >
+              {range.label}
+            </button>
+          ))}
+        </div>
+
+        {/* Search input */}
+        <input
+          type="text"
+          placeholder="Search by job type..."
+          value={searchQuery}
+          onChange={(e) => {
+            setSearchQuery(e.target.value);
+          }}
+          style={{
+            padding: "8px 12px",
+            borderRadius: 8,
+            fontSize: "0.82rem",
+            border: "1px solid var(--border)",
+            background: "var(--surface)",
+            color: "var(--text)",
+            minWidth: 200,
+            flex: "1 1 200px",
+            maxWidth: 320,
+          }}
+        />
+      </div>
+
+      {/* ─── Content ────────────────────────────────────────────── */}
+      {isLoading && jobs.length === 0 ? (
+        <div className="flex justify-center py-16">
+          <MosaicSpinner label="Loading jobs..." />
+        </div>
+      ) : error !== null ? (
+        <div
+          className="rounded-lg p-6 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p style={{ color: "var(--danger)" }}>{error}</p>
+          <button
+            onClick={handleRetry}
+            className="mt-4 rounded-md px-4 py-2 text-sm font-medium text-white transition-colors"
+            style={{ background: "var(--danger)", cursor: "pointer", border: "none" }}
+          >
+            Try again
+          </button>
+        </div>
+      ) : filteredJobs.length === 0 ? (
+        <div
+          className="rounded-lg p-8 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p style={{ color: "var(--text-muted)" }}>No jobs found</p>
+        </div>
+      ) : (
+        /* ─── Job Table ──────────────────────────────────────────── */
+        <div
+          style={{
+            borderRadius: 12,
+            border: "1px solid var(--border)",
+            overflow: "hidden",
+          }}
+        >
+          <div style={{ overflowX: "auto" }}>
+            <table style={{ width: "100%", borderCollapse: "collapse" }}>
+              <thead>
+                <tr
+                  style={{
+                    background: "var(--bg-mid)",
+                  }}
+                >
+                  {["Job Type", "Status", "Started", "Duration", "Steps"].map((header) => (
+                    <th
+                      key={header}
+                      style={{
+                        padding: "10px 16px",
+                        textAlign: "left",
+                        fontSize: "0.75rem",
+                        fontWeight: 600,
+                        textTransform: "uppercase",
+                        letterSpacing: "0.05em",
+                        color: "var(--muted)",
+                        fontFamily: "var(--mono)",
+                        whiteSpace: "nowrap",
+                      }}
+                    >
+                      {header}
+                    </th>
+                  ))}
+                </tr>
+              </thead>
+              <tbody>
+                {filteredJobs.map((job) => {
+                  const isExpanded = expandedJobId === job.id;
+                  const isHovered = hoveredRowId === job.id;
+                  const steps = jobStepsMap[job.id];
+                  const isStepsLoading = stepsLoading.has(job.id);
+
+                  return (
+                    <JobRow
+                      key={job.id}
+                      job={job}
+                      isExpanded={isExpanded}
+                      isHovered={isHovered}
+                      steps={steps}
+                      isStepsLoading={isStepsLoading}
+                      onToggle={() => {
+                        toggleExpand(job.id);
+                      }}
+                      onMouseEnter={() => {
+                        setHoveredRowId(job.id);
+                      }}
+                      onMouseLeave={() => {
+                        setHoveredRowId(null);
+                      }}
+                    />
+                  );
+                })}
+              </tbody>
+            </table>
+          </div>
+        </div>
+      )}
+    </main>
+  );
+}
+
+// ─── Job Row Component ────────────────────────────────────────────────
+
+function JobRow({
+  job,
+  isExpanded,
+  isHovered,
+  steps,
+  isStepsLoading,
+  onToggle,
+  onMouseEnter,
+  onMouseLeave,
+}: {
+  job: RunnerJob;
+  isExpanded: boolean;
+  isHovered: boolean;
+  steps: JobStep[] | undefined;
+  isStepsLoading: boolean;
+  onToggle: () => void;
+  onMouseEnter: () => void;
+  onMouseLeave: () => void;
+}): ReactElement {
+  return (
+    <>
+      <tr
+        onClick={onToggle}
+        onMouseEnter={onMouseEnter}
+        onMouseLeave={onMouseLeave}
+        style={{
+          background: isExpanded
+            ? "var(--surface-2)"
+            : isHovered
+              ? "var(--surface-2)"
+              : "var(--surface)",
+          cursor: "pointer",
+          borderBottom: isExpanded ? "none" : "1px solid var(--border)",
+          transition: "background 100ms ease",
+        }}
+      >
+        <td
+          style={{
+            padding: "12px 16px",
+            fontSize: "0.85rem",
+            fontWeight: 500,
+            color: "var(--text)",
+            whiteSpace: "nowrap",
+          }}
+        >
+          <span style={{ display: "inline-flex", alignItems: "center", gap: 8 }}>
+            <span
+              style={{
+                display: "inline-block",
+                width: 16,
+                textAlign: "center",
+                fontSize: "0.7rem",
+                color: "var(--muted)",
+                transition: "transform 150ms ease",
+                transform: isExpanded ? "rotate(90deg)" : "rotate(0deg)",
+              }}
+            >
+              &#9654;
+            </span>
+            {job.type}
+          </span>
+        </td>
+        <td style={{ padding: "12px 16px" }}>
+          <StatusBadge status={job.status} />
+        </td>
+        <td
+          style={{
+            padding: "12px 16px",
+            fontSize: "0.82rem",
+            fontFamily: "var(--mono)",
+            color: "var(--text-muted)",
+            whiteSpace: "nowrap",
+          }}
+        >
+          {formatRelativeTime(job.startedAt ?? job.createdAt)}
+        </td>
+        <td
+          style={{
+            padding: "12px 16px",
+            fontSize: "0.82rem",
+            fontFamily: "var(--mono)",
+            color: "var(--text-muted)",
+            whiteSpace: "nowrap",
+          }}
+        >
+          {formatDuration(job.startedAt, job.completedAt)}
+        </td>
+        <td
+          style={{
+            padding: "12px 16px",
+            fontSize: "0.82rem",
+            fontFamily: "var(--mono)",
+            color: "var(--text-muted)",
+          }}
+        >
+          {steps ? String(steps.length) : "\u2014"}
+        </td>
+      </tr>
+
+      {/* Expanded Steps Section */}
+      {isExpanded && (
+        <tr>
+          <td
+            colSpan={5}
+            style={{
+              padding: 0,
+              borderBottom: "1px solid var(--border)",
+            }}
+          >
+            <div
+              style={{
+                background: "var(--bg-mid)",
+                padding: "12px 16px 12px 48px",
+              }}
+            >
+              {isStepsLoading ? (
+                <div style={{ display: "flex", justifyContent: "center", padding: 16 }}>
+                  <MosaicSpinner size={24} label="Loading steps..." />
+                </div>
+              ) : !steps || steps.length === 0 ? (
+                <p
+                  style={{
+                    fontSize: "0.82rem",
+                    color: "var(--text-muted)",
+                    padding: "8px 0",
+                  }}
+                >
+                  No steps recorded for this job
+                </p>
+              ) : (
+                <table style={{ width: "100%", borderCollapse: "collapse" }}>
+                  <thead>
+                    <tr>
+                      {["#", "Name", "Phase", "Status", "Duration"].map((header) => (
+                        <th
+                          key={header}
+                          style={{
+                            padding: "6px 12px",
+                            textAlign: "left",
+                            fontSize: "0.7rem",
+                            fontWeight: 600,
+                            textTransform: "uppercase",
+                            letterSpacing: "0.05em",
+                            color: "var(--muted)",
+                            fontFamily: "var(--mono)",
+                            borderBottom: "1px solid var(--border)",
+                            whiteSpace: "nowrap",
+                          }}
+                        >
+                          {header}
+                        </th>
+                      ))}
+                    </tr>
+                  </thead>
+                  <tbody>
+                    {steps
+                      .sort((a, b) => a.ordinal - b.ordinal)
+                      .map((step) => (
+                        <StepRow key={step.id} step={step} />
+                      ))}
+                  </tbody>
+                </table>
+              )}
+
+              {/* Job error message if failed */}
+              {job.error && (
+                <div
+                  style={{
+                    marginTop: 12,
+                    padding: "8px 12px",
+                    borderRadius: 6,
+                    fontSize: "0.78rem",
+                    fontFamily: "var(--mono)",
+                    color: "var(--danger)",
+                    background: "color-mix(in srgb, var(--danger) 8%, transparent)",
+                    border: "1px solid color-mix(in srgb, var(--danger) 20%, transparent)",
+                    wordBreak: "break-all",
+                  }}
+                >
+                  {job.error}
+                </div>
+              )}
+            </div>
+          </td>
+        </tr>
+      )}
+    </>
+  );
+}
+
+// ─── Step Row Component ───────────────────────────────────────────────
+
+function StepRow({ step }: { step: JobStep }): ReactElement {
+  const [hovered, setHovered] = useState(false);
+
+  return (
+    <tr
+      onMouseEnter={() => {
+        setHovered(true);
+      }}
+      onMouseLeave={() => {
+        setHovered(false);
+      }}
+      style={{
+        background: hovered ? "color-mix(in srgb, var(--surface) 50%, transparent)" : "transparent",
+        borderBottom: "1px solid color-mix(in srgb, var(--border) 50%, transparent)",
+        transition: "background 100ms ease",
+      }}
+    >
+      <td
+        style={{
+          padding: "6px 12px",
+          fontSize: "0.78rem",
+          fontFamily: "var(--mono)",
+          color: "var(--muted)",
+        }}
+      >
+        {String(step.ordinal)}
+      </td>
+      <td
+        style={{
+          padding: "6px 12px",
+          fontSize: "0.8rem",
+          color: "var(--text)",
+        }}
+      >
+        {step.name}
+      </td>
+      <td
+        style={{
+          padding: "6px 12px",
+          fontSize: "0.75rem",
+          fontFamily: "var(--mono)",
+          color: "var(--text-muted)",
+          textTransform: "lowercase",
+        }}
+      >
+        {step.phase}
+      </td>
+      <td style={{ padding: "6px 12px" }}>
+        <StatusBadge status={step.status} />
+      </td>
+      <td
+        style={{
+          padding: "6px 12px",
+          fontSize: "0.78rem",
+          fontFamily: "var(--mono)",
+          color: "var(--text-muted)",
+          whiteSpace: "nowrap",
+        }}
+      >
+        {formatStepDuration(step.durationMs)}
+      </td>
+    </tr>
+  );
+}
--- a/apps/web/src/app/(authenticated)/not-found.tsx
+++ b/apps/web/src/app/(authenticated)/not-found.tsx
@@ -0,0 +1,160 @@
+import type { ReactElement } from "react";
+import Link from "next/link";
+
+export default function AuthenticatedNotFound(): ReactElement {
+  return (
+    <div
+      style={{
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "center",
+        minHeight: "60vh",
+      }}
+    >
+      <div
+        style={{
+          display: "flex",
+          flexDirection: "column",
+          alignItems: "center",
+          gap: "24px",
+          padding: "48px 40px",
+          background: "var(--surface)",
+          border: "1px solid var(--border)",
+          borderRadius: "var(--r-xl)",
+          boxShadow: "var(--shadow-md)",
+          textAlign: "center",
+          maxWidth: "420px",
+          width: "100%",
+        }}
+      >
+        {/* Compass icon in blue-tinted icon well */}
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            justifyContent: "center",
+            width: 56,
+            height: 56,
+            borderRadius: "var(--r-lg)",
+            background: "rgba(47, 128, 255, 0.1)",
+            color: "var(--ms-blue-400)",
+          }}
+        >
+          <svg
+            width="28"
+            height="28"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            strokeWidth="1.5"
+            strokeLinecap="round"
+            strokeLinejoin="round"
+            aria-hidden="true"
+          >
+            <circle cx="12" cy="12" r="10" />
+            <polygon
+              points="16.24 7.76 14.12 14.12 7.76 16.24 9.88 9.88 16.24 7.76"
+              fill="currentColor"
+              stroke="none"
+              opacity="0.3"
+            />
+            <polygon points="16.24 7.76 14.12 14.12 7.76 16.24 9.88 9.88 16.24 7.76" />
+          </svg>
+        </div>
+
+        {/* 404 badge pill */}
+        <span
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            padding: "4px 12px",
+            borderRadius: "9999px",
+            fontSize: "0.75rem",
+            fontWeight: 600,
+            fontFamily: "var(--mono)",
+            background: "rgba(47, 128, 255, 0.15)",
+            color: "var(--ms-blue-400)",
+          }}
+        >
+          404
+        </span>
+
+        {/* Heading + description */}
+        <div style={{ display: "flex", flexDirection: "column", gap: "8px" }}>
+          <h2
+            style={{
+              fontSize: "1.25rem",
+              fontWeight: 600,
+              color: "var(--text)",
+              margin: 0,
+              letterSpacing: "-0.01em",
+            }}
+          >
+            Page not found
+          </h2>
+          <p
+            style={{
+              fontSize: "0.875rem",
+              color: "var(--muted)",
+              margin: 0,
+              lineHeight: 1.6,
+            }}
+          >
+            This page doesn&apos;t exist or you may not have permission to view it.
+          </p>
+        </div>
+
+        {/* Action buttons */}
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            gap: "12px",
+            marginTop: "8px",
+          }}
+        >
+          {/* Primary: Dashboard */}
+          <Link
+            href="/"
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              justifyContent: "center",
+              padding: "9px 20px",
+              background: "var(--ms-blue-500)",
+              color: "#ffffff",
+              borderRadius: "var(--r)",
+              fontSize: "0.875rem",
+              fontWeight: 500,
+              textDecoration: "none",
+              transition: "opacity 0.15s ease",
+            }}
+          >
+            Dashboard
+          </Link>
+
+          {/* Ghost: Settings */}
+          <Link
+            href="/settings"
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              justifyContent: "center",
+              padding: "9px 20px",
+              background: "transparent",
+              color: "var(--text-2)",
+              border: "1px solid var(--border)",
+              borderRadius: "var(--r)",
+              fontSize: "0.875rem",
+              fontWeight: 500,
+              textDecoration: "none",
+              transition: "all 0.15s ease",
+            }}
+          >
+            Settings
+          </Link>
+        </div>
+      </div>
+    </div>
+  );
+}
--- a/apps/web/src/app/(authenticated)/page.test.tsx
+++ b/apps/web/src/app/(authenticated)/page.test.tsx
@@ -1,85 +1,154 @@
-import { describe, it, expect, vi } from "vitest";
-import { render, screen, waitFor } from "@testing-library/react";
+import { describe, it, expect, vi, beforeEach, beforeAll } from "vitest";
+import { render, screen, waitFor, act } from "@testing-library/react";
 import DashboardPage from "./page";
+import * as layoutsApi from "@/lib/api/layouts";
+import type { UserLayout, WidgetPlacement } from "@mosaic/shared";

-// Mock dashboard widgets
-vi.mock("@/components/dashboard/RecentTasksWidget", () => ({
-  RecentTasksWidget: ({
-    tasks,
-    isLoading,
+// ResizeObserver is not available in jsdom
+beforeAll((): void => {
+  global.ResizeObserver = vi.fn().mockImplementation(() => ({
+    observe: vi.fn(),
+    unobserve: vi.fn(),
+    disconnect: vi.fn(),
+  }));
+});
+
+// Mock WidgetGrid to avoid react-grid-layout dependency in tests
+vi.mock("@/components/widgets/WidgetGrid", () => ({
+  WidgetGrid: ({
+    layout,
+    isEditing,
  }: {
-    tasks: unknown[];
-    isLoading: boolean;
+    layout: WidgetPlacement[];
+    isEditing?: boolean;
  }): React.JSX.Element => (
-    <div data-testid="recent-tasks">
-      {isLoading ? "Loading tasks" : `${String(tasks.length)} tasks`}
+    <div data-testid="widget-grid" data-editing={isEditing}>
+      {layout.map((item) => (
+        <div key={item.i} data-testid={`widget-${item.i}`}>
+          {item.i}
+        </div>
+      ))}
    </div>
  ),
 }));

-vi.mock("@/components/dashboard/UpcomingEventsWidget", () => ({
-  UpcomingEventsWidget: ({
-    events,
-    isLoading,
-  }: {
-    events: unknown[];
-    isLoading: boolean;
-  }): React.JSX.Element => (
-    <div data-testid="upcoming-events">
-      {isLoading ? "Loading events" : `${String(events.length)} events`}
-    </div>
-  ),
+// Mock hooks
+vi.mock("@/lib/hooks", () => ({
+  useWorkspaceId: (): string | null => "ws-test-123",
 }));

-vi.mock("@/components/dashboard/QuickCaptureWidget", () => ({
-  QuickCaptureWidget: (): React.JSX.Element => <div data-testid="quick-capture">Quick Capture</div>,
-}));
+// Mock layout API
+vi.mock("@/lib/api/layouts");

-vi.mock("@/components/dashboard/DomainOverviewWidget", () => ({
-  DomainOverviewWidget: ({
-    tasks,
-    isLoading,
-  }: {
-    tasks: unknown[];
-    isLoading: boolean;
-  }): React.JSX.Element => (
-    <div data-testid="domain-overview">
-      {isLoading ? "Loading overview" : `${String(tasks.length)} tasks overview`}
-    </div>
-  ),
-}));
+const mockExistingLayout: UserLayout = {
+  id: "layout-1",
+  workspaceId: "ws-test-123",
+  userId: "user-1",
+  name: "Default",
+  isDefault: true,
+  layout: [
+    { i: "TasksWidget-default", x: 0, y: 0, w: 4, h: 2 },
+    { i: "CalendarWidget-default", x: 4, y: 0, w: 4, h: 2 },
+  ],
+  metadata: {},
+  createdAt: new Date("2026-01-01T00:00:00Z"),
+  updatedAt: new Date("2026-01-01T00:00:00Z"),
+};

 describe("DashboardPage", (): void => {
-  it("should render the page title", (): void => {
-    render(<DashboardPage />);
-    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Dashboard");
+  beforeEach((): void => {
+    vi.clearAllMocks();
  });

-  it("should show loading state initially", (): void => {
-    render(<DashboardPage />);
-    expect(screen.getByTestId("recent-tasks")).toHaveTextContent("Loading tasks");
-    expect(screen.getByTestId("upcoming-events")).toHaveTextContent("Loading events");
-    expect(screen.getByTestId("domain-overview")).toHaveTextContent("Loading overview");
-  });
+  it("should render WidgetGrid with saved layout", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockResolvedValue(mockExistingLayout);

-  it("should render all widgets with data after loading", async (): Promise<void> => {
    render(<DashboardPage />);
+
    await waitFor((): void => {
-      expect(screen.getByTestId("recent-tasks")).toHaveTextContent("4 tasks");
-      expect(screen.getByTestId("upcoming-events")).toHaveTextContent("3 events");
-      expect(screen.getByTestId("domain-overview")).toHaveTextContent("4 tasks overview");
-      expect(screen.getByTestId("quick-capture")).toBeInTheDocument();
+      expect(screen.getByTestId("widget-grid")).toBeInTheDocument();
+    });
+
+    expect(screen.getByTestId("widget-TasksWidget-default")).toBeInTheDocument();
+    expect(screen.getByTestId("widget-CalendarWidget-default")).toBeInTheDocument();
+  });
+
+  it("should create default layout when none exists", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockResolvedValue(null);
+    vi.mocked(layoutsApi.createLayout).mockResolvedValue({
+      ...mockExistingLayout,
+      layout: [{ i: "TasksWidget-default", x: 0, y: 0, w: 4, h: 2 }],
+    });
+
+    render(<DashboardPage />);
+
+    await waitFor((): void => {
+      expect(layoutsApi.createLayout).toHaveBeenCalledWith("ws-test-123", {
+        name: "Default",
+        isDefault: true,
+        layout: expect.arrayContaining([
+          expect.objectContaining({ i: "TasksWidget-default" }),
+        ]) as WidgetPlacement[],
+      });
    });
  });

-  it("should have proper layout structure", (): void => {
-    const { container } = render(<DashboardPage />);
-    const main = container.querySelector("main");
-    expect(main).toBeInTheDocument();
+  it("should show loading spinner initially", (): void => {
+    // Never-resolving promise to test loading state
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockReturnValue(
+      // eslint-disable-next-line @typescript-eslint/no-empty-function -- intentionally never-resolving
+      new Promise(() => {})
+    );
+
+    render(<DashboardPage />);
+
+    expect(screen.getByText("Loading dashboard...")).toBeInTheDocument();
  });

-  it("should render the welcome subtitle", (): void => {
+  it("should fall back to default layout on API error", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockRejectedValue(new Error("Network error"));
+
    render(<DashboardPage />);
-    expect(screen.getByText(/Welcome back/)).toBeInTheDocument();
+
+    await waitFor((): void => {
+      expect(screen.getByTestId("widget-grid")).toBeInTheDocument();
+    });
+  });
+
+  it("should render Dashboard heading", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockResolvedValue(mockExistingLayout);
+
+    render(<DashboardPage />);
+
+    await waitFor((): void => {
+      expect(screen.getByText("Dashboard")).toBeInTheDocument();
+    });
+  });
+
+  it("should render Edit Layout button", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockResolvedValue(mockExistingLayout);
+
+    render(<DashboardPage />);
+
+    await waitFor((): void => {
+      expect(screen.getByText("Edit Layout")).toBeInTheDocument();
+    });
+  });
+
+  it("should toggle edit mode on button click", async (): Promise<void> => {
+    vi.mocked(layoutsApi.fetchDefaultLayout).mockResolvedValue(mockExistingLayout);
+
+    render(<DashboardPage />);
+
+    await waitFor((): void => {
+      expect(screen.getByText("Edit Layout")).toBeInTheDocument();
+    });
+
+    act((): void => {
+      screen.getByText("Edit Layout").click();
+    });
+
+    expect(screen.getByText("Done")).toBeInTheDocument();
+    expect(screen.getByTestId("widget-grid").getAttribute("data-editing")).toBe("true");
  });
 });
--- a/apps/web/src/app/(authenticated)/page.tsx
+++ b/apps/web/src/app/(authenticated)/page.tsx
@@ -1,78 +1,242 @@
 "use client";

-import { useState, useEffect } from "react";
+import { useState, useEffect, useCallback, useRef } from "react";
 import type { ReactElement } from "react";
-import { RecentTasksWidget } from "@/components/dashboard/RecentTasksWidget";
-import { UpcomingEventsWidget } from "@/components/dashboard/UpcomingEventsWidget";
-import { QuickCaptureWidget } from "@/components/dashboard/QuickCaptureWidget";
-import { DomainOverviewWidget } from "@/components/dashboard/DomainOverviewWidget";
-import { mockTasks } from "@/lib/api/tasks";
-import { mockEvents } from "@/lib/api/events";
-import type { Task, Event } from "@mosaic/shared";
+import type { WidgetPlacement } from "@mosaic/shared";
+import { WidgetGrid } from "@/components/widgets/WidgetGrid";
+import { WidgetPicker } from "@/components/widgets/WidgetPicker";
+import { WidgetConfigDialog } from "@/components/widgets/WidgetConfigDialog";
+import { DEFAULT_LAYOUT } from "@/components/widgets/defaultLayout";
+import { fetchDefaultLayout, createLayout, updateLayout } from "@/lib/api/layouts";
+import { useWorkspaceId } from "@/lib/hooks";

 export default function DashboardPage(): ReactElement {
-  const [tasks, setTasks] = useState<Task[]>([]);
-  const [events, setEvents] = useState<Event[]>([]);
+  const workspaceId = useWorkspaceId();
+  const [layout, setLayout] = useState<WidgetPlacement[]>(DEFAULT_LAYOUT);
+  const [layoutId, setLayoutId] = useState<string | null>(null);
+  const [isEditing, setIsEditing] = useState(false);
+  const [isPickerOpen, setIsPickerOpen] = useState(false);
+  const [configWidgetId, setConfigWidgetId] = useState<string | null>(null);
  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState<string | null>(null);

+  // Debounce timer for auto-saving layout changes
+  const saveTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+  // Load the user's default layout (or create one)
  useEffect(() => {
-    void loadDashboardData();
-  }, []);
+    if (!workspaceId) {
+      setIsLoading(false);
+      return;
+    }

-  async function loadDashboardData(): Promise<void> {
-    setIsLoading(true);
-    setError(null);
+    const wsId = workspaceId;
+    const ac = new AbortController();

-    try {
-      // TODO: Replace with real API calls when backend is ready
-      // const [tasksData, eventsData] = await Promise.all([fetchTasks(), fetchEvents()]);
-      await new Promise((resolve) => setTimeout(resolve, 300));
-      setTasks(mockTasks);
-      setEvents(mockEvents);
-    } catch (err) {
-      setError(
-        err instanceof Error
-          ? err.message
-          : "We had trouble loading your dashboard. Please try again when you're ready."
-      );
-    } finally {
+    async function loadLayout(): Promise<void> {
+      try {
+        const existing = await fetchDefaultLayout(wsId);
+        if (ac.signal.aborted) return;
+
+        if (existing) {
+          setLayout(existing.layout);
+          setLayoutId(existing.id);
+        } else {
+          const created = await createLayout(wsId, {
+            name: "Default",
+            isDefault: true,
+            layout: DEFAULT_LAYOUT,
+          });
+          // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- aborted can change during await
+          if (ac.signal.aborted) return;
+          setLayout(created.layout);
+          setLayoutId(created.id);
+        }
+      } catch (err: unknown) {
+        console.error("[Dashboard] Failed to load layout:", err);
+      }
      setIsLoading(false);
    }
+
+    void loadLayout();
+
+    return (): void => {
+      ac.abort();
+    };
+  }, [workspaceId]);
+
+  // Save layout changes with debounce
+  const saveLayout = useCallback(
+    (newLayout: WidgetPlacement[]) => {
+      if (!workspaceId || !layoutId) return;
+
+      if (saveTimerRef.current) {
+        clearTimeout(saveTimerRef.current);
+      }
+
+      saveTimerRef.current = setTimeout(() => {
+        void updateLayout(workspaceId, layoutId, { layout: newLayout }).catch((err: unknown) => {
+          console.error("[Dashboard] Failed to save layout:", err);
+        });
+      }, 800);
+    },
+    [workspaceId, layoutId]
+  );
+
+  const handleLayoutChange = useCallback(
+    (newLayout: WidgetPlacement[]) => {
+      setLayout(newLayout);
+      saveLayout(newLayout);
+    },
+    [saveLayout]
+  );
+
+  const handleRemoveWidget = useCallback(
+    (widgetId: string) => {
+      const updated = layout.filter((item) => item.i !== widgetId);
+      setLayout(updated);
+      saveLayout(updated);
+    },
+    [layout, saveLayout]
+  );
+
+  const handleAddWidget = useCallback(
+    (placement: WidgetPlacement) => {
+      const updated = [...layout, placement];
+      setLayout(updated);
+      saveLayout(updated);
+    },
+    [layout, saveLayout]
+  );
+
+  const handleResetLayout = useCallback((): void => {
+    setLayout(DEFAULT_LAYOUT);
+    saveLayout(DEFAULT_LAYOUT);
+  }, [saveLayout]);
+
+  const handleEditWidget = useCallback((widgetId: string): void => {
+    setConfigWidgetId(widgetId);
+  }, []);
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center" style={{ minHeight: 400 }}>
+        <div className="flex flex-col items-center gap-2">
+          <div
+            className="w-8 h-8 border-2 border-t-transparent rounded-full animate-spin"
+            style={{ borderColor: "var(--primary)", borderTopColor: "transparent" }}
+          />
+          <span className="text-sm" style={{ color: "var(--muted)" }}>
+            Loading dashboard...
+          </span>
+        </div>
+      </div>
+    );
  }

  return (
-    <main className="container mx-auto px-4 py-8">
-      <div className="mb-8">
-        <h1 className="text-3xl font-bold text-gray-900">Dashboard</h1>
-        <p className="text-gray-600 mt-2">Welcome back! Here&apos;s your overview</p>
-      </div>
-
-      {error !== null ? (
-        <div className="rounded-lg border border-amber-200 bg-amber-50 p-6 text-center">
-          <p className="text-amber-800">{error}</p>
+    <div style={{ display: "flex", flexDirection: "column", gap: 16 }}>
+      {/* Dashboard header with edit toggle */}
+      <div className="flex items-center justify-between">
+        <h1
+          style={{
+            fontSize: "1.5rem",
+            fontWeight: 700,
+            color: "var(--text)",
+            margin: 0,
+          }}
+        >
+          Dashboard
+        </h1>
+        <div className="flex items-center gap-2">
+          {isEditing && (
+            <>
+              <button
+                onClick={handleResetLayout}
+                style={{
+                  padding: "6px 14px",
+                  borderRadius: "var(--r)",
+                  border: "1px solid var(--border)",
+                  background: "transparent",
+                  color: "var(--muted)",
+                  fontSize: "0.83rem",
+                  fontWeight: 500,
+                  cursor: "pointer",
+                  transition: "all 0.15s ease",
+                }}
+              >
+                Reset
+              </button>
+              <button
+                onClick={(): void => {
+                  setIsPickerOpen(true);
+                }}
+                style={{
+                  padding: "6px 14px",
+                  borderRadius: "var(--r)",
+                  border: "1px solid var(--border)",
+                  background: "transparent",
+                  color: "var(--text-2)",
+                  fontSize: "0.83rem",
+                  fontWeight: 500,
+                  cursor: "pointer",
+                  transition: "all 0.15s ease",
+                }}
+              >
+                + Add Widget
+              </button>
+            </>
+          )}
          <button
-            onClick={() => void loadDashboardData()}
-            className="mt-4 rounded-md bg-amber-600 px-4 py-2 text-sm font-medium text-white hover:bg-amber-700 transition-colors"
+            onClick={(): void => {
+              setIsEditing((prev) => !prev);
+              if (isEditing) setIsPickerOpen(false);
+            }}
+            style={{
+              padding: "6px 14px",
+              borderRadius: "var(--r)",
+              border: isEditing ? "1px solid var(--primary)" : "1px solid var(--border)",
+              background: isEditing ? "var(--primary)" : "transparent",
+              color: isEditing ? "#fff" : "var(--text-2)",
+              fontSize: "0.83rem",
+              fontWeight: 500,
+              cursor: "pointer",
+              transition: "all 0.15s ease",
+            }}
          >
-            Try again
+            {isEditing ? "Done" : "Edit Layout"}
          </button>
        </div>
-      ) : (
-        <div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
-          {/* Top row: Domain Overview and Quick Capture */}
-          <div className="lg:col-span-2">
-            <DomainOverviewWidget tasks={tasks} isLoading={isLoading} />
-          </div>
+      </div>

-          <RecentTasksWidget tasks={tasks} isLoading={isLoading} />
-          <UpcomingEventsWidget events={events} isLoading={isLoading} />
+      {/* Widget grid */}
+      <WidgetGrid
+        layout={layout}
+        onLayoutChange={handleLayoutChange}
+        {...(isEditing && { onRemoveWidget: handleRemoveWidget })}
+        {...(isEditing && { onEditWidget: handleEditWidget })}
+        isEditing={isEditing}
+      />

-          <div className="lg:col-span-2">
-            <QuickCaptureWidget />
-          </div>
-        </div>
+      {/* Widget config dialog */}
+      {configWidgetId && (
+        <WidgetConfigDialog
+          widgetId={configWidgetId}
+          open
+          onClose={(): void => {
+            setConfigWidgetId(null);
+          }}
+        />
      )}
-    </main>
+
+      {/* Widget picker drawer */}
+      <WidgetPicker
+        open={isPickerOpen}
+        onClose={(): void => {
+          setIsPickerOpen(false);
+        }}
+        onAddWidget={handleAddWidget}
+        currentLayout={layout}
+      />
+    </div>
  );
 }
--- a/apps/web/src/app/(authenticated)/profile/page.tsx
+++ b/apps/web/src/app/(authenticated)/profile/page.tsx
@@ -0,0 +1,467 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import type { ReactElement } from "react";
+import Link from "next/link";
+import { useAuth } from "@/lib/auth/auth-context";
+import { apiGet } from "@/lib/api/client";
+
+// ─── Types ────────────────────────────────────────────────────────────
+
+interface UserPreferences {
+  id: string;
+  userId: string;
+  theme: string;
+  locale: string;
+  timezone: string | null;
+  settings: Record<string, unknown>;
+  updatedAt: string;
+}
+
+// ─── Sub-components ───────────────────────────────────────────────────
+
+interface PreferenceRowProps {
+  label: string;
+  value: string;
+}
+
+function PreferenceRow({ label, value }: PreferenceRowProps): ReactElement {
+  return (
+    <div
+      style={{
+        display: "flex",
+        justifyContent: "space-between",
+        alignItems: "center",
+        padding: "12px 0",
+        borderBottom: "1px solid var(--border)",
+      }}
+    >
+      <span style={{ fontSize: "0.9rem", color: "var(--text-2)" }}>{label}</span>
+      <span
+        style={{
+          fontSize: "0.9rem",
+          fontWeight: 500,
+          color: "var(--text)",
+          fontFamily: "var(--mono)",
+        }}
+      >
+        {value}
+      </span>
+    </div>
+  );
+}
+
+function PreferencesSkeleton(): ReactElement {
+  return (
+    <div style={{ display: "flex", flexDirection: "column", gap: 12 }}>
+      {Array.from({ length: 3 }).map((_, i) => (
+        <div
+          key={i}
+          style={{
+            display: "flex",
+            justifyContent: "space-between",
+            padding: "12px 0",
+            borderBottom: "1px solid var(--border)",
+          }}
+        >
+          <div
+            style={{
+              width: 80,
+              height: 16,
+              borderRadius: 4,
+              background: "var(--surface-2)",
+              animation: "pulse 1.5s ease-in-out infinite",
+            }}
+          />
+          <div
+            style={{
+              width: 120,
+              height: 16,
+              borderRadius: 4,
+              background: "var(--surface-2)",
+              animation: "pulse 1.5s ease-in-out infinite",
+            }}
+          />
+        </div>
+      ))}
+    </div>
+  );
+}
+
+// ─── Main Page Component ──────────────────────────────────────────────
+
+export default function ProfilePage(): ReactElement {
+  const { user, signOut } = useAuth();
+  const [preferences, setPreferences] = useState<UserPreferences | null>(null);
+  const [prefsLoading, setPrefsLoading] = useState(true);
+  const [prefsError, setPrefsError] = useState<string | null>(null);
+  const [signOutHovered, setSignOutHovered] = useState(false);
+  const [settingsHovered, setSettingsHovered] = useState(false);
+
+  const loadPreferences = useCallback(async (): Promise<void> => {
+    setPrefsLoading(true);
+    setPrefsError(null);
+
+    try {
+      const data = await apiGet<UserPreferences>("/users/me/preferences");
+      setPreferences(data);
+    } catch (err: unknown) {
+      const message = err instanceof Error ? err.message : "Could not load preferences";
+      setPrefsError(message);
+    } finally {
+      setPrefsLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    void loadPreferences();
+  }, [loadPreferences]);
+
+  // User initials for avatar fallback
+  const initials = user?.name
+    ? user.name
+        .split(" ")
+        .slice(0, 2)
+        .map((part) => part[0])
+        .join("")
+        .toUpperCase()
+    : user?.email
+      ? (user.email[0] ?? "?").toUpperCase()
+      : "?";
+
+  return (
+    <div className="max-w-3xl mx-auto p-6">
+      {/* ── Page Header ── */}
+      <div style={{ marginBottom: 32 }}>
+        <h1
+          style={{
+            fontSize: "1.875rem",
+            fontWeight: 700,
+            color: "var(--text)",
+            margin: 0,
+          }}
+        >
+          Profile
+        </h1>
+        <p
+          style={{
+            fontSize: "0.9rem",
+            color: "var(--muted)",
+            margin: "8px 0 0 0",
+          }}
+        >
+          Your account information and preferences
+        </p>
+      </div>
+
+      {/* ── User Info Card ── */}
+      <div
+        style={{
+          background: "var(--surface)",
+          border: "1px solid var(--border)",
+          borderRadius: "var(--r-xl)",
+          padding: 28,
+          marginBottom: 24,
+        }}
+      >
+        <div style={{ display: "flex", alignItems: "center", gap: 20 }}>
+          {/* Avatar (64px) */}
+          <div
+            style={{
+              width: 64,
+              height: 64,
+              borderRadius: "50%",
+              background: user?.image
+                ? "none"
+                : "linear-gradient(135deg, var(--ms-blue-500), var(--ms-purple-500))",
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "center",
+              flexShrink: 0,
+              overflow: "hidden",
+            }}
+          >
+            {user?.image ? (
+              <img
+                src={user.image}
+                alt={user.name || user.email || "User avatar"}
+                style={{ width: "100%", height: "100%", objectFit: "cover" }}
+              />
+            ) : (
+              <span
+                style={{
+                  fontSize: "1.25rem",
+                  fontWeight: 700,
+                  color: "#fff",
+                  letterSpacing: "0.02em",
+                  lineHeight: 1,
+                }}
+              >
+                {initials}
+              </span>
+            )}
+          </div>
+
+          {/* Name, email, role, status */}
+          <div style={{ flex: 1, minWidth: 0 }}>
+            <div style={{ display: "flex", alignItems: "center", gap: 10 }}>
+              <h2
+                style={{
+                  fontSize: "1.25rem",
+                  fontWeight: 700,
+                  color: "var(--text)",
+                  margin: 0,
+                  overflow: "hidden",
+                  textOverflow: "ellipsis",
+                  whiteSpace: "nowrap",
+                }}
+              >
+                {user?.name ?? "User"}
+              </h2>
+
+              {/* Online indicator */}
+              <div
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: 6,
+                }}
+              >
+                <div
+                  style={{
+                    width: 8,
+                    height: 8,
+                    borderRadius: "50%",
+                    background: "var(--success)",
+                    boxShadow: "0 0 6px var(--success)",
+                    flexShrink: 0,
+                  }}
+                  aria-hidden="true"
+                />
+                <span
+                  style={{
+                    fontSize: "0.75rem",
+                    color: "var(--success)",
+                    fontWeight: 500,
+                  }}
+                >
+                  Online
+                </span>
+              </div>
+            </div>
+
+            {user?.email && (
+              <p
+                style={{
+                  fontSize: "0.9rem",
+                  color: "var(--muted)",
+                  margin: "4px 0 0 0",
+                  overflow: "hidden",
+                  textOverflow: "ellipsis",
+                  whiteSpace: "nowrap",
+                }}
+              >
+                {user.email}
+              </p>
+            )}
+
+            {user?.workspaceRole && (
+              <span
+                style={{
+                  display: "inline-block",
+                  marginTop: 8,
+                  padding: "3px 10px",
+                  borderRadius: "var(--r)",
+                  background: "rgba(47, 128, 255, 0.1)",
+                  color: "var(--ms-blue-400)",
+                  fontSize: "0.75rem",
+                  fontWeight: 600,
+                  textTransform: "capitalize",
+                }}
+              >
+                {user.workspaceRole}
+              </span>
+            )}
+          </div>
+        </div>
+      </div>
+
+      {/* ── Preferences Section ── */}
+      <div
+        style={{
+          background: "var(--surface)",
+          border: "1px solid var(--border)",
+          borderRadius: "var(--r-xl)",
+          padding: 28,
+          marginBottom: 24,
+        }}
+      >
+        <h3
+          style={{
+            fontSize: "1.125rem",
+            fontWeight: 600,
+            color: "var(--text)",
+            margin: "0 0 16px 0",
+          }}
+        >
+          Preferences
+        </h3>
+
+        {prefsLoading ? (
+          <PreferencesSkeleton />
+        ) : prefsError ? (
+          <div
+            style={{
+              padding: "16px 20px",
+              borderRadius: "var(--r)",
+              background: "rgba(245, 158, 11, 0.08)",
+              border: "1px solid rgba(245, 158, 11, 0.2)",
+              color: "var(--text-2)",
+              fontSize: "0.85rem",
+              lineHeight: 1.5,
+            }}
+          >
+            <span style={{ fontWeight: 500 }}>Preferences unavailable</span>
+            <span style={{ color: "var(--muted)", marginLeft: 8 }}>&mdash; {prefsError}</span>
+          </div>
+        ) : preferences ? (
+          <div>
+            <PreferenceRow label="Theme" value={preferences.theme} />
+            <PreferenceRow label="Locale" value={preferences.locale} />
+            <PreferenceRow label="Timezone" value={preferences.timezone ?? "Not set"} />
+            {Object.keys(preferences.settings).length > 0 && (
+              <>
+                <div
+                  style={{
+                    fontSize: "0.83rem",
+                    fontWeight: 600,
+                    color: "var(--text-2)",
+                    margin: "16px 0 8px 0",
+                  }}
+                >
+                  Custom Settings
+                </div>
+                {Object.entries(preferences.settings).map(([key, value]) => (
+                  <PreferenceRow key={key} label={key} value={String(value)} />
+                ))}
+              </>
+            )}
+          </div>
+        ) : (
+          <p
+            style={{
+              fontSize: "0.9rem",
+              color: "var(--muted)",
+              margin: 0,
+            }}
+          >
+            No preferences configured yet.
+          </p>
+        )}
+      </div>
+
+      {/* ── Account Actions ── */}
+      <div
+        style={{
+          background: "var(--surface)",
+          border: "1px solid var(--border)",
+          borderRadius: "var(--r-xl)",
+          padding: 28,
+        }}
+      >
+        <h3
+          style={{
+            fontSize: "1.125rem",
+            fontWeight: 600,
+            color: "var(--text)",
+            margin: "0 0 16px 0",
+          }}
+        >
+          Account
+        </h3>
+
+        <div style={{ display: "flex", alignItems: "center", gap: 12 }}>
+          {/* Settings link */}
+          <Link
+            href="/settings"
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 8,
+              padding: "10px 20px",
+              borderRadius: "var(--r)",
+              background: settingsHovered ? "var(--surface-2)" : "var(--surface)",
+              border: "1px solid var(--border)",
+              color: "var(--text)",
+              fontSize: "0.9rem",
+              fontWeight: 500,
+              textDecoration: "none",
+              cursor: "pointer",
+              transition: "background 0.15s ease, border-color 0.15s ease",
+            }}
+            onMouseEnter={() => {
+              setSettingsHovered(true);
+            }}
+            onMouseLeave={() => {
+              setSettingsHovered(false);
+            }}
+          >
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              aria-hidden="true"
+            >
+              <circle cx="8" cy="8" r="2.5" />
+              <path d="M8 1v1.5M8 13.5V15M1 8h1.5M13.5 8H15M3.05 3.05l1.06 1.06M11.89 11.89l1.06 1.06M3.05 12.95l1.06-1.06M11.89 4.11l1.06-1.06" />
+            </svg>
+            Settings
+          </Link>
+
+          {/* Sign Out button */}
+          <button
+            onClick={() => {
+              void signOut();
+            }}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 8,
+              padding: "10px 20px",
+              borderRadius: "var(--r)",
+              background: signOutHovered ? "rgba(239, 68, 68, 0.1)" : "transparent",
+              border: "1px solid var(--danger)",
+              color: "var(--danger)",
+              fontSize: "0.9rem",
+              fontWeight: 500,
+              cursor: "pointer",
+              transition: "background 0.15s ease",
+            }}
+            onMouseEnter={() => {
+              setSignOutHovered(true);
+            }}
+            onMouseLeave={() => {
+              setSignOutHovered(false);
+            }}
+          >
+            <svg
+              width="16"
+              height="16"
+              viewBox="0 0 16 16"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              aria-hidden="true"
+            >
+              <path d="M6 2H3a1 1 0 0 0-1 1v10a1 1 0 0 0 1 1h3M10 11l4-4-4-4M14 8H6" />
+            </svg>
+            Sign Out
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}
--- a/apps/web/src/app/(authenticated)/projects/page.tsx
+++ b/apps/web/src/app/(authenticated)/projects/page.tsx
@@ -0,0 +1,809 @@
+"use client";
+
+import { useState, useEffect, useCallback } from "react";
+import type { ReactElement, SyntheticEvent } from "react";
+import { useRouter } from "next/navigation";
+import { Plus, Trash2 } from "lucide-react";
+
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogDescription,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import { fetchProjects, createProject, deleteProject, ProjectStatus } from "@/lib/api/projects";
+import type { Project, CreateProjectDto } from "@/lib/api/projects";
+import { useWorkspaceId } from "@/lib/hooks";
+
+/* ---------------------------------------------------------------------------
+   Status badge helpers
+   --------------------------------------------------------------------------- */
+
+interface StatusStyle {
+  label: string;
+  bg: string;
+  color: string;
+}
+
+function getStatusStyle(status: ProjectStatus): StatusStyle {
+  switch (status) {
+    case ProjectStatus.PLANNING:
+      return { label: "Planning", bg: "rgba(47,128,255,0.15)", color: "var(--primary)" };
+    case ProjectStatus.ACTIVE:
+      return { label: "Active", bg: "rgba(20,184,166,0.15)", color: "var(--success)" };
+    case ProjectStatus.PAUSED:
+      return { label: "Paused", bg: "rgba(245,158,11,0.15)", color: "var(--warn)" };
+    case ProjectStatus.COMPLETED:
+      return { label: "Completed", bg: "rgba(139,92,246,0.15)", color: "var(--purple)" };
+    case ProjectStatus.ARCHIVED:
+      return { label: "Archived", bg: "rgba(143,157,183,0.15)", color: "var(--muted)" };
+    default:
+      return { label: String(status), bg: "rgba(143,157,183,0.15)", color: "var(--muted)" };
+  }
+}
+
+function formatTimestamp(iso: string): string {
+  try {
+    return new Date(iso).toLocaleDateString("en-US", {
+      month: "short",
+      day: "numeric",
+      year: "numeric",
+    });
+  } catch {
+    return iso;
+  }
+}
+
+/* ---------------------------------------------------------------------------
+   ProjectCard
+   --------------------------------------------------------------------------- */
+
+interface ProjectCardProps {
+  project: Project;
+  onDelete: (id: string) => void;
+  onClick: (id: string) => void;
+}
+
+function ProjectCard({ project, onDelete, onClick }: ProjectCardProps): ReactElement {
+  const [hovered, setHovered] = useState(false);
+  const status = getStatusStyle(project.status);
+
+  return (
+    <div
+      role="button"
+      tabIndex={0}
+      onClick={() => {
+        onClick(project.id);
+      }}
+      onKeyDown={(e) => {
+        if (e.key === "Enter" || e.key === " ") {
+          e.preventDefault();
+          onClick(project.id);
+        }
+      }}
+      onMouseEnter={() => {
+        setHovered(true);
+      }}
+      onMouseLeave={() => {
+        setHovered(false);
+      }}
+      style={{
+        background: "var(--surface)",
+        border: `1px solid ${hovered ? "var(--primary)" : "var(--border)"}`,
+        borderRadius: "var(--r-lg)",
+        padding: 20,
+        cursor: "pointer",
+        transition: "border-color 0.2s var(--ease)",
+        display: "flex",
+        flexDirection: "column",
+        gap: 12,
+        position: "relative",
+      }}
+    >
+      {/* Header row: name + delete button */}
+      <div style={{ display: "flex", alignItems: "flex-start", justifyContent: "space-between" }}>
+        <div style={{ flex: 1, minWidth: 0 }}>
+          <h3
+            style={{
+              fontWeight: 600,
+              color: "var(--text)",
+              fontSize: "1rem",
+              margin: 0,
+              overflow: "hidden",
+              textOverflow: "ellipsis",
+              whiteSpace: "nowrap",
+            }}
+          >
+            {project.name}
+          </h3>
+        </div>
+
+        {/* Delete button */}
+        <button
+          aria-label={`Delete project ${project.name}`}
+          onClick={(e) => {
+            e.stopPropagation();
+            onDelete(project.id);
+          }}
+          onKeyDown={(e) => {
+            e.stopPropagation();
+          }}
+          style={{
+            background: "transparent",
+            border: "none",
+            cursor: "pointer",
+            padding: 4,
+            borderRadius: "var(--r-sm)",
+            color: "var(--muted)",
+            transition: "color 0.15s, background 0.15s",
+            display: "flex",
+            alignItems: "center",
+            justifyContent: "center",
+            flexShrink: 0,
+            marginLeft: 8,
+          }}
+          onMouseEnter={(e) => {
+            e.currentTarget.style.color = "var(--danger)";
+            e.currentTarget.style.background = "rgba(229,72,77,0.1)";
+          }}
+          onMouseLeave={(e) => {
+            e.currentTarget.style.color = "var(--muted)";
+            e.currentTarget.style.background = "transparent";
+          }}
+        >
+          <Trash2 size={16} />
+        </button>
+      </div>
+
+      {/* Description */}
+      {project.description ? (
+        <p
+          style={{
+            color: "var(--muted)",
+            fontSize: "0.85rem",
+            margin: 0,
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            display: "-webkit-box",
+            WebkitLineClamp: 2,
+            WebkitBoxOrient: "vertical",
+            lineHeight: 1.5,
+          }}
+        >
+          {project.description}
+        </p>
+      ) : (
+        <p style={{ color: "var(--muted)", fontSize: "0.85rem", margin: 0, fontStyle: "italic" }}>
+          No description
+        </p>
+      )}
+
+      {/* Footer: status + timestamps */}
+      <div
+        style={{
+          display: "flex",
+          alignItems: "center",
+          justifyContent: "space-between",
+          marginTop: "auto",
+        }}
+      >
+        {/* Status badge */}
+        <span
+          style={{
+            display: "inline-block",
+            padding: "2px 10px",
+            borderRadius: "var(--r)",
+            background: status.bg,
+            color: status.color,
+            fontSize: "0.75rem",
+            fontWeight: 500,
+          }}
+        >
+          {status.label}
+        </span>
+
+        {/* Timestamps */}
+        <span
+          style={{
+            fontSize: "0.75rem",
+            color: "var(--muted)",
+            fontFamily: "var(--mono)",
+          }}
+        >
+          {formatTimestamp(project.createdAt)}
+        </span>
+      </div>
+    </div>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Create Project Dialog
+   --------------------------------------------------------------------------- */
+
+interface CreateDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  onSubmit: (data: CreateProjectDto) => Promise<void>;
+  isSubmitting: boolean;
+}
+
+function CreateProjectDialog({
+  open,
+  onOpenChange,
+  onSubmit,
+  isSubmitting,
+}: CreateDialogProps): ReactElement {
+  const [name, setName] = useState("");
+  const [description, setDescription] = useState("");
+  const [formError, setFormError] = useState<string | null>(null);
+
+  function resetForm(): void {
+    setName("");
+    setDescription("");
+    setFormError(null);
+  }
+
+  async function handleSubmit(e: SyntheticEvent): Promise<void> {
+    e.preventDefault();
+    setFormError(null);
+
+    const trimmedName = name.trim();
+    if (!trimmedName) {
+      setFormError("Project name is required.");
+      return;
+    }
+
+    try {
+      const payload: CreateProjectDto = { name: trimmedName };
+      const trimmedDesc = description.trim();
+      if (trimmedDesc) {
+        payload.description = trimmedDesc;
+      }
+      await onSubmit(payload);
+      resetForm();
+    } catch (err: unknown) {
+      setFormError(err instanceof Error ? err.message : "Failed to create project.");
+    }
+  }
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(isOpen) => {
+        if (!isOpen) resetForm();
+        onOpenChange(isOpen);
+      }}
+    >
+      <DialogContent>
+        <div
+          style={{
+            background: "var(--surface)",
+            borderRadius: "var(--r-lg)",
+            border: "1px solid var(--border)",
+            padding: 24,
+            position: "relative",
+          }}
+        >
+          <DialogHeader>
+            <DialogTitle>
+              <span style={{ color: "var(--text)" }}>New Project</span>
+            </DialogTitle>
+            <DialogDescription>
+              <span style={{ color: "var(--muted)" }}>
+                Give your project a name and optional description.
+              </span>
+            </DialogDescription>
+          </DialogHeader>
+
+          <form
+            onSubmit={(e) => {
+              void handleSubmit(e);
+            }}
+            style={{ marginTop: 16 }}
+          >
+            {/* Name */}
+            <div style={{ marginBottom: 16 }}>
+              <label
+                htmlFor="project-name"
+                style={{
+                  display: "block",
+                  marginBottom: 6,
+                  fontSize: "0.85rem",
+                  fontWeight: 500,
+                  color: "var(--text-2)",
+                }}
+              >
+                Name <span style={{ color: "var(--danger)" }}>*</span>
+              </label>
+              <input
+                id="project-name"
+                type="text"
+                value={name}
+                onChange={(e) => {
+                  setName(e.target.value);
+                }}
+                placeholder="e.g. Website Redesign"
+                maxLength={255}
+                autoFocus
+                style={{
+                  width: "100%",
+                  padding: "8px 12px",
+                  background: "var(--bg)",
+                  border: "1px solid var(--border)",
+                  borderRadius: "var(--r)",
+                  color: "var(--text)",
+                  fontSize: "0.9rem",
+                  outline: "none",
+                  boxSizing: "border-box",
+                }}
+              />
+            </div>
+
+            {/* Description */}
+            <div style={{ marginBottom: 16 }}>
+              <label
+                htmlFor="project-description"
+                style={{
+                  display: "block",
+                  marginBottom: 6,
+                  fontSize: "0.85rem",
+                  fontWeight: 500,
+                  color: "var(--text-2)",
+                }}
+              >
+                Description
+              </label>
+              <textarea
+                id="project-description"
+                value={description}
+                onChange={(e) => {
+                  setDescription(e.target.value);
+                }}
+                placeholder="A brief summary of this project..."
+                rows={3}
+                maxLength={10000}
+                style={{
+                  width: "100%",
+                  padding: "8px 12px",
+                  background: "var(--bg)",
+                  border: "1px solid var(--border)",
+                  borderRadius: "var(--r)",
+                  color: "var(--text)",
+                  fontSize: "0.9rem",
+                  outline: "none",
+                  resize: "vertical",
+                  fontFamily: "inherit",
+                  boxSizing: "border-box",
+                }}
+              />
+            </div>
+
+            {/* Form error */}
+            {formError !== null && (
+              <p style={{ color: "var(--danger)", fontSize: "0.85rem", margin: "0 0 12px" }}>
+                {formError}
+              </p>
+            )}
+
+            <DialogFooter>
+              <button
+                type="button"
+                onClick={() => {
+                  onOpenChange(false);
+                }}
+                disabled={isSubmitting}
+                style={{
+                  padding: "8px 16px",
+                  background: "transparent",
+                  border: "1px solid var(--border)",
+                  borderRadius: "var(--r)",
+                  color: "var(--text-2)",
+                  fontSize: "0.85rem",
+                  cursor: "pointer",
+                }}
+              >
+                Cancel
+              </button>
+              <button
+                type="submit"
+                disabled={isSubmitting || !name.trim()}
+                style={{
+                  padding: "8px 16px",
+                  background: "var(--primary)",
+                  border: "none",
+                  borderRadius: "var(--r)",
+                  color: "#fff",
+                  fontSize: "0.85rem",
+                  fontWeight: 500,
+                  cursor: isSubmitting || !name.trim() ? "not-allowed" : "pointer",
+                  opacity: isSubmitting || !name.trim() ? 0.6 : 1,
+                }}
+              >
+                {isSubmitting ? "Creating..." : "Create Project"}
+              </button>
+            </DialogFooter>
+          </form>
+        </div>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Delete Confirmation Dialog
+   --------------------------------------------------------------------------- */
+
+interface DeleteDialogProps {
+  open: boolean;
+  projectName: string;
+  onConfirm: () => void;
+  onCancel: () => void;
+  isDeleting: boolean;
+}
+
+function DeleteConfirmDialog({
+  open,
+  projectName,
+  onConfirm,
+  onCancel,
+  isDeleting,
+}: DeleteDialogProps): ReactElement {
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(isOpen) => {
+        if (!isOpen) onCancel();
+      }}
+    >
+      <DialogContent>
+        <div
+          style={{
+            background: "var(--surface)",
+            borderRadius: "var(--r-lg)",
+            border: "1px solid var(--border)",
+            padding: 24,
+          }}
+        >
+          <DialogHeader>
+            <DialogTitle>
+              <span style={{ color: "var(--text)" }}>Delete Project</span>
+            </DialogTitle>
+            <DialogDescription>
+              <span style={{ color: "var(--muted)" }}>
+                {"This will permanently delete "}
+                <strong style={{ color: "var(--text)" }}>{projectName}</strong>
+                {". This action cannot be undone."}
+              </span>
+            </DialogDescription>
+          </DialogHeader>
+
+          <DialogFooter>
+            <button
+              type="button"
+              onClick={onCancel}
+              disabled={isDeleting}
+              style={{
+                padding: "8px 16px",
+                background: "transparent",
+                border: "1px solid var(--border)",
+                borderRadius: "var(--r)",
+                color: "var(--text-2)",
+                fontSize: "0.85rem",
+                cursor: "pointer",
+              }}
+            >
+              Cancel
+            </button>
+            <button
+              type="button"
+              onClick={onConfirm}
+              disabled={isDeleting}
+              style={{
+                padding: "8px 16px",
+                background: "var(--danger)",
+                border: "none",
+                borderRadius: "var(--r)",
+                color: "#fff",
+                fontSize: "0.85rem",
+                fontWeight: 500,
+                cursor: isDeleting ? "not-allowed" : "pointer",
+                opacity: isDeleting ? 0.6 : 1,
+              }}
+            >
+              {isDeleting ? "Deleting..." : "Delete"}
+            </button>
+          </DialogFooter>
+        </div>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+/* ---------------------------------------------------------------------------
+   Projects Page
+   --------------------------------------------------------------------------- */
+
+export default function ProjectsPage(): ReactElement {
+  const router = useRouter();
+  const workspaceId = useWorkspaceId();
+
+  const [projects, setProjects] = useState<Project[]>([]);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  // Create dialog state
+  const [createOpen, setCreateOpen] = useState(false);
+  const [isCreating, setIsCreating] = useState(false);
+
+  // Delete dialog state
+  const [deleteTarget, setDeleteTarget] = useState<Project | null>(null);
+  const [isDeleting, setIsDeleting] = useState(false);
+
+  const loadProjects = useCallback(async (wsId: string | null): Promise<void> => {
+    try {
+      setIsLoading(true);
+      setError(null);
+      const data = await fetchProjects(wsId ?? undefined);
+      setProjects(data);
+    } catch (err: unknown) {
+      console.error("[Projects] Failed to fetch projects:", err);
+      setError(
+        err instanceof Error
+          ? err.message
+          : "Something went wrong loading projects. You could try again when ready."
+      );
+    } finally {
+      setIsLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    if (!workspaceId) {
+      setIsLoading(false);
+      return;
+    }
+
+    let cancelled = false;
+    const wsId = workspaceId;
+
+    async function load(): Promise<void> {
+      try {
+        setIsLoading(true);
+        setError(null);
+        const data = await fetchProjects(wsId);
+        if (!cancelled) {
+          setProjects(data);
+        }
+      } catch (err: unknown) {
+        console.error("[Projects] Failed to fetch projects:", err);
+        if (!cancelled) {
+          setError(
+            err instanceof Error
+              ? err.message
+              : "Something went wrong loading projects. You could try again when ready."
+          );
+        }
+      } finally {
+        if (!cancelled) {
+          setIsLoading(false);
+        }
+      }
+    }
+
+    void load();
+
+    return (): void => {
+      cancelled = true;
+    };
+  }, [workspaceId]);
+
+  function handleRetry(): void {
+    void loadProjects(workspaceId);
+  }
+
+  async function handleCreate(data: CreateProjectDto): Promise<void> {
+    setIsCreating(true);
+    try {
+      await createProject(data, workspaceId ?? undefined);
+      setCreateOpen(false);
+      void loadProjects(workspaceId);
+    } finally {
+      setIsCreating(false);
+    }
+  }
+
+  function handleDeleteRequest(projectId: string): void {
+    const target = projects.find((p) => p.id === projectId);
+    if (target) {
+      setDeleteTarget(target);
+    }
+  }
+
+  async function handleDeleteConfirm(): Promise<void> {
+    if (!deleteTarget) return;
+    setIsDeleting(true);
+    try {
+      await deleteProject(deleteTarget.id, workspaceId ?? undefined);
+      setDeleteTarget(null);
+      void loadProjects(workspaceId);
+    } catch (err: unknown) {
+      console.error("[Projects] Failed to delete project:", err);
+      setError(err instanceof Error ? err.message : "Failed to delete project.");
+      setDeleteTarget(null);
+    } finally {
+      setIsDeleting(false);
+    }
+  }
+
+  function handleCardClick(projectId: string): void {
+    router.push(`/projects/${projectId}`);
+  }
+
+  return (
+    <main className="container mx-auto px-4 py-8" style={{ maxWidth: 960 }}>
+      {/* Header */}
+      <div
+        style={{
+          display: "flex",
+          alignItems: "flex-start",
+          justifyContent: "space-between",
+          marginBottom: 32,
+          flexWrap: "wrap",
+          gap: 16,
+        }}
+      >
+        <div>
+          <h1
+            style={{
+              fontSize: "1.875rem",
+              fontWeight: 700,
+              color: "var(--text)",
+              margin: 0,
+            }}
+          >
+            Projects
+          </h1>
+          <p
+            style={{
+              fontSize: "0.9rem",
+              color: "var(--muted)",
+              marginTop: 4,
+            }}
+          >
+            Organize and track your work across different initiatives
+          </p>
+        </div>
+
+        <button
+          onClick={() => {
+            setCreateOpen(true);
+          }}
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            gap: 8,
+            padding: "8px 16px",
+            background: "var(--primary)",
+            border: "none",
+            borderRadius: "var(--r)",
+            color: "#fff",
+            fontSize: "0.85rem",
+            fontWeight: 500,
+            cursor: "pointer",
+          }}
+        >
+          <Plus size={16} />
+          New Project
+        </button>
+      </div>
+
+      {/* Loading */}
+      {isLoading ? (
+        <div className="flex justify-center py-16">
+          <MosaicSpinner label="Loading projects..." />
+        </div>
+      ) : error !== null ? (
+        /* Error */
+        <div
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--r-lg)",
+            padding: 32,
+            textAlign: "center",
+          }}
+        >
+          <p style={{ color: "var(--danger)", margin: "0 0 16px" }}>{error}</p>
+          <button
+            onClick={handleRetry}
+            style={{
+              padding: "8px 16px",
+              background: "var(--danger)",
+              border: "none",
+              borderRadius: "var(--r)",
+              color: "#fff",
+              fontSize: "0.85rem",
+              fontWeight: 500,
+              cursor: "pointer",
+            }}
+          >
+            Try again
+          </button>
+        </div>
+      ) : projects.length === 0 ? (
+        /* Empty */
+        <div
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--r-lg)",
+            padding: 48,
+            textAlign: "center",
+          }}
+        >
+          <p style={{ color: "var(--muted)", margin: "0 0 16px", fontSize: "0.9rem" }}>
+            No projects yet. Create your first project to get started.
+          </p>
+          <button
+            onClick={() => {
+              setCreateOpen(true);
+            }}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 8,
+              padding: "8px 16px",
+              background: "var(--primary)",
+              border: "none",
+              borderRadius: "var(--r)",
+              color: "#fff",
+              fontSize: "0.85rem",
+              fontWeight: 500,
+              cursor: "pointer",
+            }}
+          >
+            <Plus size={16} />
+            Create Project
+          </button>
+        </div>
+      ) : (
+        /* Projects grid */
+        <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+          {projects.map((project) => (
+            <ProjectCard
+              key={project.id}
+              project={project}
+              onDelete={handleDeleteRequest}
+              onClick={handleCardClick}
+            />
+          ))}
+        </div>
+      )}
+
+      {/* Create Dialog */}
+      <CreateProjectDialog
+        open={createOpen}
+        onOpenChange={setCreateOpen}
+        onSubmit={handleCreate}
+        isSubmitting={isCreating}
+      />
+
+      {/* Delete Confirmation Dialog */}
+      <DeleteConfirmDialog
+        open={deleteTarget !== null}
+        projectName={deleteTarget?.name ?? ""}
+        onConfirm={() => {
+          void handleDeleteConfirm();
+        }}
+        onCancel={() => {
+          setDeleteTarget(null);
+        }}
+        isDeleting={isDeleting}
+      />
+    </main>
+  );
+}
--- a/apps/web/src/app/(authenticated)/settings/appearance/page.tsx
+++ b/apps/web/src/app/(authenticated)/settings/appearance/page.tsx
@@ -0,0 +1,324 @@
+"use client";
+
+import { useState, useCallback } from "react";
+import type { ReactElement } from "react";
+import Link from "next/link";
+import { useTheme } from "@/providers/ThemeProvider";
+import { getAllThemes, type ThemeDefinition } from "@/themes";
+import { apiPatch } from "@/lib/api/client";
+
+function ThemeCard({
+  theme,
+  isActive,
+  onSelect,
+}: {
+  theme: ThemeDefinition;
+  isActive: boolean;
+  onSelect: () => void;
+}): ReactElement {
+  const [hovered, setHovered] = useState(false);
+
+  return (
+    <button
+      onClick={onSelect}
+      onMouseEnter={() => {
+        setHovered(true);
+      }}
+      onMouseLeave={() => {
+        setHovered(false);
+      }}
+      style={{
+        display: "flex",
+        flexDirection: "column",
+        gap: 12,
+        padding: 16,
+        borderRadius: "var(--r-lg)",
+        background: isActive ? "var(--surface-2)" : hovered ? "var(--surface)" : "transparent",
+        border: isActive
+          ? "2px solid var(--primary)"
+          : `1px solid ${hovered ? "var(--border)" : "transparent"}`,
+        cursor: "pointer",
+        textAlign: "left",
+        transition: "all 0.15s ease",
+        position: "relative",
+        width: "100%",
+      }}
+      aria-label={`Select ${theme.name} theme`}
+      aria-pressed={isActive}
+    >
+      {/* Color preview swatches */}
+      <div
+        style={{
+          display: "flex",
+          gap: 0,
+          borderRadius: "var(--r)",
+          overflow: "hidden",
+          height: 48,
+          width: "100%",
+          border: "1px solid rgba(128, 128, 128, 0.15)",
+        }}
+      >
+        {theme.colorPreview.map((color, i) => (
+          <div
+            key={i}
+            style={{
+              flex: 1,
+              background: color,
+            }}
+          />
+        ))}
+      </div>
+
+      {/* Theme info */}
+      <div style={{ display: "flex", alignItems: "center", gap: 8 }}>
+        <span
+          style={{
+            fontSize: "0.9rem",
+            fontWeight: 600,
+            color: "var(--text)",
+          }}
+        >
+          {theme.name}
+        </span>
+        {isActive && (
+          <svg
+            width="14"
+            height="14"
+            viewBox="0 0 16 16"
+            fill="none"
+            stroke="var(--primary)"
+            strokeWidth="2"
+            strokeLinecap="round"
+            strokeLinejoin="round"
+            aria-hidden="true"
+          >
+            <polyline points="13 4 6 12 3 9" />
+          </svg>
+        )}
+        <span
+          style={{
+            fontSize: "0.7rem",
+            padding: "2px 6px",
+            borderRadius: "var(--r-sm)",
+            background: theme.isDark ? "rgba(128,128,128,0.15)" : "rgba(245,158,11,0.12)",
+            color: theme.isDark ? "var(--muted)" : "var(--warn)",
+            fontWeight: 500,
+            marginLeft: "auto",
+          }}
+        >
+          {theme.isDark ? "Dark" : "Light"}
+        </span>
+      </div>
+
+      <p
+        style={{
+          fontSize: "0.78rem",
+          color: "var(--muted)",
+          margin: 0,
+          lineHeight: 1.4,
+        }}
+      >
+        {theme.description}
+      </p>
+    </button>
+  );
+}
+
+function SystemThemeCard({
+  isActive,
+  onSelect,
+}: {
+  isActive: boolean;
+  onSelect: () => void;
+}): ReactElement {
+  const [hovered, setHovered] = useState(false);
+
+  return (
+    <button
+      onClick={onSelect}
+      onMouseEnter={() => {
+        setHovered(true);
+      }}
+      onMouseLeave={() => {
+        setHovered(false);
+      }}
+      style={{
+        display: "flex",
+        flexDirection: "column",
+        gap: 12,
+        padding: 16,
+        borderRadius: "var(--r-lg)",
+        background: isActive ? "var(--surface-2)" : hovered ? "var(--surface)" : "transparent",
+        border: isActive
+          ? "2px solid var(--primary)"
+          : `1px solid ${hovered ? "var(--border)" : "transparent"}`,
+        cursor: "pointer",
+        textAlign: "left",
+        transition: "all 0.15s ease",
+        width: "100%",
+      }}
+      aria-label="Use system theme preference"
+      aria-pressed={isActive}
+    >
+      {/* Split preview (dark | light) */}
+      <div
+        style={{
+          display: "flex",
+          gap: 0,
+          borderRadius: "var(--r)",
+          overflow: "hidden",
+          height: 48,
+          width: "100%",
+          border: "1px solid rgba(128, 128, 128, 0.15)",
+        }}
+      >
+        <div style={{ flex: 1, background: "#0f141d" }} />
+        <div style={{ flex: 1, background: "#1b2331" }} />
+        <div style={{ flex: 1, background: "#f0f4fc" }} />
+        <div style={{ flex: 1, background: "#dde4f2" }} />
+        <div
+          style={{
+            flex: 1,
+            background: "linear-gradient(135deg, #2f80ff 50%, #8b5cf6 50%)",
+          }}
+        />
+      </div>
+
+      <div style={{ display: "flex", alignItems: "center", gap: 8 }}>
+        <span style={{ fontSize: "0.9rem", fontWeight: 600, color: "var(--text)" }}>System</span>
+        {isActive && (
+          <svg
+            width="14"
+            height="14"
+            viewBox="0 0 16 16"
+            fill="none"
+            stroke="var(--primary)"
+            strokeWidth="2"
+            strokeLinecap="round"
+            strokeLinejoin="round"
+            aria-hidden="true"
+          >
+            <polyline points="13 4 6 12 3 9" />
+          </svg>
+        )}
+        <span
+          style={{
+            fontSize: "0.7rem",
+            padding: "2px 6px",
+            borderRadius: "var(--r-sm)",
+            background: "rgba(47, 128, 255, 0.12)",
+            color: "var(--primary-l)",
+            fontWeight: 500,
+            marginLeft: "auto",
+          }}
+        >
+          Auto
+        </span>
+      </div>
+
+      <p
+        style={{
+          fontSize: "0.78rem",
+          color: "var(--muted)",
+          margin: 0,
+          lineHeight: 1.4,
+        }}
+      >
+        Follows your operating system appearance preference
+      </p>
+    </button>
+  );
+}
+
+export default function AppearanceSettingsPage(): ReactElement {
+  const { theme: preference, setTheme: setLocalTheme } = useTheme();
+  const [saving, setSaving] = useState(false);
+  const allThemes = getAllThemes();
+
+  const handleThemeSelect = useCallback(
+    async (themeId: string) => {
+      setLocalTheme(themeId);
+      setSaving(true);
+      try {
+        await apiPatch("/users/me/preferences", { theme: themeId });
+      } catch {
+        // Theme is still applied locally even if API save fails
+      } finally {
+        setSaving(false);
+      }
+    },
+    [setLocalTheme]
+  );
+
+  return (
+    <div className="max-w-4xl mx-auto p-6">
+      {/* Breadcrumb */}
+      <div style={{ marginBottom: 8 }}>
+        <Link
+          href="/settings"
+          style={{
+            fontSize: "0.83rem",
+            color: "var(--muted)",
+            textDecoration: "none",
+          }}
+        >
+          Settings
+        </Link>
+        <span style={{ fontSize: "0.83rem", color: "var(--muted)", margin: "0 6px" }}>/</span>
+        <span style={{ fontSize: "0.83rem", color: "var(--text-2)" }}>Appearance</span>
+      </div>
+
+      {/* Page header */}
+      <div style={{ marginBottom: 32 }}>
+        <h1
+          style={{
+            fontSize: "1.875rem",
+            fontWeight: 700,
+            color: "var(--text)",
+            margin: 0,
+          }}
+        >
+          Appearance
+        </h1>
+        <p
+          style={{
+            fontSize: "0.9rem",
+            color: "var(--muted)",
+            margin: "8px 0 0 0",
+          }}
+        >
+          Choose a theme for the Mosaic interface
+          {saving && (
+            <span style={{ marginLeft: 12, color: "var(--primary-l)", fontStyle: "italic" }}>
+              Saving...
+            </span>
+          )}
+        </p>
+      </div>
+
+      {/* Theme grid */}
+      <div
+        className="grid gap-3"
+        style={{
+          gridTemplateColumns: "repeat(auto-fill, minmax(220px, 1fr))",
+        }}
+      >
+        {/* System option first */}
+        <SystemThemeCard
+          isActive={preference === "system"}
+          onSelect={() => void handleThemeSelect("system")}
+        />
+
+        {/* All registered themes */}
+        {allThemes.map((t) => (
+          <ThemeCard
+            key={t.id}
+            theme={t}
+            isActive={preference === t.id}
+            onSelect={() => void handleThemeSelect(t.id)}
+          />
+        ))}
+      </div>
+    </div>
+  );
+}
--- a/apps/web/src/app/(authenticated)/settings/page.tsx
+++ b/apps/web/src/app/(authenticated)/settings/page.tsx
@@ -0,0 +1,264 @@
+"use client";
+
+import { useState } from "react";
+import type { ReactElement, ReactNode } from "react";
+import Link from "next/link";
+
+interface CategoryConfig {
+  title: string;
+  description: string;
+  href: string;
+  accent: string;
+  iconBg: string;
+  icon: ReactNode;
+}
+
+interface SettingsCategoryCardProps {
+  category: CategoryConfig;
+}
+
+function SettingsCategoryCard({ category }: SettingsCategoryCardProps): ReactElement {
+  const [hovered, setHovered] = useState(false);
+
+  return (
+    <Link href={category.href} style={{ textDecoration: "none" }}>
+      <div
+        onMouseEnter={(): void => {
+          setHovered(true);
+        }}
+        onMouseLeave={(): void => {
+          setHovered(false);
+        }}
+        style={{
+          background: hovered ? "var(--surface-2)" : "var(--surface)",
+          border: `1px solid ${hovered ? category.accent : "var(--border)"}`,
+          borderRadius: "var(--r-lg)",
+          padding: 20,
+          transition: "background 0.15s ease, border-color 0.15s ease, box-shadow 0.15s ease",
+          boxShadow: hovered ? "0 4px 16px rgba(0,0,0,0.2)" : "none",
+          cursor: "pointer",
+          display: "flex",
+          flexDirection: "column",
+          gap: 12,
+          height: "100%",
+        }}
+      >
+        {/* Icon well */}
+        <div
+          style={{
+            width: 40,
+            height: 40,
+            borderRadius: "var(--r)",
+            background: category.iconBg,
+            display: "flex",
+            alignItems: "center",
+            justifyContent: "center",
+            color: category.accent,
+            transition: "transform 0.15s ease",
+            transform: hovered ? "scale(1.05)" : "scale(1)",
+          }}
+        >
+          {category.icon}
+        </div>
+
+        {/* Title */}
+        <div style={{ fontSize: "1rem", fontWeight: 700, color: "var(--text)" }}>
+          {category.title}
+        </div>
+
+        {/* Description */}
+        <div
+          style={{
+            fontSize: "0.83rem",
+            color: "var(--muted)",
+            lineHeight: 1.55,
+          }}
+        >
+          {category.description}
+        </div>
+
+        {/* CTA */}
+        <div
+          style={{
+            fontSize: "0.83rem",
+            color: hovered ? category.accent : "var(--muted)",
+            fontWeight: 500,
+            marginTop: "auto",
+            transition: "color 0.15s ease",
+          }}
+        >
+          Manage &rarr;
+        </div>
+      </div>
+    </Link>
+  );
+}
+
+const categories: CategoryConfig[] = [
+  {
+    title: "Appearance",
+    description:
+      "Choose a theme for the interface. Switch between Dark, Light, Nord, Dracula, and more.",
+    href: "/settings/appearance",
+    accent: "var(--ms-pink-500)",
+    iconBg: "rgba(236, 72, 153, 0.12)",
+    icon: (
+      <svg
+        width="20"
+        height="20"
+        viewBox="0 0 20 20"
+        fill="none"
+        stroke="currentColor"
+        strokeWidth="1.5"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        aria-hidden="true"
+      >
+        <circle cx="10" cy="10" r="7.5" />
+        <path d="M10 2.5v15" />
+        <path d="M10 2.5a7.5 7.5 0 0 1 0 15" fill="currentColor" opacity="0.15" />
+      </svg>
+    ),
+  },
+  {
+    title: "Credentials",
+    description:
+      "Securely store and manage API keys, tokens, and passwords used by agents and integrations.",
+    href: "/settings/credentials",
+    accent: "var(--ms-blue-400)",
+    iconBg: "rgba(47, 128, 255, 0.12)",
+    icon: (
+      <svg
+        width="20"
+        height="20"
+        viewBox="0 0 20 20"
+        fill="none"
+        stroke="currentColor"
+        strokeWidth="1.5"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        aria-hidden="true"
+      >
+        <rect x="5" y="9" width="10" height="8" rx="1.5" />
+        <path d="M7 9V6a3 3 0 0 1 6 0v3" />
+        <circle cx="10" cy="13" r="1" />
+      </svg>
+    ),
+  },
+  {
+    title: "Domains",
+    description:
+      "Organize tasks and projects by life areas or functional domains within your workspace.",
+    href: "/settings/domains",
+    accent: "var(--ms-teal-400)",
+    iconBg: "rgba(20, 184, 166, 0.12)",
+    icon: (
+      <svg
+        width="20"
+        height="20"
+        viewBox="0 0 20 20"
+        fill="none"
+        stroke="currentColor"
+        strokeWidth="1.5"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        aria-hidden="true"
+      >
+        <circle cx="10" cy="10" r="7.5" />
+        <line x1="2.5" y1="10" x2="17.5" y2="10" />
+        <path d="M10 2.5c2 2.5 3 5 3 7.5s-1 5-3 7.5" />
+        <path d="M10 2.5c-2 2.5-3 5-3 7.5s1 5 3 7.5" />
+      </svg>
+    ),
+  },
+  {
+    title: "AI Personalities",
+    description:
+      "Customize how the AI assistant communicates \u2014 tone, formality, and response style.",
+    href: "/settings/personalities",
+    accent: "var(--ms-purple-400)",
+    iconBg: "rgba(139, 92, 246, 0.12)",
+    icon: (
+      <svg
+        width="20"
+        height="20"
+        viewBox="0 0 20 20"
+        fill="none"
+        stroke="currentColor"
+        strokeWidth="1.5"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        aria-hidden="true"
+      >
+        <circle cx="10" cy="6" r="3" />
+        <path d="M4 17c0-3.3 2.7-6 6-6s6 2.7 6 6" />
+        <path d="M14 10l1.5 1.5 3-3" stroke="currentColor" />
+      </svg>
+    ),
+  },
+  {
+    title: "Workspaces",
+    description:
+      "Create and manage workspaces to organize projects and collaborate with your team.",
+    href: "/settings/workspaces",
+    accent: "var(--ms-amber-400)",
+    iconBg: "rgba(245, 158, 11, 0.12)",
+    icon: (
+      <svg
+        width="20"
+        height="20"
+        viewBox="0 0 20 20"
+        fill="none"
+        stroke="currentColor"
+        strokeWidth="1.5"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        aria-hidden="true"
+      >
+        <circle cx="10" cy="10" r="2" />
+        <circle cx="4" cy="5" r="1.5" />
+        <circle cx="16" cy="5" r="1.5" />
+        <circle cx="16" cy="15" r="1.5" />
+        <line x1="8.3" y1="8.7" x2="5.3" y2="6.2" />
+        <line x1="11.7" y1="8.7" x2="14.7" y2="6.2" />
+        <line x1="11.7" y1="11.3" x2="14.7" y2="13.8" />
+      </svg>
+    ),
+  },
+];
+
+export default function SettingsPage(): ReactElement {
+  return (
+    <div className="max-w-6xl mx-auto p-6">
+      {/* Page header */}
+      <div style={{ marginBottom: 24 }}>
+        <h1
+          style={{
+            fontSize: "1.875rem",
+            fontWeight: 700,
+            color: "var(--text)",
+            margin: 0,
+          }}
+        >
+          Settings
+        </h1>
+        <p
+          style={{
+            fontSize: "0.9rem",
+            color: "var(--muted)",
+            margin: "8px 0 0 0",
+          }}
+        >
+          Configure your workspace, credentials, and preferences
+        </p>
+      </div>
+
+      {/* Category grid */}
+      <div className="grid grid-cols-1 md:grid-cols-2 gap-4">
+        {categories.map((category) => (
+          <SettingsCategoryCard key={category.href} category={category} />
+        ))}
+      </div>
+    </div>
+  );
+}
--- a/apps/web/src/app/(authenticated)/tasks/page.test.tsx
+++ b/apps/web/src/app/(authenticated)/tasks/page.test.tsx
@@ -1,5 +1,8 @@
-import { describe, it, expect, vi } from "vitest";
+import { describe, it, expect, vi, beforeEach } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import type { Task } from "@mosaic/shared";
+import { TaskStatus, TaskPriority } from "@mosaic/shared";
 import TasksPage from "./page";

 // Mock the TaskList component
@@ -9,21 +12,121 @@ vi.mock("@/components/tasks/TaskList", () => ({
  ),
 }));

+// Mock MosaicSpinner
+vi.mock("@/components/ui/MosaicSpinner", () => ({
+  MosaicSpinner: ({ label }: { label?: string }): React.JSX.Element => (
+    <div data-testid="mosaic-spinner">{label ?? "Loading..."}</div>
+  ),
+}));
+
+// Mock useWorkspaceId
+const mockUseWorkspaceId = vi.fn<() => string | null>();
+vi.mock("@/lib/hooks", () => ({
+  useWorkspaceId: (): string | null => mockUseWorkspaceId(),
+}));
+
+// Mock fetchTasks
+const mockFetchTasks = vi.fn<() => Promise<Task[]>>();
+vi.mock("@/lib/api/tasks", () => ({
+  fetchTasks: (...args: unknown[]): Promise<Task[]> => mockFetchTasks(...(args as [])),
+}));
+
+const fakeTasks: Task[] = [
+  {
+    id: "task-1",
+    title: "Test task 1",
+    description: "Description 1",
+    status: TaskStatus.IN_PROGRESS,
+    priority: TaskPriority.HIGH,
+    dueDate: new Date("2026-02-01"),
+    creatorId: "user-1",
+    assigneeId: "user-1",
+    workspaceId: "ws-1",
+    projectId: null,
+    parentId: null,
+    sortOrder: 0,
+    metadata: {},
+    completedAt: null,
+    createdAt: new Date("2026-01-28"),
+    updatedAt: new Date("2026-01-28"),
+  },
+  {
+    id: "task-2",
+    title: "Test task 2",
+    description: "Description 2",
+    status: TaskStatus.NOT_STARTED,
+    priority: TaskPriority.MEDIUM,
+    dueDate: new Date("2026-02-02"),
+    creatorId: "user-1",
+    assigneeId: "user-1",
+    workspaceId: "ws-1",
+    projectId: null,
+    parentId: null,
+    sortOrder: 1,
+    metadata: {},
+    completedAt: null,
+    createdAt: new Date("2026-01-28"),
+    updatedAt: new Date("2026-01-28"),
+  },
+];
+
 describe("TasksPage", (): void => {
+  beforeEach((): void => {
+    vi.clearAllMocks();
+    mockUseWorkspaceId.mockReturnValue("ws-1");
+    mockFetchTasks.mockResolvedValue(fakeTasks);
+  });
+
  it("should render the page title", (): void => {
    render(<TasksPage />);
    expect(screen.getByRole("heading", { level: 1 })).toHaveTextContent("Tasks");
  });

-  it("should show loading state initially", (): void => {
+  it("should show loading spinner initially", (): void => {
+    // Never resolve so we stay in loading state
+    // eslint-disable-next-line @typescript-eslint/no-empty-function
+    mockFetchTasks.mockReturnValue(new Promise<Task[]>(() => {}));
    render(<TasksPage />);
-    expect(screen.getByTestId("task-list")).toHaveTextContent("Loading");
+    expect(screen.getByTestId("mosaic-spinner")).toBeInTheDocument();
  });

  it("should render the TaskList with tasks after loading", async (): Promise<void> => {
    render(<TasksPage />);
    await waitFor((): void => {
-      expect(screen.getByTestId("task-list")).toHaveTextContent("4 tasks");
+      expect(screen.getByTestId("task-list")).toHaveTextContent("2 tasks");
+    });
+  });
+
+  it("should show empty state when no tasks exist", async (): Promise<void> => {
+    mockFetchTasks.mockResolvedValue([]);
+    render(<TasksPage />);
+    await waitFor((): void => {
+      expect(screen.getByText("No tasks found")).toBeInTheDocument();
+    });
+  });
+
+  it("should show error state on API failure", async (): Promise<void> => {
+    mockFetchTasks.mockRejectedValue(new Error("Network error"));
+    render(<TasksPage />);
+    await waitFor((): void => {
+      expect(screen.getByText("Network error")).toBeInTheDocument();
+    });
+    expect(screen.getByRole("button", { name: /try again/i })).toBeInTheDocument();
+  });
+
+  it("should retry fetching on retry button click", async (): Promise<void> => {
+    mockFetchTasks.mockRejectedValueOnce(new Error("Network error"));
+    render(<TasksPage />);
+    await waitFor((): void => {
+      expect(screen.getByText("Network error")).toBeInTheDocument();
+    });
+
+    mockFetchTasks.mockResolvedValueOnce(fakeTasks);
+    const user = userEvent.setup();
+    await user.click(screen.getByRole("button", { name: /try again/i }));
+
+    await waitFor((): void => {
+      expect(screen.getByTestId("task-list")).toHaveTextContent("2 tasks");
    });
  });

@@ -37,4 +140,14 @@ describe("TasksPage", (): void => {
    render(<TasksPage />);
    expect(screen.getByText("Organize your work at your own pace")).toBeInTheDocument();
  });
+
+  it("should not fetch when workspace ID is not available", async (): Promise<void> => {
+    mockUseWorkspaceId.mockReturnValue(null);
+    render(<TasksPage />);
+
+    // Wait a tick to ensure useEffect ran
+    await waitFor((): void => {
+      expect(mockFetchTasks).not.toHaveBeenCalled();
+    });
+  });
 });
--- a/apps/web/src/app/(authenticated)/tasks/page.tsx
+++ b/apps/web/src/app/(authenticated)/tasks/page.tsx
@@ -4,57 +4,123 @@ import { useState, useEffect } from "react";
 import type { ReactElement } from "react";

 import { TaskList } from "@/components/tasks/TaskList";
-import { mockTasks } from "@/lib/api/tasks";
+import { MosaicSpinner } from "@/components/ui/MosaicSpinner";
+import { fetchTasks } from "@/lib/api/tasks";
+import { useWorkspaceId } from "@/lib/hooks";
 import type { Task } from "@mosaic/shared";

 export default function TasksPage(): ReactElement {
+  const workspaceId = useWorkspaceId();
  const [tasks, setTasks] = useState<Task[]>([]);
  const [isLoading, setIsLoading] = useState(true);
  const [error, setError] = useState<string | null>(null);

  useEffect(() => {
-    void loadTasks();
-  }, []);
-
-  async function loadTasks(): Promise<void> {
-    setIsLoading(true);
-    setError(null);
-
-    try {
-      // TODO: Replace with real API call when backend is ready
-      // const data = await fetchTasks();
-      await new Promise((resolve) => setTimeout(resolve, 300));
-      setTasks(mockTasks);
-    } catch (err) {
-      setError(
-        err instanceof Error
-          ? err.message
-          : "We had trouble loading your tasks. Please try again when you're ready."
-      );
-    } finally {
+    if (!workspaceId) {
      setIsLoading(false);
+      return;
    }
+
+    let cancelled = false;
+    setError(null);
+    setIsLoading(true);
+
+    async function loadTasks(): Promise<void> {
+      try {
+        const filters = workspaceId !== null ? { workspaceId } : {};
+        const data = await fetchTasks(filters);
+        if (!cancelled) {
+          setTasks(data);
+        }
+      } catch (err: unknown) {
+        console.error("[Tasks] Failed to fetch tasks:", err);
+        if (!cancelled) {
+          setError(
+            err instanceof Error
+              ? err.message
+              : "We had trouble loading your tasks. Please try again when you're ready."
+          );
+        }
+      } finally {
+        if (!cancelled) {
+          setIsLoading(false);
+        }
+      }
+    }
+
+    void loadTasks();
+
+    return (): void => {
+      cancelled = true;
+    };
+  }, [workspaceId]);
+
+  function handleRetry(): void {
+    if (!workspaceId) return;
+    setError(null);
+    setIsLoading(true);
+
+    fetchTasks({ workspaceId })
+      .then((data) => {
+        setTasks(data);
+      })
+      .catch((err: unknown) => {
+        console.error("[Tasks] Retry failed:", err);
+        setError(
+          err instanceof Error
+            ? err.message
+            : "We had trouble loading your tasks. Please try again when you're ready."
+        );
+      })
+      .finally(() => {
+        setIsLoading(false);
+      });
  }

  return (
    <main className="container mx-auto px-4 py-8">
      <div className="mb-8">
-        <h1 className="text-3xl font-bold text-gray-900">Tasks</h1>
-        <p className="text-gray-600 mt-2">Organize your work at your own pace</p>
+        <h1 className="text-3xl font-bold" style={{ color: "var(--text)" }}>
+          Tasks
+        </h1>
+        <p className="mt-2" style={{ color: "var(--text-muted)" }}>
+          Organize your work at your own pace
+        </p>
      </div>

-      {error !== null ? (
-        <div className="rounded-lg border border-amber-200 bg-amber-50 p-6 text-center">
-          <p className="text-amber-800">{error}</p>
+      {isLoading ? (
+        <div className="flex justify-center py-16">
+          <MosaicSpinner label="Loading tasks..." />
+        </div>
+      ) : error !== null ? (
+        <div
+          className="rounded-lg p-6 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p style={{ color: "var(--danger)" }}>{error}</p>
          <button
-            onClick={() => void loadTasks()}
-            className="mt-4 rounded-md bg-amber-600 px-4 py-2 text-sm font-medium text-white hover:bg-amber-700 transition-colors"
+            onClick={handleRetry}
+            className="mt-4 rounded-md px-4 py-2 text-sm font-medium text-white transition-colors"
+            style={{ background: "var(--danger)" }}
          >
            Try again
          </button>
        </div>
+      ) : tasks.length === 0 ? (
+        <div
+          className="rounded-lg p-8 text-center"
+          style={{
+            background: "var(--surface)",
+            border: "1px solid var(--border)",
+          }}
+        >
+          <p style={{ color: "var(--text-muted)" }}>No tasks found</p>
+        </div>
      ) : (
-        <TaskList tasks={tasks} isLoading={isLoading} />
+        <TaskList tasks={tasks} isLoading={false} />
      )}
    </main>
  );
--- a/apps/web/src/app/(authenticated)/workspace/page.tsx
+++ b/apps/web/src/app/(authenticated)/workspace/page.tsx
--- a/apps/web/src/app/globals.css
+++ b/apps/web/src/app/globals.css
@@ -3,147 +3,303 @@
@tailwind utilities;

 /* =============================================================================
-   DESIGN C: PROFESSIONAL/ENTERPRISE DESIGN SYSTEM
-   Philosophy: "Good design is as little design as possible." - Dieter Rams
+   MOSAIC DESIGN SYSTEM — Reference token system from dashboard design
   ============================================================================= */

 /* -----------------------------------------------------------------------------
-   CSS Custom Properties - Light Theme (Default)
+   Primitive Tokens (Dark-first — dark is the default theme)
   ----------------------------------------------------------------------------- */
 :root {
-  /* Base colors - increased contrast from surfaces */
-  --color-background: 245 247 250;
-  --color-foreground: 15 23 42;
+  /* Mosaic design tokens — dark palette (default) */
+  --ms-bg-950: #080b12;
+  --ms-bg-900: #0f141d;
+  --ms-bg-850: #151b26;
+  --ms-surface-800: #1b2331;
+  --ms-surface-750: #232d3f;
+  --ms-border-700: #2f3b52;
+  --ms-text-100: #eef3ff;
+  --ms-text-300: #c5d0e6;
+  --ms-text-500: #8f9db7;
+  --ms-blue-500: #2f80ff;
+  --ms-blue-400: #56a0ff;
+  --ms-red-500: #e5484d;
+  --ms-red-400: #f06a6f;
+  --ms-purple-500: #8b5cf6;
+  --ms-purple-400: #a78bfa;
+  --ms-teal-500: #14b8a6;
+  --ms-teal-400: #2dd4bf;
+  --ms-amber-500: #f59e0b;
+  --ms-amber-400: #fbbf24;
+  --ms-pink-500: #ec4899;
+  --ms-emerald-500: #10b981;
+  --ms-orange-500: #f97316;
+  --ms-cyan-500: #06b6d4;
+  --ms-indigo-500: #6366f1;

-  /* Surface hierarchy (elevation levels) - improved contrast */
-  --surface-0: 255 255 255;
-  --surface-1: 250 251 252;
-  --surface-2: 241 245 249;
-  --surface-3: 226 232 240;
+  /* Semantic aliases — dark theme is default */
+  --bg: var(--ms-bg-900);
+  --bg-deep: var(--ms-bg-950);
+  --bg-mid: var(--ms-bg-850);
+  --surface: var(--ms-surface-800);
+  --surface-2: var(--ms-surface-750);
+  --border: var(--ms-border-700);
+  --text: var(--ms-text-100);
+  --text-2: var(--ms-text-300);
+  --muted: var(--ms-text-500);
+  --primary: var(--ms-blue-500);
+  --primary-l: var(--ms-blue-400);
+  --danger: var(--ms-red-500);
+  --success: var(--ms-teal-500);
+  --warn: var(--ms-amber-500);
+  --purple: var(--ms-purple-500);

-  /* Text hierarchy */
-  --text-primary: 15 23 42;
-  --text-secondary: 51 65 85;
-  --text-tertiary: 71 85 105;
-  --text-muted: 100 116 139;
+  /* Typography */
+  --font: var(--font-outfit, 'Outfit'), system-ui, sans-serif;
+  --mono: var(--font-fira-code, 'Fira Code'), 'Cascadia Code', monospace;

-  /* Border colors - stronger borders for light mode */
-  --border-default: 203 213 225;
-  --border-subtle: 226 232 240;
-  --border-strong: 148 163 184;
+  /* Radius scale */
+  --r: 8px;
+  --r-sm: 5px;
+  --r-lg: 12px;
+  --r-xl: 16px;

-  /* Brand accent - Indigo (professional, trustworthy) */
-  --accent-primary: 79 70 229;
-  --accent-primary-hover: 67 56 202;
-  --accent-primary-light: 238 242 255;
-  --accent-primary-muted: 199 210 254;
+  /* Layout dimensions */
+  --sidebar-w: 260px;
+  --topbar-h: 56px;
+  --terminal-h: 220px;

-  /* Semantic colors - Success (Emerald) */
-  --semantic-success: 16 185 129;
-  --semantic-success-light: 209 250 229;
-  --semantic-success-dark: 6 95 70;
+  /* Easing */
+  --ease: cubic-bezier(0.16, 1, 0.3, 1);

-  /* Semantic colors - Warning (Amber) */
-  --semantic-warning: 245 158 11;
-  --semantic-warning-light: 254 243 199;
-  --semantic-warning-dark: 146 64 14;
-
-  /* Semantic colors - Error (Rose) */
-  --semantic-error: 244 63 94;
-  --semantic-error-light: 255 228 230;
-  --semantic-error-dark: 159 18 57;
-
-  /* Semantic colors - Info (Sky) */
-  --semantic-info: 14 165 233;
-  --semantic-info-light: 224 242 254;
-  --semantic-info-dark: 3 105 161;
-
-  /* Focus ring */
-  --focus-ring: 99 102 241;
-  --focus-ring-offset: 255 255 255;
-
-  /* Shadows - visible but subtle */
-  --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 0.05), 0 1px 3px 0 rgb(0 0 0 / 0.05);
-  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.08), 0 2px 4px -2px rgb(0 0 0 / 0.06);
-  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.08);
-}
-
-/* -----------------------------------------------------------------------------
-   CSS Custom Properties - Dark Theme
-   ----------------------------------------------------------------------------- */
-.dark {
-  --color-background: 3 7 18;
-  --color-foreground: 248 250 252;
-
-  /* Surface hierarchy (elevation levels) */
-  --surface-0: 15 23 42;
-  --surface-1: 30 41 59;
-  --surface-2: 51 65 85;
-  --surface-3: 71 85 105;
-
-  /* Text hierarchy */
-  --text-primary: 248 250 252;
-  --text-secondary: 203 213 225;
-  --text-tertiary: 148 163 184;
-  --text-muted: 100 116 139;
-
-  /* Border colors */
-  --border-default: 51 65 85;
-  --border-subtle: 30 41 59;
-  --border-strong: 71 85 105;
-
-  /* Brand accent adjustments for dark mode */
-  --accent-primary: 129 140 248;
-  --accent-primary-hover: 165 180 252;
-  --accent-primary-light: 30 27 75;
-  --accent-primary-muted: 55 48 163;
-
-  /* Semantic colors adjustments */
-  --semantic-success: 52 211 153;
-  --semantic-success-light: 6 78 59;
-  --semantic-success-dark: 167 243 208;
-
-  --semantic-warning: 251 191 36;
-  --semantic-warning-light: 120 53 15;
-  --semantic-warning-dark: 253 230 138;
-
-  --semantic-error: 251 113 133;
-  --semantic-error-light: 136 19 55;
-  --semantic-error-dark: 253 164 175;
-
-  --semantic-info: 56 189 248;
-  --semantic-info-light: 12 74 110;
-  --semantic-info-dark: 186 230 253;
-
-  /* Focus ring */
-  --focus-ring: 129 140 248;
-  --focus-ring-offset: 15 23 42;
-
-  /* Shadows - subtle glow in dark mode */
+  /* Legacy shadow tokens (retained for component compat) */
  --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 0.3);
  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.4), 0 2px 4px -2px rgb(0 0 0 / 0.3);
  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.5), 0 4px 6px -4px rgb(0 0 0 / 0.4);
 }

+/* -----------------------------------------------------------------------------
+   Light Theme Override — applied via data-theme attribute on <html>
+   ----------------------------------------------------------------------------- */
+[data-theme="light"] {
+  --ms-bg-950: #f8faff;
+  --ms-bg-900: #f0f4fc;
+  --ms-bg-850: #e8edf8;
+  --ms-surface-800: #dde4f2;
+  --ms-surface-750: #d0d9ec;
+  --ms-border-700: #b8c4de;
+  --ms-text-100: #0f141d;
+  --ms-text-300: #2f3b52;
+  --ms-text-500: #5a6a87;
+
+  /* Re-alias semantics for light — identical structure, primitive tokens differ */
+  --bg: var(--ms-bg-900);
+  --bg-deep: var(--ms-bg-950);
+  --bg-mid: var(--ms-bg-850);
+  --surface: var(--ms-surface-800);
+  --surface-2: var(--ms-surface-750);
+  --border: var(--ms-border-700);
+  --text: var(--ms-text-100);
+  --text-2: var(--ms-text-300);
+  --muted: var(--ms-text-500);
+
+  /* Lighter shadows for light mode */
+  --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 0.05), 0 1px 3px 0 rgb(0 0 0 / 0.05);
+  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.08), 0 2px 4px -2px rgb(0 0 0 / 0.06);
+  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.08);
+}
+
 /* -----------------------------------------------------------------------------
   Base Styles
   ----------------------------------------------------------------------------- */
-* {
+*,
+*::before,
+*::after {
  box-sizing: border-box;
 }

 html {
+  font-size: 15px;
  font-feature-settings: "cv02", "cv03", "cv04", "cv11";
  -webkit-font-smoothing: antialiased;
  -moz-osx-font-smoothing: grayscale;
 }

 body {
-  color: rgb(var(--text-primary));
-  background: rgb(var(--color-background));
-  font-size: 14px;
+  font-family: var(--font);
+  background: var(--bg);
+  color: var(--text);
  line-height: 1.5;
-  transition: background-color 0.15s ease, color 0.15s ease;
+}
+
+a {
+  color: inherit;
+  text-decoration: none;
+}
+
+button {
+  font-family: inherit;
+  cursor: pointer;
+  border: none;
+  background: none;
+  color: inherit;
+}
+
+input,
+select,
+textarea {
+  font-family: inherit;
+}
+
+ul {
+  list-style: none;
+}
+
+/* Subtle grain/noise overlay for texture */
+body::before {
+  content: '';
+  position: fixed;
+  inset: 0;
+  pointer-events: none;
+  z-index: 9999;
+  background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 200 200' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)' opacity='1'/%3E%3C/svg%3E");
+  opacity: 0.025;
+}
+
+/* -----------------------------------------------------------------------------
+   Focus States - Accessible & Visible
+   ----------------------------------------------------------------------------- */
+@layer base {
+  :focus-visible {
+    outline: 2px solid var(--ms-blue-400);
+    outline-offset: 2px;
+  }
+
+  :focus:not(:focus-visible) {
+    outline: none;
+  }
+}
+
+/* -----------------------------------------------------------------------------
+   Scrollbar Styling - Minimal & Professional
+   ----------------------------------------------------------------------------- */
+::-webkit-scrollbar {
+  width: 6px;
+  height: 6px;
+}
+
+::-webkit-scrollbar-track {
+  background: transparent;
+}
+
+::-webkit-scrollbar-thumb {
+  background: var(--border);
+  border-radius: 3px;
+}
+
+::-webkit-scrollbar-thumb:hover {
+  background: var(--muted);
+}
+
+/* Firefox */
+* {
+  scrollbar-width: thin;
+  scrollbar-color: var(--border) transparent;
+}
+
+/* -----------------------------------------------------------------------------
+   App Shell Grid Layout
+   ----------------------------------------------------------------------------- */
+.app-shell {
+  display: grid;
+  grid-template-columns: var(--sidebar-w) 1fr;
+  grid-template-rows: var(--topbar-h) 1fr;
+  height: 100vh;
+  overflow: hidden;
+}
+
+.app-header {
+  grid-column: 1 / -1;
+  grid-row: 1;
+  background: var(--bg-deep);
+  border-bottom: 1px solid var(--border);
+  display: flex;
+  align-items: center;
+  padding: 0 20px;
+  gap: 12px;
+  z-index: 100;
+}
+
+.app-sidebar {
+  grid-column: 1;
+  grid-row: 2;
+  background: var(--bg-deep);
+  border-right: 1px solid var(--border);
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+}
+
+.app-main {
+  grid-column: 2;
+  grid-row: 2;
+  background: var(--bg);
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+  position: relative;
+}
+
+/* -----------------------------------------------------------------------------
+   Responsive App Shell — Mobile (< 768px): single-column, sidebar as overlay
+   ----------------------------------------------------------------------------- */
+@media (max-width: 767px) {
+  .app-shell {
+    grid-template-columns: 1fr;
+  }
+
+  .app-sidebar {
+    position: fixed;
+    left: 0;
+    top: var(--topbar-h);
+    bottom: 0;
+    width: 240px;
+    z-index: 150;
+    transform: translateX(-100%);
+    transition: transform 0.2s ease;
+  }
+
+  .app-sidebar[data-mobile-open="true"] {
+    transform: translateX(0);
+  }
+
+  .app-main {
+    grid-column: 1;
+  }
+
+  .app-header {
+    grid-column: 1;
+  }
+}
+
+/* -----------------------------------------------------------------------------
+   Responsive App Shell — Tablet (768px–1023px): sidebar toggleable, pushes content
+   ----------------------------------------------------------------------------- */
+@media (min-width: 768px) and (max-width: 1023px) {
+  .app-shell[data-sidebar-hidden="true"] {
+    grid-template-columns: 1fr;
+  }
+
+  .app-shell[data-sidebar-hidden="true"] .app-sidebar {
+    display: none;
+  }
+
+  .app-shell[data-sidebar-hidden="true"] .app-main {
+    grid-column: 1;
+  }
+
+  .app-shell[data-sidebar-hidden="true"] .app-header {
+    grid-column: 1;
+  }
 }

 /* -----------------------------------------------------------------------------
@@ -182,102 +338,10 @@ body {
  }

  .text-mono {
-    font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+    font-family: var(--mono);
    font-size: 0.8125rem;
    line-height: 1.25rem;
  }
-
-  /* Text color utilities */
-  .text-primary {
-    color: rgb(var(--text-primary));
-  }
-
-  .text-secondary {
-    color: rgb(var(--text-secondary));
-  }
-
-  .text-tertiary {
-    color: rgb(var(--text-tertiary));
-  }
-
-  .text-muted {
-    color: rgb(var(--text-muted));
-  }
-}
-
-/* -----------------------------------------------------------------------------
-   Surface & Card Utilities
-   ----------------------------------------------------------------------------- */
-@layer utilities {
-  .surface-0 {
-    background-color: rgb(var(--surface-0));
-  }
-
-  .surface-1 {
-    background-color: rgb(var(--surface-1));
-  }
-
-  .surface-2 {
-    background-color: rgb(var(--surface-2));
-  }
-
-  .surface-3 {
-    background-color: rgb(var(--surface-3));
-  }
-
-  .border-default {
-    border-color: rgb(var(--border-default));
-  }
-
-  .border-subtle {
-    border-color: rgb(var(--border-subtle));
-  }
-
-  .border-strong {
-    border-color: rgb(var(--border-strong));
-  }
-}
-
-/* -----------------------------------------------------------------------------
-   Focus States - Accessible & Visible
-   ----------------------------------------------------------------------------- */
-@layer base {
-  :focus-visible {
-    outline: 2px solid rgb(var(--focus-ring));
-    outline-offset: 2px;
-  }
-
-  /* Remove default focus for mouse users */
-  :focus:not(:focus-visible) {
-    outline: none;
-  }
-}
-
-/* -----------------------------------------------------------------------------
-   Scrollbar Styling - Minimal & Professional
-   ----------------------------------------------------------------------------- */
-::-webkit-scrollbar {
-  width: 6px;
-  height: 6px;
-}
-
-::-webkit-scrollbar-track {
-  background: transparent;
-}
-
-::-webkit-scrollbar-thumb {
-  background: rgb(var(--text-muted) / 0.4);
-  border-radius: 3px;
-}
-
-::-webkit-scrollbar-thumb:hover {
-  background: rgb(var(--text-muted) / 0.6);
-}
-
-/* Firefox */
-* {
-  scrollbar-width: thin;
-  scrollbar-color: rgb(var(--text-muted) / 0.4) transparent;
 }

 /* -----------------------------------------------------------------------------
@@ -292,40 +356,46 @@ body {

  .btn-primary {
    @apply btn px-4 py-2;
-    background-color: rgb(var(--accent-primary));
+    background: linear-gradient(135deg, var(--ms-blue-500), var(--ms-purple-500));
    color: white;
+    border-radius: var(--r);
  }

  .btn-primary:hover:not(:disabled) {
-    background-color: rgb(var(--accent-primary-hover));
+    box-shadow: 0 8px 28px rgba(47, 128, 255, 0.38);
+    transform: translateY(-1px);
  }

  .btn-secondary {
    @apply btn px-4 py-2;
-    background-color: rgb(var(--surface-2));
-    color: rgb(var(--text-primary));
-    border: 1px solid rgb(var(--border-default));
+    background-color: var(--surface);
+    color: var(--text-2);
+    border: 1px solid var(--border);
+    border-radius: var(--r);
  }

  .btn-secondary:hover:not(:disabled) {
-    background-color: rgb(var(--surface-3));
+    background-color: var(--surface-2);
+    color: var(--text);
  }

  .btn-ghost {
    @apply btn px-3 py-2;
    background-color: transparent;
-    color: rgb(var(--text-secondary));
+    color: var(--muted);
+    border-radius: var(--r);
  }

  .btn-ghost:hover:not(:disabled) {
-    background-color: rgb(var(--surface-2));
-    color: rgb(var(--text-primary));
+    background-color: var(--surface);
+    color: var(--text);
  }

  .btn-danger {
    @apply btn px-4 py-2;
-    background-color: rgb(var(--semantic-error));
+    background-color: var(--danger);
    color: white;
+    border-radius: var(--r);
  }

  .btn-danger:hover:not(:disabled) {
@@ -346,34 +416,36 @@ body {
   ----------------------------------------------------------------------------- */
@layer components {
  .input {
-    @apply w-full rounded-md px-3 py-2 text-sm transition-all duration-150;
-    @apply focus:outline-none focus:ring-2 focus:ring-offset-0;
-    background-color: rgb(var(--surface-0));
-    border: 1px solid rgb(var(--border-default));
-    color: rgb(var(--text-primary));
+    @apply w-full text-sm transition-all duration-150;
+    @apply focus:outline-none;
+    background-color: var(--bg);
+    border: 1px solid var(--border);
+    border-radius: var(--r);
+    color: var(--text);
+    padding: 11px 14px;
  }

  .input::placeholder {
-    color: rgb(var(--text-muted));
+    color: var(--muted);
  }

  .input:focus {
-    border-color: rgb(var(--accent-primary));
-    box-shadow: 0 0 0 3px rgb(var(--accent-primary) / 0.1);
+    border-color: var(--primary);
+    box-shadow: 0 0 0 3px rgba(47, 128, 255, 0.12);
  }

  .input:disabled {
    @apply opacity-50 cursor-not-allowed;
-    background-color: rgb(var(--surface-1));
+    background-color: var(--surface);
  }

  .input-error {
-    border-color: rgb(var(--semantic-error));
+    border-color: var(--danger);
  }

  .input-error:focus {
-    border-color: rgb(var(--semantic-error));
-    box-shadow: 0 0 0 3px rgb(var(--semantic-error) / 0.1);
+    border-color: var(--danger);
+    box-shadow: 0 0 0 3px rgba(229, 72, 77, 0.12);
  }
 }

@@ -383,8 +455,8 @@ body {
@layer components {
  .card {
    @apply rounded-lg p-4;
-    background-color: rgb(var(--surface-0));
-    border: 1px solid rgb(var(--border-default));
+    background-color: var(--surface);
+    border: 1px solid var(--border);
    box-shadow: var(--shadow-sm);
  }

@@ -398,7 +470,7 @@ body {
  }

  .card-interactive:hover {
-    border-color: rgb(var(--border-strong));
+    border-color: var(--muted);
    box-shadow: var(--shadow-md);
  }
 }
@@ -412,33 +484,33 @@ body {
  }

  .badge-success {
-    background-color: rgb(var(--semantic-success-light));
-    color: rgb(var(--semantic-success-dark));
+    background-color: rgba(20, 184, 166, 0.15);
+    color: var(--ms-teal-400);
  }

  .badge-warning {
-    background-color: rgb(var(--semantic-warning-light));
-    color: rgb(var(--semantic-warning-dark));
+    background-color: rgba(245, 158, 11, 0.15);
+    color: var(--ms-amber-400);
  }

  .badge-error {
-    background-color: rgb(var(--semantic-error-light));
-    color: rgb(var(--semantic-error-dark));
+    background-color: rgba(229, 72, 77, 0.15);
+    color: var(--ms-red-400);
  }

  .badge-info {
-    background-color: rgb(var(--semantic-info-light));
-    color: rgb(var(--semantic-info-dark));
+    background-color: rgba(47, 128, 255, 0.15);
+    color: var(--ms-blue-400);
  }

  .badge-neutral {
-    background-color: rgb(var(--surface-2));
-    color: rgb(var(--text-secondary));
+    background-color: var(--surface-2);
+    color: var(--text-2);
  }

  .badge-primary {
-    background-color: rgb(var(--accent-primary-light));
-    color: rgb(var(--accent-primary));
+    background-color: rgba(47, 128, 255, 0.15);
+    color: var(--primary-l);
  }
 }

@@ -451,26 +523,29 @@ body {
  }

  .status-dot-success {
-    background-color: rgb(var(--semantic-success));
+    background-color: var(--success);
+    box-shadow: 0 0 5px var(--success);
  }

  .status-dot-warning {
-    background-color: rgb(var(--semantic-warning));
+    background-color: var(--warn);
+    box-shadow: 0 0 5px var(--warn);
  }

  .status-dot-error {
-    background-color: rgb(var(--semantic-error));
+    background-color: var(--danger);
+    box-shadow: 0 0 5px var(--danger);
  }

  .status-dot-info {
-    background-color: rgb(var(--semantic-info));
+    background-color: var(--primary);
+    box-shadow: 0 0 5px var(--primary);
  }

  .status-dot-neutral {
-    background-color: rgb(var(--text-muted));
+    background-color: var(--muted);
  }

-  /* Pulsing indicator for live/active status */
  .status-dot-pulse {
    @apply relative;
  }
@@ -489,12 +564,12 @@ body {
@layer components {
  .kbd {
    @apply inline-flex items-center justify-center rounded px-1.5 py-0.5 text-xs font-medium;
-    background-color: rgb(var(--surface-2));
-    border: 1px solid rgb(var(--border-default));
-    color: rgb(var(--text-tertiary));
-    font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+    background-color: var(--surface-2);
+    border: 1px solid var(--border);
+    color: var(--muted);
+    font-family: var(--mono);
    min-width: 1.5rem;
-    box-shadow: 0 1px 0 rgb(var(--border-strong));
+    box-shadow: 0 1px 0 var(--border);
  }

  .kbd-group {
@@ -512,13 +587,13 @@ body {

  .table-pro thead {
    @apply sticky top-0;
-    background-color: rgb(var(--surface-1));
-    border-bottom: 1px solid rgb(var(--border-default));
+    background-color: var(--surface);
+    border-bottom: 1px solid var(--border);
  }

  .table-pro th {
    @apply px-4 py-3 text-left text-xs font-semibold uppercase tracking-wider;
-    color: rgb(var(--text-tertiary));
+    color: var(--muted);
  }

  .table-pro th.sortable {
@@ -526,16 +601,16 @@ body {
  }

  .table-pro th.sortable:hover {
-    color: rgb(var(--text-primary));
+    color: var(--text);
  }

  .table-pro tbody tr {
-    border-bottom: 1px solid rgb(var(--border-subtle));
+    border-bottom: 1px solid var(--border);
    transition: background-color 0.1s ease;
  }

  .table-pro tbody tr:hover {
-    background-color: rgb(var(--surface-1));
+    background-color: var(--surface);
  }

  .table-pro td {
@@ -555,9 +630,9 @@ body {
    @apply animate-pulse rounded;
    background: linear-gradient(
      90deg,
-      rgb(var(--surface-2)) 0%,
-      rgb(var(--surface-1)) 50%,
-      rgb(var(--surface-2)) 100%
+      var(--surface) 0%,
+      var(--surface-2) 50%,
+      var(--surface) 100%
    );
    background-size: 200% 100%;
  }
@@ -590,15 +665,16 @@ body {
  }

  .modal-content {
-    @apply relative max-h-[90vh] w-full max-w-lg overflow-y-auto rounded-lg;
-    background-color: rgb(var(--surface-0));
-    border: 1px solid rgb(var(--border-default));
+    @apply relative max-h-[90vh] w-full max-w-lg overflow-y-auto;
+    background-color: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: var(--r-lg);
    box-shadow: var(--shadow-lg);
  }

  .modal-header {
    @apply flex items-center justify-between p-4 border-b;
-    border-color: rgb(var(--border-default));
+    border-color: var(--border);
  }

  .modal-body {
@@ -607,7 +683,7 @@ body {

  .modal-footer {
    @apply flex items-center justify-end gap-3 p-4 border-t;
-    border-color: rgb(var(--border-default));
+    border-color: var(--border);
  }
 }

@@ -617,9 +693,10 @@ body {
@layer components {
  .tooltip {
    @apply absolute z-50 rounded px-2 py-1 text-xs font-medium;
-    background-color: rgb(var(--text-primary));
-    color: rgb(var(--color-background));
+    background-color: var(--text);
+    color: var(--bg);
    box-shadow: var(--shadow-md);
+    border-radius: var(--r-sm);
  }

  .tooltip::before {
@@ -630,7 +707,7 @@ body {

  .tooltip-top::before {
    @apply left-1/2 top-full -translate-x-1/2;
-    border-top-color: rgb(var(--text-primary));
+    border-top-color: var(--text);
  }
 }

@@ -680,16 +757,92 @@ body {
  animation: scaleIn 0.15s ease-out;
 }

-/* Message animation - subtle for chat */
 .message-animate {
  animation: slideIn 0.2s ease-out;
 }

-/* Menu dropdown animation */
 .animate-menu-enter {
  animation: scaleIn 0.1s ease-out;
 }

+/* Streaming cursor for real-time token rendering */
+@keyframes streaming-cursor-blink {
+  0%,
+  100% {
+    opacity: 1;
+  }
+  50% {
+    opacity: 0;
+  }
+}
+
+.streaming-cursor {
+  display: inline-block;
+  width: 2px;
+  height: 1em;
+  background-color: rgb(var(--accent-primary));
+  border-radius: 1px;
+  animation: streaming-cursor-blink 1s step-end infinite;
+  vertical-align: text-bottom;
+  margin-left: 1px;
+}
+
+/* -----------------------------------------------------------------------------
+   Dashboard Layout — Responsive Grids
+   ----------------------------------------------------------------------------- */
+.metrics-strip {
+  display: grid;
+  grid-template-columns: repeat(var(--ms-cols, 6), 1fr);
+  gap: 0;
+  border-radius: var(--r-lg);
+  overflow: hidden;
+  border: 1px solid var(--border);
+}
+
+.metric-cell {
+  border-left: 1px solid var(--border);
+}
+
+.metric-cell:first-child {
+  border-left: none;
+}
+
+@media (max-width: 900px) {
+  .metrics-strip {
+    grid-template-columns: repeat(3, 1fr);
+  }
+
+  .metric-cell:nth-child(3n + 1) {
+    border-left: none;
+  }
+}
+
+@media (max-width: 640px) {
+  .metrics-strip {
+    grid-template-columns: repeat(2, 1fr);
+  }
+
+  .metric-cell:nth-child(3n + 1) {
+    border-left: 1px solid var(--border);
+  }
+
+  .metric-cell:nth-child(2n + 1) {
+    border-left: none;
+  }
+}
+
+.dash-grid {
+  display: grid;
+  grid-template-columns: 1fr 320px;
+  gap: 16px;
+}
+
+@media (max-width: 900px) {
+  .dash-grid {
+    grid-template-columns: 1fr;
+  }
+}
+
 /* -----------------------------------------------------------------------------
   Responsive Typography Adjustments
   ----------------------------------------------------------------------------- */
@@ -710,13 +863,8 @@ body {
   ----------------------------------------------------------------------------- */
@media (prefers-contrast: high) {
  :root {
-    --border-default: 100 116 139;
-    --border-strong: 71 85 105;
-  }
-
-  .dark {
-    --border-default: 148 163 184;
-    --border-strong: 203 213 225;
+    --border: #4a5a78;
+    --muted: #a0b0cc;
  }
 }

--- a/apps/web/src/app/layout.tsx
+++ b/apps/web/src/app/layout.tsx
@@ -1,18 +1,56 @@
 import type { Metadata } from "next";
 import type { ReactNode } from "react";
+import { Outfit, Fira_Code } from "next/font/google";
 import { AuthProvider } from "@/lib/auth/auth-context";
 import { ErrorBoundary } from "@/components/error-boundary";
 import { ThemeProvider } from "@/providers/ThemeProvider";
 import "./globals.css";

+export const dynamic = "force-dynamic";
+
 export const metadata: Metadata = {
  title: "Mosaic Stack",
  description: "Mosaic Stack Web Application",
 };

+const outfit = Outfit({
+  subsets: ["latin"],
+  variable: "--font-outfit",
+  display: "swap",
+});
+
+const firaCode = Fira_Code({
+  subsets: ["latin"],
+  variable: "--font-fira-code",
+  display: "swap",
+});
+
+/**
+ * Runtime env vars injected as a synchronous script so client-side modules
+ * can read them before React hydration.  This allows Docker env vars to
+ * override the build-time baked NEXT_PUBLIC_* values.
+ */
+function runtimeEnvScript(): string {
+  const env: Record<string, string> = {};
+  for (const key of [
+    "NEXT_PUBLIC_API_URL",
+    "NEXT_PUBLIC_ORCHESTRATOR_URL",
+    "NEXT_PUBLIC_AUTH_MODE",
+  ]) {
+    const value = process.env[key];
+    if (value) {
+      env[key] = value;
+    }
+  }
+  return `window.__MOSAIC_ENV__=${JSON.stringify(env)};`;
+}
+
 export default function RootLayout({ children }: { children: ReactNode }): React.JSX.Element {
  return (
-    <html lang="en">
+    <html lang="en" className={`${outfit.variable} ${firaCode.variable}`}>
+      <head>
+        <script dangerouslySetInnerHTML={{ __html: runtimeEnvScript() }} />
+      </head>
      <body>
        <ThemeProvider>
          <ErrorBoundary>
--- a/apps/web/src/app/not-found.tsx
+++ b/apps/web/src/app/not-found.tsx
@@ -0,0 +1,175 @@
+import type { Metadata } from "next";
+import type { ReactElement } from "react";
+import Link from "next/link";
+
+export const metadata: Metadata = {
+  title: "404 — Page Not Found | Mosaic Stack",
+};
+
+export default function NotFound(): ReactElement {
+  return (
+    <div
+      style={{
+        display: "flex",
+        flexDirection: "column",
+        alignItems: "center",
+        justifyContent: "center",
+        minHeight: "100vh",
+        background: "var(--bg)",
+        padding: "24px",
+        textAlign: "center",
+        gap: "32px",
+      }}
+    >
+      {/* Mosaic logo mark — inline spans replicating the 5-element logo */}
+      <div
+        style={{
+          width: 48,
+          height: 48,
+          position: "relative",
+          flexShrink: 0,
+        }}
+        role="img"
+        aria-label="Mosaic logo"
+      >
+        {/* Top-left: blue */}
+        <span
+          style={{
+            position: "absolute",
+            top: 0,
+            left: 0,
+            width: 19,
+            height: 19,
+            borderRadius: 4,
+            background: "var(--ms-blue-500)",
+          }}
+        />
+        {/* Top-right: purple */}
+        <span
+          style={{
+            position: "absolute",
+            top: 0,
+            right: 0,
+            width: 19,
+            height: 19,
+            borderRadius: 4,
+            background: "var(--ms-purple-500)",
+          }}
+        />
+        {/* Bottom-right: teal */}
+        <span
+          style={{
+            position: "absolute",
+            bottom: 0,
+            right: 0,
+            width: 19,
+            height: 19,
+            borderRadius: 4,
+            background: "var(--ms-teal-500)",
+          }}
+        />
+        {/* Bottom-left: amber */}
+        <span
+          style={{
+            position: "absolute",
+            bottom: 0,
+            left: 0,
+            width: 19,
+            height: 19,
+            borderRadius: 4,
+            background: "var(--ms-amber-500)",
+          }}
+        />
+        {/* Center: pink circle */}
+        <span
+          style={{
+            position: "absolute",
+            top: "50%",
+            left: "50%",
+            transform: "translate(-50%, -50%)",
+            width: 15,
+            height: 15,
+            borderRadius: "50%",
+            background: "var(--ms-pink-500)",
+          }}
+        />
+      </div>
+
+      {/* 404 gradient text */}
+      <h1
+        style={{
+          fontFamily: "var(--mono)",
+          fontSize: "6rem",
+          fontWeight: 700,
+          lineHeight: 1,
+          margin: 0,
+          background: "linear-gradient(135deg, var(--ms-blue-400), var(--ms-purple-500))",
+          WebkitBackgroundClip: "text",
+          WebkitTextFillColor: "transparent",
+          backgroundClip: "text",
+        }}
+      >
+        404
+      </h1>
+
+      {/* Heading + description */}
+      <div style={{ display: "flex", flexDirection: "column", gap: "12px" }}>
+        <h2
+          style={{
+            fontSize: "1.5rem",
+            fontWeight: 600,
+            color: "var(--text)",
+            margin: 0,
+            letterSpacing: "-0.025em",
+          }}
+        >
+          Page not found
+        </h2>
+        <p
+          style={{
+            fontSize: "0.9375rem",
+            color: "var(--muted)",
+            margin: 0,
+            maxWidth: "400px",
+            lineHeight: 1.6,
+          }}
+        >
+          The page you&apos;re looking for doesn&apos;t exist or has been moved.
+        </p>
+      </div>
+
+      {/* Dashboard link styled as button */}
+      <Link
+        href="/"
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+          padding: "10px 24px",
+          background: "var(--ms-blue-500)",
+          color: "#ffffff",
+          borderRadius: "var(--r)",
+          fontSize: "0.875rem",
+          fontWeight: 500,
+          textDecoration: "none",
+          transition: "opacity 0.15s ease",
+        }}
+      >
+        Go to Dashboard
+      </Link>
+
+      {/* Subtle status footer */}
+      <p
+        style={{
+          fontFamily: "var(--mono)",
+          fontSize: "0.75rem",
+          color: "var(--muted)",
+          margin: 0,
+          opacity: 0.6,
+        }}
+      >
+        HTTP 404 — Not Found
+      </p>
+    </div>
+  );
+}
--- a/apps/web/src/app/page.test.tsx
+++ b/apps/web/src/app/page.test.tsx
@@ -1,52 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-import { render } from "@testing-library/react";
-import Home from "./page";
-
-// Mock Next.js navigation
-const mockPush = vi.fn();
-vi.mock("next/navigation", () => ({
-  useRouter: (): {
-    push: typeof mockPush;
-    replace: ReturnType<typeof vi.fn>;
-    prefetch: ReturnType<typeof vi.fn>;
-  } => ({
-    push: mockPush,
-    replace: vi.fn(),
-    prefetch: vi.fn(),
-  }),
-}));
-
-// Mock auth context
-vi.mock("@/lib/auth/auth-context", () => ({
-  useAuth: (): {
-    user: null;
-    isLoading: boolean;
-    isAuthenticated: boolean;
-    signOut: ReturnType<typeof vi.fn>;
-    refreshSession: ReturnType<typeof vi.fn>;
-  } => ({
-    user: null,
-    isLoading: false,
-    isAuthenticated: false,
-    signOut: vi.fn(),
-    refreshSession: vi.fn(),
-  }),
-}));
-
-describe("Home", (): void => {
-  beforeEach((): void => {
-    mockPush.mockClear();
-  });
-
-  it("should render loading spinner", (): void => {
-    const { container } = render(<Home />);
-    // The home page shows a loading spinner while redirecting
-    const spinner = container.querySelector(".animate-spin");
-    expect(spinner).toBeInTheDocument();
-  });
-
-  it("should redirect unauthenticated users to login", (): void => {
-    render(<Home />);
-    expect(mockPush).toHaveBeenCalledWith("/login");
-  });
-});
--- a/apps/web/src/app/page.tsx
+++ b/apps/web/src/app/page.tsx
@@ -1,28 +0,0 @@
-"use client";
-
-import type { ReactElement } from "react";
-
-import { useEffect } from "react";
-import { useRouter } from "next/navigation";
-import { useAuth } from "@/lib/auth/auth-context";
-
-export default function Home(): ReactElement {
-  const router = useRouter();
-  const { isAuthenticated, isLoading } = useAuth();
-
-  useEffect(() => {
-    if (!isLoading) {
-      if (isAuthenticated) {
-        router.push("/tasks");
-      } else {
-        router.push("/login");
-      }
-    }
-  }, [isAuthenticated, isLoading, router]);
-
-  return (
-    <div className="flex min-h-screen items-center justify-center">
-      <div className="animate-spin rounded-full h-12 w-12 border-b-2 border-gray-900"></div>
-    </div>
-  );
-}
--- a/apps/web/src/components/auth/AuthDivider.test.tsx
+++ b/apps/web/src/components/auth/AuthDivider.test.tsx
@@ -5,7 +5,7 @@ import { AuthDivider } from "./AuthDivider";
 describe("AuthDivider", (): void => {
  it("should render with default text", (): void => {
    render(<AuthDivider />);
-    expect(screen.getByText("or continue with email")).toBeInTheDocument();
+    expect(screen.getByText("or continue with")).toBeInTheDocument();
  });

  it("should render with custom text", (): void => {
@@ -13,10 +13,10 @@ describe("AuthDivider", (): void => {
    expect(screen.getByText("or sign up")).toBeInTheDocument();
  });

-  it("should render a horizontal divider line", (): void => {
+  it("should render horizontal divider lines", (): void => {
    const { container } = render(<AuthDivider />);
-    const line = container.querySelector("span.border-t");
-    expect(line).toBeInTheDocument();
+    const lines = container.querySelectorAll("[aria-hidden='true'].h-px");
+    expect(lines.length).toBe(2);
  });

  it("should apply uppercase styling to text", (): void => {
--- a/apps/web/src/components/auth/AuthDivider.tsx
+++ b/apps/web/src/components/auth/AuthDivider.tsx
@@ -1,18 +1,2 @@
-interface AuthDividerProps {
-  text?: string;
-}
-
-export function AuthDivider({
-  text = "or continue with email",
-}: AuthDividerProps): React.ReactElement {
-  return (
-    <div className="relative my-6">
-      <div className="absolute inset-0 flex items-center">
-        <span className="w-full border-t border-slate-200" />
-      </div>
-      <div className="relative flex justify-center text-xs uppercase">
-        <span className="bg-white px-2 text-slate-500">{text}</span>
-      </div>
-    </div>
-  );
-}
+export { AuthDivider } from "@mosaic/ui";
+export type { AuthDividerProps } from "@mosaic/ui";
--- a/apps/web/src/components/auth/AuthErrorBanner.test.tsx
+++ b/apps/web/src/components/auth/AuthErrorBanner.test.tsx
@@ -18,17 +18,10 @@ describe("AuthErrorBanner", (): void => {
    expect(alert).toHaveAttribute("aria-live", "polite");
  });

-  it("should render the info icon, not a warning icon", (): void => {
+  it("should render an icon", (): void => {
    const { container } = render(<AuthErrorBanner message="Test message" />);
-    // Info icon from lucide-react renders as an SVG
    const svgs = container.querySelectorAll("svg");
    expect(svgs.length).toBeGreaterThanOrEqual(1);
-    // The container should use blue styling, not red/yellow
-    const alert = screen.getByRole("alert");
-    expect(alert.className).toContain("bg-blue-50");
-    expect(alert.className).toContain("text-blue-700");
-    expect(alert.className).not.toContain("red");
-    expect(alert.className).not.toContain("yellow");
  });

  it("should render dismiss button when onDismiss is provided", (): void => {
@@ -54,14 +47,6 @@ describe("AuthErrorBanner", (): void => {
    expect(onDismiss).toHaveBeenCalledTimes(1);
  });

-  it("should use blue info styling, not red or alarming colors", (): void => {
-    render(<AuthErrorBanner message="Test" />);
-    const alert = screen.getByRole("alert");
-    expect(alert.className).toContain("bg-blue-50");
-    expect(alert.className).toContain("border-blue-200");
-    expect(alert.className).toContain("text-blue-700");
-  });
-
  it("should render all PDA-friendly error messages", (): void => {
    const messages = [
      "Authentication paused. Please try again when ready.",
--- a/apps/web/src/components/auth/AuthErrorBanner.tsx
+++ b/apps/web/src/components/auth/AuthErrorBanner.tsx
@@ -13,7 +13,7 @@ export function AuthErrorBanner({ message, onDismiss }: AuthErrorBannerProps): R
    <div
      role="alert"
      aria-live="polite"
-      className="bg-blue-50 border border-blue-200 text-blue-700 rounded-lg p-4 flex items-start gap-3"
+      className="flex items-start gap-3 rounded-lg border border-[#f06a6f]/55 bg-[#fff1f2] p-4 text-[#9f1239] dark:border-[#e5484d]/55 dark:bg-[#3a111b]/70 dark:text-[#fecdd3]"
    >
      <Info className="h-5 w-5 flex-shrink-0 mt-0.5" aria-hidden="true" />
      <span className="flex-1 text-sm">{message}</span>
@@ -21,7 +21,7 @@ export function AuthErrorBanner({ message, onDismiss }: AuthErrorBannerProps): R
        <button
          type="button"
          onClick={onDismiss}
-          className="flex-shrink-0 text-blue-500 hover:text-blue-700 transition-colors"
+          className="flex-shrink-0 text-[#be123c] transition-colors hover:text-[#881337] dark:text-[#fda4af] dark:hover:text-[#ffe4e6]"
          aria-label="Dismiss"
        >
          <X className="h-4 w-4" aria-hidden="true" />
--- a/apps/web/src/components/auth/LoginForm.tsx
+++ b/apps/web/src/components/auth/LoginForm.tsx
@@ -9,12 +9,14 @@ export interface LoginFormProps {
  onSubmit: (email: string, password: string) => void | Promise<void>;
  isLoading?: boolean;
  error?: string | null;
+  disabled?: boolean;
 }

 export function LoginForm({
  onSubmit,
  isLoading = false,
  error = null,
+  disabled = false,
 }: LoginFormProps): ReactElement {
  const emailRef = useRef<HTMLInputElement>(null);
  const [email, setEmail] = useState("");
@@ -77,7 +79,10 @@ export function LoginForm({
      )}

      <div>
-        <label htmlFor="login-email" className="block text-sm font-medium text-gray-700 mb-1">
+        <label
+          htmlFor="login-email"
+          className="mb-2 block text-[0.72rem] font-semibold uppercase tracking-[0.08em] text-[#2f3b52] dark:text-[#c5d0e6]"
+        >
          Email
        </label>
        <input
@@ -91,13 +96,17 @@ export function LoginForm({
              validateEmail(e.target.value);
            }
          }}
-          disabled={isLoading}
+          disabled={isLoading || disabled}
          autoComplete="email"
          className={[
-            "w-full px-3 py-2 border rounded-md",
-            "focus:outline-none focus:ring-2 focus:ring-blue-500 transition-colors",
-            emailError ? "border-blue-400" : "border-gray-300",
-            isLoading ? "opacity-50" : "",
+            "w-full rounded-lg border px-3.5 py-2.5 text-sm",
+            "bg-[#f8faff]/90 text-[#0f141d] placeholder:text-[#5a6a87]",
+            "transition-colors focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/25",
+            "dark:bg-[#0f141d]/80 dark:text-[#eef3ff] dark:placeholder:text-[#8f9db7]",
+            emailError
+              ? "border-[#f06a6f] focus:border-[#e5484d]"
+              : "border-[#b8c4de] focus:border-[#2f80ff] dark:border-[#2f3b52] dark:focus:border-[#56a0ff]",
+            isLoading || disabled ? "opacity-50" : "",
          ]
            .filter(Boolean)
            .join(" ")}
@@ -105,14 +114,21 @@ export function LoginForm({
          aria-describedby={emailError ? "login-email-error" : undefined}
        />
        {emailError && (
-          <p id="login-email-error" className="mt-1 text-sm text-blue-600" role="alert">
+          <p
+            id="login-email-error"
+            className="mt-1 text-sm text-[#b91c1c] dark:text-[#fda4af]"
+            role="alert"
+          >
            {emailError}
          </p>
        )}
      </div>

      <div>
-        <label htmlFor="login-password" className="block text-sm font-medium text-gray-700 mb-1">
+        <label
+          htmlFor="login-password"
+          className="mb-2 block text-[0.72rem] font-semibold uppercase tracking-[0.08em] text-[#2f3b52] dark:text-[#c5d0e6]"
+        >
          Password
        </label>
        <input
@@ -125,13 +141,17 @@ export function LoginForm({
              validatePassword(e.target.value);
            }
          }}
-          disabled={isLoading}
+          disabled={isLoading || disabled}
          autoComplete="current-password"
          className={[
-            "w-full px-3 py-2 border rounded-md",
-            "focus:outline-none focus:ring-2 focus:ring-blue-500 transition-colors",
-            passwordError ? "border-blue-400" : "border-gray-300",
-            isLoading ? "opacity-50" : "",
+            "w-full rounded-lg border px-3.5 py-2.5 text-sm",
+            "bg-[#f8faff]/90 text-[#0f141d] placeholder:text-[#5a6a87]",
+            "transition-colors focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/25",
+            "dark:bg-[#0f141d]/80 dark:text-[#eef3ff] dark:placeholder:text-[#8f9db7]",
+            passwordError
+              ? "border-[#f06a6f] focus:border-[#e5484d]"
+              : "border-[#b8c4de] focus:border-[#2f80ff] dark:border-[#2f3b52] dark:focus:border-[#56a0ff]",
+            isLoading || disabled ? "opacity-50" : "",
          ]
            .filter(Boolean)
            .join(" ")}
@@ -139,7 +159,11 @@ export function LoginForm({
          aria-describedby={passwordError ? "login-password-error" : undefined}
        />
        {passwordError && (
-          <p id="login-password-error" className="mt-1 text-sm text-blue-600" role="alert">
+          <p
+            id="login-password-error"
+            className="mt-1 text-sm text-[#b91c1c] dark:text-[#fda4af]"
+            role="alert"
+          >
            {passwordError}
          </p>
        )}
@@ -147,13 +171,13 @@ export function LoginForm({

      <button
        type="submit"
-        disabled={isLoading}
+        disabled={isLoading || disabled}
        className={[
-          "w-full inline-flex items-center justify-center gap-2",
-          "rounded-md px-4 py-2 text-base font-medium",
-          "bg-blue-600 text-white hover:bg-blue-700",
-          "transition-colors focus:outline-none focus:ring-2 focus:ring-blue-500",
-          isLoading ? "opacity-50 pointer-events-none" : "",
+          "w-full inline-flex items-center justify-center gap-2 rounded-lg px-4 py-3 text-sm font-semibold text-white",
+          "bg-[linear-gradient(135deg,#2f80ff,#8b5cf6)]",
+          "transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/60",
+          "hover:-translate-y-0.5 hover:shadow-[0_10px_30px_rgba(47,128,255,0.38)]",
+          isLoading || disabled ? "opacity-50 pointer-events-none" : "",
        ]
          .filter(Boolean)
          .join(" ")}
--- a/apps/web/src/components/auth/OAuthButton.tsx
+++ b/apps/web/src/components/auth/OAuthButton.tsx
@@ -13,10 +13,12 @@ export interface OAuthButtonProps {

 export function OAuthButton({
  providerName,
+  providerId,
  onClick,
  isLoading = false,
  disabled = false,
 }: OAuthButtonProps): ReactElement {
+  const accentColor = resolveProviderAccent(providerId);
  const isDisabled = disabled || isLoading;

  return (
@@ -27,10 +29,12 @@ export function OAuthButton({
      disabled={isDisabled}
      aria-label={isLoading ? "Connecting" : `Continue with ${providerName}`}
      className={[
-        "w-full inline-flex items-center justify-center gap-2",
-        "rounded-md px-4 py-2 text-base font-medium",
-        "bg-blue-600 text-white hover:bg-blue-700",
-        "transition-colors focus:outline-none focus:ring-2 focus:ring-blue-500",
+        "w-full inline-flex items-center justify-center gap-2 rounded-lg",
+        "border border-[#b8c4de] bg-[#f8faff]/90 px-4 py-3 text-sm font-semibold text-[#2f3b52]",
+        "transition-all duration-200 focus:outline-none focus:ring-2 focus:ring-[#56a0ff]/60",
+        "hover:border-[#2f80ff] hover:bg-[#dde4f2] hover:text-[#0f141d]",
+        "dark:border-[#2f3b52] dark:bg-[#0f141d]/75 dark:text-[#c5d0e6]",
+        "dark:hover:border-[#2f80ff] dark:hover:bg-[#232d3f] dark:hover:text-[#eef3ff]",
        isDisabled ? "opacity-50 pointer-events-none" : "",
      ]
        .filter(Boolean)
@@ -42,8 +46,33 @@ export function OAuthButton({
          <span>Connecting...</span>
        </>
      ) : (
-        <span>Continue with {providerName}</span>
+        <>
+          <span
+            aria-hidden="true"
+            className="h-2 w-2 rounded-full"
+            style={{ backgroundColor: accentColor }}
+          />
+          <span>Continue with {providerName}</span>
+        </>
      )}
    </button>
  );
 }
+
+function resolveProviderAccent(providerId: string): string {
+  const normalized = providerId.toLowerCase();
+
+  if (normalized.includes("github")) {
+    return "#8b5cf6";
+  }
+
+  if (normalized.includes("google")) {
+    return "#e5484d";
+  }
+
+  if (normalized.includes("ldap")) {
+    return "#14b8a6";
+  }
+
+  return "#2f80ff";
+}
--- a/apps/web/src/components/chat/Chat.test.tsx
+++ b/apps/web/src/components/chat/Chat.test.tsx
@@ -64,10 +64,12 @@ function createMockUseChatReturn(
      },
    ],
    isLoading: false,
+    isStreaming: false,
    error: null,
    conversationId: null,
    conversationTitle: null,
    sendMessage: vi.fn().mockResolvedValue(undefined),
+    abortStream: vi.fn(),
    loadConversation: vi.fn().mockResolvedValue(undefined),
    startNewConversation: vi.fn(),
    setMessages: vi.fn(),
--- a/Show More
+++ b/Show More