diff --git a/.gitignore b/.gitignore
index 0c32f90c..d80ef49a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -85,3 +85,6 @@ tools/bruno/collection.bru
 !CHANGELOG.md
 !SECURITY.md
 !frontend/**/*.md
+
+# Local-only planning / design notes (internal toolchain output)
+docs/superpowers/
diff --git a/cmd/api/handlers/environments.go b/cmd/api/handlers/environments.go
index 3f4eee0a..557223cb 100644
--- a/cmd/api/handlers/environments.go
+++ b/cmd/api/handlers/environments.go
@@ -1,7 +1,10 @@
 package handlers
 
 import (
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"net/http"
 	"strings"
@@ -243,6 +246,14 @@ func (h *HandlersApi) EnvEnrollHandler(w http.ResponseWriter, r *http.Request) {
 		returnData = env.Certificate
 	case settings.DownloadFlags:
 		returnData = env.Flags
+	case settings.DownloadFlagsLinux:
+		returnData = substitutePlatformPaths(env.Flags, env.Name, "/etc/osquery", "/")
+	case settings.DownloadFlagsMac:
+		returnData = substitutePlatformPaths(env.Flags, env.Name, "/private/var/osquery", "/")
+	case settings.DownloadFlagsWin:
+		returnData = substitutePlatformPaths(env.Flags, env.Name, "C:\\Program Files\\osquery", "\\")
+	case settings.DownloadFlagsFreeBSD:
+		returnData = substitutePlatformPaths(env.Flags, env.Name, "/usr/local/etc", "/")
 	case environments.EnrollShell:
 		returnData, err = environments.QuickAddOneLinerShell((env.Certificate != ""), env)
 		if err != nil {
@@ -657,3 +668,140 @@ func (h *HandlersApi) EnvActionsHandler(w http.ResponseWriter, r *http.Request)
 	h.AuditLog.EnvAction(ctx[ctxUser], e.Action+" - "+e.Name, strings.Split(r.RemoteAddr, ":")[0], auditlog.NoEnvironment)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: msgReturn})
 }
+
+// EnvConfigurationHandler - GET handler returning the assembled osquery
+// configuration JSON for an environment. Returns the stored composed blob
+// (options + schedule + packs + decorators + ATC). The composition is
+// kept up to date by RefreshConfiguration, which fires from every parts
+// mutation (UpdateOptions / UpdateSchedule / UpdatePacks / etc. in
+// pkg/environments/osqueryconf.go), so reading the cached value is
+// safe — the agents see the exact same blob.
+//
+// SECURITY: deliberately a pure read. The first cut of this handler
+// called RefreshConfiguration on every GET, which turned the endpoint
+// into a CSRF-via-GET shape and a hot-loop DB-write hazard when
+// React-Query's stale refetch path hit it. The mutation path on the
+// parts is the canonical place for the recompose.
+func (h *HandlersApi) EnvConfigurationHandler(w http.ResponseWriter, r *http.Request) {
+	if h.DebugHTTPConfig.EnableHTTP {
+		utils.DebugHTTPDump(h.DebugHTTP, r, h.DebugHTTPConfig.ShowBody)
+	}
+	envVar := r.PathValue("env")
+	if envVar == "" {
+		apiErrorResponse(w, "error getting environment", http.StatusBadRequest, nil)
+		return
+	}
+	env, err := h.Envs.Get(envVar)
+	if err != nil {
+		if err.Error() == "record not found" {
+			apiErrorResponse(w, "environment not found", http.StatusNotFound, err)
+		} else {
+			apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, err)
+		}
+		return
+	}
+	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
+	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
+		return
+	}
+	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiDataResponse{Data: env.Configuration})
+}
+
+// envCertUploadRequest is the body shape for EnvCertUploadHandler. The PEM
+// is sent base64-encoded so the upload survives clients that mangle raw
+// newlines (curl --data, browser fetch with a plain string body, etc.).
+type envCertUploadRequest struct {
+	CertificateB64 string `json:"certificate_b64"`
+}
+
+// EnvCertUploadHandler - POST handler to upload the enrollment certificate
+// for an environment. Body: { "certificate_b64": "<base64 PEM>" }. The PEM
+// must parse as one or more CERTIFICATE blocks and the leaf must be a real
+// x509 cert — we don't accept "looks like base64 of something." Legacy
+// admin's equivalent path skipped this validation; the SPA target gets it
+// so a typo'd paste fails fast instead of breaking enrollment downloads.
+func (h *HandlersApi) EnvCertUploadHandler(w http.ResponseWriter, r *http.Request) {
+	if h.DebugHTTPConfig.EnableHTTP {
+		utils.DebugHTTPDump(h.DebugHTTP, r, h.DebugHTTPConfig.ShowBody)
+	}
+	envVar := r.PathValue("env")
+	if envVar == "" {
+		apiErrorResponse(w, "error getting environment", http.StatusBadRequest, nil)
+		return
+	}
+	env, err := h.Envs.Get(envVar)
+	if err != nil {
+		if err.Error() == "record not found" {
+			apiErrorResponse(w, "environment not found", http.StatusNotFound, err)
+		} else {
+			apiErrorResponse(w, "error getting environment", http.StatusInternalServerError, err)
+		}
+		return
+	}
+	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
+	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
+		return
+	}
+	// Cap the request body at 64 KiB. A realistic PEM chain is well under
+	// 16 KiB; nginx alone allows up to 20 MiB and the cert upload is the
+	// worst-case amplifier (one big base64 string blows up ~1.33x on JSON
+	// decode + another 0.75x on base64 decode). 64 KiB leaves headroom
+	// for legitimate multi-cert chains while preventing a privileged
+	// operator account from being turned into an OOM lever.
+	r.Body = http.MaxBytesReader(w, r.Body, 64<<10)
+	var req envCertUploadRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		apiErrorResponse(w, "error parsing POST body", http.StatusBadRequest, err)
+		return
+	}
+	if req.CertificateB64 == "" {
+		apiErrorResponse(w, "empty certificate", http.StatusBadRequest, nil)
+		return
+	}
+	pemBytes, err := base64.StdEncoding.DecodeString(req.CertificateB64)
+	if err != nil {
+		apiErrorResponse(w, "error decoding certificate", http.StatusBadRequest, err)
+		return
+	}
+	block, _ := pem.Decode(pemBytes)
+	if block == nil || block.Type != "CERTIFICATE" {
+		apiErrorResponse(w, "invalid PEM: no CERTIFICATE block", http.StatusBadRequest, nil)
+		return
+	}
+	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
+		apiErrorResponse(w, "invalid x509 certificate", http.StatusBadRequest, err)
+		return
+	}
+	if err := h.Envs.UpdateCertificate(env.UUID, string(pemBytes)); err != nil {
+		apiErrorResponse(w, "error saving certificate", http.StatusInternalServerError, err)
+		return
+	}
+	log.Debug().Msgf("Certificate updated for environment %s", env.Name)
+	h.AuditLog.EnvAction(ctx[ctxUser], "upload certificate for environment "+env.Name, strings.Split(r.RemoteAddr, ":")[0], env.ID)
+	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.ApiGenericResponse{Message: "certificate uploaded successfully"})
+}
+
+// substitutePlatformPaths fills the __SECRET_FILE__ / __CERT_FILE__ placeholders
+// in the env.Flags template with the canonical install paths for a given OS.
+// This is the same substitution legacy admin's download path performs (see
+// cmd/admin/handlers/utils.go generateFlags); centralising it here keeps the
+// API's per-OS flag downloads producing the exact bytes operators expect to
+// drop into /etc/osquery/osctrl-{env}.flags (or the platform equivalent).
+//
+// sep is the path separator the OS uses ("/" for everything except Windows).
+//
+// strings.ReplaceAll is deliberate even though the flag template ships with
+// one occurrence of each placeholder today. If an operator ever edits the
+// template to reference the secret/cert path twice (e.g. an additional
+// --logger_tls_endpoint that needs the same path), the single-replace
+// would silently leave the second placeholder unsubstituted — a footgun
+// that costs a real outage.
+func substitutePlatformPaths(flags, envName, dir, sep string) string {
+	secretPath := dir + sep + "osctrl-" + envName + ".secret"
+	certPath := dir + sep + "osctrl-" + envName + ".crt"
+	out := strings.ReplaceAll(flags, "__SECRET_FILE__", secretPath)
+	out = strings.ReplaceAll(out, "__CERT_FILE__", certPath)
+	return out
+}
diff --git a/cmd/api/handlers/environments_crud.go b/cmd/api/handlers/environments_crud.go
index ee6bab0b..b5ce072e 100644
--- a/cmd/api/handlers/environments_crud.go
+++ b/cmd/api/handlers/environments_crud.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/jmpsec/osctrl/pkg/auditlog"
 	"github.com/jmpsec/osctrl/pkg/environments"
 	"github.com/jmpsec/osctrl/pkg/tags"
 	"github.com/jmpsec/osctrl/pkg/types"
@@ -27,7 +28,7 @@ func (h *HandlersApi) EnvironmentCreateHandler(w http.ResponseWriter, r *http.Re
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, users.NoEnvironment) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, auditlog.NoEnvironment, "permission check failed")
 		return
 	}
 	var body types.EnvCreateRequest
@@ -114,7 +115,7 @@ func (h *HandlersApi) EnvironmentUpdateHandler(w http.ResponseWriter, r *http.Re
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, users.NoEnvironment) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, auditlog.NoEnvironment, "permission check failed")
 		return
 	}
 	envVar := r.PathValue("env")
@@ -231,7 +232,7 @@ func (h *HandlersApi) EnvironmentDeleteHandler(w http.ResponseWriter, r *http.Re
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, users.NoEnvironment) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, auditlog.NoEnvironment, "permission check failed")
 		return
 	}
 	envVar := r.PathValue("env")
@@ -281,7 +282,7 @@ func (h *HandlersApi) EnvironmentConfigHandler(w http.ResponseWriter, r *http.Re
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
 		return
 	}
 	resp := types.EnvConfigResponse{
@@ -321,7 +322,7 @@ func (h *HandlersApi) EnvironmentConfigPatchHandler(w http.ResponseWriter, r *ht
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
 		return
 	}
 	var body types.EnvConfigPatchRequest
@@ -434,7 +435,7 @@ func (h *HandlersApi) EnvironmentIntervalsPatchHandler(w http.ResponseWriter, r
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
 		return
 	}
 	var body types.EnvIntervalsPatchRequest
@@ -503,7 +504,7 @@ func (h *HandlersApi) EnvironmentExpirationPatchHandler(w http.ResponseWriter, r
 	}
 	ctx := r.Context().Value(ContextKey(contextAPI)).(ContextValue)
 	if !h.Users.CheckPermissions(ctx[ctxUser], users.AdminLevel, env.UUID) {
-		apiErrorResponse(w, "no access", http.StatusForbidden, fmt.Errorf("attempt to use API by user %s", ctx[ctxUser]))
+		h.denyEnv(w, r, ctx, env.ID, "permission check failed")
 		return
 	}
 	var body types.EnvExpirationPatchRequest
diff --git a/cmd/api/handlers/queries.go b/cmd/api/handlers/queries.go
index bf52bda2..6ff97680 100644
--- a/cmd/api/handlers/queries.go
+++ b/cmd/api/handlers/queries.go
@@ -75,10 +75,34 @@ func (h *HandlersApi) QueryShowHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
+	// Targets — the creation-time scope (platform/uuid/hostname/tag rows
+	// stored in the query_targets table). The legacy admin shows them
+	// in a small Type/Value table on the query detail page; surface
+	// them here so the SPA can render the same. Best-effort: a fetch
+	// error doesn't fail the request — we still return the query.
+	type queryTarget struct {
+		Type  string `json:"type"`
+		Value string `json:"value"`
+	}
+	targets := []queryTarget{}
+	if rows, terr := h.Queries.GetTargets(name); terr == nil {
+		for _, t := range rows {
+			targets = append(targets, queryTarget{Type: t.Type, Value: t.Value})
+		}
+	} else {
+		log.Debug().Err(terr).Msgf("query targets fetch failed for %s", name)
+	}
+	resp := struct {
+		queries.DistributedQuery
+		Targets []queryTarget `json:"targets"`
+	}{
+		DistributedQuery: query,
+		Targets:          targets,
+	}
 	// Serialize and serve JSON
 	log.Debug().Msgf("Returned query %s", name)
 	h.AuditLog.Visit(ctx[ctxUser], r.URL.Path, strings.Split(r.RemoteAddr, ":")[0], env.ID)
-	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, query)
+	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, resp)
 }
 
 // QueriesRunHandler - POST Handler to run a query
diff --git a/cmd/api/handlers/users_profile.go b/cmd/api/handlers/users_profile.go
index bae2ee27..5c9aa083 100644
--- a/cmd/api/handlers/users_profile.go
+++ b/cmd/api/handlers/users_profile.go
@@ -1,11 +1,14 @@
 package handlers
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/jmpsec/osctrl/pkg/types"
 	"github.com/jmpsec/osctrl/pkg/users"
@@ -294,6 +297,44 @@ func (h *HandlersApi) RefreshUserTokenHandler(w http.ResponseWriter, r *http.Req
 		apiErrorResponse(w, "error persisting token", http.StatusInternalServerError, err)
 		return
 	}
+	// Self-rotate: the JWT in the caller's osctrl_token cookie was just
+	// invalidated against handlerAuthCheck's APIToken match. Re-issue
+	// the session cookies with the new token (and a fresh CSRF) so the
+	// caller stays logged in. For other-user rotate, the caller's own
+	// session is unaffected — no cookie work needed.
+	if isSelf {
+		csrfBytes := make([]byte, 16)
+		if _, err := rand.Read(csrfBytes); err != nil {
+			apiErrorResponse(w, "error generating csrf token", http.StatusInternalServerError, err)
+			return
+		}
+		csrfToken := hex.EncodeToString(csrfBytes)
+		if err := h.Users.UpdateMetadata(strings.Split(r.RemoteAddr, ":")[0], r.UserAgent(), username, csrfToken); err != nil {
+			apiErrorResponse(w, "error persisting csrf token", http.StatusInternalServerError, err)
+			return
+		}
+		maxAge := int(time.Until(expires).Seconds())
+		if maxAge > 0 {
+			http.SetCookie(w, &http.Cookie{
+				Name:     "osctrl_token",
+				Value:    token,
+				Path:     "/",
+				MaxAge:   maxAge,
+				HttpOnly: true,
+				Secure:   true,
+				SameSite: http.SameSiteLaxMode,
+			})
+			http.SetCookie(w, &http.Cookie{
+				Name:     "osctrl_csrf",
+				Value:    csrfToken,
+				Path:     "/",
+				MaxAge:   maxAge,
+				HttpOnly: false,
+				Secure:   true,
+				SameSite: http.SameSiteLaxMode,
+			})
+		}
+	}
 	h.AuditLog.NewToken(username, strings.Split(r.RemoteAddr, ":")[0])
 	log.Debug().Msgf("refreshed API token for %s (requested by %s)", username, requester)
 	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, types.TokenResponse{Token: token, Expires: expires})
diff --git a/cmd/api/main.go b/cmd/api/main.go
index 421295ae..bd58f462 100644
--- a/cmd/api/main.go
+++ b/cmd/api/main.go
@@ -637,6 +637,12 @@ func osctrlAPIService() {
 	muxAPI.Handle(
 		"GET "+_apiPath(apiEnvironmentsPath)+"/{env}/enroll/{target}",
 		handlerAuthCheck(http.HandlerFunc(handlersApi.EnvEnrollHandler), flagParams.Service.Auth, flagParams.JWT.JWTSecret))
+	muxAPI.Handle(
+		"GET "+_apiPath(apiEnvironmentsPath)+"/{env}/configuration/assembled",
+		handlerAuthCheck(http.HandlerFunc(handlersApi.EnvConfigurationHandler), flagParams.Service.Auth, flagParams.JWT.JWTSecret))
+	muxAPI.Handle(
+		"POST "+_apiPath(apiEnvironmentsPath)+"/{env}/enroll/cert",
+		handlerAuthCheck(http.HandlerFunc(handlersApi.EnvCertUploadHandler), flagParams.Service.Auth, flagParams.JWT.JWTSecret))
 	muxAPI.Handle(
 		"POST "+_apiPath(apiEnvironmentsPath)+"/{env}/enroll/{action}",
 		handlerAuthCheck(http.HandlerFunc(handlersApi.EnvEnrollActionsHandler), flagParams.Service.Auth, flagParams.JWT.JWTSecret))
diff --git a/frontend/index.html b/frontend/index.html
index 0d913ecb..9169c797 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta name="theme-color" content="#2bc4be" />
-    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <link rel="icon" type="image/png" href="/favicon.png" />
     <title>osctrl</title>
     <!-- Theme bootstrap runs blocking from a static asset so `script-src 'self'`
          covers it without a CSP hash to maintain. -->
diff --git a/frontend/public/favicon.png b/frontend/public/favicon.png
new file mode 100644
index 00000000..fc69cc17
Binary files /dev/null and b/frontend/public/favicon.png differ
diff --git a/frontend/public/fonts/bai-jamjuree-500.woff2 b/frontend/public/fonts/bai-jamjuree-500.woff2
new file mode 100644
index 00000000..0779eba6
Binary files /dev/null and b/frontend/public/fonts/bai-jamjuree-500.woff2 differ
diff --git a/frontend/public/fonts/bai-jamjuree-600.woff2 b/frontend/public/fonts/bai-jamjuree-600.woff2
new file mode 100644
index 00000000..bb1ec06e
Binary files /dev/null and b/frontend/public/fonts/bai-jamjuree-600.woff2 differ
diff --git a/frontend/public/fonts/bai-jamjuree-700.woff2 b/frontend/public/fonts/bai-jamjuree-700.woff2
new file mode 100644
index 00000000..f03d5368
Binary files /dev/null and b/frontend/public/fonts/bai-jamjuree-700.woff2 differ
diff --git a/frontend/public/img/circuit.svg b/frontend/public/img/circuit.svg
new file mode 100644
index 00000000..02217542
--- /dev/null
+++ b/frontend/public/img/circuit.svg
@@ -0,0 +1 @@
+<svg width='304' height='304' viewBox='0 0 304 304' fill='%23000000' fill-opacity='1' xmlns='http://www.w3.org/2000/svg'><path d='M44.1 224c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h44.1zm160 48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H82v-2h122.1zm57.8-46c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm0 16c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm6.2-114c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2zm-256-48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h12.1zm185.8 34c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2zM258 12.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V0h2v12.1zm-64 208c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-54.2c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9v54.2zm48-198.2c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V82h64v-2h-62V21.9zm16 16c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V66h48v-2h-46V37.9zm-128 96c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V210h16v10.1c-2.282.463-4 2.48-4 4.9 0 2.76 2.24 5 5 5s5-2.24 5-5c0-2.42-1.718-4.437-4-4.9V208h-16v-74.1zm-5.9-21.9c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H114v48H85.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H112v-48h12.1zm-6.2 130c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H176v-74.1c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V242h-60.1zm-16-64c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H114v48h10.1c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H112v-48h-10.1zM66 284.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V274H50v30h-2v-32h18v12.1zM236.1 176c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H226v94h48v32h-2v-30h-48v-98h12.1zm25.8-30c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H274v44.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V146h-10.1zm-64 96c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H208v-80h16v-14h-42.1c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H226v18h-16v80h-12.1zm86.2-210c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H272V0h2v32h10.1zM98 101.9c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V144H53.9c-.463-2.282-2.48-4-4.9-4-2.76 0-5 2.24-5 5s2.24 5 5 5c2.42 0 4.437-1.718 4.9-4H98v-44.1zM53.9 34c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H80V0h2v34H53.9zm60.1 3.9c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V64H80v64H69.9c-.463-2.282-2.48-4-4.9-4-2.76 0-5 2.24-5 5s2.24 5 5 5c2.42 0 4.437-1.718 4.9-4H82V66h32V37.9zM101.9 82c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H128V37.9c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V82h-28.1zm16-64c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H146v44.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V18h-26.1zm102.2 270c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H98v14h-2v-16h124.1zM242 149.9c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V162h16v30h-16v66h48v46h2v-48h-48v-62h16v-34h-16v-10.1zM53.9 18c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H64V2H48V0h18v18H53.9zm112 32c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H192V0h50v2h-48v48h-28.1zm-48-48c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5 0-.342.034-.677.1-1h2.07c-.11.313-.17.65-.17 1 0 1.657 1.343 3 3 3s3-1.343 3-3c0-.35-.06-.687-.17-1H178v34h-18V21.9c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V32h14V2h-58.1zm0 96c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H137l32-32h39V21.9c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V66h-40.172l-32 32H117.9zm28.1 90.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-76.513L175.586 80H224V21.9c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V82h-49.586L146 112.414V188.1zm16 32c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-99.513L184.586 96H300.1c.398-1.96 1.94-3.502 3.9-3.9v2.07c-1.165.413-2 1.524-2 2.83s.835 2.417 2 2.83v2.07c-1.96-.398-3.502-1.94-3.9-3.9H185.414L162 121.414V220.1zm-144-64c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-3.513l48-48V48h32V0h2v50H66v55.413l-48 48v2.687zM50 53.9c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9v42.686l-48 48V210h28.1c.463 2.282 2.48 4 4.9 4 2.76 0 5-2.24 5-5s-2.24-5-5-5c-2.42 0-4.437 1.718-4.9 4H2v-62.586l48-48V53.9zm-16 16c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9v18.686l-32 32v2.828l34-34V69.9zM12.1 32c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H9.414L0 43.414v-2.828L8.586 32H12.1zm265.8 18c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h18.686L304 40.586v2.828L297.414 50H277.9zm-16 160c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H288V136.587l16-16v2.827l-14 14V210h-28.1zm-208 32c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H64v-22.586L40.586 194H21.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h19.513L66 216.586V242H53.9zm150.2 14c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H96v-56.598L56.598 162H37.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h19.502L98 200.598V256h106.1zm-150.2 2c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H80v-46.586L48.586 178H21.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h27.513L82 208.586V258H53.9zM97 100c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-48 32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32 48c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16-64c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 96c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-144c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-96 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm96 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16-64c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-32 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM49 36c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-32 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM33 68c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-48c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 240c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16-64c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm80-176c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32 48c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm112 176c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm-16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM17 180c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-32c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 0c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM17 84c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm32 64c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zM34 39.793V0h-2v40.586L8.586 64H0v2h9.413L34 41.414v-1.62zM2 300.1V258h14v46h2v-48H0V302.17c.313-.11.65-.17 1-.17 1.306 0 2.417.835 2.83 2H5.9c-.398-1.96-1.94-3.502-3.9-3.9zM34 241v63h-2v-62H0v-2h34v1zM17 18h1V0h-2v16H0v2h17zm273-2V0h-2v18h16v-2h-14zm-32 273v15h-2v-14h-14v14h-2v-16h18v1zM0 92.1c.323-.066.658-.1 1-.1 2.76 0 5 2.24 5 5s-2.24 5-5 5c-.342 0-.677-.034-1-.1v-2.07c.313.11.65.17 1 .17 1.657 0 3-1.343 3-3s-1.343-3-3-3c-.35 0-.687.06-1 .17V92.1zM80 272h2v32h-2v-32zm37.9 32c-.463-2.282-2.48-4-4.9-4-2.42 0-4.437 1.718-4.9 4h2.07c.413-1.165 1.524-2 2.83-2s2.417.835 2.83 2h2.07zM5.9 0c.066.323.1.658.1 1 0 2.76-2.24 5-5 5-.342 0-.677-.034-1-.1V3.83C.313 3.94.65 4 1 4c1.657 0 3-1.343 3-3 0-.35-.06-.687-.17-1H5.9zm294.2 0c-.066.323-.1.658-.1 1 0 2.42 1.718 4.437 4 4.9V3.83c-1.165-.413-2-1.524-2-2.83 0-.35.06-.687.17-1h-2.07zm3.9 300.1c-1.96.398-3.502 1.94-3.9 3.9h2.07c.302-.852.978-1.528 1.83-1.83v-2.07z' fill-rule='evenodd'/></svg>
diff --git a/frontend/public/img/osctrl-logo-dark.png b/frontend/public/img/osctrl-logo-dark.png
new file mode 100644
index 00000000..ac534b25
Binary files /dev/null and b/frontend/public/img/osctrl-logo-dark.png differ
diff --git a/frontend/public/img/osctrl-logo.png b/frontend/public/img/osctrl-logo.png
new file mode 100644
index 00000000..b384e439
Binary files /dev/null and b/frontend/public/img/osctrl-logo.png differ
diff --git a/frontend/public/img/osctrl-mark.svg b/frontend/public/img/osctrl-mark.svg
new file mode 100644
index 00000000..2f377f79
--- /dev/null
+++ b/frontend/public/img/osctrl-mark.svg
@@ -0,0 +1,39 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN"
+ "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
+ width="400.000000pt" height="400.000000pt" viewBox="0 0 400.000000 400.000000"
+ preserveAspectRatio="xMidYMid meet">
+<metadata>
+Created by potrace 1.16, written by Peter Selinger 2001-2019
+</metadata>
+<g transform="translate(0.000000,400.000000) scale(0.100000,-0.100000)"
+fill="currentColor" stroke="none">
+<path d="M1806 3930 c-340 -39 -646 -171 -913 -393 -51 -43 -93 -83 -93 -90 0
+-7 27 -39 59 -71 l59 -59 54 50 c215 200 489 329 806 379 129 20 385 14 501
+-11 280 -62 507 -173 715 -350 l78 -68 62 62 61 62 -60 56 c-230 213 -543 366
+-860 419 -111 18 -363 26 -469 14z"/>
+<path d="M1785 3455 c-158 -29 -302 -86 -429 -168 -96 -63 -216 -163 -216
+-180 0 -7 27 -39 59 -71 l60 -59 59 54 c109 101 250 180 399 225 108 32 318
+44 441 24 192 -31 377 -123 530 -264 l43 -40 62 63 62 62 -55 51 c-165 154
+-388 265 -609 303 -101 18 -309 18 -406 0z"/>
+<path d="M1840 2994 c-96 -21 -218 -86 -294 -156 -36 -33 -66 -65 -66 -72 0
+-6 27 -38 60 -71 l60 -59 30 36 c43 52 141 114 217 138 88 27 213 27 294 0 78
+-27 131 -60 197 -124 l53 -51 62 64 61 63 -71 68 c-157 150 -384 212 -603 164z"/>
+<path d="M1767 2472 c-12 -13 -17 -43 -19 -117 l-3 -100 -157 -5 c-127 -4
+-160 -8 -173 -21 -9 -9 -75 -106 -146 -215 -87 -134 -129 -208 -129 -227 0
+-15 11 -50 25 -77 14 -27 25 -51 25 -54 0 -2 -34 -6 -76 -8 -65 -3 -79 -7 -95
+-27 -10 -13 -19 -31 -19 -41 0 -25 336 -672 357 -687 9 -7 40 -13 69 -13 l52
+0 4 -124 c4 -145 14 -166 80 -166 l38 0 0 -254 c0 -159 4 -265 11 -285 19 -54
+79 -69 117 -28 21 22 22 32 24 292 l3 270 245 0 245 0 3 -270 c2 -260 3 -270
+24 -292 38 -41 98 -26 117 28 7 20 11 126 11 285 l0 254 38 0 c66 0 76 21 80
+166 l4 124 52 0 c29 0 60 6 69 13 21 15 357 662 357 687 0 10 -9 28 -19 41
+-16 20 -30 24 -95 27 -42 2 -76 6 -76 8 0 3 11 27 25 54 14 27 25 62 25 77 0
+19 -42 93 -129 227 -71 109 -137 206 -146 215 -12 13 -45 17 -158 21 l-142 5
+-3 52 c-3 58 -25 83 -72 83 -45 0 -64 -23 -70 -81 l-5 -54 -120 0 -120 0 -3
+100 c-3 115 -14 135 -72 135 -23 0 -43 -7 -53 -18z m830 -519 c53 -82 98 -155
+100 -164 3 -9 -9 -44 -26 -78 l-31 -61 -640 0 -640 0 -31 61 c-17 34 -29 69
+-26 78 2 9 47 82 100 164 l97 147 500 0 501 0 96 -147z m-227 -1148 l0 -75
+-370 0 -370 0 0 75 0 75 370 0 370 0 0 -75z"/>
+</g>
+</svg>
diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts
index ca7297c2..e4c8cba4 100644
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@@ -14,6 +14,15 @@ export function getCsrfToken(): string | null {
 }
 
 export function isAuthenticated(): boolean {
+  // Mirror the apiFetch fallback: if memory is empty but the browser
+  // still holds the osctrl_csrf cookie, prime from it before answering
+  // false. Without this, every soft navigation through a route with a
+  // beforeLoad auth guard could bounce a logged-in user to /login the
+  // moment csrfTokenInMemory is reset (e.g., a brief race during token
+  // rotation, or any code path that called setCsrfToken(null)).
+  if (csrfTokenInMemory === null) {
+    primeCsrfFromCookie();
+  }
   return csrfTokenInMemory !== null;
 }
 
@@ -91,9 +100,20 @@ export async function apiFetch<T>(
     headers.set('Accept', 'application/json');
   }
 
-  const csrf = getCsrfToken();
-  if (MUTATING_VERBS.has(method) && csrf) {
-    headers.set('X-CSRF-Token', csrf);
+  if (MUTATING_VERBS.has(method)) {
+    // Belt-and-braces: if the in-memory CSRF is null (we never primed
+    // from the cookie this boot, or a stale clear happened) but the
+    // browser still holds the osctrl_csrf cookie, re-prime now so
+    // mutating requests don't ship without the header. Without this,
+    // a single dropped prime turns every mutation into "csrf token
+    // missing or invalid" until the user logs out and back in.
+    if (!getCsrfToken()) {
+      primeCsrfFromCookie();
+    }
+    const csrf = getCsrfToken();
+    if (csrf) {
+      headers.set('X-CSRF-Token', csrf);
+    }
   }
 
   const res = await fetch(path, {
diff --git a/frontend/src/api/enrollment.ts b/frontend/src/api/enrollment.ts
index 6de0bf93..5bf14b94 100644
--- a/frontend/src/api/enrollment.ts
+++ b/frontend/src/api/enrollment.ts
@@ -22,7 +22,11 @@ import { apiFetch } from './client';
 export type EnrollTarget =
   | 'secret' // raw enroll secret (string)
   | 'cert' // env certificate PEM
-  | 'flags' // raw osquery flags file content
+  | 'flags' // raw osquery flags file content (template — paths unsubstituted)
+  | 'flagsLinux' // flags file with __SECRET_FILE__/__CERT_FILE__ → /etc/osquery/... paths
+  | 'flagsMac' // flags file with paths → /private/var/osquery/...
+  | 'flagsWindows' // flags file with paths → C:\Program Files\osquery\...
+  | 'flagsFreeBSD' // flags file with paths → /usr/local/etc/...
   | 'enroll.sh' // bash one-liner installer
   | 'enroll.ps1'; // powershell one-liner installer
 
@@ -114,3 +118,22 @@ export function removeAction(
     },
   );
 }
+
+// ---------------------------------------------------------------------------
+// POST /environments/{env}/enroll/cert — upload a replacement enrollment cert.
+// The API validates: base64 → PEM CERTIFICATE block → x509.ParseCertificate.
+// Caller passes the raw PEM as a string; we base64-encode here so JSON-body
+// quoting and newline handling stays clean (raw PEM strings break otherwise).
+// ---------------------------------------------------------------------------
+export function uploadCertificate(env: string, pem: string): Promise<MessageResponse> {
+  // btoa handles ASCII; a PEM is ASCII (base64 + dashes + newlines), so it's safe.
+  const b64 = btoa(pem);
+  return apiFetch<MessageResponse>(
+    `/api/v1/environments/${encodeURIComponent(env)}/enroll/cert`,
+    {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ certificate_b64: b64 }),
+    },
+  );
+}
diff --git a/frontend/src/api/environments.ts b/frontend/src/api/environments.ts
index e54a0d17..3c953987 100644
--- a/frontend/src/api/environments.ts
+++ b/frontend/src/api/environments.ts
@@ -146,6 +146,20 @@ export function getEnvironmentConfig(env: string): Promise<EnvConfigResponse> {
   );
 }
 
+/**
+ * GET /api/v1/environments/{env}/configuration/assembled
+ *
+ * Returns the env's options + schedule + packs + decorators + ATC
+ * recomposed into the canonical osquery configuration blob — same bytes
+ * the TLS endpoint serves agents. Backend re-runs RefreshConfiguration
+ * before reading, so the result is always fresh.
+ */
+export function getEnvironmentAssembledConfig(env: string): Promise<{ data: string }> {
+  return apiFetch<{ data: string }>(
+    `/api/v1/environments/${encodeURIComponent(env)}/configuration/assembled`,
+  );
+}
+
 /** PATCH /api/v1/environments/config/{env} — atomic JSON-validated patch. */
 export function patchEnvironmentConfig(
   env: string,
diff --git a/frontend/src/api/nodes.ts b/frontend/src/api/nodes.ts
index 89c35b11..bde21bb2 100644
--- a/frontend/src/api/nodes.ts
+++ b/frontend/src/api/nodes.ts
@@ -45,6 +45,25 @@ export function getNode(env: string, uuid: string): Promise<OsqueryNode> {
   );
 }
 
+/**
+ * POST /api/v1/nodes/{env}/delete — archive + delete a node.
+ *
+ * The backend's ArchiveDeleteByUUID always snapshots the node into the
+ * archive table before removing the live row, so the data is recoverable
+ * via the archive tables even though the row disappears from the active
+ * nodes list. AdminLevel-gated server-side.
+ */
+export function deleteNode(env: string, uuid: string): Promise<{ message: string }> {
+  return apiFetch<{ message: string }>(
+    `/api/v1/nodes/${encodeURIComponent(env)}/delete`,
+    {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ uuid }),
+    },
+  );
+}
+
 export function listNodeLogs(
   env: string,
   uuid: string,
diff --git a/frontend/src/api/types.ts b/frontend/src/api/types.ts
index c981da67..e4a3d69b 100644
--- a/frontend/src/api/types.ts
+++ b/frontend/src/api/types.ts
@@ -150,6 +150,17 @@ export interface DistributedQuery {
   extra_data: string;
   expiration: string;
   target: string;
+  /**
+   * Targets the query was launched against — populated by
+   * GET /queries/{env}/{name}; list endpoints leave it out so it may
+   * be undefined depending on the call site.
+   */
+  targets?: QueryTargetRow[];
+}
+
+export interface QueryTargetRow {
+  type: string;
+  value: string;
 }
 
 export interface QueriesPagedResponse {
diff --git a/frontend/src/components/atoms/DocsLink.tsx b/frontend/src/components/atoms/DocsLink.tsx
new file mode 100644
index 00000000..4ed899f5
--- /dev/null
+++ b/frontend/src/components/atoms/DocsLink.tsx
@@ -0,0 +1,69 @@
+import { cn } from '$/lib/cn';
+
+/**
+ * DocsLink — small "docs" affordance that opens an external documentation
+ * URL in a new tab. Designed to live in section headers next to a title.
+ *
+ * Visual: a "?" glyph + the word "docs" in dim mono-tabular text, both
+ * tucked into a low-contrast pill that brightens on hover. The link goes
+ * through `rel="noopener noreferrer"` since the target is third-party
+ * (typically osquery's read-the-docs site) and we don't want the docs
+ * tab to be able to navigate the SPA back via window.opener.
+ */
+export function DocsLink({
+  href,
+  label = 'docs',
+  className,
+}: {
+  href: string;
+  label?: string;
+  className?: string;
+}) {
+  // The bare <a target=_blank> form rendered as un-clickable in the live
+  // build (suspected CSP/router interception). First attempt at a fix
+  // used window.open with a 'noopener,noreferrer' feature string as the
+  // 3rd arg — but Chromium treats any non-empty feature string as a
+  // popup request which collapses the target argument, so the new tab
+  // opened to about:blank.
+  //
+  // Correct path: let the <a target=_blank> + rel=noopener noreferrer
+  // do the work via assignment to window.location of an opened tab.
+  // Open with no feature string so target=_blank means "new tab", then
+  // explicitly null the opener for noopener semantics.
+  function handleClick(e: React.MouseEvent<HTMLAnchorElement>) {
+    // Let cmd/ctrl/shift/middle clicks fall through to the browser's
+    // own new-tab behaviour. Only the plain left-click goes through
+    // our window.open path.
+    if (e.metaKey || e.ctrlKey || e.shiftKey || e.button !== 0) return;
+    if (!href) return;
+    e.preventDefault();
+    const win = window.open(href, '_blank');
+    if (win) win.opener = null;
+  }
+
+  return (
+    <a
+      href={href}
+      target="_blank"
+      rel="noopener noreferrer"
+      onClick={handleClick}
+      aria-label={`Open documentation: ${label}`}
+      title={`Open ${label} (${href})`}
+      className={cn(
+        'inline-flex items-center gap-1 px-1.5 py-0.5 rounded cursor-pointer',
+        'text-[10px] font-mono-tabular text-[color:var(--text-3)]',
+        'hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)]',
+        'transition-colors',
+        'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+        className,
+      )}
+    >
+      <svg viewBox="0 0 24 24" width="11" height="11" fill="none" stroke="currentColor" strokeWidth="2" aria-hidden>
+        <circle cx="12" cy="12" r="10" />
+        <path d="M9.09 9a3 3 0 015.83 1c0 2-3 3-3 3" />
+        <line x1="12" y1="17" x2="12.01" y2="17" />
+      </svg>
+      <span>{label}</span>
+    </a>
+  );
+}
diff --git a/frontend/src/components/atoms/Logo.tsx b/frontend/src/components/atoms/Logo.tsx
index 0ee1e12b..816b3561 100644
--- a/frontend/src/components/atoms/Logo.tsx
+++ b/frontend/src/components/atoms/Logo.tsx
@@ -6,23 +6,45 @@ interface LogoProps {
   decorative?: boolean;
 }
 
+/**
+ * Original osctrl tower mark from cmd/admin/static/img/logo.png — the
+ * artwork legacy operators already recognise. Two PNG variants exist:
+ *
+ *   /img/osctrl-logo.png      — original (dark outline, light-blue
+ *                                cabin windows). Used in light theme.
+ *   /img/osctrl-logo-dark.png — manually recolored (light outline,
+ *                                brand-info blue cabin windows). Used
+ *                                in dark theme.
+ *
+ * The .osctrl-logo CSS rule in base.css shows one or the other based
+ * on data-theme, no JS state needed. This replaces the previous
+ * filter:invert() hack which Tailwind's minifier kept breaking.
+ */
 export function Logo({ size = 32, className, decorative = false }: LogoProps) {
   return (
-    <svg
-      viewBox="0 0 64 64"
-      width={size}
-      height={size}
-      className={cn('text-[color:var(--signal)]', className)}
+    <span
+      className={cn('osctrl-logo', className)}
       role={decorative ? undefined : 'img'}
-      aria-hidden={decorative ? true : undefined}
       aria-label={decorative ? undefined : 'osctrl logo'}
+      aria-hidden={decorative ? true : undefined}
+      style={{ display: 'inline-block', width: size, height: size }}
     >
-      <path d="M14 22 Q32 4 50 22" stroke="currentColor" strokeWidth="3" strokeLinecap="round" fill="none" />
-      <path d="M20 28 Q32 18 44 28" stroke="currentColor" strokeWidth="3" strokeLinecap="round" fill="none" />
-      <circle cx="32" cy="32" r="2" fill="currentColor" />
-      <path d="M20 38 L44 38 L40 46 L24 46 Z" fill="currentColor" />
-      <rect x="29.5" y="46" width="5" height="10" fill="currentColor" rx="1" />
-      <rect x="22" y="56" width="20" height="3" fill="currentColor" rx="1" />
-    </svg>
+      <img
+        src="/img/osctrl-logo.png"
+        width={size}
+        height={size}
+        alt=""
+        className="osctrl-logo-light"
+        style={{ display: 'block', width: '100%', height: '100%' }}
+      />
+      <img
+        src="/img/osctrl-logo-dark.png"
+        width={size}
+        height={size}
+        alt=""
+        className="osctrl-logo-dark"
+        style={{ display: 'block', width: '100%', height: '100%' }}
+      />
+    </span>
   );
 }
diff --git a/frontend/src/components/chrome/SideNav.tsx b/frontend/src/components/chrome/SideNav.tsx
index 2d745e7e..ee430faa 100644
--- a/frontend/src/components/chrome/SideNav.tsx
+++ b/frontend/src/components/chrome/SideNav.tsx
@@ -123,6 +123,7 @@ export function SideNav() {
   const carvesPath = `/_app/env/${currentEnv}/carves`;
   const tagsPath = `/_app/env/${currentEnv}/tags`;
   const enrollPath = `/_app/env/${currentEnv}/enroll`;
+  const configPath = `/_app/env/${currentEnv}/config`;
   // Distinguish "/queries" (and its subroutes) from "/saved-queries".
   const isSavedQueriesActive = pathname.startsWith(`/_app/env/${currentEnv}/saved-queries`);
   const isQueriesActive =
@@ -130,6 +131,7 @@ export function SideNav() {
   const isCarvesActive = pathname.startsWith(`/_app/env/${currentEnv}/carves`);
   const isTagsActive = pathname.startsWith(`/_app/env/${currentEnv}/tags`);
   const isEnrollActive = pathname.startsWith(`/_app/env/${currentEnv}/enroll`);
+  const isConfigActive = pathname.startsWith(`/_app/env/${currentEnv}/config`);
   const isUsersActive = pathname.startsWith('/_app/users') || pathname === '/users';
   const isProfileActive = pathname.startsWith('/_app/profile') || pathname === '/profile';
   const isEnvironmentsActive =
@@ -142,22 +144,26 @@ export function SideNav() {
 
   return (
     <aside
-      className="w-60 shrink-0 flex flex-col border-r border-[color:var(--border)] px-2 py-3"
-      style={{
-        background:
-          'linear-gradient(180deg, rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.04) 0%, transparent 280px), var(--bg-0)',
-      }}
+      // The .sidenav-circuit class (base.css) layers the legacy circuit
+      // SVG behind the rail content. Background-image inherits the
+      // brand teal at theme-tuned alpha so dark and light read at
+      // similar density. The teal sheen from the previous background
+      // gradient is preserved via the linear-gradient layered on top
+      // of the SVG — the SVG sits at the bottom of the stack.
+      className="sidenav-circuit w-60 shrink-0 flex flex-col border-r border-[color:var(--border)] px-2 py-3"
     >
-      {/* Wordmark */}
-      <div className="px-2 py-2 flex items-center gap-2.5 mb-4">
-        <Logo size={30} decorative />
-        <div>
-          <div className="font-display text-[15px] font-bold tracking-tight text-[color:var(--text-1)]">
-            osctrl
-          </div>
-          <div className="text-[10px] font-mono-tabular text-[color:var(--text-3)] leading-none mt-0.5">
-            CONTROL
-          </div>
+      {/* Wordmark — mirrors the login card header (stacked logo +
+          "osctrl" wordmark + "OSQUERY CONTROL" tagline) so the brand
+          presentation stays consistent between the unauth surface and
+          the app shell. Font sizes are tuned down a step versus the
+          login card because the sidenav rail is narrower (~240px). */}
+      <div className="flex flex-col items-center px-2 py-3 mb-4">
+        <Logo size={40} decorative />
+        <div className="mt-2 font-wordmark text-lg font-bold tracking-tight text-[color:var(--text-1)] leading-none">
+          osctrl
+        </div>
+        <div className="mt-1 text-[10px] font-mono-tabular text-[color:var(--text-3)] uppercase tracking-[0.1em] leading-none">
+          Osquery Control
         </div>
       </div>
 
@@ -260,6 +266,22 @@ export function SideNav() {
             Enrollment
           </NavItem>
         )}
+        {canManageEnv && (
+          <NavItem
+            active={isConfigActive}
+            to={configPath}
+            icon={
+              <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
+                {/* settings-cog glyph — config covers pull intervals,
+                    expiration, and the six osquery config sections. */}
+                <circle cx="12" cy="12" r="3" />
+                <path d="M19.4 15a1.65 1.65 0 00.33 1.82l.06.06a2 2 0 01-2.83 2.83l-.06-.06a1.65 1.65 0 00-1.82-.33 1.65 1.65 0 00-1 1.51V21a2 2 0 01-4 0v-.09A1.65 1.65 0 009 19.4a1.65 1.65 0 00-1.82.33l-.06.06a2 2 0 01-2.83-2.83l.06-.06a1.65 1.65 0 00.33-1.82 1.65 1.65 0 00-1.51-1H3a2 2 0 010-4h.09A1.65 1.65 0 004.6 9a1.65 1.65 0 00-.33-1.82l-.06-.06a2 2 0 012.83-2.83l.06.06a1.65 1.65 0 001.82.33H9a1.65 1.65 0 001-1.51V3a2 2 0 014 0v.09a1.65 1.65 0 001 1.51 1.65 1.65 0 001.82-.33l.06-.06a2 2 0 012.83 2.83l-.06.06a1.65 1.65 0 00-.33 1.82V9a1.65 1.65 0 001.51 1H21a2 2 0 010 4h-.09a1.65 1.65 0 00-1.51 1z" />
+              </svg>
+            }
+          >
+            Configuration
+          </NavItem>
+        )}
         {/* Audit Trail is visible to everyone. Super-admins see all
             operator activity; non-admins see only their own (the api
             force-clamps the username filter to the requester
diff --git a/frontend/src/features/carves/CarveDetailPage.tsx b/frontend/src/features/carves/CarveDetailPage.tsx
index 7d5b130b..14a1f027 100644
--- a/frontend/src/features/carves/CarveDetailPage.tsx
+++ b/frontend/src/features/carves/CarveDetailPage.tsx
@@ -1,6 +1,7 @@
 import { useParams, useNavigate, Link } from '@tanstack/react-router';
 import { useQuery } from '@tanstack/react-query';
 import { getCarve, getCarveArchiveUrl } from '$/api/carves';
+import { listNodes } from '$/api/nodes';
 import { AuthError } from '$/api/client';
 import type { CarveFile } from '$/api/types';
 import { formatRelative } from '$/lib/time';
@@ -52,6 +53,19 @@ export function CarveDetailPage() {
     refetchInterval: 15_000,
   });
 
+  // Nodes lookup so the carve file rows can render hostname → link to the
+  // node detail page, matching the legacy admin's behaviour where the
+  // node column was a hyperlink. Same shape as QueryDetailPage uses.
+  const { data: nodesData } = useQuery({
+    queryKey: ['carve-nodes-lookup', env],
+    queryFn: () => listNodes({ env, pageSize: 500 }),
+    staleTime: 60_000,
+  });
+  const uuidToHostname = new Map<string, string>();
+  for (const n of nodesData?.items ?? []) {
+    uuidToHostname.set(n.uuid, n.hostname || n.localname || n.uuid);
+  }
+
   if (isError && error instanceof AuthError) {
     void navigate({ to: '/login' });
     return null;
@@ -161,7 +175,7 @@ export function CarveDetailPage() {
                   scope="col"
                   className="px-3 py-2 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide"
                 >
-                  Node UUID
+                  Node
                 </th>
                 <th
                   scope="col"
@@ -198,8 +212,15 @@ export function CarveDetailPage() {
                     key={f.carve_id || f.session_id}
                     className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors"
                   >
-                    <td className="px-3 py-2 font-mono-tabular text-xs text-[color:var(--text-1)]">
-                      <span title={f.uuid}>{f.uuid.slice(0, 12)}…</span>
+                    <td className="px-3 py-2 font-mono-tabular text-xs">
+                      <Link
+                        to="/_app/env/$env/nodes/$uuid"
+                        params={{ env, uuid: f.uuid }}
+                        className="text-[color:var(--signal)] hover:underline"
+                        title={f.uuid}
+                      >
+                        {uuidToHostname.get(f.uuid) ?? `${f.uuid.slice(0, 12)}…`}
+                      </Link>
                     </td>
                     <td className="px-3 py-2">
                       <StatusBadge status={f.status} />
diff --git a/frontend/src/features/dashboard/DashboardPage.tsx b/frontend/src/features/dashboard/DashboardPage.tsx
index bcae0881..1aba2510 100644
--- a/frontend/src/features/dashboard/DashboardPage.tsx
+++ b/frontend/src/features/dashboard/DashboardPage.tsx
@@ -154,6 +154,70 @@ function InlineSparkline({
   );
 }
 
+// ---------------------------------------------------------------------------
+// Time-series chart category palette.
+// Defaults match what was hard-coded in the chart before this hook landed:
+//   Config = violet  (chart-local, distinct from --signal so it doesn't
+//                     collide with the query series in the green-teal corner)
+//   Query  = signal-teal
+//   Carve  = warning amber
+//   Enroll = info blue
+// Stored in localStorage per-browser so operators can re-map colors to match
+// their mental model (e.g. "Carve is always red for me").
+// ---------------------------------------------------------------------------
+export type ChartCategory = 'config' | 'query' | 'carve' | 'enroll';
+type ChartPalette = Record<ChartCategory, string>;
+
+const DEFAULT_PALETTE: ChartPalette = {
+  config: '#a78bfa', // violet — chart-local, distinct from --signal
+  query:  '#2bc4be', // matches --signal (dark theme)
+  carve:  '#fbbf24', // matches --warning (dark theme)
+  enroll: '#67c0ff', // matches --info (dark theme)
+};
+
+const PALETTE_STORAGE_KEY = 'osctrl.dashboard-chart-palette';
+
+function useChartPalette(): [ChartPalette, (key: ChartCategory, hex: string) => void, () => void] {
+  const [palette, setPalette] = useState<ChartPalette>(() => {
+    if (typeof window === 'undefined') return DEFAULT_PALETTE;
+    try {
+      const stored = window.localStorage.getItem(PALETTE_STORAGE_KEY);
+      if (!stored) return DEFAULT_PALETTE;
+      const parsed = JSON.parse(stored) as Partial<ChartPalette>;
+      // Defensive merge — if the user has only set 2 of 4 keys (e.g. from
+      // an older build that wrote a subset), the missing ones get the
+      // current defaults rather than rendering as undefined.
+      return { ...DEFAULT_PALETTE, ...parsed };
+    } catch {
+      return DEFAULT_PALETTE;
+    }
+  });
+
+  const update = (key: ChartCategory, hex: string) => {
+    setPalette((prev) => {
+      const next = { ...prev, [key]: hex };
+      try {
+        window.localStorage.setItem(PALETTE_STORAGE_KEY, JSON.stringify(next));
+      } catch {
+        // localStorage blocked — keep the in-memory state; we lose
+        // persistence but don't crash the page.
+      }
+      return next;
+    });
+  };
+
+  const reset = () => {
+    setPalette(DEFAULT_PALETTE);
+    try {
+      window.localStorage.removeItem(PALETTE_STORAGE_KEY);
+    } catch {
+      /* ignore */
+    }
+  };
+
+  return [palette, update, reset];
+}
+
 // ---------------------------------------------------------------------------
 // Time-series chart — 24h stacked area of audit-log activity, by category.
 // Wired to the env-activity endpoint via aggregateBuckets.
@@ -164,18 +228,23 @@ function TimeSeriesChart({
   carve,
   enroll,
   intervalLabel,
+  palette,
 }: {
   config: number[];
   query: number[];
   carve: number[];
   enroll: number[];
   intervalLabel: '24h' | '7d';
+  palette: ChartPalette;
 }) {
   const W = 600;
   const H = 200;
   const padL = 40;
   const padR = 10;
-  const padT = 30;
+  // padT used to reserve 30px for the now-removed in-chart legend.
+  // Tighten so the chart uses the freed space; the palette/legend
+  // row above the SVG is rendered by DashboardPage.
+  const padT = 10;
   const padB = 30;
   const innerW = W - padL - padR;
   const innerH = H - padT - padB;
@@ -214,24 +283,11 @@ function TimeSeriesChart({
 
   return (
     <svg viewBox={`0 0 ${W} ${H}`} className="w-full h-auto" role="img" aria-label="24-hour fleet activity by category">
-      <defs>
-        <linearGradient id="ts-enroll" x1="0" y1="0" x2="0" y2="1">
-          <stop offset="0%" stopColor="var(--info)" stopOpacity="0.55" />
-          <stop offset="100%" stopColor="var(--info)" stopOpacity="0.18" />
-        </linearGradient>
-        <linearGradient id="ts-carve" x1="0" y1="0" x2="0" y2="1">
-          <stop offset="0%" stopColor="var(--warning)" stopOpacity="0.55" />
-          <stop offset="100%" stopColor="var(--warning)" stopOpacity="0.18" />
-        </linearGradient>
-        <linearGradient id="ts-query" x1="0" y1="0" x2="0" y2="1">
-          <stop offset="0%" stopColor="var(--signal)" stopOpacity="0.55" />
-          <stop offset="100%" stopColor="var(--signal)" stopOpacity="0.18" />
-        </linearGradient>
-        <linearGradient id="ts-config" x1="0" y1="0" x2="0" y2="1">
-          <stop offset="0%" stopColor="var(--success)" stopOpacity="0.55" />
-          <stop offset="100%" stopColor="var(--success)" stopOpacity="0.18" />
-        </linearGradient>
-      </defs>
+      {/* Flat fills, not gradients. Stacked layers represent additive
+          amounts; gradients made overlapping bands read muddy and
+          inverted the visual hierarchy. Each layer now reads as a
+          solid color band; the per-series top outline + gridlines
+          carry depth. */}
       {/* gridlines */}
       <g stroke="var(--border)" strokeDasharray="2 4" strokeWidth="1">
         {[0, 0.25, 0.5, 0.75, 1].map((t) => (
@@ -246,16 +302,19 @@ function TimeSeriesChart({
           </text>
         ))}
       </g>
-      {/* Stacked layers, bottom-to-top */}
-      <path d={layerPath(enrollTop, zero)} fill="url(#ts-enroll)" />
-      <path d={layerPath(carveTop, enrollTop)} fill="url(#ts-carve)" />
-      <path d={layerPath(queryTop, carveTop)} fill="url(#ts-query)" />
-      <path d={layerPath(configTop, queryTop)} fill="url(#ts-config)" />
+      {/* Stacked layers, bottom-to-top — flat fills.
+          Colors come from the operator-tunable ChartPalette so each
+          band can be remapped. Default mapping matches the previous
+          hard-coded scheme. */}
+      <path d={layerPath(enrollTop, zero)} fill={palette.enroll} fillOpacity="0.65" />
+      <path d={layerPath(carveTop, enrollTop)} fill={palette.carve} fillOpacity="0.65" />
+      <path d={layerPath(queryTop, carveTop)} fill={palette.query} fillOpacity="0.65" />
+      <path d={layerPath(configTop, queryTop)} fill={palette.config} fillOpacity="0.65" />
       {/* Top-of-stack outline so the chart has a defined edge */}
       <path
         d={configTop.map((v, i) => `${i === 0 ? 'M' : 'L'}${(padL + i * stepX).toFixed(1)},${yFor(v).toFixed(1)}`).join(' ')}
         fill="none"
-        stroke="var(--success)"
+        stroke={palette.config}
         strokeWidth="1.5"
         strokeLinejoin="round"
       />
@@ -279,17 +338,9 @@ function TimeSeriesChart({
           );
         })}
       </g>
-      {/* Legend */}
-      <g className="font-mono-tabular" fontSize="11" fontWeight="500">
-        <circle cx={padL + 4} cy={padT - 14} r="3" fill="var(--success)" />
-        <text x={padL + 12} y={padT - 10} fill="var(--text-2)">Config</text>
-        <circle cx={padL + 70} cy={padT - 14} r="3" fill="var(--signal)" />
-        <text x={padL + 78} y={padT - 10} fill="var(--text-2)">Query</text>
-        <circle cx={padL + 130} cy={padT - 14} r="3" fill="var(--warning)" />
-        <text x={padL + 138} y={padT - 10} fill="var(--text-2)">Carve</text>
-        <circle cx={padL + 190} cy={padT - 14} r="3" fill="var(--info)" />
-        <text x={padL + 198} y={padT - 10} fill="var(--text-2)">Enroll</text>
-      </g>
+      {/* In-chart SVG legend removed — the always-visible palette row
+          rendered above the chart (DashboardPage) now serves as the
+          legend AND the per-category color picker in one control. */}
     </svg>
   );
 }
@@ -410,19 +461,30 @@ function HeroKpi({
     warning: 'bg-[color:var(--warning)]/10 text-[color:var(--warning)] border-[color:var(--warning)]/25',
     danger: 'bg-[color:var(--danger)]/10 text-[color:var(--danger)] border-[color:var(--danger)]/25',
   };
+  // Diagonal-sweep gradient background — replaces the previous
+  // absolute-positioned halo blob. linear-gradient(225deg) pours from
+  // the top-right in the card's semantic tone, fading into the regular
+  // --bg-1 surface around 65% so the left half (label + description +
+  // value text) sits on a clean reading surface for contrast.
+  const toneGradient: Record<string, string> = {
+    success:
+      'linear-gradient(225deg, rgba(var(--success-r), var(--success-g), var(--success-b), 0.22) 0%, var(--bg-1) 65%)',
+    info:
+      'linear-gradient(225deg, rgba(var(--info-r), var(--info-g), var(--info-b), 0.22) 0%, var(--bg-1) 65%)',
+    warning:
+      'linear-gradient(225deg, rgba(var(--warning-r), var(--warning-g), var(--warning-b), 0.22) 0%, var(--bg-1) 65%)',
+    danger:
+      'linear-gradient(225deg, rgba(var(--danger-r), var(--danger-g), var(--danger-b), 0.22) 0%, var(--bg-1) 65%)',
+  };
   return (
     <div
       className={cn(
-        'relative overflow-hidden rounded-xl border border-[color:var(--border)] bg-[color:var(--bg-1)]',
+        'relative overflow-hidden rounded-xl border border-[color:var(--border)]',
         'px-5 py-4 flex flex-col h-full min-h-[120px]',
         'transition-shadow duration-[120ms] hover:shadow-[0_0_0_1px_var(--signal)]',
       )}
+      style={{ background: toneGradient[tone] }}
     >
-      <div
-        aria-hidden
-        className="absolute -top-12 -right-12 w-32 h-32 rounded-full opacity-50"
-        style={{ background: 'rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.22)' }}
-      />
       <div className="text-sm font-display font-semibold text-[color:var(--text-1)]">{label}</div>
       <div className="text-[11px] text-[color:var(--text-3)] mt-0.5">{description}</div>
       <div className="font-display tabular-nums mt-3 flex items-baseline gap-2 text-[color:var(--text-1)]" style={{ fontSize: 44, fontWeight: 700, letterSpacing: '-0.03em', lineHeight: 1 }}>
@@ -523,7 +585,7 @@ function avatarGradient(username: string): string {
   let h = 0;
   for (let i = 0; i < username.length; i++) h = (h * 31 + username.charCodeAt(i)) % 360;
   const h2 = (h + 40) % 360;
-  return `linear-gradient(135deg, hsl(${h},60%,48%), hsl(${h2},70%,38%))`;
+  return `linear-gradient(225deg, hsl(${h},60%,48%), hsl(${h2},70%,38%))`;
 }
 function initials(username: string): string {
   const parts = username.replace(/_/g, ' ').split(/\s+/);
@@ -1028,6 +1090,8 @@ export function DashboardPage() {
     refetchIntervalInBackground: false,
   });
 
+  const [palette, setPaletteEntry, resetPalette] = useChartPalette();
+
   const is401 = isError && error instanceof AuthError;
 
   const { data: auditData, isLoading: auditLoading } = useQuery({
@@ -1284,6 +1348,43 @@ export function DashboardPage() {
               </button>
             </div>
           </div>
+          {/* Palette row — always visible. Doubles as the chart's
+              legend (swatch + label per category) and as the per-user
+              color picker. Each swatch is a native <input type="color">
+              bound to localStorage; a Reset link returns to defaults. */}
+          <div className="px-5 pb-2">
+            <div
+              className={cn(
+                'flex items-center gap-3 flex-wrap p-2.5 rounded-md',
+                'bg-[color:var(--bg-2)] border border-[color:var(--border)]',
+                'text-xs text-[color:var(--text-2)]',
+              )}
+            >
+              {(['config', 'query', 'carve', 'enroll'] as ChartCategory[]).map((key) => (
+                <label key={key} className="flex items-center gap-1.5 cursor-pointer">
+                  <input
+                    type="color"
+                    value={palette[key]}
+                    onChange={(e) => setPaletteEntry(key, e.target.value)}
+                    className="w-5 h-5 rounded border border-[color:var(--border)] cursor-pointer p-0"
+                    aria-label={`${key} color`}
+                  />
+                  <span className="capitalize">{key}</span>
+                </label>
+              ))}
+              <button
+                type="button"
+                onClick={resetPalette}
+                className={cn(
+                  'ml-auto px-2 py-0.5 text-[10px] rounded',
+                  'text-[color:var(--text-3)] hover:text-[color:var(--text-1)]',
+                  'hover:bg-[color:var(--bg-1)]',
+                )}
+              >
+                Reset to defaults
+              </button>
+            </div>
+          </div>
           <div className="p-5">
             <TimeSeriesChart
               config={fleet24.config}
@@ -1291,6 +1392,7 @@ export function DashboardPage() {
               carve={fleet24.carve}
               enroll={fleet24.enroll}
               intervalLabel={activityInterval === '7d' ? '7d' : '24h'}
+              palette={palette}
             />
           </div>
         </div>
diff --git a/frontend/src/features/enrollment/AssembledConfigCard.tsx b/frontend/src/features/enrollment/AssembledConfigCard.tsx
new file mode 100644
index 00000000..6e54f8f6
--- /dev/null
+++ b/frontend/src/features/enrollment/AssembledConfigCard.tsx
@@ -0,0 +1,141 @@
+import { useState } from 'react';
+import { useQuery, useQueryClient } from '@tanstack/react-query';
+import { getEnvironmentAssembledConfig } from '$/api/environments';
+import { Button } from '$/components/atoms/Button';
+import { CodeEditor } from '$/components/forms/CodeEditor';
+import { cn } from '$/lib/cn';
+
+/**
+ * AssembledConfigCard — read-only Monaco viewer for the env's assembled
+ * osquery configuration JSON.
+ *
+ * Wraps GET /api/v1/environments/{env}/configuration/assembled, which
+ * re-runs RefreshConfiguration server-side before reading. The result is
+ * the exact JSON the TLS endpoint serves to agents — so this card is
+ * the canonical preview of what each node will actually receive on its
+ * next config refresh, including any unsaved edits that have already
+ * landed via the parts endpoints.
+ *
+ * The body is read-only (configuration is composed from parts, not
+ * written directly) — Copy / Download are the two affordances.
+ */
+export function AssembledConfigCard({ env }: { env: string }) {
+  const qc = useQueryClient();
+  const [copied, setCopied] = useState(false);
+  const [copyErr, setCopyErr] = useState<string | null>(null);
+
+  const cfgQuery = useQuery({
+    queryKey: ['env', env, 'assembled-config'],
+    queryFn: () => getEnvironmentAssembledConfig(env),
+    staleTime: 30_000,
+  });
+
+  async function handleCopy() {
+    if (!cfgQuery.data?.data) return;
+    try {
+      await navigator.clipboard.writeText(cfgQuery.data.data);
+      setCopied(true);
+      setCopyErr(null);
+      setTimeout(() => setCopied(false), 1500);
+    } catch {
+      setCopyErr('Clipboard blocked by browser');
+    }
+  }
+
+  function handleDownload() {
+    if (!cfgQuery.data?.data) return;
+    const blob = new Blob([cfgQuery.data.data], { type: 'application/json' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = `osctrl-${env}-config.json`;
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+  }
+
+  function handleRefresh() {
+    void qc.invalidateQueries({ queryKey: ['env', env, 'assembled-config'] });
+  }
+
+  // Sum the byte length so operators eyeball how heavy the config is
+  // before downloading. Useful when a packs section gets out of hand.
+  const sizeKb = cfgQuery.data?.data ? (cfgQuery.data.data.length / 1024).toFixed(1) : null;
+
+  return (
+    <section
+      className="rounded-xl border border-[color:var(--border)] bg-[color:var(--bg-1)] p-4"
+      aria-label="Assembled osquery configuration"
+    >
+      <div className="mb-3 flex items-center justify-between gap-2 flex-wrap">
+        <div className="flex items-center gap-2">
+          <h2 className="text-[12px] font-display font-semibold text-[color:var(--text-1)]">
+            Assembled configuration
+          </h2>
+          <span
+            className="text-[10px] text-[color:var(--text-3)] cursor-help"
+            title="The env's options + schedule + packs + decorators + ATC composed into the canonical osquery configuration JSON. Same bytes the TLS endpoint serves to agents on /config refresh — useful for previewing fleet-wide changes before they propagate."
+          >
+            ⓘ
+          </span>
+          {sizeKb && (
+            <span className="text-[10px] font-mono-tabular text-[color:var(--text-3)]">
+              {sizeKb} KB
+            </span>
+          )}
+        </div>
+        <Button variant="ghost" size="sm" onClick={handleRefresh}>
+          Refresh
+        </Button>
+      </div>
+
+      <div className="flex items-center justify-between mb-2">
+        <span className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)]">
+          read-only · agents pull this
+        </span>
+        <div className="flex items-center gap-1.5">
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={handleCopy}
+            disabled={!cfgQuery.data?.data}
+          >
+            {copied ? 'Copied ✓' : 'Copy'}
+          </Button>
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={handleDownload}
+            disabled={!cfgQuery.data?.data}
+          >
+            Download
+          </Button>
+        </div>
+      </div>
+
+      {cfgQuery.isError ? (
+        <div
+          className={cn(
+            'rounded-md border border-[color:var(--danger)]/30 bg-[color:var(--danger)]/10',
+            'px-3 py-2 text-xs text-[color:var(--danger)]',
+          )}
+        >
+          {(cfgQuery.error as Error | undefined)?.message ?? 'Failed to load configuration'}
+        </div>
+      ) : (
+        <CodeEditor
+          value={cfgQuery.data?.data ?? ''}
+          language="json"
+          height="360px"
+          readOnly
+          aria-label={`Assembled osquery configuration for environment ${env}`}
+        />
+      )}
+
+      {copyErr && (
+        <p className="mt-1.5 text-[10px] text-[color:var(--danger)]">{copyErr}</p>
+      )}
+    </section>
+  );
+}
diff --git a/frontend/src/features/enrollment/CertificateCard.tsx b/frontend/src/features/enrollment/CertificateCard.tsx
new file mode 100644
index 00000000..e65d9dc7
--- /dev/null
+++ b/frontend/src/features/enrollment/CertificateCard.tsx
@@ -0,0 +1,229 @@
+import { useRef, useState } from 'react';
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { getEnrollData, uploadCertificate } from '$/api/enrollment';
+import { ApiError } from '$/api/client';
+import { Button } from '$/components/atoms/Button';
+import { Skeleton } from '$/components/data/Skeleton';
+import { cn } from '$/lib/cn';
+
+/**
+ * CertificateCard — view, copy, download, and replace the env's enrollment
+ * certificate. Slots into the EnrollPage right rail beside the two
+ * LifecycleCards. The card always displays a short fingerprint preview
+ * (first + last PEM lines) so operators can sanity-check at a glance
+ * without copy/pasting the whole thing.
+ *
+ * Upload path: paste full PEM into the textarea, click Upload. The API
+ * does the PEM + x509 validation server-side — we surface its rejection
+ * verbatim under the textarea on 400, and re-fetch the cert on 200.
+ *
+ * Notes on layout: matches the LifecycleCard chrome exactly (rounded-xl,
+ * border, p-4, h2 heading) so the rail stays visually coherent.
+ */
+export function CertificateCard({ env }: { env: string }) {
+  const qc = useQueryClient();
+  const [paste, setPaste] = useState('');
+  const [feedback, setFeedback] = useState<{ kind: 'success' | 'error'; msg: string } | null>(
+    null,
+  );
+  const [copied, setCopied] = useState(false);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+
+  const certQuery = useQuery({
+    queryKey: ['enrollment', env, 'cert'],
+    queryFn: () => getEnrollData(env, 'cert'),
+    staleTime: 60_000,
+  });
+
+  const uploadMut = useMutation({
+    mutationFn: (pem: string) => uploadCertificate(env, pem),
+    onSuccess: (res) => {
+      setFeedback({ kind: 'success', msg: res.message });
+      setPaste('');
+      void qc.invalidateQueries({ queryKey: ['enrollment', env, 'cert'] });
+    },
+    onError: (err) =>
+      setFeedback({
+        kind: 'error',
+        msg: err instanceof ApiError ? err.message : 'Upload failed',
+      }),
+  });
+
+  function handleUpload() {
+    const trimmed = paste.trim();
+    if (!trimmed) {
+      setFeedback({ kind: 'error', msg: 'Empty certificate' });
+      return;
+    }
+    setFeedback(null);
+    uploadMut.mutate(trimmed);
+  }
+
+  async function handleFile(file: File) {
+    try {
+      const text = await file.text();
+      setPaste(text);
+      setFeedback(null);
+    } catch {
+      setFeedback({ kind: 'error', msg: 'Could not read file' });
+    }
+  }
+
+  async function handleCopy() {
+    if (!certQuery.data?.data) return;
+    try {
+      await navigator.clipboard.writeText(certQuery.data.data);
+      setCopied(true);
+      setTimeout(() => setCopied(false), 1500);
+    } catch {
+      setFeedback({ kind: 'error', msg: 'Clipboard blocked by browser' });
+    }
+  }
+
+  function handleDownload() {
+    if (!certQuery.data?.data) return;
+    const blob = new Blob([certQuery.data.data], { type: 'application/x-pem-file' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = `osctrl-${env}.crt`;
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+  }
+
+  // Build a one-glance preview: first PEM line + last 60 chars of body.
+  const preview = (() => {
+    const pem = certQuery.data?.data ?? '';
+    if (!pem) return null;
+    const lines = pem.trim().split('\n');
+    if (lines.length < 3) return pem;
+    const body = lines.slice(1, -1).join('');
+    const tail = body.slice(-60);
+    return `${lines[0]}\n…${tail}\n${lines[lines.length - 1]}`;
+  })();
+
+  return (
+    <section
+      className="rounded-xl border border-[color:var(--border)] bg-[color:var(--bg-1)] p-4"
+      aria-label="Enrollment certificate"
+    >
+      <div className="mb-3 flex items-center justify-between gap-2">
+        <h2 className="text-[12px] font-display font-semibold text-[color:var(--text-1)]">
+          Certificate
+        </h2>
+        <span
+          className="text-[10px] text-[color:var(--text-3)] cursor-help"
+          title="The PEM-encoded TLS certificate agents pin to when they enroll. Replace this when rotating CAs or after a compromise."
+        >
+          ⓘ
+        </span>
+      </div>
+
+      {/* Preview */}
+      <pre
+        className={cn(
+          'text-[10px] font-mono-tabular',
+          'bg-[color:var(--bg-2)] border border-[color:var(--border)] rounded-md',
+          'p-2 min-h-[60px] overflow-hidden whitespace-pre-wrap break-all',
+          'text-[color:var(--text-2)]',
+        )}
+      >
+        {certQuery.isLoading ? (
+          <Skeleton className="h-4 w-full" />
+        ) : certQuery.isError ? (
+          <span className="text-[color:var(--danger)]">
+            {(certQuery.error as Error | undefined)?.message ?? 'Failed to load'}
+          </span>
+        ) : (
+          preview ?? <span className="text-[color:var(--text-3)]">No certificate set</span>
+        )}
+      </pre>
+
+      <div className="mt-2 flex items-center gap-1.5">
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={handleCopy}
+          disabled={!certQuery.data?.data}
+        >
+          {copied ? 'Copied ✓' : 'Copy'}
+        </Button>
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={handleDownload}
+          disabled={!certQuery.data?.data}
+        >
+          Download
+        </Button>
+      </div>
+
+      {/* Replace */}
+      <div className="mt-4 pt-3 border-t border-[color:var(--border)]">
+        <div className="mb-2 flex items-center justify-between">
+          <span className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)]">
+            Replace certificate
+          </span>
+          <input
+            ref={fileInputRef}
+            type="file"
+            accept=".crt,.pem,.cer,application/x-pem-file"
+            className="hidden"
+            onChange={(ev) => {
+              const f = ev.target.files?.[0];
+              if (f) void handleFile(f);
+              ev.target.value = '';
+            }}
+          />
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={() => fileInputRef.current?.click()}
+          >
+            Pick file…
+          </Button>
+        </div>
+        <textarea
+          value={paste}
+          onChange={(ev) => {
+            setPaste(ev.target.value);
+            setFeedback(null);
+          }}
+          placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
+          className={cn(
+            'w-full px-2.5 py-2 rounded-md text-[10px] font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)]',
+            'text-[color:var(--text-1)] placeholder:text-[color:var(--text-3)]',
+            'focus:outline-none focus:ring-2 focus:ring-[color:var(--signal)] focus:border-transparent',
+            'min-h-[80px] resize-y',
+          )}
+          spellCheck={false}
+        />
+        {feedback && (
+          <p
+            className={cn(
+              'mt-1.5 text-[10px]',
+              feedback.kind === 'success'
+                ? 'text-[color:var(--success)]'
+                : 'text-[color:var(--danger)]',
+            )}
+          >
+            {feedback.msg}
+          </p>
+        )}
+        <div className="mt-2 flex justify-end">
+          <Button
+            variant="primary"
+            size="sm"
+            onClick={handleUpload}
+            disabled={uploadMut.isPending || !paste.trim()}
+          >
+            {uploadMut.isPending ? 'Uploading…' : 'Upload'}
+          </Button>
+        </div>
+      </div>
+    </section>
+  );
+}
diff --git a/frontend/src/features/enrollment/EnrollPage.tsx b/frontend/src/features/enrollment/EnrollPage.tsx
index ad04143a..e9b9d029 100644
--- a/frontend/src/features/enrollment/EnrollPage.tsx
+++ b/frontend/src/features/enrollment/EnrollPage.tsx
@@ -16,27 +16,44 @@ import { Button } from '$/components/atoms/Button';
 import { Skeleton } from '$/components/data/Skeleton';
 import { cn } from '$/lib/cn';
 import { formatRelative } from '$/lib/time';
+import { CertificateCard } from './CertificateCard';
+import { FlagsCard } from './FlagsCard';
+import { AssembledConfigCard } from './AssembledConfigCard';
+import { DocsLink } from '$/components/atoms/DocsLink';
 
 /**
- * EnrollPage (v2) — env-scoped node enrollment portal.
+ * EnrollPage (v3) — tabbed env-scoped enrollment portal.
  *
- * Layout (xl+):
  *   ┌─────────────────────────────────────────────────────────────────┐
- *   │ Header                                                          │
+ *   │ Header — env name + accepting-enrolls badge                     │
  *   ├─────────────────────────────────────────────────────────────────┤
- *   │ NotAcceptingBanner (only when accept_enrolls=false)             │
- *   ├──────────────────────────────────────┬──────────────────────────┤
- *   │ ScriptPanel                          │ LifecycleCard (enroll)   │
- *   │  ScriptViewToggle (Install / Remove) │ LifecycleCard (remove)   │
- *   │  PlatformTabs    (Linux / Windows)   │ PackageUrlCard           │
- *   │  Single <pre>                        │  (sticky on xl)          │
- *   └──────────────────────────────────────┴──────────────────────────┘
+ *   │ Install  ·  Configuration  ·  Lifecycle                         │
+ *   ├─────────────────────────────────────────────────────────────────┤
+ *   │ ┌─ Install ────────────────────────────────────────────────────┐│
+ *   │ │ ScriptPanel (Install/Remove · Linux/Windows · one-liner)     ││
+ *   │ │ Pre-built package URLs (collapsed by default)                ││
+ *   │ └──────────────────────────────────────────────────────────────┘│
+ *   │ ┌─ Configuration ──────────────────────────────────────────────┐│
+ *   │ │ FlagsCard (per-OS, substituted)                              ││
+ *   │ │ AssembledConfigCard (Monaco read-only)                       ││
+ *   │ └──────────────────────────────────────────────────────────────┘│
+ *   │ ┌─ Lifecycle ──────────────────────────────────────────────────┐│
+ *   │ │ LifecycleCard (enroll secret) · LifecycleCard (remove secret)││
+ *   │ │ CertificateCard (full — view + replace)                      ││
+ *   │ └──────────────────────────────────────────────────────────────┘│
+ *   └─────────────────────────────────────────────────────────────────┘
+ *
+ * Tab choice optimises for the modal trip: an operator who comes here
+ * to grab a script doesn't see six cards stacked. Lifecycle (destructive
+ * + secret-bearing) lives behind its own tab so it's out of the
+ * accidental-click path. Configuration is the rare debugging trip.
  *
  * Data layer lives in $/api/enrollment.
  */
 
 type Direction = 'install' | 'remove';
 type Platform = 'sh' | 'ps1';
+type PageTab = 'install' | 'configuration' | 'lifecycle';
 
 type DataResult = UseQueryResult<{ data: string }, Error>;
 
@@ -47,11 +64,21 @@ export function EnrollPage() {
   const [serverError, setServerError] = useState<string | null>(null);
   const [copied, setCopied] = useState<string | null>(null);
 
-  // Tab state — toggling these only swaps which prefetched query
-  // we render inside ScriptPanel's single <pre>.
+  // Page-level tab — splits the page into Install (default), Configuration,
+  // and Lifecycle so an operator who comes here just to grab a script
+  // doesn't have to wade through six cards. Inner ScriptPanel still has
+  // its own Install/Remove + platform toggles.
+  const [pageTab, setPageTab] = useState<PageTab>('install');
+
+  // State for the inner ScriptPanel — toggling these only swaps which
+  // prefetched query is rendered inside its <pre>.
   const [scriptView, setScriptView] = useState<Direction>('install');
   const [platform, setPlatform] = useState<Platform>('sh');
 
+  // Package URLs section is collapsible on the Install tab so the
+  // primary affordance (the script) gets prime real estate.
+  const [pkgOpen, setPkgOpen] = useState(false);
+
   const envQuery = useQuery({
     queryKey: ['env', env],
     queryFn: () => getEnvironment(env),
@@ -147,6 +174,13 @@ export function EnrollPage() {
 
   const notAccepting = !!e && !e.accept_enrolls;
 
+  // The Install tab needs the not-accepting dim treatment because scripts +
+  // package URLs are useless when enrolls are closed. Configuration and
+  // Lifecycle tabs stay fully interactive — those are how the operator
+  // FIXES the not-accepting state.
+  const installDimCls = cn(notAccepting && 'opacity-50 pointer-events-none');
+  const installAriaHidden = notAccepting || undefined;
+
   return (
     <div className="flex flex-col h-full min-h-0">
       {/* ── Page header ───────────────────────────────────────────────── */}
@@ -172,6 +206,11 @@ export function EnrollPage() {
                 ? 'bg-[color:var(--success)]/10 text-[color:var(--success)] border border-[color:var(--success)]/30'
                 : 'bg-[color:var(--danger)]/10 text-[color:var(--danger)] border border-[color:var(--danger)]/30',
             )}
+            title={
+              e.accept_enrolls
+                ? 'New nodes can enroll right now.'
+                : 'Enrolls are closed. Use Lifecycle → Rotate to reopen.'
+            }
           >
             <span aria-hidden className="w-1.5 h-1.5 rounded-full bg-current" />
             {e.accept_enrolls ? 'accepting enrolls' : 'not accepting enrolls'}
@@ -179,8 +218,32 @@ export function EnrollPage() {
         )}
       </div>
 
-      {/* ── Full-bleed NotAcceptingBanner ─────────────────────────────── */}
-      <NotAcceptingBanner show={notAccepting} />
+      {/* ── Page tab bar ──────────────────────────────────────────────── */}
+      <div
+        role="tablist"
+        aria-label="Enrollment sections"
+        className="flex items-center gap-1 px-4 border-b border-[color:var(--border)] overflow-x-auto"
+      >
+        <PageTabButton
+          id="install"
+          label="Install"
+          active={pageTab === 'install'}
+          onClick={() => setPageTab('install')}
+        />
+        <PageTabButton
+          id="configuration"
+          label="Configuration"
+          active={pageTab === 'configuration'}
+          onClick={() => setPageTab('configuration')}
+        />
+        <PageTabButton
+          id="lifecycle"
+          label="Lifecycle"
+          active={pageTab === 'lifecycle'}
+          onClick={() => setPageTab('lifecycle')}
+          warn={notAccepting}
+        />
+      </div>
 
       {/* ── Content ───────────────────────────────────────────────────── */}
       <div className="flex-1 min-h-0 overflow-auto">
@@ -191,119 +254,263 @@ export function EnrollPage() {
             </div>
           )}
 
-          {/* 2-col @ xl: scripts flex + sticky 320px right rail.        *
-           *  When enrolls are off, left column is dimmed but right     *
-           *  rail stays interactive so operators can rotate to resume. */}
-          <div className="flex flex-col xl:flex-row gap-5 items-start">
-            <div
-              className={cn(
-                'flex-1 min-w-0 w-full transition-opacity',
-                notAccepting && 'opacity-50 pointer-events-none',
+          {/* ── Install tab ─────────────────────────────────────────── */}
+          {pageTab === 'install' && (
+            <div role="tabpanel" aria-labelledby="tab-install" className="space-y-5">
+              <div className="flex items-center justify-end -mt-2">
+                <DocsLink
+                  href="https://osquery.readthedocs.io/en/latest/deployment/remote/"
+                  label="enrollment docs"
+                />
+              </div>
+              {notAccepting && (
+                <NotAcceptingHint
+                  onJumpToLifecycle={() => setPageTab('lifecycle')}
+                />
               )}
-              aria-hidden={notAccepting || undefined}
-            >
-              <ScriptPanel
-                scriptView={scriptView}
-                setScriptView={setScriptView}
-                platform={platform}
-                setPlatform={setPlatform}
-                enrollSh={enrollSh}
-                enrollPs1={enrollPs1}
-                removeSh={removeSh}
-                removePs1={removePs1}
-                copied={copied}
-                onCopy={copy}
-              />
+              <div className={installDimCls} aria-hidden={installAriaHidden}>
+                <ScriptPanel
+                  scriptView={scriptView}
+                  setScriptView={setScriptView}
+                  platform={platform}
+                  setPlatform={setPlatform}
+                  enrollSh={enrollSh}
+                  enrollPs1={enrollPs1}
+                  removeSh={removeSh}
+                  removePs1={removePs1}
+                  copied={copied}
+                  onCopy={copy}
+                />
+              </div>
+
+              {/* Collapsible package URLs — secondary affordance, so we
+                  give the script all the room first and only expand
+                  this row on demand. */}
+              <div className={installDimCls} aria-hidden={installAriaHidden}>
+                <Collapsible
+                  open={pkgOpen}
+                  onToggle={() => setPkgOpen((v) => !v)}
+                  title="Pre-built package URLs"
+                  subtitle="optional · DEB · RPM · PKG · MSI"
+                >
+                  <PackageUrlCard
+                    debUrl={debUrl}
+                    setDebUrl={setDebUrl}
+                    rpmUrl={rpmUrl}
+                    setRpmUrl={setRpmUrl}
+                    pkgUrl={pkgUrl}
+                    setPkgUrl={setPkgUrl}
+                    msiUrl={msiUrl}
+                    setMsiUrl={setMsiUrl}
+                    isPending={pkgMut.isPending}
+                    onSave={(action, body) => pkgMut.mutate({ action, body })}
+                  />
+                </Collapsible>
+              </div>
             </div>
+          )}
 
-            <aside className="w-full xl:w-80 xl:flex-shrink-0 xl:sticky xl:top-6 space-y-4">
-              <LifecycleCard
-                label="Enroll secret"
-                expireValue={e?.enroll_expire}
-                onAction={(a) => enrollMut.mutate(a as EnrollAction)}
-                isPending={enrollMut.isPending}
-              />
-              <LifecycleCard
-                label="Remove secret"
-                expireValue={e?.remove_expire}
-                onAction={(a) => removeMut.mutate(a as RemoveAction)}
-                isPending={removeMut.isPending}
-              />
-            </aside>
-          </div>
+          {/* ── Configuration tab ───────────────────────────────────── */}
+          {pageTab === 'configuration' && (
+            <div role="tabpanel" aria-labelledby="tab-configuration" className="space-y-5">
+              <div className="flex items-center justify-end -mt-2 gap-3">
+                <DocsLink
+                  href="https://osquery.readthedocs.io/en/latest/installation/cli-flags/"
+                  label="flags docs"
+                />
+                <DocsLink
+                  href="https://osquery.readthedocs.io/en/latest/deployment/configuration/"
+                  label="config docs"
+                />
+              </div>
+              <FlagsCard env={env} />
+              <AssembledConfigCard env={env} />
+            </div>
+          )}
 
-          {/* Full-width package URL setters below the 2-col block. The
-              four input rows ([label][url input][Save]) are too cramped
-              in the 320px right rail, so they get the whole content
-              width here. Inherits the same dim-on-not-accepting state
-              as the left column above. */}
-          <div
-            className={cn(
-              'mt-5 transition-opacity',
-              notAccepting && 'opacity-50 pointer-events-none',
-            )}
-            aria-hidden={notAccepting || undefined}
-          >
-            <PackageUrlCard
-              debUrl={debUrl}
-              setDebUrl={setDebUrl}
-              rpmUrl={rpmUrl}
-              setRpmUrl={setRpmUrl}
-              pkgUrl={pkgUrl}
-              setPkgUrl={setPkgUrl}
-              msiUrl={msiUrl}
-              setMsiUrl={setMsiUrl}
-              isPending={pkgMut.isPending}
-              onSave={(action, body) => pkgMut.mutate({ action, body })}
-            />
-          </div>
+          {/* ── Lifecycle tab ───────────────────────────────────────── */}
+          {pageTab === 'lifecycle' && (
+            <div role="tabpanel" aria-labelledby="tab-lifecycle" className="space-y-5">
+              <div className="flex items-center justify-end -mt-2">
+                <DocsLink
+                  href="https://osquery.readthedocs.io/en/latest/deployment/remote/#tls-server"
+                  label="enroll/cert docs"
+                />
+              </div>
+              {/* 2-col @ lg: secret cards next to each other; certificate
+                  full-width below (Replace textarea needs the room). */}
+              <div className="grid grid-cols-1 lg:grid-cols-2 gap-5">
+                <LifecycleCard
+                  label="Enroll secret"
+                  expireValue={e?.enroll_expire}
+                  onAction={(a) => enrollMut.mutate(a as EnrollAction)}
+                  isPending={enrollMut.isPending}
+                />
+                <LifecycleCard
+                  label="Remove secret"
+                  expireValue={e?.remove_expire}
+                  onAction={(a) => removeMut.mutate(a as RemoveAction)}
+                  isPending={removeMut.isPending}
+                />
+              </div>
+              <CertificateCard env={env} />
+            </div>
+          )}
         </div>
       </div>
     </div>
   );
 }
 
-export default EnrollPage;
+// ---------------------------------------------------------------------------
+// PageTabButton — underline tab matching the rest of the SPA (same
+// styling as the EnvConfigPage TabButton). `warn` paints a small amber
+// dot to the right of the label when the corresponding tab needs
+// operator attention (e.g. enrolls closed → Lifecycle tab).
+// ---------------------------------------------------------------------------
+function PageTabButton({
+  id,
+  label,
+  active,
+  warn,
+  onClick,
+}: {
+  id: string;
+  label: string;
+  active: boolean;
+  warn?: boolean;
+  onClick: () => void;
+}) {
+  return (
+    <button
+      type="button"
+      role="tab"
+      id={`tab-${id}`}
+      aria-selected={active}
+      onClick={onClick}
+      className={cn(
+        'inline-flex items-center gap-1.5 px-3 pt-2 pb-1.5 text-xs whitespace-nowrap',
+        'border-b-2 transition-colors',
+        'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+        active
+          ? 'border-[color:var(--signal)] text-[color:var(--text-1)] font-semibold'
+          : 'border-transparent text-[color:var(--text-3)] hover:text-[color:var(--text-1)]',
+      )}
+    >
+      {label}
+      {warn && (
+        <span
+          aria-hidden
+          className="w-1.5 h-1.5 rounded-full bg-[color:var(--warning)]"
+          title="Needs attention"
+        />
+      )}
+    </button>
+  );
+}
 
 // ---------------------------------------------------------------------------
-// NotAcceptingBanner — full-bleed danger-tinted strip shown only when an env
-// is not accepting enrolls. Returns null when `show` is false so the consumer
-// can render unconditionally.
+// NotAcceptingHint — compact inline alert on the Install tab when enrolls
+// are closed, with a one-click jump to the Lifecycle tab where Rotate
+// will reopen them. Replaces the old full-bleed NotAcceptingBanner.
 // ---------------------------------------------------------------------------
-function NotAcceptingBanner({ show }: { show: boolean }) {
-  if (!show) return null;
+function NotAcceptingHint({ onJumpToLifecycle }: { onJumpToLifecycle: () => void }) {
   return (
     <div
       role="alert"
       className={cn(
-        'px-6 py-3 border-b border-[color:var(--danger)]/30',
+        'rounded-lg border border-[color:var(--danger)]/30',
         'bg-[color:var(--danger)]/10 text-[color:var(--danger)]',
+        'px-3 py-2.5 flex items-start gap-3',
       )}
     >
-      <div className="flex items-start gap-3 max-w-[1400px] mx-auto">
+      <svg aria-hidden viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5" className="w-4 h-4 flex-shrink-0 mt-0.5">
+        <circle cx="12" cy="12" r="10" />
+        <path d="M12 8v4M12 16h.01" />
+      </svg>
+      <div className="flex-1 text-xs">
+        <p className="font-semibold">This environment is not accepting enrolls.</p>
+        <p className="text-[color:var(--danger)]/90 mt-0.5">
+          Install scripts are disabled until enrollment reopens.
+        </p>
+      </div>
+      <button
+        type="button"
+        onClick={onJumpToLifecycle}
+        className={cn(
+          'px-2 py-1 rounded text-[11px] font-medium',
+          'border border-[color:var(--danger)]/40 text-[color:var(--danger)]',
+          'hover:bg-[color:var(--danger)] hover:text-white transition-colors',
+        )}
+      >
+        Open Lifecycle →
+      </button>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Collapsible — generic header + chevron toggle wrapping a child. Used by
+// the Install tab to keep the Package URLs row tucked away by default;
+// header stays visible so the affordance is discoverable.
+// ---------------------------------------------------------------------------
+function Collapsible({
+  open,
+  onToggle,
+  title,
+  subtitle,
+  children,
+}: {
+  open: boolean;
+  onToggle: () => void;
+  title: string;
+  subtitle?: string;
+  children: React.ReactNode;
+}) {
+  return (
+    <div className="rounded-xl border border-[color:var(--border)] bg-[color:var(--bg-1)] overflow-hidden">
+      <button
+        type="button"
+        onClick={onToggle}
+        aria-expanded={open}
+        className={cn(
+          'w-full flex items-center gap-2 px-4 py-3 text-left',
+          'hover:bg-[color:var(--bg-2)] transition-colors',
+          'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+        )}
+      >
         <svg
-          aria-hidden
           viewBox="0 0 24 24"
           fill="none"
           stroke="currentColor"
-          strokeWidth="1.5"
-          className="w-5 h-5 flex-shrink-0 mt-0.5"
+          strokeWidth="2"
+          className={cn(
+            'w-3.5 h-3.5 flex-shrink-0 text-[color:var(--text-3)] transition-transform',
+            open && 'rotate-90',
+          )}
+          aria-hidden
         >
-          <circle cx="12" cy="12" r="10" />
-          <path d="M12 8v4M12 16h.01" />
+          <path d="M9 18l6-6-6-6" />
         </svg>
-        <div>
-          <p className="text-sm font-semibold">This environment is not accepting enrolls.</p>
-          <p className="text-xs mt-0.5 text-[color:var(--danger)]/90">
-            Install scripts are hidden until enroll acceptance is re-enabled — use the lifecycle
-            controls on the right to rotate or extend the enroll secret and resume.
-          </p>
-        </div>
-      </div>
+        <span className="text-[12px] font-display font-semibold text-[color:var(--text-1)]">
+          {title}
+        </span>
+        {subtitle && (
+          <span className="text-[10px] text-[color:var(--text-3)] font-mono-tabular">
+            · {subtitle}
+          </span>
+        )}
+      </button>
+      {open && (
+        <div className="border-t border-[color:var(--border)]">{children}</div>
+      )}
     </div>
   );
 }
 
+export default EnrollPage;
+
+
 // ---------------------------------------------------------------------------
 // ScriptViewToggle — full-width segmented control (Install / Remove).
 // ---------------------------------------------------------------------------
diff --git a/frontend/src/features/enrollment/FlagsCard.tsx b/frontend/src/features/enrollment/FlagsCard.tsx
new file mode 100644
index 00000000..702b8f1d
--- /dev/null
+++ b/frontend/src/features/enrollment/FlagsCard.tsx
@@ -0,0 +1,198 @@
+import { useState } from 'react';
+import { useQuery, useQueryClient } from '@tanstack/react-query';
+import { getEnrollData, type EnrollTarget } from '$/api/enrollment';
+import { Button } from '$/components/atoms/Button';
+import { Skeleton } from '$/components/data/Skeleton';
+import { cn } from '$/lib/cn';
+
+/**
+ * FlagsCard — view, copy, and per-OS download the osquery flags file.
+ *
+ * The flag template ships with __SECRET_FILE__ and __CERT_FILE__
+ * placeholders. The four per-OS targets ({flagsLinux,flagsMac,
+ * flagsWindows,flagsFreeBSD}) ask the API to substitute the canonical
+ * install path for that platform — same bytes osquery expects to read
+ * from /etc/osquery/osctrl-{env}.flags (or platform equivalent).
+ *
+ * Layout: full-width card under the 2-col block on EnrollPage, so the
+ * preview gets the same horizontal room as PackageUrlCard. Tabs across
+ * the top switch which substituted variant is shown + which file the
+ * Download button writes.
+ */
+
+type OS = 'linux' | 'mac' | 'windows' | 'freebsd';
+
+const TABS: { id: OS; label: string; target: EnrollTarget; filename: string }[] = [
+  { id: 'linux',   label: 'Linux',   target: 'flagsLinux',   filename: 'osquery.flags' },
+  { id: 'mac',     label: 'macOS',   target: 'flagsMac',     filename: 'osquery.flags' },
+  { id: 'windows', label: 'Windows', target: 'flagsWindows', filename: 'osquery.flags' },
+  { id: 'freebsd', label: 'FreeBSD', target: 'flagsFreeBSD', filename: 'osquery.flags' },
+];
+
+export function FlagsCard({ env }: { env: string }) {
+  const qc = useQueryClient();
+  const [os, setOs] = useState<OS>('linux');
+  const [copied, setCopied] = useState(false);
+  const [copyErr, setCopyErr] = useState<string | null>(null);
+
+  // Warm all four queries so tab switching is instant. Each result is the
+  // env's flag template with __SECRET_FILE__/__CERT_FILE__ substituted for
+  // the platform's canonical install path. (Four explicit hooks rather than
+  // .map(useQuery) to satisfy Rules of Hooks.)
+  const linux = useQuery({
+    queryKey: ['enrollment', env, 'flagsLinux'],
+    queryFn: () => getEnrollData(env, 'flagsLinux'),
+    staleTime: 60_000,
+  });
+  const mac = useQuery({
+    queryKey: ['enrollment', env, 'flagsMac'],
+    queryFn: () => getEnrollData(env, 'flagsMac'),
+    staleTime: 60_000,
+  });
+  const windows = useQuery({
+    queryKey: ['enrollment', env, 'flagsWindows'],
+    queryFn: () => getEnrollData(env, 'flagsWindows'),
+    staleTime: 60_000,
+  });
+  const freebsd = useQuery({
+    queryKey: ['enrollment', env, 'flagsFreeBSD'],
+    queryFn: () => getEnrollData(env, 'flagsFreeBSD'),
+    staleTime: 60_000,
+  });
+  const byOs: Record<OS, typeof linux> = {
+    linux,
+    mac,
+    windows,
+    freebsd,
+  };
+  const active = byOs[os];
+  const activeTab = TABS.find((t) => t.id === os)!;
+
+  async function handleCopy() {
+    if (!active.data?.data) return;
+    try {
+      await navigator.clipboard.writeText(active.data.data);
+      setCopied(true);
+      setCopyErr(null);
+      setTimeout(() => setCopied(false), 1500);
+    } catch {
+      setCopyErr('Clipboard blocked by browser');
+    }
+  }
+
+  function handleDownload() {
+    if (!active.data?.data) return;
+    const blob = new Blob([active.data.data], { type: 'text/plain' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = activeTab.filename;
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+  }
+
+  function handleRefresh() {
+    // Force re-fetch — useful after the user changed env.Flags via the
+    // legacy settings page or via a `flagsXxx` API call from elsewhere.
+    void qc.invalidateQueries({ queryKey: ['enrollment', env, activeTab.target] });
+  }
+
+  return (
+    <section
+      className="rounded-xl border border-[color:var(--border)] bg-[color:var(--bg-1)] p-4"
+      aria-label="osquery flags"
+    >
+      <div className="mb-3 flex items-center justify-between gap-2 flex-wrap">
+        <div className="flex items-center gap-2">
+          <h2 className="text-[12px] font-display font-semibold text-[color:var(--text-1)]">
+            osquery flags
+          </h2>
+          <span
+            className="text-[10px] text-[color:var(--text-3)] cursor-help"
+            title="The flag template with __SECRET_FILE__ / __CERT_FILE__ substituted for the canonical install path of the selected OS. Drop this at /etc/osquery/osctrl-<env>.flags (or platform equivalent)."
+          >
+            ⓘ
+          </span>
+        </div>
+        <Button variant="ghost" size="sm" onClick={handleRefresh}>
+          Refresh
+        </Button>
+      </div>
+
+      {/* OS tabs */}
+      <div role="tablist" aria-label="Target OS" className="flex items-center gap-4 mb-3">
+        {TABS.map((t) => {
+          const isActive = t.id === os;
+          return (
+            <button
+              key={t.id}
+              type="button"
+              role="tab"
+              aria-selected={isActive}
+              onClick={() => setOs(t.id)}
+              className={cn(
+                'pb-1.5 text-xs transition-colors border-b-2',
+                'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+                isActive
+                  ? 'border-[color:var(--signal)] text-[color:var(--text-1)] font-semibold'
+                  : 'border-transparent text-[color:var(--text-3)] hover:text-[color:var(--text-1)]',
+              )}
+            >
+              {t.label}
+            </button>
+          );
+        })}
+      </div>
+
+      <div className="flex items-center justify-between mb-2">
+        <span className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)]">
+          flag file · {activeTab.label.toLowerCase()}
+        </span>
+        <div className="flex items-center gap-1.5">
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={handleCopy}
+            disabled={!active.data?.data}
+          >
+            {copied ? 'Copied ✓' : 'Copy'}
+          </Button>
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={handleDownload}
+            disabled={!active.data?.data}
+          >
+            Download
+          </Button>
+        </div>
+      </div>
+      <pre
+        className={cn(
+          'text-xs font-mono-tabular',
+          'bg-[color:var(--bg-2)] border border-[color:var(--border)] rounded-md',
+          'p-3 overflow-auto whitespace-pre-wrap break-all',
+          'text-[color:var(--text-1)] min-h-[180px] max-h-[420px]',
+        )}
+      >
+        {active.isLoading ? (
+          <Skeleton className="h-4 w-full" />
+        ) : active.isError ? (
+          <span className="text-[color:var(--danger)]">
+            {(active.error as Error | undefined)?.message ?? 'Failed to load'}
+          </span>
+        ) : (
+          active.data?.data
+        )}
+      </pre>
+      {copyErr && (
+        <p className="mt-1.5 text-[10px] text-[color:var(--danger)]">{copyErr}</p>
+      )}
+      <p className="mt-2 text-[10px] text-[color:var(--text-3)]">
+        Save as <span className="font-mono-tabular text-[color:var(--text-2)]">{activeTab.filename}</span> next to the secret + cert files this environment expects.
+      </p>
+    </section>
+  );
+}
diff --git a/frontend/src/features/environments/EnvConfigPage.tsx b/frontend/src/features/environments/EnvConfigPage.tsx
index 4e58fabd..e4b8fe83 100644
--- a/frontend/src/features/environments/EnvConfigPage.tsx
+++ b/frontend/src/features/environments/EnvConfigPage.tsx
@@ -15,18 +15,74 @@ import { AuthError, ApiError } from '$/api/client';
 import { cn } from '$/lib/cn';
 import { CodeEditor } from '$/components/forms/CodeEditor';
 import { DiffView } from '$/components/forms/DiffView';
+import { DocsLink } from '$/components/atoms/DocsLink';
 
 type SectionKey = 'options' | 'schedule' | 'packs' | 'decorators' | 'atc' | 'flags';
 
-const SECTIONS: { key: SectionKey; label: string; language: string; help: string }[] = [
-  { key: 'options', label: 'Options', language: 'json', help: 'Top-level osquery `options` block.' },
-  { key: 'schedule', label: 'Schedule', language: 'json', help: 'Scheduled query map keyed by name.' },
-  { key: 'packs', label: 'Packs', language: 'json', help: 'Named query packs delivered with the config.' },
-  { key: 'decorators', label: 'Decorators', language: 'json', help: 'Decorator queries that prefix every result.' },
-  { key: 'atc', label: 'ATC', language: 'json', help: 'Auto Table Construction — third-party SQLite virtual tables.' },
-  { key: 'flags', label: 'Flags', language: 'plaintext', help: 'CLI flags appended to osquery on startup.' },
+// docs URLs point at the upstream osquery read-the-docs anchors so an
+// operator can jump from the section header straight to the canonical
+// reference for that part of the config. `latest` is intentional — pinning
+// to a version would drift as osquery releases.
+const SECTIONS: {
+  key: SectionKey;
+  label: string;
+  language: string;
+  help: string;
+  docsUrl: string;
+}[] = [
+  {
+    key: 'options',
+    label: 'Options',
+    language: 'json',
+    help: 'Top-level osquery `options` block.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/installation/cli-flags/#configuration-control-flags',
+  },
+  {
+    key: 'schedule',
+    label: 'Schedule',
+    language: 'json',
+    help: 'Scheduled query map keyed by name.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/deployment/configuration/#schedule',
+  },
+  {
+    key: 'packs',
+    label: 'Packs',
+    language: 'json',
+    help: 'Named query packs delivered with the config.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/deployment/configuration/#query-packs',
+  },
+  {
+    key: 'decorators',
+    label: 'Decorators',
+    language: 'json',
+    help: 'Decorator queries that prefix every result.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/deployment/configuration/#decorator-queries',
+  },
+  {
+    key: 'atc',
+    label: 'ATC',
+    language: 'json',
+    help: 'Auto Table Construction — third-party SQLite virtual tables.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/deployment/configuration/#automatic-table-construction',
+  },
+  {
+    key: 'flags',
+    label: 'Flags',
+    language: 'plaintext',
+    help: 'CLI flags appended to osquery on startup.',
+    docsUrl: 'https://osquery.readthedocs.io/en/latest/installation/cli-flags/',
+  },
 ];
 
+// Names that JavaScript treats specially on an object literal. Assigning
+// to `__proto__` mutates the prototype chain instead of creating an own
+// property, so the surrounding JSON.stringify silently drops the entry —
+// confusing UX, and a real prototype-pollution bug waiting to happen if
+// someone copies the AddOptionForm / AddScheduledQueryForm pattern into a
+// path that reads off `parsed` later. Rejected up front by both inline
+// forms below.
+const RESERVED_OPTION_NAMES = new Set(['__proto__', 'constructor', 'prototype']);
+
 export function EnvConfigPage() {
   const { env } = useParams({ from: '/_app/env/$env/config' });
   const navigate = useNavigate({ from: '/_app/env/$env/config' });
@@ -58,6 +114,13 @@ export function EnvConfigPage() {
     flags: false,
   });
 
+  // Page is tabbed: 'settings' (intervals + expiration) plus one tab per
+  // config SECTION. The "settings" default keeps the slider-based forms
+  // up-front so an operator who lands here to tune pull intervals doesn't
+  // scroll past six 280px Monaco editors first.
+  type TabKey = 'settings' | SectionKey;
+  const [activeTab, setActiveTab] = useState<TabKey>('settings');
+
   useEffect(() => {
     if (cfgQuery.data && draft === null) {
       setDraft(cfgQuery.data);
@@ -204,6 +267,34 @@ export function EnvConfigPage() {
         </div>
       </div>
 
+      {/* ── Tab bar ──
+          Settings tab first (slider-based, no Monaco) so the page loads
+          cheap on first view. Each section tab carries its dirty-state
+          dot so operators can see at a glance which sections have
+          pending edits without clicking through every tab. */}
+      <div
+        role="tablist"
+        aria-label="Configuration sections"
+        className="flex items-center gap-1 px-2 border-b border-[color:var(--border)] overflow-x-auto"
+      >
+        <TabButton
+          id="settings"
+          label="Settings"
+          active={activeTab === 'settings'}
+          onClick={() => setActiveTab('settings')}
+        />
+        {SECTIONS.map(({ key, label }) => (
+          <TabButton
+            key={key}
+            id={key}
+            label={label}
+            active={activeTab === key}
+            dirty={dirty.has(key)}
+            onClick={() => setActiveTab(key)}
+          />
+        ))}
+      </div>
+
       {saveErr && (
         <div className="px-4 py-2 border-b border-[color:var(--border)]">
           <p
@@ -216,13 +307,19 @@ export function EnvConfigPage() {
       )}
 
       <div className="flex-1 overflow-auto min-h-0 p-4 space-y-4">
-        {envInfo && (
-          <IntervalsCard env={env} envInfo={envInfo} qc={qc} />
-        )}
-        {envInfo && (
-          <ExpirationCard env={env} qc={qc} />
+        {activeTab === 'settings' && (
+          <>
+            {envInfo && (
+              <IntervalsCard env={env} envInfo={envInfo} qc={qc} />
+            )}
+            {envInfo && (
+              <ExpirationCard env={env} qc={qc} />
+            )}
+          </>
         )}
-        {SECTIONS.map(({ key, label, language, help }) => {
+
+        {SECTIONS.map(({ key, label, language, help, docsUrl }) => {
+          if (activeTab !== key) return null;
           const isDirty = dirty.has(key);
           const before = cfgQuery.data?.[key] ?? '';
           const after = draft[key];
@@ -230,6 +327,8 @@ export function EnvConfigPage() {
             <section
               key={key}
               className="border border-[color:var(--border)] rounded-md overflow-hidden bg-[color:var(--bg-1)]"
+              role="tabpanel"
+              aria-labelledby={`tab-${key}`}
             >
               <header className="flex items-center gap-3 px-3 py-2 bg-[color:var(--bg-0)] border-b border-[color:var(--border)]">
                 <h2
@@ -238,6 +337,7 @@ export function EnvConfigPage() {
                 >
                   {label}
                 </h2>
+                <DocsLink href={docsUrl} label={`${label.toLowerCase()} docs`} />
                 <p className="text-[10px] text-[color:var(--text-3)] truncate flex-1">{help}</p>
                 {isDirty && (
                   <span className="px-2 py-0.5 rounded-full text-[10px] font-medium bg-[rgba(var(--warning-r),var(--warning-g),var(--warning-b),0.12)] text-[color:var(--warning)]">
@@ -270,6 +370,30 @@ export function EnvConfigPage() {
                   Save section
                 </button>
               </header>
+
+              {/* Per-section inline form: Options + Schedule get the
+                  legacy admin's add-row affordance so operators don't
+                  have to know JSON to append a new entry. The forms
+                  parse the current draft, mutate the parsed object,
+                  re-serialize, and stuff it back into the draft state —
+                  same path Save section already validates. */}
+              {key === 'options' && (
+                <AddOptionForm
+                  draftValue={after}
+                  onAdd={(next) =>
+                    setDraft((d) => (d ? { ...d, options: next } : d))
+                  }
+                />
+              )}
+              {key === 'schedule' && (
+                <AddScheduledQueryForm
+                  draftValue={after}
+                  onAdd={(next) =>
+                    setDraft((d) => (d ? { ...d, schedule: next } : d))
+                  }
+                />
+              )}
+
               <CodeEditor
                 aria-labelledby={`section-${key}-label`}
                 value={after}
@@ -277,7 +401,7 @@ export function EnvConfigPage() {
                 onChange={(v) =>
                   setDraft((d) => (d ? { ...d, [key]: v } : d))
                 }
-                height="280px"
+                height="420px"
               />
               {isDirty && diffsOpen[key] && (
                 <div className="p-3 border-t border-[color:var(--border)]">
@@ -292,6 +416,52 @@ export function EnvConfigPage() {
   );
 }
 
+// ---------------------------------------------------------------------------
+// TabButton — underline tab matching the rest of the SPA. Renders a small
+// dot to the right of the label when `dirty` so unsaved edits in non-active
+// sections are visible without switching tabs.
+// ---------------------------------------------------------------------------
+function TabButton({
+  id,
+  label,
+  active,
+  dirty,
+  onClick,
+}: {
+  id: string;
+  label: string;
+  active: boolean;
+  dirty?: boolean;
+  onClick: () => void;
+}) {
+  return (
+    <button
+      type="button"
+      role="tab"
+      id={`tab-${id}`}
+      aria-selected={active}
+      onClick={onClick}
+      className={cn(
+        'inline-flex items-center gap-1.5 px-3 pt-2 pb-1.5 text-xs whitespace-nowrap',
+        'border-b-2 transition-colors',
+        'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+        active
+          ? 'border-[color:var(--signal)] text-[color:var(--text-1)] font-semibold'
+          : 'border-transparent text-[color:var(--text-3)] hover:text-[color:var(--text-1)]',
+      )}
+    >
+      {label}
+      {dirty && (
+        <span
+          aria-hidden
+          className="w-1.5 h-1.5 rounded-full bg-[color:var(--warning)]"
+          title="Unsaved changes"
+        />
+      )}
+    </button>
+  );
+}
+
 // ---------------------------------------------------------------------------
 // Intervals card
 // ---------------------------------------------------------------------------
@@ -348,10 +518,40 @@ function IntervalsCard({
       <p className="text-[10px] text-[color:var(--text-3)] mb-3">
         How often each node should poll for config / log / query updates (seconds).
       </p>
-      <div className="grid grid-cols-3 gap-3">
-        <IntervalField id="iv-cfg" label="config_interval" value={cfg} onChange={setCfg} />
-        <IntervalField id="iv-log" label="log_interval" value={lg} onChange={setLg} />
-        <IntervalField id="iv-qry" label="query_interval" value={qr} onChange={setQr} />
+      {/* Ranges match the legacy admin's conf.html sliders exactly:
+            Configuration  10–600, step 10
+            Logging        10–600, step 10
+            Query          10–300, step 1
+          Same min/max/step keeps fleets that were tuned on legacy
+          render identically here. */}
+      <div className="grid grid-cols-1 md:grid-cols-3 gap-4">
+        <IntervalField
+          id="iv-cfg"
+          label="Configuration Interval"
+          value={cfg}
+          onChange={setCfg}
+          min={10}
+          max={600}
+          step={10}
+        />
+        <IntervalField
+          id="iv-log"
+          label="Logging Interval"
+          value={lg}
+          onChange={setLg}
+          min={10}
+          max={600}
+          step={10}
+        />
+        <IntervalField
+          id="iv-qry"
+          label="Query Interval"
+          value={qr}
+          onChange={setQr}
+          min={10}
+          max={300}
+          step={1}
+        />
       </div>
 
       {err && (
@@ -381,40 +581,82 @@ function IntervalsCard({
   );
 }
 
+/**
+ * IntervalField — range slider with live numeric readout, mirroring the
+ * legacy admin's conf.html intervals form. min/max/step come from the
+ * caller so different fields can have different ranges (the legacy
+ * template has Query as 10–300 step 1 while Config/Logging are 10–600
+ * step 10). Bounds are also enforced when typing into the number input
+ * so the slider and the number stay in sync.
+ */
 function IntervalField({
   id,
   label,
   value,
   onChange,
+  min,
+  max,
+  step,
 }: {
   id: string;
   label: string;
   value: number;
   onChange: (v: number) => void;
+  min: number;
+  max: number;
+  step: number;
 }) {
+  function clamp(v: number) {
+    if (Number.isNaN(v)) return value;
+    return Math.min(max, Math.max(min, v));
+  }
   return (
     <div>
       <label
         htmlFor={id}
-        className="block text-xs font-semibold text-[color:var(--text-2)] mb-1 font-mono-tabular"
+        className="block text-xs font-medium text-[color:var(--text-2)] mb-1.5"
       >
-        {label}
+        {label}:{' '}
+        <span className="font-mono-tabular font-semibold text-[color:var(--text-1)] tabular-nums">
+          {value}
+        </span>{' '}
+        <span className="text-[color:var(--text-3)]">seconds</span>
       </label>
       <input
         id={id}
-        type="number"
-        min={1}
+        type="range"
+        min={min}
+        max={max}
+        step={step}
         value={value}
-        onChange={(e) => {
-          const v = Number(e.target.value);
-          if (!Number.isNaN(v) && v >= 1) onChange(v);
-        }}
+        onChange={(e) => onChange(clamp(Number(e.target.value)))}
         className={cn(
-          'w-full px-3 py-2 text-sm rounded-md border border-[color:var(--border)]',
-          'bg-[color:var(--bg-2)] text-[color:var(--text-1)] font-mono-tabular',
-          'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          'w-full accent-[color:var(--signal)] cursor-pointer',
+          'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
         )}
+        aria-valuemin={min}
+        aria-valuemax={max}
+        aria-valuenow={value}
       />
+      <div className="flex items-center justify-between mt-1 text-[10px] font-mono-tabular text-[color:var(--text-3)] tabular-nums">
+        <span>{min}</span>
+        <input
+          type="number"
+          min={min}
+          max={max}
+          step={step}
+          value={value}
+          onChange={(e) => onChange(clamp(Number(e.target.value)))}
+          className={cn(
+            'w-16 px-1.5 py-0.5 text-[10px] rounded',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)]',
+            'text-[color:var(--text-1)] font-mono-tabular text-center tabular-nums',
+            'focus:outline focus:outline-1 focus:outline-[color:var(--signal)]',
+          )}
+          aria-label={`${label} numeric value`}
+        />
+        <span>{max}</span>
+      </div>
     </div>
   );
 }
@@ -496,4 +738,263 @@ function ExpirationCard({
   );
 }
 
+// ---------------------------------------------------------------------------
+// AddOptionForm — inline form for the Options section. Lets operators
+// append an option flag (key + typed value) without hand-editing JSON.
+//
+// On Add: parse the current draft as a JSON object, assign the new
+// key with the typed value, re-serialize with 2-space indent so the
+// CodeEditor's formatter doesn't re-pivot the whole document, and
+// push the result back via onAdd. If the draft doesn't parse cleanly
+// we error inline — the operator can fix the JSON manually first,
+// then re-use the form.
+// ---------------------------------------------------------------------------
+function AddOptionForm({
+  draftValue,
+  onAdd,
+}: {
+  draftValue: string;
+  onAdd: (next: string) => void;
+}) {
+  const [name, setName] = useState('');
+  const [value, setValue] = useState('');
+  const [type, setType] = useState<'string' | 'integer' | 'boolean'>('string');
+  const [err, setErr] = useState<string | null>(null);
+
+  function handleAdd() {
+    setErr(null);
+    const trimmedName = name.trim();
+    if (!trimmedName) {
+      setErr('Option name is required.');
+      return;
+    }
+    if (RESERVED_OPTION_NAMES.has(trimmedName)) {
+      setErr(`"${trimmedName}" is a reserved JavaScript property name and can't be used as an option key.`);
+      return;
+    }
+    let parsed: Record<string, unknown>;
+    try {
+      const obj = JSON.parse(draftValue || '{}') as unknown;
+      if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
+        setErr('Options section is not a JSON object — fix it manually first.');
+        return;
+      }
+      parsed = obj as Record<string, unknown>;
+    } catch {
+      setErr('Options section has invalid JSON — fix it manually first.');
+      return;
+    }
+    let coerced: unknown = value;
+    if (type === 'integer') {
+      const n = Number(value);
+      if (!Number.isFinite(n)) {
+        setErr('Integer value must be a number.');
+        return;
+      }
+      coerced = n;
+    } else if (type === 'boolean') {
+      if (value !== 'true' && value !== 'false') {
+        setErr('Boolean value must be "true" or "false".');
+        return;
+      }
+      coerced = value === 'true';
+    }
+    parsed[trimmedName] = coerced;
+    onAdd(JSON.stringify(parsed, null, 2));
+    setName('');
+    setValue('');
+  }
+
+  return (
+    <div className="px-3 py-2 border-b border-[color:var(--border)] bg-[color:var(--bg-1)]">
+      <div className="flex items-center gap-2 flex-wrap">
+        <span className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] mr-1">
+          Add option
+        </span>
+        <input
+          type="text"
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          placeholder="option_name"
+          className={cn(
+            'flex-1 min-w-[120px] px-2 py-1 rounded text-xs font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-1)]',
+            'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          )}
+        />
+        <select
+          value={type}
+          onChange={(e) => setType(e.target.value as typeof type)}
+          className={cn(
+            'px-2 py-1 rounded text-xs font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-2)]',
+            'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          )}
+          aria-label="Option value type"
+        >
+          <option value="string">string</option>
+          <option value="integer">integer</option>
+          <option value="boolean">boolean</option>
+        </select>
+        <input
+          type="text"
+          value={value}
+          onChange={(e) => setValue(e.target.value)}
+          placeholder={type === 'boolean' ? 'true | false' : type === 'integer' ? '0' : 'value'}
+          className={cn(
+            'flex-1 min-w-[120px] px-2 py-1 rounded text-xs font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-1)]',
+            'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          )}
+        />
+        <button
+          type="button"
+          onClick={handleAdd}
+          className={cn(
+            'text-xs px-3 py-1 rounded font-medium',
+            'bg-[color:var(--signal)] text-black hover:bg-[color:var(--signal-bright)]',
+            'transition-colors',
+          )}
+        >
+          Add
+        </button>
+      </div>
+      {err && (
+        <p role="alert" className="mt-1.5 text-[11px] text-[color:var(--danger)]">
+          {err}
+        </p>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// AddScheduledQueryForm — inline form for the Schedule section.
+//
+// Same shape as AddOptionForm but the value is an object
+//   { "name": { "query": "<SQL>", "interval": <int> } }
+// per osquery's schedule format. interval defaults to 60s, matching
+// what the legacy admin's add-row affordance seeded the field with.
+// ---------------------------------------------------------------------------
+function AddScheduledQueryForm({
+  draftValue,
+  onAdd,
+}: {
+  draftValue: string;
+  onAdd: (next: string) => void;
+}) {
+  const [name, setName] = useState('');
+  const [query, setQuery] = useState('');
+  const [interval, setInterval] = useState(60);
+  const [err, setErr] = useState<string | null>(null);
+
+  function handleAdd() {
+    setErr(null);
+    const trimmedName = name.trim();
+    const trimmedQuery = query.trim();
+    if (!trimmedName) {
+      setErr('Query name is required.');
+      return;
+    }
+    if (!trimmedQuery) {
+      setErr('Query SQL is required.');
+      return;
+    }
+    if (!Number.isFinite(interval) || interval < 1) {
+      setErr('Interval must be a positive integer (seconds).');
+      return;
+    }
+    if (RESERVED_OPTION_NAMES.has(trimmedName)) {
+      setErr(`"${trimmedName}" is a reserved JavaScript property name and can't be used as a query name.`);
+      return;
+    }
+    let parsed: Record<string, unknown>;
+    try {
+      const obj = JSON.parse(draftValue || '{}') as unknown;
+      if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
+        setErr('Schedule section is not a JSON object — fix it manually first.');
+        return;
+      }
+      parsed = obj as Record<string, unknown>;
+    } catch {
+      setErr('Schedule section has invalid JSON — fix it manually first.');
+      return;
+    }
+    if (Object.prototype.hasOwnProperty.call(parsed, trimmedName)) {
+      setErr(`A query named "${trimmedName}" already exists in the schedule.`);
+      return;
+    }
+    parsed[trimmedName] = { query: trimmedQuery, interval };
+    onAdd(JSON.stringify(parsed, null, 2));
+    setName('');
+    setQuery('');
+    setInterval(60);
+  }
+
+  return (
+    <div className="px-3 py-2 border-b border-[color:var(--border)] bg-[color:var(--bg-1)] space-y-2">
+      <div className="flex items-center gap-2">
+        <span className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)]">
+          Add scheduled query
+        </span>
+      </div>
+      <div className="flex items-start gap-2 flex-wrap">
+        <input
+          type="text"
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          placeholder="query_name"
+          className={cn(
+            'w-[180px] px-2 py-1 rounded text-xs font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-1)]',
+            'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          )}
+        />
+        <input
+          type="text"
+          value={query}
+          onChange={(e) => setQuery(e.target.value)}
+          placeholder="SELECT … FROM osquery_info;"
+          className={cn(
+            'flex-1 min-w-[220px] px-2 py-1 rounded text-xs font-mono-tabular',
+            'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-1)]',
+            'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+          )}
+        />
+        <label className="flex items-center gap-1 text-[10px] font-mono-tabular text-[color:var(--text-3)]">
+          interval
+          <input
+            type="number"
+            min={1}
+            value={interval}
+            onChange={(e) => setInterval(Number(e.target.value))}
+            className={cn(
+              'w-16 px-2 py-1 rounded text-xs font-mono-tabular text-center tabular-nums',
+              'bg-[color:var(--bg-2)] border border-[color:var(--border)] text-[color:var(--text-1)]',
+              'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
+            )}
+          />
+          s
+        </label>
+        <button
+          type="button"
+          onClick={handleAdd}
+          className={cn(
+            'text-xs px-3 py-1 rounded font-medium',
+            'bg-[color:var(--signal)] text-black hover:bg-[color:var(--signal-bright)]',
+            'transition-colors',
+          )}
+        >
+          Add
+        </button>
+      </div>
+      {err && (
+        <p role="alert" className="text-[11px] text-[color:var(--danger)]">
+          {err}
+        </p>
+      )}
+    </div>
+  );
+}
+
 export default EnvConfigPage;
diff --git a/frontend/src/features/environments/EnvironmentsPage.tsx b/frontend/src/features/environments/EnvironmentsPage.tsx
index 3c458a5a..6598b11f 100644
--- a/frontend/src/features/environments/EnvironmentsPage.tsx
+++ b/frontend/src/features/environments/EnvironmentsPage.tsx
@@ -26,6 +26,12 @@ export function EnvironmentsPage() {
   const qc = useQueryClient();
   const [modal, setModal] = useState<ModalMode>({ kind: 'closed' });
 
+  // Multi-select state — matches the dock pattern used on Tags / Carves
+  // / Nodes / Users. Keyed by env name since DELETE /environments/{env}
+  // accepts the name as the path param.
+  const [selectedNames, setSelectedNames] = useState<Set<string>>(new Set());
+  const [bulkError, setBulkError] = useState<string | null>(null);
+
   const { data, isLoading, isFetching, isError, error, refetch } = useQuery({
     queryKey: ['environments'],
     queryFn: () => listEnvironments(),
@@ -44,6 +50,80 @@ export function EnvironmentsPage() {
     void refetch();
   }
 
+  // Header checkbox state — same shape as TagsPage's toggleAll.
+  const allVisibleNames = envs.map((e) => e.name);
+  const allChecked =
+    allVisibleNames.length > 0 &&
+    allVisibleNames.every((n) => selectedNames.has(n));
+  const someChecked = allVisibleNames.some((n) => selectedNames.has(n));
+
+  function toggleAll() {
+    if (allChecked) {
+      setSelectedNames(new Set());
+    } else {
+      setSelectedNames(new Set(allVisibleNames));
+    }
+  }
+
+  function toggleOne(name: string) {
+    setSelectedNames((prev) => {
+      const next = new Set(prev);
+      if (next.has(name)) next.delete(name);
+      else next.add(name);
+      return next;
+    });
+  }
+
+  // Bulk delete — the backend's Environments.Delete is a hard
+  // (unscoped) DB delete with no cascade check, so we surface the
+  // destructive nature in the confirm prompt. Per-name Promise.allSettled
+  // so a failing env doesn't block the rest.
+  const bulkDeleteMut = useMutation({
+    mutationFn: async (names: string[]) => {
+      const settled = await Promise.allSettled(
+        names.map((name) => deleteEnvironment(name)),
+      );
+      const failed = settled.filter((r) => r.status === 'rejected').length;
+      return { total: names.length, failed };
+    },
+    onSuccess: ({ total, failed }) => {
+      setSelectedNames(new Set());
+      if (failed > 0) {
+        setBulkError(`Deleted ${total - failed} of ${total} env(s); ${failed} failed.`);
+      } else {
+        setBulkError(null);
+      }
+      invalidate();
+    },
+    onError: (err) => {
+      if (err instanceof AuthError) {
+        void navigate({ to: '/login' });
+        return;
+      }
+      setBulkError(
+        err instanceof ApiError
+          ? err.message
+          : err instanceof Error
+            ? err.message
+            : 'Bulk delete failed',
+      );
+    },
+  });
+
+  function handleBulkDelete() {
+    const names = Array.from(selectedNames);
+    if (names.length === 0) return;
+    if (
+      !confirm(
+        `Delete ${names.length} environment${names.length === 1 ? '' : 's'}?\n\nNodes, queries, carves, and tags scoped to ${names.length === 1 ? 'this env' : 'these envs'} will be orphaned. This is not recoverable.`,
+      )
+    ) {
+      return;
+    }
+    setBulkError(null);
+    bulkDeleteMut.mutate(names);
+  }
+
   return (
     <div className="flex flex-col h-full min-h-0">
       <div className="flex items-center gap-3 px-4 py-3 border-b border-[color:var(--border)] flex-wrap">
@@ -83,6 +163,18 @@ export function EnvironmentsPage() {
         <table className="w-full text-sm border-collapse">
           <thead>
             <tr className="border-b border-[color:var(--border)] bg-[color:var(--bg-0)] sticky top-0 z-10">
+              <th scope="col" className="px-4 py-3 w-10">
+                <input
+                  type="checkbox"
+                  aria-label="Select all visible environments"
+                  checked={allChecked}
+                  ref={(el) => {
+                    if (el) el.indeterminate = someChecked && !allChecked;
+                  }}
+                  onChange={toggleAll}
+                  className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer"
+                />
+              </th>
               <th scope="col" className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide">
                 Name
               </th>
@@ -103,11 +195,11 @@ export function EnvironmentsPage() {
           </thead>
           <tbody>
             {isLoading &&
-              Array.from({ length: 4 }).map((_, i) => <SkeletonRow key={i} cells={6} />)}
+              Array.from({ length: 4 }).map((_, i) => <SkeletonRow key={i} cells={7} />)}
 
             {isError && !isLoading && (
               <tr>
-                <td colSpan={6}>
+                <td colSpan={7}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -132,7 +224,7 @@ export function EnvironmentsPage() {
 
             {!isLoading && !isError && envs.length === 0 && (
               <tr>
-                <td colSpan={6}>
+                <td colSpan={7}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -157,11 +249,25 @@ export function EnvironmentsPage() {
 
             {!isLoading &&
               !isError &&
-              envs.map((env) => (
+              envs.map((env) => {
+                const isSelected = selectedNames.has(env.name);
+                return (
                 <tr
                   key={env.id}
-                  className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors"
+                  className={cn(
+                    'border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors',
+                    isSelected && 'bg-[color:var(--signal)]/5',
+                  )}
                 >
+                  <td className="px-4 py-3">
+                    <input
+                      type="checkbox"
+                      aria-label={`Select environment ${env.name}`}
+                      checked={isSelected}
+                      onChange={() => toggleOne(env.name)}
+                      className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer"
+                    />
+                  </td>
                   <td className="px-4 py-3">
                     <span className="text-sm font-semibold text-[color:var(--text-1)] font-mono-tabular">
                       {env.name}
@@ -219,11 +325,78 @@ export function EnvironmentsPage() {
                     </button>
                   </td>
                 </tr>
-              ))}
+                );
+              })}
           </tbody>
         </table>
       </div>
 
+      {/* Multi-select dock — matches CarvesListPage / TagsPage / UsersPage. */}
+      {selectedNames.size > 0 && (
+        <div
+          role="toolbar"
+          aria-label="Bulk actions"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--border-strong)]',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-sm font-medium',
+            'z-50',
+          )}
+        >
+          <span className="text-[color:var(--text-2)] text-xs font-mono-tabular">
+            {selectedNames.size} selected
+          </span>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          {bulkError && (
+            <span className="text-xs text-[color:var(--danger)]">{bulkError}</span>
+          )}
+          <button
+            type="button"
+            disabled={bulkDeleteMut.isPending}
+            aria-label="Delete selected environments"
+            className="px-3 py-1 text-xs font-medium rounded text-[color:var(--danger)] hover:bg-[color:var(--bg-2)] transition-colors disabled:opacity-50"
+            onClick={handleBulkDelete}
+          >
+            {bulkDeleteMut.isPending ? 'Deleting…' : 'Delete'}
+          </button>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          <button
+            type="button"
+            aria-label="Clear selection"
+            onClick={() => setSelectedNames(new Set())}
+            className="px-2 py-1 text-xs font-medium rounded text-[color:var(--text-3)] hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)] transition-colors"
+          >
+            Clear
+          </button>
+        </div>
+      )}
+
+      {/* Bulk-error toast after selection clears. */}
+      {bulkError && selectedNames.size === 0 && (
+        <div
+          role="alert"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2 z-50',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--danger)]/40',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-xs text-[color:var(--danger)]',
+          )}
+        >
+          <span>{bulkError}</span>
+          <button
+            type="button"
+            onClick={() => setBulkError(null)}
+            className="text-[color:var(--text-3)] hover:text-[color:var(--text-1)]"
+            aria-label="Dismiss"
+          >
+            ×
+          </button>
+        </div>
+      )}
+
       {modal.kind === 'create' && (
         <CreateEnvModal
           onClose={() => setModal({ kind: 'closed' })}
diff --git a/frontend/src/features/login/LoginPage.tsx b/frontend/src/features/login/LoginPage.tsx
index a6e929d6..c714c7a3 100644
--- a/frontend/src/features/login/LoginPage.tsx
+++ b/frontend/src/features/login/LoginPage.tsx
@@ -5,11 +5,13 @@ import { z } from 'zod';
 import { useRouter } from '@tanstack/react-router';
 import { useQuery } from '@tanstack/react-query';
 import { cn } from '$/lib/cn';
-import { Logo } from '$/components/atoms/Logo';
 import { Button } from '$/components/atoms/Button';
 import { Input } from '$/components/atoms/Input';
 import { Label } from '$/components/atoms/Label';
 import { login, listAuthMethods } from '$/api/client';
+import { toggleTheme, getInitialTheme } from '$/lib/theme';
+import type { Theme } from '$/lib/design-tokens';
+import './login-trace-map.css';
 
 const loginSchema = z.object({
   username: z.string().min(1, 'Username is required'),
@@ -20,8 +22,13 @@ type LoginFormValues = z.infer<typeof loginSchema>;
 
 export function LoginPage() {
   const [serverError, setServerError] = useState<string | null>(null);
+  const [theme, setTheme] = useState<Theme>(() => getInitialTheme());
   const router = useRouter();
 
+  function onToggleTheme() {
+    setTheme(toggleTheme());
+  }
+
   const { data: authMethods } = useQuery({
     queryKey: ['auth-methods'],
     queryFn: () => listAuthMethods(),
@@ -55,15 +62,72 @@ export function LoginPage() {
 
   return (
     <div
-      className="min-h-screen flex items-center justify-center px-4"
-      style={{
-        background:
-          'radial-gradient(900px 600px at 50% 30%, rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.07) 0%, transparent 60%), var(--bg-0)',
-      }}
+      className="relative min-h-screen flex items-center justify-center px-4 overflow-hidden"
+      style={{ background: 'var(--bg-0)' }}
     >
+      {/* ── Trace Map background — three layered elements ──
+          1. Drifting circuit pattern (var(--circuit-url)) — repeats
+             diagonally over 25s, picking up the brand teal at low alpha.
+          2. Scanning spotlight — a bright teal disc that translates
+             across the viewport on a 12s loop, brightening the
+             traces underneath as it passes.
+          3. Static brand halo — radial gradient anchored behind the
+             card so the eye stays on the form.
+          All three layers respect prefers-reduced-motion (see
+          login-trace-map.css below — animations get killed).
+          z-index: 0 = circuit + spotlight, 1 = halo, 5 = card. */}
       <div
+        aria-hidden
+        className="login-trace-circuit"
+        style={{ position: 'absolute', inset: '-200px', zIndex: 0 }}
+      />
+      <div aria-hidden className="login-trace-spotlight" />
+      <div
+        aria-hidden
+        className="absolute inset-0 pointer-events-none"
+        style={{
+          background:
+            'radial-gradient(900px 600px at 50% 50%, rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.12) 0%, transparent 60%)',
+          zIndex: 1,
+        }}
+      />
+
+      {/* Theme toggle — fixed top-right; available pre-auth so operators
+          who land on a system in the wrong theme can flip without
+          logging in. Hugs the same visual language as the rest of the
+          SPA (border + bg-2 hover + teal focus ring). */}
+      <button
+        type="button"
+        onClick={onToggleTheme}
+        aria-label={`Switch to ${theme === 'dark' ? 'light' : 'dark'} theme`}
+        title={`Switch to ${theme === 'dark' ? 'light' : 'dark'} theme`}
         className={cn(
-          'w-full max-w-sm',
+          'absolute top-4 right-4 z-10',
+          'inline-flex items-center justify-center w-9 h-9 rounded-md',
+          'bg-[color:var(--bg-1)]/80 backdrop-blur border border-[color:var(--border)]',
+          'text-[color:var(--text-2)] hover:text-[color:var(--text-1)]',
+          'hover:border-[color:var(--signal)] transition-colors duration-150',
+          'focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2',
+          'focus-visible:outline-[color:var(--signal)]',
+        )}
+      >
+        {theme === 'dark' ? (
+          // sun (switch to light)
+          <svg viewBox="0 0 24 24" width="16" height="16" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden>
+            <circle cx="12" cy="12" r="4" />
+            <path d="M12 2v2M12 20v2M4.93 4.93l1.41 1.41M17.66 17.66l1.41 1.41M2 12h2M20 12h2M4.93 19.07l1.41-1.41M17.66 6.34l1.41-1.41" />
+          </svg>
+        ) : (
+          // moon (switch to dark)
+          <svg viewBox="0 0 24 24" width="16" height="16" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden>
+            <path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z" />
+          </svg>
+        )}
+      </button>
+
+      <div
+        className={cn(
+          'relative z-5 w-full max-w-sm',
           'bg-[color:var(--bg-1)] border border-[color:var(--border)]',
           'rounded-2xl p-8',
           'shadow-[0_10px_28px_rgba(0,0,0,0.32)]'
@@ -71,8 +135,30 @@ export function LoginPage() {
       >
         {/* Wordmark */}
         <div className="flex flex-col items-center mb-8">
-          <Logo size={48} />
-          <div className="mt-3 font-display text-2xl font-bold tracking-tight text-[color:var(--text-1)]">
+          {/* Original osctrl tower mark — two PNG variants ship, light
+              and dark. .osctrl-logo + the inner show/hide rules in
+              base.css pick the right one per theme. Same pattern as
+              the Logo atom uses for the in-app SideNav. */}
+          <span
+            className="osctrl-logo"
+            role="img"
+            aria-label="osctrl logo"
+            style={{ display: 'inline-block', width: 48, height: 48 }}
+          >
+            <img
+              src="/img/osctrl-logo.png"
+              alt=""
+              className="osctrl-logo-light"
+              style={{ display: 'block', width: '100%', height: '100%' }}
+            />
+            <img
+              src="/img/osctrl-logo-dark.png"
+              alt=""
+              className="osctrl-logo-dark"
+              style={{ display: 'block', width: '100%', height: '100%' }}
+            />
+          </span>
+          <div className="mt-3 font-wordmark text-2xl font-bold tracking-tight text-[color:var(--text-1)]">
             osctrl
           </div>
           <p className="mt-1 text-xs text-[color:var(--text-3)] font-mono-tabular uppercase tracking-[0.1em]">
diff --git a/frontend/src/features/login/login-trace-map.css b/frontend/src/features/login/login-trace-map.css
new file mode 100644
index 00000000..c947dcaf
--- /dev/null
+++ b/frontend/src/features/login/login-trace-map.css
@@ -0,0 +1,120 @@
+/* login-trace-map.css — Trace Map background animations for the login
+ * page. Two animated layers:
+ *
+ *   .login-trace-circuit — a tiled circuit-board SVG that scrolls
+ *     diagonally over 25s. The same asset is used in dark and light
+ *     themes; the SVG's fill is hardcoded to the brand teal at a low
+ *     alpha so it reads quietly on either background.
+ *
+ *   .login-trace-spotlight — a single soft-edged teal disc that
+ *     translates around the viewport on a 12s loop. Drives the
+ *     "something is alive here" feeling that the legacy login lacked.
+ *
+ * Both animations are disabled under prefers-reduced-motion so the
+ * page remains accessible per the brand guide motion rules. The
+ * spotlight is rendered with `mix-blend-mode: screen` so it
+ * brightens the circuit pattern beneath instead of stacking on top
+ * as a flat disc — costs almost nothing on modern GPUs.
+ */
+
+/* The circuit SVG is used as a CSS mask so its color and opacity come
+ * from CSS tokens, not the asset itself. Dark theme reads at ~10%
+ * teal alpha (subtle); light theme bumps to ~28% (so the pattern is
+ * legible on the brighter surface). The .circuit-color element does
+ * the actual painting; .login-trace-circuit handles the drift
+ * animation on top of it. */
+.login-trace-circuit {
+  /* The mask SVG is now a solid black silhouette of the circuit. We
+   * paint background-color at the alpha we actually want to see, the
+   * mask cuts away the negative space, and the result is a teal
+   * circuit pattern at exactly the chosen opacity. Earlier the SVG
+   * carried fill-opacity=0.06 which compounded with the mask and
+   * produced a far fainter result than the preview HTML. */
+  background-color: rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.14);
+  -webkit-mask-image: url(/img/circuit.svg);
+  mask-image: url(/img/circuit.svg);
+  -webkit-mask-repeat: repeat;
+  mask-repeat: repeat;
+  -webkit-mask-size: 200px 200px;
+  mask-size: 200px 200px;
+  animation: login-trace-drift 25s linear infinite;
+}
+[data-theme='light'] .login-trace-circuit {
+  background-color: rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.32);
+}
+
+.login-trace-spotlight {
+  position: absolute;
+  top: -120px;
+  left: -120px;
+  width: 320px;
+  height: 320px;
+  z-index: 0;
+  background: radial-gradient(
+    circle at center,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.45) 0%,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.18) 25%,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.06) 55%,
+    transparent 80%
+  );
+  filter: blur(8px);
+  /* Dark theme: screen blends the teal disc as a brightening highlight
+   * against --bg-0 (#07090c). Visible because there's plenty of room
+   * to brighten. */
+  mix-blend-mode: screen;
+  pointer-events: none;
+  animation: login-trace-scan 12s ease-in-out infinite;
+}
+/* Light theme: screen on a near-white surface produces no visible
+ * brightening — the disc effectively disappears. Switch to multiply
+ * so the disc darkens what it passes over (teal-tinted shadow effect)
+ * and bump opacity so the motion reads at all. */
+[data-theme='light'] .login-trace-spotlight {
+  background: radial-gradient(
+    circle at center,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.65) 0%,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.32) 25%,
+    rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.12) 55%,
+    transparent 80%
+  );
+  mix-blend-mode: multiply;
+}
+
+@keyframes login-trace-drift {
+  from {
+    background-position: 0 0;
+  }
+  to {
+    background-position: 400px 400px;
+  }
+}
+
+/* Move the spotlight disc around the tile. translate3d so the browser
+ * can promote to its own layer for smooth motion on integrated GPUs. */
+@keyframes login-trace-scan {
+  0% {
+    transform: translate3d(0, 0, 0);
+  }
+  20% {
+    transform: translate3d(60vw, 10vh, 0);
+  }
+  40% {
+    transform: translate3d(80vw, 50vh, 0);
+  }
+  60% {
+    transform: translate3d(20vw, 70vh, 0);
+  }
+  80% {
+    transform: translate3d(5vw, 30vh, 0);
+  }
+  100% {
+    transform: translate3d(0, 0, 0);
+  }
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .login-trace-circuit,
+  .login-trace-spotlight {
+    animation: none !important;
+  }
+}
diff --git a/frontend/src/features/nodes/NodeDetailPage.tsx b/frontend/src/features/nodes/NodeDetailPage.tsx
index 04b384b9..408e2a30 100644
--- a/frontend/src/features/nodes/NodeDetailPage.tsx
+++ b/frontend/src/features/nodes/NodeDetailPage.tsx
@@ -1,7 +1,7 @@
 import { useState, useRef, useEffect } from 'react';
 import { useParams, Link, useNavigate } from '@tanstack/react-router';
-import { useQuery } from '@tanstack/react-query';
-import { getNode, listNodeLogs } from '$/api/nodes';
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { getNode, listNodeLogs, deleteNode } from '$/api/nodes';
 import { getMe } from '$/api/users';
 import { listEnvironments } from '$/api/environments';
 import {
@@ -541,6 +541,36 @@ export function NodeDetailPage() {
     me?.admin === true ||
     (envUuid !== undefined && me?.permissions?.[envUuid]?.admin === true);
 
+  // Archive the current node. The backend's POST /nodes/{env}/delete
+  // handler maps to ArchiveDeleteByUUID — it always snapshots into the
+  // archive table BEFORE removing the live row, so every removal goes
+  // through the archive. We deliberately only expose this single op
+  // (no separate hard-delete) so accidental clicks remain forensically
+  // recoverable. Until an /archive page lands the recovery is "query
+  // archive_osquery_nodes" — but the snapshot exists.
+  const qc = useQueryClient();
+  const [actionError, setActionError] = useState<string | null>(null);
+  const archiveMut = useMutation({
+    mutationFn: () => deleteNode(env, uuid),
+    onSuccess: () => {
+      setActionError(null);
+      // Bust the listing caches so the Nodes table reflects removal
+      // before we land back on it.
+      void qc.invalidateQueries({ queryKey: ['nodes', env] });
+      void qc.invalidateQueries({ queryKey: ['node', env, uuid] });
+      void navigate({ to: '/_app/env/$env/nodes', params: { env } });
+    },
+    onError: (err) =>
+      setActionError(err instanceof Error ? err.message : 'Action failed'),
+  });
+
+  function handleArchive() {
+    if (!confirm(`Archive node ${node?.hostname ?? uuid}?\n\nThe node is snapshotted into the archive table and removed from the active list. A forensic record is retained.`)) {
+      return;
+    }
+    archiveMut.mutate();
+  }
+
   // Node-scoped activity heatmap — only fetched while the Activity tab is the
   // active panel, so flipping between Details/Status/Result doesn't keep a
   // dormant 30s polling timer alive in the background.
@@ -618,53 +648,42 @@ export function NodeDetailPage() {
                 archive=true, which the server gates on env-admin —
                 so the button hides for non-admins same as Delete. */}
             <div className="flex items-center gap-2 flex-shrink-0">
+              {/* Single archive action — no separate hard-delete button.
+                  Archive snapshots the node into archive_osquery_nodes
+                  before removing the live row, so every removal is
+                  forensically recoverable. The two-button shape that
+                  used to live here looked like soft vs hard but mapped
+                  to the same backend op, which read as misleading. If
+                  a true hard-delete is ever needed it should land as a
+                  separate package-level call gated behind a stronger
+                  confirmation. */}
               {canDeleteNode && (
                 <button
                   type="button"
                   aria-label="Archive this node"
-                  onClick={() => {
-                    // TODO: POST /api/v1/nodes/{env}/delete with { uuid, archive: true }
-                    // Awaits the bulk-action archive endpoint contract in pkg/nodes.
-                  }}
-                  className={cn(
-                    'px-3 py-1.5 text-xs font-medium rounded',
-                    'border border-[color:var(--border)] text-[color:var(--text-2)]',
-                    'bg-[color:var(--bg-2)]',
-                    'hover:border-[color:var(--border-strong)] hover:text-[color:var(--text-1)]',
-                    'transition-colors',
-                    'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
-                  )}
-                >
-                  Archive
-                </button>
-              )}
-
-              {/* Refresh button intentionally absent — POST
-                  /nodes/{env}/refresh isn't implemented yet. We
-                  used to render a disabled placeholder with a "API
-                  not yet available" tooltip; operators found the
-                  greyed-out button confusing (looked broken).
-                  Restore as a live button when the endpoint lands. */}
-
-              {canDeleteNode && (
-                <button
-                  type="button"
-                  aria-label="Delete this node"
-                  onClick={() => {
-                    // TODO: open delete confirmation modal (polish)
-                  }}
+                  onClick={handleArchive}
+                  disabled={archiveMut.isPending}
                   className={cn(
                     'px-3 py-1.5 text-xs font-medium rounded',
                     'border border-[color:var(--danger)] text-[color:var(--danger)]',
                     'hover:bg-[color:var(--danger)] hover:text-white',
                     'transition-colors',
                     'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+                    'disabled:opacity-50 disabled:cursor-not-allowed',
                   )}
                 >
-                  Delete
+                  {archiveMut.isPending ? 'Archiving…' : 'Archive'}
                 </button>
               )}
             </div>
+            {actionError && (
+              <div
+                role="alert"
+                className="mt-2 w-full text-xs text-[color:var(--danger)] font-mono-tabular"
+              >
+                {actionError}
+              </div>
+            )}
           </>
         ) : isError ? (
           <EmptyState
diff --git a/frontend/src/features/nodes/NodesTablePage.test.tsx b/frontend/src/features/nodes/NodesTablePage.test.tsx
index 41b3bfa4..5ad0c96f 100644
--- a/frontend/src/features/nodes/NodesTablePage.test.tsx
+++ b/frontend/src/features/nodes/NodesTablePage.test.tsx
@@ -211,7 +211,10 @@ describe('NodesTablePage', () => {
       expect(screen.getByText('web-server-01')).toBeInTheDocument();
     });
 
-    const activeTab = screen.getByRole('button', { name: /^active$/i });
+    // The status filter is now part of QuickFiltersGroup (chip pad)
+    // which exposes itself via aria-label="Filter: Active" rather than
+    // the bare button text 'active' that the old inline status pad used.
+    const activeTab = screen.getByRole('button', { name: /^filter: active/i });
     await user.click(activeTab);
 
     await waitFor(() => {
diff --git a/frontend/src/features/nodes/NodesTablePage.tsx b/frontend/src/features/nodes/NodesTablePage.tsx
index a266ecaf..644b43e0 100644
--- a/frontend/src/features/nodes/NodesTablePage.tsx
+++ b/frontend/src/features/nodes/NodesTablePage.tsx
@@ -1,7 +1,7 @@
 import { useState } from 'react';
 import { useParams, useSearch, useNavigate, Link } from '@tanstack/react-router';
 import { useQuery, useMutation } from '@tanstack/react-query';
-import { listNodes, type NodePlatform } from '$/api/nodes';
+import { listNodes, deleteNode, type NodePlatform } from '$/api/nodes';
 import { getStats, getNodeActivityBatch, type NodeActivityBucket } from '$/api/stats';
 import { listEnvTags, tagNode } from '$/api/tags';
 import { getMe } from '$/api/users';
@@ -83,12 +83,16 @@ interface QuickFilter {
   onClick: () => void;
 }
 
-function QuickFiltersRow({ filters }: { filters: QuickFilter[] }) {
+function QuickFiltersGroup({ filters }: { filters: QuickFilter[] }) {
+  // Same StatusTabs-style segmented pad as before, but without the
+  // surrounding row chrome — meant to slot into the main toolbar
+  // alongside the page title and search box so the whole header reads
+  // as a single line (matches CarvesListPage layout).
   return (
     <div
       role="toolbar"
       aria-label="Quick filters"
-      className="flex items-center gap-1.5 px-4 py-2.5 border-b border-[color:var(--border)] overflow-x-auto"
+      className="flex items-center gap-1 rounded-md bg-[color:var(--bg-2)] p-0.5 border border-[color:var(--border)]"
     >
       {filters.map((f) => (
         <button
@@ -98,12 +102,12 @@ function QuickFiltersRow({ filters }: { filters: QuickFilter[] }) {
           aria-pressed={f.active}
           aria-label={`Filter: ${f.label}${f.count != null ? ` (${f.count})` : ''}`}
           className={cn(
-            'inline-flex items-center gap-1.5 px-2.5 py-1 rounded-full',
-            'text-[11px] font-medium transition-colors duration-[120ms]',
-            'border focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+            'inline-flex items-center gap-1.5 px-3 py-1 rounded',
+            'text-xs font-medium transition-colors',
+            'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
             f.active
-              ? 'bg-[color:var(--signal)]/12 text-[color:var(--signal-bright,var(--signal))] border-[color:var(--signal)]/40'
-              : 'bg-[color:var(--bg-2)] text-[color:var(--text-2)] border-[color:var(--border)] hover:text-[color:var(--text-1)] hover:border-[color:var(--border-strong)]',
+              ? 'bg-[color:var(--bg-1)] text-[color:var(--text-1)] shadow-sm'
+              : 'text-[color:var(--text-2)] hover:text-[color:var(--text-1)]',
           )}
         >
           <span>{f.label}</span>
@@ -111,7 +115,7 @@ function QuickFiltersRow({ filters }: { filters: QuickFilter[] }) {
             <span
               className={cn(
                 'font-mono-tabular tabular-nums text-[10px]',
-                f.active ? 'text-[color:var(--signal-bright,var(--signal))]' : 'text-[color:var(--text-3)]',
+                f.active ? 'text-[color:var(--text-2)]' : 'text-[color:var(--text-3)]',
               )}
             >
               {f.count.toLocaleString()}
@@ -343,6 +347,7 @@ export function NodesTablePage() {
 
   const [selectedUuids, setSelectedUuids] = useState<Set<string>>(new Set());
   const [tagModalOpen, setTagModalOpen] = useState(false);
+  const [bulkError, setBulkError] = useState<string | null>(null);
 
   function updateSearch(patch: Record<string, string | number | undefined>) {
     void navigate({
@@ -398,6 +403,43 @@ export function NodesTablePage() {
     placeholderData: (prev: NodesPagedResponse | undefined) => prev,
   });
 
+  // Bulk archive + delete the selected nodes. Backend exposes one
+  // per-uuid endpoint (POST /nodes/{env}/delete) which is also the
+  // legacy admin's archive-and-remove op. We fire one request per
+  // uuid and collect per-row failures so a partial success can still
+  // surface "deleted 7, failed 2" rather than the whole batch
+  // turning red on the first 404.
+  const bulkArchiveMut = useMutation({
+    mutationFn: async (uuids: string[]) => {
+      const settled = await Promise.allSettled(
+        uuids.map((uuid) => deleteNode(env, uuid)),
+      );
+      const failed = settled.filter((r) => r.status === 'rejected').length;
+      return { total: uuids.length, failed };
+    },
+    onSuccess: ({ total, failed }) => {
+      setSelectedUuids(new Set());
+      if (failed > 0) {
+        setBulkError(`Archived ${total - failed} of ${total} node(s); ${failed} failed.`);
+      } else {
+        setBulkError(null);
+      }
+      void refetch();
+    },
+    onError: (err) =>
+      setBulkError(err instanceof Error ? err.message : 'Bulk archive failed'),
+  });
+
+  function handleBulkArchive() {
+    const uuids = Array.from(selectedUuids);
+    if (uuids.length === 0) return;
+    if (!confirm(`Archive ${uuids.length} node${uuids.length === 1 ? '' : 's'}?\n\nEach node is snapshotted into the archive table and removed from the active list. Forensic records are retained.`)) {
+      return;
+    }
+    setBulkError(null);
+    bulkArchiveMut.mutate(uuids);
+  }
+
   // Stats — drives the QuickFilters chip counts. Cross-env totals; we surface
   // the per-env subset from data?.total_items when active.
   const { data: statsData } = useQuery({
@@ -524,36 +566,17 @@ export function NodesTablePage() {
   // ---------------------------------------------------------------------------
   return (
     <div className="flex flex-col h-full min-h-0">
-      {/* ── QuickFilters chip row ── */}
-      <QuickFiltersRow filters={quickFilters} />
-
-      {/* ── Toolbar (status tabs + search + page size) ── */}
-      <div className="flex items-center gap-3 px-4 py-2.5 border-b border-[color:var(--border)] flex-wrap">
-        {/*
-          Status tabs preserved alongside the QuickFilters row. The chip row
-          is the visually-loud entry point; the status tab triplet stays for
-          keyboard parity, screen-reader users who scan toolbars, and so the
-          existing test fixtures (`getByRole('button', {name: /^active$/i})`)
-          keep finding a match.
-        */}
-        <div className="flex items-center gap-1 rounded-md bg-[color:var(--bg-2)] p-0.5 border border-[color:var(--border)]">
-          {(['all', 'active', 'inactive'] as NodeStatus[]).map((s) => (
-            <button
-              key={s}
-              type="button"
-              onClick={() => updateSearch({ status: s === 'all' ? undefined : s, page: 1 })}
-              className={cn(
-                'px-3 py-1 text-xs font-medium rounded transition-colors capitalize',
-                'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
-                status === s
-                  ? 'bg-[color:var(--bg-1)] text-[color:var(--text-1)] shadow-sm'
-                  : 'text-[color:var(--text-2)] hover:text-[color:var(--text-1)]',
-              )}
-            >
-              {s}
-            </button>
-          ))}
-        </div>
+      {/* ── Toolbar — single line matching CarvesListPage:
+              [Title] [Status+platform chip pad] [Search] [Page size] [Refreshing…]
+          Previously the chip pad lived in its own row above the search
+          bar; folding both into one toolbar trims a row of vertical
+          chrome and matches the env's other list pages. ── */}
+      <div className="flex items-center gap-3 px-4 py-3 border-b border-[color:var(--border)] flex-wrap">
+        <h1 className="font-display text-lg font-semibold text-[color:var(--text-1)] mr-2">
+          Nodes
+        </h1>
+
+        <QuickFiltersGroup filters={quickFilters} />
 
         <div className="flex-1 max-w-xs">
           <SearchInput
@@ -839,13 +862,16 @@ export function NodesTablePage() {
           {canDeleteNodes && (
             <button
               type="button"
-              aria-label="Delete selected nodes"
-              className="px-3 py-1 text-xs font-medium rounded text-[color:var(--danger)] hover:bg-[color:var(--bg-2)] transition-colors"
-              onClick={() => {
-                // TODO: wire delete mutation when DeleteNodeHandler integration tests are written
-              }}
+              aria-label="Archive selected nodes"
+              disabled={bulkArchiveMut.isPending}
+              className={cn(
+                'px-3 py-1 text-xs font-medium rounded text-[color:var(--danger)]',
+                'hover:bg-[color:var(--bg-2)] transition-colors',
+                'disabled:opacity-50 disabled:cursor-not-allowed',
+              )}
+              onClick={handleBulkArchive}
             >
-              Delete…
+              {bulkArchiveMut.isPending ? 'Archiving…' : 'Archive…'}
             </button>
           )}
           <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
@@ -872,6 +898,31 @@ export function NodesTablePage() {
           }}
         />
       )}
+
+      {/* Bulk-action result toast — sits at the bottom centre when no
+          selection exists (so it doesn't overlap the dock toolbar). */}
+      {bulkError && selectedUuids.size === 0 && (
+        <div
+          role="alert"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2 z-50',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--danger)]/40',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-xs text-[color:var(--danger)]',
+          )}
+        >
+          <span>{bulkError}</span>
+          <button
+            type="button"
+            onClick={() => setBulkError(null)}
+            className="text-[color:var(--text-3)] hover:text-[color:var(--text-1)]"
+            aria-label="Dismiss"
+          >
+            ×
+          </button>
+        </div>
+      )}
     </div>
   );
 }
diff --git a/frontend/src/features/profile/ProfilePage.tsx b/frontend/src/features/profile/ProfilePage.tsx
index 21571151..f41d3c09 100644
--- a/frontend/src/features/profile/ProfilePage.tsx
+++ b/frontend/src/features/profile/ProfilePage.tsx
@@ -8,7 +8,7 @@ import {
   refreshUserToken,
   deleteUserToken,
 } from '$/api/users';
-import { AuthError, ApiError } from '$/api/client';
+import { AuthError, ApiError, primeCsrfFromCookie } from '$/api/client';
 import { cn } from '$/lib/cn';
 import { formatRelative } from '$/lib/time';
 import { toggleTheme, getInitialTheme } from '$/lib/theme';
@@ -114,6 +114,13 @@ export function ProfilePage() {
       return refreshUserToken(me.username);
     },
     onSuccess: () => {
+      // Self-rotate: the API just re-issued osctrl_token + osctrl_csrf
+      // cookies with the freshly minted JWT. Re-prime the in-memory
+      // CSRF from the new cookie so subsequent X-CSRF-Token headers
+      // carry the rotated value — otherwise the next mutation
+      // (e.g. revoke or password change) sends a stale CSRF and the
+      // server rejects it.
+      primeCsrfFromCookie();
       setTokenErr(null);
       setTokenMsg('Token rotated. Store it now — it will not be shown again.');
       void refetch();
@@ -150,11 +157,14 @@ export function ProfilePage() {
 
   // Derived display bits for the hero strip.
   const initials = me ? deriveInitials(me.fullname || me.username) : '';
-  const roleLabel = me?.admin ? 'super-admin' : me?.service ? 'service' : 'operator';
 
   return (
     <div className="flex flex-col h-full min-h-0 overflow-auto">
-      {/* ── Page header ─────────────────────────────────────────────────── */}
+      {/* ── Page header ──
+          Slim two-line: kicker + h1. The previous subtitle restated
+          what the four cards below already say (account · password ·
+          token · theme) so it's redundant; the kicker plus the cards'
+          own titles carry the same information without the noise. */}
       <div className="px-6 py-4 border-b border-[color:var(--border)]">
         <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] mb-0.5 select-none">
           account · profile
@@ -162,9 +172,6 @@ export function ProfilePage() {
         <h1 className="font-display text-lg font-semibold text-[color:var(--text-1)]">
           Your profile
         </h1>
-        <p className="text-sm text-[color:var(--text-2)] mt-0.5">
-          Update your contact details, password, API token and theme preference.
-        </p>
       </div>
 
       {/* ── Hero strip ──────────────────────────────────────────────────── */}
@@ -220,7 +227,9 @@ export function ProfilePage() {
             {/* Spacer */}
             <div className="flex-1 min-w-0" />
 
-            {/* Timestamps */}
+            {/* Last access — Token expires used to live here too but it's
+                already shown inside the API token card below; duplicating
+                it in the hero was visual noise. */}
             <div className="flex items-center gap-6 flex-wrap">
               <div>
                 <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] mb-0.5">
@@ -233,278 +242,261 @@ export function ProfilePage() {
                   {formatRelative(me.last_access)}
                 </div>
               </div>
-              <div>
-                <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] mb-0.5">
-                  Token expires
-                </div>
-                <div
-                  className="text-xs tnum text-[color:var(--text-1)]"
-                  title={me.token_expire}
-                >
-                  {formatRelative(me.token_expire)}
-                </div>
-              </div>
             </div>
           </div>
         )}
       </div>
 
-      {/* ── Body ────────────────────────────────────────────────────────── */}
-      <div className="flex flex-col xl:flex-row gap-6 p-6">
-        {/* ─ Left column: My account ─────────────────────────────────── */}
-        <div className="flex-1 max-w-xl">
-          {isLoading || !me ? (
-            <Panel id="profile-section-title" title="My account">
-              <div className="space-y-4">
-                <Skeleton className="h-9 w-full" />
-                <Skeleton className="h-9 w-full" />
-                <Skeleton className="h-8 w-32" />
+      {/* ── Body ──
+          Four focused cards in a responsive 2-col grid. The previous
+          single "Security" mega-card stacked password / token / theme
+          / role under one heading, which forced operators to mentally
+          parse hairlines as section dividers. One card per job balances
+          the page and matches the brand kit's "cards differentiate by
+          border + faint bg shift" guidance. Role used to be tacked at
+          the bottom of Security too — the hero badge already shows it,
+          so it's gone from here. */}
+      <div className="grid grid-cols-1 lg:grid-cols-2 gap-5 p-6">
+        {/* ─ Account ─ */}
+        {isLoading || !me ? (
+          <Panel id="profile-section-title" title="Account">
+            <div className="space-y-4">
+              <Skeleton className="h-9 w-full" />
+              <Skeleton className="h-9 w-full" />
+              <Skeleton className="h-8 w-32" />
+            </div>
+          </Panel>
+        ) : (
+          <Panel id="profile-section-title" title="Account">
+            <form
+              onSubmit={(e) => {
+                e.preventDefault();
+                profileMutation.mutate();
+              }}
+              className="space-y-4"
+              aria-labelledby="profile-section-title"
+            >
+              <div>
+                <FieldLabel htmlFor="profile-email">Email</FieldLabel>
+                <Input
+                  id="profile-email"
+                  type="email"
+                  value={email}
+                  onChange={(e) => setEmail(e.target.value)}
+                  autoComplete="email"
+                />
               </div>
-            </Panel>
-          ) : (
-            <Panel id="profile-section-title" title="My account">
-              <form
-                onSubmit={(e) => {
-                  e.preventDefault();
-                  profileMutation.mutate();
-                }}
-                className="space-y-4"
-                aria-labelledby="profile-section-title"
-              >
-                <div>
-                  <FieldLabel htmlFor="profile-email">Email</FieldLabel>
-                  <Input
-                    id="profile-email"
-                    type="email"
-                    value={email}
-                    onChange={(e) => setEmail(e.target.value)}
-                    autoComplete="email"
-                  />
-                </div>
-                <div>
-                  <FieldLabel htmlFor="profile-fullname">Full name</FieldLabel>
-                  <Input
-                    id="profile-fullname"
-                    type="text"
-                    value={fullname}
-                    onChange={(e) => setFullname(e.target.value)}
-                    autoComplete="name"
-                  />
-                </div>
-
-                {profileErr && <Feedback kind="error" message={profileErr} />}
-                {profileOK && <Feedback kind="success" message={profileOK} />}
-
-                <div className="pt-1">
-                  <Button
-                    type="submit"
-                    variant="primary"
-                    size="sm"
-                    disabled={profileMutation.isPending}
-                  >
-                    {profileMutation.isPending ? 'Saving…' : 'Save changes'}
-                  </Button>
-                </div>
-              </form>
-            </Panel>
-          )}
-        </div>
-
-        {/* ─ Right column: Security ──────────────────────────────────── */}
-        <div className="w-full xl:w-[360px] flex-shrink-0">
-          {isLoading || !me ? (
-            <Panel title="Security">
-              <div className="space-y-4">
-                <Skeleton className="h-9 w-full" />
-                <Skeleton className="h-9 w-full" />
-                <Skeleton className="h-9 w-full" />
-                <Skeleton className="h-8 w-32" />
+              <div>
+                <FieldLabel htmlFor="profile-fullname">Full name</FieldLabel>
+                <Input
+                  id="profile-fullname"
+                  type="text"
+                  value={fullname}
+                  onChange={(e) => setFullname(e.target.value)}
+                  autoComplete="name"
+                />
               </div>
-            </Panel>
-          ) : (
-            <Panel title="Security">
-              {/* ── Change password ──────────────────────────────────── */}
-              <form
-                onSubmit={(e) => {
-                  e.preventDefault();
-                  passwordMutation.mutate();
-                }}
-                className="space-y-4"
-                aria-label="Change password"
-              >
-                <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] select-none">
-                  Change password
-                </div>
-
-                <div>
-                  <FieldLabel htmlFor="pwd-current">Current password</FieldLabel>
-                  <Input
-                    id="pwd-current"
-                    type="password"
-                    value={currentPwd}
-                    onChange={(e) => setCurrentPwd(e.target.value)}
-                    autoComplete="current-password"
-                  />
-                </div>
-                <div>
-                  <FieldLabel htmlFor="pwd-new">New password</FieldLabel>
-                  <Input
-                    id="pwd-new"
-                    type="password"
-                    value={newPwd}
-                    onChange={(e) => setNewPwd(e.target.value)}
-                    autoComplete="new-password"
-                    minLength={8}
-                  />
-                  <p className="mt-1 text-[10px] text-[color:var(--text-3)]">
-                    Minimum 8 characters.
-                  </p>
-                </div>
-                <div>
-                  <FieldLabel htmlFor="pwd-confirm">Confirm new password</FieldLabel>
-                  <Input
-                    id="pwd-confirm"
-                    type="password"
-                    value={confirmPwd}
-                    onChange={(e) => setConfirmPwd(e.target.value)}
-                    autoComplete="new-password"
-                    minLength={8}
-                  />
-                </div>
-
-                {pwdErr && <Feedback kind="error" message={pwdErr} />}
-                {pwdOK && <Feedback kind="success" message={pwdOK} />}
-
-                <div className="pt-1">
-                  <Button
-                    type="submit"
-                    variant="primary"
-                    size="sm"
-                    disabled={passwordMutation.isPending}
-                  >
-                    {passwordMutation.isPending ? 'Changing…' : 'Change password'}
-                  </Button>
-                </div>
-              </form>
 
-              {/* ── Divider ──────────────────────────────────────────── */}
-              <div className="border-t border-[color:var(--border)] my-5" />
+              {profileErr && <Feedback kind="error" message={profileErr} />}
+              {profileOK && <Feedback kind="success" message={profileOK} />}
 
-              {/* ── API token ────────────────────────────────────────── */}
-              <div className="space-y-3">
-                <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] select-none">
-                  API token
-                </div>
-
-                <div
-                  className={cn(
-                    'flex items-center justify-between gap-3 px-3 py-2',
-                    'rounded-md border border-[color:var(--border)] bg-[color:var(--bg-2)]',
-                  )}
+              <div className="pt-1">
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="sm"
+                  disabled={profileMutation.isPending}
                 >
-                  <span
-                    className="font-mono-tabular text-xs text-[color:var(--text-2)] tracking-wider truncate"
-                    aria-label="Token (masked)"
-                  >
-                    ········••••
-                  </span>
-                  <span
-                    className="text-[10px] font-mono-tabular text-[color:var(--text-3)] tnum whitespace-nowrap"
-                    title={me.token_expire}
-                  >
-                    expires {formatRelative(me.token_expire)}
-                  </span>
-                </div>
+                  {profileMutation.isPending ? 'Saving…' : 'Save changes'}
+                </Button>
+              </div>
+            </form>
+          </Panel>
+        )}
 
-                <p className="text-[10px] text-[color:var(--text-3)] leading-relaxed">
-                  The raw token is never displayed after issuance. Rotate to mint a
-                  new one — the previous token will stop working immediately.
+        {/* ─ Password ─ */}
+        {isLoading || !me ? (
+          <Panel title="Password">
+            <div className="space-y-4">
+              <Skeleton className="h-9 w-full" />
+              <Skeleton className="h-9 w-full" />
+              <Skeleton className="h-9 w-full" />
+              <Skeleton className="h-8 w-32" />
+            </div>
+          </Panel>
+        ) : (
+          <Panel title="Password">
+            <form
+              onSubmit={(e) => {
+                e.preventDefault();
+                passwordMutation.mutate();
+              }}
+              className="space-y-4"
+              aria-label="Change password"
+            >
+              <div>
+                <FieldLabel htmlFor="pwd-current">Current password</FieldLabel>
+                <Input
+                  id="pwd-current"
+                  type="password"
+                  value={currentPwd}
+                  onChange={(e) => setCurrentPwd(e.target.value)}
+                  autoComplete="current-password"
+                />
+              </div>
+              <div>
+                <FieldLabel htmlFor="pwd-new">New password</FieldLabel>
+                <Input
+                  id="pwd-new"
+                  type="password"
+                  value={newPwd}
+                  onChange={(e) => setNewPwd(e.target.value)}
+                  autoComplete="new-password"
+                  minLength={8}
+                />
+                <p className="mt-1 text-[10px] text-[color:var(--text-3)]">
+                  Minimum 8 characters.
                 </p>
+              </div>
+              <div>
+                <FieldLabel htmlFor="pwd-confirm">Confirm new password</FieldLabel>
+                <Input
+                  id="pwd-confirm"
+                  type="password"
+                  value={confirmPwd}
+                  onChange={(e) => setConfirmPwd(e.target.value)}
+                  autoComplete="new-password"
+                  minLength={8}
+                />
+              </div>
 
-                {tokenErr && <Feedback kind="error" message={tokenErr} />}
-                {tokenMsg && <Feedback kind="success" message={tokenMsg} />}
+              {pwdErr && <Feedback kind="error" message={pwdErr} />}
+              {pwdOK && <Feedback kind="success" message={pwdOK} />}
 
-                <div className="flex items-center gap-2 flex-wrap">
-                  <Button
-                    type="button"
-                    variant="ghost"
-                    size="sm"
-                    disabled={rotateMutation.isPending || revokeMutation.isPending}
-                    onClick={() => rotateMutation.mutate()}
-                  >
-                    {rotateMutation.isPending ? 'Rotating…' : 'Rotate token'}
-                  </Button>
-                  <Button
-                    type="button"
-                    variant="danger"
-                    size="sm"
-                    disabled={revokeMutation.isPending || rotateMutation.isPending}
-                    onClick={() => revokeMutation.mutate()}
-                  >
-                    {revokeMutation.isPending ? 'Revoking…' : 'Revoke'}
-                  </Button>
-                </div>
+              <div className="pt-1">
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="sm"
+                  disabled={passwordMutation.isPending}
+                >
+                  {passwordMutation.isPending ? 'Changing…' : 'Change password'}
+                </Button>
               </div>
+            </form>
+          </Panel>
+        )}
 
-              {/* ── Divider ──────────────────────────────────────────── */}
-              <div className="border-t border-[color:var(--border)] my-5" />
+        {/* ─ API token ─ */}
+        {isLoading || !me ? (
+          <Panel title="API token">
+            <div className="space-y-3">
+              <Skeleton className="h-10 w-full" />
+              <Skeleton className="h-8 w-40" />
+            </div>
+          </Panel>
+        ) : (
+          <Panel title="API token">
+            <div className="space-y-3">
+              <div
+                className={cn(
+                  'flex items-center justify-between gap-3 px-3 py-2',
+                  'rounded-md border border-[color:var(--border)] bg-[color:var(--bg-2)]',
+                )}
+              >
+                <span
+                  className="font-mono-tabular text-xs text-[color:var(--text-2)] tracking-wider truncate"
+                  aria-label="Token (masked)"
+                >
+                  ········••••
+                </span>
+                <span
+                  className="text-[10px] font-mono-tabular text-[color:var(--text-3)] tnum whitespace-nowrap"
+                  title={me.token_expire}
+                >
+                  expires {formatRelative(me.token_expire)}
+                </span>
+              </div>
 
-              {/* ── Preferences ──────────────────────────────────────── */}
-              <div className="space-y-3">
-                <div className="text-[10px] font-mono-tabular uppercase tracking-[0.14em] text-[color:var(--text-3)] select-none">
-                  Preferences
+              <p className="text-[10px] text-[color:var(--text-3)] leading-relaxed">
+                The raw token is never displayed after issuance. Rotate to mint a
+                new one — the previous token will stop working immediately.
+              </p>
+
+              {tokenErr && <Feedback kind="error" message={tokenErr} />}
+              {tokenMsg && <Feedback kind="success" message={tokenMsg} />}
+
+              <div className="flex items-center gap-2 flex-wrap">
+                <Button
+                  type="button"
+                  variant="ghost"
+                  size="sm"
+                  disabled={rotateMutation.isPending || revokeMutation.isPending}
+                  onClick={() => rotateMutation.mutate()}
+                >
+                  {rotateMutation.isPending ? 'Rotating…' : 'Rotate token'}
+                </Button>
+                <Button
+                  type="button"
+                  variant="danger"
+                  size="sm"
+                  disabled={revokeMutation.isPending || rotateMutation.isPending}
+                  onClick={() => revokeMutation.mutate()}
+                >
+                  {revokeMutation.isPending ? 'Revoking…' : 'Revoke'}
+                </Button>
+              </div>
+            </div>
+          </Panel>
+        )}
+
+        {/* ─ Preferences ─ */}
+        {isLoading || !me ? (
+          <Panel title="Preferences">
+            <Skeleton className="h-10 w-full" />
+          </Panel>
+        ) : (
+          <Panel title="Preferences">
+            <div className="flex items-center justify-between gap-3">
+              <div>
+                <div className="text-xs text-[color:var(--text-1)] font-medium">
+                  Color theme
                 </div>
+                <div className="text-[10px] text-[color:var(--text-3)]">
+                  Persists across reloads.
+                </div>
+              </div>
 
-                <div className="flex items-center justify-between gap-3">
-                  <div>
-                    <div className="text-xs text-[color:var(--text-1)] font-medium">
-                      Color theme
-                    </div>
-                    <div className="text-[10px] text-[color:var(--text-3)]">
-                      Persists across reloads.
-                    </div>
-                  </div>
-
-                  <div
-                    role="group"
-                    aria-label="Toggle color theme"
+              <div
+                role="group"
+                aria-label="Toggle color theme"
+                className={cn(
+                  'flex items-center gap-0.5 p-1 rounded-full',
+                  'bg-[color:var(--bg-2)] border border-[color:var(--border)]',
+                )}
+              >
+                {(['dark', 'light'] as const).map((t) => (
+                  <button
+                    key={t}
+                    type="button"
+                    onClick={() => handleThemeSwitch(t)}
+                    aria-pressed={theme === t}
                     className={cn(
-                      'flex items-center gap-0.5 p-1 rounded-full',
-                      'bg-[color:var(--bg-2)] border border-[color:var(--border)]',
+                      'px-2.5 py-1 rounded-full text-[11px] font-medium font-mono-tabular uppercase tracking-[0.04em]',
+                      'transition-colors duration-[120ms] ease-out',
+                      'focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-1 focus-visible:outline-[color:var(--signal)]',
+                      theme === t
+                        ? 'bg-[color:var(--bg-3)] text-[color:var(--text-1)]'
+                        : 'text-[color:var(--text-2)] hover:text-[color:var(--text-1)]',
                     )}
                   >
-                    {(['dark', 'light'] as const).map((t) => (
-                      <button
-                        key={t}
-                        type="button"
-                        onClick={() => handleThemeSwitch(t)}
-                        aria-pressed={theme === t}
-                        className={cn(
-                          'px-2.5 py-1 rounded-full text-[11px] font-medium font-mono-tabular uppercase tracking-[0.04em]',
-                          'transition-colors duration-[120ms] ease-out',
-                          'focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-1 focus-visible:outline-[color:var(--signal)]',
-                          theme === t
-                            ? 'bg-[color:var(--bg-3)] text-[color:var(--text-1)]'
-                            : 'text-[color:var(--text-2)] hover:text-[color:var(--text-1)]',
-                        )}
-                      >
-                        {t.toUpperCase()}
-                      </button>
-                    ))}
-                  </div>
-                </div>
+                    {t.toUpperCase()}
+                  </button>
+                ))}
               </div>
-
-              {/* ─────────────────────────────────────────────────────── */}
-              <div className="mt-5 text-[10px] text-[color:var(--text-3)]">
-                Role:{' '}
-                <span className="font-mono-tabular text-[color:var(--text-2)]">
-                  {roleLabel}
-                </span>
-              </div>
-            </Panel>
-          )}
-        </div>
+            </div>
+          </Panel>
+        )}
       </div>
     </div>
   );
diff --git a/frontend/src/features/queries/QueryDetailPage.tsx b/frontend/src/features/queries/QueryDetailPage.tsx
index 652253a9..dbb212dd 100644
--- a/frontend/src/features/queries/QueryDetailPage.tsx
+++ b/frontend/src/features/queries/QueryDetailPage.tsx
@@ -1,6 +1,7 @@
 import { useParams, useNavigate, useSearch, Link } from '@tanstack/react-router';
-import { useQuery } from '@tanstack/react-query';
+import { useQuery, useQueryClient } from '@tanstack/react-query';
 import { getQuery, listQueryResults, getQueryResultsCSVUrl } from '$/api/queries';
+import { listNodes } from '$/api/nodes';
 import { AuthError } from '$/api/client';
 import { formatRelative } from '$/lib/time';
 import { cn } from '$/lib/cn';
@@ -19,6 +20,18 @@ function QueryStatusBadge({ q }: { q: { active: boolean; completed: boolean; exp
   return <Badge variant="dim" label="Unknown" />;
 }
 
+// osquery distributed result `status` codes:
+//   0 → ok        (query ran, returned rows)
+//   1 → error     (query failed on the agent — usually SQL syntax / table not present)
+//   2 → other     (osquery has used this for transient state in past versions)
+// Anything else gets a neutral "code N" rendering so we don't silently hide it.
+function StatusBadge({ code }: { code: number }) {
+  if (code === 0) return <Badge variant="success" label="ok" />;
+  if (code === 1) return <Badge variant="danger" label="error" />;
+  if (code === 2) return <Badge variant="warning" label="other" />;
+  return <Badge variant="dim" label={`code ${code}`} />;
+}
+
 function Badge({
   variant,
   label,
@@ -68,6 +81,8 @@ export function QueryDetailPage() {
     refetchInterval: 15_000,
   });
 
+  const qc = useQueryClient();
+
   // Paginated query results
   const {
     data: resultsData,
@@ -82,6 +97,22 @@ export function QueryDetailPage() {
     enabled: !!query,
   });
 
+  // Nodes lookup map — used to turn the raw uuid on each result row into a
+  // human-friendly hostname. Cached for 60s so result-page renders don't
+  // hammer the nodes endpoint; staler-than-staleTime gets a quiet refetch
+  // on next mount. The nodes query is keyed by env so a small fleet (this
+  // is the dev scope, not multi-tenant) pulls the whole list once.
+  const { data: nodesData } = useQuery({
+    queryKey: ['query-results-nodes-lookup', env],
+    queryFn: () => listNodes({ env, pageSize: 500 }),
+    staleTime: 60_000,
+    enabled: !!query,
+  });
+  const uuidToHostname = new Map<string, string>();
+  for (const n of nodesData?.items ?? []) {
+    uuidToHostname.set(n.uuid, n.hostname || n.localname || n.uuid);
+  }
+
   // Redirect to login on 401
   if ((metaError && metaErr instanceof AuthError) || (resultsError && resultsErr instanceof AuthError)) {
     void navigate({ to: '/login' });
@@ -89,31 +120,58 @@ export function QueryDetailPage() {
   }
 
   // ---------------------------------------------------------------------------
-  // Build rows + column union from this page of items
+  // Build rows from this page of items.
+  //
+  // Each item.data is a JSON string of shape
+  //   { name, status, message, result: [{...}, {...}, ...] }
+  // where `result` is the array of row objects the node returned for this
+  // distributed query write. Different nodes (and different runs) may
+  // return different shapes, so we keep each item's result set in its own
+  // nested data table inside the Data cell — same approach as the legacy
+  // admin's queries-logs template. This is much friendlier to the common
+  // case (multi-row tables like `processes` or `apps`) than extruding
+  // every key onto the outer table.
   // ---------------------------------------------------------------------------
   const items = resultsData?.items ?? [];
   const totalItems = resultsData?.total_items ?? 0;
   const totalPages = resultsData?.total_pages ?? 0;
 
-  // Cell values can be nested objects when osquery returns JSON-typed columns
-  // (uptime returns `{days,hours,minutes,seconds}`, some apps tables return
-  // `{name,version,arch}` per row). Typing as `unknown` keeps us honest; the
-  // render path below stringifies anything non-primitive instead of letting
-  // React throw error #31 when it sees an object child.
-  const rows: Array<{ id: number; uuid: string; cols: Record<string, unknown> }> = [];
-  const colSet = new Set<string>();
+  const rows: Array<{
+    id: number;
+    uuid: string;
+    createdAt: string;
+    status: number;
+    results: Array<Record<string, unknown>>;
+    parseError: string | null;
+  }> = [];
 
   for (const item of items) {
-    let cols: Record<string, unknown> = {};
+    let results: Array<Record<string, unknown>> = [];
+    let parseError: string | null = null;
     try {
-      cols = JSON.parse(item.data) as Record<string, unknown>;
-    } catch {
-      cols = { data: item.data };
+      const parsed = JSON.parse(item.data) as {
+        result?: Array<Record<string, unknown>>;
+      };
+      // osquery distributed writes always wrap rows in `.result`. Tolerate
+      // the older legacy double-encoding by re-parsing once if we got a
+      // string back instead of an object.
+      const inner =
+        typeof parsed === 'string'
+          ? (JSON.parse(parsed) as { result?: Array<Record<string, unknown>> })
+          : parsed;
+      results = Array.isArray(inner?.result) ? inner.result : [];
+    } catch (e) {
+      parseError = e instanceof Error ? e.message : 'parse error';
     }
-    for (const k of Object.keys(cols)) colSet.add(k);
-    rows.push({ id: item.id, uuid: item.uuid, cols });
+    rows.push({
+      id: item.id,
+      uuid: item.uuid,
+      createdAt: item.created_at,
+      status: item.status,
+      results,
+      parseError,
+    });
   }
-  const colHeaders = Array.from(colSet).sort();
 
   const csvUrl = getQueryResultsCSVUrl(env, name);
 
@@ -169,6 +227,40 @@ export function QueryDetailPage() {
             </pre>
           </div>
         )}
+
+        {/* Targets — creation-time scope (platform / uuid / hostname /
+            tag rows). Matches the legacy admin's Targets table on the
+            query detail page so operators can answer "why didn't host
+            X run this." Empty list rendered as a quiet hint. */}
+        {query && query.targets !== undefined && (
+          <div className="mt-3">
+            <div className="text-[10px] uppercase tracking-[0.12em] text-[color:var(--text-3)] mb-1">
+              Targets
+            </div>
+            {query.targets.length === 0 ? (
+              <div className="text-xs text-[color:var(--text-3)] italic">
+                No targets recorded.
+              </div>
+            ) : (
+              <div className="flex flex-wrap gap-1.5">
+                {query.targets.map((t, i) => (
+                  <span
+                    key={`${t.type}-${t.value}-${i}`}
+                    className={cn(
+                      'inline-flex items-center gap-1 px-2 py-0.5 rounded-md',
+                      'text-[11px] font-mono-tabular',
+                      'border border-[color:var(--border)] bg-[color:var(--bg-2)]',
+                      'text-[color:var(--text-2)]',
+                    )}
+                  >
+                    <span className="text-[color:var(--text-3)]">{t.type}:</span>
+                    <span className="text-[color:var(--text-1)] font-semibold">{t.value}</span>
+                  </span>
+                ))}
+              </div>
+            )}
+          </div>
+        )}
       </div>
 
       {/* ── Results section header ── */}
@@ -181,59 +273,90 @@ export function QueryDetailPage() {
             </span>
           )}
         </h2>
-        {totalItems > 0 && (
-          <a
-            href={csvUrl}
-            download
+        <div className="ml-auto flex items-center gap-2">
+          {/* Refresh button — mirrors the legacy admin's "Refresh table" control.
+              The page also polls every 15s via TanStack Query's refetchInterval,
+              but an explicit button gives operators the same control they had
+              in legacy when watching a long-running distributed query land. */}
+          <button
+            type="button"
+            onClick={() => {
+              void qc.invalidateQueries({ queryKey: ['query', env, name] });
+              void qc.invalidateQueries({ queryKey: ['query-results', env, name] });
+            }}
             className={cn(
-              'ml-auto px-3 py-1 text-xs font-medium rounded-md',
+              'px-3 py-1 text-xs font-medium rounded-md',
               'border border-[color:var(--border)] text-[color:var(--text-2)]',
               'hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)] transition-colors',
               'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
             )}
-            aria-label={`Download CSV of ${name} results`}
+            aria-label="Refresh query results"
+            title="Refresh now"
           >
-            Download CSV
-          </a>
-        )}
+            Refresh
+          </button>
+          {totalItems > 0 && (
+            <a
+              href={csvUrl}
+              download
+              className={cn(
+                'px-3 py-1 text-xs font-medium rounded-md',
+                'border border-[color:var(--border)] text-[color:var(--text-2)]',
+                'hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)] transition-colors',
+                'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+              )}
+              aria-label={`Download CSV of ${name} results`}
+            >
+              Download CSV
+            </a>
+          )}
+        </div>
       </div>
 
-      {/* ── Results table ── */}
+      {/* ── Results table ──
+          Three outer columns: Created · Node · Data. The Data cell holds a
+          fully nested table of that result item's rows (one per osquery
+          result row) — same shape as the legacy admin renders, so a
+          processes-table query with 30 rows from one node renders as 30
+          inner rows under one outer row, not 30 outer rows with sparse
+          cells. Status is overlaid on the Created cell as a small badge so
+          we don't sacrifice horizontal room to a near-always-"ok" column. */}
       <div className="flex-1 overflow-auto min-h-0">
         <table className="w-full text-sm border-collapse">
-          {colHeaders.length > 0 && (
-            <thead>
-              <tr className="border-b border-[color:var(--border)] bg-[color:var(--bg-0)] sticky top-0 z-10">
-                <th
-                  scope="col"
-                  className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide"
-                >
-                  Node UUID
-                </th>
-                {colHeaders.map((col) => (
-                  <th
-                    key={col}
-                    scope="col"
-                    className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide"
-                  >
-                    {col}
-                  </th>
-                ))}
-              </tr>
-            </thead>
-          )}
+          <thead>
+            <tr className="border-b border-[color:var(--border)] bg-[color:var(--bg-0)] sticky top-0 z-10">
+              <th
+                scope="col"
+                className="w-[160px] px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide whitespace-nowrap"
+              >
+                Created
+              </th>
+              <th
+                scope="col"
+                className="w-[200px] px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide"
+              >
+                Node
+              </th>
+              <th
+                scope="col"
+                className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide"
+              >
+                Data
+              </th>
+            </tr>
+          </thead>
 
           <tbody>
             {/* Loading skeleton */}
             {resultsLoading &&
               Array.from({ length: 5 }).map((_, i) => (
-                <SkeletonRow key={i} cells={colHeaders.length + 1 || 4} />
+                <SkeletonRow key={i} cells={3} />
               ))}
 
             {/* Error state */}
             {resultsError && !resultsLoading && (
               <tr>
-                <td colSpan={colHeaders.length + 1 || 4}>
+                <td colSpan={3}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -250,7 +373,7 @@ export function QueryDetailPage() {
             {/* Empty state (HTTP 200, items: []) */}
             {!resultsLoading && !resultsError && rows.length === 0 && (
               <tr>
-                <td colSpan={4}>
+                <td colSpan={3}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -266,40 +389,38 @@ export function QueryDetailPage() {
             {/* Data rows */}
             {!resultsLoading &&
               !resultsError &&
-              rows.map((row) => (
-                <tr
-                  key={row.id}
-                  className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors"
-                >
-                  <td className="px-4 py-2 font-mono-tabular text-xs text-[color:var(--signal)]">
-                    {row.uuid.slice(0, 8)}
-                    <span className="text-[color:var(--text-3)]">…</span>
-                  </td>
-                  {colHeaders.map((col) => {
-                    // osquery cells can be nested objects (e.g. uptime's
-                    // `{days, hours, minutes, seconds}`), not just strings —
-                    // the typed cast on JSON.parse lies. Coerce non-primitive
-                    // values to a compact JSON string so React renders them
-                    // safely instead of throwing minified error #31.
-                    const raw = row.cols[col];
-                    const display =
-                      raw == null
-                        ? '—'
-                        : typeof raw === 'object'
-                          ? JSON.stringify(raw)
-                          : String(raw);
-                    return (
-                      <td
-                        key={col}
-                        className="px-4 py-2 text-xs text-[color:var(--text-1)] max-w-xs truncate"
-                        title={display}
+              rows.map((row) => {
+                const hostname = uuidToHostname.get(row.uuid);
+                return (
+                  <tr
+                    key={row.id}
+                    className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors align-top"
+                  >
+                    <td
+                      className="px-4 py-2 font-mono-tabular text-xs text-[color:var(--text-2)] whitespace-nowrap"
+                      title={row.createdAt}
+                    >
+                      <div className="flex items-center gap-2">
+                        <span>{formatRelative(row.createdAt)}</span>
+                        <StatusBadge code={row.status} />
+                      </div>
+                    </td>
+                    <td className="px-4 py-2 font-mono-tabular text-xs">
+                      <Link
+                        to="/_app/env/$env/nodes/$uuid"
+                        params={{ env, uuid: row.uuid }}
+                        className="text-[color:var(--signal)] hover:underline"
+                        title={row.uuid}
                       >
-                        {display}
-                      </td>
-                    );
-                  })}
-                </tr>
-              ))}
+                        {hostname ?? `${row.uuid.slice(0, 8)}…`}
+                      </Link>
+                    </td>
+                    <td className="px-4 py-2">
+                      <ResultPayload results={row.results} parseError={row.parseError} />
+                    </td>
+                  </tr>
+                );
+              })}
           </tbody>
         </table>
       </div>
@@ -324,3 +445,97 @@ export function QueryDetailPage() {
 }
 
 export default QueryDetailPage;
+
+// ---------------------------------------------------------------------------
+// ResultPayload — renders one item's `result` array as a compact nested
+// table. Columns are the union of keys across THIS result set so a small
+// query (3 process rows) shows 30 columns and a wide query (apps with 10
+// fields) shows 10 — same shape the legacy admin uses. Object/array cell
+// values get JSON.stringify'd so React doesn't choke on non-primitive
+// children.
+// ---------------------------------------------------------------------------
+function ResultPayload({
+  results,
+  parseError,
+}: {
+  results: Array<Record<string, unknown>>;
+  parseError: string | null;
+}) {
+  if (parseError) {
+    return (
+      <div className="text-xs text-[color:var(--danger)] font-mono-tabular">
+        parse error: {parseError}
+      </div>
+    );
+  }
+  if (results.length === 0) {
+    return (
+      <div className="text-xs text-[color:var(--text-3)] italic">No rows.</div>
+    );
+  }
+  // Union of all keys in this result set, preserving first-seen order so
+  // the most common column (often `pid` / `name`) shows up on the left
+  // without us having to special-case it.
+  const seen = new Set<string>();
+  const cols: string[] = [];
+  for (const r of results) {
+    for (const k of Object.keys(r)) {
+      if (!seen.has(k)) {
+        seen.add(k);
+        cols.push(k);
+      }
+    }
+  }
+  return (
+    <div className="overflow-x-auto rounded-md border border-[color:var(--border)] bg-[color:var(--bg-2)]">
+      <table className="w-full text-[11px] border-collapse">
+        <thead>
+          <tr className="bg-[color:var(--bg-1)] border-b border-[color:var(--border)]">
+            {cols.map((c) => (
+              <th
+                key={c}
+                scope="col"
+                className={cn(
+                  'px-2 py-1.5 text-left font-mono-tabular font-medium',
+                  'text-[color:var(--text-2)] whitespace-nowrap',
+                )}
+              >
+                {c}
+              </th>
+            ))}
+          </tr>
+        </thead>
+        <tbody>
+          {results.map((row, i) => (
+            <tr
+              key={i}
+              className="border-b border-[color:var(--border)] last:border-b-0"
+            >
+              {cols.map((c) => {
+                const raw = row[c];
+                const display =
+                  raw == null
+                    ? ''
+                    : typeof raw === 'object'
+                      ? JSON.stringify(raw)
+                      : String(raw);
+                return (
+                  <td
+                    key={c}
+                    className={cn(
+                      'px-2 py-1 font-mono-tabular text-[color:var(--text-1)]',
+                      'max-w-[280px] truncate',
+                    )}
+                    title={display}
+                  >
+                    {display}
+                  </td>
+                );
+              })}
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  );
+}
diff --git a/frontend/src/features/settings/SettingsPage.tsx b/frontend/src/features/settings/SettingsPage.tsx
index e5f1bf44..5967d6aa 100644
--- a/frontend/src/features/settings/SettingsPage.tsx
+++ b/frontend/src/features/settings/SettingsPage.tsx
@@ -43,27 +43,12 @@ export function SettingsPage() {
 
   return (
     <div className="flex flex-col h-full min-h-0">
+      {/* Toolbar row — page title only, matching EnvConfigPage's pattern
+          where the section tabs live in their own row underneath. */}
       <div className="flex items-center gap-3 px-4 py-3 border-b border-[color:var(--border)] flex-wrap">
         <h1 className="font-display text-lg font-semibold text-[color:var(--text-1)] mr-2">
           Settings
         </h1>
-        <nav aria-label="settings service tabs" className="flex items-center gap-1">
-          {SERVICES.map((s) => (
-            <Link
-              key={s}
-              to="/_app/settings/$service"
-              params={{ service: s }}
-              className={cn(
-                'px-3 py-1.5 text-xs font-mono-tabular rounded-md transition-colors',
-                s === service
-                  ? 'bg-[color:var(--bg-2)] text-[color:var(--text-1)] shadow-[inset_0_-2px_0_var(--signal)]'
-                  : 'text-[color:var(--text-3)] hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)]',
-              )}
-            >
-              {s}
-            </Link>
-          ))}
-        </nav>
         {isFetching && !isLoading && (
           <span
             aria-live="polite"
@@ -75,6 +60,35 @@ export function SettingsPage() {
         )}
       </div>
 
+      {/* Service tabs — same underline TabButton pattern as EnvConfigPage
+          and the EnrollPage v3 reorg, so all the SPA's tabbed config
+          surfaces read with one visual voice. */}
+      <div
+        role="tablist"
+        aria-label="Settings service tabs"
+        className="flex items-center gap-1 px-2 border-b border-[color:var(--border)] overflow-x-auto"
+      >
+        {SERVICES.map((s) => (
+          <Link
+            key={s}
+            to="/_app/settings/$service"
+            params={{ service: s }}
+            role="tab"
+            aria-selected={s === service}
+            className={cn(
+              'inline-flex items-center gap-1.5 px-3 pt-2 pb-1.5 text-xs whitespace-nowrap',
+              'border-b-2 transition-colors',
+              'focus-visible:outline focus-visible:outline-2 focus-visible:outline-[color:var(--signal)]',
+              s === service
+                ? 'border-[color:var(--signal)] text-[color:var(--text-1)] font-semibold'
+                : 'border-transparent text-[color:var(--text-3)] hover:text-[color:var(--text-1)]',
+            )}
+          >
+            osctrl-{s}
+          </Link>
+        ))}
+      </div>
+
       <div className="flex-1 overflow-auto min-h-0 p-4">
         {isLoading && (
           <div className="space-y-2">
@@ -194,24 +208,56 @@ function SettingRow({
     },
   });
 
+  // Section-style chrome matching EnvConfigPage: rounded card with a
+  // bg-0 header strip holding name + type chip + info + dirty/save
+  // controls, body underneath. Per-row Save is intentionally preserved
+  // (the settings list is a flat catalogue of unrelated knobs, so
+  // saving the whole list at once would be a worse UX than saving
+  // each one when ready).
   return (
-    <div className="border border-[color:var(--border)] rounded-md p-3 bg-[color:var(--bg-1)]">
-      <div className="flex items-baseline gap-3 mb-2">
-        <span className="font-display text-sm font-semibold text-[color:var(--text-1)] font-mono-tabular">
+    <section
+      className="border border-[color:var(--border)] rounded-md overflow-hidden bg-[color:var(--bg-1)]"
+      aria-labelledby={`setting-${setting.Name}-label`}
+    >
+      <header className="flex items-center gap-3 px-3 py-2 bg-[color:var(--bg-0)] border-b border-[color:var(--border)]">
+        <h2
+          id={`setting-${setting.Name}-label`}
+          className="font-display text-sm font-semibold text-[color:var(--text-1)] font-mono-tabular"
+        >
           {setting.Name}
-        </span>
+        </h2>
         <span className="px-1.5 py-0.5 rounded text-[10px] font-mono-tabular text-[color:var(--text-3)] bg-[color:var(--bg-2)]">
           {setting.Type}
         </span>
         {setting.Info && (
-          <span className="text-[10px] text-[color:var(--text-3)]">{setting.Info}</span>
+          <p className="text-[10px] text-[color:var(--text-3)] truncate flex-1">
+            {setting.Info}
+          </p>
+        )}
+        {!setting.Info && <div className="flex-1" />}
+        {dirty && (
+          <span className="px-2 py-0.5 rounded-full text-[10px] font-medium bg-[rgba(var(--warning-r),var(--warning-g),var(--warning-b),0.12)] text-[color:var(--warning)]">
+            pending
+          </span>
         )}
-        <span className="ml-auto text-[10px] tnum text-[color:var(--text-3)]" title={setting.UpdatedAt}>
+        <span className="text-[10px] tnum text-[color:var(--text-3)] whitespace-nowrap" title={setting.UpdatedAt}>
           updated {formatRelative(setting.UpdatedAt)}
         </span>
-      </div>
+        <button
+          type="button"
+          disabled={!dirty || mutation.isPending}
+          onClick={() => mutation.mutate()}
+          className={cn(
+            'text-[10px] px-2 py-0.5 rounded font-medium',
+            'bg-[color:var(--signal)] text-black hover:bg-[color:var(--signal-bright)]',
+            'disabled:opacity-40 disabled:cursor-not-allowed',
+          )}
+        >
+          {mutation.isPending ? 'Saving…' : savedFlash ? 'Saved ✓' : 'Save'}
+        </button>
+      </header>
 
-      <div className="flex items-center gap-2">
+      <div className="p-3">
         <SettingInput
           name={setting.Name}
           type={setting.Type}
@@ -222,29 +268,17 @@ function SettingRow({
           onBool={setPendingBool}
           onInt={setPendingInt}
         />
-        <button
-          type="button"
-          disabled={!dirty || mutation.isPending}
-          onClick={() => mutation.mutate()}
-          className={cn(
-            'px-3 py-1.5 text-xs font-medium rounded-md',
-            'bg-[color:var(--signal)] text-black hover:bg-[color:var(--signal-bright)]',
-            'transition-colors disabled:opacity-50 disabled:cursor-not-allowed',
-          )}
-        >
-          {mutation.isPending ? 'Saving…' : savedFlash ? 'Saved' : 'Save'}
-        </button>
-      </div>
 
-      {err && (
-        <p
-          role="alert"
-          className="mt-2 text-xs text-[color:var(--danger)] bg-[rgba(var(--danger-r),var(--danger-g),var(--danger-b),0.08)] px-3 py-1.5 rounded-md"
-        >
-          {err}
-        </p>
-      )}
-    </div>
+        {err && (
+          <p
+            role="alert"
+            className="mt-2 text-xs text-[color:var(--danger)] bg-[rgba(var(--danger-r),var(--danger-g),var(--danger-b),0.08)] px-3 py-1.5 rounded-md"
+          >
+            {err}
+          </p>
+        )}
+      </div>
+    </section>
   );
 }
 
@@ -298,7 +332,7 @@ function SettingInput({
           if (!Number.isNaN(v)) onInt(v);
         }}
         className={cn(
-          'flex-1 px-3 py-1.5 text-sm rounded-md border border-[color:var(--border)]',
+          'w-full px-3 py-1.5 text-sm rounded-md border border-[color:var(--border)]',
           'bg-[color:var(--bg-2)] text-[color:var(--text-1)] font-mono-tabular',
           'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
         )}
@@ -313,7 +347,7 @@ function SettingInput({
       value={stringValue}
       onChange={(e) => onString(e.target.value)}
       className={cn(
-        'flex-1 px-3 py-1.5 text-sm rounded-md border border-[color:var(--border)]',
+        'w-full px-3 py-1.5 text-sm rounded-md border border-[color:var(--border)]',
         'bg-[color:var(--bg-2)] text-[color:var(--text-1)] font-mono-tabular',
         'focus:outline focus:outline-2 focus:outline-[color:var(--signal)]',
       )}
diff --git a/frontend/src/features/tags/TagsPage.tsx b/frontend/src/features/tags/TagsPage.tsx
index 7ceede37..2a160c9d 100644
--- a/frontend/src/features/tags/TagsPage.tsx
+++ b/frontend/src/features/tags/TagsPage.tsx
@@ -26,6 +26,12 @@ export function TagsPage() {
   const qc = useQueryClient();
   const [modal, setModal] = useState<ModalMode>({ kind: 'closed' });
 
+  // Multi-select state — matches the dock pattern used on Carves /
+  // Queries / Nodes. Tag names are unique per env so the set keys on
+  // name without needing to thread an id around.
+  const [selectedNames, setSelectedNames] = useState<Set<string>>(new Set());
+  const [bulkError, setBulkError] = useState<string | null>(null);
+
   const queryKey = ['tags', env] as const;
 
   const { data, isLoading, isFetching, isError, error, refetch } = useQuery({
@@ -47,6 +53,81 @@ export function TagsPage() {
     void refetch();
   }
 
+  // Header checkbox state — same pattern as CarvesListPage's toggleAll.
+  const allVisibleNames = tags.map((t) => t.name);
+  const allChecked =
+    allVisibleNames.length > 0 &&
+    allVisibleNames.every((n) => selectedNames.has(n));
+  const someChecked = allVisibleNames.some((n) => selectedNames.has(n));
+
+  function toggleAll() {
+    if (allChecked) {
+      setSelectedNames(new Set());
+    } else {
+      setSelectedNames(new Set(allVisibleNames));
+    }
+  }
+
+  function toggleOne(name: string) {
+    setSelectedNames((prev) => {
+      const next = new Set(prev);
+      if (next.has(name)) next.delete(name);
+      else next.add(name);
+      return next;
+    });
+  }
+
+  // Bulk delete — fans out one POST /tags/{env}/remove per name and
+  // collects per-name failures so a partial success still reports
+  // 'deleted 5 of 7; 2 failed' instead of going red on first reject.
+  const bulkDeleteMut = useMutation({
+    mutationFn: async (names: string[]) => {
+      const settled = await Promise.allSettled(
+        names.map((name) =>
+          tagsAction(env, 'remove', { name }),
+        ),
+      );
+      const failed = settled.filter((r) => r.status === 'rejected').length;
+      return { total: names.length, failed };
+    },
+    onSuccess: ({ total, failed }) => {
+      setSelectedNames(new Set());
+      if (failed > 0) {
+        setBulkError(`Deleted ${total - failed} of ${total} tag(s); ${failed} failed.`);
+      } else {
+        setBulkError(null);
+      }
+      invalidate();
+    },
+    onError: (err) => {
+      if (err instanceof AuthError) {
+        void navigate({ to: '/login' });
+        return;
+      }
+      setBulkError(
+        err instanceof ApiError
+          ? err.message
+          : err instanceof Error
+            ? err.message
+            : 'Bulk delete failed',
+      );
+    },
+  });
+
+  function handleBulkDelete() {
+    const names = Array.from(selectedNames);
+    if (names.length === 0) return;
+    if (
+      !confirm(
+        `Delete ${names.length} tag${names.length === 1 ? '' : 's'}?\n\nNodes currently carrying the tag will lose it.`,
+      )
+    ) {
+      return;
+    }
+    setBulkError(null);
+    bulkDeleteMut.mutate(names);
+  }
+
   return (
     <div className="flex flex-col h-full min-h-0">
       <div className="flex items-center gap-3 px-4 py-3 border-b border-[color:var(--border)] flex-wrap">
@@ -86,6 +167,18 @@ export function TagsPage() {
         <table className="w-full text-sm border-collapse">
           <thead>
             <tr className="border-b border-[color:var(--border)] bg-[color:var(--bg-0)] sticky top-0 z-10">
+              <th scope="col" className="px-4 py-3 w-10">
+                <input
+                  type="checkbox"
+                  aria-label="Select all visible tags"
+                  checked={allChecked}
+                  ref={(el) => {
+                    if (el) el.indeterminate = someChecked && !allChecked;
+                  }}
+                  onChange={toggleAll}
+                  className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer"
+                />
+              </th>
               <th scope="col" className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide">
                 Tag
               </th>
@@ -103,11 +196,11 @@ export function TagsPage() {
           </thead>
           <tbody>
             {isLoading &&
-              Array.from({ length: 6 }).map((_, i) => <SkeletonRow key={i} cells={5} />)}
+              Array.from({ length: 6 }).map((_, i) => <SkeletonRow key={i} cells={6} />)}
 
             {isError && !isLoading && (
               <tr>
-                <td colSpan={5}>
+                <td colSpan={6}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -132,7 +225,7 @@ export function TagsPage() {
 
             {!isLoading && !isError && tags.length === 0 && (
               <tr>
-                <td colSpan={5}>
+                <td colSpan={6}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -156,11 +249,25 @@ export function TagsPage() {
 
             {!isLoading &&
               !isError &&
-              tags.map((tag) => (
+              tags.map((tag) => {
+                const isSelected = selectedNames.has(tag.name);
+                return (
                 <tr
                   key={tag.id}
-                  className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors"
+                  className={cn(
+                    'border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors',
+                    isSelected && 'bg-[color:var(--signal)]/5',
+                  )}
                 >
+                  <td className="px-4 py-3">
+                    <input
+                      type="checkbox"
+                      aria-label={`Select tag ${tag.name}`}
+                      checked={isSelected}
+                      onChange={() => toggleOne(tag.name)}
+                      className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer"
+                    />
+                  </td>
                   <td className="px-4 py-3">
                     <span
                       className="inline-flex items-center gap-1.5 px-2 py-0.5 rounded-full text-xs font-medium"
@@ -199,11 +306,81 @@ export function TagsPage() {
                     </button>
                   </td>
                 </tr>
-              ))}
+                );
+              })}
           </tbody>
         </table>
       </div>
 
+      {/* Multi-select dock — matches CarvesListPage chrome exactly so
+          every env-scoped list page reads with one bulk-action voice. */}
+      {selectedNames.size > 0 && (
+        <div
+          role="toolbar"
+          aria-label="Bulk actions"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--border-strong)]',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-sm font-medium',
+            'z-50',
+          )}
+        >
+          <span className="text-[color:var(--text-2)] text-xs font-mono-tabular">
+            {selectedNames.size} selected
+          </span>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          {bulkError && (
+            <span className="text-xs text-[color:var(--danger)]">{bulkError}</span>
+          )}
+          <button
+            type="button"
+            disabled={bulkDeleteMut.isPending}
+            aria-label="Delete selected tags"
+            className="px-3 py-1 text-xs font-medium rounded text-[color:var(--danger)] hover:bg-[color:var(--bg-2)] transition-colors disabled:opacity-50"
+            onClick={handleBulkDelete}
+          >
+            {bulkDeleteMut.isPending ? 'Deleting…' : 'Delete'}
+          </button>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          <button
+            type="button"
+            aria-label="Clear selection"
+            onClick={() => setSelectedNames(new Set())}
+            className="px-2 py-1 text-xs font-medium rounded text-[color:var(--text-3)] hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)] transition-colors"
+          >
+            Clear
+          </button>
+        </div>
+      )}
+
+      {/* Bulk-error toast when no selection remains — same pattern as
+          NodesTablePage so the operator sees what happened even after
+          the selection clears. */}
+      {bulkError && selectedNames.size === 0 && (
+        <div
+          role="alert"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2 z-50',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--danger)]/40',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-xs text-[color:var(--danger)]',
+          )}
+        >
+          <span>{bulkError}</span>
+          <button
+            type="button"
+            onClick={() => setBulkError(null)}
+            className="text-[color:var(--text-3)] hover:text-[color:var(--text-1)]"
+            aria-label="Dismiss"
+          >
+            ×
+          </button>
+        </div>
+      )}
+
       {modal.kind === 'create' && (
         <TagFormModal
           env={env}
diff --git a/frontend/src/features/users/UsersPage.tsx b/frontend/src/features/users/UsersPage.tsx
index 59cef363..3bce99db 100644
--- a/frontend/src/features/users/UsersPage.tsx
+++ b/frontend/src/features/users/UsersPage.tsx
@@ -36,6 +36,12 @@ export function UsersPage() {
   const qc = useQueryClient();
   const [modal, setModal] = useState<ModalMode>({ kind: 'closed' });
 
+  // Multi-select state matches the dock pattern used on Tags / Carves /
+  // Nodes — username is the unique key the server uses for /users/{u},
+  // so the set is keyed on username (not id).
+  const [selectedUsernames, setSelectedUsernames] = useState<Set<string>>(new Set());
+  const [bulkError, setBulkError] = useState<string | null>(null);
+
   const { data, isLoading, isError, error, refetch } = useQuery({
     queryKey: ['users'],
     queryFn: () => listUsers(),
@@ -67,6 +73,84 @@ export function UsersPage() {
     void refetch();
   }
 
+  // Header checkbox state — operates on the deletable subset, since the
+  // current operator's own row can't be selected for deletion. If the
+  // only visible users are non-deletable (e.g. you're the only super-admin)
+  // the header checkbox is disabled rather than misleading.
+  const deletableUsernames = users
+    .filter((u) => u.username !== me?.username)
+    .map((u) => u.username);
+  const allChecked =
+    deletableUsernames.length > 0 &&
+    deletableUsernames.every((n) => selectedUsernames.has(n));
+  const someChecked = deletableUsernames.some((n) => selectedUsernames.has(n));
+
+  function toggleAll() {
+    if (allChecked) {
+      setSelectedUsernames(new Set());
+    } else {
+      setSelectedUsernames(new Set(deletableUsernames));
+    }
+  }
+
+  function toggleOne(username: string) {
+    setSelectedUsernames((prev) => {
+      const next = new Set(prev);
+      if (next.has(username)) next.delete(username);
+      else next.add(username);
+      return next;
+    });
+  }
+
+  // Bulk delete — Promise.allSettled over the selected usernames so a
+  // partial 403/404 reports 'deleted N of M; X failed' instead of
+  // hard-failing the whole batch.
+  const bulkDeleteMut = useMutation({
+    mutationFn: async (usernames: string[]) => {
+      const settled = await Promise.allSettled(
+        usernames.map((u) => deleteUser(u)),
+      );
+      const failed = settled.filter((r) => r.status === 'rejected').length;
+      return { total: usernames.length, failed };
+    },
+    onSuccess: ({ total, failed }) => {
+      setSelectedUsernames(new Set());
+      if (failed > 0) {
+        setBulkError(`Deleted ${total - failed} of ${total} user(s); ${failed} failed.`);
+      } else {
+        setBulkError(null);
+      }
+      invalidate();
+    },
+    onError: (err) => {
+      if (err instanceof AuthError) {
+        void navigate({ to: '/login' });
+        return;
+      }
+      setBulkError(
+        err instanceof ApiError
+          ? err.message
+          : err instanceof Error
+            ? err.message
+            : 'Bulk delete failed',
+      );
+    },
+  });
+
+  function handleBulkDelete() {
+    const usernames = Array.from(selectedUsernames);
+    if (usernames.length === 0) return;
+    if (
+      !confirm(
+        `Delete ${usernames.length} operator${usernames.length === 1 ? '' : 's'}?\n\nThis revokes their access immediately. Any active sessions stop working on next refresh.`,
+      )
+    ) {
+      return;
+    }
+    setBulkError(null);
+    bulkDeleteMut.mutate(usernames);
+  }
+
   return (
     <div className="flex flex-col h-full min-h-0">
       <div className="flex items-center gap-3 px-4 py-3 border-b border-[color:var(--border)] flex-wrap">
@@ -89,6 +173,19 @@ export function UsersPage() {
         <table className="w-full text-sm border-collapse">
           <thead>
             <tr className="border-b border-[color:var(--border)] bg-[color:var(--bg-0)] sticky top-0 z-10">
+              <th scope="col" className="px-4 py-3 w-10">
+                <input
+                  type="checkbox"
+                  aria-label="Select all deletable users"
+                  checked={allChecked}
+                  disabled={deletableUsernames.length === 0}
+                  ref={(el) => {
+                    if (el) el.indeterminate = someChecked && !allChecked;
+                  }}
+                  onChange={toggleAll}
+                  className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer disabled:cursor-not-allowed disabled:opacity-50"
+                />
+              </th>
               <th scope="col" className="px-4 py-3 text-left text-xs font-medium text-[color:var(--text-2)] uppercase tracking-wide">
                 Username
               </th>
@@ -106,11 +203,11 @@ export function UsersPage() {
           </thead>
           <tbody>
             {isLoading &&
-              Array.from({ length: 6 }).map((_, i) => <SkeletonRow key={i} cells={5} />)}
+              Array.from({ length: 6 }).map((_, i) => <SkeletonRow key={i} cells={6} />)}
 
             {isError && !isLoading && (
               <tr>
-                <td colSpan={5}>
+                <td colSpan={6}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -135,7 +232,7 @@ export function UsersPage() {
 
             {!isLoading && !isError && users.length === 0 && (
               <tr>
-                <td colSpan={5}>
+                <td colSpan={6}>
                   <EmptyState
                     icon={
                       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="1.5">
@@ -151,11 +248,34 @@ export function UsersPage() {
 
             {!isLoading &&
               !isError &&
-              users.map((u) => (
+              users.map((u) => {
+                const isSelf = me?.username === u.username;
+                const isSelected = selectedUsernames.has(u.username);
+                return (
                 <tr
                   key={u.id}
-                  className="border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors"
+                  className={cn(
+                    'border-b border-[color:var(--border)] hover:bg-[color:var(--bg-2)] transition-colors',
+                    isSelected && 'bg-[color:var(--signal)]/5',
+                  )}
                 >
+                  <td className="px-4 py-3">
+                    {isSelf ? (
+                      <span
+                        aria-label="You can't select your own account"
+                        title="You can't delete your own account."
+                        className="inline-block w-4 h-4"
+                      />
+                    ) : (
+                      <input
+                        type="checkbox"
+                        aria-label={`Select user ${u.username}`}
+                        checked={isSelected}
+                        onChange={() => toggleOne(u.username)}
+                        className="rounded border-[color:var(--border)] accent-[color:var(--signal)] cursor-pointer"
+                      />
+                    )}
+                  </td>
                   <td className="px-4 py-3">
                     <span className="text-sm font-medium font-mono-tabular text-[color:var(--text-1)]">
                       {u.username}
@@ -234,11 +354,78 @@ export function UsersPage() {
                     )}
                   </td>
                 </tr>
-              ))}
+                );
+              })}
           </tbody>
         </table>
       </div>
 
+      {/* Multi-select dock — matches CarvesListPage / TagsPage chrome. */}
+      {selectedUsernames.size > 0 && (
+        <div
+          role="toolbar"
+          aria-label="Bulk actions"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--border-strong)]',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-sm font-medium',
+            'z-50',
+          )}
+        >
+          <span className="text-[color:var(--text-2)] text-xs font-mono-tabular">
+            {selectedUsernames.size} selected
+          </span>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          {bulkError && (
+            <span className="text-xs text-[color:var(--danger)]">{bulkError}</span>
+          )}
+          <button
+            type="button"
+            disabled={bulkDeleteMut.isPending}
+            aria-label="Delete selected users"
+            className="px-3 py-1 text-xs font-medium rounded text-[color:var(--danger)] hover:bg-[color:var(--bg-2)] transition-colors disabled:opacity-50"
+            onClick={handleBulkDelete}
+          >
+            {bulkDeleteMut.isPending ? 'Deleting…' : 'Delete'}
+          </button>
+          <div className="w-px h-4 bg-[color:var(--border)]" aria-hidden />
+          <button
+            type="button"
+            aria-label="Clear selection"
+            onClick={() => setSelectedUsernames(new Set())}
+            className="px-2 py-1 text-xs font-medium rounded text-[color:var(--text-3)] hover:text-[color:var(--text-1)] hover:bg-[color:var(--bg-2)] transition-colors"
+          >
+            Clear
+          </button>
+        </div>
+      )}
+
+      {/* Bulk-error toast after selection clears. */}
+      {bulkError && selectedUsernames.size === 0 && (
+        <div
+          role="alert"
+          className={cn(
+            'fixed bottom-6 left-1/2 -translate-x-1/2 z-50',
+            'flex items-center gap-3 px-4 py-2.5 rounded-xl',
+            'bg-[color:var(--bg-1)] border border-[color:var(--danger)]/40',
+            'shadow-[0_8px_32px_rgba(0,0,0,0.32)]',
+            'text-xs text-[color:var(--danger)]',
+          )}
+        >
+          <span>{bulkError}</span>
+          <button
+            type="button"
+            onClick={() => setBulkError(null)}
+            className="text-[color:var(--text-3)] hover:text-[color:var(--text-1)]"
+            aria-label="Dismiss"
+          >
+            ×
+          </button>
+        </div>
+      )}
+
       {modal.kind === 'permissions' && (
         <PermissionsModal
           user={modal.user}
diff --git a/frontend/src/styles/base.css b/frontend/src/styles/base.css
index 62c15873..e09c6e55 100644
--- a/frontend/src/styles/base.css
+++ b/frontend/src/styles/base.css
@@ -1,6 +1,34 @@
 @import "tailwindcss";
 @import "./tokens.css";
 
+/* Bai Jamjuree — wordmark font, self-hosted from /fonts/.
+ * Originally loaded from Google Fonts, but Google's font CDN is
+ * blocked by some ad blockers and corporate proxies. Self-hosting
+ * makes the font part of the SPA's own asset bundle so it always
+ * loads. Only the Latin subset at weights 500/600/700 ships —
+ * everything we need for the wordmark, ~36KB total. */
+@font-face {
+  font-family: 'Bai Jamjuree';
+  font-style: normal;
+  font-weight: 500;
+  font-display: swap;
+  src: url('/fonts/bai-jamjuree-500.woff2') format('woff2');
+}
+@font-face {
+  font-family: 'Bai Jamjuree';
+  font-style: normal;
+  font-weight: 600;
+  font-display: swap;
+  src: url('/fonts/bai-jamjuree-600.woff2') format('woff2');
+}
+@font-face {
+  font-family: 'Bai Jamjuree';
+  font-style: normal;
+  font-weight: 700;
+  font-display: swap;
+  src: url('/fonts/bai-jamjuree-700.woff2') format('woff2');
+}
+
 html,
 body {
   background: var(--bg-0);
@@ -15,6 +43,15 @@ body {
   letter-spacing: -0.015em;
 }
 
+/* Wordmark font — Bai Jamjuree at 700, loaded from Google Fonts in
+ * index.html. The wordmark is the only surface that uses it; the rest
+ * of the SPA stays on Inter + Space Grotesk + IBM Plex Mono. */
+.font-wordmark {
+  font-family: 'Bai Jamjuree', 'Space Grotesk', sans-serif;
+  font-weight: 700;
+  letter-spacing: -0.01em;
+}
+
 .font-mono-tabular {
   font-family: 'IBM Plex Mono', ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
   font-variant-numeric: tabular-nums;
@@ -30,6 +67,63 @@ body {
   backdrop-filter: blur(10px);
 }
 
+/* Original osctrl PNG mark — two variants ship as separate PNGs:
+ *
+ *   osctrl-logo.png      — original, dark outline + light-blue cabin
+ *                          windows. Used on the light theme where the
+ *                          dark outline reads naturally on white.
+ *   osctrl-logo-dark.png — manually recolored, light outline + bright
+ *                          brand-info cabin windows. Used on the dark
+ *                          theme.
+ *
+ * The Logo component renders both <img>s; CSS picks which one shows
+ * based on data-theme. We avoid CSS filter recoloring because
+ * Tailwind v4's optimizer silently broke our filter:invert() chain
+ * by dropping the argument, and this two-PNG approach gives pixel-
+ * perfect control over both variants. */
+.osctrl-logo-light,
+.osctrl-logo-dark {
+  display: none !important;
+}
+[data-theme="light"] .osctrl-logo .osctrl-logo-light {
+  display: block !important;
+}
+[data-theme="dark"] .osctrl-logo .osctrl-logo-dark {
+  display: block !important;
+}
+/* No data-theme set yet (first paint before theme-bootstrap.js runs) —
+ * default to the light variant so the page isn't logo-less briefly. */
+:root:not([data-theme="dark"]) .osctrl-logo .osctrl-logo-light {
+  display: block !important;
+}
+
+/* SideNav circuit background — the legacy login screen's circuit-trace
+ * SVG, tiled at low alpha behind the rail. Layered with the previous
+ * subtle teal sheen at the top so the rail still feels lit-from-above.
+ *
+ * Uses background-image with the brand color baked into the inline SVG
+ * URL (rather than mask-image) for the widest browser compatibility.
+ * Two per-theme rules tune the alpha so dark and light read at similar
+ * perceived density. Pattern is intentionally static — operators stare
+ * at the rail constantly and motion would be a distraction. */
+.sidenav-circuit {
+  background-color: var(--bg-0);
+}
+[data-theme="dark"] .sidenav-circuit {
+  background-image:
+    linear-gradient(180deg, rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.04) 0%, transparent 280px),
+    url("data:image/svg+xml;utf8,<svg width='304' height='304' viewBox='0 0 304 304' fill='%232bc4be' fill-opacity='0.08' xmlns='http://www.w3.org/2000/svg'><path d='M44.1 224c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h44.1zm160 48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H82v-2h122.1zm57.8-46c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm0 16c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm6.2-114c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2zm-256-48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h12.1zm185.8 34c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2zM258 12.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V0h2v12.1zm-64 208c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-54.2c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9v54.2zm48-198.2c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V82h64v-2h-62V21.9zm16 16c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V66h48v-2h-46V37.9zm-128 96c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V210h16v10.1c-2.282.463-4 2.48-4 4.9 0 2.76 2.24 5 5 5s5-2.24 5-5c0-2.42-1.718-4.437-4-4.9V208h-16v-74.1zm-5.9-21.9c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H114v48H85.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H112v-48h12.1zm-6.2 130c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H176v-74.1c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V242h-60.1zm-16-64c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H114v48h10.1c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H112v-48h-10.1zM97 100c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3z' fill-rule='evenodd'/></svg>");
+  background-size: auto, 200px 200px;
+  background-repeat: no-repeat, repeat;
+}
+[data-theme="light"] .sidenav-circuit {
+  background-image:
+    linear-gradient(180deg, rgba(var(--halo-r), var(--halo-g), var(--halo-b), 0.06) 0%, transparent 280px),
+    url("data:image/svg+xml;utf8,<svg width='304' height='304' viewBox='0 0 304 304' fill='%230a8a85' fill-opacity='0.10' xmlns='http://www.w3.org/2000/svg'><path d='M44.1 224c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h44.1zm160 48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H82v-2h122.1zm57.8-46c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm0 16c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H304v2h-42.1zm6.2-114c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2zm-256-48c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H0v-2h12.1zm185.8 34c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4h86.2c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4h-86.2zM258 12.1c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9V0h2v12.1zm-64 208c2.282.463 4 2.48 4 4.9 0 2.76-2.24 5-5 5s-5-2.24-5-5c0-2.42 1.718-4.437 4-4.9v-54.2c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9v54.2zm48-198.2c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V82h64v-2h-62V21.9zm16 16c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V66h48v-2h-46V37.9zm-128 96c2.282-.463 4-2.48 4-4.9 0-2.76-2.24-5-5-5s-5 2.24-5 5c0 2.42 1.718 4.437 4 4.9V210h16v10.1c-2.282.463-4 2.48-4 4.9 0 2.76 2.24 5 5 5s5-2.24 5-5c0-2.42-1.718-4.437-4-4.9V208h-16v-74.1zm-5.9-21.9c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H114v48H85.9c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H112v-48h12.1zm-6.2 130c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H176v-74.1c-2.282-.463-4-2.48-4-4.9 0-2.76 2.24-5 5-5s5 2.24 5 5c0 2.42-1.718 4.437-4 4.9V242h-60.1zm-16-64c-.463 2.282-2.48 4-4.9 4-2.76 0-5-2.24-5-5s2.24-5 5-5c2.42 0 4.437 1.718 4.9 4H114v48h10.1c.463-2.282 2.48-4 4.9-4 2.76 0 5 2.24 5 5s-2.24 5-5 5c-2.42 0-4.437-1.718-4.9-4H112v-48h-10.1zM97 100c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0-16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm16 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3zm0 16c1.657 0 3-1.343 3-3s-1.343-3-3-3-3 1.343-3 3 1.343 3 3 3z' fill-rule='evenodd'/></svg>");
+  background-size: auto, 200px 200px;
+  background-repeat: no-repeat, repeat;
+}
+
 /* --- Status pip pulse (live indicator) --- */
 @keyframes pip-pulse {
   0%   { transform: scale(0.8); opacity: 0.7; }