From 9ea847923c792b80de568da8c4253327ee1d1c14 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Thu, 16 Apr 2026 06:11:42 +0600
Subject: [PATCH] Fix concurrency, security, and correctness issues across
 backend and frontend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- C1: Add sync.RWMutex to vm.Manager to protect concurrent vms map access
- H1: Fix IP arithmetic overflow in network slot addressing (byte truncation)
- H5: Fix MultiplexedChannel.Fork() TOCTOU race (move exited check inside lock)
- H8: Remove snapshot overwrite — return template_name_taken conflict instead
- H9: Wrap DeleteAccount DB ops in a transaction, make team deletion fatal
- H10: Sanitize serviceErrToHTTP to stop leaking internal error messages
- H11: Add deleted_at IS NULL to GetUserByEmail/GetUserByID queries
- H12: Add id DESC to audit log composite index for cursor pagination
- H15: Delete dead AuthModal.svelte component
- H17: Move JWT from WebSocket URL query param to first WS message
- H18: Fix $derived to $derived.by in FilesTab breadcrumbs
---
 db/migrations/20260310094104_initial.sql      |   2 +-
 db/queries/users.sql                          |   4 +-
 .../services/process/handler/multiplex.go     |  10 +-
 frontend/src/app.css                          |   6 +-
 frontend/src/lib/components/AuthModal.svelte  | 210 ------------------
 frontend/src/lib/components/FilesTab.svelte   |   6 +-
 .../src/lib/components/MetricsPanel.svelte    |   3 +-
 .../src/lib/components/TerminalTab.svelte     |  10 +-
 frontend/src/lib/components/Toaster.svelte    |   1 +
 .../src/routes/admin/capsules/+page.svelte    |   2 +-
 frontend/src/routes/admin/hosts/+page.svelte  |  10 +
 frontend/src/routes/admin/teams/+page.svelte  |   2 +-
 .../src/routes/admin/templates/+page.svelte   |  11 +
 frontend/src/routes/admin/users/+page.svelte  |   2 +-
 .../src/routes/dashboard/audit/+page.svelte   |  10 +-
 .../src/routes/dashboard/billing/+page.svelte |  13 +-
 .../routes/dashboard/capsules/+page.svelte    |  21 +-
 .../routes/dashboard/channels/+page.svelte    |  19 +-
 .../src/routes/dashboard/hosts/+page.svelte   |  10 +-
 .../src/routes/dashboard/keys/+page.svelte    |  10 +-
 .../routes/dashboard/settings/+page.svelte    |  10 +-
 .../src/routes/dashboard/team/+page.svelte    |  57 ++---
 .../routes/dashboard/templates/+page.svelte   |  19 +-
 .../src/routes/dashboard/usage/+page.svelte   |  13 +-
 .../src/routes/forgot-password/+page.svelte   |   4 +-
 internal/api/handlers_exec_stream.go          |  56 ++++-
 internal/api/handlers_me.go                   |  29 ++-
 internal/api/handlers_process.go              |  66 ++++--
 internal/api/handlers_pty.go                  |  58 ++++-
 internal/api/handlers_snapshots.go            |  19 +-
 internal/api/helpers_ws.go                    | 109 +++++++++
 internal/api/middleware.go                    |  20 +-
 internal/api/middleware_admin.go              |  13 ++
 internal/api/middleware_auth.go               |  14 +-
 internal/api/middleware_jwt.go                |  14 +-
 internal/api/server.go                        |   8 +-
 internal/network/setup.go                     |  17 +-
 internal/vm/manager.go                        |  20 +-
 pkg/db/users.sql.go                           |   4 +-
 39 files changed, 532 insertions(+), 380 deletions(-)
 delete mode 100644 frontend/src/lib/components/AuthModal.svelte
 create mode 100644 internal/api/helpers_ws.go

diff --git a/db/migrations/20260310094104_initial.sql b/db/migrations/20260310094104_initial.sql
index 6c8afc4..22544a5 100644
--- a/db/migrations/20260310094104_initial.sql
+++ b/db/migrations/20260310094104_initial.sql
@@ -171,7 +171,7 @@ CREATE TABLE audit_logs (
     metadata      JSONB NOT NULL DEFAULT '{}',
     created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
-CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC);
+CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC, id DESC);
 CREATE INDEX idx_audit_logs_team_resource ON audit_logs(team_id, resource_type, created_at DESC);
 
 -- sandbox_metrics_snapshots
diff --git a/db/queries/users.sql b/db/queries/users.sql
index 1c902a3..783f22b 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -4,10 +4,10 @@ VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: GetUserByEmail :one
-SELECT * FROM users WHERE email = $1;
+SELECT * FROM users WHERE email = $1 AND deleted_at IS NULL;
 
 -- name: GetUserByID :one
-SELECT * FROM users WHERE id = $1;
+SELECT * FROM users WHERE id = $1 AND deleted_at IS NULL;
 
 -- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
diff --git a/envd/internal/services/process/handler/multiplex.go b/envd/internal/services/process/handler/multiplex.go
index a3f6ea3..88f0916 100644
--- a/envd/internal/services/process/handler/multiplex.go
+++ b/envd/internal/services/process/handler/multiplex.go
@@ -35,27 +35,27 @@ func NewMultiplexedChannel[T any](buffer int) *MultiplexedChannel[T] {
 			c.mu.RUnlock()
 		}
 
+		c.mu.Lock()
 		c.exited.Store(true)
-
 		for _, cons := range c.channels {
 			close(cons)
 		}
+		c.mu.Unlock()
 	}()
 
 	return c
 }
 
 func (m *MultiplexedChannel[T]) Fork() (chan T, func()) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	if m.exited.Load() {
 		ch := make(chan T)
 		close(ch)
-
 		return ch, func() {}
 	}
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	consumer := make(chan T, 4096)
 
 	m.channels = append(m.channels, consumer)
diff --git a/frontend/src/app.css b/frontend/src/app.css
index 823f8ce..d76358b 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -180,9 +180,11 @@ body {
 	50%       { transform: translateY(-6px); }
 }
 
-/* CSS containment — isolate layout/paint for independent UI regions */
+/* CSS containment — isolate paint for independent UI regions.
+   Note: `contain: layout` is omitted because it creates a containing block
+   that breaks `position: fixed` popups rendered inside <main>. */
 main {
-	contain: layout style;
+	contain: style;
 }
 
 /* Respect user motion preferences — covers both CSS class animations and inline style animations */
diff --git a/frontend/src/lib/components/AuthModal.svelte b/frontend/src/lib/components/AuthModal.svelte
deleted file mode 100644
index fddedaa..0000000
--- a/frontend/src/lib/components/AuthModal.svelte
+++ /dev/null
@@ -1,210 +0,0 @@
-<script lang="ts">
-	import { Dialog } from 'bits-ui';
-	import {
-		IconGithub,
-		IconMail,
-		IconLock,
-		IconUser,
-		IconX,
-		IconEye,
-		IconEyeOff
-	} from './icons';
-
-	let {
-		mode = $bindable('signin'),
-		open = $bindable(false),
-		onSwitchMode
-	}: {
-		mode: 'signin' | 'signup';
-		open: boolean;
-		onSwitchMode: () => void;
-	} = $props();
-
-	let email = $state('');
-	let password = $state('');
-	let name = $state('');
-	let showPassword = $state(false);
-
-	const title = $derived(mode === 'signin' ? 'Welcome back' : 'Create account');
-	const subtitle = $derived(
-		mode === 'signin' ? 'Sign in to your Wrenn account' : 'Get started with Wrenn'
-	);
-	const submitLabel = $derived(mode === 'signin' ? 'Sign in' : 'Create account');
-	const switchText = $derived(
-		mode === 'signin' ? "Don't have an account?" : 'Already have an account?'
-	);
-	const switchAction = $derived(mode === 'signin' ? 'Sign up' : 'Sign in');
-
-	function handleSubmit(e: Event) {
-		e.preventDefault();
-	}
-</script>
-
-<Dialog.Root bind:open>
-	<Dialog.Portal>
-		<Dialog.Overlay
-			class="fixed inset-0 z-50 bg-black/70 backdrop-blur-[3px]"
-			style="animation: overlayFadeIn 200ms ease"
-		/>
-		<Dialog.Content
-			class="fixed left-1/2 top-1/2 z-50 w-[calc(100%-2rem)] max-w-[400px] -translate-x-1/2 -translate-y-1/2 rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-0"
-			style="animation: contentSlideIn 250ms cubic-bezier(0.16, 1, 0.3, 1)"
-		>
-			<!-- Close button -->
-			<Dialog.Close
-				class="absolute right-3 top-3 flex h-7 w-7 items-center justify-center rounded-[var(--radius-button)] border border-transparent text-[var(--color-text-tertiary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-secondary)]"
-			>
-				<IconX size={14} />
-			</Dialog.Close>
-
-			<div class="px-7 pb-7 pt-8">
-				<!-- Header -->
-				<div class="mb-7">
-					<Dialog.Title
-						class="font-serif text-page text-[var(--color-text-bright)]"
-					>
-						{title}
-					</Dialog.Title>
-					<Dialog.Description
-						class="mt-1 text-ui text-[var(--color-text-secondary)]"
-					>
-						{subtitle}
-					</Dialog.Description>
-				</div>
-
-				<!-- GitHub OAuth -->
-				<button
-					type="button"
-					class="flex w-full items-center justify-center gap-2.5 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-2.5 text-ui font-medium text-[var(--color-text-bright)] transition-all duration-150 hover:border-[var(--color-accent)] hover:text-[var(--color-text-bright)]"
-				>
-					<IconGithub size={16} />
-					Continue with GitHub
-				</button>
-
-				<!-- Divider -->
-				<div class="my-5 flex items-center gap-3">
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-					<span
-						class="font-mono text-badge uppercase tracking-[0.1em] text-[var(--color-text-muted)]"
-						>or</span
-					>
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-				</div>
-
-				<!-- Form -->
-				<form onsubmit={handleSubmit} class="space-y-3">
-					{#if mode === 'signup'}
-						<div class="group relative">
-							<div
-								class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-							>
-								<IconUser size={14} />
-							</div>
-							<input
-								type="text"
-								bind:value={name}
-								placeholder="Full name"
-								autocomplete="name"
-								class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-							/>
-						</div>
-					{/if}
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconMail size={14} />
-						</div>
-						<input
-							type="email"
-							bind:value={email}
-							placeholder="Email address"
-							autocomplete="email"
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-					</div>
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconLock size={14} />
-						</div>
-						<input
-							type={showPassword ? 'text' : 'password'}
-							bind:value={password}
-							placeholder="Password"
-							autocomplete={mode === 'signin' ? 'current-password' : 'new-password'}
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-10 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-						<button
-							type="button"
-							onclick={() => (showPassword = !showPassword)}
-							class="absolute right-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
-							tabindex={-1}
-						>
-							{#if showPassword}
-								<IconEyeOff size={14} />
-							{:else}
-								<IconEye size={14} />
-							{/if}
-						</button>
-					</div>
-
-					{#if mode === 'signin'}
-						<div class="flex justify-end">
-							<button
-								type="button"
-								class="text-meta text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-accent-mid)]"
-							>
-								Forgot password?
-							</button>
-						</div>
-					{/if}
-
-					<button
-						type="submit"
-						class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
-					>
-						{submitLabel}
-					</button>
-				</form>
-
-				<!-- Switch mode -->
-				<p class="mt-5 text-center text-meta text-[var(--color-text-secondary)]">
-					{switchText}
-					<button
-						type="button"
-						onclick={onSwitchMode}
-						class="font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-					>
-						{switchAction}
-					</button>
-				</p>
-			</div>
-		</Dialog.Content>
-	</Dialog.Portal>
-</Dialog.Root>
-
-<style>
-	@keyframes overlayFadeIn {
-		from {
-			opacity: 0;
-		}
-		to {
-			opacity: 1;
-		}
-	}
-
-	@keyframes contentSlideIn {
-		from {
-			opacity: 0;
-			transform: translate(-50%, -48%) scale(0.96);
-		}
-		to {
-			opacity: 1;
-			transform: translate(-50%, -50%) scale(1);
-		}
-	}
-</style>
diff --git a/frontend/src/lib/components/FilesTab.svelte b/frontend/src/lib/components/FilesTab.svelte
index bdc2a75..46c2d4a 100644
--- a/frontend/src/lib/components/FilesTab.svelte
+++ b/frontend/src/lib/components/FilesTab.svelte
@@ -81,7 +81,7 @@
 	);
 
 	// Breadcrumb segments from currentPath
-	const breadcrumbs = $derived(() => {
+	const breadcrumbs = $derived.by(() => {
 		const parts = currentPath.split('/').filter(Boolean);
 		const crumbs: { name: string; path: string }[] = [{ name: '/', path: '/' }];
 		for (let i = 0; i < parts.length; i++) {
@@ -517,7 +517,7 @@
 					</svg>
 				</button>
 				<span class="w-px h-4 bg-[var(--color-border)] shrink-0 mx-1"></span>
-				{#each breadcrumbs() as crumb, i}
+				{#each breadcrumbs as crumb, i}
 					{#if i > 0}
 						<svg class="shrink-0 text-[var(--color-text-muted)]" width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
 							<polyline points="9 18 15 12 9 6" />
@@ -526,7 +526,7 @@
 					<button
 						onclick={() => navigateTo(crumb.path)}
 						class="shrink-0 rounded-[3px] px-1.5 py-0.5 font-mono text-label transition-colors hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)]
-							{i === breadcrumbs().length - 1
+							{i === breadcrumbs.length - 1
 								? 'text-[var(--color-text-primary)]'
 								: 'text-[var(--color-text-tertiary)]'}"
 					>
diff --git a/frontend/src/lib/components/MetricsPanel.svelte b/frontend/src/lib/components/MetricsPanel.svelte
index 61a7e37..38a424d 100644
--- a/frontend/src/lib/components/MetricsPanel.svelte
+++ b/frontend/src/lib/components/MetricsPanel.svelte
@@ -20,8 +20,9 @@
 		layout?: 'full' | 'compact';
 	};
 
-	let { capsuleId, available, initialRange = '10m', apiBasePath = '/api/v1/capsules', layout = 'full' }: Props = $props();
+	let { capsuleId, available, initialRange = '10m' as MetricRange, apiBasePath = '/api/v1/capsules', layout = 'full' }: Props = $props();
 
+	// svelte-ignore state_referenced_locally
 	let range = $state<MetricRange>(initialRange);
 	let points = $state<MetricPoint[]>([]);
 	let metricsLoading = $state(true);
diff --git a/frontend/src/lib/components/TerminalTab.svelte b/frontend/src/lib/components/TerminalTab.svelte
index ab3774a..e7eadf4 100644
--- a/frontend/src/lib/components/TerminalTab.svelte
+++ b/frontend/src/lib/components/TerminalTab.svelte
@@ -93,8 +93,7 @@
 
 	function getWsUrl(): string {
 		const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
-		const token = auth.token ? `?token=${encodeURIComponent(auth.token)}` : '';
-		return `${proto}//${window.location.host}${apiBasePath}/${capsuleId}/pty${token}`;
+		return `${proto}//${window.location.host}${apiBasePath}/${capsuleId}/pty`;
 	}
 
 	function wsSend(ws: WebSocket | null, data: string) {
@@ -256,6 +255,11 @@
 		const int = internals.get(id);
 		if (!int) return;
 
+		if (!auth.token) {
+			updateSession(id, { state: 'error', errorMessage: 'Not authenticated' });
+			return;
+		}
+
 		const display = sessions.find(s => s.id === id);
 		const tag = reconnectTag ?? display?.ptyTag;
 
@@ -264,6 +268,8 @@
 		updateSession(id, { state: 'connecting', errorMessage: null });
 
 		ws.onopen = () => {
+			// Send auth as the first message (JWT no longer in URL).
+			wsSend(ws, JSON.stringify({ type: 'auth', token: auth.token }));
 			const { cols, rows } = int.term;
 			const msg: Record<string, unknown> = {
 				type: tag ? 'connect' : 'start',
diff --git a/frontend/src/lib/components/Toaster.svelte b/frontend/src/lib/components/Toaster.svelte
index bb846dc..d81917f 100644
--- a/frontend/src/lib/components/Toaster.svelte
+++ b/frontend/src/lib/components/Toaster.svelte
@@ -13,6 +13,7 @@
 			<span class="flex-1 leading-relaxed">{t.message}</span>
 			<button
 				onclick={() => toast.dismiss(t.id)}
+				aria-label="Dismiss"
 				class="mt-0.5 shrink-0 opacity-50 transition-opacity hover:opacity-100"
 			>
 				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
diff --git a/frontend/src/routes/admin/capsules/+page.svelte b/frontend/src/routes/admin/capsules/+page.svelte
index ccba40a..b0f1923 100644
--- a/frontend/src/routes/admin/capsules/+page.svelte
+++ b/frontend/src/routes/admin/capsules/+page.svelte
@@ -501,7 +501,7 @@
 
 		<!-- Status bar -->
 		<footer
-			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8"
+			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
 		>
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
diff --git a/frontend/src/routes/admin/hosts/+page.svelte b/frontend/src/routes/admin/hosts/+page.svelte
index 5bf899b..30b3ad5 100644
--- a/frontend/src/routes/admin/hosts/+page.svelte
+++ b/frontend/src/routes/admin/hosts/+page.svelte
@@ -294,6 +294,16 @@
 		</div>
 	</main>
 
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
+
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
diff --git a/frontend/src/routes/admin/teams/+page.svelte b/frontend/src/routes/admin/teams/+page.svelte
index a09b3d9..90a8db2 100644
--- a/frontend/src/routes/admin/teams/+page.svelte
+++ b/frontend/src/routes/admin/teams/+page.svelte
@@ -360,7 +360,7 @@
 		</div>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
 					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/admin/templates/+page.svelte b/frontend/src/routes/admin/templates/+page.svelte
index 14514ae..ae678ed 100644
--- a/frontend/src/routes/admin/templates/+page.svelte
+++ b/frontend/src/routes/admin/templates/+page.svelte
@@ -365,6 +365,16 @@
 		</div>
 </main>
 
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
+
 <!-- ── Snippets ─────────────────────────────────────────────────────── -->
 
 {#snippet skeletonRows(count: number, headers: string[])}
@@ -838,6 +848,7 @@
 								<span class="font-mono">{createForm.archive.name}</span>
 								<button
 									onclick={() => { createForm.archive = null; }}
+									aria-label="Remove file"
 									class="text-[var(--color-text-muted)] hover:text-[var(--color-red)] transition-colors"
 								>
 									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
diff --git a/frontend/src/routes/admin/users/+page.svelte b/frontend/src/routes/admin/users/+page.svelte
index ca1960e..3630f4f 100644
--- a/frontend/src/routes/admin/users/+page.svelte
+++ b/frontend/src/routes/admin/users/+page.svelte
@@ -282,7 +282,7 @@
 		</div>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
 					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/dashboard/audit/+page.svelte b/frontend/src/routes/dashboard/audit/+page.svelte
index 3539f5a..3923155 100644
--- a/frontend/src/routes/dashboard/audit/+page.svelte
+++ b/frontend/src/routes/dashboard/audit/+page.svelte
@@ -540,7 +540,15 @@
 			</div>
 		</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <style>
 	/* fadeUp and iconFloat are defined globally in app.css — no need to redeclare them here */
diff --git a/frontend/src/routes/dashboard/billing/+page.svelte b/frontend/src/routes/dashboard/billing/+page.svelte
index a74b6de..f82fccc 100644
--- a/frontend/src/routes/dashboard/billing/+page.svelte
+++ b/frontend/src/routes/dashboard/billing/+page.svelte
@@ -49,10 +49,9 @@
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Subscription, invoices, and payment methods for your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -115,4 +114,12 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
diff --git a/frontend/src/routes/dashboard/capsules/+page.svelte b/frontend/src/routes/dashboard/capsules/+page.svelte
index be158e7..d7fd84c 100644
--- a/frontend/src/routes/dashboard/capsules/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/+page.svelte
@@ -371,7 +371,7 @@
 	{/if}
 
 	<!-- Table -->
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+	<div class="min-w-0 rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
 		<!-- Table header -->
 		<div class="grid grid-cols-[1.6fr_0.8fr_0.5fr_0.5fr_0.6fr_1fr_0.9fr] rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
 			<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">ID</div>
@@ -380,7 +380,7 @@
 			{@render sortableHeader('Memory', 'memory_mb')}
 			{@render sortableHeader('Idle Timeout', 'timeout_sec')}
 			{@render sortableHeader('Started', 'started_at')}
-			{@render sortableHeader('Status', 'status')}
+			{@render sortableHeader('Status', 'status', 'right')}
 		</div>
 
 		{#if loading && capsules.length === 0}
@@ -456,7 +456,7 @@
 					<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 {stripeColor}"></div>
 
 					<!-- ID with status dot -->
-					<div class="flex items-center gap-2.5 px-5 py-4">
+					<div class="flex min-w-0 items-center gap-2.5 px-5 py-4">
 						{#if capsule.status === 'running'}
 							<span class="relative flex h-[6px] w-[6px] shrink-0">
 								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
@@ -469,9 +469,9 @@
 						{/if}
 						{#if searchQuery && capsule.id.toLowerCase().includes(searchQuery.toLowerCase())}
 							{@const matchIdx = capsule.id.toLowerCase().indexOf(searchQuery.toLowerCase())}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
 						{:else}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
 						{/if}
 						<CopyButton value={capsule.id} />
 					</div>
@@ -505,7 +505,7 @@
 					</div>
 
 					<!-- Status button with popover -->
-					<div class="relative px-5 py-4 status-menu-container">
+					<div class="relative flex items-center justify-end px-5 py-4 status-menu-container">
 						{#if actionLoading === capsule.id}
 							<span class="inline-flex items-center gap-1.5 text-ui text-[var(--color-text-secondary)]">
 								<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -522,10 +522,13 @@
 										const rect = (e.currentTarget as HTMLElement).getBoundingClientRect();
 										const menuW = 180;
 										const menuH = 140; // approximate max menu height
+										const vw = document.documentElement.clientWidth;
 										const top = rect.bottom + 4 + menuH > window.innerHeight
 											? rect.top - menuH - 4
 											: rect.bottom + 4;
-										const left = Math.max(8, Math.min(rect.right - menuW, window.innerWidth - menuW - 8));
+										// Anchor right edge of menu to right edge of button, clamped within viewport
+										const idealLeft = rect.right - menuW;
+										const left = Math.min(Math.max(8, idealLeft), vw - menuW - 8);
 										menuPos = { top, left };
 										openMenuId = capsule.id;
 									}
@@ -641,10 +644,10 @@
 	oncreated={handleCapsuleCreated}
 />
 
-{#snippet sortableHeader(label: string, key: SortKey)}
+{#snippet sortableHeader(label: string, key: SortKey, align: 'left' | 'right' = 'left')}
 	<button
 		onclick={() => toggleSort(key)}
-		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)] {align === 'right' ? 'ml-auto' : ''}"
 	>
 		{label}
 		{#if sortKey === key}
diff --git a/frontend/src/routes/dashboard/channels/+page.svelte b/frontend/src/routes/dashboard/channels/+page.svelte
index 71c78ed..2f5cb0d 100644
--- a/frontend/src/routes/dashboard/channels/+page.svelte
+++ b/frontend/src/routes/dashboard/channels/+page.svelte
@@ -523,6 +523,7 @@
 													openDropdownId = ch.id;
 												}
 											}}
+											aria-label="More actions"
 											class="flex items-center px-2 py-1.5 text-[var(--color-text-secondary)] transition-colors duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-bright)]"
 										>
 											<svg
@@ -544,10 +545,10 @@
 		<!-- Status bar -->
 		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
@@ -660,11 +661,12 @@
 
 				<!-- Provider -->
 				<div class="mt-4">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="provider-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Provider
 					</label>
 					<div class="relative" bind:this={providerDropdownEl}>
 						<button
+							id="provider-select"
 							onclick={() => { providerDropdownOpen = !providerDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -799,11 +801,12 @@
 
 				<!-- Events dropdown -->
 				<div class="mt-5">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Events
 					</label>
 					<div class="relative" bind:this={eventsDropdownEl}>
 						<button
+							id="events-select"
 							onclick={() => { eventsDropdownOpen = !eventsDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -850,6 +853,7 @@
 								{ev}
 								<button
 									onclick={() => { createEvents = createEvents.filter((e) => e !== ev); }}
+									aria-label="Remove {ev}"
 									class="flex items-center justify-center text-[var(--color-accent)] opacity-60 transition-opacity duration-100 hover:opacity-100"
 								>
 									<svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round">
@@ -1020,11 +1024,12 @@
 
 			<!-- Events -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<label for="edit-events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Events
 				</label>
 				<div class="relative" bind:this={editEventsDropdownEl}>
 					<button
+						id="edit-events-select"
 						onclick={() => { editEventsDropdownOpen = !editEventsDropdownOpen; }}
 						disabled={editing}
 						class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
diff --git a/frontend/src/routes/dashboard/hosts/+page.svelte b/frontend/src/routes/dashboard/hosts/+page.svelte
index c48f063..0b7e134 100644
--- a/frontend/src/routes/dashboard/hosts/+page.svelte
+++ b/frontend/src/routes/dashboard/hosts/+page.svelte
@@ -317,7 +317,15 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
diff --git a/frontend/src/routes/dashboard/keys/+page.svelte b/frontend/src/routes/dashboard/keys/+page.svelte
index 0b004b5..89828f8 100644
--- a/frontend/src/routes/dashboard/keys/+page.svelte
+++ b/frontend/src/routes/dashboard/keys/+page.svelte
@@ -237,7 +237,15 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <!-- Create Key Dialog -->
 {#if showCreate}
diff --git a/frontend/src/routes/dashboard/settings/+page.svelte b/frontend/src/routes/dashboard/settings/+page.svelte
index a8d3c36..92d3479 100644
--- a/frontend/src/routes/dashboard/settings/+page.svelte
+++ b/frontend/src/routes/dashboard/settings/+page.svelte
@@ -498,7 +498,15 @@
 				{/if}
 			</div>
 		</main>
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <!-- Disconnect GitHub dialog -->
 {#if showDisconnectConfirm}
diff --git a/frontend/src/routes/dashboard/team/+page.svelte b/frontend/src/routes/dashboard/team/+page.svelte
index 8146a16..d8f9823 100644
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@@ -459,26 +459,18 @@
 											<p class="mt-1.5 text-meta text-[var(--color-red)]">{nameError}</p>
 										{/if}
 									{:else}
-										<!-- svelte-ignore a11y_click_events_have_key_events -->
-										<div
-											class="group flex items-center gap-2"
-											onclick={canManage ? startEditName : undefined}
-											role={canManage ? 'button' : undefined}
-											tabindex={canManage ? 0 : undefined}
-											onkeydown={canManage
-												? (e) => {
-														if (e.key === 'Enter' || e.key === ' ') startEditName();
-													}
-												: undefined}
-											class:cursor-pointer={canManage}
-											title={canManage ? 'Click to edit' : undefined}
-										>
-											<span
-												class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} {canManage ? 'group-hover:text-[var(--color-text-bright)]' : ''}"
+										{#if canManage}
+											<button
+												type="button"
+												class="group flex items-center gap-2 cursor-pointer"
+												onclick={startEditName}
+												title="Click to edit"
 											>
-												{team.name}
-											</span>
-											{#if canManage}
+												<span
+													class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} group-hover:text-[var(--color-text-bright)]"
+												>
+													{team.name}
+												</span>
 												<svg
 													width="12"
 													height="12"
@@ -495,8 +487,14 @@
 													/>
 													<path d="M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z" />
 												</svg>
-											{/if}
-										</div>
+											</button>
+										{:else}
+											<span
+												class="text-ui font-medium text-[var(--color-text-bright)]"
+											>
+												{team.name}
+											</span>
+										{/if}
 									{/if}
 								</div>
 							</div>
@@ -710,6 +708,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron: Make Admin / Make Member -->
 												<button
+													aria-label="Role actions"
 													onclick={(e) => {
 														e.stopPropagation();
 														if (openDropdownId === member.user_id) {
@@ -804,7 +803,15 @@
 			</div>
 		</main>
 
-	<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
@@ -884,7 +891,7 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
 				class="font-serif text-heading text-[var(--color-text-bright)]"
@@ -1021,7 +1028,7 @@
 
 		<div
 			class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
 				class="font-serif text-heading text-[var(--color-text-bright)]"
@@ -1095,7 +1102,7 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			{#if myRole === 'owner'}
 				<h2
diff --git a/frontend/src/routes/dashboard/templates/+page.svelte b/frontend/src/routes/dashboard/templates/+page.svelte
index f48d09e..f159ed1 100644
--- a/frontend/src/routes/dashboard/templates/+page.svelte
+++ b/frontend/src/routes/dashboard/templates/+page.svelte
@@ -151,7 +151,7 @@
 
 	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
-			<div class="px-8 pt-8">
+			<div class="px-7 pt-8">
 				<div class="flex items-start justify-between">
 					<div>
 						<h1 class="font-serif text-page text-[var(--color-text-bright)]">
@@ -417,6 +417,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron / dropdown trigger -->
 												<button
+													aria-label="More actions"
 													disabled={snapshot.platform}
 													onclick={(e) => {
 														e.stopPropagation();
@@ -459,12 +460,12 @@
 		</main>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
@@ -501,8 +502,10 @@
 <!-- Delete Confirmation Dialog -->
 {#if deleteTarget}
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
 		<div
 			class="absolute inset-0 bg-black/60"
+			role="presentation"
 			onclick={() => { if (!deleting) deleteTarget = null; }}
 			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
 		></div>
@@ -594,9 +597,9 @@
 
 			<!-- Template name (readonly) -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<span class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Template
-				</label>
+				</span>
 				<div class="flex items-center gap-2 rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-0)] px-3 py-2">
 					{#if launchTarget.type === 'snapshot'}
 						<span class="h-1.5 w-1.5 shrink-0 rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/dashboard/usage/+page.svelte b/frontend/src/routes/dashboard/usage/+page.svelte
index c6edb74..216a8f5 100644
--- a/frontend/src/routes/dashboard/usage/+page.svelte
+++ b/frontend/src/routes/dashboard/usage/+page.svelte
@@ -49,10 +49,9 @@
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Resource consumption and execution metrics across your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -114,4 +113,12 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
diff --git a/frontend/src/routes/forgot-password/+page.svelte b/frontend/src/routes/forgot-password/+page.svelte
index 0cd8730..4395366 100644
--- a/frontend/src/routes/forgot-password/+page.svelte
+++ b/frontend/src/routes/forgot-password/+page.svelte
@@ -25,8 +25,8 @@
 	<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease both">
 		<!-- Brand -->
 		<div class="mb-8 flex items-center gap-3">
-			<img src="/logo.svg" alt="Wrenn" class="h-8 w-8 rounded-[var(--radius-logo)]" />
-			<span class="font-brand text-[1.5rem] text-[var(--color-text-bright)]">Wrenn</span>
+			<img src="/logo.svg" alt="Wrenn" class="h-10 w-10 rounded-[var(--radius-logo)]" />
+			<span class="font-brand text-page text-[var(--color-text-bright)]">Wrenn</span>
 		</div>
 
 		{#if submitted}
diff --git a/internal/api/handlers_exec_stream.go b/internal/api/handlers_exec_stream.go
index a47c228..c8b101f 100644
--- a/internal/api/handlers_exec_stream.go
+++ b/internal/api/handlers_exec_stream.go
@@ -20,12 +20,13 @@ import (
 )
 
 type execStreamHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool) *execStreamHandler {
-	return &execStreamHandler{db: db, pool: pool}
+func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *execStreamHandler {
+	return &execStreamHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 var upgrader = websocket.Upgrader{
@@ -51,7 +52,6 @@ type wsOutMsg struct {
 func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -59,13 +59,31 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
 		return
 	}
 
@@ -76,6 +94,20 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	}
 	defer conn.Close()
 
+	h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *execStreamHandler) runExecStream(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
 	// Read the start message.
 	var startMsg wsStartMsg
 	if err := conn.ReadJSON(&startMsg); err != nil {
diff --git a/internal/api/handlers_me.go b/internal/api/handlers_me.go
index c70e302..15aa0bb 100644
--- a/internal/api/handlers_me.go
+++ b/internal/api/handlers_me.go
@@ -512,6 +512,9 @@ func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Delete all teams the user solely owns (no other members).
+	// Team deletion involves RPC calls (sandbox destruction) that cannot be
+	// transactional, so we do those first as best-effort, then wrap the
+	// DB-only cleanup in a transaction.
 	soleTeams, err := h.db.ListSoleOwnedTeams(ctx, ac.UserID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to list owned teams")
@@ -519,20 +522,36 @@ func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
 	}
 	for _, teamID := range soleTeams {
 		if err := h.teamSvc.DeleteTeamInternal(ctx, teamID); err != nil {
-			slog.Warn("account delete: failed to delete sole-owned team",
-				"team_id", id.FormatTeamID(teamID), "error", err)
+			writeError(w, http.StatusInternalServerError, "db_error",
+				fmt.Sprintf("failed to delete sole-owned team %s", id.FormatTeamID(teamID)))
+			return
 		}
 	}
 
-	if err := h.db.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
-		slog.Warn("account delete: failed to delete user's API keys", "error", err)
+	tx, err := h.pool.Begin(ctx)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to start transaction")
+		return
+	}
+	defer tx.Rollback(ctx)
+
+	qtx := h.db.WithTx(tx)
+
+	if err := qtx.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete user's API keys")
+		return
 	}
 
-	if err := h.db.SoftDeleteUser(ctx, ac.UserID); err != nil {
+	if err := qtx.SoftDeleteUser(ctx, ac.UserID); err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete account")
 		return
 	}
 
+	if err := tx.Commit(ctx); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to commit account deletion")
+		return
+	}
+
 	slog.Info("account soft-deleted", "user_id", id.FormatUserID(ac.UserID), "email", user.Email)
 
 	go func() {
diff --git a/internal/api/handlers_process.go b/internal/api/handlers_process.go
index 9d62729..2bb6bb9 100644
--- a/internal/api/handlers_process.go
+++ b/internal/api/handlers_process.go
@@ -20,12 +20,13 @@ import (
 )
 
 type processHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newProcessHandler(db *db.Queries, pool *lifecycle.HostClientPool) *processHandler {
-	return &processHandler{db: db, pool: pool}
+func newProcessHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *processHandler {
+	return &processHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 // processResponse is a single entry in the process list.
@@ -158,7 +159,6 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 	sandboxIDStr := chi.URLParam(r, "id")
 	selectorStr := chi.URLParam(r, "selector")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -166,19 +166,31 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
-		return
-	}
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
 
-	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
-	if err != nil {
-		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("process stream websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendProcessWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
 		return
 	}
 
@@ -189,6 +201,26 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 	}
 	defer conn.Close()
 
+	h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
+}
+
+func (h *processHandler) runConnectProcess(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr, selectorStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendProcessWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendProcessWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		sendProcessWSError(conn, "sandbox host is not reachable")
+		return
+	}
+
 	// Build the connect request with PID or tag selector.
 	connectReq := &pb.ConnectProcessRequest{
 		SandboxId: sandboxIDStr,
diff --git a/internal/api/handlers_pty.go b/internal/api/handlers_pty.go
index 8d571ae..181fc9d 100644
--- a/internal/api/handlers_pty.go
+++ b/internal/api/handlers_pty.go
@@ -30,12 +30,13 @@ const (
 )
 
 type ptyHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newPtyHandler(db *db.Queries, pool *lifecycle.HostClientPool) *ptyHandler {
-	return &ptyHandler{db: db, pool: pool}
+func newPtyHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *ptyHandler {
+	return &ptyHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 // --- WebSocket message types ---
@@ -82,7 +83,6 @@ func (w *wsWriter) writeJSON(v any) {
 func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -90,13 +90,34 @@ func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+	// API key auth is handled by middleware (sets context).
+	// For browser JWT auth, we authenticate after upgrade via first WS message.
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		// No pre-upgrade auth — upgrade first, then authenticate via WS message.
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("pty websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		ws := &wsWriter{conn: conn}
+
+		var wsAC auth.AuthContext
+		if isAdminWSRoute(ctx) {
+			wsAC, err = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, err = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if err != nil {
+			ws.writeJSON(wsPtyOut{Type: "error", Data: "authentication failed", Fatal: true})
+			return
+		}
+		ac = wsAC
+
+		h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
 		return
 	}
 
@@ -108,6 +129,19 @@ func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 	defer conn.Close()
 
 	ws := &wsWriter{conn: conn}
+	h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *ptyHandler) runPtySession(ctx context.Context, ws *wsWriter, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox not found", Fatal: true})
+		return
+	}
+	if sb.Status != "running" {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox is not running (status: " + sb.Status + ")", Fatal: true})
+		return
+	}
 
 	// Read the first message to determine start vs connect.
 	var firstMsg wsPtyIn
diff --git a/internal/api/handlers_snapshots.go b/internal/api/handlers_snapshots.go
index e141b7a..43d3148 100644
--- a/internal/api/handlers_snapshots.go
+++ b/internal/api/handlers_snapshots.go
@@ -133,7 +133,6 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 	ac := auth.MustFromContext(ctx)
-	overwrite := r.URL.Query().Get("overwrite") == "true"
 
 	// Check for global name collision.
 	if _, err := h.db.GetPlatformTemplateByName(ctx, req.Name); err == nil {
@@ -142,20 +141,10 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Check if name already exists for this team.
-	if existing, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
-		if !overwrite {
-			writeError(w, http.StatusConflict, "already_exists", "snapshot name already exists; use ?overwrite=true to replace")
-			return
-		}
-		// Delete old snapshot files from all hosts before removing the DB record.
-		if err := deleteSnapshotBroadcast(ctx, h.db, h.pool, existing.TeamID, existing.ID); err != nil {
-			writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete existing snapshot files")
-			return
-		}
-		if err := h.db.DeleteTemplateByTeam(ctx, db.DeleteTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err != nil {
-			writeError(w, http.StatusInternalServerError, "db_error", "failed to remove existing template record")
-			return
-		}
+	if _, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
+		writeError(w, http.StatusConflict, "template_name_taken",
+			"snapshot name already exists; delete the existing snapshot first to reuse this name")
+		return
 	}
 
 	// Verify sandbox exists, belongs to team, and is running or paused.
diff --git a/internal/api/helpers_ws.go b/internal/api/helpers_ws.go
new file mode 100644
index 0000000..ec1c126
--- /dev/null
+++ b/internal/api/helpers_ws.go
@@ -0,0 +1,109 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gorilla/websocket"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+)
+
+// isWebSocketUpgrade returns true if the request is a WebSocket upgrade.
+func isWebSocketUpgrade(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
+}
+
+// ctxKeyAdminWS is a context key for flagging admin WS routes.
+type ctxKeyAdminWS struct{}
+
+// setAdminWSFlag marks the context as an admin WebSocket route.
+func setAdminWSFlag(ctx context.Context) context.Context {
+	return context.WithValue(ctx, ctxKeyAdminWS{}, true)
+}
+
+// isAdminWSRoute checks if the request context was marked as admin WS.
+func isAdminWSRoute(ctx context.Context) bool {
+	v, _ := ctx.Value(ctxKeyAdminWS{}).(bool)
+	return v
+}
+
+// wsAuthMsg is the first message a browser WS client sends to authenticate.
+type wsAuthMsg struct {
+	Type  string `json:"type"`
+	Token string `json:"token"`
+}
+
+// wsAuthenticate reads a JWT auth message from the WebSocket and returns the
+// authenticated context. The caller must send this as the first message after
+// connecting.
+func wsAuthenticate(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+
+	var msg wsAuthMsg
+	if err := conn.ReadJSON(&msg); err != nil {
+		return auth.AuthContext{}, fmt.Errorf("read auth message: %w", err)
+	}
+
+	conn.SetReadDeadline(time.Time{}) // clear deadline
+
+	if msg.Type != "auth" || msg.Token == "" {
+		return auth.AuthContext{}, fmt.Errorf("first message must be type 'auth' with a token")
+	}
+
+	claims, err := auth.VerifyJWT(jwtSecret, msg.Token)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid or expired token: %w", err)
+	}
+
+	teamID, err := id.ParseTeamID(claims.TeamID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid team ID in token: %w", err)
+	}
+
+	userID, err := id.ParseUserID(claims.Subject)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid user ID in token: %w", err)
+	}
+
+	user, err := queries.GetUserByID(ctx, userID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if user.Status != "active" {
+		return auth.AuthContext{}, fmt.Errorf("account deactivated")
+	}
+
+	return auth.AuthContext{
+		TeamID: teamID,
+		UserID: userID,
+		Email:  claims.Email,
+		Name:   claims.Name,
+		Role:   claims.Role,
+	}, nil
+}
+
+// wsAuthenticateAdmin performs WS-based auth and verifies admin status,
+// returning an AuthContext with the platform team ID.
+func wsAuthenticateAdmin(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	ac, err := wsAuthenticate(ctx, conn, jwtSecret, queries)
+	if err != nil {
+		return auth.AuthContext{}, err
+	}
+
+	user, err := queries.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if !user.IsAdmin {
+		return auth.AuthContext{}, fmt.Errorf("admin access required")
+	}
+
+	ac.TeamID = id.PlatformTeamID
+	return ac, nil
+}
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index 5053b78..b1c9f00 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -94,21 +94,25 @@ func serviceErrToHTTP(err error) (int, string, string) {
 	}
 
 	// Map well-known service error patterns.
+	// Return generic messages for most cases to avoid leaking internal details.
 	switch {
 	case strings.Contains(msg, "not found"):
-		return http.StatusNotFound, "not_found", msg
-	case strings.Contains(msg, "not running"), strings.Contains(msg, "not paused"):
-		return http.StatusConflict, "invalid_state", msg
+		return http.StatusNotFound, "not_found", "resource not found"
+	case strings.Contains(msg, "not running"):
+		return http.StatusConflict, "invalid_state", "resource is not running"
+	case strings.Contains(msg, "not paused"):
+		return http.StatusConflict, "invalid_state", "resource is not paused"
 	case strings.Contains(msg, "conflict:"):
-		return http.StatusConflict, "conflict", msg
+		return http.StatusConflict, "conflict", strings.TrimPrefix(msg, "conflict: ")
 	case strings.Contains(msg, "forbidden"):
-		return http.StatusForbidden, "forbidden", msg
+		return http.StatusForbidden, "forbidden", "forbidden"
 	case strings.Contains(msg, "invalid or expired"):
-		return http.StatusUnauthorized, "unauthorized", msg
+		return http.StatusUnauthorized, "unauthorized", "invalid or expired credentials"
 	case strings.Contains(msg, "invalid"):
-		return http.StatusBadRequest, "invalid_request", msg
+		return http.StatusBadRequest, "invalid_request", "invalid request"
 	default:
-		return http.StatusInternalServerError, "internal_error", msg
+		slog.Error("unhandled service error", "error", err)
+		return http.StatusInternalServerError, "internal_error", "an internal error occurred"
 	}
 }
 
diff --git a/internal/api/middleware_admin.go b/internal/api/middleware_admin.go
index cf23dce..670c586 100644
--- a/internal/api/middleware_admin.go
+++ b/internal/api/middleware_admin.go
@@ -14,6 +14,11 @@ import (
 func injectPlatformTeam() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, ok := auth.FromContext(r.Context()); !ok {
+				// No auth context yet (WS upgrade); handler will inject platform team after WS auth.
+				next.ServeHTTP(w, r)
+				return
+			}
 			ac := auth.MustFromContext(r.Context())
 			ac.TeamID = id.PlatformTeamID
 			ctx := auth.WithAuthContext(r.Context(), ac)
@@ -26,11 +31,19 @@ func injectPlatformTeam() func(http.Handler) http.Handler {
 // Must run after requireJWT (depends on AuthContext being present).
 // Re-validates against the DB — the JWT is_admin claim is for UI only;
 // the DB is the source of truth for admin access.
+// WebSocket upgrade requests without auth context are passed through —
+// admin WS handlers verify admin status after upgrade via wsAuthenticateAdmin.
 func requireAdmin(queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ac, ok := auth.FromContext(r.Context())
 			if !ok {
+				if isWebSocketUpgrade(r) {
+					ctx := r.Context()
+					ctx = setAdminWSFlag(ctx)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "authentication required")
 				return
 			}
diff --git a/internal/api/middleware_auth.go b/internal/api/middleware_auth.go
index 6122ce8..b671047 100644
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@@ -38,12 +38,10 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
-			// Try JWT bearer token (header or query param for WebSocket).
+			// Try JWT bearer token from Authorization header.
 			tokenStr := ""
 			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
 				tokenStr = strings.TrimPrefix(header, "Bearer ")
-			} else if t := r.URL.Query().Get("token"); t != "" {
-				tokenStr = t
 			}
 			if tokenStr != "" {
 				claims, err := auth.VerifyJWT(jwtSecret, tokenStr)
@@ -87,7 +85,15 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
+			// WebSocket upgrade requests may not carry auth headers (browsers
+			// cannot set custom headers on WS connections). Pass through —
+			// the WS handler authenticates via the first message after upgrade.
+			if isWebSocketUpgrade(r) {
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			writeError(w, http.StatusUnauthorized, "unauthorized", "X-API-Key or Authorization: Bearer <token> required")
 		})
 	}
-}
+}
\ No newline at end of file
diff --git a/internal/api/middleware_jwt.go b/internal/api/middleware_jwt.go
index 1b28405..b19c838 100644
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@@ -10,19 +10,25 @@ import (
 	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
-// requireJWT validates a JWT from the Authorization: Bearer header or the
-// ?token= query parameter (for WebSocket connections that cannot send headers).
+// requireJWT validates a JWT from the Authorization: Bearer header.
 // It also verifies the user is still active in the database.
+// WebSocket upgrade requests without an Authorization header are passed through
+// — WS handlers authenticate via the first message after upgrade.
 func requireJWT(secret []byte, queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			var tokenStr string
 			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
 				tokenStr = strings.TrimPrefix(header, "Bearer ")
-			} else if t := r.URL.Query().Get("token"); t != "" {
-				tokenStr = t
 			}
 			if tokenStr == "" {
+				// WebSocket upgrade requests may not have an Authorization header
+				// (browsers cannot set custom headers on WS connections). Let them
+				// through — the handler authenticates via the first WS message.
+				if isWebSocketUpgrade(r) {
+					next.ServeHTTP(w, r)
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "Authorization: Bearer <token> required")
 				return
 			}
diff --git a/internal/api/server.go b/internal/api/server.go
index 6433644..af1e738 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -65,7 +65,7 @@ func New(
 
 	sandbox := newSandboxHandler(sandboxSvc, al)
 	exec := newExecHandler(queries, pool)
-	execStream := newExecStreamHandler(queries, pool)
+	execStream := newExecStreamHandler(queries, pool, jwtSecret)
 	files := newFilesHandler(queries, pool)
 	filesStream := newFilesStreamHandler(queries, pool)
 	fsH := newFSHandler(queries, pool)
@@ -81,8 +81,8 @@ func New(
 	metricsH := newSandboxMetricsHandler(queries, pool)
 	buildH := newBuildHandler(buildSvc, queries, pool)
 	channelH := newChannelHandler(channelSvc, al)
-	ptyH := newPtyHandler(queries, pool)
-	processH := newProcessHandler(queries, pool)
+	ptyH := newPtyHandler(queries, pool, jwtSecret)
+	processH := newProcessHandler(queries, pool, jwtSecret)
 	adminCapsules := newAdminCapsuleHandler(sandboxSvc, queries, pool, al)
 	meH := newMeHandler(queries, pgPool, rdb, jwtSecret, mailer, oauthRegistry, oauthRedirectURL, teamSvc)
 
@@ -144,6 +144,8 @@ func New(
 	r.With(requireJWT(jwtSecret, queries)).Get("/v1/users/search", usersH.Search)
 
 	// Capsule lifecycle: accepts API key or JWT bearer token.
+	// WebSocket upgrade requests without auth headers are passed through by
+	// requireAPIKeyOrJWT — the WS handlers authenticate via first message.
 	r.Route("/v1/capsules", func(r chi.Router) {
 		r.Use(requireAPIKeyOrJWT(queries, jwtSecret))
 		r.Post("/", sandbox.Create)
diff --git a/internal/network/setup.go b/internal/network/setup.go
index 614235a..3874c79 100644
--- a/internal/network/setup.go
+++ b/internal/network/setup.go
@@ -131,26 +131,31 @@ type Slot struct {
 }
 
 // NewSlot computes the addressing for the given slot index (1-based).
+// Index must be in [1, 32767] so that veth offset (index*2) fits in 16 bits.
 func NewSlot(index int) *Slot {
+	if index < 1 || index > 32767 {
+		panic(fmt.Sprintf("slot index %d out of range [1, 32767]", index))
+	}
+
 	hostBaseIP := net.ParseIP(hostBase).To4()
 	vrtBaseIP := net.ParseIP(vrtBase).To4()
 
 	hostIP := make(net.IP, 4)
 	copy(hostIP, hostBaseIP)
-	hostIP[2] += byte(index >> 8)
-	hostIP[3] += byte(index & 0xFF)
+	hostIP[2] = hostBaseIP[2] + byte(index>>8)
+	hostIP[3] = hostBaseIP[3] + byte(index&0xFF)
 
 	vethOffset := index * vrtAddressesPerSlot
 	vethIP := make(net.IP, 4)
 	copy(vethIP, vrtBaseIP)
-	vethIP[2] += byte(vethOffset >> 8)
-	vethIP[3] += byte(vethOffset & 0xFF)
+	vethIP[2] = vrtBaseIP[2] + byte(vethOffset>>8)
+	vethIP[3] = vrtBaseIP[3] + byte(vethOffset&0xFF)
 
 	vpeerOffset := vethOffset + 1
 	vpeerIP := make(net.IP, 4)
 	copy(vpeerIP, vrtBaseIP)
-	vpeerIP[2] += byte(vpeerOffset >> 8)
-	vpeerIP[3] += byte(vpeerOffset & 0xFF)
+	vpeerIP[2] = vrtBaseIP[2] + byte(vpeerOffset>>8)
+	vpeerIP[3] = vrtBaseIP[3] + byte(vpeerOffset&0xFF)
 
 	return &Slot{
 		Index:        index,
diff --git a/internal/vm/manager.go b/internal/vm/manager.go
index 9e9466f..99dbfe3 100644
--- a/internal/vm/manager.go
+++ b/internal/vm/manager.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"sync"
 	"time"
 )
 
@@ -17,6 +18,7 @@ type VM struct {
 
 // Manager handles the lifecycle of Firecracker microVMs.
 type Manager struct {
+	mu sync.RWMutex
 	// vms tracks running VMs by sandbox ID.
 	vms map[string]*VM
 }
@@ -84,7 +86,9 @@ func (m *Manager) Create(ctx context.Context, cfg VMConfig) (*VM, error) {
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM started successfully", "sandbox", cfg.SandboxID)
 
@@ -126,7 +130,9 @@ func configureVM(ctx context.Context, client *fcClient, cfg *VMConfig) error {
 
 // Pause pauses a running VM.
 func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -141,7 +147,9 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 
 // Resume resumes a paused VM.
 func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -156,10 +164,14 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
 
 // Destroy stops and cleans up a VM.
 func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
+	m.mu.Lock()
 	vm, ok := m.vms[sandboxID]
 	if !ok {
+		m.mu.Unlock()
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
+	delete(m.vms, sandboxID)
+	m.mu.Unlock()
 
 	slog.Info("destroying VM", "sandbox", sandboxID)
 
@@ -171,8 +183,6 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 	// Clean up the API socket.
 	os.Remove(vm.Config.SocketPath)
 
-	delete(m.vms, sandboxID)
-
 	slog.Info("VM destroyed", "sandbox", sandboxID)
 	return nil
 }
@@ -180,7 +190,9 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 // Snapshot creates a VM snapshot. The VM must already be paused.
 // snapshotType is "Full" (all memory) or "Diff" (only dirty pages since last resume).
 func (m *Manager) Snapshot(ctx context.Context, sandboxID, snapPath, memPath, snapshotType string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -263,7 +275,9 @@ func (m *Manager) CreateFromSnapshot(ctx context.Context, cfg VMConfig, snapPath
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM restored from snapshot", "sandbox", cfg.SandboxID)
 	return vm, nil
@@ -277,7 +291,9 @@ func (v *VM) PID() int {
 
 // Get returns a running VM by sandbox ID.
 func (m *Manager) Get(sandboxID string) (*VM, bool) {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	return vm, ok
 }
 
diff --git a/pkg/db/users.sql.go b/pkg/db/users.sql.go
index 2bfb6ed..fc30a95 100644
--- a/pkg/db/users.sql.go
+++ b/pkg/db/users.sql.go
@@ -142,7 +142,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1 AND deleted_at IS NULL
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -163,7 +163,7 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1 AND deleted_at IS NULL
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {