From e91109d69c4d6b16195a494da80720243e8982e0 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Thu, 16 Apr 2026 05:29:02 +0600
Subject: [PATCH 1/4] Fix API key cleanup on user deactivation and build
 archive race condition

Delete all API keys created by a user when their account is disabled,
deleted, or soft-deleted. Store build archives before enqueuing to Redis
so workers never dequeue a build with missing files.
---
 db/queries/api_keys.sql     |  3 +++
 internal/api/handlers_me.go |  4 ++++
 pkg/db/api_keys.sql.go      |  9 +++++++++
 pkg/service/build.go        | 12 ++++++------
 pkg/service/user.go         |  6 ++++++
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/db/queries/api_keys.sql b/db/queries/api_keys.sql
index be064a1..f57bf5b 100644
--- a/db/queries/api_keys.sql
+++ b/db/queries/api_keys.sql
@@ -25,3 +25,6 @@ UPDATE team_api_keys SET last_used = NOW() WHERE id = $1;
 
 -- name: DeleteAPIKeysByTeam :exec
 DELETE FROM team_api_keys WHERE team_id = $1;
+
+-- name: DeleteAPIKeysByCreator :exec
+DELETE FROM team_api_keys WHERE created_by = $1;
diff --git a/internal/api/handlers_me.go b/internal/api/handlers_me.go
index aefb7d7..c70e302 100644
--- a/internal/api/handlers_me.go
+++ b/internal/api/handlers_me.go
@@ -524,6 +524,10 @@ func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	if err := h.db.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
+		slog.Warn("account delete: failed to delete user's API keys", "error", err)
+	}
+
 	if err := h.db.SoftDeleteUser(ctx, ac.UserID); err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete account")
 		return
diff --git a/pkg/db/api_keys.sql.go b/pkg/db/api_keys.sql.go
index 55f1bce..b157931 100644
--- a/pkg/db/api_keys.sql.go
+++ b/pkg/db/api_keys.sql.go
@@ -25,6 +25,15 @@ func (q *Queries) DeleteAPIKey(ctx context.Context, arg DeleteAPIKeyParams) erro
 	return err
 }
 
+const deleteAPIKeysByCreator = `-- name: DeleteAPIKeysByCreator :exec
+DELETE FROM team_api_keys WHERE created_by = $1
+`
+
+func (q *Queries) DeleteAPIKeysByCreator(ctx context.Context, createdBy pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteAPIKeysByCreator, createdBy)
+	return err
+}
+
 const deleteAPIKeysByTeam = `-- name: DeleteAPIKeysByTeam :exec
 DELETE FROM team_api_keys WHERE team_id = $1
 `
diff --git a/pkg/service/build.go b/pkg/service/build.go
index 70e67f7..bdb1620 100644
--- a/pkg/service/build.go
+++ b/pkg/service/build.go
@@ -139,16 +139,16 @@ func (s *BuildService) Create(ctx context.Context, p BuildCreateParams) (db.Temp
 		return db.TemplateBuild{}, fmt.Errorf("insert build: %w", err)
 	}
 
-	// Enqueue build ID (as formatted string) to Redis for workers to pick up.
-	if err := s.Redis.RPush(ctx, buildQueueKey, buildIDStr).Err(); err != nil {
-		return db.TemplateBuild{}, fmt.Errorf("enqueue build: %w", err)
-	}
-
-	// Store archive for the worker if provided.
+	// Store archive before enqueue so the worker never dequeues without files.
 	if len(p.Archive) > 0 {
 		s.storeArchive(buildIDStr, p.Archive)
 	}
 
+	if err := s.Redis.RPush(ctx, buildQueueKey, buildIDStr).Err(); err != nil {
+		s.takeArchive(buildIDStr) // clean up on enqueue failure
+		return db.TemplateBuild{}, fmt.Errorf("enqueue build: %w", err)
+	}
+
 	return build, nil
 }
 
diff --git a/pkg/service/user.go b/pkg/service/user.go
index db687c0..9a3a66c 100644
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	"log/slog"
 	"time"
 
 	"github.com/jackc/pgx/v5/pgtype"
@@ -66,5 +67,10 @@ func (s *UserService) SetUserStatus(ctx context.Context, userID pgtype.UUID, sta
 	}); err != nil {
 		return fmt.Errorf("set user status: %w", err)
 	}
+	if status == "disabled" || status == "deleted" {
+		if err := s.DB.DeleteAPIKeysByCreator(ctx, userID); err != nil {
+			slog.Warn("failed to delete API keys for deactivated user", "user_id", userID, "error", err)
+		}
+	}
 	return nil
 }

From ed2222c80ca5a257fdee7f1ecd99fc575c9771cb Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Thu, 16 Apr 2026 05:34:47 +0600
Subject: [PATCH 2/4] Move sidebar into layout files and fix timer cleanup
 across frontend

Sidebar and AdminSidebar were re-instantiated on every page navigation
(17 pages total), causing unnecessary DOM teardown/rebuild and redundant
localStorage reads. Now each lives in its respective +layout.svelte as a
single persistent instance.

Also adds onDestroy cleanup for leaked timers (settings, team, login RAF
loop) and CSS containment on <main> to isolate layout recalculations.
---
 frontend/src/app.css                          |   5 +
 frontend/src/routes/admin/+layout.svelte      |  14 +-
 .../src/routes/admin/capsules/+page.svelte    |  17 +-
 .../routes/admin/capsules/[id]/+page.svelte   |  15 +-
 frontend/src/routes/admin/hosts/+page.svelte  |  29 ++--
 frontend/src/routes/admin/teams/+page.svelte  |  17 +-
 .../src/routes/admin/templates/+page.svelte   |  19 +--
 frontend/src/routes/admin/users/+page.svelte  |  19 +--
 frontend/src/routes/dashboard/+layout.svelte  |  14 +-
 .../src/routes/dashboard/audit/+page.svelte   |  17 +-
 .../src/routes/dashboard/billing/+page.svelte |  19 +--
 .../routes/dashboard/capsules/+layout.svelte  | 145 ++++++++----------
 .../routes/dashboard/channels/+page.svelte    |  15 +-
 .../src/routes/dashboard/hosts/+page.svelte   |  19 +--
 .../src/routes/dashboard/keys/+page.svelte    |  19 +--
 .../src/routes/dashboard/metrics/+page.svelte |  15 +-
 .../routes/dashboard/settings/+page.svelte    |  24 +--
 .../src/routes/dashboard/team/+page.svelte    |  23 +--
 .../routes/dashboard/templates/+page.svelte   |  15 +-
 .../src/routes/dashboard/usage/+page.svelte   |  19 +--
 frontend/src/routes/login/+page.svelte        |   6 +-
 21 files changed, 159 insertions(+), 326 deletions(-)

diff --git a/frontend/src/app.css b/frontend/src/app.css
index 7cad308..823f8ce 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -180,6 +180,11 @@ body {
 	50%       { transform: translateY(-6px); }
 }
 
+/* CSS containment — isolate layout/paint for independent UI regions */
+main {
+	contain: layout style;
+}
+
 /* Respect user motion preferences — covers both CSS class animations and inline style animations */
 @media (prefers-reduced-motion: reduce) {
 	*,
diff --git a/frontend/src/routes/admin/+layout.svelte b/frontend/src/routes/admin/+layout.svelte
index 599de61..de91ec9 100644
--- a/frontend/src/routes/admin/+layout.svelte
+++ b/frontend/src/routes/admin/+layout.svelte
@@ -1,7 +1,19 @@
 <script lang="ts">
+	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import Toaster from '$lib/components/Toaster.svelte';
 	let { children } = $props();
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
 </script>
 
+<div class="flex h-screen overflow-hidden">
+	<AdminSidebar bind:collapsed />
+	<div class="flex flex-1 flex-col overflow-hidden">
+		{@render children()}
+	</div>
+</div>
 <Toaster />
-{@render children()}
diff --git a/frontend/src/routes/admin/capsules/+page.svelte b/frontend/src/routes/admin/capsules/+page.svelte
index 7c7e4b7..ccba40a 100644
--- a/frontend/src/routes/admin/capsules/+page.svelte
+++ b/frontend/src/routes/admin/capsules/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import CreateCapsuleDialog from '$lib/components/CreateCapsuleDialog.svelte';
 	import DestroyDialog from '$lib/components/DestroyDialog.svelte';
 	import CopyButton from '$lib/components/CopyButton.svelte';
@@ -15,12 +14,6 @@
 	const REFRESH_INTERVAL = 15;
 	const SPIN_DURATION = 600;
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let capsules = $state<Capsule[]>([]);
 	let loading = $state(true);
 	let error = $state<string | null>(null);
@@ -243,11 +236,8 @@
 	}
 </style>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
-
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
 		<div class="shrink-0 px-8 pt-8 pb-6">
 			<div class="flex items-center justify-between">
 				<div>
@@ -521,8 +511,7 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</main>
-</div>
+</main>
 
 <CreateCapsuleDialog
 	open={showCreateDialog}
diff --git a/frontend/src/routes/admin/capsules/[id]/+page.svelte b/frontend/src/routes/admin/capsules/[id]/+page.svelte
index ef2a841..0c9d587 100644
--- a/frontend/src/routes/admin/capsules/[id]/+page.svelte
+++ b/frontend/src/routes/admin/capsules/[id]/+page.svelte
@@ -2,7 +2,6 @@
 	import { onMount, onDestroy } from 'svelte';
 	import { page } from '$app/stores';
 	import { goto } from '$app/navigation';
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import TerminalTab from '$lib/components/TerminalTab.svelte';
 	import FilesTab from '$lib/components/FilesTab.svelte';
 	import MetricsPanel from '$lib/components/MetricsPanel.svelte';
@@ -19,12 +18,6 @@
 	const capsuleId: string = $page.params.id ?? '';
 	const API_BASE = '/api/v1/admin/capsules';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let capsule = $state<Capsule | null>(null);
 	let capsuleLoading = $state(true);
 	let capsuleError = $state<string | null>(null);
@@ -129,10 +122,7 @@
 	<title>Wrenn Admin — {capsuleId}</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
-
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
 		{#if capsuleLoading}
 			<div class="flex flex-1 items-center justify-center">
 				<div class="flex items-center gap-3 text-ui text-[var(--color-text-secondary)]">
@@ -237,8 +227,7 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</main>
-</div>
+</main>
 
 <!-- Snapshot dialog -->
 {#if showSnapshot}
diff --git a/frontend/src/routes/admin/hosts/+page.svelte b/frontend/src/routes/admin/hosts/+page.svelte
index 66faf70..5bf899b 100644
--- a/frontend/src/routes/admin/hosts/+page.svelte
+++ b/frontend/src/routes/admin/hosts/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
@@ -16,12 +15,6 @@
 
 	const PAGE_SIZE = 50;
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let activeTab = $state<'platform' | 'byoc'>('platform');
 
 	// All hosts fetched once
@@ -163,19 +156,16 @@
 	onMount(fetchHosts);
 </script>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+		<!-- Subtle gradient wash behind header for depth -->
+		<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
-		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
-			<!-- Subtle gradient wash behind header for depth -->
-			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
-
-			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
-				<div>
-					<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
-						Hosts
+		<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
+			<div>
+				<h1 class="font-serif text-page leading-none text-[var(--color-text-bright)]">
+					Hosts
 					</h1>
 					<p class="mt-2 text-ui text-[var(--color-text-tertiary)]">
 						Platform and BYOC compute across all teams.
@@ -303,7 +293,6 @@
 			{/if}
 		</div>
 	</main>
-</div>
 
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
diff --git a/frontend/src/routes/admin/teams/+page.svelte b/frontend/src/routes/admin/teams/+page.svelte
index bdf3a32..a09b3d9 100644
--- a/frontend/src/routes/admin/teams/+page.svelte
+++ b/frontend/src/routes/admin/teams/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate } from '$lib/utils/format';
@@ -11,12 +10,6 @@
 		type AdminTeamsResponse
 	} from '$lib/api/team';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Data state
 	let teams = $state<AdminTeam[]>([]);
 	let loading = $state(true);
@@ -145,11 +138,8 @@
 	}
 </style>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
-
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
 		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
 			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
@@ -379,8 +369,7 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</main>
-</div>
+</main>
 
 <!-- BYOC confirmation dialog -->
 {#if byocTarget}
diff --git a/frontend/src/routes/admin/templates/+page.svelte b/frontend/src/routes/admin/templates/+page.svelte
index d0da96b..14514ae 100644
--- a/frontend/src/routes/admin/templates/+page.svelte
+++ b/frontend/src/routes/admin/templates/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { onMount, onDestroy } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
@@ -15,12 +14,6 @@
 		type AdminTemplate
 	} from '$lib/api/builds';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let activeTab = $state<'templates' | 'builds'>('templates');
 
 	// Templates state
@@ -265,12 +258,9 @@
 	});
 </script>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
-
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
-		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
 			<!-- Subtle gradient wash behind header for depth -->
 			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
@@ -373,8 +363,7 @@
 				{/if}
 			{/if}
 		</div>
-	</main>
-</div>
+</main>
 
 <!-- ── Snippets ─────────────────────────────────────────────────────── -->
 
diff --git a/frontend/src/routes/admin/users/+page.svelte b/frontend/src/routes/admin/users/+page.svelte
index e933dc3..ca1960e 100644
--- a/frontend/src/routes/admin/users/+page.svelte
+++ b/frontend/src/routes/admin/users/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import AdminSidebar from '$lib/components/AdminSidebar.svelte';
 	import { onMount } from 'svelte';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate } from '$lib/utils/format';
@@ -9,12 +8,6 @@
 		type AdminUser,
 	} from '$lib/api/admin-users';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Data state
 	let users = $state<AdminUser[]>([]);
 	let loading = $state(true);
@@ -112,12 +105,9 @@
 	}
 </style>
 
-<div class="flex h-screen overflow-hidden bg-[var(--color-bg-0)]">
-	<AdminSidebar bind:collapsed />
-
-	<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
-		<!-- Header -->
-		<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
+<main class="flex min-w-0 flex-1 flex-col overflow-hidden">
+	<!-- Header -->
+	<header class="relative shrink-0 border-b border-[var(--color-border)] bg-[var(--color-bg-1)]">
 			<div class="absolute inset-0 bg-gradient-to-b from-[var(--color-accent)]/[0.02] to-transparent pointer-events-none"></div>
 
 			<div class="relative flex items-start justify-between px-8 pt-7 pb-5">
@@ -301,5 +291,4 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</main>
-</div>
+</main>
diff --git a/frontend/src/routes/dashboard/+layout.svelte b/frontend/src/routes/dashboard/+layout.svelte
index 404b561..910fc04 100644
--- a/frontend/src/routes/dashboard/+layout.svelte
+++ b/frontend/src/routes/dashboard/+layout.svelte
@@ -1,7 +1,19 @@
 <script lang="ts">
+	import Sidebar from '$lib/components/Sidebar.svelte';
 	import Toaster from '$lib/components/Toaster.svelte';
 	let { children } = $props();
+
+	let collapsed = $state(
+		typeof window !== 'undefined'
+			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
+			: false
+	);
 </script>
 
-{@render children()}
+<div class="flex h-screen overflow-hidden">
+	<Sidebar bind:collapsed />
+	<div class="flex flex-1 flex-col overflow-hidden">
+		{@render children()}
+	</div>
+</div>
 <Toaster />
diff --git a/frontend/src/routes/dashboard/audit/+page.svelte b/frontend/src/routes/dashboard/audit/+page.svelte
index b4ee5d0..3539f5a 100644
--- a/frontend/src/routes/dashboard/audit/+page.svelte
+++ b/frontend/src/routes/dashboard/audit/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { listAuditLogs, type AuditLog } from '$lib/api/audit';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// ─── Data state ───────────────────────────────────────────────────────────
 
 	let logs = $state<AuditLog[]>([]);
@@ -282,11 +275,7 @@
 	<title>Wrenn — Audit Logs</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 
 			<!-- Header -->
 			<div class="px-7 pt-8">
@@ -551,9 +540,7 @@
 			</div>
 		</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
 
 <style>
 	/* fadeUp and iconFloat are defined globally in app.css — no need to redeclare them here */
diff --git a/frontend/src/routes/dashboard/billing/+page.svelte b/frontend/src/routes/dashboard/billing/+page.svelte
index bb85b0a..a74b6de 100644
--- a/frontend/src/routes/dashboard/billing/+page.svelte
+++ b/frontend/src/routes/dashboard/billing/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	type EndpointStatus = 'loading' | 'available' | 'not_available' | 'error';
 	let status = $state<EndpointStatus>('loading');
 	let errorMsg = $state<string | null>(null);
@@ -47,11 +40,7 @@
 	<title>Wrenn — Billing</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
@@ -124,8 +113,6 @@
 					</div>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
diff --git a/frontend/src/routes/dashboard/capsules/+layout.svelte b/frontend/src/routes/dashboard/capsules/+layout.svelte
index ea44edb..d2080a7 100644
--- a/frontend/src/routes/dashboard/capsules/+layout.svelte
+++ b/frontend/src/routes/dashboard/capsules/+layout.svelte
@@ -1,94 +1,81 @@
 <script lang="ts">
 	import { page } from '$app/stores';
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { capsuleRunningCount } from '$lib/capsule-store.svelte';
 
 	let { children } = $props();
-
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
 </script>
 
 <svelte:head>
 	<title>Wrenn — Capsules</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex flex-1 flex-col overflow-y-auto bg-[var(--color-bg-0)]">
-			<!-- Header area -->
-			{#if $page.params.id}
-				<!-- Breadcrumb header for capsule detail (no border-b — tabs provide it) -->
-				<div class="px-7 pt-8">
-					<div class="flex items-center gap-2.5">
-						<a
-							href="/dashboard/capsules"
-							class="font-serif text-page leading-none text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-						>
-							Capsules
-						</a>
-						<span class="text-[var(--color-text-muted)] select-none" style="font-size: 1.1rem">›</span>
-						<span class="copy-host flex items-center gap-1.5">
-							<span class="font-mono text-[1.1rem] leading-none text-[var(--color-text-bright)]">
-								{$page.params.id}
-							</span>
-							<CopyButton value={$page.params.id} />
-						</span>
-					</div>
-				</div>
-			{:else}
-				<!-- Default list header -->
-				<div class="px-7 pt-8">
-					<div class="flex items-center justify-between">
-						<div>
-							<h1 class="font-serif text-page text-[var(--color-text-bright)]">
-								Capsules
-							</h1>
-							<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
-								All active and recent capsules across your team.
-							</p>
-						</div>
-
-						<div class="flex items-center gap-3">
-							<div
-								class="flex items-center gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-2)] px-3.5 py-2"
-							>
-								<span class="relative flex h-[8px] w-[8px]">
-									<span
-										class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"
-									></span>
-									<span class="relative inline-flex h-[8px] w-[8px] rounded-full bg-[var(--color-accent)]"></span>
-								</span>
-								<span class="font-mono text-body font-semibold text-[var(--color-accent-bright)]">{capsuleRunningCount.value}</span>
-								<span class="text-ui text-[var(--color-text-secondary)]">running now</span>
-							</div>
-						</div>
-					</div>
-
-					<div class="mt-6 border-b border-[var(--color-border)]"></div>
-				</div>
-			{/if}
-
-			{@render children()}
-		</main>
-
-		<!-- Status bar -->
-		<footer
-			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
-		>
-			<div class="flex items-center gap-1.5">
-				<span class="relative flex h-[5px] w-[5px]">
-					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
-					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+<main class="flex flex-1 flex-col overflow-y-auto bg-[var(--color-bg-0)]">
+	<!-- Header area -->
+	{#if $page.params.id}
+		<!-- Breadcrumb header for capsule detail (no border-b — tabs provide it) -->
+		<div class="px-7 pt-8">
+			<div class="flex items-center gap-2.5">
+				<a
+					href="/dashboard/capsules"
+					class="font-serif text-page leading-none text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
+				>
+					Capsules
+				</a>
+				<span class="text-[var(--color-text-muted)] select-none" style="font-size: 1.1rem">›</span>
+				<span class="copy-host flex items-center gap-1.5">
+					<span class="font-mono text-[1.1rem] leading-none text-[var(--color-text-bright)]">
+						{$page.params.id}
+					</span>
+					<CopyButton value={$page.params.id} />
 				</span>
-				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
-		</footer>
+		</div>
+	{:else}
+		<!-- Default list header -->
+		<div class="px-7 pt-8">
+			<div class="flex items-center justify-between">
+				<div>
+					<h1 class="font-serif text-page text-[var(--color-text-bright)]">
+						Capsules
+					</h1>
+					<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
+						All active and recent capsules across your team.
+					</p>
+				</div>
+
+				<div class="flex items-center gap-3">
+					<div
+						class="flex items-center gap-2.5 rounded-[var(--radius-card)] border border-[var(--color-accent)]/20 bg-[var(--color-bg-2)] px-3.5 py-2"
+					>
+						<span class="relative flex h-[8px] w-[8px]">
+							<span
+								class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"
+							></span>
+							<span class="relative inline-flex h-[8px] w-[8px] rounded-full bg-[var(--color-accent)]"></span>
+						</span>
+						<span class="font-mono text-body font-semibold text-[var(--color-accent-bright)]">{capsuleRunningCount.value}</span>
+						<span class="text-ui text-[var(--color-text-secondary)]">running now</span>
+					</div>
+				</div>
+			</div>
+
+			<div class="mt-6 border-b border-[var(--color-border)]"></div>
+		</div>
+	{/if}
+
+	{@render children()}
+</main>
+
+<!-- Status bar -->
+<footer
+	class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
+>
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 	</div>
-</div>
+</footer>
diff --git a/frontend/src/routes/dashboard/channels/+page.svelte b/frontend/src/routes/dashboard/channels/+page.svelte
index 0a57631..71c78ed 100644
--- a/frontend/src/routes/dashboard/channels/+page.svelte
+++ b/frontend/src/routes/dashboard/channels/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { fly } from 'svelte/transition';
 	import { cubicIn, cubicOut } from 'svelte/easing';
@@ -17,12 +16,6 @@
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// List state
 	let channels = $state<Channel[]>([]);
 	let loading = $state(true);
@@ -345,11 +338,7 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-center justify-between">
@@ -562,8 +551,6 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
diff --git a/frontend/src/routes/dashboard/hosts/+page.svelte b/frontend/src/routes/dashboard/hosts/+page.svelte
index e26e7e5..c48f063 100644
--- a/frontend/src/routes/dashboard/hosts/+page.svelte
+++ b/frontend/src/routes/dashboard/hosts/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 	import { toast } from '$lib/toast.svelte';
@@ -15,12 +14,6 @@
 		type CreateHostResult
 	} from '$lib/api/hosts';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let canManage = $derived(auth.role === 'owner' || auth.role === 'admin');
 
 	// List state
@@ -156,11 +149,7 @@
 	<title>Wrenn — Hosts</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-center justify-between">
@@ -326,11 +315,9 @@
 					</p>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
 
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
diff --git a/frontend/src/routes/dashboard/keys/+page.svelte b/frontend/src/routes/dashboard/keys/+page.svelte
index d82104d..0b004b5 100644
--- a/frontend/src/routes/dashboard/keys/+page.svelte
+++ b/frontend/src/routes/dashboard/keys/+page.svelte
@@ -1,16 +1,9 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { listKeys, createKey, revokeKey, type APIKey } from '$lib/api/keys';
 	import { toast } from '$lib/toast.svelte';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// List state
 	let keys = $state<APIKey[]>([]);
 	let loading = $state(true);
@@ -108,11 +101,7 @@
 	<title>Wrenn — API Keys</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div class="flex items-center justify-between">
@@ -246,11 +235,9 @@
 					</p>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
 
 <!-- Create Key Dialog -->
 {#if showCreate}
diff --git a/frontend/src/routes/dashboard/metrics/+page.svelte b/frontend/src/routes/dashboard/metrics/+page.svelte
index eba5a19..80d747c 100644
--- a/frontend/src/routes/dashboard/metrics/+page.svelte
+++ b/frontend/src/routes/dashboard/metrics/+page.svelte
@@ -1,15 +1,8 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import StatsPanel from '$lib/components/StatsPanel.svelte';
 	import CreateCapsuleDialog from '$lib/components/CreateCapsuleDialog.svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let showCreateDialog = $state(false);
 </script>
 
@@ -17,11 +10,7 @@
 	<title>Wrenn — Metrics</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<div class="px-7 pt-8">
 				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
 					Metrics
@@ -50,8 +39,6 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <CreateCapsuleDialog
 	open={showCreateDialog}
diff --git a/frontend/src/routes/dashboard/settings/+page.svelte b/frontend/src/routes/dashboard/settings/+page.svelte
index 490b8b1..a8d3c36 100644
--- a/frontend/src/routes/dashboard/settings/+page.svelte
+++ b/frontend/src/routes/dashboard/settings/+page.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
-	import { onMount } from 'svelte';
+	import { onMount, onDestroy } from 'svelte';
 	import { page } from '$app/stores';
 	import { goto } from '$app/navigation';
 	import { auth } from '$lib/auth.svelte';
@@ -16,12 +15,6 @@
 		type MeResponse
 	} from '$lib/api/me';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	let me = $state<MeResponse | null>(null);
 	let loadError = $state<string | null>(null);
 
@@ -189,17 +182,18 @@
 			toast.error(connectErrors[connectErr] ?? 'Failed to connect account.');
 		}
 	});
+
+	onDestroy(() => {
+		if (nameSavedTimer) clearTimeout(nameSavedTimer);
+		if (passwordSavedTimer) clearTimeout(passwordSavedTimer);
+	});
 </script>
 
 <svelte:head>
 	<title>Wrenn — Settings</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<div>
@@ -504,9 +498,7 @@
 				{/if}
 			</div>
 		</main>
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
 
 <!-- Disconnect GitHub dialog -->
 {#if showDisconnectConfirm}
diff --git a/frontend/src/routes/dashboard/team/+page.svelte b/frontend/src/routes/dashboard/team/+page.svelte
index 5470cfd..8146a16 100644
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
-	import { onMount } from 'svelte';
+	import { onMount, onDestroy } from 'svelte';
 	import { goto } from '$app/navigation';
 	import { fly } from 'svelte/transition';
 	import { cubicOut } from 'svelte/easing';
@@ -23,12 +22,6 @@
 	} from '$lib/api/team';
 	import { teams as teamsStore } from '$lib/teams.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Page data
 	let team = $state<TeamInfo | null>(null);
 	let members = $state<TeamMember[]>([]);
@@ -284,6 +277,10 @@
 	}
 
 	onMount(fetchTeam);
+
+	onDestroy(() => {
+		if (searchTimeout) clearTimeout(searchTimeout);
+	});
 </script>
 
 <svelte:head>
@@ -318,11 +315,7 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
@@ -811,9 +804,7 @@
 			</div>
 		</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+	<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
diff --git a/frontend/src/routes/dashboard/templates/+page.svelte b/frontend/src/routes/dashboard/templates/+page.svelte
index 550e9b5..f48d09e 100644
--- a/frontend/src/routes/dashboard/templates/+page.svelte
+++ b/frontend/src/routes/dashboard/templates/+page.svelte
@@ -1,5 +1,4 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import CopyButton from '$lib/components/CopyButton.svelte';
 	import { onMount } from 'svelte';
 	import { goto } from '$app/navigation';
@@ -13,12 +12,6 @@
 	} from '$lib/api/capsules';
 	import { formatDate, timeAgo } from '$lib/utils/format';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	// Page tab — Images is disabled/future
 	let pageTab = $state<'snapshots' | 'images'>('snapshots');
 
@@ -156,11 +149,7 @@
 	}}
 />
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-8 pt-8">
 				<div class="flex items-start justify-between">
@@ -479,8 +468,6 @@
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
-	</div>
-</div>
 
 <!-- Split button dropdown -->
 {#if openDropdownName}
diff --git a/frontend/src/routes/dashboard/usage/+page.svelte b/frontend/src/routes/dashboard/usage/+page.svelte
index e09b7f7..c6edb74 100644
--- a/frontend/src/routes/dashboard/usage/+page.svelte
+++ b/frontend/src/routes/dashboard/usage/+page.svelte
@@ -1,14 +1,7 @@
 <script lang="ts">
-	import Sidebar from '$lib/components/Sidebar.svelte';
 	import { onMount } from 'svelte';
 	import { auth } from '$lib/auth.svelte';
 
-	let collapsed = $state(
-		typeof window !== 'undefined'
-			? localStorage.getItem('wrenn_sidebar_collapsed') === 'true'
-			: false
-	);
-
 	type EndpointStatus = 'loading' | 'available' | 'not_available' | 'error';
 	let status = $state<EndpointStatus>('loading');
 	let errorMsg = $state<string | null>(null);
@@ -47,11 +40,7 @@
 	<title>Wrenn — Usage</title>
 </svelte:head>
 
-<div class="flex h-screen overflow-hidden">
-	<Sidebar bind:collapsed />
-
-	<div class="flex flex-1 flex-col overflow-hidden">
-		<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
+<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
 			<div class="px-7 pt-8">
 				<h1 class="font-serif text-page text-[var(--color-text-bright)]">
@@ -123,8 +112,6 @@
 					</div>
 				{/if}
 			</div>
-		</main>
+	</main>
 
-		<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
-	</div>
-</div>
+<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index 2751add..f895cd0 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { goto } from '$app/navigation';
-	import { onMount } from 'svelte';
+	import { onMount, onDestroy } from 'svelte';
 	import { page } from '$app/stores';
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';
@@ -83,6 +83,10 @@
 		}
 	}
 
+	onDestroy(() => {
+		if (rafId !== null) cancelAnimationFrame(rafId);
+	});
+
 	const title = $derived(mode === 'signin' ? 'Welcome back' : 'Create account');
 	const subtitle = $derived(
 		mode === 'signin' ? 'Sign in to your Wrenn account' : 'Get started with Wrenn'

From 9ea847923c792b80de568da8c4253327ee1d1c14 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Thu, 16 Apr 2026 06:11:42 +0600
Subject: [PATCH 3/4] Fix concurrency, security, and correctness issues across
 backend and frontend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- C1: Add sync.RWMutex to vm.Manager to protect concurrent vms map access
- H1: Fix IP arithmetic overflow in network slot addressing (byte truncation)
- H5: Fix MultiplexedChannel.Fork() TOCTOU race (move exited check inside lock)
- H8: Remove snapshot overwrite — return template_name_taken conflict instead
- H9: Wrap DeleteAccount DB ops in a transaction, make team deletion fatal
- H10: Sanitize serviceErrToHTTP to stop leaking internal error messages
- H11: Add deleted_at IS NULL to GetUserByEmail/GetUserByID queries
- H12: Add id DESC to audit log composite index for cursor pagination
- H15: Delete dead AuthModal.svelte component
- H17: Move JWT from WebSocket URL query param to first WS message
- H18: Fix $derived to $derived.by in FilesTab breadcrumbs
---
 db/migrations/20260310094104_initial.sql      |   2 +-
 db/queries/users.sql                          |   4 +-
 .../services/process/handler/multiplex.go     |  10 +-
 frontend/src/app.css                          |   6 +-
 frontend/src/lib/components/AuthModal.svelte  | 210 ------------------
 frontend/src/lib/components/FilesTab.svelte   |   6 +-
 .../src/lib/components/MetricsPanel.svelte    |   3 +-
 .../src/lib/components/TerminalTab.svelte     |  10 +-
 frontend/src/lib/components/Toaster.svelte    |   1 +
 .../src/routes/admin/capsules/+page.svelte    |   2 +-
 frontend/src/routes/admin/hosts/+page.svelte  |  10 +
 frontend/src/routes/admin/teams/+page.svelte  |   2 +-
 .../src/routes/admin/templates/+page.svelte   |  11 +
 frontend/src/routes/admin/users/+page.svelte  |   2 +-
 .../src/routes/dashboard/audit/+page.svelte   |  10 +-
 .../src/routes/dashboard/billing/+page.svelte |  13 +-
 .../routes/dashboard/capsules/+page.svelte    |  21 +-
 .../routes/dashboard/channels/+page.svelte    |  19 +-
 .../src/routes/dashboard/hosts/+page.svelte   |  10 +-
 .../src/routes/dashboard/keys/+page.svelte    |  10 +-
 .../routes/dashboard/settings/+page.svelte    |  10 +-
 .../src/routes/dashboard/team/+page.svelte    |  57 ++---
 .../routes/dashboard/templates/+page.svelte   |  19 +-
 .../src/routes/dashboard/usage/+page.svelte   |  13 +-
 .../src/routes/forgot-password/+page.svelte   |   4 +-
 internal/api/handlers_exec_stream.go          |  56 ++++-
 internal/api/handlers_me.go                   |  29 ++-
 internal/api/handlers_process.go              |  66 ++++--
 internal/api/handlers_pty.go                  |  58 ++++-
 internal/api/handlers_snapshots.go            |  19 +-
 internal/api/helpers_ws.go                    | 109 +++++++++
 internal/api/middleware.go                    |  20 +-
 internal/api/middleware_admin.go              |  13 ++
 internal/api/middleware_auth.go               |  14 +-
 internal/api/middleware_jwt.go                |  14 +-
 internal/api/server.go                        |   8 +-
 internal/network/setup.go                     |  17 +-
 internal/vm/manager.go                        |  20 +-
 pkg/db/users.sql.go                           |   4 +-
 39 files changed, 532 insertions(+), 380 deletions(-)
 delete mode 100644 frontend/src/lib/components/AuthModal.svelte
 create mode 100644 internal/api/helpers_ws.go

diff --git a/db/migrations/20260310094104_initial.sql b/db/migrations/20260310094104_initial.sql
index 6c8afc4..22544a5 100644
--- a/db/migrations/20260310094104_initial.sql
+++ b/db/migrations/20260310094104_initial.sql
@@ -171,7 +171,7 @@ CREATE TABLE audit_logs (
     metadata      JSONB NOT NULL DEFAULT '{}',
     created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
-CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC);
+CREATE INDEX idx_audit_logs_team_time ON audit_logs(team_id, created_at DESC, id DESC);
 CREATE INDEX idx_audit_logs_team_resource ON audit_logs(team_id, resource_type, created_at DESC);
 
 -- sandbox_metrics_snapshots
diff --git a/db/queries/users.sql b/db/queries/users.sql
index 1c902a3..783f22b 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -4,10 +4,10 @@ VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: GetUserByEmail :one
-SELECT * FROM users WHERE email = $1;
+SELECT * FROM users WHERE email = $1 AND deleted_at IS NULL;
 
 -- name: GetUserByID :one
-SELECT * FROM users WHERE id = $1;
+SELECT * FROM users WHERE id = $1 AND deleted_at IS NULL;
 
 -- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
diff --git a/envd/internal/services/process/handler/multiplex.go b/envd/internal/services/process/handler/multiplex.go
index a3f6ea3..88f0916 100644
--- a/envd/internal/services/process/handler/multiplex.go
+++ b/envd/internal/services/process/handler/multiplex.go
@@ -35,27 +35,27 @@ func NewMultiplexedChannel[T any](buffer int) *MultiplexedChannel[T] {
 			c.mu.RUnlock()
 		}
 
+		c.mu.Lock()
 		c.exited.Store(true)
-
 		for _, cons := range c.channels {
 			close(cons)
 		}
+		c.mu.Unlock()
 	}()
 
 	return c
 }
 
 func (m *MultiplexedChannel[T]) Fork() (chan T, func()) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	if m.exited.Load() {
 		ch := make(chan T)
 		close(ch)
-
 		return ch, func() {}
 	}
 
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
 	consumer := make(chan T, 4096)
 
 	m.channels = append(m.channels, consumer)
diff --git a/frontend/src/app.css b/frontend/src/app.css
index 823f8ce..d76358b 100644
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -180,9 +180,11 @@ body {
 	50%       { transform: translateY(-6px); }
 }
 
-/* CSS containment — isolate layout/paint for independent UI regions */
+/* CSS containment — isolate paint for independent UI regions.
+   Note: `contain: layout` is omitted because it creates a containing block
+   that breaks `position: fixed` popups rendered inside <main>. */
 main {
-	contain: layout style;
+	contain: style;
 }
 
 /* Respect user motion preferences — covers both CSS class animations and inline style animations */
diff --git a/frontend/src/lib/components/AuthModal.svelte b/frontend/src/lib/components/AuthModal.svelte
deleted file mode 100644
index fddedaa..0000000
--- a/frontend/src/lib/components/AuthModal.svelte
+++ /dev/null
@@ -1,210 +0,0 @@
-<script lang="ts">
-	import { Dialog } from 'bits-ui';
-	import {
-		IconGithub,
-		IconMail,
-		IconLock,
-		IconUser,
-		IconX,
-		IconEye,
-		IconEyeOff
-	} from './icons';
-
-	let {
-		mode = $bindable('signin'),
-		open = $bindable(false),
-		onSwitchMode
-	}: {
-		mode: 'signin' | 'signup';
-		open: boolean;
-		onSwitchMode: () => void;
-	} = $props();
-
-	let email = $state('');
-	let password = $state('');
-	let name = $state('');
-	let showPassword = $state(false);
-
-	const title = $derived(mode === 'signin' ? 'Welcome back' : 'Create account');
-	const subtitle = $derived(
-		mode === 'signin' ? 'Sign in to your Wrenn account' : 'Get started with Wrenn'
-	);
-	const submitLabel = $derived(mode === 'signin' ? 'Sign in' : 'Create account');
-	const switchText = $derived(
-		mode === 'signin' ? "Don't have an account?" : 'Already have an account?'
-	);
-	const switchAction = $derived(mode === 'signin' ? 'Sign up' : 'Sign in');
-
-	function handleSubmit(e: Event) {
-		e.preventDefault();
-	}
-</script>
-
-<Dialog.Root bind:open>
-	<Dialog.Portal>
-		<Dialog.Overlay
-			class="fixed inset-0 z-50 bg-black/70 backdrop-blur-[3px]"
-			style="animation: overlayFadeIn 200ms ease"
-		/>
-		<Dialog.Content
-			class="fixed left-1/2 top-1/2 z-50 w-[calc(100%-2rem)] max-w-[400px] -translate-x-1/2 -translate-y-1/2 rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-0"
-			style="animation: contentSlideIn 250ms cubic-bezier(0.16, 1, 0.3, 1)"
-		>
-			<!-- Close button -->
-			<Dialog.Close
-				class="absolute right-3 top-3 flex h-7 w-7 items-center justify-center rounded-[var(--radius-button)] border border-transparent text-[var(--color-text-tertiary)] transition-colors duration-150 hover:border-[var(--color-border-mid)] hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-secondary)]"
-			>
-				<IconX size={14} />
-			</Dialog.Close>
-
-			<div class="px-7 pb-7 pt-8">
-				<!-- Header -->
-				<div class="mb-7">
-					<Dialog.Title
-						class="font-serif text-page text-[var(--color-text-bright)]"
-					>
-						{title}
-					</Dialog.Title>
-					<Dialog.Description
-						class="mt-1 text-ui text-[var(--color-text-secondary)]"
-					>
-						{subtitle}
-					</Dialog.Description>
-				</div>
-
-				<!-- GitHub OAuth -->
-				<button
-					type="button"
-					class="flex w-full items-center justify-center gap-2.5 rounded-[var(--radius-button)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] px-4 py-2.5 text-ui font-medium text-[var(--color-text-bright)] transition-all duration-150 hover:border-[var(--color-accent)] hover:text-[var(--color-text-bright)]"
-				>
-					<IconGithub size={16} />
-					Continue with GitHub
-				</button>
-
-				<!-- Divider -->
-				<div class="my-5 flex items-center gap-3">
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-					<span
-						class="font-mono text-badge uppercase tracking-[0.1em] text-[var(--color-text-muted)]"
-						>or</span
-					>
-					<div class="h-px flex-1 bg-[var(--color-border)]"></div>
-				</div>
-
-				<!-- Form -->
-				<form onsubmit={handleSubmit} class="space-y-3">
-					{#if mode === 'signup'}
-						<div class="group relative">
-							<div
-								class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-							>
-								<IconUser size={14} />
-							</div>
-							<input
-								type="text"
-								bind:value={name}
-								placeholder="Full name"
-								autocomplete="name"
-								class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-							/>
-						</div>
-					{/if}
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconMail size={14} />
-						</div>
-						<input
-							type="email"
-							bind:value={email}
-							placeholder="Email address"
-							autocomplete="email"
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-3 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-					</div>
-
-					<div class="group relative">
-						<div
-							class="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 group-focus-within:text-[var(--color-accent)]"
-						>
-							<IconLock size={14} />
-						</div>
-						<input
-							type={showPassword ? 'text' : 'password'}
-							bind:value={password}
-							placeholder="Password"
-							autocomplete={mode === 'signin' ? 'current-password' : 'new-password'}
-							class="w-full rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-2)] py-2.5 pl-9 pr-10 text-ui text-[var(--color-text-bright)] outline-none transition-all duration-150 placeholder:text-[var(--color-text-muted)] focus:border-[var(--color-accent)]"
-						/>
-						<button
-							type="button"
-							onclick={() => (showPassword = !showPassword)}
-							class="absolute right-3 top-1/2 -translate-y-1/2 text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
-							tabindex={-1}
-						>
-							{#if showPassword}
-								<IconEyeOff size={14} />
-							{:else}
-								<IconEye size={14} />
-							{/if}
-						</button>
-					</div>
-
-					{#if mode === 'signin'}
-						<div class="flex justify-end">
-							<button
-								type="button"
-								class="text-meta text-[var(--color-text-secondary)] transition-colors duration-150 hover:text-[var(--color-accent-mid)]"
-							>
-								Forgot password?
-							</button>
-						</div>
-					{/if}
-
-					<button
-						type="submit"
-						class="!mt-5 w-full rounded-[var(--radius-button)] bg-[var(--color-accent)] px-4 py-2.5 text-ui font-semibold text-white transition-all duration-150 hover:brightness-115 hover:-translate-y-px active:translate-y-0"
-					>
-						{submitLabel}
-					</button>
-				</form>
-
-				<!-- Switch mode -->
-				<p class="mt-5 text-center text-meta text-[var(--color-text-secondary)]">
-					{switchText}
-					<button
-						type="button"
-						onclick={onSwitchMode}
-						class="font-medium text-[var(--color-text-primary)] transition-colors duration-150 hover:text-[var(--color-text-bright)]"
-					>
-						{switchAction}
-					</button>
-				</p>
-			</div>
-		</Dialog.Content>
-	</Dialog.Portal>
-</Dialog.Root>
-
-<style>
-	@keyframes overlayFadeIn {
-		from {
-			opacity: 0;
-		}
-		to {
-			opacity: 1;
-		}
-	}
-
-	@keyframes contentSlideIn {
-		from {
-			opacity: 0;
-			transform: translate(-50%, -48%) scale(0.96);
-		}
-		to {
-			opacity: 1;
-			transform: translate(-50%, -50%) scale(1);
-		}
-	}
-</style>
diff --git a/frontend/src/lib/components/FilesTab.svelte b/frontend/src/lib/components/FilesTab.svelte
index bdc2a75..46c2d4a 100644
--- a/frontend/src/lib/components/FilesTab.svelte
+++ b/frontend/src/lib/components/FilesTab.svelte
@@ -81,7 +81,7 @@
 	);
 
 	// Breadcrumb segments from currentPath
-	const breadcrumbs = $derived(() => {
+	const breadcrumbs = $derived.by(() => {
 		const parts = currentPath.split('/').filter(Boolean);
 		const crumbs: { name: string; path: string }[] = [{ name: '/', path: '/' }];
 		for (let i = 0; i < parts.length; i++) {
@@ -517,7 +517,7 @@
 					</svg>
 				</button>
 				<span class="w-px h-4 bg-[var(--color-border)] shrink-0 mx-1"></span>
-				{#each breadcrumbs() as crumb, i}
+				{#each breadcrumbs as crumb, i}
 					{#if i > 0}
 						<svg class="shrink-0 text-[var(--color-text-muted)]" width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
 							<polyline points="9 18 15 12 9 6" />
@@ -526,7 +526,7 @@
 					<button
 						onclick={() => navigateTo(crumb.path)}
 						class="shrink-0 rounded-[3px] px-1.5 py-0.5 font-mono text-label transition-colors hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-primary)]
-							{i === breadcrumbs().length - 1
+							{i === breadcrumbs.length - 1
 								? 'text-[var(--color-text-primary)]'
 								: 'text-[var(--color-text-tertiary)]'}"
 					>
diff --git a/frontend/src/lib/components/MetricsPanel.svelte b/frontend/src/lib/components/MetricsPanel.svelte
index 61a7e37..38a424d 100644
--- a/frontend/src/lib/components/MetricsPanel.svelte
+++ b/frontend/src/lib/components/MetricsPanel.svelte
@@ -20,8 +20,9 @@
 		layout?: 'full' | 'compact';
 	};
 
-	let { capsuleId, available, initialRange = '10m', apiBasePath = '/api/v1/capsules', layout = 'full' }: Props = $props();
+	let { capsuleId, available, initialRange = '10m' as MetricRange, apiBasePath = '/api/v1/capsules', layout = 'full' }: Props = $props();
 
+	// svelte-ignore state_referenced_locally
 	let range = $state<MetricRange>(initialRange);
 	let points = $state<MetricPoint[]>([]);
 	let metricsLoading = $state(true);
diff --git a/frontend/src/lib/components/TerminalTab.svelte b/frontend/src/lib/components/TerminalTab.svelte
index ab3774a..e7eadf4 100644
--- a/frontend/src/lib/components/TerminalTab.svelte
+++ b/frontend/src/lib/components/TerminalTab.svelte
@@ -93,8 +93,7 @@
 
 	function getWsUrl(): string {
 		const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
-		const token = auth.token ? `?token=${encodeURIComponent(auth.token)}` : '';
-		return `${proto}//${window.location.host}${apiBasePath}/${capsuleId}/pty${token}`;
+		return `${proto}//${window.location.host}${apiBasePath}/${capsuleId}/pty`;
 	}
 
 	function wsSend(ws: WebSocket | null, data: string) {
@@ -256,6 +255,11 @@
 		const int = internals.get(id);
 		if (!int) return;
 
+		if (!auth.token) {
+			updateSession(id, { state: 'error', errorMessage: 'Not authenticated' });
+			return;
+		}
+
 		const display = sessions.find(s => s.id === id);
 		const tag = reconnectTag ?? display?.ptyTag;
 
@@ -264,6 +268,8 @@
 		updateSession(id, { state: 'connecting', errorMessage: null });
 
 		ws.onopen = () => {
+			// Send auth as the first message (JWT no longer in URL).
+			wsSend(ws, JSON.stringify({ type: 'auth', token: auth.token }));
 			const { cols, rows } = int.term;
 			const msg: Record<string, unknown> = {
 				type: tag ? 'connect' : 'start',
diff --git a/frontend/src/lib/components/Toaster.svelte b/frontend/src/lib/components/Toaster.svelte
index bb846dc..d81917f 100644
--- a/frontend/src/lib/components/Toaster.svelte
+++ b/frontend/src/lib/components/Toaster.svelte
@@ -13,6 +13,7 @@
 			<span class="flex-1 leading-relaxed">{t.message}</span>
 			<button
 				onclick={() => toast.dismiss(t.id)}
+				aria-label="Dismiss"
 				class="mt-0.5 shrink-0 opacity-50 transition-opacity hover:opacity-100"
 			>
 				<svg width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round">
diff --git a/frontend/src/routes/admin/capsules/+page.svelte b/frontend/src/routes/admin/capsules/+page.svelte
index ccba40a..b0f1923 100644
--- a/frontend/src/routes/admin/capsules/+page.svelte
+++ b/frontend/src/routes/admin/capsules/+page.svelte
@@ -501,7 +501,7 @@
 
 		<!-- Status bar -->
 		<footer
-			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8"
+			class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7"
 		>
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
diff --git a/frontend/src/routes/admin/hosts/+page.svelte b/frontend/src/routes/admin/hosts/+page.svelte
index 5bf899b..30b3ad5 100644
--- a/frontend/src/routes/admin/hosts/+page.svelte
+++ b/frontend/src/routes/admin/hosts/+page.svelte
@@ -294,6 +294,16 @@
 		</div>
 	</main>
 
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
+
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] bg-[var(--color-bg-1)] overflow-hidden shadow-sm">
 		<table class="w-full">
diff --git a/frontend/src/routes/admin/teams/+page.svelte b/frontend/src/routes/admin/teams/+page.svelte
index a09b3d9..90a8db2 100644
--- a/frontend/src/routes/admin/teams/+page.svelte
+++ b/frontend/src/routes/admin/teams/+page.svelte
@@ -360,7 +360,7 @@
 		</div>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
 					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/admin/templates/+page.svelte b/frontend/src/routes/admin/templates/+page.svelte
index 14514ae..ae678ed 100644
--- a/frontend/src/routes/admin/templates/+page.svelte
+++ b/frontend/src/routes/admin/templates/+page.svelte
@@ -365,6 +365,16 @@
 		</div>
 </main>
 
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
+
 <!-- ── Snippets ─────────────────────────────────────────────────────── -->
 
 {#snippet skeletonRows(count: number, headers: string[])}
@@ -838,6 +848,7 @@
 								<span class="font-mono">{createForm.archive.name}</span>
 								<button
 									onclick={() => { createForm.archive = null; }}
+									aria-label="Remove file"
 									class="text-[var(--color-text-muted)] hover:text-[var(--color-red)] transition-colors"
 								>
 									<svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><line x1="18" y1="6" x2="6" y2="18"/><line x1="6" y1="6" x2="18" y2="18"/></svg>
diff --git a/frontend/src/routes/admin/users/+page.svelte b/frontend/src/routes/admin/users/+page.svelte
index ca1960e..3630f4f 100644
--- a/frontend/src/routes/admin/users/+page.svelte
+++ b/frontend/src/routes/admin/users/+page.svelte
@@ -282,7 +282,7 @@
 		</div>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
 				<span class="relative flex h-[5px] w-[5px]">
 					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/dashboard/audit/+page.svelte b/frontend/src/routes/dashboard/audit/+page.svelte
index 3539f5a..3923155 100644
--- a/frontend/src/routes/dashboard/audit/+page.svelte
+++ b/frontend/src/routes/dashboard/audit/+page.svelte
@@ -540,7 +540,15 @@
 			</div>
 		</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <style>
 	/* fadeUp and iconFloat are defined globally in app.css — no need to redeclare them here */
diff --git a/frontend/src/routes/dashboard/billing/+page.svelte b/frontend/src/routes/dashboard/billing/+page.svelte
index a74b6de..f82fccc 100644
--- a/frontend/src/routes/dashboard/billing/+page.svelte
+++ b/frontend/src/routes/dashboard/billing/+page.svelte
@@ -49,10 +49,9 @@
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Subscription, invoices, and payment methods for your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -115,4 +114,12 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
diff --git a/frontend/src/routes/dashboard/capsules/+page.svelte b/frontend/src/routes/dashboard/capsules/+page.svelte
index be158e7..d7fd84c 100644
--- a/frontend/src/routes/dashboard/capsules/+page.svelte
+++ b/frontend/src/routes/dashboard/capsules/+page.svelte
@@ -371,7 +371,7 @@
 	{/if}
 
 	<!-- Table -->
-	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
+	<div class="min-w-0 rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
 		<!-- Table header -->
 		<div class="grid grid-cols-[1.6fr_0.8fr_0.5fr_0.5fr_0.6fr_1fr_0.9fr] rounded-t-[var(--radius-card)] border-b border-[var(--color-border)] bg-[var(--color-bg-3)]">
 			<div class="px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)]">ID</div>
@@ -380,7 +380,7 @@
 			{@render sortableHeader('Memory', 'memory_mb')}
 			{@render sortableHeader('Idle Timeout', 'timeout_sec')}
 			{@render sortableHeader('Started', 'started_at')}
-			{@render sortableHeader('Status', 'status')}
+			{@render sortableHeader('Status', 'status', 'right')}
 		</div>
 
 		{#if loading && capsules.length === 0}
@@ -456,7 +456,7 @@
 					<div class="row-stripe pointer-events-none absolute left-0 top-0 h-full w-0.5 {stripeColor}"></div>
 
 					<!-- ID with status dot -->
-					<div class="flex items-center gap-2.5 px-5 py-4">
+					<div class="flex min-w-0 items-center gap-2.5 px-5 py-4">
 						{#if capsule.status === 'running'}
 							<span class="relative flex h-[6px] w-[6px] shrink-0">
 								<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
@@ -469,9 +469,9 @@
 						{/if}
 						{#if searchQuery && capsule.id.toLowerCase().includes(searchQuery.toLowerCase())}
 							{@const matchIdx = capsule.id.toLowerCase().indexOf(searchQuery.toLowerCase())}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id.slice(0, matchIdx)}<mark class="rounded-[2px] bg-[var(--color-accent-glow-mid)] px-0.5 text-[var(--color-accent-bright)] not-italic">{capsule.id.slice(matchIdx, matchIdx + searchQuery.length)}</mark>{capsule.id.slice(matchIdx + searchQuery.length)}</a>
 						{:else}
-							<a href="/dashboard/capsules/{capsule.id}" class="font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
+							<a href="/dashboard/capsules/{capsule.id}" class="truncate font-mono text-ui text-[var(--color-text-bright)] hover:text-[var(--color-accent-bright)] transition-colors duration-150">{capsule.id}</a>
 						{/if}
 						<CopyButton value={capsule.id} />
 					</div>
@@ -505,7 +505,7 @@
 					</div>
 
 					<!-- Status button with popover -->
-					<div class="relative px-5 py-4 status-menu-container">
+					<div class="relative flex items-center justify-end px-5 py-4 status-menu-container">
 						{#if actionLoading === capsule.id}
 							<span class="inline-flex items-center gap-1.5 text-ui text-[var(--color-text-secondary)]">
 								<svg class="animate-spin" width="13" height="13" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -522,10 +522,13 @@
 										const rect = (e.currentTarget as HTMLElement).getBoundingClientRect();
 										const menuW = 180;
 										const menuH = 140; // approximate max menu height
+										const vw = document.documentElement.clientWidth;
 										const top = rect.bottom + 4 + menuH > window.innerHeight
 											? rect.top - menuH - 4
 											: rect.bottom + 4;
-										const left = Math.max(8, Math.min(rect.right - menuW, window.innerWidth - menuW - 8));
+										// Anchor right edge of menu to right edge of button, clamped within viewport
+										const idealLeft = rect.right - menuW;
+										const left = Math.min(Math.max(8, idealLeft), vw - menuW - 8);
 										menuPos = { top, left };
 										openMenuId = capsule.id;
 									}
@@ -641,10 +644,10 @@
 	oncreated={handleCapsuleCreated}
 />
 
-{#snippet sortableHeader(label: string, key: SortKey)}
+{#snippet sortableHeader(label: string, key: SortKey, align: 'left' | 'right' = 'left')}
 	<button
 		onclick={() => toggleSort(key)}
-		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)]"
+		class="flex items-center gap-1 px-5 py-3 text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-muted)] transition-colors duration-150 hover:text-[var(--color-text-secondary)] {align === 'right' ? 'ml-auto' : ''}"
 	>
 		{label}
 		{#if sortKey === key}
diff --git a/frontend/src/routes/dashboard/channels/+page.svelte b/frontend/src/routes/dashboard/channels/+page.svelte
index 71c78ed..2f5cb0d 100644
--- a/frontend/src/routes/dashboard/channels/+page.svelte
+++ b/frontend/src/routes/dashboard/channels/+page.svelte
@@ -523,6 +523,7 @@
 													openDropdownId = ch.id;
 												}
 											}}
+											aria-label="More actions"
 											class="flex items-center px-2 py-1.5 text-[var(--color-text-secondary)] transition-colors duration-150 hover:bg-[var(--color-bg-4)] hover:text-[var(--color-text-bright)]"
 										>
 											<svg
@@ -544,10 +545,10 @@
 		<!-- Status bar -->
 		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
@@ -660,11 +661,12 @@
 
 				<!-- Provider -->
 				<div class="mt-4">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="provider-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Provider
 					</label>
 					<div class="relative" bind:this={providerDropdownEl}>
 						<button
+							id="provider-select"
 							onclick={() => { providerDropdownOpen = !providerDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -799,11 +801,12 @@
 
 				<!-- Events dropdown -->
 				<div class="mt-5">
-					<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+					<label for="events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 						Events
 					</label>
 					<div class="relative" bind:this={eventsDropdownEl}>
 						<button
+							id="events-select"
 							onclick={() => { eventsDropdownOpen = !eventsDropdownOpen; }}
 							disabled={creating}
 							class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
@@ -850,6 +853,7 @@
 								{ev}
 								<button
 									onclick={() => { createEvents = createEvents.filter((e) => e !== ev); }}
+									aria-label="Remove {ev}"
 									class="flex items-center justify-center text-[var(--color-accent)] opacity-60 transition-opacity duration-100 hover:opacity-100"
 								>
 									<svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round">
@@ -1020,11 +1024,12 @@
 
 			<!-- Events -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<label for="edit-events-select" class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Events
 				</label>
 				<div class="relative" bind:this={editEventsDropdownEl}>
 					<button
+						id="edit-events-select"
 						onclick={() => { editEventsDropdownOpen = !editEventsDropdownOpen; }}
 						disabled={editing}
 						class="flex w-full items-center justify-between rounded-[var(--radius-input)] border px-3 py-2 text-ui transition-colors duration-150 disabled:opacity-60
diff --git a/frontend/src/routes/dashboard/hosts/+page.svelte b/frontend/src/routes/dashboard/hosts/+page.svelte
index c48f063..0b7e134 100644
--- a/frontend/src/routes/dashboard/hosts/+page.svelte
+++ b/frontend/src/routes/dashboard/hosts/+page.svelte
@@ -317,7 +317,15 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 {#snippet skeletonRows()}
 	<div class="rounded-[var(--radius-card)] border border-[var(--color-border)] overflow-hidden">
diff --git a/frontend/src/routes/dashboard/keys/+page.svelte b/frontend/src/routes/dashboard/keys/+page.svelte
index 0b004b5..89828f8 100644
--- a/frontend/src/routes/dashboard/keys/+page.svelte
+++ b/frontend/src/routes/dashboard/keys/+page.svelte
@@ -237,7 +237,15 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <!-- Create Key Dialog -->
 {#if showCreate}
diff --git a/frontend/src/routes/dashboard/settings/+page.svelte b/frontend/src/routes/dashboard/settings/+page.svelte
index a8d3c36..92d3479 100644
--- a/frontend/src/routes/dashboard/settings/+page.svelte
+++ b/frontend/src/routes/dashboard/settings/+page.svelte
@@ -498,7 +498,15 @@
 				{/if}
 			</div>
 		</main>
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
 
 <!-- Disconnect GitHub dialog -->
 {#if showDisconnectConfirm}
diff --git a/frontend/src/routes/dashboard/team/+page.svelte b/frontend/src/routes/dashboard/team/+page.svelte
index 8146a16..d8f9823 100644
--- a/frontend/src/routes/dashboard/team/+page.svelte
+++ b/frontend/src/routes/dashboard/team/+page.svelte
@@ -459,26 +459,18 @@
 											<p class="mt-1.5 text-meta text-[var(--color-red)]">{nameError}</p>
 										{/if}
 									{:else}
-										<!-- svelte-ignore a11y_click_events_have_key_events -->
-										<div
-											class="group flex items-center gap-2"
-											onclick={canManage ? startEditName : undefined}
-											role={canManage ? 'button' : undefined}
-											tabindex={canManage ? 0 : undefined}
-											onkeydown={canManage
-												? (e) => {
-														if (e.key === 'Enter' || e.key === ' ') startEditName();
-													}
-												: undefined}
-											class:cursor-pointer={canManage}
-											title={canManage ? 'Click to edit' : undefined}
-										>
-											<span
-												class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} {canManage ? 'group-hover:text-[var(--color-text-bright)]' : ''}"
+										{#if canManage}
+											<button
+												type="button"
+												class="group flex items-center gap-2 cursor-pointer"
+												onclick={startEditName}
+												title="Click to edit"
 											>
-												{team.name}
-											</span>
-											{#if canManage}
+												<span
+													class="text-ui font-medium transition-colors duration-300 {nameSavedFlash ? 'text-[var(--color-accent-mid)]' : 'text-[var(--color-text-bright)]'} group-hover:text-[var(--color-text-bright)]"
+												>
+													{team.name}
+												</span>
 												<svg
 													width="12"
 													height="12"
@@ -495,8 +487,14 @@
 													/>
 													<path d="M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z" />
 												</svg>
-											{/if}
-										</div>
+											</button>
+										{:else}
+											<span
+												class="text-ui font-medium text-[var(--color-text-bright)]"
+											>
+												{team.name}
+											</span>
+										{/if}
 									{/if}
 								</div>
 							</div>
@@ -710,6 +708,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron: Make Admin / Make Member -->
 												<button
+													aria-label="Role actions"
 													onclick={(e) => {
 														e.stopPropagation();
 														if (openDropdownId === member.user_id) {
@@ -804,7 +803,15 @@
 			</div>
 		</main>
 
-	<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+	<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+		<div class="flex items-center gap-1.5">
+			<span class="relative flex h-[5px] w-[5px]">
+				<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+				<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+			</span>
+			<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+		</div>
+	</footer>
 
 <!-- Split button dropdown -->
 {#if openDropdownId}
@@ -884,7 +891,7 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
 				class="font-serif text-heading text-[var(--color-text-bright)]"
@@ -1021,7 +1028,7 @@
 
 		<div
 			class="relative w-full max-w-[380px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			<h2
 				class="font-serif text-heading text-[var(--color-text-bright)]"
@@ -1095,7 +1102,7 @@
 
 		<div
 			class="relative w-full max-w-[400px] rounded-[var(--radius-card)] border border-[var(--color-border-mid)] bg-[var(--color-bg-2)] p-6"
-			style="animation: fadeUp 0.2s ease both"
+			style="animation: fadeUp 0.2s ease both; box-shadow: var(--shadow-dialog)"
 		>
 			{#if myRole === 'owner'}
 				<h2
diff --git a/frontend/src/routes/dashboard/templates/+page.svelte b/frontend/src/routes/dashboard/templates/+page.svelte
index f48d09e..f159ed1 100644
--- a/frontend/src/routes/dashboard/templates/+page.svelte
+++ b/frontend/src/routes/dashboard/templates/+page.svelte
@@ -151,7 +151,7 @@
 
 	<main class="flex-1 overflow-y-auto bg-[var(--color-bg-0)]">
 			<!-- Header -->
-			<div class="px-8 pt-8">
+			<div class="px-7 pt-8">
 				<div class="flex items-start justify-between">
 					<div>
 						<h1 class="font-serif text-page text-[var(--color-text-bright)]">
@@ -417,6 +417,7 @@
 												<div class="w-px shrink-0 bg-[var(--color-border-mid)]"></div>
 												<!-- Chevron / dropdown trigger -->
 												<button
+													aria-label="More actions"
 													disabled={snapshot.platform}
 													onclick={(e) => {
 														e.stopPropagation();
@@ -459,12 +460,12 @@
 		</main>
 
 		<!-- Status bar -->
-		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-8">
+		<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
 			<div class="flex items-center gap-1.5">
-				<span
-					class="inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"
-					style="animation: wrenn-glow 2.4s ease-in-out infinite"
-				></span>
+				<span class="relative flex h-[5px] w-[5px]">
+					<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+					<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+				</span>
 				<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
 			</div>
 		</footer>
@@ -501,8 +502,10 @@
 <!-- Delete Confirmation Dialog -->
 {#if deleteTarget}
 	<div class="fixed inset-0 z-50 flex items-center justify-center">
+		<!-- svelte-ignore a11y_no_static_element_interactions -->
 		<div
 			class="absolute inset-0 bg-black/60"
+			role="presentation"
 			onclick={() => { if (!deleting) deleteTarget = null; }}
 			onkeydown={(e) => { if (e.key === 'Escape' && !deleting) deleteTarget = null; }}
 		></div>
@@ -594,9 +597,9 @@
 
 			<!-- Template name (readonly) -->
 			<div class="mt-5">
-				<label class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
+				<span class="mb-1.5 block text-label font-semibold uppercase tracking-[0.05em] text-[var(--color-text-tertiary)]">
 					Template
-				</label>
+				</span>
 				<div class="flex items-center gap-2 rounded-[var(--radius-input)] border border-[var(--color-border)] bg-[var(--color-bg-0)] px-3 py-2">
 					{#if launchTarget.type === 'snapshot'}
 						<span class="h-1.5 w-1.5 shrink-0 rounded-full bg-[var(--color-accent)]"></span>
diff --git a/frontend/src/routes/dashboard/usage/+page.svelte b/frontend/src/routes/dashboard/usage/+page.svelte
index c6edb74..216a8f5 100644
--- a/frontend/src/routes/dashboard/usage/+page.svelte
+++ b/frontend/src/routes/dashboard/usage/+page.svelte
@@ -49,10 +49,9 @@
 				<p class="mt-2 text-ui text-[var(--color-text-secondary)]">
 					Resource consumption and execution metrics across your team.
 				</p>
+				<div class="mt-6 border-b border-[var(--color-border)]"></div>
 			</div>
 
-			<div class="mt-6 border-b border-[var(--color-border)]"></div>
-
 			<!-- Content -->
 			<div class="p-8" style="animation: fadeUp 0.35s ease both">
 				{#if status === 'loading'}
@@ -114,4 +113,12 @@
 			</div>
 	</main>
 
-<footer class="h-px shrink-0 bg-[var(--color-border)]"></footer>
+<footer class="flex h-7 shrink-0 items-center justify-end border-t border-[var(--color-border)] bg-[var(--color-bg-1)] px-7">
+	<div class="flex items-center gap-1.5">
+		<span class="relative flex h-[5px] w-[5px]">
+			<span class="animate-status-ping absolute inline-flex h-full w-full rounded-full bg-[var(--color-accent)]"></span>
+			<span class="relative inline-flex h-[5px] w-[5px] rounded-full bg-[var(--color-accent)]"></span>
+		</span>
+		<span class="font-mono text-label uppercase tracking-[0.04em] text-[var(--color-text-secondary)]">All systems operational</span>
+	</div>
+</footer>
diff --git a/frontend/src/routes/forgot-password/+page.svelte b/frontend/src/routes/forgot-password/+page.svelte
index 0cd8730..4395366 100644
--- a/frontend/src/routes/forgot-password/+page.svelte
+++ b/frontend/src/routes/forgot-password/+page.svelte
@@ -25,8 +25,8 @@
 	<div class="w-full max-w-[400px]" style="animation: fadeUp 0.35s ease both">
 		<!-- Brand -->
 		<div class="mb-8 flex items-center gap-3">
-			<img src="/logo.svg" alt="Wrenn" class="h-8 w-8 rounded-[var(--radius-logo)]" />
-			<span class="font-brand text-[1.5rem] text-[var(--color-text-bright)]">Wrenn</span>
+			<img src="/logo.svg" alt="Wrenn" class="h-10 w-10 rounded-[var(--radius-logo)]" />
+			<span class="font-brand text-page text-[var(--color-text-bright)]">Wrenn</span>
 		</div>
 
 		{#if submitted}
diff --git a/internal/api/handlers_exec_stream.go b/internal/api/handlers_exec_stream.go
index a47c228..c8b101f 100644
--- a/internal/api/handlers_exec_stream.go
+++ b/internal/api/handlers_exec_stream.go
@@ -20,12 +20,13 @@ import (
 )
 
 type execStreamHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool) *execStreamHandler {
-	return &execStreamHandler{db: db, pool: pool}
+func newExecStreamHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *execStreamHandler {
+	return &execStreamHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 var upgrader = websocket.Upgrader{
@@ -51,7 +52,6 @@ type wsOutMsg struct {
 func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -59,13 +59,31 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
 		return
 	}
 
@@ -76,6 +94,20 @@ func (h *execStreamHandler) ExecStream(w http.ResponseWriter, r *http.Request) {
 	}
 	defer conn.Close()
 
+	h.runExecStream(ctx, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *execStreamHandler) runExecStream(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
 	// Read the start message.
 	var startMsg wsStartMsg
 	if err := conn.ReadJSON(&startMsg); err != nil {
diff --git a/internal/api/handlers_me.go b/internal/api/handlers_me.go
index c70e302..15aa0bb 100644
--- a/internal/api/handlers_me.go
+++ b/internal/api/handlers_me.go
@@ -512,6 +512,9 @@ func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Delete all teams the user solely owns (no other members).
+	// Team deletion involves RPC calls (sandbox destruction) that cannot be
+	// transactional, so we do those first as best-effort, then wrap the
+	// DB-only cleanup in a transaction.
 	soleTeams, err := h.db.ListSoleOwnedTeams(ctx, ac.UserID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to list owned teams")
@@ -519,20 +522,36 @@ func (h *meHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
 	}
 	for _, teamID := range soleTeams {
 		if err := h.teamSvc.DeleteTeamInternal(ctx, teamID); err != nil {
-			slog.Warn("account delete: failed to delete sole-owned team",
-				"team_id", id.FormatTeamID(teamID), "error", err)
+			writeError(w, http.StatusInternalServerError, "db_error",
+				fmt.Sprintf("failed to delete sole-owned team %s", id.FormatTeamID(teamID)))
+			return
 		}
 	}
 
-	if err := h.db.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
-		slog.Warn("account delete: failed to delete user's API keys", "error", err)
+	tx, err := h.pool.Begin(ctx)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to start transaction")
+		return
+	}
+	defer tx.Rollback(ctx)
+
+	qtx := h.db.WithTx(tx)
+
+	if err := qtx.DeleteAPIKeysByCreator(ctx, ac.UserID); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete user's API keys")
+		return
 	}
 
-	if err := h.db.SoftDeleteUser(ctx, ac.UserID); err != nil {
+	if err := qtx.SoftDeleteUser(ctx, ac.UserID); err != nil {
 		writeError(w, http.StatusInternalServerError, "db_error", "failed to delete account")
 		return
 	}
 
+	if err := tx.Commit(ctx); err != nil {
+		writeError(w, http.StatusInternalServerError, "db_error", "failed to commit account deletion")
+		return
+	}
+
 	slog.Info("account soft-deleted", "user_id", id.FormatUserID(ac.UserID), "email", user.Email)
 
 	go func() {
diff --git a/internal/api/handlers_process.go b/internal/api/handlers_process.go
index 9d62729..2bb6bb9 100644
--- a/internal/api/handlers_process.go
+++ b/internal/api/handlers_process.go
@@ -20,12 +20,13 @@ import (
 )
 
 type processHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newProcessHandler(db *db.Queries, pool *lifecycle.HostClientPool) *processHandler {
-	return &processHandler{db: db, pool: pool}
+func newProcessHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *processHandler {
+	return &processHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 // processResponse is a single entry in the process list.
@@ -158,7 +159,6 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 	sandboxIDStr := chi.URLParam(r, "id")
 	selectorStr := chi.URLParam(r, "selector")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -166,19 +166,31 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
-		return
-	}
+	// Authenticate: use context from middleware (API key) or WS first message (JWT).
+	ac, hasAuth := auth.FromContext(ctx)
 
-	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
-	if err != nil {
-		writeError(w, http.StatusServiceUnavailable, "host_unavailable", "sandbox host is not reachable")
+	if !hasAuth {
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("process stream websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		var wsAC auth.AuthContext
+		var authErr error
+		if isAdminWSRoute(ctx) {
+			wsAC, authErr = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, authErr = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if authErr != nil {
+			sendProcessWSError(conn, "authentication failed")
+			return
+		}
+		ac = wsAC
+
+		h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
 		return
 	}
 
@@ -189,6 +201,26 @@ func (h *processHandler) ConnectProcess(w http.ResponseWriter, r *http.Request)
 	}
 	defer conn.Close()
 
+	h.runConnectProcess(ctx, conn, ac, sandboxID, sandboxIDStr, selectorStr)
+}
+
+func (h *processHandler) runConnectProcess(ctx context.Context, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr, selectorStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		sendProcessWSError(conn, "sandbox not found")
+		return
+	}
+	if sb.Status != "running" {
+		sendProcessWSError(conn, "sandbox is not running (status: "+sb.Status+")")
+		return
+	}
+
+	agent, err := agentForHost(ctx, h.db, h.pool, sb.HostID)
+	if err != nil {
+		sendProcessWSError(conn, "sandbox host is not reachable")
+		return
+	}
+
 	// Build the connect request with PID or tag selector.
 	connectReq := &pb.ConnectProcessRequest{
 		SandboxId: sandboxIDStr,
diff --git a/internal/api/handlers_pty.go b/internal/api/handlers_pty.go
index 8d571ae..181fc9d 100644
--- a/internal/api/handlers_pty.go
+++ b/internal/api/handlers_pty.go
@@ -30,12 +30,13 @@ const (
 )
 
 type ptyHandler struct {
-	db   *db.Queries
-	pool *lifecycle.HostClientPool
+	db        *db.Queries
+	pool      *lifecycle.HostClientPool
+	jwtSecret []byte
 }
 
-func newPtyHandler(db *db.Queries, pool *lifecycle.HostClientPool) *ptyHandler {
-	return &ptyHandler{db: db, pool: pool}
+func newPtyHandler(db *db.Queries, pool *lifecycle.HostClientPool, jwtSecret []byte) *ptyHandler {
+	return &ptyHandler{db: db, pool: pool, jwtSecret: jwtSecret}
 }
 
 // --- WebSocket message types ---
@@ -82,7 +83,6 @@ func (w *wsWriter) writeJSON(v any) {
 func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 	sandboxIDStr := chi.URLParam(r, "id")
 	ctx := r.Context()
-	ac := auth.MustFromContext(ctx)
 
 	sandboxID, err := id.ParseSandboxID(sandboxIDStr)
 	if err != nil {
@@ -90,13 +90,34 @@ func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
-	if err != nil {
-		writeError(w, http.StatusNotFound, "not_found", "sandbox not found")
-		return
-	}
-	if sb.Status != "running" {
-		writeError(w, http.StatusConflict, "invalid_state", "sandbox is not running (status: "+sb.Status+")")
+	// API key auth is handled by middleware (sets context).
+	// For browser JWT auth, we authenticate after upgrade via first WS message.
+	ac, hasAuth := auth.FromContext(ctx)
+
+	if !hasAuth {
+		// No pre-upgrade auth — upgrade first, then authenticate via WS message.
+		conn, err := upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			slog.Error("pty websocket upgrade failed", "error", err)
+			return
+		}
+		defer conn.Close()
+
+		ws := &wsWriter{conn: conn}
+
+		var wsAC auth.AuthContext
+		if isAdminWSRoute(ctx) {
+			wsAC, err = wsAuthenticateAdmin(ctx, conn, h.jwtSecret, h.db)
+		} else {
+			wsAC, err = wsAuthenticate(ctx, conn, h.jwtSecret, h.db)
+		}
+		if err != nil {
+			ws.writeJSON(wsPtyOut{Type: "error", Data: "authentication failed", Fatal: true})
+			return
+		}
+		ac = wsAC
+
+		h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
 		return
 	}
 
@@ -108,6 +129,19 @@ func (h *ptyHandler) PtySession(w http.ResponseWriter, r *http.Request) {
 	defer conn.Close()
 
 	ws := &wsWriter{conn: conn}
+	h.runPtySession(ctx, ws, conn, ac, sandboxID, sandboxIDStr)
+}
+
+func (h *ptyHandler) runPtySession(ctx context.Context, ws *wsWriter, conn *websocket.Conn, ac auth.AuthContext, sandboxID pgtype.UUID, sandboxIDStr string) {
+	sb, err := h.db.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: ac.TeamID})
+	if err != nil {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox not found", Fatal: true})
+		return
+	}
+	if sb.Status != "running" {
+		ws.writeJSON(wsPtyOut{Type: "error", Data: "sandbox is not running (status: " + sb.Status + ")", Fatal: true})
+		return
+	}
 
 	// Read the first message to determine start vs connect.
 	var firstMsg wsPtyIn
diff --git a/internal/api/handlers_snapshots.go b/internal/api/handlers_snapshots.go
index e141b7a..43d3148 100644
--- a/internal/api/handlers_snapshots.go
+++ b/internal/api/handlers_snapshots.go
@@ -133,7 +133,6 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 
 	ctx := r.Context()
 	ac := auth.MustFromContext(ctx)
-	overwrite := r.URL.Query().Get("overwrite") == "true"
 
 	// Check for global name collision.
 	if _, err := h.db.GetPlatformTemplateByName(ctx, req.Name); err == nil {
@@ -142,20 +141,10 @@ func (h *snapshotHandler) Create(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Check if name already exists for this team.
-	if existing, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
-		if !overwrite {
-			writeError(w, http.StatusConflict, "already_exists", "snapshot name already exists; use ?overwrite=true to replace")
-			return
-		}
-		// Delete old snapshot files from all hosts before removing the DB record.
-		if err := deleteSnapshotBroadcast(ctx, h.db, h.pool, existing.TeamID, existing.ID); err != nil {
-			writeError(w, http.StatusInternalServerError, "agent_error", "failed to delete existing snapshot files")
-			return
-		}
-		if err := h.db.DeleteTemplateByTeam(ctx, db.DeleteTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err != nil {
-			writeError(w, http.StatusInternalServerError, "db_error", "failed to remove existing template record")
-			return
-		}
+	if _, err := h.db.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: req.Name, TeamID: ac.TeamID}); err == nil {
+		writeError(w, http.StatusConflict, "template_name_taken",
+			"snapshot name already exists; delete the existing snapshot first to reuse this name")
+		return
 	}
 
 	// Verify sandbox exists, belongs to team, and is running or paused.
diff --git a/internal/api/helpers_ws.go b/internal/api/helpers_ws.go
new file mode 100644
index 0000000..ec1c126
--- /dev/null
+++ b/internal/api/helpers_ws.go
@@ -0,0 +1,109 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gorilla/websocket"
+
+	"git.omukk.dev/wrenn/wrenn/pkg/auth"
+	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
+)
+
+// isWebSocketUpgrade returns true if the request is a WebSocket upgrade.
+func isWebSocketUpgrade(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
+}
+
+// ctxKeyAdminWS is a context key for flagging admin WS routes.
+type ctxKeyAdminWS struct{}
+
+// setAdminWSFlag marks the context as an admin WebSocket route.
+func setAdminWSFlag(ctx context.Context) context.Context {
+	return context.WithValue(ctx, ctxKeyAdminWS{}, true)
+}
+
+// isAdminWSRoute checks if the request context was marked as admin WS.
+func isAdminWSRoute(ctx context.Context) bool {
+	v, _ := ctx.Value(ctxKeyAdminWS{}).(bool)
+	return v
+}
+
+// wsAuthMsg is the first message a browser WS client sends to authenticate.
+type wsAuthMsg struct {
+	Type  string `json:"type"`
+	Token string `json:"token"`
+}
+
+// wsAuthenticate reads a JWT auth message from the WebSocket and returns the
+// authenticated context. The caller must send this as the first message after
+// connecting.
+func wsAuthenticate(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
+
+	var msg wsAuthMsg
+	if err := conn.ReadJSON(&msg); err != nil {
+		return auth.AuthContext{}, fmt.Errorf("read auth message: %w", err)
+	}
+
+	conn.SetReadDeadline(time.Time{}) // clear deadline
+
+	if msg.Type != "auth" || msg.Token == "" {
+		return auth.AuthContext{}, fmt.Errorf("first message must be type 'auth' with a token")
+	}
+
+	claims, err := auth.VerifyJWT(jwtSecret, msg.Token)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid or expired token: %w", err)
+	}
+
+	teamID, err := id.ParseTeamID(claims.TeamID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid team ID in token: %w", err)
+	}
+
+	userID, err := id.ParseUserID(claims.Subject)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("invalid user ID in token: %w", err)
+	}
+
+	user, err := queries.GetUserByID(ctx, userID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if user.Status != "active" {
+		return auth.AuthContext{}, fmt.Errorf("account deactivated")
+	}
+
+	return auth.AuthContext{
+		TeamID: teamID,
+		UserID: userID,
+		Email:  claims.Email,
+		Name:   claims.Name,
+		Role:   claims.Role,
+	}, nil
+}
+
+// wsAuthenticateAdmin performs WS-based auth and verifies admin status,
+// returning an AuthContext with the platform team ID.
+func wsAuthenticateAdmin(ctx context.Context, conn *websocket.Conn, jwtSecret []byte, queries *db.Queries) (auth.AuthContext, error) {
+	ac, err := wsAuthenticate(ctx, conn, jwtSecret, queries)
+	if err != nil {
+		return auth.AuthContext{}, err
+	}
+
+	user, err := queries.GetUserByID(ctx, ac.UserID)
+	if err != nil {
+		return auth.AuthContext{}, fmt.Errorf("user not found")
+	}
+	if !user.IsAdmin {
+		return auth.AuthContext{}, fmt.Errorf("admin access required")
+	}
+
+	ac.TeamID = id.PlatformTeamID
+	return ac, nil
+}
diff --git a/internal/api/middleware.go b/internal/api/middleware.go
index 5053b78..b1c9f00 100644
--- a/internal/api/middleware.go
+++ b/internal/api/middleware.go
@@ -94,21 +94,25 @@ func serviceErrToHTTP(err error) (int, string, string) {
 	}
 
 	// Map well-known service error patterns.
+	// Return generic messages for most cases to avoid leaking internal details.
 	switch {
 	case strings.Contains(msg, "not found"):
-		return http.StatusNotFound, "not_found", msg
-	case strings.Contains(msg, "not running"), strings.Contains(msg, "not paused"):
-		return http.StatusConflict, "invalid_state", msg
+		return http.StatusNotFound, "not_found", "resource not found"
+	case strings.Contains(msg, "not running"):
+		return http.StatusConflict, "invalid_state", "resource is not running"
+	case strings.Contains(msg, "not paused"):
+		return http.StatusConflict, "invalid_state", "resource is not paused"
 	case strings.Contains(msg, "conflict:"):
-		return http.StatusConflict, "conflict", msg
+		return http.StatusConflict, "conflict", strings.TrimPrefix(msg, "conflict: ")
 	case strings.Contains(msg, "forbidden"):
-		return http.StatusForbidden, "forbidden", msg
+		return http.StatusForbidden, "forbidden", "forbidden"
 	case strings.Contains(msg, "invalid or expired"):
-		return http.StatusUnauthorized, "unauthorized", msg
+		return http.StatusUnauthorized, "unauthorized", "invalid or expired credentials"
 	case strings.Contains(msg, "invalid"):
-		return http.StatusBadRequest, "invalid_request", msg
+		return http.StatusBadRequest, "invalid_request", "invalid request"
 	default:
-		return http.StatusInternalServerError, "internal_error", msg
+		slog.Error("unhandled service error", "error", err)
+		return http.StatusInternalServerError, "internal_error", "an internal error occurred"
 	}
 }
 
diff --git a/internal/api/middleware_admin.go b/internal/api/middleware_admin.go
index cf23dce..670c586 100644
--- a/internal/api/middleware_admin.go
+++ b/internal/api/middleware_admin.go
@@ -14,6 +14,11 @@ import (
 func injectPlatformTeam() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if _, ok := auth.FromContext(r.Context()); !ok {
+				// No auth context yet (WS upgrade); handler will inject platform team after WS auth.
+				next.ServeHTTP(w, r)
+				return
+			}
 			ac := auth.MustFromContext(r.Context())
 			ac.TeamID = id.PlatformTeamID
 			ctx := auth.WithAuthContext(r.Context(), ac)
@@ -26,11 +31,19 @@ func injectPlatformTeam() func(http.Handler) http.Handler {
 // Must run after requireJWT (depends on AuthContext being present).
 // Re-validates against the DB — the JWT is_admin claim is for UI only;
 // the DB is the source of truth for admin access.
+// WebSocket upgrade requests without auth context are passed through —
+// admin WS handlers verify admin status after upgrade via wsAuthenticateAdmin.
 func requireAdmin(queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ac, ok := auth.FromContext(r.Context())
 			if !ok {
+				if isWebSocketUpgrade(r) {
+					ctx := r.Context()
+					ctx = setAdminWSFlag(ctx)
+					next.ServeHTTP(w, r.WithContext(ctx))
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "authentication required")
 				return
 			}
diff --git a/internal/api/middleware_auth.go b/internal/api/middleware_auth.go
index 6122ce8..b671047 100644
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@@ -38,12 +38,10 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
-			// Try JWT bearer token (header or query param for WebSocket).
+			// Try JWT bearer token from Authorization header.
 			tokenStr := ""
 			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
 				tokenStr = strings.TrimPrefix(header, "Bearer ")
-			} else if t := r.URL.Query().Get("token"); t != "" {
-				tokenStr = t
 			}
 			if tokenStr != "" {
 				claims, err := auth.VerifyJWT(jwtSecret, tokenStr)
@@ -87,7 +85,15 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				return
 			}
 
+			// WebSocket upgrade requests may not carry auth headers (browsers
+			// cannot set custom headers on WS connections). Pass through —
+			// the WS handler authenticates via the first message after upgrade.
+			if isWebSocketUpgrade(r) {
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			writeError(w, http.StatusUnauthorized, "unauthorized", "X-API-Key or Authorization: Bearer <token> required")
 		})
 	}
-}
+}
\ No newline at end of file
diff --git a/internal/api/middleware_jwt.go b/internal/api/middleware_jwt.go
index 1b28405..b19c838 100644
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@@ -10,19 +10,25 @@ import (
 	"git.omukk.dev/wrenn/wrenn/pkg/id"
 )
 
-// requireJWT validates a JWT from the Authorization: Bearer header or the
-// ?token= query parameter (for WebSocket connections that cannot send headers).
+// requireJWT validates a JWT from the Authorization: Bearer header.
 // It also verifies the user is still active in the database.
+// WebSocket upgrade requests without an Authorization header are passed through
+// — WS handlers authenticate via the first message after upgrade.
 func requireJWT(secret []byte, queries *db.Queries) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			var tokenStr string
 			if header := r.Header.Get("Authorization"); strings.HasPrefix(header, "Bearer ") {
 				tokenStr = strings.TrimPrefix(header, "Bearer ")
-			} else if t := r.URL.Query().Get("token"); t != "" {
-				tokenStr = t
 			}
 			if tokenStr == "" {
+				// WebSocket upgrade requests may not have an Authorization header
+				// (browsers cannot set custom headers on WS connections). Let them
+				// through — the handler authenticates via the first WS message.
+				if isWebSocketUpgrade(r) {
+					next.ServeHTTP(w, r)
+					return
+				}
 				writeError(w, http.StatusUnauthorized, "unauthorized", "Authorization: Bearer <token> required")
 				return
 			}
diff --git a/internal/api/server.go b/internal/api/server.go
index 6433644..af1e738 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -65,7 +65,7 @@ func New(
 
 	sandbox := newSandboxHandler(sandboxSvc, al)
 	exec := newExecHandler(queries, pool)
-	execStream := newExecStreamHandler(queries, pool)
+	execStream := newExecStreamHandler(queries, pool, jwtSecret)
 	files := newFilesHandler(queries, pool)
 	filesStream := newFilesStreamHandler(queries, pool)
 	fsH := newFSHandler(queries, pool)
@@ -81,8 +81,8 @@ func New(
 	metricsH := newSandboxMetricsHandler(queries, pool)
 	buildH := newBuildHandler(buildSvc, queries, pool)
 	channelH := newChannelHandler(channelSvc, al)
-	ptyH := newPtyHandler(queries, pool)
-	processH := newProcessHandler(queries, pool)
+	ptyH := newPtyHandler(queries, pool, jwtSecret)
+	processH := newProcessHandler(queries, pool, jwtSecret)
 	adminCapsules := newAdminCapsuleHandler(sandboxSvc, queries, pool, al)
 	meH := newMeHandler(queries, pgPool, rdb, jwtSecret, mailer, oauthRegistry, oauthRedirectURL, teamSvc)
 
@@ -144,6 +144,8 @@ func New(
 	r.With(requireJWT(jwtSecret, queries)).Get("/v1/users/search", usersH.Search)
 
 	// Capsule lifecycle: accepts API key or JWT bearer token.
+	// WebSocket upgrade requests without auth headers are passed through by
+	// requireAPIKeyOrJWT — the WS handlers authenticate via first message.
 	r.Route("/v1/capsules", func(r chi.Router) {
 		r.Use(requireAPIKeyOrJWT(queries, jwtSecret))
 		r.Post("/", sandbox.Create)
diff --git a/internal/network/setup.go b/internal/network/setup.go
index 614235a..3874c79 100644
--- a/internal/network/setup.go
+++ b/internal/network/setup.go
@@ -131,26 +131,31 @@ type Slot struct {
 }
 
 // NewSlot computes the addressing for the given slot index (1-based).
+// Index must be in [1, 32767] so that veth offset (index*2) fits in 16 bits.
 func NewSlot(index int) *Slot {
+	if index < 1 || index > 32767 {
+		panic(fmt.Sprintf("slot index %d out of range [1, 32767]", index))
+	}
+
 	hostBaseIP := net.ParseIP(hostBase).To4()
 	vrtBaseIP := net.ParseIP(vrtBase).To4()
 
 	hostIP := make(net.IP, 4)
 	copy(hostIP, hostBaseIP)
-	hostIP[2] += byte(index >> 8)
-	hostIP[3] += byte(index & 0xFF)
+	hostIP[2] = hostBaseIP[2] + byte(index>>8)
+	hostIP[3] = hostBaseIP[3] + byte(index&0xFF)
 
 	vethOffset := index * vrtAddressesPerSlot
 	vethIP := make(net.IP, 4)
 	copy(vethIP, vrtBaseIP)
-	vethIP[2] += byte(vethOffset >> 8)
-	vethIP[3] += byte(vethOffset & 0xFF)
+	vethIP[2] = vrtBaseIP[2] + byte(vethOffset>>8)
+	vethIP[3] = vrtBaseIP[3] + byte(vethOffset&0xFF)
 
 	vpeerOffset := vethOffset + 1
 	vpeerIP := make(net.IP, 4)
 	copy(vpeerIP, vrtBaseIP)
-	vpeerIP[2] += byte(vpeerOffset >> 8)
-	vpeerIP[3] += byte(vpeerOffset & 0xFF)
+	vpeerIP[2] = vrtBaseIP[2] + byte(vpeerOffset>>8)
+	vpeerIP[3] = vrtBaseIP[3] + byte(vpeerOffset&0xFF)
 
 	return &Slot{
 		Index:        index,
diff --git a/internal/vm/manager.go b/internal/vm/manager.go
index 9e9466f..99dbfe3 100644
--- a/internal/vm/manager.go
+++ b/internal/vm/manager.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"sync"
 	"time"
 )
 
@@ -17,6 +18,7 @@ type VM struct {
 
 // Manager handles the lifecycle of Firecracker microVMs.
 type Manager struct {
+	mu sync.RWMutex
 	// vms tracks running VMs by sandbox ID.
 	vms map[string]*VM
 }
@@ -84,7 +86,9 @@ func (m *Manager) Create(ctx context.Context, cfg VMConfig) (*VM, error) {
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM started successfully", "sandbox", cfg.SandboxID)
 
@@ -126,7 +130,9 @@ func configureVM(ctx context.Context, client *fcClient, cfg *VMConfig) error {
 
 // Pause pauses a running VM.
 func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -141,7 +147,9 @@ func (m *Manager) Pause(ctx context.Context, sandboxID string) error {
 
 // Resume resumes a paused VM.
 func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -156,10 +164,14 @@ func (m *Manager) Resume(ctx context.Context, sandboxID string) error {
 
 // Destroy stops and cleans up a VM.
 func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
+	m.mu.Lock()
 	vm, ok := m.vms[sandboxID]
 	if !ok {
+		m.mu.Unlock()
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
+	delete(m.vms, sandboxID)
+	m.mu.Unlock()
 
 	slog.Info("destroying VM", "sandbox", sandboxID)
 
@@ -171,8 +183,6 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 	// Clean up the API socket.
 	os.Remove(vm.Config.SocketPath)
 
-	delete(m.vms, sandboxID)
-
 	slog.Info("VM destroyed", "sandbox", sandboxID)
 	return nil
 }
@@ -180,7 +190,9 @@ func (m *Manager) Destroy(ctx context.Context, sandboxID string) error {
 // Snapshot creates a VM snapshot. The VM must already be paused.
 // snapshotType is "Full" (all memory) or "Diff" (only dirty pages since last resume).
 func (m *Manager) Snapshot(ctx context.Context, sandboxID, snapPath, memPath, snapshotType string) error {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	if !ok {
 		return fmt.Errorf("VM not found: %s", sandboxID)
 	}
@@ -263,7 +275,9 @@ func (m *Manager) CreateFromSnapshot(ctx context.Context, cfg VMConfig, snapPath
 		client:  client,
 	}
 
+	m.mu.Lock()
 	m.vms[cfg.SandboxID] = vm
+	m.mu.Unlock()
 
 	slog.Info("VM restored from snapshot", "sandbox", cfg.SandboxID)
 	return vm, nil
@@ -277,7 +291,9 @@ func (v *VM) PID() int {
 
 // Get returns a running VM by sandbox ID.
 func (m *Manager) Get(sandboxID string) (*VM, bool) {
+	m.mu.RLock()
 	vm, ok := m.vms[sandboxID]
+	m.mu.RUnlock()
 	return vm, ok
 }
 
diff --git a/pkg/db/users.sql.go b/pkg/db/users.sql.go
index 2bfb6ed..fc30a95 100644
--- a/pkg/db/users.sql.go
+++ b/pkg/db/users.sql.go
@@ -142,7 +142,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1 AND deleted_at IS NULL
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -163,7 +163,7 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1 AND deleted_at IS NULL
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {

From fb4b67adb392b54900cb8e1001b107cdf297a3c8 Mon Sep 17 00:00:00 2001
From: pptx704 <rafeed@omukk.dev>
Date: Thu, 16 Apr 2026 06:37:51 +0600
Subject: [PATCH 4/4] Destroy owned sandboxes on user disable and fix OAuth
 login resilience

When an admin disables a user, all active sandboxes (running, paused,
hibernated) for teams they own are now destroyed and their API keys
are deleted. User queries now filter by status column instead of
deleted_at, so re-enabling a user always works. OAuth login paths
use ensureDefaultTeam to auto-create a team if the user has none,
matching the email/password login behavior.
---
 db/queries/teams.sql                   |  8 +++++++
 db/queries/users.sql                   |  8 +++----
 frontend/src/routes/login/+page.svelte |  2 +-
 internal/api/handlers_oauth.go         | 24 ++++++++++++++-----
 internal/api/server.go                 |  2 +-
 pkg/db/teams.sql.go                    | 29 ++++++++++++++++++++++
 pkg/db/users.sql.go                    |  8 +++----
 pkg/service/user.go                    | 33 +++++++++++++++++++++++++-
 8 files changed, 97 insertions(+), 17 deletions(-)

diff --git a/db/queries/teams.sql b/db/queries/teams.sql
index 3444b8c..f4de808 100644
--- a/db/queries/teams.sql
+++ b/db/queries/teams.sql
@@ -86,6 +86,14 @@ WHERE ut.user_id = $1
       WHERE ut2.team_id = t.id AND ut2.user_id <> $1
   );
 
+-- name: GetOwnedTeamIDs :many
+-- Returns team IDs where the given user has the 'owner' role.
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL;
+
 -- name: CountTeamsAdmin :one
 SELECT COUNT(*)::int AS total
 FROM teams
diff --git a/db/queries/users.sql b/db/queries/users.sql
index 783f22b..eb41d00 100644
--- a/db/queries/users.sql
+++ b/db/queries/users.sql
@@ -4,10 +4,10 @@ VALUES ($1, $2, $3, $4)
 RETURNING *;
 
 -- name: GetUserByEmail :one
-SELECT * FROM users WHERE email = $1 AND deleted_at IS NULL;
+SELECT * FROM users WHERE email = $1 AND status != 'deleted';
 
 -- name: GetUserByID :one
-SELECT * FROM users WHERE id = $1 AND deleted_at IS NULL;
+SELECT * FROM users WHERE id = $1 AND status != 'deleted';
 
 -- name: InsertUserOAuth :one
 INSERT INTO users (id, email, name)
@@ -63,14 +63,14 @@ SELECT
     (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
     (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
 FROM users u
-WHERE u.deleted_at IS NULL
+WHERE u.status != 'deleted'
 ORDER BY u.created_at DESC
 LIMIT $1 OFFSET $2;
 
 -- name: CountUsersAdmin :one
 SELECT COUNT(*)::int AS total
 FROM users
-WHERE deleted_at IS NULL;
+WHERE status != 'deleted';
 
 -- name: SetUserStatus :exec
 UPDATE users SET status = $2, updated_at = NOW() WHERE id = $1;
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index f895cd0..18c55fa 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -25,7 +25,7 @@
 	let signupDone = $state(false);
 
 	const oauthErrorMessages: Record<string, string> = {
-		account_deactivated: 'Your account has been deactivated — contact your administrator to regain access',
+		account_deactivated: 'Your account has been deactivated — contact the administrator to regain access',
 		access_denied: 'Access was denied by the provider',
 		email_taken: 'An account with this email already exists',
 		exchange_failed: 'Authentication failed — please try again',
diff --git a/internal/api/handlers_oauth.go b/internal/api/handlers_oauth.go
index 98aac78..9c9a14a 100644
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@@ -212,6 +212,11 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 	if err == nil {
 		// Existing OAuth user — log them in.
 		user, err := h.db.GetUserByID(ctx, existing.UserID)
+		if errors.Is(err, pgx.ErrNoRows) {
+			slog.Warn("oauth login: user no longer exists", "user_id", existing.UserID)
+			redirectWithError(w, r, redirectBase, "account_deactivated")
+			return
+		}
 		if err != nil {
 			slog.Error("oauth login: failed to get user", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
@@ -222,13 +227,14 @@ func (h *oauthHandler) Callback(w http.ResponseWriter, r *http.Request) {
 			redirectWithError(w, r, redirectBase, "account_deactivated")
 			return
 		}
-		team, role, err := loginTeam(ctx, h.db, user.ID)
+		team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 		if err != nil {
-			slog.Error("oauth login: failed to get team", "error", err)
+			slog.Error("oauth login: failed to ensure team", "error", err)
 			redirectWithError(w, r, redirectBase, "db_error")
 			return
 		}
-		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+		isAdmin := user.IsAdmin || isFirstUser
+		token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 		if err != nil {
 			slog.Error("oauth login: failed to sign jwt", "error", err)
 			redirectWithError(w, r, redirectBase, "internal_error")
@@ -376,6 +382,11 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		return
 	}
 	user, err := h.db.GetUserByID(ctx, existing.UserID)
+	if errors.Is(err, pgx.ErrNoRows) {
+		slog.Warn("oauth: retry login: user no longer exists", "user_id", existing.UserID)
+		redirectWithError(w, r, redirectBase, "account_deactivated")
+		return
+	}
 	if err != nil {
 		slog.Error("oauth: retry login: failed to get user", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
@@ -386,13 +397,14 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 		redirectWithError(w, r, redirectBase, "account_deactivated")
 		return
 	}
-	team, role, err := loginTeam(ctx, h.db, user.ID)
+	team, role, isFirstUser, err := ensureDefaultTeam(ctx, h.db, h.pool, user.ID, user.Name)
 	if err != nil {
-		slog.Error("oauth: retry login: failed to get team", "error", err)
+		slog.Error("oauth: retry login: failed to ensure team", "error", err)
 		redirectWithError(w, r, redirectBase, "db_error")
 		return
 	}
-	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, user.IsAdmin)
+	isAdmin := user.IsAdmin || isFirstUser
+	token, err := auth.SignJWT(h.jwtSecret, user.ID, team.ID, user.Email, user.Name, role, isAdmin)
 	if err != nil {
 		slog.Error("oauth: retry login: failed to sign jwt", "error", err)
 		redirectWithError(w, r, redirectBase, "internal_error")
diff --git a/internal/api/server.go b/internal/api/server.go
index af1e738..47a1b44 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -58,7 +58,7 @@ func New(
 	templateSvc := &service.TemplateService{DB: queries}
 	hostSvc := &service.HostService{DB: queries, Redis: rdb, JWT: jwtSecret, Pool: pool, CA: ca}
 	teamSvc := &service.TeamService{DB: queries, Pool: pgPool, HostPool: pool}
-	userSvc := &service.UserService{DB: queries}
+	userSvc := &service.UserService{DB: queries, SandboxSvc: sandboxSvc}
 	auditSvc := &service.AuditService{DB: queries}
 	statsSvc := &service.StatsService{DB: queries, Pool: pgPool}
 	buildSvc := &service.BuildService{DB: queries, Redis: rdb, Pool: pool, Scheduler: sched}
diff --git a/pkg/db/teams.sql.go b/pkg/db/teams.sql.go
index 7947107..30874b3 100644
--- a/pkg/db/teams.sql.go
+++ b/pkg/db/teams.sql.go
@@ -90,6 +90,35 @@ func (q *Queries) GetDefaultTeamForUser(ctx context.Context, userID pgtype.UUID)
 	return i, err
 }
 
+const getOwnedTeamIDs = `-- name: GetOwnedTeamIDs :many
+SELECT t.id FROM teams t
+JOIN users_teams ut ON ut.team_id = t.id
+WHERE ut.user_id = $1
+  AND ut.role = 'owner'
+  AND t.deleted_at IS NULL
+`
+
+// Returns team IDs where the given user has the 'owner' role.
+func (q *Queries) GetOwnedTeamIDs(ctx context.Context, userID pgtype.UUID) ([]pgtype.UUID, error) {
+	rows, err := q.db.Query(ctx, getOwnedTeamIDs, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []pgtype.UUID
+	for rows.Next() {
+		var id pgtype.UUID
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		items = append(items, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getTeam = `-- name: GetTeam :one
 SELECT id, name, slug, is_byoc, created_at, deleted_at FROM teams WHERE id = $1
 `
diff --git a/pkg/db/users.sql.go b/pkg/db/users.sql.go
index fc30a95..c48d9c9 100644
--- a/pkg/db/users.sql.go
+++ b/pkg/db/users.sql.go
@@ -54,7 +54,7 @@ func (q *Queries) CountUsers(ctx context.Context) (int64, error) {
 const countUsersAdmin = `-- name: CountUsersAdmin :one
 SELECT COUNT(*)::int AS total
 FROM users
-WHERE deleted_at IS NULL
+WHERE status != 'deleted'
 `
 
 func (q *Queries) CountUsersAdmin(ctx context.Context) (int32, error) {
@@ -142,7 +142,7 @@ func (q *Queries) GetAdminUsers(ctx context.Context) ([]User, error) {
 }
 
 const getUserByEmail = `-- name: GetUserByEmail :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1 AND deleted_at IS NULL
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE email = $1 AND status != 'deleted'
 `
 
 func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error) {
@@ -163,7 +163,7 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1 AND deleted_at IS NULL
+SELECT id, email, password_hash, name, is_admin, created_at, updated_at, deleted_at, status FROM users WHERE id = $1 AND status != 'deleted'
 `
 
 func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {
@@ -345,7 +345,7 @@ SELECT
     (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id)::int AS teams_joined,
     (SELECT COUNT(*) FROM users_teams ut WHERE ut.user_id = u.id AND ut.role = 'owner')::int AS teams_owned
 FROM users u
-WHERE u.deleted_at IS NULL
+WHERE u.status != 'deleted'
 ORDER BY u.created_at DESC
 LIMIT $1 OFFSET $2
 `
diff --git a/pkg/service/user.go b/pkg/service/user.go
index 9a3a66c..f07b3f4 100644
--- a/pkg/service/user.go
+++ b/pkg/service/user.go
@@ -13,7 +13,8 @@ import (
 
 // UserService provides user management operations.
 type UserService struct {
-	DB *db.Queries
+	DB         *db.Queries
+	SandboxSvc *SandboxService
 }
 
 // AdminUserRow is the shape returned by AdminListUsers.
@@ -71,6 +72,36 @@ func (s *UserService) SetUserStatus(ctx context.Context, userID pgtype.UUID, sta
 		if err := s.DB.DeleteAPIKeysByCreator(ctx, userID); err != nil {
 			slog.Warn("failed to delete API keys for deactivated user", "user_id", userID, "error", err)
 		}
+		s.destroySandboxesForOwnedTeams(ctx, userID)
 	}
 	return nil
 }
+
+// destroySandboxesForOwnedTeams destroys all active sandboxes (running, paused,
+// hibernated, starting) for every team the user owns. Best-effort: errors are
+// logged but do not prevent the user from being disabled.
+func (s *UserService) destroySandboxesForOwnedTeams(ctx context.Context, userID pgtype.UUID) {
+	if s.SandboxSvc == nil {
+		return
+	}
+
+	teamIDs, err := s.DB.GetOwnedTeamIDs(ctx, userID)
+	if err != nil {
+		slog.Warn("failed to list owned teams for sandbox cleanup", "user_id", userID, "error", err)
+		return
+	}
+
+	for _, teamID := range teamIDs {
+		sandboxes, err := s.DB.ListActiveSandboxesByTeam(ctx, teamID)
+		if err != nil {
+			slog.Warn("failed to list active sandboxes for team", "team_id", teamID, "user_id", userID, "error", err)
+			continue
+		}
+		for _, sb := range sandboxes {
+			if err := s.SandboxSvc.Destroy(ctx, sb.ID, teamID); err != nil {
+				slog.Warn("failed to destroy sandbox during user disable",
+					"sandbox_id", sb.ID, "team_id", teamID, "user_id", userID, "error", err)
+			}
+		}
+	}
+}