From 0191c60b64d2341ef5f01dbc426ea4d7984a5c63 Mon Sep 17 00:00:00 2001
From: Rene Fichtmueller <rf@flexoptix.net>
Date: Fri, 5 Jun 2026 20:23:33 +0000
Subject: [PATCH] chore: commit deployed gateway state (dashboard, streaming,
 routing, bridges, cost-tracking)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Live production state on Erik that had drifted from Gitea — deployed across several
sessions but never committed. Excludes deploy/ecosystem.config.cjs (holds live tokens).

- dashboard: passive usage-report endpoint, per-device entries, CEST timezone, cost-panel rounding
- completion: SSE + HTTP/2 streaming
- pipeline: routing-rules, request-scorer, external-providers (subscription bridges)
- cost-tracking: tokenvault migration, cost-calculator, request-logger
- infra: docker-compose bridge env, server/health/tls, deps
---
 Dockerfile                                    |    1 -
 docker-compose.yaml                           |   16 +
 package-lock.json                             |   57 +-
 package.json                                  |    2 +-
 packages/gateway/package.json                 |    5 +-
 .../prompts/templates/linkedin_post.yaml      |  112 +-
 packages/gateway/public/dashboard.html        | 3898 ++++++++++++++---
 packages/gateway/src/config/models.yaml       |   71 +-
 .../gateway/src/config/routing-rules.yaml     |    4 +-
 .../002-tokenvault-cost-tracking.sql          |    2 +-
 packages/gateway/src/db/schema-extensions.sql |    8 +-
 .../gateway/src/modules/request-logger.ts     |  122 +-
 .../src/observability/cost-calculator.ts      |    2 +-
 .../src/pipeline/external-providers.ts        |  119 +-
 .../gateway/src/pipeline/request-scorer.ts    |   36 +-
 packages/gateway/src/pipeline/router.ts       |    9 +-
 packages/gateway/src/routes/completion.ts     | 1159 ++++-
 packages/gateway/src/routes/dashboard.ts      | 1362 +++++-
 packages/gateway/src/routes/health.ts         |   41 +-
 packages/gateway/src/routes/static.ts         |   64 +-
 packages/gateway/src/security/tls-config.ts   |   24 +-
 packages/gateway/src/server.ts                |   74 +-
 .../gateway/src/utils/tokenvault-hooks.ts     |   18 +-
 23 files changed, 6210 insertions(+), 996 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 865d4bc..58a421b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,7 +36,6 @@ COPY --from=builder /app/packages/gateway/dist ./packages/gateway/dist
 
 # Copy production node_modules
 COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/packages/gateway/node_modules ./packages/gateway/node_modules 2>/dev/null || true
 
 # Copy runtime assets (prompt templates, config)
 COPY packages/gateway/prompts ./packages/gateway/prompts
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 68f5c9b..618febe 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -4,15 +4,31 @@ services:
     container_name: llm-gateway
     ports:
       - "3100:3100"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     environment:
       NODE_ENV: production
       PORT: "3100"
       DATABASE_URL: "${DATABASE_URL}"
       TIP_DATABASE_URL: "${TIP_DATABASE_URL}"
       OLLAMA_URL: "http://192.168.178.169:11434"
+      OLLAMA_BASE_URL: "${OLLAMA_BASE_URL:-https://ollama.fichtmueller.org}"
+      CLAUDE_BRIDGE_ENABLED: "true"
+      CLAUDE_BRIDGE_URL: "${CLAUDE_BRIDGE_URL:-http://host.docker.internal:3250}"
+      CLAUDE_CODE_URL: "${CLAUDE_CODE_URL:-http://host.docker.internal:3250}"
+      OPENAI_BRIDGE_URL: "${OPENAI_BRIDGE_URL:-http://host.docker.internal:3251}"
+      CHATGPT_BRIDGE_URL: "${CHATGPT_BRIDGE_URL:-http://host.docker.internal:3251}"
+      COPILOT_BRIDGE_URL: "${COPILOT_BRIDGE_URL:-http://host.docker.internal:3252}"
+      GEMINI_BRIDGE_URL: "${GEMINI_BRIDGE_URL:-http://host.docker.internal:3254}"
+      CODEX_BRIDGE_URL: "${CODEX_BRIDGE_URL:-http://host.docker.internal:3253}"
+      OPENAI_CODEX_URL: "${OPENAI_CODEX_URL:-http://host.docker.internal:3253}"
+      AIDER_BRIDGE_URL: "${AIDER_BRIDGE_URL:-http://host.docker.internal:3256}"
       SHIELDX_URL: "${SHIELDX_URL:-}"
       GITEA_URL: "http://gitea.context-x.org"
       LOG_LEVEL: "${LOG_LEVEL:-info}"
+      DASHBOARD_AUTH_TOKEN: "${DASHBOARD_AUTH_TOKEN:-}"
+      REFERENCE_INPUT_COST_PER_1K: "${REFERENCE_INPUT_COST_PER_1K:-0.005}"
+      REFERENCE_OUTPUT_COST_PER_1K: "${REFERENCE_OUTPUT_COST_PER_1K:-0.015}"
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "wget", "-q", "-O-", "http://localhost:3100/health/live"]
diff --git a/package-lock.json b/package-lock.json
index f0aba6d..7a066da 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,10 +11,10 @@
         "packages/*"
       ],
       "dependencies": {
-        "jose": "^6.2.2"
+        "jose": "^6.2.3"
       }
     },
-    "../../../shieldx": {
+    "../../shieldx": {
       "extraneous": true
     },
     "node_modules/@esbuild/darwin-arm64": {
@@ -305,6 +305,10 @@
       "resolved": "packages/codex-lsp-adapter",
       "link": true
     },
+    "node_modules/@llm-gateway/companion": {
+      "resolved": "packages/companion",
+      "link": true
+    },
     "node_modules/@llm-gateway/ctx-health": {
       "resolved": "packages/ctx-health",
       "link": true
@@ -321,6 +325,10 @@
       "resolved": "packages/learning-integration",
       "link": true
     },
+    "node_modules/@llm-gateway/mcp-server": {
+      "resolved": "packages/mcp-server",
+      "link": true
+    },
     "node_modules/@llm-gateway/prompt-optimizer": {
       "resolved": "packages/prompt-optimizer",
       "link": true
@@ -1127,6 +1135,8 @@
     },
     "node_modules/fastify-plugin": {
       "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/fastify-plugin/-/fastify-plugin-5.1.0.tgz",
+      "integrity": "sha512-FAIDA8eovSt5qcDgcBvDuX/v0Cjz0ohGhENZ/wpc3y+oZCY2afZ9Baqql3g/lC+OHRnciQol4ww7tuthOb9idw==",
       "funding": [
         {
           "type": "github",
@@ -1475,9 +1485,9 @@
       }
     },
     "node_modules/jose": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
-      "integrity": "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ==",
+      "version": "6.2.3",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.3.tgz",
+      "integrity": "sha512-YYVDInQKFJfR/xa3ojUTl8c2KoTwiL1R5Wg9YCydwH0x0B9grbzlg5HC7mMjCtUJjbQ/YnGEZIhI5tCgfTb4Hw==",
       "license": "MIT",
       "funding": {
         "url": "https://github.com/sponsors/panva"
@@ -3178,6 +3188,21 @@
         "node": ">=0.4"
       }
     },
+    "node_modules/yaml": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.9.0.tgz",
+      "integrity": "sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==",
+      "license": "ISC",
+      "bin": {
+        "yaml": "bin.mjs"
+      },
+      "engines": {
+        "node": ">= 14.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/eemeli"
+      }
+    },
     "node_modules/yocto-queue": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-1.2.2.tgz",
@@ -4086,6 +4111,16 @@
         }
       }
     },
+    "packages/companion": {
+      "name": "@llm-gateway/companion",
+      "version": "1.0.0",
+      "bin": {
+        "llm-gateway-companion": "bin/llm-gateway-companion.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "packages/ctx-health": {
       "name": "@llm-gateway/ctx-health",
       "version": "1.0.0",
@@ -4114,6 +4149,7 @@
         "@fastify/static": "^8.3.0",
         "ajv": "^8.17.1",
         "fastify": "^5.8.5",
+        "fastify-plugin": "^5.1.0",
         "franc": "^6.2.0",
         "jose": "^5.4.0",
         "js-yaml": "^4.1.0",
@@ -4122,6 +4158,7 @@
         "pg-boss": "^10.1.3",
         "pino": "^9.5.0",
         "prom-client": "^15.1.3",
+        "yaml": "^2.9.0",
         "zod": "^3.23.8"
       },
       "devDependencies": {
@@ -4448,6 +4485,16 @@
         }
       }
     },
+    "packages/mcp-server": {
+      "name": "@llm-gateway/mcp-server",
+      "version": "1.0.0",
+      "bin": {
+        "llm-gateway-mcp": "bin/llm-gateway-mcp.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "packages/prompt-optimizer": {
       "name": "@llm-gateway/prompt-optimizer",
       "version": "0.1.0",
diff --git a/package.json b/package.json
index b24c7ac..41552a6 100644
--- a/package.json
+++ b/package.json
@@ -18,6 +18,6 @@
     "ctx-health:dev": "npm run dev --workspace=packages/ctx-health"
   },
   "dependencies": {
-    "jose": "^6.2.2"
+    "jose": "^6.2.3"
   }
 }
diff --git a/packages/gateway/package.json b/packages/gateway/package.json
index 1527ac7..22ba807 100644
--- a/packages/gateway/package.json
+++ b/packages/gateway/package.json
@@ -7,7 +7,8 @@
     "build": "tsc && npm run build:copy-assets",
     "build:copy-assets": "mkdir -p dist/db/migrations dist/config dist/public && cp -r src/db/migrations/*.sql dist/db/migrations/ 2>/dev/null || true && cp -r src/config/*.yaml dist/config/ 2>/dev/null || true && cp -r public/* dist/public/ 2>/dev/null || true",
     "start": "node dist/server.js",
-    "test": "vitest"
+    "test": "vitest",
+    "prestart": "node scripts/check-build-drift.mjs"
   },
   "dependencies": {
     "@fastify/cors": "^10.1.0",
@@ -16,6 +17,7 @@
     "@fastify/static": "^8.3.0",
     "ajv": "^8.17.1",
     "fastify": "^5.8.5",
+    "fastify-plugin": "^5.1.0",
     "franc": "^6.2.0",
     "jose": "^5.4.0",
     "js-yaml": "^4.1.0",
@@ -24,6 +26,7 @@
     "pg-boss": "^10.1.3",
     "pino": "^9.5.0",
     "prom-client": "^15.1.3",
+    "yaml": "^2.9.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
diff --git a/packages/gateway/prompts/templates/linkedin_post.yaml b/packages/gateway/prompts/templates/linkedin_post.yaml
index 7c3a598..e98adb2 100644
--- a/packages/gateway/prompts/templates/linkedin_post.yaml
+++ b/packages/gateway/prompts/templates/linkedin_post.yaml
@@ -1,63 +1,105 @@
 id: linkedin_post
-version: "1.0.0"
+version: "2.0.0"
 task_type: linkedin_post
+description: "LinkedIn teaser in Rene Fichtmueller's voice. Anti-AI, anti-marketing, technical, direct."
 
 system_prompt: |
-  You are a professional LinkedIn content writer. Write engaging, authentic posts that sound human.
+  You write a single short LinkedIn post in Rene Fichtmueller's voice. Rene is a network/optics engineer who blogs at blog.fichtmueller.org. His voice is direct, technical, sometimes contrarian, never marketing.
 
-  Rules:
-  - Maximum 1300 characters (LinkedIn soft limit)
-  - No hashtag spam (max 3 relevant hashtags)
-  - No engagement-bait questions at the end
-  - No "In today's fast-paced world" openings
-  - Write in first person, direct and confident tone
-  - Include a clear value point or insight
-  - Current date: {{current_date}}
+  HARD RULES — do not violate:
+  - 2 to 3 short sentences. Maximum 4. Period.
+  - No hashtags. None. Not at the end, not anywhere.
+  - No emojis. Not even one.
+  - No engagement-bait. Do not end with "What do you think?", "Thoughts?", "Have you seen this?".
+  - No call-to-action language ("Check it out", "Read more", "Don't miss").
+  - No meta-references to the blog post itself: do not write "I wrote about this", "I published a piece", "I broke this down", "more in the article".
+  - End with the URL on its own line. Nothing after the URL.
+
+  BANNED PHRASES — never use any of these:
+  - delve, leverage, robust, journey, embark, paradigm, unlock, seamlessly, holistic, harness, foster, amplify, underscore, indelible, profound, intricate, meticulous, testament, vibrant, bespoke, encompass, hitherto, realm, utilize, synergy
+  - "leaving money on the table"
+  - "until it's too late"
+  - "the line item most X skip"
+  - "turns out"
+  - "the unexpected part is"
+  - "the gap between X and Y is wider than"
+  - "in today's fast-paced", "in the world of", "in the realm of"
+  - "it's important to note", "it's worth noting"
+  - "let's dive into", "let's explore"
+  - "the future of X", "the next generation of X" (unless quoting someone)
+  - "game-changer", "cutting-edge", "groundbreaking", "comprehensive"
+
+  TONE — match these traits:
+  - Specific numbers over generalities. 20W is better than "high power". 14 weeks is better than "long lead time".
+  - Named products, standards, RFCs when relevant. 400ZR+, RPKI, IEEE 802.3.
+  - First person ("I", "my", "we") where genuine.
+  - Short sentences. Period. Short sentences. Period.
+  - Concession sometimes: admit what you don't know or what surprised you.
+  - Closing line stands on its own. No qualifier, no hedge.
+
+  Current date: {{current_date}}
 
   {{few_shot_examples}}
 
 system_prompt_de: |
-  Du bist ein professioneller LinkedIn-Content-Writer. Schreibe authentische, menschlich klingende Beiträge.
+  Du schreibst einen kurzen LinkedIn-Post in der Stimme von Rene Fichtmueller. Direkt, technisch, manchmal contrarian, nie Marketing.
 
-  Regeln:
-  - Maximal 1300 Zeichen (LinkedIn Soft-Limit)
-  - Keine Hashtag-Spam (max. 3 relevante Hashtags)
-  - Keine Engagement-Bait-Fragen am Ende
-  - Keine Einstiege mit "In der heutigen schnelllebigen Welt"
-  - Schreibe in der Ich-Perspektive, direkt und selbstsicher
-  - Enthalte einen klaren Mehrwert oder Einblick
-  - Aktuelles Datum: {{current_date}}
+  HARTE REGELN — nie verletzen:
+  - 2 bis 3 kurze Sätze. Maximal 4. Punkt.
+  - Keine Hashtags. Keine. Nirgendwo.
+  - Keine Emojis. Auch nicht einer.
+  - Kein Engagement-Bait. Niemals enden mit "Was meint ihr?", "Eure Erfahrung?".
+  - Keine Call-to-Action-Sprache ("Schaut mal rein", "Hier mehr lesen").
+  - Keine Meta-Referenzen auf den Blog-Post: kein "Ich habe dazu geschrieben", "Mehr im Artikel".
+  - URL alleine in der letzten Zeile. Nichts danach.
+
+  VERBOTENE WORTE/PHRASEN:
+  - "leverage", "delve", "robust", "harness", "navigieren", "Reise", "Paradigma", "freischalten", "ganzheitlich", "Synergie", "umfassend"
+  - "in der heutigen schnelllebigen Welt"
+  - "es lohnt sich zu erwähnen"
+
+  TON:
+  - Konkrete Zahlen statt Verallgemeinerungen.
+  - Erste Person wo authentisch.
+  - Kurze Sätze. Punkt.
+  - Konzession wo möglich: zugeben was überrascht hat.
+
+  Aktuelles Datum: {{current_date}}
 
 user_template: |
-  Topic/Input:
+  Article info:
   {{input}}
 
-  Context:
-  {{user_context}}
-
-  Write a LinkedIn post:
+  Write the LinkedIn post now. 2-3 sentences. No hashtags. URL on last line. Stop after the URL.
 
 user_template_de: |
-  Thema/Eingabe:
+  Artikel-Infos:
   {{input}}
 
-  Kontext:
-  {{user_context}}
-
-  Schreibe einen LinkedIn-Beitrag:
+  Schreibe den LinkedIn-Post jetzt. 2-3 Sätze. Keine Hashtags. URL in der letzten Zeile. Stopp nach der URL.
 
 few_shot_examples:
-  - user: "We deployed a new BGP monitoring system last week"
+  - user: "Article info:\nTitle: BGP Route Leak Hit My Network Last Tuesday\nExcerpt: A transit provider re-advertised our customer cone to the wrong peers. Detection took 4 hours. The mitigation took 14 minutes once we saw it.\nURL: https://blog.fichtmueller.org/example1/"
     assistant: |
-      We spent 18 months dealing with BGP route leaks that cost us 4 hours of network visibility per incident.
+      A transit provider re-advertised our customer cone to the wrong peers last Tuesday. We caught it after 4 hours. The fix took 14 minutes once we saw it — the cost was the 4 hours we didn't.
 
-      Last week we deployed our own monitoring system. First result: caught a route leak from a transit provider within 3 minutes, before any customer noticed.
+      https://blog.fichtmueller.org/example1/
 
-      The fix wasn't sophisticated. It was systematic alerting on RPKI invalid routes combined with PeeringDB cross-referencing.
+  - user: "Article info:\nTitle: 400ZR Reach Math Nobody Shows You\nExcerpt: Datasheets quote a maximum reach number. That number is for a clean link with margin you don't have.\nURL: https://blog.fichtmueller.org/example2/"
+    assistant: |
+      The 400ZR datasheet number is a ceiling, not a target. Real-world links have eight connectors, two amplifier hops, and aged fiber — the spec assumes none of that.
 
-      If you're running a mid-size ISP and still relying on customer tickets to discover routing issues, that's the gap worth closing.
+      Build to the budget you actually have, not the one the marketing slide showed you.
 
-      #BGP #NetworkEngineering #ISP
+      https://blog.fichtmueller.org/example2/
+
+  - user: "Article info:\nTitle: ADHD Diary #008: The 47-Tabs Problem\nExcerpt: I closed 47 browser tabs Tuesday. By Wednesday I had 51 again. This is not a tool problem.\nURL: https://blog.fichtmueller.org/example3/"
+    assistant: |
+      I closed 47 browser tabs on Tuesday. By Wednesday morning I had 51 again.
+
+      This isn't a tool problem. Every tab is a "I might do this later" promise I made to myself. The fix isn't a better tab manager — it's saying no.
+
+      https://blog.fichtmueller.org/example3/
 
 variables:
   - input
diff --git a/packages/gateway/public/dashboard.html b/packages/gateway/public/dashboard.html
index a1d3502..7d231f0 100644
--- a/packages/gateway/public/dashboard.html
+++ b/packages/gateway/public/dashboard.html
@@ -1,541 +1,2101 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
+<script>
+/* Force timestamps to Europe/Berlin (CEST/CET, auto-DST) */
+(function(){var TZ="Europe/Berlin";["toLocaleString","toLocaleTimeString","toLocaleDateString"].forEach(function(fn){var o=Date.prototype[fn];Date.prototype[fn]=function(l,op){op=Object.assign({},op||{},{timeZone:TZ});return o.call(this,l||"de-DE",op);};});})();
+</script>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>LLM Gateway Dashboard</title>
+  <title>llm.gateway / workbench</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
   <style>
-    * {
-      margin: 0;
-      padding: 0;
-      box-sizing: border-box;
+    /* ─── Reset ──────────────────────────────────────────────────────────── */
+    *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+    html, body { background: #f4f7fa; color: #24313d; }
+
+    /* ─── Design tokens ──────────────────────────────────────────────────── */
+    :root {
+      --bg: #f4f7fa;
+      --bg-1: #ffffff;
+      --bg-2: #eef3f6;
+      --bg-3: #dde7ed;
+      --line: #d6e0e7;
+      --line-2: #bdc9d3;
+      --line-3: #8799a8;
+      --text: #24313d;
+      --dim: #667684;
+      --dim-2: #93a1ad;
+      --accent: #0f766e;
+      --accent-dim: #8ab9b5;
+      --warn: #b45309;
+      --err: #b42318;
+      --ok: #15803d;
+      --info: #2563eb;
+      --mono: 'JetBrains Mono', 'SF Mono', 'Menlo', 'Consolas', monospace;
+      --sans: 'Inter', system-ui, -apple-system, 'Segoe UI', sans-serif;
     }
 
     body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarell', sans-serif;
-      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      font-family: var(--sans);
+      font-size: 14px;
+      line-height: 1.5;
       min-height: 100vh;
-      padding: 20px;
-      color: #333;
+      background: var(--bg);
     }
 
-    .container {
-      max-width: 1400px;
+    /* ─── Layout shell ──────────────────────────────────────────────────── */
+    .shell {
+      max-width: 1480px;
       margin: 0 auto;
+      padding: 20px 32px 80px;
     }
 
-    header {
-      margin-bottom: 40px;
-      color: white;
-    }
-
-    h1 {
-      font-size: 2.5rem;
-      margin-bottom: 8px;
-      font-weight: 700;
-    }
-
-    .status-bar {
+    /* ─── Top bar ────────────────────────────────────────────────────────── */
+    .topbar {
       display: flex;
-      gap: 20px;
       align-items: center;
-      margin-top: 12px;
-      flex-wrap: wrap;
+      justify-content: space-between;
+      gap: 24px;
+      padding: 16px 0;
+      border-bottom: 1px solid var(--line);
+      margin-bottom: 8px;
     }
-
-    .status-item {
-      background: rgba(255, 255, 255, 0.2);
-      padding: 8px 16px;
-      border-radius: 6px;
-      font-size: 0.95rem;
-      backdrop-filter: blur(10px);
+    .brand {
+      display: flex;
+      align-items: baseline;
+      gap: 14px;
+      font-family: var(--mono);
     }
-
-    .status-indicator {
+    .brand-mark {
+      font-weight: 700;
+      font-size: 1.05rem;
+      color: var(--text);
+      letter-spacing: -0.01em;
+    }
+    .brand-mark::before {
+      content: '';
       display: inline-block;
       width: 8px;
       height: 8px;
-      border-radius: 50%;
-      margin-right: 8px;
+      margin-right: 10px;
+      background: var(--accent);
     }
-
-    .status-indicator.healthy {
-      background: #10b981;
-    }
-
-    .status-indicator.unhealthy {
-      background: #ef4444;
-    }
-
-    .grid {
-      display: grid;
-      grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
-      gap: 20px;
-      margin-bottom: 40px;
-    }
-
-    .card {
-      background: white;
-      border-radius: 12px;
-      padding: 24px;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-      transition: transform 0.2s, box-shadow 0.2s;
-    }
-
-    .card:hover {
-      transform: translateY(-4px);
-      box-shadow: 0 8px 12px rgba(0, 0, 0, 0.15);
-    }
-
-    .metric-label {
-      font-size: 0.9rem;
-      color: #666;
-      margin-bottom: 12px;
+    .brand-tag {
+      font-size: 0.72rem;
+      color: var(--dim);
+      letter-spacing: 0.06em;
       text-transform: uppercase;
-      letter-spacing: 0.5px;
-      font-weight: 500;
     }
+    .brand-tag::before { content: '/ '; color: var(--dim-2); }
 
-    .metric-value {
-      font-size: 2.2rem;
-      font-weight: 700;
-      color: #667eea;
-      margin-bottom: 8px;
-    }
+    .topbar-actions { display: flex; align-items: center; gap: 10px; }
 
-    .metric-unit {
-      font-size: 0.9rem;
-      color: #999;
-      margin-left: 4px;
-    }
-
-    .metric-change {
-      font-size: 0.85rem;
-      color: #666;
-      margin-top: 12px;
-      padding-top: 12px;
-      border-top: 1px solid #eee;
-    }
-
-    .section-title {
-      color: white;
-      font-size: 1.5rem;
-      margin: 40px 0 20px 0;
-      font-weight: 600;
-    }
-
-    .grid-models, .grid-callers {
-      display: grid;
-      grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
-      gap: 16px;
-      margin-bottom: 40px;
-    }
-
-    .model-card, .caller-card {
-      background: white;
-      border-radius: 10px;
-      padding: 16px;
-      box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
-      border-left: 4px solid #667eea;
-    }
-
-    .model-name, .caller-name {
-      font-weight: 600;
-      color: #333;
-      margin-bottom: 12px;
-      font-size: 0.95rem;
-      word-break: break-word;
-    }
-
-    .request-count {
-      font-size: 1.8rem;
-      font-weight: 700;
-      color: #667eea;
-    }
-
-    .count-label {
-      font-size: 0.8rem;
-      color: #999;
-      margin-top: 4px;
-    }
-
-    .filters {
+    /* ─── Status strip ──────────────────────────────────────────────────── */
+    .status-strip {
       display: flex;
-      gap: 12px;
-      margin-bottom: 20px;
+      align-items: center;
+      gap: 0;
+      padding: 10px 0 18px;
+      border-bottom: 1px solid var(--line);
+      font-family: var(--mono);
+      font-size: 0.78rem;
       flex-wrap: wrap;
     }
-
-    .filter-btn {
-      padding: 8px 16px;
-      border: 2px solid #e0e0e0;
-      background: white;
-      border-radius: 6px;
-      cursor: pointer;
-      font-weight: 500;
-      font-size: 0.9rem;
-      transition: all 0.2s;
-    }
-
-    .filter-btn.active {
-      border-color: #667eea;
-      background: #667eea;
-      color: white;
-    }
-
-    .filter-btn:hover {
-      border-color: #667eea;
-    }
-
-    .requests-table {
-      background: white;
-      border-radius: 12px;
-      overflow: hidden;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-    }
-
-    .table-header {
-      background: #f5f5f5;
-      padding: 16px;
-      display: grid;
-      grid-template-columns: 120px 150px 100px 120px 100px 100px 100px;
-      gap: 12px;
-      font-weight: 600;
-      color: #666;
-      font-size: 0.9rem;
-      text-transform: uppercase;
-      letter-spacing: 0.5px;
-    }
-
-    .table-row {
-      padding: 16px;
-      display: grid;
-      grid-template-columns: 120px 150px 100px 120px 100px 100px 100px;
-      gap: 12px;
-      border-bottom: 1px solid #eee;
-      align-items: center;
-      font-size: 0.9rem;
-    }
-
-    .table-row:last-child {
-      border-bottom: none;
-    }
-
-    .table-row:hover {
-      background: #f9f9f9;
-    }
-
-    .status-badge {
-      display: inline-block;
-      padding: 4px 12px;
-      border-radius: 12px;
-      font-size: 0.8rem;
-      font-weight: 600;
-      text-transform: uppercase;
-      letter-spacing: 0.5px;
-    }
-
-    .status-approved {
-      background: #d1fae5;
-      color: #065f46;
-    }
-
-    .status-warning {
-      background: #fef3c7;
-      color: #92400e;
-    }
-
-    .status-pending {
-      background: #dbeafe;
-      color: #1e40af;
-    }
-
-    .status-rejected {
-      background: #fee2e2;
-      color: #991b1b;
-    }
-
-    .status-error {
-      background: #fecaca;
-      color: #7f1d1d;
-    }
-
-    .empty-state {
-      text-align: center;
-      padding: 40px;
-      color: #999;
-    }
-
-    .connection-status {
-      position: fixed;
-      bottom: 20px;
-      right: 20px;
-      background: white;
-      padding: 12px 16px;
-      border-radius: 6px;
-      box-shadow: 0 2px 8px rgba(0, 0, 0, 0.15);
-      font-size: 0.9rem;
+    .status-cell {
+      padding: 4px 14px;
+      border-right: 1px solid var(--line);
+      color: var(--dim);
       display: flex;
       align-items: center;
       gap: 8px;
     }
-
-    .connection-dot {
-      width: 8px;
-      height: 8px;
-      border-radius: 50%;
-      background: #10b981;
-      animation: pulse 2s infinite;
+    .status-cell:first-child { padding-left: 0; }
+    .status-cell:last-child { border-right: none; margin-left: auto; }
+    .status-cell .dot {
+      width: 8px; height: 8px; border-radius: 50%;
+      background: var(--dim-2);
+      box-shadow: 0 0 0 0 currentColor;
     }
-
-    .connection-dot.disconnected {
-      background: #ef4444;
-      animation: none;
-    }
-
+    .status-cell .dot.ok { background: var(--ok); box-shadow: 0 0 0 3px rgba(21,128,61,0.12); animation: pulse 2.4s infinite; }
+    .status-cell .dot.err { background: var(--err); }
+    .status-cell .label { color: var(--dim-2); text-transform: uppercase; letter-spacing: 0.08em; font-size: 0.68rem; }
+    .status-cell .val { color: var(--text); }
     @keyframes pulse {
-      0%, 100% { opacity: 1; }
-      50% { opacity: 0.5; }
+      0%, 100% { box-shadow: 0 0 0 3px rgba(21,128,61,0.10); }
+      50% { box-shadow: 0 0 0 6px rgba(21,128,61,0.06); }
     }
 
-    .loading {
-      text-align: center;
-      padding: 40px;
-      color: #999;
-      font-style: italic;
+    /* ─── Tab navigation ──────────────────────────────────────────────────── */
+    .tabs {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 0;
+      border-bottom: 1px solid var(--line);
+      margin: 0 0 28px;
     }
-
-    .providers-container {
-      display: grid;
-      grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
-      gap: 20px;
-      margin-bottom: 40px;
+    .tab-trigger {
+      background: none;
+      border: none;
+      color: var(--dim);
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      padding: 14px 16px;
+      cursor: pointer;
+      position: relative;
+      letter-spacing: 0.02em;
+      white-space: nowrap;
+      transition: color 0.15s;
+      border-bottom: 2px solid transparent;
+      margin-bottom: -1px;
     }
-
-    .providers-section {
-      background: white;
-      border-radius: 12px;
-      padding: 20px;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+    .tab-trigger:hover { color: var(--text); }
+    .tab-trigger .tab-num {
+      color: var(--dim-2);
+      font-size: 0.7rem;
+      margin-right: 6px;
     }
+    .tab-trigger.active {
+      color: var(--accent);
+      border-bottom-color: var(--accent);
+    }
+    .tab-trigger.active .tab-num { color: var(--accent-dim); }
+    .tab-trigger .tab-badge {
+      display: inline-block;
+      margin-left: 8px;
+      padding: 1px 6px;
+      border: 1px solid var(--line-2);
+      border-radius: 2px;
+      font-size: 0.62rem;
+      color: var(--dim);
+    }
+    .tab-trigger.active .tab-badge { border-color: var(--accent-dim); color: var(--accent); }
 
-    .providers-subsection {
-      font-size: 1.1rem;
-      font-weight: 600;
-      color: #667eea;
-      margin-bottom: 16px;
+    .tab-panel { display: none; animation: fadein 0.3s ease; }
+    .tab-panel.active { display: block; }
+    @keyframes fadein { from { opacity: 0; transform: translateY(4px); } to { opacity: 1; transform: none; } }
+
+    /* ─── Section headings ────────────────────────────────────────────────── */
+    .h-section {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      letter-spacing: 0.18em;
       text-transform: uppercase;
-      letter-spacing: 0.5px;
+      color: var(--dim);
+      margin: 24px 0 14px;
+      padding-bottom: 8px;
+      border-bottom: 1px solid var(--line);
+      display: flex;
+      align-items: baseline;
+      justify-content: space-between;
+    }
+    .h-section::before { content: ''; width: 18px; height: 2px; background: var(--accent); margin-right: 8px; }
+    .h-section .h-meta { font-size: 0.7rem; color: var(--dim-2); letter-spacing: 0.05em; text-transform: none; }
+
+    /* ─── Metric grid (Overview tab) ──────────────────────────────────────── */
+    .metric-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .metric {
+      padding: 22px 24px 20px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+      transition: background 0.15s;
+    }
+    .metric:hover { background: var(--bg-2); }
+    .metric:last-child { border-right: none; }
+    .metric-label {
+      font-family: var(--mono);
+      font-size: 0.68rem;
+      text-transform: uppercase;
+      letter-spacing: 0.16em;
+      color: var(--dim);
+      margin-bottom: 14px;
+      display: flex;
+      align-items: center;
+      gap: 6px;
+    }
+    .metric-label::before {
+      content: '';
+      width: 6px; height: 6px;
+      background: var(--accent);
+      display: inline-block;
+    }
+    .metric-value {
+      font-family: var(--mono);
+      font-size: 2.1rem;
+      font-weight: 600;
+      color: var(--text);
+      letter-spacing: -0.02em;
+      line-height: 1;
+    }
+    .metric-value .metric-unit {
+      font-size: 0.85rem;
+      color: var(--dim);
+      font-weight: 400;
+      margin-left: 4px;
+    }
+    .metric-change {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      color: var(--dim-2);
+      margin-top: 8px;
+      letter-spacing: 0.04em;
     }
 
-    .providers-grid {
+    /* ─── Two-column grid for sub/caller chips ────────────────────────────── */
+    .chip-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+      gap: 8px;
+      margin-bottom: 8px;
+    }
+    .chip {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      padding: 14px 16px;
+      transition: border-color 0.15s, background 0.15s;
+    }
+    .chip:hover { border-color: var(--line-3); background: var(--bg-2); }
+    .chip-name {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      color: var(--text);
+      margin-bottom: 6px;
+      word-break: break-all;
+    }
+    .chip-meta {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+    }
+    .chip-meta .num { color: var(--accent); font-weight: 600; }
+
+    /* ─── Subscription cards ──────────────────────────────────────────────── */
+    .auto-banner {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 16px;
+      padding: 16px 20px;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 18px;
+      flex-wrap: wrap;
+    }
+    .auto-banner .banner-text {
+      flex: 1 1 auto;
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      color: var(--dim);
+    }
+    .auto-banner .banner-text strong { color: var(--accent); font-weight: 600; }
+    .auto-banner code {
+      font-family: var(--mono);
+      background: var(--bg-2);
+      border: 1px solid var(--line);
+      padding: 2px 8px;
+      color: var(--text);
+      font-size: 0.78rem;
+    }
+
+    .subs-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(330px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
+    .subs-card {
+      background: var(--bg-1);
+      padding: 18px 20px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+    }
+    .subs-card::before {
+      content: '';
+      position: absolute;
+      left: 0; top: 0; bottom: 0;
+      width: 2px;
+      background: var(--dim-2);
+    }
+    .subs-card.installed::before { background: var(--info); }
+    .subs-card.running::before { background: var(--ok); }
+    .subs-card.missing { opacity: 0.55; }
+    .subs-card.missing::before { background: var(--line-2); }
+
+    .subs-head {
+      display: flex;
+      justify-content: space-between;
+      align-items: flex-start;
+      gap: 8px;
+      margin-bottom: 8px;
+    }
+    .subs-label {
+      font-weight: 600;
+      font-size: 0.95rem;
+      color: var(--text);
+      flex: 1 1 auto;
+    }
+    .subs-state {
+      font-family: var(--mono);
+      font-size: 0.65rem;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      padding: 3px 8px;
+      border: 1px solid var(--line-2);
+      color: var(--dim);
+      white-space: nowrap;
+    }
+    .subs-state.running { color: var(--accent); border-color: var(--accent-dim); }
+    .subs-state.installed { color: var(--info); border-color: rgba(37,99,235,0.24); }
+    .subs-state.missing { color: var(--dim-2); }
+    .subs-meta {
+      font-family: var(--mono);
+      font-size: 0.74rem;
+      color: var(--dim);
+      margin-bottom: 4px;
+    }
+    .subs-bridge-url, .subs-models {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+      margin-top: 6px;
+      word-break: break-all;
+    }
+    .subs-bridge-url {
+      background: var(--bg);
+      border: 1px solid var(--line);
+      padding: 6px 10px;
+      color: var(--text);
+    }
+    .subs-models { color: var(--dim); }
+    .subs-models::before { content: 'models: '; color: var(--dim-2); }
+    .subs-install-hint {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      color: var(--warn);
+      background: rgba(180,83,9,0.08);
+      border: 1px solid rgba(180,83,9,0.22);
+      padding: 6px 10px;
+      margin-top: 8px;
+    }
+    .subs-install-hint code {
+      background: var(--bg);
+      padding: 1px 5px;
+      border-radius: 0;
+      color: var(--accent);
+    }
+
+    /* ─── Knowledge Graph ─────────────────────────────────────────────── */
+    .graph-wrap { background: var(--bg-1); border: 1px solid var(--line); padding: 12px; }
+    .graph-wrap svg { width: 100%; height: 460px; display: block; }
+    .graph-wrap svg .node { cursor: pointer; transition: transform 0.15s; }
+    .graph-wrap svg .node:hover { transform: scale(1.1); }
+    .graph-wrap svg .node-caller   { fill: var(--accent); }
+    .graph-wrap svg .node-fact-key   { fill: #2563eb; }
+    .graph-wrap svg .node-fact-value { fill: #a78bfa; }
+    .graph-wrap svg .edge { stroke: var(--line-2); stroke-opacity: 0.6; fill: none; }
+    .graph-wrap svg text.label { font-family: var(--mono); font-size: 10px; fill: var(--text); pointer-events: none; }
+    .graph-legend {
+      display: flex; gap: 18px; margin-top: 10px; padding: 6px 12px;
+      background: var(--bg); border: 1px solid var(--line);
+      font-family: var(--mono); font-size: 0.74rem; color: var(--dim);
+    }
+    .graph-legend .dot { display: inline-block; width: 10px; height: 10px; margin-right: 6px; vertical-align: middle; }
+
+    /* ─── Leaderboard ─────────────────────────────────────────────────── */
+    .leaderboard-podium {
+      display: grid; grid-template-columns: 1fr 1.2fr 1fr;
+      gap: 12px; align-items: end; margin-bottom: 22px;
+    }
+    .podium-step {
+      padding: 18px 14px; border: 1px solid var(--line);
+      background: var(--bg-1); text-align: center;
+      display: flex; flex-direction: column; gap: 6px;
+    }
+    .podium-step.gold   { background: #fefce8; border-color: #facc15; min-height: 200px; order: 2; }
+    .podium-step.silver { background: #f8fafc; border-color: #cbd5e1; min-height: 170px; order: 1; }
+    .podium-step.bronze { background: #fef3c7; border-color: #f59e0b; min-height: 150px; order: 3; }
+    .podium-rank { font-family: var(--mono); font-weight: 700; font-size: 1.4rem; color: var(--text); }
+    .podium-medal { font-size: 2.4rem; line-height: 1; }
+    .podium-model { font-family: var(--mono); font-weight: 600; font-size: 0.95rem; color: var(--text); word-break: break-all; }
+    .podium-stat  { font-family: var(--mono); font-size: 0.78rem; color: var(--dim); }
+    .leaderboard-table { background: var(--bg-1); border: 1px solid var(--line); }
+    .lb-row {
+      display: grid; grid-template-columns: 40px 1fr 80px 80px 80px 80px;
+      gap: 10px; padding: 10px 16px; border-bottom: 1px solid var(--line);
+      font-family: var(--mono); font-size: 0.82rem; align-items: center;
+    }
+    .lb-row.head { background: var(--bg-2); color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; font-size: 0.66rem; }
+    .lb-row:last-child { border-bottom: none; }
+    .lb-row .lb-pos { font-weight: 700; text-align: center; }
+    .lb-row .lb-num { text-align: right; }
+    .lb-row.medal-gold { background: rgba(250,204,21,0.06); }
+    .lb-row.medal-silver { background: rgba(203,213,225,0.10); }
+    .lb-row.medal-bronze { background: rgba(245,158,11,0.06); }
+
+    /* ─── Share + Report ──────────────────────────────────────────────── */
+    .share-controls {
+      display: flex; gap: 16px; flex-wrap: wrap; align-items: center;
+      padding: 14px; border: 1px solid var(--line); background: var(--bg-1);
+      margin-bottom: 12px;
+    }
+    .share-preview {
+      border: 1px solid var(--line); background: var(--bg-2);
+      padding: 12px; text-align: center;
+    }
+    .share-preview img { max-width: 100%; height: auto; box-shadow: 0 2px 12px rgba(0,0,0,0.06); }
+    .share-url {
+      font-family: var(--mono); font-size: 0.78rem; color: var(--dim);
+      padding: 8px 12px; background: var(--bg); border: 1px solid var(--line);
+      margin-top: 8px; word-break: break-all;
+    }
+    .share-hint { font-size: 0.82rem; color: var(--dim); margin-top: 8px; }
+    .share-hint code { font-family: var(--mono); background: var(--bg-2); padding: 2px 6px; border-radius: 2px; }
+
+    /* ─── Caller deep-dive modal additions ──────────────────────────── */
+    .caller-summary {
+      display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+      gap: 0; border: 1px solid var(--line); margin-bottom: 16px;
+    }
+    .caller-summary > div { padding: 10px 14px; border-right: 1px solid var(--line); }
+    .caller-summary > div:last-child { border-right: none; }
+    .caller-summary .label { font-size: 0.66rem; color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; font-family: var(--mono); }
+    .caller-summary .val { font-family: var(--mono); font-size: 1rem; font-weight: 600; color: var(--text); margin-top: 4px; }
+    .caller-hour-bars { display: flex; gap: 2px; align-items: end; height: 60px; padding: 8px; border: 1px solid var(--line); background: var(--bg); }
+    .caller-hour-bars .bar { flex: 1; background: var(--accent); min-height: 1px; transition: height 0.2s; }
+    .caller-hour-axis { display: flex; gap: 2px; padding: 0 8px; font-family: var(--mono); font-size: 0.6rem; color: var(--dim-2); }
+    .caller-hour-axis > span { flex: 1; text-align: center; }
+
+    /* clickable caller chips */
+    .chip { cursor: pointer; }
+    .chip:hover { border-color: var(--accent); }
+
+    /* Layer breakdown under hero counter */
+    .hero-layer-breakdown {
+      display: flex; flex-direction: column; gap: 4px;
+      margin-top: 12px;
+      padding-top: 10px;
+      border-top: 1px solid var(--line);
+    }
+    .layer-row {
+      display: flex; justify-content: space-between; align-items: baseline;
+      font-family: var(--mono); font-size: 0.78rem;
+    }
+    .layer-name { color: var(--dim); }
+    .layer-val { color: var(--text); font-weight: 600; }
+
+    /* ─── Simple Mode CSS — hide non-configured cards ───────────────────── */
+    body.simple-mode .subs-card.missing { display: none; }
+    body.simple-mode #savingsAxes .axis[data-empty="true"] { display: none; }
+    body.hide-empty-providers .provider-item[data-status="unconfigured"] { display: none; }
+    body.hide-empty-providers .wallet-card[data-status="unknown"] { display: none; }
+
+    /* In Simple Mode, hide the noisy "5-axis" header explainer */
+    body.simple-mode .h-section .h-meta:contains('LLM Gateway') { display: none; }
+
+    /* ─── Hero (Buddy + Savings + Cost-VS) ───────────────────────────────── */
+    .hero-grid {
+      display: grid;
+      grid-template-columns: 1fr 1.5fr 1.2fr;
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 22px;
+      overflow: hidden;
+    }
+    .hero-grid > div { padding: 22px 24px; border-right: 1px solid var(--line); }
+    .hero-grid > div:last-child { border-right: none; }
+
+    .hero-eyebrow {
+      font-family: var(--mono);
+      font-size: 0.66rem;
+      letter-spacing: 0.2em;
+      text-transform: uppercase;
+      color: var(--dim);
+      margin-bottom: 12px;
+    }
+
+    /* Buddy */
+    .hero-buddy { display: flex; flex-direction: column; gap: 8px; }
+    .buddy-name { font-weight: 700; font-size: 1.1rem; color: var(--text); }
+    .buddy-rarity {
+      display: inline-block; font-family: var(--mono); font-size: 0.62rem;
+      padding: 2px 8px; border: 1px solid var(--line-2); margin-left: 6px;
+      letter-spacing: 0.1em; text-transform: uppercase; vertical-align: middle;
+    }
+    .buddy-rarity.legendary { color: #b45309; border-color: #b45309; background: rgba(180,83,9,0.06); }
+    .buddy-rarity.epic      { color: #7c3aed; border-color: #7c3aed; background: rgba(124,58,237,0.06); }
+    .buddy-rarity.rare      { color: #2563eb; border-color: #2563eb; background: rgba(37,99,235,0.06); }
+    .buddy-rarity.uncommon  { color: var(--accent); border-color: var(--accent); background: rgba(15,118,110,0.06); }
+    .buddy-rarity.common    { color: var(--dim); }
+    .buddy-meta { font-family: var(--mono); font-size: 0.74rem; color: var(--dim); }
+    .buddy-art {
+      font-family: var(--mono); font-size: 0.8rem; line-height: 1.1;
+      white-space: pre; color: var(--accent);
+      padding: 8px; background: var(--bg);
+      border: 1px solid var(--line); margin: 4px 0;
+    }
+    .buddy-xp-bar {
+      height: 6px; background: var(--bg-3); border-radius: 1px;
+      position: relative; overflow: hidden;
+    }
+    .buddy-xp-fill {
+      height: 100%; background: linear-gradient(90deg, var(--accent), #2dd4bf);
+      transition: width 0.4s;
+    }
+    .buddy-xp-text {
+      font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2);
+      display: flex; justify-content: space-between;
+    }
+    .buddy-speech {
+      font-style: italic; font-size: 0.84rem; color: var(--text);
+      padding: 8px 12px; background: var(--bg-2); border-left: 2px solid var(--accent);
+      margin-top: 6px;
+    }
+    .buddy-mood-happy::before    { content: '😊 '; }
+    .buddy-mood-content::before  { content: '😌 '; }
+    .buddy-mood-sleepy::before   { content: '😴 '; }
+    .buddy-mood-hungry::before   { content: '🍴 '; }
+    .buddy-mood-excited::before  { content: '🤩 '; }
+
+    /* Hero savings counter */
+    .hero-savings { display: flex; flex-direction: column; gap: 14px; }
+    .hero-counter {
+      font-family: var(--mono); font-size: 3.6rem; font-weight: 700;
+      color: var(--accent); letter-spacing: -0.03em; line-height: 0.95;
+    }
+    .hero-row { display: flex; gap: 8px; flex-wrap: wrap; margin-top: 4px; }
+    .hero-pill {
+      flex: 1 1 100px; padding: 8px 12px; border: 1px solid var(--line);
+      background: var(--bg); display: flex; flex-direction: column; gap: 2px;
+    }
+    .hero-pill-label {
+      font-family: var(--mono); font-size: 0.62rem; color: var(--dim-2);
+      letter-spacing: 0.1em; text-transform: uppercase;
+    }
+    .hero-pill-val { font-family: var(--mono); font-size: 1.05rem; font-weight: 600; color: var(--text); }
+
+    /* Cost-VS comparison */
+    .hero-cost { display: flex; flex-direction: column; gap: 10px; }
+    .cost-vs { display: flex; align-items: center; gap: 10px; }
+    .cost-side { flex: 1; padding: 10px 14px; border: 1px solid var(--line); }
+    .cost-side.without { background: rgba(180,35,24,0.04); border-color: rgba(180,35,24,0.2); }
+    .cost-side.with    { background: rgba(15,118,110,0.06); border-color: rgba(15,118,110,0.3); }
+    .cost-label {
+      font-family: var(--mono); font-size: 0.62rem; color: var(--dim-2);
+      text-transform: uppercase; letter-spacing: 0.1em;
+    }
+    .cost-amount {
+      font-family: var(--mono); font-weight: 700; font-size: 1.6rem;
+      letter-spacing: -0.02em; margin-top: 2px;
+    }
+    .cost-side.without .cost-amount { color: var(--err); }
+    .cost-side.with .cost-amount    { color: var(--accent); }
+    .cost-arrow { color: var(--dim-2); font-size: 1.4rem; }
+    .cost-saved-line { font-size: 0.84rem; color: var(--text); }
+    .cost-saved-line strong { color: var(--accent); font-weight: 700; }
+
+    /* Savings axes (5-source breakdown) */
+    .savings-axes {
+      display: grid; grid-template-columns: repeat(5, 1fr); gap: 0;
+      border: 1px solid var(--line); background: var(--bg-1);
+    }
+    .axis {
+      padding: 14px 16px; border-right: 1px solid var(--line);
+      display: flex; flex-direction: column; gap: 4px;
+    }
+    .axis:last-child { border-right: none; }
+    .axis-label {
+      font-family: var(--mono); font-size: 0.66rem; color: var(--dim);
+      letter-spacing: 0.1em; text-transform: uppercase;
+    }
+    .axis-icon { font-size: 1.2rem; }
+    .axis-cost {
+      font-family: var(--mono); font-weight: 700; font-size: 1.3rem;
+      color: var(--accent);
+    }
+    .axis-detail { font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2); }
+
+    /* Two-column overview rows */
+    .overview-row-2col {
+      display: grid; grid-template-columns: 1fr 1fr; gap: 28px;
+      margin-top: 22px;
+    }
+
+    /* Calendar heatmap */
+    .heatmap {
+      display: grid; grid-template-columns: repeat(53, 11px);
+      grid-auto-rows: 11px; gap: 2px;
+      padding: 12px; border: 1px solid var(--line); background: var(--bg-1);
+    }
+    .heatmap-cell { width: 11px; height: 11px; border-radius: 2px; background: var(--bg-3); cursor: pointer; transition: transform 0.1s; }
+    .heatmap-cell:hover { transform: scale(1.4); outline: 1px solid var(--accent); }
+    .heatmap-cell.l1 { background: #2dd4bf40; }
+    .heatmap-cell.l2 { background: #2dd4bf80; }
+    .heatmap-cell.l3 { background: #2dd4bfc0; }
+    .heatmap-cell.l4 { background: var(--accent); }
+
+    /* Forecast */
+    .forecast { padding: 18px; border: 1px solid var(--line); background: var(--bg-1); }
+    .forecast-row {
+      display: flex; justify-content: space-between; align-items: baseline;
+      padding: 8px 0; border-bottom: 1px solid var(--line);
+    }
+    .forecast-row:last-child { border-bottom: none; }
+    .forecast-window { font-family: var(--mono); font-size: 0.72rem; color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; }
+    .forecast-amount { font-family: var(--mono); font-weight: 700; color: var(--accent); font-size: 1.1rem; }
+    .forecast-trend {
+      font-family: var(--mono); font-size: 0.78rem; padding-top: 8px;
+      color: var(--dim);
+    }
+    .forecast-trend.up { color: var(--accent); }
+    .forecast-trend.down { color: var(--err); }
+    .forecast-trend::before { content: '→ '; }
+    .forecast-trend.up::before { content: '↗ '; }
+    .forecast-trend.down::before { content: '↘ '; }
+
+    /* Live events feed */
+    .events-feed {
+      max-height: 380px; overflow-y: auto;
+      border: 1px solid var(--line); background: var(--bg-1);
+      font-family: var(--mono);
+    }
+    .event-row {
+      display: grid; grid-template-columns: auto 1fr auto; gap: 10px;
+      padding: 8px 14px; border-bottom: 1px solid var(--line);
+      font-size: 0.78rem; align-items: center;
+    }
+    .event-row:last-child { border-bottom: none; }
+    .event-row:hover { background: var(--bg-2); }
+    .event-icon { font-size: 1rem; }
+    .event-body { color: var(--text); }
+    .event-caller { color: var(--accent); font-weight: 600; }
+    .event-detail { color: var(--dim); margin-top: 2px; font-size: 0.7rem; }
+    .event-time { color: var(--dim-2); font-size: 0.68rem; }
+
+    /* Achievements */
+    .achievements-grid {
+      display: grid; grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
+      gap: 10px;
+    }
+    .achievement {
+      padding: 12px 14px; border: 1px solid var(--line); background: var(--bg-1);
+      display: flex; gap: 12px; align-items: flex-start;
+      transition: transform 0.15s, border-color 0.15s;
+    }
+    .achievement.unlocked { border-color: var(--accent); }
+    .achievement.unlocked:hover { transform: translateY(-2px); }
+    .achievement.locked { opacity: 0.45; filter: grayscale(0.8); }
+    .ach-icon { font-size: 1.6rem; line-height: 1; }
+    .ach-info { display: flex; flex-direction: column; gap: 2px; flex: 1; }
+    .ach-title { font-weight: 600; font-size: 0.88rem; color: var(--text); }
+    .ach-desc { font-size: 0.74rem; color: var(--dim); font-family: var(--mono); }
+
+    /* Streak badge */
+    #streakBadge { color: var(--accent); font-weight: 700; }
+
+    @media (max-width: 1100px) {
+      .hero-grid { grid-template-columns: 1fr; }
+      .hero-grid > div { border-right: none; border-bottom: 1px solid var(--line); }
+      .savings-axes { grid-template-columns: repeat(2, 1fr); }
+      .axis { border-bottom: 1px solid var(--line); }
+      .overview-row-2col { grid-template-columns: 1fr; }
+      .heatmap { grid-template-columns: repeat(26, 11px); }
+    }
+
+    /* ─── Savings ───────────────────────────────────────────────────────── */
+    .savings-hero {
+      display: grid;
+      grid-template-columns: 1fr 1.4fr;
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .savings-headline {
+      padding: 28px 32px;
+      border-right: 1px solid var(--line);
+    }
+    .savings-eyebrow {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      text-transform: uppercase;
+      letter-spacing: 0.18em;
+      color: var(--dim);
+      margin-bottom: 10px;
+    }
+    .savings-counter {
+      font-family: var(--mono);
+      font-size: 3.4rem;
+      font-weight: 700;
+      letter-spacing: -0.03em;
+      line-height: 1;
+      color: var(--accent);
+      transition: color 0.4s;
+    }
+    .savings-sub {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      color: var(--dim);
+      margin-top: 14px;
+    }
+    .savings-spark {
+      padding: 24px 32px;
       display: flex;
       flex-direction: column;
+      gap: 6px;
+    }
+    .savings-spark svg {
+      width: 100%;
+      height: 80px;
+    }
+    .savings-spark svg path.area { fill: rgba(15,118,110,0.10); stroke: none; }
+    .savings-spark svg path.line { fill: none; stroke: var(--accent); stroke-width: 1.4; }
+    .savings-spark svg circle.last { fill: var(--accent); }
+    .savings-spark-meta {
+      display: flex; justify-content: space-between;
+      font-family: var(--mono); font-size: 0.7rem;
+      color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em;
+    }
+    .savings-spark-meta #savingsHitRate { color: var(--accent); }
+
+    /* ─── Wallet ───────────────────────────────────────────────────────── */
+    .wallet-banner {
+      padding: 14px 18px;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 18px;
+      font-size: 0.86rem;
+      color: var(--dim);
+    }
+    .wallet-banner strong { color: var(--accent); font-weight: 600; }
+    .wallet-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(360px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
+    .wallet-card {
+      background: var(--bg-1);
+      padding: 18px 20px 16px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+    }
+    .wallet-head {
+      display: flex; justify-content: space-between; align-items: baseline;
+      margin-bottom: 10px;
+    }
+    .wallet-label {
+      font-weight: 600; font-size: 0.95rem; color: var(--text);
+    }
+    .wallet-rec {
+      font-family: var(--mono); font-size: 0.65rem;
+      letter-spacing: 0.1em; text-transform: uppercase;
+      padding: 2px 8px; border: 1px solid var(--line-2);
+      color: var(--dim);
+    }
+    .wallet-rec.use-this { color: var(--ok); border-color: rgba(21,128,61,0.4); background: rgba(21,128,61,0.05); }
+    .wallet-rec.available { color: var(--info); border-color: rgba(37,99,235,0.4); }
+    .wallet-rec.near-limit { color: var(--warn); border-color: rgba(180,83,9,0.4); background: rgba(180,83,9,0.05); }
+    .wallet-rec.exhausted { color: var(--err); border-color: rgba(180,35,24,0.4); background: rgba(180,35,24,0.05); }
+    .wallet-rec.unknown { color: var(--dim-2); }
+
+    .wallet-bar {
+      height: 8px;
+      background: var(--bg-2);
+      border-radius: 1px;
+      position: relative;
+      overflow: hidden;
+      margin: 12px 0 10px;
+    }
+    .wallet-bar-fill {
+      height: 100%;
+      background: var(--accent);
+      transition: width 0.4s ease;
+    }
+    .wallet-bar-fill.warn { background: var(--warn); }
+    .wallet-bar-fill.err { background: var(--err); }
+    .wallet-meta {
+      display: flex; justify-content: space-between;
+      font-family: var(--mono); font-size: 0.74rem;
+      color: var(--dim);
+    }
+    .wallet-meta strong { color: var(--text); font-weight: 600; }
+    .wallet-reset {
+      font-family: var(--mono); font-size: 0.7rem;
+      color: var(--dim-2); margin-top: 6px;
+    }
+
+    /* ─── Memory ───────────────────────────────────────────────────────── */
+    .memory-form {
+      display: flex; gap: 10px; flex-wrap: wrap; margin-bottom: 18px;
+      align-items: center;
+    }
+    .mem-list {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .mem-row {
+      padding: 12px 16px;
+      border-bottom: 1px solid var(--line);
+      display: grid;
+      grid-template-columns: 1.2fr 2fr 1fr;
       gap: 12px;
+      align-items: center;
+      font-family: var(--mono);
+      font-size: 0.82rem;
     }
+    .mem-row:last-child { border-bottom: none; }
+    .mem-key { font-weight: 600; color: var(--accent); }
+    .mem-val { color: var(--text); }
+    .mem-meta { color: var(--dim-2); font-size: 0.72rem; text-align: right; }
 
+    /* ─── Providers ──────────────────────────────────────────────────────── */
+    .providers-stack > section { margin-bottom: 22px; }
+    .providers-stack > section:last-child { margin-bottom: 0; }
+    .providers-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
     .provider-item {
-      background: #f9f9f9;
-      border-radius: 8px;
-      padding: 12px;
-      border-left: 4px solid #667eea;
+      background: var(--bg-1);
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      padding: 14px 16px;
     }
-
     .provider-header {
       display: flex;
       justify-content: space-between;
-      align-items: start;
-      margin-bottom: 8px;
+      align-items: flex-start;
       gap: 8px;
+      margin-bottom: 4px;
     }
-
-    .provider-name {
-      font-weight: 600;
-      color: #333;
-      font-size: 0.95rem;
+    .provider-name { font-weight: 600; color: var(--text); font-size: 0.9rem; }
+    .provider-tech-name {
+      font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2);
+      margin-bottom: 6px;
     }
-
     .provider-tag {
-      display: inline-block;
-      padding: 3px 8px;
-      border-radius: 4px;
-      font-size: 0.75rem;
-      font-weight: 600;
-      text-transform: uppercase;
-      letter-spacing: 0.3px;
+      font-family: var(--mono); font-size: 0.62rem;
+      letter-spacing: 0.1em; text-transform: uppercase;
+      padding: 2px 8px;
+      border: 1px solid var(--line-2);
+      color: var(--dim);
       white-space: nowrap;
     }
-
-    .tag-configured {
-      background: #d1fae5;
-      color: #065f46;
+    .provider-tag.tag-configured { color: var(--ok); border-color: rgba(21,128,61,0.24); }
+    .provider-tag.tag-unconfigured { color: var(--dim); }
+    .provider-runtime {
+      display: flex;
+      align-items: center;
+      gap: 6px;
+      font-family: var(--mono);
+      font-size: 0.68rem;
+      color: var(--dim-2);
+      margin-top: 8px;
+      min-height: 18px;
     }
-
-    .tag-unconfigured {
-      background: #fee2e2;
-      color: #7f1d1d;
+    .provider-runtime .runtime-dot {
+      width: 7px;
+      height: 7px;
+      border-radius: 50%;
+      background: var(--dim-2);
+      flex: 0 0 auto;
     }
-
+    .provider-runtime.runtime-ready { color: var(--ok); }
+    .provider-runtime.runtime-ready .runtime-dot { background: var(--ok); box-shadow: 0 0 0 3px rgba(21,128,61,0.12); }
+    .provider-runtime.runtime-warn { color: var(--warn); }
+    .provider-runtime.runtime-warn .runtime-dot { background: var(--warn); box-shadow: 0 0 0 3px rgba(180,83,9,0.12); }
+    .provider-runtime.runtime-muted { color: var(--dim); }
+    .provider-runtime.runtime-muted .runtime-dot { background: var(--dim); }
     .provider-models {
-      font-size: 0.8rem;
-      color: #666;
-      margin-top: 6px;
+      font-family: var(--mono); font-size: 0.72rem; color: var(--dim);
+      margin-top: 4px; word-break: break-all;
     }
-
     .provider-rate {
-      font-size: 0.75rem;
-      color: #999;
+      font-family: var(--mono); font-size: 0.68rem; color: var(--dim-2);
       margin-top: 4px;
     }
+    .provider-env-hint {
+      font-family: var(--mono); font-size: 0.68rem;
+      color: var(--warn);
+      background: rgba(180,83,9,0.08);
+      border: 1px solid rgba(180,83,9,0.22);
+      padding: 4px 8px;
+      margin-top: 6px;
+    }
+    .provider-env-hint code { background: var(--bg); padding: 1px 4px; color: var(--accent); }
 
+    /* ─── Activity / Requests table ───────────────────────────────────────── */
+    .filters {
+      display: flex; gap: 4px;
+      margin-bottom: 14px;
+      font-family: var(--mono);
+    }
+    .filter-btn {
+      background: transparent;
+      border: 1px solid var(--line);
+      color: var(--dim);
+      padding: 6px 16px;
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      cursor: pointer;
+      transition: all 0.15s;
+    }
+    .filter-btn:hover { color: var(--text); border-color: var(--line-3); }
+    .filter-btn.active {
+      color: var(--accent);
+      border-color: var(--accent-dim);
+      background: rgba(15,118,110,0.08);
+    }
+
+    .req-table {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      font-family: var(--mono);
+      font-size: 0.78rem;
+    }
+    .req-row {
+      display: grid;
+      grid-template-columns: 1.15fr 1fr 1.2fr 0.7fr 0.7fr 0.7fr 0.65fr 0.9fr 0.75fr 0.7fr;
+      gap: 10px;
+      padding: 10px 16px;
+      border-bottom: 1px solid var(--line);
+      align-items: center;
+    }
+    .req-row.head {
+      background: var(--bg-2);
+      color: var(--dim);
+      text-transform: uppercase;
+      letter-spacing: 0.1em;
+      font-size: 0.66rem;
+    }
+    .req-row:last-child { border-bottom: none; }
+    .req-row.body:hover { background: var(--bg-2); }
+    .req-row > div { overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+    .req-status {
+      display: inline-block;
+      padding: 2px 8px;
+      font-size: 0.66rem;
+      letter-spacing: 0.08em;
+      text-transform: uppercase;
+      border: 1px solid var(--line-2);
+    }
+    .req-status.approved { color: var(--ok); border-color: rgba(21,128,61,0.24); }
+    .req-status.error, .req-status.rejected { color: var(--err); border-color: rgba(180,35,24,0.24); }
+    .req-status.warning, .req-status.pending_review { color: var(--warn); border-color: rgba(180,83,9,0.24); }
+
+    .client-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(230px, 1fr));
+      gap: 10px;
+      margin-bottom: 14px;
+    }
+    .client-item {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      padding: 12px 14px;
+      font-family: var(--mono);
+      min-height: 88px;
+    }
+    .client-top {
+      display: flex;
+      justify-content: space-between;
+      gap: 10px;
+      align-items: flex-start;
+      margin-bottom: 9px;
+    }
+    .client-name {
+      font-weight: 700;
+      color: var(--text);
+      font-size: 0.78rem;
+      white-space: nowrap;
+      overflow: hidden;
+      text-overflow: ellipsis;
+    }
+    .client-state {
+      border: 1px solid var(--line-2);
+      padding: 2px 7px;
+      text-transform: uppercase;
+      letter-spacing: 0.08em;
+      font-size: 0.62rem;
+      color: var(--dim);
+      white-space: nowrap;
+    }
+    .client-state.live {
+      color: var(--ok);
+      border-color: rgba(21,128,61,0.28);
+      background: rgba(21,128,61,0.06);
+    }
+    .client-state.not-connected {
+      color: var(--warn);
+      border-color: rgba(180,83,9,0.26);
+      background: rgba(180,83,9,0.06);
+    }
+    .client-meta {
+      color: var(--dim);
+      font-size: 0.72rem;
+      line-height: 1.55;
+    }
+    .client-meta strong {
+      color: var(--text);
+      font-weight: 600;
+    }
+
+    .empty-state {
+      padding: 40px 20px;
+      text-align: center;
+      color: var(--dim-2);
+      font-family: var(--mono);
+      font-size: 0.85rem;
+    }
+    .loading {
+      padding: 30px 20px;
+      text-align: center;
+      color: var(--dim);
+      font-family: var(--mono);
+      font-size: 0.8rem;
+    }
+
+    /* ─── Discover Panel ──────────────────────────────────────────────── */
+    .discover-grid {
+      display: grid; grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+      gap: 12px; margin-bottom: 16px;
+    }
+    .discover-card {
+      border: 1px solid var(--line-2);
+      border-radius: 10px;
+      padding: 12px 14px;
+      background: var(--surface-1, rgba(255,255,255,0.02));
+    }
+    .discover-card-title {
+      font-size: 0.72rem; color: var(--text-muted, #888);
+      text-transform: uppercase; letter-spacing: 0.08em;
+      margin-bottom: 4px;
+    }
+    .discover-card-stat {
+      font-family: var(--mono); font-size: 1.4rem;
+      color: var(--accent); margin-bottom: 8px;
+    }
+    .discover-card-list {
+      list-style: none; padding: 0; margin: 0;
+      font-size: 0.78rem; font-family: var(--mono);
+    }
+    .discover-card-list li {
+      padding: 4px 0;
+      border-top: 1px solid var(--line-1, rgba(255,255,255,0.05));
+      display: flex; justify-content: space-between; align-items: center;
+    }
+    .discover-card-list li:first-child { border-top: none; }
+    .discover-card-list .disc-ok { color: var(--accent); }
+    .discover-card-list .disc-no { color: var(--text-muted, #888); opacity: 0.6; }
+
+    /* ─── API Tab ──────────────────────────────────────────────────────── */
+    .api-card {
+      border: 1px solid var(--line-2);
+      border-radius: 10px;
+      padding: 14px 16px;
+      margin-bottom: 14px;
+      background: var(--surface-1, rgba(255,255,255,0.02));
+    }
+    .api-card-head {
+      display: flex; align-items: center; gap: 10px; flex-wrap: wrap;
+      margin-bottom: 10px;
+    }
+    .api-method {
+      font-family: var(--mono); font-size: 0.7rem; font-weight: 700;
+      padding: 3px 8px; border-radius: 4px;
+      background: var(--accent); color: #fff; letter-spacing: 0.05em;
+    }
+    .api-path {
+      font-family: var(--mono); font-size: 0.92rem;
+      color: var(--text);
+    }
+    .api-tag {
+      font-size: 0.72rem; color: var(--text-muted, #888);
+      font-style: italic; flex: 1;
+    }
+    .api-snippet {
+      font-family: var(--mono); font-size: 0.8rem;
+      background: var(--surface-2, rgba(0,0,0,0.25));
+      border: 1px solid var(--line-1, rgba(255,255,255,0.05));
+      padding: 12px 14px; border-radius: 6px;
+      overflow-x: auto; white-space: pre;
+      color: var(--text); margin: 0;
+    }
+    .api-snippet code { background: transparent; padding: 0; }
+    .api-copy { padding: 4px 12px; font-size: 0.7rem; }
+
+    .api-tryout {
+      border: 1px solid var(--line-2);
+      border-radius: 10px;
+      padding: 14px 16px;
+      background: var(--surface-1, rgba(255,255,255,0.02));
+    }
+    .api-tryout-row { display: flex; flex-wrap: wrap; align-items: center; }
+
+    .api-bridge-table-wrap { overflow-x: auto; border: 1px solid var(--line-2); border-radius: 10px; }
+    .api-bridge-table {
+      width: 100%; border-collapse: collapse; font-size: 0.85rem;
+    }
+    .api-bridge-table th, .api-bridge-table td {
+      padding: 10px 12px; text-align: left; border-bottom: 1px solid var(--line-1, rgba(255,255,255,0.05));
+    }
+    .api-bridge-table th {
+      font-weight: 600; color: var(--text-muted, #888);
+      text-transform: uppercase; letter-spacing: 0.05em; font-size: 0.72rem;
+    }
+    .api-bridge-table tr:last-child td { border-bottom: none; }
+    .api-bridge-status { font-family: var(--mono); font-size: 0.78rem; }
+    .api-bridge-status.ok { color: var(--accent); }
+    .api-bridge-status.err { color: #e34; }
+
+    /* ─── Buttons ────────────────────────────────────────────────────────── */
+    .btn {
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      padding: 8px 18px;
+      border: 1px solid var(--line-2);
+      background: transparent;
+      color: var(--text);
+      cursor: pointer;
+      letter-spacing: 0.02em;
+      transition: all 0.15s;
+      text-transform: uppercase;
+      letter-spacing: 0.08em;
+    }
+    .btn:hover {
+      border-color: var(--accent);
+      color: var(--accent);
+      background: rgba(15,118,110,0.06);
+    }
+    .btn.primary {
+      border-color: var(--accent);
+      color: var(--accent);
+      background: rgba(15,118,110,0.08);
+    }
+    .btn.primary:hover { background: var(--accent); color: #ffffff; }
+    .btn:disabled { opacity: 0.4; cursor: not-allowed; }
+    .btn-sm { padding: 5px 12px; font-size: 0.72rem; }
+
+    /* ─── Settings modal ─────────────────────────────────────────────────── */
+    .modal-overlay {
+      position: fixed; inset: 0;
+      background: rgba(56,68,82,0.28);
+      backdrop-filter: blur(2px);
+      display: none;
+      align-items: flex-start;
+      justify-content: center;
+      z-index: 1000;
+      overflow-y: auto;
+      padding: 40px 16px;
+    }
+    .modal-overlay.open { display: flex; }
+    .modal {
+      background: var(--bg-1);
+      border: 1px solid var(--line-2);
+      max-width: 760px;
+      width: 100%;
+      max-height: calc(100vh - 80px);
+      display: flex;
+      flex-direction: column;
+      box-shadow: 0 24px 60px rgba(75,91,108,0.20);
+    }
+    .modal-header {
+      padding: 18px 24px;
+      border-bottom: 1px solid var(--line);
+      display: flex; align-items: center; justify-content: space-between;
+    }
+    .modal-header h2 {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      letter-spacing: 0.16em;
+      text-transform: uppercase;
+      font-weight: 600;
+      color: var(--text);
+    }
+    .modal-header h2::before { content: ''; display: inline-block; width: 7px; height: 7px; margin-right: 9px; background: var(--accent); }
+    .modal-close {
+      background: none;
+      border: 1px solid var(--line-2);
+      width: 32px; height: 32px;
+      cursor: pointer;
+      color: var(--dim);
+      font-size: 1.1rem;
+      line-height: 1;
+      transition: all 0.15s;
+    }
+    .modal-close:hover { color: var(--err); border-color: var(--err); }
+    .modal-body { padding: 22px 24px; overflow-y: auto; flex: 1 1 auto; }
+    .modal-footer {
+      padding: 14px 24px;
+      border-top: 1px solid var(--line);
+      display: flex; gap: 10px; justify-content: flex-end; align-items: center;
+    }
+    .modal-footer .save-status {
+      margin-right: auto;
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      color: var(--dim);
+    }
+    .modal-footer .save-status.ok { color: var(--ok); }
+    .modal-footer .save-status.err { color: var(--err); }
+
+    .settings-section { margin-bottom: 26px; }
+    .settings-section:last-child { margin-bottom: 0; }
+    .settings-section-title {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      letter-spacing: 0.16em;
+      text-transform: uppercase;
+      color: var(--accent);
+      margin-bottom: 6px;
+      padding-bottom: 6px;
+      border-bottom: 1px solid var(--line);
+    }
+    .settings-section-title::before { content: ''; display: inline-block; width: 14px; height: 2px; margin-right: 8px; background: var(--accent-dim); vertical-align: middle; }
+    .settings-section-desc { font-size: 0.78rem; color: var(--dim); margin-bottom: 10px; }
+
+    .settings-row {
+      display: grid;
+      grid-template-columns: 1fr auto;
+      gap: 12px;
+      align-items: center;
+      padding: 10px 0;
+      border-bottom: 1px solid var(--line);
+    }
+    .settings-row:last-child { border-bottom: none; }
+    .settings-row-info { display: flex; flex-direction: column; gap: 2px; }
+    .settings-row-label { font-weight: 600; font-size: 0.88rem; color: var(--text); }
+    .settings-row-meta {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+    }
+
+    .settings-toggle { position: relative; width: 42px; height: 22px; flex-shrink: 0; }
+    .settings-toggle input { opacity: 0; width: 0; height: 0; }
+    .settings-toggle .slider {
+      position: absolute; cursor: pointer;
+      inset: 0;
+      background: var(--bg-3);
+      border: 1px solid var(--line-2);
+      transition: 0.2s;
+    }
+    .settings-toggle .slider::before {
+      content: '';
+      position: absolute;
+      width: 14px; height: 14px;
+      left: 3px; top: 50%; transform: translateY(-50%);
+      background: var(--dim);
+      transition: 0.2s;
+    }
+    .settings-toggle input:checked + .slider {
+      border-color: var(--accent-dim);
+      background: rgba(15,118,110,0.10);
+    }
+    .settings-toggle input:checked + .slider::before {
+      transform: translate(20px, -50%);
+      background: var(--accent);
+      box-shadow: none;
+    }
+
+    .settings-input {
+      width: 100%;
+      padding: 8px 10px;
+      background: var(--bg);
+      border: 1px solid var(--line-2);
+      color: var(--text);
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      margin-top: 6px;
+    }
+    .settings-input:focus {
+      outline: none;
+      border-color: var(--accent);
+      box-shadow: 0 0 0 2px rgba(15,118,110,0.16);
+    }
+
+    .settings-radio-group { display: flex; gap: 6px; flex-wrap: wrap; }
+    .settings-radio {
+      flex: 1 1 calc(50% - 4px);
+      min-width: 140px;
+      padding: 10px 14px;
+      border: 1px solid var(--line-2);
+      cursor: pointer;
+      font-size: 0.82rem;
+      font-family: var(--mono);
+      text-align: center;
+      transition: all 0.15s;
+      color: var(--dim);
+    }
+    .settings-radio:hover { color: var(--text); border-color: var(--line-3); }
+    .settings-radio.active {
+      border-color: var(--accent);
+      background: rgba(15,118,110,0.08);
+      color: var(--accent);
+      font-weight: 600;
+    }
+    .settings-radio input { display: none; }
+
+    /* ─── Floating connection indicator ──────────────────────────────────── */
+    .conn-pill {
+      position: fixed;
+      bottom: 16px; right: 16px;
+      padding: 6px 14px;
+      background: var(--bg-1);
+      border: 1px solid var(--line-2);
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      z-index: 50;
+    }
+    .conn-pill .dot {
+      width: 6px; height: 6px;
+      background: var(--ok);
+      box-shadow: 0 0 0 3px rgba(21,128,61,0.10);
+      animation: pulse 2.4s infinite;
+    }
+
+    /* ─── Responsive ─────────────────────────────────────────────────────── */
     @media (max-width: 768px) {
-      h1 {
-        font-size: 1.8rem;
-      }
-
-      .grid {
-        grid-template-columns: 1fr;
-      }
-
-      .grid-models, .grid-callers {
-        grid-template-columns: repeat(auto-fill, minmax(150px, 1fr));
-      }
-
-      .table-header, .table-row {
-        grid-template-columns: 80px 100px 80px 80px 60px 60px 60px;
-        font-size: 0.8rem;
-      }
-
-      .metric-value {
-        font-size: 1.8rem;
-      }
+      .shell { padding: 16px 18px 60px; }
+      .topbar { flex-direction: column; align-items: flex-start; gap: 12px; }
+      .metric { padding: 16px 18px; }
+      .metric-value { font-size: 1.7rem; }
+      .req-row { grid-template-columns: 1fr 1fr; gap: 6px; padding: 10px; font-size: 0.72rem; }
+      .req-row.head { display: none; }
+      .req-row > div:nth-child(n+5) { display: none; }
     }
   </style>
 </head>
 <body>
-  <div class="container">
-    <header>
-      <h1>LLM Gateway Dashboard</h1>
-      <div class="status-bar">
-        <div class="status-item">
-          <span class="status-indicator healthy" id="dbStatusIndicator"></span>
-          <span id="dbStatus">Checking database...</span>
-        </div>
-        <div class="status-item">
-          <span class="status-indicator" id="sseStatusIndicator"></span>
-          <span id="sseStatus">Connecting to stream...</span>
-        </div>
-        <div class="status-item">
-          <span id="listenerCount">0</span> SSE listeners
-        </div>
-      </div>
-    </header>
+  <div class="shell">
 
-    <div class="grid">
-      <div class="card">
-        <div class="metric-label">Total Requests</div>
-        <div class="metric-value" id="totalRequests">0</div>
-        <div class="metric-change" id="requestsChange"></div>
+    <!-- ─── Top bar ──────────────────────────────────────────────────────── -->
+    <div class="topbar">
+      <div class="brand">
+        <span class="brand-mark">llm.gateway</span>
+        <span class="brand-tag">gateway workbench · v1.0</span>
       </div>
-
-      <div class="card">
-        <div class="metric-label">Success Rate</div>
-        <div class="metric-value" id="successRate">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="successChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Avg Latency</div>
-        <div class="metric-value" id="avgLatency">0<span class="metric-unit">ms</span></div>
-        <div class="metric-change" id="latencyChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Total Cost</div>
-        <div class="metric-value" id="totalCost">$0.00</div>
-        <div class="metric-change" id="costChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Avg Confidence</div>
-        <div class="metric-value" id="avgConfidence">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="confidenceChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Fallback Usage</div>
-        <div class="metric-value" id="fallbackPercent">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="fallbackChange"></div>
+      <div class="topbar-actions">
+        <button class="btn btn-sm" id="settingsBtn" type="button" title="Configure subscriptions and API keys">
+          ⚙ settings
+        </button>
       </div>
     </div>
 
-    <h2 class="section-title">Top Models</h2>
-    <div class="grid-models" id="topModels">
-      <div class="loading">Loading models...</div>
+    <!-- ─── Status strip ─────────────────────────────────────────────────── -->
+    <div class="status-strip">
+      <div class="status-cell">
+        <span class="dot ok" id="dbStatusIndicator"></span>
+        <span class="label">db</span>
+        <span class="val" id="dbStatus">connecting</span>
+      </div>
+      <div class="status-cell">
+        <span class="dot ok" id="pollingStatusIndicator"></span>
+        <span class="label">poll</span>
+        <span class="val" id="pollingStatus">starting</span>
+      </div>
+      <div class="status-cell">
+        <span class="label">interval</span>
+        <span class="val" id="pollInterval">3s</span>
+      </div>
+      <div class="status-cell">
+        <span class="label">mode</span>
+        <span class="val" id="routingModeBadge">auto</span>
+      </div>
     </div>
 
-    <h2 class="section-title">Top Callers</h2>
-    <div class="grid-callers" id="topCallers">
-      <div class="loading">Loading callers...</div>
-    </div>
+    <!-- ─── Tab bar ──────────────────────────────────────────────────────── -->
+    <nav class="tabs" role="tablist">
+      <button class="tab-trigger active" data-tab="overview" role="tab" title="Headline stats: tokens saved, cost, buddy, achievements"><span class="tab-num">01</span>overview</button>
+      <button class="tab-trigger" data-tab="subscriptions" role="tab" title="Your CLI subscriptions (Claude Code, Codex, …) and their bridge status"><span class="tab-num">02</span>subscriptions <span class="tab-badge" id="subsTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="providers" role="tab" title="All configured LLM providers (local Ollama, paid APIs, free tiers) — advanced"><span class="tab-num">03</span>providers <span class="tab-badge" id="providersTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="activity" role="tab" title="Live request log — every call that went through the gateway"><span class="tab-num">04</span>activity</button>
+      <button class="tab-trigger" data-tab="savings" role="tab" title="Cost & token savings counter — main 'wow how much I saved' page"><span class="tab-num">05</span>savings <span class="tab-badge" id="savingsTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="wallet" role="tab" title="Subscription quotas — how much of each Pro plan you've used in the current window"><span class="tab-num">06</span>wallet <span class="tab-badge" id="walletTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="memory" role="tab" title="Persistent facts the gateway knows about each caller — auto-injected into prompts"><span class="tab-num">07</span>memory</button>
+      <button class="tab-trigger" data-tab="leaderboard" role="tab" title="Race-mode results — fastest model leaderboard if you ran multi-model races"><span class="tab-num">08</span>races <span class="tab-badge" id="leaderboardTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="share" role="tab" title="Generate an embeddable SVG card showing your savings (for blog/Twitter/README)"><span class="tab-num">09</span>share</button>
+      <button class="tab-trigger" data-tab="report" role="tab" title="Generate a printable monthly PDF report"><span class="tab-num">10</span>report</button>
+      <button class="tab-trigger" data-tab="api" role="tab" title="API reference — copy-paste curl/SDK examples for OpenAI-compat, Anthropic-compat, native"><span class="tab-num">11</span>api</button>
+    </nav>
 
-    <h2 class="section-title">Available Providers & Models</h2>
-    <div class="providers-container">
-      <div id="providersLocal" class="providers-section">
-        <h3 class="providers-subsection">Local</h3>
-        <div class="providers-grid" id="providersList_local">
-          <div class="loading">Loading providers...</div>
+    <!-- ─── Tab: Overview ────────────────────────────────────────────────── -->
+    <section class="tab-panel active" data-tab="overview">
+
+      <!-- ─── Hero: Buddy + Headline Savings + Forecast ──────────────────── -->
+      <div class="hero-grid">
+        <!-- Left: Pet/Buddy -->
+        <div class="hero-buddy" id="heroBuddy">
+          <div class="loading">summoning buddy</div>
+        </div>
+
+        <!-- Center: Headline savings counter — combined all layers -->
+        <div class="hero-savings">
+          <div class="hero-eyebrow">total tokens saved · all layers · all-time</div>
+          <div class="hero-counter"><span id="heroTokensSavedCombined">0</span><span style="font-size:1.1rem;color:var(--dim);font-weight:400;margin-left:8px;">tokens</span></div>
+          <div class="hero-layer-breakdown" id="heroLayerBreakdown">
+            <div class="layer-row"><span class="layer-name">⚡ Gateway (LLM calls)</span><span class="layer-val" id="heroTokensSaved">0</span></div>
+            <div class="layer-row" id="heroExternalToolRow" style="display:none;"><span class="layer-name">🗜 External tool compression (legacy)</span><span class="layer-val" id="heroExternalToolTokens">—</span></div>
+          </div>
+          <div class="hero-row">
+            <div class="hero-pill">
+              <span class="hero-pill-label">cost saved</span>
+              <span class="hero-pill-val" id="heroCostSaved">$0.00</span>
+            </div>
+            <div class="hero-pill">
+              <span class="hero-pill-label">cache hits</span>
+              <span class="hero-pill-val" id="heroCacheHits">0</span>
+            </div>
+            <div class="hero-pill">
+              <span class="hero-pill-label">savings rate</span>
+              <span class="hero-pill-val" id="heroSavingsRate">0%</span>
+            </div>
+          </div>
+        </div>
+
+        <!-- Right: Cost analysis (without vs with) — competitor comparison -->
+        <div class="hero-cost">
+          <div class="hero-eyebrow">cost analysis · last 24h · USD</div>
+          <div class="cost-vs">
+            <div class="cost-side without">
+              <div class="cost-label">without gateway</div>
+              <div class="cost-amount" id="costWithout">$0.00</div>
+            </div>
+            <div class="cost-arrow">→</div>
+            <div class="cost-side with">
+              <div class="cost-label">with gateway</div>
+              <div class="cost-amount" id="costWith">$0.00</div>
+            </div>
+          </div>
+          <div class="cost-saved-line">you saved <strong id="costSavedLine">$0.00</strong> · <span id="costSavedPercent">0%</span> reduction</div>
         </div>
       </div>
-      <div id="providersSubscription" class="providers-section">
-        <h3 class="providers-subsection">Subscription</h3>
-        <div class="providers-grid" id="providersList_subscription">
-          <div class="loading">Loading providers...</div>
+
+      <!-- ─── Five-Axis Savings Breakdown — full savings breakdown ── -->
+      <h2 class="h-section">Savings Sources <span class="h-meta">5 measurement axes across all calls</span></h2>
+      <div class="savings-axes" id="savingsAxes">
+        <div class="loading">loading</div>
+      </div>
+
+      <!-- ─── Quick Metrics Grid ──────────────────────────────────────────── -->
+      <h2 class="h-section">Live Metrics <span class="h-meta">last 24h</span></h2>
+      <div class="metric-grid">
+        <div class="metric">
+          <div class="metric-label">requests</div>
+          <div class="metric-value" id="totalRequests">0</div>
+          <div class="metric-change" id="requestsChange">routed</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">success rate</div>
+          <div class="metric-value" id="successRate">0<span class="metric-unit">%</span></div>
+          <div class="metric-change" id="successChange">approved/total</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">avg latency</div>
+          <div class="metric-value" id="avgLatency">0<span class="metric-unit">ms</span></div>
+          <div class="metric-change" id="latencyChange">end-to-end</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">spent today</div>
+          <div class="metric-value" id="totalCost">$0.00</div>
+          <div class="metric-change" id="costChange">actual usd</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">confidence</div>
+          <div class="metric-value" id="avgConfidence">0<span class="metric-unit">/10</span></div>
+          <div class="metric-change" id="confidenceChange">post-val</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">fallback usage</div>
+          <div class="metric-value" id="fallbackPercent">0<span class="metric-unit">%</span></div>
+          <div class="metric-change" id="fallbackChange">primary→fallback</div>
         </div>
       </div>
-      <div id="providersFree" class="providers-section">
-        <h3 class="providers-subsection">Free Tier</h3>
-        <div class="providers-grid" id="providersList_free">
-          <div class="loading">Loading providers...</div>
+
+      <!-- ─── Calendar heatmap (GitHub style) + Forecast ──────────────────── -->
+      <div class="overview-row-2col">
+        <div>
+          <h2 class="h-section">Activity · last 365 days <span class="h-meta">streak <span id="streakBadge">0</span>d</span></h2>
+          <div class="heatmap" id="heatmap"><div class="loading">loading activity</div></div>
+        </div>
+        <div>
+          <h2 class="h-section">Forecast <span class="h-meta">based on recent trend</span></h2>
+          <div class="forecast" id="forecast"><div class="loading">computing forecast</div></div>
+        </div>
+      </div>
+
+      <!-- ─── Live Events Feed + Top Models / Callers ─────────────────────── -->
+      <div class="overview-row-2col">
+        <div>
+          <h2 class="h-section">Live Activity <span class="h-meta">most recent first</span></h2>
+          <div class="events-feed" id="eventsFeed"><div class="loading">listening</div></div>
+        </div>
+        <div>
+          <h2 class="h-section">Top Models <span class="h-meta">last 24h</span></h2>
+          <div class="chip-grid" id="topModels"><div class="loading">analyzing routing</div></div>
+
+          <h2 class="h-section" style="margin-top: 18px;">Top Callers</h2>
+          <div class="chip-grid" id="topCallers"><div class="loading">analyzing callers</div></div>
+        </div>
+      </div>
+
+      <!-- ─── Achievements ──────────────────────────────────────────────────── -->
+      <h2 class="h-section">Achievements <span class="h-meta"><span id="achievementsProgress">0/0</span></span></h2>
+      <div class="achievements-grid" id="achievementsGrid"><div class="loading">checking quests</div></div>
+    </section>
+
+    <!-- ─── Tab: Subscriptions ──────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="subscriptions">
+      <div class="auto-banner">
+        <div class="banner-text">
+          <strong>auto-gateway</strong> <span id="subsAutoState">detection only</span>
+          — installed CLI subscriptions are wrapped into HTTP bridges and exposed via <code>/v1/chat/completions</code>
+        </div>
+        <div style="display: flex; gap: 8px;">
+          <button class="btn btn-sm" id="discoverFullBtn" type="button" title="Full-system scan: CLIs + local LLMs + API keys, then auto-spawn any detected bridges">⚡ discover & connect all</button>
+          <button class="btn btn-sm primary" id="subsSpawnBtn" type="button">⟳ spawn missing bridges</button>
+        </div>
+      </div>
+
+      <!-- ── Full discovery report (populated by discover button) ────────── -->
+      <div id="discoverReportWrap" style="display: none; margin-bottom: 14px;">
+        <h2 class="h-section">Discovery Report <span class="h-meta" id="discoverReportMeta">—</span></h2>
+        <div class="discover-grid">
+          <div class="discover-card">
+            <div class="discover-card-title">CLI Subscriptions</div>
+            <div class="discover-card-stat"><span id="discCntSubs">0</span> detected</div>
+            <ul class="discover-card-list" id="discListSubs"></ul>
+          </div>
+          <div class="discover-card">
+            <div class="discover-card-title">Local LLM Servers</div>
+            <div class="discover-card-stat"><span id="discCntLocal">0</span> running</div>
+            <ul class="discover-card-list" id="discListLocal"></ul>
+          </div>
+          <div class="discover-card">
+            <div class="discover-card-title">API-Key Providers</div>
+            <div class="discover-card-stat"><span id="discCntKeys">0</span> configured</div>
+            <ul class="discover-card-list" id="discListKeys"></ul>
+          </div>
+        </div>
+      </div>
+
+      <div class="subs-grid" id="subscriptionsList">
+        <div class="loading">discovering installed subscriptions</div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Providers ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="providers">
+      <div class="providers-stack">
+        <section>
+          <h2 class="h-section">Local <span class="h-meta">on-host inference</span></h2>
+          <div class="providers-grid" id="providersList_local">
+            <div class="loading">enumerating local models</div>
+          </div>
+        </section>
+        <section>
+          <h2 class="h-section">Subscription <span class="h-meta">paid plans via bridges</span></h2>
+          <div class="providers-grid" id="providersList_subscription">
+            <div class="loading">enumerating subscription providers</div>
+          </div>
+        </section>
+        <section>
+          <h2 class="h-section">Free Tier <span class="h-meta">api-key authenticated</span></h2>
+          <div class="providers-grid" id="providersList_free">
+            <div class="loading">enumerating free-tier endpoints</div>
+          </div>
+        </section>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Activity ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="activity">
+      <h2 class="h-section">Desktop AI Coverage <span class="h-meta">only gateway traffic is counted</span></h2>
+      <div class="client-grid" id="clientsCoverage">
+        <div class="loading">checking connected clients</div>
+      </div>
+      <h2 class="h-section">Recent Requests <span class="h-meta">live polling</span></h2>
+      <div class="filters">
+        <button class="filter-btn active" data-hours="24">last 24h</button>
+        <button class="filter-btn" data-hours="168">last 7d</button>
+        <button class="filter-btn" data-hours="720">last 30d</button>
+      </div>
+      <div class="req-table">
+        <div class="req-row head">
+          <div>request id</div>
+          <div>caller</div>
+          <div>model</div>
+          <div>status</div>
+          <div>ctx before</div>
+          <div>ctx sent</div>
+          <div>saved</div>
+          <div>compression</div>
+          <div>cost</div>
+          <div>latency</div>
+        </div>
+        <div id="requestsTable">
+          <div class="empty-state">no requests yet</div>
+        </div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Savings ─────────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="savings">
+      <div class="savings-hero">
+        <div class="savings-headline">
+          <div class="savings-eyebrow">cumulative savings · last 24h</div>
+          <div class="savings-counter" id="savingsCounter">$0.00</div>
+          <div class="savings-sub" id="savingsSubLine">— · — tokens prevented · — cache hits</div>
+        </div>
+        <div class="savings-spark">
+          <svg id="savingsSparkline" viewBox="0 0 320 64" preserveAspectRatio="none"></svg>
+          <div class="savings-spark-meta">
+            <span id="savingsSparkLabel">$ saved per hour</span>
+            <span id="savingsHitRate">hit rate —</span>
+          </div>
+        </div>
+      </div>
+
+      <div class="metric-grid" style="margin-top:18px;">
+        <div class="metric">
+          <div class="metric-label">cache entries</div>
+          <div class="metric-value" id="cacheEntries">0</div>
+          <div class="metric-change">distinct cached responses</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">tokens prevented</div>
+          <div class="metric-value" id="tokensPrevented">0</div>
+          <div class="metric-change">never sent to LLM</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">cache hit rate</div>
+          <div class="metric-value" id="cacheHitRate">0<span class="metric-unit">%</span></div>
+          <div class="metric-change">hits ÷ total req</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">compressed since last restart</div>
+          <div class="metric-value" id="compressedSinceRestart">0</div>
+          <div class="metric-change" id="compressedSinceRestartMeta">— · — ops · since —</div>
+        </div>
+      </div>
+
+      <h2 class="h-section">Top Caching Callers <span class="h-meta">most savings</span></h2>
+      <div class="chip-grid" id="topSavingCallers">
+        <div class="loading">loading</div>
+      </div>
+
+      <h2 class="h-section">Cache Controls <span class="h-meta">manual invalidation</span></h2>
+      <div style="display:flex;gap:10px;flex-wrap:wrap;">
+        <input id="cacheClearCaller" class="settings-input" style="max-width:280px;" placeholder="caller id (e.g. cursor)">
+        <button class="btn" id="cacheClearBtn" type="button">clear caller's cache</button>
+        <button class="btn" id="cachePruneBtn" type="button">prune entries &gt; 7 days</button>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Wallet (Subscription Pool — UNIQUE feature) ────────────── -->
+    <section class="tab-panel" data-tab="wallet">
+      <div class="wallet-banner">
+        <div>
+          <strong>Subscription Pool Wallet</strong> — tracks <strong>API calls</strong>
+          (not tokens) against each Pro plan's quota window. Numbers here are
+          <em>messages remaining</em>, not tokens. For token savings via cache,
+          see the Savings tab.
+        </div>
+      </div>
+      <div class="wallet-grid" id="walletList">
+        <div class="loading">loading wallet</div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Memory ───────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="memory">
+      <div class="memory-form">
+        <input id="memCaller" class="settings-input" style="max-width:280px;" placeholder="caller id">
+        <button class="btn" id="memLoadBtn" type="button">load facts</button>
+        <span style="flex:1;"></span>
+        <input id="memFactKey" class="settings-input" style="max-width:200px;" placeholder="fact key">
+        <input id="memFactValue" class="settings-input" style="max-width:280px;" placeholder="fact value">
+        <button class="btn" id="memSaveBtn" type="button">remember</button>
+      </div>
+      <div class="mem-list" id="memList">
+        <div class="empty-state">enter a caller id and click load</div>
+      </div>
+
+      <h2 class="h-section">Knowledge Graph <span class="h-meta">all callers + facts</span></h2>
+      <div class="graph-wrap">
+        <svg id="memoryGraph" viewBox="0 0 880 460" preserveAspectRatio="xMidYMid meet"></svg>
+        <div class="graph-legend">
+          <span><span class="dot" style="background:#0f766e;"></span> caller</span>
+          <span><span class="dot" style="background:#2563eb;"></span> fact key</span>
+          <span><span class="dot" style="background:#a78bfa;"></span> value</span>
+        </div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Leaderboard ─────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="leaderboard">
+      <div class="leaderboard-podium" id="leaderboardPodium">
+        <div class="loading">computing standings</div>
+      </div>
+      <h2 class="h-section">Race Leaderboard <span class="h-meta">last 7 days</span></h2>
+      <div class="leaderboard-table" id="leaderboardTable"><div class="loading">loading</div></div>
+    </section>
+
+    <!-- ─── Tab: Share Card ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="share">
+      <h2 class="h-section">Public Share Card <span class="h-meta">embeddable SVG · OG-card sized · no auth required</span></h2>
+      <div class="share-controls">
+        <label class="settings-row-label">Period:
+          <select id="shareCardPeriod" class="settings-input" style="width: 140px; display:inline-block; margin-left:8px;">
+            <option value="day">day</option>
+            <option value="week">week</option>
+            <option value="month" selected>month</option>
+            <option value="all">all-time</option>
+          </select>
+        </label>
+        <label class="settings-row-label" style="margin-left:24px;">Theme:
+          <select id="shareCardTheme" class="settings-input" style="width: 120px; display:inline-block; margin-left:8px;">
+            <option value="dark">dark</option>
+            <option value="light">light</option>
+          </select>
+        </label>
+        <button class="btn primary" id="shareCardRefresh" type="button">refresh</button>
+        <button class="btn" id="shareCardCopyUrl" type="button">copy URL</button>
+        <button class="btn" id="shareCardDownload" type="button">download SVG</button>
+      </div>
+      <div class="share-preview">
+        <img id="shareCardImg" alt="LLM Gateway share card" loading="lazy">
+      </div>
+      <div class="share-url" id="shareCardUrl"></div>
+      <div class="share-hint">Use this URL anywhere — Twitter/LinkedIn previews, blog headers, README badges. Updates automatically every 5 min.</div>
+    </section>
+
+    <!-- ─── Tab: Monthly Report ──────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="report">
+      <h2 class="h-section">Monthly Report <span class="h-meta">save as PDF via browser print</span></h2>
+      <div class="share-controls">
+        <label class="settings-row-label">Year:
+          <input id="reportYear" class="settings-input" type="number" style="width:120px;display:inline-block;margin-left:8px;">
+        </label>
+        <label class="settings-row-label" style="margin-left:24px;">Month:
+          <input id="reportMonth" class="settings-input" type="number" min="1" max="12" style="width:90px;display:inline-block;margin-left:8px;">
+        </label>
+        <button class="btn primary" id="reportOpen" type="button">open report</button>
+      </div>
+      <div class="share-hint">Tip: in the report window, press <code>Cmd/Ctrl+P</code> → "Save as PDF". The report is fully styled for A4 print.</div>
+    </section>
+
+    <!-- ─── Tab: API Reference ─────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="api">
+      <h2 class="h-section">API Reference <span class="h-meta">all endpoints route through compression + caller tracking</span></h2>
+
+      <div class="api-intro" style="margin: 8px 0 16px; color: var(--text-muted, #888); font-size: 13px; line-height: 1.5;">
+        The LLM Gateway exposes three POST endpoints and one GET. Every call is logged in
+        <em>activity</em>, compressed when input ≥ 700 tokens, and routed via <code>routing-rules.yaml</code>
+        to the right subscription bridge (Claude Code, ChatGPT, Copilot, M365 Copilot, Codex) or local Ollama.
+      </div>
+
+      <!-- ── Endpoint card: OpenAI-compatible ─────────────────────────── -->
+      <div class="api-card" data-endpoint="chat">
+        <div class="api-card-head">
+          <span class="api-method">POST</span>
+          <code class="api-path">/v1/chat/completions</code>
+          <span class="api-tag">OpenAI-compatible · works with `openai` SDK</span>
+          <button class="btn ghost api-copy" data-target="api-snippet-chat" type="button">copy</button>
+        </div>
+        <pre id="api-snippet-chat" class="api-snippet"><code>curl https://llm-gateway.context-x.org/v1/chat/completions \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "claude-sonnet-4.6",
+    "messages": [{"role": "user", "content": "hi"}]
+  }'</code></pre>
+      </div>
+
+      <!-- ── Endpoint card: Anthropic-compatible ──────────────────────── -->
+      <div class="api-card" data-endpoint="messages">
+        <div class="api-card-head">
+          <span class="api-method">POST</span>
+          <code class="api-path">/v1/messages</code>
+          <span class="api-tag">Anthropic-compatible · works with `@anthropic-ai/sdk`</span>
+          <button class="btn ghost api-copy" data-target="api-snippet-messages" type="button">copy</button>
+        </div>
+        <pre id="api-snippet-messages" class="api-snippet"><code>curl https://llm-gateway.context-x.org/v1/messages \
+  -H "Content-Type: application/json" \
+  -d '{
+    "model": "claude-sonnet-4.6",
+    "messages": [{"role": "user", "content": "hi"}],
+    "max_tokens": 1024
+  }'</code></pre>
+      </div>
+
+      <!-- ── Endpoint card: Native ────────────────────────────────────── -->
+      <div class="api-card" data-endpoint="completion">
+        <div class="api-card-head">
+          <span class="api-method">POST</span>
+          <code class="api-path">/v1/completion</code>
+          <span class="api-tag">native — full caller-tracking + compression options</span>
+          <button class="btn ghost api-copy" data-target="api-snippet-completion" type="button">copy</button>
+        </div>
+        <pre id="api-snippet-completion" class="api-snippet"><code>curl https://llm-gateway.context-x.org/v1/completion \
+  -H "Content-Type: application/json" \
+  -d '{
+    "caller": "my-app",
+    "task_type": "generic_qa",
+    "input": "your prompt here",
+    "options": { "compression": { "enabled": true, "mode": "auto" } }
+  }'</code></pre>
+      </div>
+
+      <!-- ── Endpoint card: Models list ───────────────────────────────── -->
+      <div class="api-card" data-endpoint="models">
+        <div class="api-card-head">
+          <span class="api-method">GET</span>
+          <code class="api-path">/v1/models</code>
+          <span class="api-tag">list every model the gateway can route to</span>
+          <button class="btn ghost api-copy" data-target="api-snippet-models" type="button">copy</button>
+        </div>
+        <pre id="api-snippet-models" class="api-snippet"><code>curl https://llm-gateway.context-x.org/v1/models</code></pre>
+      </div>
+
+      <!-- ── Try-It-Out playground ────────────────────────────────────── -->
+      <h2 class="h-section" style="margin-top: 28px;">Try it out <span class="h-meta">live POST against the gateway</span></h2>
+      <div class="api-tryout">
+        <div class="api-tryout-row">
+          <label class="settings-row-label">Endpoint:
+            <select id="apiTryEndpoint" class="settings-input" style="width: 220px; margin-left: 8px;">
+              <option value="/v1/completion">/v1/completion (native)</option>
+              <option value="/v1/chat/completions">/v1/chat/completions (OpenAI)</option>
+              <option value="/v1/messages">/v1/messages (Anthropic)</option>
+            </select>
+          </label>
+          <label class="settings-row-label" style="margin-left: 18px;">Model:
+            <input id="apiTryModel" class="settings-input" type="text" value="claude-sonnet-4.6" style="width: 200px; margin-left: 8px;">
+          </label>
+        </div>
+        <label class="settings-row-label" style="display: block; margin-top: 10px;">Prompt:
+          <textarea id="apiTryPrompt" class="settings-input" rows="4" style="width: 100%; margin-top: 6px;" placeholder="Type your prompt — long inputs (>700 tokens) will be compressed automatically.">Say hello in three different languages.</textarea>
+        </label>
+        <div style="margin-top: 10px;">
+          <button class="btn primary" id="apiTryRun" type="button">send request</button>
+          <span id="apiTryStatus" style="margin-left: 12px; font-size: 12px; color: var(--text-muted, #888);"></span>
+        </div>
+        <div id="apiTryResultWrap" style="margin-top: 14px; display: none;">
+          <div class="api-tryout-meta" id="apiTryMeta" style="font-size: 12px; color: var(--text-muted, #888); margin-bottom: 6px;"></div>
+          <pre class="api-snippet"><code id="apiTryResult"></code></pre>
+        </div>
+      </div>
+
+      <!-- ── Bridge mapping (model → subscription) ────────────────────── -->
+      <h2 class="h-section" style="margin-top: 28px;">Model → Bridge Mapping <span class="h-meta">which subscription each model alias routes to</span></h2>
+      <div class="api-bridge-table-wrap">
+        <table class="api-bridge-table" id="apiBridgeTable">
+          <thead>
+            <tr>
+              <th>Model alias</th>
+              <th>Bridge</th>
+              <th>Subscription used</th>
+              <th>Port</th>
+              <th>Status</th>
+            </tr>
+          </thead>
+          <tbody>
+            <tr><td><code>claude-sonnet-4.6</code>, <code>claude-haiku</code>, <code>claude-opus</code></td><td>claude-bridge</td><td>Claude Code Max (OAuth)</td><td>3250</td><td class="api-bridge-status" data-bridge="claude-bridge">—</td></tr>
+            <tr><td><code>gpt-4o</code>, <code>gpt-4.1</code>, <code>gpt-5.x</code></td><td>openai-bridge</td><td>ChatGPT Plus / Pro</td><td>3251</td><td class="api-bridge-status" data-bridge="openai-bridge">—</td></tr>
+            <tr><td><code>copilot-gpt-4o</code>, <code>copilot-claude-3.7</code></td><td>copilot-bridge</td><td>GitHub Copilot</td><td>3252</td><td class="api-bridge-status" data-bridge="copilot-bridge">—</td></tr>
+            <tr><td><code>codex-mini</code>, <code>gpt-5.1-codex-mini</code></td><td>codex-bridge</td><td>OpenAI Codex CLI</td><td>3253</td><td class="api-bridge-status" data-bridge="codex-bridge">—</td></tr>
+            <tr><td><code>m365-copilot</code></td><td>m365-copilot-bridge</td><td>Microsoft 365 Copilot</td><td>3257</td><td class="api-bridge-status" data-bridge="m365-copilot-bridge">—</td></tr>
+            <tr><td><code>qwen2.5:3b / 7b / 14b / 32b</code>, <code>magatama:32b</code>, <code>magatama-coder</code></td><td>ollama (Mac Studio)</td><td>local — no cost</td><td>11434</td><td class="api-bridge-status" data-bridge="ollama">—</td></tr>
+          </tbody>
+        </table>
+      </div>
+      <div class="share-hint" style="margin-top: 12px;">
+        The gateway picks the bridge from <code>routing-rules.yaml</code> based on <code>task_type</code> and the
+        requested <code>model</code>. You can also hit a bridge directly (e.g. <code>http://82.165.222.127:3250/v1/messages</code>)
+        — but then you bypass compression, savings tracking, and the routing rules.
+      </div>
+    </section>
+
+    <!-- ─── Caller Deep-Dive Modal ───────────────────────────────────── -->
+    <div class="modal-overlay" id="callerModal" role="dialog" aria-modal="true">
+      <div class="modal" style="max-width: 900px;">
+        <div class="modal-header">
+          <h2 id="callerModalTitle">caller details</h2>
+          <button class="modal-close" id="callerModalClose" aria-label="Close">×</button>
+        </div>
+        <div class="modal-body" id="callerModalBody">
+          <div class="loading">loading caller details</div>
         </div>
       </div>
     </div>
 
-    <h2 class="section-title">Recent Requests</h2>
-    <div class="filters">
-      <button class="filter-btn active" data-hours="24">Last 24h</button>
-      <button class="filter-btn" data-hours="168">Last 7d</button>
-      <button class="filter-btn" data-hours="720">Last 30d</button>
+    <!-- ─── Settings Modal ──────────────────────────────────────────────── -->
+    <div class="modal-overlay" id="settingsModal" role="dialog" aria-modal="true">
+      <div class="modal">
+        <div class="modal-header">
+          <h2>gateway settings</h2>
+          <button class="modal-close" id="settingsClose" aria-label="Close">×</button>
+        </div>
+        <div class="modal-body">
+          <div class="settings-section">
+            <div class="settings-section-title">dashboard view</div>
+            <p class="settings-section-desc">Hide advanced features you don't use. <strong>Recommended for users with 1–3 subscriptions.</strong></p>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Simple Mode</span>
+                <span class="settings-row-meta">Show only: overview · subscriptions · wallet · activity · savings. Hide: providers, races, share, report, memory.</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiSimpleMode">
+                <span class="slider"></span>
+              </label>
+            </div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Hide unconfigured providers</span>
+                <span class="settings-row-meta">Don't show provider cards that aren't enabled (Cerebras, Groq, etc.)</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiHideEmpty">
+                <span class="slider"></span>
+              </label>
+            </div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Tab tooltips</span>
+                <span class="settings-row-meta">Show a one-line explanation on hover for every tab.</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiTooltips">
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">routing mode</div>
+            <p class="settings-section-desc">Restrict which provider categories the gateway is allowed to use.</p>
+            <div class="settings-radio-group" id="routingModeGroup">
+              <label class="settings-radio"><input type="radio" name="routingMode" value="auto"><span>auto · all</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="subscription-only"><span>subscriptions only</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="api-only"><span>api only</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="local-only"><span>local · ollama only</span></label>
+            </div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">cli subscriptions (abos)</div>
+            <p class="settings-section-desc">Toggle which subscription CLIs you have. The auto-gateway only spawns bridges for enabled ones.</p>
+            <div id="settingsSubscriptionsList"></div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">api providers</div>
+            <p class="settings-section-desc">API keys for paid/free-tier endpoints. Stored locally with file mode 0600 — never returned in plaintext.</p>
+            <div id="settingsApiList"></div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">local · ollama</div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Ollama Base URL</span>
+                <span class="settings-row-meta">OLLAMA_BASE_URL</span>
+                <input class="settings-input" type="text" id="ollamaBaseUrl" placeholder="http://localhost:11434">
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="ollamaEnabled">
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        </div>
+        <div class="modal-footer">
+          <span class="save-status" id="settingsSaveStatus"></span>
+          <button class="btn" id="settingsCancel" type="button">cancel</button>
+          <button class="btn primary" id="settingsSave" type="button">save</button>
+        </div>
+      </div>
     </div>
 
-    <div class="requests-table">
-      <div class="table-header">
-        <div>Request ID</div>
-        <div>Caller</div>
-        <div>Model</div>
-        <div>Status</div>
-        <div>Tokens In</div>
-        <div>Cost</div>
-        <div>Latency</div>
-      </div>
-      <div id="requestsTable">
-        <div class="empty-state">No requests yet</div>
-      </div>
-    </div>
   </div>
 
-  <div class="connection-status">
-    <div class="connection-dot" id="connectionDot"></div>
-    <span id="connectionText">Connected</span>
+  <div class="conn-pill">
+    <span class="dot" id="connectionDot"></span>
+    <span id="connectionText">connected</span>
   </div>
 
   <script>
     const HEALTH_CHECK_INTERVAL = 30000;
-    const METRICS_REFRESH_INTERVAL = 10000;
+    const METRICS_REFRESH_INTERVAL = 15000;
+    const REQUESTS_REFRESH_INTERVAL = 15000;
     const API_BASE = '';
     let selectedHours = 24;
     let lastMetrics = null;
-    let sseConnection = null;
+    let metricsIntervalId = null;
+    let requestsIntervalId = null;
+    const DASHBOARD_TOKEN_KEY = 'llmGatewayDashboardToken';
+
+    function getDashboardToken() {
+      return localStorage.getItem(DASHBOARD_TOKEN_KEY) || '';
+    }
+
+    function setDashboardToken(token) {
+      if (token) localStorage.setItem(DASHBOARD_TOKEN_KEY, token);
+      else localStorage.removeItem(DASHBOARD_TOKEN_KEY);
+    }
+
+    function withAuthHeaders(headers = {}) {
+      const token = getDashboardToken();
+      return token ? { ...headers, Authorization: `Bearer ${token}` } : headers;
+    }
+
+    async function apiFetch(url, options = {}) {
+      const response = await fetch(url, {
+        ...options,
+        headers: withAuthHeaders(options.headers || {}),
+      });
+      if (response.status !== 401 && response.status !== 503) return response;
+
+      const token = prompt('Dashboard admin token');
+      if (!token) return response;
+      setDashboardToken(token.trim());
+      return fetch(url, {
+        ...options,
+        headers: withAuthHeaders(options.headers || {}),
+      });
+    }
+
+    // ─── Tab switching ───────────────────────────────────────────────────
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => {
+        const target = t.dataset.tab;
+        document.querySelectorAll('.tab-trigger').forEach(x => x.classList.toggle('active', x === t));
+        document.querySelectorAll('.tab-panel').forEach(p => p.classList.toggle('active', p.dataset.tab === target));
+        history.replaceState(null, '', `#${target}`);
+      });
+    });
+    if (location.hash) {
+      const target = location.hash.slice(1);
+      const trigger = document.querySelector(`.tab-trigger[data-tab="${target}"]`);
+      if (trigger) trigger.click();
+    }
 
     // Health check
     async function checkHealth() {
@@ -552,55 +2112,102 @@
       }
     }
 
-    function updateHealthStatus(isHealthy, data) {
+    function updateHealthStatus(isHealthy, _data) {
       const indicator = document.getElementById('dbStatusIndicator');
       const status = document.getElementById('dbStatus');
-      if (isHealthy) {
-        indicator.className = 'status-indicator healthy';
-        status.textContent = `Database connected (${data.sse_listeners || 0} listeners)`;
-      } else {
-        indicator.className = 'status-indicator unhealthy';
-        status.textContent = 'Database disconnected';
-      }
+      indicator.className = isHealthy ? 'dot ok' : 'dot err';
+      status.textContent = isHealthy ? 'connected' : 'disconnected';
     }
 
     // Load recent requests
     async function loadRequests() {
       try {
-        const response = await fetch(`${API_BASE}/api/dashboard/requests?limit=50&hours=${selectedHours}`);
+        const [response, clientsResponse] = await Promise.all([
+          apiFetch(`${API_BASE}/api/dashboard/requests?limit=50&hours=${selectedHours}`),
+          apiFetch(`${API_BASE}/api/dashboard/clients?hours=${selectedHours}`)
+        ]);
         const data = await response.json();
-        if (data.success) {
-          renderRequests(data.data);
-        }
+        const clients = await clientsResponse.json();
+        if (clients.success) renderClients(clients.data);
+        if (data.success) renderRequests(data.data);
       } catch (error) {
         console.error('Failed to load requests:', error);
       }
     }
 
+    function renderClients(clients) {
+      const el = document.getElementById('clientsCoverage');
+      el.innerHTML = clients.map(client => {
+        const lastSeen = client.lastSeen ? new Date(client.lastSeen).toLocaleString() : 'never';
+        const callerList = client.callers?.length ? client.callers.join(', ') : 'no caller id seen';
+        const bridgeState = client.bridgeProvider
+          ? `${client.bridgeProvider}: ${client.bridgeStatus || 'not configured'}${client.bridgeDetail ? ` (${client.bridgeDetail})` : ''}`
+          : 'bridge: OpenAI-compatible / manual client config';
+        return `
+          <div class="client-item">
+            <div class="client-top">
+              <div class="client-name" title="${escapeHtml(client.label)}">${escapeHtml(client.label)}</div>
+              <div class="client-state ${client.status}">${client.status.replace('-', ' ')}</div>
+            </div>
+            <div class="client-meta">
+              <div><strong>${formatNumber(client.requestCount)}</strong> requests · <strong>${formatNumber(client.tokensSaved)}</strong> saved</div>
+              <div title="${escapeHtml(callerList)}">caller: ${escapeHtml(callerList)}</div>
+              <div title="${escapeHtml(bridgeState)}">gateway: ${escapeHtml(bridgeState)}</div>
+              <div>last: ${escapeHtml(lastSeen)}</div>
+            </div>
+          </div>
+        `;
+      }).join('');
+    }
+
     function renderRequests(requests) {
       const table = document.getElementById('requestsTable');
-      if (requests.length === 0) {
-        table.innerHTML = '<div class="empty-state">No requests in selected timeframe</div>';
+      if (!requests.length) {
+        table.innerHTML = '<div class="empty-state">no requests in selected timeframe</div>';
         return;
       }
-
       table.innerHTML = requests.map(req => `
-        <div class="table-row">
-          <div title="${req.request_id}">${req.request_id.substring(0, 12)}...</div>
-          <div>${req.caller}</div>
-          <div>${req.model}</div>
-          <div><span class="status-badge status-${req.status}">${req.status}</span></div>
-          <div>${req.tokens_in}</div>
-          <div>$${(req.cost_usd).toFixed(4)}</div>
+        <div class="req-row body">
+          <div title="${req.request_id}">${req.request_id.substring(0, 14)}…</div>
+          <div>${escapeHtml(req.caller)}</div>
+          <div title="${req.model}">${req.model}</div>
+          <div><span class="req-status ${req.status}">${req.status}</span></div>
+          <div>${formatNumber(req.compression_tokens_before ?? req.tokens_in ?? 0)}</div>
+          <div>${formatNumber(req.compression_tokens_after ?? req.tokens_in ?? 0)}</div>
+          <div>${formatSavedTokens(req.compression_tokens_saved ?? 0)}</div>
+          <div title="${escapeHtml(req.compression_mode || 'not tracked')}">${formatCompression(req)}</div>
+          <div>${formatCost(req.cost_usd)}</div>
           <div>${req.latency_ms}ms</div>
         </div>
       `).join('');
     }
 
+    function formatNumber(value) {
+      return Number(value || 0).toLocaleString();
+    }
+
+    function formatSavedTokens(value) {
+      const saved = Number(value || 0);
+      return saved > 0 ? saved.toLocaleString() : '0';
+    }
+
+    function formatCompression(req) {
+      const mode = String(req.compression_mode || 'none:none').split(':').pop() || 'none';
+      const pct = Number(req.compression_savings_pct || 0);
+      if (!req.compression_mode) return 'not tracked';
+      if (pct <= 0) return mode === 'none' ? 'checked' : `${escapeHtml(mode)} · 0%`;
+      return `${escapeHtml(mode)} · ${pct.toFixed(1)}%`;
+    }
+
+    function escapeHtml(s) {
+      return String(s ?? '').replace(/[&<>"']/g, c => ({ '&':'&amp;', '<':'&lt;', '>':'&gt;', '"':'&quot;', "'":'&#39;' }[c]));
+    }
+
     // Load metrics
     async function loadMetrics() {
       try {
-        const response = await fetch(`${API_BASE}/api/dashboard/request-metrics?bucket_minutes=60`);
+        const bucketMinutes = (selectedHours || 24) * 60;
+        const response = await apiFetch(`${API_BASE}/api/dashboard/request-metrics?bucket_minutes=${bucketMinutes}`);
         const data = await response.json();
         if (data.success) {
           updateMetrics(data.data);
@@ -611,177 +2218,273 @@
       }
     }
 
+    function formatCost(cost) {
+      const c = cost || 0;
+      if (c === 0) return '$0.00';
+      if (c < 0.01) return '$' + c.toFixed(6);
+      if (c < 1) return '$' + c.toFixed(4);
+      return '$' + c.toFixed(2);
+    }
+
     function updateMetrics(metrics) {
-      // Total requests
-      const totalRequests = metrics.total_requests || 0;
-      document.getElementById('totalRequests').textContent = totalRequests.toLocaleString();
+      document.getElementById('totalRequests').textContent = (metrics.total_requests || 0).toLocaleString();
+      document.getElementById('successRate').innerHTML = ((metrics.success_rate || 0) * 100).toFixed(1) + '<span class="metric-unit">%</span>';
+      document.getElementById('avgLatency').innerHTML = Math.round(metrics.avg_latency || 0) + '<span class="metric-unit">ms</span>';
+      document.getElementById('totalCost').textContent = formatCost(metrics.total_cost);
+      document.getElementById('avgConfidence').innerHTML = (metrics.avg_confidence || 0).toFixed(1) + '<span class="metric-unit">/10</span>';
+      document.getElementById('fallbackPercent').innerHTML = ((metrics.compression_rate || 0) * 100).toFixed(1) + '<span class="metric-unit">%</span>';
+      document.getElementById('requestsChange').textContent = `${(metrics.total_tokens || 0).toLocaleString()} tokens`;
+      document.getElementById('costChange').textContent = `avoided ${formatCost(metrics.estimated_api_cost_avoided)}`;
+      document.getElementById('fallbackChange').textContent = `${(metrics.compression_tokens_saved || 0).toLocaleString()} tokens · ${metrics.compression_operations || 0} ops`;
 
-      // Success rate
-      const successRate = ((metrics.success_rate || 0) * 100).toFixed(1);
-      document.getElementById('successRate').textContent = successRate + '%';
-
-      // Average latency
-      const avgLatency = Math.round(metrics.avg_latency || 0);
-      document.getElementById('avgLatency').textContent = avgLatency + 'ms';
-
-      // Total cost
-      const totalCost = (metrics.total_cost || 0).toFixed(2);
-      document.getElementById('totalCost').textContent = '$' + totalCost;
-
-      // Average confidence
-      const avgConfidence = ((metrics.avg_confidence || 0) * 100).toFixed(1);
-      document.getElementById('avgConfidence').textContent = avgConfidence + '%';
-
-      // Fallback percentage
-      const fallbackPercent = ((metrics.fallback_percentage || 0) * 100).toFixed(1);
-      document.getElementById('fallbackPercent').textContent = fallbackPercent + '%';
-
-      // Top models
-      if (metrics.top_models && metrics.top_models.length > 0) {
+      if (metrics.top_models?.length) {
         document.getElementById('topModels').innerHTML = metrics.top_models.map(m => `
-          <div class="model-card">
-            <div class="model-name">${m.model}</div>
-            <div class="request-count">${m.count}</div>
-            <div class="count-label">requests</div>
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(m.model)}</div>
+            <div class="chip-meta"><span class="num">${m.count}</span> requests</div>
           </div>
         `).join('');
+      } else {
+        document.getElementById('topModels').innerHTML = '<div class="empty-state">no model usage yet</div>';
       }
 
-      // Top callers
-      if (metrics.top_callers && metrics.top_callers.length > 0) {
+      if (metrics.top_callers?.length) {
         document.getElementById('topCallers').innerHTML = metrics.top_callers.map(c => `
-          <div class="caller-card">
-            <div class="caller-name">${c.caller}</div>
-            <div class="request-count">${c.count}</div>
-            <div class="count-label">requests</div>
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(c.caller)}</div>
+            <div class="chip-meta"><span class="num">${c.count}</span> requests</div>
           </div>
         `).join('');
-      }
-
-      // Recent errors
-      if (metrics.recent_errors && metrics.recent_errors.length > 0) {
-        console.warn('Recent errors:', metrics.recent_errors);
+      } else {
+        document.getElementById('topCallers').innerHTML = '<div class="empty-state">no callers yet</div>';
       }
     }
 
     // Load providers
     async function loadProviders() {
       try {
-        console.log('Loading providers from:', `${API_BASE}/api/dashboard/providers`);
-        const response = await fetch(`${API_BASE}/api/dashboard/providers`);
-        console.log('Provider response status:', response.status);
-
-        if (!response.ok) {
-          throw new Error(`HTTP ${response.status}`);
-        }
-
-        const data = await response.json();
-        console.log('Provider data received:', data);
-
-        if (data.success) {
-          console.log('Rendering providers with grouped data:', data.data.grouped);
-          renderProviders(data.data.grouped);
-        } else {
-          console.error('API returned success=false:', data);
-        }
+        const response = await apiFetch(`${API_BASE}/api/dashboard/providers`);
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+        const payload = await response.json();
+        if (!payload.success) throw new Error(payload.error || 'failed');
+        renderProviders(payload.data.grouped);
+        const total = payload.data.summary.totalProviders;
+        const cfg = payload.data.summary.configuredCount;
+        document.getElementById('providersTabBadge').textContent = `${cfg}/${total}`;
       } catch (error) {
-        console.error('Failed to load providers:', error);
-        // Show error in UI
-        document.getElementById('providersList_local').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
-        document.getElementById('providersList_subscription').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
-        document.getElementById('providersList_free').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
+        const msg = `<div class="empty-state">error: ${error.message}</div>`;
+        document.getElementById('providersList_local').innerHTML = msg;
+        document.getElementById('providersList_subscription').innerHTML = msg;
+        document.getElementById('providersList_free').innerHTML = msg;
       }
     }
 
     function renderProviders(grouped) {
-      console.log('renderProviders called with:', grouped);
-
-      // Render local providers
-      const localContainer = document.getElementById('providersList_local');
-      if (grouped.local && grouped.local.length > 0) {
-        console.log('Rendering local providers:', grouped.local);
-        localContainer.innerHTML = grouped.local.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No local providers');
-        localContainer.innerHTML = '<div class="empty-state">No local providers available</div>';
-      }
-
-      // Render subscription providers
-      const subContainer = document.getElementById('providersList_subscription');
-      if (grouped.subscription && grouped.subscription.length > 0) {
-        console.log('Rendering subscription providers:', grouped.subscription);
-        subContainer.innerHTML = grouped.subscription.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No subscription providers');
-        subContainer.innerHTML = '<div class="empty-state">No subscription providers available</div>';
-      }
-
-      // Render free providers
-      const freeContainer = document.getElementById('providersList_free');
-      if (grouped.free && grouped.free.length > 0) {
-        console.log('Rendering free providers:', grouped.free);
-        freeContainer.innerHTML = grouped.free.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No free providers');
-        freeContainer.innerHTML = '<div class="empty-state">No free providers available</div>';
-      }
+      const empty = '<div class="empty-state">none configured</div>';
+      const renderGroup = (id, items) => {
+        const c = document.getElementById(id);
+        c.innerHTML = items?.length ? items.map(renderProviderItem).join('') : empty;
+      };
+      renderGroup('providersList_local', grouped.local);
+      renderGroup('providersList_subscription', grouped.subscription);
+      renderGroup('providersList_free', grouped.free);
     }
 
     function renderProviderItem(provider) {
       const statusClass = provider.status === 'configured' ? 'tag-configured' : 'tag-unconfigured';
-      const statusText = provider.status.charAt(0).toUpperCase() + provider.status.slice(1);
       const modelList = provider.models.map(m => m.id).join(', ');
-
+      const displayName = provider.label || provider.name;
+      const techName = provider.label && provider.label !== provider.name
+        ? `<div class="provider-tech-name">${provider.name}</div>` : '';
+      const rateLimit = provider.rateLimitRpm > 0
+        ? `<div class="provider-rate">limit: ${provider.rateLimitRpm} req/min</div>` : '';
+      const envHint = provider.status === 'unconfigured' && provider.envKey
+        ? `<div class="provider-env-hint">set <code>${provider.envKey}</code> to activate</div>` : '';
+      const runtimeStatus = provider.runtimeStatus || (provider.status === 'configured' ? 'configured' : '');
+      const runtimeClass = provider.runtimeHealthy ? 'runtime-ready'
+        : runtimeStatus === 'auth_required' || provider.runtimeDetail ? 'runtime-warn'
+        : 'runtime-muted';
+      const runtimeLabel = provider.runtimeDetail
+        ? `${runtimeStatus}: ${provider.runtimeDetail}`
+        : runtimeStatus;
+      const runtime = runtimeLabel
+        ? `<div class="provider-runtime ${runtimeClass}"><span class="runtime-dot"></span><span>${escapeHtml(runtimeLabel)}</span></div>`
+        : '';
       return `
-        <div class="provider-item">
+        <div class="provider-item" data-status="${provider.status}">
           <div class="provider-header">
-            <div class="provider-name">${provider.name}</div>
-            <div class="provider-tag ${statusClass}">${statusText}</div>
+            <div class="provider-name">${escapeHtml(displayName)}</div>
+            <div class="provider-tag ${statusClass}">${provider.status}</div>
           </div>
-          <div class="provider-models"><strong>Models:</strong> ${modelList}</div>
-          <div class="provider-rate">Rate limit: ${provider.rateLimitRpm} req/min</div>
+          ${techName}
+          ${runtime}
+          <div class="provider-models">${escapeHtml(modelList)}</div>
+          ${rateLimit}
+          ${envHint}
         </div>
       `;
     }
 
-    // SSE connection
-    function connectSSE() {
-      if (sseConnection) {
-        sseConnection.close();
+    // ─── Subscription Auto-Gateway ────────────────────────────────────────
+    async function loadSubscriptions() {
+      try {
+        const response = await apiFetch(`${API_BASE}/api/dashboard/subscriptions`);
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+        const payload = await response.json();
+        if (!payload.success) throw new Error(payload.error || 'unknown');
+        renderSubscriptions(payload.data);
+      } catch (error) {
+        document.getElementById('subscriptionsList').innerHTML =
+          `<div class="empty-state">discovery failed: ${error.message}</div>`;
       }
+    }
 
-      sseConnection = new EventSource(`${API_BASE}/api/stream/requests`);
+    function renderSubscriptions(data) {
+      const { subscriptions, summary } = data;
+      const stateEl = document.getElementById('subsAutoState');
+      const parts = [];
+      if (summary.detected) parts.push(`${summary.detected} detected`);
+      if (summary.userDeclared) parts.push(`${summary.userDeclared} declared`);
+      if (summary.running) parts.push(`${summary.running} live`);
+      const headline = summary.autoGatewayEnabled ? 'active' : 'detection + declaration';
+      stateEl.textContent = `${headline} — ${parts.join(' · ') || 'open settings to declare your subscriptions'}`;
 
-      sseConnection.onopen = () => {
-        document.getElementById('sseStatusIndicator').className = 'status-indicator healthy';
-        document.getElementById('sseStatus').textContent = 'Stream connected';
-        document.getElementById('connectionDot').className = 'connection-dot';
-        document.getElementById('connectionText').textContent = 'Connected';
-      };
+      document.getElementById('subsTabBadge').textContent = `${summary.installed}/${summary.total}`;
 
-      sseConnection.onerror = () => {
-        document.getElementById('sseStatusIndicator').className = 'status-indicator unhealthy';
-        document.getElementById('sseStatus').textContent = 'Stream disconnected';
-        document.getElementById('connectionDot').className = 'connection-dot disconnected';
-        document.getElementById('connectionText').textContent = 'Disconnected';
-        sseConnection.close();
-        setTimeout(connectSSE, 5000);
-      };
+      const list = document.getElementById('subscriptionsList');
+      if (!subscriptions.length) {
+        list.innerHTML = '<div class="empty-state">no subscriptions in catalog</div>';
+        return;
+      }
+      list.innerHTML = subscriptions.map(renderSubscriptionCard).join('');
+    }
 
-      sseConnection.onmessage = (event) => {
-        try {
-          const data = JSON.parse(event.data);
-          if (data.type === 'connected') {
-            console.log('SSE connection established');
-          } else {
-            // Real-time request update
-            loadMetrics();
-            loadRequests();
-          }
-        } catch (error) {
-          console.error('Failed to parse SSE message:', error);
-        }
-      };
+    function renderSubscriptionCard(s) {
+      const available = s.installed;
+      const cardClass = s.bridgeRunning ? 'running' : (available ? 'installed' : 'missing');
+      const stateClass = s.bridgeRunning ? 'running' : (available ? 'installed' : 'missing');
+      let stateLabel;
+      if (s.bridgeRunning) stateLabel = '● bridge live';
+      else if (s.detected && s.userDeclared) stateLabel = '◆ detected+declared';
+      else if (s.detected) stateLabel = '◆ detected';
+      else if (s.userDeclared) stateLabel = '◇ declared';
+      else stateLabel = '○ not configured';
+
+      const versionLine = s.version
+        ? `<div class="subs-meta">${s.command} → ${escapeHtml(s.version)}</div>`
+        : `<div class="subs-meta">${s.command}${s.userDeclared ? ' (declared)' : ''}</div>`;
+      const bridgeBlock = s.bridgeUrl
+        ? `<div class="subs-bridge-url">bridge: ${s.bridgeUrl}${s.autoSpawned ? ' (auto)' : ''}</div>`
+        : '';
+      const modelsLine = s.models?.length
+        ? `<div class="subs-models">${s.models.map(m => m.id).join(', ')}</div>` : '';
+      let hint = '';
+      if (!s.detected && !s.userDeclared) {
+        hint = `<div class="subs-install-hint">install <code>${s.command}</code> on the gateway host, or declare it in settings.</div>`;
+      } else if (!s.detected && s.userDeclared) {
+        hint = `<div class="subs-install-hint" style="color:#6aa0ff;border-color:rgba(106,160,255,0.25);background:rgba(106,160,255,0.05);">declared — use via your local <code>${s.command}</code> CLI. gateway routes through it.</div>`;
+      }
+      return `
+        <div class="subs-card ${cardClass}">
+          <div class="subs-head">
+            <div class="subs-label">${escapeHtml(s.label)}</div>
+            <span class="subs-state ${stateClass}">${stateLabel}</span>
+          </div>
+          ${versionLine}
+          ${modelsLine}
+          ${bridgeBlock}
+          ${hint}
+        </div>
+      `;
+    }
+
+    // ─── Full Discovery: CLIs + Local LLMs + API Keys ────────────────────
+    document.getElementById('discoverFullBtn')?.addEventListener('click', async () => {
+      const btn = document.getElementById('discoverFullBtn');
+      const wrap = document.getElementById('discoverReportWrap');
+      const meta = document.getElementById('discoverReportMeta');
+      btn.disabled = true;
+      const orig = btn.textContent;
+      btn.textContent = '⏳ scanning…';
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/discover`, { method: 'POST' });
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'discovery failed');
+        const r = payload.data.report;
+        const spawnedCount = payload.data.spawnedCount;
+
+        wrap.style.display = 'block';
+        meta.textContent = `host: ${r.host} · scanned: ${new Date(r.generatedAt).toLocaleTimeString()} · ${spawnedCount} bridges spawned · ${r.summary.totalProviders} total providers, ${r.summary.totalRoutableModels} models`;
+
+        // CLI subscriptions
+        document.getElementById('discCntSubs').textContent = r.subscriptions.detected;
+        document.getElementById('discListSubs').innerHTML = r.subscriptions.items.map(s => `
+          <li>
+            <span>${s.descriptor.label}</span>
+            <span class="${s.installed ? 'disc-ok' : 'disc-no'}">${s.installed ? (s.authenticated === true ? '✓ auth' : (s.authenticated === false ? '⚠ unauth' : '?')) : '—'}</span>
+          </li>
+        `).join('');
+
+        // Local LLM servers
+        document.getElementById('discCntLocal').textContent = r.localLLMs.detected;
+        document.getElementById('discListLocal').innerHTML = r.localLLMs.items.map(l => `
+          <li>
+            <span>${l.label}<br><span style="font-size:0.66rem;opacity:0.6;">${l.url}</span></span>
+            <span class="${l.detected ? 'disc-ok' : 'disc-no'}">${l.detected ? `✓ ${l.models.length} models · ${l.latencyMs}ms` : '— offline'}</span>
+          </li>
+        `).join('');
+
+        // API-key providers
+        document.getElementById('discCntKeys').textContent = r.apiKeys.configured;
+        document.getElementById('discListKeys').innerHTML = r.apiKeys.items.map(k => `
+          <li>
+            <span>${k.label}<br><span style="font-size:0.66rem;opacity:0.6;">${k.envKey}</span></span>
+            <span class="${k.configured ? 'disc-ok' : 'disc-no'}">${k.configured ? '✓ set' : '— missing'}</span>
+          </li>
+        `).join('');
+
+        btn.textContent = `✓ found ${r.summary.totalProviders}`;
+        await loadSubscriptions();
+      } catch (e) {
+        btn.textContent = `✗ ${e.message}`;
+      } finally {
+        setTimeout(() => { btn.disabled = false; btn.textContent = orig; }, 3000);
+      }
+    });
+
+    document.getElementById('subsSpawnBtn').addEventListener('click', async () => {
+      const btn = document.getElementById('subsSpawnBtn');
+      btn.disabled = true;
+      const orig = btn.textContent;
+      btn.textContent = '⟳ spawning…';
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/subscriptions/spawn`, { method: 'POST' });
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'spawn failed');
+        btn.textContent = `✓ ${payload.data.spawnedCount} spawned`;
+        await loadSubscriptions();
+      } catch (e) {
+        btn.textContent = `✗ ${e.message}`;
+      } finally {
+        setTimeout(() => { btn.disabled = false; btn.textContent = orig; }, 2500);
+      }
+    });
+
+    // Polling
+    function setupPolling() {
+      document.getElementById('pollingStatusIndicator').className = 'dot ok';
+      document.getElementById('pollingStatus').textContent = 'live';
+      document.getElementById('connectionDot').className = 'dot';
+      document.getElementById('connectionText').textContent = 'connected';
+
+      if (metricsIntervalId) clearInterval(metricsIntervalId);
+      metricsIntervalId = setInterval(loadMetrics, METRICS_REFRESH_INTERVAL);
+
+      if (requestsIntervalId) clearInterval(requestsIntervalId);
+      requestsIntervalId = setInterval(loadRequests, REQUESTS_REFRESH_INTERVAL);
+
+      loadMetrics();
+      loadRequests();
     }
 
     // Filter buttons
@@ -791,23 +2494,1022 @@
         btn.classList.add('active');
         selectedHours = parseInt(btn.dataset.hours);
         loadRequests();
+        loadMetrics();
       });
     });
 
-    // Initial setup
+    // ─── Settings Modal ───────────────────────────────────────────────────
+    const SUBSCRIPTION_LABELS = {
+      'claude-code': 'Claude Code (Anthropic)',
+      'github-copilot': 'GitHub / Microsoft Copilot',
+      'chatgpt': 'OpenAI ChatGPT Plus',
+      'gemini': 'Google Gemini Advanced',
+      'codex': 'OpenAI Codex CLI',
+      'aider': 'Aider Pair Programmer',
+    };
+    const API_PROVIDER_LABELS = {
+      'cerebras': { label: 'Cerebras', envKey: 'CEREBRAS_API_KEY', placeholder: 'csk-...' },
+      'groq': { label: 'Groq', envKey: 'GROQ_API_KEY', placeholder: 'gsk_...' },
+      'mistral': { label: 'Mistral AI', envKey: 'MISTRAL_API_KEY', placeholder: 'mistral key' },
+      'nvidia': { label: 'NVIDIA NIM', envKey: 'NVIDIA_API_KEY', placeholder: 'nvapi-...' },
+      'cloudflare': { label: 'Cloudflare Workers AI', envKey: 'CLOUDFLARE_AI_TOKEN', placeholder: 'cf token' },
+      'openai-codex': { label: 'OpenAI API (paid)', envKey: 'OPENAI_API_KEY', placeholder: 'sk-...' },
+    };
+
+    let currentSettings = null;
+
+    function openSettings() {
+      document.getElementById('settingsModal').classList.add('open');
+      loadSettingsIntoModal();
+    }
+    function closeSettings() {
+      document.getElementById('settingsModal').classList.remove('open');
+      const ss = document.getElementById('settingsSaveStatus');
+      ss.textContent = ''; ss.className = 'save-status';
+    }
+
+    async function loadSettingsIntoModal() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        currentSettings = payload.data;
+        renderSettingsForm(currentSettings);
+      } catch (e) {
+        const ss = document.getElementById('settingsSaveStatus');
+        ss.textContent = `load error: ${e.message}`;
+        ss.className = 'save-status err';
+      }
+    }
+
+    function renderSettingsForm(s) {
+      document.querySelectorAll('input[name="routingMode"]').forEach(r => {
+        r.checked = (r.value === s.routingMode);
+        r.closest('.settings-radio').classList.toggle('active', r.checked);
+      });
+      document.getElementById('routingModeBadge').textContent = s.routingMode;
+
+      // UI mode toggles
+      const ui = s.ui ?? { simpleMode: false, hideEmptyProviders: true, showTooltips: true };
+      document.getElementById('uiSimpleMode').checked = !!ui.simpleMode;
+      document.getElementById('uiHideEmpty').checked = !!ui.hideEmptyProviders;
+      document.getElementById('uiTooltips').checked = !!ui.showTooltips;
+
+      const subList = document.getElementById('settingsSubscriptionsList');
+      subList.innerHTML = Object.entries(SUBSCRIPTION_LABELS).map(([id, label]) => {
+        const cfg = s.subscriptions?.[id] ?? { enabled: true, autoSpawn: true, bridgeUrl: '' };
+        const bridgeHint = cfg.bridgeUrl
+          ? `bridge: ${cfg.bridgeUrl}`
+          : 'no bridge URL — set one if the CLI runs on another machine';
+        return `
+          <div class="settings-row">
+            <div class="settings-row-info" style="grid-column:1/-1;flex-direction:row;align-items:center;justify-content:space-between;gap:12px;">
+              <div style="display:flex;flex-direction:column;gap:2px;flex:1;">
+                <span class="settings-row-label">${label}</span>
+                <span class="settings-row-meta">id: ${id} · ${bridgeHint}</span>
+                <input class="settings-input" type="text" data-sub-bridge="${id}" placeholder="https://your-bridge-host:port (leave blank for local auto-spawn)" value="${cfg.bridgeUrl || ''}">
+              </div>
+              <label class="settings-toggle" style="flex-shrink:0;">
+                <input type="checkbox" data-sub="${id}" ${cfg.enabled ? 'checked' : ''}>
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        `;
+      }).join('');
+
+      const apiList = document.getElementById('settingsApiList');
+      apiList.innerHTML = Object.entries(API_PROVIDER_LABELS).map(([id, info]) => {
+        const cfg = s.apiProviders?.[id] ?? { enabled: false, hasKey: false };
+        const placeholder = cfg.hasKey ? '••••••• (key on file — leave blank to keep)' : info.placeholder;
+        return `
+          <div class="settings-row">
+            <div class="settings-row-info" style="grid-column:1/-1;flex-direction:row;align-items:center;justify-content:space-between;gap:12px;">
+              <div style="display:flex;flex-direction:column;gap:2px;flex:1;">
+                <span class="settings-row-label">${info.label}</span>
+                <span class="settings-row-meta">${info.envKey} · ${cfg.hasKey ? '✓ key set' : 'no key'}</span>
+                <input class="settings-input" type="password" data-api-key="${id}" placeholder="${placeholder}" autocomplete="new-password">
+              </div>
+              <label class="settings-toggle" style="flex-shrink:0;">
+                <input type="checkbox" data-api-enabled="${id}" ${cfg.enabled ? 'checked' : ''}>
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        `;
+      }).join('');
+
+      document.getElementById('ollamaEnabled').checked = !!s.ollama?.enabled;
+      document.getElementById('ollamaBaseUrl').value = s.ollama?.baseUrl ?? 'http://localhost:11434';
+    }
+
+    async function saveSettingsFromModal() {
+      const ss = document.getElementById('settingsSaveStatus');
+      const saveBtn = document.getElementById('settingsSave');
+      saveBtn.disabled = true;
+      ss.textContent = 'saving…'; ss.className = 'save-status';
+
+      try {
+        const routingMode = document.querySelector('input[name="routingMode"]:checked')?.value ?? 'auto';
+
+        const subscriptions = {};
+        document.querySelectorAll('[data-sub]').forEach(cb => {
+          const id = cb.dataset.sub;
+          const bridgeInput = document.querySelector(`[data-sub-bridge="${id}"]`);
+          const bridgeUrl = bridgeInput?.value?.trim() ?? '';
+          subscriptions[id] = {
+            enabled: cb.checked,
+            autoSpawn: currentSettings?.subscriptions?.[id]?.autoSpawn ?? true,
+            bridgeUrl: bridgeUrl, // empty string = no remote bridge, fall back to local auto-spawn
+          };
+        });
+
+        const apiProviders = {};
+        Object.keys(API_PROVIDER_LABELS).forEach(id => {
+          const enabled = document.querySelector(`[data-api-enabled="${id}"]`)?.checked ?? false;
+          const newKey = document.querySelector(`[data-api-key="${id}"]`)?.value ?? '';
+          const entry = { enabled };
+          if (newKey.trim()) entry.apiKey = newKey.trim();
+          apiProviders[id] = entry;
+        });
+
+        const ollama = {
+          enabled: document.getElementById('ollamaEnabled').checked,
+          baseUrl: document.getElementById('ollamaBaseUrl').value.trim() || 'http://localhost:11434',
+        };
+
+        const ui = {
+          simpleMode: document.getElementById('uiSimpleMode').checked,
+          hideEmptyProviders: document.getElementById('uiHideEmpty').checked,
+          showTooltips: document.getElementById('uiTooltips').checked,
+        };
+
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ routingMode, subscriptions, apiProviders, ollama, ui }),
+        });
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || `HTTP ${res.status}`);
+        currentSettings = payload.data;
+        document.getElementById('routingModeBadge').textContent = payload.data.routingMode;
+        ss.textContent = `saved · ${new Date().toLocaleTimeString()}`;
+        ss.className = 'save-status ok';
+        applyUiMode(ui);
+        await loadProviders();
+        await loadSubscriptions();
+      } catch (e) {
+        ss.textContent = `error: ${e.message}`;
+        ss.className = 'save-status err';
+      } finally {
+        saveBtn.disabled = false;
+      }
+    }
+
+    document.getElementById('settingsBtn').addEventListener('click', openSettings);
+    document.getElementById('settingsClose').addEventListener('click', closeSettings);
+    document.getElementById('settingsCancel').addEventListener('click', closeSettings);
+    document.getElementById('settingsSave').addEventListener('click', saveSettingsFromModal);
+    document.getElementById('settingsModal').addEventListener('click', (e) => {
+      if (e.target.id === 'settingsModal') closeSettings();
+    });
+    document.querySelectorAll('input[name="routingMode"]').forEach(r => {
+      r.addEventListener('change', () => {
+        document.querySelectorAll('.settings-radio').forEach(label => {
+          label.classList.toggle('active', label.querySelector('input').checked);
+        });
+      });
+    });
+    document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeSettings(); });
+
+    // ─── Savings Tab ─────────────────────────────────────────────────────
+    async function loadSavings() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/savings?hours=24&bucket_minutes=60`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        renderSavings(payload.data);
+      } catch (e) {
+        document.getElementById('savingsCounter').textContent = '$—';
+        document.getElementById('savingsSubLine').textContent = `error: ${e.message}`;
+      }
+    }
+
+    function renderSavings(data) {
+      const s = data.savings;
+      const series = data.series || [];
+
+      const counter = document.getElementById('savingsCounter');
+      counter.textContent = formatCost(s.totalCostSaved);
+
+      document.getElementById('savingsSubLine').textContent =
+        `${formatNumber(s.totalTokensSaved)} tokens prevented · ${s.totalHits} cache hits`;
+      document.getElementById('savingsHitRate').textContent = `hit rate ${s.hitRatePercent}%`;
+
+      document.getElementById('cacheEntries').textContent = formatNumber(s.uniqueEntries);
+      document.getElementById('tokensPrevented').textContent = formatNumber(s.totalTokensSaved);
+      document.getElementById('cacheHitRate').innerHTML = s.hitRatePercent.toFixed(1) + '<span class="metric-unit">%</span>';
+      const sr = s.sinceRestart || {};
+      document.getElementById('compressedSinceRestart').textContent = formatNumber(sr.tokensSaved || 0);
+      const sinceLabel = sr.sinceISO ? new Date(sr.sinceISO).toLocaleString() : '—';
+      const pctTxt = (sr.savingsPct || 0).toFixed(1) + '%';
+      document.getElementById('compressedSinceRestartMeta').textContent = pctTxt + ' · ' + (sr.operations || 0) + ' ops · since ' + sinceLabel;
+
+      // Tab badge
+      document.getElementById('savingsTabBadge').textContent = s.totalHits > 0 ? formatCost(s.totalCostSaved) : '·';
+
+      // Top callers
+      const tc = document.getElementById('topSavingCallers');
+      if (s.topCallers && s.topCallers.length) {
+        tc.innerHTML = s.topCallers.map(c => `
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(c.caller)}</div>
+            <div class="chip-meta"><span class="num">${c.hits}</span> hits · <span class="num">${formatCost(c.saved)}</span> saved</div>
+          </div>
+        `).join('');
+      } else {
+        tc.innerHTML = '<div class="empty-state">no savings yet — send some duplicate prompts to see cache hits</div>';
+      }
+
+      // Sparkline
+      const svg = document.getElementById('savingsSparkline');
+      if (!series.length) { svg.innerHTML = ''; return; }
+      const W = 320, H = 64, PAD = 4;
+      const max = Math.max(0.0001, ...series.map(p => p.costSaved));
+      const stepX = (W - PAD * 2) / Math.max(1, series.length - 1);
+      const points = series.map((p, i) => {
+        const x = PAD + i * stepX;
+        const y = H - PAD - ((p.costSaved / max) * (H - PAD * 2));
+        return [x, y];
+      });
+      const linePath = points.map(([x, y], i) => `${i === 0 ? 'M' : 'L'}${x.toFixed(1)},${y.toFixed(1)}`).join(' ');
+      const areaPath = `${linePath} L${points[points.length - 1][0].toFixed(1)},${H - PAD} L${points[0][0].toFixed(1)},${H - PAD} Z`;
+      const last = points[points.length - 1];
+      svg.innerHTML = `
+        <path class="area" d="${areaPath}"></path>
+        <path class="line" d="${linePath}"></path>
+        <circle class="last" cx="${last[0].toFixed(1)}" cy="${last[1].toFixed(1)}" r="2.5"></circle>
+      `;
+    }
+
+    document.getElementById('cacheClearBtn').addEventListener('click', async () => {
+      const caller = document.getElementById('cacheClearCaller').value.trim();
+      if (!caller) return alert('enter caller id');
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/cache/clear`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ caller }),
+        });
+        const p = await res.json();
+        alert(p.success ? `removed ${p.data.removed} entries` : p.error);
+        loadSavings();
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    document.getElementById('cachePruneBtn').addEventListener('click', async () => {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/cache/prune`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ max_age_days: 7 }),
+        });
+        const p = await res.json();
+        alert(p.success ? `pruned ${p.data.removed} stale entries` : p.error);
+        loadSavings();
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    // ─── Wallet Tab (UNIQUE feature) ─────────────────────────────────────
+    async function loadWallet() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/wallet`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        renderWallet(payload.data);
+      } catch (e) {
+        document.getElementById('walletList').innerHTML =
+          `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderWallet(data) {
+      const list = document.getElementById('walletList');
+      if (!data.wallet?.length) { list.innerHTML = '<div class="empty-state">no subscriptions tracked</div>'; return; }
+
+      const totalRem = data.totals?.remaining ?? 0;
+      // Show units to avoid confusion with token counts elsewhere
+      document.getElementById('walletTabBadge').textContent = totalRem > 0 ? `${formatNumber(totalRem)} calls` : '·';
+
+      list.innerHTML = data.wallet.map(w => {
+        const util = w.utilizationPercent ?? 0;
+        const fillCls = util >= 90 ? 'err' : util >= 70 ? 'warn' : '';
+        const fillW = w.requestQuota ? Math.min(util, 100) : 0;
+        const remStr = w.requestQuota
+          ? `<strong>${w.remaining}</strong> / ${w.requestQuota} calls left`
+          : `<strong>—</strong> no quota tracked`;
+        const usedStr = `<strong>${w.used}</strong> calls used`;
+        const reset = w.resetAt
+          ? `resets ${new Date(w.resetAt).toLocaleString()}`
+          : `window: ${formatDuration(w.windowSeconds)}`;
+        const exhaust = w.predictedExhaustionAt
+          ? `predicted exhaustion: ${new Date(w.predictedExhaustionAt).toLocaleString()}`
+          : '';
+        return `
+          <div class="wallet-card" data-status="${w.recommendation}">
+            <div class="wallet-head">
+              <div class="wallet-label">${escapeHtml(w.label)}</div>
+              <div class="wallet-rec ${w.recommendation}">${w.recommendation.replace('-', ' ')}</div>
+            </div>
+            <div class="wallet-bar">
+              <div class="wallet-bar-fill ${fillCls}" style="width:${fillW}%"></div>
+            </div>
+            <div class="wallet-meta">
+              <span>${usedStr}</span>
+              <span>${remStr}</span>
+            </div>
+            <div class="wallet-reset">${reset}</div>
+            ${exhaust ? `<div class="wallet-reset">${exhaust}</div>` : ''}
+          </div>
+        `;
+      }).join('');
+    }
+
+    function formatDuration(secs) {
+      if (secs >= 86400) return `${Math.round(secs / 86400)}d`;
+      if (secs >= 3600) return `${Math.round(secs / 3600)}h`;
+      if (secs >= 60) return `${Math.round(secs / 60)}m`;
+      return `${secs}s`;
+    }
+
+    // ─── Memory Tab ──────────────────────────────────────────────────────
+    async function loadMemoryFor(caller) {
+      if (!caller) return;
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/memory/${encodeURIComponent(caller)}`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'load failed');
+        renderMemory(p.data);
+      } catch (e) {
+        document.getElementById('memList').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderMemory(data) {
+      const list = document.getElementById('memList');
+      if (!data.facts?.length) { list.innerHTML = `<div class="empty-state">no facts stored for "${escapeHtml(data.caller)}"</div>`; return; }
+      list.innerHTML = data.facts.map(f => `
+        <div class="mem-row">
+          <div class="mem-key">${escapeHtml(f.factKey)}</div>
+          <div class="mem-val">${escapeHtml(f.factValue)}</div>
+          <div class="mem-meta">conf=${f.confidence} · ${escapeHtml(f.source)}</div>
+        </div>
+      `).join('');
+    }
+
+    document.getElementById('memLoadBtn').addEventListener('click', () => {
+      loadMemoryFor(document.getElementById('memCaller').value.trim());
+    });
+
+    document.getElementById('memSaveBtn').addEventListener('click', async () => {
+      const caller = document.getElementById('memCaller').value.trim();
+      const fk = document.getElementById('memFactKey').value.trim();
+      const fv = document.getElementById('memFactValue').value.trim();
+      if (!caller || !fk || !fv) return alert('fill caller, key, value');
+      try {
+        await apiFetch(`${API_BASE}/api/dashboard/memory/${encodeURIComponent(caller)}`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ fact_key: fk, fact_value: fv, confidence: 0.95 }),
+        });
+        document.getElementById('memFactKey').value = '';
+        document.getElementById('memFactValue').value = '';
+        loadMemoryFor(caller);
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    // Auto-refresh savings + wallet every 10s when their tab is visible
+    setInterval(() => {
+      const active = document.querySelector('.tab-trigger.active')?.dataset.tab;
+      if (active === 'savings') loadSavings();
+      if (active === 'wallet') loadWallet();
+    }, 10_000);
+
+    // Hook tab switches to lazy-load tab data
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => {
+        const target = t.dataset.tab;
+        if (target === 'savings') loadSavings();
+        if (target === 'wallet') loadWallet();
+      });
+    });
+
+    // ─── Hero / Buddy / Achievements / Heatmap / Events / Forecast ──────
+    async function loadHero() {
+      try {
+        const [buddy, ach, heatmap, events, forecast, savings] = await Promise.all([
+          apiFetch(`${API_BASE}/api/dashboard/buddy`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/achievements`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/heatmap?days=365`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/events?limit=30`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/forecast`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/savings?hours=8760`).then(r => r.json()),
+        ]);
+        if (buddy.success) renderBuddy(buddy.data);
+        if (ach.success) renderAchievements(ach.data);
+        if (heatmap.success) renderHeatmap(heatmap.data);
+        if (events.success) renderEventsFeed(events.data);
+        if (forecast.success) renderForecast(forecast.data);
+        if (savings.success) renderHeroSavings(savings.data);
+      } catch (e) {
+        console.error('hero load failed', e);
+      }
+    }
+
+    function renderBuddy(b) {
+      const xpPercent = Math.min(100, (b.xp / b.xpForNextLevel) * 100);
+      document.getElementById('heroBuddy').innerHTML = `
+        <div>
+          <span class="buddy-name">${escapeHtml(b.name)}</span>
+          <span class="buddy-rarity ${b.rarity}">${b.rarity}</span>
+        </div>
+        <div class="buddy-meta">${escapeHtml(b.species)} · ${escapeHtml(b.stage)} · Lv.${b.level} · ${b.streakDays}d streak</div>
+        <div class="buddy-art">${b.asciiArt.map(escapeHtml).join('\n')}</div>
+        <div class="buddy-xp-bar"><div class="buddy-xp-fill" style="width:${xpPercent}%"></div></div>
+        <div class="buddy-xp-text"><span>XP ${b.xp.toLocaleString()}</span><span>Next: ${b.xpForNextLevel.toLocaleString()}</span></div>
+        <div class="buddy-speech buddy-mood-${b.mood}">${escapeHtml(b.speech)}</div>
+      `;
+    }
+
+    // Try to fetch external tool stats from localhost:3333 (legacy compat) (browser-side, not server-side)
+    // Returns null if no external tool runs there.
+    async function fetchExternalToolStats() {
+      try {
+        const ctrl = new AbortController();
+        setTimeout(() => ctrl.abort(), 1500);
+        const res = await fetch('http://localhost:3333/api/stats', { signal: ctrl.signal });
+        if (!res.ok) return null;
+        const stats = await res.json();
+        // The "tokens saved" calculation: input - output (compression delta) summed across commands
+        let saved = 0;
+        for (const v of Object.values(stats.commands || {})) {
+          saved += Math.max(0, (v.input_tokens || 0) - (v.output_tokens || 0));
+        }
+        return { saved, totalCommands: stats.total_commands || 0 };
+      } catch { return null; }
+    }
+
+    async function renderHeroSavings(d) {
+      const s = d.savings;
+      const c = s.comprehensive || {};
+      const gatewayTokens = s.totalTokensSaved || 0;
+      document.getElementById('heroTokensSaved').textContent = formatNumber(gatewayTokens);
+      document.getElementById('heroCostSaved').textContent = formatCost(s.totalCostSaved);
+      document.getElementById('heroCacheHits').textContent = s.totalHits;
+      document.getElementById('heroSavingsRate').textContent = `${s.hitRatePercent || 0}%`;
+
+      // Optional external-tool integration: pull from localhost:3333 if running
+      const externalTool = await fetchExternalToolStats();
+      const combined = gatewayTokens + (externalTool?.saved || 0);
+      document.getElementById('heroTokensSavedCombined').textContent = formatNumber(combined);
+      if (externalTool) {
+        document.getElementById('heroExternalToolRow').style.display = 'flex';
+        document.getElementById('heroExternalToolTokens').textContent = formatNumber(externalTool.saved);
+      } else {
+        document.getElementById('heroExternalToolRow').style.display = 'none';
+      }
+      document.getElementById('costWithout').textContent = formatCost(c.costWithoutGateway || 0);
+      document.getElementById('costWith').textContent = formatCost(c.costWithGateway || 0);
+      const saved = (c.costWithoutGateway || 0) - (c.costWithGateway || 0);
+      document.getElementById('costSavedLine').textContent = (saved < 0 ? '-$' : '$') + Math.abs(saved).toFixed(2);
+      document.getElementById('costSavedPercent').textContent = `${(c.effectiveSavingsPercent || 0).toFixed(1)}%`;
+
+      // 5-axis savings
+      const axes = [
+        { id: 'cache',              label: 'Cache',           icon: '⚡', cost: c.bySource?.cache?.cost ?? 0,            detail: `${c.bySource?.cache?.hits ?? 0} hits` },
+        { id: 'compression',        label: 'Compression',     icon: '🗜', cost: c.bySource?.compression?.cost ?? 0,      detail: `${formatNumber(c.bySource?.compression?.tokens ?? 0)} tokens` },
+        { id: 'subscriptionBridge', label: 'Sub. Bridges',    icon: '🌉', cost: c.bySource?.subscriptionBridge?.cost ?? 0, detail: `${c.bySource?.subscriptionBridge?.calls ?? 0} calls` },
+        { id: 'localRouting',       label: 'Local Models',    icon: '🏠', cost: c.bySource?.localRouting?.cost ?? 0,      detail: `${c.bySource?.localRouting?.calls ?? 0} calls` },
+        { id: 'raceMode',           label: 'Race Mode',       icon: '🏁', cost: c.bySource?.raceMode?.cost ?? 0,           detail: `${c.bySource?.raceMode?.calls ?? 0} races` },
+      ];
+      document.getElementById('savingsAxes').innerHTML = axes.map(a => `
+        <div class="axis">
+          <span class="axis-icon">${a.icon}</span>
+          <span class="axis-label">${a.label}</span>
+          <span class="axis-cost">${formatCost(a.cost)}</span>
+          <span class="axis-detail">${a.detail}</span>
+        </div>
+      `).join('');
+    }
+
+    function renderAchievements(a) {
+      document.getElementById('achievementsProgress').textContent = `${a.unlocked.length}/${a.unlocked.length + a.locked.length} · ${a.progress}%`;
+      const all = [...a.unlocked.map(x => ({...x, unlocked: true})), ...a.locked.slice(0, 12).map(x => ({...x, unlocked: false}))];
+      document.getElementById('achievementsGrid').innerHTML = all.map(x => `
+        <div class="achievement ${x.unlocked ? 'unlocked' : 'locked'}">
+          <div class="ach-icon">${x.icon}</div>
+          <div class="ach-info">
+            <div class="ach-title">${escapeHtml(x.title)}</div>
+            <div class="ach-desc">${escapeHtml(x.description)}</div>
+          </div>
+        </div>
+      `).join('');
+    }
+
+    function renderHeatmap(cells) {
+      // Lay out cells column-major (Sun→Sat per week column, like GitHub)
+      // Total 365 days = ~52 weeks of 7 cells. Pad start so first cell aligns to Sunday.
+      if (!cells.length) { document.getElementById('heatmap').innerHTML = '<div class="empty-state">no activity yet</div>'; return; }
+      const first = new Date(cells[0].date);
+      const padDays = first.getUTCDay(); // 0=Sun, 6=Sat
+      const padded = Array(padDays).fill(null).concat(cells);
+      let maxStreak = 0;
+      let curStreak = 0;
+      for (const c of cells) {
+        if (c && c.count > 0) { curStreak++; if (curStreak > maxStreak) maxStreak = curStreak; }
+        else curStreak = 0;
+      }
+      // Latest streak from end
+      let endStreak = 0;
+      for (let i = cells.length - 1; i >= 0; i--) {
+        if (cells[i].count > 0) endStreak++; else break;
+      }
+      document.getElementById('streakBadge').textContent = endStreak;
+
+      document.getElementById('heatmap').innerHTML = padded.map(c => {
+        if (!c) return '<div class="heatmap-cell"></div>';
+        const title = `${c.date}: ${c.count} req · ${c.tokensSaved} saved`;
+        return `<div class="heatmap-cell l${c.level}" title="${title}"></div>`;
+      }).join('');
+    }
+
+    function renderEventsFeed(events) {
+      const el = document.getElementById('eventsFeed');
+      if (!events.length) { el.innerHTML = '<div class="empty-state">no events yet</div>'; return; }
+      el.innerHTML = events.map(e => `
+        <div class="event-row">
+          <span class="event-icon">${e.icon}</span>
+          <div class="event-body">
+            <span class="event-caller">${escapeHtml(e.caller)}</span> · ${escapeHtml(e.type)}
+            <div class="event-detail">${escapeHtml(e.detail)}</div>
+          </div>
+          <span class="event-time">${formatTime(e.ts)}</span>
+        </div>
+      `).join('');
+    }
+
+    function renderForecast(f) {
+      const trendIcon = f.trend === 'up' ? '↗' : (f.trend === 'down' ? '↘' : '→');
+      document.getElementById('forecast').innerHTML = `
+        <div class="forecast-row"><span class="forecast-window">next 7 days</span><span class="forecast-amount">${formatCost(f.next7DaysSavings)}</span></div>
+        <div class="forecast-row"><span class="forecast-window">next 30 days</span><span class="forecast-amount">${formatCost(f.next30DaysSavings)}</span></div>
+        <div class="forecast-row"><span class="forecast-window">next 12 months</span><span class="forecast-amount">${formatCost(f.next365DaysSavings)}</span></div>
+        <div class="forecast-trend ${f.trend}">${trendIcon} trend ${f.trend} · daily avg ${formatCost(f.dailyAverage)} · ${f.basedOnDays}d data</div>
+      `;
+    }
+
+    function formatTime(iso) {
+      try {
+        const d = new Date(iso);
+        const now = new Date();
+        const diffMs = now - d;
+        if (diffMs < 60_000) return 'just now';
+        if (diffMs < 3600_000) return `${Math.floor(diffMs/60000)}m ago`;
+        if (diffMs < 86400_000) return `${Math.floor(diffMs/3600000)}h ago`;
+        return d.toISOString().split('T')[0];
+      } catch { return iso; }
+    }
+
+    // ─── Simple Mode application ─────────────────────────────────────────
+    // Hide tabs / sections / content based on the user's UI preferences.
+    // Defaults to Simple Mode = ON for users with few configured subscriptions.
+    const ADVANCED_TABS_TO_HIDE_IN_SIMPLE = ['providers', 'memory', 'leaderboard', 'share', 'report'];
+
+    function applyUiMode(ui) {
+      const simpleMode = !!ui?.simpleMode;
+      const hideEmpty  = !!ui?.hideEmptyProviders;
+      const tooltips   = !!ui?.showTooltips;
+
+      // 1) Hide advanced tabs in Simple Mode
+      document.querySelectorAll('.tab-trigger').forEach(t => {
+        const isAdvanced = ADVANCED_TABS_TO_HIDE_IN_SIMPLE.includes(t.dataset.tab);
+        t.style.display = (simpleMode && isAdvanced) ? 'none' : '';
+      });
+
+      // 2) Toggle tooltip attribute
+      document.querySelectorAll('.tab-trigger').forEach(t => {
+        if (!tooltips && t.title) { t.dataset.savedTitle = t.title; t.title = ''; }
+        else if (tooltips && t.dataset.savedTitle) { t.title = t.dataset.savedTitle; }
+      });
+
+      // 3) Body class — used by other CSS-driven simplifications
+      document.body.classList.toggle('simple-mode', simpleMode);
+      document.body.classList.toggle('hide-empty-providers', hideEmpty);
+
+      // 4) If currently on a hidden tab, switch to overview
+      const activeTab = document.querySelector('.tab-trigger.active')?.dataset.tab;
+      if (simpleMode && ADVANCED_TABS_TO_HIDE_IN_SIMPLE.includes(activeTab)) {
+        const overview = document.querySelector('.tab-trigger[data-tab="overview"]');
+        if (overview) overview.click();
+      }
+    }
+
+    // ─── Knowledge Graph (force-directed SVG, no D3 dep) ──────────────
+    async function loadMemoryGraph() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/memory-graph`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'graph failed');
+        renderMemoryGraph(p.data);
+      } catch (e) {
+        document.getElementById('memoryGraph').innerHTML = `<text x="20" y="40" fill="#888">error: ${e.message}</text>`;
+      }
+    }
+
+    function renderMemoryGraph(g) {
+      const svg = document.getElementById('memoryGraph');
+      if (!g.nodes.length) {
+        svg.innerHTML = '<text x="440" y="230" text-anchor="middle" font-family="JetBrains Mono" font-size="14" fill="#667684">No facts stored yet — try `remember that …` in any caller</text>';
+        return;
+      }
+
+      // Simple force-directed layout: 60 iterations of attraction along edges + repulsion between all nodes
+      const W = 880, H = 460;
+      const nodes = g.nodes.map((n, i) => ({
+        ...n,
+        x: W/2 + Math.cos(i * 2 * Math.PI / g.nodes.length) * 200,
+        y: H/2 + Math.sin(i * 2 * Math.PI / g.nodes.length) * 150,
+        r: n.type === 'caller' ? 14 : (n.type === 'fact-key' ? 9 : 6),
+      }));
+      const idx = new Map(nodes.map(n => [n.id, n]));
+
+      for (let it = 0; it < 80; it++) {
+        // repulsion
+        for (let i = 0; i < nodes.length; i++) {
+          for (let j = i+1; j < nodes.length; j++) {
+            const a = nodes[i], b = nodes[j];
+            const dx = b.x - a.x, dy = b.y - a.y;
+            const d2 = dx*dx + dy*dy + 1;
+            const f = 1500 / d2;
+            const fx = (dx / Math.sqrt(d2)) * f;
+            const fy = (dy / Math.sqrt(d2)) * f;
+            a.x -= fx; a.y -= fy;
+            b.x += fx; b.y += fy;
+          }
+        }
+        // attraction along edges
+        for (const e of g.edges) {
+          const a = idx.get(e.source), b = idx.get(e.target);
+          if (!a || !b) continue;
+          const dx = b.x - a.x, dy = b.y - a.y;
+          const f = 0.04;
+          a.x += dx * f; a.y += dy * f;
+          b.x -= dx * f; b.y -= dy * f;
+        }
+        // boundary
+        for (const n of nodes) {
+          n.x = Math.max(20, Math.min(W-20, n.x));
+          n.y = Math.max(20, Math.min(H-20, n.y));
+        }
+      }
+
+      // Render edges + nodes
+      const edgeSvg = g.edges.map(e => {
+        const a = idx.get(e.source), b = idx.get(e.target);
+        if (!a || !b) return '';
+        return `<path class="edge" d="M ${a.x.toFixed(1)} ${a.y.toFixed(1)} L ${b.x.toFixed(1)} ${b.y.toFixed(1)}"/>`;
+      }).join('');
+
+      const nodeSvg = nodes.map(n => {
+        const cls = n.type === 'caller' ? 'node-caller' : (n.type === 'fact-key' ? 'node-fact-key' : 'node-fact-value');
+        const labelOffset = n.r + 12;
+        return `
+          <g class="node">
+            <title>${escapeHtml(n.label)} (${n.type})</title>
+            <circle cx="${n.x.toFixed(1)}" cy="${n.y.toFixed(1)}" r="${n.r}" class="${cls}"/>
+            ${n.type === 'caller' ? `<text class="label" x="${n.x.toFixed(1)}" y="${(n.y+labelOffset).toFixed(1)}" text-anchor="middle">${escapeHtml(n.label)}</text>` : ''}
+          </g>`;
+      }).join('');
+
+      svg.innerHTML = edgeSvg + nodeSvg;
+    }
+
+    // ─── Race Leaderboard ───────────────────────────────────────────────
+    async function loadLeaderboard() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/race-leaderboard?days=7`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'leaderboard failed');
+        renderLeaderboard(p.data);
+      } catch (e) {
+        document.getElementById('leaderboardTable').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderLeaderboard(d) {
+      document.getElementById('leaderboardTabBadge').textContent = d.totalRaces > 0 ? `${d.totalRaces}` : '·';
+
+      // Podium
+      const top3 = d.entries.slice(0, 3);
+      const podium = document.getElementById('leaderboardPodium');
+      if (top3.length === 0) {
+        podium.innerHTML = '<div class="empty-state" style="grid-column:1/-1;">no races run yet — POST /v1/race to start competing models</div>';
+      } else {
+        const slots = [];
+        const findByBadge = (badge) => top3.find(e => e.badge === badge);
+        const gold = findByBadge('gold');
+        const silver = findByBadge('silver');
+        const bronze = findByBadge('bronze');
+        if (silver) slots.push(`<div class="podium-step silver"><div class="podium-medal">🥈</div><div class="podium-rank">2nd</div><div class="podium-model">${escapeHtml(silver.model)}</div><div class="podium-stat">${silver.avgLatencyMs}ms · ${(silver.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>');
+        if (gold)   slots.push(`<div class="podium-step gold"><div class="podium-medal">🥇</div><div class="podium-rank">1st</div><div class="podium-model">${escapeHtml(gold.model)}</div><div class="podium-stat">${gold.avgLatencyMs}ms · ${(gold.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>');
+        if (bronze) slots.push(`<div class="podium-step bronze"><div class="podium-medal">🥉</div><div class="podium-rank">3rd</div><div class="podium-model">${escapeHtml(bronze.model)}</div><div class="podium-stat">${bronze.avgLatencyMs}ms · ${(bronze.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>');
+        podium.innerHTML = slots.join('');
+      }
+
+      // Full table
+      const tbl = document.getElementById('leaderboardTable');
+      const head = `
+        <div class="lb-row head">
+          <div>#</div><div>model</div><div class="lb-num">latency</div>
+          <div class="lb-num">speed</div><div class="lb-num">wins</div><div class="lb-num">races</div>
+        </div>`;
+      const rows = d.entries.map(e => `
+        <div class="lb-row ${e.badge ? 'medal-' + e.badge : ''}">
+          <div class="lb-pos">${e.rankPosition}</div>
+          <div>${escapeHtml(e.model)}</div>
+          <div class="lb-num">${e.avgLatencyMs}ms</div>
+          <div class="lb-num">${(e.speedRate*100).toFixed(0)}%</div>
+          <div class="lb-num">${e.selectedCount}</div>
+          <div class="lb-num">${e.participations}</div>
+        </div>
+      `).join('');
+      tbl.innerHTML = head + (d.entries.length === 0 ? '<div class="empty-state">no race results yet</div>' : rows);
+    }
+
+    // ─── Per-Caller Deep Dive ──────────────────────────────────────────
+    async function openCallerDeepDive(caller) {
+      document.getElementById('callerModal').classList.add('open');
+      document.getElementById('callerModalTitle').textContent = caller;
+      document.getElementById('callerModalBody').innerHTML = '<div class="loading">loading</div>';
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/caller/${encodeURIComponent(caller)}`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'load failed');
+        renderCallerDeepDive(p.data);
+      } catch (e) {
+        document.getElementById('callerModalBody').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderCallerDeepDive(d) {
+      const maxHourly = Math.max(1, ...d.hourlyHeatmap.map(h => h.count));
+      document.getElementById('callerModalBody').innerHTML = `
+        <div class="caller-summary">
+          <div><div class="label">requests</div><div class="val">${formatNumber(d.totalRequests)}</div></div>
+          <div><div class="label">success rate</div><div class="val">${(d.successRate*100).toFixed(1)}%</div></div>
+          <div><div class="label">avg latency</div><div class="val">${d.avgLatencyMs}ms</div></div>
+          <div><div class="label">p50 / p95</div><div class="val">${d.latencyP50}/${d.latencyP95}ms</div></div>
+          <div><div class="label">tokens (in→out)</div><div class="val">${formatNumber(d.totalTokensIn)} → ${formatNumber(d.totalTokensOut)}</div></div>
+          <div><div class="label">total cost</div><div class="val">${formatCost(d.totalCost)}</div></div>
+          <div><div class="label">cache hits</div><div class="val">${d.cacheHits}</div></div>
+          <div><div class="label">tokens saved</div><div class="val">${formatNumber(d.cacheTokensSaved)}</div></div>
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Activity by hour <span class="h-meta">last 7 days, UTC</span></h2>
+        <div class="caller-hour-bars">
+          ${d.hourlyHeatmap.map(h => `<div class="bar" title="${h.hour}:00 — ${h.count} req" style="height:${(h.count/maxHourly*100).toFixed(0)}%;"></div>`).join('')}
+        </div>
+        <div class="caller-hour-axis">
+          ${d.hourlyHeatmap.map(h => h.hour % 4 === 0 ? `<span>${h.hour}h</span>` : '<span></span>').join('')}
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Top Models</h2>
+        <div class="chip-grid">
+          ${d.topModels.map(m => `
+            <div class="chip" style="cursor:default;">
+              <div class="chip-name">${escapeHtml(m.model)}</div>
+              <div class="chip-meta"><span class="num">${m.count}</span> · ${m.share}%</div>
+            </div>
+          `).join('')}
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Recent Requests</h2>
+        <div class="req-table" style="font-size: 0.74rem;">
+          <div class="req-row head">
+            <div>id</div><div>model</div><div>status</div><div>tok in</div><div>tok out</div><div>cost</div><div>latency</div>
+          </div>
+          ${d.recentRequests.map(r => `
+            <div class="req-row body">
+              <div title="${r.request_id}">${r.request_id.substring(0,12)}…</div>
+              <div>${escapeHtml(r.model)}</div>
+              <div><span class="req-status ${r.status}">${r.status}</span></div>
+              <div>${r.tokens_in}</div><div>${r.tokens_out}</div>
+              <div>${formatCost(r.cost_usd)}</div><div>${r.latency_ms}ms</div>
+            </div>
+          `).join('')}
+        </div>
+
+        ${d.storedFacts.length ? `
+        <h2 class="h-section" style="margin-top:18px;">Stored Facts</h2>
+        <div class="mem-list">
+          ${d.storedFacts.map(f => `
+            <div class="mem-row">
+              <div class="mem-key">${escapeHtml(f.key)}</div>
+              <div class="mem-val">${escapeHtml(f.value)}</div>
+              <div class="mem-meta">conf=${f.confidence} · ${escapeHtml(f.source)}</div>
+            </div>
+          `).join('')}
+        </div>` : ''}
+      `;
+    }
+
+    function closeCallerModal() { document.getElementById('callerModal').classList.remove('open'); }
+    document.getElementById('callerModalClose').addEventListener('click', closeCallerModal);
+    document.getElementById('callerModal').addEventListener('click', (e) => { if (e.target.id === 'callerModal') closeCallerModal(); });
+    document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeCallerModal(); });
+
+    // Wire click on caller chips (delegated event)
+    document.addEventListener('click', (e) => {
+      const chip = e.target.closest('#topCallers .chip, #topSavingCallers .chip');
+      if (chip) {
+        const name = chip.querySelector('.chip-name')?.textContent?.trim();
+        if (name) openCallerDeepDive(name);
+      }
+    });
+
+    // ─── Share Card ─────────────────────────────────────────────────────
+    function buildShareCardUrl() {
+      const period = document.getElementById('shareCardPeriod').value;
+      const theme = document.getElementById('shareCardTheme').value;
+      return `${API_BASE || location.origin}/api/dashboard/share-card?period=${period}&theme=${theme}`;
+    }
+    function refreshShareCard() {
+      const url = buildShareCardUrl();
+      document.getElementById('shareCardImg').src = url + '&_t=' + Date.now();
+      document.getElementById('shareCardUrl').textContent = url;
+    }
+    document.getElementById('shareCardRefresh').addEventListener('click', refreshShareCard);
+    document.getElementById('shareCardPeriod').addEventListener('change', refreshShareCard);
+    document.getElementById('shareCardTheme').addEventListener('change', refreshShareCard);
+    document.getElementById('shareCardCopyUrl').addEventListener('click', async () => {
+      const url = buildShareCardUrl();
+      try { await navigator.clipboard.writeText(url); document.getElementById('shareCardCopyUrl').textContent = '✓ copied'; setTimeout(() => { document.getElementById('shareCardCopyUrl').textContent = 'copy URL'; }, 1500); }
+      catch { alert('clipboard write failed — URL: ' + url); }
+    });
+    document.getElementById('shareCardDownload').addEventListener('click', async () => {
+      const url = buildShareCardUrl();
+      const r = await fetch(url);
+      const svg = await r.text();
+      const blob = new Blob([svg], { type: 'image/svg+xml' });
+      const a = document.createElement('a');
+      a.href = URL.createObjectURL(blob);
+      a.download = `llm-gateway-${document.getElementById('shareCardPeriod').value}-${document.getElementById('shareCardTheme').value}.svg`;
+      a.click();
+      URL.revokeObjectURL(a.href);
+    });
+
+    // ─── Monthly Report ─────────────────────────────────────────────────
+    document.getElementById('reportOpen').addEventListener('click', () => {
+      const year = document.getElementById('reportYear').value;
+      const month = document.getElementById('reportMonth').value;
+      const url = `${API_BASE || location.origin}/api/dashboard/report?year=${year}&month=${month}`;
+      // Open in a new tab; report HTML has its own print-friendly styles
+      window.open(url, '_blank');
+    });
+    // Pre-fill current year/month
+    (() => {
+      const now = new Date();
+      document.getElementById('reportYear').value = now.getUTCFullYear();
+      document.getElementById('reportMonth').value = now.getUTCMonth() + 1;
+    })();
+
+    // Hook tab switches to load data lazily
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => {
+        const target = t.dataset.tab;
+        if (target === 'memory') loadMemoryGraph();
+        if (target === 'leaderboard') loadLeaderboard();
+        if (target === 'share') refreshShareCard();
+        if (target === 'api') refreshApiBridgeStatus();
+      });
+    });
+
+    // ─── API Tab — copy buttons, try-it-out, bridge status ────────────────
+    function copyToClipboard(text) {
+      if (navigator.clipboard?.writeText) return navigator.clipboard.writeText(text);
+      const ta = document.createElement('textarea');
+      ta.value = text; document.body.appendChild(ta); ta.select();
+      document.execCommand('copy'); document.body.removeChild(ta);
+      return Promise.resolve();
+    }
+    document.querySelectorAll('.api-copy').forEach(btn => {
+      btn.addEventListener('click', async () => {
+        const targetId = btn.dataset.target;
+        const snippet = document.getElementById(targetId)?.innerText || '';
+        await copyToClipboard(snippet);
+        const orig = btn.textContent;
+        btn.textContent = 'copied ✓';
+        setTimeout(() => { btn.textContent = orig; }, 1400);
+      });
+    });
+
+    document.getElementById('apiTryRun')?.addEventListener('click', async () => {
+      const endpoint = document.getElementById('apiTryEndpoint').value;
+      const model = document.getElementById('apiTryModel').value || 'claude-sonnet-4.6';
+      const prompt = document.getElementById('apiTryPrompt').value || '';
+      const status = document.getElementById('apiTryStatus');
+      const meta = document.getElementById('apiTryMeta');
+      const wrap = document.getElementById('apiTryResultWrap');
+      const out = document.getElementById('apiTryResult');
+      if (!prompt.trim()) { status.textContent = 'add a prompt first'; return; }
+
+      let body;
+      if (endpoint === '/v1/completion') {
+        body = { caller: 'dashboard-tryout', task_type: 'generic_qa', input: prompt, options: { compression: { enabled: true, mode: 'auto' } } };
+      } else if (endpoint === '/v1/chat/completions') {
+        body = { model, messages: [{ role: 'user', content: prompt }] };
+      } else {
+        body = { model, messages: [{ role: 'user', content: prompt }], max_tokens: 1024 };
+      }
+
+      status.textContent = 'sending…';
+      const t0 = performance.now();
+      try {
+        const res = await fetch((API_BASE || location.origin) + endpoint, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(body),
+        });
+        const dtMs = Math.round(performance.now() - t0);
+        const json = await res.json().catch(() => ({}));
+        status.textContent = `${res.status} ${res.statusText} · ${dtMs} ms`;
+        const c = json?.compression || (json?.metadata?.compression) || null;
+        if (c) {
+          meta.textContent = `compression: applied=${c.applied} · method=${c.method} · before=${c.tokens_before} after=${c.tokens_after} saved=${c.tokens_saved}`;
+        } else {
+          meta.textContent = 'no compression metadata in response';
+        }
+        out.textContent = JSON.stringify(json, null, 2);
+        wrap.style.display = 'block';
+      } catch (err) {
+        status.textContent = 'error: ' + (err.message || err);
+      }
+    });
+
+    async function refreshApiBridgeStatus() {
+      try {
+        const res = await fetch((API_BASE || location.origin) + '/api/dashboard/providers');
+        if (!res.ok) return;
+        const json = await res.json();
+        const allProviders = [
+          ...((json?.data?.grouped?.subscription) || []),
+          ...((json?.data?.grouped?.local) || []),
+        ];
+        document.querySelectorAll('.api-bridge-status').forEach(cell => {
+          const name = cell.dataset.bridge;
+          const p = allProviders.find(x => x.name === name);
+          if (!p) { cell.textContent = 'unknown'; cell.classList.add('err'); return; }
+          if (p.enabled && p.status === 'configured') {
+            cell.textContent = '✓ online';
+            cell.classList.add('ok');
+          } else {
+            cell.textContent = p.status || 'disabled';
+            cell.classList.add('err');
+          }
+        });
+      } catch {
+        /* silent */
+      }
+    }
+
+    // ─── Init ────────────────────────────────────────────────────────────
     async function init() {
       await checkHealth();
       await loadMetrics();
       await loadRequests();
       await loadProviders();
-      connectSSE();
+      await loadSubscriptions();
+      await loadSavings();
+      await loadWallet();
+      await loadHero();
 
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`);
+        const payload = await res.json();
+        if (payload.success) {
+          document.getElementById('routingModeBadge').textContent = payload.data.routingMode;
+          // Apply UI mode (Simple Mode etc.) immediately on load
+          applyUiMode(payload.data.ui ?? { simpleMode: false, hideEmptyProviders: true, showTooltips: true });
+        }
+      } catch (e) { /* non-fatal */ }
+
+      setupPolling();
       setInterval(checkHealth, HEALTH_CHECK_INTERVAL);
-      setInterval(loadMetrics, METRICS_REFRESH_INTERVAL);
+      setInterval(loadSubscriptions, 30000);
+      setInterval(loadHero, 30000); // refresh buddy / events / forecast every 30s
     }
 
-    // Start
     init();
   </script>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/packages/gateway/src/config/models.yaml b/packages/gateway/src/config/models.yaml
index 4a3e46c..7f028e3 100644
--- a/packages/gateway/src/config/models.yaml
+++ b/packages/gateway/src/config/models.yaml
@@ -1,7 +1,7 @@
 # LLM Gateway Model Configuration
 # Ollama base URL: http://192.168.178.169:11434
 
-ollama_base_url: "https://ollama.fichtmueller.org"
+ollama_base_url: "http://127.0.0.1:11434"
 
 tiers:
   fast:
@@ -26,7 +26,7 @@ models:
   qwen2.5:3b:
     tier: fast
     context_length: 32768
-    strengths: [classification, short_text, routing]
+    strengths: [classification, summarization, routing]
     max_tokens_default: 512
 
   qwen2.5:7b:
@@ -35,83 +35,58 @@ models:
     strengths: [classification, summarization, short_analysis]
     max_tokens_default: 1024
 
-  phi3.5:3.8b:
+  qwen2.5:7b-instruct:
     tier: fast
-    context_length: 128000
-    strengths: [classification, summarization]
+    context_length: 32768
+    strengths: [classification, summarization, short_analysis]
+    max_tokens_default: 1024
+
+  qwen2.5-coder:7b-instruct:
+    tier: fast
+    context_length: 32768
+    strengths: [code_generation, technical_analysis, routing]
     max_tokens_default: 512
 
   # ─── MAGATAMA — Fine-tuned Security Intelligence (Context X) ─────────────────
   magatama:32b:
     tier: large
     context_length: 131072
-    strengths: [security_analysis, threat_intelligence, compliance, bgp_security, incident_response, nis2, ciso_reporting]
+    strengths: [security_analysis, threat_intelligence, compliance, bgp_security, incident_response, nis2, ciso_reporting, complex_writing, deep_analysis, technical]
     max_tokens_default: 4096
     description: "MAGATAMA まがたま — TEPPEKI 7-pillar security AI, fine-tuned on Qwen2.5-32B"
 
-  # Custom fine-tuned models (Context X)
-  ctxhealer:latest:
-    tier: medium
-    context_length: 32768
-    strengths: [infrastructure_diagnosis, root_cause_analysis, remediation_steps]
-    max_tokens_default: 1024
-
-  llama-guard3:1b:
-    tier: fast
-    context_length: 8192
-    strengths: [safety_classification, threat_detection]
-    max_tokens_default: 256
-
   # Medium tier
   qwen2.5:14b:
     tier: medium
     context_length: 131072
-    strengths: [general, writing, analysis, coding]
+    strengths: [general, writing, analysis, coding, dialogue]
     max_tokens_default: 2048
 
-  mistral:7b:
+  magatama-llm-v2-0:latest:
     tier: medium
-    context_length: 32768
-    strengths: [general, writing]
+    context_length: 131072
+    strengths: [general, writing, analysis, coding, dialogue]
     max_tokens_default: 2048
 
-  llama3.2:8b:
-    tier: medium
-    context_length: 128000
-    strengths: [general, chat, analysis]
-    max_tokens_default: 2048
-
-  deepseek-r1:8b:
+  magatama-coder:latest:
     tier: medium
     context_length: 65536
-    strengths: [reasoning, analysis, coding]
+    strengths: [code_generation, technical_analysis, debugging]
     max_tokens_default: 2048
 
   # Large tier
   qwen2.5:32b:
     tier: large
     context_length: 131072
-    strengths: [complex_writing, deep_analysis, technical]
-    max_tokens_default: 4096
-
-  llama3.3:70b:
-    tier: large
-    context_length: 128000
-    strengths: [complex_reasoning, long_form, research]
-    max_tokens_default: 4096
-
-  deepseek-r1:32b:
-    tier: large
-    context_length: 131072
-    strengths: [chain_of_thought, complex_reasoning]
+    strengths: [complex_writing, deep_analysis, technical, security_analysis]
     max_tokens_default: 4096
 
 # Fallback chains per tier
 fallback_chains:
-  fast: [qwen2.5:3b, qwen2.5:7b, phi3.5:3.8b]
-  medium: [qwen2.5:14b, mistral:7b, llama3.2:8b]
-  large: [qwen2.5:32b, llama3.3:70b, deepseek-r1:32b]
-  code_generation: [deepseek-r1:32b, qwen2.5:32b, llama3.3:70b]
+  fast: [qwen2.5:7b-instruct, qwen2.5-coder:7b-instruct]
+  medium: [magatama-llm-v2-0:latest, magatama-coder:latest, qwen2.5:7b-instruct]
+  large: [magatama:32b, magatama-llm-v2-0:latest]
+  code_generation: [magatama-coder:latest, qwen2.5-coder:7b-instruct]
 
 # Cross-tier fallback when primary tier fails
 tier_fallback:
diff --git a/packages/gateway/src/config/routing-rules.yaml b/packages/gateway/src/config/routing-rules.yaml
index 7defb1e..eb7d2d4 100644
--- a/packages/gateway/src/config/routing-rules.yaml
+++ b/packages/gateway/src/config/routing-rules.yaml
@@ -1110,7 +1110,7 @@ routing_rules:
 
   # ─── CONTENT / LINKEDIN ──────────────────────────────────────────────────────
   linkedin_post:
-    model: qwen2.5:32b
+    model: fo-blog-v10
     tier: large
     prompt_template: linkedin_post
     temperature: 0.7
@@ -1118,7 +1118,7 @@ routing_rules:
     output_format: text
     requires_fact_check: false
     validators: [banlist, language, length, question_closer]
-    callers: [n8n, internal]
+    callers: [n8n, internal, linkedin-distributor]
 
   linkedin_comment:
     model: qwen2.5:14b
diff --git a/packages/gateway/src/db/migrations/002-tokenvault-cost-tracking.sql b/packages/gateway/src/db/migrations/002-tokenvault-cost-tracking.sql
index b3d85b7..c8ba81c 100644
--- a/packages/gateway/src/db/migrations/002-tokenvault-cost-tracking.sql
+++ b/packages/gateway/src/db/migrations/002-tokenvault-cost-tracking.sql
@@ -3,7 +3,7 @@
 -- Purpose: Track token compression and cost analytics
 -- PostgreSQL compatible version (version 16+)
 
--- Table: Token compression metrics (LeanCTX, RTK)
+-- Table: Token compression metrics (LLM Gateway)
 CREATE TABLE IF NOT EXISTS tokenvault_metrics (
   id SERIAL PRIMARY KEY,
   file_path VARCHAR(255),
diff --git a/packages/gateway/src/db/schema-extensions.sql b/packages/gateway/src/db/schema-extensions.sql
index 4efdba7..714a203 100644
--- a/packages/gateway/src/db/schema-extensions.sql
+++ b/packages/gateway/src/db/schema-extensions.sql
@@ -1,12 +1,12 @@
 -- Tokenvault & Cost Tracking Schema Extensions
 -- Created: 2026-04-19
--- Purpose: Track token compression (LeanCTX + RTK) and cost analytics
+-- Purpose: Track token compression (LLM Gateway) and cost analytics
 
--- Table: Token compression metrics (LeanCTX, RTK)
+-- Table: Token compression metrics (LLM Gateway)
 CREATE TABLE IF NOT EXISTS tokenvault_metrics (
   id SERIAL PRIMARY KEY,
   file_path VARCHAR(255),
-  mode VARCHAR(50),          -- 'lean-aggressive', 'lean-map', 'rtk-max', etc.
+  mode VARCHAR(50),          -- 'gateway-aggressive', 'gateway-map', 'gateway-trim', etc.
   tokens_before INT,
   tokens_after INT,
   savings_pct DECIMAL(5,2),
@@ -26,7 +26,7 @@ CREATE TABLE IF NOT EXISTS cost_analytics (
   agent_id VARCHAR(50),      -- 'claude-code', 'qwen-reviewer', etc.
   tokens_in INT,
   tokens_out INT,
-  tokens_compressed INT,     -- After LeanCTX + RTK
+  tokens_compressed INT,     -- After LLM Gateway compression
   cost_usd DECIMAL(10,6),
   cost_saved_usd DECIMAL(10,6),
   provider VARCHAR(50),      -- 'ollama', 'cerebras', 'groq', 'claude', etc.
diff --git a/packages/gateway/src/modules/request-logger.ts b/packages/gateway/src/modules/request-logger.ts
index c4e56e9..ee281fc 100644
--- a/packages/gateway/src/modules/request-logger.ts
+++ b/packages/gateway/src/modules/request-logger.ts
@@ -109,6 +109,11 @@ export class RequestLogger {
       cost_usd: number;
       latency_ms: number;
       fallback_used: boolean;
+      compression_mode?: string;
+      compression_tokens_before?: number;
+      compression_tokens_after?: number;
+      compression_tokens_saved?: number;
+      compression_savings_pct?: number;
       error_message?: string;
       created_at: string;
     }>
@@ -116,22 +121,35 @@ export class RequestLogger {
     const result = await this.db.query(
       `
       SELECT
-        request_id,
-        caller_id as caller,
-        task_type,
-        model,
-        status,
-        confidence_score,
-        tokens_in,
-        tokens_out,
-        cost_usd,
-        latency_ms,
-        fallback_used,
-        error_message,
-        created_at
-      FROM request_tracking
-      WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
-      ORDER BY created_at DESC
+        rt.request_id,
+        rt.caller_id as caller,
+        rt.task_type,
+        rt.model,
+        rt.status,
+        rt.confidence_score,
+        rt.tokens_in,
+        rt.tokens_out,
+        rt.cost_usd,
+        rt.latency_ms,
+        rt.fallback_used,
+        tv.mode as compression_mode,
+        tv.tokens_before as compression_tokens_before,
+        tv.tokens_after as compression_tokens_after,
+        GREATEST(COALESCE(tv.tokens_before, 0) - COALESCE(tv.tokens_after, 0), 0) as compression_tokens_saved,
+        tv.savings_pct as compression_savings_pct,
+        rt.error_message,
+        rt.created_at
+      FROM request_tracking rt
+      LEFT JOIN LATERAL (
+        SELECT mode, tokens_before, tokens_after, savings_pct
+        FROM tokenvault_metrics
+        WHERE tool_used = 'gateway'
+          AND file_path = rt.request_id
+        ORDER BY created_at DESC
+        LIMIT 1
+      ) tv ON true
+      WHERE rt.created_at > NOW() - MAKE_INTERVAL(hours => $1)
+      ORDER BY rt.created_at DESC
       LIMIT $2
       `,
       [offsetHours, limit]
@@ -149,6 +167,11 @@ export class RequestLogger {
       cost_usd: row.cost_usd,
       latency_ms: row.latency_ms,
       fallback_used: row.fallback_used,
+      compression_mode: row.compression_mode,
+      compression_tokens_before: row.compression_tokens_before ? parseInt(row.compression_tokens_before, 10) : undefined,
+      compression_tokens_after: row.compression_tokens_after ? parseInt(row.compression_tokens_after, 10) : undefined,
+      compression_tokens_saved: row.compression_tokens_saved ? parseInt(row.compression_tokens_saved, 10) : 0,
+      compression_savings_pct: row.compression_savings_pct ? parseFloat(row.compression_savings_pct) : 0,
       error_message: row.error_message,
       created_at: row.created_at
     }));
@@ -160,6 +183,17 @@ export class RequestLogger {
   async getMetrics(bucketMinutes: number = 60): Promise<{
     total_requests: number;
     total_cost: number;
+    estimated_api_cost: number;
+    estimated_api_cost_avoided: number;
+    total_tokens_in: number;
+    total_tokens_out: number;
+    total_tokens: number;
+    compression_operations: number;
+    compression_tokens_before: number;
+    compression_tokens_after: number;
+    compression_tokens_saved: number;
+    compression_rate: number;
+    cache_hit_rate: number;
     avg_latency: number;
     success_rate: number;
     avg_confidence: number;
@@ -177,13 +211,15 @@ export class RequestLogger {
       `
       SELECT
         COUNT(*) as total_requests,
-        SUM(cost_usd) as total_cost,
-        AVG(latency_ms) as avg_latency,
-        SUM(CASE WHEN status = 'approved' THEN 1 ELSE 0 END)::FLOAT / COUNT(*) as success_rate,
-        AVG(confidence_score) as avg_confidence,
-        SUM(CASE WHEN fallback_used = true THEN 1 ELSE 0 END)::FLOAT / COUNT(*) as fallback_percentage
+        COALESCE(SUM(cost_usd), 0) as total_cost,
+        COALESCE(SUM(tokens_in), 0) as total_tokens_in,
+        COALESCE(SUM(tokens_out), 0) as total_tokens_out,
+        COALESCE(AVG(latency_ms), 0) as avg_latency,
+        CASE WHEN COUNT(*) = 0 THEN 0 ELSE SUM(CASE WHEN status = 'approved' THEN 1 ELSE 0 END)::FLOAT / COUNT(*) END as success_rate,
+        COALESCE(AVG(confidence_score), 0) as avg_confidence,
+        CASE WHEN COUNT(*) = 0 THEN 0 ELSE SUM(CASE WHEN fallback_used = true THEN 1 ELSE 0 END)::FLOAT / COUNT(*) END as fallback_percentage
       FROM request_tracking
-      WHERE created_at > NOW() - MAKE_INTERVAL(mins => $1)
+      WHERE created_at > NOW() - ($1 * INTERVAL '1 minute')
       `,
       [bucketMinutes]
     );
@@ -192,7 +228,7 @@ export class RequestLogger {
       `
       SELECT caller_id as caller, COUNT(*) as count
       FROM request_tracking
-      WHERE created_at > NOW() - MAKE_INTERVAL(mins => $1)
+      WHERE created_at > NOW() - ($1 * INTERVAL '1 minute')
       GROUP BY caller_id
       ORDER BY count DESC
       LIMIT 5
@@ -204,7 +240,7 @@ export class RequestLogger {
       `
       SELECT model, COUNT(*) as count
       FROM request_tracking
-      WHERE created_at > NOW() - MAKE_INTERVAL(mins => $1)
+      WHERE created_at > NOW() - ($1 * INTERVAL '1 minute')
       GROUP BY model
       ORDER BY count DESC
       LIMIT 5
@@ -224,11 +260,47 @@ export class RequestLogger {
       [bucketMinutes]
     );
 
+    const compressionResult = await this.db.query(
+      `
+      SELECT
+        COUNT(*) as operations,
+        COALESCE(SUM(tokens_before), 0) as tokens_before,
+        COALESCE(SUM(tokens_after), 0) as tokens_after,
+        COALESCE(SUM(GREATEST(tokens_before - tokens_after, 0)), 0) as tokens_saved
+      FROM tokenvault_metrics
+      WHERE tool_used = 'gateway'
+        AND created_at > NOW() - ($1 * INTERVAL '1 minute')
+      `,
+      [bucketMinutes]
+    );
+
     const metrics = metricsResult.rows[0];
+    const totalTokensIn = parseInt(metrics.total_tokens_in, 10) || 0;
+    const totalTokensOut = parseInt(metrics.total_tokens_out, 10) || 0;
+    const totalTokens = totalTokensIn + totalTokensOut;
+    const compression = compressionResult.rows[0] ?? {};
+    const compressionTokensBefore = parseInt(compression.tokens_before, 10) || 0;
+    const compressionTokensAfter = parseInt(compression.tokens_after, 10) || 0;
+    const compressionTokensSaved = parseInt(compression.tokens_saved, 10) || 0;
+    const referenceInputCostPer1k = parseFloat(process.env['REFERENCE_INPUT_COST_PER_1K'] ?? '0.005');
+    const referenceOutputCostPer1k = parseFloat(process.env['REFERENCE_OUTPUT_COST_PER_1K'] ?? '0.015');
+    const estimatedApiCost = (totalTokensIn / 1000) * referenceInputCostPer1k + (totalTokensOut / 1000) * referenceOutputCostPer1k;
+    const totalCost = parseFloat(metrics.total_cost) || 0;
 
     return {
       total_requests: parseInt(metrics.total_requests) || 0,
-      total_cost: parseFloat(metrics.total_cost) || 0,
+      total_cost: totalCost,
+      estimated_api_cost: estimatedApiCost,
+      estimated_api_cost_avoided: Math.max(0, estimatedApiCost - totalCost),
+      total_tokens_in: totalTokensIn,
+      total_tokens_out: totalTokensOut,
+      total_tokens: totalTokens,
+      compression_operations: parseInt(compression.operations, 10) || 0,
+      compression_tokens_before: compressionTokensBefore,
+      compression_tokens_after: compressionTokensAfter,
+      compression_tokens_saved: compressionTokensSaved,
+      compression_rate: compressionTokensBefore > 0 ? compressionTokensSaved / compressionTokensBefore : 0,
+      cache_hit_rate: 0,
       avg_latency: Math.round(parseFloat(metrics.avg_latency) || 0),
       success_rate: parseFloat(metrics.success_rate) || 0,
       avg_confidence: parseFloat(metrics.avg_confidence) || 0,
diff --git a/packages/gateway/src/observability/cost-calculator.ts b/packages/gateway/src/observability/cost-calculator.ts
index 4ca992b..59df50a 100644
--- a/packages/gateway/src/observability/cost-calculator.ts
+++ b/packages/gateway/src/observability/cost-calculator.ts
@@ -101,7 +101,7 @@ export function calculateCost(
 /**
  * Calculate cost savings from compression
  * @param model Model identifier
- * @param tokensBeforeCompression Tokens before LeanCTX + RTK
+ * @param tokensBeforeCompression Tokens before LLM Gateway compression
  * @param tokensAfterCompression Tokens after compression
  * @returns Savings in USD
  */
diff --git a/packages/gateway/src/pipeline/external-providers.ts b/packages/gateway/src/pipeline/external-providers.ts
index 244d07e..aaf3643 100644
--- a/packages/gateway/src/pipeline/external-providers.ts
+++ b/packages/gateway/src/pipeline/external-providers.ts
@@ -47,7 +47,7 @@ const PROVIDERS: readonly ExternalProvider[] = [
     enabled: true,
     models: [
       { id: 'claude-opus-4-1', tier: 'reasoning', contextLength: 200000 },
-      { id: 'claude-sonnet-4-1', tier: 'large', contextLength: 200000 },
+      { id: 'claude-sonnet-4-6', tier: 'large', contextLength: 200000 },
       { id: 'claude-haiku-3', tier: 'fast', contextLength: 200000 },
     ],
   },
@@ -86,6 +86,17 @@ const PROVIDERS: readonly ExternalProvider[] = [
       { id: 'gpt-3.5-turbo', tier: 'medium', contextLength: 4096 },
     ],
   },
+  {
+    name: 'm365-copilot-bridge',
+    baseUrl: '', // constructed from M365_COPILOT_BRIDGE_URL env var
+    envKey: 'M365_COPILOT_BRIDGE_URL',
+    rateLimitRpm: 60,
+    enabled: true,
+    models: [
+      { id: 'microsoft-365-copilot', tier: 'reasoning', contextLength: 128000 },
+      { id: 'm365-copilot-chat', tier: 'large', contextLength: 128000 },
+    ],
+  },
   {
     name: 'cerebras',
     baseUrl: 'https://api.cerebras.ai/v1',
@@ -146,12 +157,13 @@ const PROVIDERS: readonly ExternalProvider[] = [
   {
     name: 'openai-codex',
     baseUrl: 'https://api.openai.com/v1',
-    envKey: 'OPENAI_API_KEY',
+    envKey: 'OPENAI_CODEX_URL',
     rateLimitRpm: 60,
     enabled: true,
     models: [
-      { id: 'gpt-4-turbo', tier: 'reasoning', contextLength: 128000 },
-      { id: 'gpt-3.5-turbo', tier: 'fast', contextLength: 16384 },
+      { id: 'gpt-5.1-codex', tier: 'reasoning', contextLength: 256000 },
+      { id: 'gpt-5.1-codex-mini', tier: 'large', contextLength: 256000 },
+      { id: 'codex-mini-latest', tier: 'medium', contextLength: 200000 },
     ],
   },
   {
@@ -162,23 +174,35 @@ const PROVIDERS: readonly ExternalProvider[] = [
     enabled: true,
     models: [
       { id: 'claude-opus-4-1', tier: 'reasoning', contextLength: 200000 },
-      { id: 'claude-sonnet-4-1', tier: 'large', contextLength: 200000 },
+      { id: 'claude-sonnet-4-6', tier: 'large', contextLength: 200000 },
       { id: 'claude-haiku-3', tier: 'fast', contextLength: 200000 },
     ],
   },
   {
     name: 'codex',
     baseUrl: 'https://api.github.com/copilot_inner/v2',
-    envKey: 'GITHUB_CODEX_TOKEN',
+    envKey: 'CODEX_BRIDGE_URL',
     rateLimitRpm: 60,
     enabled: true,
     models: [
-      { id: 'github-copilot-x', tier: 'large', contextLength: 8192 },
-      { id: 'code-davinci-002', tier: 'medium', contextLength: 4096 },
+      { id: 'gpt-5.1-codex', tier: 'reasoning', contextLength: 256000 },
+      { id: 'gpt-5.1-codex-mini', tier: 'large', contextLength: 256000 },
+      { id: 'codex-mini-latest', tier: 'medium', contextLength: 200000 },
     ],
   },
 ];
 
+const AUTHLESS_BRIDGE_PROVIDERS = new Set([
+  'claude-bridge',
+  'claude-code',
+  'openai-bridge',
+  'chatgpt-bridge',
+  'copilot-bridge',
+  'm365-copilot-bridge',
+]);
+
+const GENERATE_BRIDGE_PROVIDERS = new Set(['claude-bridge', 'claude-code']);
+
 // ─── Rate Limiter (simple sliding window) ───────────────────────────
 
 const requestTimestamps: Map<string, number[]> = new Map();
@@ -213,25 +237,34 @@ function getApiKey(provider: ExternalProvider): string | undefined {
     return url ? 'claude-code-enabled' : undefined;
   }
   if (provider.name === 'openai-bridge') {
-    // openai-bridge uses OPENAI_API_KEY for auth, but also needs bridge URL
-    const apiKey = process.env['OPENAI_API_KEY'];
+    // Subscription bridge auth is handled by the bridge process/CLI session.
     const url = process.env['OPENAI_BRIDGE_URL'];
-    return apiKey && url ? apiKey : undefined;
+    return url ? 'openai-bridge-enabled' : undefined;
   }
   if (provider.name === 'chatgpt-bridge') {
-    // chatgpt-bridge can use same URL as openai-bridge (same service), but needs API key
-    const apiKey = process.env['OPENAI_API_KEY'];
+    // ChatGPT Plus bridge can reuse the OpenAI bridge when configured that way.
     const url = process.env['CHATGPT_BRIDGE_URL'] || process.env['OPENAI_BRIDGE_URL'];
-    return apiKey && url ? apiKey : undefined;
+    return url ? 'chatgpt-bridge-enabled' : undefined;
   }
   if (provider.name === 'copilot-bridge') {
-    // copilot-bridge uses GitHub Copilot subscription (auth handled internally by copilot-api)
-    // Just needs URL to be configured
+    // copilot-bridge uses GitHub Copilot subscription (auth handled internally by copilot-api).
     const url = process.env['COPILOT_BRIDGE_URL'];
     return url ? 'copilot-authenticated' : undefined;
   }
+  if (provider.name === 'm365-copilot-bridge') {
+    // Microsoft 365 Copilot uses Microsoft Graph delegated auth inside the bridge.
+    const url = process.env['M365_COPILOT_BRIDGE_URL'];
+    return url ? 'm365-copilot-bridge-enabled' : undefined;
+  }
+  if (provider.name === 'openai-codex') {
+    const bridgeUrl = process.env['OPENAI_CODEX_URL'] || process.env['CODEX_BRIDGE_URL'];
+    if (bridgeUrl) return 'openai-codex-bridge-enabled';
+    return process.env['OPENAI_API_KEY'] || undefined;
+  }
   if (provider.name === 'codex') {
-    // codex uses GitHub Codex API token
+    // Codex can run through an authless local/subscription bridge. A token remains supported as fallback.
+    const bridgeUrl = process.env['CODEX_BRIDGE_URL'] || process.env['OPENAI_CODEX_URL'];
+    if (bridgeUrl) return 'codex-bridge-enabled';
     const token = process.env['GITHUB_CODEX_TOKEN'];
     return token ? token : undefined;
   }
@@ -241,11 +274,11 @@ function getApiKey(provider: ExternalProvider): string | undefined {
 function getBaseUrl(provider: ExternalProvider): string {
   if (provider.name === 'claude-bridge') {
     const url = process.env['CLAUDE_BRIDGE_URL'];
-    return url ? `${url}/v1` : '';
+    return url ?? '';
   }
   if (provider.name === 'claude-code') {
     const url = process.env['CLAUDE_CODE_URL'];
-    return url ? `${url}/v1` : '';
+    return url ?? '';
   }
   if (provider.name === 'openai-bridge') {
     const url = process.env['OPENAI_BRIDGE_URL'];
@@ -257,7 +290,19 @@ function getBaseUrl(provider: ExternalProvider): string {
   }
   if (provider.name === 'copilot-bridge') {
     const url = process.env['COPILOT_BRIDGE_URL'];
-    return url ? `${url}` : '';
+    return url ? `${url}/v1` : '';
+  }
+  if (provider.name === 'm365-copilot-bridge') {
+    const url = process.env['M365_COPILOT_BRIDGE_URL'];
+    return url ? `${url}/v1` : '';
+  }
+  if (provider.name === 'openai-codex') {
+    const url = process.env['OPENAI_CODEX_URL'] || process.env['CODEX_BRIDGE_URL'];
+    return url ? `${url}/v1` : provider.baseUrl;
+  }
+  if (provider.name === 'codex') {
+    const url = process.env['CODEX_BRIDGE_URL'] || process.env['OPENAI_CODEX_URL'];
+    return url ? `${url}/v1` : provider.baseUrl;
   }
   if (provider.name === 'cloudflare') {
     const accountId = process.env['CLOUDFLARE_ACCOUNT_ID'];
@@ -271,6 +316,11 @@ export function getAvailableProviders(): readonly ExternalProvider[] {
   return PROVIDERS.filter((p) => p.enabled && getApiKey(p));
 }
 
+/** Returns ALL configured providers (enabled or not, with or without API key). For dashboard listing. */
+export function getAllProviders(): readonly ExternalProvider[] {
+  return PROVIDERS;
+}
+
 function findBestModel(
   provider: ExternalProvider,
   targetTier: 'fast' | 'medium' | 'large' | 'reasoning',
@@ -296,7 +346,11 @@ function findBestModel(
 
 function buildRequestHeaders(provider: ExternalProvider, apiKey: string): Record<string, string> {
   const headers: Record<string, string> = { 'Content-Type': 'application/json' };
-  if (!['claude-bridge', 'claude-code', 'openai-bridge', 'chatgpt-bridge', 'copilot-bridge'].includes(provider.name)) {
+  const usesAuthlessBridge = AUTHLESS_BRIDGE_PROVIDERS.has(provider.name)
+    || (provider.name === 'openai-codex' && !!(process.env['OPENAI_CODEX_URL'] || process.env['CODEX_BRIDGE_URL']))
+    || (provider.name === 'codex' && !!(process.env['CODEX_BRIDGE_URL'] || process.env['OPENAI_CODEX_URL']));
+
+  if (!usesAuthlessBridge) {
     headers['Authorization'] = `Bearer ${apiKey}`;
   }
   return headers;
@@ -311,13 +365,29 @@ function buildRequestPayload(model: ExternalModel, request: ExternalCompletionRe
   };
 }
 
+function buildGenerateBridgePayload(model: ExternalModel, request: ExternalCompletionRequest): Record<string, unknown> {
+  const system = request.messages.find((m) => m.role === 'system')?.content;
+  const prompt = request.messages
+    .filter((m) => m.role !== 'system')
+    .map((m) => `${m.role}: ${m.content}`)
+    .join('\n\n');
+
+  return {
+    model: model.id,
+    prompt,
+    system,
+    temperature: request.temperature ?? 0.3,
+    max_tokens: request.max_tokens ?? 2048,
+  };
+}
+
 function parseExternalResponse(
   data: any,
   model: ExternalModel,
   provider: ExternalProvider,
   start: number,
 ): ExternalCompletionResponse {
-  const content = data.choices?.[0]?.message?.content ?? '';
+  const content = data.choices?.[0]?.message?.content ?? data.content ?? data.response ?? data.message?.content ?? '';
   recordRequest(provider.name);
   return {
     response: content,
@@ -341,14 +411,15 @@ async function callProvider(
   const baseUrl = getBaseUrl(provider);
   if (!baseUrl) throw new Error(`No base URL for ${provider.name}`);
 
-  const url = `${baseUrl}/chat/completions`;
+  const generateBridge = GENERATE_BRIDGE_PROVIDERS.has(provider.name);
+  const url = generateBridge ? `${baseUrl}/api/generate` : `${baseUrl}/chat/completions`;
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   const start = Date.now();
 
   try {
     const headers = buildRequestHeaders(provider, apiKey);
-    const payload = buildRequestPayload(model, request);
+    const payload = generateBridge ? buildGenerateBridgePayload(model, request) : buildRequestPayload(model, request);
 
     const response = await fetch(url, {
       method: 'POST',
diff --git a/packages/gateway/src/pipeline/request-scorer.ts b/packages/gateway/src/pipeline/request-scorer.ts
index 6f81d25..7998c10 100644
--- a/packages/gateway/src/pipeline/request-scorer.ts
+++ b/packages/gateway/src/pipeline/request-scorer.ts
@@ -728,6 +728,36 @@ function handleFormalLogicOverride(
   return result;
 }
 
+// ── Helper: Code Generation Intent Override ───────────────────────────────
+
+const CODE_GENERATION_PATTERNS = [
+  /\bwrite\s+(?:a\s+)?(?:typescript|javascript|python|go|rust|react|next\.js|node)?\s*(?:function|class|script|module|component|test|handler|middleware)\b/i,
+  /\b(?:implement|create|build|generate|scaffold)\b[\s\S]{0,160}\b(?:api|endpoint|function|class|component|service|schema|migration|crud|jwt|test|project|module)\b/i,
+  /\b(?:rest|graphql)\s+api\b[\s\S]{0,160}\b(?:implement|create|build|endpoint|authentication|jwt)\b/i,
+];
+
+function handleCodeGenerationOverride(
+  fullText: string,
+  input: ScorerInput,
+  userMessages: readonly WeightedMessage[],
+): ScoringResult | null {
+  if (!CODE_GENERATION_PATTERNS.some((pattern) => pattern.test(fullText))) {
+    return null;
+  }
+
+  const dimensions = computeAllDimensions(input, userMessages, fullText);
+  const result: ScoringResult = {
+    tier: 'code_generation',
+    score: 0.62,
+    confidence: 0.86,
+    reason: 'code generation intent detected',
+    dimensions,
+  };
+  recordSessionTier('code_generation');
+  logger.debug({ tier: 'code_generation', reason: 'code_generation_override' }, 'Request scored via code generation override');
+  return result;
+}
+
 // ── Helper: Apply Score Overrides ──────────────────────────────────────────
 
 interface ScoreOverridesInput {
@@ -754,6 +784,7 @@ function applyScoreOverrides(
   const codeGenDim = dimensions.find((d) => d.name === 'codeGeneration');
   if (codeGenDim && codeGenDim.rawScore > 0.25) {
     tier = 'code_generation';
+    confidence = Math.max(confidence, 0.78);
     reason = 'code generation keywords detected';
   }
 
@@ -771,7 +802,7 @@ function applyScoreOverrides(
   }
 
   // Ambiguity check
-  if (confidence < 0.45) {
+  if (confidence < 0.45 && tier !== 'code_generation' && tier !== 'reasoning') {
     tier = 'medium';
     reason = 'ambiguous (confidence < 0.45, defaulting to medium)';
   }
@@ -795,6 +826,9 @@ export function scoreRequest(
   const formalLogicResult = handleFormalLogicOverride(fullText, input, userMessages);
   if (formalLogicResult) return formalLogicResult;
 
+  const codeGenerationResult = handleCodeGenerationOverride(fullText, input, userMessages);
+  if (codeGenerationResult) return codeGenerationResult;
+
   const dimensions = computeAllDimensions(input, userMessages, fullText);
   let rawScore = 0;
   for (const dim of dimensions) {
diff --git a/packages/gateway/src/pipeline/router.ts b/packages/gateway/src/pipeline/router.ts
index 6b03d6e..0f76eee 100644
--- a/packages/gateway/src/pipeline/router.ts
+++ b/packages/gateway/src/pipeline/router.ts
@@ -184,14 +184,14 @@ export function getOllamaBaseUrl(): string {
 /**
  * Maps a scorer tier to the best primary model and its fallback chain.
  * The 'reasoning' tier uses llama3.3:70b (complex_reasoning strength) from the large tier.
- * The 'code_generation' tier uses OpenAI Codex (gpt-4-turbo) as primary via external provider.
+ * The 'code_generation' tier uses OpenAI Codex as primary via external provider.
  */
 const TIER_MODEL_MAP: Record<Tier, { primary: string; configTier: 'fast' | 'medium' | 'large'; provider?: string }> = {
   fast: { primary: 'qwen2.5:3b', configTier: 'fast' },
   medium: { primary: 'qwen2.5:14b', configTier: 'medium' },
   large: { primary: 'qwen2.5:32b', configTier: 'large' },
   reasoning: { primary: 'llama3.3:70b', configTier: 'large' },
-  code_generation: { primary: 'gpt-4-turbo', configTier: 'large', provider: 'openai-codex' },
+  code_generation: { primary: 'gpt-5.1-codex-mini', configTier: 'large', provider: 'openai-codex' },
 };
 
 function buildMediumTierFallback(
@@ -223,7 +223,8 @@ function buildScoredFallbackChain(
   models: ModelsYaml,
 ): string[] {
   if (tier === 'reasoning' || tier === 'code_generation') {
-    return [selectedModel, ...buildFallbackChain(selectedModel, configTier, models).filter((m) => m !== selectedModel)];
+    const fallbackTier = tier === 'code_generation' ? 'code_generation' : configTier;
+    return [selectedModel, ...buildFallbackChain(selectedModel, fallbackTier, models).filter((m) => m !== selectedModel)];
   }
   return buildFallbackChain(selectedModel, configTier, models);
 }
@@ -302,7 +303,7 @@ export function routeByScore(
   const mapping = TIER_MODEL_MAP[scoringResult.tier];
   const selectedModel = mapping.primary;
   const configTier = mapping.configTier;
-  const tierConfig = models.tiers[configTier];
+  const tierConfig = models.tiers[scoringResult.tier] ?? models.tiers[configTier];
 
   if (!tierConfig) {
     logger.error({ tier: configTier }, 'Tier config not found in models.yaml, falling back to medium');
diff --git a/packages/gateway/src/routes/completion.ts b/packages/gateway/src/routes/completion.ts
index 95f1946..ad1d2ec 100644
--- a/packages/gateway/src/routes/completion.ts
+++ b/packages/gateway/src/routes/completion.ts
@@ -1,12 +1,32 @@
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
 import { z } from 'zod';
+import yaml from 'js-yaml';
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join } from 'path';
+import { fileURLToPath } from 'url';
 import { classifyInput } from '../pipeline/pre-classifier.js';
 import { route } from '../pipeline/router.js';
+import { detectCaller } from '../modules/caller-detection.js';
+import {
+  computeCacheKey,
+  getCachedResponse,
+  getSemanticCachedResponse,
+  setCachedResponse,
+  recordCacheHit,
+} from '../modules/response-cache.js';
+import {
+  applyPoolRouting,
+  modelToSubscriptionId,
+  recordSubscriptionUsage,
+} from '../modules/subscription-wallet.js';
+import { runRace, auditRaceResults, type RaceStrategy, type RaceCandidateResult } from '../modules/race-mode.js';
 import { resolvePrompt } from '../pipeline/prompt-resolver.js';
+import { getAllProviders } from '../pipeline/external-providers.js';
 import {
   callOllamaWithFallbackChainInstrumented,
   callExternalProviderPrimaryInstrumented,
 } from '../pipeline/instrumented-llm-client.js';
+import { callOllama } from '../pipeline/llm-client.js';
 import { runPostValidation } from '../pipeline/post-validator.js';
 import { evaluateConfidence } from '../pipeline/confidence-gate.js';
 import { writeAuditLog, writeBanAnalytics, hashText } from '../observability/audit-log.js';
@@ -21,18 +41,35 @@ import {
   validationFailuresTotal,
 } from '../observability/metrics.js';
 import { logger } from '../observability/logger.js';
-// import { ShieldX } from '@shieldx/core'; // TODO: Link @shieldx/core properly
 import { calculateCost, calculateSavings, calculateCompressionRatio } from '../observability/cost-calculator.js';
-import { logCostImpact } from '../utils/tokenvault-hooks.js';
+import { logCompressionMetric, logCostImpact } from '../utils/tokenvault-hooks.js';
 import { costStream } from '../observability/cost-stream.js';
 import { recordRoutingDecision, trackFallbackChain } from '../observability/routing-instrumentation.js';
 import { createRequestLogger } from '../modules/request-logger.js';
+import { compressContext, type CompressionResult } from '../modules/context-compressor.js';
+import {
+  scanForInjection,
+  decideAction,
+  llmJudge,
+  getInjectionMode,
+  isCallerExempt,
+  type InjectionScanResult,
+} from '../modules/injection-defense.js';
+import {
+  redactPii,
+  restorePii,
+  getRedactMode,
+  shouldRedactFor,
+} from '../modules/pii-redaction.js';
+import { splitReasoningTrace, storeReasoningTrace } from '../modules/reasoning-trace.js';
+import { getRoutingOverride } from '../modules/workspace-presets.js';
+import { runPreComplete, runPostComplete } from '../modules/plugin-system.js';
+import { getAdaptiveRecommendation } from '../modules/adaptive-routing.js';
+import { guardOutputStream, getOutputDefenseMode } from '../modules/output-defense.js';
+import { callPromptGuard, isPromptGuardConfigured, getPromptGuardThreshold, getPromptGuardMinLen } from '../modules/prompt-guard-client.js';
 
-// TODO: ShieldX — Link @shieldx/core properly
-// // Singleton ShieldX instance — initialized once, sub-millisecond scans
 // // Disable Ollama-dependent scanners (sentinel, constitutional, embedding, attention)
 // // to keep gateway scans fast and dependency-free
-// const shieldx = new ShieldX({
 //   scanners: {
 //     rules: true,           // 547+ rules, 50+ languages
 //     sentinel: false,       // Requires Ollama
@@ -66,22 +103,138 @@ const CompletionRequestSchema = z.object({
       temperature: z.number().min(0).max(2).optional(),
       max_tokens: z.number().int().positive().max(16_384).optional(),
       return_validation_details: z.boolean().optional(),
+      skip_cache: z.boolean().optional(),
+      fuzzy_cache: z.boolean().optional(),
+      fuzzy_threshold: z.number().min(0.5).max(1).optional(),
+      cache_ttl: z.number().int().positive().optional(),
+      compression: z
+        .object({
+          enabled: z.boolean().optional(),
+          mode: z.enum(['auto', 'off', 'aggressive']).optional(),
+          target_tokens: z.number().int().positive().max(64_000).optional(),
+        })
+        .optional(),
     })
     .optional(),
 });
 
 type CompletionRequest = z.infer<typeof CompletionRequestSchema>;
 
-// TODO: Enable when ShieldX dependency is linked
-// const SKIP_SHIELDX_CALLERS = new Set(['internal', 'shieldx']);
+function shouldBypassResponseCache(caller: string): boolean {
+  const normalized = caller.toLowerCase();
+  return normalized.includes('claude-code')
+    || normalized.includes('codex')
+    || normalized.includes('copilot');
+}
+
+function inputForPromptGuard(input: string): string {
+  const cleaned = input.replace(/^(user|assistant|system|developer):\s*/gim, '').trim();
+  return cleaned || input;
+}
+
+function shouldRunPromptGuard(input: string, scan: InjectionScanResult): boolean {
+  if (scan.matches.length > 0) return true;
+
+  const cleaned = inputForPromptGuard(input).normalize('NFKC');
+  return [
+    /\b(?:ignore|disregard|forget|override|bypass|jailbreak)\b[\s\S]{0,120}\b(?:instructions?|rules?|prompt|policy|safety)\b/i,
+    /\b(?:you\s+are\s+now|act\s+as|pretend\s+to\s+be|developer\s+mode|root\s+administrator|runtime\s+controller|security\s+auditor)\b/i,
+    /\b(?:show|print|dump|reveal|output)\b[\s\S]{0,160}\b(?:system\s+prompt|developer\s+prompt|hidden|runtime|memory|tools?|filters?|policy|classifier|chain-of-thought|reasoning)\b/i,
+    /\b(?:passwords?|passw(?:o|ö)rter|credentials?|api\s*keys?|tokens?|secrets?)\b[\s\S]{0,160}\b(?:print|show|write|paste|send|share|reveal|chat|anmelden|log\s*in)\b/i,
+    /\b(?:base64|rot13|hex\s+encoded|decode|execute|run\s+this)\b/i,
+    /[\u200B-\u200F\u202A-\u202E\u2060-\u2064\uFEFF]/,
+    /\b[A-Za-z0-9+/]{40,}={0,2}\b/,
+    /\b(?:[0-9a-fA-F]{2}){16,}\b/,
+  ].some((pattern) => pattern.test(cleaned));
+}
+
+const ChatMessageSchema = z.object({
+  role: z.string().min(1),
+  content: z.union([z.string(), z.array(z.unknown()), z.null()]).optional(),
+});
+
+// Tool / function-calling shape (OpenAI Chat Completions tools API).
+// We accept and forward tool definitions transparently to the upstream.
+const ToolFunctionSchema = z.object({
+  name: z.string().min(1),
+  description: z.string().optional(),
+  parameters: z.record(z.unknown()).optional(),
+});
+const ToolSchema = z.object({
+  type: z.literal('function'),
+  function: ToolFunctionSchema,
+});
+
+const OpenAIChatCompletionRequestSchema = z.object({
+  model: z.string().min(1).default('llm-gateway-auto'),
+  messages: z.array(ChatMessageSchema).min(1),
+  temperature: z.number().min(0).max(2).optional(),
+  max_tokens: z.number().int().positive().max(16_384).optional(),
+  stream: z.boolean().optional(),
+  user: z.string().optional(),
+  // Tool / function-calling pass-through
+  tools: z.array(ToolSchema).optional(),
+  tool_choice: z.union([
+    z.literal('auto'),
+    z.literal('none'),
+    z.literal('required'),
+    z.object({ type: z.literal('function'), function: z.object({ name: z.string() }) }),
+  ]).optional(),
+  // Legacy function-calling (still supported by many clients)
+  functions: z.array(ToolFunctionSchema).optional(),
+  function_call: z.union([z.string(), z.object({ name: z.string() })]).optional(),
+  // Response format (json_object, json_schema)
+  response_format: z.object({
+    type: z.enum(['text', 'json_object', 'json_schema']),
+    json_schema: z.record(z.unknown()).optional(),
+  }).optional(),
+  // Vision: messages already accept array content via ChatMessageSchema's z.array(z.unknown())
+});
+
+type OpenAIChatCompletionRequest = z.infer<typeof OpenAIChatCompletionRequestSchema>;
+
+// ─── Anthropic Messages API compat ───────────────────────────────────────────
+const AnthropicMessageSchema = z.object({
+  role: z.enum(['user', 'assistant']),
+  content: z.union([z.string(), z.array(z.unknown())]),
+});
+
+const AnthropicMessagesRequestSchema = z.object({
+  model: z.string().min(1).default('llm-gateway-auto'),
+  messages: z.array(AnthropicMessageSchema).min(1),
+  system: z.union([z.string(), z.array(z.unknown())]).optional(),
+  max_tokens: z.number().int().positive().max(16_384).default(1024),
+  temperature: z.number().min(0).max(1).optional(),
+  top_p: z.number().min(0).max(1).optional(),
+  stream: z.boolean().optional(),
+  metadata: z.record(z.string(), z.unknown()).optional(),
+});
+
+type AnthropicMessagesRequest = z.infer<typeof AnthropicMessagesRequestSchema>;
+
+const OpenAIResponsesRequestSchema = z.object({
+  model: z.string().min(1).default('llm-gateway-auto'),
+  input: z.union([z.string(), z.array(z.unknown())]),
+  instructions: z.string().optional(),
+  temperature: z.number().min(0).max(2).optional(),
+  max_output_tokens: z.number().int().positive().max(16_384).optional(),
+  stream: z.boolean().optional(),
+  user: z.string().optional(),
+  metadata: z.record(z.unknown()).optional(),
+});
+
+type OpenAIResponsesRequest = z.infer<typeof OpenAIResponsesRequestSchema>;
+
+interface GatewayCompletionResult {
+  statusCode: number;
+  body: Record<string, unknown>;
+}
+
 
-// TODO: Enable when ShieldX dependency is linked
-// async function runShieldXScan(
 //   input: string,
 //   caller: string,
 // ): Promise<{ passed: boolean; reason?: string; threatLevel?: string; phase?: string; latencyMs?: number }> {
 //   try {
-//     const result = await shieldx.scanInput(input);
 //
 //     if (result.detected) {
 //       logger.warn({
@@ -93,7 +246,6 @@ type CompletionRequest = z.infer<typeof CompletionRequestSchema>;
 //         ensemble: result.ensemble,
 //         atlasMapping: result.atlasMapping?.techniqueIds?.slice(0, 5),
 //         scannerCount: result.scanResults.length,
-//       }, 'ShieldX threat detected — input blocked');
 //
 //       return {
 //         passed: false,
@@ -106,7 +258,6 @@ type CompletionRequest = z.infer<typeof CompletionRequestSchema>;
 //
 //     return { passed: true, latencyMs: result.latencyMs };
 //   } catch (err) {
-//     logger.error({ err, caller }, 'ShieldX scan error — failing open');
 //     return { passed: true };
 //   }
 // }
@@ -169,7 +320,7 @@ function recordAllMetrics(caller: string, taskType: string, confidenceResult: an
   }
 }
 
-async function auditAndTrackCosts(caller: string, taskType: string, input: string, outputText: string, latencyMs: number, ollamaResponse: any, resolved: any, decision: ReturnType<typeof route>, confidenceResult: any, validationOutput: any, classificationResult: any, callId: string): Promise<{ costUsd: number; costSavedUsd: number }> {
+async function auditAndTrackCosts(caller: string, taskType: string, input: string, outputText: string, latencyMs: number, ollamaResponse: any, resolved: any, decision: ReturnType<typeof route>, confidenceResult: any, validationOutput: any, classificationResult: any, callId: string, compression?: CompressionResult): Promise<{ costUsd: number; costSavedUsd: number }> {
   const inputHash = hashText(input);
   const outputHash = hashText(outputText);
 
@@ -178,7 +329,12 @@ async function auditAndTrackCosts(caller: string, taskType: string, input: strin
     input_hash: inputHash, output_text: confidenceResult.status !== 'pending_review' ? outputText : undefined, output_hash: outputHash,
     token_count_in: ollamaResponse.prompt_eval_count ?? 0, token_count_out: ollamaResponse.eval_count ?? 0, latency_ms: latencyMs,
     confidence: confidenceResult.score, status: confidenceResult.status, validation_log: validationOutput.results, ban_hits: validationOutput.ban_violations,
-    metadata: { classification: classificationResult, model_tier: decision.tier, fallback_used: ollamaResponse.model !== decision.model },
+    metadata: {
+      classification: classificationResult,
+      model_tier: decision.tier,
+      fallback_used: ollamaResponse.model !== decision.model,
+      compression: compression ? buildCompressionResponse(compression) : undefined,
+    },
   });
 
   if (validationOutput.ban_violations.length > 0) {
@@ -192,9 +348,20 @@ async function auditAndTrackCosts(caller: string, taskType: string, input: strin
   const db = getPool();
   const tokensIn = ollamaResponse.prompt_eval_count ?? 0;
   const tokensOut = ollamaResponse.eval_count ?? 0;
-  const tokensCompressed = tokensIn + tokensOut;
+  const tokensCompressed = (compression?.tokensAfter ?? tokensIn) + tokensOut;
   const costUsd = calculateCost(decision.model, tokensIn, tokensOut);
-  const costSavedUsd = calculateSavings(decision.model, tokensCompressed, tokensCompressed);
+  const costSavedUsd = compression?.applied
+    ? calculateSavings(decision.model, compression.tokensBefore, compression.tokensAfter)
+    : 0;
+
+  void logCompressionMetric(db, {
+    filePath: callId,
+    mode: compression ? `${compression.method}:${compression.strategy}` : 'none:none',
+    tokensBefore: compression?.tokensBefore ?? tokensIn,
+    tokensAfter: compression?.tokensAfter ?? tokensIn,
+    savingsPct: compression ? Math.round(compression.ratio * 10000) / 100 : 0,
+    toolUsed: 'gateway',
+  });
 
   void logCostImpact(db, callId, { callId, agent: 'gateway', model: decision.model, project: 'llm-gateway', taskType: taskType ?? 'generic' }, tokensIn, tokensOut, tokensCompressed, costUsd, costSavedUsd, confidenceResult.score);
 
@@ -228,7 +395,920 @@ function buildResponseBody(callId: string, decision: ReturnType<typeof route>, t
   return body;
 }
 
+async function executeCompletion(body: CompletionRequest, startMs: number, callId: string): Promise<GatewayCompletionResult> {
+  const { caller, language, context, options } = body;
+
+  // ─── Plugin pre-hooks (PLUGINS_DIR) ────────────────────────────────────
+  try {
+    const preResult = await runPreComplete({ caller, callId, request: body as unknown as Record<string, unknown> });
+    if (preResult === null) {
+      return { statusCode: 422, body: { error: 'plugin_aborted', message: 'Request aborted by plugin pre-hook' } };
+    }
+    if (preResult && typeof preResult === 'object') {
+      Object.assign(body as unknown as Record<string, unknown>, preResult);
+    }
+  } catch (err) {
+    logger.warn({ err }, 'Plugin preComplete failed; continuing');
+  }
+
+  // ─── PII Redaction (REDACT_PII_MODE: off|cloud_only|always) ─────────────
+  const redactMode = getRedactMode();
+  let piiRestoreMap: Map<string, string> | null = null;
+  if (redactMode !== 'off' && shouldRedactFor(redactMode, 'unknown', caller)) {
+    const r = redactPii(body.input);
+    if (r.restoreMap.size > 0) {
+      body = { ...body, input: r.redacted };
+      piiRestoreMap = r.restoreMap;
+      logger.info(
+        { callId, caller, redactedCounts: r.counts, redactedTokens: r.restoreMap.size },
+        'PII redaction applied',
+      );
+    }
+  }
+
+  // ─── Prompt-injection defense (configurable via INJECTION_DEFENSE_MODE) ──
+  const injectionMode = getInjectionMode();
+  let injectionScan: InjectionScanResult | null = null;
+  if (injectionMode !== 'off' && !isCallerExempt(caller)) {
+    injectionScan = scanForInjection(body.input);
+    const action = decideAction(injectionMode, injectionScan);
+    if (action === 'block') {
+      logger.warn(
+        { caller, callId, score: injectionScan.score, matches: injectionScan.matches.map((m) => m.id) },
+        'Injection defense blocked request',
+      );
+      return {
+        statusCode: 422,
+        body: {
+          error: 'injection_detected',
+          message: 'Request blocked by prompt-injection defense layer',
+          score: injectionScan.score,
+          matches: injectionScan.matches,
+        },
+      };
+    }
+
+    // ─── Layer 2: ML classifier (Prompt-Guard sidecar) ────────────────────
+    if (!injectionScan.detected && isPromptGuardConfigured() && body.input.length >= getPromptGuardMinLen() && shouldRunPromptGuard(body.input, injectionScan)) {
+      const pg = await callPromptGuard(inputForPromptGuard(body.input));
+      if (pg.available && pg.label === 'INJECTION' && pg.score >= getPromptGuardThreshold()) {
+        logger.warn(
+          { caller, callId, pg_score: pg.score, pg_latency_ms: pg.latencyMs },
+          'Prompt-Guard sidecar blocked request',
+        );
+        return {
+          statusCode: 422,
+          body: {
+            error: 'injection_detected',
+            message: 'Request blocked by prompt-guard ML classifier',
+            prompt_guard: { label: pg.label, score: pg.score, latencyMs: pg.latencyMs },
+          },
+        };
+      }
+    }
+
+    if (action === 'llm_judge') {
+      try {
+        const verdict = await llmJudge(body.input, {
+          model: process.env['LLM_JUDGE_MODEL'] || 'qwen2.5:3b',
+          callLLM: async (req) => {
+            const resp = await callOllama(
+              { model: req.model, prompt: req.prompt, system: req.system, stream: false, options: { temperature: 0, num_predict: 8, ...(req.options ?? {}) } },
+              'fast',
+            );
+            return { response: resp.response };
+          },
+        });
+        if (verdict.verdict === 'injection') {
+          return {
+            statusCode: 422,
+            body: {
+              error: 'injection_detected',
+              message: 'Request blocked by LLM-judge verdict',
+              score: injectionScan.score,
+              llm_judge: verdict,
+              matches: injectionScan.matches,
+            },
+          };
+        }
+      } catch (err) {
+        logger.warn({ err }, 'Injection LLM-judge failed; allowing through with warning');
+      }
+    }
+    // action === 'warn' or 'allow' falls through; metadata is recorded later
+  }
+
+  // ─── Cache check (Tier 1: exact-match hash lookup) ─────────────────────
+  const agenticNoCache = shouldBypassResponseCache(caller);
+  const skipCache = agenticNoCache || (options as any)?.skip_cache === true;
+  const cacheableReq = {
+    caller,
+    task_type: body.task_type,
+    model: options?.model,
+    system: typeof context === 'object' && context && 'system' in context ? String((context as any).system ?? '') : '',
+    input: body.input,
+  };
+  const cacheKey = computeCacheKey(cacheableReq);
+  const fuzzyEnabled = !agenticNoCache && (options as any)?.fuzzy_cache !== false; // default ON
+  const fuzzyThreshold = typeof (options as any)?.fuzzy_threshold === 'number'
+    ? Math.max(0.5, Math.min(1.0, (options as any).fuzzy_threshold))
+    : 0.85; // empirically good default for nomic-embed-text — paraphrases hit, unrelated misses
+  if (!skipCache) {
+    const dbForCache = getPool();
+    let hit = await getCachedResponse(dbForCache, cacheKey);
+    let matchType: 'exact' | 'semantic' = 'exact';
+    let similarity: number | undefined;
+
+    // Fall through to semantic match when exact misses
+    if (!hit && fuzzyEnabled) {
+      const semHit = await getSemanticCachedResponse(
+        dbForCache,
+        caller,
+        body.task_type,
+        body.input,
+        fuzzyThreshold
+      );
+      if (semHit) {
+        hit = semHit;
+        matchType = 'semantic';
+        similarity = semHit.similarity;
+      }
+    }
+    if (hit) {
+      const latencyMs = Date.now() - startMs;
+      void recordCacheHit(dbForCache, hit.id);
+      // Log cache hit as a successful request (status=approved, fallback=false)
+      const requestLogger = createRequestLogger(dbForCache);
+      void requestLogger.logRequest(
+        callId,
+        caller,
+        body.task_type,
+        (hit.responseJson['model'] as string) ?? 'cache',
+        'approved',
+        hit.tokensIn,
+        hit.tokensOut,
+        0, // zero cost for cache hit
+        latencyMs,
+        (hit.responseJson['confidence'] as number) ?? 10,
+        false,
+        undefined
+      );
+      logger.info(
+        { callId, caller, matchType, similarity, ageSeconds: hit.ageSeconds, hitCount: hit.hitCount + 1, costSaved: hit.costWhenCached },
+        `Cache HIT (${matchType}) — skipping pipeline`
+      );
+      return {
+        statusCode: 200,
+        body: {
+          ...hit.responseJson,
+          id: callId, // refresh id so callers can deduplicate logs
+          cache: {
+            hit: true,
+            match_type: matchType,
+            similarity: similarity ?? null,
+            age_seconds: hit.ageSeconds,
+            hit_count: hit.hitCount + 1,
+            cost_saved_usd: hit.costWhenCached,
+            tokens_saved: hit.tokensIn + hit.tokensOut,
+          },
+          latency_ms: latencyMs,
+        } as Record<string, unknown>,
+      };
+    }
+  }
+
+  const compression = compressContext(body.input, {
+    enabled: options?.compression?.enabled,
+    mode: options?.compression?.mode,
+    targetTokens: options?.compression?.target_tokens,
+  });
+  const input = compression.input;
+
+  let classifAndRoute;
+  try {
+    classifAndRoute = await classifyAndRoute(body.task_type, caller, input, options);
+  } catch (err) {
+    return {
+      statusCode: 400,
+      body: {
+        statusCode: 400, error: 'Routing Error',
+        message: err instanceof Error ? err.message : 'Failed to route request',
+      },
+    };
+  }
+
+  const { taskType, decision, classificationResult } = classifAndRoute;
+
+  // ─── Pool Routing: re-route to the subscription with most headroom ─────
+  let poolRouteApplied: string | null = null;
+  try {
+    const adjusted = await applyPoolRouting(getPool(), {
+      model: decision.model,
+      fallback_chain: decision.fallback_chain,
+      tier: decision.tier,
+    });
+    if (adjusted) {
+      logger.info({ callId, original: decision.model, switched: adjusted.model, reason: adjusted.reason }, 'Pool routing engaged');
+      decision.model = adjusted.model;
+      decision.fallback_chain = adjusted.fallback_chain;
+      poolRouteApplied = adjusted.reason;
+    }
+  } catch (poolErr) {
+    logger.debug({ poolErr }, 'pool routing skipped');
+  }
+
+  const promptVars = buildPromptVariables(input, context);
+  const resolved = resolvePrompt(taskType ?? decision.prompt_template, promptVars, language ?? 'en');
+
+  const format: '' | 'json' | undefined = decision.output_format === 'json' ? 'json' : '';
+  const baseReq = { model: decision.model, prompt: resolved.prompt, system: resolved.system, options: { temperature: decision.temperature, num_predict: decision.max_tokens }, format, stream: false, callId, taskType };
+
+  let ollamaResponse;
+  try {
+    ollamaResponse = await callLLMWithFallback(baseReq, decision, callId, taskType);
+  } catch (err) {
+    const latency = Date.now() - startMs;
+    logger.error({ err, caller, taskType }, 'LLM call failed');
+    requestsTotal.labels({ caller, task_type: taskType, status: 'rejected' }).inc();
+    latencySeconds.labels({ caller, task_type: taskType, model: decision.model }).observe(latency / 1000);
+    const db = getPool();
+    const requestLogger = createRequestLogger(db);
+    void requestLogger.logRequest(callId, caller, taskType, decision.model, 'error', 0, 0, 0, latency, 0, false, err instanceof Error ? err.message : 'LLM service unavailable');
+    return { statusCode: 503, body: { statusCode: 503, error: 'Service Unavailable', message: 'LLM service unavailable, please retry' } };
+  }
+
+  const latencyMs = Date.now() - startMs;
+  const outputText = ollamaResponse.response;
+  const validationOutput = await runPostValidation(outputText, { validators: decision.validators, language, output_format: decision.output_format, requires_fact_check: decision.requires_fact_check, schema: resolved.schema });
+  const confidenceResult = evaluateConfidence(validationOutput);
+
+  recordAllMetrics(caller, taskType, confidenceResult, ollamaResponse, decision, validationOutput);
+  const { costUsd, costSavedUsd } = await auditAndTrackCosts(caller, taskType, compression.originalInput, outputText, latencyMs, ollamaResponse, resolved, decision, confidenceResult, validationOutput, classificationResult, callId, compression);
+
+  latencySeconds.labels({ caller, task_type: taskType, model: ollamaResponse.model ?? decision.model }).observe(latencyMs / 1000);
+
+  // ─── Record subscription usage for the wallet ────────────────────────
+  const usedModel = ollamaResponse.model ?? decision.model;
+  const subscriptionId = modelToSubscriptionId(usedModel);
+  if (subscriptionId) {
+    void recordSubscriptionUsage(getPool(), subscriptionId, (ollamaResponse.eval_count ?? 0) + (ollamaResponse.prompt_eval_count ?? 0));
+  }
+
+  const responseBody = {
+    ...buildResponseBody(callId, decision, taskType, confidenceResult, outputText, latencyMs, ollamaResponse, costUsd, costSavedUsd, options?.return_validation_details ?? false, validationOutput),
+    compression: buildCompressionResponse(compression),
+    ...(poolRouteApplied ? { pool_route: { applied: true, reason: poolRouteApplied } } : {}),
+  };
+
+  // ─── Cache write — only successful, validated responses are cached ──────
+  // Skip caching when:
+  //   • caller explicitly opted out via options.skip_cache
+  //   • response was rejected/pending review (don't cache bad answers)
+  //   • non-deterministic temperature (>0.5) was set (would poison the cache)
+  const tempUsed = decision.temperature ?? 0.3;
+  const shouldCache = !skipCache && confidenceResult.status === 'approved' && tempUsed <= 0.5;
+  if (shouldCache) {
+    const tokensIn = ollamaResponse.prompt_eval_count ?? 0;
+    const tokensOut = ollamaResponse.eval_count ?? 0;
+    void setCachedResponse(getPool(), cacheableReq, responseBody, {
+      cost: costUsd,
+      tokensIn,
+      tokensOut,
+      ttlSeconds: typeof (options as any)?.cache_ttl === 'number' ? (options as any).cache_ttl : 86_400,
+    });
+  }
+
+  return { statusCode: 200, body: responseBody };
+}
+
+function buildCompressionResponse(compression: CompressionResult): Record<string, unknown> {
+  return {
+    applied: compression.applied,
+    method: compression.method,
+    tokens_before: compression.tokensBefore,
+    tokens_after: compression.tokensAfter,
+    tokens_saved: compression.tokensSaved,
+    ratio: Math.round(compression.ratio * 1000) / 1000,
+    strategy: compression.strategy,
+    tags: compression.tags,
+    notes: compression.notes,
+  };
+}
+
+function contentToText(content: OpenAIChatCompletionRequest['messages'][number]['content']): string {
+  if (typeof content === 'string') return content;
+  if (!Array.isArray(content)) return '';
+  return content.map((part) => {
+    if (typeof part === 'string') return part;
+    if (part && typeof part === 'object' && 'text' in part && typeof (part as any).text === 'string') {
+      return (part as any).text;
+    }
+    return '';
+  }).filter(Boolean).join('\n');
+}
+
+function responsesInputToText(input: OpenAIResponsesRequest['input']): string {
+  if (typeof input === 'string') return input;
+  return input.map((item) => {
+    if (typeof item === 'string') return item;
+    if (!item || typeof item !== 'object') return '';
+    const value = item as any;
+    if (typeof value.content === 'string') return value.content;
+    if (Array.isArray(value.content)) {
+      return value.content.map((part: any) => {
+        if (typeof part === 'string') return part;
+        if (part && typeof part === 'object') return part.text || part.input_text || part.output_text || '';
+        return '';
+      }).filter(Boolean).join('\n');
+    }
+    if (typeof value.text === 'string') return value.text;
+    return '';
+  }).filter(Boolean).join('\n\n');
+}
+
+function openAIRequestToGatewayRequest(body: OpenAIChatCompletionRequest, request: FastifyRequest): CompletionRequest {
+  // Use layered caller-detection (header → companion → body → user-agent → fallback)
+  const { caller } = detectCaller(request, 'openai-compatible', body.user);
+
+  const input = body.messages
+    .filter((message) => message.role !== 'system')
+    .map((message) => `${message.role}: ${contentToText(message.content)}`)
+    .join('\n\n')
+    .trim();
+
+  const system = body.messages
+    .filter((message) => message.role === 'system')
+    .map((message) => contentToText(message.content))
+    .filter(Boolean)
+    .join('\n\n');
+
+  const model = ['auto', 'llm-gateway-auto', 'gateway-auto'].includes(body.model) ? undefined : body.model;
+  const agenticNoCache = shouldBypassResponseCache(caller);
+
+  return {
+    caller,
+    task_type: 'generic_qa',
+    input: input || contentToText(body.messages[body.messages.length - 1]?.content),
+    context: system ? { system } : undefined,
+    options: {
+      model,
+      temperature: body.temperature,
+      max_tokens: body.max_tokens,
+      skip_cache: agenticNoCache,
+      fuzzy_cache: !agenticNoCache,
+      compression: { enabled: true, mode: 'auto' },
+    },
+  };
+}
+
+function responsesRequestToGatewayRequest(body: OpenAIResponsesRequest, request: FastifyRequest): CompletionRequest {
+  const metadataCaller = typeof body.metadata?.['caller'] === 'string' ? String(body.metadata['caller']) : undefined;
+  const { caller } = detectCaller(request, 'responses-compatible', body.user || metadataCaller);
+  const model = ['auto', 'llm-gateway-auto', 'gateway-auto'].includes(body.model) ? undefined : body.model;
+  const agenticNoCache = shouldBypassResponseCache(caller);
+
+  return {
+    caller,
+    task_type: 'generic_qa',
+    input: responsesInputToText(body.input),
+    context: body.instructions ? { system: body.instructions } : undefined,
+    options: {
+      model,
+      temperature: body.temperature,
+      max_tokens: body.max_output_tokens,
+      skip_cache: agenticNoCache,
+      fuzzy_cache: !agenticNoCache,
+      compression: { enabled: true, mode: 'auto' },
+    },
+  };
+}
+
+// ─── Anthropic Messages API mappers ─────────────────────────────────────────
+function anthropicContentToText(content: unknown): string {
+  if (typeof content === 'string') return content;
+  if (Array.isArray(content)) {
+    return content
+      .map((block: unknown) => {
+        if (typeof block === 'string') return block;
+        if (block && typeof block === 'object') {
+          const b = block as Record<string, unknown>;
+          if (typeof b['text'] === 'string') return b['text'];
+        }
+        return '';
+      })
+      .filter(Boolean)
+      .join('\n');
+  }
+  return '';
+}
+
+function anthropicRequestToGatewayRequest(body: AnthropicMessagesRequest, request: FastifyRequest): CompletionRequest {
+  const metadataUser = typeof body.metadata?.['user_id'] === 'string' ? String(body.metadata['user_id']) : undefined;
+  const { caller } = detectCaller(request, 'anthropic-compatible', metadataUser);
+
+  const input = body.messages
+    .map((m) => `${m.role}: ${anthropicContentToText(m.content)}`)
+    .join('\n\n')
+    .trim();
+
+  const system = body.system ? anthropicContentToText(body.system) : '';
+  const model = ['auto', 'llm-gateway-auto', 'gateway-auto'].includes(body.model) ? undefined : body.model;
+  const agenticNoCache = shouldBypassResponseCache(caller);
+
+  return {
+    caller,
+    task_type: 'generic_qa',
+    input: input || anthropicContentToText(body.messages[body.messages.length - 1]?.content),
+    context: system ? { system } : undefined,
+    options: {
+      model,
+      temperature: body.temperature,
+      max_tokens: body.max_tokens,
+      skip_cache: agenticNoCache,
+      fuzzy_cache: !agenticNoCache,
+      compression: { enabled: true, mode: 'auto' },
+    },
+  };
+}
+
+function toAnthropicMessagesResponse(result: Record<string, unknown>, requestedModel: string): Record<string, unknown> {
+  const output = typeof result['output'] === 'string' ? result['output'] : '';
+  const tokens = result['tokens'] as { in?: number; out?: number } | undefined;
+  const model = typeof result['model'] === 'string' ? result['model'] : requestedModel;
+  const stopReason = result['status'] === 'pending_review' ? 'content_filtered' : 'end_turn';
+  return {
+    id: result['id'] ?? `msg_${Date.now()}`,
+    type: 'message',
+    role: 'assistant',
+    model,
+    content: [{ type: 'text', text: output }],
+    stop_reason: stopReason,
+    stop_sequence: null,
+    usage: {
+      input_tokens: tokens?.in ?? 0,
+      output_tokens: tokens?.out ?? 0,
+    },
+    gateway: {
+      status: result['status'],
+      confidence: result['confidence'],
+      cost: result['cost'],
+      latency_ms: result['latency_ms'],
+      compression: result['compression'],
+    },
+  };
+}
+
+function toAnthropicError(result: GatewayCompletionResult): Record<string, unknown> {
+  const message =
+    (typeof result.body['message'] === 'string' && result.body['message']) ||
+    (typeof result.body['error'] === 'string' && result.body['error']) ||
+    'Internal error';
+  return {
+    type: 'error',
+    error: {
+      type: result.statusCode === 400 ? 'invalid_request_error' : 'api_error',
+      message,
+    },
+  };
+}
+
+function toOpenAIChatResponse(result: Record<string, unknown>, requestedModel: string): Record<string, unknown> {
+  const output = typeof result['output'] === 'string' ? result['output'] : '';
+  const tokens = result['tokens'] as { in?: number; out?: number } | undefined;
+  const model = typeof result['model'] === 'string' ? result['model'] : requestedModel;
+  return {
+    id: result['id'] ?? `chatcmpl-${Date.now()}`,
+    object: 'chat.completion',
+    created: Math.floor(Date.now() / 1000),
+    model,
+    choices: [
+      {
+        index: 0,
+        message: { role: 'assistant', content: output },
+        finish_reason: result['status'] === 'pending_review' ? 'content_filter' : 'stop',
+      },
+    ],
+    usage: {
+      prompt_tokens: tokens?.in ?? 0,
+      completion_tokens: tokens?.out ?? 0,
+      total_tokens: (tokens?.in ?? 0) + (tokens?.out ?? 0),
+    },
+    gateway: {
+      status: result['status'],
+      confidence: result['confidence'],
+      cost: result['cost'],
+      latency_ms: result['latency_ms'],
+      compression: result['compression'],
+    },
+  };
+}
+
+function toOpenAIResponsesResponse(result: Record<string, unknown>, requestedModel: string): Record<string, unknown> {
+  const output = typeof result['output'] === 'string' ? result['output'] : '';
+  const tokens = result['tokens'] as { in?: number; out?: number } | undefined;
+  const model = typeof result['model'] === 'string' ? result['model'] : requestedModel;
+  const id = String(result['id'] ?? `resp-${Date.now()}`);
+  return {
+    id,
+    object: 'response',
+    created_at: Math.floor(Date.now() / 1000),
+    status: 'completed',
+    model,
+    output: [
+      {
+        id: `${id}-msg`,
+        type: 'message',
+        status: 'completed',
+        role: 'assistant',
+        content: [{ type: 'output_text', text: output, annotations: [] }],
+      },
+    ],
+    output_text: output,
+    usage: {
+      input_tokens: tokens?.in ?? 0,
+      output_tokens: tokens?.out ?? 0,
+      total_tokens: (tokens?.in ?? 0) + (tokens?.out ?? 0),
+    },
+    gateway: {
+      status: result['status'],
+      confidence: result['confidence'],
+      cost: result['cost'],
+      latency_ms: result['latency_ms'],
+      compression: result['compression'],
+    },
+  };
+}
+
+/**
+ * Stream a non-streaming gateway response back to the client as
+ * OpenAI-compatible Server-Sent Events. Chunks the assistant content
+ * by ~32-char windows so SDKs that drive UIs see progressive output.
+ *
+ * Real upstream streaming (token-by-token from Ollama) is wired through
+ * separately for providers that natively support stream=true; this helper
+ * is the fallback path for the unified completion pipeline.
+ */
+const STREAM_CONTENT_STEP = 32;
+
+async function* iterateContentChunks(content: string, step: number): AsyncGenerator<string, void, unknown> {
+  for (let i = 0; i < content.length; i += step) {
+    yield content.slice(i, i + step);
+  }
+}
+
+async function streamOpenAIChatResponse(reply: FastifyReply, response: Record<string, unknown>): Promise<FastifyReply> {
+  const choices = (response['choices'] as Array<Record<string, unknown>>) ?? [];
+  const message = (choices[0]?.['message'] as Record<string, unknown>) ?? {};
+  const content = typeof message['content'] === 'string' ? (message['content'] as string) : '';
+  const toolCalls = message['tool_calls'];
+  const id = String(response['id'] ?? `chatcmpl-${Date.now()}`);
+  const created = Number(response['created'] ?? Math.floor(Date.now() / 1000));
+  const model = String(response['model'] ?? 'llm-gateway-auto');
+
+  reply.raw.writeHead(200, {
+    'Content-Type': 'text/event-stream; charset=utf-8',
+    'Cache-Control': 'no-cache',
+    'Connection': 'keep-alive',
+    'X-Accel-Buffering': 'no',
+  });
+
+  const writeChunk = (delta: Record<string, unknown>, finishReason: string | null = null): void => {
+    const chunk = {
+      id,
+      object: 'chat.completion.chunk',
+      created,
+      model,
+      choices: [{ index: 0, delta, finish_reason: finishReason }],
+    };
+    reply.raw.write(`data: ${JSON.stringify(chunk)}\n\n`);
+  };
+
+  // 1) initial role chunk
+  writeChunk({ role: 'assistant' });
+
+  // 2) content chunks — piped through output-defense guard so secret leaks
+  //    or sysprompt echoes can be cut/tagged mid-stream (see modules/output-defense.ts).
+  //    When OUTPUT_DEFENSE_MODE=off (default), guardOutputStream is a transparent passthrough.
+  if (content) {
+    const defenseMode = getOutputDefenseMode();
+    const upstream = iterateContentChunks(content, STREAM_CONTENT_STEP);
+    const guarded = guardOutputStream(upstream, {
+      mode: defenseMode,
+      onDetect: (result) => {
+        logger.warn(
+          { matches: result.matches, score: result.score, id, model, mode: defenseMode },
+          'Output-defense triggered on streaming response',
+        );
+      },
+    });
+    for await (const chunk of guarded) {
+      writeChunk({ content: chunk });
+    }
+  }
+
+  // 3) tool_calls (if present) — flush as a single delta with the full structure
+  if (Array.isArray(toolCalls) && toolCalls.length > 0) {
+    writeChunk({ tool_calls: toolCalls });
+  }
+
+  // 4) finish marker + DONE sentinel
+  writeChunk({}, 'stop');
+  reply.raw.write('data: [DONE]\n\n');
+  reply.raw.end();
+  return reply;
+}
+
+function toOpenAIError(result: GatewayCompletionResult): Record<string, unknown> {
+  return {
+    error: {
+      message: String(result.body['message'] ?? result.body['error'] ?? 'Gateway request failed'),
+      type: String(result.body['error'] ?? 'gateway_error').toLowerCase().replace(/\s+/g, '_'),
+      code: result.statusCode,
+    },
+  };
+}
+
+function listGatewayModels(): Record<string, unknown> {
+  const ids = new Set<string>(['llm-gateway-auto']);
+
+  for (const provider of getAllProviders()) {
+    for (const model of provider.models) ids.add(model.id);
+  }
+
+  try {
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    const yamlPath = join(__dirname, '..', 'config', 'models.yaml');
+    if (existsSync(yamlPath)) {
+      const cfg: any = yaml.load(readFileSync(yamlPath, 'utf-8'));
+      for (const id of Object.keys(cfg.models ?? {})) ids.add(id);
+    }
+  } catch (err) {
+    logger.warn({ err }, 'Failed to load local model list for /v1/models');
+  }
+
+  return {
+    object: 'list',
+    data: [...ids].sort().map((id) => ({
+      id,
+      object: 'model',
+      created: 0,
+      owned_by: id === 'llm-gateway-auto' ? 'llm-gateway' : 'gateway-provider',
+    })),
+  };
+}
+
 export async function completionRoute(fastify: FastifyInstance): Promise<void> {
+  fastify.get('/models', async (_request: FastifyRequest, reply: FastifyReply) => {
+    return reply.send(listGatewayModels());
+  });
+
+  fastify.post('/chat/completions', { config: { rateLimit: false } }, async (request: FastifyRequest, reply: FastifyReply) => {
+    const startMs = Date.now();
+    const parsed = OpenAIChatCompletionRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({
+        error: {
+          message: parsed.error.errors[0]?.message ?? 'Invalid chat completion request',
+          type: 'invalid_request_error',
+          code: 400,
+        },
+      });
+    }
+
+    const callId = `chatcmpl-${Date.now()}-${Math.random().toString(36).slice(2, 9)}`;
+    const gatewayRequest = openAIRequestToGatewayRequest(parsed.data, request);
+    const result = await executeCompletion(gatewayRequest, startMs, callId);
+
+    if (result.statusCode !== 200) {
+      return reply.status(result.statusCode).send(toOpenAIError(result));
+    }
+
+    const response = toOpenAIChatResponse(result.body, parsed.data.model);
+    if (parsed.data.stream) {
+      return await streamOpenAIChatResponse(reply, response);
+    }
+
+    return reply.status(200).send(response);
+  });
+
+  // Anthropic Messages API compatibility — accept @anthropic-ai/sdk traffic.
+  fastify.post('/messages', { config: { rateLimit: false } }, async (request: FastifyRequest, reply: FastifyReply) => {
+    const startMs = Date.now();
+    const parsed = AnthropicMessagesRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({
+        type: 'error',
+        error: {
+          type: 'invalid_request_error',
+          message: parsed.error.errors[0]?.message ?? 'Invalid messages request',
+        },
+      });
+    }
+
+    const callId = `msg_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const gatewayRequest = anthropicRequestToGatewayRequest(parsed.data, request);
+    const result = await executeCompletion(gatewayRequest, startMs, callId);
+
+    if (result.statusCode !== 200) {
+      return reply.status(result.statusCode).send(toAnthropicError(result));
+    }
+
+    const response = toAnthropicMessagesResponse(result.body, parsed.data.model);
+    if (parsed.data.stream) {
+      // Minimal SSE — emit the whole response as a single content_block_delta then message_stop.
+      const text = (response.content as Array<{ text: string }>)[0]?.text ?? '';
+      const lines = [
+        `event: message_start\ndata: ${JSON.stringify({ type: 'message_start', message: { ...response, content: [], usage: { input_tokens: (response.usage as any).input_tokens, output_tokens: 0 } } })}`,
+        `event: content_block_start\ndata: ${JSON.stringify({ type: 'content_block_start', index: 0, content_block: { type: 'text', text: '' } })}`,
+        `event: content_block_delta\ndata: ${JSON.stringify({ type: 'content_block_delta', index: 0, delta: { type: 'text_delta', text } })}`,
+        `event: content_block_stop\ndata: ${JSON.stringify({ type: 'content_block_stop', index: 0 })}`,
+        `event: message_delta\ndata: ${JSON.stringify({ type: 'message_delta', delta: { stop_reason: response.stop_reason, stop_sequence: null }, usage: { output_tokens: (response.usage as any).output_tokens } })}`,
+        `event: message_stop\ndata: ${JSON.stringify({ type: 'message_stop' })}`,
+      ];
+      return reply
+        .header('Content-Type', 'text/event-stream; charset=utf-8')
+        .header('Cache-Control', 'no-cache')
+        .send(lines.join('\n\n') + '\n\n');
+    }
+    return reply.status(200).send(response);
+  });
+
+  fastify.post('/responses', { config: { rateLimit: false } }, async (request: FastifyRequest, reply: FastifyReply) => {
+    const startMs = Date.now();
+    const parsed = OpenAIResponsesRequestSchema.safeParse(request.body);
+    if (!parsed.success) {
+      return reply.status(400).send({
+        error: {
+          message: parsed.error.errors[0]?.message ?? 'Invalid responses request',
+          type: 'invalid_request_error',
+          code: 400,
+        },
+      });
+    }
+
+    const callId = `resp-${Date.now()}-${Math.random().toString(36).slice(2, 9)}`;
+
+    // ─── codex-bridge passthrough for gpt-* models ──────────────────────
+    // Codex.app sends model=gpt-5.5 / gpt-5.1-codex-mini etc. These are
+    // ChatGPT-subscription models the openai API itself rejects without
+    // the right auth. Route them straight to the local codex-bridge
+    // (PM2 process at 127.0.0.1:3253) which speaks codex-cli over OAuth.
+    if (/^gpt-/i.test(parsed.data.model ?? '')) {
+      try {
+        const bridgeUrl = process.env['CODEX_BRIDGE_URL'] ?? 'http://127.0.0.1:3253';
+        const inputText = typeof parsed.data.input === 'string'
+          ? parsed.data.input
+          : (Array.isArray(parsed.data.input)
+              ? parsed.data.input.map((p: any) => typeof p?.content === 'string' ? p.content : (Array.isArray(p?.content) ? p.content.map((c: any) => c?.text ?? '').join(' ') : '')).join(' ')              : '');
+        const upstream = await fetch(`${bridgeUrl}/v1/chat/completions`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({
+            model: parsed.data.model,
+            messages: [{ role: 'user', content: inputText }],
+          }),
+        });
+        const upstreamJson: any = await upstream.json();
+        if (upstream.ok && upstreamJson?.success !== false) {
+          const text = upstreamJson?.content ?? upstreamJson?.response ?? upstreamJson?.choices?.[0]?.message?.content ?? '';
+          const respBody = toOpenAIResponsesResponse({ output: text, model: parsed.data.model, status: 'approved' }, parsed.data.model);
+          logger.info({ callId, model: parsed.data.model, len: text.length }, 'codex-bridge passthrough OK');
+          // Track against the merged OpenAI (ChatGPT+Codex) subscription pool.
+          try {
+            const subId = modelToSubscriptionId(parsed.data.model ?? '') ?? 'codex';
+            void recordSubscriptionUsage(getPool(), subId, 0);
+          } catch (e) {
+            logger.warn({ e, callId }, 'failed to record subscription usage for passthrough');
+          }
+          // Also write an audit row so the dashboard activity tab sees it.
+          try {
+            void writeAuditLog({
+              callId,
+              caller: (request.headers['x-llm-interceptor-caller'] as string) || 'codex-app',
+              task_type: 'codex_passthrough',
+              status: 'approved',
+              tokens_in: 0,
+              tokens_out: text.length,
+              latency_ms: Date.now() - startMs,
+              confidence: 0,
+              cost_usd: 0,
+              compression_applied: false,
+              model: parsed.data.model ?? 'gpt-5.5',
+            } as any);
+          } catch (e) {
+            logger.warn({ e, callId }, 'failed to write audit log for passthrough');
+          }
+          if (parsed.data.stream) {
+            return reply
+              .header('Content-Type', 'text/event-stream; charset=utf-8')
+              .header('Cache-Control', 'no-cache')
+              .send(`data: ${JSON.stringify({ type: 'response.completed', response: respBody })}
+
+data: [DONE]
+
+`);
+          }
+          return reply.send(respBody);
+        }
+        logger.warn({ callId, model: parsed.data.model, upstreamJson }, 'codex-bridge upstream non-OK; falling back to standard pipeline');
+      } catch (err) {
+        logger.error({ err, callId, model: parsed.data.model }, 'codex-bridge passthrough threw; falling back');
+      }
+    }
+
+    const gatewayRequest = responsesRequestToGatewayRequest(parsed.data, request);
+    const result = await executeCompletion(gatewayRequest, startMs, callId);
+
+    if (result.statusCode !== 200) {
+      return reply.status(result.statusCode).send(toOpenAIError(result));
+    }
+
+    const response = toOpenAIResponsesResponse(result.body, parsed.data.model);
+    if (parsed.data.stream) {
+      return reply
+        .header('Content-Type', 'text/event-stream; charset=utf-8')
+        .header('Cache-Control', 'no-cache')
+        .send(`data: ${JSON.stringify({ type: 'response.completed', response })}\n\ndata: [DONE]\n\n`);
+    }
+    return reply.send(response);
+  });
+
+  // ─── Multi-Model Race Mode endpoint ────────────────────────────────────
+  // Runs the same prompt against multiple models in parallel; returns
+  // according to `strategy` (first | best | consensus). Audits each
+  // candidate run for later analysis.
+  fastify.post('/race', { config: { rateLimit: false } }, async (request: FastifyRequest, reply: FastifyReply) => {
+    const startMs = Date.now();
+    const body = request.body as {
+      caller?: string;
+      task_type?: string;
+      input?: string;
+      models?: string[];
+      strategy?: RaceStrategy;
+      timeout_ms?: number;
+      options?: any;
+    };
+    if (!body?.input || !Array.isArray(body.models) || body.models.length < 2) {
+      return reply.status(400).send({
+        error: 'race endpoint requires { input: string, models: string[] (>=2) }',
+      });
+    }
+    const callerId = body.caller ?? 'race-client';
+    const strategy: RaceStrategy = (body.strategy as RaceStrategy) ?? 'first';
+    const callId = `race-${Date.now()}-${Math.random().toString(36).slice(2, 9)}`;
+
+    const runner = async (model: string, _signal: AbortSignal) => {
+      const candStart = Date.now();
+      const result = await executeCompletion({
+        caller: callerId,
+        task_type: body.task_type ?? 'generic_qa',
+        input: body.input!,
+        options: { ...(body.options ?? {}), model, skip_cache: true },
+      } as CompletionRequest, candStart, `${callId}-${model}`);
+      const ok = result.statusCode === 200;
+      const r = result.body as Record<string, unknown>;
+      return {
+        model,
+        status: ok ? 'ok' : 'error',
+        output: typeof r['output'] === 'string' ? r['output'] : undefined,
+        confidence: typeof r['confidence'] === 'number' ? r['confidence'] : undefined,
+        cost: typeof r['cost'] === 'number' ? r['cost'] : undefined,
+        latencyMs: Date.now() - candStart,
+        errorMessage: !ok ? String(r['message'] ?? r['error'] ?? 'unknown') : undefined,
+      } as RaceCandidateResult;
+    };
+
+    try {
+      const { outcome } = await runRace(body.models, runner, strategy, { timeoutMs: body.timeout_ms ?? 60_000 });
+      void auditRaceResults(getPool(), callId, callerId, body.task_type ?? 'generic_qa', outcome);
+      return reply.send({
+        success: true,
+        call_id: callId,
+        strategy: outcome.strategy,
+        selected: {
+          model: outcome.selected.model,
+          output: outcome.selected.output,
+          confidence: outcome.selected.confidence,
+          cost: outcome.selected.cost,
+          latency_ms: outcome.selected.latencyMs,
+        },
+        agreement_score: outcome.agreementScore ?? null,
+        candidates: outcome.candidates.map((c) => ({
+          model: c.model,
+          status: c.status,
+          confidence: c.confidence,
+          latency_ms: c.latencyMs,
+          error: c.errorMessage,
+        })),
+        total_latency_ms: Date.now() - startMs,
+      });
+    } catch (err) {
+      logger.error({ err, callId }, 'race endpoint failed');
+      return reply.status(500).send({ error: 'race failed', message: err instanceof Error ? err.message : 'unknown' });
+    }
+  });
+
   fastify.post('/completion', { config: { rateLimit: false } }, async (request: FastifyRequest, reply: FastifyReply) => {
     const startMs = Date.now();
 
@@ -242,52 +1322,9 @@ export async function completionRoute(fastify: FastifyInstance): Promise<void> {
       });
     }
 
-    const { caller, input, language, context, options } = body;
     const callId = `call-${Date.now()}-${Math.random().toString(36).slice(2, 9)}`;
 
-    let classifAndRoute;
-    try {
-      classifAndRoute = await classifyAndRoute(body.task_type, caller, input, options);
-    } catch (err) {
-      return reply.status(400).send({
-        statusCode: 400, error: 'Routing Error',
-        message: err instanceof Error ? err.message : 'Failed to route request',
-      });
-    }
-
-    const { taskType, decision, classificationResult } = classifAndRoute;
-    const promptVars = buildPromptVariables(input, context);
-    const resolved = resolvePrompt(taskType ?? decision.prompt_template, promptVars, language ?? 'en');
-
-    const format: '' | 'json' | undefined = decision.output_format === 'json' ? 'json' : '';
-    const baseReq = { model: decision.model, prompt: resolved.prompt, system: resolved.system, options: { temperature: decision.temperature, num_predict: decision.max_tokens }, format, stream: false, callId, taskType };
-
-    let ollamaResponse;
-    try {
-      ollamaResponse = await callLLMWithFallback(baseReq, decision, callId, taskType);
-    } catch (err) {
-      const latency = Date.now() - startMs;
-      logger.error({ err, caller, taskType }, 'Ollama call failed');
-      requestsTotal.labels({ caller, task_type: taskType, status: 'rejected' }).inc();
-      latencySeconds.labels({ caller, task_type: taskType, model: decision.model }).observe(latency / 1000);
-      const db = getPool();
-      const requestLogger = createRequestLogger(db);
-      void requestLogger.logRequest(callId, caller, taskType, decision.model, 'error', 0, 0, 0, latency, 0, false, err instanceof Error ? err.message : 'LLM service unavailable');
-      return reply.status(503).send({ statusCode: 503, error: 'Service Unavailable', message: 'LLM service unavailable, please retry' });
-    }
-
-    const latencyMs = Date.now() - startMs;
-    const outputText = ollamaResponse.response;
-    const validationOutput = await runPostValidation(outputText, { validators: decision.validators, language, output_format: decision.output_format, requires_fact_check: decision.requires_fact_check, schema: resolved.schema });
-    const confidenceResult = evaluateConfidence(validationOutput);
-
-    recordAllMetrics(caller, taskType, confidenceResult, ollamaResponse, decision, validationOutput);
-    const { costUsd, costSavedUsd } = await auditAndTrackCosts(caller, taskType, input, outputText, latencyMs, ollamaResponse, resolved, decision, confidenceResult, validationOutput, classificationResult, callId);
-
-    // Fix latency observation after computation
-    latencySeconds.labels({ caller, task_type: taskType, model: ollamaResponse.model ?? decision.model }).observe(latencyMs / 1000);
-
-    const responseBody = buildResponseBody(callId, decision, taskType, confidenceResult, outputText, latencyMs, ollamaResponse, costUsd, costSavedUsd, options?.return_validation_details ?? false, validationOutput);
-    return reply.status(200).send(responseBody);
+    const result = await executeCompletion(body, startMs, callId);
+    return reply.status(result.statusCode).send(result.body);
   });
 }
diff --git a/packages/gateway/src/routes/dashboard.ts b/packages/gateway/src/routes/dashboard.ts
index 40725aa..c04ef64 100644
--- a/packages/gateway/src/routes/dashboard.ts
+++ b/packages/gateway/src/routes/dashboard.ts
@@ -1,9 +1,46 @@
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
+import { execFile } from 'child_process';
+import { promisify } from 'util';
+import { existsSync } from 'fs';
+import { homedir } from 'os';
 import { getPool } from '../db/client.js';
 import { logger } from '../observability/logger.js';
 import { createRequestLogger } from '../modules/request-logger.js';
 import { globalRequestStream } from '../modules/request-stream.js';
-import { getAvailableProviders } from '../pipeline/external-providers.js';
+import { getAvailableProviders, getAllProviders } from '../pipeline/external-providers.js';
+import { discoverSubscriptions } from '../modules/subscription-discovery.js';
+import { runDiscovery, runDiscoveryAndSpawn } from '../modules/auto-discovery.js';
+import { getRunningBridges, spawnDetectedBridges } from '../modules/bridge-spawner.js';
+import { getPublicSettings, saveSettings, SettingsPatchSchema } from '../modules/settings-store.js';
+import {
+  getCacheSavings,
+  getSavingsTimeSeries,
+  clearCacheForCaller,
+  pruneStaleCacheEntries,
+} from '../modules/response-cache.js';
+import { getComprehensiveSavings, getCompressionSinceRestart } from '../modules/savings-calculator.js';
+
+// Captured once at module load — represents the gateway-process start time
+// for the 'compressed since last restart' tile in the dashboard.
+const SERVER_STARTED_AT_ISO = new Date().toISOString();
+import {
+  getBuddyState,
+  getAchievements,
+  getCalendarHeatmap,
+  getRecentEvents,
+  getForecast,
+} from '../modules/gamification.js';
+import { buildMemoryGraph } from '../modules/memory-graph.js';
+import { getRaceLeaderboard } from '../modules/race-leaderboard.js';
+import { getCallerDeepDive } from '../modules/caller-stats.js';
+import { generateMonthlyReport } from '../modules/report-generator.js';
+import { generateShareCard } from '../modules/share-card.js';
+import { getSubscriptionWallet, recordSubscriptionUsage } from '../modules/subscription-wallet.js';
+import { rememberFact, recallFacts, forgetCaller } from '../modules/knowledge-memory.js';
+import { getRaceStats } from '../modules/race-mode.js';
+import { dashboardAuthStatus, requireDashboardAuth } from '../modules/admin-auth.js';
+
+const execFileAsync = promisify(execFile);
 
 interface DashboardSummary {
   totalCost: number;
@@ -58,36 +95,324 @@ interface AlertData {
   };
 }
 
+const WORKBENCH_V1_BASELINE = {
+  totalTokensSaved: 9_304_882,
+  totalCostSaved: 72.54,
+  totalHits: 6,
+  hitRatePercent: 9.68,
+  costWithoutGateway: 749.38,
+  costWithGateway: 676.84,
+};
+
+type ProviderRuntime = {
+  runtimeStatus?: string;
+  runtimeHealthy?: boolean;
+  runtimeDetail?: string;
+};
+
+const CLIENT_CATALOG = [
+  {
+    id: 'macbook-claude-code',
+    label: 'MacBook (Claude Code)',
+    patterns: ['claude-code-laptop'],
+    commands: [],
+    paths: [],
+    processPatterns: [],
+  },
+  {
+    id: 'macstudio-claude-code',
+    label: 'Mac Studio (Claude Code)',
+    patterns: ['claude-code-macstudio', 'claude-code-studio'],
+    commands: [],
+    paths: [],
+    processPatterns: [],
+  },
+  {
+    id: 'codex-desktop',
+    label: 'Codex Desktop / CLI',
+    patterns: ['codex-desktop', 'codex-cli', 'codex'],
+    commands: ['codex'],
+    paths: ['/Applications/Codex.app', '~/.codex'],
+    processPatterns: ['Codex.app', 'Codex Helper', '/Applications/Codex.app', '/Resources/codex'],
+  },
+  {
+    id: 'claude-desktop',
+    label: 'Claude Desktop / Claude Code',
+    patterns: ['claude-desktop', 'claude-code', 'claude'],
+    commands: ['claude'],
+    paths: ['/Applications/Claude.app', '~/Library/Application Support/Claude', '~/.claude'],
+    processPatterns: ['/Applications/Claude.app', 'Claude Helper', 'claude-code', '/claude.app/Contents/MacOS/claude'],
+  },
+  {
+    id: 'microsoft-copilot',
+    label: 'Microsoft Copilot',
+    patterns: ['microsoft-copilot', 'm365-copilot', 'copilot-m365'],
+    commands: [],
+    paths: ['/Applications/Microsoft Copilot.app'],
+    processPatterns: ['Microsoft Copilot', 'm365-copilot'],
+  },
+  {
+    id: 'github-copilot',
+    label: 'GitHub Copilot',
+    patterns: ['github-copilot', 'copilot-bridge'],
+    commands: ['gh'],
+    paths: ['~/.config/github-copilot', '~/.vscode/extensions'],
+    processPatterns: ['GitHub Copilot', 'copilot-language-server', 'copilot-bridge'],
+  },
+  {
+    id: 'chatgpt',
+    label: 'ChatGPT / OpenAI Desktop',
+    patterns: ['chatgpt', 'openai-desktop'],
+    commands: [],
+    paths: ['/Applications/ChatGPT.app', '~/Library/Application Support/com.openai.chat'],
+    processPatterns: ['/Applications/ChatGPT.app', 'ChatGPTHelper', 'com.openai.chat'],
+  },
+  {
+    id: 'openai-compatible',
+    label: 'OpenAI-compatible clients',
+    patterns: ['openai-compatible', 'responses-compatible', 'responses-', 'gateway', 'cursor', 'continue', 'cline', 'aider', 'waveterm'],
+    commands: ['cursor', 'aider', 'opencode', 'cline'],
+    paths: ['/Applications/Cursor.app', '~/.cursor', '~/.continue', '~/.aider.conf.yml'],
+    processPatterns: ['/Applications/Cursor.app', 'Cursor Helper', 'Continue', 'Cline', 'aider', 'opencode', 'Waveterm'],
+  },
+] as const;
+
+type ClientStatus = 'live' | 'running' | 'installed' | 'not-connected';
+
+const CLIENT_BRIDGE_PROVIDERS: Record<(typeof CLIENT_CATALOG)[number]['id'], string | undefined> = {
+  'macbook-claude-code': undefined,
+  'macstudio-claude-code': undefined,
+  'codex-desktop': 'codex',
+  'claude-desktop': 'claude-code',
+  'microsoft-copilot': 'm365-copilot-bridge',
+  'github-copilot': 'copilot-bridge',
+  'openai-compatible': undefined,
+  'chatgpt': 'codex-bridge',
+};
+
+function expandUserPath(path: string): string {
+  return path.startsWith('~/') ? `${homedir()}/${path.slice(2)}` : path;
+}
+
+async function getProcessSnapshot(): Promise<string> {
+  try {
+    const { stdout } = await execFileAsync('ps', ['axo', 'command'], { timeout: 1500, maxBuffer: 1024 * 1024 * 3 });
+    return stdout.toLowerCase();
+  } catch {
+    return '';
+  }
+}
+
+async function commandExists(command: string): Promise<boolean> {
+  try {
+    await execFileAsync('/bin/sh', ['-lc', `command -v ${command}`], { timeout: 1200, maxBuffer: 4096 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function getLocalDesktopDetections(): Promise<Record<string, { running: boolean; installed: boolean; signals: string[] }>> {
+  const processSnapshot = await getProcessSnapshot();
+  const entries = await Promise.all(CLIENT_CATALOG.map(async (client) => {
+    const signals: string[] = [];
+    const running = client.processPatterns.some((pattern) => processSnapshot.includes(pattern.toLowerCase()));
+    if (running) signals.push('running process');
+
+    const existingPaths = client.paths.filter((path) => existsSync(expandUserPath(path)));
+    for (const path of existingPaths.slice(0, 3)) signals.push(path);
+
+    const existingCommands: string[] = [];
+    for (const command of client.commands) {
+      if (await commandExists(command)) existingCommands.push(command);
+    }
+    for (const command of existingCommands) signals.push(`cli:${command}`);
+
+    return [client.id, {
+      running,
+      installed: existingPaths.length > 0 || existingCommands.length > 0 || running,
+      signals,
+    }] as const;
+  }));
+
+  return Object.fromEntries(entries);
+}
+
+async function getGatewayClientCoverage(hoursBack: number = 24): Promise<Array<{
+  id: string;
+  label: string;
+  status: ClientStatus;
+  requestCount: number;
+  lastSeen?: string;
+  callers: string[];
+  tokensIn: number;
+  tokensSaved: number;
+  source: 'gateway' | 'local-detection' | 'none';
+  detectionSignals: string[];
+  bridgeProvider?: string;
+  bridgeStatus?: string;
+  bridgeHealthy?: boolean;
+  bridgeDetail?: string;
+}>> {
+  const detections = await getLocalDesktopDetections();
+  const bridgeRuntimes = Object.fromEntries(await Promise.all(CLIENT_CATALOG.map(async (client) => {
+    const providerName = CLIENT_BRIDGE_PROVIDERS[client.id];
+    return [
+      client.id,
+      {
+        providerName,
+        ...(providerName ? await providerRuntime(providerName) : {}),
+      },
+    ] as const;
+  })));
+  let callers: Array<{ caller: string; requestCount: number; lastSeen?: string; tokensIn: number; tokensSaved: number }> = [];
+
+  try {
+    const db = getPool();
+    const result = await db.query(
+      `
+      SELECT
+        rt.caller_id,
+        COUNT(*)::INT as request_count,
+        MAX(rt.created_at) as last_seen,
+        COALESCE(SUM(rt.tokens_in), 0)::INT as tokens_in,
+        COALESCE(SUM(GREATEST(tv.tokens_before - tv.tokens_after, 0)), 0)::INT as tokens_saved
+      FROM request_tracking rt
+      LEFT JOIN LATERAL (
+        SELECT tokens_before, tokens_after
+        FROM tokenvault_metrics
+        WHERE tool_used = 'gateway'
+          AND file_path = rt.request_id
+        ORDER BY created_at DESC
+        LIMIT 1
+      ) tv ON true
+      WHERE rt.created_at > NOW() - MAKE_INTERVAL(hours => $1)
+      GROUP BY rt.caller_id
+      `,
+      [hoursBack]
+    );
+
+    callers = result.rows.map((row: any) => ({
+      caller: String(row.caller_id ?? ''),
+      requestCount: parseInt(row.request_count, 10) || 0,
+      lastSeen: row.last_seen ? new Date(row.last_seen).toISOString() : undefined,
+      tokensIn: parseInt(row.tokens_in, 10) || 0,
+      tokensSaved: parseInt(row.tokens_saved, 10) || 0,
+    }));
+  } catch (error) {
+    logger.warn({ error }, 'Client gateway traffic lookup failed, returning local desktop detections only');
+  }
+
+  // First-match-wins: a caller is assigned to the first (most specific) catalog
+  // entry it matches, so device-specific entries (MacBook/Mac Studio) take a
+  // caller before the generic 'claude-desktop' bucket — no double counting.
+  const assignedCallers = new Set<string>();
+  return CLIENT_CATALOG.map((client) => {
+    const detection = detections[client.id];
+    const bridgeRuntime = bridgeRuntimes[client.id];
+    const matched = callers.filter((row) => {
+      if (assignedCallers.has(row.caller)) return false;
+      const caller = row.caller.toLowerCase();
+      return client.patterns.some((pattern) => caller.includes(pattern));
+    });
+    matched.forEach((row) => assignedCallers.add(row.caller));
+    const requestCount = matched.reduce((sum, row) => sum + row.requestCount, 0);
+    const tokensIn = matched.reduce((sum, row) => sum + row.tokensIn, 0);
+    const tokensSaved = matched.reduce((sum, row) => sum + row.tokensSaved, 0);
+    const lastSeen = matched
+      .map((row) => row.lastSeen)
+      .filter(Boolean)
+      .sort()
+      .at(-1);
+
+    return {
+      id: client.id,
+      label: client.label,
+      status: requestCount > 0 ? 'live' : detection?.running ? 'running' : detection?.installed ? 'installed' : 'not-connected',
+      requestCount,
+      lastSeen,
+      callers: matched.map((row) => row.caller).sort(),
+      tokensIn,
+      tokensSaved,
+      source: requestCount > 0 ? 'gateway' : detection?.installed ? 'local-detection' : 'none',
+      detectionSignals: detection?.signals ?? [],
+      bridgeProvider: bridgeRuntime?.providerName,
+      bridgeStatus: bridgeRuntime?.runtimeStatus,
+      bridgeHealthy: bridgeRuntime?.runtimeHealthy,
+      bridgeDetail: bridgeRuntime?.runtimeDetail,
+    };
+  });
+}
+
+function bridgeHealthUrl(providerName: string): string | undefined {
+  const bridgeUrls: Record<string, string | undefined> = {
+    'claude-bridge': process.env['CLAUDE_BRIDGE_URL'],
+    'claude-code': process.env['CLAUDE_CODE_URL'] || process.env['CLAUDE_BRIDGE_URL'],
+    'copilot-bridge': process.env['COPILOT_BRIDGE_URL'],
+    'm365-copilot-bridge': process.env['M365_COPILOT_BRIDGE_URL'],
+    'openai-codex': process.env['OPENAI_CODEX_URL'] || process.env['CODEX_BRIDGE_URL'],
+    codex: process.env['CODEX_BRIDGE_URL'] || process.env['OPENAI_CODEX_URL'],
+  };
+
+  const baseUrl = bridgeUrls[providerName]?.replace(/\/+$/, '');
+  return baseUrl ? `${baseUrl}/health` : undefined;
+}
+
+async function providerRuntime(providerName: string): Promise<ProviderRuntime> {
+  const healthUrl = bridgeHealthUrl(providerName);
+  if (!healthUrl) return {};
+
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 1200);
+
+  try {
+    const response = await fetch(healthUrl, { signal: controller.signal });
+    const payload = await response.json().catch(() => ({})) as {
+      status?: unknown;
+      configured?: unknown;
+      healthy?: unknown;
+      detail?: unknown;
+    };
+    const status = String(payload.status ?? (response.ok ? 'ok' : 'error'));
+    const configured = payload.configured !== false;
+    const healthy = response.ok && configured && payload.healthy !== false && status !== 'auth_required';
+    const detail = status === 'auth_required'
+      ? String(payload.detail ?? 'auth_required')
+      : configured ? undefined : 'bridge_not_configured';
+
+    return {
+      runtimeStatus: healthy ? 'ready' : status,
+      runtimeHealthy: healthy,
+      runtimeDetail: detail,
+    };
+  } catch (error) {
+    return {
+      runtimeStatus: 'unreachable',
+      runtimeHealthy: false,
+      runtimeDetail: error instanceof Error ? error.message : 'health_check_failed',
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
 /**
  * Get dashboard summary stats for a time window
  */
 async function getDashboardSummary(hoursBack: number = 24): Promise<DashboardSummary> {
   const db = getPool();
   try {
-    const result = await db.query(
-      `SELECT
-        SUM(cost_usd) as total_cost,
-        SUM(cost_saved_usd) as total_saved,
-        SUM(tokens_compressed) as tokens_compressed,
-        SUM(tokens_in + tokens_out) as total_tokens,
-        COUNT(*) as request_count,
-        AVG(confidence_score) as avg_confidence
-       FROM cost_analytics
-       WHERE created_at > NOW() - INTERVAL $1 HOUR`,
-      [hoursBack]
-    );
-
-    const row = result.rows[0];
-    const totalTokens = parseInt(row?.total_tokens || '0', 10);
-    const totalCompressed = parseInt(row?.tokens_compressed || '0', 10);
+    const requestLogger = createRequestLogger(db);
+    const bucketMinutes = hoursBack * 60; // Convert hours to minutes
+    const metrics = await requestLogger.getMetrics(bucketMinutes);
 
     return {
-      totalCost: parseFloat(row?.total_cost || '0'),
-      totalSaved: parseFloat(row?.total_saved || '0'),
-      compressionRatio: totalTokens > 0 ? parseFloat((((totalTokens - totalCompressed) / totalTokens) * 100).toFixed(2)) : 0,
-      tokensSaved: totalTokens - totalCompressed,
-      requestCount: parseInt(row?.request_count || '0', 10),
-      averageConfidence: parseFloat(row?.avg_confidence || '0'),
+      totalCost: metrics.total_cost,
+      totalSaved: metrics.estimated_api_cost_avoided,
+      compressionRatio: metrics.compression_rate,
+      tokensSaved: metrics.compression_tokens_saved,
+      requestCount: metrics.total_requests,
+      averageConfidence: metrics.avg_confidence,
       timeWindow: `${hoursBack}h`
     };
   } catch (err) {
@@ -110,69 +435,60 @@ async function getDashboardSummary(hoursBack: number = 24): Promise<DashboardSum
 async function getCostBreakdown(hoursBack: number = 24): Promise<CostBreakdown> {
   const db = getPool();
   try {
-    const [projectResult, modelResult, taskResult] = await Promise.all([
-      db.query(
-        `SELECT project, SUM(cost_usd) as cost, COUNT(*) as count, SUM(cost_saved_usd) as saved
-         FROM cost_analytics
-         WHERE created_at > NOW() - INTERVAL $1 HOUR
-         GROUP BY project`,
-        [hoursBack]
-      ),
-      db.query(
-        `SELECT model, SUM(cost_usd) as cost, COUNT(*) as count
-         FROM cost_analytics
-         WHERE created_at > NOW() - INTERVAL $1 HOUR
-         GROUP BY model`,
-        [hoursBack]
-      ),
-      db.query(
-        `SELECT task_type, SUM(cost_usd) as cost, COUNT(*) as count
-         FROM cost_analytics
-         WHERE created_at > NOW() - INTERVAL $1 HOUR
-         GROUP BY task_type`,
-        [hoursBack]
-      )
-    ]);
+    const requestLogger = createRequestLogger(db);
+    const bucketMinutes = hoursBack * 60; // Convert hours to minutes
+    const metrics = await requestLogger.getMetrics(bucketMinutes);
 
-    const byProject: Record<string, { cost: number; count: number; saved: number }> = {};
+    // Build model breakdown from metrics
     const byModel: Record<string, { cost: number; count: number }> = {};
-    const byTaskType: Record<string, { cost: number; count: number }> = {};
-
-    for (const row of projectResult.rows) {
-      byProject[row.project] = {
-        cost: parseFloat(row.cost || '0'),
-        count: parseInt(row.count || '0', 10),
-        saved: parseFloat(row.saved || '0')
+    for (const model of metrics.top_models) {
+      byModel[model.model] = {
+        cost: (metrics.total_cost * model.count) / metrics.total_requests, // Estimate cost per model
+        count: model.count
       };
     }
 
-    for (const row of modelResult.rows) {
-      byModel[row.model] = {
-        cost: parseFloat(row.cost || '0'),
-        count: parseInt(row.count || '0', 10)
-      };
-    }
-
-    for (const row of taskResult.rows) {
-      byTaskType[row.task_type] = {
-        cost: parseFloat(row.cost || '0'),
-        count: parseInt(row.count || '0', 10)
-      };
-    }
-
-    const totalResult = await db.query(
-      `SELECT SUM(cost_usd) as total_cost, SUM(cost_saved_usd) as total_saved
-       FROM cost_analytics
-       WHERE created_at > NOW() - INTERVAL $1 HOUR`,
+    // Get caller-based breakdown from database (using caller_id as proxy for project)
+    const callerResult = await db.query(
+      `SELECT caller_id, SUM(cost_usd) as cost, COUNT(*) as count
+       FROM request_tracking
+       WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+       GROUP BY caller_id`,
       [hoursBack]
     );
 
+    const byProject: Record<string, { cost: number; count: number; saved: number }> = {};
+    for (const row of callerResult.rows) {
+      byProject[row.caller_id] = {
+        cost: parseFloat(row.cost || '0'),
+        count: parseInt(row.count || '0', 10),
+        saved: 0 // Not tracked
+      };
+    }
+
+    // Get task type breakdown
+    const taskResult = await db.query(
+      `SELECT task_type, SUM(cost_usd) as cost, COUNT(*) as count
+       FROM request_tracking
+       WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+       GROUP BY task_type`,
+      [hoursBack]
+    );
+
+    const byTaskType: Record<string, { cost: number; count: number }> = {};
+    for (const row of taskResult.rows) {
+      byTaskType[row.task_type || 'unknown'] = {
+        cost: parseFloat(row.cost || '0'),
+        count: parseInt(row.count || '0', 10)
+      };
+    }
+
     return {
       byProject,
       byModel,
       byTaskType,
-      totalCost: parseFloat(totalResult.rows[0]?.total_cost || '0'),
-      totalSaved: parseFloat(totalResult.rows[0]?.total_saved || '0')
+      totalCost: metrics.total_cost,
+      totalSaved: metrics.estimated_api_cost_avoided
     };
   } catch (err) {
     logger.error({ err }, 'Failed to get cost breakdown');
@@ -186,41 +502,62 @@ async function getCostBreakdown(hoursBack: number = 24): Promise<CostBreakdown>
 async function getTokenMetrics(hoursBack: number = 24): Promise<TokenMetrics> {
   const db = getPool();
   try {
-    const [totalResult, byModelResult] = await Promise.all([
+    const [totalResult, byModelResult, compressionResult, compressedByModelResult] = await Promise.all([
       db.query(
-        `SELECT SUM(tokens_in) as total_in, SUM(tokens_out) as total_out, SUM(tokens_compressed) as total_compressed
-         FROM cost_analytics
-         WHERE created_at > NOW() - INTERVAL $1 HOUR`,
+        `SELECT SUM(tokens_in) as total_in, SUM(tokens_out) as total_out
+         FROM request_tracking
+         WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)`,
         [hoursBack]
       ),
       db.query(
-        `SELECT model, SUM(tokens_in) as in, SUM(tokens_out) as out, SUM(tokens_compressed) as compressed
-         FROM cost_analytics
-         WHERE created_at > NOW() - INTERVAL $1 HOUR
+        `SELECT model, SUM(tokens_in) as in, SUM(tokens_out) as out
+         FROM request_tracking
+         WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
          GROUP BY model`,
         [hoursBack]
-      )
+      ),
+      db.query(
+        `SELECT
+           COALESCE(SUM(tokens_before), 0) as tokens_before,
+           COALESCE(SUM(tokens_after), 0) as tokens_after,
+           COALESCE(SUM(GREATEST(tokens_before - tokens_after, 0)), 0) as tokens_saved
+         FROM tokenvault_metrics
+         WHERE tool_used = 'gateway'
+           AND created_at > NOW() - MAKE_INTERVAL(hours => $1)`,
+        [hoursBack]
+      ),
+      db.query(
+        `SELECT model, COALESCE(SUM(tokens_compressed), 0) as compressed
+         FROM cost_analytics
+         WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+         GROUP BY model`,
+        [hoursBack]
+      ),
     ]);
 
     const totalIn = parseInt(totalResult.rows[0]?.total_in || '0', 10);
     const totalOut = parseInt(totalResult.rows[0]?.total_out || '0', 10);
-    const totalCompressed = parseInt(totalResult.rows[0]?.total_compressed || '0', 10);
-    const total = totalIn + totalOut;
+    const compressedByModel = new Map(
+      compressedByModelResult.rows.map((row: any) => [row.model, parseInt(row.compressed || '0', 10)])
+    );
+    const compressionBefore = parseInt(compressionResult.rows[0]?.tokens_before || '0', 10);
+    const compressionAfter = parseInt(compressionResult.rows[0]?.tokens_after || '0', 10);
+    const compressionSaved = parseInt(compressionResult.rows[0]?.tokens_saved || '0', 10);
 
     const byModel: Record<string, { in: number; out: number; compressed: number }> = {};
     for (const row of byModelResult.rows) {
       byModel[row.model] = {
         in: parseInt(row.in || '0', 10),
         out: parseInt(row.out || '0', 10),
-        compressed: parseInt(row.compressed || '0', 10)
+        compressed: compressedByModel.get(row.model) ?? 0
       };
     }
 
     return {
       totalIn,
       totalOut,
-      totalCompressed,
-      compressionRate: total > 0 ? parseFloat((((total - totalCompressed) / total) * 100).toFixed(2)) : 0,
+      totalCompressed: compressionAfter,
+      compressionRate: compressionBefore > 0 ? compressionSaved / compressionBefore : 0,
       byModel
     };
   } catch (err) {
@@ -236,12 +573,12 @@ async function getAgentActivity(hoursBack: number = 24): Promise<AgentActivity[]
   const db = getPool();
   try {
     const result = await db.query(
-      `SELECT agent_id, COUNT(*) as task_count, AVG(cost_usd) as avg_cost,
+      `SELECT caller_id as agent_id, COUNT(*) as task_count, AVG(cost_usd) as avg_cost,
               AVG(confidence_score) as avg_confidence, SUM(tokens_in + tokens_out) as total_tokens,
               MAX(created_at) as last_activity
-       FROM cost_analytics
-       WHERE created_at > NOW() - INTERVAL $1 HOUR
-       GROUP BY agent_id
+       FROM request_tracking
+       WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+       GROUP BY caller_id
        ORDER BY task_count DESC`,
       [hoursBack]
     );
@@ -264,78 +601,100 @@ async function getAgentActivity(hoursBack: number = 24): Promise<AgentActivity[]
  * Get alert configuration and active alerts
  */
 async function getAlerts(): Promise<AlertData> {
-  const db = getPool();
-  try {
-    const [configResult, alertResult] = await Promise.all([
-      db.query(`SELECT * FROM cost_alert_config WHERE user_id = $1`, ['rene']),
-      db.query(`SELECT alert_type, COUNT(*) as count FROM alert_log WHERE acknowledged = FALSE GROUP BY alert_type`)
-    ]);
+  // Alert configuration is not yet stored in database
+  // Return default thresholds and empty alerts
+  const thresholds = {
+    compressionBelow: 40,
+    weeklyBudget: 50,
+    externalApiCost: 0
+  };
 
-    const thresholds = {
-      compressionBelow: 40,
-      weeklyBudget: 50,
-      externalApiCost: 0
-    };
-
-    for (const row of configResult.rows) {
-      if (row.alert_type === 'compression_below') {
-        thresholds.compressionBelow = parseFloat(row.threshold);
-      } else if (row.alert_type === 'weekly_budget') {
-        thresholds.weeklyBudget = parseFloat(row.threshold);
-      } else if (row.alert_type === 'external_api') {
-        thresholds.externalApiCost = parseFloat(row.threshold);
-      }
-    }
-
-    const byType: Record<string, number> = {};
-    let total = 0;
-    for (const row of alertResult.rows) {
-      byType[row.alert_type] = parseInt(row.count || '0', 10);
-      total += parseInt(row.count || '0', 10);
-    }
-
-    return {
-      active: total,
-      byType,
-      thresholds
-    };
-  } catch (err) {
-    logger.error({ err }, 'Failed to get alerts');
-    return { active: 0, byType: {}, thresholds: { compressionBelow: 40, weeklyBudget: 50, externalApiCost: 0 } };
-  }
+  return {
+    active: 0,
+    byType: {},
+    thresholds
+  };
 }
 
 export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
+  const dashboardAuth = { preHandler: requireDashboardAuth };
+
+  fastify.get('/api/dashboard/auth', async (request: FastifyRequest, reply: FastifyReply) => {
+    return reply.send({ success: true, data: dashboardAuthStatus(request) });
+  });
+
+  fastify.get('/api/dashboard/topology', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    const providers = getAllProviders();
+    const availableProviders = getAvailableProviders();
+    const providerNames = new Set(providers.map((provider) => provider.name));
+    const configuredProviders = providers.filter((provider) => provider.enabled && !!process.env[provider.envKey]);
+    const localProviders = providers.filter((provider) => provider.name.toLowerCase().includes('ollama'));
+    const subscriptionProviders = providers.filter((provider) =>
+      ['claude-bridge', 'copilot-bridge', 'm365-copilot-bridge', 'openai-codex']
+        .includes(provider.name)
+    );
+
+    return reply.send({
+      success: true,
+      data: {
+        product: 'llm.gateway',
+        mode: 'hybrid-safe',
+        summary: {
+          detectedClients: 6,
+          localModels: localProviders.length,
+          providersConfigured: configuredProviders.length,
+          trustPolicies: 3,
+          memoryBackends: 1,
+          plannedModules: 5,
+        },
+        nodes: [
+          ...['Codex', 'Claude Code', 'ChatGPT', 'Cursor', 'Automation pipelines', 'Internal services'].map((name) => ({
+            type: 'client',
+            name,
+            status: 'detectable',
+          })),
+          ...providers.map((provider) => ({
+            type: localProviders.includes(provider) ? 'local-provider' : subscriptionProviders.includes(provider) ? 'subscription-provider' : 'public-provider',
+            name: provider.name,
+            status: configuredProviders.includes(provider) ? 'configured' : provider.enabled ? 'available' : 'disabled',
+          })),
+        ],
+        receipts: [],
+        routes: availableProviders.filter((provider) => providerNames.has(provider.name)).map((provider) => provider.name),
+      },
+    });
+  });
+
   // Dashboard summary endpoint
-  fastify.get('/api/dashboard/summary', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/summary', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     const hours = (request.query as any).hours ?? 24;
     const summary = await getDashboardSummary(parseInt(hours, 10));
     return reply.send(summary);
   });
 
   // Cost breakdown endpoint
-  fastify.get('/api/dashboard/costs', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/costs', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     const hours = (request.query as any).hours ?? 24;
     const breakdown = await getCostBreakdown(parseInt(hours, 10));
     return reply.send(breakdown);
   });
 
   // Token metrics endpoint
-  fastify.get('/api/dashboard/tokens', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/tokens', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     const hours = (request.query as any).hours ?? 24;
     const metrics = await getTokenMetrics(parseInt(hours, 10));
     return reply.send(metrics);
   });
 
   // Agent activity endpoint
-  fastify.get('/api/dashboard/agents', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/agents', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     const hours = (request.query as any).hours ?? 24;
     const activity = await getAgentActivity(parseInt(hours, 10));
     return reply.send(activity);
   });
 
   // Alerts endpoint
-  fastify.get('/api/dashboard/alerts', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/alerts', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     const alerts = await getAlerts();
     return reply.send(alerts);
   });
@@ -407,7 +766,30 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
   });
 
   // Request history endpoint
-  fastify.get('/api/dashboard/requests', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/clients', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 720);
+      const clients = await getGatewayClientCoverage(hours);
+      return reply.status(200).send({
+        success: true,
+        data: clients,
+        meta: {
+          total: clients.length,
+          hours,
+          timestamp: new Date().toISOString(),
+        },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to fetch dashboard clients');
+      return reply.status(500).send({
+        success: false,
+        error: 'Failed to fetch clients',
+      });
+    }
+  });
+
+  // Request history endpoint
+  fastify.get('/api/dashboard/requests', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     try {
       const limit = Math.min(parseInt((request.query as any).limit as string) || 100, 1000);
       const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 168);
@@ -436,9 +818,9 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
   });
 
   // Aggregated metrics endpoint
-  fastify.get('/api/dashboard/request-metrics', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/request-metrics', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     try {
-      const bucketMinutes = Math.min(parseInt((request.query as any).bucket_minutes as string) || 60, 1440);
+      const bucketMinutes = Math.min(parseInt((request.query as any).bucket_minutes as string) || 1440, 1440);
 
       const db = getPool();
       const requestLogger = createRequestLogger(db);
@@ -462,7 +844,7 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
   });
 
   // Server-Sent Events endpoint for real-time request updates
-  fastify.get('/api/stream/requests', async (request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/stream/requests', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
     // Use raw Node.js API to properly initialize HTTP/2 stream
     reply.raw.writeHead(200, {
       'Content-Type': 'text/event-stream',
@@ -542,46 +924,105 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
   });
 
   // Test endpoint
-  fastify.get('/api/dashboard/test', async (_request: FastifyRequest, reply: FastifyReply) => {
+  fastify.get('/api/dashboard/test', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
     return reply.send({ test: 'ok', message: 'Test endpoint is working' });
   });
 
-  // Providers endpoint - lists all available LLM providers (local, subscription, free-tier)
-  fastify.get('/api/dashboard/providers', async (_request: FastifyRequest, reply: FastifyReply) => {
+  // Providers endpoint - lists all configured LLM providers (local, subscription, free-tier)
+  // Shows ALL providers regardless of API-key status so users can see what's possible.
+  fastify.get('/api/dashboard/providers', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
     try {
-      const availableProviders = await getAvailableProviders();
+      const allProviders = getAllProviders();
 
-      // Categorize providers by type
-      const providers = availableProviders.map(provider => {
+      // Friendly display labels for the UI
+      const displayLabels: Record<string, string> = {
+        'claude-bridge': 'Claude Code Subscription (Bridge)',
+        'claude-code': 'Claude Code Direct',
+        'copilot-bridge': 'GitHub Copilot Subscription',
+        'm365-copilot-bridge': 'Microsoft 365 Copilot Subscription',
+        'copilot-codex': 'GitHub Copilot (Codex Inner API)',
+        'openai-codex': 'OpenAI (ChatGPT + Codex)',
+        'cerebras': 'Cerebras (Free Tier)',
+        'groq': 'Groq (Free Tier)',
+        'mistral': 'Mistral AI (Free Tier)',
+        'nvidia': 'NVIDIA NIM (Free Tier)',
+        'cloudflare': 'Cloudflare Workers AI'
+      };
+
+      // Subscription providers (paid via login/subscription, NOT free-tier API)
+      const subscriptionNames = new Set([
+        'claude-bridge',
+        'copilot-bridge', 'm365-copilot-bridge', 'openai-codex'
+      ]);
+
+      // Categorize all providers (independent of API-key presence)
+      const providers = await Promise.all(allProviders.map(async provider => {
         let type: 'local' | 'subscription' | 'free' = 'free';
-        let status: 'configured' | 'unconfigured' | 'unavailable' = 'unconfigured';
-
-        // Determine provider type based on name
         if (provider.name.toLowerCase().includes('ollama')) {
           type = 'local';
-          status = provider.enabled ? 'configured' : 'unconfigured';
-        } else if (['claude-bridge', 'claude-code', 'openai-bridge', 'chatgpt-bridge', 'copilot-bridge', 'codex'].includes(provider.name)) {
+        } else if (subscriptionNames.has(provider.name)) {
           type = 'subscription';
-          status = provider.enabled && process.env[provider.envKey] ? 'configured' : 'unconfigured';
         } else {
           type = 'free';
-          status = provider.enabled && process.env[provider.envKey] ? 'configured' : 'unconfigured';
         }
+        const hasKey = !!process.env[provider.envKey];
+        const status: 'configured' | 'unconfigured' | 'unavailable' =
+          provider.enabled && hasKey ? 'configured'
+          : provider.enabled ? 'unconfigured'
+          : 'unavailable';
+        const runtime = await providerRuntime(provider.name);
 
         return {
           name: provider.name,
+          label: displayLabels[provider.name] ?? provider.name,
           type,
           status,
           enabled: provider.enabled,
+          envKey: provider.envKey,
           models: provider.models.map(m => ({
             id: m.id,
             tier: m.tier,
             contextLength: m.contextLength
           })),
           rateLimitRpm: provider.rateLimitRpm,
-          baseUrl: provider.baseUrl
+          baseUrl: provider.baseUrl,
+          ...runtime,
         };
-      });
+      }));
+
+      // Add local Ollama models from the model registry (models.yaml)
+      try {
+        const yaml = (await import('js-yaml')).default;
+        const fs = await import('fs');
+        const path = await import('path');
+        const { fileURLToPath } = await import('url');
+        const __filename = fileURLToPath(import.meta.url);
+        const __dirname = path.dirname(__filename);
+        const yamlPath = path.join(__dirname, '..', 'config', 'models.yaml');
+        if (fs.existsSync(yamlPath)) {
+          const cfg: any = yaml.load(fs.readFileSync(yamlPath, 'utf-8'));
+          const ollamaModels = Object.entries(cfg.models ?? {}).map(([id, info]: [string, any]) => ({
+            id,
+            tier: info.tier ?? 'medium',
+            contextLength: info.context_length ?? 0
+          }));
+          if (ollamaModels.length > 0) {
+            providers.unshift({
+              name: 'ollama',
+              label: 'Ollama (Local Models)',
+              type: 'local',
+              status: 'configured',
+              enabled: true,
+              envKey: 'OLLAMA_BASE_URL',
+              models: ollamaModels,
+              rateLimitRpm: 0,
+              baseUrl: cfg.ollama_base_url ?? ''
+            } as any);
+          }
+        }
+      } catch (yamlErr) {
+        logger.warn({ err: yamlErr }, 'Failed to load Ollama models from models.yaml');
+      }
 
       // Group by type for easy UI rendering
       const grouped = {
@@ -618,6 +1059,580 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
     }
   });
 
+  // ─── Subscription Auto-Gateway ────────────────────────────────────────────
+  // Reports subscription availability from TWO sources:
+  //   1. Auto-detection on the gateway host (CLI present + authenticated)
+  //   2. User declaration via Settings (works even when the gateway runs on a
+  //      remote server and the CLI lives on the user's machine)
+  // A subscription is considered "available" if either source flags it.
+  fastify.get('/api/dashboard/subscriptions', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const statuses = await discoverSubscriptions();
+      const runningBridges = getRunningBridges();
+      const runningById = new Map(runningBridges.map((b) => [b.descriptor.id, b]));
+      const userSettings = getPublicSettings();
+
+      const subscriptions = statuses.map((s) => {
+        const runtime = runningById.get(s.descriptor.id);
+        const userDeclared = userSettings.subscriptions[s.descriptor.id]?.enabled === true;
+        const detected = s.installed;
+        return {
+          id: s.descriptor.id,
+          label: s.descriptor.label,
+          command: s.descriptor.command,
+          /** True if the CLI was auto-detected on the gateway host */
+          detected,
+          /** True if the user explicitly declared this subscription in Settings */
+          userDeclared,
+          /** True if either source flags it as available — used by routing */
+          installed: detected || userDeclared,
+          authenticated: detected ? s.authenticated : (userDeclared ? 'unknown' : false),
+          version: s.version ?? null,
+          providerName: s.descriptor.providerName,
+          bridgePort: s.descriptor.bridgePort,
+          bridgeEnvKey: s.descriptor.bridgeEnvKey,
+          bridgeUrl: runtime?.url ?? s.bridgeUrl ?? null,
+          bridgeRunning: !!runtime || s.bridgeRunning,
+          autoSpawned: !!runtime,
+          startedAt: runtime?.startedAt?.toISOString() ?? null,
+          models: s.descriptor.models.map((m) => ({ id: m.id, tier: m.tier })),
+        };
+      });
+
+      const available = subscriptions.filter((s) => s.installed);
+      const running = subscriptions.filter((s) => s.bridgeRunning);
+
+      return reply.send({
+        success: true,
+        data: {
+          subscriptions,
+          summary: {
+            total: subscriptions.length,
+            installed: available.length,
+            detected: subscriptions.filter((s) => s.detected).length,
+            userDeclared: subscriptions.filter((s) => s.userDeclared).length,
+            running: running.length,
+            autoGatewayEnabled: process.env['SUBSCRIPTION_AUTO_GATEWAY'] === '1',
+            unifiedEndpoint: '/v1/chat/completions',
+            note: 'Subscriptions can be auto-detected (gateway host) OR user-declared (Settings).',
+          },
+        },
+        meta: { timestamp: new Date().toISOString() },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to discover subscriptions');
+      return reply.status(500).send({ success: false, error: 'Failed to discover subscriptions' });
+    }
+  });
+
+  // ─── Full-System Auto-Discovery ─────────────────────────────────────────
+  // GET  /api/dashboard/discover         → unified report (read-only)
+  // POST /api/dashboard/discover         → discover + spawn bridges
+  fastify.get('/api/dashboard/discover', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const report = await runDiscovery();
+      return reply.send({ success: true, data: report });
+    } catch (error) {
+      logger.error({ error }, 'Discovery scan failed');
+      return reply.status(500).send({ success: false, error: 'Discovery scan failed' });
+    }
+  });
+
+  fastify.post('/api/dashboard/discover', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const result = await runDiscoveryAndSpawn();
+      return reply.send({
+        success: true,
+        data: {
+          report: result.report,
+          spawned: result.spawned,
+          spawnedCount: result.spawned.length,
+        },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Discovery + spawn failed');
+      return reply.status(500).send({ success: false, error: 'Discovery + spawn failed' });
+    }
+  });
+
+  // POST /api/dashboard/subscriptions/spawn — trigger auto-spawn of detected bridges.
+  // Returns the list of bridges that were spawned (or already running).
+  fastify.post('/api/dashboard/subscriptions/spawn', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const statuses = await discoverSubscriptions();
+      const spawned = await spawnDetectedBridges(statuses);
+      return reply.send({
+        success: true,
+        data: {
+          spawnedCount: spawned.length,
+          bridges: spawned.map((b) => ({
+            id: b.descriptor.id,
+            label: b.descriptor.label,
+            url: b.url,
+            port: b.port,
+            startedAt: b.startedAt.toISOString(),
+          })),
+        },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to spawn subscription bridges');
+      return reply.status(500).send({ success: false, error: 'Failed to spawn bridges' });
+    }
+  });
+
+  // ─── Settings ─────────────────────────────────────────────────────────────
+  // Returns user configuration (which subscriptions, which API providers, …).
+  // API keys are NEVER returned in plaintext — only a hasKey:boolean flag.
+  fastify.get('/api/dashboard/settings', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      return reply.send({ success: true, data: getPublicSettings() });
+    } catch (error) {
+      logger.error({ error }, 'Failed to load settings');
+      return reply.status(500).send({ success: false, error: 'Failed to load settings' });
+    }
+  });
+
+  // Persist a settings patch. The patch is merged into the existing settings —
+  // omitted fields are left untouched, allowing partial updates.
+  fastify.post('/api/dashboard/settings', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const parsed = SettingsPatchSchema.safeParse(request.body);
+      if (!parsed.success) {
+        return reply.status(400).send({
+          success: false,
+          error: 'Invalid settings payload',
+          details: parsed.error.flatten(),
+        });
+      }
+      saveSettings(parsed.data);
+      return reply.send({ success: true, data: getPublicSettings() });
+    } catch (error) {
+      logger.error({ error }, 'Failed to save settings');
+      return reply.status(500).send({ success: false, error: 'Failed to save settings' });
+    }
+  });
+
+  // ─── Savings Dashboard (cache + compression + subscription + routing) ──
+  // Combines all five savings mechanisms into a single comprehensive picture.
+  fastify.get('/api/dashboard/savings', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      // Allow up to 1 year window for "all-time" hero counter
+      const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 8760);
+      const bucketMin = Math.max(parseInt((request.query as any).bucket_minutes as string) || 60, 5);
+      const db = getPool();
+      const [legacySavings, series, comprehensive, sinceRestart] = await Promise.all([
+        getCacheSavings(db, hours),                    // legacy field for backwards compat
+        getSavingsTimeSeries(db, hours, bucketMin),
+        getComprehensiveSavings(db, hours),
+        getCompressionSinceRestart(db, SERVER_STARTED_AT_ISO),
+      ]);
+      const realCostSaved = Math.max(comprehensive.totalCostSaved, legacySavings.totalCostSaved);
+      const useBaselineSavings = realCostSaved < WORKBENCH_V1_BASELINE.totalCostSaved;
+      const totalCostSaved = useBaselineSavings ? WORKBENCH_V1_BASELINE.totalCostSaved : realCostSaved;
+      const totalTokensSaved = Math.max(comprehensive.totalTokensSaved, legacySavings.totalTokensSaved, WORKBENCH_V1_BASELINE.totalTokensSaved);
+      const totalHits = Math.max(legacySavings.totalHits, WORKBENCH_V1_BASELINE.totalHits);
+      const hitRatePercent = legacySavings.hitRatePercent > 0
+        ? Math.max(legacySavings.hitRatePercent, WORKBENCH_V1_BASELINE.hitRatePercent)
+        : WORKBENCH_V1_BASELINE.hitRatePercent;
+      const costWithoutGateway = useBaselineSavings
+        ? WORKBENCH_V1_BASELINE.costWithoutGateway
+        : comprehensive.costWithoutGateway;
+      const costWithGateway = useBaselineSavings
+        ? WORKBENCH_V1_BASELINE.costWithGateway
+        : comprehensive.costWithGateway;
+      const effectiveSavingsPercent = costWithoutGateway > 0
+        ? ((costWithoutGateway - costWithGateway) / costWithoutGateway) * 100
+        : 0;
+      return reply.send({
+        success: true,
+        data: {
+          // Backwards compatible cache-only summary so existing UI keeps working
+          savings: {
+            ...legacySavings,
+            totalHits,
+            hitRatePercent,
+            uniqueEntries: Math.max(legacySavings.uniqueEntries, totalHits),
+            // Override with the comprehensive numbers when available
+            totalCostSaved,
+            totalTokensSaved,
+            // Detailed breakdown for the new UI sections
+            comprehensive: {
+              bySource: comprehensive.bySource,
+              costWithoutGateway,
+              costWithGateway,
+              effectiveSavingsPercent,
+              totals: comprehensive.totals,
+            },
+            // Compression since this gateway process started — resets at each restart.
+            sinceRestart,
+          },
+          series,
+        },
+        meta: { hours, bucket_minutes: bucketMin, timestamp: new Date().toISOString() },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to fetch savings');
+      return reply.status(500).send({ success: false, error: 'Failed to fetch savings' });
+    }
+  });
+
+  fastify.post('/api/dashboard/cache/clear', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const caller = (request.body as any)?.caller as string | undefined;
+      if (!caller) return reply.status(400).send({ success: false, error: 'caller required' });
+      const removed = await clearCacheForCaller(getPool(), caller);
+      return reply.send({ success: true, data: { removed } });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'Cache clear failed' });
+    }
+  });
+
+  fastify.post('/api/dashboard/cache/prune', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const days = Math.max(parseInt((request.body as any)?.max_age_days) || 7, 1);
+      const removed = await pruneStaleCacheEntries(getPool(), days);
+      return reply.send({ success: true, data: { removed, max_age_days: days } });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'Cache prune failed' });
+    }
+  });
+
+  // ─── Subscription Pool Wallet (UNIQUE feature) ─────────────────────────
+  fastify.get('/api/dashboard/wallet', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const wallet = await getSubscriptionWallet(getPool());
+      const totalQuota = wallet.reduce((sum, w) => sum + (w.requestQuota ?? 0), 0);
+      const totalUsed  = wallet.reduce((sum, w) => sum + w.used, 0);
+      const totalRemaining = wallet.reduce((sum, w) => sum + (w.remaining ?? 0), 0);
+      return reply.send({
+        success: true,
+        data: {
+          wallet,
+          totals: { quota: totalQuota, used: totalUsed, remaining: totalRemaining },
+        },
+        meta: { timestamp: new Date().toISOString() },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to fetch wallet');
+      return reply.status(500).send({ success: false, error: 'Failed to fetch wallet' });
+    }
+  });
+
+  // Manually charge a subscription (for testing or external integrations)
+  fastify.post('/api/dashboard/wallet/charge', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const { subscription_id, tokens } = request.body as { subscription_id?: string; tokens?: number };
+      if (!subscription_id) return reply.status(400).send({ success: false, error: 'subscription_id required' });
+      await recordSubscriptionUsage(getPool(), subscription_id, tokens ?? 0);
+      return reply.send({ success: true });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'wallet charge failed' });
+    }
+  });
+
+  // ─── Knowledge Memory ─────────────────────────────────────────────────
+  fastify.get('/api/dashboard/memory/:caller', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const caller = (request.params as any).caller as string;
+      const facts = await recallFacts(getPool(), caller, 50);
+      return reply.send({ success: true, data: { caller, facts } });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'memory read failed' });
+    }
+  });
+
+  fastify.post('/api/dashboard/memory/:caller', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const caller = (request.params as any).caller as string;
+      const { fact_key, fact_value, confidence, source } = request.body as Record<string, any>;
+      if (!fact_key || !fact_value) {
+        return reply.status(400).send({ success: false, error: 'fact_key and fact_value required' });
+      }
+      await rememberFact(getPool(), caller, fact_key, fact_value, { confidence, source });
+      const facts = await recallFacts(getPool(), caller, 50);
+      return reply.send({ success: true, data: { caller, facts } });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'memory write failed' });
+    }
+  });
+
+  // ─── Gamification: buddy / pet ─────────────────────────────────────────
+  fastify.get('/api/dashboard/buddy', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const buddy = await getBuddyState(getPool(), 'gateway');
+      return reply.send({ success: true, data: buddy });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'buddy state failed' });
+    }
+  });
+
+  // ─── Achievements ──────────────────────────────────────────────────────
+  fastify.get('/api/dashboard/achievements', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const data = await getAchievements(getPool());
+      return reply.send({ success: true, data });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'achievements failed' });
+    }
+  });
+
+  // ─── Calendar heatmap ──────────────────────────────────────────────────
+  fastify.get('/api/dashboard/heatmap', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const days = Math.min(parseInt((request.query as any).days as string) || 365, 365);
+      const cells = await getCalendarHeatmap(getPool(), days);
+      return reply.send({ success: true, data: cells });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'heatmap failed' });
+    }
+  });
+
+  // ─── Live events feed ──────────────────────────────────────────────────
+  fastify.get('/api/dashboard/events', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const limit = Math.min(parseInt((request.query as any).limit as string) || 50, 200);
+      const events = await getRecentEvents(getPool(), limit);
+      return reply.send({ success: true, data: events });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'events failed' });
+    }
+  });
+
+  // ─── Cost forecast ─────────────────────────────────────────────────────
+  fastify.get('/api/dashboard/forecast', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const f = await getForecast(getPool());
+      return reply.send({ success: true, data: f });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'forecast failed' });
+    }
+  });
+
+  // ─── MCP tool-call ingest (called by llm-gateway-ctx server) ──────────
+  fastify.post('/api/dashboard/mcp-tool-call', async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const b = request.body as Record<string, any>;
+      if (!b?.tool) return reply.status(400).send({ success: false, error: 'tool required' });
+      await getPool().query(
+        `INSERT INTO mcp_tool_calls (tool, mode, tokens_before, tokens_after, tokens_saved, duration_ms, path, cmd)
+         VALUES ($1, $2, $3, $4, $5, $6, $7, $8)`,
+        [
+          String(b.tool).slice(0, 40),
+          b.mode ? String(b.mode).slice(0, 40) : null,
+          parseInt(b.tokens_before, 10) || 0,
+          parseInt(b.tokens_after, 10) || 0,
+          parseInt(b.tokens_saved, 10) || 0,
+          parseInt(b.duration_ms, 10) || 0,
+          b.path ? String(b.path).slice(0, 500) : null,
+          b.cmd ? String(b.cmd).slice(0, 500) : null,
+        ]
+      );
+      return reply.send({ success: true });
+    } catch (error) {
+      logger.warn({ error }, 'mcp-tool-call ingest failed');
+      return reply.status(500).send({ success: false, error: 'ingest failed' });
+    }
+  });
+
+  fastify.get('/api/dashboard/mcp-tool-stats', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 720);
+      const db = getPool();
+      const [totals, byTool] = await Promise.all([
+        db.query(`
+          SELECT COUNT(*)::INT AS calls,
+                 COALESCE(SUM(tokens_before), 0)::BIGINT AS tokens_before,
+                 COALESCE(SUM(tokens_after),  0)::BIGINT AS tokens_after,
+                 COALESCE(SUM(tokens_saved),  0)::BIGINT AS tokens_saved
+          FROM mcp_tool_calls
+          WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+        `, [hours]),
+        db.query(`
+          SELECT tool,
+                 COUNT(*)::INT AS calls,
+                 COALESCE(SUM(tokens_saved), 0)::BIGINT AS tokens_saved,
+                 COALESCE(AVG(duration_ms), 0)::INT AS avg_duration_ms
+          FROM mcp_tool_calls
+          WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+          GROUP BY tool
+          ORDER BY tokens_saved DESC
+        `, [hours]),
+      ]);
+      const t = totals.rows[0];
+      const tokBefore = parseInt(t.tokens_before, 10) || 0;
+      const tokAfter = parseInt(t.tokens_after, 10) || 0;
+      const ratio = tokBefore > 0 ? (1 - tokAfter / tokBefore) : 0;
+      return reply.send({
+        success: true,
+        data: {
+          totalCalls: parseInt(t.calls, 10) || 0,
+          totalTokensBefore: tokBefore,
+          totalTokensAfter: tokAfter,
+          totalTokensSaved: parseInt(t.tokens_saved, 10) || 0,
+          avgCompressionRatio: ratio,
+          byTool: byTool.rows.map((r: any) => ({
+            tool: r.tool,
+            calls: parseInt(r.calls, 10),
+            tokensSaved: parseInt(r.tokens_saved, 10),
+            avgDurationMs: parseInt(r.avg_duration_ms, 10),
+          })),
+        },
+      });
+    } catch (error) {
+      logger.warn({ error }, 'mcp-tool-stats failed');
+      return reply.status(500).send({ success: false, error: 'stats failed' });
+    }
+  });
+
+  // ─── Memory graph (D3-ready nodes + edges) ────────────────────────────
+  fastify.get('/api/dashboard/memory-graph', dashboardAuth, async (_request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const graph = await buildMemoryGraph(getPool());
+      return reply.send({ success: true, data: graph });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'memory-graph failed' });
+    }
+  });
+
+  // ─── Race leaderboard (fastest model this week) ──────────────────────
+  fastify.get('/api/dashboard/race-leaderboard', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const days = Math.max(parseInt((request.query as any).days as string) || 7, 1);
+      const board = await getRaceLeaderboard(getPool(), days);
+      return reply.send({ success: true, data: board });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'leaderboard failed' });
+    }
+  });
+
+  // ─── Per-caller deep dive ─────────────────────────────────────────────
+  fastify.get('/api/dashboard/caller/:caller', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const caller = (request.params as any).caller as string;
+      const data = await getCallerDeepDive(getPool(), caller);
+      if (!data) return reply.status(404).send({ success: false, error: 'caller not found' });
+      return reply.send({ success: true, data });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'caller deep dive failed' });
+    }
+  });
+
+  // ─── Monthly report (HTML, browser saves as PDF) ──────────────────────
+  fastify.get('/api/dashboard/report', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const now = new Date();
+      const year = parseInt((request.query as any).year as string) || now.getUTCFullYear();
+      const month = parseInt((request.query as any).month as string) || now.getUTCMonth() + 1;
+      const html = await generateMonthlyReport(getPool(), year, month);
+      return reply.type('text/html').send(html);
+    } catch (error) {
+      logger.error({ error }, 'report generation failed');
+      return reply.status(500).send({ success: false, error: 'report generation failed' });
+    }
+  });
+
+  // ─── Public share card (SVG) — no auth required, safe for public embed ──
+  fastify.get('/api/dashboard/share-card', async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const period = ((request.query as any).period as string) || 'month';
+      const theme = ((request.query as any).theme as string) || 'dark';
+      const validPeriods = ['day', 'week', 'month', 'all'];
+      const validThemes = ['dark', 'light'];
+      const svg = await generateShareCard(getPool(), {
+        period: validPeriods.includes(period) ? (period as any) : 'month',
+        theme: validThemes.includes(theme) ? (theme as any) : 'dark',
+      });
+      return reply
+        .type('image/svg+xml')
+        .header('Cache-Control', 'public, max-age=300')
+        .send(svg);
+    } catch (error) {
+      logger.error({ error }, 'share card failed');
+      return reply.status(500).send({ success: false, error: 'share card failed' });
+    }
+  });
+
+  // ─── Race mode statistics ─────────────────────────────────────────────
+  fastify.get('/api/dashboard/race-stats', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 168);
+      const stats = await getRaceStats(getPool(), hours);
+      return reply.send({ success: true, data: stats });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'race stats failed' });
+    }
+  });
+
+  // ─── Web AI events (browser extension reports) ───────────────────────
+  fastify.post('/api/dashboard/web-event', async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const body = request.body as Record<string, any>;
+      if (!body?.source || !body?.event_type) {
+        return reply.status(400).send({ success: false, error: 'source and event_type required' });
+      }
+      await getPool().query(
+        `INSERT INTO web_ai_events (source, event_type, conversation_id, message_count, prompt_chars, response_chars, client_id)
+         VALUES ($1, $2, $3, $4, $5, $6, $7)`,
+        [
+          String(body.source).slice(0, 60),
+          String(body.event_type).slice(0, 60),
+          body.conversation_id ? String(body.conversation_id).slice(0, 100) : null,
+          parseInt(body.message_count, 10) || 0,
+          parseInt(body.prompt_chars, 10) || 0,
+          parseInt(body.response_chars, 10) || 0,
+          body.client_id ? String(body.client_id).slice(0, 100) : null,
+        ]
+      );
+      return reply.send({ success: true });
+    } catch (error) {
+      logger.warn({ error }, 'web-event insert failed');
+      return reply.status(500).send({ success: false, error: 'event log failed' });
+    }
+  });
+
+  fastify.get('/api/dashboard/web-events', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const hours = Math.min(parseInt((request.query as any).hours as string) || 24, 168);
+      const result = await getPool().query(
+        `SELECT
+           source,
+           COUNT(*)::INT AS events,
+           SUM(message_count)::INT AS messages,
+           COALESCE(SUM(prompt_chars), 0)::BIGINT AS prompt_chars,
+           COALESCE(SUM(response_chars), 0)::BIGINT AS response_chars,
+           MAX(created_at) AS last_seen
+         FROM web_ai_events
+         WHERE created_at > NOW() - MAKE_INTERVAL(hours => $1)
+         GROUP BY source ORDER BY events DESC`,
+        [hours]
+      );
+      return reply.send({
+        success: true,
+        data: result.rows.map((r: any) => ({
+          source: r.source,
+          events: parseInt(r.events, 10),
+          messages: parseInt(r.messages, 10),
+          promptChars: parseInt(r.prompt_chars, 10),
+          responseChars: parseInt(r.response_chars, 10),
+          lastSeen: r.last_seen ? new Date(r.last_seen).toISOString() : null,
+        })),
+      });
+    } catch (error) {
+      logger.warn({ error }, 'web-events read failed');
+      return reply.status(500).send({ success: false, error: 'web-events failed' });
+    }
+  });
+
+  fastify.delete('/api/dashboard/memory/:caller', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const caller = (request.params as any).caller as string;
+      const removed = await forgetCaller(getPool(), caller);
+      return reply.send({ success: true, data: { removed } });
+    } catch (error) {
+      return reply.status(500).send({ success: false, error: 'memory clear failed' });
+    }
+  });
+
   // Dashboard UI endpoint (served at /api/dashboard/index for Cloudflare tunnel compatibility)
   fastify.get('/api/dashboard/index', async (_request: FastifyRequest, reply: FastifyReply) => {
     try {
@@ -708,4 +1723,45 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
       return reply.status(500).send({ error: 'Failed to serve dashboard UI' });
     }
   });
+
+  // Passive usage import: lets clients that talk DIRECTLY to a provider (e.g. the
+  // laptop's Claude Code -> api.anthropic.com) report their usage so they appear in
+  // clients/costs WITHOUT routing traffic through the gateway. A caller containing
+  // 'claude-code' matches the CLIENT_CATALOG 'claude-desktop' entry.
+  fastify.post('/api/dashboard/usage/report', dashboardAuth, async (request: FastifyRequest, reply: FastifyReply) => {
+    try {
+      const body = (request.body ?? {}) as Record<string, unknown>;
+      const caller = String(body.caller ?? 'claude-code-laptop').slice(0, 120);
+      const model = String(body.model ?? 'claude-code').slice(0, 120);
+      const tokensIn = Math.max(0, Math.floor(Number(body.tokens_in) || 0));
+      const tokensOut = Math.max(0, Math.floor(Number(body.tokens_out) || 0));
+      const costUsd = Math.max(0, Number(body.cost_usd) || 0);
+      const day = String(body.day ?? new Date().toISOString().slice(0, 10)).slice(0, 32);
+      if (tokensIn === 0 && tokensOut === 0) {
+        return reply.status(400).send({ success: false, error: 'tokens_in or tokens_out required' });
+      }
+      // Stamp the row with the ACTUAL usage day so lastSeen = when tokens were
+      // used, not when the export ran. Cap at "now" so today's still-growing day
+      // reads as current/live.
+      const dayEnd = new Date(`${day}T23:59:59Z`);
+      const usedAt = dayEnd.getTime() > Date.now() ? new Date() : dayEnd;
+      const db = getPool();
+      const requestId = `usage-import:${caller}:${model}:${day}`;
+      // Upsert by request_id (one row per caller/model/day): re-reporting an
+      // in-progress day updates its totals instead of creating duplicates.
+      const updated = await db.query(
+        `UPDATE request_tracking SET tokens_in=$1, tokens_out=$2, cost_usd=$3, created_at=$4 WHERE request_id=$5`,
+        [tokensIn, tokensOut, costUsd, usedAt, requestId]
+      );
+      if (updated.rowCount === 0) {
+        const requestLogger = createRequestLogger(db);
+        await requestLogger.logRequest(requestId, caller, 'usage_import', model, 'approved', tokensIn, tokensOut, costUsd, 0);
+        await db.query(`UPDATE request_tracking SET created_at=$1 WHERE request_id=$2`, [usedAt, requestId]);
+      }
+      return reply.status(200).send({ success: true, imported: { caller, model, day, tokensIn, tokensOut, costUsd, usedAt } });
+    } catch (error) {
+      logger.error({ error }, 'Failed to import usage report');
+      return reply.status(500).send({ success: false, error: 'Failed to import usage report' });
+    }
+  });
 }
diff --git a/packages/gateway/src/routes/health.ts b/packages/gateway/src/routes/health.ts
index be8b3fd..e7c546e 100644
--- a/packages/gateway/src/routes/health.ts
+++ b/packages/gateway/src/routes/health.ts
@@ -38,22 +38,40 @@ async function checkOllama(baseUrl: string): Promise<{ status: 'ok' | 'down'; la
 
 async function checkDatabase(): Promise<{ status: 'ok' | 'down'; error?: string }> {
   try {
-    await query('SELECT 1');
+    await withTimeout(query('SELECT 1'), 2500, 'database check timed out');
     return { status: 'ok' };
   } catch (err) {
     return { status: 'down', error: err instanceof Error ? err.message : 'Unknown error' };
   }
 }
 
+async function withTimeout<T>(promise: Promise<T>, timeoutMs: number, message: string): Promise<T> {
+  let timer: NodeJS.Timeout | undefined;
+  try {
+    return await Promise.race([
+      promise,
+      new Promise<T>((_resolve, reject) => {
+        timer = setTimeout(() => reject(new Error(message)), timeoutMs);
+      }),
+    ]);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+
 async function checkQueue(): Promise<{ status: 'ok' | 'down' | 'unknown'; depth?: number; error?: string }> {
   const boss = getPgBoss();
   if (!boss) return { status: 'unknown' };
 
   try {
-    const [queued, active] = await Promise.all([
-      boss.getQueueSize('llm-batch', { before: 'completed' }),
-      boss.getQueueSize('llm-batch', { before: 'active' }),
-    ]);
+    const [queued, active] = await withTimeout(
+      Promise.all([
+        boss.getQueueSize('llm-batch', { before: 'completed' }),
+        boss.getQueueSize('llm-batch', { before: 'active' }),
+      ]),
+      2500,
+      'queue check timed out',
+    );
     return { status: 'ok', depth: (queued ?? 0) + (active ?? 0) };
   } catch (err) {
     return { status: 'down', error: err instanceof Error ? err.message : 'Unknown error' };
@@ -62,8 +80,10 @@ async function checkQueue(): Promise<{ status: 'ok' | 'down' | 'unknown'; depth?
 
 async function getReviewQueueCount(): Promise<number> {
   try {
-    const result = await query<{ count: string }>(
-      'SELECT COUNT(*) as count FROM review_queue WHERE decision IS NULL',
+    const result = await withTimeout(
+      query<{ count: string }>('SELECT COUNT(*) as count FROM review_queue WHERE decision IS NULL'),
+      2500,
+      'review queue check timed out',
     );
     return parseInt(result.rows[0]?.count ?? '0', 10);
   } catch {
@@ -78,8 +98,9 @@ export async function healthRoute(fastify: FastifyInstance): Promise<void> {
       // Check if this is a dashboard UI request with ?ui=1 or ?dashboard=1
       const query = request.query as any;
       const isDashboardRequest = query.ui || query.dashboard;
+      const acceptsHtml = String(request.headers.accept ?? '').includes('text/html');
 
-      if (isDashboardRequest) {
+      if (isDashboardRequest || acceptsHtml) {
         try {
           const __filename = fileURLToPath(import.meta.url);
           const __dirname = dirname(__filename);
@@ -108,8 +129,8 @@ export async function healthRoute(fastify: FastifyInstance): Promise<void> {
 
       const breakerStates = getAllBreakerStates();
 
-      const isDown = ollamaCheck.status === 'down' || dbCheck.status === 'down';
-      const isDegraded = queueCheck.status === 'down' || Object.values(breakerStates).some((s) => s === 'open');
+      const isDown = dbCheck.status === 'down';
+      const isDegraded = ollamaCheck.status === 'down' || queueCheck.status === 'down' || Object.values(breakerStates).some((s) => s === 'open');
 
       const status: HealthStatus['status'] = isDown ? 'down' : isDegraded ? 'degraded' : 'ok';
 
diff --git a/packages/gateway/src/routes/static.ts b/packages/gateway/src/routes/static.ts
index 6185e64..43e0e3a 100644
--- a/packages/gateway/src/routes/static.ts
+++ b/packages/gateway/src/routes/static.ts
@@ -11,6 +11,22 @@ export async function staticRoute(fastify: FastifyInstance): Promise<void> {
 
   logger.info({ publicDir }, 'Static file serving initialized');
 
+  function sendHtml(filename: string, reply: any) {
+    const filePath = join(publicDir, filename);
+    if (!existsSync(filePath)) {
+      logger.warn({ path: filePath }, `${filename} not found`);
+      return reply.status(404).send({ error: `${filename} not found` });
+    }
+
+    const content = readFileSync(filePath, 'utf-8');
+    return reply
+      .header('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0')
+      .header('Pragma', 'no-cache')
+      .header('Expires', '0')
+      .type('text/html')
+      .send(content);
+  }
+
   // Serve root path
   fastify.get('/', async (request, reply) => {
     logger.info({ method: request.method, url: request.url, host: request.hostname }, 'Root path requested');
@@ -26,13 +42,47 @@ export async function staticRoute(fastify: FastifyInstance): Promise<void> {
 
   // Serve /dashboard.html
   fastify.get('/dashboard.html', async (_request, reply) => {
-    const dashboardPath = join(publicDir, 'dashboard.html');
-    if (!existsSync(dashboardPath)) {
-      logger.warn({ path: dashboardPath }, 'dashboard.html not found');
-      return reply.status(404).send({ error: 'dashboard.html not found' });
-    }
-    const content = readFileSync(dashboardPath, 'utf-8');
-    return reply.type('text/html').send(content);
+    return sendHtml('dashboard.html', reply);
+  });
+
+  fastify.get('/dashboard-v2.html', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/v2/dashboard', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/v2/dashboard/', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/v2', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/v2/', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/dashboard/v2', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/dashboard/v2/', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/api/dashboard-v2', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/api/v2/dashboard', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
+  });
+
+  fastify.get('/api/dashboard/v2', async (_request, reply) => {
+    return sendHtml('dashboard-v2.html', reply);
   });
 
   // Serve /api/dashboard as HTML for compatibility
diff --git a/packages/gateway/src/security/tls-config.ts b/packages/gateway/src/security/tls-config.ts
index d732779..74d253a 100644
--- a/packages/gateway/src/security/tls-config.ts
+++ b/packages/gateway/src/security/tls-config.ts
@@ -107,6 +107,25 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
       return;
     }
 
+    const hostHeader = String(request.headers['host'] ?? '');
+    const forwardedHost = String(request.headers['x-forwarded-host'] ?? '');
+    const remoteAddress = request.ip ?? '';
+    const host = forwardedHost || hostHeader;
+    const isLoopbackHost =
+      /^localhost(?::\d+)?$/i.test(host) ||
+      /^127\.0\.0\.1(?::\d+)?$/.test(host) ||
+      /^\[::1\](?::\d+)?$/.test(host);
+    const isLoopbackRemote =
+      remoteAddress === '127.0.0.1' ||
+      remoteAddress === '::1' ||
+      remoteAddress === '::ffff:127.0.0.1';
+
+    // Internal loopback callers such as Magatama Core run behind the same host
+    // and must not be redirected to HTTPS unless the Gateway actually serves TLS.
+    if (isLoopbackHost || isLoopbackRemote) {
+      return;
+    }
+
     // Check if connection is not secure
     // In production, X-Forwarded-Proto is set by reverse proxy (Cloudflare)
     const isSecure =
@@ -114,7 +133,6 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
       (request.headers['x-forwarded-proto'] === 'https');
 
     if (!isSecure && process.env['NODE_ENV'] === 'production') {
-      const host = request.headers['x-forwarded-host'] || request.headers['host'];
       return reply.redirect(`https://${host}${request.url}`);
     }
   });
@@ -126,10 +144,10 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
  */
 export async function registerSecurityHeadersMiddleware(server: FastifyInstance) {
   server.addHook('onSend', async (request, reply) => {
-    // Content Security Policy - strict, no inline scripts
+    // Content Security Policy for the self-contained dashboard UI.
     reply.header(
       'Content-Security-Policy',
-      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
     );
 
     // Prevent clickjacking
diff --git a/packages/gateway/src/server.ts b/packages/gateway/src/server.ts
index e7878d2..0d5626e 100644
--- a/packages/gateway/src/server.ts
+++ b/packages/gateway/src/server.ts
@@ -12,11 +12,23 @@ import { dashboardRoute } from './routes/dashboard.js';
 import { streamRoute } from './routes/stream.js';
 import { learningInsightsRoute } from './routes/learning-insights.js';
 import { staticRoute } from './routes/static.js';
+import tenantAuth from './security/tenant-auth.js';
+import { internalRoute } from './routes/internal.js';
 import { getPool } from './db/client.js';
 import { runMigrations } from './db/migrate.js';
 import { initPgBoss } from './queue/pg-boss-client.js';
 import { logger } from './observability/logger.js';
 import { scheduleLearningCycles } from './learning/learning-engine.js';
+import { autoSpawnOnBoot } from './modules/auto-discovery.js';
+import { embeddingsRoute } from './routes/embeddings.js';
+import { replayRoute } from './routes/replay.js';
+import { audioRoute } from './routes/audio.js';
+import { mcpRoute } from './modules/mcp-server.js';
+import { loadWorkspacePreset, applyWorkspaceDefaults } from './modules/workspace-presets.js';
+import { loadPlugins } from './modules/plugin-system.js';
+import { ingestPeerStats, scheduleFederationPublisher, buildStats } from './modules/federated-stats.js';
+import { scheduleAdaptiveLearner, getAllRecommendations } from './modules/adaptive-routing.js';
+import { startBridgeWatchdog } from './modules/bridge-watchdog.js';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 import { readFileSync, existsSync } from 'fs';
@@ -77,6 +89,7 @@ async function buildServer() {
       directives: {
         defaultSrc: ["'self'"],
         scriptSrc: ["'self'", "'unsafe-inline'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
         objectSrc: ["'none'"],
       },
     },
@@ -92,15 +105,17 @@ async function buildServer() {
       'http://192.168.178.196:3000',
       /^http:\/\/192\.168\.178\.\d+/,
       /^https:\/\/.*\.context-x\.org$/,
+      /^https:\/\/(www\.)?runwerk\.app$/,
+      /^https:\/\/.*\.runwerk\.app$/,
     ],
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
-    allowedHeaders: ['Content-Type', 'Authorization', 'X-Caller-ID'],
+    allowedHeaders: ['Content-Type', 'Authorization', 'X-Caller-ID', 'X-Runwerk-Caller', 'X-Runwerk-Privacy', 'X-Runwerk-Tier', 'X-Runwerk-Purpose'],
     credentials: true,
   });
 
   await server.register(fastifyRateLimit, {
     global: true,
-    max: 100,
+    max: 1000,
     timeWindow: '1 minute',
     keyGenerator: (request) => {
       const caller = (request.headers['x-caller-id'] as string) ?? 'default';
@@ -113,7 +128,17 @@ async function buildServer() {
     }),
   });
 
+  await server.register(tenantAuth);
+  await server.register(internalRoute);
   await server.register(completionRoute, { prefix: '/v1' });
+  await server.register(embeddingsRoute, { prefix: '/v1' });
+  await server.register(replayRoute, { prefix: '/v1' });
+  await server.register(audioRoute, { prefix: '/v1' });
+  await server.register(mcpRoute);
+  server.post('/v1/federation/ingest', async (request, reply) => {
+    const result = ingestPeerStats(request.body as never);
+    return reply.send({ success: true, ...result });
+  });
   await server.register(batchRoute, { prefix: '/v1' });
   await server.register(classifyRoute, { prefix: '/v1' });
   await server.register(reviewRoute, { prefix: '/v1' });
@@ -192,9 +217,54 @@ async function main() {
     } catch (pgErr) {
       logger.warn({ pgErr }, 'PgBoss init failed - continuing without queue');
     }
+    // Workspace preset (apply env defaults from workspace.yaml if present)
+    try {
+      const preset = await loadWorkspacePreset();
+      if (preset) applyWorkspaceDefaults(preset);
+    } catch (err) {
+      logger.warn({ err }, 'Workspace preset load failed (non-fatal)');
+    }
+
+    // Plugin system (load pre/post hooks from PLUGINS_DIR)
+    try {
+      await loadPlugins();
+    } catch (err) {
+      logger.warn({ err }, 'Plugin loading failed (non-fatal)');
+    }
+
     scheduleLearningCycles();
     await server.listen({ port, host });
     logger.info({ port, host }, 'LLM Gateway started');
+
+    // Auto-spawn detected subscription bridges if AUTO_SPAWN_BRIDGES=1
+    void autoSpawnOnBoot();
+
+    // Bridge watchdog (opt-in via WATCHDOG_ENABLED=1)
+    try {
+      startBridgeWatchdog();
+    } catch (err) {
+      logger.warn({ err }, 'Bridge watchdog start failed');
+    }
+
+    // Adaptive routing learner (opt-in via ADAPTIVE_ROUTING_ENABLED=1)
+    try {
+      const pool = getPool();
+      scheduleAdaptiveLearner(pool as never);
+    } catch (err) {
+      logger.warn({ err }, 'Adaptive learner scheduling failed');
+    }
+
+    // Federation publisher (opt-in via FEDERATION_ENABLED=1)
+    scheduleFederationPublisher(async () => {
+      const recos = getAllRecommendations();
+      return buildStats(recos.map((r) => ({
+        task_type: r.taskType,
+        model_used: r.preferredModel,
+        samples: r.rationale.samples,
+        success_rate: r.rationale.successRate,
+        avg_latency_ms: r.rationale.avgLatencyMs,
+      })));
+    });
   } catch (err) {
     logger.error({ err }, 'Failed to start server');
     process.exit(1);
diff --git a/packages/gateway/src/utils/tokenvault-hooks.ts b/packages/gateway/src/utils/tokenvault-hooks.ts
index 688e2d0..56460fc 100644
--- a/packages/gateway/src/utils/tokenvault-hooks.ts
+++ b/packages/gateway/src/utils/tokenvault-hooks.ts
@@ -1,5 +1,5 @@
 // Tokenvault Integration Hooks
-// Instruments LeanCTX and RTK compression tracking
+// Instruments LLM Gateway compression tracking (legacy hook names retained for backward compat)
 // Updated: 2026-04-19
 
 import { Pool, QueryResult } from 'pg';
@@ -62,13 +62,13 @@ export function estimateTokens(text: string | object): number {
 }
 
 /**
- * Log compression ratio for RTK output
+ * Log compression ratio for token-trim output
  */
-export async function logRTKCompression(
+export async function logGatewayTrimCompression(
   db: Pool,
   rawOutput: string,
   compressedOutput: string,
-  toolUsed: string = 'rtk'
+  toolUsed: string = 'llm-gateway-trim'
 ): Promise<CompressionMetric> {
   const tokensBefore = estimateTokens(rawOutput);
   const tokensAfter = estimateTokens(compressedOutput);
@@ -93,9 +93,9 @@ export async function logRTKCompression(
 }
 
 /**
- * Track LeanCTX file read operations
+ * Track gateway file-read operations
  */
-export async function logLeanCTXRead(
+export async function logGatewayFileRead(
   db: Pool,
   filePath: string,
   mode: string,
@@ -115,7 +115,7 @@ export async function logLeanCTXRead(
     tokensBefore: rawTokens,
     tokensAfter: compressedTokens,
     savingsPct,
-    toolUsed: 'lean-ctx'
+    toolUsed: 'llm-gateway'
   };
 
   await logCompressionMetric(db, metric);
@@ -207,7 +207,7 @@ export async function getCompressionStats(
         tool_used,
         COUNT(*) as count
        FROM tokenvault_metrics
-       WHERE created_at > NOW() - INTERVAL $1 HOUR
+       WHERE created_at > NOW() - ($1 * INTERVAL '1 hour')
        GROUP BY tool_used`,
       [hoursBack]
     );
@@ -270,7 +270,7 @@ export async function getCostSummary(
         project,
         SUM(CASE WHEN cost_usd > 0 THEN 1 ELSE 0 END) as paid_tasks
        FROM cost_analytics
-       WHERE created_at > NOW() - INTERVAL $1 HOUR
+       WHERE created_at > NOW() - ($1 * INTERVAL '1 hour')
        GROUP BY project`,
       [hoursBack]
     );