From 060b846d9b038840c3b158e863192ac6223f493a Mon Sep 17 00:00:00 2001
From: Rene Fichtmueller <renefichtmueller@MacBook-Pro-von-Rene.local>
Date: Fri, 1 May 2026 10:17:21 +0200
Subject: [PATCH] feat: publish llm gateway v2 dashboard alongside restored
 workbench

---
 AI_CONTROL_PLANE_SYSTEM_DESIGN.md           |  426 +++
 OPEN_SOURCE_BLUEPRINT.md                    | 1270 +++++++
 OPEN_SOURCE_FEATURE_MATRIX.md               |   66 +
 OPEN_SOURCE_GAP_ANALYSIS.md                 |  133 +
 OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md       |  212 ++
 packages/gateway/public/dashboard-v2.html   |  728 ++++
 packages/gateway/public/dashboard.html      | 3489 +++++++++++++++----
 packages/gateway/src/routes/dashboard.ts    |  338 +-
 packages/gateway/src/routes/health.ts       |    3 +-
 packages/gateway/src/security/tls-config.ts |    4 +-
 packages/gateway/src/server.ts              |    1 +
 11 files changed, 6006 insertions(+), 664 deletions(-)
 create mode 100644 AI_CONTROL_PLANE_SYSTEM_DESIGN.md
 create mode 100644 OPEN_SOURCE_BLUEPRINT.md
 create mode 100644 OPEN_SOURCE_FEATURE_MATRIX.md
 create mode 100644 OPEN_SOURCE_GAP_ANALYSIS.md
 create mode 100644 OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md
 create mode 100644 packages/gateway/public/dashboard-v2.html

diff --git a/AI_CONTROL_PLANE_SYSTEM_DESIGN.md b/AI_CONTROL_PLANE_SYSTEM_DESIGN.md
new file mode 100644
index 0000000..9be7898
--- /dev/null
+++ b/AI_CONTROL_PLANE_SYSTEM_DESIGN.md
@@ -0,0 +1,426 @@
+# AI Control Plane System Design
+
+## 1. Purpose
+
+LLM Gateway is a deterministic, observable, policy-driven routing layer for AI execution with memory and cost control.
+
+It routes requests from clients to the right model, provider, agent, or tool based on:
+
+- policy
+- cost
+- availability
+- context
+- memory
+- trust level
+- historical route success
+
+It also provides:
+
+- full observability through immutable receipts
+- reproducible AI runs
+- shared memory persistence
+- route memory
+- token and cost optimization
+
+## 2. High-Level Architecture
+
+```text
+Input Layer
+  clients, APIs, MCP, internal connectors
+      |
+      v
+Control Plane
+  trust routing, policy, compression, memory, provider routing
+      |
+      v
+Execution Layer
+  local models, external providers, tools, services
+      |
+      v
+Output
+  response to caller
+      |
+      v
+Receipts + Memory Update
+
+Side System:
+  Memory Layer
+    global memory, project memory, route memory, semantic cache
+```
+
+## 3. Components
+
+### 3.1 Client Entry
+
+Clients connect via API, MCP, OpenAI-compatible endpoints, or internal connectors.
+
+Supported client targets:
+
+- Codex
+- Claude Code
+- ChatGPT
+- Cursor
+- VS Code and Continue-style IDEs
+- automation pipelines
+- n8n
+- internal services
+
+Each request should include:
+
+- payload: prompt, input, files, tool call, or task
+- metadata: user, project, agent, task type
+- optional routing hints
+- optional policy hints
+
+### 3.2 Trust Router
+
+The Trust Router is the first decision point.
+
+Responsibilities:
+
+- validate client identity
+- assign trust level
+- classify request type
+- classify data sensitivity
+- apply initial routing hints
+- attach enriched request context
+
+Example classification labels:
+
+- code
+- infra
+- legal
+- security
+- general
+- document
+- automation
+
+Output:
+
+- enriched request context
+- trust score
+- sensitivity label
+- classification label
+
+### 3.3 Policy Engine
+
+The Policy Engine is the core decision system.
+
+It evaluates:
+
+- data sensitivity
+- allowed providers
+- allowed models
+- allowed tools
+- cost constraints
+- project rules
+- compliance rules
+- offline/simulation/live mode
+
+Example policies:
+
+- never send legal data to public APIs
+- prefer local models for internal code
+- use external models only if local-model confidence is below a threshold
+- block requests containing secrets
+- require admin override for production deployment tools
+
+Output:
+
+- allowed routes
+- blocked routes
+- required redactions
+- execution constraints
+- policy decision log
+
+### 3.4 Memory Query
+
+Memory is queried before compression and execution.
+
+Memory sources:
+
+- project memory
+- global memory
+- route memory
+- semantic cache
+- handoffs
+- receipts
+- reproducible runs
+
+Output:
+
+- relevant memory context
+- prior decisions
+- route hints
+- cache candidates
+
+### 3.5 Compression Engine
+
+The Compression Engine optimizes request and memory context before execution.
+
+Functions:
+
+- token reduction
+- context deduplication
+- semantic summarization
+- cache lookup
+- prompt/context packaging
+- token budget enforcement
+
+Input:
+
+- raw request
+- policy constraints
+- memory context
+- target model context budget
+
+Output:
+
+- compressed payload
+- token metrics before and after
+- cache hit or miss
+- compression receipt data
+
+### 3.6 Provider Router
+
+The Provider Router makes the final execution decision.
+
+It selects:
+
+- local model
+- external provider
+- AI client/agent
+- tool execution
+- fallback route
+
+Criteria:
+
+- policy constraints
+- trust level
+- cost
+- latency
+- availability
+- model capability
+- route memory
+- benchmark results
+- agent reputation
+
+Output:
+
+- selected execution target
+- fallback routes
+- route explanation
+
+### 3.7 Execution Layer
+
+The Execution Layer handles actual processing.
+
+Execution target types:
+
+- local models such as Ollama, LM Studio, LocalAI, llama.cpp, vLLM
+- external APIs such as OpenAI, Anthropic, Mistral, Groq, OpenRouter
+- AI clients such as Claude Code, Codex, Cursor, ChatGPT adapters
+- tools, scripts, workflows, and internal services
+
+Execution returns:
+
+- raw response
+- latency
+- token usage
+- provider metadata
+- errors
+- tool call results
+
+### 3.8 Receipt Engine
+
+The Receipt Engine creates an immutable trace for each request.
+
+Receipts include:
+
+- request id
+- input summary or redacted input
+- trust decisions
+- policy decisions
+- memory refs
+- compression results
+- selected model/provider/tool
+- fallback chain
+- response summary or full response depending on policy
+- token usage
+- cost estimate
+- timestamps
+- errors
+- blocked routes
+
+Receipts are stored persistently and are never modified after creation.
+
+### 3.9 Memory Layer
+
+Memory is separate from execution but connected to routing and compression.
+
+Memory types:
+
+1. Project memory
+   - task history
+   - decisions
+   - context
+   - handoffs
+
+2. Global memory
+   - shared knowledge
+   - user/team preferences
+   - reusable runbooks
+
+3. Route memory
+   - routing decisions
+   - success and failure patterns
+   - optimization feedback
+
+4. Semantic cache
+   - previous responses
+   - embedding lookup
+   - prompt/result reuse
+
+Memory is:
+
+- append-only by default
+- queryable
+- versioned where possible
+- used during routing and compression
+
+### 3.10 Route Reflector Memory
+
+Route Reflector Memory is specialized route memory inspired by BGP route reflectors.
+
+Functions:
+
+- learns optimal AI routes
+- shares routing knowledge across clients
+- improves future routing decisions
+- records fallback success and failures
+- contributes to Provider Router decisions
+
+Examples:
+
+- code debugging works best through Codex plus local validation
+- private infra diagnostics should route to local models
+- long-form reasoning performs better on selected external models
+- JSON extraction for project X has best success on model Y
+
+## 4. Data Flow
+
+1. Client sends request.
+2. Trust Router classifies request and assigns trust.
+3. Policy Engine filters allowed routes.
+4. Memory Layer is queried for context and prior route knowledge.
+5. Compression Engine optimizes payload.
+6. Provider Router selects execution target and fallback chain.
+7. Execution Layer processes request.
+8. Response is returned to client.
+9. Receipt Engine generates immutable receipt.
+10. Memory Layer is updated with outcome.
+11. Route Reflector Memory updates routing knowledge.
+
+## 5. Modes Of Operation
+
+### Live Mode
+
+- real execution
+- full routing active
+- receipts stored
+- memory updated
+
+### Simulation Mode
+
+- no real execution
+- shows trust decisions
+- shows policy decisions
+- shows selected route and fallbacks
+- estimates cost and tokens
+- useful for testing policies
+
+### Offline Mode
+
+- only local models allowed
+- no external provider calls
+- remote sync disabled unless explicitly allowed
+- receipts marked as offline
+
+## 6. Control Functions
+
+The system supports:
+
+- trace request
+- replay request
+- force route
+- override policy as admin
+- inspect receipts
+- inspect memory
+- simulate routing
+- compare routes
+- inspect provider availability
+- inspect route memory
+
+## 7. Storage
+
+Required storage components:
+
+- receipts database: immutable logs
+- memory database: structured + vector
+- policy definitions
+- routing history
+- route reflector memory
+- semantic cache
+- reproducible run artifacts
+
+Recommended default:
+
+- SQLite for personal mode
+- Postgres plus pgvector for team/server mode
+- Git/Gitea as durable memory sync and audit transport
+
+## 8. Metrics
+
+The system tracks:
+
+- token usage
+- compression ratio
+- cache hit rate
+- latency per provider
+- cost per request
+- routing success rate
+- fallback rate
+- trust level distribution
+- blocked route count
+- policy override count
+- agent reputation
+- benchmark scores
+
+## 9. Security Model
+
+- strict policy enforcement before external calls
+- data classification at entry
+- local-first routing is supported
+- no sensitive data leaves the system when policy blocks the route
+- no secret sync to memory
+- audit trail via receipts
+- consent ledger for tool, memory, and provider permissions
+- safe config writer for external tool setup
+
+## 10. Extensibility
+
+The system supports:
+
+- new providers
+- new local models
+- new tools
+- new MCP resources
+- new policy rules
+- custom routing logic
+- custom memory backends
+- custom benchmarks
+- custom data source connectors
+
+## 11. Core Idea
+
+LLM Gateway is a deterministic, observable, policy-driven routing layer for AI execution with memory and cost control.
diff --git a/OPEN_SOURCE_BLUEPRINT.md b/OPEN_SOURCE_BLUEPRINT.md
new file mode 100644
index 0000000..d8ab650
--- /dev/null
+++ b/OPEN_SOURCE_BLUEPRINT.md
@@ -0,0 +1,1270 @@
+# Open Source Blueprint: Adaptive LLM Gateway
+
+Companion documents:
+
+- `AI_CONTROL_PLANE_SYSTEM_DESIGN.md` — canonical control-plane architecture
+- `OPEN_SOURCE_GAP_ANALYSIS.md` — current gateway vs. OSS target
+- `OPEN_SOURCE_FEATURE_MATRIX.md` — feature state and priority
+- `OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md` — phase-by-phase build plan
+
+## Vision
+
+Turn the Context-X LLM Gateway into an open-source, self-adapting LLM control plane that can run on a user's own machine or server, discover the local AI/dev environment, and expose it through a secure MCP server plus OpenAI-compatible APIs.
+
+The open-source version should not assume Context-X infrastructure. It should install cleanly, detect what is available, ask before using sensitive integrations, and then wire local models, hosted providers, tools, documents, and developer environments into one gateway.
+
+## Product Shape
+
+Working name: **Adaptive LLM Gateway**
+
+Core promise:
+
+- Bring your own local or hosted models.
+- Run a private MCP server with an optional local LLM.
+- Detect common tools and runtimes automatically.
+- Expose one unified API for apps, agents, IDEs, and automations.
+- Keep secrets and private data local by default.
+
+## Differentiating Core Modules
+
+The open-source project should lead with four features that make it more than a model proxy:
+
+1. **Trust Router**
+2. **Context Receipt**
+3. **Shared Gitea Memory**
+4. **AI Handoff Protocol**
+
+The second core layer should add learning, accountability, and repeatability:
+
+5. **Capability Benchmark Lab**
+6. **Agent Reputation Score**
+7. **Local Consent Ledger**
+8. **Reproducible AI Runs**
+
+The execution pipeline should be:
+
+```text
+Client Entry
+  -> Trust Router
+  -> Policy Engine
+  -> Memory Query
+  -> Compression Engine
+  -> Provider Router
+  -> Execution Layer
+  -> Receipt Engine
+  -> Memory Update
+  -> Route Reflector Memory
+```
+
+Together they create a trusted coordination layer for all AI clients and agents on a user's system.
+
+```text
+Request
+  |
+  v
+Trust Router
+  - validate client identity
+  - assign trust level
+  - classify request type and sensitivity
+  |
+  v
+Policy Engine
+  - enforce provider/model/tool permissions
+  - apply cost, compliance, and project rules
+  |
+  v
+Context Builder
+  - memory
+  - files
+  - retrieved docs
+  - compressed history
+  |
+  v
+LLM / Agent / MCP Tool
+  |
+  v
+Context Receipt + Shared Memory Update + Route Reflector Learning
+```
+
+## Trust Router
+
+The Trust Router decides which model, provider, agent, and tool chain may handle a request.
+
+It should classify every request by:
+
+- data sensitivity
+- task type
+- required capabilities
+- allowed tools
+- user/team policy
+- cost and latency budget
+- local model availability
+
+Suggested trust levels:
+
+| Trust Level | Meaning | Allowed Routing |
+|---|---|---|
+| `public` | Safe public/non-sensitive content | Any enabled provider |
+| `internal` | Project context, private notes, normal code | Local or approved providers |
+| `confidential` | Customer data, private business data, security findings | Local-only or explicitly trusted provider |
+| `secret` | API keys, credentials, tokens, private keys | Block, redact, or local security scanner only |
+
+Policy example:
+
+```yaml
+trust_router:
+  default_mode: hybrid-safe
+  rules:
+    - match:
+        contains_secret: true
+      action: block
+    - match:
+        sensitivity: confidential
+      route: local-only
+    - match:
+        task_type: code_generation
+        sensitivity: internal
+      route: [claude-code, codex, local-code-model]
+    - match:
+        task_type: brainstorming
+        sensitivity: public
+      route: [openai, anthropic, local]
+```
+
+The Trust Router should always record the reasoning behind its decision and optionally expose that reasoning to users.
+
+## Policy Engine
+
+The Policy Engine evaluates what is allowed after the Trust Router has classified the request.
+
+It should evaluate:
+
+- allowed providers
+- allowed models
+- allowed tools
+- data sensitivity
+- project policy
+- compliance rules
+- cost limits
+- offline/simulation/live mode
+
+Example policies:
+
+- never send legal data to public APIs
+- prefer local models for internal code
+- use external models only if local-model confidence is below a threshold
+- block requests containing secrets
+- require admin override for production deployment tools
+
+The output is a route constraint set:
+
+```yaml
+allowed_routes: [ollama, claude-code]
+blocked_routes:
+  - provider: openai
+    reason: confidential data policy
+required_redactions: []
+max_request_cost_usd: 0.10
+mode: live
+```
+
+## Provider Router
+
+The Provider Router makes the final execution decision after policy and compression.
+
+It chooses:
+
+- local model
+- external provider
+- AI agent/client
+- MCP tool
+- fallback chain
+
+Inputs:
+
+- policy constraints
+- model availability
+- provider health
+- latency
+- cost
+- benchmark scores
+- agent reputation
+- Route Reflector Memory
+
+The Provider Router should support live, simulation, and offline modes.
+
+## Context Receipt
+
+Every answer should be able to produce a receipt that shows what context was used and what was protected.
+
+Example:
+
+```yaml
+receipt_id: ctxr_2026_05_01_001
+request_id: req_abc123
+model: qwen2.5:14b
+provider: ollama
+trust_level: internal
+route_reason:
+  - local model selected because project memory was private
+  - external providers skipped by policy
+context_used:
+  - type: memory
+    ref: projects/adaptive-llm-gateway/PROJECT.md
+  - type: file
+    ref: OPEN_SOURCE_BLUEPRINT.md
+  - type: retrieval
+    ref: memory/decisions/2026-05-01-gitea-memory.md
+context_blocked:
+  - type: file
+    ref: .env
+    reason: secret pattern
+  - type: provider
+    ref: openai
+    reason: confidential policy
+tokens:
+  input: 4200
+  output: 900
+  compressed_from: 13200
+cost:
+  estimated_usd: 0
+```
+
+Receipts can be stored locally, pushed to shared memory, or attached to audit logs.
+
+## AI Handoff Protocol
+
+Define a simple handoff format so Claude Code, Codex, ChatGPT, Cursor, n8n, and other agents can pass work to each other without losing context.
+
+Handoff files should be plain Markdown with YAML frontmatter or pure YAML/JSON.
+
+Example:
+
+```yaml
+handoff_version: 1
+id: handoff_2026_05_01_001
+project: adaptive-llm-gateway
+from_agent: claude-code
+to_agent: codex
+created_at: 2026-05-01T12:00:00Z
+status: ready
+goal: Implement MCP memory tools.
+current_state:
+  summary: Blueprint exists. Need package scaffold and safe tool definitions.
+  branch: main
+  files_changed:
+    - OPEN_SOURCE_BLUEPRINT.md
+constraints:
+  - Do not expose shell tools by default.
+  - Do not sync secrets.
+next_actions:
+  - Create packages/mcp-server.
+  - Add memory.search and memory.write tools.
+  - Add tests for policy enforcement.
+context_refs:
+  - memory/projects/adaptive-llm-gateway/PROJECT.md
+  - memory/decisions/2026-05-01-shared-gitea-memory.md
+open_questions:
+  - Should SQLite be mandatory for personal mode?
+confidence: 0.82
+```
+
+Recommended folders:
+
+```text
+memory/projects/<project>/handoffs/
+memory/agents/<agent>/sessions/
+memory/decisions/
+```
+
+The protocol should be append-first and easy for humans to read.
+
+## Capability Benchmark Lab
+
+The gateway should benchmark every detected model, provider, and major agent integration before trusting it for routing.
+
+Benchmarks should be local, transparent, and repeatable.
+
+Test dimensions:
+
+- JSON/schema reliability
+- code generation
+- code patch quality
+- instruction following
+- German/English quality
+- summarization
+- tool-call readiness
+- latency
+- cost
+- context length behavior
+- private-data safety
+- refusal/guardrail behavior
+
+Example benchmark result:
+
+```yaml
+model: qwen2.5:14b
+provider: ollama
+benchmarked_at: 2026-05-01T12:00:00Z
+scores:
+  json_schema: 0.84
+  code_generation: 0.71
+  german: 0.88
+  summarization: 0.91
+  latency: 0.76
+  privacy: 1.00
+recommended_for:
+  - private_summarization
+  - german_drafts
+  - internal_qa
+not_recommended_for:
+  - complex_code_patch
+```
+
+Routing decisions in the Trust Router and Provider Router should use benchmark results instead of static assumptions.
+
+## Agent Reputation Score
+
+Track how well each connected AI client or agent performs on real tasks.
+
+Agents can include:
+
+- Codex
+- Claude Code
+- ChatGPT
+- Cursor
+- VS Code assistants
+- n8n workflows
+- local autonomous agents
+
+Metrics:
+
+- task success rate
+- test pass rate
+- human approval rate
+- rollback rate
+- average latency
+- average token/cost usage
+- policy violation count
+- handoff quality
+- reproducibility score
+
+Example:
+
+```yaml
+agent: codex
+period: 30d
+score: 0.91
+strengths:
+  - code_patches
+  - test_fixes
+  - small_refactors
+weaknesses:
+  - broad_product_strategy
+metrics:
+  test_pass_rate: 0.94
+  rollback_rate: 0.03
+  avg_handoff_quality: 0.87
+```
+
+Agent scores should guide routing:
+
+- send code patches to agents with high patch/test scores
+- send long analysis to agents with high synthesis scores
+- keep private tasks with local agents/models when policy requires it
+
+## Local Consent Ledger
+
+Store user permissions as an auditable local ledger.
+
+The consent ledger answers:
+
+- Which agents can read which memory?
+- Which agents can write memory?
+- Which tools can be called?
+- Which folders can be indexed?
+- Which providers can receive which trust levels?
+- Which actions require confirmation?
+
+Example:
+
+```yaml
+consent_version: 1
+updated_at: 2026-05-01T12:00:00Z
+agents:
+  codex:
+    memory:
+      read: [project, decisions, runbooks]
+      write: [sessions, handoffs, tasks]
+    tools:
+      allowed: [repo.search, memory.write, tests.run]
+      confirm: [git.push, file.delete]
+      denied: [secrets.read, deploy.production]
+    providers:
+      public_llm_allowed: false
+  claude-code:
+    memory:
+      read: [project, decisions, architecture]
+      write: [sessions, decisions]
+    tools:
+      allowed: [repo.search, memory.write]
+      confirm: [file.write]
+```
+
+Consent changes should be recorded in an append-only ledger file:
+
+```text
+memory/consent/ledger.jsonl
+```
+
+The gateway may generate config snippets from consent, but it should ask before editing external tool settings.
+
+## Reproducible AI Runs
+
+Every important AI run should be replayable.
+
+Store:
+
+- request id
+- agent id
+- model/provider
+- prompt template version
+- context receipt
+- trust policy version
+- memory refs
+- retrieval refs
+- tool calls
+- redaction decisions
+- output
+- human feedback
+
+Example run folder:
+
+```text
+memory/runs/2026/05/01/req_abc123/
+  request.yaml
+  context-receipt.yaml
+  prompt.md
+  output.md
+  toolcalls.jsonl
+  feedback.yaml
+```
+
+Replay modes:
+
+- `exact`: same context refs and same model/provider where possible
+- `compare`: same input against several models
+- `policy-replay`: rerun trust routing with a newer policy
+- `compression-replay`: test different compression settings
+
+This makes the gateway debuggable, auditable, and useful for evaluation.
+
+## Visual Topology Map
+
+The UI should include a live topology view of the user's AI infrastructure.
+
+It should show:
+
+- detected AI clients
+- active MCP servers
+- local model runtimes
+- hosted providers
+- memory backend
+- vector index
+- enabled tools
+- blocked or disabled integrations
+- routing paths
+- cost-producing paths
+
+Example:
+
+```text
+Claude Code ── MCP ─┐
+Codex ─────── LSP ──┼── Adaptive LLM Gateway ── Trust Router ── Ollama
+Cursor ───── OpenAI ┘              │              │
+                                   │              ├── OpenAI (public only)
+                                   │              └── Anthropic (approved)
+                                   │
+                                   ├── Shared Memory ── Gitea
+                                   └── Knowledge Index ── SQLite/Qdrant
+```
+
+Each node should expose status, permissions, latency, cost, and recent receipts.
+
+## Setup Doctor
+
+Add a diagnostic command:
+
+```bash
+adaptive-llm-gateway doctor
+```
+
+Checks:
+
+- gateway health
+- MCP server health
+- Ollama/LM Studio/vLLM/LocalAI availability
+- hosted provider credentials
+- Gitea sync status
+- vector index health
+- database migrations
+- port conflicts
+- Docker status
+- Claude Code/Codex/Cursor/VS Code integration status
+- policy and consent ledger validity
+
+The doctor should produce direct fix suggestions:
+
+```text
+Issue: Ollama detected but no models installed.
+Fix: ollama pull qwen2.5:7b
+
+Issue: Claude Code detected but MCP config not installed.
+Fix: adaptive-llm-gateway integrate claude-code --write-config
+```
+
+## AI Cost Governor
+
+The gateway should actively control cost, not only report it.
+
+Features:
+
+- daily/weekly/monthly budgets
+- per-provider budgets
+- per-agent budgets
+- per-project budgets
+- max-cost-per-request
+- auto-fallback from paid to local models
+- warnings before expensive runs
+- hard stop when budget is exhausted
+
+Example:
+
+```yaml
+cost_governor:
+  weekly_budget_usd: 25
+  max_request_usd: 0.25
+  agents:
+    codex:
+      weekly_budget_usd: 5
+    chatgpt:
+      weekly_budget_usd: 10
+  fallback_when_budget_low: local-only
+```
+
+## Offline Mode
+
+Provide a strict local-only mode:
+
+```bash
+adaptive-llm-gateway mode offline
+```
+
+Offline mode:
+
+- disables hosted providers
+- disables external telemetry
+- routes only to local models
+- uses local memory only
+- blocks remote sync unless explicitly allowed
+- marks receipts as `offline_mode: true`
+
+This is important for security work, customer data, travel, and privacy-focused users.
+
+## Integration Marketplace
+
+Add a local integration catalog, not a SaaS marketplace.
+
+Examples:
+
+- Claude Code integration
+- Codex integration
+- Cursor integration
+- VS Code integration
+- Continue.dev integration
+- ChatGPT export importer
+- GitHub Copilot bridge
+- n8n workflow pack
+- Gitea memory backend
+- GitHub memory backend
+- Obsidian connector
+- Open WebUI connector
+- Home Assistant connector
+- Slack/Teams connector
+- Jira/Linear/GitHub Issues connector
+
+Each integration should declare:
+
+- permissions required
+- tools exposed
+- data read/write scope
+- setup method
+- config files touched
+- risk level
+- rollback instructions
+
+## Data Source Connectors
+
+Support user-approved knowledge sources:
+
+- local folders
+- Git repos
+- Obsidian vaults
+- Markdown notes
+- PDFs
+- browser bookmarks
+- ChatGPT exports
+- Claude/Codex handoffs
+- Notion
+- Google Drive
+- OneDrive
+- email
+- calendar
+- tickets/issues
+- logs
+- databases
+
+All connectors must use explicit scope and consent.
+
+## Team Mode
+
+Team mode should support small organizations without requiring cloud SaaS.
+
+Features:
+
+- shared Gitea memory
+- shared provider configuration
+- per-user budgets
+- per-project policies
+- role-based permissions
+- audit logs
+- admin dashboard
+- project onboarding
+- policy templates
+- team-wide benchmark results
+
+Suggested roles:
+
+- owner
+- admin
+- developer
+- analyst
+- viewer
+
+## Prompt and Agent Versioning
+
+Version everything that changes AI behavior:
+
+- prompts
+- prompt packs
+- routing rules
+- policies
+- consent ledger changes
+- agent profiles
+- benchmark suites
+- benchmark results
+- eval datasets
+- compression strategies
+
+Store versions in Git/Gitea where possible.
+
+## Safe Config Writer
+
+The gateway should be able to configure other tools, but only through reviewable diffs.
+
+Flow:
+
+```text
+1. Detect target config.
+2. Generate proposed diff.
+3. Explain impact.
+4. Ask user approval.
+5. Write config.
+6. Store receipt and rollback entry.
+```
+
+Example:
+
+```diff
++ "mcpServers": {
++   "adaptive-llm-gateway": {
++     "command": "adaptive-llm-gateway-mcp",
++     "args": ["--config", "~/.adaptive-llm-gateway/config.yaml"]
++   }
++ }
+```
+
+## Migration and Import Wizard
+
+Help users consolidate their existing, scattered AI setup:
+
+```bash
+adaptive-llm-gateway import
+```
+
+Import sources:
+
+- existing `.env` provider keys
+- Ollama model list
+- Open WebUI config
+- LM Studio local server settings
+- ChatGPT exports
+- Claude Code handoffs
+- Codex session notes
+- existing project READMEs/docs
+- n8n workflows
+- previous vector indexes where supported
+
+The import wizard should never move or delete original data. It creates normalized memory entries, config snippets, and receipts.
+
+## UI Direction
+
+The open-source UI can inherit the spirit of the current LLM Gateway dashboard, but it should be productized into a neutral, reusable interface.
+
+Keep from the current gateway:
+
+- operational dashboard feel
+- live health/status cards
+- request/cost/token visibility
+- provider and fallback visibility
+- logs/metrics orientation
+- dashboard as first screen, not a marketing page
+
+Improve for OSS:
+
+- first-run setup wizard
+- topology map as the home view
+- integration catalog
+- trust policy editor
+- memory browser
+- context receipts viewer
+- consent ledger viewer
+- benchmark lab
+- team/admin mode
+
+Recommended main navigation:
+
+```text
+Topology
+Models
+Agents
+Memory
+Policies
+Receipts
+Benchmarks
+Costs
+Integrations
+Doctor
+Settings
+```
+
+Visual style:
+
+- dense, operational, and scannable
+- dark/light mode
+- no marketing hero as the app entry
+- no Context-X-specific branding in OSS defaults
+- optional theme pack for Context-X/internal deployments
+
+
+
+## Target Users
+
+- Developers running Ollama, LM Studio, Open WebUI, Claude Code, Codex, Cursor, VS Code, n8n, or custom agents.
+- Small teams that want one internal AI gateway instead of scattered API keys.
+- Homelab and self-hosting users who want MCP tools, local models, and remote fallback models in one stack.
+- Security-conscious teams that want audit logs, budgets, routing rules, and local-first behavior.
+
+## Open Source Boundary
+
+The OSS release should remove or isolate Context-X-specific assumptions:
+
+- Hardcoded domains such as `context-x.org` and `fichtmueller.org`, and Erik-specific host paths.
+- Private project templates for TIP, MAGATAMA, SwitchBlade, PeerCortex, etc.
+- Private credentials, server names, and internal service assumptions.
+- Context-X-specific training data unless explicitly sanitized and licensed.
+
+Keep as generic features:
+
+- Fastify gateway service.
+- TypeScript client.
+- Health checks.
+- Provider routing.
+- OpenAI-compatible adapter.
+- MCP server.
+- Local model discovery.
+- Audit logging.
+- Cost and token tracking.
+- Prompt template system.
+- Optional learning engine.
+
+## Adaptive System Discovery
+
+Add a first-run discovery command:
+
+```bash
+npx adaptive-llm-gateway init
+```
+
+It should detect:
+
+- OS: macOS, Linux, Windows/WSL.
+- Runtime: Node.js, Python, Docker, Docker Compose, pnpm/npm/yarn.
+- Local LLM servers:
+  - Ollama on `localhost:11434`
+  - LM Studio on `localhost:1234`
+  - LocalAI
+  - Open WebUI
+  - llama.cpp server
+- Hosted provider credentials from environment only after consent:
+  - OpenAI
+  - Anthropic
+  - Mistral
+  - Groq
+  - Cerebras
+  - OpenRouter
+  - Cloudflare Workers AI
+- Developer tools:
+  - VS Code
+  - Cursor
+  - Claude Code
+  - Codex CLI/Desktop
+  - GitHub Copilot
+  - n8n
+  - Git remotes and local repos
+- Local knowledge sources:
+  - selected folders
+  - docs
+  - markdown notes
+  - code repositories
+  - optional browser/exported bookmarks
+
+Discovery must produce a local config file, not silently mutate user systems:
+
+```yaml
+gateway:
+  port: 3103
+  mode: local-first
+
+models:
+  local:
+    ollama:
+      detected: true
+      url: http://localhost:11434
+      models: []
+
+providers:
+  openai:
+    enabled: false
+    env_key: OPENAI_API_KEY
+
+mcp:
+  enabled: true
+  port: 3104
+
+tools:
+  filesystem:
+    enabled: false
+    allowed_roots: []
+  git:
+    enabled: true
+  shell:
+    enabled: false
+```
+
+## AI Client and Agent Detection
+
+The gateway should detect AI clients and agent runtimes as integration targets, but it should treat each one differently depending on what is technically and legally possible.
+
+Detection is not the same as control. Some tools expose APIs, config files, MCP settings, or proxy configuration. Others are closed consumer apps where the safe integration path is an adapter, browser extension, exported data import, or a documented manual setup step.
+
+### Integration Levels
+
+Use four integration levels:
+
+| Level | Meaning | Example |
+|---|---|---|
+| `detected` | Tool exists, but no automatic binding yet | ChatGPT desktop app installed |
+| `configurable` | Gateway can write or suggest config | Claude Code MCP config |
+| `proxyable` | Tool can point to OpenAI-compatible gateway URL | OpenAI SDK, Continue, many IDE plugins |
+| `native` | Gateway has a dedicated adapter/package | Codex LSP adapter, Claude Code bridge |
+
+### Tool Matrix
+
+| Tool | Detect | Best Integration Path | Notes |
+|---|---|---|---|
+| Codex CLI/Desktop | CLI path, config folder, running process | MCP server, LSP adapter, OpenAI-compatible endpoint | Provide `codex-lsp-adapter` and MCP setup instructions. |
+| Claude Code | CLI path, MCP/config files, shell env | MCP server + Claude Code bridge | Best path is first-class MCP tools/resources. |
+| ChatGPT Desktop/Web | App/process/browser profile, exported chats | OpenAI-compatible adapter where supported, browser extension, import/export | Do not scrape private chats silently. Ask before importing exports. |
+| OpenAI SDK users | Env vars, package manifests, code search | Replace `baseURL` with gateway URL | Very easy and safe to automate per repo. |
+| Cursor | App/config detection | MCP server, OpenAI-compatible proxy if configured | Needs explicit user approval before editing settings. |
+| VS Code | Extensions + settings.json | MCP/LSP adapter, Continue/Copilot-compatible config | Offer snippets instead of blind mutation. |
+| GitHub Copilot | gh auth, extension, copilot bridge | copilot-bridge where available | Subscription/auth belongs to user; gateway should not extract tokens. |
+| Continue.dev | config files | OpenAI-compatible endpoint | Good OSS integration target. |
+| Open WebUI | local port/container detection | Register gateway as provider or upstream | Can also use Open WebUI as a discovered model frontend. |
+| n8n | local port/container/env | HTTP node templates + credentials guidance | Detect workflows only with allowed path/API access. |
+| LangChain/LlamaIndex apps | package manifests/code search | Generated integration patch | Per-project opt-in. |
+
+### Detection Sources
+
+Safe discovery sources:
+
+- process list
+- common install paths
+- package manifests
+- shell PATH
+- Docker containers
+- local ports
+- explicit config directories
+- user-selected project folders
+
+Sensitive sources that require consent:
+
+- browser profiles
+- chat exports
+- API keys
+- IDE settings writes
+- MCP config writes
+- repo-wide code modifications
+- shell command execution tools
+
+### Binding Strategy
+
+The first-run wizard should present findings like this:
+
+```text
+Detected AI tools:
+
+✓ Claude Code CLI
+  Integration: MCP server
+  Action: add Adaptive LLM Gateway MCP config
+
+✓ Codex
+  Integration: MCP + LSP adapter
+  Action: generate config snippet
+
+✓ ChatGPT desktop
+  Integration: detected only
+  Action: optional import of exported chats, optional browser extension
+
+✓ Cursor
+  Integration: MCP/OpenAI-compatible endpoint
+  Action: generate settings snippet
+
+Enable integrations now? [select]
+```
+
+Default behavior should be conservative:
+
+- Generate config snippets first.
+- Ask before writing settings.
+- Ask before indexing chat exports or repo contents.
+- Never extract tokens from apps.
+- Prefer official APIs, MCP, LSP, or documented config surfaces.
+
+## MCP Server With Own LLM
+
+The MCP server should be a first-class package:
+
+```text
+packages/mcp-server
+```
+
+Responsibilities:
+
+- Expose tools for gateway completion, model listing, health, routing, embeddings, and document lookup.
+- Expose resources for discovered docs/repos when the user allows them.
+- Use the gateway's local-first model routing by default.
+- Allow a dedicated local model for tool reasoning, for example `qwen2.5:7b` or another detected local model.
+- Never expose shell or filesystem tools until the user explicitly enables allowed scopes.
+
+Suggested MCP tools:
+
+- `gateway.complete`
+- `gateway.chat`
+- `gateway.classify`
+- `gateway.models`
+- `gateway.health`
+- `gateway.route_preview`
+- `knowledge.search`
+- `repo.search`
+- `repo.summarize`
+- `config.get`
+- `config.update`
+
+## Embedding Everything
+
+"Embed everything" should mean controlled, user-approved indexing:
+
+- Scan allowed roots only.
+- Chunk and embed text/code/docs.
+- Store embeddings locally by default.
+- Support SQLite + sqlite-vec for simple installs.
+- Support Postgres + pgvector for team/server installs.
+- Optionally support Qdrant for larger deployments.
+
+Default modes:
+
+- `personal`: SQLite, local-only, one user.
+- `team`: Postgres, API keys, audit logging.
+- `server`: Docker Compose, reverse proxy, persistence, MCP enabled.
+
+## Shared AI Memory Sync
+
+Add a shared memory layer for all connected AI clients and agents. The goal is to make Claude Code, Codex, ChatGPT exports, Cursor, IDE assistants, MCP tools, and automation agents work from the same durable project memory instead of each assistant living in an isolated context bubble.
+
+Working name: **Memory Sync Backend**.
+
+### Why Git/Gitea
+
+Git is a strong default backend for portable AI memory:
+
+- auditable history
+- human-readable Markdown/JSON/YAML files
+- offline-first local clone
+- easy sync across machines
+- branchable experiments
+- reviewable diffs
+- self-hostable with Gitea
+- no mandatory SaaS dependency
+
+Gitea can act as the team/server backend:
+
+```text
+Claude Code ─┐
+Codex      ──┼── Adaptive LLM Gateway ── Memory Sync ── Git/Gitea repo
+Cursor     ──┤             │
+ChatGPT    ──┘             └── local vector index for fast retrieval
+```
+
+### Memory Types
+
+Store memory in typed folders:
+
+```text
+memory/
+  projects/
+    my-project/
+      PROJECT.md
+      decisions/
+      tasks/
+      architecture/
+      runbooks/
+      sync/
+  agents/
+    codex/
+    claude-code/
+    chatgpt/
+    cursor/
+  facts/
+  preferences/
+  credentials-notes/
+  incidents/
+  evals/
+```
+
+Use plain files for durable truth and an embedding index for fast lookup.
+
+### Memory Records
+
+Each memory entry should include provenance:
+
+```yaml
+id: mem_2026_05_01_001
+type: decision
+project: adaptive-llm-gateway
+source_agent: codex
+created_at: 2026-05-01T12:00:00Z
+visibility: team
+sensitivity: internal
+tags: [mcp, memory, gitea]
+summary: Use Gitea-backed memory sync as the shared durable backend.
+links:
+  - file: OPEN_SOURCE_BLUEPRINT.md
+```
+
+### Sync Modes
+
+- `local`: file-based memory in `~/.adaptive-llm-gateway/memory`.
+- `git`: local Git repo, user pushes manually.
+- `gitea`: automatic push/pull to self-hosted Gitea.
+- `github`: optional public/private GitHub backend.
+- `s3`: optional artifact backup, not source of truth.
+
+### Agent Integration
+
+Each agent gets a memory adapter:
+
+- Claude Code: MCP resources + memory write tools.
+- Codex: MCP resources + session handoff writer.
+- ChatGPT: import exported chats; optional browser extension later.
+- Cursor/VS Code: repo memory + generated context snippets.
+- n8n: workflow memory and execution summaries.
+
+Suggested MCP memory tools:
+
+- `memory.search`
+- `memory.read`
+- `memory.write`
+- `memory.append_session`
+- `memory.summarize_project`
+- `memory.record_decision`
+- `memory.record_task`
+- `memory.sync_status`
+- `memory.pull`
+- `memory.push`
+
+### Conflict Handling
+
+Memory should be append-first. Avoid agents overwriting each other.
+
+Rules:
+
+- Session logs are append-only.
+- Decisions can supersede earlier decisions but should not delete them.
+- Project summaries are regenerated from source logs and committed as derived files.
+- Conflicts create review entries instead of automatic destructive merges.
+
+### Privacy and Safety
+
+- Never sync secrets.
+- Secret-looking values are redacted before commit.
+- Sensitive memory can stay local-only.
+- Users can mark folders as `private`, `team`, or `public`.
+- Chat imports require explicit approval.
+- Every memory entry records source agent and timestamp.
+
+### Gitea Default Layout
+
+For self-hosted users:
+
+```text
+gitea.example.local/user/ai-memory.git
+gitea.example.local/user/project-a.git
+gitea.example.local/user/project-b.git
+```
+
+The gateway can either:
+
+- use one central `ai-memory` repo, or
+- add a `.ai-memory/` folder to each project repo.
+
+Recommended default:
+
+- personal mode: one central memory repo
+- team mode: one memory repo plus per-project links
+- open-source project mode: `.ai-memory/` inside the project
+
+## Architecture
+
+```text
+User apps / agents / IDEs
+        |
+        | OpenAI API / MCP / SDK
+        v
+Adaptive LLM Gateway
+  - routing
+  - prompt templates
+  - confidence gates
+  - budgets
+  - audit logs
+  - local knowledge lookup
+        |
+        +--> Local models: Ollama, LM Studio, LocalAI, llama.cpp
+        +--> Hosted providers: OpenAI, Anthropic, Groq, Mistral, etc.
+        +--> MCP tools/resources
+        +--> Local vector store
+```
+
+## Installation Targets
+
+Simple local install:
+
+```bash
+npx adaptive-llm-gateway init
+npx adaptive-llm-gateway start
+```
+
+Docker install:
+
+```bash
+docker compose up -d
+```
+
+Team/server install:
+
+```bash
+npx adaptive-llm-gateway init --mode team
+npx adaptive-llm-gateway deploy-config
+```
+
+## Security Defaults
+
+- Local-first.
+- No secrets in config files.
+- Read env vars only after consent.
+- No filesystem indexing without allowed roots.
+- No shell tool by default.
+- No telemetry by default.
+- Audit logs redact prompts unless the user explicitly opts in to storing them.
+- MCP dangerous tools disabled until explicitly enabled.
+- Provider API keys remain in env, system keychain, or configured secret backend.
+
+## Refactor Plan
+
+Phase 1: Extract Context-X assumptions
+
+- Move Context-X routing templates into optional example pack.
+- Rename packages from `@llm-gateway/*` to the final OSS scope, or prepare a neutral scope as an interim step.
+- Replace hardcoded domains and ports with generated config.
+- Add `.env.example` for OSS.
+
+Phase 2: First-run discovery
+
+- Add `packages/discovery`.
+- Detect local models, runtimes, repos, and common agent tools.
+- Generate `gateway.config.yaml`.
+
+Phase 3: MCP server
+
+- Add `packages/mcp-server`.
+- Expose gateway tools and resources.
+- Add local model-backed tool reasoning.
+
+Phase 4: Embeddings and knowledge
+
+- Add `packages/knowledge`.
+- Support SQLite default and Postgres/Qdrant optional backends.
+- Add chunking, indexing, search, and repo/doc ingestion.
+
+Phase 5: OSS release hardening
+
+- Secret scan.
+- License audit.
+- Remove private data.
+- Add quickstart docs.
+- Add GitHub Actions CI.
+- Add Docker Compose starter.
+
+## Minimum Viable OSS Release
+
+The first public version should include:
+
+- Gateway server.
+- Client SDK.
+- OpenAI-compatible adapter.
+- Local Ollama/LM Studio detection.
+- MCP server with safe tools.
+- SQLite config and audit store.
+- Docker Compose.
+- One generic prompt template pack.
+- Documentation for local, team, and server modes.
+
+## Name Ideas
+
+- Adaptive LLM Gateway
+- Open LLM Gateway
+- LocalMesh Gateway
+- ModelRouter
+- GatewayKit
+- AIDE Gateway
diff --git a/OPEN_SOURCE_FEATURE_MATRIX.md b/OPEN_SOURCE_FEATURE_MATRIX.md
new file mode 100644
index 0000000..581fcfa
--- /dev/null
+++ b/OPEN_SOURCE_FEATURE_MATRIX.md
@@ -0,0 +1,66 @@
+# Open Source Feature Matrix
+
+## Legend
+
+- `ready`: exists and is usable with cleanup
+- `partial`: exists but needs extraction/hardening
+- `missing`: must be built
+
+| Feature | Current | OSS Target | Priority |
+|---|---|---|---:|
+| Fastify gateway | ready | keep | P0 |
+| Client SDK | ready | keep + docs | P0 |
+| Health checks | ready | keep + doctor | P0 |
+| Dashboard | partial | topology-first app | P1 |
+| Ollama routing | ready | generic local provider | P0 |
+| LM Studio detection | missing | discovery provider | P0 |
+| LocalAI/llama.cpp/vLLM detection | missing | discovery provider | P0 |
+| Hosted provider registry | partial | provider adapters + consent | P0 |
+| OpenAI-compatible API | partial | first-class adapter | P0 |
+| MCP server | missing | first-class | P0 |
+| Claude Code integration | partial | MCP + bridge | P0 |
+| Codex integration | partial | MCP + LSP | P0 |
+| ChatGPT integration | missing | exports/import + adapter docs | P1 |
+| Cursor/VS Code integration | missing | safe config writer | P1 |
+| n8n integration | missing | workflow pack | P1 |
+| Trust Router | missing | core | P0 |
+| Policy Engine | missing | provider/model/tool constraints | P0 |
+| Provider Router | partial | final route + fallback decision | P0 |
+| Context Receipt | missing | core | P0 |
+| Shared Gitea Memory | missing | core | P0 |
+| Route Reflector Memory | missing | routing memory | P0 |
+| AI Handoff Protocol | partial | core | P0 |
+| Consent Ledger | missing | core | P0 |
+| Setup Doctor | missing | CLI + UI | P0 |
+| Safe Config Writer | missing | CLI + UI | P0 |
+| Offline Mode | missing | policy mode | P0 |
+| Simulation Mode | missing | dry-run routing decisions | P0 |
+| Compression/token saving | partial | first-class engine | P1 |
+| Semantic cache | missing | optional | P1 |
+| Capability Benchmark Lab | missing | routing input | P1 |
+| Agent Reputation Score | missing | routing input | P1 |
+| Reproducible Runs | missing | audit/eval | P1 |
+| Integration Marketplace | missing | local catalog | P1 |
+| Data connectors | missing | scoped connectors | P1 |
+| Team Mode | missing | RBAC/admin | P2 |
+| Prompt/agent versioning | partial | Git-backed | P2 |
+| Import wizard | missing | guided migration | P2 |
+
+## Public Positioning
+
+Do not position this as another LiteLLM clone.
+
+Positioning:
+
+> Adaptive LLM Gateway discovers your local and hosted AI stack, connects it through a secure MCP and OpenAI-compatible control plane, and gives every agent shared memory, policy, receipts, compression, and routing.
+
+Core differentiators:
+
+- AI environment discovery
+- Trust Router
+- Context Receipts
+- Shared Git/Gitea Memory
+- AI Handoff Protocol
+- Consent Ledger
+- Reproducible AI Runs
+- model and agent benchmark learning
diff --git a/OPEN_SOURCE_GAP_ANALYSIS.md b/OPEN_SOURCE_GAP_ANALYSIS.md
new file mode 100644
index 0000000..cf48c79
--- /dev/null
+++ b/OPEN_SOURCE_GAP_ANALYSIS.md
@@ -0,0 +1,133 @@
+# Open Source Gap Analysis
+
+This document maps the current Context-X LLM Gateway to the planned open-source Adaptive LLM Gateway.
+
+## Current Strengths
+
+Already present in the repository:
+
+| Area | Current State | Notes |
+|---|---|---|
+| Gateway API | Present | Fastify gateway in `packages/gateway`. |
+| Completion API | Present | Main route: `/v1/completion`. |
+| Classification | Present | `/v1/classify` and pre-classifier pipeline. |
+| Batch jobs | Present | `/v1/batch` and PgBoss queue integration. |
+| Health checks | Present | `/health`, `/health/live`, `/health/ready`. |
+| Metrics | Present | Prometheus metrics and dashboard metrics. |
+| Dashboard | Present | Operational dashboard exists in `packages/gateway/public`. |
+| Routing rules | Present | YAML routing rules and model tiers. |
+| Local model routing | Present | Ollama-based routing and fallback chains. |
+| Hosted providers | Partial | External provider registry exists. Needs OSS cleanup and discovery. |
+| Cost tracking | Present | Cost analytics, token tracking, cost stream. |
+| Compression accounting | Partial | TokenVault/cost hooks exist. Needs first-class compression engine. |
+| Learning engine | Present | Learning cycles, model performance tracking, fine-tuner package. |
+| Client SDK | Present | `@llm-gateway/client`. |
+| OpenAI compatibility | Partial | `chatgpt-api-adapter` and `openai-bridge` exist. Needs clean OSS path. |
+| Codex integration | Partial | `packages/codex-lsp-adapter` exists. Needs production hardening. |
+| Claude Code integration | Partial | `packages/claude-code-bridge` exists. Needs MCP-first flow. |
+| LightRAG/RAG | Present | LightRAG sidecar exists. Needs generic connector story. |
+| Handoff sync | Partial | `sync/` handoff folder exists. Needs protocol and tools. |
+| Gitea use | Present internally | Needs generic Gitea memory backend. |
+
+## Missing For Open Source
+
+These features need to be added or extracted:
+
+| Feature | Status | Priority | Target Package/Area |
+|---|---|---:|---|
+| First-run setup wizard | Missing | P0 | `packages/cli`, `packages/discovery` |
+| Local AI discovery | Missing | P0 | `packages/discovery` |
+| Public provider discovery | Partial | P0 | `packages/discovery`, `packages/providers` |
+| AI client detection | Missing | P0 | `packages/discovery` |
+| MCP server | Missing | P0 | `packages/mcp-server` |
+| Trust Router | Missing | P0 | `packages/trust-router` |
+| Consent Ledger | Missing | P0 | `packages/consent-ledger` |
+| Shared Gitea Memory | Missing | P0 | `packages/memory-sync` |
+| Context Receipt | Missing | P0 | `packages/context-receipts` |
+| AI Handoff Protocol | Partial | P0 | `packages/handoff` |
+| Safe Config Writer | Missing | P0 | `packages/config-writer` |
+| Setup Doctor | Missing | P0 | `packages/doctor` |
+| Offline Mode | Missing | P0 | gateway config/policy |
+| Capability Benchmark Lab | Missing | P1 | `packages/benchmark-lab` |
+| Agent Reputation Score | Missing | P1 | `packages/agent-reputation` |
+| Reproducible Runs | Missing | P1 | `packages/run-ledger` |
+| Visual Topology Map | Missing | P1 | dashboard UI/API |
+| Integration Marketplace | Missing | P1 | `packages/integrations` + UI |
+| Data source connectors | Missing | P1 | `packages/connectors` |
+| Context Compression Engine | Partial | P1 | `packages/context-compression` |
+| Semantic cache | Missing (mentioned only) | P1 | `packages/cache` |
+| Team mode | Missing | P2 | auth/policy/admin UI |
+| Prompt/agent versioning | Partial | P2 | memory/git/prompt registry |
+| Migration/import wizard | Missing | P2 | `packages/import-wizard` |
+
+## Context-X Assumptions To Remove
+
+Before public release, remove or move behind an example profile:
+
+- hardcoded `context-x.org` domains
+- hardcoded `fichtmueller.org` Ollama endpoint
+- Erik-specific paths such as `/opt/llm-gateway`
+- private project callers and templates as defaults
+- internal IP assumptions
+- private training data
+- private bridge assumptions
+- secret-looking examples
+- Context-X branding as default OSS UI
+
+Keep them as:
+
+```text
+examples/profiles/context-x/
+```
+
+or as a private deployment overlay.
+
+## Proposed New Packages
+
+```text
+packages/
+  cli/                    # init, doctor, integrate, import, mode
+  discovery/              # detects models, clients, runtimes, providers
+  mcp-server/             # MCP tools/resources
+  trust-router/           # sensitivity + policy routing
+  consent-ledger/         # append-only permissions ledger
+  memory-sync/            # local/git/gitea memory backend
+  handoff/                # AI Handoff Protocol schema + helpers
+  context-receipts/       # receipts and audit artifacts
+  config-writer/          # safe config diffs and rollback
+  benchmark-lab/          # model/agent benchmark suite
+  agent-reputation/       # agent scorecards
+  run-ledger/             # reproducible AI runs
+  context-compression/    # compression + token budget manager
+  integrations/           # integration catalog manifests
+  connectors/             # data source connectors
+  import-wizard/          # migration/import helpers
+```
+
+## MVP Cut
+
+The first useful OSS release should not try to ship everything.
+
+MVP must include:
+
+- CLI with `init`, `doctor`, `start`, `integrate`
+- local AI discovery: Ollama + LM Studio + OpenAI-compatible `/v1/models`
+- provider env discovery with consent
+- MCP server with safe gateway and memory tools
+- Trust Router with four trust levels
+- Gitea/Git memory backend
+- Context Receipts
+- AI Handoff Protocol
+- Safe Config Writer
+- Offline Mode
+- basic topology dashboard
+
+MVP can defer:
+
+- full benchmark lab
+- team RBAC
+- all data connectors
+- full import wizard
+- advanced compression comparisons
+- agent reputation automation
+
diff --git a/OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md b/OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md
new file mode 100644
index 0000000..75f787e
--- /dev/null
+++ b/OPEN_SOURCE_IMPLEMENTATION_ROADMAP.md
@@ -0,0 +1,212 @@
+# Open Source Implementation Roadmap
+
+## Phase 0: Sanitize And Productize
+
+Goal: make the current codebase safe to publish and understandable outside Context-X.
+
+Tasks:
+
+- Decide on the OSS project name and package naming scheme.
+- Move Context-X-only files into `examples/profiles/context-x/`.
+- Add `.env.example` without private domains or secrets.
+- Replace hardcoded defaults with generated config.
+- Add license, contributing guide, security policy, and public README.
+- Run secret scan and dependency/license audit.
+- Decide which training data can be published.
+
+Exit criteria:
+
+- Fresh clone can install without private services.
+- No private domains or internal IPs are required for default startup.
+- Public README explains local-only setup.
+
+## Phase 1: Adaptive Init
+
+Goal: detect the user's AI environment and create config.
+
+Packages:
+
+- `packages/cli`
+- `packages/discovery`
+- `packages/config-writer`
+
+Commands:
+
+```bash
+adaptive-llm-gateway init
+adaptive-llm-gateway doctor
+adaptive-llm-gateway integrate <target>
+adaptive-llm-gateway mode offline
+adaptive-llm-gateway simulate <request-file>
+```
+
+Detection targets:
+
+- Ollama
+- LM Studio
+- LocalAI
+- llama.cpp server
+- vLLM
+- Open WebUI
+- OpenAI-compatible endpoints
+- OpenAI/Anthropic/Groq/Mistral/OpenRouter env keys
+- Claude Code
+- Codex
+- Cursor
+- VS Code
+- Continue.dev
+- n8n
+- Docker containers
+- Git/Gitea availability
+
+Exit criteria:
+
+- `init` writes `~/.adaptive-llm-gateway/config.yaml`.
+- No external integration is enabled without approval.
+- `doctor` reports actionable health and setup status.
+
+## Phase 2: Trust, Consent, Receipts
+
+Goal: every request goes through policy and produces an audit artifact.
+
+Packages:
+
+- `packages/trust-router`
+- `packages/policy-engine`
+- `packages/consent-ledger`
+- `packages/context-receipts`
+- `packages/run-ledger`
+- `packages/provider-router`
+
+Features:
+
+- four trust levels: public, internal, confidential, secret
+- local-only/offline routing mode
+- simulation mode with no execution
+- provider router with route constraints and fallbacks
+- append-only consent ledger
+- receipts recording which context was used, blocked, redacted, and routed
+- reproducible run folder
+
+Exit criteria:
+
+- External providers are blocked for confidential/secret data by default.
+- Receipts can be viewed from CLI and dashboard.
+- Consent changes are append-only; a grant is reversed by appending a revocation entry, never by editing history.
+
+## Phase 3: Shared Memory And MCP
+
+Goal: make the gateway the shared memory and tool layer for all AI clients.
+
+Packages:
+
+- `packages/memory-sync`
+- `packages/handoff`
+- `packages/mcp-server`
+- `packages/route-reflector-memory`
+
+Features:
+
+- local memory repo
+- Git/Gitea sync
+- typed memory folders
+- MCP tools for memory and gateway calls
+- AI Handoff Protocol
+- Route Reflector Memory for routing outcomes
+- conflict-safe append-first writes
+
+MCP tools:
+
+- `gateway.complete`
+- `gateway.chat`
+- `gateway.health`
+- `gateway.route_preview`
+- `memory.search`
+- `memory.read`
+- `memory.write`
+- `memory.append_session`
+- `memory.record_decision`
+- `memory.record_task`
+- `memory.pull`
+- `memory.push`
+
+Exit criteria:
+
+- Claude Code and Codex can access the same memory through MCP.
+- Handoffs are stored in Git/Gitea.
+- Memory sync refuses to commit secrets.
+
+## Phase 4: Compression And Knowledge
+
+Goal: reduce token use and retrieve only the right context.
+
+Packages:
+
+- `packages/context-compression`
+- `packages/connectors`
+- `packages/cache`
+
+Features:
+
+- token budget manager
+- session compaction
+- repo/doc summarization
+- memory dedupe
+- semantic cache
+- SQLite vector default
+- Postgres/Qdrant optional
+- approved data source connectors
+
+Exit criteria:
+
+- Context packages include budget, source refs, and compression stats.
+- Receipts show compressed-from and final token counts.
+- Indexing requires explicit allowed roots.
+
+## Phase 5: Benchmarking And Reputation
+
+Goal: route based on evidence instead of static assumptions.
+
+Packages:
+
+- `packages/benchmark-lab`
+- `packages/agent-reputation`
+
+Features:
+
+- model capability tests
+- agent scorecards
+- latency/cost/quality tracking
+- JSON reliability test
+- code patch/test benchmark
+- local vs hosted comparison
+
+Exit criteria:
+
+- Trust Router can use benchmark scores.
+- Dashboard shows model and agent strengths.
+- Routing decisions explain benchmark influence.
+
+## Phase 6: Product UI
+
+Goal: turn the operational dashboard into a usable OSS app.
+
+UI areas:
+
+- Topology
+- Models
+- Agents
+- Memory
+- Policies
+- Receipts
+- Benchmarks
+- Costs
+- Integrations
+- Doctor
+- Settings
+
+Exit criteria:
+
+- First screen is topology/status.
+- User can enable integrations from UI with diff preview.
+- User can inspect receipts and memory sync status.
diff --git a/packages/gateway/public/dashboard-v2.html b/packages/gateway/public/dashboard-v2.html
new file mode 100644
index 0000000..56b6768
--- /dev/null
+++ b/packages/gateway/public/dashboard-v2.html
@@ -0,0 +1,728 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>llm.gateway Workbench</title>
+  <style>
+    :root {
+      color-scheme: light;
+      --bg: #f4f7f9;
+      --paper: #fbfcfd;
+      --panel: #f8fafb;
+      --line: #ccd6df;
+      --line-dark: #aebdc8;
+      --text: #27323d;
+      --muted: #718090;
+      --soft: #8b98a7;
+      --green: #2f7d71;
+      --green-soft: #e3f2ef;
+      --amber: #a05c2b;
+      --amber-soft: #fff1e7;
+      --red: #9f3f3a;
+      --red-soft: #ffe9e7;
+      --blue-soft: #eaf2f8;
+      --shadow: 0 16px 50px rgba(43, 61, 74, 0.08);
+      --mono: "SFMono-Regular", "Cascadia Code", "Roboto Mono", Consolas, monospace;
+      --sans: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+    }
+
+    * { box-sizing: border-box; }
+
+    body {
+      margin: 0;
+      min-height: 100vh;
+      background:
+        linear-gradient(90deg, rgba(39, 50, 61, 0.025) 1px, transparent 1px),
+        linear-gradient(rgba(39, 50, 61, 0.025) 1px, transparent 1px),
+        var(--bg);
+      background-size: 24px 24px;
+      color: var(--text);
+      font-family: var(--sans);
+      font-size: 14px;
+      letter-spacing: 0;
+    }
+
+    .shell {
+      max-width: 1560px;
+      margin: 0 auto;
+      padding: 38px 38px 96px;
+    }
+
+    .mono, .eyebrow, .tab, .badge, th, .status-line, .metric-label {
+      font-family: var(--mono);
+    }
+
+    header {
+      display: grid;
+      grid-template-columns: 1fr auto;
+      align-items: start;
+      gap: 24px;
+      border-bottom: 1px solid var(--line);
+      padding-bottom: 18px;
+    }
+
+    .brand {
+      display: flex;
+      align-items: center;
+      gap: 12px;
+    }
+
+    .mark {
+      width: 9px;
+      height: 9px;
+      background: var(--green);
+      margin-left: 2px;
+    }
+
+    h1 {
+      margin: 0;
+      font-size: 18px;
+      line-height: 1;
+      font-family: var(--mono);
+      letter-spacing: -0.02em;
+    }
+
+    .crumb {
+      color: var(--soft);
+      font-family: var(--mono);
+      font-size: 12px;
+      text-transform: uppercase;
+      letter-spacing: 0.14em;
+      margin-left: 8px;
+    }
+
+    .btn {
+      border: 1px solid var(--line-dark);
+      background: transparent;
+      color: var(--text);
+      height: 31px;
+      padding: 0 14px;
+      font-family: var(--mono);
+      font-size: 12px;
+      letter-spacing: 0.12em;
+      text-transform: uppercase;
+      cursor: pointer;
+    }
+
+    .btn:hover { background: var(--paper); border-color: var(--green); color: var(--green); }
+
+    .status-strip {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 18px;
+      border-bottom: 1px solid var(--line);
+      padding: 20px 0;
+      margin-bottom: 18px;
+    }
+
+    .status-group {
+      display: flex;
+      align-items: center;
+      gap: 18px;
+      flex-wrap: wrap;
+    }
+
+    .status-line {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      color: var(--muted);
+      font-size: 12px;
+      letter-spacing: 0.08em;
+      text-transform: uppercase;
+      border-right: 1px solid var(--line);
+      padding-right: 18px;
+    }
+
+    .status-line:last-child { border-right: 0; }
+    .status-line strong { color: var(--text); font-weight: 700; text-transform: none; letter-spacing: 0; }
+
+    .dot {
+      width: 17px;
+      height: 17px;
+      border-radius: 50%;
+      background: var(--green-soft);
+      position: relative;
+      border: 1px solid #c6ddd8;
+    }
+
+    .dot::after {
+      content: "";
+      position: absolute;
+      width: 7px;
+      height: 7px;
+      border-radius: 50%;
+      background: var(--green);
+      left: 4px;
+      top: 4px;
+    }
+
+    .dot.warn { background: var(--amber-soft); border-color: #eccdb5; }
+    .dot.warn::after { background: var(--amber); }
+    .dot.bad { background: var(--red-soft); border-color: #efc1bd; }
+    .dot.bad::after { background: var(--red); }
+
+    .tabs {
+      display: flex;
+      gap: 0;
+      border-bottom: 1px solid var(--line);
+      margin-bottom: 34px;
+      overflow-x: auto;
+    }
+
+    .tab {
+      min-width: 128px;
+      padding: 0 18px 16px;
+      color: var(--muted);
+      text-decoration: none;
+      font-size: 12px;
+      letter-spacing: 0.08em;
+      white-space: nowrap;
+      border-bottom: 1px solid transparent;
+    }
+
+    .tab.active {
+      color: var(--green);
+      border-bottom-color: var(--green);
+    }
+
+    .section-head {
+      display: grid;
+      grid-template-columns: 1fr auto;
+      align-items: center;
+      border-bottom: 1px solid var(--line);
+      margin: 0 0 16px;
+      min-height: 44px;
+    }
+
+    .section-head::before {
+      content: "";
+      width: 20px;
+      height: 2px;
+      background: var(--green);
+      display: block;
+      align-self: end;
+      margin-bottom: 13px;
+    }
+
+    .section-title {
+      grid-column: 1 / -1;
+      text-align: center;
+      font-family: var(--mono);
+      font-size: 12px;
+      color: var(--muted);
+      letter-spacing: 0.35em;
+      text-transform: uppercase;
+      margin-top: -21px;
+      pointer-events: none;
+    }
+
+    .section-note {
+      justify-self: end;
+      font-family: var(--mono);
+      color: var(--soft);
+      font-size: 12px;
+      letter-spacing: 0.08em;
+      margin-top: -22px;
+    }
+
+    .coverage {
+      display: grid;
+      grid-template-columns: repeat(5, minmax(0, 1fr));
+      gap: 12px;
+      margin-bottom: 34px;
+    }
+
+    .tile {
+      border: 1px solid var(--line);
+      background: rgba(255, 255, 255, 0.58);
+      min-height: 120px;
+      padding: 15px 16px;
+      box-shadow: var(--shadow);
+    }
+
+    .tile-head {
+      display: flex;
+      justify-content: space-between;
+      align-items: start;
+      gap: 10px;
+      margin-bottom: 14px;
+    }
+
+    .tile-title {
+      font-weight: 800;
+      line-height: 1.25;
+      word-break: break-word;
+    }
+
+    .badge {
+      border: 1px solid #dfbda6;
+      color: var(--amber);
+      background: var(--amber-soft);
+      padding: 4px 8px;
+      font-size: 10px;
+      letter-spacing: 0.12em;
+      text-transform: uppercase;
+      white-space: nowrap;
+    }
+
+    .badge.ready {
+      border-color: #b7d8d1;
+      color: var(--green);
+      background: var(--green-soft);
+    }
+
+    .tile-meta {
+      font-family: var(--mono);
+      color: #596777;
+      line-height: 1.45;
+      font-size: 12px;
+    }
+
+    .metrics {
+      display: grid;
+      grid-template-columns: repeat(6, minmax(0, 1fr));
+      gap: 10px;
+      margin-bottom: 34px;
+    }
+
+    .metric {
+      border: 1px solid var(--line);
+      background: rgba(255,255,255,0.45);
+      padding: 13px 15px;
+      min-height: 86px;
+    }
+
+    .metric-label {
+      color: var(--muted);
+      font-size: 11px;
+      letter-spacing: 0.13em;
+      text-transform: uppercase;
+      margin-bottom: 11px;
+    }
+
+    .metric-value {
+      font-family: var(--mono);
+      font-size: 22px;
+      font-weight: 800;
+    }
+
+    .workbench {
+      display: grid;
+      grid-template-columns: 1.15fr 0.85fr;
+      gap: 18px;
+      margin-bottom: 34px;
+    }
+
+    .panel {
+      border: 1px solid var(--line);
+      background: rgba(255,255,255,0.48);
+      box-shadow: var(--shadow);
+    }
+
+    .panel-title {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 12px;
+      border-bottom: 1px solid var(--line);
+      padding: 12px 16px;
+      font-family: var(--mono);
+      color: var(--muted);
+      text-transform: uppercase;
+      letter-spacing: 0.18em;
+      font-size: 11px;
+    }
+
+    .panel-body { padding: 16px; }
+
+    .route-stack {
+      display: grid;
+      gap: 10px;
+    }
+
+    .route {
+      display: grid;
+      grid-template-columns: 164px 1fr auto;
+      align-items: center;
+      gap: 12px;
+      border: 1px solid var(--line);
+      background: var(--paper);
+      padding: 11px 12px;
+      min-height: 52px;
+    }
+
+    .route-name {
+      font-weight: 800;
+    }
+
+    .route-desc {
+      font-family: var(--mono);
+      color: var(--muted);
+      font-size: 12px;
+      line-height: 1.35;
+    }
+
+    table {
+      width: 100%;
+      border-collapse: collapse;
+      border: 1px solid var(--line);
+      background: rgba(255,255,255,0.5);
+    }
+
+    th, td {
+      border-bottom: 1px solid var(--line);
+      padding: 13px 16px;
+      text-align: left;
+      font-size: 12px;
+    }
+
+    th {
+      color: var(--muted);
+      background: rgba(39, 50, 61, 0.045);
+      text-transform: uppercase;
+      letter-spacing: 0.13em;
+      font-weight: 600;
+    }
+
+    td {
+      font-family: var(--mono);
+      color: #4d5c69;
+    }
+
+    .empty {
+      height: 112px;
+      text-align: center;
+      color: var(--soft);
+      font-family: var(--mono);
+      font-size: 13px;
+      letter-spacing: 0.04em;
+    }
+
+    .fixed-status {
+      position: fixed;
+      right: 18px;
+      bottom: 18px;
+      border: 1px solid var(--line-dark);
+      background: var(--paper);
+      padding: 10px 14px;
+      font-family: var(--mono);
+      font-size: 12px;
+      color: var(--muted);
+      box-shadow: var(--shadow);
+    }
+
+    .fixed-status span {
+      display: inline-block;
+      width: 8px;
+      height: 8px;
+      background: var(--green);
+      margin-right: 8px;
+    }
+
+    @media (max-width: 1200px) { /* medium widths: coverage and metrics drop to 3 columns, workbench panels stack */
+      .coverage { grid-template-columns: repeat(3, minmax(0, 1fr)); }
+      .metrics { grid-template-columns: repeat(3, minmax(0, 1fr)); }
+      .workbench { grid-template-columns: 1fr; }
+    }
+
+    @media (max-width: 760px) { /* narrow widths: every grid collapses to a single column */
+      .shell { padding: 22px 16px 80px; }
+      header, .status-strip { grid-template-columns: 1fr; display: grid; }
+      .coverage, .metrics { grid-template-columns: 1fr; }
+      .route { grid-template-columns: 1fr; }
+      .section-note { display: none; } /* hide the secondary caption next to each section title */
+    }
+  </style>
+</head>
+<body>
+  <div class="shell">
+    <header>
+      <div class="brand">
+        <span class="mark"></span>
+        <h1>llm.gateway</h1>
+        <span class="crumb">/ gateway workbench · open source preview</span>
+      </div>
+      <button class="btn" id="settingsBtn">⊙ settings</button>
+    </header>
+
+    <div class="status-strip">
+      <div class="status-group">
+        <div class="status-line"><span class="dot" id="dbDot"></span> DB <strong id="dbStatus">checking</strong></div>
+        <div class="status-line"><span class="dot" id="pollDot"></span> Poll <strong>live</strong></div>
+    <div class="status-line">Interval <strong>15s</strong></div>
+      </div>
+      <div class="status-line">Mode <strong id="modeStatus">auto</strong></div>
+    </div>
+
+    <nav class="tabs">
+      <a class="tab" href="#overview">01 overview</a>
+      <a class="tab" href="#providers">02 providers</a>
+      <a class="tab" href="#policies">03 routing</a>
+      <a class="tab active" href="#activity">04 activity</a>
+      <a class="tab" href="#savings">05 savings</a>
+      <a class="tab" href="#memory">06 memory</a>
+      <a class="tab" href="#doctor">07 doctor</a>
+    </nav>
+
+    <section id="overview">
+      <div class="section-head">
+        <div class="section-title">gateway coverage</div>
+        <div class="section-note">existing adapters plus open-source targets</div>
+      </div>
+      <div class="coverage" id="coverage"></div>
+    </section>
+
+    <section id="activity">
+      <div class="section-head">
+        <div class="section-title">gateway metrics</div>
+        <div class="section-note">traffic · providers · savings · readiness</div>
+      </div>
+      <div class="metrics" id="metrics"></div>
+    </section>
+
+    <section class="workbench">
+      <div class="panel" id="policies">
+        <div class="panel-title">
+          <span>request pipeline</span>
+          <span>gateway core</span>
+        </div>
+        <div class="panel-body">
+          <div class="route-stack" id="pipeline"></div>
+        </div>
+      </div>
+      <div class="panel" id="memory">
+        <div class="panel-title">
+          <span>open-source extensions</span>
+          <span>roadmap</span>
+        </div>
+        <div class="panel-body">
+          <div class="route-stack" id="memoryRoutes"></div>
+        </div>
+      </div>
+    </section>
+
+    <section>
+      <div class="section-head">
+        <div class="section-title">recent requests</div>
+        <div class="section-note">live polling</div>
+      </div>
+      <div style="display:flex; gap:6px; margin-bottom:16px;">
+        <button class="btn" data-hours="24">last 24h</button>
+        <button class="btn" data-hours="168">last 7d</button>
+        <button class="btn" data-hours="720">last 30d</button>
+      </div>
+      <table>
+        <thead>
+          <tr>
+            <th>request id</th>
+            <th>caller</th>
+            <th>model</th>
+            <th>status</th>
+            <th>ctx before</th>
+            <th>ctx sent</th>
+            <th>saved</th>
+            <th>compression</th>
+            <th>cost</th>
+            <th>latency</th>
+          </tr>
+        </thead>
+        <tbody id="requests">
+          <tr><td class="empty" colspan="10">loading gateway traffic</td></tr>
+        </tbody>
+      </table>
+    </section>
+  </div>
+
+  <div class="fixed-status"><span></span><strong id="fixedStatus">connected</strong></div>
+
+  <script>
+    const API = window.location.origin; // prefix for getJson paths: the dashboard calls the origin that served it
+    let selectedHours = 24; // look-back window in hours for the requests table; updated by the [data-hours] buttons
+
+    const clients = [ // coverage tiles as [display name, topology node key, route note]
+      ['OpenAI-compatible API', 'openai-api', 'already usable by most tools'],
+      ['Ollama / Local models', 'ollama', 'local-first provider path'],
+      ['Codex / CLI clients', 'codex', 'planned MCP helper'],
+      ['Claude Code', 'claude-code', 'planned MCP bridge'],
+      ['ChatGPT / OpenAI', 'chatgpt', 'API key or export workflow'],
+      ['Cursor / VS Code', 'cursor', 'OpenAI-compatible base URL'],
+    ];
+
+    const metricLabels = { // display labels for topology.summary keys; renderMetrics falls back to the raw key when one is absent
+      detectedClients: 'adapters',
+      localModels: 'local',
+      providersConfigured: 'providers',
+      trustPolicies: 'rules',
+      memoryBackends: 'memory',
+      plannedModules: 'extensions',
+    };
+
+    function esc(value) { // HTML-escape & < > " ' after String() coercion; null and undefined become ''
+      return String(value ?? '').replace(/[&<>"']/g, (c) => ({
+        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
+      }[c]));
+    }
+
+    async function getJson(path) { // GET API + path and resolve with the parsed JSON body
+      const res = await fetch(`${API}${path}`, { cache: 'no-store', headers: { Accept: 'application/json' } }); // no-store: skip the HTTP cache so each poll reads fresh data
+      if (!res.ok) throw new Error(`${path} ${res.status}`); // non-2xx rejects with "<path> <status>"; the body is not read
+      return res.json();
+    }
+
+    function setDbStatus(status) { // update the DB dot (#dbDot) and label (#dbStatus) for 'connected' | 'degraded' | anything else
+      const dot = document.getElementById('dbDot');
+      const label = document.getElementById('dbStatus');
+      if (status === 'connected') {
+        dot.className = 'dot';
+        label.textContent = 'connected';
+      } else if (status === 'degraded') {
+        dot.className = 'dot warn';
+        label.textContent = 'degraded';
+      } else { // every unrecognised status is displayed as offline
+        dot.className = 'dot bad';
+        label.textContent = 'offline';
+      }
+    }
+
+    function renderCoverage(topology) { // draw one tile per `clients` entry into #coverage; only the badge depends on topology
+      const configured = new Set((topology.nodes || []).filter((n) => n.status === 'ready' || n.status === 'online').map((n) => n.id)); // ids of nodes whose status is 'ready' or 'online'
+      document.getElementById('coverage').innerHTML = clients.map(([name, key, note]) => {
+        const ready = configured.has(`client-${key}`) || configured.has(key); // accept the node id with or without the "client-" prefix; the tile-meta text below is static placeholder copy, not live data
+        return `
+          <article class="tile">
+            <div class="tile-head">
+              <div class="tile-title">${esc(name)}</div>
+              <div class="badge ${ready ? 'ready' : ''}">${ready ? 'ready' : 'not connected'}</div>
+            </div>
+            <div class="tile-meta">
+              0 requests · 0 saved<br>
+              status: discovery pending<br>
+              route: ${esc(note)}<br>
+              last: never
+            </div>
+          </article>
+        `;
+      }).join('');
+    }
+
+    function renderMetrics(summary) {
+      document.getElementById('metrics').innerHTML = Object.entries(summary).map(([key, value]) => `
+        <div class="metric">
+          <div class="metric-label">${esc(metricLabels[key] || key)}</div>
+          <div class="metric-value">${esc(value)}</div>
+        </div>
+      `).join('');
+    }
+
+    function renderPipeline(topology) { // fill #pipeline and #memoryRoutes from the static lists below; `topology` is currently unused
+      const steps = [ // [step name, description]; the first three get the 'core' badge, the rest 'next'
+        ['Client Entry', 'OpenAI-compatible requests from apps, agents, and scripts'],
+        ['Gateway Router', 'model selection, fallback, budgets, latency preference'],
+        ['Provider Layer', 'Ollama, OpenAI, Anthropic, Groq, Mistral, OpenRouter'],
+        ['Compression', 'existing token savings plus semantic cache roadmap'],
+        ['Receipts', 'trace request, route, model, tokens, cost, latency'],
+        ['Memory', 'optional shared project memory for handoff between AI tools'],
+      ];
+      document.getElementById('pipeline').innerHTML = steps.map(([name, desc], index) => `
+        <div class="route">
+          <div class="route-name">${String(index + 1).padStart(2, '0')} ${esc(name)}</div>
+          <div class="route-desc">${esc(desc)}</div>
+          <div class="badge ready">${index < 3 ? 'core' : 'next'}</div>
+        </div>
+      `).join('');
+
+      const extensions = [ // [name, description, badge text]
+        ['MCP server', 'Expose gateway status, providers, receipts, and memory to Codex, Claude Code, Cursor, and automations.', 'next'],
+        ['Shared memory', 'Optional Git/Gitea-backed project memory for decisions, handoffs, receipts, and reusable context.', 'next'],
+        ['Trust routing', 'Small policy layer for local-first routing, sensitive-data blocking, and provider allowlists.', 'next'],
+        ['Setup doctor', 'Detect local tools, env vars, models, ports, and missing config without changing user files silently.', 'next'],
+        ['Context receipts', 'Human-readable proof of what context was used, compressed, redacted, and routed.', 'planned'],
+      ];
+      document.getElementById('memoryRoutes').innerHTML = extensions.map(([name, desc, state]) => `
+        <div class="route">
+          <div class="route-name">${esc(name)}</div>
+          <div class="route-desc">${esc(desc)}</div>
+          <div class="badge ready">${esc(state)}</div>
+        </div>
+      `).join('');
+    }
+
+    function renderRequests(rows) {
+      const body = document.getElementById('requests');
+      if (!rows || rows.length === 0) {
+        body.innerHTML = '<tr><td class="empty" colspan="10">no requests in selected timeframe</td></tr>';
+        return;
+      }
+      body.innerHTML = rows.slice(0, 40).map((r) => `
+        <tr>
+          <td>${esc((r.request_id || r.id || '').slice(0, 12))}</td>
+          <td>${esc(r.caller || 'unknown')}</td>
+          <td>${esc(r.model || 'n/a')}</td>
+          <td>${esc(r.status || 'n/a')}</td>
+          <td>${esc(r.tokens_in || 0)}</td>
+          <td>${esc((r.tokens_in || 0) + (r.tokens_out || 0))}</td>
+          <td>${esc(r.tokens_saved || 0)}</td>
+          <td>${esc(r.compression || 'n/a')}</td>
+          <td>$${Number(r.cost_usd || 0).toFixed(4)}</td>
+          <td>${esc(r.latency_ms || 0)}ms</td>
+        </tr>
+      `).join('');
+    }
+
+    async function loadTopology() { // fetch the topology and re-render mode, coverage, metrics and pipeline; errors are not caught here and reject to the caller
+      const data = await getJson('/api/dashboard/topology');
+      const topology = data.data; // the response wraps the payload in a `data` field
+      document.getElementById('modeStatus').textContent = topology.mode === 'hybrid-safe' ? 'auto' : topology.mode; // 'hybrid-safe' is displayed as 'auto'
+      renderCoverage(topology);
+      renderMetrics(topology.summary);
+      renderPipeline(topology);
+    }
+
+    async function loadHealth() { // map the /health response onto the DB indicator; fetch failures are caught and shown as degraded
+      try {
+        const health = await getJson('/health');
+        if (health.status === 'ok') setDbStatus('connected');
+        else if (health.checks?.ollama?.status === 'ok') setDbStatus('degraded'); // overall status is not ok but the ollama check passes
+        else setDbStatus('offline');
+      } catch { // getJson threw: network error, non-2xx status, or unparsable JSON
+        setDbStatus('degraded'); // NOTE(review): an unreachable /health shows 'degraded' while a reachable non-ok one can show 'offline' — confirm this is intended
+      }
+    }
+
+    async function loadRequests() { // fetch up to 50 request rows for the selected window and render them
+      try {
+        const data = await getJson(`/api/dashboard/requests?limit=50&hours=${selectedHours}`);
+        renderRequests(data.data || []);
+      } catch { // a failed fetch renders the same empty state as a response with no rows
+        renderRequests([]);
+      }
+    }
+
+    async function refreshAll() {
+      await Promise.all([loadTopology(), loadHealth(), loadRequests()]);
+      document.getElementById('fixedStatus').textContent = 'connected';
+      document.getElementById('pollDot').className = 'dot';
+    }
+
+    document.querySelectorAll('[data-hours]').forEach((button) => { // wire the time-window buttons (last 24h / 7d / 30d)
+      button.addEventListener('click', () => {
+        selectedHours = Number(button.dataset.hours || 24); // falls back to 24 when data-hours is empty
+        loadRequests(); // reload only the requests table; it handles its own errors
+      });
+    });
+
+    document.getElementById('settingsBtn').addEventListener('click', () => { // the settings button only shows a preview alert
+      alert('Settings preview: providers, subscriptions, local models, budgets, memory backend, and OpenAI-compatible base URL.');
+    });
+
+    refreshAll().catch(() => { // initial load: if refreshAll rejects, mark the footer status and poll dot as degraded
+      document.getElementById('fixedStatus').textContent = 'degraded';
+      document.getElementById('pollDot').className = 'dot warn';
+    });
+    setInterval(refreshAll, 15000); // re-poll every 15 s, matching the "Interval 15s" label in the status strip
+  </script>
+</body>
+</html>
diff --git a/packages/gateway/public/dashboard.html b/packages/gateway/public/dashboard.html
index a1d3502..5edf410 100644
--- a/packages/gateway/public/dashboard.html
+++ b/packages/gateway/public/dashboard.html
@@ -3,539 +3,1842 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>LLM Gateway Dashboard</title>
+  <title>llm.gateway / workbench</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
   <style>
-    * {
-      margin: 0;
-      padding: 0;
-      box-sizing: border-box;
+    /* ─── Reset ──────────────────────────────────────────────────────────── */
+    *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+    html, body { background: #f4f7fa; color: #24313d; }
+
+    /* ─── Design tokens ──────────────────────────────────────────────────── */
+    :root {
+      --bg: #f4f7fa;
+      --bg-1: #ffffff;
+      --bg-2: #eef3f6;
+      --bg-3: #dde7ed;
+      --line: #d6e0e7;
+      --line-2: #bdc9d3;
+      --line-3: #8799a8;
+      --text: #24313d;
+      --dim: #667684;
+      --dim-2: #93a1ad;
+      --accent: #0f766e;
+      --accent-dim: #8ab9b5;
+      --warn: #b45309;
+      --err: #b42318;
+      --ok: #15803d;
+      --info: #2563eb;
+      --mono: 'JetBrains Mono', 'SF Mono', 'Menlo', 'Consolas', monospace;
+      --sans: 'Inter', system-ui, -apple-system, 'Segoe UI', sans-serif;
     }
 
     body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarell', sans-serif;
-      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      font-family: var(--sans);
+      font-size: 14px;
+      line-height: 1.5;
       min-height: 100vh;
-      padding: 20px;
-      color: #333;
+      background: var(--bg);
     }
 
-    .container {
-      max-width: 1400px;
+    /* ─── Layout shell ──────────────────────────────────────────────────── */
+    .shell {
+      max-width: 1480px;
       margin: 0 auto;
+      padding: 20px 32px 80px;
     }
 
-    header {
-      margin-bottom: 40px;
-      color: white;
-    }
-
-    h1 {
-      font-size: 2.5rem;
-      margin-bottom: 8px;
-      font-weight: 700;
-    }
-
-    .status-bar {
+    /* ─── Top bar ────────────────────────────────────────────────────────── */
+    .topbar {
       display: flex;
-      gap: 20px;
       align-items: center;
-      margin-top: 12px;
-      flex-wrap: wrap;
+      justify-content: space-between;
+      gap: 24px;
+      padding: 16px 0;
+      border-bottom: 1px solid var(--line);
+      margin-bottom: 8px;
     }
-
-    .status-item {
-      background: rgba(255, 255, 255, 0.2);
-      padding: 8px 16px;
-      border-radius: 6px;
-      font-size: 0.95rem;
-      backdrop-filter: blur(10px);
+    .brand {
+      display: flex;
+      align-items: baseline;
+      gap: 14px;
+      font-family: var(--mono);
     }
-
-    .status-indicator {
+    .brand-mark {
+      font-weight: 700;
+      font-size: 1.05rem;
+      color: var(--text);
+      letter-spacing: -0.01em;
+    }
+    .brand-mark::before {
+      content: '';
       display: inline-block;
       width: 8px;
       height: 8px;
-      border-radius: 50%;
-      margin-right: 8px;
+      margin-right: 10px;
+      background: var(--accent);
     }
-
-    .status-indicator.healthy {
-      background: #10b981;
-    }
-
-    .status-indicator.unhealthy {
-      background: #ef4444;
-    }
-
-    .grid {
-      display: grid;
-      grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
-      gap: 20px;
-      margin-bottom: 40px;
-    }
-
-    .card {
-      background: white;
-      border-radius: 12px;
-      padding: 24px;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-      transition: transform 0.2s, box-shadow 0.2s;
-    }
-
-    .card:hover {
-      transform: translateY(-4px);
-      box-shadow: 0 8px 12px rgba(0, 0, 0, 0.15);
-    }
-
-    .metric-label {
-      font-size: 0.9rem;
-      color: #666;
-      margin-bottom: 12px;
+    .brand-tag {
+      font-size: 0.72rem;
+      color: var(--dim);
+      letter-spacing: 0.06em;
       text-transform: uppercase;
-      letter-spacing: 0.5px;
-      font-weight: 500;
     }
+    .brand-tag::before { content: '/ '; color: var(--dim-2); }
 
-    .metric-value {
-      font-size: 2.2rem;
-      font-weight: 700;
-      color: #667eea;
-      margin-bottom: 8px;
-    }
+    .topbar-actions { display: flex; align-items: center; gap: 10px; }
 
-    .metric-unit {
-      font-size: 0.9rem;
-      color: #999;
-      margin-left: 4px;
-    }
-
-    .metric-change {
-      font-size: 0.85rem;
-      color: #666;
-      margin-top: 12px;
-      padding-top: 12px;
-      border-top: 1px solid #eee;
-    }
-
-    .section-title {
-      color: white;
-      font-size: 1.5rem;
-      margin: 40px 0 20px 0;
-      font-weight: 600;
-    }
-
-    .grid-models, .grid-callers {
-      display: grid;
-      grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
-      gap: 16px;
-      margin-bottom: 40px;
-    }
-
-    .model-card, .caller-card {
-      background: white;
-      border-radius: 10px;
-      padding: 16px;
-      box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
-      border-left: 4px solid #667eea;
-    }
-
-    .model-name, .caller-name {
-      font-weight: 600;
-      color: #333;
-      margin-bottom: 12px;
-      font-size: 0.95rem;
-      word-break: break-word;
-    }
-
-    .request-count {
-      font-size: 1.8rem;
-      font-weight: 700;
-      color: #667eea;
-    }
-
-    .count-label {
-      font-size: 0.8rem;
-      color: #999;
-      margin-top: 4px;
-    }
-
-    .filters {
+    /* ─── Status strip ──────────────────────────────────────────────────── */
+    .status-strip {
       display: flex;
-      gap: 12px;
-      margin-bottom: 20px;
+      align-items: center;
+      gap: 0;
+      padding: 10px 0 18px;
+      border-bottom: 1px solid var(--line);
+      font-family: var(--mono);
+      font-size: 0.78rem;
       flex-wrap: wrap;
     }
-
-    .filter-btn {
-      padding: 8px 16px;
-      border: 2px solid #e0e0e0;
-      background: white;
-      border-radius: 6px;
-      cursor: pointer;
-      font-weight: 500;
-      font-size: 0.9rem;
-      transition: all 0.2s;
-    }
-
-    .filter-btn.active {
-      border-color: #667eea;
-      background: #667eea;
-      color: white;
-    }
-
-    .filter-btn:hover {
-      border-color: #667eea;
-    }
-
-    .requests-table {
-      background: white;
-      border-radius: 12px;
-      overflow: hidden;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-    }
-
-    .table-header {
-      background: #f5f5f5;
-      padding: 16px;
-      display: grid;
-      grid-template-columns: 120px 150px 100px 120px 100px 100px 100px;
-      gap: 12px;
-      font-weight: 600;
-      color: #666;
-      font-size: 0.9rem;
-      text-transform: uppercase;
-      letter-spacing: 0.5px;
-    }
-
-    .table-row {
-      padding: 16px;
-      display: grid;
-      grid-template-columns: 120px 150px 100px 120px 100px 100px 100px;
-      gap: 12px;
-      border-bottom: 1px solid #eee;
-      align-items: center;
-      font-size: 0.9rem;
-    }
-
-    .table-row:last-child {
-      border-bottom: none;
-    }
-
-    .table-row:hover {
-      background: #f9f9f9;
-    }
-
-    .status-badge {
-      display: inline-block;
-      padding: 4px 12px;
-      border-radius: 12px;
-      font-size: 0.8rem;
-      font-weight: 600;
-      text-transform: uppercase;
-      letter-spacing: 0.5px;
-    }
-
-    .status-approved {
-      background: #d1fae5;
-      color: #065f46;
-    }
-
-    .status-warning {
-      background: #fef3c7;
-      color: #92400e;
-    }
-
-    .status-pending {
-      background: #dbeafe;
-      color: #1e40af;
-    }
-
-    .status-rejected {
-      background: #fee2e2;
-      color: #991b1b;
-    }
-
-    .status-error {
-      background: #fecaca;
-      color: #7f1d1d;
-    }
-
-    .empty-state {
-      text-align: center;
-      padding: 40px;
-      color: #999;
-    }
-
-    .connection-status {
-      position: fixed;
-      bottom: 20px;
-      right: 20px;
-      background: white;
-      padding: 12px 16px;
-      border-radius: 6px;
-      box-shadow: 0 2px 8px rgba(0, 0, 0, 0.15);
-      font-size: 0.9rem;
+    .status-cell {
+      padding: 4px 14px;
+      border-right: 1px solid var(--line);
+      color: var(--dim);
       display: flex;
       align-items: center;
       gap: 8px;
     }
-
-    .connection-dot {
-      width: 8px;
-      height: 8px;
-      border-radius: 50%;
-      background: #10b981;
-      animation: pulse 2s infinite;
+    .status-cell:first-child { padding-left: 0; }
+    .status-cell:last-child { border-right: none; margin-left: auto; }
+    .status-cell .dot {
+      width: 8px; height: 8px; border-radius: 50%;
+      background: var(--dim-2);
+      box-shadow: 0 0 0 0 currentColor;
     }
-
-    .connection-dot.disconnected {
-      background: #ef4444;
-      animation: none;
-    }
-
+    .status-cell .dot.ok { background: var(--ok); box-shadow: 0 0 0 3px rgba(21,128,61,0.12); animation: pulse 2.4s infinite; }
+    .status-cell .dot.err { background: var(--err); }
+    .status-cell .label { color: var(--dim-2); text-transform: uppercase; letter-spacing: 0.08em; font-size: 0.68rem; }
+    .status-cell .val { color: var(--text); }
     @keyframes pulse {
-      0%, 100% { opacity: 1; }
-      50% { opacity: 0.5; }
+      0%, 100% { box-shadow: 0 0 0 3px rgba(21,128,61,0.10); }
+      50% { box-shadow: 0 0 0 6px rgba(21,128,61,0.06); }
     }
 
-    .loading {
-      text-align: center;
-      padding: 40px;
-      color: #999;
-      font-style: italic;
+    /* ─── Tab navigation ──────────────────────────────────────────────────── */
+    .tabs {
+      display: flex;
+      gap: 0;
+      border-bottom: 1px solid var(--line);
+      margin: 0 0 28px;
+      overflow-x: auto;
+      scrollbar-width: none;
     }
-
-    .providers-container {
-      display: grid;
-      grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
-      gap: 20px;
-      margin-bottom: 40px;
+    .tabs::-webkit-scrollbar { display: none; }
+    .tab-trigger {
+      background: none;
+      border: none;
+      color: var(--dim);
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      padding: 14px 16px;
+      cursor: pointer;
+      position: relative;
+      letter-spacing: 0.02em;
+      white-space: nowrap;
+      transition: color 0.15s;
+      border-bottom: 2px solid transparent;
+      margin-bottom: -1px;
     }
-
-    .providers-section {
-      background: white;
-      border-radius: 12px;
-      padding: 20px;
-      box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+    .tab-trigger:hover { color: var(--text); }
+    .tab-trigger .tab-num {
+      color: var(--dim-2);
+      font-size: 0.7rem;
+      margin-right: 6px;
     }
+    .tab-trigger.active {
+      color: var(--accent);
+      border-bottom-color: var(--accent);
+    }
+    .tab-trigger.active .tab-num { color: var(--accent-dim); }
+    .tab-trigger .tab-badge {
+      display: inline-block;
+      margin-left: 8px;
+      padding: 1px 6px;
+      border: 1px solid var(--line-2);
+      border-radius: 2px;
+      font-size: 0.62rem;
+      color: var(--dim);
+    }
+    .tab-trigger.active .tab-badge { border-color: var(--accent-dim); color: var(--accent); }
 
-    .providers-subsection {
-      font-size: 1.1rem;
-      font-weight: 600;
-      color: #667eea;
-      margin-bottom: 16px;
+    .tab-panel { display: none; animation: fadein 0.3s ease; }
+    .tab-panel.active { display: block; }
+    @keyframes fadein { from { opacity: 0; transform: translateY(4px); } to { opacity: 1; transform: none; } }
+
+    /* ─── Section headings ────────────────────────────────────────────────── */
+    .h-section {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      letter-spacing: 0.18em;
       text-transform: uppercase;
-      letter-spacing: 0.5px;
+      color: var(--dim);
+      margin: 24px 0 14px;
+      padding-bottom: 8px;
+      border-bottom: 1px solid var(--line);
+      display: flex;
+      align-items: baseline;
+      justify-content: space-between;
+    }
+    .h-section::before { content: ''; width: 18px; height: 2px; background: var(--accent); margin-right: 8px; }
+    .h-section .h-meta { font-size: 0.7rem; color: var(--dim-2); letter-spacing: 0.05em; text-transform: none; }
+
+    /* ─── Metric grid (Overview tab) ──────────────────────────────────────── */
+    .metric-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .metric {
+      padding: 22px 24px 20px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+      transition: background 0.15s;
+    }
+    .metric:hover { background: var(--bg-2); }
+    .metric:last-child { border-right: none; }
+    .metric-label {
+      font-family: var(--mono);
+      font-size: 0.68rem;
+      text-transform: uppercase;
+      letter-spacing: 0.16em;
+      color: var(--dim);
+      margin-bottom: 14px;
+      display: flex;
+      align-items: center;
+      gap: 6px;
+    }
+    .metric-label::before {
+      content: '';
+      width: 6px; height: 6px;
+      background: var(--accent);
+      display: inline-block;
+    }
+    .metric-value {
+      font-family: var(--mono);
+      font-size: 2.1rem;
+      font-weight: 600;
+      color: var(--text);
+      letter-spacing: -0.02em;
+      line-height: 1;
+    }
+    .metric-value .metric-unit {
+      font-size: 0.85rem;
+      color: var(--dim);
+      font-weight: 400;
+      margin-left: 4px;
+    }
+    .metric-change {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      color: var(--dim-2);
+      margin-top: 8px;
+      letter-spacing: 0.04em;
     }
 
-    .providers-grid {
+    /* ─── Two-column grid for sub/caller chips ────────────────────────────── */
+    .chip-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+      gap: 8px;
+      margin-bottom: 8px;
+    }
+    .chip {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      padding: 14px 16px;
+      transition: border-color 0.15s, background 0.15s;
+    }
+    .chip:hover { border-color: var(--line-3); background: var(--bg-2); }
+    .chip-name {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      color: var(--text);
+      margin-bottom: 6px;
+      word-break: break-all;
+    }
+    .chip-meta {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+    }
+    .chip-meta .num { color: var(--accent); font-weight: 600; }
+
+    /* ─── Subscription cards ──────────────────────────────────────────────── */
+    .auto-banner {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      gap: 16px;
+      padding: 16px 20px;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 18px;
+      flex-wrap: wrap;
+    }
+    .auto-banner .banner-text {
+      flex: 1 1 auto;
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      color: var(--dim);
+    }
+    .auto-banner .banner-text strong { color: var(--accent); font-weight: 600; }
+    .auto-banner code {
+      font-family: var(--mono);
+      background: var(--bg-2);
+      border: 1px solid var(--line);
+      padding: 2px 8px;
+      color: var(--text);
+      font-size: 0.78rem;
+    }
+
+    .subs-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(330px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
+    .subs-card {
+      background: var(--bg-1);
+      padding: 18px 20px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+    }
+    .subs-card::before {
+      content: '';
+      position: absolute;
+      left: 0; top: 0; bottom: 0;
+      width: 2px;
+      background: var(--dim-2);
+    }
+    .subs-card.installed::before { background: var(--info); }
+    .subs-card.running::before { background: var(--ok); }
+    .subs-card.missing { opacity: 0.55; }
+    .subs-card.missing::before { background: var(--line-2); }
+
+    .subs-head {
+      display: flex;
+      justify-content: space-between;
+      align-items: flex-start;
+      gap: 8px;
+      margin-bottom: 8px;
+    }
+    .subs-label {
+      font-weight: 600;
+      font-size: 0.95rem;
+      color: var(--text);
+      flex: 1 1 auto;
+    }
+    .subs-state {
+      font-family: var(--mono);
+      font-size: 0.65rem;
+      letter-spacing: 0.1em;
+      text-transform: uppercase;
+      padding: 3px 8px;
+      border: 1px solid var(--line-2);
+      color: var(--dim);
+      white-space: nowrap;
+    }
+    .subs-state.running { color: var(--accent); border-color: var(--accent-dim); }
+    .subs-state.installed { color: var(--info); border-color: rgba(37,99,235,0.24); }
+    .subs-state.missing { color: var(--dim-2); }
+    .subs-meta {
+      font-family: var(--mono);
+      font-size: 0.74rem;
+      color: var(--dim);
+      margin-bottom: 4px;
+    }
+    .subs-bridge-url, .subs-models {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+      margin-top: 6px;
+      word-break: break-all;
+    }
+    .subs-bridge-url {
+      background: var(--bg);
+      border: 1px solid var(--line);
+      padding: 6px 10px;
+      color: var(--text);
+    }
+    .subs-models { color: var(--dim); }
+    .subs-models::before { content: 'models: '; color: var(--dim-2); }
+    .subs-install-hint {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      color: var(--warn);
+      background: rgba(180,83,9,0.08);
+      border: 1px solid rgba(180,83,9,0.22);
+      padding: 6px 10px;
+      margin-top: 8px;
+    }
+    .subs-install-hint code {
+      background: var(--bg);
+      padding: 1px 5px;
+      border-radius: 0;
+      color: var(--accent);
+    }
+
+    /* ─── Knowledge Graph ─────────────────────────────────────────────── */
+    .graph-wrap { background: var(--bg-1); border: 1px solid var(--line); padding: 12px; }
+    .graph-wrap svg { width: 100%; height: 460px; display: block; }
+    .graph-wrap svg .node { cursor: pointer; transition: transform 0.15s; transform-box: fill-box; transform-origin: center; } /* scale around the node's own bounding box, not the SVG viewport origin */
+    .graph-wrap svg .node:hover { transform: scale(1.1); }
+    .graph-wrap svg .node-caller   { fill: var(--accent); }
+    .graph-wrap svg .node-fact-key   { fill: #2563eb; }
+    .graph-wrap svg .node-fact-value { fill: #a78bfa; }
+    .graph-wrap svg .edge { stroke: var(--line-2); stroke-opacity: 0.6; fill: none; }
+    .graph-wrap svg text.label { font-family: var(--mono); font-size: 10px; fill: var(--text); pointer-events: none; }
+    .graph-legend {
+      display: flex; gap: 18px; margin-top: 10px; padding: 6px 12px;
+      background: var(--bg); border: 1px solid var(--line);
+      font-family: var(--mono); font-size: 0.74rem; color: var(--dim);
+    }
+    .graph-legend .dot { display: inline-block; width: 10px; height: 10px; margin-right: 6px; vertical-align: middle; }
+
+    /* ─── Leaderboard ─────────────────────────────────────────────────── */
+    .leaderboard-podium {
+      display: grid; grid-template-columns: 1fr 1.2fr 1fr;
+      gap: 12px; align-items: end; margin-bottom: 22px;
+    }
+    .podium-step {
+      padding: 18px 14px; border: 1px solid var(--line);
+      background: var(--bg-1); text-align: center;
+      display: flex; flex-direction: column; gap: 6px;
+    }
+    .podium-step.gold   { background: #fefce8; border-color: #facc15; min-height: 200px; order: 2; }
+    .podium-step.silver { background: #f8fafc; border-color: #cbd5e1; min-height: 170px; order: 1; }
+    .podium-step.bronze { background: #fef3c7; border-color: #f59e0b; min-height: 150px; order: 3; }
+    .podium-rank { font-family: var(--mono); font-weight: 700; font-size: 1.4rem; color: var(--text); }
+    .podium-medal { font-size: 2.4rem; line-height: 1; }
+    .podium-model { font-family: var(--mono); font-weight: 600; font-size: 0.95rem; color: var(--text); word-break: break-all; }
+    .podium-stat  { font-family: var(--mono); font-size: 0.78rem; color: var(--dim); }
+    .leaderboard-table { background: var(--bg-1); border: 1px solid var(--line); }
+    .lb-row {
+      display: grid; grid-template-columns: 40px 1fr 80px 80px 80px 80px;
+      gap: 10px; padding: 10px 16px; border-bottom: 1px solid var(--line);
+      font-family: var(--mono); font-size: 0.82rem; align-items: center;
+    }
+    .lb-row.head { background: var(--bg-2); color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; font-size: 0.66rem; }
+    .lb-row:last-child { border-bottom: none; }
+    .lb-row .lb-pos { font-weight: 700; text-align: center; }
+    .lb-row .lb-num { text-align: right; }
+    .lb-row.medal-gold { background: rgba(250,204,21,0.06); }
+    .lb-row.medal-silver { background: rgba(203,213,225,0.10); }
+    .lb-row.medal-bronze { background: rgba(245,158,11,0.06); }
+
+    /* ─── Share + Report ──────────────────────────────────────────────── */
+    .share-controls {
+      display: flex; gap: 16px; flex-wrap: wrap; align-items: center;
+      padding: 14px; border: 1px solid var(--line); background: var(--bg-1);
+      margin-bottom: 12px;
+    }
+    .share-preview {
+      border: 1px solid var(--line); background: var(--bg-2);
+      padding: 12px; text-align: center;
+    }
+    .share-preview img { max-width: 100%; height: auto; box-shadow: 0 2px 12px rgba(0,0,0,0.06); }
+    .share-url {
+      font-family: var(--mono); font-size: 0.78rem; color: var(--dim);
+      padding: 8px 12px; background: var(--bg); border: 1px solid var(--line);
+      margin-top: 8px; word-break: break-all;
+    }
+    .share-hint { font-size: 0.82rem; color: var(--dim); margin-top: 8px; }
+    .share-hint code { font-family: var(--mono); background: var(--bg-2); padding: 2px 6px; border-radius: 2px; }
+
+    /* ─── Caller deep-dive modal additions ──────────────────────────── */
+    .caller-summary {
+      display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+      gap: 0; border: 1px solid var(--line); margin-bottom: 16px;
+    }
+    .caller-summary > div { padding: 10px 14px; border-right: 1px solid var(--line); }
+    .caller-summary > div:last-child { border-right: none; }
+    .caller-summary .label { font-size: 0.66rem; color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; font-family: var(--mono); }
+    .caller-summary .val { font-family: var(--mono); font-size: 1rem; font-weight: 600; color: var(--text); margin-top: 4px; }
+    .caller-hour-bars { display: flex; gap: 2px; align-items: flex-end; height: 60px; padding: 8px; border: 1px solid var(--line); background: var(--bg); }
+    .caller-hour-bars .bar { flex: 1; background: var(--accent); min-height: 1px; transition: height 0.2s; }
+    .caller-hour-axis { display: flex; gap: 2px; padding: 0 8px; font-family: var(--mono); font-size: 0.6rem; color: var(--dim-2); }
+    .caller-hour-axis > span { flex: 1; text-align: center; }
+
+    /* clickable caller chips */
+    .chip { cursor: pointer; }
+    .chip:hover { border-color: var(--accent); }
+
+    /* Layer breakdown under hero counter */
+    .hero-layer-breakdown {
+      display: flex; flex-direction: column; gap: 4px;
+      margin-top: 12px;
+      padding-top: 10px;
+      border-top: 1px solid var(--line);
+    }
+    .layer-row {
+      display: flex; justify-content: space-between; align-items: baseline;
+      font-family: var(--mono); font-size: 0.78rem;
+    }
+    .layer-name { color: var(--dim); }
+    .layer-val { color: var(--text); font-weight: 600; }
+
+    /* ─── Simple Mode CSS — hide non-configured cards ───────────────────── */
+    body.simple-mode .subs-card.missing { display: none; }
+    body.simple-mode #savingsAxes .axis[data-empty="true"] { display: none; }
+    body.hide-empty-providers .provider-item[data-status="unconfigured"] { display: none; }
+    body.hide-empty-providers .wallet-card[data-status="unknown"] { display: none; }
+
+    /* In Simple Mode, hide the noisy "5-axis" header explainer. CSS has no :contains() (jQuery-only; it made the whole rule invalid), so match a data-simple-hide="true" hook set on that .h-meta element instead. */
+    body.simple-mode .h-section .h-meta[data-simple-hide="true"] { display: none; }
+
+    /* ─── Hero (Buddy + Savings + Cost-VS) ───────────────────────────────── */
+    .hero-grid {
+      display: grid;
+      grid-template-columns: 1fr 1.5fr 1.2fr;
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 22px;
+      overflow: hidden;
+    }
+    .hero-grid > div { padding: 22px 24px; border-right: 1px solid var(--line); }
+    .hero-grid > div:last-child { border-right: none; }
+
+    .hero-eyebrow {
+      font-family: var(--mono);
+      font-size: 0.66rem;
+      letter-spacing: 0.2em;
+      text-transform: uppercase;
+      color: var(--dim);
+      margin-bottom: 12px;
+    }
+
+    /* Buddy */
+    .hero-buddy { display: flex; flex-direction: column; gap: 8px; }
+    .buddy-name { font-weight: 700; font-size: 1.1rem; color: var(--text); }
+    .buddy-rarity {
+      display: inline-block; font-family: var(--mono); font-size: 0.62rem;
+      padding: 2px 8px; border: 1px solid var(--line-2); margin-left: 6px;
+      letter-spacing: 0.1em; text-transform: uppercase; vertical-align: middle;
+    }
+    .buddy-rarity.legendary { color: #b45309; border-color: #b45309; background: rgba(180,83,9,0.06); }
+    .buddy-rarity.epic      { color: #7c3aed; border-color: #7c3aed; background: rgba(124,58,237,0.06); }
+    .buddy-rarity.rare      { color: #2563eb; border-color: #2563eb; background: rgba(37,99,235,0.06); }
+    .buddy-rarity.uncommon  { color: var(--accent); border-color: var(--accent); background: rgba(15,118,110,0.06); }
+    .buddy-rarity.common    { color: var(--dim); }
+    .buddy-meta { font-family: var(--mono); font-size: 0.74rem; color: var(--dim); }
+    .buddy-art {
+      font-family: var(--mono); font-size: 0.8rem; line-height: 1.1;
+      white-space: pre; color: var(--accent);
+      padding: 8px; background: var(--bg);
+      border: 1px solid var(--line); margin: 4px 0;
+    }
+    .buddy-xp-bar {
+      height: 6px; background: var(--bg-3); border-radius: 1px;
+      position: relative; overflow: hidden;
+    }
+    .buddy-xp-fill {
+      height: 100%; background: linear-gradient(90deg, var(--accent), #2dd4bf);
+      transition: width 0.4s;
+    }
+    .buddy-xp-text {
+      font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2);
+      display: flex; justify-content: space-between;
+    }
+    .buddy-speech {
+      font-style: italic; font-size: 0.84rem; color: var(--text);
+      padding: 8px 12px; background: var(--bg-2); border-left: 2px solid var(--accent);
+      margin-top: 6px;
+    }
+    .buddy-mood-happy::before    { content: '😊 '; }
+    .buddy-mood-content::before  { content: '😌 '; }
+    .buddy-mood-sleepy::before   { content: '😴 '; }
+    .buddy-mood-hungry::before   { content: '🍴 '; }
+    .buddy-mood-excited::before  { content: '🤩 '; }
+
+    /* Hero savings counter */
+    .hero-savings { display: flex; flex-direction: column; gap: 14px; }
+    .hero-counter {
+      font-family: var(--mono); font-size: 3.6rem; font-weight: 700;
+      color: var(--accent); letter-spacing: -0.03em; line-height: 0.95;
+    }
+    .hero-row { display: flex; gap: 8px; flex-wrap: wrap; margin-top: 4px; }
+    .hero-pill {
+      flex: 1 1 100px; padding: 8px 12px; border: 1px solid var(--line);
+      background: var(--bg); display: flex; flex-direction: column; gap: 2px;
+    }
+    .hero-pill-label {
+      font-family: var(--mono); font-size: 0.62rem; color: var(--dim-2);
+      letter-spacing: 0.1em; text-transform: uppercase;
+    }
+    .hero-pill-val { font-family: var(--mono); font-size: 1.05rem; font-weight: 600; color: var(--text); }
+
+    /* Cost-VS comparison */
+    .hero-cost { display: flex; flex-direction: column; gap: 10px; }
+    .cost-vs { display: flex; align-items: center; gap: 10px; }
+    .cost-side { flex: 1; padding: 10px 14px; border: 1px solid var(--line); }
+    .cost-side.without { background: rgba(180,35,24,0.04); border-color: rgba(180,35,24,0.2); }
+    .cost-side.with    { background: rgba(15,118,110,0.06); border-color: rgba(15,118,110,0.3); }
+    .cost-label {
+      font-family: var(--mono); font-size: 0.62rem; color: var(--dim-2);
+      text-transform: uppercase; letter-spacing: 0.1em;
+    }
+    .cost-amount {
+      font-family: var(--mono); font-weight: 700; font-size: 1.6rem;
+      letter-spacing: -0.02em; margin-top: 2px;
+    }
+    .cost-side.without .cost-amount { color: var(--err); }
+    .cost-side.with .cost-amount    { color: var(--accent); }
+    .cost-arrow { color: var(--dim-2); font-size: 1.4rem; }
+    .cost-saved-line { font-size: 0.84rem; color: var(--text); }
+    .cost-saved-line strong { color: var(--accent); font-weight: 700; }
+
+    /* Savings axes (5-source breakdown) */
+    .savings-axes {
+      display: grid; grid-template-columns: repeat(5, 1fr); gap: 0;
+      border: 1px solid var(--line); background: var(--bg-1);
+    }
+    .axis {
+      padding: 14px 16px; border-right: 1px solid var(--line);
+      display: flex; flex-direction: column; gap: 4px;
+    }
+    .axis:last-child { border-right: none; }
+    .axis-label {
+      font-family: var(--mono); font-size: 0.66rem; color: var(--dim);
+      letter-spacing: 0.1em; text-transform: uppercase;
+    }
+    .axis-icon { font-size: 1.2rem; }
+    .axis-cost {
+      font-family: var(--mono); font-weight: 700; font-size: 1.3rem;
+      color: var(--accent);
+    }
+    .axis-detail { font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2); }
+
+    /* Two-column overview rows */
+    .overview-row-2col {
+      display: grid; grid-template-columns: 1fr 1fr; gap: 28px;
+      margin-top: 22px;
+    }
+
+    /* Calendar heatmap */
+    .heatmap {
+      display: grid; grid-template-columns: repeat(53, 11px);
+      grid-auto-rows: 11px; gap: 2px;
+      padding: 12px; border: 1px solid var(--line); background: var(--bg-1);
+    }
+    .heatmap-cell { width: 11px; height: 11px; border-radius: 2px; background: var(--bg-3); cursor: pointer; transition: transform 0.1s; }
+    .heatmap-cell:hover { transform: scale(1.4); outline: 1px solid var(--accent); }
+    .heatmap-cell.l1 { background: #2dd4bf40; }
+    .heatmap-cell.l2 { background: #2dd4bf80; }
+    .heatmap-cell.l3 { background: #2dd4bfc0; }
+    .heatmap-cell.l4 { background: var(--accent); }
+
+    /* Forecast */
+    .forecast { padding: 18px; border: 1px solid var(--line); background: var(--bg-1); }
+    .forecast-row {
+      display: flex; justify-content: space-between; align-items: baseline;
+      padding: 8px 0; border-bottom: 1px solid var(--line);
+    }
+    .forecast-row:last-child { border-bottom: none; }
+    .forecast-window { font-family: var(--mono); font-size: 0.72rem; color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em; }
+    .forecast-amount { font-family: var(--mono); font-weight: 700; color: var(--accent); font-size: 1.1rem; }
+    .forecast-trend {
+      font-family: var(--mono); font-size: 0.78rem; padding-top: 8px;
+      color: var(--dim);
+    }
+    .forecast-trend.up { color: var(--accent); }
+    .forecast-trend.down { color: var(--err); }
+    .forecast-trend::before { content: '→ '; }
+    .forecast-trend.up::before { content: '↗ '; }
+    .forecast-trend.down::before { content: '↘ '; }
+
+    /* Live events feed */
+    .events-feed {
+      max-height: 380px; overflow-y: auto;
+      border: 1px solid var(--line); background: var(--bg-1);
+      font-family: var(--mono);
+    }
+    .event-row {
+      display: grid; grid-template-columns: auto 1fr auto; gap: 10px;
+      padding: 8px 14px; border-bottom: 1px solid var(--line);
+      font-size: 0.78rem; align-items: center;
+    }
+    .event-row:last-child { border-bottom: none; }
+    .event-row:hover { background: var(--bg-2); }
+    .event-icon { font-size: 1rem; }
+    .event-body { color: var(--text); }
+    .event-caller { color: var(--accent); font-weight: 600; }
+    .event-detail { color: var(--dim); margin-top: 2px; font-size: 0.7rem; }
+    .event-time { color: var(--dim-2); font-size: 0.68rem; }
+
+    /* Achievements */
+    .achievements-grid {
+      display: grid; grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
+      gap: 10px;
+    }
+    .achievement {
+      padding: 12px 14px; border: 1px solid var(--line); background: var(--bg-1);
+      display: flex; gap: 12px; align-items: flex-start;
+      transition: transform 0.15s, border-color 0.15s;
+    }
+    .achievement.unlocked { border-color: var(--accent); }
+    .achievement.unlocked:hover { transform: translateY(-2px); }
+    .achievement.locked { opacity: 0.45; filter: grayscale(0.8); }
+    .ach-icon { font-size: 1.6rem; line-height: 1; }
+    .ach-info { display: flex; flex-direction: column; gap: 2px; flex: 1; }
+    .ach-title { font-weight: 600; font-size: 0.88rem; color: var(--text); }
+    .ach-desc { font-size: 0.74rem; color: var(--dim); font-family: var(--mono); }
+
+    /* Streak badge */
+    #streakBadge { color: var(--accent); font-weight: 700; }
+
+    @media (max-width: 1100px) {
+      .hero-grid { grid-template-columns: 1fr; }
+      .hero-grid > div { border-right: none; border-bottom: 1px solid var(--line); }
+      .savings-axes { grid-template-columns: repeat(2, 1fr); }
+      .axis { border-bottom: 1px solid var(--line); }
+      .overview-row-2col { grid-template-columns: 1fr; }
+      .heatmap { grid-template-columns: repeat(26, 11px); }
+    }
+
+    /* ─── Savings ───────────────────────────────────────────────────────── */
+    .savings-hero {
+      display: grid;
+      grid-template-columns: 1fr 1.4fr;
+      gap: 0;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .savings-headline {
+      padding: 28px 32px;
+      border-right: 1px solid var(--line);
+    }
+    .savings-eyebrow {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      text-transform: uppercase;
+      letter-spacing: 0.18em;
+      color: var(--dim);
+      margin-bottom: 10px;
+    }
+    .savings-counter {
+      font-family: var(--mono);
+      font-size: 3.4rem;
+      font-weight: 700;
+      letter-spacing: -0.03em;
+      line-height: 1;
+      color: var(--accent);
+      transition: color 0.4s;
+    }
+    .savings-sub {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      color: var(--dim);
+      margin-top: 14px;
+    }
+    .savings-spark {
+      padding: 24px 32px;
       display: flex;
       flex-direction: column;
+      gap: 6px;
+    }
+    .savings-spark svg {
+      width: 100%;
+      height: 80px;
+    }
+    .savings-spark svg path.area { fill: rgba(15,118,110,0.10); stroke: none; }
+    .savings-spark svg path.line { fill: none; stroke: var(--accent); stroke-width: 1.4; }
+    .savings-spark svg circle.last { fill: var(--accent); }
+    .savings-spark-meta {
+      display: flex; justify-content: space-between;
+      font-family: var(--mono); font-size: 0.7rem;
+      color: var(--dim); text-transform: uppercase; letter-spacing: 0.1em;
+    }
+    .savings-spark-meta #savingsHitRate { color: var(--accent); }
+
+    /* ─── Wallet ───────────────────────────────────────────────────────── */
+    .wallet-banner {
+      padding: 14px 18px;
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      margin-bottom: 18px;
+      font-size: 0.86rem;
+      color: var(--dim);
+    }
+    .wallet-banner strong { color: var(--accent); font-weight: 600; }
+    .wallet-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(360px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
+    .wallet-card {
+      background: var(--bg-1);
+      padding: 18px 20px 16px;
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      position: relative;
+    }
+    .wallet-head {
+      display: flex; justify-content: space-between; align-items: baseline;
+      margin-bottom: 10px;
+    }
+    .wallet-label {
+      font-weight: 600; font-size: 0.95rem; color: var(--text);
+    }
+    .wallet-rec {
+      font-family: var(--mono); font-size: 0.65rem;
+      letter-spacing: 0.1em; text-transform: uppercase;
+      padding: 2px 8px; border: 1px solid var(--line-2);
+      color: var(--dim);
+    }
+    .wallet-rec.use-this { color: var(--ok); border-color: rgba(21,128,61,0.4); background: rgba(21,128,61,0.05); }
+    .wallet-rec.available { color: var(--info); border-color: rgba(37,99,235,0.4); }
+    .wallet-rec.near-limit { color: var(--warn); border-color: rgba(180,83,9,0.4); background: rgba(180,83,9,0.05); }
+    .wallet-rec.exhausted { color: var(--err); border-color: rgba(180,35,24,0.4); background: rgba(180,35,24,0.05); }
+    .wallet-rec.unknown { color: var(--dim-2); }
+
+    .wallet-bar {
+      height: 8px;
+      background: var(--bg-2);
+      border-radius: 1px;
+      position: relative;
+      overflow: hidden;
+      margin: 12px 0 10px;
+    }
+    .wallet-bar-fill {
+      height: 100%;
+      background: var(--accent);
+      transition: width 0.4s ease;
+    }
+    .wallet-bar-fill.warn { background: var(--warn); }
+    .wallet-bar-fill.err { background: var(--err); }
+    .wallet-meta {
+      display: flex; justify-content: space-between;
+      font-family: var(--mono); font-size: 0.74rem;
+      color: var(--dim);
+    }
+    .wallet-meta strong { color: var(--text); font-weight: 600; }
+    .wallet-reset {
+      font-family: var(--mono); font-size: 0.7rem;
+      color: var(--dim-2); margin-top: 6px;
+    }
+
+    /* ─── Memory ───────────────────────────────────────────────────────── */
+    .memory-form {
+      display: flex; gap: 10px; flex-wrap: wrap; margin-bottom: 18px;
+      align-items: center;
+    }
+    .mem-list {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+    }
+    .mem-row {
+      padding: 12px 16px;
+      border-bottom: 1px solid var(--line);
+      display: grid;
+      grid-template-columns: 1.2fr 2fr 1fr;
       gap: 12px;
+      align-items: center;
+      font-family: var(--mono);
+      font-size: 0.82rem;
     }
+    .mem-row:last-child { border-bottom: none; }
+    .mem-key { font-weight: 600; color: var(--accent); }
+    .mem-val { color: var(--text); }
+    .mem-meta { color: var(--dim-2); font-size: 0.72rem; text-align: right; }
 
+    /* ─── Providers ──────────────────────────────────────────────────────── */
+    .providers-stack > section { margin-bottom: 22px; }
+    .providers-stack > section:last-child { margin-bottom: 0; }
+    .providers-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
+      gap: 0;
+      border: 1px solid var(--line);
+    }
     .provider-item {
-      background: #f9f9f9;
-      border-radius: 8px;
-      padding: 12px;
-      border-left: 4px solid #667eea;
+      background: var(--bg-1);
+      border-right: 1px solid var(--line);
+      border-bottom: 1px solid var(--line);
+      padding: 14px 16px;
     }
-
     .provider-header {
       display: flex;
       justify-content: space-between;
-      align-items: start;
-      margin-bottom: 8px;
+      align-items: flex-start;
       gap: 8px;
+      margin-bottom: 4px;
     }
-
-    .provider-name {
-      font-weight: 600;
-      color: #333;
-      font-size: 0.95rem;
+    .provider-name { font-weight: 600; color: var(--text); font-size: 0.9rem; }
+    .provider-tech-name {
+      font-family: var(--mono); font-size: 0.7rem; color: var(--dim-2);
+      margin-bottom: 6px;
     }
-
     .provider-tag {
-      display: inline-block;
-      padding: 3px 8px;
-      border-radius: 4px;
-      font-size: 0.75rem;
-      font-weight: 600;
-      text-transform: uppercase;
-      letter-spacing: 0.3px;
+      font-family: var(--mono); font-size: 0.62rem;
+      letter-spacing: 0.1em; text-transform: uppercase;
+      padding: 2px 8px;
+      border: 1px solid var(--line-2);
+      color: var(--dim);
       white-space: nowrap;
     }
-
-    .tag-configured {
-      background: #d1fae5;
-      color: #065f46;
+    .provider-tag.tag-configured { color: var(--ok); border-color: rgba(21,128,61,0.24); }
+    .provider-tag.tag-unconfigured { color: var(--dim); }
+    .provider-runtime {
+      display: flex;
+      align-items: center;
+      gap: 6px;
+      font-family: var(--mono);
+      font-size: 0.68rem;
+      color: var(--dim-2);
+      margin-top: 8px;
+      min-height: 18px;
     }
-
-    .tag-unconfigured {
-      background: #fee2e2;
-      color: #7f1d1d;
+    .provider-runtime .runtime-dot {
+      width: 7px;
+      height: 7px;
+      border-radius: 50%;
+      background: var(--dim-2);
+      flex: 0 0 auto;
     }
-
+    .provider-runtime.runtime-ready { color: var(--ok); }
+    .provider-runtime.runtime-ready .runtime-dot { background: var(--ok); box-shadow: 0 0 0 3px rgba(21,128,61,0.12); }
+    .provider-runtime.runtime-warn { color: var(--warn); }
+    .provider-runtime.runtime-warn .runtime-dot { background: var(--warn); box-shadow: 0 0 0 3px rgba(180,83,9,0.12); }
+    .provider-runtime.runtime-muted { color: var(--dim); }
+    .provider-runtime.runtime-muted .runtime-dot { background: var(--dim); }
     .provider-models {
-      font-size: 0.8rem;
-      color: #666;
-      margin-top: 6px;
+      font-family: var(--mono); font-size: 0.72rem; color: var(--dim);
+      margin-top: 4px; word-break: break-all;
     }
-
     .provider-rate {
-      font-size: 0.75rem;
-      color: #999;
+      font-family: var(--mono); font-size: 0.68rem; color: var(--dim-2);
       margin-top: 4px;
     }
+    .provider-env-hint {
+      font-family: var(--mono); font-size: 0.68rem;
+      color: var(--warn);
+      background: rgba(180,83,9,0.08);
+      border: 1px solid rgba(180,83,9,0.22);
+      padding: 4px 8px;
+      margin-top: 6px;
+    }
+    .provider-env-hint code { background: var(--bg); padding: 1px 4px; color: var(--accent); }
 
+    /* ─── Activity / Requests table ───────────────────────────────────────── */
+    .filters {
+      display: flex; gap: 4px;
+      margin-bottom: 14px;
+      font-family: var(--mono);
+    }
+    .filter-btn {
+      background: transparent;
+      border: 1px solid var(--line);
+      color: var(--dim);
+      padding: 6px 16px;
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      cursor: pointer;
+      transition: all 0.15s;
+    }
+    .filter-btn:hover { color: var(--text); border-color: var(--line-3); }
+    .filter-btn.active {
+      color: var(--accent);
+      border-color: var(--accent-dim);
+      background: rgba(15,118,110,0.08);
+    }
+
+    .req-table {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      font-family: var(--mono);
+      font-size: 0.78rem;
+    }
+    .req-row {
+      display: grid;
+      grid-template-columns: 1.15fr 1fr 1.2fr 0.7fr 0.7fr 0.7fr 0.65fr 0.9fr 0.75fr 0.7fr;
+      gap: 10px;
+      padding: 10px 16px;
+      border-bottom: 1px solid var(--line);
+      align-items: center;
+    }
+    .req-row.head {
+      background: var(--bg-2);
+      color: var(--dim);
+      text-transform: uppercase;
+      letter-spacing: 0.1em;
+      font-size: 0.66rem;
+    }
+    .req-row:last-child { border-bottom: none; }
+    .req-row.body:hover { background: var(--bg-2); }
+    .req-row > div { overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+    .req-status {
+      display: inline-block;
+      padding: 2px 8px;
+      font-size: 0.66rem;
+      letter-spacing: 0.08em;
+      text-transform: uppercase;
+      border: 1px solid var(--line-2);
+    }
+    .req-status.approved { color: var(--ok); border-color: rgba(21,128,61,0.24); }
+    .req-status.error, .req-status.rejected { color: var(--err); border-color: rgba(180,35,24,0.24); }
+    .req-status.warning, .req-status.pending_review { color: var(--warn); border-color: rgba(180,83,9,0.24); }
+
+    .client-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(230px, 1fr));
+      gap: 10px;
+      margin-bottom: 14px;
+    }
+    .client-item {
+      border: 1px solid var(--line);
+      background: var(--bg-1);
+      padding: 12px 14px;
+      font-family: var(--mono);
+      min-height: 88px;
+    }
+    .client-top {
+      display: flex;
+      justify-content: space-between;
+      gap: 10px;
+      align-items: flex-start;
+      margin-bottom: 9px;
+    }
+    .client-name {
+      font-weight: 700;
+      color: var(--text);
+      font-size: 0.78rem;
+      white-space: nowrap;
+      overflow: hidden;
+      text-overflow: ellipsis;
+    }
+    .client-state {
+      border: 1px solid var(--line-2);
+      padding: 2px 7px;
+      text-transform: uppercase;
+      letter-spacing: 0.08em;
+      font-size: 0.62rem;
+      color: var(--dim);
+      white-space: nowrap;
+    }
+    .client-state.live {
+      color: var(--ok);
+      border-color: rgba(21,128,61,0.28);
+      background: rgba(21,128,61,0.06);
+    }
+    .client-state.not-connected {
+      color: var(--warn);
+      border-color: rgba(180,83,9,0.26);
+      background: rgba(180,83,9,0.06);
+    }
+    .client-meta {
+      color: var(--dim);
+      font-size: 0.72rem;
+      line-height: 1.55;
+    }
+    .client-meta strong {
+      color: var(--text);
+      font-weight: 600;
+    }
+
+    .empty-state {
+      padding: 40px 20px;
+      text-align: center;
+      color: var(--dim-2);
+      font-family: var(--mono);
+      font-size: 0.85rem;
+    }
+    .loading {
+      padding: 30px 20px;
+      text-align: center;
+      color: var(--dim);
+      font-family: var(--mono);
+      font-size: 0.8rem;
+    }
+
+    /* ─── Buttons ────────────────────────────────────────────────────────── */
+    .btn {
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      padding: 8px 18px;
+      border: 1px solid var(--line-2);
+      background: transparent;
+      color: var(--text);
+      cursor: pointer;
+      transition: all 0.15s;
+      text-transform: uppercase;
+      /* Single tracking value for the uppercase label; a duplicate 0.02em declaration was dead (overridden by this one). */
+      letter-spacing: 0.08em;
+    }
+    .btn:hover {
+      border-color: var(--accent);
+      color: var(--accent);
+      background: rgba(15,118,110,0.06);
+    }
+    .btn.primary {
+      border-color: var(--accent);
+      color: var(--accent);
+      background: rgba(15,118,110,0.08);
+    }
+    .btn.primary:hover { background: var(--accent); color: #ffffff; }
+    .btn:disabled { opacity: 0.4; cursor: not-allowed; }
+    .btn-sm { padding: 5px 12px; font-size: 0.72rem; }
+
+    /* ─── Settings modal ─────────────────────────────────────────────────── */
+    .modal-overlay {
+      position: fixed; inset: 0;
+      background: rgba(56,68,82,0.28);
+      backdrop-filter: blur(2px);
+      display: none;
+      align-items: flex-start;
+      justify-content: center;
+      z-index: 1000;
+      overflow-y: auto;
+      padding: 40px 16px;
+    }
+    .modal-overlay.open { display: flex; }
+    .modal {
+      background: var(--bg-1);
+      border: 1px solid var(--line-2);
+      max-width: 760px;
+      width: 100%;
+      max-height: calc(100vh - 80px);
+      display: flex;
+      flex-direction: column;
+      box-shadow: 0 24px 60px rgba(75,91,108,0.20);
+    }
+    .modal-header {
+      padding: 18px 24px;
+      border-bottom: 1px solid var(--line);
+      display: flex; align-items: center; justify-content: space-between;
+    }
+    .modal-header h2 {
+      font-family: var(--mono);
+      font-size: 0.85rem;
+      letter-spacing: 0.16em;
+      text-transform: uppercase;
+      font-weight: 600;
+      color: var(--text);
+    }
+    .modal-header h2::before { content: ''; display: inline-block; width: 7px; height: 7px; margin-right: 9px; background: var(--accent); }
+    .modal-close {
+      background: none;
+      border: 1px solid var(--line-2);
+      width: 32px; height: 32px;
+      cursor: pointer;
+      color: var(--dim);
+      font-size: 1.1rem;
+      line-height: 1;
+      transition: all 0.15s;
+    }
+    .modal-close:hover { color: var(--err); border-color: var(--err); }
+    .modal-body { padding: 22px 24px; overflow-y: auto; flex: 1 1 auto; }
+    .modal-footer {
+      padding: 14px 24px;
+      border-top: 1px solid var(--line);
+      display: flex; gap: 10px; justify-content: flex-end; align-items: center;
+    }
+    .modal-footer .save-status {
+      margin-right: auto;
+      font-family: var(--mono);
+      font-size: 0.78rem;
+      color: var(--dim);
+    }
+    .modal-footer .save-status.ok { color: var(--ok); }
+    .modal-footer .save-status.err { color: var(--err); }
+
+    .settings-section { margin-bottom: 26px; }
+    .settings-section:last-child { margin-bottom: 0; }
+    .settings-section-title {
+      font-family: var(--mono);
+      font-size: 0.7rem;
+      letter-spacing: 0.16em;
+      text-transform: uppercase;
+      color: var(--accent);
+      margin-bottom: 6px;
+      padding-bottom: 6px;
+      border-bottom: 1px solid var(--line);
+    }
+    .settings-section-title::before { content: ''; display: inline-block; width: 14px; height: 2px; margin-right: 8px; background: var(--accent-dim); vertical-align: middle; }
+    .settings-section-desc { font-size: 0.78rem; color: var(--dim); margin-bottom: 10px; }
+
+    .settings-row {
+      display: grid;
+      grid-template-columns: 1fr auto;
+      gap: 12px;
+      align-items: center;
+      padding: 10px 0;
+      border-bottom: 1px solid var(--line);
+    }
+    .settings-row:last-child { border-bottom: none; }
+    .settings-row-info { display: flex; flex-direction: column; gap: 2px; }
+    .settings-row-label { font-weight: 600; font-size: 0.88rem; color: var(--text); }
+    .settings-row-meta {
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+    }
+
+    .settings-toggle { position: relative; width: 42px; height: 22px; flex-shrink: 0; }
+    .settings-toggle input { opacity: 0; width: 0; height: 0; }
+    .settings-toggle .slider {
+      position: absolute; inset: 0; cursor: pointer;
+      background: var(--bg-3);
+      border: 1px solid var(--line-2);
+      transition: 0.2s;
+    }
+    /* The real checkbox is invisible, so keyboard focus has to be drawn on the slider. */
+    .settings-toggle input:focus-visible + .slider { box-shadow: 0 0 0 2px rgba(15,118,110,0.16); }
+    .settings-toggle .slider::before {
+      content: '';
+      position: absolute;
+      width: 14px; height: 14px;
+      left: 3px; top: 50%; transform: translateY(-50%);
+      background: var(--dim);
+      transition: 0.2s;
+    }
+    .settings-toggle input:checked + .slider {
+      border-color: var(--accent-dim);
+      background: rgba(15,118,110,0.10);
+    }
+    .settings-toggle input:checked + .slider::before {
+      transform: translate(20px, -50%);
+      background: var(--accent); box-shadow: none;
+    }
+
+    .settings-input {
+      width: 100%;
+      padding: 8px 10px;
+      background: var(--bg);
+      border: 1px solid var(--line-2);
+      color: var(--text);
+      font-family: var(--mono);
+      font-size: 0.82rem;
+      margin-top: 6px;
+    }
+    .settings-input:focus {
+      outline: none;
+      border-color: var(--accent);
+      box-shadow: 0 0 0 2px rgba(15,118,110,0.16);
+    }
+
+    .settings-radio-group { display: flex; gap: 6px; flex-wrap: wrap; }
+    .settings-radio {
+      flex: 1 1 calc(50% - 4px);
+      min-width: 140px;
+      padding: 10px 14px;
+      border: 1px solid var(--line-2);
+      cursor: pointer;
+      font-size: 0.82rem;
+      font-family: var(--mono);
+      text-align: center;
+      transition: all 0.15s;
+      color: var(--dim);
+    }
+    .settings-radio:hover { color: var(--text); border-color: var(--line-3); }
+    .settings-radio.active {
+      border-color: var(--accent); color: var(--accent);
+      background: rgba(15,118,110,0.08); font-weight: 600;
+    }
+    /* Hide the native radio visually but keep it focusable: display:none removed it from the tab order. */
+    .settings-radio input { position: absolute; opacity: 0; width: 0; height: 0; }
+    .settings-radio:focus-within { box-shadow: 0 0 0 2px rgba(15,118,110,0.16); }
+
+    /* ─── Floating connection indicator ──────────────────────────────────── */
+    .conn-pill {
+      position: fixed;
+      bottom: 16px; right: 16px;
+      padding: 6px 14px;
+      background: var(--bg-1);
+      border: 1px solid var(--line-2);
+      font-family: var(--mono);
+      font-size: 0.72rem;
+      color: var(--dim);
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      z-index: 50;
+    }
+    .conn-pill .dot {
+      width: 6px; height: 6px;
+      background: var(--ok);
+      box-shadow: 0 0 0 3px rgba(21,128,61,0.10);
+      animation: pulse 2.4s infinite;
+    }
+
+    /* ─── Responsive ─────────────────────────────────────────────────────── */
     @media (max-width: 768px) {
-      h1 {
-        font-size: 1.8rem;
-      }
-
-      .grid {
-        grid-template-columns: 1fr;
-      }
-
-      .grid-models, .grid-callers {
-        grid-template-columns: repeat(auto-fill, minmax(150px, 1fr));
-      }
-
-      .table-header, .table-row {
-        grid-template-columns: 80px 100px 80px 80px 60px 60px 60px;
-        font-size: 0.8rem;
-      }
-
-      .metric-value {
-        font-size: 1.8rem;
-      }
+      .shell { padding: 16px 18px 60px; }
+      .topbar { flex-direction: column; align-items: flex-start; gap: 12px; }
+      .metric { padding: 16px 18px; }
+      .metric-value { font-size: 1.7rem; }
+      .req-row { grid-template-columns: 1fr 1fr; gap: 6px; padding: 10px; font-size: 0.72rem; }
+      .req-row.head { display: none; }
+      .req-row > div:nth-child(n+5) { display: none; }
     }
   </style>
 </head>
 <body>
-  <div class="container">
-    <header>
-      <h1>LLM Gateway Dashboard</h1>
-      <div class="status-bar">
-        <div class="status-item">
-          <span class="status-indicator healthy" id="dbStatusIndicator"></span>
-          <span id="dbStatus">Checking database...</span>
-        </div>
-        <div class="status-item">
-          <span class="status-indicator" id="sseStatusIndicator"></span>
-          <span id="sseStatus">Connecting to stream...</span>
-        </div>
-        <div class="status-item">
-          <span id="listenerCount">0</span> SSE listeners
-        </div>
-      </div>
-    </header>
+  <div class="shell">
 
-    <div class="grid">
-      <div class="card">
-        <div class="metric-label">Total Requests</div>
-        <div class="metric-value" id="totalRequests">0</div>
-        <div class="metric-change" id="requestsChange"></div>
+    <!-- ─── Top bar ──────────────────────────────────────────────────────── -->
+    <div class="topbar">
+      <div class="brand">
+        <span class="brand-mark">llm.gateway</span>
+        <span class="brand-tag">gateway workbench · v1.0</span>
       </div>
-
-      <div class="card">
-        <div class="metric-label">Success Rate</div>
-        <div class="metric-value" id="successRate">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="successChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Avg Latency</div>
-        <div class="metric-value" id="avgLatency">0<span class="metric-unit">ms</span></div>
-        <div class="metric-change" id="latencyChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Total Cost</div>
-        <div class="metric-value" id="totalCost">$0.00</div>
-        <div class="metric-change" id="costChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Avg Confidence</div>
-        <div class="metric-value" id="avgConfidence">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="confidenceChange"></div>
-      </div>
-
-      <div class="card">
-        <div class="metric-label">Fallback Usage</div>
-        <div class="metric-value" id="fallbackPercent">0<span class="metric-unit">%</span></div>
-        <div class="metric-change" id="fallbackChange"></div>
+      <div class="topbar-actions">
+        <button class="btn btn-sm" id="settingsBtn" type="button" title="Configure subscriptions and API keys">
+          ⚙ settings
+        </button>
       </div>
     </div>
 
-    <h2 class="section-title">Top Models</h2>
-    <div class="grid-models" id="topModels">
-      <div class="loading">Loading models...</div>
+    <!-- ─── Status strip ─────────────────────────────────────────────────── -->
+    <div class="status-strip">
+      <div class="status-cell">
+        <span class="dot ok" id="dbStatusIndicator"></span>
+        <span class="label">db</span>
+        <span class="val" id="dbStatus">connecting</span>
+      </div>
+      <div class="status-cell">
+        <span class="dot ok" id="pollingStatusIndicator"></span>
+        <span class="label">poll</span>
+        <span class="val" id="pollingStatus">starting</span>
+      </div>
+      <div class="status-cell">
+        <span class="label">interval</span>
+        <span class="val" id="pollInterval">3s</span>
+      </div>
+      <div class="status-cell">
+        <span class="label">mode</span>
+        <span class="val" id="routingModeBadge">auto</span>
+      </div>
     </div>
 
-    <h2 class="section-title">Top Callers</h2>
-    <div class="grid-callers" id="topCallers">
-      <div class="loading">Loading callers...</div>
-    </div>
+    <!-- ─── Tab bar ──────────────────────────────────────────────────────── -->
+    <nav class="tabs" role="tablist">
+      <button class="tab-trigger active" data-tab="overview" role="tab" title="Headline stats: tokens saved, cost, buddy, achievements"><span class="tab-num">01</span>overview</button>
+      <button class="tab-trigger" data-tab="subscriptions" role="tab" title="Your CLI subscriptions (Claude Code, Codex, …) and their bridge status"><span class="tab-num">02</span>subscriptions <span class="tab-badge" id="subsTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="providers" role="tab" title="All configured LLM providers (local Ollama, paid APIs, free tiers) — advanced"><span class="tab-num">03</span>providers <span class="tab-badge" id="providersTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="activity" role="tab" title="Live request log — every call that went through the gateway"><span class="tab-num">04</span>activity</button>
+      <button class="tab-trigger" data-tab="savings" role="tab" title="Cost & token savings counter — main 'wow how much I saved' page"><span class="tab-num">05</span>savings <span class="tab-badge" id="savingsTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="wallet" role="tab" title="Subscription quotas — how much of each Pro plan you've used in the current window"><span class="tab-num">06</span>wallet <span class="tab-badge" id="walletTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="memory" role="tab" title="Persistent facts the gateway knows about each caller — auto-injected into prompts"><span class="tab-num">07</span>memory</button>
+      <button class="tab-trigger" data-tab="leaderboard" role="tab" title="Race-mode results — fastest model leaderboard if you ran multi-model races"><span class="tab-num">08</span>races <span class="tab-badge" id="leaderboardTabBadge">·</span></button>
+      <button class="tab-trigger" data-tab="share" role="tab" title="Generate an embeddable SVG card showing your savings (for blog/Twitter/README)"><span class="tab-num">09</span>share</button>
+      <button class="tab-trigger" data-tab="report" role="tab" title="Generate a printable monthly PDF report"><span class="tab-num">10</span>report</button>
+    </nav>
 
-    <h2 class="section-title">Available Providers & Models</h2>
-    <div class="providers-container">
-      <div id="providersLocal" class="providers-section">
-        <h3 class="providers-subsection">Local</h3>
-        <div class="providers-grid" id="providersList_local">
-          <div class="loading">Loading providers...</div>
+    <!-- ─── Tab: Overview ────────────────────────────────────────────────── -->
+    <section class="tab-panel active" data-tab="overview">
+
+      <!-- ─── Hero: Buddy + Headline Savings + Forecast ──────────────────── -->
+      <div class="hero-grid">
+        <!-- Left: Pet/Buddy -->
+        <div class="hero-buddy" id="heroBuddy">
+          <div class="loading">summoning buddy</div>
+        </div>
+
+        <!-- Center: Headline savings counter — combined all layers -->
+        <div class="hero-savings">
+          <div class="hero-eyebrow">total tokens saved · all layers · all-time</div>
+          <div class="hero-counter"><span id="heroTokensSavedCombined">0</span><span style="font-size:1.1rem;color:var(--dim);font-weight:400;margin-left:8px;">tokens</span></div>
+          <div class="hero-layer-breakdown" id="heroLayerBreakdown">
+            <div class="layer-row"><span class="layer-name">⚡ Gateway (LLM calls)</span><span class="layer-val" id="heroTokensSaved">0</span></div>
+            <div class="layer-row" id="heroLeanCtxRow" style="display:none;"><span class="layer-name">🗜 Lean-CTX (tool calls)</span><span class="layer-val" id="heroLeanCtxTokens">—</span></div>
+          </div>
+          <div class="hero-row">
+            <div class="hero-pill">
+              <span class="hero-pill-label">cost saved</span>
+              <span class="hero-pill-val" id="heroCostSaved">$0.00</span>
+            </div>
+            <div class="hero-pill">
+              <span class="hero-pill-label">cache hits</span>
+              <span class="hero-pill-val" id="heroCacheHits">0</span>
+            </div>
+            <div class="hero-pill">
+              <span class="hero-pill-label">savings rate</span>
+              <span class="hero-pill-val" id="heroSavingsRate">0%</span>
+            </div>
+          </div>
+        </div>
+
+        <!-- Right: Cost analysis (without vs with) — competitor comparison -->
+        <div class="hero-cost">
+          <div class="hero-eyebrow">cost analysis · last 24h · USD</div>
+          <div class="cost-vs">
+            <div class="cost-side without">
+              <div class="cost-label">without gateway</div>
+              <div class="cost-amount" id="costWithout">$0.00</div>
+            </div>
+            <div class="cost-arrow">→</div>
+            <div class="cost-side with">
+              <div class="cost-label">with gateway</div>
+              <div class="cost-amount" id="costWith">$0.00</div>
+            </div>
+          </div>
+          <div class="cost-saved-line">you saved <strong id="costSavedLine">$0.00</strong> · <span id="costSavedPercent">0%</span> reduction</div>
         </div>
       </div>
-      <div id="providersSubscription" class="providers-section">
-        <h3 class="providers-subsection">Subscription</h3>
-        <div class="providers-grid" id="providersList_subscription">
-          <div class="loading">Loading providers...</div>
+
+      <!-- ─── Five-Axis Savings Breakdown — what makes us better than Lean-CTX ── -->
+      <h2 class="h-section">Savings Sources <span class="h-meta">we measure 5 axes — Lean-CTX measures 1</span></h2>
+      <div class="savings-axes" id="savingsAxes">
+        <div class="loading">loading</div>
+      </div>
+
+      <!-- ─── Quick Metrics Grid ──────────────────────────────────────────── -->
+      <h2 class="h-section">Live Metrics <span class="h-meta">last 24h</span></h2>
+      <div class="metric-grid">
+        <div class="metric">
+          <div class="metric-label">requests</div>
+          <div class="metric-value" id="totalRequests">0</div>
+          <div class="metric-change" id="requestsChange">routed</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">success rate</div>
+          <div class="metric-value" id="successRate">0<span class="metric-unit">%</span></div>
+          <div class="metric-change" id="successChange">approved/total</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">avg latency</div>
+          <div class="metric-value" id="avgLatency">0<span class="metric-unit">ms</span></div>
+          <div class="metric-change" id="latencyChange">end-to-end</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">spent today</div>
+          <div class="metric-value" id="totalCost">$0.00</div>
+          <div class="metric-change" id="costChange">actual usd</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">confidence</div>
+          <div class="metric-value" id="avgConfidence">0<span class="metric-unit">/10</span></div>
+          <div class="metric-change" id="confidenceChange">post-val</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">fallback usage</div>
+          <div class="metric-value" id="fallbackPercent">0<span class="metric-unit">%</span></div>
+          <div class="metric-change" id="fallbackChange">primary→fallback</div>
         </div>
       </div>
-      <div id="providersFree" class="providers-section">
-        <h3 class="providers-subsection">Free Tier</h3>
-        <div class="providers-grid" id="providersList_free">
-          <div class="loading">Loading providers...</div>
+
+      <!-- ─── Calendar heatmap (GitHub style) + Forecast ──────────────────── -->
+      <div class="overview-row-2col">
+        <div>
+          <h2 class="h-section">Activity · last 365 days <span class="h-meta">streak <span id="streakBadge">0</span>d</span></h2>
+          <div class="heatmap" id="heatmap"><div class="loading">loading activity</div></div>
+        </div>
+        <div>
+          <h2 class="h-section">Forecast <span class="h-meta">based on recent trend</span></h2>
+          <div class="forecast" id="forecast"><div class="loading">computing forecast</div></div>
+        </div>
+      </div>
+
+      <!-- ─── Live Events Feed + Top Models / Callers ─────────────────────── -->
+      <div class="overview-row-2col">
+        <div>
+          <h2 class="h-section">Live Activity <span class="h-meta">most recent first</span></h2>
+          <div class="events-feed" id="eventsFeed"><div class="loading">listening</div></div>
+        </div>
+        <div>
+          <h2 class="h-section">Top Models <span class="h-meta">last 24h</span></h2>
+          <div class="chip-grid" id="topModels"><div class="loading">analyzing routing</div></div>
+
+          <h2 class="h-section" style="margin-top: 18px;">Top Callers</h2>
+          <div class="chip-grid" id="topCallers"><div class="loading">analyzing callers</div></div>
+        </div>
+      </div>
+
+      <!-- ─── Achievements ──────────────────────────────────────────────────── -->
+      <h2 class="h-section">Achievements <span class="h-meta"><span id="achievementsProgress">0/0</span></span></h2>
+      <div class="achievements-grid" id="achievementsGrid"><div class="loading">checking quests</div></div>
+    </section>
+
+    <!-- ─── Tab: Subscriptions ──────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="subscriptions">
+      <div class="auto-banner">
+        <div class="banner-text">
+          <strong>auto-gateway</strong> <span id="subsAutoState">detection only</span>
+          — installed CLI subscriptions are wrapped into HTTP bridges and exposed via <code>/v1/chat/completions</code>
+        </div>
+        <button class="btn btn-sm primary" id="subsSpawnBtn" type="button">⟳ spawn missing bridges</button>
+      </div>
+      <div class="subs-grid" id="subscriptionsList">
+        <div class="loading">discovering installed subscriptions</div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Providers ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="providers">
+      <div class="providers-stack">
+        <section>
+          <h2 class="h-section">Local <span class="h-meta">on-host inference</span></h2>
+          <div class="providers-grid" id="providersList_local">
+            <div class="loading">enumerating local models</div>
+          </div>
+        </section>
+        <section>
+          <h2 class="h-section">Subscription <span class="h-meta">paid plans via bridges</span></h2>
+          <div class="providers-grid" id="providersList_subscription">
+            <div class="loading">enumerating subscription providers</div>
+          </div>
+        </section>
+        <section>
+          <h2 class="h-section">Free Tier <span class="h-meta">api-key authenticated</span></h2>
+          <div class="providers-grid" id="providersList_free">
+            <div class="loading">enumerating free-tier endpoints</div>
+          </div>
+        </section>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Activity ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="activity">
+      <h2 class="h-section">Desktop AI Coverage <span class="h-meta">only gateway traffic is counted</span></h2>
+      <div class="client-grid" id="clientsCoverage">
+        <div class="loading">checking connected clients</div>
+      </div>
+      <h2 class="h-section">Recent Requests <span class="h-meta">live polling</span></h2>
+      <div class="filters">
+        <button class="filter-btn active" data-hours="24">last 24h</button>
+        <button class="filter-btn" data-hours="168">last 7d</button>
+        <button class="filter-btn" data-hours="720">last 30d</button>
+      </div>
+      <div class="req-table">
+        <div class="req-row head">
+          <div>request id</div>
+          <div>caller</div>
+          <div>model</div>
+          <div>status</div>
+          <div>ctx before</div>
+          <div>ctx sent</div>
+          <div>saved</div>
+          <div>compression</div>
+          <div>cost</div>
+          <div>latency</div>
+        </div>
+        <div id="requestsTable">
+          <div class="empty-state">no requests yet</div>
+        </div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Savings ─────────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="savings">
+      <div class="savings-hero">
+        <div class="savings-headline">
+          <div class="savings-eyebrow">cumulative savings · last 24h</div>
+          <div class="savings-counter" id="savingsCounter">$0.00</div>
+          <div class="savings-sub" id="savingsSubLine">— · — tokens prevented · — cache hits</div>
+        </div>
+        <div class="savings-spark">
+          <svg id="savingsSparkline" role="img" aria-labelledby="savingsSparkLabel" viewBox="0 0 320 64" preserveAspectRatio="none"></svg>
+          <div class="savings-spark-meta">
+            <span id="savingsSparkLabel">$ saved per hour</span>
+            <span id="savingsHitRate">hit rate —</span>
+          </div>
+        </div>
+      </div>
+
+      <div class="metric-grid" style="margin-top:18px;">
+        <div class="metric">
+          <div class="metric-label">cache entries</div>
+          <div class="metric-value" id="cacheEntries">0</div>
+          <div class="metric-change">distinct cached responses</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">tokens prevented</div>
+          <div class="metric-value" id="tokensPrevented">0</div>
+          <div class="metric-change">never sent to LLM</div>
+        </div>
+        <div class="metric">
+          <div class="metric-label">cache hit rate</div>
+          <div class="metric-value" id="cacheHitRate">0<span class="metric-unit">%</span></div>
+          <div class="metric-change">hits ÷ total req</div>
+        </div>
+      </div>
+
+      <h2 class="h-section">Top Caching Callers <span class="h-meta">most savings</span></h2>
+      <div class="chip-grid" id="topSavingCallers">
+        <div class="loading">loading</div>
+      </div>
+
+      <h2 class="h-section">Cache Controls <span class="h-meta">manual invalidation</span></h2>
+      <div style="display:flex;gap:10px;flex-wrap:wrap;">
+        <input id="cacheClearCaller" class="settings-input" style="max-width:280px;" aria-label="caller id whose cache should be cleared" placeholder="caller id (e.g. cursor)">
+        <button class="btn" id="cacheClearBtn" type="button">clear caller's cache</button>
+        <button class="btn" id="cachePruneBtn" type="button">prune entries &gt; 7 days</button>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Wallet (Subscription Pool — UNIQUE feature) ────────────── -->
+    <section class="tab-panel" data-tab="wallet">
+      <div class="wallet-banner">
+        <div>
+          <strong>Subscription Pool Wallet</strong> — tracks <strong>API calls</strong>
+          (not tokens) against each Pro plan's quota window. Numbers here are
+          <em>messages remaining</em>, not tokens. For token savings via cache,
+          see the Savings tab.
+        </div>
+      </div>
+      <div class="wallet-grid" id="walletList">
+        <div class="loading">loading wallet</div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Memory ───────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="memory">
+      <div class="memory-form">
+        <input id="memCaller" class="settings-input" style="max-width:280px;" aria-label="caller id" placeholder="caller id">
+        <button class="btn" id="memLoadBtn" type="button">load facts</button>
+        <span style="flex:1;"></span>
+        <input id="memFactKey" class="settings-input" style="max-width:200px;" aria-label="fact key" placeholder="fact key">
+        <input id="memFactValue" class="settings-input" style="max-width:280px;" aria-label="fact value" placeholder="fact value">
+        <button class="btn" id="memSaveBtn" type="button">remember</button>
+      </div>
+      <div class="mem-list" id="memList">
+        <div class="empty-state">enter a caller id and click load</div>
+      </div>
+
+      <h2 class="h-section">Knowledge Graph <span class="h-meta">all callers + facts</span></h2>
+      <div class="graph-wrap">
+        <svg id="memoryGraph" role="img" aria-label="knowledge graph of callers, fact keys and values" viewBox="0 0 880 460" preserveAspectRatio="xMidYMid meet"></svg>
+        <div class="graph-legend">
+          <span><span class="dot" style="background:#0f766e;"></span> caller</span>
+          <span><span class="dot" style="background:#2563eb;"></span> fact key</span>
+          <span><span class="dot" style="background:#a78bfa;"></span> value</span>
+        </div>
+      </div>
+    </section>
+
+    <!-- ─── Tab: Leaderboard ─────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="leaderboard">
+      <div class="leaderboard-podium" id="leaderboardPodium">
+        <div class="loading">computing standings</div>
+      </div>
+      <h2 class="h-section">Race Leaderboard <span class="h-meta">last 7 days</span></h2>
+      <div class="leaderboard-table" id="leaderboardTable"><div class="loading">loading</div></div>
+    </section>
+
+    <!-- ─── Tab: Share Card ──────────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="share">
+      <h2 class="h-section">Public Share Card <span class="h-meta">embeddable SVG · OG-card sized · no auth required</span></h2>
+      <div class="share-controls">
+        <label class="settings-row-label">Period:
+          <select id="shareCardPeriod" class="settings-input" style="width: 140px; display:inline-block; margin-left:8px;">
+            <option value="day">day</option>
+            <option value="week">week</option>
+            <option value="month" selected>month</option>
+            <option value="all">all-time</option>
+          </select>
+        </label>
+        <label class="settings-row-label" style="margin-left:24px;">Theme:
+          <select id="shareCardTheme" class="settings-input" style="width: 120px; display:inline-block; margin-left:8px;">
+            <option value="dark">dark</option>
+            <option value="light">light</option>
+          </select>
+        </label>
+        <button class="btn primary" id="shareCardRefresh" type="button">refresh</button>
+        <button class="btn" id="shareCardCopyUrl" type="button">copy URL</button>
+        <button class="btn" id="shareCardDownload" type="button">download SVG</button>
+      </div>
+      <div class="share-preview">
+        <img id="shareCardImg" alt="LLM Gateway share card" loading="lazy">
+      </div>
+      <div class="share-url" id="shareCardUrl"></div>
+      <div class="share-hint">Use this URL anywhere — Twitter/LinkedIn previews, blog headers, README badges. Updates automatically every 5 min.</div>
+    </section>
+
+    <!-- ─── Tab: Monthly Report ──────────────────────────────────────────── -->
+    <section class="tab-panel" data-tab="report">
+      <h2 class="h-section">Monthly Report <span class="h-meta">save as PDF via browser print</span></h2>
+      <div class="share-controls">
+        <label class="settings-row-label">Year:
+          <input id="reportYear" class="settings-input" type="number" style="width:120px;display:inline-block;margin-left:8px;">
+        </label>
+        <label class="settings-row-label" style="margin-left:24px;">Month:
+          <input id="reportMonth" class="settings-input" type="number" min="1" max="12" style="width:90px;display:inline-block;margin-left:8px;">
+        </label>
+        <button class="btn primary" id="reportOpen" type="button">open report</button>
+      </div>
+      <div class="share-hint">Tip: in the report window, press <code>Cmd/Ctrl+P</code> → "Save as PDF". The report is fully styled for A4 print.</div>
+    </section>
+
+    <!-- ─── Caller Deep-Dive Modal ───────────────────────────────────── -->
+    <div class="modal-overlay" id="callerModal" role="dialog" aria-modal="true" aria-labelledby="callerModalTitle">
+      <div class="modal" style="max-width: 900px;">
+        <div class="modal-header">
+          <h2 id="callerModalTitle">caller details</h2>
+          <button class="modal-close" id="callerModalClose" type="button" aria-label="Close">×</button>
+        </div>
+        <div class="modal-body" id="callerModalBody">
+          <div class="loading">loading caller details</div>
         </div>
       </div>
     </div>
 
-    <h2 class="section-title">Recent Requests</h2>
-    <div class="filters">
-      <button class="filter-btn active" data-hours="24">Last 24h</button>
-      <button class="filter-btn" data-hours="168">Last 7d</button>
-      <button class="filter-btn" data-hours="720">Last 30d</button>
+    <!-- ─── Settings Modal ──────────────────────────────────────────────── -->
+    <div class="modal-overlay" id="settingsModal" role="dialog" aria-modal="true" aria-labelledby="settingsModalTitle">
+      <div class="modal">
+        <div class="modal-header">
+          <h2 id="settingsModalTitle">gateway settings</h2>
+          <button class="modal-close" id="settingsClose" type="button" aria-label="Close">×</button>
+        </div>
+        <div class="modal-body">
+          <div class="settings-section">
+            <div class="settings-section-title">dashboard view</div>
+            <p class="settings-section-desc">Hide advanced features you don't use. <strong>Recommended for users with 1–3 subscriptions.</strong></p>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Simple Mode</span>
+                <span class="settings-row-meta">Show only: overview · subscriptions · wallet · activity · savings. Hide: providers, races, share, report, memory.</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiSimpleMode" aria-label="Simple Mode">
+                <span class="slider"></span>
+              </label>
+            </div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Hide unconfigured providers</span>
+                <span class="settings-row-meta">Don't show provider cards that aren't enabled (Cerebras, Groq, etc.)</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiHideEmpty" aria-label="Hide unconfigured providers">
+                <span class="slider"></span>
+              </label>
+            </div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Tab tooltips</span>
+                <span class="settings-row-meta">Show a one-line explanation on hover for every tab.</span>
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="uiTooltips" aria-label="Tab tooltips">
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">routing mode</div>
+            <p class="settings-section-desc">Restrict which provider categories the gateway is allowed to use.</p>
+            <div class="settings-radio-group" id="routingModeGroup" role="radiogroup" aria-label="routing mode">
+              <label class="settings-radio"><input type="radio" name="routingMode" value="auto"><span>auto · all</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="subscription-only"><span>subscriptions only</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="api-only"><span>api only</span></label>
+              <label class="settings-radio"><input type="radio" name="routingMode" value="local-only"><span>local · ollama only</span></label>
+            </div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">cli subscriptions (abos)</div>
+            <p class="settings-section-desc">Toggle which subscription CLIs you have. The auto-gateway only spawns bridges for enabled ones.</p>
+            <div id="settingsSubscriptionsList"></div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">api providers</div>
+            <p class="settings-section-desc">API keys for paid/free-tier endpoints. Stored locally with file mode 0600 — never returned in plaintext.</p>
+            <div id="settingsApiList"></div>
+          </div>
+
+          <div class="settings-section">
+            <div class="settings-section-title">local · ollama</div>
+            <div class="settings-row">
+              <div class="settings-row-info">
+                <span class="settings-row-label">Ollama Base URL</span>
+                <span class="settings-row-meta">OLLAMA_BASE_URL</span>
+                <input class="settings-input" type="text" id="ollamaBaseUrl" aria-label="Ollama Base URL" placeholder="http://localhost:11434">
+              </div>
+              <label class="settings-toggle">
+                <input type="checkbox" id="ollamaEnabled" aria-label="Enable Ollama">
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        </div>
+        <div class="modal-footer">
+          <span class="save-status" id="settingsSaveStatus"></span>
+          <button class="btn" id="settingsCancel" type="button">cancel</button>
+          <button class="btn primary" id="settingsSave" type="button">save</button>
+        </div>
+      </div>
     </div>
 
-    <div class="requests-table">
-      <div class="table-header">
-        <div>Request ID</div>
-        <div>Caller</div>
-        <div>Model</div>
-        <div>Status</div>
-        <div>Tokens In</div>
-        <div>Cost</div>
-        <div>Latency</div>
-      </div>
-      <div id="requestsTable">
-        <div class="empty-state">No requests yet</div>
-      </div>
-    </div>
   </div>
 
-  <div class="connection-status">
-    <div class="connection-dot" id="connectionDot"></div>
-    <span id="connectionText">Connected</span>
+  <div class="conn-pill">
+    <span class="dot" id="connectionDot"></span>
+    <span id="connectionText">connected</span>
   </div>
 
   <script>
     const HEALTH_CHECK_INTERVAL = 30000;
-    const METRICS_REFRESH_INTERVAL = 10000;
+    const METRICS_REFRESH_INTERVAL = 3000; // ms between loadMetrics polls
+    const REQUESTS_REFRESH_INTERVAL = 3000; // ms between loadRequests polls
     const API_BASE = '';
     let selectedHours = 24;
     let lastMetrics = null;
-    let sseConnection = null;
+    let metricsIntervalId = null; // setInterval handle managed by setupPolling
+    let requestsIntervalId = null; // setInterval handle managed by setupPolling
+    const DASHBOARD_TOKEN_KEY = 'llmGatewayDashboardToken'; // localStorage key for the dashboard bearer token
+
+    function getDashboardToken() { // saved dashboard token, or '' when nothing is stored
+      return localStorage.getItem(DASHBOARD_TOKEN_KEY) || '';
+    }
+
+    function setDashboardToken(token) { // a truthy token is persisted; anything falsy clears the stored one
+      if (token) localStorage.setItem(DASHBOARD_TOKEN_KEY, token);
+      else localStorage.removeItem(DASHBOARD_TOKEN_KEY);
+    }
+
+    function withAuthHeaders(headers = {}) { // copy of `headers` plus `Authorization: Bearer <token>`; returns `headers` itself when no token is stored
+      const token = getDashboardToken();
+      return token ? { ...headers, Authorization: `Bearer ${token}` } : headers;
+    }
+
+    // Fetch `url` with the stored dashboard token attached. On HTTP 401 or 503 the user is prompted
+    // for a token; a non-empty answer is trimmed, stored, and the request is sent once more.
+    // Cancelling the prompt returns the first (failed) response unchanged.
+    async function apiFetch(url, options = {}) {
+      // Headers are rebuilt on every send so the retry picks up the token stored just before it.
+      const send = () => fetch(url, { ...options, headers: withAuthHeaders(options.headers || {}) });
+      const first = await send();
+      const needsToken = first.status === 401 || first.status === 503;
+      if (!needsToken) return first;
+
+      const entered = prompt('Dashboard admin token');
+      if (!entered) return first;
+      setDashboardToken(entered.trim());
+      return send();
+    }
+
+    // ─── Tab switching ───────────────────────────────────────────────────
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => { // activate the clicked trigger and its panel, then mirror the tab in the URL hash
+        const target = t.dataset.tab;
+        document.querySelectorAll('.tab-trigger').forEach(x => x.classList.toggle('active', x === t));
+        document.querySelectorAll('.tab-panel').forEach(p => p.classList.toggle('active', p.dataset.tab === target));
+        history.replaceState(null, '', `#${target}`);
+      });
+    });
+    if (location.hash) {
+      // Restore the tab named in the hash. Compare dataset values instead of interpolating the hash into a selector: a hash such as `#x\` makes querySelector throw and aborts the rest of this script.
+      const trigger = [...document.querySelectorAll('.tab-trigger')].find(x => x.dataset.tab === location.hash.slice(1));
+      if (trigger) trigger.click();
+    }
 
     // Health check
     async function checkHealth() {
@@ -552,55 +1855,98 @@
       }
     }
 
-    function updateHealthStatus(isHealthy, data) {
+    function updateHealthStatus(isHealthy, _data) { // second argument is accepted but not read
       const indicator = document.getElementById('dbStatusIndicator');
       const status = document.getElementById('dbStatus');
-      if (isHealthy) {
-        indicator.className = 'status-indicator healthy';
-        status.textContent = `Database connected (${data.sse_listeners || 0} listeners)`;
-      } else {
-        indicator.className = 'status-indicator unhealthy';
-        status.textContent = 'Database disconnected';
-      }
+      indicator.className = isHealthy ? 'dot ok' : 'dot err'; // dot colour class follows the health flag
+      status.textContent = isHealthy ? 'connected' : 'disconnected';
     }
 
     // Load recent requests
     async function loadRequests() {
       try {
-        const response = await fetch(`${API_BASE}/api/dashboard/requests?limit=50&hours=${selectedHours}`);
+        const [response, clientsResponse] = await Promise.all([ // both endpoints are requested concurrently for the selected window
+          apiFetch(`${API_BASE}/api/dashboard/requests?limit=50&hours=${selectedHours}`),
+          apiFetch(`${API_BASE}/api/dashboard/clients?hours=${selectedHours}`)
+        ]);
         const data = await response.json();
-        if (data.success) {
-          renderRequests(data.data);
-        }
+        const clients = await clientsResponse.json();
+        if (clients.success) renderClients(clients.data); // each panel is refreshed only when its own payload reports success
+        if (data.success) renderRequests(data.data);
       } catch (error) {
         console.error('Failed to load requests:', error);
       }
     }
 
+    // Render one coverage card per client into #clientsCoverage. Every server-supplied string, status included, is HTML-escaped.
+    function renderClients(clients) {
+      document.getElementById('clientsCoverage').innerHTML = clients.map(client => {
+        const lastSeen = client.lastSeen ? new Date(client.lastSeen).toLocaleString() : 'never';
+        const callerList = client.callers?.length ? client.callers.join(', ') : 'no caller id seen';
+        return `
+          <div class="client-item">
+            <div class="client-top">
+              <div class="client-name" title="${escapeHtml(client.label)}">${escapeHtml(client.label)}</div>
+              <div class="client-state ${escapeHtml(client.status)}">${escapeHtml(String(client.status ?? '').replace('-', ' '))}</div>
+            </div>
+            <div class="client-meta">
+              <div><strong>${formatNumber(client.requestCount)}</strong> requests · <strong>${formatNumber(client.tokensSaved)}</strong> saved</div>
+              <div title="${escapeHtml(callerList)}">caller: ${escapeHtml(callerList)}</div>
+              <div>last: ${escapeHtml(lastSeen)}</div>
+            </div>
+          </div>
+        `;
+      }).join('');
+    }
+
     function renderRequests(requests) {
       const table = document.getElementById('requestsTable');
-      if (requests.length === 0) {
-        table.innerHTML = '<div class="empty-state">No requests in selected timeframe</div>';
+      if (!requests.length) { // empty window → placeholder; in the rows below every request-supplied string is HTML-escaped before reaching innerHTML
+        table.innerHTML = '<div class="empty-state">no requests in selected timeframe</div>';
         return;
       }
-
       table.innerHTML = requests.map(req => `
-        <div class="table-row">
-          <div title="${req.request_id}">${req.request_id.substring(0, 12)}...</div>
-          <div>${req.caller}</div>
-          <div>${req.model}</div>
-          <div><span class="status-badge status-${req.status}">${req.status}</span></div>
-          <div>${req.tokens_in}</div>
-          <div>$${(req.cost_usd).toFixed(4)}</div>
+        <div class="req-row body">
+          <div title="${escapeHtml(req.request_id)}">${escapeHtml(String(req.request_id ?? '').substring(0, 14))}…</div>
+          <div>${escapeHtml(req.caller)}</div>
+          <div title="${escapeHtml(req.model)}">${escapeHtml(req.model)}</div>
+          <div><span class="req-status ${escapeHtml(req.status)}">${escapeHtml(req.status)}</span></div>
+          <div>${formatNumber(req.compression_tokens_before ?? req.tokens_in ?? 0)}</div>
+          <div>${formatNumber(req.compression_tokens_after ?? req.tokens_in ?? 0)}</div>
+          <div>${formatSavedTokens(req.compression_tokens_saved ?? 0)}</div>
+          <div title="${escapeHtml(req.compression_mode || 'not tracked')}">${formatCompression(req)}</div>
+          <div>${formatCost(req.cost_usd)}</div>
           <div>${req.latency_ms}ms</div>
         </div>
       `).join('');
     }
 
+    function formatNumber(value) { // locale-grouped number; falsy input is shown as 0
+      return Number(value || 0).toLocaleString();
+    }
+
+    function formatSavedTokens(value) { // locale-grouped count when positive, otherwise the literal '0'
+      const saved = Number(value || 0);
+      return saved > 0 ? saved.toLocaleString() : '0';
+    }
+
+    function formatCompression(req) { // short label describing a request's compression outcome
+      if (!req.compression_mode) return 'not tracked';
+      const savedPct = Number(req.compression_savings_pct || 0);
+      const label = String(req.compression_mode).split(':').pop() || 'none'; // keep only the part after the last ':'
+      if (savedPct <= 0) return label === 'none' ? 'checked' : `${escapeHtml(label)} · 0%`;
+      return `${escapeHtml(label)} · ${savedPct.toFixed(1)}%`;
+    }
+
+    function escapeHtml(s) { // stringify (null/undefined become '') and replace & < > " ' with HTML entities
+      return String(s ?? '').replace(/[&<>"']/g, c => ({ '&':'&amp;', '<':'&lt;', '>':'&gt;', '"':'&quot;', "'":'&#39;' }[c]));
+    }
+
     // Load metrics
     async function loadMetrics() {
       try {
-        const response = await fetch(`${API_BASE}/api/dashboard/request-metrics?bucket_minutes=60`);
+        const bucketMinutes = (selectedHours || 24) * 60;
+        const response = await apiFetch(`${API_BASE}/api/dashboard/request-metrics?bucket_minutes=${bucketMinutes}`);
         const data = await response.json();
         if (data.success) {
           updateMetrics(data.data);
@@ -611,177 +1957,219 @@
       }
     }
 
+    function formatCost(cost) { // USD string; more decimals for smaller amounts so sub-cent costs stay visible
+      const c = Number(cost) || 0; // coerce first: a numeric string would pass `cost || 0` and then throw on `.toFixed`; NaN/null/undefined become 0
+      if (c === 0) return '$0.00';
+      if (c < 0.01) return '$' + c.toFixed(6);
+      if (c < 1) return '$' + c.toFixed(4);
+      return '$' + c.toFixed(2);
+    }
+
     function updateMetrics(metrics) {
-      // Total requests
-      const totalRequests = metrics.total_requests || 0;
-      document.getElementById('totalRequests').textContent = totalRequests.toLocaleString();
+      document.getElementById('totalRequests').textContent = (metrics.total_requests || 0).toLocaleString(); // plain values use textContent; innerHTML only where a unit <span> is appended
+      document.getElementById('successRate').innerHTML = ((metrics.success_rate || 0) * 100).toFixed(1) + '<span class="metric-unit">%</span>';
+      document.getElementById('avgLatency').innerHTML = Math.round(metrics.avg_latency || 0) + '<span class="metric-unit">ms</span>';
+      document.getElementById('totalCost').textContent = formatCost(metrics.total_cost);
+      document.getElementById('avgConfidence').innerHTML = (Number(metrics.avg_confidence) || 0).toFixed(1) + '<span class="metric-unit">/10</span>'; // Number(): a string average has no .toFixed and would throw
+      document.getElementById('fallbackPercent').innerHTML = ((metrics.compression_rate || 0) * 100).toFixed(1) + '<span class="metric-unit">%</span>';
+      document.getElementById('requestsChange').textContent = `${(metrics.total_tokens || 0).toLocaleString()} tokens`;
+      document.getElementById('costChange').textContent = `avoided ${formatCost(metrics.estimated_api_cost_avoided)}`;
+      document.getElementById('fallbackChange').textContent = `${(metrics.compression_tokens_saved || 0).toLocaleString()} tokens · ${metrics.compression_operations || 0} ops`;
 
-      // Success rate
-      const successRate = ((metrics.success_rate || 0) * 100).toFixed(1);
-      document.getElementById('successRate').textContent = successRate + '%';
-
-      // Average latency
-      const avgLatency = Math.round(metrics.avg_latency || 0);
-      document.getElementById('avgLatency').textContent = avgLatency + 'ms';
-
-      // Total cost
-      const totalCost = (metrics.total_cost || 0).toFixed(2);
-      document.getElementById('totalCost').textContent = '$' + totalCost;
-
-      // Average confidence
-      const avgConfidence = ((metrics.avg_confidence || 0) * 100).toFixed(1);
-      document.getElementById('avgConfidence').textContent = avgConfidence + '%';
-
-      // Fallback percentage
-      const fallbackPercent = ((metrics.fallback_percentage || 0) * 100).toFixed(1);
-      document.getElementById('fallbackPercent').textContent = fallbackPercent + '%';
-
-      // Top models
-      if (metrics.top_models && metrics.top_models.length > 0) {
+      if (metrics.top_models?.length) { // chips: model/caller names and counts are escaped before going into innerHTML
         document.getElementById('topModels').innerHTML = metrics.top_models.map(m => `
-          <div class="model-card">
-            <div class="model-name">${m.model}</div>
-            <div class="request-count">${m.count}</div>
-            <div class="count-label">requests</div>
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(m.model)}</div>
+            <div class="chip-meta"><span class="num">${escapeHtml(m.count)}</span> requests</div>
           </div>
         `).join('');
+      } else {
+        document.getElementById('topModels').innerHTML = '<div class="empty-state">no model usage yet</div>';
       }
 
-      // Top callers
-      if (metrics.top_callers && metrics.top_callers.length > 0) {
+      if (metrics.top_callers?.length) {
         document.getElementById('topCallers').innerHTML = metrics.top_callers.map(c => `
-          <div class="caller-card">
-            <div class="caller-name">${c.caller}</div>
-            <div class="request-count">${c.count}</div>
-            <div class="count-label">requests</div>
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(c.caller)}</div>
+            <div class="chip-meta"><span class="num">${escapeHtml(c.count)}</span> requests</div>
           </div>
         `).join('');
-      }
-
-      // Recent errors
-      if (metrics.recent_errors && metrics.recent_errors.length > 0) {
-        console.warn('Recent errors:', metrics.recent_errors);
+      } else {
+        document.getElementById('topCallers').innerHTML = '<div class="empty-state">no callers yet</div>';
       }
     }
 
     // Load providers
     async function loadProviders() {
       try {
-        console.log('Loading providers from:', `${API_BASE}/api/dashboard/providers`);
-        const response = await fetch(`${API_BASE}/api/dashboard/providers`);
-        console.log('Provider response status:', response.status);
-
-        if (!response.ok) {
-          throw new Error(`HTTP ${response.status}`);
-        }
-
-        const data = await response.json();
-        console.log('Provider data received:', data);
-
-        if (data.success) {
-          console.log('Rendering providers with grouped data:', data.data.grouped);
-          renderProviders(data.data.grouped);
-        } else {
-          console.error('API returned success=false:', data);
-        }
+        const response = await apiFetch(`${API_BASE}/api/dashboard/providers`);
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+        const payload = await response.json();
+        if (!payload.success) throw new Error(payload.error || 'failed');
+        renderProviders(payload.data.grouped);
+        const total = payload.data.summary.totalProviders;
+        const cfg = payload.data.summary.configuredCount;
+        document.getElementById('providersTabBadge').textContent = `${cfg}/${total}`; // tab badge shows configured/total
       } catch (error) {
-        console.error('Failed to load providers:', error);
-        // Show error in UI
-        document.getElementById('providersList_local').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
-        document.getElementById('providersList_subscription').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
-        document.getElementById('providersList_free').innerHTML = `<div class="empty-state">Error: ${error.message}</div>`;
+        const msg = `<div class="empty-state">error: ${escapeHtml(error.message)}</div>`; // message may carry server-provided payload.error, so escape it before innerHTML
+        document.getElementById('providersList_local').innerHTML = msg;
+        document.getElementById('providersList_subscription').innerHTML = msg;
+        document.getElementById('providersList_free').innerHTML = msg;
       }
     }
 
     function renderProviders(grouped) {
-      console.log('renderProviders called with:', grouped);
-
-      // Render local providers
-      const localContainer = document.getElementById('providersList_local');
-      if (grouped.local && grouped.local.length > 0) {
-        console.log('Rendering local providers:', grouped.local);
-        localContainer.innerHTML = grouped.local.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No local providers');
-        localContainer.innerHTML = '<div class="empty-state">No local providers available</div>';
-      }
-
-      // Render subscription providers
-      const subContainer = document.getElementById('providersList_subscription');
-      if (grouped.subscription && grouped.subscription.length > 0) {
-        console.log('Rendering subscription providers:', grouped.subscription);
-        subContainer.innerHTML = grouped.subscription.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No subscription providers');
-        subContainer.innerHTML = '<div class="empty-state">No subscription providers available</div>';
-      }
-
-      // Render free providers
-      const freeContainer = document.getElementById('providersList_free');
-      if (grouped.free && grouped.free.length > 0) {
-        console.log('Rendering free providers:', grouped.free);
-        freeContainer.innerHTML = grouped.free.map(p => renderProviderItem(p)).join('');
-      } else {
-        console.log('No free providers');
-        freeContainer.innerHTML = '<div class="empty-state">No free providers available</div>';
-      }
+      const empty = '<div class="empty-state">none configured</div>'; // placeholder shared by all three groups
+      const renderGroup = (id, items) => { // fill container `id` with provider cards, or the placeholder when `items` is missing or empty
+        const c = document.getElementById(id);
+        c.innerHTML = items?.length ? items.map(renderProviderItem).join('') : empty;
+      };
+      renderGroup('providersList_local', grouped.local);
+      renderGroup('providersList_subscription', grouped.subscription);
+      renderGroup('providersList_free', grouped.free);
     }
 
     function renderProviderItem(provider) {
       const statusClass = provider.status === 'configured' ? 'tag-configured' : 'tag-unconfigured';
-      const statusText = provider.status.charAt(0).toUpperCase() + provider.status.slice(1);
       const modelList = provider.models.map(m => m.id).join(', ');
-
+      const displayName = provider.label || provider.name; // label when present, else the technical name; every provider string interpolated below is HTML-escaped
+      const techName = provider.label && provider.label !== provider.name
+        ? `<div class="provider-tech-name">${escapeHtml(provider.name)}</div>` : '';
+      const rateLimit = provider.rateLimitRpm > 0
+        ? `<div class="provider-rate">limit: ${escapeHtml(provider.rateLimitRpm)} req/min</div>` : '';
+      const envHint = provider.status === 'unconfigured' && provider.envKey
+        ? `<div class="provider-env-hint">set <code>${escapeHtml(provider.envKey)}</code> to activate</div>` : '';
+      const runtimeStatus = provider.runtimeStatus || (provider.status === 'configured' ? 'configured' : '');
+      const runtimeClass = provider.runtimeHealthy ? 'runtime-ready'
+        : runtimeStatus === 'auth_required' || provider.runtimeDetail ? 'runtime-warn'
+        : 'runtime-muted';
+      const runtimeLabel = provider.runtimeDetail
+        ? `${runtimeStatus}: ${provider.runtimeDetail}`
+        : runtimeStatus;
+      const runtime = runtimeLabel
+        ? `<div class="provider-runtime ${runtimeClass}"><span class="runtime-dot"></span><span>${escapeHtml(runtimeLabel)}</span></div>`
+        : '';
       return `
-        <div class="provider-item">
+        <div class="provider-item" data-status="${escapeHtml(provider.status)}">
           <div class="provider-header">
-            <div class="provider-name">${provider.name}</div>
-            <div class="provider-tag ${statusClass}">${statusText}</div>
+            <div class="provider-name">${escapeHtml(displayName)}</div>
+            <div class="provider-tag ${statusClass}">${escapeHtml(provider.status)}</div>
           </div>
-          <div class="provider-models"><strong>Models:</strong> ${modelList}</div>
-          <div class="provider-rate">Rate limit: ${provider.rateLimitRpm} req/min</div>
+          ${techName}
+          ${runtime}
+          <div class="provider-models">${escapeHtml(modelList)}</div>
+          ${rateLimit}
+          ${envHint}
         </div>
       `;
     }
 
-    // SSE connection
-    function connectSSE() {
-      if (sseConnection) {
-        sseConnection.close();
+    // ─── Subscription Auto-Gateway ────────────────────────────────────────
+    async function loadSubscriptions() { // fetch the subscription data and render it; failures are reported inside #subscriptionsList
+      try {
+        const response = await apiFetch(`${API_BASE}/api/dashboard/subscriptions`);
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+        const payload = await response.json();
+        if (!payload.success) throw new Error(payload.error || 'unknown');
+        renderSubscriptions(payload.data);
+      } catch (error) {
+        document.getElementById('subscriptionsList').innerHTML = // message may carry server-provided payload.error, so escape it
+          `<div class="empty-state">discovery failed: ${escapeHtml(error.message)}</div>`;
       }
+    }
 
-      sseConnection = new EventSource(`${API_BASE}/api/stream/requests`);
+    function renderSubscriptions(data) { // update the auto-gateway state line, the tab badge and the subscription card list
+      const { subscriptions, summary } = data;
+      const stateEl = document.getElementById('subsAutoState');
+      const parts = []; // only non-zero counters are listed
+      if (summary.detected) parts.push(`${summary.detected} detected`);
+      if (summary.userDeclared) parts.push(`${summary.userDeclared} declared`);
+      if (summary.running) parts.push(`${summary.running} live`);
+      const headline = summary.autoGatewayEnabled ? 'active' : 'detection + declaration';
+      stateEl.textContent = `${headline} — ${parts.join(' · ') || 'open settings to declare your subscriptions'}`;
 
-      sseConnection.onopen = () => {
-        document.getElementById('sseStatusIndicator').className = 'status-indicator healthy';
-        document.getElementById('sseStatus').textContent = 'Stream connected';
-        document.getElementById('connectionDot').className = 'connection-dot';
-        document.getElementById('connectionText').textContent = 'Connected';
-      };
+      document.getElementById('subsTabBadge').textContent = `${summary.installed}/${summary.total}`; // badge reads installed/total
 
-      sseConnection.onerror = () => {
-        document.getElementById('sseStatusIndicator').className = 'status-indicator unhealthy';
-        document.getElementById('sseStatus').textContent = 'Stream disconnected';
-        document.getElementById('connectionDot').className = 'connection-dot disconnected';
-        document.getElementById('connectionText').textContent = 'Disconnected';
-        sseConnection.close();
-        setTimeout(connectSSE, 5000);
-      };
+      const list = document.getElementById('subscriptionsList');
+      if (!subscriptions.length) {
+        list.innerHTML = '<div class="empty-state">no subscriptions in catalog</div>';
+        return;
+      }
+      list.innerHTML = subscriptions.map(renderSubscriptionCard).join('');
+    }
 
-      sseConnection.onmessage = (event) => {
-        try {
-          const data = JSON.parse(event.data);
-          if (data.type === 'connected') {
-            console.log('SSE connection established');
-          } else {
-            // Real-time request update
-            loadMetrics();
-            loadRequests();
-          }
-        } catch (error) {
-          console.error('Failed to parse SSE message:', error);
-        }
-      };
+    // Build the HTML card for one subscription `s`. Label, command, version, bridge URL and model ids are HTML-escaped before interpolation.
+    function renderSubscriptionCard(s) {
+      const cardClass = s.bridgeRunning ? 'running' : (s.installed ? 'installed' : 'missing');
+      const stateClass = cardClass; // the state pill uses the same class as the card
+      let stateLabel;
+      if (s.bridgeRunning) stateLabel = '● bridge live';
+      else if (s.detected && s.userDeclared) stateLabel = '◆ detected+declared';
+      else if (s.detected) stateLabel = '◆ detected';
+      else if (s.userDeclared) stateLabel = '◇ declared';
+      else stateLabel = '○ not configured';
+
+      const versionLine = s.version
+        ? `<div class="subs-meta">${escapeHtml(s.command)} → ${escapeHtml(s.version)}</div>`
+        : `<div class="subs-meta">${escapeHtml(s.command)}${s.userDeclared ? ' (declared)' : ''}</div>`;
+      const bridgeBlock = s.bridgeUrl
+        ? `<div class="subs-bridge-url">bridge: ${escapeHtml(s.bridgeUrl)}${s.autoSpawned ? ' (auto)' : ''}</div>`
+        : '';
+      const modelsLine = s.models?.length
+        ? `<div class="subs-models">${escapeHtml(s.models.map(m => m.id).join(', '))}</div>` : '';
+      let hint = '';
+      if (!s.detected && !s.userDeclared) {
+        hint = `<div class="subs-install-hint">install <code>${escapeHtml(s.command)}</code> on the gateway host, or declare it in settings.</div>`;
+      } else if (!s.detected && s.userDeclared) {
+        hint = `<div class="subs-install-hint" style="color:#6aa0ff;border-color:rgba(106,160,255,0.25);background:rgba(106,160,255,0.05);">declared — use via your local <code>${escapeHtml(s.command)}</code> CLI. gateway routes through it.</div>`;
+      }
+      return `
+        <div class="subs-card ${cardClass}">
+          <div class="subs-head">
+            <div class="subs-label">${escapeHtml(s.label)}</div>
+            <span class="subs-state ${stateClass}">${stateLabel}</span>
+          </div>
+          ${versionLine}
+          ${modelsLine}
+          ${bridgeBlock}
+          ${hint}
+        </div>
+      `;
+    }
+
+    document.getElementById('subsSpawnBtn').addEventListener('click', async () => { // POST the spawn request and show the outcome on the button itself
+      const btn = document.getElementById('subsSpawnBtn');
+      btn.disabled = true; // stays disabled until the reset timer below fires
+      const orig = btn.textContent;
+      btn.textContent = '⟳ spawning…';
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/subscriptions/spawn`, { method: 'POST' });
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'spawn failed');
+        btn.textContent = `✓ ${payload.data.spawnedCount} spawned`;
+        await loadSubscriptions(); // refresh the cards after a successful spawn
+      } catch (e) {
+        btn.textContent = `✗ ${e.message}`;
+      } finally {
+        setTimeout(() => { btn.disabled = false; btn.textContent = orig; }, 2500); // restore the original caption after 2.5 s, success or failure
+      }
+    });
+
+    // Polling
+    function setupPolling() { // mark the UI as live, (re)start both poll timers, then load once immediately
+      document.getElementById('pollingStatusIndicator').className = 'dot ok';
+      document.getElementById('pollingStatus').textContent = 'live';
+      document.getElementById('connectionDot').className = 'dot';
+      document.getElementById('connectionText').textContent = 'connected';
+
+      if (metricsIntervalId) clearInterval(metricsIntervalId); // clear any earlier timer so repeated calls do not stack intervals
+      metricsIntervalId = setInterval(loadMetrics, METRICS_REFRESH_INTERVAL);
+
+      if (requestsIntervalId) clearInterval(requestsIntervalId);
+      requestsIntervalId = setInterval(loadRequests, REQUESTS_REFRESH_INTERVAL);
+
+      loadMetrics(); // first load happens now rather than after the first interval tick
+      loadRequests();
+    }
 
     // Filter buttons
@@ -791,23 +2179,928 @@
         btn.classList.add('active');
         selectedHours = parseInt(btn.dataset.hours);
         loadRequests();
+        loadMetrics();
       });
     });
 
-    // Initial setup
+    // ─── Settings Modal ───────────────────────────────────────────────────
+    // Subscription id → display label. renderSettingsForm renders one settings
+    // row (enable toggle + bridge URL input) per entry, in this order.
+    const SUBSCRIPTION_LABELS = {
+      'claude-code': 'Claude Code (Anthropic)',
+      'github-copilot': 'GitHub / Microsoft Copilot',
+      'chatgpt': 'OpenAI ChatGPT Plus',
+      'gemini': 'Google Gemini Advanced',
+      'codex': 'OpenAI Codex CLI',
+      'aider': 'Aider Pair Programmer',
+    };
+    // API provider id → display metadata for the settings modal:
+    //   label       – row title
+    //   envKey      – shown in the row's meta line next to the key status
+    //   placeholder – key input placeholder when no key is on file
+    const API_PROVIDER_LABELS = {
+      'cerebras': { label: 'Cerebras', envKey: 'CEREBRAS_API_KEY', placeholder: 'csk-...' },
+      'groq': { label: 'Groq', envKey: 'GROQ_API_KEY', placeholder: 'gsk_...' },
+      'mistral': { label: 'Mistral AI', envKey: 'MISTRAL_API_KEY', placeholder: 'mistral key' },
+      'nvidia': { label: 'NVIDIA NIM', envKey: 'NVIDIA_API_KEY', placeholder: 'nvapi-...' },
+      'cloudflare': { label: 'Cloudflare Workers AI', envKey: 'CLOUDFLARE_AI_TOKEN', placeholder: 'cf token' },
+      'openai-codex': { label: 'OpenAI API (paid)', envKey: 'OPENAI_API_KEY', placeholder: 'sk-...' },
+    };
+
+    // Most recent settings object received from the settings endpoint (set on
+    // load and after a successful save); null until the first load succeeds.
+    let currentSettings = null;
+
+    function openSettings() {
+      document.getElementById('settingsModal').classList.add('open');
+      loadSettingsIntoModal();
+    }
+    function closeSettings() {
+      document.getElementById('settingsModal').classList.remove('open');
+      const ss = document.getElementById('settingsSaveStatus');
+      ss.textContent = ''; ss.className = 'save-status';
+    }
+
+    async function loadSettingsIntoModal() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        currentSettings = payload.data;
+        renderSettingsForm(currentSettings);
+      } catch (e) {
+        const ss = document.getElementById('settingsSaveStatus');
+        ss.textContent = `load error: ${e.message}`;
+        ss.className = 'save-status err';
+      }
+    }
+
+    function renderSettingsForm(s) {
+      document.querySelectorAll('input[name="routingMode"]').forEach(r => {
+        r.checked = (r.value === s.routingMode);
+        r.closest('.settings-radio').classList.toggle('active', r.checked);
+      });
+      document.getElementById('routingModeBadge').textContent = s.routingMode;
+
+      // UI mode toggles
+      const ui = s.ui ?? { simpleMode: true, hideEmptyProviders: true, showTooltips: true };
+      document.getElementById('uiSimpleMode').checked = !!ui.simpleMode;
+      document.getElementById('uiHideEmpty').checked = !!ui.hideEmptyProviders;
+      document.getElementById('uiTooltips').checked = !!ui.showTooltips;
+
+      const subList = document.getElementById('settingsSubscriptionsList');
+      subList.innerHTML = Object.entries(SUBSCRIPTION_LABELS).map(([id, label]) => {
+        const cfg = s.subscriptions?.[id] ?? { enabled: true, autoSpawn: true, bridgeUrl: '' };
+        const bridgeHint = cfg.bridgeUrl
+          ? `bridge: ${cfg.bridgeUrl}`
+          : 'no bridge URL — set one if the CLI runs on another machine';
+        return `
+          <div class="settings-row">
+            <div class="settings-row-info" style="grid-column:1/-1;flex-direction:row;align-items:center;justify-content:space-between;gap:12px;">
+              <div style="display:flex;flex-direction:column;gap:2px;flex:1;">
+                <span class="settings-row-label">${label}</span>
+                <span class="settings-row-meta">id: ${id} · ${bridgeHint}</span>
+                <input class="settings-input" type="text" data-sub-bridge="${id}" placeholder="https://your-bridge-host:port (leave blank for local auto-spawn)" value="${cfg.bridgeUrl || ''}">
+              </div>
+              <label class="settings-toggle" style="flex-shrink:0;">
+                <input type="checkbox" data-sub="${id}" ${cfg.enabled ? 'checked' : ''}>
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        `;
+      }).join('');
+
+      const apiList = document.getElementById('settingsApiList');
+      apiList.innerHTML = Object.entries(API_PROVIDER_LABELS).map(([id, info]) => {
+        const cfg = s.apiProviders?.[id] ?? { enabled: false, hasKey: false };
+        const placeholder = cfg.hasKey ? '••••••• (key on file — leave blank to keep)' : info.placeholder;
+        return `
+          <div class="settings-row">
+            <div class="settings-row-info" style="grid-column:1/-1;flex-direction:row;align-items:center;justify-content:space-between;gap:12px;">
+              <div style="display:flex;flex-direction:column;gap:2px;flex:1;">
+                <span class="settings-row-label">${info.label}</span>
+                <span class="settings-row-meta">${info.envKey} · ${cfg.hasKey ? '✓ key set' : 'no key'}</span>
+                <input class="settings-input" type="password" data-api-key="${id}" placeholder="${placeholder}" autocomplete="new-password">
+              </div>
+              <label class="settings-toggle" style="flex-shrink:0;">
+                <input type="checkbox" data-api-enabled="${id}" ${cfg.enabled ? 'checked' : ''}>
+                <span class="slider"></span>
+              </label>
+            </div>
+          </div>
+        `;
+      }).join('');
+
+      document.getElementById('ollamaEnabled').checked = !!s.ollama?.enabled;
+      document.getElementById('ollamaBaseUrl').value = s.ollama?.baseUrl ?? 'http://localhost:11434';
+    }
+
+    // Collect the settings modal's form state, POST it to the settings
+    // endpoint, and on success cache the returned settings, apply the UI mode
+    // and reload the providers and subscriptions views. Progress and errors
+    // are shown in #settingsSaveStatus; the save button is disabled while the
+    // request is in flight.
+    async function saveSettingsFromModal() {
+      const ss = document.getElementById('settingsSaveStatus');
+      const saveBtn = document.getElementById('settingsSave');
+      saveBtn.disabled = true;
+      ss.textContent = 'saving…'; ss.className = 'save-status';
+
+      try {
+        // Falls back to 'auto' when no routing-mode radio is checked.
+        const routingMode = document.querySelector('input[name="routingMode"]:checked')?.value ?? 'auto';
+
+        // One entry per rendered subscription toggle; autoSpawn has no control
+        // in the form, so it is carried over from the last loaded settings.
+        const subscriptions = {};
+        document.querySelectorAll('[data-sub]').forEach(cb => {
+          const id = cb.dataset.sub;
+          const bridgeInput = document.querySelector(`[data-sub-bridge="${id}"]`);
+          const bridgeUrl = bridgeInput?.value?.trim() ?? '';
+          subscriptions[id] = {
+            enabled: cb.checked,
+            autoSpawn: currentSettings?.subscriptions?.[id]?.autoSpawn ?? true,
+            bridgeUrl: bridgeUrl, // empty string = no remote bridge, fall back to local auto-spawn
+          };
+        });
+
+        // apiKey is only included when the user typed a new one; a blank
+        // input omits the field from the request.
+        const apiProviders = {};
+        Object.keys(API_PROVIDER_LABELS).forEach(id => {
+          const enabled = document.querySelector(`[data-api-enabled="${id}"]`)?.checked ?? false;
+          const newKey = document.querySelector(`[data-api-key="${id}"]`)?.value ?? '';
+          const entry = { enabled };
+          if (newKey.trim()) entry.apiKey = newKey.trim();
+          apiProviders[id] = entry;
+        });
+
+        const ollama = {
+          enabled: document.getElementById('ollamaEnabled').checked,
+          baseUrl: document.getElementById('ollamaBaseUrl').value.trim() || 'http://localhost:11434',
+        };
+
+        const ui = {
+          simpleMode: document.getElementById('uiSimpleMode').checked,
+          hideEmptyProviders: document.getElementById('uiHideEmpty').checked,
+          showTooltips: document.getElementById('uiTooltips').checked,
+        };
+
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ routingMode, subscriptions, apiProviders, ollama, ui }),
+        });
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || `HTTP ${res.status}`);
+        currentSettings = payload.data;
+        document.getElementById('routingModeBadge').textContent = payload.data.routingMode;
+        ss.textContent = `saved · ${new Date().toLocaleTimeString()}`;
+        ss.className = 'save-status ok';
+        // NOTE(review): the UI mode is applied from the submitted form values,
+        // not from payload.data.ui — confirm the server never adjusts them.
+        applyUiMode(ui);
+        await loadProviders();
+        await loadSubscriptions();
+      } catch (e) {
+        ss.textContent = `error: ${e.message}`;
+        ss.className = 'save-status err';
+      } finally {
+        saveBtn.disabled = false;
+      }
+    }
+
+    document.getElementById('settingsBtn').addEventListener('click', openSettings);
+    document.getElementById('settingsClose').addEventListener('click', closeSettings);
+    document.getElementById('settingsCancel').addEventListener('click', closeSettings);
+    document.getElementById('settingsSave').addEventListener('click', saveSettingsFromModal);
+    document.getElementById('settingsModal').addEventListener('click', (e) => {
+      if (e.target.id === 'settingsModal') closeSettings();
+    });
+    document.querySelectorAll('input[name="routingMode"]').forEach(r => {
+      r.addEventListener('change', () => {
+        document.querySelectorAll('.settings-radio').forEach(label => {
+          label.classList.toggle('active', label.querySelector('input').checked);
+        });
+      });
+    });
+    document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeSettings(); });
+
+    // ─── Savings Tab ─────────────────────────────────────────────────────
+    async function loadSavings() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/savings?hours=24&bucket_minutes=60`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        renderSavings(payload.data);
+      } catch (e) {
+        document.getElementById('savingsCounter').textContent = '$—';
+        document.getElementById('savingsSubLine').textContent = `error: ${e.message}`;
+      }
+    }
+
+    function renderSavings(data) {
+      const s = data.savings;
+      const series = data.series || [];
+
+      const counter = document.getElementById('savingsCounter');
+      counter.textContent = formatCost(s.totalCostSaved);
+
+      document.getElementById('savingsSubLine').textContent =
+        `${formatNumber(s.totalTokensSaved)} tokens prevented · ${s.totalHits} cache hits`;
+      document.getElementById('savingsHitRate').textContent = `hit rate ${s.hitRatePercent}%`;
+
+      document.getElementById('cacheEntries').textContent = formatNumber(s.uniqueEntries);
+      document.getElementById('tokensPrevented').textContent = formatNumber(s.totalTokensSaved);
+      document.getElementById('cacheHitRate').innerHTML = s.hitRatePercent.toFixed(1) + '<span class="metric-unit">%</span>';
+
+      // Tab badge
+      document.getElementById('savingsTabBadge').textContent = s.totalHits > 0 ? formatCost(s.totalCostSaved) : '·';
+
+      // Top callers
+      const tc = document.getElementById('topSavingCallers');
+      if (s.topCallers && s.topCallers.length) {
+        tc.innerHTML = s.topCallers.map(c => `
+          <div class="chip">
+            <div class="chip-name">${escapeHtml(c.caller)}</div>
+            <div class="chip-meta"><span class="num">${c.hits}</span> hits · <span class="num">${formatCost(c.saved)}</span> saved</div>
+          </div>
+        `).join('');
+      } else {
+        tc.innerHTML = '<div class="empty-state">no savings yet — send some duplicate prompts to see cache hits</div>';
+      }
+
+      // Sparkline
+      const svg = document.getElementById('savingsSparkline');
+      if (!series.length) { svg.innerHTML = ''; return; }
+      const W = 320, H = 64, PAD = 4;
+      const max = Math.max(0.0001, ...series.map(p => p.costSaved));
+      const stepX = (W - PAD * 2) / Math.max(1, series.length - 1);
+      const points = series.map((p, i) => {
+        const x = PAD + i * stepX;
+        const y = H - PAD - ((p.costSaved / max) * (H - PAD * 2));
+        return [x, y];
+      });
+      const linePath = points.map(([x, y], i) => `${i === 0 ? 'M' : 'L'}${x.toFixed(1)},${y.toFixed(1)}`).join(' ');
+      const areaPath = `${linePath} L${points[points.length - 1][0].toFixed(1)},${H - PAD} L${points[0][0].toFixed(1)},${H - PAD} Z`;
+      const last = points[points.length - 1];
+      svg.innerHTML = `
+        <path class="area" d="${areaPath}"></path>
+        <path class="line" d="${linePath}"></path>
+        <circle class="last" cx="${last[0].toFixed(1)}" cy="${last[1].toFixed(1)}" r="2.5"></circle>
+      `;
+    }
+
+    document.getElementById('cacheClearBtn').addEventListener('click', async () => {
+      const caller = document.getElementById('cacheClearCaller').value.trim();
+      if (!caller) return alert('enter caller id');
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/cache/clear`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ caller }),
+        });
+        const p = await res.json();
+        alert(p.success ? `removed ${p.data.removed} entries` : p.error);
+        loadSavings();
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    document.getElementById('cachePruneBtn').addEventListener('click', async () => {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/cache/prune`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ max_age_days: 7 }),
+        });
+        const p = await res.json();
+        alert(p.success ? `pruned ${p.data.removed} stale entries` : p.error);
+        loadSavings();
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    // ─── Wallet Tab (UNIQUE feature) ─────────────────────────────────────
+    async function loadWallet() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/wallet`);
+        const payload = await res.json();
+        if (!payload.success) throw new Error(payload.error || 'load failed');
+        renderWallet(payload.data);
+      } catch (e) {
+        document.getElementById('walletList').innerHTML =
+          `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderWallet(data) {
+      const list = document.getElementById('walletList');
+      if (!data.wallet?.length) { list.innerHTML = '<div class="empty-state">no subscriptions tracked</div>'; return; }
+
+      const totalRem = data.totals?.remaining ?? 0;
+      // Show units to avoid confusion with token counts elsewhere
+      document.getElementById('walletTabBadge').textContent = totalRem > 0 ? `${formatNumber(totalRem)} calls` : '·';
+
+      list.innerHTML = data.wallet.map(w => {
+        const util = w.utilizationPercent ?? 0;
+        const fillCls = util >= 90 ? 'err' : util >= 70 ? 'warn' : '';
+        const fillW = w.requestQuota ? Math.min(util, 100) : 0;
+        const remStr = w.requestQuota
+          ? `<strong>${w.remaining}</strong> / ${w.requestQuota} calls left`
+          : `<strong>—</strong> no quota tracked`;
+        const usedStr = `<strong>${w.used}</strong> calls used`;
+        const reset = w.resetAt
+          ? `resets ${new Date(w.resetAt).toLocaleString()}`
+          : `window: ${formatDuration(w.windowSeconds)}`;
+        const exhaust = w.predictedExhaustionAt
+          ? `predicted exhaustion: ${new Date(w.predictedExhaustionAt).toLocaleString()}`
+          : '';
+        return `
+          <div class="wallet-card" data-status="${w.recommendation}">
+            <div class="wallet-head">
+              <div class="wallet-label">${escapeHtml(w.label)}</div>
+              <div class="wallet-rec ${w.recommendation}">${w.recommendation.replace('-', ' ')}</div>
+            </div>
+            <div class="wallet-bar">
+              <div class="wallet-bar-fill ${fillCls}" style="width:${fillW}%"></div>
+            </div>
+            <div class="wallet-meta">
+              <span>${usedStr}</span>
+              <span>${remStr}</span>
+            </div>
+            <div class="wallet-reset">${reset}</div>
+            ${exhaust ? `<div class="wallet-reset">${exhaust}</div>` : ''}
+          </div>
+        `;
+      }).join('');
+    }
+
+    function formatDuration(secs) {
+      if (secs >= 86400) return `${Math.round(secs / 86400)}d`;
+      if (secs >= 3600) return `${Math.round(secs / 3600)}h`;
+      if (secs >= 60) return `${Math.round(secs / 60)}m`;
+      return `${secs}s`;
+    }
+
+    // ─── Memory Tab ──────────────────────────────────────────────────────
+    async function loadMemoryFor(caller) {
+      if (!caller) return;
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/memory/${encodeURIComponent(caller)}`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'load failed');
+        renderMemory(p.data);
+      } catch (e) {
+        document.getElementById('memList').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderMemory(data) {
+      const list = document.getElementById('memList');
+      if (!data.facts?.length) { list.innerHTML = `<div class="empty-state">no facts stored for "${escapeHtml(data.caller)}"</div>`; return; }
+      list.innerHTML = data.facts.map(f => `
+        <div class="mem-row">
+          <div class="mem-key">${escapeHtml(f.factKey)}</div>
+          <div class="mem-val">${escapeHtml(f.factValue)}</div>
+          <div class="mem-meta">conf=${f.confidence} · ${escapeHtml(f.source)}</div>
+        </div>
+      `).join('');
+    }
+
+    document.getElementById('memLoadBtn').addEventListener('click', () => {
+      loadMemoryFor(document.getElementById('memCaller').value.trim());
+    });
+
+    document.getElementById('memSaveBtn').addEventListener('click', async () => {
+      const caller = document.getElementById('memCaller').value.trim();
+      const fk = document.getElementById('memFactKey').value.trim();
+      const fv = document.getElementById('memFactValue').value.trim();
+      if (!caller || !fk || !fv) return alert('fill caller, key, value');
+      try {
+        await apiFetch(`${API_BASE}/api/dashboard/memory/${encodeURIComponent(caller)}`, {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ fact_key: fk, fact_value: fv, confidence: 0.95 }),
+        });
+        document.getElementById('memFactKey').value = '';
+        document.getElementById('memFactValue').value = '';
+        loadMemoryFor(caller);
+      } catch (e) { alert('error: ' + e.message); }
+    });
+
+    // Auto-refresh savings + wallet every 10s when their tab is visible
+    setInterval(() => {
+      const active = document.querySelector('.tab-trigger.active')?.dataset.tab;
+      if (active === 'savings') loadSavings();
+      if (active === 'wallet') loadWallet();
+    }, 10_000);
+
+    // Hook tab switches to lazy-load tab data
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => {
+        const target = t.dataset.tab;
+        if (target === 'savings') loadSavings();
+        if (target === 'wallet') loadWallet();
+      });
+    });
+
+    // ─── Hero / Buddy / Achievements / Heatmap / Events / Forecast ──────
+    async function loadHero() {
+      try {
+        const [buddy, ach, heatmap, events, forecast, savings] = await Promise.all([
+          apiFetch(`${API_BASE}/api/dashboard/buddy`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/achievements`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/heatmap?days=365`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/events?limit=30`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/forecast`).then(r => r.json()),
+          apiFetch(`${API_BASE}/api/dashboard/savings?hours=8760`).then(r => r.json()),
+        ]);
+        if (buddy.success) renderBuddy(buddy.data);
+        if (ach.success) renderAchievements(ach.data);
+        if (heatmap.success) renderHeatmap(heatmap.data);
+        if (events.success) renderEventsFeed(events.data);
+        if (forecast.success) renderForecast(forecast.data);
+        if (savings.success) renderHeroSavings(savings.data);
+      } catch (e) {
+        console.error('hero load failed', e);
+      }
+    }
+
+    function renderBuddy(b) {
+      const xpPercent = Math.min(100, (b.xp / b.xpForNextLevel) * 100);
+      document.getElementById('heroBuddy').innerHTML = `
+        <div>
+          <span class="buddy-name">${escapeHtml(b.name)}</span>
+          <span class="buddy-rarity ${b.rarity}">${b.rarity}</span>
+        </div>
+        <div class="buddy-meta">${escapeHtml(b.species)} · ${escapeHtml(b.stage)} · Lv.${b.level} · ${b.streakDays}d streak</div>
+        <div class="buddy-art">${b.asciiArt.map(escapeHtml).join('\n')}</div>
+        <div class="buddy-xp-bar"><div class="buddy-xp-fill" style="width:${xpPercent}%"></div></div>
+        <div class="buddy-xp-text"><span>XP ${b.xp.toLocaleString()}</span><span>Next: ${b.xpForNextLevel.toLocaleString()}</span></div>
+        <div class="buddy-speech buddy-mood-${b.mood}">${escapeHtml(b.speech)}</div>
+      `;
+    }
+
+    // Try to fetch Lean-CTX stats from localhost:3333 (browser-side, not server-side)
+    // Returns null if Lean-CTX not running OR dashboard browsed from different machine.
+    async function fetchLeanCtxStats() {
+      try {
+        const ctrl = new AbortController();
+        setTimeout(() => ctrl.abort(), 1500);
+        const res = await fetch('http://localhost:3333/api/stats', { signal: ctrl.signal });
+        if (!res.ok) return null;
+        const stats = await res.json();
+        // The "tokens saved" calculation: input - output (compression delta) summed across commands
+        let saved = 0;
+        for (const v of Object.values(stats.commands || {})) {
+          saved += Math.max(0, (v.input_tokens || 0) - (v.output_tokens || 0));
+        }
+        return { saved, totalCommands: stats.total_commands || 0 };
+      } catch { return null; }
+    }
+
+    async function renderHeroSavings(d) {
+      const s = d.savings;
+      const c = s.comprehensive || {};
+      const gatewayTokens = s.totalTokensSaved || 0;
+      document.getElementById('heroTokensSaved').textContent = formatNumber(gatewayTokens);
+      document.getElementById('heroCostSaved').textContent = formatCost(s.totalCostSaved);
+      document.getElementById('heroCacheHits').textContent = s.totalHits;
+      document.getElementById('heroSavingsRate').textContent = `${s.hitRatePercent || 0}%`;
+
+      // Lean-CTX integration: pull from localhost:3333 if available
+      const leanCtx = await fetchLeanCtxStats();
+      const combined = gatewayTokens + (leanCtx?.saved || 0);
+      document.getElementById('heroTokensSavedCombined').textContent = formatNumber(combined);
+      if (leanCtx) {
+        document.getElementById('heroLeanCtxRow').style.display = 'flex';
+        document.getElementById('heroLeanCtxTokens').textContent = formatNumber(leanCtx.saved);
+      } else {
+        document.getElementById('heroLeanCtxRow').style.display = 'none';
+      }
+      document.getElementById('costWithout').textContent = formatCost(c.costWithoutGateway || 0);
+      document.getElementById('costWith').textContent = formatCost(c.costWithGateway || 0);
+      const saved = (c.costWithoutGateway || 0) - (c.costWithGateway || 0);
+      document.getElementById('costSavedLine').textContent = formatCost(saved);
+      document.getElementById('costSavedPercent').textContent = `${(c.effectiveSavingsPercent || 0).toFixed(1)}%`;
+
+      // 5-axis savings
+      const axes = [
+        { id: 'cache',              label: 'Cache',           icon: '⚡', cost: c.bySource?.cache?.cost ?? 0,            detail: `${c.bySource?.cache?.hits ?? 0} hits` },
+        { id: 'compression',        label: 'Compression',     icon: '🗜', cost: c.bySource?.compression?.cost ?? 0,      detail: `${formatNumber(c.bySource?.compression?.tokens ?? 0)} tokens` },
+        { id: 'subscriptionBridge', label: 'Sub. Bridges',    icon: '🌉', cost: c.bySource?.subscriptionBridge?.cost ?? 0, detail: `${c.bySource?.subscriptionBridge?.calls ?? 0} calls` },
+        { id: 'localRouting',       label: 'Local Models',    icon: '🏠', cost: c.bySource?.localRouting?.cost ?? 0,      detail: `${c.bySource?.localRouting?.calls ?? 0} calls` },
+        { id: 'raceMode',           label: 'Race Mode',       icon: '🏁', cost: c.bySource?.raceMode?.cost ?? 0,           detail: `${c.bySource?.raceMode?.calls ?? 0} races` },
+      ];
+      document.getElementById('savingsAxes').innerHTML = axes.map(a => `
+        <div class="axis">
+          <span class="axis-icon">${a.icon}</span>
+          <span class="axis-label">${a.label}</span>
+          <span class="axis-cost">${formatCost(a.cost)}</span>
+          <span class="axis-detail">${a.detail}</span>
+        </div>
+      `).join('');
+    }
+
+    function renderAchievements(a) {
+      document.getElementById('achievementsProgress').textContent = `${a.unlocked.length}/${a.unlocked.length + a.locked.length} · ${a.progress}%`;
+      const all = [...a.unlocked.map(x => ({...x, unlocked: true})), ...a.locked.slice(0, 12).map(x => ({...x, unlocked: false}))];
+      document.getElementById('achievementsGrid').innerHTML = all.map(x => `
+        <div class="achievement ${x.unlocked ? 'unlocked' : 'locked'}">
+          <div class="ach-icon">${x.icon}</div>
+          <div class="ach-info">
+            <div class="ach-title">${escapeHtml(x.title)}</div>
+            <div class="ach-desc">${escapeHtml(x.description)}</div>
+          </div>
+        </div>
+      `).join('');
+    }
+
+    function renderHeatmap(cells) {
+      // Lay out cells column-major (Sun→Sat per week column, like GitHub)
+      // Total 365 days = ~52 weeks of 7 cells. Pad start so first cell aligns to Sunday.
+      if (!cells.length) { document.getElementById('heatmap').innerHTML = '<div class="empty-state">no activity yet</div>'; return; }
+      const first = new Date(cells[0].date);
+      const padDays = first.getUTCDay(); // 0=Sun, 6=Sat
+      const padded = Array(padDays).fill(null).concat(cells);
+      let maxStreak = 0;
+      let curStreak = 0;
+      for (const c of cells) {
+        if (c && c.count > 0) { curStreak++; if (curStreak > maxStreak) maxStreak = curStreak; }
+        else curStreak = 0;
+      }
+      // Latest streak from end
+      let endStreak = 0;
+      for (let i = cells.length - 1; i >= 0; i--) {
+        if (cells[i].count > 0) endStreak++; else break;
+      }
+      document.getElementById('streakBadge').textContent = endStreak;
+
+      document.getElementById('heatmap').innerHTML = padded.map(c => {
+        if (!c) return '<div class="heatmap-cell"></div>';
+        const title = `${c.date}: ${c.count} req · ${c.tokensSaved} saved`;
+        return `<div class="heatmap-cell l${c.level}" title="${title}"></div>`;
+      }).join('');
+    }
+
+    function renderEventsFeed(events) {
+      const el = document.getElementById('eventsFeed');
+      if (!events.length) { el.innerHTML = '<div class="empty-state">no events yet</div>'; return; }
+      el.innerHTML = events.map(e => `
+        <div class="event-row">
+          <span class="event-icon">${e.icon}</span>
+          <div class="event-body">
+            <span class="event-caller">${escapeHtml(e.caller)}</span> · ${escapeHtml(e.type)}
+            <div class="event-detail">${escapeHtml(e.detail)}</div>
+          </div>
+          <span class="event-time">${formatTime(e.ts)}</span>
+        </div>
+      `).join('');
+    }
+
+    function renderForecast(f) {
+      const trendIcon = f.trend === 'up' ? '↗' : (f.trend === 'down' ? '↘' : '→');
+      document.getElementById('forecast').innerHTML = `
+        <div class="forecast-row"><span class="forecast-window">next 7 days</span><span class="forecast-amount">${formatCost(f.next7DaysSavings)}</span></div>
+        <div class="forecast-row"><span class="forecast-window">next 30 days</span><span class="forecast-amount">${formatCost(f.next30DaysSavings)}</span></div>
+        <div class="forecast-row"><span class="forecast-window">next 12 months</span><span class="forecast-amount">${formatCost(f.next365DaysSavings)}</span></div>
+        <div class="forecast-trend ${f.trend}">${trendIcon} trend ${f.trend} · daily avg ${formatCost(f.dailyAverage)} · ${f.basedOnDays}d data</div>
+      `;
+    }
+
+    function formatTime(iso) {
+      try {
+        const d = new Date(iso);
+        const now = new Date();
+        const diffMs = now - d;
+        if (diffMs < 60_000) return 'just now';
+        if (diffMs < 3600_000) return `${Math.floor(diffMs/60000)}m ago`;
+        if (diffMs < 86400_000) return `${Math.floor(diffMs/3600000)}h ago`;
+        return d.toISOString().split('T')[0];
+      } catch { return iso; }
+    }
+
+    // ─── Simple Mode application ─────────────────────────────────────────
+    // Hide tabs / sections / content based on the user's UI preferences.
+    // Defaults to Simple Mode = ON for users with few configured subscriptions.
+    const ADVANCED_TABS_TO_HIDE_IN_SIMPLE = ['providers', 'memory', 'leaderboard', 'share', 'report'];
+
+    function applyUiMode(ui) {
+      const simpleMode = !!ui?.simpleMode;
+      const hideEmpty  = !!ui?.hideEmptyProviders;
+      const tooltips   = !!ui?.showTooltips;
+
+      // 1) Hide advanced tabs in Simple Mode
+      document.querySelectorAll('.tab-trigger').forEach(t => {
+        const isAdvanced = ADVANCED_TABS_TO_HIDE_IN_SIMPLE.includes(t.dataset.tab);
+        t.style.display = (simpleMode && isAdvanced) ? 'none' : '';
+      });
+
+      // 2) Toggle tooltip attribute
+      document.querySelectorAll('.tab-trigger').forEach(t => {
+        if (!tooltips && t.title) { t.dataset.savedTitle = t.title; t.title = ''; }
+        else if (tooltips && t.dataset.savedTitle) { t.title = t.dataset.savedTitle; }
+      });
+
+      // 3) Body class — used by other CSS-driven simplifications
+      document.body.classList.toggle('simple-mode', simpleMode);
+      document.body.classList.toggle('hide-empty-providers', hideEmpty);
+
+      // 4) If currently on a hidden tab, switch to overview
+      const activeTab = document.querySelector('.tab-trigger.active')?.dataset.tab;
+      if (simpleMode && ADVANCED_TABS_TO_HIDE_IN_SIMPLE.includes(activeTab)) {
+        const overview = document.querySelector('.tab-trigger[data-tab="overview"]');
+        if (overview) overview.click();
+      }
+    }
+
+    // ─── Knowledge Graph (force-directed SVG, no D3 dep) ──────────────
+    async function loadMemoryGraph() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/memory-graph`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'graph failed');
+        renderMemoryGraph(p.data);
+      } catch (e) {
+        document.getElementById('memoryGraph').innerHTML = `<text x="20" y="40" fill="#888">error: ${e.message}</text>`;
+      }
+    }
+
+    function renderMemoryGraph(g) {
+      const svg = document.getElementById('memoryGraph');
+      if (!g.nodes.length) {
+        svg.innerHTML = '<text x="440" y="230" text-anchor="middle" font-family="JetBrains Mono" font-size="14" fill="#667684">No facts stored yet — try `remember that …` in any caller</text>';
+        return;
+      }
+
+      // Simple force-directed layout: 80 iterations of attraction along edges + repulsion between all nodes
+      const W = 880, H = 460;
+      const nodes = g.nodes.map((n, i) => ({
+        ...n,
+        x: W/2 + Math.cos(i * 2 * Math.PI / g.nodes.length) * 200,
+        y: H/2 + Math.sin(i * 2 * Math.PI / g.nodes.length) * 150,
+        r: n.type === 'caller' ? 14 : (n.type === 'fact-key' ? 9 : 6),
+      }));
+      const idx = new Map(nodes.map(n => [n.id, n]));
+
+      for (let it = 0; it < 80; it++) {
+        // repulsion
+        for (let i = 0; i < nodes.length; i++) {
+          for (let j = i+1; j < nodes.length; j++) {
+            const a = nodes[i], b = nodes[j];
+            const dx = b.x - a.x, dy = b.y - a.y;
+            const d2 = dx*dx + dy*dy + 1;
+            const f = 1500 / d2;
+            const fx = (dx / Math.sqrt(d2)) * f;
+            const fy = (dy / Math.sqrt(d2)) * f;
+            a.x -= fx; a.y -= fy;
+            b.x += fx; b.y += fy;
+          }
+        }
+        // attraction along edges
+        for (const e of g.edges) {
+          const a = idx.get(e.source), b = idx.get(e.target);
+          if (!a || !b) continue;
+          const dx = b.x - a.x, dy = b.y - a.y;
+          const f = 0.04;
+          a.x += dx * f; a.y += dy * f;
+          b.x -= dx * f; b.y -= dy * f;
+        }
+        // boundary
+        for (const n of nodes) {
+          n.x = Math.max(20, Math.min(W-20, n.x));
+          n.y = Math.max(20, Math.min(H-20, n.y));
+        }
+      }
+
+      // Render edges + nodes
+      const edgeSvg = g.edges.map(e => {
+        const a = idx.get(e.source), b = idx.get(e.target);
+        if (!a || !b) return '';
+        return `<path class="edge" d="M ${a.x.toFixed(1)} ${a.y.toFixed(1)} L ${b.x.toFixed(1)} ${b.y.toFixed(1)}"/>`;
+      }).join('');
+
+      const nodeSvg = nodes.map(n => {
+        const cls = n.type === 'caller' ? 'node-caller' : (n.type === 'fact-key' ? 'node-fact-key' : 'node-fact-value');
+        const labelOffset = n.r + 12;
+        return `
+          <g class="node">
+            <title>${escapeHtml(n.label)} (${n.type})</title>
+            <circle cx="${n.x.toFixed(1)}" cy="${n.y.toFixed(1)}" r="${n.r}" class="${cls}"/>
+            ${n.type === 'caller' ? `<text class="label" x="${n.x.toFixed(1)}" y="${(n.y+labelOffset).toFixed(1)}" text-anchor="middle">${escapeHtml(n.label)}</text>` : ''}
+          </g>`;
+      }).join('');
+
+      svg.innerHTML = edgeSvg + nodeSvg;
+    }
+
+    // ─── Race Leaderboard ───────────────────────────────────────────────
+    async function loadLeaderboard() {
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/race-leaderboard?days=7`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'leaderboard failed');
+        renderLeaderboard(p.data);
+      } catch (e) {
+        document.getElementById('leaderboardTable').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderLeaderboard(d) { // Render the tab badge, the podium and the full results table from d.totalRaces / d.entries.
+      document.getElementById('leaderboardTabBadge').textContent = d.totalRaces > 0 ? `${d.totalRaces}` : '·'; // race count, or '·' when there are none
+
+      // Podium: taken from the first three entries and placed by badge, emitted in silver, gold, bronze order
+      const top3 = d.entries.slice(0, 3);
+      const podium = document.getElementById('leaderboardPodium');
+      if (top3.length === 0) {
+        podium.innerHTML = '<div class="empty-state" style="grid-column:1/-1;">no races run yet — POST /v1/race to start competing models</div>';
+      } else {
+        const slots = [];
+        const findByBadge = (badge) => top3.find(e => e.badge === badge);
+        const gold = findByBadge('gold');
+        const silver = findByBadge('silver');
+        const bronze = findByBadge('bronze');
+        if (silver) slots.push(`<div class="podium-step silver"><div class="podium-medal">🥈</div><div class="podium-rank">2nd</div><div class="podium-model">${escapeHtml(silver.model)}</div><div class="podium-stat">${silver.avgLatencyMs}ms · ${(silver.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>'); // empty placeholder so the remaining steps keep their slot position
+        if (gold)   slots.push(`<div class="podium-step gold"><div class="podium-medal">🥇</div><div class="podium-rank">1st</div><div class="podium-model">${escapeHtml(gold.model)}</div><div class="podium-stat">${gold.avgLatencyMs}ms · ${(gold.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>');
+        if (bronze) slots.push(`<div class="podium-step bronze"><div class="podium-medal">🥉</div><div class="podium-rank">3rd</div><div class="podium-model">${escapeHtml(bronze.model)}</div><div class="podium-stat">${bronze.avgLatencyMs}ms · ${(bronze.winRate*100).toFixed(0)}% win</div></div>`);
+        else slots.push('<div></div>');
+        podium.innerHTML = slots.join('');
+      }
+
+      // Full table: header row followed by one row per entry (or an empty-state row)
+      const tbl = document.getElementById('leaderboardTable');
+      const head = `
+        <div class="lb-row head">
+          <div>#</div><div>model</div><div class="lb-num">latency</div>
+          <div class="lb-num">speed</div><div class="lb-num">wins</div><div class="lb-num">races</div>
+        </div>`;
+      const rows = d.entries.map(e => `
+        <div class="lb-row ${e.badge ? 'medal-' + e.badge : ''}">
+          <div class="lb-pos">${e.rankPosition}</div>
+          <div>${escapeHtml(e.model)}</div>
+          <div class="lb-num">${e.avgLatencyMs}ms</div>
+          <div class="lb-num">${(e.speedRate*100).toFixed(0)}%</div>
+          <div class="lb-num">${e.selectedCount}</div>
+          <div class="lb-num">${e.participations}</div>
+        </div>
+      `).join('');
+      tbl.innerHTML = head + (d.entries.length === 0 ? '<div class="empty-state">no race results yet</div>' : rows); // the header is always shown, even with no entries
+    }
+
+    // ─── Per-Caller Deep Dive ──────────────────────────────────────────
+    async function openCallerDeepDive(caller) {
+      document.getElementById('callerModal').classList.add('open');
+      document.getElementById('callerModalTitle').textContent = caller;
+      document.getElementById('callerModalBody').innerHTML = '<div class="loading">loading</div>';
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/caller/${encodeURIComponent(caller)}`);
+        const p = await res.json();
+        if (!p.success) throw new Error(p.error || 'load failed');
+        renderCallerDeepDive(p.data);
+      } catch (e) {
+        document.getElementById('callerModalBody').innerHTML = `<div class="empty-state">error: ${e.message}</div>`;
+      }
+    }
+
+    function renderCallerDeepDive(d) {
+      const maxHourly = Math.max(1, ...d.hourlyHeatmap.map(h => h.count));
+      document.getElementById('callerModalBody').innerHTML = `
+        <div class="caller-summary">
+          <div><div class="label">requests</div><div class="val">${formatNumber(d.totalRequests)}</div></div>
+          <div><div class="label">success rate</div><div class="val">${(d.successRate*100).toFixed(1)}%</div></div>
+          <div><div class="label">avg latency</div><div class="val">${d.avgLatencyMs}ms</div></div>
+          <div><div class="label">p50 / p95</div><div class="val">${d.latencyP50}/${d.latencyP95}ms</div></div>
+          <div><div class="label">tokens (in→out)</div><div class="val">${formatNumber(d.totalTokensIn)} → ${formatNumber(d.totalTokensOut)}</div></div>
+          <div><div class="label">total cost</div><div class="val">${formatCost(d.totalCost)}</div></div>
+          <div><div class="label">cache hits</div><div class="val">${d.cacheHits}</div></div>
+          <div><div class="label">tokens saved</div><div class="val">${formatNumber(d.cacheTokensSaved)}</div></div>
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Activity by hour <span class="h-meta">last 7 days, UTC</span></h2>
+        <div class="caller-hour-bars">
+          ${d.hourlyHeatmap.map(h => `<div class="bar" title="${h.hour}:00 — ${h.count} req" style="height:${(h.count/maxHourly*100).toFixed(0)}%;"></div>`).join('')}
+        </div>
+        <div class="caller-hour-axis">
+          ${d.hourlyHeatmap.map(h => h.hour % 4 === 0 ? `<span>${h.hour}h</span>` : '<span></span>').join('')}
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Top Models</h2>
+        <div class="chip-grid">
+          ${d.topModels.map(m => `
+            <div class="chip" style="cursor:default;">
+              <div class="chip-name">${escapeHtml(m.model)}</div>
+              <div class="chip-meta"><span class="num">${m.count}</span> · ${m.share}%</div>
+            </div>
+          `).join('')}
+        </div>
+
+        <h2 class="h-section" style="margin-top:18px;">Recent Requests</h2>
+        <div class="req-table" style="font-size: 0.74rem;">
+          <div class="req-row head">
+            <div>id</div><div>model</div><div>status</div><div>tok in</div><div>tok out</div><div>cost</div><div>latency</div>
+          </div>
+          ${d.recentRequests.map(r => `
+            <div class="req-row body">
+              <div title="${r.request_id}">${r.request_id.substring(0,12)}…</div>
+              <div>${escapeHtml(r.model)}</div>
+              <div><span class="req-status ${r.status}">${r.status}</span></div>
+              <div>${r.tokens_in}</div><div>${r.tokens_out}</div>
+              <div>${formatCost(r.cost_usd)}</div><div>${r.latency_ms}ms</div>
+            </div>
+          `).join('')}
+        </div>
+
+        ${d.storedFacts.length ? `
+        <h2 class="h-section" style="margin-top:18px;">Stored Facts</h2>
+        <div class="mem-list">
+          ${d.storedFacts.map(f => `
+            <div class="mem-row">
+              <div class="mem-key">${escapeHtml(f.key)}</div>
+              <div class="mem-val">${escapeHtml(f.value)}</div>
+              <div class="mem-meta">conf=${f.confidence} · ${escapeHtml(f.source)}</div>
+            </div>
+          `).join('')}
+        </div>` : ''}
+      `;
+    }
+
+    function closeCallerModal() { document.getElementById('callerModal').classList.remove('open'); } // hides the modal by dropping its 'open' class
+    document.getElementById('callerModalClose').addEventListener('click', closeCallerModal);
+    document.getElementById('callerModal').addEventListener('click', (e) => { if (e.target.id === 'callerModal') closeCallerModal(); }); // close only when #callerModal itself is the click target, not a descendant
+    document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeCallerModal(); }); // Escape closes the modal from anywhere in the document
+
+    // Wire click on caller chips (delegated event): a single document-level listener handles every chip under #topCallers / #topSavingCallers
+    document.addEventListener('click', (e) => {
+      const chip = e.target.closest('#topCallers .chip, #topSavingCallers .chip');
+      if (chip) {
+        const name = chip.querySelector('.chip-name')?.textContent?.trim(); // the caller name is read back from the chip's rendered label
+        if (name) openCallerDeepDive(name);
+      }
+    });
+
+    // ─── Share Card ─────────────────────────────────────────────────────
+    function buildShareCardUrl() {
+      const period = document.getElementById('shareCardPeriod').value;
+      const theme = document.getElementById('shareCardTheme').value;
+      return `${API_BASE || location.origin}/api/dashboard/share-card?period=${period}&theme=${theme}`;
+    }
+    function refreshShareCard() { // Point the preview image and the URL label at the current share-card URL.
+      const url = buildShareCardUrl();
+      document.getElementById('shareCardImg').src = url + '&_t=' + Date.now(); // the timestamp parameter makes every refresh a distinct image URL
+      document.getElementById('shareCardUrl').textContent = url; // the displayed URL omits the _t parameter
+    }
+    document.getElementById('shareCardRefresh').addEventListener('click', refreshShareCard);
+    document.getElementById('shareCardPeriod').addEventListener('change', refreshShareCard); // changing period or theme re-renders the preview immediately
+    document.getElementById('shareCardTheme').addEventListener('change', refreshShareCard);
+    document.getElementById('shareCardCopyUrl').addEventListener('click', async () => { // copy the share-card URL; the button label flips to '✓ copied' for 1.5s
+      const url = buildShareCardUrl();
+      try { await navigator.clipboard.writeText(url); document.getElementById('shareCardCopyUrl').textContent = '✓ copied'; setTimeout(() => { document.getElementById('shareCardCopyUrl').textContent = 'copy URL'; }, 1500); }
+      catch { alert('clipboard write failed — URL: ' + url); } // fallback: show the URL so it can be copied by hand
+    });
+    document.getElementById('shareCardDownload').addEventListener('click', async () => {
+      const url = buildShareCardUrl();
+      const r = await fetch(url);
+      const svg = await r.text();
+      const blob = new Blob([svg], { type: 'image/svg+xml' });
+      const a = document.createElement('a');
+      a.href = URL.createObjectURL(blob);
+      a.download = `llm-gateway-${document.getElementById('shareCardPeriod').value}-${document.getElementById('shareCardTheme').value}.svg`;
+      a.click();
+      URL.revokeObjectURL(a.href);
+    });
+
+    // ─── Monthly Report ─────────────────────────────────────────────────
+    document.getElementById('reportOpen').addEventListener('click', () => {
+      const year = document.getElementById('reportYear').value;
+      const month = document.getElementById('reportMonth').value;
+      const url = `${API_BASE || location.origin}/api/dashboard/report?year=${year}&month=${month}`; // uses location.origin when API_BASE is empty
+      // Open in a new tab; report HTML has its own print-friendly styles
+      window.open(url, '_blank');
+    });
+    // Pre-fill the report fields with the current UTC year and month
+    (() => {
+      const now = new Date();
+      document.getElementById('reportYear').value = now.getUTCFullYear();
+      document.getElementById('reportMonth').value = now.getUTCMonth() + 1; // getUTCMonth() is 0-based, the field holds 1-12
+    })();
+
+    // Hook tab switches to load data lazily: memory, leaderboard and share content is (re)loaded each time its tab is clicked
+    document.querySelectorAll('.tab-trigger').forEach(t => {
+      t.addEventListener('click', () => {
+        const target = t.dataset.tab; // tab id comes from the trigger's data-tab attribute
+        if (target === 'memory') loadMemoryGraph();
+        if (target === 'leaderboard') loadLeaderboard();
+        if (target === 'share') refreshShareCard();
+      });
+    });
+
+    // ─── Init ────────────────────────────────────────────────────────────
     async function init() {
       await checkHealth();
       await loadMetrics();
       await loadRequests();
       await loadProviders();
-      connectSSE();
+      await loadSubscriptions();
+      await loadSavings();
+      await loadWallet();
+      await loadHero();
 
+      try {
+        const res = await apiFetch(`${API_BASE}/api/dashboard/settings`);
+        const payload = await res.json();
+        if (payload.success) {
+          document.getElementById('routingModeBadge').textContent = payload.data.routingMode;
+          // Apply UI mode (Simple Mode etc.) immediately on load; the literal below is used when the settings carry no ui block
+          applyUiMode(payload.data.ui ?? { simpleMode: true, hideEmptyProviders: true, showTooltips: true });
+        }
+      } catch (e) { /* non-fatal: on failure the badge and UI mode are simply left as they are */ }
+
+      setupPolling();
       setInterval(checkHealth, HEALTH_CHECK_INTERVAL);
-      setInterval(loadMetrics, METRICS_REFRESH_INTERVAL);
+      setInterval(loadSubscriptions, 30000); // reload subscriptions every 30s
+      setInterval(loadHero, 15000); // refresh buddy / events / forecast every 15s
     }
 
-    // Start
     init();
   </script>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/packages/gateway/src/routes/dashboard.ts b/packages/gateway/src/routes/dashboard.ts
index 40725aa..7840e54 100644
--- a/packages/gateway/src/routes/dashboard.ts
+++ b/packages/gateway/src/routes/dashboard.ts
@@ -58,6 +58,233 @@ interface AlertData {
   };
 }
 
+interface TopologyNode { // One node of the dashboard topology graph built by getDashboardTopology().
+  id: string; // referenced by TopologyEdge.from / TopologyEdge.to
+  label: string;
+  kind: 'client' | 'gateway' | 'policy' | 'memory' | 'model' | 'provider' | 'tool' | 'planned';
+  status: 'online' | 'ready' | 'detected' | 'planned' | 'blocked' | 'offline';
+  trust: 'public' | 'internal' | 'confidential' | 'secret' | 'n/a'; // 'n/a' is used for the gateway and policy nodes
+  description: string;
+  metrics?: Record<string, string | number | boolean>; // optional; provider nodes carry `models` and `rpm`
+}
+
+interface TopologyEdge { // Directed connection between two topology nodes.
+  from: string; // id of the source TopologyNode
+  to: string; // id of the target TopologyNode
+  label: string;
+  status: 'active' | 'ready' | 'planned' | 'blocked';
+}
+
+interface DashboardTopology { // Payload returned under `data` by GET /api/dashboard/topology.
+  product: string;
+  tagline: string;
+  mode: 'online' | 'offline' | 'hybrid-safe'; // getDashboardTopology() emits 'offline' or 'hybrid-safe' only
+  generatedAt: string; // ISO-8601 timestamp (Date#toISOString)
+  summary: {
+    detectedClients: number;
+    localModels: number;
+    providersConfigured: number;
+    trustPolicies: number;
+    memoryBackends: number;
+    plannedModules: number;
+  };
+  nodes: TopologyNode[];
+  edges: TopologyEdge[];
+  trustLevels: Array<{ level: string; route: string; action: string }>;
+  receipts: Array<{ id: string; trust: string; route: string; protected: string; tokens: string }>; // currently static demo entries ('ctxr-demo-…')
+  roadmap: Array<{ module: string; status: string; priority: string }>;
+}
+
+async function getDashboardTopology(): Promise<DashboardTopology> { // Builds the topology payload: static client/policy/memory nodes plus one node and edge per discovered provider.
+  let availableProviders: ReturnType<typeof getAvailableProviders> = [];
+  try {
+    availableProviders = getAvailableProviders();
+  } catch (err) {
+    logger.warn({ err }, 'Provider discovery failed while building topology'); // degrade to a topology without provider nodes
+  }
+
+  const configuredProviders = availableProviders.filter((provider) => { // "configured" = enabled and backed by the environment variables checked below
+    if (!provider.enabled) return false;
+    if (provider.name === 'claude-bridge') {
+      return process.env['CLAUDE_BRIDGE_ENABLED'] === 'true' && Boolean(process.env['CLAUDE_BRIDGE_URL']);
+    }
+    if (['claude-code', 'openai-bridge', 'chatgpt-bridge', 'copilot-bridge', 'codex'].includes(provider.name)) {
+      return Boolean(process.env[provider.envKey]) || Boolean(process.env[`${provider.envKey.replace(/_KEY|_TOKEN/, '')}_URL`]); // either the key itself or a derived <PREFIX>_URL variable counts
+    }
+    return Boolean(process.env[provider.envKey]);
+  });
+
+  const providerNodes: TopologyNode[] = availableProviders.slice(0, 8).map((provider) => ({ // only the first 8 providers become nodes
+    id: `provider-${provider.name}`,
+    label: provider.name,
+    kind: 'provider',
+    status: configuredProviders.some((p) => p.name === provider.name) ? 'ready' : 'detected',
+    trust: provider.name.includes('bridge') ? 'internal' : 'public',
+    description: `${provider.models.length} model routes, ${provider.rateLimitRpm} rpm`,
+    metrics: {
+      models: provider.models.length,
+      rpm: provider.rateLimitRpm,
+    },
+  }));
+
+  const nodes: TopologyNode[] = [
+    {
+      id: 'openai-api',
+      label: 'OpenAI-compatible API',
+      kind: 'client',
+      status: 'online',
+      trust: 'internal',
+      description: 'Existing gateway entrypoint for apps that can use a custom base URL.',
+    },
+    {
+      id: 'client-claude-code',
+      label: 'Claude Code',
+      kind: 'client',
+      status: 'planned',
+      trust: 'internal',
+      description: 'Optional MCP bridge for code work.',
+    },
+    {
+      id: 'client-codex',
+      label: 'Codex',
+      kind: 'client',
+      status: 'planned',
+      trust: 'internal',
+      description: 'Optional MCP helper and OpenAI-compatible client flow.',
+    },
+    {
+      id: 'client-chatgpt',
+      label: 'ChatGPT',
+      kind: 'client',
+      status: 'planned',
+      trust: 'public',
+      description: 'Export importer and optional browser/adapter flow.',
+    },
+    {
+      id: 'client-cursor',
+      label: 'Cursor / VS Code',
+      kind: 'client',
+      status: 'planned',
+      trust: 'internal',
+      description: 'Works through OpenAI-compatible base URL where supported.',
+    },
+    {
+      id: 'gateway',
+      label: 'LLM Gateway',
+      kind: 'gateway',
+      status: 'online',
+      trust: 'n/a',
+      description: 'Existing core: OpenAI-compatible API, routing, completions, metrics, fallback.',
+    },
+    {
+      id: 'trust-router',
+      label: 'Trust Router',
+      kind: 'policy',
+      status: 'planned',
+      trust: 'n/a',
+      description: 'Small policy layer for local-first routing and provider allowlists.',
+    },
+    {
+      id: 'context-receipts',
+      label: 'Context Receipts',
+      kind: 'policy',
+      status: 'planned',
+      trust: 'n/a',
+      description: 'Shows what context was used, compressed, redacted, and routed.',
+    },
+    {
+      id: 'memory-gitea',
+      label: 'Shared Git Memory',
+      kind: 'memory',
+      status: 'planned',
+      trust: 'confidential',
+      description: 'Optional Git/Gitea-backed memory for AI handoffs and project decisions.',
+    },
+    {
+      id: 'mcp-server',
+      label: 'MCP Control Plane',
+      kind: 'tool',
+      status: 'planned',
+      trust: 'internal',
+      description: 'Gateway, memory, repo, and policy tools exposed through MCP.',
+    },
+    {
+      id: 'ollama',
+      label: 'Ollama / Local Models',
+      kind: 'model',
+      status: 'ready',
+      trust: 'confidential',
+      description: 'Local-first model runtime for private and offline work.',
+    },
+    ...providerNodes,
+  ];
+
+  const edges: TopologyEdge[] = [
+    { from: 'openai-api', to: 'gateway', label: 'OpenAI-compatible API', status: 'ready' },
+    { from: 'client-claude-code', to: 'mcp-server', label: 'MCP tools/resources', status: 'planned' },
+    { from: 'client-codex', to: 'mcp-server', label: 'MCP tools/resources', status: 'planned' },
+    { from: 'client-chatgpt', to: 'gateway', label: 'export/import + OpenAI adapter', status: 'planned' },
+    { from: 'client-cursor', to: 'gateway', label: 'custom base URL', status: 'planned' },
+    { from: 'mcp-server', to: 'gateway', label: 'tool calls', status: 'planned' },
+    { from: 'gateway', to: 'trust-router', label: 'policy decision', status: 'planned' },
+    { from: 'trust-router', to: 'ollama', label: 'confidential/local route', status: 'ready' },
+    { from: 'trust-router', to: 'memory-gitea', label: 'memory read/write', status: 'planned' },
+    { from: 'gateway', to: 'context-receipts', label: 'audit artifact', status: 'planned' },
+    ...providerNodes.map((node): TopologyEdge => ({
+      from: 'trust-router',
+      to: node.id,
+      label: node.trust === 'public' ? 'public route' : 'approved route',
+      status: node.status === 'ready' ? 'ready' : 'planned',
+    })),
+  ];
+
+  const plannedModules = [
+    'Trust Router',
+    'Context Receipts',
+    'Shared Gitea Memory',
+    'AI Handoff Protocol',
+    'Consent Ledger',
+    'Setup Doctor',
+    'Safe Config Writer',
+    'Benchmark Lab',
+    'Agent Reputation',
+    'Compression Engine',
+  ];
+
+  return {
+    product: 'llm.gateway',
+    tagline: 'OpenAI-compatible LLM Gateway with routing, savings, receipts, and optional shared memory',
+    mode: process.env['BLACKHOLE_OFFLINE_MODE'] === 'true' ? 'offline' : 'hybrid-safe',
+    generatedAt: new Date().toISOString(),
+    summary: {
+      detectedClients: nodes.filter((node) => node.kind === 'client').length, // derived so the summary always matches the emitted nodes
+      localModels: nodes.filter((node) => node.kind === 'model').length,
+      providersConfigured: configuredProviders.length,
+      trustPolicies: 4, // keep in step with the four trustLevels entries below
+      memoryBackends: nodes.filter((node) => node.kind === 'memory').length,
+      plannedModules: plannedModules.length,
+    },
+    nodes,
+    edges,
+    trustLevels: [
+      { level: 'public', route: 'any enabled provider', action: 'allow' },
+      { level: 'internal', route: 'local or approved provider', action: 'route with receipt' },
+      { level: 'confidential', route: 'local-first', action: 'block public providers' },
+      { level: 'secret', route: 'none', action: 'redact or block' },
+    ],
+    receipts: [
+      { id: 'ctxr-demo-001', trust: 'internal', route: 'Claude Code -> MCP -> local model', protected: '.env, tokens, private keys', tokens: '13.2k -> 4.2k' },
+      { id: 'ctxr-demo-002', trust: 'confidential', route: 'Codex -> Gateway -> Ollama', protected: 'customer names, internal hosts', tokens: '8.4k -> 3.1k' },
+      { id: 'ctxr-demo-003', trust: 'public', route: 'OpenAI-compatible app -> Gateway -> hosted model', protected: 'none detected', tokens: '2.0k -> 1.8k' },
+    ],
+    roadmap: plannedModules.map((module, index) => ({
+      module,
+      status: index < 4 ? 'next' : 'planned', // the first four modules are marked 'next'
+      priority: index < 7 ? 'P0' : 'P1', // the first seven modules are P0, the rest P1
+    })),
+  };
+}
+
 /**
  * Get dashboard summary stats for a time window
  */
@@ -306,6 +533,24 @@ async function getAlerts(): Promise<AlertData> {
 }
 
 export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
+  fastify.get('/api/dashboard/topology', async (_request: FastifyRequest, reply: FastifyReply) => { // GET: topology snapshot wrapped as { success, data, meta }
+    try {
+      return reply.send({
+        success: true,
+        data: await getDashboardTopology(),
+        meta: {
+          timestamp: new Date().toISOString(),
+        },
+      });
+    } catch (error) {
+      logger.error({ error }, 'Failed to fetch topology');
+      return reply.status(500).send({ // generic message only; the underlying error is logged above, not returned
+        success: false,
+        error: 'Failed to fetch topology',
+      });
+    }
+  });
+
   // Dashboard summary endpoint
   fastify.get('/api/dashboard/summary', async (request: FastifyRequest, reply: FastifyReply) => {
     const hours = (request.query as any).hours ?? 24;
@@ -618,8 +863,7 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
     }
   });
 
-  // Dashboard UI endpoint (served at /api/dashboard/index for Cloudflare tunnel compatibility)
-  fastify.get('/api/dashboard/index', async (_request: FastifyRequest, reply: FastifyReply) => {
+  async function serveDashboardHtml(reply: FastifyReply, filename = 'dashboard.html', endpoint = '/dashboard') {
     try {
       const { fileURLToPath } = await import('url');
       const { dirname, join } = await import('path');
@@ -628,84 +872,52 @@ export async function dashboardRoute(fastify: FastifyInstance): Promise<void> {
       const __filename = fileURLToPath(import.meta.url);
       const __dirname = dirname(__filename);
       const publicDir = join(__dirname, '..', '..', 'public');
-      const dashboardPath = join(publicDir, 'dashboard.html');
+      const dashboardPath = join(publicDir, filename);
 
       if (!existsSync(dashboardPath)) {
-        logger.warn({ path: dashboardPath }, 'dashboard.html not found');
-        return reply.status(404).send({ error: 'dashboard.html not found' });
+        logger.warn({ path: dashboardPath, endpoint }, 'dashboard html not found');
+        return reply.status(404).send({ error: `${filename} not found` });
       }
 
       const content = readFileSync(dashboardPath, 'utf-8');
-      logger.info({ size: content.length }, 'Serving dashboard from /api/dashboard/ui');
-      return reply.type('text/html').send(content);
-    } catch (error) {
-      logger.error({ error }, 'Failed to serve dashboard UI');
-      return reply.status(500).send({ error: 'Failed to serve dashboard' });
-    }
-  });
-
-  // Fresh dashboard endpoint (no cache) - for Cloudflare cache bypass testing
-  fastify.get('/dashboard', async (_request: FastifyRequest, reply: FastifyReply) => {
-    try {
-      const { fileURLToPath } = await import('url');
-      const { dirname, join } = await import('path');
-      const { readFileSync, existsSync } = await import('fs');
-
-      const __filename = fileURLToPath(import.meta.url);
-      const __dirname = dirname(__filename);
-      const publicDir = join(__dirname, '..', '..', 'public');
-      const dashboardPath = join(publicDir, 'dashboard.html');
-
-      if (!existsSync(dashboardPath)) {
-        logger.warn({ path: dashboardPath }, 'dashboard.html not found');
-        return reply.status(404).send({ error: 'dashboard.html not found' });
-      }
-
-      const content = readFileSync(dashboardPath, 'utf-8');
-      logger.info({ size: content.length }, 'Serving dashboard from /dashboard');
+      logger.info({ size: content.length, endpoint, filename }, 'Serving dashboard html');
       return reply
         .header('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0')
         .header('Pragma', 'no-cache')
         .header('Expires', '0')
-        .type('text/html')
+        .type('text/html; charset=utf-8')
         .send(content);
     } catch (error) {
-      logger.error({ error }, 'Failed to serve dashboard');
+      logger.error({ error, endpoint, filename }, 'Failed to serve dashboard html');
       return reply.status(500).send({ error: 'Failed to serve dashboard' });
     }
+  }
+
+  // Dashboard UI endpoint (served at /api/dashboard/index for Cloudflare tunnel compatibility)
+  fastify.get('/api/dashboard/index', async (_request: FastifyRequest, reply: FastifyReply) => {
+    return serveDashboardHtml(reply, 'dashboard.html', '/api/dashboard/index');
+  });
+
+  // Fresh dashboard endpoint (no cache) - keeps the original Version 1 dashboard online.
+  fastify.get('/dashboard', async (_request: FastifyRequest, reply: FastifyReply) => {
+    return serveDashboardHtml(reply, 'dashboard.html', '/dashboard');
+  });
+
+  // Version 2 dashboard preview - open-source workbench without replacing Version 1.
+  fastify.get('/v2/dashboard', async (_request: FastifyRequest, reply: FastifyReply) => {
+    return serveDashboardHtml(reply, 'dashboard-v2.html', '/v2/dashboard');
+  });
+
+  fastify.get('/dashboard-v2', async (_request: FastifyRequest, reply: FastifyReply) => { // alias of /v2/dashboard: serves the same dashboard-v2.html
+    return serveDashboardHtml(reply, 'dashboard-v2.html', '/dashboard-v2');
   });
 
   // Cloudflare cache bypass endpoint - new URL that won't be cached by Cloudflare
   fastify.get('/api/dashboard/ui', async (_request: FastifyRequest, reply: FastifyReply) => {
-    try {
-      const { fileURLToPath } = await import('url');
-      const { dirname, join } = await import('path');
-      const { readFileSync, existsSync } = await import('fs');
+    return serveDashboardHtml(reply, 'dashboard.html', '/api/dashboard/ui');
+  });
 
-      const __filename = fileURLToPath(import.meta.url);
-      const __dirname = dirname(__filename);
-      const publicDir = join(__dirname, '..', '..', 'public');
-      const dashboardPath = join(publicDir, 'dashboard.html');
-
-      if (!existsSync(dashboardPath)) {
-        logger.warn({ path: dashboardPath }, 'dashboard.html not found at /api/dashboard/ui');
-        return reply.status(404).send({ error: 'dashboard.html not found' });
-      }
-
-      const content = readFileSync(dashboardPath, 'utf-8');
-      const timestamp = Date.now();
-      logger.info({ size: content.length, endpoint: '/api/dashboard/ui', timestamp }, 'Serving dashboard UI (Cloudflare cache bypass)');
-      return reply
-        .header('Cache-Control', 'no-cache, no-store, must-revalidate, max-age=0, public')
-        .header('Pragma', 'no-cache')
-        .header('Expires', '0')
-        .header('ETag', `"ui-${timestamp}"`)
-        .header('X-Cache-Bypass', 'true')
-        .type('text/html; charset=utf-8')
-        .send(content);
-    } catch (error) {
-      logger.error({ error }, 'Failed to serve dashboard UI');
-      return reply.status(500).send({ error: 'Failed to serve dashboard UI' });
-    }
+  fastify.get('/api/dashboard/v2', async (_request: FastifyRequest, reply: FastifyReply) => { // /api-prefixed route for the same dashboard-v2.html
+    return serveDashboardHtml(reply, 'dashboard-v2.html', '/api/dashboard/v2');
   });
 }
diff --git a/packages/gateway/src/routes/health.ts b/packages/gateway/src/routes/health.ts
index be8b3fd..9aa93b0 100644
--- a/packages/gateway/src/routes/health.ts
+++ b/packages/gateway/src/routes/health.ts
@@ -78,8 +78,9 @@ export async function healthRoute(fastify: FastifyInstance): Promise<void> {
       // Check if this is a dashboard UI request with ?ui=1 or ?dashboard=1
       const query = request.query as any;
       const isDashboardRequest = query.ui || query.dashboard;
+      const acceptsHtml = String(request.headers.accept ?? '').includes('text/html');
 
-      if (isDashboardRequest) {
+      if (isDashboardRequest || acceptsHtml) {
         try {
           const __filename = fileURLToPath(import.meta.url);
           const __dirname = dirname(__filename);
diff --git a/packages/gateway/src/security/tls-config.ts b/packages/gateway/src/security/tls-config.ts
index d732779..caa73cd 100644
--- a/packages/gateway/src/security/tls-config.ts
+++ b/packages/gateway/src/security/tls-config.ts
@@ -126,10 +126,10 @@ export async function registerHTTPSRedirectMiddleware(server: FastifyInstance) {
  */
 export async function registerSecurityHeadersMiddleware(server: FastifyInstance) {
   server.addHook('onSend', async (request, reply) => {
-    // Content Security Policy - strict, no inline scripts
+    // Content Security Policy for the self-contained dashboard UI.
     reply.header(
       'Content-Security-Policy',
-      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
     );
 
     // Prevent clickjacking
diff --git a/packages/gateway/src/server.ts b/packages/gateway/src/server.ts
index e7878d2..85a67ac 100644
--- a/packages/gateway/src/server.ts
+++ b/packages/gateway/src/server.ts
@@ -77,6 +77,7 @@ async function buildServer() {
       directives: {
         defaultSrc: ["'self'"],
         scriptSrc: ["'self'", "'unsafe-inline'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
         objectSrc: ["'none'"],
       },
     },