diff --git a/.agents/rules/realtime.md b/.agents/rules/realtime.md
index 49574c6660..a541fb284a 100644
--- a/.agents/rules/realtime.md
+++ b/.agents/rules/realtime.md
@@ -6,6 +6,7 @@
 
 `[Authorize] AppHub` mapped at **`/api/v1/realtime/hub`**. Groups: `user:{userId}`, `tenant:{tenantId}`, `channel:{channelId}`.
 
+- **Channel-group join is connect-time + on-demand.** `OnConnectedAsync` auto-joins `user:{id}`, `tenant:{id}`, and every `channel:{id}` the user is *already* a member of. A channel that becomes relevant **after** the socket is live (a new DM, or being added to a channel) is **not** auto-joined — the client must call the membership-gated **`JoinChannel(channelId)`** hub method (the dashboard does this on channel open + reconnect). Without it, group broadcasts silently miss that connection until a page reload re-runs `OnConnectedAsync`. New-DM creation pushes `ChatChannelAdded` to each other participant's `user:{id}` group so their channel list refreshes.
 - **⚠️ Read the user from `Context.User`, NOT `ICurrentUser`.** `ICurrentUser` flows through `IHttpContextAccessor`, but the negotiate `HttpContext` isn't pinned to subsequent hub invocations → `ICurrentUser` returns nulls inside the hub. Use `Context.User` (the hub's `GetUserId()`/`GetTenantId()` helpers).
 - Broadcasts are **scoped to groups** (`tenant:{id}`, `user:{id}`, `channel:{id}`), never `Clients.All`. `PresenceChanged` goes to the tenant group.
 - Redis backplane is added automatically when `CachingOptions:Redis` is set (channel prefix `fsh-signalr`) — required for multi-replica.
diff --git a/clients/admin/index.html b/clients/admin/index.html
index dd72e62969..f3ece6e87f 100644
--- a/clients/admin/index.html
+++ b/clients/admin/index.html
@@ -8,7 +8,7 @@
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
     <link
       rel="stylesheet"
-      href="https://fonts.googleapis.com/css2?family=Fraunces:opsz,wght@9..144,400;9..144,500;9..144,600;9..144,700&family=JetBrains+Mono:wght@400;500;600&display=swap"
+      href="https://fonts.googleapis.com/css2?family=Figtree:wght@300..900&family=JetBrains+Mono:ital,wght@0,100..800;1,100..800&family=Outfit:wght@100..900&display=swap"
     />
     <title>FullStackHero — Admin</title>
   </head>
diff --git a/clients/admin/src/api/files.ts b/clients/admin/src/api/files.ts
new file mode 100644
index 0000000000..4b063e6d78
--- /dev/null
+++ b/clients/admin/src/api/files.ts
@@ -0,0 +1,138 @@
+import { apiFetch } from "@/lib/api-client";
+import type { PagedResponse } from "@/lib/api-types";
+
+// Mirrors FSH.Modules.Files.Domain.Visibility — Public/Private numeric codes
+// match the server's int? Visibility shape on the FileAssetDto.
+export const Visibility = {
+  Public: 0,
+  Private: 1,
+} as const;
+export type VisibilityValue = (typeof Visibility)[keyof typeof Visibility];
+
+// Mirrors FSH.Modules.Files.Domain.FileAssetStatus.
+export const FileAssetStatus = {
+  PendingUpload: 0,
+  Available: 1,
+  Quarantined: 2,
+} as const;
+export type FileAssetStatusValue = (typeof FileAssetStatus)[keyof typeof FileAssetStatus];
+
+// Mirrors FSH.Modules.Files.Contracts.v1.DTOs.FileAssetDto.
+export type FileAssetDto = {
+  id: string;
+  ownerType: string;
+  ownerId?: string | null;
+  originalFileName: string;
+  contentType: string;
+  sizeBytes: number;
+  visibility: VisibilityValue;
+  status: FileAssetStatusValue;
+  scanStatus: number;
+  createdAtUtc: string;
+  publicUrl?: string | null;
+  /** The user that uploaded the file. Use with useUserDisplay to resolve a name.
+   *  Older server versions before the field was added send "" — guard against it
+   *  when deciding whether to render an "uploaded by" attribution row. */
+  createdByUserId: string;
+  deletedOnUtc?: string | null;
+  deletedBy?: string | null;
+};
+
+export type PresignedUploadResponse = {
+  fileAssetId: string;
+  uploadUrl: string;
+  requiredHeaders: Record<string, string>;
+  expiresAt: string;
+};
+
+export type PresignedDownloadResponse = {
+  url: string;
+  expiresAt: string;
+};
+
+export type RequestUploadUrlInput = {
+  ownerType: string;
+  ownerId?: string | null;
+  fileName: string;
+  contentType: string;
+  sizeBytes: number;
+  visibility: VisibilityValue;
+  category: string;
+};
+
+export function requestUploadUrl(input: RequestUploadUrlInput): Promise<PresignedUploadResponse> {
+  return apiFetch<PresignedUploadResponse>("/api/v1/files/upload-url", {
+    method: "POST",
+    body: JSON.stringify(input),
+  });
+}
+
+export function finalizeUpload(fileAssetId: string): Promise<FileAssetDto> {
+  return apiFetch<FileAssetDto>(
+    `/api/v1/files/${encodeURIComponent(fileAssetId)}/finalize`,
+    { method: "POST" },
+  );
+}
+
+export function getFileMetadata(fileAssetId: string): Promise<FileAssetDto> {
+  return apiFetch<FileAssetDto>(`/api/v1/files/${encodeURIComponent(fileAssetId)}`);
+}
+
+export function getFileDownloadUrl(
+  fileAssetId: string,
+  options: { inline?: boolean } = {},
+): Promise<PresignedDownloadResponse> {
+  const qs = options.inline ? "?inline=true" : "";
+  return apiFetch<PresignedDownloadResponse>(
+    `/api/v1/files/${encodeURIComponent(fileAssetId)}/url${qs}`,
+  );
+}
+
+export function listMyFiles(page = 1, pageSize = 20): Promise<FileAssetDto[]> {
+  return apiFetch<FileAssetDto[]>(
+    `/api/v1/files/mine?page=${page}&pageSize=${pageSize}`,
+  );
+}
+
+export function listSharedFiles(page = 1, pageSize = 20): Promise<FileAssetDto[]> {
+  return apiFetch<FileAssetDto[]>(
+    `/api/v1/files/shared?page=${page}&pageSize=${pageSize}`,
+  );
+}
+
+/** Flip a file's visibility. Server returns the refreshed DTO so the client can patch
+ *  its preview/list without a follow-up GET. */
+export function changeFileVisibility(
+  fileAssetId: string,
+  visibility: VisibilityValue,
+): Promise<FileAssetDto> {
+  return apiFetch<FileAssetDto>(
+    `/api/v1/files/${encodeURIComponent(fileAssetId)}/visibility`,
+    {
+      method: "PATCH",
+      body: JSON.stringify({ visibility }),
+    },
+  );
+}
+
+export function deleteFile(fileAssetId: string): Promise<void> {
+  return apiFetch<void>(`/api/v1/files/${encodeURIComponent(fileAssetId)}`, {
+    method: "DELETE",
+  });
+}
+
+export function listTrashedFiles(
+  pageNumber = 1,
+  pageSize = 20,
+): Promise<PagedResponse<FileAssetDto>> {
+  return apiFetch<PagedResponse<FileAssetDto>>(
+    `/api/v1/files/trash?pageNumber=${pageNumber}&pageSize=${pageSize}`,
+  );
+}
+
+export function restoreFile(fileAssetId: string): Promise<void> {
+  return apiFetch<void>(
+    `/api/v1/files/${encodeURIComponent(fileAssetId)}/restore`,
+    { method: "POST" },
+  );
+}
diff --git a/clients/admin/src/components/auth/demo-accounts-dialog.tsx b/clients/admin/src/components/auth/demo-accounts-dialog.tsx
new file mode 100644
index 0000000000..e0f8b25c84
--- /dev/null
+++ b/clients/admin/src/components/auth/demo-accounts-dialog.tsx
@@ -0,0 +1,173 @@
+import { useEffect } from "react";
+import { ArrowUpRight, ShieldCheck } from "lucide-react";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { ADMIN_DEMO_ACCOUNTS, type DemoAccount } from "@/pages/login.demo-accounts";
+
+// ────────────────────────────────────────────────────────────────────────
+// DemoAccountsDialog — dev-only demo account picker for the admin app.
+//
+// Admin surfaces a single root/superadmin account (vs. the dashboard's
+// multi-tenant tenant-picker). The layout is a single-pane account list
+// rather than the dashboard's two-pane tenant-rail, since there's only
+// one operator tenant. Tapping an account signs in instantly and closes
+// the dialog. Gating (import.meta.env.DEV) is the caller's responsibility.
+// ────────────────────────────────────────────────────────────────────────
+
+interface DemoAccountsDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  /** Fired when an account row is tapped — caller signs in with these creds. */
+  onPick: (account: DemoAccount) => void;
+}
+
+export function DemoAccountsDialog({ open, onOpenChange, onPick }: DemoAccountsDialogProps) {
+  // Nothing to reset on re-open (single account list, no tenant rail).
+  useEffect(() => {}, [open]);
+
+  const handlePick = (account: DemoAccount) => {
+    onOpenChange(false);
+    onPick(account);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="overflow-hidden rounded-2xl border-border/70 p-0 sm:max-w-[480px]">
+        <DialogTitle className="sr-only">Demo accounts</DialogTitle>
+        <DialogDescription className="sr-only">
+          Pick a demo account to sign in to the admin console.
+        </DialogDescription>
+
+        {/* Atmospheric gradient wash */}
+        <div
+          className="pointer-events-none absolute -top-32 -right-32 size-[320px] rounded-full bg-[radial-gradient(closest-side,color-mix(in_srgb,var(--color-primary)_14%,transparent),transparent)] blur-3xl"
+          aria-hidden
+        />
+        <div
+          className="pointer-events-none absolute -bottom-24 -left-24 size-[240px] rounded-full bg-[radial-gradient(closest-side,color-mix(in_srgb,var(--color-accent-signal,var(--color-primary))_10%,transparent),transparent)] blur-3xl"
+          aria-hidden
+        />
+
+        {/* Header */}
+        <header className="fsh-enter relative px-7 pt-7 pb-5">
+          <div className="mb-2.5 flex items-center gap-2">
+            <span className="relative flex size-1.5">
+              <span className="absolute inline-flex h-full w-full animate-ping rounded-full bg-[var(--color-primary)] opacity-75" />
+              <span className="relative inline-flex size-1.5 rounded-full bg-[var(--color-primary)]" />
+            </span>
+            <span className="font-mono text-[10px] font-semibold uppercase tracking-[0.22em] text-[oklch(from_var(--color-primary)_l_c_h_/_0.85)]">
+              Dev · demo
+            </span>
+          </div>
+          <h2 className="font-display text-[20px] font-semibold leading-[1.15] tracking-[-0.01em] text-[var(--color-foreground)]">
+            Sign in as operator.
+          </h2>
+          <p className="mt-1.5 text-[12.5px] leading-relaxed text-[var(--color-muted-foreground)]/80">
+            Tap an account below — we'll fill the credentials and sign you in instantly.
+          </p>
+        </header>
+
+        {/* Account list */}
+        <div className="relative border-t border-[var(--color-border)]/60 bg-[var(--color-background)]/30 px-4 py-3">
+          <div className="mb-2 flex items-baseline gap-2 px-2">
+            <span className="font-mono text-[9.5px] font-semibold uppercase tabular-nums tracking-[0.18em] text-[oklch(from_var(--color-primary)_l_c_h_/_0.55)]">
+              Operator accounts
+            </span>
+            <div className="relative top-[-2px] h-px flex-1 bg-[var(--color-border)]/70" />
+            <span className="font-mono text-[9.5px] uppercase tracking-[0.15em] text-[var(--color-muted-foreground)]/50">
+              tap to sign in
+            </span>
+          </div>
+
+          <div className="space-y-0.5">
+            {ADMIN_DEMO_ACCOUNTS.map((account, i) => (
+              <AccountRow
+                key={account.email}
+                account={account}
+                delay={i * 40}
+                onPick={handlePick}
+              />
+            ))}
+          </div>
+        </div>
+
+        {/* Footer */}
+        <div className="relative flex items-center justify-between border-t border-[var(--color-border)]/60 bg-[var(--color-background)]/40 px-7 py-3">
+          <p className="flex items-center gap-1.5 text-[10.5px] text-[var(--color-muted-foreground)]/60">
+            <ShieldCheck className="size-3 shrink-0" />
+            <span>
+              <span className="font-mono text-[var(--color-muted-foreground)]/80">dev only</span>
+              <span className="mx-2 text-[var(--color-muted-foreground)]/30">·</span>
+              Not visible in production.
+            </span>
+          </p>
+          <kbd className="hidden items-center gap-1 rounded border border-[var(--color-border)]/60 bg-[var(--color-background)]/60 px-1.5 py-0.5 font-mono text-[9.5px] text-[var(--color-muted-foreground)]/60 sm:inline-flex">
+            esc
+          </kbd>
+        </div>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+// ─── AccountRow ──────────────────────────────────────────────────────────────
+
+function AccountRow({
+  account,
+  delay,
+  onPick,
+}: {
+  account: DemoAccount;
+  delay: number;
+  onPick: (account: DemoAccount) => void;
+}) {
+  return (
+    <button
+      type="button"
+      onClick={() => onPick(account)}
+      style={{ animationDelay: `${delay}ms` }}
+      className="fsh-enter group relative flex w-full cursor-pointer items-center gap-3 overflow-hidden rounded-lg px-2 py-2.5 text-left outline-none transition-all duration-200 hover:translate-x-0.5 focus-visible:bg-[var(--color-primary)]/[0.04] active:scale-[0.99]"
+    >
+      {/* Hover gradient wash */}
+      <span
+        className="pointer-events-none absolute inset-0 rounded-lg bg-[linear-gradient(90deg,color-mix(in_srgb,var(--color-primary)_9%,transparent),transparent_70%)] opacity-0 transition-opacity duration-300 group-hover:opacity-100"
+        aria-hidden
+      />
+
+      {/* Avatar */}
+      <span className="relative flex size-9 shrink-0 items-center justify-center rounded-full border border-[var(--color-border)]/70 bg-[var(--color-background)] font-mono text-[11px] font-semibold text-[var(--color-muted-foreground)]/80 transition-all duration-300 group-hover:border-[var(--color-primary)] group-hover:bg-[var(--color-primary)] group-hover:text-[var(--color-primary-foreground)] group-hover:shadow-[0_0_0_3px_color-mix(in_srgb,var(--color-primary)_18%,transparent)]">
+        {account.initials}
+      </span>
+
+      {/* Content */}
+      <div className="relative min-w-0 flex-1">
+        <div className="flex flex-wrap items-baseline gap-2">
+          <span className="text-[13px] font-semibold leading-tight tracking-tight text-[var(--color-foreground)]">
+            {account.label}
+          </span>
+          <span className="rounded bg-[var(--color-muted)] px-1.5 py-0.5 font-mono text-[9.5px] uppercase tracking-wider text-[var(--color-muted-foreground)]/70 transition-colors duration-200 group-hover:text-[var(--color-primary)]/80">
+            {account.tenant}
+          </span>
+        </div>
+        <div className="mt-0.5 truncate font-mono text-[10.5px] leading-tight text-[var(--color-muted-foreground)]/55">
+          {account.email}
+        </div>
+        <div className="mt-0.5 text-[11px] italic leading-tight text-[var(--color-muted-foreground)]/60">
+          {account.persona}
+        </div>
+      </div>
+
+      {/* Arrow indicator */}
+      <span
+        className="relative flex size-6 shrink-0 -translate-x-1 items-center justify-center rounded-md text-[var(--color-muted-foreground)]/30 opacity-0 transition-all duration-300 group-hover:translate-x-0 group-hover:bg-[var(--color-primary)]/10 group-hover:text-[var(--color-primary)] group-hover:opacity-100"
+        aria-hidden
+      >
+        <ArrowUpRight className="size-3.5" strokeWidth={2.25} />
+      </span>
+    </button>
+  );
+}
diff --git a/clients/admin/src/components/brand-mark.tsx b/clients/admin/src/components/brand-mark.tsx
index f0bdd05403..cbfbcc14d6 100644
--- a/clients/admin/src/components/brand-mark.tsx
+++ b/clients/admin/src/components/brand-mark.tsx
@@ -1,32 +1,44 @@
 import { cn } from "@/lib/cn";
 
 /**
- * BrandMark — the Console wordmark. Two glyphs side-by-side:
- *   • A small chartreuse square "punctuation" mark (the only place chrome
- *     uses the accent at full saturation).
- *   • A mono "FSH" lockup with tight letter-spacing.
- * Designed to feel like a system header line rather than a logo.
+ * BrandMark — the compact inline lockup used in the sidebar brand row and
+ * any surface that needs a sub-header-sized reference to the product.
+ *
+ * Matches the dashboard's brand treatment: a small gradient square carrying
+ * the "F" initial, paired with the "fullstackhero" wordmark with a tinted
+ * accent on "hero", and a small "Admin" sub-label.
+ *
+ * The chartreuse signal colour from the old Console identity is retired here.
+ * Colour-identity is now driven purely by the shared `--color-primary` token.
  */
 export function BrandMark({ className }: { className?: string }) {
   return (
-    <div className={cn("inline-flex items-center gap-2 select-none", className)}>
+    <div className={cn("inline-flex select-none items-center gap-2.5", className)}>
       <span
         aria-hidden
-        className="block h-2.5 w-2.5 rounded-[2px] bg-[var(--color-accent-signal)] shadow-[0_0_12px_oklch(from_var(--color-accent-signal)_l_c_h_/_0.45)]"
-      />
-      <span className="font-mono text-[13px] font-semibold tracking-[0.16em] uppercase text-[var(--color-foreground)]">
-        FSH
-        <span className="text-[var(--color-muted-foreground)]">/admin</span>
+        className={cn(
+          "brand-mark grid size-8 shrink-0 place-items-center rounded-lg",
+          "font-display text-[12px] font-bold text-[var(--color-primary-foreground)]",
+        )}
+      >
+        F
       </span>
+      <div className="flex flex-col">
+        <span className="whitespace-nowrap font-display text-[15px] font-bold leading-none tracking-tight text-[var(--color-foreground)]">
+          fullstack<span className="text-[var(--color-primary)]">hero</span>
+        </span>
+        <span className="mt-0.5 text-[10px] font-semibold uppercase tracking-wider text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+          Admin
+        </span>
+      </div>
     </div>
   );
 }
 
 /**
  * BrandMarkXL — splash version for the Login page. Leads with the FSH logo
- * mark + "fullstackhero" wordmark, then the "Console." display monogram and
- * a one-line system blurb. The chartreuse signal carries through the wordmark
- * accent and the monogram period.
+ * mark + "fullstackhero" wordmark, then a display monogram and a one-line
+ * system blurb.
  */
 export function BrandMarkXL({ className }: { className?: string }) {
   return (
@@ -38,14 +50,16 @@ export function BrandMarkXL({ className }: { className?: string }) {
           className="size-7 object-contain"
         />
         <span className="font-display text-[18px] font-semibold tracking-tight text-[var(--color-foreground)]">
-          fullstack<span className="text-[var(--color-accent-signal)]">hero</span>
+          fullstack<span className="text-[var(--color-primary)]">hero</span>
+        </span>
+        <span className="font-mono text-[10px] font-medium uppercase tracking-wider text-[var(--color-muted-foreground)]">
+          · platform admin
         </span>
-        <span className="meta text-[var(--color-muted-foreground)]">· platform admin</span>
       </div>
       <h1 className="font-display text-[clamp(3rem,7vw,5.5rem)] font-semibold leading-[0.95] tracking-[var(--tracking-display)]">
-        Console<span className="text-[var(--color-accent-signal)]">.</span>
+        Admin<span className="text-[var(--color-primary)]">.</span>
       </h1>
-      <p className="max-w-md text-sm text-[var(--color-muted-foreground)] leading-relaxed">
+      <p className="max-w-md text-sm leading-relaxed text-[var(--color-muted-foreground)]">
         Operate every tenant on this instance — identity, multitenancy, billing,
         and the rest of the system surface, from one place.
       </p>
diff --git a/clients/admin/src/components/file/image-input.tsx b/clients/admin/src/components/file/image-input.tsx
new file mode 100644
index 0000000000..7a9c9c1f74
--- /dev/null
+++ b/clients/admin/src/components/file/image-input.tsx
@@ -0,0 +1,197 @@
+import { useState } from "react";
+import { useMutation } from "@tanstack/react-query";
+import { Image as ImageIcon, Loader2, Upload, X, Link as LinkIcon } from "lucide-react";
+import { toast } from "sonner";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { cn } from "@/lib/cn";
+import { useFileUpload, formatBytes } from "@/hooks/use-file-upload";
+import { getFileMetadata, Visibility } from "@/api/files";
+import { ApiRequestError } from "@/lib/api-client";
+
+type Props = {
+  /** Current image URL (or empty). The component is fully controlled. */
+  value: string;
+  onChange: (next: string) => void;
+  /**
+   * Owner binding for the upload. The Files module's per-OwnerType IFileAccessPolicy
+   * decides who can attach what. For user avatars, ownerType="User" + the user id.
+   */
+  ownerType: string;
+  ownerId?: string | null;
+  /** Allowed extensions (lower-case w/ leading dot). Server enforces too. */
+  allowedExtensions?: string[];
+  maxBytes?: number;
+  /** Visual treatment for the preview tile — "square" for general images, "circle" for avatars. */
+  shape?: "square" | "circle";
+  className?: string;
+};
+
+const IMAGE_EXTS = [".jpg", ".jpeg", ".png", ".webp", ".gif"];
+
+/**
+ * ImageInput — composite control that lets a user either upload a new image
+ * (presigned PUT to S3/MinIO) OR paste an external URL. After a successful
+ * upload the component fetches the FileAsset metadata to retrieve the durable
+ * `publicUrl` and forwards it through `onChange`.
+ */
+export function ImageInput({
+  value,
+  onChange,
+  ownerType,
+  ownerId,
+  allowedExtensions = IMAGE_EXTS,
+  maxBytes = 10 * 1024 * 1024,
+  shape = "square",
+  className,
+}: Props) {
+  const [mode, setMode] = useState<"upload" | "url">("upload");
+  const { upload, progress, isUploading, reset } = useFileUpload({
+    ownerType,
+    ownerId,
+    category: "Image",
+    visibility: Visibility.Public, // public so we get a durable URL we can persist on the entity
+    allowedExtensions,
+    maxBytes,
+  });
+
+  // After upload+finalize, fetch metadata so we get the durable publicUrl.
+  const resolveUrl = useMutation({
+    mutationFn: async (fileAssetId: string) => {
+      const dto = await getFileMetadata(fileAssetId);
+      if (!dto.publicUrl) {
+        throw new Error("Server returned no publicUrl for this file.");
+      }
+      return dto.publicUrl;
+    },
+  });
+
+  const handlePick = () => {
+    const input = document.createElement("input");
+    input.type = "file";
+    input.accept = "image/*";
+    input.onchange = async () => {
+      const file = input.files?.[0];
+      if (!file) return;
+      try {
+        const asset = await upload(file);
+        const url = await resolveUrl.mutateAsync(asset.id);
+        onChange(url);
+        toast.success("Image uploaded");
+        // Clear progress so the dropzone re-arms for another upload.
+        setTimeout(reset, 1500);
+      } catch (e) {
+        const message =
+          e instanceof ApiRequestError
+            ? (e.problem?.detail ?? e.problem?.title ?? e.message)
+            : e instanceof Error
+              ? e.message
+              : "Upload failed";
+        toast.error(message);
+      }
+    };
+    input.click();
+  };
+
+  const hasImage = value.length > 0;
+  const isWorking = isUploading || resolveUrl.isPending;
+  const tileClass = shape === "circle" ? "rounded-full" : "rounded-xl";
+
+  return (
+    <div className={cn("space-y-3", className)}>
+      {/* Mode toggle */}
+      <div className="flex gap-1">
+        <ModeChip active={mode === "upload"} onClick={() => setMode("upload")} icon={<Upload className="h-3.5 w-3.5" />}>
+          Upload
+        </ModeChip>
+        <ModeChip active={mode === "url"} onClick={() => setMode("url")} icon={<LinkIcon className="h-3.5 w-3.5" />}>
+          Paste URL
+        </ModeChip>
+      </div>
+
+      {/* Preview + controls row */}
+      <div className="flex items-start gap-4">
+        <div
+          className={cn(
+            "relative grid place-items-center overflow-hidden bg-[var(--color-muted)] ring-1 ring-inset ring-border",
+            shape === "circle" ? "h-20 w-20 rounded-full" : "h-24 w-24 rounded-xl",
+          )}
+        >
+          {hasImage ? (
+            <img src={value} alt="" className={cn("h-full w-full object-cover", tileClass)} />
+          ) : isWorking ? (
+            <Loader2 className="h-5 w-5 animate-spin text-[var(--color-primary)]" />
+          ) : (
+            <ImageIcon className="h-5 w-5 text-[var(--color-muted-foreground)]" />
+          )}
+        </div>
+
+        <div className="flex-1 space-y-2">
+          {mode === "upload" ? (
+            <div className="flex flex-wrap items-center gap-2">
+              <Button type="button" size="sm" onClick={handlePick} disabled={isWorking}>
+                {isWorking
+                  ? <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                  : <Upload className="h-3.5 w-3.5" />}
+                {hasImage ? "Replace image" : "Choose image"}
+              </Button>
+              {hasImage && !isWorking && (
+                <Button type="button" size="sm" variant="outline" onClick={() => onChange("")}>
+                  <X className="h-3.5 w-3.5" />
+                  Remove
+                </Button>
+              )}
+              {isUploading && progress && (
+                <span className="text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
+                  {progress.percent}% · {formatBytes(progress.loaded)} / {formatBytes(progress.totalBytes)}
+                </span>
+              )}
+            </div>
+          ) : (
+            <Input
+              type="url"
+              value={value}
+              onChange={(e) => onChange(e.target.value)}
+              placeholder="https://…"
+              maxLength={512}
+            />
+          )}
+
+          <p className="text-xs text-[var(--color-muted-foreground)]">
+            {mode === "upload"
+              ? `JPG/PNG/WebP/GIF · up to ${formatBytes(maxBytes)}`
+              : "Direct link to an image you host elsewhere."}
+          </p>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function ModeChip({
+  active,
+  onClick,
+  icon,
+  children,
+}: {
+  active: boolean;
+  onClick: () => void;
+  icon: React.ReactNode;
+  children: React.ReactNode;
+}) {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      className={cn(
+        "inline-flex h-7 cursor-pointer items-center gap-1.5 rounded-full px-2.5 text-xs font-medium transition-colors duration-[var(--duration-fast)]",
+        active
+          ? "bg-[var(--color-primary)] text-[var(--color-primary-foreground)]"
+          : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]",
+      )}
+    >
+      {icon}
+      {children}
+    </button>
+  );
+}
diff --git a/clients/admin/src/components/impersonation/active-grants-card.tsx b/clients/admin/src/components/impersonation/active-grants-card.tsx
index 6694db1e4a..b938e09298 100644
--- a/clients/admin/src/components/impersonation/active-grants-card.tsx
+++ b/clients/admin/src/components/impersonation/active-grants-card.tsx
@@ -9,7 +9,7 @@ import type { UserDto } from "@/api/users";
 import { useAuth } from "@/auth/use-auth";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
-import { FormSection, FormShell } from "@/components/list";
+import { SettingsSection } from "@/components/list";
 import { ImpersonateDialog } from "@/components/impersonation/impersonate-dialog";
 import { RevokeGrantDialog } from "@/components/impersonation/revoke-grant-dialog";
 import { IdentityPermissions } from "@/lib/permissions";
@@ -65,61 +65,28 @@ export function ActiveGrantsCard({ tenantId }: { tenantId: string }) {
 
   return (
     <>
-      <FormShell>
-        <FormSection
-          title="Active impersonations"
-          description="Operators currently signed in as users in this tenant. Revoking immediately invalidates the issued token; the dashboard tab will 401 on its next request."
-        >
-          <ul className="divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
-            {items.map((g) => (
-              <li
-                key={g.id}
-                className="grid grid-cols-[auto_1fr_auto] items-center gap-4 py-3"
-              >
-                <span
-                  aria-hidden
-                  className="pulse-dot"
-                  title="Active session"
-                />
-                <div className="min-w-0">
-                  <div className="flex flex-wrap items-baseline gap-2">
-                    <span className="text-sm">
-                      <span className="font-medium">
-                        {g.actorUserName ?? g.actorUserId}
-                      </span>
-                      <span className="mx-1.5 text-[var(--color-muted-foreground)]">→</span>
-                      <span className="font-medium">
-                        {g.impersonatedUserName ?? g.impersonatedUserId}
-                      </span>
-                    </span>
-                    <Badge variant="brand" className="font-mono uppercase tracking-[0.14em]">
-                      Active
-                    </Badge>
-                  </div>
-                  <div className="mt-0.5 truncate font-mono text-[10.5px] text-[var(--color-muted-foreground)]">
-                    started {new Date(g.startedAtUtc).toLocaleTimeString()} · expires{" "}
-                    {new Date(g.expiresAtUtc).toLocaleTimeString()}
-                    {g.reason && <> · {truncate(g.reason, 80)}</>}
-                  </div>
-                </div>
-                <RowActions
-                  canRevoke={canRevoke}
-                  // Re-open: operator's own grant + still Active + has start perm.
-                  // Closed-browser recovery path — issues a fresh token, leaves
-                  // the original grant alive until natural expiry or revoke.
-                  canReopen={
-                    canImpersonate &&
-                    currentUserId !== null &&
-                    g.actorUserId === currentUserId
-                  }
-                  onRevoke={() => setTargetGrant(g)}
-                  onReopen={() => setReopenGrant(g)}
-                />
-              </li>
-            ))}
-          </ul>
-        </FormSection>
-      </FormShell>
+      <SettingsSection
+        title="Active impersonations"
+        icon={UserCog}
+        description="Operators currently signed in as users in this tenant. Revoking immediately invalidates the issued token; the dashboard tab will 401 on its next request."
+      >
+        <ul className="divide-y divide-[var(--color-border)]">
+          {items.map((g) => (
+            <GrantRow
+              key={g.id}
+              grant={g}
+              canRevoke={canRevoke}
+              canReopen={
+                canImpersonate &&
+                currentUserId !== null &&
+                g.actorUserId === currentUserId
+              }
+              onRevoke={() => setTargetGrant(g)}
+              onReopen={() => setReopenGrant(g)}
+            />
+          ))}
+        </ul>
+      </SettingsSection>
 
       <RevokeGrantDialog
         grant={targetGrant}
@@ -137,6 +104,69 @@ export function ActiveGrantsCard({ tenantId }: { tenantId: string }) {
   );
 }
 
+// ─────────────────────────────────────────────────────────────────────────
+// GrantRow — a single active impersonation session row
+// ─────────────────────────────────────────────────────────────────────────
+
+function GrantRow({
+  grant: g,
+  canRevoke,
+  canReopen,
+  onRevoke,
+  onReopen,
+}: {
+  grant: ImpersonationGrantDto;
+  canRevoke: boolean;
+  canReopen: boolean;
+  onRevoke: () => void;
+  onReopen: () => void;
+}) {
+  return (
+    <li className="grid grid-cols-[auto_1fr_auto] items-center gap-4 py-3 first:pt-0 last:pb-0">
+      {/* Live-session pulse dot */}
+      <span
+        aria-hidden
+        className="pulse-dot"
+        title="Active session"
+      />
+
+      {/* Session detail */}
+      <div className="min-w-0">
+        <div className="flex flex-wrap items-baseline gap-2">
+          <span className="text-[13px]">
+            <span className="font-medium text-[var(--color-foreground)]">
+              {g.actorUserName ?? g.actorUserId}
+            </span>
+            <span className="mx-1.5 text-[var(--color-muted-foreground)]">→</span>
+            <span className="font-medium text-[var(--color-foreground)]">
+              {g.impersonatedUserName ?? g.impersonatedUserId}
+            </span>
+          </span>
+          <Badge variant="brand" className="font-mono uppercase tracking-[0.14em]">
+            Active
+          </Badge>
+        </div>
+        <div className="mt-0.5 truncate font-mono text-[10.5px] text-[var(--color-muted-foreground)]">
+          started {new Date(g.startedAtUtc).toLocaleTimeString()} · expires{" "}
+          {new Date(g.expiresAtUtc).toLocaleTimeString()}
+          {g.reason && <> · {truncate(g.reason, 80)}</>}
+        </div>
+      </div>
+
+      {/* Row actions */}
+      <RowActions
+        canRevoke={canRevoke}
+        // Re-open: operator's own grant + still Active + has start perm.
+        // Closed-browser recovery path — issues a fresh token, leaves
+        // the original grant alive until natural expiry or revoke.
+        canReopen={canReopen}
+        onRevoke={onRevoke}
+        onReopen={onReopen}
+      />
+    </li>
+  );
+}
+
 function RowActions({
   canRevoke,
   canReopen,
diff --git a/clients/admin/src/components/layout/app-shell.tsx b/clients/admin/src/components/layout/app-shell.tsx
index 044cf0f084..4777db39b8 100644
--- a/clients/admin/src/components/layout/app-shell.tsx
+++ b/clients/admin/src/components/layout/app-shell.tsx
@@ -2,65 +2,66 @@ import { Suspense } from "react";
 import { Outlet } from "react-router-dom";
 import { Sidebar } from "@/components/layout/sidebar";
 import { Topbar } from "@/components/layout/topbar";
+import {
+  MobileNavProvider,
+  MobileNavRoot,
+} from "@/components/layout/mobile-nav";
 
 /**
- * AppShell — three-area layout: sidebar / topbar / canvas. The canvas owns
- * the 4px subgrid texture that telegraphs "this is a console." A subtle
- * radial vignette at the top-right adds depth in dark mode without
- * competing with content.
+ * AppShell — three-area layout: sidebar / topbar / main content.
+ *
+ * Structure mirrors the dashboard shell:
+ *   - Desktop sidebar collapses to a 52px icon rail via localStorage state.
+ *   - MobileNavRoot mounts the Sheet drawer; MobileNavTrigger in the Topbar
+ *     opens it on screens below `md`.
+ *   - Suspense boundary in main catches lazy-loaded route chunks.
+ *
+ * Note: admin does not yet have an ImpersonationBanner — the admin app is
+ * the operator surface so it doesn't impersonate itself. If that changes,
+ * add a banner component here that reads from admin's AuthContext.
  */
 export function AppShell() {
   return (
-    <div className="flex h-screen bg-[var(--color-background)] text-[var(--color-foreground)]">
-      {/* Skip link — first focusable element so keyboard/AT users can jump
-          past the sidebar + topbar straight to page content. */}
+    <MobileNavProvider>
+      {/* Skip-to-content link — first focusable element. */}
       <a
         href="#main-content"
-        className="sr-only z-[100] rounded-md bg-[var(--color-foreground)] px-4 py-2 text-sm font-medium text-[var(--color-background)] focus:not-sr-only focus:absolute focus:left-4 focus:top-4 focus:outline-none focus:ring-2 focus:ring-[var(--color-ring)]"
+        className="sr-only z-[100] rounded-md bg-[var(--color-foreground)] px-4 py-2 text-sm font-medium text-[var(--color-background)] focus:not-sr-only focus:fixed focus:left-3 focus:top-3 focus:outline-none focus:ring-2 focus:ring-[var(--color-ring)]"
       >
         Skip to content
       </a>
-      <Sidebar />
-      <div className="flex min-w-0 flex-1 flex-col">
-        <Topbar />
-        <main id="main-content" tabIndex={-1} className="relative flex-1 overflow-auto outline-none">
-          {/* A soft corner vignette only — the canvas-grid texture used to
-              live here too but read as visual noise on dense list surfaces.
-              Login + Dashboard hero still apply canvas-mesh locally where
-              the editorial reading matters. */}
-          <div
-            className="pointer-events-none absolute inset-0"
-            aria-hidden
-            style={{
-              background:
-                "radial-gradient(60rem 28rem at 92% -4%, oklch(from var(--color-accent-signal) l c h / 0.06), transparent 70%)",
-            }}
-          />
-          {/* Container width is full-bleed by default. If a page needs a
-              narrower measure (settings, single-form surfaces), opt into a
-              child wrapper there — never widen here.
 
-              Suspense boundary catches lazy-loaded routes during chunk
-              fetch — fallback is a tiny mono-caps slug rather than a
-              full skeleton, since most chunks are 10–40 KB gzipped and
-              resolve in well under a frame. */}
-          <div className="relative w-full px-6 py-8 lg:px-10">
-            <Suspense
-              fallback={
-                <div
-                  role="status"
-                  className="flex min-h-[40vh] items-center justify-center text-sm font-mono uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]"
-                >
-                  Loading view
-                  <span className="caret text-[var(--color-accent-signal)]" aria-hidden />
-                </div>
-              }
+      <div className="flex h-screen flex-col overflow-hidden bg-[var(--color-background)] text-[var(--color-foreground)]">
+        <div className="flex min-h-0 flex-1">
+          <Sidebar />
+          <div className="flex min-w-0 flex-1 flex-col">
+            <Topbar />
+            <main
+              id="main-content"
+              tabIndex={-1}
+              className="flex-1 overflow-auto p-4 focus:outline-none md:p-6"
             >
-              <Outlet />
-            </Suspense>
+              {/* Suspense boundary catches lazy-loaded route chunks.
+                  Fallback is kept minimal — most chunks resolve quickly. */}
+              <Suspense
+                fallback={
+                  <div
+                    role="status"
+                    className="flex min-h-[40vh] items-center justify-center text-sm text-[var(--color-muted-foreground)]"
+                  >
+                    Loading&hellip;
+                  </div>
+                }
+              >
+                <Outlet />
+              </Suspense>
+            </main>
           </div>
-        </main>
+        </div>
       </div>
-    </div>
+
+      {/* Mobile drawer — mounted at root so it portals above the shell. */}
+      <MobileNavRoot />
+    </MobileNavProvider>
   );
 }
diff --git a/clients/admin/src/components/layout/mobile-nav.tsx b/clients/admin/src/components/layout/mobile-nav.tsx
index 9c16c33044..c055286731 100644
--- a/clients/admin/src/components/layout/mobile-nav.tsx
+++ b/clients/admin/src/components/layout/mobile-nav.tsx
@@ -1,101 +1,169 @@
-import { useEffect, useRef, useState } from "react";
+import {
+  createContext,
+  useCallback,
+  useContext,
+  useEffect,
+  useMemo,
+  useState,
+  type ReactNode,
+} from "react";
 import { useLocation } from "react-router-dom";
-import { Menu, X } from "lucide-react";
-import { SidebarContent } from "@/components/layout/sidebar-content";
+import { Menu } from "lucide-react";
+import {
+  Dialog as Sheet,
+  SheetContent,
+  DialogTitle,
+  DialogDescription,
+} from "@/components/ui/dialog";
+import { SidebarNavBody } from "@/components/layout/sidebar";
+import { findSectionForPath, sections, filterNavSpec } from "@/components/layout/nav-items";
+import { useAuth } from "@/auth/use-auth";
 import { cn } from "@/lib/cn";
+import type { NavSection } from "@/components/layout/nav-items";
 
 /**
- * MobileNav — hamburger trigger + slide-over drawer for screens below `md`.
- * Closes on route change, on Escape, and on backdrop click. The drawer
- * uses the same SidebarContent as the desktop rail so numbering and
- * active-state styling stay identical.
+ * Mobile nav drawer.
+ *
+ * Below `md`, the desktop <Sidebar> is hidden. <MobileNavProvider> mounts
+ * a left-edge Sheet that the Topbar's hamburger triggers. The drawer reuses
+ * <SidebarNavBody> so there is one source of truth for the nav.
+ *
+ * Composition:
+ *   <MobileNavProvider>
+ *     <MobileNavRoot />       ← renders the Sheet (mount once at root)
+ *     <MobileNavTrigger />    ← the hamburger (place in Topbar)
+ *   </MobileNavProvider>
  */
-export function MobileNav() {
+
+type MobileNavContextValue = {
+  open: boolean;
+  setOpen: (next: boolean) => void;
+};
+
+const MobileNavContext = createContext<MobileNavContextValue | null>(null);
+
+export function useMobileNav() {
+  const ctx = useContext(MobileNavContext);
+  if (!ctx) throw new Error("useMobileNav must be used within MobileNavProvider");
+  return ctx;
+}
+
+export function MobileNavProvider({ children }: { children: ReactNode }) {
   const [open, setOpen] = useState(false);
+  const value = useMemo(() => ({ open, setOpen }), [open]);
+  return (
+    <MobileNavContext.Provider value={value}>{children}</MobileNavContext.Provider>
+  );
+}
+
+/**
+ * The Sheet itself — mount once near the root (inside the provider).
+ * Auto-closes on route changes.
+ */
+export function MobileNavRoot() {
+  const { open, setOpen } = useMobileNav();
   const location = useLocation();
-  const buttonRef = useRef<HTMLButtonElement>(null);
+  const { user, permissionsHydrated } = useAuth();
+
+  const granted = permissionsHydrated ? (user?.permissions ?? []) : [];
+  const visibleSections: NavSection[] = useMemo(
+    () =>
+      sections
+        .map((s) => ({ ...s, items: filterNavSpec(s.items, granted) }))
+        .filter((s) => s.items.length > 0),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [granted.join(",")],
+  );
+
+  const [openSection, setOpenSection] = useState<string | null>(() =>
+    findSectionForPath(location.pathname),
+  );
 
-  // Close on route change. We intentionally listen on pathname only — the
-  // search/hash changing shouldn't dismiss the drawer.
   useEffect(() => {
-    setOpen(false);
+    setOpenSection(findSectionForPath(location.pathname));
   }, [location.pathname]);
 
-  // Close on Escape; lock body scroll while open.
+  // Close the drawer on route changes (e.g. browser back/forward).
   useEffect(() => {
-    if (!open) return;
-    // Capture the trigger node now (it's stable) so the cleanup focuses the
-    // right element without reading a possibly-changed ref at teardown.
-    const trigger = buttonRef.current;
-    const onKey = (e: KeyboardEvent) => {
-      if (e.key === "Escape") setOpen(false);
-    };
-    const previousOverflow = document.body.style.overflow;
-    document.body.style.overflow = "hidden";
-    document.addEventListener("keydown", onKey);
-    return () => {
-      document.body.style.overflow = previousOverflow;
-      document.removeEventListener("keydown", onKey);
-      // Return focus to the trigger so the next tap-target is the menu button.
-      trigger?.focus();
-    };
-  }, [open]);
+    setOpen(false);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [location.pathname]);
 
   return (
-    <>
-      <button
-        ref={buttonRef}
-        type="button"
-        onClick={() => setOpen(true)}
-        aria-label="Open navigation"
-        aria-expanded={open}
-        className="inline-flex h-8 w-8 items-center justify-center rounded-md border border-transparent text-[var(--color-muted-foreground)] transition-colors hover:border-[var(--color-border)] hover:text-[var(--color-foreground)] focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] md:hidden"
-      >
-        <Menu className="h-4 w-4" />
-      </button>
-
-      {/* Drawer + backdrop */}
-      <div
-        aria-hidden={!open}
-        className={cn(
-          "fixed inset-0 z-50 md:hidden",
-          open ? "pointer-events-auto" : "pointer-events-none",
-        )}
-      >
-        {/* Backdrop — dim + slight blur. canvas-grid sits under it so the
-            console texture stays continuous through the dim. */}
-        <button
-          type="button"
-          aria-label="Close navigation"
-          onClick={() => setOpen(false)}
-          className={cn(
-            "absolute inset-0 cursor-default bg-[oklch(0_0_0_/_0.55)] backdrop-blur-sm transition-opacity duration-200",
-            open ? "opacity-100" : "opacity-0",
-          )}
-        />
+    <Sheet open={open} onOpenChange={setOpen}>
+      <SheetContent side="left" className="flex flex-col p-0">
+        {/* Radix Dialog requires a Title for the accessible tree. */}
+        <DialogTitle className="sr-only">Primary navigation</DialogTitle>
+        <DialogDescription className="sr-only">
+          Admin sections and account links.
+        </DialogDescription>
 
-        {/* Drawer */}
-        <aside
-          role="dialog"
-          aria-modal="true"
-          aria-label="Navigation"
-          className={cn(
-            "absolute inset-y-0 left-0 flex w-72 max-w-[85vw] flex-col border-r border-[var(--color-border)] bg-[var(--color-surface-2)] shadow-2xl transition-transform duration-300 ease-[var(--ease-out-cubic)]",
-            open ? "translate-x-0" : "-translate-x-full",
-          )}
-        >
-          {/* Close button positioned in the brand row so it doesn't push content */}
-          <button
-            type="button"
-            onClick={() => setOpen(false)}
-            aria-label="Close navigation"
-            className="absolute right-3 top-3 z-10 inline-flex h-8 w-8 items-center justify-center rounded-md text-[var(--color-muted-foreground)] transition-colors hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]"
+        {/* Brand row — matches Topbar height */}
+        <div className="flex h-14 shrink-0 items-center gap-2.5 border-b border-[var(--color-border)] px-4">
+          <span
+            aria-hidden
+            className={cn(
+              "brand-mark grid h-7 w-7 place-items-center rounded-md shrink-0",
+              "text-[11px] font-bold tracking-tight text-[var(--color-primary-foreground)]",
+              "shadow-[0_1px_0_oklch(1_0_0_/_0.18)_inset,0_4px_14px_-4px_oklch(from_var(--color-primary)_l_c_h_/_0.45)]",
+            )}
           >
-            <X className="h-4 w-4" />
-          </button>
-          <SidebarContent onNavigate={() => setOpen(false)} />
-        </aside>
-      </div>
-    </>
+            F
+          </span>
+          <div className="flex flex-col">
+            <span className="whitespace-nowrap font-display text-[15px] font-bold leading-none tracking-tight text-[var(--color-foreground)]">
+              fullstack<span className="text-[var(--color-primary)]">hero</span>
+            </span>
+            <span className="mt-0.5 text-[10px] font-semibold uppercase tracking-wider text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+              Admin
+            </span>
+          </div>
+        </div>
+
+        <SidebarNavBody
+          collapsed={false}
+          openSection={openSection}
+          setOpenSection={setOpenSection}
+          visibleSections={visibleSections}
+          onNavigate={() => setOpen(false)}
+        />
+
+        <div className="border-t border-[var(--color-border)] px-5 py-3">
+          <p className="font-mono text-[10.5px] uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+            v0.1 · admin
+          </p>
+        </div>
+      </SheetContent>
+    </Sheet>
   );
 }
+
+/**
+ * Hamburger trigger — `md:hidden`. Place in the Topbar.
+ */
+export function MobileNavTrigger({ className }: { className?: string }) {
+  const { setOpen } = useMobileNav();
+  const onClick = useCallback(() => setOpen(true), [setOpen]);
+  return (
+    <button
+      type="button"
+      aria-label="Open navigation menu"
+      onClick={onClick}
+      className={cn(
+        "grid h-9 w-9 cursor-pointer place-items-center rounded-md md:hidden",
+        "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+        "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+        "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+        className,
+      )}
+    >
+      <Menu className="h-4 w-4" aria-hidden />
+    </button>
+  );
+}
+
+/**
+ * @deprecated Use MobileNavTrigger + MobileNavProvider + MobileNavRoot instead.
+ * Kept only for any lingering direct usages of the old <MobileNav />.
+ */
+export { MobileNavTrigger as MobileNav };
diff --git a/clients/admin/src/components/layout/nav-items.ts b/clients/admin/src/components/layout/nav-items.ts
index 0afda68aaf..c31223454c 100644
--- a/clients/admin/src/components/layout/nav-items.ts
+++ b/clients/admin/src/components/layout/nav-items.ts
@@ -4,6 +4,7 @@ import {
   LayoutDashboard,
   Receipt,
   ScrollText,
+  Settings,
   ShieldCheck,
   UserCog,
   UsersRound,
@@ -17,28 +18,147 @@ import {
   MultitenancyPermissions,
 } from "@/lib/permissions";
 
-export type NavItem = {
+/** A single nav destination — label, route, icon, optional perm guard. */
+export type NavSpec = {
   to: string;
   label: string;
   icon: LucideIcon;
-  /** Sub-path prefix that should also light this nav item. */
-  matchPrefix?: string;
-  /**
-   * Permissions the user must hold to see this item in the sidebar. Mirrors
-   * the route's RouteGuard exactly — if the user can't reach the page they
-   * shouldn't see the link. Omit (or pass []) for surfaces every signed-in
-   * user can hit (Overview, Health).
-   */
+  /** One or more permissions the user must hold to see this item. */
   perms?: readonly string[];
 };
 
-/**
- * Primary navigation. Shared between the desktop sidebar and the mobile
- * drawer so the magazine-table-of-contents numbering stays consistent.
- *
- * Per-entry `perms` are kept in lockstep with routes.tsx — see useVisibleNavItems
- * for the filtering. If a route's gating changes, update both places.
- */
+/** A collapsible section that groups related NavSpecs. */
+export type NavSection = {
+  id: string;
+  caption: string;
+  icon: LucideIcon;
+  items: NavSpec[];
+};
+
+// ─── Top-level singletons ────────────────────────────────────────────────────
+
+export const topNavTop: NavSpec[] = [
+  { to: "/", label: "Overview", icon: LayoutDashboard },
+];
+
+export const topNavBottom: NavSpec[] = [
+  { to: "/settings", label: "Settings", icon: Settings },
+];
+
+// ─── Section accordions ──────────────────────────────────────────────────────
+
+export const sections: NavSection[] = [
+  {
+    id: "multitenancy",
+    caption: "Tenants",
+    icon: Building2,
+    items: [
+      {
+        to: "/tenants",
+        label: "Tenants",
+        icon: Building2,
+        perms: [MultitenancyPermissions.Tenants.View],
+      },
+    ],
+  },
+  {
+    id: "identity",
+    caption: "Identity",
+    icon: UsersRound,
+    items: [
+      {
+        to: "/users",
+        label: "Users",
+        icon: UsersRound,
+        perms: [IdentityPermissions.Users.View],
+      },
+      {
+        to: "/roles",
+        label: "Roles",
+        icon: ShieldCheck,
+        perms: [IdentityPermissions.Roles.View],
+      },
+      {
+        to: "/impersonation",
+        label: "Impersonation",
+        icon: UserCog,
+        perms: [IdentityPermissions.Impersonation.View],
+      },
+    ],
+  },
+  {
+    id: "operations",
+    caption: "Operations",
+    icon: Activity,
+    items: [
+      {
+        to: "/billing",
+        label: "Billing",
+        icon: Receipt,
+        perms: [BillingPermissions.View],
+      },
+      {
+        to: "/webhooks",
+        label: "Webhooks",
+        icon: Webhook,
+      },
+      {
+        to: "/audits",
+        label: "Audits",
+        icon: ScrollText,
+        perms: [AuditingPermissions.AuditTrails.View],
+      },
+      {
+        to: "/health",
+        label: "Health",
+        icon: Activity,
+      },
+    ],
+  },
+];
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/** Find the section id whose items contain the given path (best prefix match). */
+export function findSectionForPath(pathname: string): string | null {
+  let bestId: string | null = null;
+  let bestLen = 0;
+  for (const s of sections) {
+    for (const item of s.items) {
+      if (
+        (item.to === "/" && pathname === "/") ||
+        (item.to !== "/" && pathname.startsWith(item.to))
+      ) {
+        if (item.to.length > bestLen) {
+          bestLen = item.to.length;
+          bestId = s.id;
+        }
+      }
+    }
+  }
+  return bestId;
+}
+
+/** Returns true when the given NavSpec is the active route. */
+export function isNavItemActive(item: NavSpec, pathname: string): boolean {
+  if (item.to === "/") return pathname === "/";
+  return pathname === item.to || pathname.startsWith(`${item.to}/`);
+}
+
+/** Filter nav items (and sections) based on granted permissions. */
+export function filterNavSpec(items: NavSpec[], granted: readonly string[]): NavSpec[] {
+  return items.filter((item) => {
+    if (!item.perms || item.perms.length === 0) return true;
+    return item.perms.every((p) => granted.includes(p));
+  });
+}
+
+// ── Legacy flat export (used by sidebar-content & permission gating elsewhere) ──
+
+/** @deprecated Use sections / topNavTop / topNavBottom instead. */
+export type NavItem = NavSpec & { matchPrefix?: string };
+
+/** @deprecated Flat list kept only for call-sites still importing NAV_ITEMS. */
 export const NAV_ITEMS: NavItem[] = [
   { to: "/", label: "Overview", icon: LayoutDashboard },
   {
@@ -92,13 +212,7 @@ export const NAV_ITEMS: NavItem[] = [
   { to: "/health", label: "Health", icon: Activity, matchPrefix: "/health" },
 ];
 
-export function isNavItemActive(item: NavItem, pathname: string): boolean {
-  if (item.matchPrefix) {
-    return pathname === item.matchPrefix || pathname.startsWith(`${item.matchPrefix}/`);
-  }
-  return pathname === item.to;
-}
-
+/** @deprecated Use filterNavSpec instead. */
 export function filterNavItems(items: NavItem[], grantedPermissions: readonly string[]): NavItem[] {
   return items.filter((item) => {
     if (!item.perms || item.perms.length === 0) return true;
diff --git a/clients/admin/src/components/layout/sidebar-content.tsx b/clients/admin/src/components/layout/sidebar-content.tsx
index 819e3c6a88..54af66d4cc 100644
--- a/clients/admin/src/components/layout/sidebar-content.tsx
+++ b/clients/admin/src/components/layout/sidebar-content.tsx
@@ -1,96 +1,8 @@
-import { useMemo } from "react";
-import { NavLink, useLocation } from "react-router-dom";
-import { BrandMark } from "@/components/brand-mark";
-import { NAV_ITEMS, filterNavItems, isNavItemActive } from "@/components/layout/nav-items";
-import { useAuth } from "@/auth/use-auth";
-import { cn } from "@/lib/cn";
-
-type SidebarContentProps = {
-  /** Optional click hook — used by the mobile drawer to close on navigate. */
-  onNavigate?: () => void;
-};
-
 /**
- * SidebarContent — the inner nav layout shared between the desktop Sidebar
- * and the mobile drawer. Magazine TOC numbering (01, 02, …), chartreuse
- * active-rail on the left of the selected entry, mono footer kicker.
+ * sidebar-content.tsx — compatibility shim.
+ *
+ * The sidebar's nav body now lives in sidebar.tsx as <SidebarNavBody>.
+ * This file is kept so any lingering imports (e.g. tests) don't break.
+ * Mobile nav uses <SidebarNavBody> directly.
  */
-export function SidebarContent({ onNavigate }: SidebarContentProps) {
-  const location = useLocation();
-  const { user, permissionsHydrated } = useAuth();
-  // Render the unfiltered list while permissions are still loading so the
-  // sidebar doesn't flash empty on cold-start. Filter once they're known.
-  const items = useMemo(() => {
-    if (!permissionsHydrated) return NAV_ITEMS;
-    return filterNavItems(NAV_ITEMS, user?.permissions ?? []);
-  }, [permissionsHydrated, user?.permissions]);
-  return (
-    <div className="flex h-full flex-col">
-      {/* Brand block */}
-      <div className="flex h-14 items-center border-b border-[var(--color-border)] px-5">
-        <BrandMark />
-      </div>
-
-      {/* Section marker */}
-      <div className="px-5 pt-5">
-        <div className="meta text-[var(--color-muted-foreground)]">// Navigation</div>
-      </div>
-
-      {/* Nav */}
-      <nav className="flex-1 overflow-y-auto px-3 py-3" aria-label="Primary">
-        <ul className="space-y-0.5">
-          {items.map((item, idx) => {
-            const isActive = isNavItemActive(item, location.pathname);
-            const indexLabel = String(idx + 1).padStart(2, "0");
-            const Icon = item.icon;
-            return (
-              <li key={item.to}>
-                <NavLink
-                  to={item.to}
-                  end={item.to === "/"}
-                  onClick={onNavigate}
-                  className={cn(
-                    "group relative flex items-center gap-3 rounded-md px-3 py-2 text-sm font-medium transition-colors",
-                    isActive
-                      ? "bg-[var(--color-accent)] text-[var(--color-foreground)]"
-                      : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
-                  )}
-                >
-                  <span
-                    aria-hidden
-                    className={cn(
-                      "absolute left-0 top-1.5 bottom-1.5 w-[3px] rounded-r-sm transition-opacity",
-                      isActive
-                        ? "bg-[var(--color-accent-signal)] opacity-100"
-                        : "bg-[var(--color-accent-signal)] opacity-0",
-                    )}
-                  />
-                  <span className="font-mono text-[10.5px] font-medium tracking-tight text-[var(--color-muted-foreground)] tabular-nums">
-                    {indexLabel}
-                  </span>
-                  <Icon
-                    className={cn(
-                      "h-4 w-4 transition-colors",
-                      isActive
-                        ? "text-[var(--color-foreground)]"
-                        : "text-[var(--color-muted-foreground)] group-hover:text-[var(--color-foreground)]",
-                    )}
-                  />
-                  <span className="font-medium">{item.label}</span>
-                </NavLink>
-              </li>
-            );
-          })}
-        </ul>
-      </nav>
-
-      {/* Footer credit */}
-      <div className="border-t border-[var(--color-border)] px-5 py-4">
-        <div className="meta text-[var(--color-muted-foreground)]">v0.1 · console</div>
-        <div className="mt-1 font-mono text-[10.5px] text-[var(--color-muted-foreground)] leading-relaxed">
-          platform · administration · interface
-        </div>
-      </div>
-    </div>
-  );
-}
+export { SidebarNavBody as SidebarContent } from "@/components/layout/sidebar";
diff --git a/clients/admin/src/components/layout/sidebar.tsx b/clients/admin/src/components/layout/sidebar.tsx
index e5e8259fe6..ce3e5aba82 100644
--- a/clients/admin/src/components/layout/sidebar.tsx
+++ b/clients/admin/src/components/layout/sidebar.tsx
@@ -1,14 +1,423 @@
-import { SidebarContent } from "@/components/layout/sidebar-content";
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { NavLink, useLocation } from "react-router-dom";
+import { ChevronDown, PanelLeftClose, PanelLeftOpen } from "lucide-react";
+import { cn } from "@/lib/cn";
+import { useAuth } from "@/auth/use-auth";
+import {
+  findSectionForPath,
+  filterNavSpec,
+  sections,
+  topNavBottom,
+  topNavTop,
+  type NavSection,
+  type NavSpec,
+} from "@/components/layout/nav-items";
+
+const COLLAPSED_KEY = "fsh.admin.sidebar.collapsed";
+
+/** Persisted collapsed state, reads localStorage on mount. */
+function useCollapsedSidebar() {
+  const [collapsed, setRaw] = useState<boolean>(() => {
+    if (typeof window === "undefined") return false;
+    try {
+      return window.localStorage.getItem(COLLAPSED_KEY) === "true";
+    } catch {
+      return false;
+    }
+  });
+  const setCollapsed = useCallback((next: boolean) => {
+    setRaw(next);
+    try {
+      window.localStorage.setItem(COLLAPSED_KEY, String(next));
+    } catch {
+      /* storage unavailable */
+    }
+  }, []);
+  return { collapsed, toggle: () => setCollapsed(!collapsed) };
+}
 
-/**
- * Sidebar — desktop-only fixed-width rail. Below `md` the AppShell mounts
- * <MobileNav /> instead, which uses the same <SidebarContent /> in a
- * slide-over drawer.
- */
 export function Sidebar() {
+  const { collapsed, toggle } = useCollapsedSidebar();
+  const location = useLocation();
+  const { user, permissionsHydrated } = useAuth();
+
+  // Permission-filtered sections
+  const granted = permissionsHydrated ? (user?.permissions ?? []) : [];
+  const visibleSections: NavSection[] = useMemo(
+    () =>
+      sections
+        .map((s) => ({ ...s, items: filterNavSpec(s.items, granted) }))
+        .filter((s) => s.items.length > 0),
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [granted.join(",")],
+  );
+
+  // Single-select accordion: which section is currently open.
+  const [openSection, setOpenSection] = useState<string | null>(() =>
+    findSectionForPath(location.pathname),
+  );
+
+  // Re-sync the open section on every route change.
+  useEffect(() => {
+    const next = findSectionForPath(location.pathname);
+    setOpenSection(next);
+  }, [location.pathname]);
+
   return (
-    <aside className="hidden w-64 shrink-0 border-r border-[var(--color-border)] bg-[var(--color-surface-2)] md:flex md:flex-col">
-      <SidebarContent />
+    <aside
+      data-collapsed={collapsed || undefined}
+      aria-label="Primary navigation"
+      className={cn(
+        "hidden shrink-0 flex-col border-r border-[var(--color-border)]",
+        "bg-[oklch(from_var(--color-card)_l_c_h_/_0.85)] backdrop-blur-xl backdrop-saturate-150 md:flex",
+        "transition-[width] duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+        collapsed ? "w-[52px]" : "w-[220px]",
+      )}
+    >
+      {/* Brand row */}
+      <div
+        className={cn(
+          "flex h-14 shrink-0 items-center border-b border-[var(--color-border)]",
+          collapsed ? "justify-center px-0" : "justify-between px-4",
+        )}
+      >
+        <div className={cn("flex items-center", collapsed ? "" : "gap-2.5")}>
+          <span
+            aria-hidden
+            className={cn(
+              "brand-mark grid size-8 place-items-center rounded-lg shrink-0",
+              "font-display text-[12px] font-bold text-[var(--color-primary-foreground)]",
+            )}
+          >
+            F
+          </span>
+          {!collapsed && (
+            <div className="flex flex-col">
+              <span className="whitespace-nowrap font-display text-[15px] font-bold leading-none tracking-tight text-[var(--color-foreground)]">
+                fullstack<span className="text-[var(--color-primary)]">hero</span>
+              </span>
+              <span className="mt-1 text-[10px] font-semibold uppercase tracking-wider text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+                Admin
+              </span>
+            </div>
+          )}
+        </div>
+
+        {!collapsed && (
+          <button
+            type="button"
+            onClick={toggle}
+            aria-label="Collapse sidebar"
+            aria-expanded={!collapsed}
+            title="Collapse sidebar"
+            className={cn(
+              "grid h-7 w-7 shrink-0 cursor-pointer place-items-center rounded-md",
+              "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+              "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+              "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+            )}
+          >
+            <PanelLeftClose className="h-4 w-4" aria-hidden />
+          </button>
+        )}
+      </div>
+
+      <SidebarNavBody
+        collapsed={collapsed}
+        openSection={openSection}
+        setOpenSection={setOpenSection}
+        visibleSections={visibleSections}
+      />
+
+      {/* Footer */}
+      <div
+        className={cn(
+          "border-t border-[var(--color-border)]",
+          collapsed ? "flex justify-center p-2" : "px-5 py-3",
+        )}
+      >
+        {collapsed ? (
+          <button
+            type="button"
+            onClick={toggle}
+            aria-label="Expand sidebar"
+            aria-expanded={false}
+            title="Expand sidebar"
+            className={cn(
+              "grid h-7 w-7 shrink-0 cursor-pointer place-items-center rounded-md",
+              "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+              "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+              "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+            )}
+          >
+            <PanelLeftOpen className="h-4 w-4" aria-hidden />
+          </button>
+        ) : (
+          <p className="font-mono text-[10.5px] uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+            v0.1 · admin
+          </p>
+        )}
+      </div>
     </aside>
   );
 }
+
+// ─────────────────────────────────────────────────────────────────────────────
+// SidebarNavBody — the nav (top singletons + section accordions + bottom).
+// Extracted so the desktop Sidebar and the mobile drawer share one source.
+// ─────────────────────────────────────────────────────────────────────────────
+
+export function SidebarNavBody({
+  collapsed,
+  openSection,
+  setOpenSection,
+  visibleSections,
+  onNavigate,
+}: {
+  collapsed: boolean;
+  openSection: string | null;
+  setOpenSection: React.Dispatch<React.SetStateAction<string | null>>;
+  visibleSections: NavSection[];
+  /** Called after a nav item click — used by the mobile sheet to close itself. */
+  onNavigate?: () => void;
+}) {
+  return (
+    <nav
+      className="flex-1 space-y-1.5 overflow-y-auto overflow-x-clip px-2.5 py-3.5"
+      aria-label="Primary"
+    >
+      {/* Top-level singletons: Overview */}
+      <div className="space-y-0.5">
+        {topNavTop.map((item) => (
+          <NavItemLink
+            key={item.to}
+            item={item}
+            collapsed={collapsed}
+            indent={false}
+            onNavigate={onNavigate}
+          />
+        ))}
+      </div>
+
+      {/* Section accordions (expanded mode) */}
+      {!collapsed && (
+        <div className="space-y-1.5 pt-1.5">
+          {visibleSections.map((section) => (
+            <AccordionSection
+              key={section.id}
+              section={section}
+              isOpen={openSection === section.id}
+              onToggle={() =>
+                setOpenSection((cur) => (cur === section.id ? null : section.id))
+              }
+              onNavigate={onNavigate}
+            />
+          ))}
+        </div>
+      )}
+
+      {/* Collapsed mode — flat icon stack with thin dividers between sections. */}
+      {collapsed && (
+        <div className="space-y-1 pt-1.5">
+          {visibleSections.map((section, idx) => (
+            <div key={section.id}>
+              {idx > 0 && (
+                <div
+                  aria-hidden
+                  className="mx-2 my-2 h-px bg-[var(--color-border)]"
+                />
+              )}
+              <div className="space-y-0.5">
+                {section.items.map((item) => (
+                  <NavItemLink
+                    key={item.to}
+                    item={item}
+                    collapsed
+                    indent={false}
+                    onNavigate={onNavigate}
+                  />
+                ))}
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+
+      {/* Bottom singletons: Settings */}
+      <div className="space-y-0.5 pt-1.5">
+        {topNavBottom.map((item) => (
+          <NavItemLink
+            key={item.to}
+            item={item}
+            collapsed={collapsed}
+            indent={false}
+            onNavigate={onNavigate}
+          />
+        ))}
+      </div>
+    </nav>
+  );
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// AccordionSection
+// ─────────────────────────────────────────────────────────────────────────────
+
+function AccordionSection({
+  section,
+  isOpen,
+  onToggle,
+  onNavigate,
+}: {
+  section: NavSection;
+  isOpen: boolean;
+  onToggle: () => void;
+  onNavigate?: () => void;
+}) {
+  const SectionIcon = section.icon;
+  return (
+    <div
+      className={cn(
+        "rounded-lg",
+        "transition-[background-color,border-color,box-shadow,padding] duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+        isOpen
+          ? "border border-[var(--color-border)] bg-[var(--color-muted)] p-1.5"
+          : "border border-transparent p-0",
+      )}
+    >
+      <button
+        type="button"
+        onClick={onToggle}
+        aria-expanded={isOpen}
+        aria-controls={`nav-section-${section.id}`}
+        className={cn(
+          "flex h-9 w-full cursor-pointer items-center gap-3 rounded-md px-3",
+          "text-left text-sm font-medium",
+          "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+          "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          isOpen
+            ? "text-[var(--color-foreground)]"
+            : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+        )}
+      >
+        <SectionIcon className="h-4 w-4 shrink-0" aria-hidden />
+        <span className="flex-1 truncate">{section.caption}</span>
+        <ChevronDown
+          aria-hidden
+          className={cn(
+            "h-3.5 w-3.5 shrink-0 transition-transform duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+            isOpen
+              ? "rotate-180 text-[var(--color-foreground)]"
+              : "rotate-0 text-[var(--color-muted-foreground)]",
+          )}
+        />
+      </button>
+
+      {/* Animated open/close via grid-template-rows trick */}
+      <div
+        id={`nav-section-${section.id}`}
+        className={cn(
+          "grid",
+          "transition-[grid-template-rows,margin-top] duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+          isOpen ? "mt-1 grid-rows-[1fr]" : "mt-0 grid-rows-[0fr]",
+        )}
+      >
+        <div className="min-h-0 overflow-hidden">
+          <div
+            aria-hidden={!isOpen}
+            className={cn(
+              "space-y-0.5",
+              "transition-opacity ease-[var(--ease-out-cubic)]",
+              isOpen
+                ? "opacity-100 duration-[var(--duration-default)] delay-[80ms]"
+                : "opacity-0 duration-[var(--duration-fast)]",
+            )}
+          >
+            {section.items.map((item) => (
+              <NavItemLink
+                key={item.to}
+                item={item}
+                collapsed={false}
+                indent
+                onNavigate={onNavigate}
+              />
+            ))}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// NavItemLink — used for top-level singletons, accordion children, and
+// collapsed-mode icon stacks.
+// ─────────────────────────────────────────────────────────────────────────────
+
+function NavItemLink({
+  item,
+  collapsed,
+  onNavigate,
+}: {
+  item: NavSpec;
+  collapsed: boolean;
+  /** Reserved for layout variants — not yet used but kept in the call-site API. */
+  indent?: boolean;
+  onNavigate?: () => void;
+}) {
+  const Icon = item.icon;
+  return (
+    <NavLink
+      to={item.to}
+      end={item.to === "/"}
+      title={collapsed ? item.label : undefined}
+      aria-label={collapsed ? item.label : undefined}
+      onClick={onNavigate}
+      className={({ isActive }) =>
+        cn(
+          "group/nav relative flex h-9 items-center gap-3 rounded-md text-sm font-medium",
+          "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+          "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          isActive
+            ? "bg-[var(--color-primary-soft)] text-[var(--color-primary)]"
+            : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+          collapsed ? "justify-center px-0" : "px-3",
+        )
+      }
+    >
+      {({ isActive }) => (
+        <>
+          {/* 2px brand bar for active item */}
+          <span
+            aria-hidden
+            className={cn(
+              "absolute left-0 top-1/2 h-4 w-0.5 -translate-y-1/2 rounded-r-full bg-[var(--color-primary)]",
+              "transition-opacity duration-[var(--duration-default)]",
+              isActive ? "opacity-100" : "opacity-0",
+            )}
+          />
+
+          <Icon className="h-4 w-4 shrink-0" aria-hidden />
+
+          {!collapsed && <span className="whitespace-nowrap">{item.label}</span>}
+
+          {/* Tooltip in collapsed mode */}
+          {collapsed && (
+            <span
+              role="tooltip"
+              className={cn(
+                "pointer-events-none absolute left-full top-1/2 z-50 ml-3 -translate-y-1/2 whitespace-nowrap",
+                "rounded-md border border-[var(--color-border)] bg-[var(--color-popover)] px-2 py-1",
+                "text-xs text-[var(--color-popover-foreground)] shadow-[var(--shadow-md)]",
+                "opacity-0 transition-opacity duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+                "group-hover/nav:opacity-100 group-focus-visible/nav:opacity-100",
+              )}
+            >
+              {item.label}
+            </span>
+          )}
+        </>
+      )}
+    </NavLink>
+  );
+}
diff --git a/clients/admin/src/components/layout/topbar.tsx b/clients/admin/src/components/layout/topbar.tsx
index a92884b431..31359e5db0 100644
--- a/clients/admin/src/components/layout/topbar.tsx
+++ b/clients/admin/src/components/layout/topbar.tsx
@@ -1,108 +1,342 @@
-import { Link, useLocation } from "react-router-dom";
-import { LogOut, Settings } from "lucide-react";
-import { Button } from "@/components/ui/button";
-import { ThemeToggle } from "@/components/theme/theme-toggle";
-import { MobileNav } from "@/components/layout/mobile-nav";
+import { useState } from "react";
+import { useNavigate } from "react-router-dom";
+import {
+  Check,
+  ChevronsUpDown,
+  LogOut,
+  Moon,
+  Settings as SettingsIcon,
+  Sun,
+  UserRound,
+} from "lucide-react";
+import { MobileNavTrigger } from "@/components/layout/mobile-nav";
 import { NotificationBell } from "@/components/notifications/notification-bell";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogBody,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuLabel,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+import { Avatar } from "@/components/ui/avatar";
 import { useAuth } from "@/auth/use-auth";
+import { useTheme } from "@/components/theme/theme-provider";
+import { cn } from "@/lib/cn";
 
-/**
- * Topbar — section breadcrumb + tenant indicator + theme toggle + account.
- *
- * The breadcrumb is derived from the URL so it tracks deep routes
- * (/billing/invoices/123 → BILLING / INVOICES / 123) without needing route
- * declarations to carry display metadata. The tenant indicator has a
- * blinking caret because this is, after all, a console.
- */
-export function Topbar() {
-  const { user, logout } = useAuth();
-  const location = useLocation();
-  const crumbs = breadcrumbFromPath(location.pathname);
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
 
+/** Up-to-2-char initials from a display name. */
+function initialsOf(name?: string | null): string {
+  if (!name) return "U";
+  const parts = name
+    .split(/\s+/)
+    .filter((w) => w.length > 0 && !w.endsWith("."));
+  if (parts.length === 0) return name[0]?.toUpperCase() ?? "U";
+  return parts
+    .map((w) => w[0])
+    .join("")
+    .slice(0, 2)
+    .toUpperCase();
+}
+
+function ThemeMenuItem({
+  icon: Icon,
+  label,
+  active,
+  onSelect,
+}: {
+  icon: React.ComponentType<{ className?: string }>;
+  label: string;
+  active: boolean;
+  onSelect: () => void;
+}) {
   return (
-    <header className="relative flex h-14 shrink-0 items-center justify-between gap-4 border-b border-[var(--color-border)] bg-[var(--color-background)] px-4 md:px-6">
-      {/* Left — mobile menu trigger + section breadcrumb */}
-      <div className="flex min-w-0 items-center gap-3">
-        <MobileNav />
-        <span className="meta hidden text-[var(--color-muted-foreground)] sm:inline">{"//"}</span>
-        <ol className="flex min-w-0 items-center gap-1.5 truncate font-mono text-[11px] uppercase tracking-[var(--tracking-meta)]">
-          {crumbs.map((crumb, i) => {
-            const last = i === crumbs.length - 1;
-            return (
-              <li key={`${crumb}-${i}`} className="flex shrink-0 items-center gap-1.5">
-                <span
-                  className={
-                    last
-                      ? "text-[var(--color-foreground)]"
-                      : "text-[var(--color-muted-foreground)]"
-                  }
-                >
-                  {crumb}
-                </span>
-                {!last && (
-                  <span className="text-[var(--color-muted-foreground)]/60" aria-hidden>
-                    /
-                  </span>
-                )}
-              </li>
-            );
-          })}
-        </ol>
-      </div>
-
-      {/* Right — tenant indicator + theme toggle + account */}
-      <div className="flex items-center gap-4">
-        <TenantIndicator tenant={user?.tenant} />
-        <div className="hidden text-right md:block">
-          <div className="text-sm font-medium leading-tight">
-            {user?.name ?? user?.email ?? "Unknown"}
-          </div>
-          {user?.email && user.name && (
-            <div className="font-mono text-[10.5px] text-[var(--color-muted-foreground)] leading-tight">
-              {user.email}
-            </div>
-          )}
-        </div>
-        <div className="flex items-center gap-1.5">
-          <NotificationBell />
-          <Button asChild variant="ghost" size="icon" aria-label="Settings">
-            <Link to="/settings/profile">
-              <Settings className="h-4 w-4" />
-            </Link>
-          </Button>
-          <ThemeToggle />
-          <Button variant="ghost" size="sm" onClick={logout} aria-label="Sign out">
-            <LogOut className="h-4 w-4" />
-            <span className="sr-only md:not-sr-only">Sign out</span>
-          </Button>
-        </div>
-      </div>
-    </header>
+    <DropdownMenuItem
+      onSelect={onSelect}
+      className="!my-0 flex cursor-pointer items-center gap-2.5 rounded-md !px-2.5 !py-1.5"
+    >
+      <Icon className="size-3.5 shrink-0 text-[var(--color-muted-foreground)]" />
+      <span className="flex-1 text-[12.5px] font-medium text-[var(--color-foreground)]">
+        {label}
+      </span>
+      {active && (
+        <Check className="size-3.5 shrink-0 text-[var(--color-primary)]" aria-hidden />
+      )}
+    </DropdownMenuItem>
   );
 }
 
-function TenantIndicator({ tenant }: { tenant?: string }) {
+function SimpleMenuItem({
+  icon: Icon,
+  label,
+  onSelect,
+}: {
+  icon: React.ComponentType<{ className?: string }>;
+  label: string;
+  onSelect: () => void;
+}) {
+  return (
+    <DropdownMenuItem
+      onSelect={onSelect}
+      className="!my-0 flex cursor-pointer items-center gap-2.5 rounded-md !px-2.5 !py-1.5"
+    >
+      <Icon className="size-3.5 shrink-0 text-[var(--color-muted-foreground)]" />
+      <span className="text-[12.5px] font-medium text-[var(--color-foreground)]">
+        {label}
+      </span>
+    </DropdownMenuItem>
+  );
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// TenantChip — tenant indicator in the topbar right zone.
+// ─────────────────────────────────────────────────────────────────────────────
+
+function TenantChip({ tenant }: { tenant?: string }) {
   return (
     <div
-      className="hidden items-center gap-2 rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] px-2.5 py-1 md:inline-flex"
+      className="hidden items-center gap-2 rounded-md border border-[var(--color-border)] bg-[var(--color-muted)] px-2.5 py-1 md:inline-flex"
       title="Active tenant"
     >
-      <span className="pulse-dot" aria-hidden />
-      <span className="meta text-[var(--color-muted-foreground)]">tenant</span>
+      <span
+        aria-hidden
+        className="inline-flex h-1.5 w-1.5 rounded-full bg-[var(--color-success)]"
+        style={{ color: "var(--color-success)" }}
+      />
+      <span className="font-mono text-[10px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+        tenant
+      </span>
       <span className="font-mono text-[12px] font-medium tracking-tight text-[var(--color-foreground)]">
         {tenant ?? "—"}
-        <span className="caret text-[var(--color-accent-signal)]" aria-hidden />
       </span>
     </div>
   );
 }
 
-// ─── helpers ─────────────────────────────────────────────────────────
+// ─────────────────────────────────────────────────────────────────────────────
+// Topbar
+// ─────────────────────────────────────────────────────────────────────────────
+
+export function Topbar() {
+  const { user, logout } = useAuth();
+  const { theme, setTheme } = useTheme();
+  const navigate = useNavigate();
+  const [confirmOpen, setConfirmOpen] = useState(false);
+
+  const onConfirmSignOut = () => {
+    setConfirmOpen(false);
+    logout();
+  };
 
-function breadcrumbFromPath(pathname: string): string[] {
-  if (pathname === "/" || pathname === "") return ["OVERVIEW"];
-  return pathname
-    .split("/")
-    .filter(Boolean)
-    .map((segment) => decodeURIComponent(segment).toUpperCase());
+  return (
+    <header
+      className={cn(
+        "sticky top-0 z-30 flex h-14 shrink-0 items-center gap-2",
+        "border-b border-[var(--color-border)] bg-[oklch(from_var(--color-background)_l_c_h_/_0.8)]",
+        "px-3 backdrop-blur-sm md:px-5",
+      )}
+    >
+      {/* Mobile nav trigger — leading edge on small screens */}
+      <MobileNavTrigger />
+
+      {/* Spacer pushes right-side actions to the trailing edge */}
+      <div className="flex-1" />
+
+      {/* Tenant chip */}
+      <TenantChip tenant={user?.tenant} />
+
+      {/* Notification bell */}
+      <NotificationBell />
+
+      {/* User dropdown — `modal={false}` so the sign-out confirmation
+          Dialog doesn't deadlock pointer-events via nested modals. */}
+      <DropdownMenu modal={false}>
+        <DropdownMenuTrigger asChild>
+          <button
+            type="button"
+            aria-label="Open profile menu"
+            className={cn(
+              "group flex cursor-pointer items-center gap-2.5 rounded-lg py-1 pl-1 pr-2 outline-none",
+              "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+              "hover:bg-[var(--color-accent)]",
+              "focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+              "data-[state=open]:bg-[var(--color-accent)]",
+            )}
+          >
+          {/* Square initials tile */}
+          <span
+            aria-hidden
+            className={cn(
+              "grid size-8 shrink-0 place-items-center rounded-lg",
+              "bg-[oklch(from_var(--color-primary)_l_c_h_/_0.15)] text-[var(--color-primary)]",
+              "font-display text-[11px] font-bold tracking-tight",
+            )}
+          >
+            {initialsOf(user?.name ?? user?.email)}
+          </span>
+          {/* Name + tenant — desktop only */}
+          <div className="hidden min-w-0 text-left md:block">
+            <p className="truncate text-[12px] font-medium leading-none text-[var(--color-foreground)]">
+              {user?.name ?? user?.email ?? "Unknown"}
+            </p>
+            <p className="mt-1 truncate text-[10px] leading-none text-[var(--color-muted-foreground)]">
+              {user?.tenant ?? "—"}
+            </p>
+          </div>
+          <ChevronsUpDown
+            className={cn(
+              "size-3.5 shrink-0 text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]",
+              "transition-colors duration-[var(--duration-fast)]",
+              "group-hover:text-[var(--color-muted-foreground)]",
+            )}
+            aria-hidden
+          />
+          </button>
+        </DropdownMenuTrigger>
+
+        <DropdownMenuContent align="end" sideOffset={6} className="w-[240px] p-0">
+          {/* User info header */}
+          <div className="px-3 py-2.5">
+            <p className="truncate text-[12px] font-semibold text-[var(--color-foreground)]">
+              {user?.name ?? user?.email ?? "Unknown"}
+            </p>
+            {user?.email && user.name && (
+              <p className="mt-0.5 truncate text-[10.5px] text-[var(--color-muted-foreground)]">
+                {user.email}
+              </p>
+            )}
+            {user?.tenant && (
+              <div className="mt-1.5 flex items-center gap-1.5">
+                <span
+                  aria-hidden
+                  className="inline-flex h-1.5 w-1.5 rounded-full bg-[var(--color-success)]"
+                />
+                <span className="text-[10px] text-[var(--color-muted-foreground)]">
+                  {user.tenant}
+                </span>
+              </div>
+            )}
+          </div>
+
+          <DropdownMenuSeparator className="!my-0" />
+
+          {/* Theme */}
+          <DropdownMenuLabel className="px-3 pt-2 pb-1 text-[10px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+            Theme
+          </DropdownMenuLabel>
+          <div className="px-1 pb-1">
+            <ThemeMenuItem
+              icon={Sun}
+              label="Light"
+              active={theme === "light"}
+              onSelect={() => setTheme("light")}
+            />
+            <ThemeMenuItem
+              icon={Moon}
+              label="Dark"
+              active={theme === "dark"}
+              onSelect={() => setTheme("dark")}
+            />
+          </div>
+
+          <DropdownMenuSeparator className="!my-0" />
+
+          {/* Account quick actions */}
+          <DropdownMenuLabel className="px-3 pt-2 pb-1 text-[10px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+            Account
+          </DropdownMenuLabel>
+          <div className="px-1 pb-1">
+            <SimpleMenuItem
+              icon={UserRound}
+              label="Profile"
+              onSelect={() => navigate("/settings/profile")}
+            />
+            <SimpleMenuItem
+              icon={SettingsIcon}
+              label="Settings"
+              onSelect={() => navigate("/settings")}
+            />
+          </div>
+
+          <DropdownMenuSeparator className="!my-0" />
+
+          {/* Sign out */}
+          <div className="px-1 py-1">
+            <DropdownMenuItem
+              destructive
+              onSelect={() => setConfirmOpen(true)}
+              className="!my-0 cursor-pointer rounded-md !px-2.5 !py-1.5"
+            >
+              <LogOut className="size-3.5" />
+              <span className="text-[12.5px] font-medium">Sign out</span>
+            </DropdownMenuItem>
+          </div>
+        </DropdownMenuContent>
+      </DropdownMenu>
+
+      {/* Sign-out confirmation dialog */}
+      <Dialog open={confirmOpen} onOpenChange={setConfirmOpen}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>Sign out of FullStackHero?</DialogTitle>
+            <DialogDescription>
+              You'll need to sign in again to access this admin. Any unsaved
+              work in this session will be lost.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogBody>
+            <div className="flex items-center gap-3 rounded-md border border-[var(--color-border)] bg-[var(--color-muted)] px-3 py-2.5">
+              <Avatar name={user?.name ?? user?.email ?? "?"} size="md" />
+              <div className="min-w-0 flex-1">
+                <div className="truncate text-sm font-medium tracking-tight">
+                  {user?.name ?? user?.email ?? "Unknown"}
+                </div>
+                {user?.email && user.name && (
+                  <div className="truncate text-xs text-[var(--color-muted-foreground)]">
+                    {user.email}
+                  </div>
+                )}
+              </div>
+              {user?.tenant && (
+                <code className="rounded bg-[var(--color-muted)] px-1.5 py-0.5 font-mono text-[11px]">
+                  {user.tenant}
+                </code>
+              )}
+            </div>
+          </DialogBody>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              size="sm"
+              onClick={() => setConfirmOpen(false)}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              size="sm"
+              onClick={onConfirmSignOut}
+              autoFocus
+            >
+              <LogOut className="mr-1.5 h-3.5 w-3.5" />
+              Sign out
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+    </header>
+  );
 }
diff --git a/clients/admin/src/components/list/entity-page-header.tsx b/clients/admin/src/components/list/entity-page-header.tsx
new file mode 100644
index 0000000000..a6aecee23f
--- /dev/null
+++ b/clients/admin/src/components/list/entity-page-header.tsx
@@ -0,0 +1,61 @@
+import * as React from "react";
+import type { LucideIcon } from "lucide-react";
+import { ToneIconTile, type ToneIconTileTone } from "./tone-icon-tile";
+
+// ───────────────────────────────────────────────────────────────────────
+//  EntityPageHeader — tone-tinted icon tile + Outfit title + count chip
+//  + description on the left, action buttons on the right.
+//  Replaces the dashboard-divergent FormShell page-title area with the
+//  unified header rhythm used across the dashboard app.
+// ───────────────────────────────────────────────────────────────────────
+
+export function EntityPageHeader({
+  icon,
+  title,
+  tone = "primary",
+  total,
+  unit = "item",
+  description,
+  children,
+}: {
+  icon: LucideIcon;
+  title: React.ReactNode;
+  /** Icon tile tone. Defaults to `primary`.
+   *  Pick `saffron` / `info` / etc. for pages where the rose tile
+   *  fights the page's own accent. */
+  tone?: ToneIconTileTone;
+  total?: number | null;
+  unit?: string;
+  description?: React.ReactNode;
+  /** Action buttons rendered on the right (stack full-width on mobile). */
+  children?: React.ReactNode;
+}) {
+  return (
+    <div className="flex flex-col gap-3 sm:flex-row sm:items-end sm:justify-between">
+      <div className="flex items-start gap-3.5">
+        <ToneIconTile icon={icon} tone={tone} size="lg" />
+        <div className="min-w-0">
+          <div className="flex items-baseline gap-2">
+            <h1 className="font-display text-display-page font-semibold tracking-tight text-[var(--color-foreground)]">
+              {title}
+            </h1>
+            {total !== undefined && total !== null && (
+              <span className="font-mono text-[11px] text-[var(--color-muted-foreground)]">
+                {total} {total === 1 ? unit : `${unit}s`}
+              </span>
+            )}
+          </div>
+          {description && (
+            <p className="mt-0.5 text-[13px] text-[var(--color-muted-foreground)]">
+              {description}
+            </p>
+          )}
+        </div>
+      </div>
+
+      {children && (
+        <div className="flex w-full gap-2 sm:w-auto">{children}</div>
+      )}
+    </div>
+  );
+}
diff --git a/clients/admin/src/components/list/index.ts b/clients/admin/src/components/list/index.ts
index 7b281cea27..707fa5cdc2 100644
--- a/clients/admin/src/components/list/index.ts
+++ b/clients/admin/src/components/list/index.ts
@@ -7,3 +7,8 @@ export { Select, type SelectOption } from "./select";
 export { LoadingRow } from "./loading";
 export { FilterBar } from "./filter-bar";
 export { FormShell, FormSection, FormActions } from "./form-shell";
+// ── Phase-2 unified design-system primitives ──────────────────────────
+export { ToneIconTile, type ToneIconTileTone, type ToneIconTileSize } from "./tone-icon-tile";
+export { EntityPageHeader } from "./entity-page-header";
+export { SettingsSection } from "./settings-section";
+export { SettingsField } from "./settings-field";
diff --git a/clients/admin/src/components/list/settings-field.tsx b/clients/admin/src/components/list/settings-field.tsx
new file mode 100644
index 0000000000..cd68375284
--- /dev/null
+++ b/clients/admin/src/components/list/settings-field.tsx
@@ -0,0 +1,37 @@
+import * as React from "react";
+import { Label } from "@/components/ui/label";
+
+// ───────────────────────────────────────────────────────────────────────
+//  SettingsField — lightweight label wrapper used inside SettingsSection
+//  body grids. Renders an uppercase tracked label above its child control.
+//  Use the existing `Field` component when you need aria-invalid wiring,
+//  error messages, or hint text; use SettingsField when the section
+//  already supplies context and you just need the label rhythm.
+//
+//  Usage:
+//    <SettingsField id="first-name" label="First name">
+//      <Input id="first-name" … />
+//    </SettingsField>
+// ───────────────────────────────────────────────────────────────────────
+
+export function SettingsField({
+  id,
+  label,
+  children,
+}: {
+  id: string;
+  label: string;
+  children: React.ReactNode;
+}) {
+  return (
+    <div>
+      <Label
+        htmlFor={id}
+        className="mb-1.5 block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+      >
+        {label}
+      </Label>
+      {children}
+    </div>
+  );
+}
diff --git a/clients/admin/src/components/list/settings-section.tsx b/clients/admin/src/components/list/settings-section.tsx
new file mode 100644
index 0000000000..b1dee5c506
--- /dev/null
+++ b/clients/admin/src/components/list/settings-section.tsx
@@ -0,0 +1,67 @@
+import * as React from "react";
+import type { LucideIcon } from "lucide-react";
+import { cn } from "@/lib/cn";
+
+// ───────────────────────────────────────────────────────────────────────
+//  SettingsSection — compact section card with header bar, body, and
+//  optional footer bar. Replaces the 18rem-aside FormSection layout with
+//  a dashboard-style card: icon + title + description in a header stripe,
+//  content in a padded body, optional action row in a footer stripe.
+//
+//  Usage:
+//    <SettingsSection title="Identity" icon={UserCircle2} description="…"
+//      footer={<Button>Save</Button>}>
+//      {children}
+//    </SettingsSection>
+// ───────────────────────────────────────────────────────────────────────
+
+export function SettingsSection({
+  title,
+  icon: Icon,
+  description,
+  footer,
+  className,
+  children,
+}: {
+  title?: string;
+  icon?: LucideIcon;
+  description?: React.ReactNode;
+  footer?: React.ReactNode;
+  className?: string;
+  children: React.ReactNode;
+}) {
+  return (
+    <section
+      className={cn(
+        "overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)]",
+        "shadow-xs",
+        className,
+      )}
+    >
+      {title && (
+        <div className="border-b border-[oklch(from_var(--color-border)_l_c_h_/_0.5)] px-5 py-3">
+          <h2 className="flex items-center gap-2 text-[13px] font-semibold text-[var(--color-foreground)]">
+            {Icon && (
+              <Icon
+                aria-hidden
+                className="size-3.5 text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]"
+              />
+            )}
+            {title}
+          </h2>
+          {description && (
+            <p className="mt-1 text-[12px] text-[var(--color-muted-foreground)]">
+              {description}
+            </p>
+          )}
+        </div>
+      )}
+      <div className="px-5 py-5">{children}</div>
+      {footer && (
+        <div className="border-t border-[oklch(from_var(--color-border)_l_c_h_/_0.5)] px-5 py-3">
+          {footer}
+        </div>
+      )}
+    </section>
+  );
+}
diff --git a/clients/admin/src/components/list/tone-icon-tile.tsx b/clients/admin/src/components/list/tone-icon-tile.tsx
new file mode 100644
index 0000000000..509bcb0b2d
--- /dev/null
+++ b/clients/admin/src/components/list/tone-icon-tile.tsx
@@ -0,0 +1,75 @@
+import type { LucideIcon } from "lucide-react";
+import { cn } from "@/lib/cn";
+
+// ───────────────────────────────────────────────────────────────────────
+//  ToneIconTile — tone-tinted icon square.
+//  A rounded tile with a 10%-alpha background fill, a 22%-alpha inset
+//  ring, and an icon in the tone's full colour.
+//
+//  Usage:
+//    <ToneIconTile icon={Package} tone="primary" size="lg" />
+//
+//  All seven semantic tones are supported. The default (`primary` / `lg`)
+//  matches `EntityPageHeader`'s tile so the page header stays visually
+//  identical when refactored to use this primitive directly.
+// ───────────────────────────────────────────────────────────────────────
+
+export type ToneIconTileTone =
+  | "primary"
+  | "saffron"
+  | "success"
+  | "warning"
+  | "destructive"
+  | "info"
+  | "muted";
+
+export type ToneIconTileSize = "sm" | "md" | "lg";
+
+const TONE_VAR: Record<ToneIconTileTone, string> = {
+  primary:     "--color-primary",
+  saffron:     "--color-saffron",
+  success:     "--color-success",
+  warning:     "--color-warning",
+  destructive: "--color-destructive",
+  info:        "--color-info",
+  muted:       "--color-muted-foreground",
+};
+
+const SIZE_MAP: Record<ToneIconTileSize, { tile: string; icon: string; radius: string }> = {
+  sm: { tile: "size-7",  icon: "size-3.5", radius: "rounded-md" },
+  md: { tile: "size-9",  icon: "size-4",   radius: "rounded-lg" },
+  lg: { tile: "size-10", icon: "size-5",   radius: "rounded-xl" },
+};
+
+export function ToneIconTile({
+  icon: Icon,
+  tone = "primary",
+  size = "lg",
+  className,
+}: {
+  icon: LucideIcon;
+  tone?: ToneIconTileTone;
+  size?: ToneIconTileSize;
+  className?: string;
+}) {
+  const dims = SIZE_MAP[size];
+  const v = TONE_VAR[tone];
+  return (
+    <span
+      aria-hidden
+      className={cn(
+        "grid shrink-0 place-items-center",
+        dims.tile,
+        dims.radius,
+        className,
+      )}
+      style={{
+        backgroundColor: `oklch(from var(${v}) l c h / 0.10)`,
+        boxShadow: `inset 0 0 0 1px oklch(from var(${v}) l c h / 0.22)`,
+        color: `var(${v})`,
+      }}
+    >
+      <Icon className={dims.icon} />
+    </span>
+  );
+}
diff --git a/clients/admin/src/components/roles/create-role-dialog.tsx b/clients/admin/src/components/roles/create-role-dialog.tsx
new file mode 100644
index 0000000000..95fb0628f7
--- /dev/null
+++ b/clients/admin/src/components/roles/create-role-dialog.tsx
@@ -0,0 +1,165 @@
+import { useNavigate } from "react-router-dom";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+import { Shield } from "lucide-react";
+import { toast } from "sonner";
+import { upsertRole, type RoleDto } from "@/api/roles";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Field } from "@/components/list";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogDescription,
+  DialogBody,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import { ApiRequestError } from "@/lib/api-client";
+
+// ─── Schema (identical to the old create page) ───────────────────────────────
+
+const schema = z.object({
+  name: z
+    .string()
+    .trim()
+    .min(2, "At least 2 characters.")
+    .max(64, "Keep under 64 characters."),
+  description: z.string().trim().max(256, "Keep under 256 characters.").optional(),
+});
+
+type FormValues = z.infer<typeof schema>;
+
+// ─── Dialog ───────────────────────────────────────────────────────────────────
+
+export function CreateRoleDialog({
+  open,
+  onOpenChange,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+}) {
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors, isSubmitting },
+  } = useForm<FormValues>({
+    resolver: zodResolver(schema),
+    defaultValues: { name: "", description: "" },
+  });
+
+  const mutation = useMutation<RoleDto, Error, FormValues>({
+    // Pass values via mutate(arg) — no closed-over state captured at submit time.
+    mutationFn: (values) =>
+      upsertRole({
+        id: "",
+        name: values.name,
+        description: values.description?.trim() ? values.description : null,
+      }),
+    onSuccess: (result) => {
+      toast.success(`Role ${result.name} created`);
+      queryClient.invalidateQueries({ queryKey: ["roles"] });
+      handleClose();
+      navigate(`/roles/${result.id}`);
+    },
+    onError: (err) => {
+      const detail =
+        err instanceof ApiRequestError
+          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          : err.message;
+      toast.error("Create failed", { description: detail });
+    },
+  });
+
+  function handleClose() {
+    reset();
+    onOpenChange(false);
+  }
+
+  const onSubmit = handleSubmit((values) => mutation.mutate(values));
+  const submitting = isSubmitting || mutation.isPending;
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(o) => {
+        if (!o) handleClose();
+        else onOpenChange(true);
+      }}
+    >
+      <DialogContent size="md">
+        {/* ── Header ── */}
+        <DialogHeader>
+          <div className="flex items-center gap-3">
+            <span
+              aria-hidden
+              className="relative grid h-9 w-9 shrink-0 place-items-center overflow-hidden rounded-xl
+                bg-[oklch(from_var(--color-primary)_l_c_h_/_0.12)]
+                text-[var(--color-primary)]
+                ring-1 ring-inset ring-[oklch(from_var(--color-primary)_l_c_h_/_0.18)]"
+            >
+              <Shield className="h-[18px] w-[18px]" />
+            </span>
+            <div className="min-w-0">
+              <DialogTitle className="text-[16px]">New role</DialogTitle>
+            </div>
+          </div>
+          <DialogDescription className="mt-1">
+            Create a role, then grant it permissions on its detail page. The role name is what shows
+            up in user role assignments — choose something descriptive.
+          </DialogDescription>
+        </DialogHeader>
+
+        {/* ── Form ── */}
+        <form onSubmit={onSubmit}>
+          <DialogBody className="space-y-4">
+            <Field id="cr-name" label="Name" required error={errors.name?.message}>
+              <Input
+                id="cr-name"
+                placeholder="Support agent"
+                autoComplete="off"
+                aria-invalid={errors.name ? true : undefined}
+                {...register("name")}
+              />
+            </Field>
+            <Field
+              id="cr-description"
+              label="Description"
+              hint="Optional. Plain English explaining what this role is for."
+              error={errors.description?.message}
+            >
+              <Input
+                id="cr-description"
+                placeholder="Inbound support · read-only on billing"
+                aria-invalid={errors.description ? true : undefined}
+                {...register("description")}
+              />
+            </Field>
+          </DialogBody>
+
+          {/* ── Footer ── */}
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={handleClose}
+              disabled={submitting}
+            >
+              Cancel
+            </Button>
+            <Button type="submit" disabled={submitting}>
+              {submitting ? "Saving…" : "Create role"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/clients/admin/src/components/tenants/create-tenant-dialog.tsx b/clients/admin/src/components/tenants/create-tenant-dialog.tsx
new file mode 100644
index 0000000000..44032cc637
--- /dev/null
+++ b/clients/admin/src/components/tenants/create-tenant-dialog.tsx
@@ -0,0 +1,324 @@
+import { useNavigate } from "react-router-dom";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+import {
+  Building2,
+  Database,
+  KeyRound,
+  UserRound,
+  Sparkles,
+} from "lucide-react";
+import { toast } from "sonner";
+import { createTenant } from "@/api/tenants";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Field } from "@/components/list";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogDescription,
+  DialogBody,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import { ApiRequestError } from "@/lib/api-client";
+
+// ─── Schema (identical to the old page) ─────────────────────────────────────
+
+const TENANT_ID_RE = /^[a-z0-9][a-z0-9-]{1,62}[a-z0-9]$/;
+
+const schema = z.object({
+  id: z
+    .string()
+    .trim()
+    .regex(
+      TENANT_ID_RE,
+      "Lowercase letters, digits, hyphens. 3–64 chars. No leading/trailing hyphen.",
+    ),
+  name: z.string().trim().min(2, "At least 2 characters.").max(128),
+  adminEmail: z.string().trim().email("Enter a valid email."),
+  adminPassword: z
+    .string()
+    .min(8, "At least 8 characters.")
+    .max(128, "Maximum 128 characters."),
+  issuer: z.string().trim().min(2, "Required.").max(256),
+  connectionString: z.string().trim().max(2048).optional(),
+});
+
+type FormValues = z.infer<typeof schema>;
+
+// ─── Section header (inline, no card — we're inside the dialog already) ─────
+
+function SectionLabel({
+  icon: Icon,
+  title,
+  description,
+}: {
+  icon: React.ComponentType<{ className?: string; "aria-hidden"?: boolean | "true" }>;
+  title: string;
+  description: string;
+}) {
+  return (
+    <div className="flex items-start gap-2.5 pb-1">
+      <span
+        aria-hidden
+        className="mt-0.5 grid h-6 w-6 shrink-0 place-items-center rounded-md bg-[var(--color-accent)] text-[var(--color-muted-foreground)]"
+      >
+        <Icon className="h-3.5 w-3.5" aria-hidden />
+      </span>
+      <div className="min-w-0">
+        <p className="text-[12.5px] font-semibold text-[var(--color-foreground)]">{title}</p>
+        <p className="text-[11.5px] leading-relaxed text-[var(--color-muted-foreground)]">
+          {description}
+        </p>
+      </div>
+    </div>
+  );
+}
+
+// ─── Dialog ──────────────────────────────────────────────────────────────────
+
+export function CreateTenantDialog({
+  open,
+  onOpenChange,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+}) {
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors, isSubmitting },
+  } = useForm<FormValues>({
+    resolver: zodResolver(schema),
+    defaultValues: {
+      id: "",
+      name: "",
+      adminEmail: "",
+      adminPassword: "",
+      issuer: "",
+      connectionString: "",
+    },
+  });
+
+  const mutation = useMutation({
+    // Pass values via mutate(arg) — no closed-over state captured at submit time.
+    mutationFn: (values: FormValues) =>
+      createTenant({
+        id: values.id,
+        name: values.name,
+        adminEmail: values.adminEmail,
+        adminPassword: values.adminPassword,
+        issuer: values.issuer,
+        connectionString: values.connectionString?.trim() ? values.connectionString : null,
+      }),
+    onSuccess: (result) => {
+      toast.success(`Tenant ${result.id} created`, {
+        description:
+          "Provisioning runs in the background. Track progress on the detail page.",
+      });
+      queryClient.invalidateQueries({ queryKey: ["tenants"] });
+      handleClose();
+      navigate(`/tenants/${result.id}`);
+    },
+    onError: (err) => {
+      const detail =
+        err instanceof ApiRequestError
+          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          : (err as Error).message;
+      toast.error("Create failed", { description: detail });
+    },
+  });
+
+  function handleClose() {
+    reset();
+    onOpenChange(false);
+  }
+
+  const onSubmit = handleSubmit((values) => mutation.mutate(values));
+  const submitting = isSubmitting || mutation.isPending;
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(o) => {
+        if (!o) handleClose();
+        else onOpenChange(true);
+      }}
+    >
+      <DialogContent size="lg">
+        {/* ── Header ── */}
+        <DialogHeader>
+          <div className="flex items-center gap-3">
+            {/* Icon badge — geometric accent tile */}
+            <span
+              aria-hidden
+              className="relative grid h-9 w-9 shrink-0 place-items-center overflow-hidden rounded-xl
+                bg-[oklch(from_var(--color-primary)_l_c_h_/_0.12)]
+                text-[var(--color-primary)]
+                ring-1 ring-inset ring-[oklch(from_var(--color-primary)_l_c_h_/_0.18)]"
+            >
+              <Building2 className="h-[18px] w-[18px]" />
+              {/* Subtle sparkle accent — top-right corner */}
+              <Sparkles
+                className="absolute right-0.5 top-0.5 h-2.5 w-2.5 opacity-40"
+              />
+            </span>
+            <div className="min-w-0">
+              <DialogTitle className="text-[16px]">New tenant</DialogTitle>
+            </div>
+          </div>
+          <DialogDescription className="mt-1">
+            Provision a new tenant and its seed admin user. The identifier is the
+            URL-safe slug used in subdomain-like routing and JWT claims.
+          </DialogDescription>
+        </DialogHeader>
+
+        {/* ── Form ── */}
+        <form onSubmit={onSubmit}>
+          <DialogBody className="space-y-6">
+            {/* ── Identity section ── */}
+            <div className="space-y-3">
+              <SectionLabel
+                icon={UserRound}
+                title="Identity"
+                description="How the tenant is named on the platform. The identifier is immutable."
+              />
+              {/* Ruled separator */}
+              <div className="h-px bg-[var(--color-border)] opacity-60" />
+              <div className="grid gap-4 sm:grid-cols-2">
+                <Field
+                  id="ct-id"
+                  label="Identifier"
+                  required
+                  hint="Lowercase letters, digits, and hyphens. 3–64 characters."
+                  error={errors.id?.message}
+                >
+                  <Input
+                    id="ct-id"
+                    autoComplete="off"
+                    placeholder="acme-corp"
+                    className="font-mono"
+                    {...register("id")}
+                  />
+                </Field>
+
+                <Field
+                  id="ct-name"
+                  label="Display name"
+                  required
+                  error={errors.name?.message}
+                >
+                  <Input
+                    id="ct-name"
+                    placeholder="Acme Corp"
+                    {...register("name")}
+                  />
+                </Field>
+
+                <Field
+                  id="ct-adminEmail"
+                  label="Admin email"
+                  required
+                  error={errors.adminEmail?.message}
+                >
+                  <Input
+                    id="ct-adminEmail"
+                    type="email"
+                    placeholder="admin@acme.example"
+                    className="font-mono"
+                    {...register("adminEmail")}
+                  />
+                </Field>
+
+                <Field
+                  id="ct-adminPassword"
+                  label="Initial admin password"
+                  required
+                  hint="The first admin signs in with this. They can rotate it after first login."
+                  error={errors.adminPassword?.message}
+                >
+                  <Input
+                    id="ct-adminPassword"
+                    type="password"
+                    autoComplete="new-password"
+                    placeholder="Min 8 characters"
+                    {...register("adminPassword")}
+                  />
+                </Field>
+              </div>
+            </div>
+
+            {/* ── Security section ── */}
+            <div className="space-y-3">
+              <SectionLabel
+                icon={KeyRound}
+                title="Security"
+                description="JWT issuer claim emitted by tokens for this tenant. Used to scope sessions."
+              />
+              <div className="h-px bg-[var(--color-border)] opacity-60" />
+              <Field
+                id="ct-issuer"
+                label="JWT issuer"
+                required
+                error={errors.issuer?.message}
+              >
+                <Input
+                  id="ct-issuer"
+                  placeholder="acme-corp.issuer"
+                  className="font-mono"
+                  {...register("issuer")}
+                />
+              </Field>
+            </div>
+
+            {/* ── Database section ── */}
+            <div className="space-y-3">
+              <SectionLabel
+                icon={Database}
+                title="Database"
+                description="Optional dedicated connection string. Leave blank to share the default database."
+              />
+              <div className="h-px bg-[var(--color-border)] opacity-60" />
+              <Field
+                id="ct-connectionString"
+                label="Connection string"
+                hint="Optional. Leave blank to use the shared catalog."
+                error={errors.connectionString?.message}
+              >
+                <Input
+                  id="ct-connectionString"
+                  placeholder="Host=…;Database=…"
+                  className="font-mono"
+                  {...register("connectionString")}
+                />
+              </Field>
+            </div>
+          </DialogBody>
+
+          {/* ── Footer ── */}
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={handleClose}
+              disabled={submitting}
+            >
+              Cancel
+            </Button>
+            <Button type="submit" disabled={submitting}>
+              {submitting ? "Provisioning…" : "Create tenant"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/clients/admin/src/components/tenants/tenant-branding-card.tsx b/clients/admin/src/components/tenants/tenant-branding-card.tsx
index e01cff6498..6d25b4aaa1 100644
--- a/clients/admin/src/components/tenants/tenant-branding-card.tsx
+++ b/clients/admin/src/components/tenants/tenant-branding-card.tsx
@@ -5,13 +5,7 @@ import { Loader2, Palette, RotateCcw, Save } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Badge } from "@/components/ui/badge";
-import {
-  ErrorBand,
-  Field,
-  FormSection,
-  FormShell,
-  LoadingRow,
-} from "@/components/list";
+import { ErrorBand, Field, LoadingRow, SettingsSection } from "@/components/list";
 import {
   DEFAULT_DARK_PALETTE,
   DEFAULT_LIGHT_PALETTE,
@@ -87,24 +81,21 @@ export function TenantBrandingCard({ tenantId }: { tenantId: string }) {
 
   if (themeQuery.isLoading) {
     return (
-      <FormShell>
-        <FormSection
-          title="Branding"
-          description="Operator-controlled colors + brand assets that drive this tenant's UI."
-        >
-          <LoadingRow label="Loading branding" />
-        </FormSection>
-      </FormShell>
+      <SettingsSection
+        title="Branding"
+        icon={Palette}
+        description="Operator-controlled colors + brand assets that drive this tenant's UI."
+      >
+        <LoadingRow label="Loading branding" />
+      </SettingsSection>
     );
   }
 
   if (themeQuery.isError) {
     return (
-      <FormShell>
-        <FormSection title="Branding" description="">
-          <ErrorBand message={apiErr(themeQuery.error)} />
-        </FormSection>
-      </FormShell>
+      <SettingsSection title="Branding" icon={Palette}>
+        <ErrorBand message={apiErr(themeQuery.error)} />
+      </SettingsSection>
     );
   }
 
@@ -120,53 +111,21 @@ export function TenantBrandingCard({ tenantId }: { tenantId: string }) {
   const onAssets = (next: Partial<BrandAssetsDto>) =>
     setDraft((d) => (d ? { ...d, brandAssets: { ...d.brandAssets, ...next } } : d));
 
-  return (
-    <FormShell>
-      <FormSection
-        title="Branding"
-        description={
-          <span className="flex flex-wrap items-center gap-2">
-            <Palette className="h-3.5 w-3.5 text-[var(--color-accent-signal)]" />
-            <span>
-              Theme tokens consumed by this tenant's apps (admin + dashboard)
-              on sign-in. Live preview shows how the primary action would render.
-            </span>
-            {draft.isDefault && !dirty && (
-              <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
-                default
-              </Badge>
-            )}
-            {dirty && (
-              <Badge variant="warning" className="font-mono uppercase tracking-[0.14em]">
-                unsaved
-              </Badge>
-            )}
-          </span>
-        }
-      >
-        <div className="space-y-6">
-          <ThemePreview palette={draft.lightPalette} label="Light preview" />
-
-          <div className="grid gap-6 lg:grid-cols-2">
-            <PaletteEditor
-              title="Light palette"
-              palette={draft.lightPalette}
-              onChange={onLight}
-              defaults={DEFAULT_LIGHT_PALETTE}
-            />
-            <PaletteEditor
-              title="Dark palette"
-              palette={draft.darkPalette}
-              onChange={onDark}
-              defaults={DEFAULT_DARK_PALETTE}
-            />
-          </div>
-
-          <BrandAssetsEditor assets={draft.brandAssets} onChange={onAssets} />
-        </div>
-      </FormSection>
-
-      <div className="flex flex-wrap items-center justify-end gap-2 border-t border-[var(--color-border)] px-6 py-3">
+  const footer = (
+    <div className="flex flex-wrap items-center justify-between gap-2">
+      <div className="flex items-center gap-2">
+        {draft.isDefault && !dirty && (
+          <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
+            default
+          </Badge>
+        )}
+        {dirty && (
+          <Badge variant="warning" className="font-mono uppercase tracking-[0.14em]">
+            unsaved
+          </Badge>
+        )}
+      </div>
+      <div className="flex items-center gap-2">
         <Button
           type="button"
           variant="ghost"
@@ -191,7 +150,37 @@ export function TenantBrandingCard({ tenantId }: { tenantId: string }) {
           {saveMutation.isPending ? "Saving…" : "Save branding"}
         </Button>
       </div>
-    </FormShell>
+    </div>
+  );
+
+  return (
+    <SettingsSection
+      title="Branding"
+      icon={Palette}
+      description="Theme tokens consumed by this tenant's apps on sign-in. Live preview reflects the primary action with the chosen palette."
+      footer={footer}
+    >
+      <div className="space-y-6">
+        <ThemePreview palette={draft.lightPalette} label="Light preview" />
+
+        <div className="grid gap-5 lg:grid-cols-2">
+          <PaletteEditor
+            title="Light palette"
+            palette={draft.lightPalette}
+            onChange={onLight}
+            defaults={DEFAULT_LIGHT_PALETTE}
+          />
+          <PaletteEditor
+            title="Dark palette"
+            palette={draft.darkPalette}
+            onChange={onDark}
+            defaults={DEFAULT_DARK_PALETTE}
+          />
+        </div>
+
+        <BrandAssetsEditor assets={draft.brandAssets} onChange={onAssets} />
+      </div>
+    </SettingsSection>
   );
 }
 
@@ -223,18 +212,21 @@ function PaletteEditor({
   defaults: PaletteDto;
 }) {
   return (
-    <div className="space-y-3 rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-4">
-      <div className="flex items-center justify-between">
-        <h4 className="text-sm font-medium tracking-tight">{title}</h4>
+    <div className="overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-surface-2)]">
+      <div className="flex items-center justify-between border-b border-[oklch(from_var(--color-border)_l_c_h_/_0.5)] px-4 py-2.5">
+        <h4 className="text-[12.5px] font-semibold tracking-tight text-[var(--color-foreground)]">
+          {title}
+        </h4>
         <button
           type="button"
-          className="meta text-[var(--color-muted-foreground)] underline-offset-4 hover:text-[var(--color-foreground)] hover:underline"
+          className="inline-flex items-center gap-1 rounded-md px-2 py-1 text-[11px] font-medium text-[var(--color-muted-foreground)] transition-colors hover:bg-[var(--color-muted)] hover:text-[var(--color-foreground)]"
           onClick={() => onChange(defaults)}
         >
-          // reset this palette
+          <RotateCcw className="h-2.5 w-2.5" aria-hidden />
+          Reset palette
         </button>
       </div>
-      <div className="grid gap-2 sm:grid-cols-2">
+      <div className="grid gap-2 p-4 sm:grid-cols-2">
         {PALETTE_FIELDS.map(({ key, label }) => (
           <ColorRow
             key={key}
@@ -259,11 +251,12 @@ function ColorRow({
 }) {
   const valid = /^#[0-9a-f]{6}$/i.test(value);
   return (
-    <div className="flex items-center gap-2">
+    <div className="flex items-center gap-2.5">
+      {/* Color chip — clicking opens the native color picker */}
       <label
-        className="grid h-8 w-8 shrink-0 cursor-pointer place-items-center rounded-md ring-1 ring-inset ring-[var(--color-border)]"
+        className="relative grid h-8 w-8 shrink-0 cursor-pointer place-items-center overflow-hidden rounded-lg shadow-sm ring-1 ring-inset ring-[var(--color-border)]"
         style={{ backgroundColor: valid ? value : undefined }}
-        title={`Edit ${label}`}
+        title={`Pick ${label} color`}
       >
         <input
           type="color"
@@ -273,8 +266,8 @@ function ColorRow({
           aria-label={`${label} color`}
         />
       </label>
-      <div className="flex-1">
-        <div className="font-mono text-[10px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
+      <div className="min-w-0 flex-1">
+        <div className="mb-0.5 text-[10px] font-semibold uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
           {label}
         </div>
         <Input
@@ -285,7 +278,7 @@ function ColorRow({
           maxLength={9}
           className={cn(
             "h-7 px-2 font-mono text-[11.5px]",
-            !valid && "border-[var(--color-destructive)]/60",
+            !valid && "border-[var(--color-destructive)]/60 focus-visible:ring-[var(--color-destructive)]/40",
           )}
         />
       </div>
@@ -305,13 +298,17 @@ function BrandAssetsEditor({
   onChange: (next: Partial<BrandAssetsDto>) => void;
 }) {
   return (
-    <div className="space-y-3 rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-4">
-      <h4 className="text-sm font-medium tracking-tight">Brand assets</h4>
-      <p className="text-xs leading-relaxed text-[var(--color-muted-foreground)]">
-        URLs to your hosted brand assets. For uploads, host the file via the
-        Files module first and paste the resulting public URL here.
-      </p>
-      <div className="space-y-3">
+    <div className="overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-surface-2)]">
+      <div className="border-b border-[oklch(from_var(--color-border)_l_c_h_/_0.5)] px-4 py-2.5">
+        <h4 className="text-[12.5px] font-semibold tracking-tight text-[var(--color-foreground)]">
+          Brand assets
+        </h4>
+        <p className="mt-0.5 text-[11.5px] leading-relaxed text-[var(--color-muted-foreground)]">
+          URLs to your hosted brand assets. Upload via the Files module first,
+          then paste the resulting public URL here.
+        </p>
+      </div>
+      <div className="space-y-4 p-4">
         <AssetField
           id="logo-url"
           label="Logo URL"
@@ -374,7 +371,7 @@ function AssetField({
             onError={(e) => {
               (e.currentTarget as HTMLImageElement).style.display = "none";
             }}
-            className="h-9 w-9 shrink-0 rounded-md object-contain ring-1 ring-inset ring-[var(--color-border)] bg-[var(--color-background)]"
+            className="h-9 w-9 shrink-0 rounded-lg object-contain ring-1 ring-inset ring-[var(--color-border)] bg-[var(--color-background)]"
           />
         )}
       </div>
@@ -383,70 +380,98 @@ function AssetField({
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-// Live preview swatch
+// Live preview — shows how primary-action buttons + surface tokens render
 // ─────────────────────────────────────────────────────────────────────────
 
 function ThemePreview({ palette, label }: { palette: PaletteDto; label: string }) {
   return (
     <div
-      className="rounded-md border border-[var(--color-border)] p-4"
-      style={{ backgroundColor: palette.background, color: palette.secondary }}
+      className="overflow-hidden rounded-xl border border-[var(--color-border)]"
+      style={{ backgroundColor: palette.background }}
     >
-      <div className="meta mb-3 opacity-70">// {label}</div>
+      {/* Preview header bar */}
       <div
-        className="rounded-md p-4"
-        style={{ backgroundColor: palette.surface }}
+        className="flex items-center justify-between border-b px-4 py-2"
+        style={{
+          borderColor: `${palette.surface}55`,
+          backgroundColor: palette.surface,
+        }}
       >
-        <div className="mb-3 flex items-center justify-between gap-2">
-          <span
-            className="text-sm font-semibold"
-            style={{ color: palette.secondary }}
-          >
-            Sample tenant page
-          </span>
-          <span
-            className="rounded-full px-2 py-0.5 text-[10px] uppercase tracking-[0.14em]"
-            style={{ backgroundColor: palette.success, color: palette.surface }}
-          >
-            active
-          </span>
-        </div>
-        <p
-          className="mb-3 text-[12.5px] leading-relaxed"
-          style={{ color: palette.secondary, opacity: 0.75 }}
+        <span
+          className="text-[11px] font-semibold uppercase tracking-[0.12em] opacity-60"
+          style={{ color: palette.secondary }}
         >
-          A short paragraph rendered with the chosen body color over the chosen
-          surface, on the chosen page background. Action buttons use the primary token.
-        </p>
-        <div className="flex flex-wrap gap-2">
-          <span
-            className="rounded-md px-3 py-1.5 text-xs font-medium"
-            style={{ backgroundColor: palette.primary, color: palette.surface }}
-          >
-            Primary action
-          </span>
-          <span
-            className="rounded-md border px-3 py-1.5 text-xs font-medium"
-            style={{
-              borderColor: palette.primary,
-              color: palette.primary,
-              backgroundColor: "transparent",
-            }}
-          >
-            Secondary
-          </span>
-          <span
-            className="rounded-md px-2 py-1 text-[10.5px] font-mono uppercase tracking-[0.14em]"
-            style={{ backgroundColor: palette.warning, color: palette.background }}
-          >
-            warn
-          </span>
-          <span
-            className="rounded-md px-2 py-1 text-[10.5px] font-mono uppercase tracking-[0.14em]"
-            style={{ backgroundColor: palette.error, color: palette.surface }}
+          {label}
+        </span>
+        <span
+          className="rounded-full px-2 py-0.5 text-[10px] font-medium uppercase tracking-[0.1em]"
+          style={{ backgroundColor: palette.success, color: palette.surface }}
+        >
+          live
+        </span>
+      </div>
+
+      {/* Preview body */}
+      <div className="p-4">
+        <div
+          className="rounded-xl p-4"
+          style={{ backgroundColor: palette.surface }}
+        >
+          <div className="mb-3 flex items-center justify-between gap-2">
+            <span
+              className="text-[13px] font-semibold"
+              style={{ color: palette.secondary }}
+            >
+              Sample tenant page
+            </span>
+            <span
+              className="rounded-full px-2 py-0.5 text-[10px] font-medium uppercase tracking-[0.1em]"
+              style={{ backgroundColor: palette.success, color: palette.surface }}
+            >
+              active
+            </span>
+          </div>
+          <p
+            className="mb-4 text-[12.5px] leading-relaxed"
+            style={{ color: palette.secondary, opacity: 0.72 }}
           >
-            error
-          </span>
+            A short paragraph rendered with the chosen body color over the chosen
+            surface, on the chosen page background. Action buttons use the primary token.
+          </p>
+          <div className="flex flex-wrap gap-2">
+            {/* Primary action */}
+            <span
+              className="inline-flex items-center rounded-lg px-3 py-1.5 text-xs font-medium shadow-sm"
+              style={{ backgroundColor: palette.primary, color: palette.surface }}
+            >
+              Primary action
+            </span>
+            {/* Outline secondary */}
+            <span
+              className="inline-flex items-center rounded-lg border px-3 py-1.5 text-xs font-medium"
+              style={{
+                borderColor: palette.primary,
+                color: palette.primary,
+                backgroundColor: "transparent",
+              }}
+            >
+              Secondary
+            </span>
+            {/* Warning pill */}
+            <span
+              className="inline-flex items-center rounded-lg px-2.5 py-1 text-[10.5px] font-mono font-medium uppercase tracking-[0.1em]"
+              style={{ backgroundColor: palette.warning, color: palette.background }}
+            >
+              warn
+            </span>
+            {/* Error pill */}
+            <span
+              className="inline-flex items-center rounded-lg px-2.5 py-1 text-[10.5px] font-mono font-medium uppercase tracking-[0.1em]"
+              style={{ backgroundColor: palette.error, color: palette.surface }}
+            >
+              error
+            </span>
+          </div>
         </div>
       </div>
     </div>
diff --git a/clients/admin/src/components/ui/avatar.tsx b/clients/admin/src/components/ui/avatar.tsx
new file mode 100644
index 0000000000..5ef000c645
--- /dev/null
+++ b/clients/admin/src/components/ui/avatar.tsx
@@ -0,0 +1,129 @@
+import * as React from "react";
+import { cn } from "@/lib/cn";
+
+type AvatarSize = "xs" | "sm" | "md" | "lg";
+
+type AvatarProps = React.HTMLAttributes<HTMLSpanElement> & {
+  /** Display name; up to two leading characters become the fallback initials. */
+  name?: string | null;
+  /** Optional image URL. Falls back to the initials when missing or fails to load. */
+  src?: string | null;
+  size?: AvatarSize;
+  /** When true, emits a small pulsing status dot at the bottom-right. */
+  status?: "online" | "offline" | "warning";
+  /** Adds a soft brand halo around the avatar (used in the dropdown hero). */
+  halo?: boolean;
+};
+
+const sizeClass: Record<AvatarSize, string> = {
+  xs: "h-5 w-5 text-[10px]",
+  sm: "h-7 w-7 text-[11px]",
+  md: "h-9 w-9 text-[13px]",
+  lg: "h-12 w-12 text-[16px]",
+};
+
+// Pixel dims mirror `sizeClass`. Setting width + height on the <img>
+// prevents avatar swap-in from triggering CLS while the image loads.
+const sizePx: Record<AvatarSize, number> = {
+  xs: 20,
+  sm: 28,
+  md: 36,
+  lg: 48,
+};
+
+const dotSize: Record<AvatarSize, string> = {
+  xs: "h-1 w-1",
+  sm: "h-1.5 w-1.5",
+  md: "h-2 w-2",
+  lg: "h-2.5 w-2.5",
+};
+
+function getInitials(name?: string | null): string {
+  if (!name) return "?";
+  const trimmed = name.trim();
+  if (trimmed.length === 0) return "?";
+  const parts = trimmed.split(/\s+/).slice(0, 2);
+  return parts.map((p) => p.charAt(0).toUpperCase()).join("");
+}
+
+function statusColor(status: AvatarProps["status"]): string | undefined {
+  switch (status) {
+    case "online":
+      return "var(--color-success)";
+    case "warning":
+      return "var(--color-warning)";
+    case "offline":
+      return "var(--color-muted-foreground)";
+    default:
+      return undefined;
+  }
+}
+
+/**
+ * Avatar — circular surface that carries the brand-mark vocabulary.
+ * The base is the rotating conic gradient under a top-edge highlight;
+ * the user's initial sits on top in primary-foreground. When `src` is
+ * provided, the image covers the gradient. An optional status dot
+ * anchors at the bottom-right and pulses for `online`.
+ */
+export const Avatar = React.forwardRef<HTMLSpanElement, AvatarProps>(
+  ({ name, src, size = "md", status, halo, className, ...props }, ref) => {
+    const initials = getInitials(name);
+    const dotColor = statusColor(status);
+    const [imgFailed, setImgFailed] = React.useState(false);
+    const showImage = Boolean(src) && !imgFailed;
+
+    return (
+      <span
+        ref={ref}
+        aria-label={name ?? undefined}
+        className={cn(
+          "relative inline-flex shrink-0",
+          halo && [
+            "rounded-full",
+            "shadow-[0_0_0_4px_var(--color-primary-soft),0_8px_28px_-8px_oklch(from_var(--color-primary)_l_c_h_/_0.35)]",
+          ],
+          className,
+        )}
+        {...props}
+      >
+        <span
+          className={cn(
+            "brand-mark grid place-items-center overflow-hidden rounded-full",
+            "font-semibold tracking-tight text-[var(--color-primary-foreground)]",
+            "shadow-[0_1px_0_oklch(1_0_0_/_0.22)_inset,0_4px_14px_-4px_oklch(from_var(--color-primary)_l_c_h_/_0.45)]",
+            sizeClass[size],
+          )}
+        >
+          {showImage ? (
+            <img
+              src={src ?? undefined}
+              alt={name ?? ""}
+              referrerPolicy="no-referrer"
+              loading="lazy"
+              decoding="async"
+              width={sizePx[size]}
+              height={sizePx[size]}
+              onError={() => setImgFailed(true)}
+              className="h-full w-full object-cover"
+            />
+          ) : (
+            <span className="relative z-[2] leading-none">{initials}</span>
+          )}
+        </span>
+        {dotColor && (
+          <span
+            aria-hidden
+            className={cn(
+              "absolute bottom-0 right-0 rounded-full ring-2 ring-[var(--color-surface-1)]",
+              status === "online" && "pulse-dot",
+              dotSize[size],
+            )}
+            style={{ backgroundColor: dotColor, color: dotColor }}
+          />
+        )}
+      </span>
+    );
+  },
+);
+Avatar.displayName = "Avatar";
diff --git a/clients/admin/src/components/ui/badge.tsx b/clients/admin/src/components/ui/badge.tsx
index bf8584bcb3..657622bd74 100644
--- a/clients/admin/src/components/ui/badge.tsx
+++ b/clients/admin/src/components/ui/badge.tsx
@@ -3,10 +3,12 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@/lib/cn";
 
 /**
- * Badge — compact status pill. Variants map to semantic status tokens; a
- * brand re-tone propagates without touching call sites. Status backgrounds
- * use the `oklch(from … / α)` relative-color syntax so the tint always
- * matches the active foreground hue.
+ * Badge — compact status pill. Variants map to semantic tokens so a
+ * brand re-tone propagates without touching call sites. The `soft`
+ * style uses the matching `*-soft` background where defined and falls
+ * back to a tinted layer otherwise.
+ *
+ * Admin-specific variant `muted` is preserved for call-site compat.
  */
 const badgeVariants = cva(
   "inline-flex items-center gap-1.5 rounded-full border px-2 py-0.5 text-[11px] font-medium tracking-tight whitespace-nowrap",
@@ -14,11 +16,12 @@ const badgeVariants = cva(
     variants: {
       variant: {
         default:
-          "border-[var(--color-border)] bg-[var(--color-surface-2)] text-[var(--color-foreground)]",
+          "border-[var(--color-border)] bg-[var(--color-card)] text-[var(--color-foreground)]",
+        brand:
+          "border-transparent bg-[var(--color-primary-soft)] text-[var(--color-primary)]",
+        // `muted` kept for admin call-site compat.
         muted:
           "border-transparent bg-[var(--color-muted)] text-[var(--color-muted-foreground)]",
-        brand:
-          "border-transparent bg-[var(--color-primary-soft)] text-[var(--color-foreground)]",
         success:
           "border-transparent bg-[oklch(from_var(--color-success)_l_c_h_/_0.14)] text-[var(--color-success)]",
         warning:
diff --git a/clients/admin/src/components/ui/button.tsx b/clients/admin/src/components/ui/button.tsx
index 08d80a6cbc..aafde77c93 100644
--- a/clients/admin/src/components/ui/button.tsx
+++ b/clients/admin/src/components/ui/button.tsx
@@ -4,51 +4,61 @@ import { cva, type VariantProps } from "class-variance-authority";
 import { cn } from "@/lib/cn";
 
 /**
- * Button — Console primitives.
+ * Button — FSH unified design system.
  *
- * Variants:
- *   • default — solid primary (near-black/near-white based on theme).
- *   • signal  — chartreuse accent. The hero CTA, used SPARINGLY.
- *               Reserved for single primary actions per surface.
- *   • outline — hairline border, transparent fill. Default neutral action.
- *   • secondary — filled secondary surface.
- *   • ghost   — text-only, hover surfaces the accent background.
+ * Variants (preserved + extended):
+ *   • default     — solid primary brand fill with hover lift shadow.
+ *   • signal      — maps to primary (was Console chartreuse; kept for admin call-site compat).
  *   • destructive — danger tone.
- *   • link    — inline text link.
+ *   • outline     — hairline border, transparent fill.
+ *   • secondary   — filled secondary surface.
+ *   • ghost       — text-only, hover surfaces the accent background.
+ *   • link        — inline text link with underline.
+ *   • soft        — primary-soft tinted background.
+ *   • saffron     — saffron accent (warm second channel).
  */
 const buttonVariants = cva(
   [
-    "inline-flex items-center justify-center gap-2 whitespace-nowrap",
-    "rounded-md text-sm font-medium",
-    "transition-[background-color,color,border-color,box-shadow,transform]",
-    "duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
-    "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] focus-visible:ring-offset-2 focus-visible:ring-offset-[var(--color-background)]",
+    "inline-flex shrink-0 cursor-pointer select-none items-center justify-center gap-2 whitespace-nowrap",
+    "rounded-md text-sm font-medium font-sans tracking-tight",
+    "transition-all duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+    "outline-none focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)] focus-visible:border-[var(--color-ring)]",
     "disabled:pointer-events-none disabled:opacity-50",
-    "active:scale-[0.985]",
+    "[&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+    "active:scale-[0.98]",
   ].join(" "),
   {
     variants: {
       variant: {
         default:
-          "bg-[var(--color-primary)] text-[var(--color-primary-foreground)] hover:bg-[oklch(from_var(--color-primary)_calc(l_-_0.04)_c_h)]",
+          "bg-[var(--color-primary)] text-[var(--color-primary-foreground)] hover:brightness-[1.05] hover:shadow-[0_4px_18px_-6px_oklch(from_var(--color-primary)_l_c_h_/_0.45)]",
+        // `signal` kept for admin call-site compat — maps to primary.
         signal:
-          "bg-[var(--color-accent-signal)] text-[var(--color-accent-signal-foreground)] shadow-[0_0_0_1px_oklch(from_var(--color-accent-signal)_calc(l_-_0.10)_c_h)] hover:bg-[oklch(from_var(--color-accent-signal)_calc(l_-_0.04)_c_h)]",
+          "bg-[var(--color-primary)] text-[var(--color-primary-foreground)] hover:brightness-[1.05] hover:shadow-[0_4px_18px_-6px_oklch(from_var(--color-primary)_l_c_h_/_0.45)]",
         destructive:
-          "bg-[var(--color-destructive)] text-[var(--color-destructive-foreground)] hover:opacity-90",
-        outline:
-          "border border-[var(--color-border-strong)] bg-transparent text-[var(--color-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-accent-foreground)]",
+          "bg-[var(--color-destructive)] text-[var(--color-destructive-foreground)] hover:brightness-[1.05]",
+        outline: [
+          "border border-[var(--color-input)] bg-[var(--color-card)] text-[var(--color-foreground)] shadow-xs",
+          "hover:bg-[var(--color-accent)] hover:text-[var(--color-accent-foreground)]",
+        ].join(" "),
         secondary:
-          "bg-[var(--color-secondary)] text-[var(--color-secondary-foreground)] hover:bg-[var(--color-accent)]",
+          "bg-[var(--color-secondary)] text-[var(--color-secondary-foreground)] hover:opacity-90",
         ghost:
           "text-[var(--color-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-accent-foreground)]",
-        link:
-          "text-[var(--color-foreground)] underline-offset-4 hover:underline decoration-[var(--color-accent-signal)] decoration-2",
+        link: "text-[var(--color-primary)] underline-offset-4 hover:underline",
+        soft: "bg-[var(--color-primary-soft)] text-[var(--color-primary)] hover:brightness-[1.06]",
+        saffron:
+          "bg-[var(--color-saffron)] text-[var(--color-saffron-foreground)] hover:brightness-[1.05] hover:shadow-[0_4px_18px_-6px_oklch(from_var(--color-saffron)_l_c_h_/_0.45)]",
       },
       size: {
-        default: "h-9 px-4 py-2",
-        sm: "h-8 rounded-md px-3 text-xs",
-        lg: "h-10 rounded-md px-5",
-        icon: "h-9 w-9",
+        default: "h-9 px-4 py-2 has-[>svg]:px-3",
+        xs: "h-7 gap-1 rounded-md px-2 text-xs has-[>svg]:px-1.5 [&_svg:not([class*='size-'])]:size-3",
+        sm: "h-8 gap-1.5 rounded-md px-3 has-[>svg]:px-2.5",
+        lg: "h-10 rounded-md px-6 has-[>svg]:px-4",
+        icon: "size-9",
+        "icon-xs": "size-7 rounded-md [&_svg:not([class*='size-'])]:size-3.5",
+        "icon-sm": "size-9",
+        "icon-lg": "size-10",
       },
     },
     defaultVariants: {
@@ -68,7 +78,14 @@ export const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
   ({ className, variant, size, asChild = false, ...props }, ref) => {
     const Comp = asChild ? Slot : "button";
     return (
-      <Comp className={cn(buttonVariants({ variant, size, className }))} ref={ref} {...props} />
+      <Comp
+        data-slot="button"
+        data-variant={variant ?? "default"}
+        data-size={size ?? "default"}
+        className={cn(buttonVariants({ variant, size, className }))}
+        ref={ref}
+        {...props}
+      />
     );
   },
 );
diff --git a/clients/admin/src/components/ui/card.tsx b/clients/admin/src/components/ui/card.tsx
index be40926f6f..098e8ac76e 100644
--- a/clients/admin/src/components/ui/card.tsx
+++ b/clients/admin/src/components/ui/card.tsx
@@ -2,22 +2,29 @@ import * as React from "react";
 import { cn } from "@/lib/cn";
 
 type CardProps = React.HTMLAttributes<HTMLDivElement> & {
-  /** When true, the card softens its shadow in on hover. */
+  /** When true, the card softens its border + shadow on hover. */
   interactive?: boolean;
 };
 
 /**
- * Card — primary surface. The `card-shell` utility (in globals.css) owns the
- * visual treatment so cards across the app stay coherent; this component is
- * mostly a typed forwardRef + interactive opt-in.
+ * Card — calm neutral surface. A 1px hairline + a low resting
+ * shadow that lifts the card off the canvas just enough to read as
+ * "sheet on a desk." Interactive variant darkens the border and adds
+ * a hint of lift on hover — no pillow shadows, no gradient borders.
+ *
+ * Note: `card-shell` and `card-shell-interactive` CSS utility classes
+ * (defined in globals.css) remain available for direct className usage
+ * in legacy admin consumers during phase migration.
  */
 export const Card = React.forwardRef<HTMLDivElement, CardProps>(
   ({ className, interactive, ...props }, ref) => (
     <div
       ref={ref}
+      data-slot="card"
       className={cn(
-        "card-shell text-[var(--color-card-foreground)]",
-        interactive && "card-shell-interactive",
+        "flex flex-col rounded-lg border border-[var(--color-border)] bg-[var(--color-card)] text-[var(--color-card-foreground)] shadow-sm",
+        interactive &&
+          "transition-[border-color,box-shadow,transform] duration-[var(--duration-default)] ease-[var(--ease-out-cubic)] hover:border-[var(--color-border-strong)] hover:shadow-md hover:-translate-y-px",
         className,
       )}
       {...props}
@@ -28,7 +35,12 @@ Card.displayName = "Card";
 
 export const CardHeader = React.forwardRef<HTMLDivElement, React.HTMLAttributes<HTMLDivElement>>(
   ({ className, ...props }, ref) => (
-    <div ref={ref} className={cn("flex flex-col gap-1.5 px-6 pt-5 pb-3", className)} {...props} />
+    <div
+      ref={ref}
+      data-slot="card-header"
+      className={cn("flex flex-col gap-1.5 px-6 pt-6 pb-3", className)}
+      {...props}
+    />
   ),
 );
 CardHeader.displayName = "CardHeader";
@@ -37,7 +49,8 @@ export const CardTitle = React.forwardRef<HTMLDivElement, React.HTMLAttributes<H
   ({ className, ...props }, ref) => (
     <div
       ref={ref}
-      className={cn("text-base font-semibold leading-none tracking-tight", className)}
+      data-slot="card-title"
+      className={cn("font-display text-base font-semibold leading-none tracking-tight", className)}
       {...props}
     />
   ),
@@ -48,6 +61,7 @@ export const CardDescription = React.forwardRef<HTMLDivElement, React.HTMLAttrib
   ({ className, ...props }, ref) => (
     <div
       ref={ref}
+      data-slot="card-description"
       className={cn("text-sm leading-relaxed text-[var(--color-muted-foreground)]", className)}
       {...props}
     />
@@ -57,7 +71,7 @@ CardDescription.displayName = "CardDescription";
 
 export const CardContent = React.forwardRef<HTMLDivElement, React.HTMLAttributes<HTMLDivElement>>(
   ({ className, ...props }, ref) => (
-    <div ref={ref} className={cn("px-6 pb-5 pt-1", className)} {...props} />
+    <div ref={ref} data-slot="card-content" className={cn("px-6 pb-6", className)} {...props} />
   ),
 );
 CardContent.displayName = "CardContent";
@@ -66,10 +80,8 @@ export const CardFooter = React.forwardRef<HTMLDivElement, React.HTMLAttributes<
   ({ className, ...props }, ref) => (
     <div
       ref={ref}
-      className={cn(
-        "flex items-center gap-2 border-t border-[var(--color-border)] px-6 py-3",
-        className,
-      )}
+      data-slot="card-footer"
+      className={cn("flex items-center gap-2 border-t border-[var(--color-border)] px-6 py-4", className)}
       {...props}
     />
   ),
diff --git a/clients/admin/src/components/ui/dialog.tsx b/clients/admin/src/components/ui/dialog.tsx
index 066dc9907e..1818cc2221 100644
--- a/clients/admin/src/components/ui/dialog.tsx
+++ b/clients/admin/src/components/ui/dialog.tsx
@@ -4,8 +4,8 @@ import { X } from "lucide-react";
 import { cn } from "@/lib/cn";
 
 /**
- * Dialog — Console-flavored Radix Dialog.
- * Pattern:
+ * Dialog primitives — Radix-based, styled to the FSH design system.
+ * Usage:
  *   <Dialog open={open} onOpenChange={setOpen}>
  *     <DialogContent>
  *       <DialogHeader>
@@ -16,6 +16,10 @@ import { cn } from "@/lib/cn";
  *       <DialogFooter>...</DialogFooter>
  *     </DialogContent>
  *   </Dialog>
+ *
+ * Open/close transitions are driven by [data-state] attributes Radix
+ * sets on the overlay and content, paired with the keyframes in
+ * globals.css.
  */
 
 export const Dialog = DialogPrimitive.Root;
@@ -29,9 +33,10 @@ export const DialogOverlay = React.forwardRef<
 >(({ className, ...props }, ref) => (
   <DialogPrimitive.Overlay
     ref={ref}
+    data-slot="dialog-overlay"
     className={cn(
-      "fixed inset-0 z-50 bg-[oklch(from_var(--color-background)_l_c_h_/_0.55)] backdrop-blur-md",
-      "transition-opacity duration-200 data-[state=open]:opacity-100 data-[state=closed]:opacity-0",
+      "fixed inset-0 z-50 bg-[oklch(0_0_0_/_0.4)] backdrop-blur-[6px]",
+      "data-[state=open]:animate-fsh-overlay-in data-[state=closed]:animate-fsh-overlay-out",
       className,
     )}
     {...props}
@@ -42,43 +47,48 @@ DialogOverlay.displayName = "DialogOverlay";
 export const DialogContent = React.forwardRef<
   React.ComponentRef<typeof DialogPrimitive.Content>,
   React.ComponentPropsWithoutRef<typeof DialogPrimitive.Content> & {
-    /** Max width — defaults to `md` (28rem). Use `lg`/`xl` for richer dialogs. */
+    /**
+     * Max width — defaults to `md`. Preserved for admin call-site compat.
+     * `sm` = max-w-sm, `md` = max-w-lg (≈ dashboard default), `lg` = max-w-2xl, `xl` = max-w-4xl.
+     */
     size?: "sm" | "md" | "lg" | "xl";
   }
 >(({ className, children, size = "md", ...props }, ref) => {
   const sizeClass: Record<NonNullable<typeof size>, string> = {
-    sm: "max-w-sm",
-    md: "max-w-md",
-    lg: "max-w-2xl",
-    xl: "max-w-4xl",
+    sm: "sm:max-w-sm",
+    md: "sm:max-w-lg",
+    lg: "sm:max-w-2xl",
+    xl: "sm:max-w-4xl",
   };
   return (
     <DialogPortal>
       <DialogOverlay />
       <DialogPrimitive.Content
         ref={ref}
+        data-slot="dialog-content"
         className={cn(
-          "fixed left-1/2 top-1/2 z-50 w-[calc(100vw-2rem)] -translate-x-1/2 -translate-y-1/2",
+          "fixed left-1/2 top-1/2 z-50 grid w-full max-w-[calc(100%-2rem)] -translate-x-1/2 -translate-y-1/2",
           sizeClass[size],
-          "card-shell rounded-xl shadow-[0_24px_64px_-24px_oklch(0_0_0/0.30),0_8px_24px_-8px_oklch(0_0_0/0.18)]",
-          "transition-[opacity,transform] duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
-          "data-[state=open]:opacity-100 data-[state=closed]:opacity-0",
-          "data-[state=open]:scale-100 data-[state=closed]:scale-[0.97]",
+          "rounded-xl border border-[var(--color-border)] bg-[var(--color-card)]",
+          "shadow-xl outline-none",
+          "data-[state=open]:animate-fsh-dialog-in data-[state=closed]:animate-fsh-dialog-out",
           className,
         )}
         {...props}
       >
         {children}
         <DialogPrimitive.Close
+          data-slot="dialog-close"
           aria-label="Close"
           className={cn(
-            "absolute right-3 top-3 grid h-7 w-7 place-items-center rounded-md",
-            "text-[var(--color-muted-foreground)] transition-colors",
-            "hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
-            "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+            "absolute top-3.5 right-3.5 size-9 rounded-lg flex items-center justify-center",
+            "text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)] hover:text-[var(--color-foreground)]",
+            "hover:bg-[var(--color-accent)] transition-colors cursor-pointer outline-none",
+            "focus-visible:border-[var(--color-ring)] focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]",
+            "[&_svg]:pointer-events-none [&_svg]:shrink-0",
           )}
         >
-          <X className="h-4 w-4" />
+          <X className="size-4" />
         </DialogPrimitive.Close>
       </DialogPrimitive.Content>
     </DialogPortal>
@@ -88,14 +98,13 @@ DialogContent.displayName = "DialogContent";
 
 export function DialogHeader({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) {
   return (
-    <div className={cn("flex flex-col gap-1.5 px-6 pb-3 pt-6 text-left", className)} {...props} />
+    <div
+      className={cn("flex flex-col gap-1.5 px-6 pb-3 pt-6 text-left", className)}
+      {...props}
+    />
   );
 }
 
-export function DialogBody({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) {
-  return <div className={cn("px-6 pb-5 pt-1", className)} {...props} />;
-}
-
 export function DialogFooter({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) {
   return (
     <div
@@ -132,3 +141,65 @@ export const DialogDescription = React.forwardRef<
   />
 ));
 DialogDescription.displayName = "DialogDescription";
+
+export function DialogBody({ className, ...props }: React.HTMLAttributes<HTMLDivElement>) {
+  return <div className={cn("px-6 pb-5 pt-1", className)} {...props} />;
+}
+
+// ─────────────────────────────────────────────────────────────────────────
+// Sheet — edge-anchored Dialog variant. Same Radix primitive (so it gets
+// focus-trap, scroll-lock, ESC dismissal, overlay click-to-close for free)
+// but slides in from a side instead of centering.
+// ─────────────────────────────────────────────────────────────────────────
+
+type SheetSide = "left" | "right" | "top" | "bottom";
+
+const sheetSideClasses: Record<SheetSide, string> = {
+  left: "inset-y-0 left-0 h-full w-[min(20rem,85vw)] border-r data-[state=open]:animate-fsh-sheet-in-left data-[state=closed]:animate-fsh-sheet-out-left",
+  right: "inset-y-0 right-0 h-full w-[min(20rem,85vw)] border-l data-[state=open]:animate-fsh-sheet-in-right data-[state=closed]:animate-fsh-sheet-out-right",
+  top: "inset-x-0 top-0 w-full max-h-[85vh] border-b data-[state=open]:animate-fsh-sheet-in-top data-[state=closed]:animate-fsh-sheet-out-top",
+  bottom: "inset-x-0 bottom-0 w-full max-h-[85vh] border-t data-[state=open]:animate-fsh-sheet-in-bottom data-[state=closed]:animate-fsh-sheet-out-bottom",
+};
+
+export const SheetContent = React.forwardRef<
+  React.ComponentRef<typeof DialogPrimitive.Content>,
+  React.ComponentPropsWithoutRef<typeof DialogPrimitive.Content> & {
+    side?: SheetSide;
+    /** Render the built-in close button. Defaults to true. */
+    showClose?: boolean;
+  }
+>(({ className, children, side = "right", showClose = true, ...props }, ref) => (
+  <DialogPortal>
+    <DialogOverlay />
+    <DialogPrimitive.Content
+      ref={ref}
+      className={cn(
+        "fixed z-50 flex flex-col bg-[var(--color-surface-1)] border-[var(--color-border)] shadow-[var(--shadow-lift)]",
+        sheetSideClasses[side],
+        className,
+      )}
+      {...props}
+    >
+      {children}
+      {showClose && (
+        <DialogPrimitive.Close
+          aria-label="Close"
+          className={cn(
+            "absolute right-3 top-3 grid h-7 w-7 place-items-center rounded-md",
+            "text-[var(--color-muted-foreground)] transition-colors",
+            "hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+            "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          )}
+        >
+          <X className="h-4 w-4" />
+        </DialogPrimitive.Close>
+      )}
+    </DialogPrimitive.Content>
+  </DialogPortal>
+));
+SheetContent.displayName = "SheetContent";
+
+// Aliases for call-site clarity when using sheet semantics.
+export const Sheet = DialogPrimitive.Root;
+export const SheetTrigger = DialogPrimitive.Trigger;
+export const SheetClose = DialogPrimitive.Close;
diff --git a/clients/admin/src/components/ui/dropdown-menu.tsx b/clients/admin/src/components/ui/dropdown-menu.tsx
new file mode 100644
index 0000000000..02ffb675c1
--- /dev/null
+++ b/clients/admin/src/components/ui/dropdown-menu.tsx
@@ -0,0 +1,127 @@
+import * as React from "react";
+import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu";
+import { ChevronRight } from "lucide-react";
+import { cn } from "@/lib/cn";
+
+/**
+ * Dropdown primitives — Radix-based, styled to the FSH design system.
+ * Trigger transitions are driven by [data-state] attributes Radix sets
+ * on the content, paired with the dialog-in/out keyframes from
+ * globals.css. Content uses the gradient-border + frosted treatment so
+ * it shares vocabulary with Card and Dialog.
+ */
+
+export const DropdownMenu = DropdownMenuPrimitive.Root;
+export const DropdownMenuTrigger = DropdownMenuPrimitive.Trigger;
+export const DropdownMenuPortal = DropdownMenuPrimitive.Portal;
+export const DropdownMenuGroup = DropdownMenuPrimitive.Group;
+
+export const DropdownMenuContent = React.forwardRef<
+  React.ComponentRef<typeof DropdownMenuPrimitive.Content>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Content>
+>(({ className, sideOffset = 6, ...props }, ref) => (
+  <DropdownMenuPortal>
+    <DropdownMenuPrimitive.Content
+      ref={ref}
+      data-slot="dropdown-menu-content"
+      sideOffset={sideOffset}
+      className={cn(
+        "z-50 min-w-[12rem] max-h-[var(--radix-dropdown-menu-content-available-height)]",
+        "overflow-x-hidden overflow-y-auto",
+        "rounded-lg border border-[var(--color-border)] bg-[var(--color-popover)] p-1",
+        "text-[var(--color-popover-foreground)] shadow-md",
+        "origin-[var(--radix-dropdown-menu-content-transform-origin)]",
+        "data-[state=open]:animate-fsh-dialog-in data-[state=closed]:animate-fsh-dialog-out",
+        className,
+      )}
+      {...props}
+    />
+  </DropdownMenuPortal>
+));
+DropdownMenuContent.displayName = "DropdownMenuContent";
+
+export const DropdownMenuItem = React.forwardRef<
+  React.ComponentRef<typeof DropdownMenuPrimitive.Item>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Item> & {
+    destructive?: boolean;
+  }
+>(({ className, destructive, ...props }, ref) => (
+  <DropdownMenuPrimitive.Item
+    ref={ref}
+    className={cn(
+      "group relative mx-1 my-0.5 flex cursor-pointer select-none items-center gap-2.5 rounded-md px-2.5 py-2 text-sm",
+      "data-[disabled]:cursor-not-allowed",
+      "outline-none focus:outline-none focus-visible:outline-none focus-visible:shadow-none",
+      "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+      "data-[highlighted]:bg-[var(--color-accent)]",
+      destructive
+        ? "text-[var(--color-destructive)] data-[highlighted]:bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.10)] data-[highlighted]:text-[var(--color-destructive)]"
+        : "text-[var(--color-foreground)] data-[highlighted]:text-[var(--color-foreground)]",
+      "data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
+      className,
+    )}
+    {...props}
+  />
+));
+DropdownMenuItem.displayName = "DropdownMenuItem";
+
+export const DropdownMenuLinkItem = React.forwardRef<
+  React.ComponentRef<typeof DropdownMenuPrimitive.Item>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Item> & {
+    href: string;
+  }
+>(({ href, children, ...props }, ref) => {
+  return (
+    <DropdownMenuItem ref={ref} asChild {...props}>
+      <a href={href} className="w-full">
+        {children}
+        <ChevronRight className="ml-auto h-3.5 w-3.5 text-[var(--color-muted-foreground)]" aria-hidden />
+      </a>
+    </DropdownMenuItem>
+  );
+});
+DropdownMenuLinkItem.displayName = "DropdownMenuLinkItem";
+
+export const DropdownMenuLabel = React.forwardRef<
+  React.ComponentRef<typeof DropdownMenuPrimitive.Label>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Label>
+>(({ className, ...props }, ref) => (
+  <DropdownMenuPrimitive.Label
+    ref={ref}
+    className={cn(
+      "px-3 pt-3 pb-1 font-mono text-[10.5px] font-medium uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]",
+      className,
+    )}
+    {...props}
+  />
+));
+DropdownMenuLabel.displayName = "DropdownMenuLabel";
+
+export const DropdownMenuSeparator = React.forwardRef<
+  React.ComponentRef<typeof DropdownMenuPrimitive.Separator>,
+  React.ComponentPropsWithoutRef<typeof DropdownMenuPrimitive.Separator>
+>(({ className, ...props }, ref) => (
+  <DropdownMenuPrimitive.Separator
+    ref={ref}
+    className={cn("my-1 h-px bg-[var(--color-border)]", className)}
+    {...props}
+  />
+));
+DropdownMenuSeparator.displayName = "DropdownMenuSeparator";
+
+/**
+ * A non-interactive row meant to host arbitrary content (e.g. a
+ * segmented theme toggle). Sits on the same horizontal rail as items
+ * but doesn't participate in roving focus.
+ */
+export function DropdownMenuRow({
+  className,
+  ...props
+}: React.HTMLAttributes<HTMLDivElement>) {
+  return (
+    <div
+      className={cn("mx-1 my-0.5 flex items-center gap-2.5 rounded-md px-2.5 py-2", className)}
+      {...props}
+    />
+  );
+}
diff --git a/clients/admin/src/components/ui/input.tsx b/clients/admin/src/components/ui/input.tsx
index 32eb49f2f6..0071d0ea95 100644
--- a/clients/admin/src/components/ui/input.tsx
+++ b/clients/admin/src/components/ui/input.tsx
@@ -4,28 +4,33 @@ import { cn } from "@/lib/cn";
 export type InputProps = React.InputHTMLAttributes<HTMLInputElement>;
 
 /**
- * Input — flat bottom-border-emphasized field in the Console language.
- * Resting state: hairline border, transparent fill. Hover: stronger border.
- * Focus: signal-colored ring + subtle background lift. No floating labels;
- * label sits above via the Label primitive.
+ * Input — h-9 hairline-bordered field with a 3px brand-tinted focus
+ * ring. Sits on transparent so it inherits the surface it's placed on
+ * (card vs. canvas); in dark mode picks up a faint input tint so
+ * inputs read as recessed wells on graphite. No floating-label
+ * monster — labels live above the field as plain <Label>s.
  */
 export const Input = React.forwardRef<HTMLInputElement, InputProps>(
   ({ className, type, ...props }, ref) => {
     return (
       <input
         type={type}
-        ref={ref}
+        data-slot="input"
         className={cn(
-          "flex h-9 w-full rounded-md border border-[var(--color-input)] bg-transparent",
-          "px-3 py-1 text-sm font-sans",
-          "placeholder:text-[var(--color-muted-foreground)] placeholder:font-mono placeholder:text-xs placeholder:tracking-tight",
-          "transition-[border-color,background-color,box-shadow] duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
-          "hover:border-[var(--color-border-strong)]",
-          "focus-visible:outline-none focus-visible:border-[var(--color-accent-signal)] focus-visible:ring-2 focus-visible:ring-[oklch(from_var(--color-accent-signal)_l_c_h_/_0.25)] focus-visible:bg-[var(--color-surface-2)]",
-          "disabled:cursor-not-allowed disabled:opacity-50",
-          "aria-[invalid=true]:border-[var(--color-destructive)] aria-[invalid=true]:focus-visible:ring-[oklch(from_var(--color-destructive)_l_c_h_/_0.25)]",
+          "h-9 w-full min-w-0 rounded-lg border border-[var(--color-input)] bg-transparent px-3 py-1",
+          "text-sm shadow-xs outline-none",
+          "transition-[color,box-shadow,border-color,background-color] duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+          "selection:bg-[var(--color-primary)] selection:text-[var(--color-primary-foreground)]",
+          "file:inline-flex file:h-7 file:border-0 file:bg-transparent file:text-sm file:font-medium file:text-[var(--color-foreground)]",
+          "placeholder:text-[var(--color-muted-foreground)]",
+          "disabled:pointer-events-none disabled:cursor-not-allowed disabled:opacity-50",
+          "md:text-sm",
+          "dark:bg-[oklch(from_var(--color-input)_l_c_h_/_0.3)]",
+          "focus-visible:border-[var(--color-ring)] focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]",
+          "aria-invalid:border-[var(--color-destructive)] aria-invalid:ring-[oklch(from_var(--color-destructive)_l_c_h_/_0.2)]",
           className,
         )}
+        ref={ref}
         {...props}
       />
     );
diff --git a/clients/admin/src/components/ui/label.tsx b/clients/admin/src/components/ui/label.tsx
index 9f8ebe6188..a9fb7a1bc1 100644
--- a/clients/admin/src/components/ui/label.tsx
+++ b/clients/admin/src/components/ui/label.tsx
@@ -2,11 +2,6 @@ import * as React from "react";
 import * as LabelPrimitive from "@radix-ui/react-label";
 import { cn } from "@/lib/cn";
 
-/**
- * Label — Console treatment: mono crumb above the field rather than the
- * usual sans label. Reads as "this is what you're entering" the same way
- * a section rule reads as "this is the section."
- */
 export const Label = React.forwardRef<
   React.ElementRef<typeof LabelPrimitive.Root>,
   React.ComponentPropsWithoutRef<typeof LabelPrimitive.Root>
@@ -14,7 +9,7 @@ export const Label = React.forwardRef<
   <LabelPrimitive.Root
     ref={ref}
     className={cn(
-      "meta text-[var(--color-muted-foreground)] peer-disabled:cursor-not-allowed peer-disabled:opacity-70",
+      "text-sm font-medium leading-none peer-disabled:cursor-not-allowed peer-disabled:opacity-70",
       className,
     )}
     {...props}
diff --git a/clients/admin/src/components/ui/select.tsx b/clients/admin/src/components/ui/select.tsx
new file mode 100644
index 0000000000..19a0c00753
--- /dev/null
+++ b/clients/admin/src/components/ui/select.tsx
@@ -0,0 +1,150 @@
+import { Check, ChevronDown } from "lucide-react";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+import { cn } from "@/lib/cn";
+
+export type SelectOption<T extends string = string> = {
+  value: T;
+  label: string;
+  hint?: string;
+};
+
+export type SelectProps<T extends string = string> = {
+  /** Currently-selected value. Pass "" to indicate the "all / empty" state. */
+  value: T | "";
+  onChange: (value: T | "") => void;
+  options: SelectOption<T>[];
+  /**
+   * When provided, a leading option with value="" is rendered with this label
+   * (e.g. "All statuses", "Any role"). When the user picks it, onChange is
+   * called with "".
+   */
+  placeholder?: string;
+  /** Optional visible label rendered before the trigger button. */
+  label?: string;
+  className?: string;
+  disabled?: boolean;
+  /** Minimum width applied to both trigger and content. Defaults to 10rem. */
+  minWidth?: string;
+};
+
+/**
+ * Select — a modern single-select dropdown built on the existing Radix
+ * DropdownMenu primitive. Replaces the native <select> filter controls
+ * throughout the admin app.
+ *
+ * Design goals:
+ *   • Trigger button matches the outline Button visual language (border,
+ *     rounded-lg, h-9, font-sans text-sm).
+ *   • Selected option gets a rose brand check mark and tinted background.
+ *   • Content panel shares the frosted/gradient-border vocabulary already
+ *     used by DropdownMenuContent (no new visual primitives).
+ *   • Fully keyboard-accessible via Radix roving focus.
+ */
+export function Select<T extends string = string>({
+  value,
+  onChange,
+  options,
+  placeholder,
+  label,
+  className,
+  disabled = false,
+  minWidth = "10rem",
+}: SelectProps<T>) {
+  const allOptions: SelectOption<string>[] = placeholder
+    ? [{ value: "", label: placeholder }, ...options]
+    : [...options];
+
+  const current =
+    allOptions.find((o) => o.value === value) ??
+    (placeholder ? { value: "", label: placeholder } : allOptions[0]);
+
+  const displayLabel = current?.label ?? placeholder ?? "Select…";
+  const hasSelection = value !== "";
+
+  return (
+    <div className={cn("flex items-center gap-2", className)}>
+      {label && (
+        <span className="shrink-0 font-mono text-[0.6875rem] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
+          {label}
+        </span>
+      )}
+
+      <DropdownMenu>
+        <DropdownMenuTrigger
+          disabled={disabled}
+          style={{ minWidth }}
+          className={cn(
+            // Base shape — matches outline Button
+            "group inline-flex h-9 items-center justify-between gap-2 rounded-lg border border-[var(--color-input)]",
+            "bg-[var(--color-card)] px-3 py-2 text-sm font-sans shadow-xs",
+            // Colour
+            hasSelection
+              ? "text-[var(--color-foreground)]"
+              : "text-[var(--color-muted-foreground)]",
+            // Interactions
+            "transition-[border-color,box-shadow,background-color] duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+            "hover:border-[var(--color-border-strong)] hover:bg-[var(--color-accent)]",
+            "focus-visible:outline-none focus-visible:border-[var(--color-ring)] focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]",
+            "data-[state=open]:border-[var(--color-ring)] data-[state=open]:ring-[3px] data-[state=open]:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]",
+            "disabled:cursor-not-allowed disabled:opacity-50",
+          )}
+        >
+          <span className="truncate">{displayLabel}</span>
+          <ChevronDown
+            aria-hidden
+            className={cn(
+              "h-4 w-4 shrink-0 text-[var(--color-muted-foreground)]",
+              "transition-transform duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+              "group-data-[state=open]:rotate-180",
+            )}
+          />
+        </DropdownMenuTrigger>
+
+        <DropdownMenuContent
+          align="start"
+          style={{ minWidth }}
+          className="py-1"
+        >
+          {allOptions.map((opt) => {
+            const selected = opt.value === value;
+            return (
+              <DropdownMenuItem
+                key={opt.value}
+                onSelect={() => onChange(opt.value as T | "")}
+                className={cn(
+                  selected && [
+                    // Rose-primary active state — tinted background + primary text
+                    "bg-[oklch(from_var(--color-primary)_l_c_h_/_0.08)]",
+                    "text-[var(--color-primary)]",
+                    "data-[highlighted]:bg-[oklch(from_var(--color-primary)_l_c_h_/_0.12)]",
+                    "data-[highlighted]:text-[var(--color-primary)]",
+                  ],
+                )}
+              >
+                <span className="flex-1 truncate">
+                  {opt.label}
+                  {opt.hint && (
+                    <span className="ml-1.5 text-[var(--color-muted-foreground)] text-xs">
+                      — {opt.hint}
+                    </span>
+                  )}
+                </span>
+                {selected && (
+                  <Check
+                    aria-hidden
+                    className="ml-auto h-3.5 w-3.5 shrink-0 text-[var(--color-primary)]"
+                  />
+                )}
+              </DropdownMenuItem>
+            );
+          })}
+        </DropdownMenuContent>
+      </DropdownMenu>
+    </div>
+  );
+}
diff --git a/clients/admin/src/components/ui/switch.tsx b/clients/admin/src/components/ui/switch.tsx
new file mode 100644
index 0000000000..47a50a70f1
--- /dev/null
+++ b/clients/admin/src/components/ui/switch.tsx
@@ -0,0 +1,51 @@
+import * as React from "react";
+import { cn } from "@/lib/cn";
+
+type SwitchProps = {
+  checked: boolean;
+  onCheckedChange: (checked: boolean) => void;
+  disabled?: boolean;
+  id?: string;
+  "aria-label"?: string;
+  "aria-labelledby"?: string;
+};
+
+/**
+ * Switch — accessible toggle. Tracks a controlled boolean and slides a
+ * thumb between off and on. Keyboard: space / enter activates (button
+ * default). The thumb position is tweened with motion tokens.
+ */
+export const Switch = React.forwardRef<HTMLButtonElement, SwitchProps>(
+  ({ checked, onCheckedChange, disabled, ...props }, ref) => {
+    return (
+      <button
+        ref={ref}
+        type="button"
+        role="switch"
+        aria-checked={checked}
+        disabled={disabled}
+        onClick={() => onCheckedChange(!checked)}
+        className={cn(
+          "relative inline-flex h-5 w-9 shrink-0 cursor-pointer items-center rounded-full",
+          "transition-colors duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+          "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] focus-visible:ring-offset-2 focus-visible:ring-offset-[var(--color-background)]",
+          "disabled:cursor-not-allowed disabled:opacity-50",
+          checked
+            ? "bg-[var(--color-primary)]"
+            : "bg-[var(--color-input)]",
+        )}
+        {...props}
+      >
+        <span
+          aria-hidden
+          className={cn(
+            "pointer-events-none inline-block h-4 w-4 rounded-full bg-[var(--color-overlay-foreground)] shadow-[0_1px_2px_oklch(0_0_0_/_0.20)]",
+            "transition-transform duration-[var(--duration-default)] ease-[var(--ease-out-cubic)]",
+            checked ? "translate-x-[18px]" : "translate-x-0.5",
+          )}
+        />
+      </button>
+    );
+  },
+);
+Switch.displayName = "Switch";
diff --git a/clients/admin/src/components/ui/table.tsx b/clients/admin/src/components/ui/table.tsx
index 6de80565d3..7a33926d99 100644
--- a/clients/admin/src/components/ui/table.tsx
+++ b/clients/admin/src/components/ui/table.tsx
@@ -2,8 +2,8 @@ import * as React from "react";
 import { cn } from "@/lib/cn";
 
 /**
- * Table — Console treatment. Mono uppercase headers with wide tracking,
- * hairline row borders, hover row tinted in the muted surface.
+ * Table — FSH unified design tokens. Mono uppercase headers with wide
+ * tracking, hairline row borders, hover row tinted in the accent surface.
  */
 export const Table = React.forwardRef<HTMLTableElement, React.HTMLAttributes<HTMLTableElement>>(
   ({ className, ...props }, ref) => (
@@ -24,7 +24,7 @@ export const TableHeader = React.forwardRef<
 >(({ className, ...props }, ref) => (
   <thead
     ref={ref}
-    className={cn("[&_tr]:border-b [&_tr]:border-[var(--color-border-strong)]", className)}
+    className={cn("[&_tr]:border-b [&_tr]:border-[var(--color-border)]", className)}
     {...props}
   />
 ));
@@ -45,7 +45,7 @@ export const TableRow = React.forwardRef<
   <tr
     ref={ref}
     className={cn(
-      "border-b border-[var(--color-border)] transition-colors hover:bg-[var(--color-muted)] data-[state=selected]:bg-[var(--color-muted)]",
+      "border-b border-[var(--color-border)] transition-colors hover:bg-[var(--color-accent)] data-[state=selected]:bg-[var(--color-accent)]",
       className,
     )}
     {...props}
diff --git a/clients/admin/src/components/users/create-user-dialog.tsx b/clients/admin/src/components/users/create-user-dialog.tsx
new file mode 100644
index 0000000000..adeb0580be
--- /dev/null
+++ b/clients/admin/src/components/users/create-user-dialog.tsx
@@ -0,0 +1,327 @@
+import { useNavigate } from "react-router-dom";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+import { KeyRound, User as UserIcon, Users } from "lucide-react";
+import { toast } from "sonner";
+import { registerUser } from "@/api/users";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Field } from "@/components/list";
+import {
+  Dialog,
+  DialogContent,
+  DialogHeader,
+  DialogTitle,
+  DialogDescription,
+  DialogBody,
+  DialogFooter,
+} from "@/components/ui/dialog";
+import { ApiRequestError } from "@/lib/api-client";
+
+// ─── Schema (identical to the old create page) ───────────────────────────────
+
+const USERNAME_RE = /^[a-zA-Z][a-zA-Z0-9._-]{2,31}$/;
+
+const schema = z
+  .object({
+    firstName: z.string().trim().min(1, "Required.").max(64),
+    lastName: z.string().trim().min(1, "Required.").max(64),
+    userName: z
+      .string()
+      .trim()
+      .regex(USERNAME_RE, "3–32 chars. Letters, digits, dot, dash, underscore. Start with a letter."),
+    email: z.string().trim().email("Enter a valid email."),
+    phoneNumber: z.string().trim().max(32).optional(),
+    password: z.string().min(8, "At least 8 characters."),
+    confirmPassword: z.string().min(8),
+  })
+  .refine((d) => d.password === d.confirmPassword, {
+    path: ["confirmPassword"],
+    message: "Passwords don't match.",
+  });
+
+type FormValues = z.infer<typeof schema>;
+
+// ─── Section label ────────────────────────────────────────────────────────────
+
+function SectionLabel({
+  icon: Icon,
+  title,
+  description,
+}: {
+  icon: React.ComponentType<{ className?: string; "aria-hidden"?: boolean | "true" }>;
+  title: string;
+  description: string;
+}) {
+  return (
+    <div className="flex items-start gap-2.5 pb-1">
+      <span
+        aria-hidden
+        className="mt-0.5 grid h-6 w-6 shrink-0 place-items-center rounded-md bg-[var(--color-accent)] text-[var(--color-muted-foreground)]"
+      >
+        <Icon className="h-3.5 w-3.5" aria-hidden />
+      </span>
+      <div className="min-w-0">
+        <p className="text-[12.5px] font-semibold text-[var(--color-foreground)]">{title}</p>
+        <p className="text-[11.5px] leading-relaxed text-[var(--color-muted-foreground)]">
+          {description}
+        </p>
+      </div>
+    </div>
+  );
+}
+
+// ─── Dialog ───────────────────────────────────────────────────────────────────
+
+export function CreateUserDialog({
+  open,
+  onOpenChange,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+}) {
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const {
+    register,
+    handleSubmit,
+    reset,
+    formState: { errors, isSubmitting },
+  } = useForm<FormValues>({
+    resolver: zodResolver(schema),
+    defaultValues: {
+      firstName: "",
+      lastName: "",
+      userName: "",
+      email: "",
+      phoneNumber: "",
+      password: "",
+      confirmPassword: "",
+    },
+  });
+
+  const mutation = useMutation({
+    // Pass values via mutate(arg) — no closed-over state captured at submit time.
+    mutationFn: (values: FormValues) =>
+      registerUser({
+        firstName: values.firstName,
+        lastName: values.lastName,
+        userName: values.userName,
+        email: values.email,
+        password: values.password,
+        confirmPassword: values.confirmPassword,
+        phoneNumber: values.phoneNumber?.trim() || undefined,
+      }),
+    onSuccess: (result) => {
+      toast.success("User created", {
+        description: result.message ?? "Confirmation email queued.",
+      });
+      queryClient.invalidateQueries({ queryKey: ["users"] });
+      handleClose();
+      navigate(result.userId ? `/users/${result.userId}` : "/users");
+    },
+    onError: (err) => {
+      const detail =
+        err instanceof ApiRequestError
+          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          : (err as Error).message;
+      toast.error("Create failed", { description: detail });
+    },
+  });
+
+  function handleClose() {
+    reset();
+    onOpenChange(false);
+  }
+
+  const onSubmit = handleSubmit((values) => mutation.mutate(values));
+  const submitting = isSubmitting || mutation.isPending;
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(o) => {
+        if (!o) handleClose();
+        else onOpenChange(true);
+      }}
+    >
+      <DialogContent size="lg">
+        {/* ── Header ── */}
+        <DialogHeader>
+          <div className="flex items-center gap-3">
+            <span
+              aria-hidden
+              className="relative grid h-9 w-9 shrink-0 place-items-center overflow-hidden rounded-xl
+                bg-[oklch(from_var(--color-primary)_l_c_h_/_0.12)]
+                text-[var(--color-primary)]
+                ring-1 ring-inset ring-[oklch(from_var(--color-primary)_l_c_h_/_0.18)]"
+            >
+              <Users className="h-[18px] w-[18px]" />
+            </span>
+            <div className="min-w-0">
+              <DialogTitle className="text-[16px]">New account</DialogTitle>
+            </div>
+          </div>
+          <DialogDescription className="mt-1">
+            The new user is created in the current tenant and emailed a confirmation link. Roles can
+            be assigned from the detail page after creation.
+          </DialogDescription>
+        </DialogHeader>
+
+        {/* ── Form ── */}
+        <form onSubmit={onSubmit}>
+          <DialogBody className="space-y-6">
+            {/* ── Identity section ── */}
+            <div className="space-y-3">
+              <SectionLabel
+                icon={UserIcon}
+                title="Identity"
+                description="Personal details and the username they'll use to sign in."
+              />
+              <div className="h-px bg-[var(--color-border)] opacity-60" />
+              <div className="space-y-4">
+                <div className="grid gap-4 sm:grid-cols-2">
+                  <Field
+                    id="cu-firstName"
+                    label="First name"
+                    required
+                    error={errors.firstName?.message}
+                  >
+                    <Input
+                      id="cu-firstName"
+                      autoComplete="given-name"
+                      aria-invalid={errors.firstName ? true : undefined}
+                      {...register("firstName")}
+                    />
+                  </Field>
+                  <Field
+                    id="cu-lastName"
+                    label="Last name"
+                    required
+                    error={errors.lastName?.message}
+                  >
+                    <Input
+                      id="cu-lastName"
+                      autoComplete="family-name"
+                      aria-invalid={errors.lastName ? true : undefined}
+                      {...register("lastName")}
+                    />
+                  </Field>
+                </div>
+
+                <Field
+                  id="cu-userName"
+                  label="Username"
+                  required
+                  hint="Letters, digits, dot, dash or underscore. 3–32 characters."
+                  error={errors.userName?.message}
+                >
+                  <Input
+                    id="cu-userName"
+                    placeholder="m.chen"
+                    autoComplete="off"
+                    className="font-mono"
+                    aria-invalid={errors.userName ? true : undefined}
+                    {...register("userName")}
+                  />
+                </Field>
+
+                <Field
+                  id="cu-email"
+                  label="Email"
+                  required
+                  error={errors.email?.message}
+                >
+                  <Input
+                    id="cu-email"
+                    type="email"
+                    placeholder="user@example.com"
+                    autoComplete="email"
+                    className="font-mono"
+                    aria-invalid={errors.email ? true : undefined}
+                    {...register("email")}
+                  />
+                </Field>
+
+                <Field
+                  id="cu-phoneNumber"
+                  label="Phone (optional)"
+                  error={errors.phoneNumber?.message}
+                >
+                  <Input
+                    id="cu-phoneNumber"
+                    type="tel"
+                    placeholder="+1 555 0100"
+                    autoComplete="tel"
+                    className="font-mono"
+                    {...register("phoneNumber")}
+                  />
+                </Field>
+              </div>
+            </div>
+
+            {/* ── Credentials section ── */}
+            <div className="space-y-3">
+              <SectionLabel
+                icon={KeyRound}
+                title="Credentials"
+                description="Initial password. The user is encouraged to change it on first sign-in."
+              />
+              <div className="h-px bg-[var(--color-border)] opacity-60" />
+              <div className="grid gap-4 sm:grid-cols-2">
+                <Field
+                  id="cu-password"
+                  label="Password"
+                  required
+                  error={errors.password?.message}
+                >
+                  <Input
+                    id="cu-password"
+                    type="password"
+                    autoComplete="new-password"
+                    className="font-mono"
+                    aria-invalid={errors.password ? true : undefined}
+                    {...register("password")}
+                  />
+                </Field>
+                <Field
+                  id="cu-confirmPassword"
+                  label="Confirm password"
+                  required
+                  error={errors.confirmPassword?.message}
+                >
+                  <Input
+                    id="cu-confirmPassword"
+                    type="password"
+                    autoComplete="new-password"
+                    className="font-mono"
+                    aria-invalid={errors.confirmPassword ? true : undefined}
+                    {...register("confirmPassword")}
+                  />
+                </Field>
+              </div>
+            </div>
+          </DialogBody>
+
+          {/* ── Footer ── */}
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={handleClose}
+              disabled={submitting}
+            >
+              Cancel
+            </Button>
+            <Button type="submit" disabled={submitting}>
+              {submitting ? "Creating…" : "Create account"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/clients/admin/src/hooks/use-file-upload.ts b/clients/admin/src/hooks/use-file-upload.ts
new file mode 100644
index 0000000000..4ed92c4c56
--- /dev/null
+++ b/clients/admin/src/hooks/use-file-upload.ts
@@ -0,0 +1,261 @@
+import { useCallback, useRef, useState } from "react";
+import {
+  finalizeUpload,
+  requestUploadUrl,
+  type FileAssetDto,
+  type RequestUploadUrlInput,
+  Visibility,
+  type VisibilityValue,
+} from "@/api/files";
+import { ApiRequestError } from "@/lib/api-client";
+
+export type UploadOptions = {
+  ownerType?: string;
+  ownerId?: string | null;
+  /**
+   * Server-side category — must match a key in appsettings Files:Categories (e.g. Image, Document,
+   * Archive). Can be a static string OR a function that picks the category per file based on its
+   * type/extension, so a single dropzone can accept multiple categories at once.
+   */
+  category: string | ((file: File) => string);
+  visibility?: VisibilityValue;
+  /**
+   * Optional client-side allowed extensions (lower-case, with leading dot, e.g. [".pdf", ".docx"]).
+   * Defense-in-depth: the server enforces this too. When omitted, only the server-side check runs.
+   */
+  allowedExtensions?: string[];
+  /** Optional client-side max bytes for an early reject. Server enforces too. */
+  maxBytes?: number;
+};
+
+export type UploadProgress = {
+  /** File-system name of the upload. */
+  fileName: string;
+  /** Total bytes the browser will PUT. */
+  totalBytes: number;
+  /** Bytes the browser has confirmed sent so far. */
+  loaded: number;
+  /** 0-100, never NaN. */
+  percent: number;
+  /** Lifecycle of the upload. `done` only after finalize succeeds. */
+  status: "preparing" | "uploading" | "finalizing" | "done" | "error";
+  /** Server-allocated id, populated after the upload-url call returns. */
+  fileAssetId?: string;
+  /** Populated when status === "error". */
+  error?: string;
+  /** Populated when status === "done". */
+  fileAsset?: FileAssetDto;
+};
+
+export type UseFileUploadResult = {
+  /** Begin a single upload. Resolves with the finalized FileAssetDto, or rejects on failure. */
+  upload: (file: File) => Promise<FileAssetDto>;
+  /** Live progress snapshot — re-renders the consumer on every change. */
+  progress: UploadProgress | null;
+  /** Convenience: true while the hook is mid-flight. */
+  isUploading: boolean;
+  /** Cancel an in-flight upload. */
+  cancel: () => void;
+  /** Clear progress so the consumer can re-arm for the next file. */
+  reset: () => void;
+};
+
+const DEFAULT_OPTIONS = {
+  ownerType: "MyFiles",
+  visibility: Visibility.Private,
+} satisfies Partial<UploadOptions>;
+
+/**
+ * Orchestrates the three-step presigned-upload protocol:
+ *   1. POST /api/v1/files/upload-url  — server mints presigned PUT + reserves a FileAsset row
+ *   2. PUT  <uploadUrl>                — browser pushes bytes straight to S3/MinIO (XHR for progress)
+ *   3. POST /api/v1/files/{id}/finalize — server HEADs the object, transitions to Available
+ *
+ * Progress is reported via the in-state `progress` snapshot — XMLHttpRequest is used (instead of fetch)
+ * because the Streams API for `fetch` upload progress is still gated behind flags on most browsers.
+ */
+export function useFileUpload(options: UploadOptions): UseFileUploadResult {
+  const [progress, setProgress] = useState<UploadProgress | null>(null);
+  const xhrRef = useRef<XMLHttpRequest | null>(null);
+  const cancelledRef = useRef(false);
+
+  const reset = useCallback(() => {
+    cancelledRef.current = false;
+    xhrRef.current = null;
+    setProgress(null);
+  }, []);
+
+  const cancel = useCallback(() => {
+    cancelledRef.current = true;
+    xhrRef.current?.abort();
+  }, []);
+
+  const upload = useCallback(
+    async (file: File): Promise<FileAssetDto> => {
+      cancelledRef.current = false;
+      const opts: UploadOptions = { ...DEFAULT_OPTIONS, ...options };
+
+      // ── Client-side guard rails (defense-in-depth) ─────────────
+      if (opts.allowedExtensions && opts.allowedExtensions.length > 0) {
+        const dot = file.name.lastIndexOf(".");
+        const ext = dot >= 0 ? file.name.slice(dot).toLowerCase() : "";
+        if (!opts.allowedExtensions.includes(ext)) {
+          const message = `Extension ${ext || "(none)"} is not allowed.`;
+          setProgress({
+            fileName: file.name,
+            totalBytes: file.size,
+            loaded: 0,
+            percent: 0,
+            status: "error",
+            error: message,
+          });
+          throw new Error(message);
+        }
+      }
+      if (opts.maxBytes !== undefined && file.size > opts.maxBytes) {
+        const message = `File is ${formatBytes(file.size)}; limit is ${formatBytes(opts.maxBytes)}.`;
+        setProgress({
+          fileName: file.name,
+          totalBytes: file.size,
+          loaded: 0,
+          percent: 0,
+          status: "error",
+          error: message,
+        });
+        throw new Error(message);
+      }
+
+      setProgress({
+        fileName: file.name,
+        totalBytes: file.size,
+        loaded: 0,
+        percent: 0,
+        status: "preparing",
+      });
+
+      // ── Step 1 — mint the presigned URL ─────────────────────────
+      const resolvedCategory =
+        typeof opts.category === "function" ? opts.category(file) : opts.category;
+      const requestInput: RequestUploadUrlInput = {
+        ownerType: opts.ownerType ?? DEFAULT_OPTIONS.ownerType,
+        ownerId: opts.ownerId ?? null,
+        fileName: file.name,
+        contentType: file.type || "application/octet-stream",
+        sizeBytes: file.size,
+        visibility: opts.visibility ?? DEFAULT_OPTIONS.visibility,
+        category: resolvedCategory,
+      };
+
+      let presigned;
+      try {
+        presigned = await requestUploadUrl(requestInput);
+      } catch (e) {
+        const message = describeError(e);
+        setProgress((p) =>
+          p ? { ...p, status: "error", error: message } : null,
+        );
+        throw e;
+      }
+      if (cancelledRef.current) throw new Error("Upload cancelled.");
+
+      setProgress((p) =>
+        p ? { ...p, status: "uploading", fileAssetId: presigned.fileAssetId } : null,
+      );
+
+      // ── Step 2 — PUT bytes via XHR for progress events ──────────
+      try {
+        await xhrPut(presigned.uploadUrl, file, presigned.requiredHeaders, (loaded, total) => {
+          const t = total || file.size;
+          setProgress((p) =>
+            p
+              ? {
+                  ...p,
+                  loaded,
+                  totalBytes: t,
+                  percent: t > 0 ? Math.min(99, Math.round((loaded / t) * 100)) : 0,
+                }
+              : null,
+          );
+        }, (xhr) => {
+          xhrRef.current = xhr;
+        });
+      } catch (e) {
+        const message = describeError(e);
+        setProgress((p) => (p ? { ...p, status: "error", error: message } : null));
+        throw e instanceof Error ? e : new Error(message);
+      }
+      if (cancelledRef.current) throw new Error("Upload cancelled.");
+
+      setProgress((p) => (p ? { ...p, status: "finalizing", percent: 99 } : null));
+
+      // ── Step 3 — finalize ──────────────────────────────────────
+      let dto: FileAssetDto;
+      try {
+        dto = await finalizeUpload(presigned.fileAssetId);
+      } catch (e) {
+        const message = describeError(e);
+        setProgress((p) => (p ? { ...p, status: "error", error: message } : null));
+        throw e;
+      }
+
+      setProgress((p) =>
+        p ? { ...p, status: "done", percent: 100, fileAsset: dto } : null,
+      );
+      xhrRef.current = null;
+      return dto;
+    },
+    [options],
+  );
+
+  return {
+    upload,
+    progress,
+    isUploading:
+      progress?.status === "preparing"
+      || progress?.status === "uploading"
+      || progress?.status === "finalizing",
+    cancel,
+    reset,
+  };
+}
+
+function xhrPut(
+  url: string,
+  body: Blob,
+  headers: Record<string, string>,
+  onProgress: (loaded: number, total: number) => void,
+  hookXhr: (xhr: XMLHttpRequest) => void,
+): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const xhr = new XMLHttpRequest();
+    xhr.open("PUT", url, true);
+    Object.entries(headers).forEach(([k, v]) => xhr.setRequestHeader(k, v));
+    hookXhr(xhr);
+
+    xhr.upload.onprogress = (e) => {
+      if (e.lengthComputable) onProgress(e.loaded, e.total);
+    };
+    xhr.onload = () => {
+      if (xhr.status >= 200 && xhr.status < 300) resolve();
+      else reject(new Error(`PUT failed: ${xhr.status} ${xhr.statusText || ""}`.trim()));
+    };
+    xhr.onerror = () => reject(new Error("Network error during upload."));
+    xhr.onabort = () => reject(new Error("Upload cancelled."));
+    xhr.send(body);
+  });
+}
+
+function describeError(e: unknown): string {
+  if (e instanceof ApiRequestError) {
+    return e.problem?.detail ?? e.problem?.title ?? e.message;
+  }
+  if (e instanceof Error) return e.message;
+  return "Unknown error";
+}
+
+export function formatBytes(bytes: number): string {
+  if (bytes < 1024) return `${bytes} B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
diff --git a/clients/admin/src/pages/audits/detail.tsx b/clients/admin/src/pages/audits/detail.tsx
index f38701682f..96f6f1b185 100644
--- a/clients/admin/src/pages/audits/detail.tsx
+++ b/clients/admin/src/pages/audits/detail.tsx
@@ -1,144 +1,181 @@
 import { useMemo, useState } from "react";
-import { useNavigate, useParams } from "react-router-dom";
 import { useQuery } from "@tanstack/react-query";
 import {
   AlertTriangle,
-  ArrowLeft,
   Check,
   ClipboardCheck,
   Copy,
   FileText,
   Fingerprint,
+  ScrollText,
+  X,
 } from "lucide-react";
 import { getAudit, type AuditDetailDto } from "@/api/audits";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
-import { PageHeader, ErrorBand, LoadingRow } from "@/components/list";
+import { ErrorBand, LoadingRow } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
+import {
+  Sheet,
+  SheetContent,
+} from "@/components/ui/dialog";
 import { cn } from "@/lib/cn";
 
-/**
- * Audit detail — forensic record view.
- *
- * Layout is purpose-built for the data shape (12+ short metadata fields
- * + one large JSON payload) rather than the generic FormShell aside-rail
- * pattern, which left huge horizontal whitespace and let long stack-trace
- * lines blow out the page width.
- *
- * Sections, top to bottom:
- *   1. Identity strip — h1 + event-type + severity chips + occurred-at
- *   2. Correlation strip — trace / span / correlation / request IDs as
- *      copyable chips. Operators paste these into Grafana / Loki / Jaeger
- *      as their first move, so they get top billing.
- *   3. Context grid — auto-fit fact tiles for everything else.
- *   4. Payload viewer — full-width JSON pane with bounded inner scroll
- *      (both axes) so no payload, however ugly, ever pushes the page wider
- *      than the viewport.
- *
- * Page caps at `max-w-7xl mx-auto` so it doesn't sprawl on ultra-wide
- * monitors; sections themselves are full width inside that cap.
- */
-export function AuditDetailPage() {
-  const { id } = useParams<{ id: string }>();
-  const navigate = useNavigate();
+// ─────────────────────────────────────────────────────────────────────────
+// AuditDetailSheet — side sheet shown when an audit row is clicked on the
+// list page. Fetches the full record by id and renders the same 4 sections
+// the old full-page route showed.
+// ─────────────────────────────────────────────────────────────────────────
+
+export interface AuditDetailSheetProps {
+  /** The audit id to load, or null / undefined when the sheet is closed. */
+  auditId: string | null | undefined;
+  onClose: () => void;
+}
+
+export function AuditDetailSheet({ auditId, onClose }: AuditDetailSheetProps) {
+  const open = Boolean(auditId);
+
+  return (
+    <Sheet open={open} onOpenChange={(v) => !v && onClose()}>
+      <SheetContent
+        side="right"
+        showClose={false}
+        className="w-[min(640px,95vw)] max-w-none overflow-hidden p-0"
+      >
+        <AuditDetailSheetBody auditId={auditId ?? null} onClose={onClose} />
+      </SheetContent>
+    </Sheet>
+  );
+}
+
+// ─────────────────────────────────────────────────────────────────────────
+// Inner body — data-fetch + layout. Exported so it can be composed
+// independently if needed.
+// ─────────────────────────────────────────────────────────────────────────
 
+export function AuditDetailSheetBody({
+  auditId,
+  onClose,
+}: {
+  auditId: string | null;
+  onClose: () => void;
+}) {
   const query = useQuery({
-    queryKey: ["audits", id],
-    queryFn: () => getAudit(id!),
-    enabled: Boolean(id),
+    queryKey: ["audits", auditId],
+    queryFn: () => getAudit(auditId!),
+    enabled: Boolean(auditId),
+    staleTime: 60_000,
   });
 
   const event = query.data;
 
   return (
-    <div className="mx-auto w-full max-w-7xl space-y-6">
-      <PageHeader
-        crumbs={[
-          { label: "\\ Audits" },
-          { label: id ? `${id.slice(0, 8)}…` : "—", muted: true },
-        ]}
-        trailing={event ? formatEventType(event.eventType).toUpperCase() : "—"}
-        title={event ? `${formatEventType(event.eventType)} event` : "Audit event"}
-        description={
-          event
-            ? "Forensic record · captured by the audit pipeline. Use the correlation strip below to cross-reference logs and traces."
-            : "Loading event details…"
-        }
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate(-1)}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Back
-          </Button>
-        }
-      />
-
-      {query.isError && (
-        <ErrorBand
-          message={
-            query.error instanceof ApiRequestError
-              ? query.error.problem?.detail ?? query.error.message
-              : "Failed to load event."
-          }
-        />
-      )}
+    <div className="flex h-full flex-col">
+      {/* Header */}
+      <div className="flex items-start justify-between gap-3 border-b border-[var(--color-border)] px-6 py-5">
+        <div className="flex items-center gap-2.5">
+          <span className="grid h-8 w-8 shrink-0 place-items-center rounded-lg bg-[var(--color-muted)]">
+            <ScrollText className="h-4 w-4 text-[var(--color-muted-foreground)]" />
+          </span>
+          <div>
+            <div className="text-[13px] font-semibold leading-tight tracking-tight text-[var(--color-foreground)]">
+              {event ? `${formatEventType(event.eventType)} event` : "Audit event"}
+            </div>
+            <div className="mt-0.5 font-mono text-[10.5px] text-[var(--color-muted-foreground)]">
+              {event ? formatTimestamp(event.occurredAtUtc) : "Loading…"}
+            </div>
+          </div>
+        </div>
+        <button
+          type="button"
+          aria-label="Close"
+          onClick={onClose}
+          className={cn(
+            "grid h-7 w-7 shrink-0 place-items-center rounded-md",
+            "text-[var(--color-muted-foreground)] transition-colors",
+            "hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+            "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          )}
+        >
+          <X className="h-4 w-4" />
+        </button>
+      </div>
 
-      {query.isLoading && !event && <LoadingRow label="Loading event" />}
+      {/* Scrollable body */}
+      <div className="min-h-0 flex-1 overflow-y-auto">
+        {query.isLoading && !event && (
+          <div className="p-6">
+            <LoadingRow label="Loading event" />
+          </div>
+        )}
 
-      {event && (
-        <>
-          <IdentityBand event={event} />
-          <CorrelationBand event={event} />
-          <ContextGrid event={event} />
-          <PayloadPanel payload={event.payload} />
-        </>
-      )}
+        {query.isError && (
+          <div className="p-6">
+            <ErrorBand
+              message={
+                query.error instanceof ApiRequestError
+                  ? query.error.problem?.detail ?? query.error.message
+                  : "Failed to load event."
+              }
+            />
+          </div>
+        )}
+
+        {event && (
+          <div className="space-y-0 divide-y divide-[var(--color-border)]">
+            <IdentityBand event={event} />
+            <CorrelationBand event={event} />
+            <ContextGrid event={event} />
+            <PayloadPanel payload={event.payload} />
+          </div>
+        )}
+      </div>
     </div>
   );
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-// 1. Identity band — first thing the operator reads. eventType + severity
-//    chips, the source line, and a quick contextual line. Acts like a
-//    rich page subtitle and gives the page its sense of identity at a
-//    glance without making the user scan a metadata table first.
+// 1. Identity band — eventType + severity chips, the source line.
 // ─────────────────────────────────────────────────────────────────────────
 
 function IdentityBand({ event }: { event: AuditDetailDto }) {
   const sev = severityTone(event.severity);
   const eventLabel = formatEventType(event.eventType);
   return (
-    <section
-      className="card-shell flex flex-wrap items-center gap-x-5 gap-y-3 px-5 py-4 sm:px-6"
-      aria-label="Event identity"
-    >
-      <Badge
-        variant={eventTypeVariant(eventLabel)}
-        className="font-mono uppercase tracking-[0.16em]"
-      >
-        {eventLabel}
-      </Badge>
-      <Badge
-        variant={sev.variant}
-        className="font-mono uppercase tracking-[0.16em]"
-      >
-        {event.severity}
-      </Badge>
-      {event.source && (
-        <span className="min-w-0 truncate font-mono text-[12px] text-[var(--color-muted-foreground)]">
-          <span className="opacity-60">source · </span>
-          <span className="text-[var(--color-foreground)]">{event.source}</span>
+    <div className="px-6 py-4" aria-label="Event identity">
+      <div className="mb-2 font-mono text-[10px] font-medium uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+        Identity
+      </div>
+      <div className="flex flex-wrap items-center gap-x-5 gap-y-2">
+        <Badge
+          variant={eventTypeVariant(eventLabel)}
+          className="font-mono uppercase tracking-[0.16em]"
+        >
+          {eventLabel}
+        </Badge>
+        <Badge
+          variant={sev.variant}
+          className="font-mono uppercase tracking-[0.16em]"
+        >
+          {event.severity}
+        </Badge>
+        {event.source && (
+          <span className="min-w-0 truncate font-mono text-[12px] text-[var(--color-muted-foreground)]">
+            <span className="opacity-60">source · </span>
+            <span className="text-[var(--color-foreground)]">{event.source}</span>
+          </span>
+        )}
+        <span className="ml-auto shrink-0 font-mono text-[11px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
+          {formatTimestamp(event.occurredAtUtc)}
         </span>
-      )}
-      <span className="ml-auto shrink-0 font-mono text-[11px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
-        {formatTimestamp(event.occurredAtUtc)}
-      </span>
-    </section>
+      </div>
+    </div>
   );
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-// 2. Correlation band — the most-used widget on the page. Each chip is a
-//    self-contained copy-to-clipboard target so operators can fire IDs
-//    into Grafana / Loki / Jaeger without text-selecting from a table row.
+// 2. Correlation band — copyable ID chips.
 // ─────────────────────────────────────────────────────────────────────────
 
 function CorrelationBand({ event }: { event: AuditDetailDto }) {
@@ -150,28 +187,28 @@ function CorrelationBand({ event }: { event: AuditDetailDto }) {
   ];
 
   return (
-    <section className="card-shell overflow-hidden" aria-label="Correlation identifiers">
-      <header className="flex items-center justify-between gap-3 border-b border-[var(--color-border)] px-5 py-3 sm:px-6">
-        <span className="flex items-center gap-2 font-mono text-[10.5px] uppercase tracking-[0.22em]">
-          <Fingerprint className="h-3 w-3 text-[var(--color-accent-signal)]" aria-hidden />
-          {"\\ Correlation"}
+    <div className="px-6 py-4">
+      <div className="mb-2 flex items-center gap-1.5">
+        <Fingerprint className="h-3.5 w-3.5 text-[var(--color-muted-foreground)]" />
+        <span className="font-mono text-[10px] font-medium uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+          Correlation
         </span>
-        <span className="text-[10.5px] text-[var(--color-muted-foreground)]">
-          paste into your observability stack
+        <span className="ml-1 text-[10.5px] text-[var(--color-muted-foreground)]">
+          — paste into your observability stack
         </span>
-      </header>
-      <div className="grid grid-cols-1 divide-y divide-[var(--color-border)] sm:grid-cols-2 sm:divide-x sm:divide-y-0 lg:grid-cols-4 lg:divide-y-0">
+      </div>
+      <div className="grid grid-cols-1 gap-1 sm:grid-cols-2">
         {slots.map((s) => (
           <CorrelationChip key={s.label} label={s.label} value={s.value ?? null} />
         ))}
       </div>
-    </section>
+    </div>
   );
 }
 
 function CorrelationChip({ label, value }: { label: string; value: string | null }) {
   const [copied, setCopied] = useState(false);
-  const hasValue = value && value !== "—";
+  const hasValue = Boolean(value && value !== "—");
 
   const onCopy = async () => {
     if (!hasValue) return;
@@ -190,18 +227,18 @@ function CorrelationChip({ label, value }: { label: string; value: string | null
       onClick={onCopy}
       disabled={!hasValue}
       className={cn(
-        "group/chip flex min-w-0 items-start gap-3 px-5 py-3.5 text-left transition-colors sm:px-6",
+        "group/chip flex min-w-0 items-start gap-3 rounded-lg border border-[var(--color-border)] px-3 py-2.5 text-left transition-colors",
         hasValue
           ? "hover:bg-[var(--color-muted)]/50"
           : "opacity-60",
       )}
       aria-label={hasValue ? `Copy ${label}` : `${label} not available`}
     >
-      <div className="min-w-0 flex-1 space-y-1">
-        <div className="meta truncate text-[var(--color-muted-foreground)]">
+      <div className="min-w-0 flex-1 space-y-0.5">
+        <div className="font-mono text-[10px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
           {label}
         </div>
-        <div className="truncate font-mono text-[12px] text-[var(--color-foreground)]">
+        <div className="truncate font-mono text-[11.5px] text-[var(--color-foreground)]">
           {hasValue ? value : "—"}
         </div>
       </div>
@@ -209,12 +246,12 @@ function CorrelationChip({ label, value }: { label: string; value: string | null
         <span
           aria-hidden
           className={cn(
-            "grid h-6 w-6 shrink-0 place-items-center rounded-md text-[var(--color-muted-foreground)] transition-all",
+            "grid h-5 w-5 shrink-0 place-items-center rounded text-[var(--color-muted-foreground)] transition-all",
             "opacity-0 group-hover/chip:opacity-100 group-focus-visible/chip:opacity-100",
             copied && "opacity-100 text-[var(--color-success)]",
           )}
         >
-          {copied ? <Check className="h-3.5 w-3.5" /> : <Copy className="h-3.5 w-3.5" />}
+          {copied ? <Check className="h-3 w-3" /> : <Copy className="h-3 w-3" />}
         </span>
       )}
     </button>
@@ -222,9 +259,7 @@ function CorrelationChip({ label, value }: { label: string; value: string | null
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-// 3. Context grid — auto-fit fact tiles. minmax(15rem, 1fr) gives ~4 cols
-//    on a wide editor pane, ~2 on a tablet, ~1 on phone, without any
-//    media queries. Each tile is self-contained so it can wrap freely.
+// 3. Context grid — who/where/when fact tiles.
 // ─────────────────────────────────────────────────────────────────────────
 
 function ContextGrid({ event }: { event: AuditDetailDto }) {
@@ -244,25 +279,22 @@ function ContextGrid({ event }: { event: AuditDetailDto }) {
   ];
 
   return (
-    <section className="card-shell overflow-hidden" aria-label="Event context">
-      <header className="flex items-center justify-between gap-3 border-b border-[var(--color-border)] px-5 py-3 sm:px-6">
-        <span className="flex items-center gap-2 font-mono text-[10.5px] uppercase tracking-[0.22em]">
-          <AlertTriangle className="h-3 w-3 text-[var(--color-accent-signal)]" aria-hidden />
-          {"\\ Context"}
-        </span>
-        <span className="text-[10.5px] text-[var(--color-muted-foreground)]">
-          who, where, when — the surrounding facts
+    <div className="px-6 py-4">
+      <div className="mb-2 flex items-center gap-1.5">
+        <AlertTriangle className="h-3.5 w-3.5 text-[var(--color-muted-foreground)]" />
+        <span className="font-mono text-[10px] font-medium uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+          Context
         </span>
-      </header>
+      </div>
       <div
-        className="grid gap-px bg-[var(--color-border)]"
-        style={{ gridTemplateColumns: "repeat(auto-fit, minmax(15rem, 1fr))" }}
+        className="grid gap-2"
+        style={{ gridTemplateColumns: "repeat(auto-fit, minmax(13rem, 1fr))" }}
       >
         {tiles.map((t) => (
           <FactTile key={t.label} label={t.label} value={t.value} mono={t.mono} />
         ))}
       </div>
-    </section>
+    </div>
   );
 }
 
@@ -276,12 +308,14 @@ function FactTile({
   mono?: boolean;
 }) {
   return (
-    <div className="min-w-0 space-y-1 bg-[var(--color-card)] px-5 py-3.5 sm:px-6">
-      <div className="meta text-[var(--color-muted-foreground)]">{label}</div>
+    <div className="min-w-0 space-y-1 rounded-lg border border-[var(--color-border)] bg-[var(--color-surface-1)] px-3 py-2.5">
+      <div className="font-mono text-[10px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
+        {label}
+      </div>
       <div
         className={cn(
           "min-w-0 break-words text-sm text-[var(--color-foreground)]",
-          mono && "font-mono text-[12.5px]",
+          mono && "font-mono text-[12px]",
         )}
       >
         {value}
@@ -291,13 +325,7 @@ function FactTile({
 }
 
 // ─────────────────────────────────────────────────────────────────────────
-// 4. Payload — full-width JSON pane.
-//
-//    The width-blowout fix is `min-w-0` on the OUTER section. Without it,
-//    the inner <pre> (whitespace: pre, default) reports its natural width
-//    to the parent grid/flex which then exceeds the page, forcing a
-//    horizontal scroll on the whole document. With min-w-0 in place the
-//    pre's own overflow-x:auto correctly takes over.
+// 4. Payload — JSON pane with copy button.
 // ─────────────────────────────────────────────────────────────────────────
 
 function PayloadPanel({ payload }: { payload: unknown }) {
@@ -317,43 +345,33 @@ function PayloadPanel({ payload }: { payload: unknown }) {
   const lineCount = useMemo(() => json.split("\n").length, [json]);
 
   return (
-    <section className="card-shell min-w-0 overflow-hidden" aria-label="Payload">
-      <header className="flex flex-wrap items-center justify-between gap-3 border-b border-[var(--color-border)] px-5 py-3 sm:px-6">
-        <span className="flex items-center gap-2 font-mono text-[10.5px] uppercase tracking-[0.22em]">
-          <FileText className="h-3 w-3 text-[var(--color-accent-signal)]" aria-hidden />
-          {"\\ Payload"}
-        </span>
-        <div className="flex items-center gap-3">
-          <span className="font-mono text-[10.5px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
-            application/json · {lineCount} lines
+    <div className="px-6 py-4">
+      <div className="mb-2 flex items-center justify-between gap-2">
+        <div className="flex items-center gap-1.5">
+          <FileText className="h-3.5 w-3.5 text-[var(--color-muted-foreground)]" />
+          <span className="font-mono text-[10px] font-medium uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
+            Payload
+          </span>
+          <span className="text-[10.5px] text-[var(--color-muted-foreground)]">
+            · {lineCount} lines
           </span>
-          <Button variant="ghost" size="sm" onClick={copy} className="h-7 px-2 text-xs">
-            {copied ? (
-              <>
-                <ClipboardCheck className="mr-1 h-3.5 w-3.5" /> Copied
-              </>
-            ) : (
-              <>
-                <Copy className="mr-1 h-3.5 w-3.5" /> Copy
-              </>
-            )}
-          </Button>
         </div>
-      </header>
-
-      {/* Gutter + scrollable code. The outer wrapper sets `min-w-0` so the
-          page never widens past the viewport regardless of payload shape;
-          the inner <pre> then scrolls horizontally on its own. */}
-      <div className="min-w-0 bg-[var(--color-surface-2)]">
-        <pre
-          className={cn(
-            "max-h-[70vh] min-w-0 overflow-auto px-5 py-4 font-mono text-[12px] leading-relaxed text-[var(--color-foreground)] sm:px-6",
+        <Button variant="ghost" size="sm" onClick={copy} className="h-6 px-2 text-[11px]">
+          {copied ? (
+            <>
+              <ClipboardCheck className="mr-1 h-3 w-3" /> Copied
+            </>
+          ) : (
+            <>
+              <Copy className="mr-1 h-3 w-3" /> Copy
+            </>
           )}
-        >
-          <code>{json}</code>
-        </pre>
+        </Button>
       </div>
-    </section>
+      <pre className="max-h-[50vh] overflow-auto rounded-lg border border-[var(--color-border)] bg-[var(--color-surface-2)] px-4 py-3 font-mono text-[11.5px] leading-relaxed text-[var(--color-foreground)]">
+        <code>{json}</code>
+      </pre>
+    </div>
   );
 }
 
@@ -362,9 +380,6 @@ function PayloadPanel({ payload }: { payload: unknown }) {
 // ─────────────────────────────────────────────────────────────────────────
 
 function formatEventType(raw: unknown): string {
-  // Defensive — the API boundary coerces to a string union, but if an
-  // unknown shape ever sneaks through we render something instead of
-  // crashing on .toUpperCase().
   return typeof raw === "string" && raw.length > 0 ? raw : "Event";
 }
 
diff --git a/clients/admin/src/pages/audits/list.tsx b/clients/admin/src/pages/audits/list.tsx
index 0f2b11a243..cf50c91e65 100644
--- a/clients/admin/src/pages/audits/list.tsx
+++ b/clients/admin/src/pages/audits/list.tsx
@@ -1,5 +1,5 @@
 import { useMemo, useState, useEffect } from "react";
-import { useNavigate, useSearchParams } from "react-router-dom";
+import { useSearchParams } from "react-router-dom";
 import { useQuery, keepPreviousData } from "@tanstack/react-query";
 import { ChevronRight, RefreshCw, ScrollText, X } from "lucide-react";
 import {
@@ -16,7 +16,7 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Badge } from "@/components/ui/badge";
 import {
-  PageHeader,
+  EntityPageHeader,
   ErrorBand,
   Pagination,
   StatStrip,
@@ -28,6 +28,7 @@ import {
 import { EmptyState } from "@/components/empty-state";
 import { ApiRequestError } from "@/lib/api-client";
 import { AuditingPermissions } from "@/lib/permissions";
+import { AuditDetailSheet } from "@/pages/audits/detail";
 import { cn } from "@/lib/cn";
 
 const PAGE_SIZE = 25;
@@ -37,8 +38,8 @@ const PAGE_SIZE = 25;
 const SEARCH_DEBOUNCE_MS = 250;
 
 export function AuditsListPage() {
-  const navigate = useNavigate();
   const { user } = useAuth();
+  const [selectedId, setSelectedId] = useState<string | null>(null);
   const [params, setParams] = useSearchParams();
 
   const canCrossTenant = (user?.permissions ?? []).includes(
@@ -125,27 +126,24 @@ export function AuditsListPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Audits" }, { label: "Trail", muted: true }]}
-        trailing={
-          data
-            ? `${data.totalCount.toLocaleString()} EVENTS`
-            : "—"
-        }
+      <EntityPageHeader
+        icon={ScrollText}
         title="Audit trail"
+        total={data?.totalCount ?? null}
+        unit="event"
         description="Every security action, entity change, and exception captured by the auditing pipeline. Filter by event type, severity, or correlation id to follow a request end-to-end."
-        actions={
-          <Button
-            variant="outline"
-            size="sm"
-            disabled={query.isFetching}
-            onClick={() => query.refetch()}
-          >
-            <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
-            Refresh
-          </Button>
-        }
-      />
+      >
+        <Button
+          variant="outline"
+          size="sm"
+          disabled={query.isFetching}
+          onClick={() => query.refetch()}
+          className="flex-1 sm:flex-none"
+        >
+          <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
+          Refresh
+        </Button>
+      </EntityPageHeader>
 
       <StatStrip cols={4}>
         <Stat label="Total events" value={summary.isLoading ? "—" : summaryStats.total.toLocaleString()} hint="across all event types" />
@@ -243,7 +241,7 @@ export function AuditsListPage() {
       {items.length > 0 && (
         <ol className="divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
           {items.map((event) => (
-            <AuditRow key={event.id} event={event} onClick={() => navigate(`/audits/${event.id}`)} />
+            <AuditRow key={event.id} event={event} onClick={() => setSelectedId(event.id)} />
           ))}
         </ol>
       )}
@@ -262,6 +260,9 @@ export function AuditsListPage() {
           noun="events"
         />
       )}
+
+      {/* Audit detail side sheet */}
+      <AuditDetailSheet auditId={selectedId} onClose={() => setSelectedId(null)} />
     </div>
   );
 }
diff --git a/clients/admin/src/pages/auth/confirm-email.tsx b/clients/admin/src/pages/auth/confirm-email.tsx
index 3348e00c9e..b67b59c01e 100644
--- a/clients/admin/src/pages/auth/confirm-email.tsx
+++ b/clients/admin/src/pages/auth/confirm-email.tsx
@@ -1,8 +1,7 @@
 import { useEffect, useState } from "react";
 import { Link, useSearchParams } from "react-router-dom";
-import { AlertCircle, CheckCircle2, Loader2 } from "lucide-react";
+import { AlertCircle, ArrowRight, CheckCircle2, Loader2 } from "lucide-react";
 import { Button } from "@/components/ui/button";
-import { AuthShell } from "@/components/auth/auth-shell";
 import { confirmEmail } from "@/api/users";
 import { ApiRequestError } from "@/lib/api-client";
 
@@ -15,9 +14,9 @@ type Status =
  * Confirm-email landing — admin variant.
  *
  * Same shape as the dashboard's: auto-fire GET on mount, surface stable
- * success or failure state with recovery affordances. Uses the admin's
- * editorial split-screen shell so the page reads as part of the same
- * surface as the login page.
+ * success or failure state with recovery affordances. Uses the unified
+ * centered-card auth shell so the page reads as part of the same surface
+ * as the login and other auth pages.
  */
 export function ConfirmEmailPage() {
   const [params] = useSearchParams();
@@ -63,88 +62,147 @@ export function ConfirmEmailPage() {
   }, [userId, code, tenant, malformed]);
 
   return (
-    <AuthShell
-      crumbLeft="// VERIFY EMAIL"
-      crumbRight={
-        status.kind === "loading"
-          ? "validating…"
-          : status.kind === "success"
-            ? "confirmed"
-            : "failed"
-      }
-      blurb={
-        status.kind === "loading"
-          ? "Checking the confirmation token with the server."
-          : status.kind === "success"
-            ? "Your email is now verified for this tenant."
-            : "We couldn't verify that confirmation token."
-      }
-    >
-      {status.kind === "loading" && (
-        <div className="space-y-4 py-2 text-center">
-          <div className="grid place-items-center pt-1">
-            <span
-              aria-hidden
-              className="grid h-12 w-12 place-items-center rounded-full border border-[var(--color-border)] bg-[var(--color-muted)] text-[var(--color-muted-foreground)]"
-            >
-              <Loader2 className="h-5 w-5 animate-spin" />
+    <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-[var(--color-background)] px-5 py-8 sm:py-12">
+      {/* Atmospheric background orbs */}
+      <div className="pointer-events-none absolute inset-0" aria-hidden>
+        <div
+          className="absolute -top-[25%] -left-[15%] h-[70vw] w-[70vw] rounded-full blur-[140px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.05)" }}
+        />
+        <div
+          className="absolute -bottom-[20%] -right-[10%] h-[55vw] w-[55vw] rounded-full blur-[120px]"
+          style={{ backgroundColor: "oklch(from var(--color-saffron, var(--color-primary)) l c h / 0.07)" }}
+        />
+        <div
+          className="absolute top-[10%] right-[5%] h-[30vw] w-[30vw] rounded-full blur-[80px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.025)" }}
+        />
+      </div>
+
+      {/* Card column */}
+      <div className="relative z-10 w-full max-w-[420px] fsh-enter fsh-enter-1">
+        {/* Brand lockup */}
+        <div className="mb-8 flex flex-col items-center">
+          <div className="flex items-center gap-2.5">
+            <img
+              src="/logo-fullstackhero.png"
+              alt="FullStackHero"
+              className="size-9 object-contain"
+            />
+            <span className="font-display text-[26px] font-semibold tracking-tight text-[var(--color-foreground)]">
+              fullstack<span className="text-[var(--color-primary)]">hero</span>
             </span>
           </div>
+          <div className="mt-3 flex items-center gap-2 text-[10px] font-semibold uppercase tracking-[0.2em] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+            <span>.NET 10 Starter Kit</span>
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+          </div>
         </div>
-      )}
 
-      {status.kind === "success" && (
-        <div className="space-y-5">
-          <div className="grid place-items-center">
-            <span
-              aria-hidden
-              className="grid h-12 w-12 place-items-center rounded-full border border-[oklch(from_var(--color-success)_l_c_h_/_0.30)] bg-[oklch(from_var(--color-success)_l_c_h_/_0.10)] text-[var(--color-success)]"
-            >
-              <CheckCircle2 className="h-5 w-5" />
-            </span>
+        {/* Status card */}
+        <div className="rounded-xl border border-[var(--color-border)] bg-[oklch(from_var(--color-card)_l_c_h_/_0.85)] shadow-[0_1px_3px_oklch(0_0_0_/_0.04),0_8px_24px_oklch(0_0_0_/_0.06)] backdrop-blur-xl">
+          <div className="px-6 py-7 sm:px-8 sm:py-9">
+            {status.kind === "loading" && (
+              <div className="space-y-5 text-center">
+                <div className="grid place-items-center">
+                  <span
+                    aria-hidden
+                    className="grid size-14 place-items-center rounded-2xl bg-[var(--color-muted)] text-[var(--color-muted-foreground)]"
+                  >
+                    <Loader2 className="size-6 animate-spin" />
+                  </span>
+                </div>
+                <div>
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Verifying your{" "}
+                    <span className="text-[var(--color-primary)]">email…</span>
+                  </h1>
+                  <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    One moment — checking the confirmation token with the server.
+                  </p>
+                </div>
+              </div>
+            )}
+
+            {status.kind === "success" && (
+              <div className="fsh-enter space-y-5 text-center">
+                <div className="grid place-items-center">
+                  <span
+                    aria-hidden
+                    className="grid size-14 place-items-center rounded-2xl bg-[oklch(from_var(--color-success)_l_c_h_/_0.10)] text-[var(--color-success)]"
+                  >
+                    <CheckCircle2 className="size-6" />
+                  </span>
+                </div>
+                <div>
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Email{" "}
+                    <span className="text-[var(--color-primary)]">confirmed</span>
+                  </h1>
+                  <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    {status.message}
+                  </p>
+                </div>
+                <Link to="/login" className="block">
+                  <Button type="button" className="group h-11 w-full text-[14px] font-semibold">
+                    <span>Continue to sign in</span>
+                    <ArrowRight className="size-[14px] opacity-60 transition-all duration-200 group-hover:translate-x-0.5 group-hover:opacity-100" />
+                  </Button>
+                </Link>
+              </div>
+            )}
+
+            {status.kind === "error" && (
+              <div className="fsh-enter space-y-5 text-center">
+                <div className="grid place-items-center">
+                  <span
+                    aria-hidden
+                    className="grid size-14 place-items-center rounded-2xl bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.10)] text-[var(--color-destructive)]"
+                  >
+                    <AlertCircle className="size-6" />
+                  </span>
+                </div>
+                <div>
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Couldn't{" "}
+                    <span className="text-[var(--color-primary)]">confirm</span>{" "}
+                    your email
+                  </h1>
+                  <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    {status.message}
+                  </p>
+                  <p className="mt-2 text-[12px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    The link may have expired or been used already. If you've signed in since
+                    this email was sent, you can ignore it.
+                  </p>
+                </div>
+                <div className="flex items-center justify-center gap-2 pt-1">
+                  <Link to="/login">
+                    <Button type="button" variant="outline">
+                      Back to sign in
+                    </Button>
+                  </Link>
+                  <Link to="/forgot-password">
+                    <Button type="button" variant="ghost">
+                      Reset password instead
+                    </Button>
+                  </Link>
+                </div>
+              </div>
+            )}
           </div>
-          <p className="text-center text-sm leading-relaxed text-[var(--color-muted-foreground)]">
-            {status.message}
-          </p>
-          <Link to="/login" className="block">
-            <Button type="button" variant="signal" className="w-full">
-              Continue to sign in →
-            </Button>
-          </Link>
         </div>
-      )}
 
-      {status.kind === "error" && (
-        <div className="space-y-5">
-          <div className="grid place-items-center">
-            <span
-              aria-hidden
-              className="grid h-12 w-12 place-items-center rounded-full border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.10)] text-[var(--color-destructive)]"
-            >
-              <AlertCircle className="h-5 w-5" />
-            </span>
-          </div>
-          <p className="text-center text-sm leading-relaxed text-[var(--color-muted-foreground)]">
-            {status.message}
-          </p>
-          <p className="text-center text-xs leading-relaxed text-[var(--color-muted-foreground)]">
-            The link may have expired or been used already. If you've signed in since
-            this email was sent, you can ignore it.
-          </p>
-          <div className="flex items-center gap-2">
-            <Link to="/login">
-              <Button type="button" variant="outline">
-                Back to sign in
-              </Button>
-            </Link>
-            <Link to="/forgot-password" className="ml-auto">
-              <Button type="button" variant="ghost">
-                Reset password instead
-              </Button>
-            </Link>
-          </div>
+        <div className="mt-6 text-center">
+          <Link
+            to="/login"
+            className="text-[12.5px] text-[var(--color-muted-foreground)] underline-offset-4 hover:text-[var(--color-foreground)] hover:underline"
+          >
+            ← Back to sign in
+          </Link>
         </div>
-      )}
-    </AuthShell>
+      </div>
+    </div>
   );
 }
diff --git a/clients/admin/src/pages/auth/forgot-password.tsx b/clients/admin/src/pages/auth/forgot-password.tsx
index ba2ab5fbaf..4264153963 100644
--- a/clients/admin/src/pages/auth/forgot-password.tsx
+++ b/clients/admin/src/pages/auth/forgot-password.tsx
@@ -1,14 +1,23 @@
 import { useState, type FormEvent } from "react";
 import { Link, Navigate } from "react-router-dom";
 import { useMutation } from "@tanstack/react-query";
-import { AlertCircle, Check, MailCheck } from "lucide-react";
+import {
+  AlertCircle,
+  ArrowRight,
+  Building2,
+  Check,
+  Loader2,
+  Mail,
+  MailCheck,
+  ShieldCheck,
+} from "lucide-react";
 import { useAuth } from "@/auth/use-auth";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
-import { AuthShell } from "@/components/auth/auth-shell";
 import { requestPasswordReset } from "@/api/users";
 import { ApiRequestError } from "@/lib/api-client";
+import { cn } from "@/lib/cn";
 import { env } from "@/env";
 
 /**
@@ -46,124 +55,218 @@ export function ForgotPasswordPage() {
   };
 
   return (
-    <AuthShell
-      crumbLeft="// RECOVER ACCOUNT"
-      crumbRight="issue reset token"
-      blurb={
-        submitted
-          ? "We routed a reset link to that mailbox. Hit your inbox."
-          : "Enter the email + tenant you sign in with. We'll dispatch a one-time reset link."
-      }
-    >
-      {submitted ? (
-        <div className="fsh-enter space-y-5">
-          <div className="grid place-items-center">
-            <span
-              aria-hidden
-              className="grid h-12 w-12 place-items-center rounded-full border border-[oklch(from_var(--color-success)_l_c_h_/_0.30)] bg-[oklch(from_var(--color-success)_l_c_h_/_0.10)] text-[var(--color-success)]"
-            >
-              <MailCheck className="h-5 w-5" />
+    <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-[var(--color-background)] px-5 py-8 sm:py-12">
+      {/* Atmospheric background orbs */}
+      <div className="pointer-events-none absolute inset-0" aria-hidden>
+        <div
+          className="absolute -top-[25%] -left-[15%] h-[70vw] w-[70vw] rounded-full blur-[140px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.05)" }}
+        />
+        <div
+          className="absolute -bottom-[20%] -right-[10%] h-[55vw] w-[55vw] rounded-full blur-[120px]"
+          style={{ backgroundColor: "oklch(from var(--color-saffron, var(--color-primary)) l c h / 0.07)" }}
+        />
+        <div
+          className="absolute top-[10%] right-[5%] h-[30vw] w-[30vw] rounded-full blur-[80px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.025)" }}
+        />
+      </div>
+
+      {/* Card column */}
+      <div className="relative z-10 w-full max-w-[420px] fsh-enter fsh-enter-1">
+        {/* Brand lockup */}
+        <div className="mb-8 flex flex-col items-center">
+          <div className="flex items-center gap-2.5">
+            <img
+              src="/logo-fullstackhero.png"
+              alt="FullStackHero"
+              className="size-9 object-contain"
+            />
+            <span className="font-display text-[26px] font-semibold tracking-tight text-[var(--color-foreground)]">
+              fullstack<span className="text-[var(--color-primary)]">hero</span>
             </span>
           </div>
-          <div className="space-y-2 text-center">
-            <h2 className="text-base font-semibold tracking-tight">Check your inbox.</h2>
-            <p className="text-sm leading-relaxed text-[var(--color-muted-foreground)]">
-              If an account exists for{" "}
-              <code className="rounded bg-[var(--color-muted)] px-1.5 py-0.5 font-mono text-[12px] text-[var(--color-foreground)]">
-                {email}
-              </code>{" "}
-              in tenant{" "}
-              <code className="rounded bg-[var(--color-muted)] px-1.5 py-0.5 font-mono text-[12px] text-[var(--color-foreground)]">
-                {tenant}
-              </code>
-              , a one-time reset link is on its way. The link expires in 30 minutes.
-            </p>
-          </div>
-          <ul className="space-y-1.5 text-[12.5px] text-[var(--color-muted-foreground)]">
-            <li className="flex items-start gap-2">
-              <Check className="mt-0.5 h-3.5 w-3.5 shrink-0 text-[var(--color-success)]" />
-              Didn't get it? Wait a minute, then check spam.
-            </li>
-            <li className="flex items-start gap-2">
-              <Check className="mt-0.5 h-3.5 w-3.5 shrink-0 text-[var(--color-success)]" />
-              Still nothing? Confirm the email + tenant and retry.
-            </li>
-          </ul>
-          <div className="flex items-center gap-2">
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() => {
-                setSubmitted(false);
-                setError(null);
-              }}
-            >
-              Try a different address
-            </Button>
-            <Link to="/login" className="ml-auto">
-              <Button type="button" variant="ghost">
-                Back to sign in
-              </Button>
-            </Link>
+          <div className="mt-3 flex items-center gap-2 text-[10px] font-semibold uppercase tracking-[0.2em] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+            <span>.NET 10 Starter Kit</span>
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
           </div>
         </div>
-      ) : (
-        <form onSubmit={onSubmit} className="space-y-4">
-          <div className="space-y-1.5">
-            <Label htmlFor="reset-tenant">Tenant</Label>
-            <Input
-              id="reset-tenant"
-              value={tenant}
-              onChange={(e) => setTenant(e.target.value)}
-              required
-              autoComplete="organization"
-              placeholder="root"
-            />
-          </div>
-          <div className="space-y-1.5">
-            <Label htmlFor="reset-email">Email</Label>
-            <Input
-              id="reset-email"
-              type="email"
-              value={email}
-              onChange={(e) => setEmail(e.target.value)}
-              required
-              autoComplete="email"
-              autoFocus
-              placeholder="operator@root.example"
-            />
-          </div>
 
-          {error && (
-            <div
-              role="alert"
-              className="flex items-start gap-2 rounded-md border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.08)] px-3 py-2 text-sm text-[var(--color-destructive)]"
-            >
-              <AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
-              <span className="leading-snug">{error}</span>
-            </div>
-          )}
+        {/* Form card */}
+        <div className="rounded-xl border border-[var(--color-border)] bg-[oklch(from_var(--color-card)_l_c_h_/_0.85)] shadow-[0_1px_3px_oklch(0_0_0_/_0.04),0_8px_24px_oklch(0_0_0_/_0.06)] backdrop-blur-xl">
+          <div className="px-6 py-7 sm:px-8 sm:py-9">
+            {submitted ? (
+              <div className="fsh-enter space-y-5 text-center">
+                <div className="grid place-items-center">
+                  <span
+                    aria-hidden
+                    className="grid size-14 place-items-center rounded-2xl bg-[oklch(from_var(--color-success)_l_c_h_/_0.10)] text-[var(--color-success)]"
+                  >
+                    <MailCheck className="size-6" />
+                  </span>
+                </div>
+                <div>
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Check your{" "}
+                    <span className="text-[var(--color-primary)]">inbox</span>
+                  </h1>
+                  <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    If an account exists for{" "}
+                    <span className="text-[var(--color-foreground)]">{email}</span> in tenant{" "}
+                    <span className="text-[var(--color-foreground)]">{tenant}</span>, a one-time
+                    reset link is on its way. The link expires in 30 minutes.
+                  </p>
+                </div>
+                <ul className="space-y-1.5 text-left text-[12.5px] text-[var(--color-muted-foreground)]">
+                  <li className="flex items-start gap-2">
+                    <Check className="mt-0.5 size-3.5 shrink-0 text-[var(--color-success)]" />
+                    Didn't get it? Wait a minute, then check spam.
+                  </li>
+                  <li className="flex items-start gap-2">
+                    <Check className="mt-0.5 size-3.5 shrink-0 text-[var(--color-success)]" />
+                    Still nothing? Confirm the email + tenant and retry.
+                  </li>
+                </ul>
+                <div className="flex items-center gap-2 pt-1">
+                  <Button
+                    type="button"
+                    variant="ghost"
+                    onClick={() => {
+                      setSubmitted(false);
+                      setError(null);
+                    }}
+                  >
+                    Try a different address
+                  </Button>
+                  <Link to="/login" className="ml-auto">
+                    <Button type="button" variant="outline">
+                      Back to sign in
+                    </Button>
+                  </Link>
+                </div>
+              </div>
+            ) : (
+              <>
+                <div className="mb-6 sm:mb-8">
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Reset your{" "}
+                    <span className="text-[var(--color-primary)]">password</span>
+                  </h1>
+                  <p className="text-[13px] text-[var(--color-muted-foreground)]">
+                    Enter the email + tenant you sign in with. We'll dispatch a one-time link.
+                  </p>
+                </div>
 
-          <Button
-            type="submit"
-            variant="signal"
-            className="w-full"
-            disabled={mutation.isPending || !email || !tenant}
-          >
-            {mutation.isPending ? "Dispatching link…" : "Send reset link →"}
-          </Button>
+                <form
+                  onSubmit={onSubmit}
+                  className="space-y-5"
+                  noValidate
+                  aria-describedby={error ? "forgot-error" : undefined}
+                >
+                  <div className="space-y-1.5">
+                    <Label
+                      htmlFor="reset-tenant"
+                      className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                    >
+                      Tenant
+                    </Label>
+                    <div className="relative">
+                      <Building2 className="pointer-events-none absolute left-3.5 top-1/2 size-4 -translate-y-1/2 text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)]" />
+                      <Input
+                        id="reset-tenant"
+                        value={tenant}
+                        onChange={(e) => setTenant(e.target.value)}
+                        required
+                        autoComplete="organization"
+                        placeholder="root"
+                        aria-invalid={error ? true : undefined}
+                        aria-describedby={error ? "forgot-error" : undefined}
+                        className="h-11 pl-10 text-[14px]"
+                      />
+                    </div>
+                  </div>
+                  <div className="space-y-1.5">
+                    <Label
+                      htmlFor="reset-email"
+                      className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                    >
+                      Email
+                    </Label>
+                    <div className="relative">
+                      <Mail className="pointer-events-none absolute left-3.5 top-1/2 size-4 -translate-y-1/2 text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)]" />
+                      <Input
+                        id="reset-email"
+                        type="email"
+                        value={email}
+                        onChange={(e) => setEmail(e.target.value)}
+                        required
+                        autoComplete="email"
+                        autoFocus
+                        placeholder="operator@root.example"
+                        aria-invalid={error ? true : undefined}
+                        aria-describedby={error ? "forgot-error" : undefined}
+                        className="h-11 pl-10 text-[14px]"
+                      />
+                    </div>
+                  </div>
 
-          <div className="text-center text-xs text-[var(--color-muted-foreground)]">
-            Remembered it?{" "}
-            <Link
-              to="/login"
-              className="text-[var(--color-foreground)] underline-offset-4 hover:underline"
-            >
-              Sign in
-            </Link>
+                  {error && (
+                    <div
+                      id="forgot-error"
+                      role="alert"
+                      className={cn(
+                        "fsh-enter flex items-start gap-2 rounded-lg border px-3 py-2 text-sm",
+                        "border-[oklch(from_var(--color-destructive)_l_c_h_/_0.30)]",
+                        "bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.06)]",
+                        "text-[var(--color-destructive)]",
+                      )}
+                    >
+                      <AlertCircle className="mt-0.5 size-4 shrink-0" />
+                      <span className="leading-snug">{error}</span>
+                    </div>
+                  )}
+
+                  <div className="pt-1.5">
+                    <Button
+                      type="submit"
+                      disabled={mutation.isPending || !email || !tenant}
+                      className="group h-11 w-full text-[14px] font-semibold"
+                    >
+                      {mutation.isPending ? (
+                        <>
+                          <Loader2 className="size-4 animate-spin" />
+                          <span>Dispatching link…</span>
+                        </>
+                      ) : (
+                        <>
+                          <span>Send reset link</span>
+                          <ArrowRight className="size-[14px] opacity-60 transition-all duration-200 group-hover:translate-x-0.5 group-hover:opacity-100" />
+                        </>
+                      )}
+                    </Button>
+                  </div>
+                </form>
+              </>
+            )}
           </div>
-        </form>
-      )}
-    </AuthShell>
+        </div>
+
+        <div className="mt-6 text-center text-[12.5px] text-[var(--color-muted-foreground)]">
+          Remembered it?{" "}
+          <Link
+            to="/login"
+            className="text-[var(--color-foreground)] underline-offset-4 hover:underline"
+          >
+            Sign in
+          </Link>
+        </div>
+
+        <div className="mt-4 flex items-center justify-center gap-1.5 text-[11px] text-[var(--color-muted-foreground)]">
+          <ShieldCheck className="size-3" />
+          <span>Encrypted in transit · JWT-secured session</span>
+        </div>
+      </div>
+    </div>
   );
 }
diff --git a/clients/admin/src/pages/auth/reset-password.tsx b/clients/admin/src/pages/auth/reset-password.tsx
index 5c0b2959bf..610f3a3ba0 100644
--- a/clients/admin/src/pages/auth/reset-password.tsx
+++ b/clients/admin/src/pages/auth/reset-password.tsx
@@ -1,13 +1,20 @@
 import { useEffect, useMemo, useState, type FormEvent } from "react";
 import { Link, Navigate, useNavigate, useSearchParams } from "react-router-dom";
 import { useMutation } from "@tanstack/react-query";
-import { AlertCircle, Check } from "lucide-react";
+import {
+  AlertCircle,
+  ArrowRight,
+  Check,
+  Eye,
+  EyeOff,
+  Loader2,
+  ShieldCheck,
+} from "lucide-react";
 import { toast } from "sonner";
 import { useAuth } from "@/auth/use-auth";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
-import { AuthShell } from "@/components/auth/auth-shell";
 import { resetPassword } from "@/api/users";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
@@ -47,6 +54,8 @@ export function ResetPasswordPage() {
   const [password, setPassword] = useState("");
   const [confirm, setConfirm] = useState("");
   const [error, setError] = useState<string | null>(null);
+  const [showPassword, setShowPassword] = useState(false);
+  const [showConfirm, setShowConfirm] = useState(false);
 
   const strength = useMemo(() => scorePassword(password), [password]);
   const matches = password.length > 0 && password === confirm;
@@ -87,135 +96,236 @@ export function ResetPasswordPage() {
     mutation.mutate();
   };
 
-  if (malformed) {
-    return (
-      <AuthShell
-        crumbLeft="// RECOVER ACCOUNT"
-        crumbRight="token · scoped"
-        blurb="This reset link is incomplete and can't be used as-is."
-      >
-        <div className="space-y-3">
-          <p className="text-sm leading-relaxed text-[var(--color-muted-foreground)]">
-            The link is missing one of{" "}
-            <code className="rounded bg-[var(--color-muted)] px-1 font-mono text-[11.5px]">token</code>,{" "}
-            <code className="rounded bg-[var(--color-muted)] px-1 font-mono text-[11.5px]">email</code>, or{" "}
-            <code className="rounded bg-[var(--color-muted)] px-1 font-mono text-[11.5px]">tenant</code>.
-            Some email clients clip long URLs — try copy-pasting the full link from the
-            original email into your browser's address bar, or request a new one.
-          </p>
-          <div className="flex gap-2 pt-1">
-            <Link to="/forgot-password">
-              <Button type="button" variant="signal">
-                Request a new link
-              </Button>
-            </Link>
-            <Link to="/login">
-              <Button type="button" variant="ghost">
-                Back to sign in
-              </Button>
-            </Link>
+  return (
+    <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-[var(--color-background)] px-5 py-8 sm:py-12">
+      {/* Atmospheric background orbs */}
+      <div className="pointer-events-none absolute inset-0" aria-hidden>
+        <div
+          className="absolute -top-[25%] -left-[15%] h-[70vw] w-[70vw] rounded-full blur-[140px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.05)" }}
+        />
+        <div
+          className="absolute -bottom-[20%] -right-[10%] h-[55vw] w-[55vw] rounded-full blur-[120px]"
+          style={{ backgroundColor: "oklch(from var(--color-saffron, var(--color-primary)) l c h / 0.07)" }}
+        />
+        <div
+          className="absolute top-[10%] right-[5%] h-[30vw] w-[30vw] rounded-full blur-[80px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.025)" }}
+        />
+      </div>
+
+      {/* Card column */}
+      <div className="relative z-10 w-full max-w-[420px] fsh-enter fsh-enter-1">
+        {/* Brand lockup */}
+        <div className="mb-8 flex flex-col items-center">
+          <div className="flex items-center gap-2.5">
+            <img
+              src="/logo-fullstackhero.png"
+              alt="FullStackHero"
+              className="size-9 object-contain"
+            />
+            <span className="font-display text-[26px] font-semibold tracking-tight text-[var(--color-foreground)]">
+              fullstack<span className="text-[var(--color-primary)]">hero</span>
+            </span>
+          </div>
+          <div className="mt-3 flex items-center gap-2 text-[10px] font-semibold uppercase tracking-[0.2em] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+            <span>.NET 10 Starter Kit</span>
+            <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
           </div>
         </div>
-      </AuthShell>
-    );
-  }
 
-  return (
-    <AuthShell
-      crumbLeft="// RECOVER ACCOUNT"
-      crumbRight="set new password"
-      blurb={
-        <>
-          Resetting password for{" "}
-          <span className="text-[var(--color-foreground)]">{email}</span> on{" "}
-          <code className="rounded bg-[var(--color-muted)] px-1 font-mono text-[11.5px] text-[var(--color-foreground)]">
-            {tenant}
-          </code>
-          .
-        </>
-      }
-    >
-      <form onSubmit={onSubmit} className="space-y-4" noValidate>
-        <div className="space-y-1.5">
-          <Label htmlFor="new-password">New password</Label>
-          <Input
-            id="new-password"
-            type="password"
-            value={password}
-            onChange={(e) => setPassword(e.target.value)}
-            required
-            autoComplete="new-password"
-            autoFocus
-            minLength={8}
-            className="font-mono"
-          />
-          {strength && (
-            <div className="flex items-center gap-2 pt-1">
-              <div className="h-1 flex-1 overflow-hidden rounded-full bg-[var(--color-border)]/60">
-                <div
-                  className={cn(
-                    "h-full transition-all duration-[var(--duration-default)]",
-                    STRENGTH_META[strength].fill,
-                    STRENGTH_META[strength].bar,
-                  )}
-                />
+        {/* Form card */}
+        <div className="rounded-xl border border-[var(--color-border)] bg-[oklch(from_var(--color-card)_l_c_h_/_0.85)] shadow-[0_1px_3px_oklch(0_0_0_/_0.04),0_8px_24px_oklch(0_0_0_/_0.06)] backdrop-blur-xl">
+          <div className="px-6 py-7 sm:px-8 sm:py-9">
+            {malformed ? (
+              <div className="space-y-4">
+                <div className="mb-2">
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    This link is{" "}
+                    <span className="text-[var(--color-primary)]">incomplete</span>
+                  </h1>
+                  <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+                    The link is missing one of{" "}
+                    <span className="text-[var(--color-foreground)]">token</span>,{" "}
+                    <span className="text-[var(--color-foreground)]">email</span>, or{" "}
+                    <span className="text-[var(--color-foreground)]">tenant</span>. Some email
+                    clients clip long URLs — try copy-pasting the full link from the original
+                    email into your browser's address bar, or request a new one.
+                  </p>
+                </div>
+                <div className="flex gap-2 pt-1">
+                  <Link to="/forgot-password">
+                    <Button type="button" variant="outline">
+                      Request a new link
+                    </Button>
+                  </Link>
+                  <Link to="/login">
+                    <Button type="button" variant="ghost">
+                      Back to sign in
+                    </Button>
+                  </Link>
+                </div>
               </div>
-              <span className="min-w-[3.5rem] text-right font-mono text-[10px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
-                {STRENGTH_META[strength].label}
-              </span>
-            </div>
-          )}
-        </div>
+            ) : (
+              <>
+                <div className="mb-6 sm:mb-8">
+                  <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                    Set a new{" "}
+                    <span className="text-[var(--color-primary)]">password</span>
+                  </h1>
+                  <p className="text-[13px] text-[var(--color-muted-foreground)]">
+                    Resetting password for{" "}
+                    <span className="text-[var(--color-foreground)]">{email}</span> on{" "}
+                    <span className="text-[var(--color-foreground)]">{tenant}</span>.
+                  </p>
+                </div>
 
-        <div className="space-y-1.5">
-          <Label htmlFor="confirm-password">Confirm password</Label>
-          <Input
-            id="confirm-password"
-            type="password"
-            value={confirm}
-            onChange={(e) => setConfirm(e.target.value)}
-            required
-            autoComplete="new-password"
-            minLength={8}
-            className="font-mono"
-          />
-          {confirm.length > 0 && (
-            <div
-              className={cn(
-                "flex items-center gap-1.5 pt-1 text-[11.5px]",
-                matches
-                  ? "text-[var(--color-success)]"
-                  : "text-[var(--color-muted-foreground)]",
-              )}
-            >
-              <Check
-                className={cn("h-3.5 w-3.5", matches ? "opacity-100" : "opacity-40")}
-              />
-              <span>{matches ? "Passwords match" : "Doesn't match yet"}</span>
-            </div>
-          )}
-        </div>
+                <form
+                  onSubmit={onSubmit}
+                  className="space-y-5"
+                  noValidate
+                  aria-describedby={error ? "reset-error" : undefined}
+                >
+                  <div className="space-y-1.5">
+                    <Label
+                      htmlFor="new-password"
+                      className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                    >
+                      New password
+                    </Label>
+                    <div className="relative">
+                      <Input
+                        id="new-password"
+                        type={showPassword ? "text" : "password"}
+                        value={password}
+                        onChange={(e) => setPassword(e.target.value)}
+                        required
+                        autoComplete="new-password"
+                        autoFocus
+                        minLength={8}
+                        placeholder="At least 8 characters"
+                        aria-invalid={error ? true : undefined}
+                        aria-describedby={error ? "reset-error" : undefined}
+                        className="h-11 pr-11 text-[14px]"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => setShowPassword((v) => !v)}
+                        aria-label={showPassword ? "Hide password" : "Show password"}
+                        className="absolute right-3.5 top-1/2 grid h-6 w-6 -translate-y-1/2 cursor-pointer place-items-center rounded text-[var(--color-muted-foreground)] transition-colors hover:text-[var(--color-foreground)] focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]"
+                      >
+                        {showPassword ? <EyeOff className="size-4" /> : <Eye className="size-4" />}
+                      </button>
+                    </div>
+                    {strength && (
+                      <div className="fsh-enter flex items-center gap-2 pt-1.5">
+                        <div className="h-1 flex-1 overflow-hidden rounded-full bg-[var(--color-muted)]">
+                          <div
+                            className={cn(
+                              "h-full transition-all duration-200",
+                              STRENGTH_META[strength].fill,
+                              STRENGTH_META[strength].bar,
+                            )}
+                          />
+                        </div>
+                        <span className="min-w-[3.5rem] text-right text-[10px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                          {STRENGTH_META[strength].label}
+                        </span>
+                      </div>
+                    )}
+                  </div>
 
-        {error && (
-          <div
-            role="alert"
-            className="flex items-start gap-2 rounded-md border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.08)] px-3 py-2 text-sm text-[var(--color-destructive)]"
-          >
-            <AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
-            <span className="leading-snug">{error}</span>
+                  <div className="space-y-1.5">
+                    <Label
+                      htmlFor="confirm-password"
+                      className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                    >
+                      Confirm password
+                    </Label>
+                    <div className="relative">
+                      <Input
+                        id="confirm-password"
+                        type={showConfirm ? "text" : "password"}
+                        value={confirm}
+                        onChange={(e) => setConfirm(e.target.value)}
+                        required
+                        autoComplete="new-password"
+                        minLength={8}
+                        placeholder="Re-enter password"
+                        aria-invalid={error ? true : undefined}
+                        aria-describedby={error ? "reset-error" : undefined}
+                        className="h-11 pr-11 text-[14px]"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => setShowConfirm((v) => !v)}
+                        aria-label={showConfirm ? "Hide password" : "Show password"}
+                        className="absolute right-3.5 top-1/2 grid h-6 w-6 -translate-y-1/2 cursor-pointer place-items-center rounded text-[var(--color-muted-foreground)] transition-colors hover:text-[var(--color-foreground)] focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]"
+                      >
+                        {showConfirm ? <EyeOff className="size-4" /> : <Eye className="size-4" />}
+                      </button>
+                    </div>
+                    {confirm.length > 0 && (
+                      <div
+                        className={cn(
+                          "flex items-center gap-1.5 pt-1 text-[11.5px]",
+                          matches
+                            ? "text-[var(--color-success)]"
+                            : "text-[var(--color-muted-foreground)]",
+                        )}
+                      >
+                        <Check
+                          className={cn("size-3.5", matches ? "opacity-100" : "opacity-40")}
+                        />
+                        <span>{matches ? "Passwords match" : "Doesn't match yet"}</span>
+                      </div>
+                    )}
+                  </div>
+
+                  {error && (
+                    <div
+                      id="reset-error"
+                      role="alert"
+                      className={cn(
+                        "fsh-enter flex items-start gap-2 rounded-lg border px-3 py-2 text-sm",
+                        "border-[oklch(from_var(--color-destructive)_l_c_h_/_0.30)]",
+                        "bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.06)]",
+                        "text-[var(--color-destructive)]",
+                      )}
+                    >
+                      <AlertCircle className="mt-0.5 size-4 shrink-0" />
+                      <span className="leading-snug">{error}</span>
+                    </div>
+                  )}
+
+                  <div className="pt-1.5">
+                    <Button
+                      type="submit"
+                      disabled={mutation.isPending || !matches || password.length < 8}
+                      className="group h-11 w-full text-[14px] font-semibold"
+                    >
+                      {mutation.isPending ? (
+                        <>
+                          <Loader2 className="size-4 animate-spin" />
+                          <span>Updating password…</span>
+                        </>
+                      ) : (
+                        <>
+                          <ShieldCheck className="size-4" />
+                          <span>Set new password</span>
+                          <ArrowRight className="size-[14px] opacity-60 transition-all duration-200 group-hover:translate-x-0.5 group-hover:opacity-100" />
+                        </>
+                      )}
+                    </Button>
+                  </div>
+                </form>
+              </>
+            )}
           </div>
-        )}
-
-        <Button
-          type="submit"
-          variant="signal"
-          className="w-full"
-          disabled={mutation.isPending || !matches || password.length < 8}
-        >
-          {mutation.isPending ? "Updating password…" : "Set new password →"}
-        </Button>
-
-        <div className="text-center text-xs text-[var(--color-muted-foreground)]">
+        </div>
+
+        <div className="mt-6 text-center text-[12.5px] text-[var(--color-muted-foreground)]">
           Changed your mind?{" "}
           <Link
             to="/login"
@@ -224,7 +334,7 @@ export function ResetPasswordPage() {
             Sign in
           </Link>
         </div>
-      </form>
-    </AuthShell>
+      </div>
+    </div>
   );
 }
diff --git a/clients/admin/src/pages/billing/invoice-detail.tsx b/clients/admin/src/pages/billing/invoice-detail.tsx
index 1143617ec4..d75034a8cb 100644
--- a/clients/admin/src/pages/billing/invoice-detail.tsx
+++ b/clients/admin/src/pages/billing/invoice-detail.tsx
@@ -1,29 +1,21 @@
 import { useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { ArrowLeft, Ban, CheckCircle2, Send } from "lucide-react";
+import { ArrowLeft, Ban, CheckCircle2, FileText, Send } from "lucide-react";
 import { toast } from "sonner";
 import {
   getInvoice,
   issueInvoice,
   markInvoicePaid,
   voidInvoice,
-  type InvoiceDto,
   type InvoiceStatus,
   type InvoiceLineItemDto,
 } from "@/api/billing";
 import { Button } from "@/components/ui/button";
-import {
-  Card,
-  CardContent,
-  CardDescription,
-  CardHeader,
-  CardTitle,
-} from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Skeleton } from "@/components/ui/skeleton";
 import { Input } from "@/components/ui/input";
-import { Label } from "@/components/ui/label";
+import { EntityPageHeader, SettingsSection, Field } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
 
@@ -131,7 +123,7 @@ export function InvoiceDetailPage() {
   return (
     <div className="space-y-6">
       <div>
-        <Button variant="ghost" size="sm" onClick={() => navigate("/billing/invoices")} className="-ml-2 mb-2">
+        <Button variant="ghost" size="sm" onClick={() => navigate("/billing/invoices")} className="-ml-2 mb-4">
           <ArrowLeft className="mr-1 h-4 w-4" /> All invoices
         </Button>
 
@@ -145,190 +137,174 @@ export function InvoiceDetailPage() {
             {describe(query.error, "Failed to load invoice.")}
           </div>
         ) : invoice ? (
-          <InvoiceHero invoice={invoice} />
+          <EntityPageHeader
+            icon={FileText}
+            tone="saffron"
+            title={formatMoney(invoice.subtotalAmount, invoice.currency)}
+            description={
+              <span className="flex flex-wrap items-center gap-2">
+                <code className="rounded bg-[var(--color-surface-2)] px-1.5 py-0.5 font-mono text-[11px] font-medium tracking-tight">
+                  {invoice.invoiceNumber}
+                </code>
+                <Badge variant={statusVariant(invoice.status)}>{invoice.status}</Badge>
+                <span className="font-mono text-[11px] text-[var(--color-muted-foreground)]">
+                  tenant {invoice.tenantId} · period {formatPeriod(invoice.periodYear, invoice.periodMonth)} · created {formatDate(invoice.createdAtUtc)}
+                  {invoice.issuedAtUtc && ` · issued ${formatDate(invoice.issuedAtUtc)}`}
+                  {invoice.dueAtUtc && invoice.status === "Issued" && (
+                    <span className="text-[var(--color-warning)]"> · due {formatDate(invoice.dueAtUtc)}</span>
+                  )}
+                  {invoice.paidAtUtc && (
+                    <span className="text-[var(--color-success)]"> · paid {formatDate(invoice.paidAtUtc)}</span>
+                  )}
+                  {invoice.voidedAtUtc && (
+                    <span className="text-[var(--color-destructive)]"> · voided {formatDate(invoice.voidedAtUtc)}</span>
+                  )}
+                </span>
+              </span>
+            }
+          />
         ) : null}
       </div>
 
       <div className="grid gap-6 lg:grid-cols-[1fr_320px]">
         {/* Line items */}
-        <Card>
-          <CardHeader>
-            <CardTitle>Line items</CardTitle>
-            <CardDescription>
-              {invoice ? `${invoice.lineItems.length} line${invoice.lineItems.length === 1 ? "" : "s"}` : "Loading…"}
-            </CardDescription>
-          </CardHeader>
-          <CardContent className="p-0">
-            {query.isLoading ? (
-              <ul className="divide-y divide-[var(--color-border)]">
-                {Array.from({ length: 2 }).map((_, i) => (
-                  <li key={i} className="px-6 py-4">
-                    <Skeleton className="h-4 w-1/2" />
-                    <Skeleton className="mt-2 h-3 w-1/4" />
-                  </li>
-                ))}
-              </ul>
-            ) : invoice && invoice.lineItems.length === 0 ? (
-              <div className="px-6 py-8 text-center text-sm text-[var(--color-muted-foreground)]">
-                No line items.
-              </div>
-            ) : invoice ? (
-              <ul>
-                {invoice.lineItems.map((li, i) => (
-                  <LineItemRow key={li.id} item={li} currency={invoice.currency} delayIndex={i} />
-                ))}
-                <li className="grid grid-cols-[1fr_auto] items-baseline gap-x-6 border-t-2 border-[var(--color-border-strong)] px-6 py-4">
-                  <div className="font-mono text-[11px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                    subtotal
-                  </div>
-                  <div className="text-display text-xl font-semibold tabular-nums">
-                    {formatMoney(invoice.subtotalAmount, invoice.currency)}
-                  </div>
+        <SettingsSection
+          title="Line items"
+          description={
+            invoice
+              ? `${invoice.lineItems.length} line${invoice.lineItems.length === 1 ? "" : "s"}`
+              : "Loading…"
+          }
+        >
+          {query.isLoading ? (
+            <ul className="-mx-5 divide-y divide-[var(--color-border)] border-t border-[var(--color-border)]">
+              {Array.from({ length: 2 }).map((_, i) => (
+                <li key={i} className="px-5 py-4">
+                  <Skeleton className="h-4 w-1/2" />
+                  <Skeleton className="mt-2 h-3 w-1/4" />
                 </li>
-              </ul>
-            ) : null}
-          </CardContent>
-        </Card>
+              ))}
+            </ul>
+          ) : invoice && invoice.lineItems.length === 0 ? (
+            <div className="py-8 text-center text-sm text-[var(--color-muted-foreground)]">
+              No line items.
+            </div>
+          ) : invoice ? (
+            <ul className="-mx-5 border-t border-[var(--color-border)]">
+              {invoice.lineItems.map((li, i) => (
+                <LineItemRow key={li.id} item={li} currency={invoice.currency} delayIndex={i} />
+              ))}
+              <li className="grid grid-cols-[1fr_auto] items-baseline gap-x-6 border-t-2 border-[var(--color-border-strong)] px-5 py-4">
+                <div className="font-mono text-[11px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
+                  subtotal
+                </div>
+                <div className="text-display text-xl font-semibold tabular-nums">
+                  {formatMoney(invoice.subtotalAmount, invoice.currency)}
+                </div>
+              </li>
+            </ul>
+          ) : null}
+        </SettingsSection>
 
         {/* Actions side panel */}
         <div className="space-y-4">
-          <Card>
-            <CardHeader>
-              <CardTitle>Lifecycle actions</CardTitle>
-              <CardDescription>
-                Each action enforces the invoice state machine on the server.
-              </CardDescription>
-            </CardHeader>
-            <CardContent className="space-y-4">
-              {invoice && (
-                <>
-                  {/* Issue */}
-                  <div
-                    className={cn(
-                      "rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-3",
-                      invoice.status !== "Draft" && "opacity-60",
-                    )}
+          {invoice && (
+            <>
+              {/* Issue */}
+              <SettingsSection
+                icon={Send}
+                title="Issue"
+                description="Transition from Draft to Issued status."
+              >
+                <div className={cn("space-y-3", invoice.status !== "Draft" && "opacity-60")}>
+                  <Field id="dueAt" label="Due date" hint="Leave blank for server default (+14 days).">
+                    <Input
+                      id="dueAt"
+                      type="date"
+                      value={dueAt}
+                      onChange={(e) => setDueAt(e.target.value)}
+                      disabled={invoice.status !== "Draft" || issueMutation.isPending}
+                    />
+                  </Field>
+                  <Button
+                    size="sm"
+                    disabled={invoice.status !== "Draft" || issueMutation.isPending}
+                    onClick={() => issueMutation.mutate()}
+                    className="w-full"
                   >
-                    <div className="mb-2 flex items-center gap-2">
-                      <Send className="h-3.5 w-3.5 text-[var(--color-info)]" />
-                      <span className="text-sm font-medium">Issue</span>
-                      <span className="font-mono text-[10px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                        from draft
-                      </span>
-                    </div>
-                    <div className="space-y-2">
-                      <Label htmlFor="dueAt" className="text-xs text-[var(--color-muted-foreground)]">
-                        Due date (optional)
-                      </Label>
-                      <Input
-                        id="dueAt"
-                        type="date"
-                        value={dueAt}
-                        onChange={(e) => setDueAt(e.target.value)}
-                        disabled={invoice.status !== "Draft" || issueMutation.isPending}
-                      />
-                      <p className="text-[11px] text-[var(--color-muted-foreground)]">
-                        Leave blank for the server default of +14 days from issue time.
-                      </p>
-                      <Button
-                        size="sm"
-                        disabled={invoice.status !== "Draft" || issueMutation.isPending}
-                        onClick={() => issueMutation.mutate()}
-                        className="w-full"
-                      >
-                        {issueMutation.isPending ? "Issuing…" : "Issue invoice"}
-                      </Button>
-                    </div>
-                  </div>
+                    {issueMutation.isPending ? "Issuing…" : "Issue invoice"}
+                  </Button>
+                </div>
+              </SettingsSection>
 
-                  {/* Mark paid */}
-                  <div
-                    className={cn(
-                      "rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-3",
-                      invoice.status !== "Issued" && "opacity-60",
-                    )}
+              {/* Mark paid */}
+              <SettingsSection
+                icon={CheckCircle2}
+                title="Mark paid"
+                description="Records manual payment receipt. Idempotent."
+              >
+                <div className={cn(invoice.status !== "Issued" && "opacity-60")}>
+                  <Button
+                    size="sm"
+                    disabled={invoice.status !== "Issued" || payMutation.isPending}
+                    onClick={() => payMutation.mutate()}
+                    className="w-full"
                   >
-                    <div className="mb-2 flex items-center gap-2">
-                      <CheckCircle2 className="h-3.5 w-3.5 text-[var(--color-success)]" />
-                      <span className="text-sm font-medium">Mark paid</span>
-                      <span className="font-mono text-[10px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                        from issued
-                      </span>
-                    </div>
-                    <p className="text-[11px] text-[var(--color-muted-foreground)]">
-                      Records manual payment receipt. Idempotent.
-                    </p>
-                    <Button
-                      size="sm"
-                      disabled={invoice.status !== "Issued" || payMutation.isPending}
-                      onClick={() => payMutation.mutate()}
-                      className="mt-2 w-full"
-                    >
-                      {payMutation.isPending ? "Saving…" : "Mark as paid"}
-                    </Button>
-                  </div>
+                    {payMutation.isPending ? "Saving…" : "Mark as paid"}
+                  </Button>
+                </div>
+              </SettingsSection>
 
-                  {/* Void */}
-                  <div
-                    className={cn(
-                      "rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-3",
-                      invoice.status === "Paid" || invoice.status === "Void"
-                        ? "opacity-60"
-                        : null,
-                    )}
+              {/* Void */}
+              <SettingsSection
+                icon={Ban}
+                title="Void"
+                description="Cancel from Draft or Issued. Irreversible."
+              >
+                <div
+                  className={cn(
+                    "space-y-3",
+                    (invoice.status === "Paid" || invoice.status === "Void") && "opacity-60",
+                  )}
+                >
+                  <Field id="voidReason" label="Reason" hint="Optional — appended to notes.">
+                    <Input
+                      id="voidReason"
+                      placeholder="duplicate · disputed · …"
+                      value={voidReason}
+                      onChange={(e) => setVoidReason(e.target.value)}
+                      disabled={
+                        invoice.status === "Paid" ||
+                        invoice.status === "Void" ||
+                        voidMutation.isPending
+                      }
+                    />
+                  </Field>
+                  <Button
+                    variant="destructive"
+                    size="sm"
+                    disabled={
+                      invoice.status === "Paid" ||
+                      invoice.status === "Void" ||
+                      voidMutation.isPending
+                    }
+                    onClick={() => voidMutation.mutate()}
+                    className="w-full"
                   >
-                    <div className="mb-2 flex items-center gap-2">
-                      <Ban className="h-3.5 w-3.5 text-[var(--color-destructive)]" />
-                      <span className="text-sm font-medium">Void</span>
-                      <span className="font-mono text-[10px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                        from draft / issued
-                      </span>
-                    </div>
-                    <div className="space-y-2">
-                      <Label htmlFor="voidReason" className="text-xs text-[var(--color-muted-foreground)]">
-                        Reason (optional, appended to notes)
-                      </Label>
-                      <Input
-                        id="voidReason"
-                        placeholder="duplicate · disputed · …"
-                        value={voidReason}
-                        onChange={(e) => setVoidReason(e.target.value)}
-                        disabled={
-                          invoice.status === "Paid" ||
-                          invoice.status === "Void" ||
-                          voidMutation.isPending
-                        }
-                      />
-                      <Button
-                        variant="destructive"
-                        size="sm"
-                        disabled={
-                          invoice.status === "Paid" ||
-                          invoice.status === "Void" ||
-                          voidMutation.isPending
-                        }
-                        onClick={() => voidMutation.mutate()}
-                        className="w-full"
-                      >
-                        {voidMutation.isPending ? "Voiding…" : "Void invoice"}
-                      </Button>
-                    </div>
-                  </div>
+                    {voidMutation.isPending ? "Voiding…" : "Void invoice"}
+                  </Button>
+                </div>
+              </SettingsSection>
 
-                  {invoice.notes && (
-                    <div className="rounded-md border border-[var(--color-border)] p-3">
-                      <div className="mb-1 font-mono text-[10px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                        notes
-                      </div>
-                      <p className="whitespace-pre-line text-xs text-[var(--color-foreground)]">
-                        {invoice.notes}
-                      </p>
-                    </div>
-                  )}
-                </>
+              {invoice.notes && (
+                <SettingsSection title="Notes">
+                  <p className="whitespace-pre-line text-xs text-[var(--color-foreground)]">
+                    {invoice.notes}
+                  </p>
+                </SettingsSection>
               )}
-            </CardContent>
-          </Card>
+            </>
+          )}
         </div>
       </div>
     </div>
@@ -337,51 +313,6 @@ export function InvoiceDetailPage() {
 
 // ─── subcomponents ───────────────────────────────────────────────────
 
-function InvoiceHero({ invoice }: { invoice: InvoiceDto }) {
-  return (
-    <div className="space-y-2">
-      <div className="flex flex-wrap items-center gap-2">
-        <code className="rounded bg-[var(--color-surface-2)] px-2 py-0.5 font-mono text-xs font-medium tracking-tight">
-          {invoice.invoiceNumber}
-        </code>
-        <Badge variant={statusVariant(invoice.status)}>{invoice.status}</Badge>
-      </div>
-      <h2 className="font-display text-3xl font-semibold leading-tight tracking-tight">
-        {formatMoney(invoice.subtotalAmount, invoice.currency)}
-      </h2>
-      <div className="font-mono text-[11px] tracking-tight text-[var(--color-muted-foreground)]">
-        tenant <span className="text-[var(--color-foreground)]">{invoice.tenantId}</span> ·
-        period {formatPeriod(invoice.periodYear, invoice.periodMonth)} ·
-        created {formatDate(invoice.createdAtUtc)}
-        {invoice.issuedAtUtc && (
-          <>
-            {" · "}
-            issued {formatDate(invoice.issuedAtUtc)}
-          </>
-        )}
-        {invoice.dueAtUtc && invoice.status === "Issued" && (
-          <>
-            {" · "}
-            <span className="text-[var(--color-warning)]">due {formatDate(invoice.dueAtUtc)}</span>
-          </>
-        )}
-        {invoice.paidAtUtc && (
-          <>
-            {" · "}
-            <span className="text-[var(--color-success)]">paid {formatDate(invoice.paidAtUtc)}</span>
-          </>
-        )}
-        {invoice.voidedAtUtc && (
-          <>
-            {" · "}
-            <span className="text-[var(--color-destructive)]">voided {formatDate(invoice.voidedAtUtc)}</span>
-          </>
-        )}
-      </div>
-    </div>
-  );
-}
-
 function LineItemRow({
   item,
   currency,
@@ -393,7 +324,7 @@ function LineItemRow({
 }) {
   return (
     <li
-      className="fsh-enter grid grid-cols-[1fr_auto] items-baseline gap-x-6 border-t border-[var(--color-border)] px-6 py-3 first:border-t-0"
+      className="fsh-enter grid grid-cols-[1fr_auto] items-baseline gap-x-6 border-b border-[var(--color-border)] last:border-b-0 px-5 py-3"
       style={{ animationDelay: `${Math.min(delayIndex, 6) * 30}ms` }}
     >
       <div className="min-w-0">
@@ -418,3 +349,4 @@ function LineItemRow({
     </li>
   );
 }
+
diff --git a/clients/admin/src/pages/billing/layout.tsx b/clients/admin/src/pages/billing/layout.tsx
index 543c463de1..08762e5475 100644
--- a/clients/admin/src/pages/billing/layout.tsx
+++ b/clients/admin/src/pages/billing/layout.tsx
@@ -1,5 +1,7 @@
 import { NavLink, Outlet } from "react-router-dom";
+import { CreditCard } from "lucide-react";
 import { cn } from "@/lib/cn";
+import { EntityPageHeader } from "@/components/list";
 
 type Tab = { to: string; label: string };
 
@@ -10,31 +12,17 @@ const TABS: Tab[] = [
 
 /**
  * BillingLayout — page hero + horizontal tabbed sub-nav. Child routes render
- * inside `<Outlet />`. Hero uses the editorial section-rule so Billing slots
- * into the existing admin language even with the new chromatic status chrome
- * landing in the body content below.
+ * inside `<Outlet />`.
  */
 export function BillingLayout() {
   return (
     <div className="space-y-6">
-      <header className="space-y-3">
-        <div className="section-rule">
-          <span className="section-rule__crumb">// BILLING</span>
-          <span className="section-rule__crumb section-rule__crumb--muted">
-            platform pricing &amp; ledger
-          </span>
-        </div>
-        <div className="flex flex-wrap items-end justify-between gap-3">
-          <div>
-            <h1 className="font-display text-3xl font-semibold tracking-tight">
-              Billing
-            </h1>
-            <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
-              Manage plans, subscriptions, and invoices across every tenant on this instance.
-            </p>
-          </div>
-        </div>
-      </header>
+      <EntityPageHeader
+        icon={CreditCard}
+        tone="saffron"
+        title="Billing"
+        description="Manage plans, subscriptions, and invoices across every tenant on this instance."
+      />
 
       <nav
         className="flex items-center gap-1 border-b border-[var(--color-border)]"
diff --git a/clients/admin/src/pages/billing/plan-form.tsx b/clients/admin/src/pages/billing/plan-form.tsx
index a208ebd743..184a9cc97e 100644
--- a/clients/admin/src/pages/billing/plan-form.tsx
+++ b/clients/admin/src/pages/billing/plan-form.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useMemo, useState, type FormEvent } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { ArrowLeft } from "lucide-react";
+import { ArrowLeft, CreditCard } from "lucide-react";
 import { toast } from "sonner";
 import {
   createPlan,
@@ -11,16 +11,8 @@ import {
   type QuotaResource,
 } from "@/api/billing";
 import { Button } from "@/components/ui/button";
-import {
-  Card,
-  CardContent,
-  CardDescription,
-  CardFooter,
-  CardHeader,
-  CardTitle,
-} from "@/components/ui/card";
 import { Input } from "@/components/ui/input";
-import { Label } from "@/components/ui/label";
+import { EntityPageHeader, SettingsSection, Field } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 
 // Plan keys are canonical lowercase slugs (a-z 0-9 -), 2-64 chars.
@@ -69,7 +61,6 @@ export function PlanFormPage() {
   const [overage, setOverage] = useState<OverageState>({});
 
   // ── load existing plan when editing ────────────────────────────────
-  // Include inactive plans so editing a deactivated plan still works.
   const plansQuery = useQuery({
     queryKey: ["billing", "plans", { includeInactive: true }],
     queryFn: () => getPlans(true),
@@ -151,173 +142,133 @@ export function PlanFormPage() {
   return (
     <div className="space-y-6">
       <div>
-        <Button variant="ghost" size="sm" onClick={() => navigate("/billing/plans")} className="-ml-2 mb-2">
+        <Button variant="ghost" size="sm" onClick={() => navigate("/billing/plans")} className="-ml-2 mb-4">
           <ArrowLeft className="mr-1 h-4 w-4" /> All plans
         </Button>
-        <h2 className="font-display text-2xl font-semibold tracking-tight">
-          {isEdit ? `Edit plan` : "New plan"}
-        </h2>
-        <p className="text-sm text-[var(--color-muted-foreground)]">
-          {isEdit
-            ? "Update name, base price, or overage rates. Key and currency are immutable."
-            : "Plan keys are canonical slugs used by tenant subscriptions and quota configuration."}
-        </p>
+        <EntityPageHeader
+          icon={CreditCard}
+          tone="saffron"
+          title={isEdit ? "Edit plan" : "New plan"}
+          description={
+            isEdit
+              ? "Update name, base price, or overage rates. Key and currency are immutable."
+              : "Plan keys are canonical slugs used by tenant subscriptions and quota configuration."
+          }
+        />
       </div>
 
-      <Card className="max-w-2xl">
-        <form onSubmit={onSubmit}>
-          <CardHeader>
-            <CardTitle>Plan details</CardTitle>
-            <CardDescription>
-              {isEdit
-                ? loadingExisting
-                  ? "Loading current plan…"
-                  : existing
-                    ? `Currently ${existing.isActive ? "active" : "inactive"}.`
-                    : "Plan not found."
-                : "Created plans are active by default."}
-            </CardDescription>
-          </CardHeader>
-          <CardContent className="space-y-4">
+      <form onSubmit={onSubmit} className="max-w-2xl space-y-4">
+        <SettingsSection
+          icon={CreditCard}
+          title="Plan details"
+          description={
+            isEdit
+              ? loadingExisting
+                ? "Loading current plan…"
+                : existing
+                  ? `Currently ${existing.isActive ? "active" : "inactive"}.`
+                  : "Plan not found."
+              : "Created plans are active by default."
+          }
+          footer={
+            <div className="flex gap-2">
+              <Button type="submit" disabled={pending || loadingExisting || keyInvalid || priceInvalid}>
+                {pending ? "Saving…" : isEdit ? "Save changes" : "Create plan"}
+              </Button>
+              <Button
+                type="button"
+                variant="outline"
+                onClick={() => navigate("/billing/plans")}
+                disabled={pending}
+              >
+                Cancel
+              </Button>
+            </div>
+          }
+        >
+          <div className="space-y-4">
             <Field
               id="key"
               label="Key"
               hint="Lowercase letters, digits, and hyphens. Used as a stable identifier (e.g. 'pro', 'team-2025')."
-              value={key}
-              onChange={setKey}
-              placeholder="pro"
               required={!isEdit}
               error={keyInvalid ? "Invalid slug." : undefined}
-              disabled={isEdit}
-              autoComplete="off"
-            />
-            <Field
-              id="name"
-              label="Display name"
-              value={name}
-              onChange={setName}
-              required
-              placeholder="Pro"
-            />
+            >
+              <Input
+                id="key"
+                value={key}
+                onChange={(e) => setKey(e.target.value)}
+                placeholder="pro"
+                required={!isEdit}
+                disabled={isEdit}
+                autoComplete="off"
+              />
+            </Field>
+            <Field id="name" label="Display name" required>
+              <Input
+                id="name"
+                value={name}
+                onChange={(e) => setName(e.target.value)}
+                required
+                placeholder="Pro"
+              />
+            </Field>
             <div className="grid grid-cols-1 gap-4 sm:grid-cols-[1fr_1fr]">
               <Field
                 id="currency"
                 label="Currency"
                 hint="ISO 4217 code. Locked after creation."
-                value={currency}
-                onChange={(v) => setCurrency(v.toUpperCase())}
                 required={!isEdit}
-                disabled={isEdit}
-                placeholder="USD"
-                autoComplete="off"
-              />
+              >
+                <Input
+                  id="currency"
+                  value={currency}
+                  onChange={(e) => setCurrency(e.target.value.toUpperCase())}
+                  required={!isEdit}
+                  disabled={isEdit}
+                  placeholder="USD"
+                  autoComplete="off"
+                />
+              </Field>
               <Field
                 id="monthlyBasePrice"
                 label="Monthly base price"
                 hint="Recurring fee charged each billing period."
-                value={monthlyBasePrice}
-                onChange={setMonthlyBasePrice}
-                inputMode="decimal"
                 required
-                placeholder="29.00"
                 error={priceInvalid ? "Must be a non-negative number." : undefined}
-              />
+              >
+                <Input
+                  id="monthlyBasePrice"
+                  value={monthlyBasePrice}
+                  onChange={(e) => setMonthlyBasePrice(e.target.value)}
+                  inputMode="decimal"
+                  required
+                  placeholder="29.00"
+                />
+              </Field>
             </div>
 
-            <div className="mt-2 space-y-3 rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-4">
-              <div className="flex items-baseline justify-between">
-                <div>
-                  <h3 className="text-sm font-medium">Overage rates</h3>
-                  <p className="text-xs text-[var(--color-muted-foreground)]">
-                    Per-unit price when a tenant exceeds the plan limit. Leave blank to skip a resource.
-                  </p>
-                </div>
-                <span className="font-mono text-[10.5px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                  optional
-                </span>
-              </div>
+            <SettingsSection
+              title="Overage rates"
+              description="Per-unit price when a tenant exceeds the plan limit. Leave blank to skip a resource."
+            >
               <div className="grid grid-cols-1 gap-3 sm:grid-cols-2">
                 {OVERAGE_RESOURCES.map((res) => (
-                  <Field
-                    key={res.key}
-                    id={`overage-${res.key}`}
-                    label={res.label}
-                    value={overage[res.key] ?? ""}
-                    onChange={(v) => setOverage((s) => ({ ...s, [res.key]: v }))}
-                    inputMode="decimal"
-                    placeholder={res.placeholder}
-                  />
+                  <Field key={res.key} id={`overage-${res.key}`} label={res.label}>
+                    <Input
+                      id={`overage-${res.key}`}
+                      value={overage[res.key] ?? ""}
+                      onChange={(e) => setOverage((s) => ({ ...s, [res.key]: e.target.value }))}
+                      inputMode="decimal"
+                      placeholder={res.placeholder}
+                    />
+                  </Field>
                 ))}
               </div>
-            </div>
-          </CardContent>
-          <CardFooter className="gap-2">
-            <Button type="submit" disabled={pending || loadingExisting || keyInvalid || priceInvalid}>
-              {pending ? "Saving…" : isEdit ? "Save changes" : "Create plan"}
-            </Button>
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() => navigate("/billing/plans")}
-              disabled={pending}
-            >
-              Cancel
-            </Button>
-          </CardFooter>
-        </form>
-      </Card>
-    </div>
-  );
-}
-
-// ─── local field primitive (mirrors clients/admin/src/pages/tenants/create.tsx) ─
-
-type FieldProps = {
-  id: string;
-  label: string;
-  value: string;
-  onChange: (value: string) => void;
-  type?: string;
-  inputMode?: React.HTMLAttributes<HTMLInputElement>["inputMode"];
-  required?: boolean;
-  hint?: string;
-  error?: string;
-  placeholder?: string;
-  autoComplete?: string;
-  disabled?: boolean;
-};
-
-function Field({
-  id,
-  label,
-  value,
-  onChange,
-  type,
-  inputMode,
-  required,
-  hint,
-  error,
-  placeholder,
-  autoComplete,
-  disabled,
-}: FieldProps) {
-  return (
-    <div className="space-y-1.5">
-      <Label htmlFor={id}>{label}</Label>
-      <Input
-        id={id}
-        type={type ?? "text"}
-        inputMode={inputMode}
-        value={value}
-        onChange={(e) => onChange(e.target.value)}
-        required={required}
-        placeholder={placeholder}
-        autoComplete={autoComplete}
-        disabled={disabled}
-        aria-invalid={error ? true : undefined}
-      />
-      {hint && <p className="text-xs text-[var(--color-muted-foreground)]">{hint}</p>}
-      {error && <p className="text-xs text-[var(--color-destructive)]">{error}</p>}
+            </SettingsSection>
+          </div>
+        </SettingsSection>
+      </form>
     </div>
   );
 }
diff --git a/clients/admin/src/pages/billing/plans-list.tsx b/clients/admin/src/pages/billing/plans-list.tsx
index e51417a199..647980d430 100644
--- a/clients/admin/src/pages/billing/plans-list.tsx
+++ b/clients/admin/src/pages/billing/plans-list.tsx
@@ -1,13 +1,12 @@
 import { useMemo } from "react";
 import { useNavigate } from "react-router-dom";
 import { useQuery } from "@tanstack/react-query";
-import { Pencil, Plus } from "lucide-react";
+import { Pencil, Plus, Tag } from "lucide-react";
 import { getPlans, type BillingPlanDto } from "@/api/billing";
 import { Button } from "@/components/ui/button";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
 import { Badge } from "@/components/ui/badge";
 import { Skeleton } from "@/components/ui/skeleton";
-import { KpiTile } from "@/components/kpi-tile";
+import { StatStrip, Stat, SettingsSection } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 
 // ─── helpers ──────────────────────────────────────────────────────────
@@ -38,15 +37,11 @@ function describe(err: unknown): string {
 
 export function PlansListPage() {
   const navigate = useNavigate();
-  // Plans are typically a small set — fetch everything (including inactive) so
-  // admins can see deactivated rows and the average-price KPI reflects truth.
   const query = useQuery({
     queryKey: ["billing", "plans", { includeInactive: true }],
     queryFn: () => getPlans(true),
   });
 
-  // useMemo dependencies need a stable reference; wrap the optional list once
-  // so the totals memo can depend on it without a fresh array on each render.
   const plans = useMemo<BillingPlanDto[]>(() => query.data ?? [], [query.data]);
 
   const totals = useMemo(() => {
@@ -66,18 +61,18 @@ export function PlansListPage() {
   return (
     <div className="space-y-6">
       {/* KPI strip */}
-      <div className="grid grid-cols-1 gap-3 sm:grid-cols-3">
-        <KpiTile
+      <StatStrip cols={3}>
+        <Stat
           label="Plans"
           value={query.isLoading ? <Skeleton className="h-7 w-16" /> : totals.count}
-          subtitle={`${totals.active} active`}
+          hint={`${totals.active} active`}
         />
-        <KpiTile
+        <Stat
           label="Active"
           value={query.isLoading ? <Skeleton className="h-7 w-16" /> : totals.active}
-          subtitle={totals.count - totals.active > 0 ? `${totals.count - totals.active} inactive` : "all active"}
+          hint={totals.count - totals.active > 0 ? `${totals.count - totals.active} inactive` : "all active"}
         />
-        <KpiTile
+        <Stat
           label="Average base"
           value={
             query.isLoading ? (
@@ -86,98 +81,91 @@ export function PlansListPage() {
               formatMoney(totals.averagePrice, totals.currency)
             )
           }
-          subtitle="monthly subscription fee"
+          hint="monthly subscription fee"
         />
-      </div>
+      </StatStrip>
 
-      {/* List card */}
-      <Card>
-        <CardHeader className="flex flex-row items-center justify-between">
-          <div>
-            <CardTitle>All plans</CardTitle>
-            <CardDescription>
-              Pricing schedule used by tenant subscriptions and invoice generation.
-            </CardDescription>
-          </div>
+      {/* Plans list */}
+      <SettingsSection
+        icon={Tag}
+        title="All plans"
+        description="Pricing schedule used by tenant subscriptions and invoice generation."
+        footer={
           <Button onClick={() => navigate("/billing/plans/new")}>
             <Plus className="mr-1 h-4 w-4" /> New plan
           </Button>
-        </CardHeader>
-        <CardContent className="p-0">
-          {query.isError && (
-            <div className="border-t border-[var(--color-border)] px-6 py-4 text-sm text-[var(--color-destructive)]">
-              {describe(query.error)}
-            </div>
-          )}
+        }
+      >
+        {query.isError && (
+          <div className="mb-4 rounded-md border border-[oklch(from_var(--color-destructive)_l_c_h_/_0.30)] bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.05)] px-4 py-3 text-sm text-[var(--color-destructive)]">
+            {describe(query.error)}
+          </div>
+        )}
 
-          {query.isLoading ? (
-            <ul className="divide-y divide-[var(--color-border)]">
-              {Array.from({ length: 3 }).map((_, i) => (
-                <li key={i} className="px-6 py-5">
-                  <Skeleton className="h-5 w-1/3" />
-                  <Skeleton className="mt-2 h-3 w-1/2" />
-                </li>
-              ))}
-            </ul>
-          ) : plans.length === 0 ? (
-            <div className="px-6 py-10 text-center text-sm text-[var(--color-muted-foreground)]">
-              No plans yet. Create your first plan to start charging tenants.
-            </div>
-          ) : (
-            <ul>
-              {plans.map((plan, i) => (
-                <li
-                  key={plan.id}
-                  className={
-                    "fsh-enter grid grid-cols-[1fr_auto] items-center gap-x-6 gap-y-1 border-t border-[var(--color-border)] px-6 py-4 transition-colors hover:bg-[var(--color-muted)] first:border-t-0"
-                  }
-                  style={{ animationDelay: `${Math.min(i, 6) * 30}ms` }}
-                >
-                  {/* Identity column */}
-                  <div className="min-w-0">
-                    <div className="flex flex-wrap items-center gap-2">
-                      <code className="rounded bg-[var(--color-surface-2)] px-1.5 py-0.5 font-mono text-[11px] font-medium tracking-tight">
-                        {plan.key}
-                      </code>
-                      <span className="font-display text-base font-semibold">{plan.name}</span>
-                      {plan.isActive ? (
-                        <Badge variant="success">Active</Badge>
-                      ) : (
-                        <Badge variant="muted">Inactive</Badge>
-                      )}
-                    </div>
-                    <div className="mt-1 font-mono text-[11px] tracking-tight text-[var(--color-muted-foreground)]">
-                      currency {plan.currency} ·
-                      {" "}
-                      overage {formatOverageRates(plan.overageRates, plan.currency)}
-                    </div>
+        {query.isLoading ? (
+          <ul className="-mx-5 divide-y divide-[var(--color-border)] border-t border-[var(--color-border)]">
+            {Array.from({ length: 3 }).map((_, i) => (
+              <li key={i} className="px-5 py-5">
+                <Skeleton className="h-5 w-1/3" />
+                <Skeleton className="mt-2 h-3 w-1/2" />
+              </li>
+            ))}
+          </ul>
+        ) : plans.length === 0 ? (
+          <div className="py-10 text-center text-sm text-[var(--color-muted-foreground)]">
+            No plans yet. Create your first plan to start charging tenants.
+          </div>
+        ) : (
+          <ul className="-mx-5 border-t border-[var(--color-border)]">
+            {plans.map((plan, i) => (
+              <li
+                key={plan.id}
+                className="fsh-enter grid grid-cols-[1fr_auto] items-center gap-x-6 gap-y-1 border-b border-[var(--color-border)] last:border-b-0 px-5 py-4 transition-colors hover:bg-[var(--color-muted)]"
+                style={{ animationDelay: `${Math.min(i, 6) * 30}ms` }}
+              >
+                {/* Identity column */}
+                <div className="min-w-0">
+                  <div className="flex flex-wrap items-center gap-2">
+                    <code className="rounded bg-[var(--color-surface-2)] px-1.5 py-0.5 font-mono text-[11px] font-medium tracking-tight">
+                      {plan.key}
+                    </code>
+                    <span className="font-display text-base font-semibold">{plan.name}</span>
+                    {plan.isActive ? (
+                      <Badge variant="success">Active</Badge>
+                    ) : (
+                      <Badge variant="muted">Inactive</Badge>
+                    )}
+                  </div>
+                  <div className="mt-1 font-mono text-[11px] tracking-tight text-[var(--color-muted-foreground)]">
+                    currency {plan.currency} ·{" "}
+                    overage {formatOverageRates(plan.overageRates, plan.currency)}
                   </div>
+                </div>
 
-                  {/* Right column — price + edit */}
-                  <div className="flex items-center gap-4">
-                    <div className="text-right">
-                      <div className="text-display text-lg font-semibold leading-none tabular-nums">
-                        {formatMoney(plan.monthlyBasePrice, plan.currency)}
-                      </div>
-                      <div className="mt-1 font-mono text-[10.5px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-                        per month
-                      </div>
+                {/* Right column — price + edit */}
+                <div className="flex items-center gap-4">
+                  <div className="text-right">
+                    <div className="text-display text-lg font-semibold leading-none tabular-nums">
+                      {formatMoney(plan.monthlyBasePrice, plan.currency)}
+                    </div>
+                    <div className="mt-1 font-mono text-[10.5px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
+                      per month
                     </div>
-                    <Button
-                      variant="ghost"
-                      size="icon"
-                      aria-label={`Edit ${plan.name}`}
-                      onClick={() => navigate(`/billing/plans/${plan.id}`)}
-                    >
-                      <Pencil className="h-4 w-4" />
-                    </Button>
                   </div>
-                </li>
-              ))}
-            </ul>
-          )}
-        </CardContent>
-      </Card>
+                  <Button
+                    variant="ghost"
+                    size="icon"
+                    aria-label={`Edit ${plan.name}`}
+                    onClick={() => navigate(`/billing/plans/${plan.id}`)}
+                  >
+                    <Pencil className="h-4 w-4" />
+                  </Button>
+                </div>
+              </li>
+            ))}
+          </ul>
+        )}
+      </SettingsSection>
     </div>
   );
 }
diff --git a/clients/admin/src/pages/dashboard.tsx b/clients/admin/src/pages/dashboard.tsx
index 0736fb3f6a..a1449d08a4 100644
--- a/clients/admin/src/pages/dashboard.tsx
+++ b/clients/admin/src/pages/dashboard.tsx
@@ -1,24 +1,24 @@
 import { Link } from "react-router-dom";
 import { useQuery } from "@tanstack/react-query";
-import { ArrowUpRight, Building2, FileText, Receipt, UsersRound } from "lucide-react";
+import {
+  ArrowRight,
+  Building2,
+  FileText,
+  LayoutDashboard,
+  Receipt,
+  UsersRound,
+} from "lucide-react";
 import { listTenants } from "@/api/tenants";
 import { listInvoices, getPlans } from "@/api/billing";
-import {
-  Card,
-  CardContent,
-  CardDescription,
-  CardHeader,
-  CardTitle,
-} from "@/components/ui/card";
-import { KpiTile } from "@/components/kpi-tile";
 import { Skeleton } from "@/components/ui/skeleton";
+import { EntityPageHeader, Stat, StatStrip, ToneIconTile, type ToneIconTileTone } from "@/components/list";
 import { useAuth } from "@/auth/use-auth";
+import { cn } from "@/lib/cn";
 
 /**
- * DashboardPage — the Console "overview." A live system status header, four
- * KPI tiles drawing from real data, then quick-pivot cards into the rest of
- * the app. No fake "Coming soon" filler; every panel is either real data
- * or removed.
+ * DashboardPage — the operator overview. EntityPageHeader greeting,
+ * four KPI stat tiles drawing from real data, then pivot cards into
+ * the rest of the app. No fake "Coming soon" filler.
  */
 export function DashboardPage() {
   const { user } = useAuth();
@@ -43,37 +43,29 @@ export function DashboardPage() {
   const outstandingCount =
     invoicesPage?.items.filter((i) => i.status === "Issued").length ?? 0;
 
+  const firstName = user?.name?.split(" ")[0];
+
   return (
-    <div className="space-y-8">
-      {/* ── Hero header ──────────────────────────────────────────────── */}
-      <header className="fsh-enter space-y-3">
-        <div className="section-rule">
-          <span className="section-rule__crumb">// OVERVIEW</span>
-          <span className="section-rule__crumb section-rule__crumb--muted">
-            platform status
-          </span>
-          <span className="ml-auto inline-flex items-center gap-2">
-            <span className="pulse-dot" aria-hidden />
-            <span className="meta text-[var(--color-muted-foreground)]">live</span>
-          </span>
-        </div>
-        <div className="flex flex-wrap items-end justify-between gap-3">
-          <div>
-            <h1 className="font-display text-4xl font-semibold leading-none tracking-tight">
-              Console{user?.name ? <span className="text-[var(--color-muted-foreground)]">, {user.name.split(" ")[0]}</span> : null}
-              <span className="text-[var(--color-accent-signal)]">.</span>
-            </h1>
-            <p className="mt-2 max-w-xl text-sm text-[var(--color-muted-foreground)] leading-relaxed">
-              Operate every tenant on this instance — identity, multitenancy, billing,
-              and the rest of the system surface, from one place.
-            </p>
-          </div>
-        </div>
-      </header>
+    <div className="space-y-6">
+      {/* ── Page header ──────────────────────────────────────────────── */}
+      <div className="fsh-enter">
+        <EntityPageHeader
+          icon={LayoutDashboard}
+          title={
+            <>
+              Overview{firstName ? (
+                <span className="text-[var(--color-muted-foreground)]">, {firstName}</span>
+              ) : null}
+            </>
+          }
+          tone="primary"
+          description="Operate every tenant on this instance — identity, multitenancy, billing, and the rest of the system surface."
+        />
+      </div>
 
-      {/* ── KPI strip ────────────────────────────────────────────────── */}
-      <section className="fsh-enter fsh-enter-2 grid grid-cols-1 gap-3 sm:grid-cols-2 lg:grid-cols-4">
-        <KpiTile
+      {/* ── KPI stat strip ───────────────────────────────────────────── */}
+      <StatStrip cols={4} className="fsh-enter fsh-enter-2">
+        <Stat
           label="Tenants"
           value={
             tenantsQuery.isLoading ? (
@@ -82,9 +74,9 @@ export function DashboardPage() {
               tenantsTotal?.toLocaleString() ?? "—"
             )
           }
-          subtitle="registered on this instance"
+          hint="registered on this instance"
         />
-        <KpiTile
+        <Stat
           label="Plans"
           value={
             plansQuery.isLoading ? (
@@ -93,10 +85,10 @@ export function DashboardPage() {
               plans.length.toLocaleString()
             )
           }
-          subtitle={`${activePlans} active`}
+          hint={`${activePlans} active`}
         />
-        <KpiTile
-          label="Invoices · this page"
+        <Stat
+          label="Invoices"
           value={
             invoicesQuery.isLoading ? (
               <Skeleton className="h-7 w-16" />
@@ -104,13 +96,13 @@ export function DashboardPage() {
               invoicesPage?.items.length.toLocaleString() ?? "—"
             )
           }
-          subtitle={
+          hint={
             invoicesPage
               ? `${invoicesPage.totalCount.toLocaleString()} total ledger`
               : "loading…"
           }
         />
-        <KpiTile
+        <Stat
           label="Outstanding"
           value={
             invoicesQuery.isLoading ? (
@@ -119,37 +111,44 @@ export function DashboardPage() {
               outstandingCount.toLocaleString()
             )
           }
-          subtitle="issued, awaiting payment"
+          hint="issued, awaiting payment"
+          tone={outstandingCount > 0 ? "warning" : "default"}
         />
-      </section>
+      </StatStrip>
 
       {/* ── Quick pivots ─────────────────────────────────────────────── */}
       <section className="fsh-enter fsh-enter-3 space-y-3">
-        <div className="meta text-[var(--color-muted-foreground)]">// ENTRY POINTS</div>
-        <div className="grid gap-3 sm:grid-cols-2 lg:grid-cols-3">
+        <p className="text-[11px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+          Entry points
+        </p>
+        <div className="grid gap-3 sm:grid-cols-2 lg:grid-cols-4">
           <PivotCard
             to="/tenants"
             icon={Building2}
+            tone="info"
             title="Tenants"
-            description="Provision, suspend, and inspect tenants. Watch provisioning runs in real time."
+            description="Provision, suspend, and inspect tenants."
           />
           <PivotCard
             to="/users"
             icon={UsersRound}
+            tone="primary"
             title="Users"
-            description="Root-tenant operators. Tenant-scoped users live in each tenant's own dashboard."
+            description="Root-tenant operators and role management."
           />
           <PivotCard
             to="/billing/plans"
             icon={Receipt}
+            tone="success"
             title="Billing"
-            description="Plans, subscriptions, invoices. Drive pricing and the invoice state machine."
+            description="Plans, subscriptions, invoices and pricing."
           />
           <PivotCard
             to="/billing/invoices"
             icon={FileText}
+            tone="warning"
             title="Invoices"
-            description="Cross-tenant ledger with filters. Issue, mark paid, void — all guarded server-side."
+            description="Cross-tenant ledger. Issue, mark paid, void."
           />
         </div>
       </section>
@@ -162,33 +161,40 @@ export function DashboardPage() {
 function PivotCard({
   to,
   icon: Icon,
+  tone,
   title,
   description,
 }: {
   to: string;
   icon: typeof Building2;
+  tone: ToneIconTileTone;
   title: string;
   description: string;
 }) {
   return (
     <Link to={to} className="group block focus:outline-none">
-      <Card interactive className="h-full">
-        <CardHeader className="flex flex-row items-start justify-between gap-3">
-          <div className="space-y-1">
-            <span
-              aria-hidden
-              className="inline-grid h-9 w-9 place-items-center rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] text-[var(--color-muted-foreground)] transition-colors group-hover:text-[var(--color-foreground)]"
-            >
-              <Icon className="h-4 w-4" />
-            </span>
-            <CardTitle className="font-display text-xl">{title}</CardTitle>
+      <div
+        className={cn(
+          "flex h-full flex-col gap-3 rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] p-4 shadow-xs",
+          "transition-colors duration-200 hover:border-[var(--color-border-strong)] hover:bg-[var(--color-accent)]",
+        )}
+      >
+        <div className="flex items-start justify-between">
+          <ToneIconTile icon={Icon} tone={tone} size="md" />
+          <ArrowRight
+            aria-hidden
+            className="size-3.5 text-[var(--color-muted-foreground)] opacity-0 transition-all duration-200 group-hover:translate-x-0.5 group-hover:opacity-100"
+          />
+        </div>
+        <div>
+          <div className="font-display text-[14px] font-semibold tracking-tight text-[var(--color-foreground)]">
+            {title}
           </div>
-          <ArrowUpRight className="h-4 w-4 text-[var(--color-muted-foreground)] transition-[color,transform] duration-200 group-hover:translate-x-0.5 group-hover:-translate-y-0.5 group-hover:text-[var(--color-accent-signal)]" />
-        </CardHeader>
-        <CardContent>
-          <CardDescription>{description}</CardDescription>
-        </CardContent>
-      </Card>
+          <p className="mt-0.5 text-[12px] leading-snug text-[var(--color-muted-foreground)]">
+            {description}
+          </p>
+        </div>
+      </div>
     </Link>
   );
 }
diff --git a/clients/admin/src/pages/health/page.tsx b/clients/admin/src/pages/health/page.tsx
index 06f90f6fb7..026360e131 100644
--- a/clients/admin/src/pages/health/page.tsx
+++ b/clients/admin/src/pages/health/page.tsx
@@ -1,9 +1,10 @@
+import { useState } from "react";
 import { useQuery } from "@tanstack/react-query";
-import { Activity, ChevronRight, RefreshCw } from "lucide-react";
+import { Activity, ChevronRight, Heart, RefreshCw } from "lucide-react";
 import { getLiveness, getReadiness, type HealthEntry, type HealthResult, type HealthStatus } from "@/api/health";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
-import { PageHeader, ErrorBand, StatStrip, Stat } from "@/components/list";
+import { EntityPageHeader, ErrorBand, SettingsSection, StatStrip, Stat } from "@/components/list";
 import { cn } from "@/lib/cn";
 
 const REFRESH_INTERVAL_MS = 10_000;
@@ -43,9 +44,9 @@ export function HealthPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Health" }, { label: "Probes", muted: true }]}
-        trailing={isFetching ? "POLLING" : `EVERY ${REFRESH_INTERVAL_MS / 1000}S`}
+      <EntityPageHeader
+        icon={Heart}
+        tone="success"
         title="Health"
         description={
           <>
@@ -55,13 +56,12 @@ export function HealthPage() {
             scraped by load balancers and uptime monitors.
           </>
         }
-        actions={
-          <Button variant="outline" size="sm" disabled={isFetching} onClick={refetchAll}>
-            <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", isFetching && "animate-spin")} />
-            Refresh
-          </Button>
-        }
-      />
+      >
+        <Button variant="outline" size="sm" disabled={isFetching} onClick={refetchAll} className="flex-1 sm:flex-none">
+          <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", isFetching && "animate-spin")} />
+          Refresh
+        </Button>
+      </EntityPageHeader>
 
       <StatStrip cols={4}>
         <Stat
@@ -142,26 +142,20 @@ function ProbeSection({
   description: string;
 }) {
   return (
-    <section className="space-y-4">
-      <div className="flex items-end justify-between gap-4 border-b border-[var(--color-border)] pb-2">
-        <div>
-          <div className="flex items-center gap-2">
-            <h2 className="font-display text-2xl font-semibold tracking-tight">{title}</h2>
-            {result && <StatusBadge status={result.status} />}
-          </div>
-          <p className="mt-1 max-w-2xl text-sm text-[var(--color-muted-foreground)]">
-            {description}
-          </p>
+    <SettingsSection
+      title={title}
+      description={description}
+      footer={
+        <div className="flex items-center justify-between">
+          {result && <StatusBadge status={result.status} />}
+          <code className="code-chip ml-auto">{path}</code>
         </div>
-        <code className="code-chip">{path}</code>
-      </div>
-
+      }
+    >
       {loading ? (
-        <div className="card-shell px-5 py-6 text-sm font-mono uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-          Probing<span className="caret text-[var(--color-accent-signal)]" />
-        </div>
+        <div className="py-6 text-sm text-[var(--color-muted-foreground)]">Probing…</div>
       ) : !result || result.results.length === 0 ? (
-        <div className="card-shell flex items-center gap-3 px-5 py-5">
+        <div className="flex items-center gap-3 py-5">
           <Activity className="h-4 w-4 text-[var(--color-muted-foreground)]" />
           <div>
             <div className="text-sm font-medium">No dependency checks reported.</div>
@@ -171,52 +165,79 @@ function ProbeSection({
           </div>
         </div>
       ) : (
-        <ul className="card-shell divide-y divide-[var(--color-border)] overflow-hidden">
+        <ul className="-mx-5 divide-y divide-[var(--color-border)] border-t border-[var(--color-border)]">
           {result.results.map((entry) => (
             <CheckRow key={entry.name} entry={entry} />
           ))}
         </ul>
       )}
-    </section>
+    </SettingsSection>
   );
 }
 
 function CheckRow({ entry }: { entry: HealthEntry }) {
+  const [open, setOpen] = useState(false);
+  const hasDetails = !!entry.details && Object.keys(entry.details).length > 0;
+
+  const rowInner = (
+    <>
+      <StatusDot status={entry.status} />
+      <div className="min-w-0">
+        <div className="truncate font-mono text-[13px] font-medium">{entry.name}</div>
+        {entry.description && (
+          <div className="mt-0.5 truncate text-xs text-[var(--color-muted-foreground)]">
+            {entry.description}
+          </div>
+        )}
+      </div>
+      <span className="font-mono text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
+        {entry.durationMs.toFixed(1)}ms
+      </span>
+      {hasDetails ? (
+        <ChevronRight
+          className={cn(
+            "h-4 w-4 text-[var(--color-muted-foreground)] transition-transform",
+            open && "rotate-90",
+          )}
+        />
+      ) : (
+        <span className="h-4 w-4" aria-hidden />
+      )}
+    </>
+  );
+
   return (
     <li>
-      <details className="group">
-        <summary className="grid cursor-pointer grid-cols-[auto_1fr_auto_auto] items-center gap-4 px-5 py-3.5 transition-colors hover:bg-[var(--color-muted)]/50">
-          <StatusDot status={entry.status} />
-          <div className="min-w-0">
-            <div className="truncate font-mono text-[13px] font-medium">{entry.name}</div>
-            {entry.description && (
-              <div className="mt-0.5 truncate text-xs text-[var(--color-muted-foreground)]">
-                {entry.description}
+      {hasDetails ? (
+        <button
+          type="button"
+          onClick={() => setOpen((v) => !v)}
+          aria-expanded={open}
+          className="grid w-full grid-cols-[auto_1fr_auto_auto] items-center gap-4 px-5 py-3.5 text-left transition-colors hover:bg-[var(--color-muted)]/50 focus-visible:bg-[var(--color-muted)]/50 focus-visible:outline-none"
+        >
+          {rowInner}
+        </button>
+      ) : (
+        <div className="grid grid-cols-[auto_1fr_auto_auto] items-center gap-4 px-5 py-3.5">
+          {rowInner}
+        </div>
+      )}
+      {hasDetails && open && (
+        <div className="border-t border-[var(--color-border)] bg-[var(--color-surface-2)] px-5 py-3">
+          <dl className="grid grid-cols-1 gap-x-6 gap-y-1.5 sm:grid-cols-2">
+            {Object.entries(entry.details ?? {}).map(([k, v]) => (
+              <div key={k} className="flex items-baseline justify-between gap-3 border-b border-dashed border-[var(--color-border)] py-1.5">
+                <dt className="font-mono text-[10.5px] uppercase tracking-[0.16em] text-[var(--color-muted-foreground)]">
+                  {k}
+                </dt>
+                <dd className="truncate font-mono text-[12px] text-[var(--color-foreground)]">
+                  {String(v)}
+                </dd>
               </div>
-            )}
-          </div>
-          <span className="font-mono text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
-            {entry.durationMs.toFixed(1)}ms
-          </span>
-          <ChevronRight className="h-4 w-4 text-[var(--color-muted-foreground)] transition-transform group-open:rotate-90" />
-        </summary>
-        {entry.details && Object.keys(entry.details).length > 0 && (
-          <div className="border-t border-[var(--color-border)] bg-[var(--color-surface-2)] px-5 py-3">
-            <dl className="grid grid-cols-1 gap-x-6 gap-y-1.5 sm:grid-cols-2">
-              {Object.entries(entry.details).map(([k, v]) => (
-                <div key={k} className="flex items-baseline justify-between gap-3 border-b border-dashed border-[var(--color-border)] py-1.5">
-                  <dt className="font-mono text-[10.5px] uppercase tracking-[0.16em] text-[var(--color-muted-foreground)]">
-                    {k}
-                  </dt>
-                  <dd className="truncate font-mono text-[12px] text-[var(--color-foreground)]">
-                    {String(v)}
-                  </dd>
-                </div>
-              ))}
-            </dl>
-          </div>
-        )}
-      </details>
+            ))}
+          </dl>
+        </div>
+      )}
     </li>
   );
 }
diff --git a/clients/admin/src/pages/impersonation/list.tsx b/clients/admin/src/pages/impersonation/list.tsx
index 7074496a9c..9120543bd6 100644
--- a/clients/admin/src/pages/impersonation/list.tsx
+++ b/clients/admin/src/pages/impersonation/list.tsx
@@ -11,14 +11,14 @@ import { useAuth } from "@/auth/use-auth";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import {
-  PageHeader,
+  EntityPageHeader,
   ErrorBand,
   LoadingRow,
   StatStrip,
   Stat,
   FilterBar,
-  Select,
 } from "@/components/list";
+import { Select } from "@/components/ui/select";
 import { EmptyState } from "@/components/empty-state";
 import { ImpersonateDialog } from "@/components/impersonation/impersonate-dialog";
 import { RevokeGrantDialog } from "@/components/impersonation/revoke-grant-dialog";
@@ -74,23 +74,23 @@ export function ImpersonationListPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Impersonation" }, { label: "Grants", muted: true }]}
-        trailing={`POLL EVERY ${REFRESH_INTERVAL_MS / 1000}S`}
+      <EntityPageHeader
+        icon={UserCog}
+        tone="warning"
         title="Impersonation"
         description="Every impersonation token issued by the server is tracked here. Active grants can be revoked — the token is rejected by the JWT validation hook within seconds."
-        actions={
-          <Button
-            variant="outline"
-            size="sm"
-            disabled={grants.isFetching}
-            onClick={() => grants.refetch()}
-          >
-            <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", grants.isFetching && "animate-spin")} />
-            Refresh
-          </Button>
-        }
-      />
+      >
+        <Button
+          variant="outline"
+          size="sm"
+          disabled={grants.isFetching}
+          onClick={() => grants.refetch()}
+          className="flex-1 sm:flex-none"
+        >
+          <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", grants.isFetching && "animate-spin")} />
+          Refresh
+        </Button>
+      </EntityPageHeader>
 
       <StatStrip cols={4}>
         <Stat label="Active" value={grants.isLoading ? "—" : counts.active.toString()} hint="in-flight tokens" tone={counts.active > 0 ? "signal" : "default"} />
@@ -102,10 +102,10 @@ export function ImpersonationListPage() {
       <FilterBar>
         <Select
           value={status}
-          onValueChange={(v) => setStatus(v as ImpersonationGrantStatus | "")}
+          onChange={(v) => setStatus(v as ImpersonationGrantStatus | "")}
           options={STATUS_OPTIONS}
-          emptyLabel="All statuses"
-          className="min-w-[12rem]"
+          placeholder="All statuses"
+          minWidth="12rem"
         />
       </FilterBar>
 
@@ -322,7 +322,7 @@ function Details({ grant }: { grant: ImpersonationGrantDto }) {
 function DRow({ label, children, wide }: { label: string; children: React.ReactNode; wide?: boolean }) {
   return (
     <div className={cn("flex items-baseline gap-2", wide && "sm:col-span-2")}>
-      <dt className="meta w-32 shrink-0 text-[var(--color-muted-foreground)]">{label}</dt>
+      <dt className="font-mono text-[10.5px] uppercase tracking-[0.14em] w-32 shrink-0 text-[var(--color-muted-foreground)]">{label}</dt>
       <dd className="min-w-0 truncate">{children}</dd>
     </div>
   );
diff --git a/clients/admin/src/pages/login.demo-accounts.ts b/clients/admin/src/pages/login.demo-accounts.ts
new file mode 100644
index 0000000000..209b7a1e0c
--- /dev/null
+++ b/clients/admin/src/pages/login.demo-accounts.ts
@@ -0,0 +1,35 @@
+// Admin demo accounts — mirrors src/Host/FSH.Starter.Api/DevSeeding (keep in sync).
+// Static — no API call — because the login page is unauthenticated and the
+// API can't safely advertise credentials. Admin only surfaces the root /
+// operator superadmin; tenant-level demo users live in the dashboard app.
+
+export type DemoAccount = {
+  email: string;
+  password: string;
+  tenant: string;
+  /** Short display label */
+  label: string;
+  /** Initials rendered in the avatar */
+  initials: string;
+  /** One-line persona explainer */
+  persona: string;
+};
+
+export const DEMO_PASSWORD = "Password123!";
+
+/**
+ * Admin exposes a single demo account: the root superadmin.
+ * In the Aspire dev stack the demo seeder (`seed-demo`) aligns this
+ * account's password to the shared DEMO_PASSWORD so it works out of
+ * the box in local dev.
+ */
+export const ADMIN_DEMO_ACCOUNTS: DemoAccount[] = [
+  {
+    email: "superadmin@root.com",
+    password: DEMO_PASSWORD,
+    tenant: "root",
+    label: "SuperAdmin",
+    initials: "SA",
+    persona: "Platform operator · cross-tenant control",
+  },
+];
diff --git a/clients/admin/src/pages/login.tsx b/clients/admin/src/pages/login.tsx
index 4fabccefc9..0280cbc344 100644
--- a/clients/admin/src/pages/login.tsx
+++ b/clients/admin/src/pages/login.tsx
@@ -1,31 +1,36 @@
 import { useState, type FormEvent } from "react";
 import { Link, Navigate, useLocation, useNavigate } from "react-router-dom";
-import { ClipboardCheck, Copy, FlaskConical } from "lucide-react";
+import {
+  AlertCircle,
+  ArrowRight,
+  Eye,
+  EyeOff,
+  Loader2,
+  ShieldCheck,
+  Sparkles,
+} from "lucide-react";
 import { useAuth } from "@/auth/use-auth";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
-import { BrandMarkXL } from "@/components/brand-mark";
+import { DemoAccountsDialog } from "@/components/auth/demo-accounts-dialog";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
 import { env } from "@/env";
+import type { DemoAccount } from "@/pages/login.demo-accounts";
 
-type LocationState = { from?: { pathname: string } };
+// ────────────────────────────────────────────────────────────────────────
+// Login — FSH Admin operator sign-in.
+// Chrome mirrors the dashboard's AuthShell: atmospheric orbs, FSH logo
+// lockup, warm-paper card with backdrop blur.
+// The dev demo button ("Sign in with a demo account") opens the same
+// popup dialog UX the dashboard uses — pick an account → fills
+// tenant/email/password → instant sign-in. Gated on import.meta.env.DEV
+// (admin has no runtime demoMode flag).
+// ────────────────────────────────────────────────────────────────────────
 
-const DEMO_PASSWORD = "Password123!";
-const DEMO_SUPERADMIN = {
-  tenant: "root",
-  email: "superadmin@root.com",
-  label: "SuperAdmin",
-  persona: "Platform operator · cross-tenant control",
-} as const;
+type LocationState = { from?: { pathname: string } };
 
-/**
- * LoginPage — editorial split-screen. Left pane (hidden below lg) is the
- * brand stage: 32px coordinate-grid mesh + ASCII-style monogram + a soft
- * chartreuse vignette anchored top-left. Right pane is the form, which
- * gets the same hairline-everything treatment as the rest of Console.
- */
 export function LoginPage() {
   const { isAuthenticated, login } = useAuth();
   const navigate = useNavigate();
@@ -37,18 +42,18 @@ export function LoginPage() {
   const [tenant, setTenant] = useState(env.defaultTenant);
   const [submitting, setSubmitting] = useState(false);
   const [error, setError] = useState<string | null>(null);
-  const [copied, setCopied] = useState(false);
+  const [demoOpen, setDemoOpen] = useState(false);
+  const [showPassword, setShowPassword] = useState(false);
 
   if (isAuthenticated) {
     return <Navigate to={from} replace />;
   }
 
-  const onSubmit = async (e: FormEvent<HTMLFormElement>) => {
-    e.preventDefault();
+  const performLogin = async (creds: { email: string; password: string; tenant: string }) => {
     setError(null);
     setSubmitting(true);
     try {
-      await login({ email, password, tenant });
+      await login(creds);
       navigate(from, { replace: true });
     } catch (err) {
       const message =
@@ -63,309 +68,225 @@ export function LoginPage() {
     }
   };
 
-  const onPickDemo = () => {
-    setError(null);
-    setEmail(DEMO_SUPERADMIN.email);
-    setPassword(DEMO_PASSWORD);
-    setTenant(DEMO_SUPERADMIN.tenant);
+  const onSubmit = async (e: FormEvent<HTMLFormElement>) => {
+    e.preventDefault();
+    await performLogin({ email, password, tenant });
   };
 
-  const onCopyPassword = async () => {
-    try {
-      await navigator.clipboard.writeText(DEMO_PASSWORD);
-      setCopied(true);
-      window.setTimeout(() => setCopied(false), 1400);
-    } catch {
-      // ignore
-    }
+  // Demo picker → reflect the chosen creds in the form, then sign in instantly.
+  const onPickDemo = (account: DemoAccount) => {
+    setEmail(account.email);
+    setPassword(account.password);
+    setTenant(account.tenant);
+    void performLogin({ email: account.email, password: account.password, tenant: account.tenant });
   };
 
   return (
-    <div className="grid min-h-screen bg-[var(--color-background)] text-[var(--color-foreground)] lg:grid-cols-[1.1fr_1fr]">
-      {/* ─── Left pane — brand stage ───────────────────────────────── */}
-      <aside className="relative hidden overflow-hidden border-r border-[var(--color-border)] lg:flex lg:flex-col">
-        {/* Coordinate-grid mesh */}
-        <div className="canvas-mesh pointer-events-none absolute inset-0" aria-hidden />
-
-        {/* Top-left chartreuse vignette */}
-        <div
-          className="pointer-events-none absolute inset-0"
-          aria-hidden
-          style={{
-            background:
-              "radial-gradient(48rem 32rem at 0% 0%, oklch(from var(--color-accent-signal) l c h / 0.18), transparent 65%)",
-          }}
-        />
-
-        {/* Corner ticks — magazine-style coordinate marks */}
-        <CornerTicks />
-
-        <div className="relative flex flex-1 flex-col justify-between p-12 xl:p-16">
-          {/* Top crumb */}
-          <div className="meta text-[var(--color-muted-foreground)] fsh-enter">
-            // FSH / CONSOLE / SIGN IN
-          </div>
-
-          {/* Hero monogram */}
-          <BrandMarkXL className="fsh-enter fsh-enter-2 max-w-lg" />
-
-          {/* Bottom meta */}
-          <div className="fsh-enter fsh-enter-4 flex items-end justify-between gap-6">
-            <div className="space-y-1">
-              <div className="meta text-[var(--color-muted-foreground)]">authorized personnel</div>
-              <div className="font-mono text-[12px] text-[var(--color-muted-foreground)] leading-relaxed">
-                Tenant administrators sign in through their tenant dashboard.
-                <br />
-                This surface is for the root tenant operator.
-              </div>
-            </div>
-            <div className="meta text-right text-[var(--color-muted-foreground)]">
-              v0.1
-              <br />
-              build · live
-            </div>
-          </div>
+    <>
+      {/* ── Outer shell — matches dashboard AuthShell exactly ─────────── */}
+      <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-[var(--color-background)] px-5 py-8 sm:py-12">
+        {/* Atmospheric background orbs */}
+        <div className="pointer-events-none absolute inset-0" aria-hidden>
+          <div
+            className="absolute -top-[25%] -left-[15%] h-[70vw] w-[70vw] rounded-full blur-[140px]"
+            style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.05)" }}
+          />
+          <div
+            className="absolute -bottom-[20%] -right-[10%] h-[55vw] w-[55vw] rounded-full blur-[120px]"
+            style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.07)" }}
+          />
+          <div
+            className="absolute top-[10%] right-[5%] h-[30vw] w-[30vw] rounded-full blur-[80px]"
+            style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.025)" }}
+          />
         </div>
-      </aside>
 
-      {/* ─── Right pane — form ─────────────────────────────────────── */}
-      <main className="relative flex flex-col items-center justify-center p-6 lg:p-10">
-        {/* Subtle subgrid on the form pane too */}
-        <div className="canvas-grid pointer-events-none absolute inset-0" aria-hidden />
-
-        <div className="relative w-full max-w-md space-y-6 fsh-enter">
-          {/* Mobile-only brand (lg+ uses the left pane) */}
-          <div className="lg:hidden">
-            <BrandMarkXL />
-          </div>
-
-          {/* Section rule + form header */}
-          <div className="space-y-3">
-            <div className="section-rule">
-              <span className="section-rule__crumb">// AUTHENTICATE</span>
-              <span className="section-rule__crumb section-rule__crumb--muted">
-                request a session
+        {/* Card column */}
+        <div className="relative z-10 w-full max-w-[420px] fsh-enter fsh-enter-1">
+          {/* ── Brand lockup — same as dashboard AuthShell ─────────────── */}
+          <div className="mb-8 flex flex-col items-center">
+            <div className="flex items-center gap-2.5">
+              <img
+                src="/logo-fullstackhero.png"
+                alt="FullStackHero"
+                className="size-9 object-contain"
+              />
+              <span className="font-display text-[26px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                fullstack<span className="text-[var(--color-primary)]">hero</span>
               </span>
             </div>
-            <p className="text-sm text-[var(--color-muted-foreground)]">
-              Use a root-tenant operator account. Tenant administrators sign in through their own tenant.
-            </p>
+            <div className="mt-3 flex items-center gap-2 text-[10px] font-semibold uppercase tracking-[0.2em] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
+              <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+              <span>Platform Admin</span>
+              <span aria-hidden className="h-px w-6 bg-[var(--color-border)]" />
+            </div>
           </div>
 
-          <form onSubmit={onSubmit} className="space-y-4">
-            <Field
-              id="tenant"
-              label="Tenant"
-              value={tenant}
-              onChange={setTenant}
-              autoComplete="organization"
-              placeholder="root"
-              required
-            />
-            <Field
-              id="email"
-              label="Email"
-              type="email"
-              value={email}
-              onChange={setEmail}
-              autoComplete="email"
-              placeholder="operator@root.example"
-              required
-            />
-            <Field
-              id="password"
-              label="Password"
-              type="password"
-              value={password}
-              onChange={setPassword}
-              autoComplete="current-password"
-              required
-            />
-
-            {error && (
-              <div
-                role="alert"
-                className="rounded-md border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.08)] px-3 py-2 text-sm text-[var(--color-destructive)]"
-              >
-                {error}
+          {/* Form card */}
+          <div className="rounded-xl border border-[var(--color-border)] bg-[oklch(from_var(--color-card)_l_c_h_/_0.85)] shadow-[0_1px_3px_oklch(0_0_0_/_0.04),0_8px_24px_oklch(0_0_0_/_0.06)] backdrop-blur-xl">
+            <div className="px-6 py-7 sm:px-8 sm:py-9">
+              <div className="mb-6 sm:mb-8">
+                <h1 className="mb-1.5 font-display text-[22px] font-semibold tracking-tight text-[var(--color-foreground)]">
+                  Welcome back
+                </h1>
+                <p className="text-[13px] text-[var(--color-muted-foreground)]">
+                  Sign in to your operator account
+                </p>
               </div>
-            )}
 
-            <Button type="submit" variant="signal" className="w-full" disabled={submitting}>
-              {submitting ? "Authenticating…" : "Sign in →"}
-            </Button>
-
-            <div className="flex justify-end">
-              <Link
-                to="/forgot-password"
-                className="meta text-[var(--color-muted-foreground)] underline-offset-4 transition-colors hover:text-[var(--color-foreground)] hover:underline"
+              <form
+                onSubmit={onSubmit}
+                className="space-y-5"
+                noValidate
+                aria-describedby={error ? "login-error" : undefined}
               >
-                // forgot password?
-              </Link>
-            </div>
-          </form>
+                {/* Tenant */}
+                <div className="space-y-1.5">
+                  <Label
+                    htmlFor="tenant"
+                    className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                  >
+                    Tenant
+                  </Label>
+                  <Input
+                    id="tenant"
+                    value={tenant}
+                    onChange={(e) => setTenant(e.target.value)}
+                    autoComplete="organization"
+                    placeholder="root"
+                    required
+                    aria-invalid={error ? true : undefined}
+                    className="h-11 text-[14px]"
+                  />
+                </div>
 
-          {import.meta.env.DEV && (
-            <DevDemoCallout
-              active={email === DEMO_SUPERADMIN.email && tenant === DEMO_SUPERADMIN.tenant}
-              copied={copied}
-              onPick={onPickDemo}
-              onCopy={onCopyPassword}
-            />
-          )}
-        </div>
-      </main>
-    </div>
-  );
-}
+                {/* Email */}
+                <div className="space-y-1.5">
+                  <Label
+                    htmlFor="email"
+                    className="block text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                  >
+                    Email
+                  </Label>
+                  <Input
+                    id="email"
+                    type="email"
+                    value={email}
+                    onChange={(e) => setEmail(e.target.value)}
+                    autoComplete="email"
+                    placeholder="operator@root.example"
+                    required
+                    aria-invalid={error ? true : undefined}
+                    className="h-11 text-[14px]"
+                  />
+                </div>
 
-// ─── subcomponents ───────────────────────────────────────────────────
+                {/* Password */}
+                <div className="space-y-1.5">
+                  <div className="flex items-center justify-between">
+                    <Label
+                      htmlFor="password"
+                      className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]"
+                    >
+                      Password
+                    </Label>
+                    <Link
+                      to="/forgot-password"
+                      className="text-[11px] font-medium text-[var(--color-muted-foreground)] underline-offset-4 transition-colors hover:text-[var(--color-primary)] hover:underline"
+                    >
+                      Forgot?
+                    </Link>
+                  </div>
+                  <div className="relative">
+                    <Input
+                      id="password"
+                      type={showPassword ? "text" : "password"}
+                      value={password}
+                      onChange={(e) => setPassword(e.target.value)}
+                      autoComplete="current-password"
+                      placeholder="Enter your password"
+                      required
+                      aria-invalid={error ? true : undefined}
+                      className="h-11 pr-11 text-[14px]"
+                    />
+                    <button
+                      type="button"
+                      onClick={() => setShowPassword((v) => !v)}
+                      aria-label={showPassword ? "Hide password" : "Show password"}
+                      className="absolute right-3.5 top-1/2 grid h-6 w-6 -translate-y-1/2 cursor-pointer place-items-center rounded text-[var(--color-muted-foreground)] transition-colors hover:text-[var(--color-foreground)] focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]"
+                    >
+                      {showPassword ? <EyeOff className="size-4" /> : <Eye className="size-4" />}
+                    </button>
+                  </div>
+                </div>
 
-function CornerTicks() {
-  // L-shaped tick marks at each corner, in the chartreuse signal.
-  // Reads as "this surface has coordinates" without being a literal crosshair.
-  const TICK = "h-3 w-3 border-[var(--color-accent-signal)]";
-  return (
-    <>
-      <span className={cn("pointer-events-none absolute left-6 top-6 border-l-2 border-t-2", TICK)} aria-hidden />
-      <span className={cn("pointer-events-none absolute right-6 top-6 border-r-2 border-t-2", TICK)} aria-hidden />
-      <span className={cn("pointer-events-none absolute left-6 bottom-6 border-l-2 border-b-2", TICK)} aria-hidden />
-      <span className={cn("pointer-events-none absolute right-6 bottom-6 border-r-2 border-b-2", TICK)} aria-hidden />
-    </>
-  );
-}
+                {error && (
+                  <div
+                    id="login-error"
+                    role="alert"
+                    className={cn(
+                      "fsh-enter flex items-start gap-2 rounded-lg border px-3 py-2 text-sm",
+                      "border-[oklch(from_var(--color-destructive)_l_c_h_/_0.30)]",
+                      "bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.06)]",
+                      "text-[var(--color-destructive)]",
+                    )}
+                  >
+                    <AlertCircle className="mt-0.5 size-4 shrink-0" />
+                    <span className="leading-snug">{error}</span>
+                  </div>
+                )}
 
-type FieldProps = {
-  id: string;
-  label: string;
-  value: string;
-  onChange: (v: string) => void;
-  type?: string;
-  required?: boolean;
-  placeholder?: string;
-  autoComplete?: string;
-};
+                <div className="pt-1.5">
+                  <Button
+                    type="submit"
+                    disabled={submitting || !email || !password || !tenant}
+                    className="group h-11 w-full text-[14px] font-semibold"
+                  >
+                    {submitting ? (
+                      <>
+                        <Loader2 className="size-4 animate-spin" />
+                        <span>Signing in…</span>
+                      </>
+                    ) : (
+                      <>
+                        <span>Sign in</span>
+                        <ArrowRight className="size-[14px] opacity-60 transition-all duration-200 group-hover:translate-x-0.5 group-hover:opacity-100" />
+                      </>
+                    )}
+                  </Button>
+                </div>
+              </form>
 
-function Field({
-  id,
-  label,
-  value,
-  onChange,
-  type,
-  required,
-  placeholder,
-  autoComplete,
-}: FieldProps) {
-  return (
-    <div className="space-y-1.5">
-      <Label htmlFor={id}>{label}</Label>
-      <Input
-        id={id}
-        type={type ?? "text"}
-        value={value}
-        onChange={(e) => onChange(e.target.value)}
-        required={required}
-        placeholder={placeholder}
-        autoComplete={autoComplete}
-      />
-    </div>
-  );
-}
-
-function DevDemoCallout({
-  active,
-  copied,
-  onPick,
-  onCopy,
-}: {
-  active: boolean;
-  copied: boolean;
-  onPick: () => void;
-  onCopy: () => void;
-}) {
-  return (
-    <div
-      role="region"
-      aria-label="Development demo account"
-      className="relative overflow-hidden rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-3.5"
-    >
-      <div className="flex items-start gap-2.5">
-        <span
-          aria-hidden
-          className="grid h-7 w-7 shrink-0 place-items-center rounded-md bg-[oklch(from_var(--color-warning)_l_c_h_/_0.16)] text-[var(--color-warning)] ring-1 ring-inset ring-[oklch(from_var(--color-warning)_l_c_h_/_0.4)]"
-        >
-          <FlaskConical className="h-3.5 w-3.5" />
-        </span>
-        <div className="min-w-0 flex-1">
-          <div className="meta flex items-center gap-2 text-[var(--color-warning)]">
-            DEV · demo account
-          </div>
-          <button
-            type="button"
-            onClick={onPick}
-            aria-pressed={active}
-            className={cn(
-              "mt-2 flex w-full items-center gap-2 rounded-md border px-2.5 py-1.5 text-left transition-colors",
-              active
-                ? "border-[var(--color-accent-signal)] bg-[oklch(from_var(--color-accent-signal)_l_c_h_/_0.10)]"
-                : "border-[var(--color-border)] bg-transparent hover:bg-[var(--color-muted)]",
-            )}
-          >
-            <span className="grid h-7 w-7 shrink-0 place-items-center rounded-full bg-[var(--color-primary)] text-[10px] font-bold text-[var(--color-primary-foreground)]">
-              SA
-            </span>
-            <span className="min-w-0 flex-1">
-              <span className="flex items-center gap-1.5">
-                <span className="text-[12.5px] font-semibold tracking-tight">
-                  {DEMO_SUPERADMIN.label}
-                </span>
-                <span className="code-chip">root</span>
-              </span>
-              <span className="mt-0.5 block truncate font-mono text-[11px] text-[var(--color-muted-foreground)]">
-                {DEMO_SUPERADMIN.email}
-              </span>
-              <span className="mt-0.5 block text-[11px] italic text-[var(--color-muted-foreground)]/80">
-                {DEMO_SUPERADMIN.persona}
-              </span>
-            </span>
-            <span
-              className={cn(
-                "shrink-0 font-mono text-[10px] uppercase tracking-[0.14em]",
-                active ? "text-[var(--color-accent-signal)]" : "text-[var(--color-muted-foreground)]",
+              {/* Demo accounts — dev-only, same dashed-button pattern as dashboard. */}
+              {import.meta.env.DEV && (
+                <div className="mt-7">
+                  <button
+                    type="button"
+                    onClick={() => setDemoOpen(true)}
+                    className="flex h-10 w-full cursor-pointer items-center justify-center gap-2 rounded-lg border border-dashed border-[var(--color-primary)]/25 bg-transparent text-[12.5px] font-medium text-[var(--color-primary)]/70 transition-all duration-150 hover:border-[var(--color-primary)]/40 hover:bg-[var(--color-primary)]/[0.04] hover:text-[var(--color-primary)]"
+                  >
+                    <Sparkles className="size-[13px]" />
+                    <span>Sign in with a demo account</span>
+                  </button>
+                </div>
               )}
-            >
-              {active ? "loaded" : "use →"}
-            </span>
-          </button>
+            </div>
+          </div>
 
-          <div className="mt-3 flex items-center justify-between text-[11px]">
-            <span className="flex items-center gap-1.5 text-[var(--color-muted-foreground)]">
-              <span className="meta">password</span>
-              <code className="code-chip">{DEMO_PASSWORD}</code>
-            </span>
-            <button
-              type="button"
-              onClick={onCopy}
-              className={cn(
-                "inline-flex h-6 cursor-pointer items-center gap-1 rounded-md px-2 font-mono text-[10px] uppercase tracking-[0.14em] transition-colors",
-                copied
-                  ? "bg-[oklch(from_var(--color-success)_l_c_h_/_0.16)] text-[var(--color-success)]"
-                  : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-muted)]",
-              )}
-            >
-              {copied ? (
-                <>
-                  <ClipboardCheck className="h-3 w-3" /> copied
-                </>
-              ) : (
-                <>
-                  <Copy className="h-3 w-3" /> copy
-                </>
-              )}
-            </button>
+          <div className="mt-6 flex items-center justify-center gap-1.5 text-[11px] text-[var(--color-muted-foreground)]">
+            <ShieldCheck className="size-3" />
+            <span>Encrypted in transit · JWT-secured session</span>
           </div>
+          <p className="mt-4 text-center text-[10px] font-medium uppercase tracking-wider text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]">
+            FullStackHero Administration
+          </p>
         </div>
       </div>
-    </div>
+
+      {/* Demo dialog — rendered outside the shell to escape any overflow clipping. */}
+      {import.meta.env.DEV && (
+        <DemoAccountsDialog open={demoOpen} onOpenChange={setDemoOpen} onPick={onPickDemo} />
+      )}
+    </>
   );
 }
diff --git a/clients/admin/src/pages/not-found.tsx b/clients/admin/src/pages/not-found.tsx
index 81d7f50cc2..239c9bdacc 100644
--- a/clients/admin/src/pages/not-found.tsx
+++ b/clients/admin/src/pages/not-found.tsx
@@ -1,34 +1,77 @@
-import { Link } from "react-router-dom";
+import { Link, useLocation, useNavigate } from "react-router-dom";
+import { ArrowLeft, FileQuestion, Home } from "lucide-react";
 import { Button } from "@/components/ui/button";
 
+/**
+ * NotFoundPage — calm centered "page not found" card.
+ *
+ * Matches the dashboard's not-found vocabulary: atmospheric orbs, a muted
+ * icon tile, an Outfit headline, a soft body line, and primary affordances.
+ * Mounted at the root via `path: "*"`.
+ */
 export function NotFoundPage() {
+  const navigate = useNavigate();
+  const location = useLocation();
+  const requested = location.pathname + location.search;
+
   return (
-    <div className="relative flex min-h-screen items-center justify-center bg-[var(--color-background)] text-[var(--color-foreground)] p-6">
-      <div className="canvas-mesh pointer-events-none absolute inset-0" aria-hidden />
-      <div
-        className="pointer-events-none absolute inset-0"
-        aria-hidden
-        style={{
-          background:
-            "radial-gradient(36rem 24rem at 50% 110%, oklch(from var(--color-accent-signal) l c h / 0.12), transparent 70%)",
-        }}
-      />
-      <div className="fsh-enter relative max-w-md space-y-6 text-center">
-        <div className="meta text-[var(--color-muted-foreground)]">
-          // SYSTEM RESPONSE
+    <div className="relative flex min-h-screen items-center justify-center overflow-hidden bg-[var(--color-background)] px-5 py-8 sm:py-12">
+      {/* Atmospheric background — same primary/saffron orbs as the auth pages */}
+      <div className="pointer-events-none absolute inset-0" aria-hidden>
+        <div
+          className="absolute -top-[25%] -left-[15%] h-[70vw] w-[70vw] rounded-full blur-[140px]"
+          style={{ backgroundColor: "oklch(from var(--color-primary) l c h / 0.05)" }}
+        />
+        <div
+          className="absolute -bottom-[20%] -right-[10%] h-[55vw] w-[55vw] rounded-full blur-[120px]"
+          style={{ backgroundColor: "oklch(from var(--color-saffron, var(--color-primary)) l c h / 0.07)" }}
+        />
+      </div>
+
+      <div className="relative z-10 flex w-full max-w-[460px] flex-col items-center text-center fsh-enter fsh-enter-1">
+        {/* Icon tile — muted bg + rounded-2xl, matching dashboard EntityEmpty */}
+        <div className="mb-5 grid size-14 place-items-center rounded-2xl bg-[var(--color-muted)]">
+          <FileQuestion className="size-6 text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]" />
         </div>
-        <h1 className="font-display text-[clamp(5rem,12vw,8rem)] font-semibold leading-[0.95] tracking-[var(--tracking-display)]">
-          404<span className="text-[var(--color-accent-signal)]">.</span>
+
+        <h1 className="mb-2 font-display text-[clamp(1.5rem,5vw,2rem)] font-semibold tracking-tight text-[var(--color-foreground)]">
+          Page not found
         </h1>
-        <p className="font-mono text-sm text-[var(--color-muted-foreground)]">
-          requested resource &nbsp;<span className="code-chip">not_found</span>
+        <p className="mb-2 max-w-[380px] text-[14px] leading-relaxed text-[var(--color-muted-foreground)]">
+          We couldn't find anything at that address. It may be a stale link, a
+          renamed route, or a path that never existed.
         </p>
-        <p className="text-sm text-[var(--color-foreground)] leading-relaxed">
-          The URL you requested doesn't map to any page in this console.
+
+        {/* Requested path — soft inline display */}
+        <p
+          className="mb-7 inline-flex max-w-full items-center gap-1.5 text-[12px] text-[var(--color-muted-foreground)]"
+          title={requested}
+        >
+          <span className="text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)]">
+            Requested
+          </span>
+          <span className="truncate text-[var(--color-foreground)]">{requested}</span>
         </p>
-        <Button asChild variant="signal">
-          <Link to="/">Return to overview →</Link>
-        </Button>
+
+        {/* Primary actions */}
+        <div className="flex w-full flex-col items-center gap-2 sm:flex-row sm:justify-center">
+          <Button asChild className="group h-11 px-5 text-[14px] font-semibold">
+            <Link to="/">
+              <Home className="size-4" />
+              <span>Back home</span>
+            </Link>
+          </Button>
+        </div>
+
+        {/* Tertiary — go-back */}
+        <button
+          type="button"
+          onClick={() => navigate(-1)}
+          className="mt-5 inline-flex items-center gap-1.5 text-[12px] text-[var(--color-muted-foreground)] transition-colors hover:text-[var(--color-foreground)]"
+        >
+          <ArrowLeft className="size-3.5" />
+          <span>Go back to the previous page</span>
+        </button>
       </div>
     </div>
   );
diff --git a/clients/admin/src/pages/notifications/inbox.tsx b/clients/admin/src/pages/notifications/inbox.tsx
index f6233bf2a3..c3f1d30e49 100644
--- a/clients/admin/src/pages/notifications/inbox.tsx
+++ b/clients/admin/src/pages/notifications/inbox.tsx
@@ -12,10 +12,10 @@ import { useRealtimeEvent } from "@/realtime/realtime-context";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
 import {
+  EntityPageHeader,
   ErrorBand,
   FilterBar,
   LoadingRow,
-  PageHeader,
   Select,
 } from "@/components/list";
 import { EmptyState } from "@/components/empty-state";
@@ -64,34 +64,34 @@ export function NotificationsInboxPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Notifications" }, { label: "Inbox", muted: true }]}
-        trailing={`${items.length} ITEMS`}
+      <EntityPageHeader
+        icon={Bell}
         title="Notifications"
+        total={items.length}
+        unit="item"
         description="Events the system has surfaced for you. Live-updates as new notifications arrive — no refresh needed."
-        actions={
-          <>
-            <Button
-              variant="outline"
-              size="sm"
-              disabled={query.isFetching}
-              onClick={() => query.refetch()}
-            >
-              <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
-              Refresh
-            </Button>
-            <Button
-              variant="signal"
-              size="sm"
-              onClick={() => markAll.mutate()}
-              disabled={markAll.isPending}
-            >
-              <CheckCheck className="mr-1.5 h-3.5 w-3.5" />
-              {markAll.isPending ? "Marking…" : "Mark all read"}
-            </Button>
-          </>
-        }
-      />
+      >
+        <Button
+          variant="outline"
+          size="sm"
+          disabled={query.isFetching}
+          onClick={() => query.refetch()}
+          className="flex-1 sm:flex-none"
+        >
+          <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
+          Refresh
+        </Button>
+        <Button
+          variant="signal"
+          size="sm"
+          onClick={() => markAll.mutate()}
+          disabled={markAll.isPending}
+          className="flex-1 sm:flex-none"
+        >
+          <CheckCheck className="mr-1.5 h-3.5 w-3.5" />
+          {markAll.isPending ? "Marking…" : "Mark all read"}
+        </Button>
+      </EntityPageHeader>
 
       <FilterBar>
         <Select
diff --git a/clients/admin/src/pages/roles/create.tsx b/clients/admin/src/pages/roles/create.tsx
index 40aab7bf7f..c362a8acca 100644
--- a/clients/admin/src/pages/roles/create.tsx
+++ b/clients/admin/src/pages/roles/create.tsx
@@ -1,135 +1,8 @@
-import { useNavigate } from "react-router-dom";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-import { ArrowLeft } from "lucide-react";
-import { toast } from "sonner";
-import { upsertRole, type RoleDto } from "@/api/roles";
-import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
-import {
-  PageHeader,
-  Field,
-  FormShell,
-  FormSection,
-  FormActions,
-} from "@/components/list";
-import { ApiRequestError } from "@/lib/api-client";
-
-const schema = z.object({
-  name: z
-    .string()
-    .trim()
-    .min(2, "At least 2 characters.")
-    .max(64, "Keep under 64 characters."),
-  description: z.string().trim().max(256, "Keep under 256 characters.").optional(),
-});
-
-type FormValues = z.infer<typeof schema>;
+import { Navigate } from "react-router-dom";
 
+// Role creation is now a dialog launched from the list page.
+// This page is kept (and the route lazily loads it) so that any bookmarked
+// /roles/new links continue to work — they redirect seamlessly to /roles.
 export function CreateRolePage() {
-  const navigate = useNavigate();
-  const queryClient = useQueryClient();
-
-  const {
-    register,
-    handleSubmit,
-    formState: { errors, isSubmitting },
-  } = useForm<FormValues>({
-    resolver: zodResolver(schema),
-    defaultValues: { name: "", description: "" },
-  });
-
-  const mutation = useMutation<RoleDto, Error, FormValues>({
-    mutationFn: (values) =>
-      upsertRole({
-        id: "",
-        name: values.name,
-        description: values.description?.trim() ? values.description : null,
-      }),
-    onSuccess: (result) => {
-      toast.success(`Role ${result.name} created`);
-      queryClient.invalidateQueries({ queryKey: ["roles"] });
-      navigate(`/roles/${result.id}`);
-    },
-    onError: (err) => {
-      const detail =
-        err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
-          : err.message;
-      toast.error("Create failed", { description: detail });
-    },
-  });
-
-  const onSubmit = handleSubmit((values) => mutation.mutate(values));
-  const submitting = isSubmitting || mutation.isPending;
-
-  return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Roles" }, { label: "New", muted: true }]}
-        trailing="Role · Draft"
-        title="New role"
-        description="Create a role, then grant it permissions on its detail page."
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/roles")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Registry
-          </Button>
-        }
-      />
-
-      <form onSubmit={onSubmit}>
-        <FormShell maxWidth="md">
-          <FormSection
-            title="Identity"
-            description={
-              <>
-                The role name is what shows up in user role assignments. Choose
-                something descriptive — &ldquo;Support agent&rdquo; reads better
-                than &ldquo;Tier-2&rdquo;.
-              </>
-            }
-          >
-            <Field id="name" label="Name" required error={errors.name?.message}>
-              <Input
-                id="name"
-                placeholder="Support agent"
-                autoComplete="off"
-                aria-invalid={errors.name ? true : undefined}
-                {...register("name")}
-              />
-            </Field>
-            <Field
-              id="description"
-              label="Description"
-              hint="Optional. Plain English explaining what this role is for."
-              error={errors.description?.message}
-            >
-              <Input
-                id="description"
-                placeholder="Inbound support · read-only on billing"
-                aria-invalid={errors.description ? true : undefined}
-                {...register("description")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormActions>
-            <Button type="submit" disabled={submitting}>
-              {submitting ? "Saving…" : "Create role"}
-            </Button>
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() => navigate("/roles")}
-              disabled={submitting}
-            >
-              Cancel
-            </Button>
-          </FormActions>
-        </FormShell>
-      </form>
-    </div>
-  );
+  return <Navigate to="/roles" replace />;
 }
diff --git a/clients/admin/src/pages/roles/detail.tsx b/clients/admin/src/pages/roles/detail.tsx
index c796e0c2fa..9879289f10 100644
--- a/clients/admin/src/pages/roles/detail.tsx
+++ b/clients/admin/src/pages/roles/detail.tsx
@@ -4,7 +4,7 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useForm } from "react-hook-form";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
-import { ArrowLeft, ShieldCheck, Trash2 } from "lucide-react";
+import { ArrowLeft, Lock, Shield, ShieldCheck, Trash2 } from "lucide-react";
 import { toast } from "sonner";
 import {
   deleteRole,
@@ -17,13 +17,11 @@ import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Badge } from "@/components/ui/badge";
 import {
-  PageHeader,
+  EntityPageHeader,
   ErrorBand,
   Field,
   LoadingRow,
-  FormShell,
-  FormSection,
-  FormActions,
+  SettingsSection,
 } from "@/components/list";
 import {
   PERMISSION_CATALOG,
@@ -55,38 +53,30 @@ export function RoleDetailPage() {
   const isSystem = role ? SYSTEM_ROLE_NAMES.has(role.name) : false;
 
   return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[
-          { label: "\\ Roles" },
-          { label: role?.name ?? "…", muted: true },
-        ]}
-        trailing={
-          role ? (
-            <span className="flex items-center gap-2">
-              {isSystem && (
-                <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
-                  system
-                </Badge>
-              )}
-              <span>
-                {(role.permissions?.length ?? 0).toString().padStart(2, "0")} grants
-              </span>
-            </span>
-          ) : (
-            "—"
-          )
-        }
+    <div className="space-y-6">
+      <EntityPageHeader
+        icon={Shield}
         title={role?.name ?? "Role"}
+        total={role ? (role.permissions?.length ?? 0) : null}
+        unit="grant"
         description={
           role?.description ?? "Inspect and edit this role's profile and permission grants."
         }
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/roles")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Registry
-          </Button>
-        }
-      />
+      >
+        {isSystem && (
+          <Badge variant="outline" className="font-mono text-[10px] uppercase tracking-[0.14em]">
+            <Lock className="mr-1 h-3 w-3" /> System
+          </Badge>
+        )}
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={() => navigate("/roles")}
+          className="h-9 gap-1.5 rounded-lg px-3 text-[13px]"
+        >
+          <ArrowLeft className="size-3.5" /> Registry
+        </Button>
+      </EntityPageHeader>
 
       {query.isError && (
         <ErrorBand
@@ -100,10 +90,35 @@ export function RoleDetailPage() {
 
       {query.isLoading && <LoadingRow label="Loading role" />}
 
+      {isSystem && role && (
+        <div
+          role="status"
+          aria-live="polite"
+          className="flex items-start gap-3 rounded-xl border border-[var(--color-border)] bg-[var(--color-muted)] px-4 py-3"
+        >
+          <span
+            aria-hidden
+            className="grid h-7 w-7 shrink-0 place-items-center rounded-md bg-[var(--color-muted)] text-[var(--color-muted-foreground)]"
+          >
+            <Lock className="h-3.5 w-3.5" />
+          </span>
+          <div className="min-w-0 text-sm leading-relaxed">
+            <p className="font-medium text-[var(--color-foreground)]">
+              Built-in role — read only
+            </p>
+            <p className="mt-0.5 text-[12.5px] text-[var(--color-muted-foreground)]">
+              <span className="font-mono font-medium">{role.name}</span> ships with the framework.
+              Its name, description, and permissions are managed centrally. Create a custom role if
+              you need a different set of grants.
+            </p>
+          </div>
+        </div>
+      )}
+
       {role && (
         <>
           <ProfileSection role={role} disabled={isSystem} />
-          <PermissionEditor role={role} disabled={false /* allow editing on all roles */} />
+          <PermissionEditor role={role} disabled={false} />
           {!isSystem && (
             <DangerZone
               role={role}
@@ -166,20 +181,36 @@ function ProfileSection({ role, disabled }: { role: RoleDto; disabled: boolean }
 
   return (
     <form onSubmit={handleSubmit((v) => mutation.mutate(v))}>
-      <FormShell>
-        <FormSection
-          title="Profile"
-          description={
-            <>
-              Name and description shown to operators when assigning users to this role.
-              {disabled && (
-                <span className="mt-1 block text-[var(--color-warning)]">
-                  System roles cannot be renamed.
-                </span>
-              )}
-            </>
-          }
-        >
+      <SettingsSection
+        title="Profile"
+        icon={ShieldCheck}
+        description={
+          disabled
+            ? "Name and description — system roles cannot be renamed."
+            : "Name and description shown to operators when assigning users to this role."
+        }
+        footer={
+          <div className="flex items-center gap-2">
+            <Button
+              type="submit"
+              disabled={!isDirty || submitting || disabled}
+              className="h-9 rounded-lg px-4 text-[13px]"
+            >
+              {submitting ? "Saving…" : "Save profile"}
+            </Button>
+            <Button
+              type="button"
+              variant="outline"
+              onClick={() => reset()}
+              disabled={!isDirty || submitting}
+              className="h-9 rounded-lg px-4 text-[13px]"
+            >
+              Reset
+            </Button>
+          </div>
+        }
+      >
+        <div className="grid gap-4 md:grid-cols-2">
           <Field id="name" label="Name" required error={errors.name?.message}>
             <Input
               id="name"
@@ -195,22 +226,8 @@ function ProfileSection({ role, disabled }: { role: RoleDto; disabled: boolean }
               {...register("description")}
             />
           </Field>
-        </FormSection>
-
-        <FormActions>
-          <Button type="submit" disabled={!isDirty || submitting || disabled}>
-            {submitting ? "Saving…" : "Save profile"}
-          </Button>
-          <Button
-            type="button"
-            variant="outline"
-            onClick={() => reset()}
-            disabled={!isDirty || submitting}
-          >
-            Reset
-          </Button>
-        </FormActions>
-      </FormShell>
+        </div>
+      </SettingsSection>
     </form>
   );
 }
@@ -270,89 +287,148 @@ function PermissionEditor({ role, disabled }: { role: RoleDto; disabled: boolean
   };
 
   return (
-    <FormShell>
-      <FormSection
-        title="Permissions"
-        description={
-          <>
-            Pick what holders of this role can do. Root-only permissions are visually
-            marked — they take effect only on roles assigned in the root tenant.
-            <span className="mt-2 block font-mono text-[10.5px] uppercase tracking-[0.18em]">
-              {String(selected.size).padStart(2, "0")} of {String(total).padStart(2, "0")} granted
-            </span>
-          </>
-        }
-      >
-        <div className="space-y-6">
+    <SettingsSection
+      title="Permissions"
+      icon={ShieldCheck}
+      description={`Pick what holders of this role can do. Root-only permissions take effect only on roles assigned in the root tenant.`}
+      footer={
+        !disabled ? (
+          <div className="flex flex-wrap items-center justify-between gap-3">
+            <div className="text-[11.5px] font-medium text-[var(--color-muted-foreground)]">
+              {dirty ? (
+                <span className="inline-flex items-center gap-1.5 text-[var(--color-warning)]">
+                  <span className="inline-block h-1.5 w-1.5 rounded-full bg-[var(--color-warning)]" />
+                  Unsaved changes · {String(selected.size).padStart(2, "0")} of{" "}
+                  {String(total).padStart(2, "0")} granted
+                </span>
+              ) : (
+                <span>
+                  All changes saved · {String(selected.size).padStart(2, "0")} of{" "}
+                  {String(total).padStart(2, "0")} granted
+                </span>
+              )}
+            </div>
+            <div className="flex items-center gap-2">
+              <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                disabled={!dirty || mutation.isPending}
+                onClick={() => setSelected(new Set(initial))}
+                className="h-9 rounded-lg px-3 text-[13px]"
+              >
+                Discard
+              </Button>
+              <Button
+                type="button"
+                size="sm"
+                disabled={!dirty || mutation.isPending || disabled}
+                onClick={() => mutation.mutate()}
+                className="h-9 rounded-lg px-3 text-[13px]"
+              >
+                <ShieldCheck className="mr-1 h-3.5 w-3.5" />
+                {mutation.isPending ? "Saving…" : "Save permissions"}
+              </Button>
+            </div>
+          </div>
+        ) : undefined
+      }
+    >
+      <div className="space-y-4">
         {PERMISSION_CATALOG.map((group) => {
           const groupCount = group.entries.filter((e) => selected.has(e.name)).length;
           const allOn = groupCount === group.entries.length;
           const someOn = groupCount > 0 && groupCount < group.entries.length;
           return (
-            <div key={group.category} className="card-shell px-5 py-4">
-              <div className="flex flex-wrap items-baseline justify-between gap-3 border-b border-[var(--color-border)] pb-3">
+            <div
+              key={group.category}
+              className="overflow-hidden rounded-lg border border-[var(--color-border)] bg-[var(--color-card)]"
+            >
+              <div className="flex flex-wrap items-baseline justify-between gap-3 border-b border-[var(--color-border)] bg-[var(--color-muted)]/40 px-4 py-3">
                 <div className="min-w-0">
                   <div className="flex items-baseline gap-3">
-                    <h3 className="font-display text-lg font-medium tracking-tight">
+                    <h3 className="text-[13px] font-semibold tracking-tight text-[var(--color-foreground)]">
                       {group.category}
                     </h3>
-                    <span className="font-mono text-[10.5px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
+                    <span className="font-mono text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
                       {String(groupCount).padStart(2, "0")} / {String(group.entries.length).padStart(2, "0")}
                     </span>
                   </div>
-                  <p className="mt-0.5 text-xs text-[var(--color-muted-foreground)]">
+                  <p className="mt-0.5 text-[11.5px] text-[var(--color-muted-foreground)]">
                     {group.blurb}
                   </p>
                 </div>
-                <Button
+                <button
                   type="button"
-                  variant="ghost"
-                  size="sm"
                   disabled={disabled}
                   onClick={() => toggleGroup(group, !allOn)}
-                  className="text-xs"
+                  className={cn(
+                    "cursor-pointer rounded-full px-2.5 py-0.5 text-[10.5px] font-medium uppercase tracking-wider",
+                    "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+                    "transition-colors",
+                    disabled && "cursor-not-allowed opacity-40 hover:bg-transparent hover:text-[var(--color-muted-foreground)]",
+                  )}
                 >
                   {allOn ? "Clear all" : someOn ? "Select remaining" : "Select all"}
-                </Button>
+                </button>
               </div>
 
-              <ul className="grid grid-cols-1 gap-0 sm:grid-cols-2 sm:gap-x-6">
+              <ul className="grid grid-cols-1 divide-y divide-[var(--color-border)] sm:grid-cols-2 sm:divide-y-0">
                 {group.entries.map((entry) => {
                   const checked = selected.has(entry.name);
                   return (
-                    <li key={entry.name} className="border-b border-dashed border-[var(--color-border)] py-2 last:border-0">
+                    <li
+                      key={entry.name}
+                      className="border-b border-[oklch(from_var(--color-border)_l_c_h_/_0.5)] last:border-b-0"
+                    >
                       <label
                         className={cn(
-                          "flex cursor-pointer items-start gap-3 rounded-md px-1.5 py-1.5 transition-colors",
+                          "flex cursor-pointer items-start gap-3 px-4 py-3 text-[12.5px] transition-colors",
                           disabled && "cursor-not-allowed opacity-60",
-                          !disabled && "hover:bg-[var(--color-muted)]/60",
+                          !disabled && checked && "bg-[oklch(from_var(--color-primary)_l_c_h_/_0.04)] hover:bg-[oklch(from_var(--color-primary)_l_c_h_/_0.07)]",
+                          !disabled && !checked && "hover:bg-[var(--color-accent)]",
                         )}
                       >
+                        {/* Custom checkbox */}
+                        <span
+                          aria-hidden
+                          className={cn(
+                            "mt-0.5 grid size-4 shrink-0 place-items-center rounded border transition-all",
+                            checked
+                              ? "border-[var(--color-primary)] bg-[var(--color-primary)] text-[var(--color-primary-foreground)]"
+                              : "border-[var(--color-input)] bg-transparent",
+                          )}
+                        >
+                          {checked && (
+                            <svg width="10" height="10" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="3" strokeLinecap="round" strokeLinejoin="round" aria-hidden><polyline points="20 6 9 17 4 12"/></svg>
+                          )}
+                        </span>
                         <input
                           type="checkbox"
                           checked={checked}
                           disabled={disabled}
                           onChange={() => toggle(entry.name)}
-                          className="mt-1 h-4 w-4 cursor-pointer accent-[var(--color-accent-signal)]"
+                          className="sr-only"
                         />
                         <div className="min-w-0 flex-1">
-                          <div className="flex flex-wrap items-baseline gap-2">
-                            <span className="text-sm font-medium">{entry.description}</span>
+                          <div className="flex flex-wrap items-baseline gap-1.5">
+                            <span
+                              className={cn(
+                                "text-[13px] font-medium",
+                                checked ? "text-[var(--color-foreground)]" : "text-[var(--color-muted-foreground)]",
+                              )}
+                            >
+                              {entry.description}
+                            </span>
                             {entry.root && (
-                              <Badge
-                                variant="warning"
-                                className="font-mono uppercase tracking-[0.14em]"
-                              >
+                              <span className="rounded-full bg-[oklch(from_var(--color-warning)_l_c_h_/_0.16)] px-1.5 py-0.5 text-[9px] font-semibold uppercase tracking-[0.12em] text-[var(--color-warning)]">
                                 root
-                              </Badge>
+                              </span>
                             )}
                             {entry.basic && (
-                              <Badge
-                                variant="muted"
-                                className="font-mono uppercase tracking-[0.14em]"
-                              >
+                              <span className="rounded-full bg-[oklch(from_var(--color-info)_l_c_h_/_0.16)] px-1.5 py-0.5 text-[9px] font-semibold uppercase tracking-[0.12em] text-[var(--color-info)]">
                                 basic
-                              </Badge>
+                              </span>
                             )}
                           </div>
                           <div className="mt-0.5 truncate font-mono text-[10.5px] text-[var(--color-muted-foreground)]">
@@ -367,40 +443,8 @@ function PermissionEditor({ role, disabled }: { role: RoleDto; disabled: boolean
             </div>
           );
         })}
-
-          <div className="sticky bottom-4 z-10 flex items-center justify-between gap-3 rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] px-4 py-3 shadow-[var(--shadow-card)]">
-            <div className="meta text-[var(--color-muted-foreground)]">
-              {dirty ? (
-                <span className="text-[var(--color-warning)]">unsaved changes</span>
-              ) : (
-                "all changes saved"
-              )}
-            </div>
-            <div className="flex items-center gap-2">
-              <Button
-                type="button"
-                variant="outline"
-                size="sm"
-                disabled={!dirty || mutation.isPending}
-                onClick={() => setSelected(new Set(initial))}
-              >
-                Discard
-              </Button>
-              <Button
-                type="button"
-                variant="signal"
-                size="sm"
-                disabled={!dirty || mutation.isPending || disabled}
-                onClick={() => mutation.mutate()}
-              >
-                <ShieldCheck className="mr-1 h-3.5 w-3.5" />
-                {mutation.isPending ? "Saving…" : "Save permissions"}
-              </Button>
-            </div>
-          </div>
-        </div>
-      </FormSection>
-    </FormShell>
+      </div>
+    </SettingsSection>
   );
 }
 
@@ -427,37 +471,36 @@ function DangerZone({ role, onDeleted }: { role: RoleDto; onDeleted: () => void
   const ready = confirm.trim() === role.name;
 
   return (
-    <FormShell>
-      <FormSection
-        title="Danger zone"
-        tone="danger"
-        description="Delete this role. Users assigned to it will lose every permission this role grants — this is not reversible."
-      >
-        <div className="space-y-4 rounded-md border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.04)] p-5">
-          <div>
-            <p className="text-sm font-medium">
-              Type <code className="code-chip">{role.name}</code> to confirm deletion.
-            </p>
-            <Input
-              value={confirm}
-              onChange={(e) => setConfirm(e.target.value)}
-              placeholder={role.name}
-              className="mt-2 max-w-sm"
-              autoComplete="off"
-            />
-          </div>
-          <Button
-            type="button"
-            variant="destructive"
-            disabled={!ready || mutation.isPending}
-            onClick={() => mutation.mutate()}
-          >
-            <Trash2 className="mr-1.5 h-3.5 w-3.5" />
-            {mutation.isPending ? "Deleting…" : "Delete role"}
-          </Button>
+    <SettingsSection
+      title="Danger zone"
+      icon={Trash2}
+      description="Delete this role. Users assigned to it will lose every permission this role grants — this is not reversible."
+    >
+      <div className="space-y-4 rounded-lg border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.04)] p-5">
+        <div>
+          <p className="text-[13px] font-medium text-[var(--color-foreground)]">
+            Type <code className="rounded bg-[var(--color-muted)] px-1 py-0.5 font-mono text-[12px]">{role.name}</code> to confirm deletion.
+          </p>
+          <Input
+            value={confirm}
+            onChange={(e) => setConfirm(e.target.value)}
+            placeholder={role.name}
+            className="mt-2 max-w-sm"
+            autoComplete="off"
+          />
         </div>
-      </FormSection>
-    </FormShell>
+        <Button
+          type="button"
+          variant="destructive"
+          disabled={!ready || mutation.isPending}
+          onClick={() => mutation.mutate()}
+          className="h-9 rounded-lg px-4 text-[13px]"
+        >
+          <Trash2 className="mr-1.5 h-3.5 w-3.5" />
+          {mutation.isPending ? "Deleting…" : "Delete role"}
+        </Button>
+      </div>
+    </SettingsSection>
   );
 }
 
diff --git a/clients/admin/src/pages/roles/list.tsx b/clients/admin/src/pages/roles/list.tsx
index 60194512f8..0581be88a8 100644
--- a/clients/admin/src/pages/roles/list.tsx
+++ b/clients/admin/src/pages/roles/list.tsx
@@ -1,18 +1,32 @@
-import { useMemo } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { useNavigate } from "react-router-dom";
 import { useQuery } from "@tanstack/react-query";
-import { Plus, ShieldCheck, ChevronRight } from "lucide-react";
+import { ChevronRight, Plus, Shield, ShieldCheck } from "lucide-react";
 import { listRoles, type RoleDto } from "@/api/roles";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
-import { PageHeader, ErrorBand, LoadingRow } from "@/components/list";
+import { EntityPageHeader, ErrorBand, LoadingRow } from "@/components/list";
 import { EmptyState } from "@/components/empty-state";
 import { ApiRequestError } from "@/lib/api-client";
+import { CreateRoleDialog } from "@/components/roles/create-role-dialog";
 
 const ROOT_ROLE_NAMES = new Set(["Admin", "Basic"]);
 
+// Desktop grid template — shared by header + rows.
+const DESKTOP_COLS =
+  "grid-cols-[1fr_120px_24px] lg:grid-cols-[1.4fr_2fr_120px_24px]";
+
 export function RolesListPage() {
   const navigate = useNavigate();
+  const [search, setSearch] = useState("");
+  const [debounced, setDebounced] = useState("");
+  const [createOpen, setCreateOpen] = useState(false);
+
+  useEffect(() => {
+    const t = setTimeout(() => setDebounced(search.trim().toLowerCase()), 200);
+    return () => clearTimeout(t);
+  }, [search]);
+
   const query = useQuery({ queryKey: ["roles"], queryFn: listRoles });
 
   const roles = useMemo(() => {
@@ -26,19 +40,49 @@ export function RolesListPage() {
     });
   }, [query.data]);
 
+  const filtered = useMemo(() => {
+    if (!debounced) return roles;
+    return roles.filter(
+      (r) =>
+        r.name.toLowerCase().includes(debounced) ||
+        (r.description ?? "").toLowerCase().includes(debounced),
+    );
+  }, [roles, debounced]);
+
+  const searchActive = debounced.length > 0;
+
   return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Roles" }, { label: "Registry", muted: true }]}
-        trailing={roles.length ? `${String(roles.length).padStart(2, "0")} roles` : "—"}
+    <div className="space-y-4 sm:space-y-6">
+      <EntityPageHeader
+        icon={Shield}
         title="Roles"
+        total={query.data ? roles.length : null}
+        unit="role"
         description="Define what people can do. Each role bundles a set of permissions; users inherit a role's permissions by being assigned to it."
-        actions={
-          <Button onClick={() => navigate("/roles/new")}>
-            <Plus className="mr-1 h-4 w-4" /> New role
-          </Button>
-        }
-      />
+      >
+        <Button
+          onClick={() => setCreateOpen(true)}
+          className="h-9 flex-1 gap-1.5 rounded-lg px-4 text-[13px] font-semibold sm:flex-none"
+        >
+          <Plus className="size-4" />
+          New role
+        </Button>
+      </EntityPageHeader>
+
+      {/* Search */}
+      <div className="relative w-full max-w-sm">
+        <span className="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-muted-foreground)]">
+          <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden><circle cx="11" cy="11" r="8"/><path d="m21 21-4.35-4.35"/></svg>
+        </span>
+        <input
+          type="search"
+          value={search}
+          onChange={(e) => setSearch(e.target.value)}
+          placeholder="Search by name or description…"
+          aria-label="Search roles"
+          className="h-9 w-full rounded-md border border-[var(--color-input)] bg-transparent pl-9 pr-3 text-[13px] outline-none transition-colors placeholder:text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)] focus-visible:border-[var(--color-ring)] focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]"
+        />
+      </div>
 
       {query.isError && (
         <ErrorBand
@@ -50,88 +94,216 @@ export function RolesListPage() {
         />
       )}
 
-      <div className="border-t border-[var(--color-border)]">
-        {query.isLoading && <LoadingRow label="Loading roles" />}
+      {query.isLoading && <LoadingRow label="Loading roles" />}
 
-        {!query.isLoading && roles.length === 0 && !query.isError && (
+      {!query.isLoading && filtered.length === 0 && !query.isError && (
+        searchActive ? (
+          <div className="py-16 text-center">
+            <p className="font-display text-2xl">No roles found.</p>
+            <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
+              Nothing matches &ldquo;{debounced}&rdquo;. Try a different term.
+            </p>
+            <Button
+              variant="outline"
+              className="mt-4 h-9 rounded-lg px-4 text-[13px]"
+              onClick={() => setSearch("")}
+            >
+              Clear search
+            </Button>
+          </div>
+        ) : (
           <EmptyState
             icon={ShieldCheck}
             kicker="// no roles"
             title="No roles defined yet."
             description="Create your first role to start bundling permissions."
             action={
-              <Button onClick={() => navigate("/roles/new")}>
-                <Plus className="mr-1 h-4 w-4" /> New role
+              <Button onClick={() => setCreateOpen(true)} className="h-9 rounded-lg px-4 text-[13px]">
+                <Plus className="mr-1.5 h-4 w-4" /> New role
               </Button>
             }
           />
-        )}
+        )
+      )}
+
+      {filtered.length > 0 && (
+        <div>
+          <p className="mb-3 text-[12px] font-medium text-[var(--color-muted-foreground)]">
+            {filtered.length} role{filtered.length !== 1 ? "s" : ""} found
+          </p>
 
-        {roles.length > 0 && (
-          <ol className="divide-y divide-[var(--color-border)]">
-            {roles.map((role, i) => (
-              <RoleRow
+          {/* Mobile card list */}
+          <div className="space-y-2 md:hidden">
+            {filtered.map((role) => (
+              <RoleMobileCard
                 key={role.id}
-                index={i + 1}
                 role={role}
                 onClick={() => navigate(`/roles/${role.id}`)}
               />
             ))}
-          </ol>
-        )}
-      </div>
+          </div>
+
+          {/* Desktop table */}
+          <div className="hidden overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] shadow-xs md:block">
+            {/* Table header */}
+            <div
+              className={`grid items-center gap-3 border-b border-[var(--color-border)] bg-[var(--color-muted)]/40 px-4 py-2.5 ${DESKTOP_COLS}`}
+            >
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Name
+              </span>
+              <span className="hidden text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)] lg:block">
+                Description
+              </span>
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Permissions
+              </span>
+              <span />
+            </div>
+
+            <ol className="divide-y divide-[var(--color-border)]">
+              {filtered.map((role, i) => (
+                <RoleDesktopRow
+                  key={role.id}
+                  role={role}
+                  isLast={i === filtered.length - 1}
+                  onClick={() => navigate(`/roles/${role.id}`)}
+                />
+              ))}
+            </ol>
+          </div>
+        </div>
+      )}
+
+      <CreateRoleDialog open={createOpen} onOpenChange={setCreateOpen} />
     </div>
   );
 }
 
-function RoleRow({
+// ─── Mobile card ────────────────────────────────────────────────────────
+
+function RoleMobileCard({
   role,
-  index,
   onClick,
 }: {
   role: RoleDto;
-  index: number;
   onClick: () => void;
 }) {
-  const num = String(index).padStart(2, "0");
   const isSystem = ROOT_ROLE_NAMES.has(role.name);
   return (
-    <li>
+    <li className="list-none">
       <button
         type="button"
         onClick={onClick}
-        className="group grid w-full grid-cols-[3rem_auto_1fr_auto] items-center gap-4 px-1 py-4 text-left transition-colors hover:bg-[var(--color-muted)]/50 focus:outline-none focus-visible:bg-[var(--color-muted)]/50"
+        aria-label={`Open role ${role.name}`}
+        className="group w-full overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] p-4 text-left shadow-xs transition-colors hover:border-[var(--color-border-strong)] hover:bg-[var(--color-accent)] focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]"
       >
-        <span className="font-mono text-xs tabular-nums text-[var(--color-muted-foreground)]">
-          #{num}
-        </span>
-
-        <span className="grid h-9 w-9 place-items-center rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] text-[var(--color-muted-foreground)]">
-          <ShieldCheck className="h-4 w-4" />
-        </span>
-
-        <div className="min-w-0">
-          <div className="flex flex-wrap items-baseline gap-2">
-            <span className="truncate font-display text-lg font-medium tracking-tight">
-              {role.name}
+        <div className="flex items-center justify-between">
+          <div className="flex min-w-0 items-center gap-3">
+            <span
+              aria-hidden
+              className="grid size-10 shrink-0 place-items-center rounded-lg"
+              style={{
+                backgroundColor: "oklch(from var(--color-primary) l c h / 0.10)",
+                boxShadow: "inset 0 0 0 1px oklch(from var(--color-primary) l c h / 0.22)",
+                color: "var(--color-primary)",
+              }}
+            >
+              <Shield className="size-4" />
             </span>
-            {isSystem && (
-              <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
-                system
-              </Badge>
-            )}
-          </div>
-          {role.description && (
-            <div className="mt-0.5 truncate text-xs text-[var(--color-muted-foreground)]">
-              {role.description}
+            <div className="min-w-0">
+              <div className="flex items-center gap-1.5">
+                <p className="truncate text-[14px] font-medium text-[var(--color-foreground)]">
+                  {role.name}
+                </p>
+                {isSystem && (
+                  <Badge variant="outline" className="font-mono text-[10px] uppercase tracking-[0.14em]">
+                    System
+                  </Badge>
+                )}
+              </div>
+              <p className="mt-0.5 truncate text-[11px] text-[var(--color-muted-foreground)]">
+                {role.description ?? <span className="italic opacity-60">No description on file.</span>}
+              </p>
             </div>
-          )}
-          <div className="mt-1 font-mono text-[10.5px] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-            id · <code className="code-chip ml-1">{role.id}</code>
           </div>
+          <ChevronRight className="size-4 shrink-0 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
+        {role.permissions != null && (
+          <div className="mt-2 ml-[52px]">
+            <span className="inline-flex items-center rounded-full bg-[oklch(from_var(--color-info)_l_c_h_/_0.12)] px-2 py-0.5 text-[10.5px] font-medium text-[var(--color-info)]">
+              {role.permissions.length}{" "}
+              {role.permissions.length === 1 ? "permission" : "permissions"}
+            </span>
+          </div>
+        )}
+      </button>
+    </li>
+  );
+}
+
+// ─── Desktop row ────────────────────────────────────────────────────────
+
+function RoleDesktopRow({
+  role,
+  isLast,
+  onClick,
+}: {
+  role: RoleDto;
+  isLast: boolean;
+  onClick: () => void;
+}) {
+  const isSystem = ROOT_ROLE_NAMES.has(role.name);
+  const permLabel =
+    role.permissions === undefined || role.permissions === null
+      ? "—"
+      : `${role.permissions.length} ${role.permissions.length === 1 ? "permission" : "permissions"}`;
+
+  return (
+    <li className="list-none">
+      <button
+        type="button"
+        onClick={onClick}
+        className={`group grid w-full items-center gap-3 px-4 py-3.5 text-left transition-colors hover:bg-[var(--color-accent)] focus-visible:outline-none focus-visible:bg-[var(--color-accent)] ${DESKTOP_COLS} ${isLast ? "" : ""}`}
+      >
+        {/* Name */}
+        <div className="flex min-w-0 items-center gap-3">
+          <span
+            aria-hidden
+            className="grid size-9 shrink-0 place-items-center rounded-lg"
+            style={{
+              backgroundColor: "oklch(from var(--color-primary) l c h / 0.10)",
+              boxShadow: "inset 0 0 0 1px oklch(from var(--color-primary) l c h / 0.22)",
+              color: "var(--color-primary)",
+            }}
+          >
+            <Shield className="size-4" />
+          </span>
+          <span className="truncate text-[14px] font-medium text-[var(--color-foreground)] transition-colors group-hover:text-[var(--color-primary)]">
+            {role.name}
+          </span>
+          {isSystem && (
+            <Badge variant="outline" className="shrink-0 font-mono text-[10px] uppercase tracking-[0.14em]">
+              System
+            </Badge>
+          )}
+        </div>
+
+        {/* Description (lg+) */}
+        <div className="hidden lg:block">
+          <p className="truncate text-[12.5px] text-[var(--color-muted-foreground)]">
+            {role.description ?? <span className="italic opacity-60">No description on file.</span>}
+          </p>
         </div>
 
-        <ChevronRight className="h-4 w-4 text-[var(--color-muted-foreground)] transition-transform group-hover:translate-x-0.5" />
+        {/* Permission count */}
+        <span className="font-mono text-[12px] tabular-nums text-[var(--color-muted-foreground)]">
+          {permLabel}
+        </span>
+
+        <div className="flex items-center justify-end">
+          <ChevronRight className="size-4 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
       </button>
     </li>
   );
diff --git a/clients/admin/src/pages/settings/appearance.tsx b/clients/admin/src/pages/settings/appearance.tsx
index 50856f0bb3..5496869562 100644
--- a/clients/admin/src/pages/settings/appearance.tsx
+++ b/clients/admin/src/pages/settings/appearance.tsx
@@ -1,18 +1,33 @@
-import { Moon, Sun } from "lucide-react";
+import { Moon, Palette, Sun } from "lucide-react";
 import { useTheme } from "@/components/theme/theme-provider";
 import { Button } from "@/components/ui/button";
-import { FormSection, FormShell } from "@/components/list";
+import { SettingsSection } from "@/components/list";
 import { cn } from "@/lib/cn";
 
 type Mode = "light" | "dark";
 
-const MODES: { value: Mode; label: string; icon: typeof Sun; blurb: string }[] = [
-  { value: "light", label: "Light", icon: Sun, blurb: "Paper-white surfaces, magazine-print mood." },
-  { value: "dark", label: "Dark", icon: Moon, blurb: "Console-default. Lower glare for long sessions." },
+const MODES: {
+  value: Mode;
+  label: string;
+  icon: typeof Sun;
+  blurb: string;
+}[] = [
+  {
+    value: "light",
+    label: "Light",
+    icon: Sun,
+    blurb: "Paper-white surfaces, magazine-print mood.",
+  },
+  {
+    value: "dark",
+    label: "Dark",
+    icon: Moon,
+    blurb: "Console-default. Lower glare for long sessions.",
+  },
 ];
 
 /**
- * AppearanceSettings — theme picker. ThemeProvider only carries a binary
+ * AppearanceSettings — theme picker. ThemeProvider carries a binary
  * light/dark today; a future "Follow system" mode would extend the provider
  * to a tri-state. Persistence is handled by the provider; we just call setTheme.
  */
@@ -20,9 +35,11 @@ export function AppearanceSettings() {
   const { theme, setTheme } = useTheme();
 
   return (
-    <FormShell>
-      <FormSection
+    <div className="space-y-5 fsh-enter">
+      {/* Theme */}
+      <SettingsSection
         title="Theme"
+        icon={Palette}
         description="Console looks good in both modes — the editorial-terminal language is built around tone-neutral surfaces with a single chartreuse accent that reads identically on either."
       >
         <div className="grid grid-cols-1 gap-3 sm:grid-cols-2">
@@ -35,31 +52,58 @@ export function AppearanceSettings() {
                 onClick={() => setTheme(value)}
                 aria-pressed={active}
                 className={cn(
-                  "group/card flex flex-col items-start gap-2 rounded-md border px-4 py-3 text-left transition-colors",
+                  "group/card relative overflow-hidden flex flex-col items-start gap-2 rounded-xl border p-4 text-left",
+                  "transition-colors duration-[var(--duration-default)]",
+                  "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] focus-visible:ring-offset-2",
                   active
                     ? "border-[var(--color-accent-signal)] bg-[oklch(from_var(--color-accent-signal)_l_c_h_/_0.08)]"
-                    : "border-[var(--color-border)] hover:bg-[var(--color-muted)]/60",
+                    : "border-[var(--color-border)] bg-[var(--color-card)] hover:bg-[var(--color-muted)]",
                 )}
               >
-                <span className="grid h-8 w-8 place-items-center rounded-md bg-[var(--color-surface-2)] text-[var(--color-foreground)]">
-                  <Icon className="h-4 w-4" />
+                <div className="flex w-full items-center justify-between">
+                  <span
+                    className={cn(
+                      "grid h-8 w-8 place-items-center rounded-md",
+                      active
+                        ? "bg-[oklch(from_var(--color-accent-signal)_l_c_h_/_0.12)] text-[var(--color-accent-signal)]"
+                        : "bg-[var(--color-muted)] text-[var(--color-muted-foreground)]",
+                    )}
+                  >
+                    <Icon className="h-4 w-4" />
+                  </span>
+                  {active && (
+                    <span className="text-[10px] font-semibold uppercase tracking-wider text-[var(--color-accent-signal)]">
+                      Active
+                    </span>
+                  )}
+                </div>
+                <span
+                  className={cn(
+                    "text-sm font-semibold tracking-tight",
+                    active && "text-[var(--color-accent-signal)]",
+                  )}
+                >
+                  {label}
+                </span>
+                <span className="text-xs leading-relaxed text-[var(--color-muted-foreground)]">
+                  {blurb}
                 </span>
-                <span className="text-sm font-medium">{label}</span>
-                <span className="text-xs text-[var(--color-muted-foreground)]">{blurb}</span>
               </button>
             );
           })}
         </div>
-      </FormSection>
+      </SettingsSection>
 
-      <FormSection
+      {/* Density — placeholder for a future compact toggle */}
+      <SettingsSection
         title="Density"
-        description="Coming soon — admin will get a compact-rows toggle for dense tables, similar to the dashboard's density-toggle."
+        icon={Palette}
+        description="Compact mode will reduce card padding and row height for data-dense screens — similar to the dashboard's density toggle."
       >
         <Button variant="outline" size="sm" disabled>
           Compact rows · coming soon
         </Button>
-      </FormSection>
-    </FormShell>
+      </SettingsSection>
+    </div>
   );
 }
diff --git a/clients/admin/src/pages/settings/layout.tsx b/clients/admin/src/pages/settings/layout.tsx
index fba40547b7..5d58e8a01b 100644
--- a/clients/admin/src/pages/settings/layout.tsx
+++ b/clients/admin/src/pages/settings/layout.tsx
@@ -1,64 +1,206 @@
-import { NavLink, Outlet } from "react-router-dom";
-import { MonitorSmartphone, Palette, ShieldCheck, UserRound } from "lucide-react";
-import { PageHeader } from "@/components/list";
+import { NavLink, Outlet, useLocation } from "react-router-dom";
+import {
+  ChevronRight,
+  MonitorSmartphone,
+  Palette,
+  Settings,
+  ShieldCheck,
+  UserRound,
+} from "lucide-react";
+import type { LucideIcon } from "lucide-react";
+import { EntityPageHeader } from "@/components/list";
 import { cn } from "@/lib/cn";
 
 type Tab = {
   to: string;
   label: string;
-  icon: React.ComponentType<{ className?: string }>;
+  hint: string;
+  icon: LucideIcon;
 };
 
 const TABS: Tab[] = [
-  { to: "/settings/profile", label: "Profile", icon: UserRound },
-  { to: "/settings/security", label: "Security", icon: ShieldCheck },
-  { to: "/settings/sessions", label: "Sessions", icon: MonitorSmartphone },
-  { to: "/settings/appearance", label: "Appearance", icon: Palette },
+  {
+    to: "/settings/profile",
+    label: "Profile",
+    hint: "Your identity and avatar",
+    icon: UserRound,
+  },
+  {
+    to: "/settings/security",
+    label: "Security",
+    hint: "Password and two-factor auth",
+    icon: ShieldCheck,
+  },
+  {
+    to: "/settings/sessions",
+    label: "Sessions",
+    hint: "Active devices and sign-outs",
+    icon: MonitorSmartphone,
+  },
+  {
+    to: "/settings/appearance",
+    label: "Appearance",
+    hint: "Theme and visual preferences",
+    icon: Palette,
+  },
 ];
 
+const pad2 = (n: number) => n.toString().padStart(2, "0");
+
 /**
- * SettingsLayout — header + pill tab nav + outlet for the active tab.
- * Mirrors dashboard's settings shell but in Console aesthetic: mono-caps
- * labels in the active pill, hairline borders, no brand-soft fills.
+ * SettingsLayout — editorial numbered left-nav + content parity with the
+ * dashboard settings shell. Desktop: `lg:grid-cols-[260px_1fr]` with a
+ * sticky vertical "Sections" rail; active item shows a primary brand bar on
+ * the left edge. Mobile: horizontal pill tabs (overflow-x scroll). Masthead
+ * resolves to "Settings · {active section}" so the active context is always
+ * visible at page level. Child routes render via <Outlet />.
  */
 export function SettingsLayout() {
+  const location = useLocation();
+  const activeIndex = Math.max(
+    0,
+    TABS.findIndex((t) => location.pathname.startsWith(t.to)),
+  );
+  const active = TABS[activeIndex] ?? TABS[0]!;
+
   return (
-    <div className="space-y-7">
-      <PageHeader
-        crumbs={[{ label: "\\ Settings" }, { label: "Account", muted: true }]}
-        title="Settings"
-        description="Manage your profile, credentials, sessions, and appearance preferences."
+    <div className="space-y-6">
+      {/* Page header — resolves to "Settings · {active section}" so the
+          active context is visible without stacking a second header. */}
+      <EntityPageHeader
+        icon={Settings}
+        title={
+          <span className="flex flex-wrap items-baseline gap-x-2.5 gap-y-1">
+            <span>Settings</span>
+            <span
+              aria-hidden
+              className="text-[oklch(from_var(--color-border-strong)_l_c_h_/_0.7)]"
+            >
+              ·
+            </span>
+            <span className="font-display text-[20px] font-semibold tracking-tight text-[var(--color-foreground)]">
+              {active.label}
+            </span>
+          </span>
+        }
+        description={active.hint}
       />
 
-      <nav
-        aria-label="Settings sections"
-        className="-mx-1 flex flex-wrap items-center gap-1 border-b border-[var(--color-border)] pb-0 fsh-enter fsh-enter-2"
-      >
-        {TABS.map(({ to, label, icon: Icon }) => (
-          <NavLink
-            key={to}
-            to={to}
-            end
-            className={({ isActive }) =>
-              cn(
-                "relative inline-flex h-10 items-center gap-1.5 px-3.5 text-sm font-medium",
-                "transition-colors duration-[var(--duration-fast)]",
-                "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] focus-visible:ring-offset-2",
-                isActive
-                  ? "text-[var(--color-foreground)] after:absolute after:inset-x-2 after:-bottom-px after:h-[2px] after:bg-[var(--color-accent-signal)]"
-                  : "text-[var(--color-muted-foreground)] hover:text-[var(--color-foreground)]",
-              )
-            }
-          >
-            <Icon className="h-3.5 w-3.5" aria-hidden />
-            {label}
-          </NavLink>
-        ))}
-      </nav>
+      <div className="grid grid-cols-1 gap-6 lg:grid-cols-[260px_1fr] lg:gap-10">
+        {/* ─── Editorial left nav ─── */}
+        <nav aria-label="Settings sections">
+          {/* Desktop: sticky vertical numbered list */}
+          <div className="sticky top-6 hidden lg:block">
+            <p className="mb-4 pl-5 text-[10px] font-semibold uppercase tracking-[0.18em] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)]">
+              Sections
+            </p>
+            <ul className="relative space-y-px">
+              {/* Faint vertical rail tying the numbers together */}
+              <div
+                aria-hidden
+                className="absolute bottom-1 left-[14px] top-1 w-px bg-[oklch(from_var(--color-border)_l_c_h_/_0.6)]"
+              />
+              {TABS.map((t, i) => {
+                const num = pad2(i + 1);
+                return (
+                  <li key={t.to}>
+                    <NavLink
+                      to={t.to}
+                      end
+                      className={({ isActive }) =>
+                        cn(
+                          "group relative flex w-full cursor-pointer items-start gap-3 rounded-lg py-3 pl-5 pr-3 text-left transition-all",
+                          isActive
+                            ? "bg-[var(--color-card)] shadow-xs"
+                            : "hover:bg-[oklch(from_var(--color-muted)_l_c_h_/_0.4)]",
+                        )
+                      }
+                    >
+                      {({ isActive }) => (
+                        <>
+                          {isActive && (
+                            <span
+                              aria-hidden
+                              className="absolute left-0 top-1/2 h-7 w-[3px] -translate-y-1/2 rounded-full bg-[var(--color-primary)]"
+                            />
+                          )}
+                          <span
+                            className={cn(
+                              "z-10 mt-0.5 bg-[var(--color-background)] px-1 font-display text-[11px] font-semibold leading-5 tabular-nums transition-colors",
+                              isActive
+                                ? "text-[var(--color-primary)]"
+                                : "text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]",
+                            )}
+                          >
+                            {num}
+                          </span>
+                          <span className="min-w-0 flex-1">
+                            <span
+                              className={cn(
+                                "block text-[13px] font-semibold transition-colors",
+                                isActive
+                                  ? "text-[var(--color-foreground)]"
+                                  : "text-[var(--color-muted-foreground)] group-hover:text-[var(--color-foreground)]",
+                              )}
+                            >
+                              {t.label}
+                            </span>
+                            <span className="mt-0.5 block truncate text-[11px] text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.6)]">
+                              {t.hint}
+                            </span>
+                          </span>
+                          <ChevronRight
+                            aria-hidden
+                            className={cn(
+                              "mt-1 size-3.5 shrink-0 transition-all",
+                              isActive
+                                ? "translate-x-0.5 text-[var(--color-primary)]"
+                                : "text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.3)] group-hover:text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.5)]",
+                            )}
+                          />
+                        </>
+                      )}
+                    </NavLink>
+                  </li>
+                );
+              })}
+            </ul>
+          </div>
+
+          {/* Mobile: horizontal pill tabs (overflow scroll) */}
+          <div className="-mx-2 overflow-x-auto pb-1 lg:hidden">
+            <div className="flex gap-1 px-2">
+              {TABS.map(({ to, label, icon: Icon }) => (
+                <NavLink
+                  key={to}
+                  to={to}
+                  end
+                  className={({ isActive }) =>
+                    cn(
+                      "inline-flex h-9 shrink-0 items-center gap-1.5 rounded-full px-3.5 text-[12px] font-medium",
+                      "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+                      "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)] focus-visible:ring-offset-2",
+                      isActive
+                        ? "bg-[var(--color-primary-soft)] text-[var(--color-primary)]"
+                        : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+                    )
+                  }
+                >
+                  <Icon className="size-3.5" aria-hidden />
+                  {label}
+                </NavLink>
+              ))}
+            </div>
+          </div>
+        </nav>
 
-      <section>
-        <Outlet />
-      </section>
+        {/* ─── Tab content ─── */}
+        <div className="min-w-0">
+          <div className="space-y-5">
+            <Outlet />
+          </div>
+        </div>
+      </div>
     </div>
   );
 }
diff --git a/clients/admin/src/pages/settings/profile.tsx b/clients/admin/src/pages/settings/profile.tsx
index b327de88bf..dbfc2fc656 100644
--- a/clients/admin/src/pages/settings/profile.tsx
+++ b/clients/admin/src/pages/settings/profile.tsx
@@ -1,39 +1,49 @@
-import { useEffect, useRef, useState } from "react";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { Loader2, Trash2, Upload } from "lucide-react";
+import { Fingerprint, ShieldCheck, UserRound } from "lucide-react";
 import { toast } from "sonner";
 import { getMyProfile, setProfileImage } from "@/api/users";
-import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Badge } from "@/components/ui/badge";
-import {
-  ErrorBand,
-  Field,
-  FormShell,
-  FormSection,
-  LoadingRow,
-} from "@/components/list";
-import { Monogram } from "@/components/monogram";
+import { ErrorBand, LoadingRow, SettingsSection, SettingsField } from "@/components/list";
+import { ImageInput } from "@/components/file/image-input";
 import { ApiRequestError } from "@/lib/api-client";
 
 /**
  * ProfileSettings — read-only view of identity fields (server doesn't expose
- * an /update-me endpoint for these yet) plus avatar upload via the existing
- * /profile/image flow. Username, email, and name are intentionally not
- * editable from here — they require admin involvement, which is correct for
- * a multi-tenant operator console.
+ * an /update-me endpoint for these yet) plus avatar upload via the presigned
+ * ImageInput flow. Username, email, and name are intentionally not editable
+ * from here — they require admin involvement, which is correct for a
+ * multi-tenant operator console.
+ *
+ * Avatar fix: uses ImageInput + presigned upload (durable URL via Files module)
+ * instead of the old base64 data: URL approach that hit the 2048-char limit.
  */
 export function ProfileSettings() {
   const queryClient = useQueryClient();
   const profile = useQuery({ queryKey: ["identity", "profile"], queryFn: getMyProfile });
 
+  const imageMutation = useMutation({
+    mutationFn: (url: string | null) => setProfileImage(url),
+    onSuccess: () => {
+      toast.success("Profile image updated");
+      void queryClient.invalidateQueries({ queryKey: ["identity", "profile"] });
+    },
+    onError: (err: unknown) => {
+      const message =
+        err instanceof ApiRequestError
+          ? (err.problem?.detail ?? err.problem?.title ?? err.message)
+          : "Failed to update profile image";
+      toast.error(message);
+    },
+  });
+
   if (profile.isLoading) return <LoadingRow label="Loading profile" />;
   if (profile.isError) {
     return (
       <ErrorBand
         message={
           profile.error instanceof ApiRequestError
-            ? profile.error.problem?.detail ?? profile.error.message
+            ? (profile.error.problem?.detail ?? profile.error.message)
             : "Failed to load profile."
         }
       />
@@ -48,178 +58,98 @@ export function ProfileSettings() {
     "Account";
 
   return (
-    <FormShell>
-      <FormSection
+    <div className="space-y-5 fsh-enter">
+      {/* Avatar — presigned upload via ImageInput, no base64 data: URLs */}
+      <SettingsSection
         title="Avatar"
-        description="A square image, at least 96×96. PNG or JPG, under 2 MB."
+        icon={UserRound}
+        description="Shown in the topbar and on your activity. Square crops work best — JPG, PNG, or WebP."
       >
-        <AvatarEditor
-          name={displayName}
-          userId={user.id ?? "x"}
-          imageUrl={user.imageUrl ?? null}
-          onUpdated={() => queryClient.invalidateQueries({ queryKey: ["identity", "profile"] })}
+        <ImageInput
+          value={user.imageUrl ?? ""}
+          onChange={(next) => imageMutation.mutate(next.length > 0 ? next : null)}
+          ownerType="User"
+          ownerId={user.id ?? null}
+          shape="circle"
         />
-      </FormSection>
+      </SettingsSection>
 
-      <FormSection
+      {/* Identity — read-only; admin must update these server-side */}
+      <SettingsSection
         title="Identity"
+        icon={Fingerprint}
         description="Your account details. These are managed by an administrator — contact one if changes are needed."
       >
-        <Field id="profile-username" label="Username">
-          <Input id="profile-username" value={user.userName ?? ""} readOnly className="font-mono bg-[var(--color-surface-2)]" />
-        </Field>
-        <Field id="profile-display" label="Display name">
-          <Input id="profile-display" value={displayName} readOnly className="bg-[var(--color-surface-2)]" />
-        </Field>
-        <Field id="profile-email" label="Email" hint={user.emailConfirmed ? "Verified" : "Not yet verified"}>
-          <Input id="profile-email" value={user.email ?? ""} readOnly className="font-mono bg-[var(--color-surface-2)]" />
-        </Field>
-        <Field id="profile-phone" label="Phone">
-          <Input id="profile-phone" value={user.phoneNumber ?? "—"} readOnly className="font-mono bg-[var(--color-surface-2)]" />
-        </Field>
-        <div className="flex flex-wrap items-center gap-2 pt-1">
-          <Badge variant={user.isActive ? "success" : "muted"} className="font-mono uppercase tracking-[0.14em]">
+        <div className="grid gap-5 sm:grid-cols-2">
+          <SettingsField id="profile-username" label="Username">
+            <Input
+              id="profile-username"
+              value={user.userName ?? ""}
+              readOnly
+              className="font-mono bg-[var(--color-muted)] cursor-not-allowed"
+            />
+          </SettingsField>
+          <SettingsField id="profile-display" label="Display name">
+            <Input
+              id="profile-display"
+              value={displayName}
+              readOnly
+              className="bg-[var(--color-muted)] cursor-not-allowed"
+            />
+          </SettingsField>
+          <SettingsField id="profile-email" label="Email">
+            <Input
+              id="profile-email"
+              type="email"
+              value={user.email ?? ""}
+              readOnly
+              className="font-mono bg-[var(--color-muted)] cursor-not-allowed"
+            />
+            {user.emailConfirmed !== undefined && (
+              <p className="mt-1 text-[11px] text-[var(--color-muted-foreground)]">
+                {user.emailConfirmed ? "Address verified" : "Not yet verified"}
+              </p>
+            )}
+          </SettingsField>
+          <SettingsField id="profile-phone" label="Phone">
+            <Input
+              id="profile-phone"
+              value={user.phoneNumber ?? "—"}
+              readOnly
+              className="font-mono bg-[var(--color-muted)] cursor-not-allowed"
+            />
+          </SettingsField>
+        </div>
+      </SettingsSection>
+
+      {/* Status badges */}
+      <SettingsSection
+        title="Account status"
+        icon={ShieldCheck}
+        description="Runtime flags on this account. Contact an operator to change them."
+      >
+        <div className="flex flex-wrap items-center gap-2">
+          <Badge
+            variant={user.isActive ? "success" : "muted"}
+            className="font-mono uppercase tracking-[0.14em]"
+          >
             {user.isActive ? "Active" : "Disabled"}
           </Badge>
-          <Badge variant={user.emailConfirmed ? "info" : "warning"} className="font-mono uppercase tracking-[0.14em]">
+          <Badge
+            variant={user.emailConfirmed ? "info" : "warning"}
+            className="font-mono uppercase tracking-[0.14em]"
+          >
             {user.emailConfirmed ? "Email confirmed" : "Email pending"}
           </Badge>
-          <Badge variant={user.twoFactorEnabled ? "success" : "outline"} className="font-mono uppercase tracking-[0.14em]">
+          <Badge
+            variant={user.twoFactorEnabled ? "success" : "outline"}
+            className="font-mono uppercase tracking-[0.14em]"
+          >
             {user.twoFactorEnabled ? "2FA enabled" : "2FA off"}
           </Badge>
         </div>
-      </FormSection>
-    </FormShell>
-  );
-}
-
-// ─── Avatar editor ──────────────────────────────────────────────────────
-
-const MAX_IMAGE_BYTES = 2 * 1024 * 1024;
-const ACCEPTED_TYPES = ["image/png", "image/jpeg", "image/webp"];
-
-function AvatarEditor({
-  name,
-  userId,
-  imageUrl,
-  onUpdated,
-}: {
-  name: string;
-  userId: string;
-  imageUrl: string | null;
-  onUpdated: () => void;
-}) {
-  const fileRef = useRef<HTMLInputElement>(null);
-  const [preview, setPreview] = useState<string | null>(null);
-
-  useEffect(() => {
-    // The data: URL preview is short-lived; revoke the previous one when
-    // a new file is picked or the component unmounts.
-    return () => {
-      if (preview && preview.startsWith("blob:")) URL.revokeObjectURL(preview);
-    };
-  }, [preview]);
-
-  const mutation = useMutation({
-    mutationFn: async (file: File | null) => {
-      if (file === null) {
-        await setProfileImage(null);
-        return null;
-      }
-      // The server's /profile/image endpoint takes a durable URL, not raw
-      // bytes — the Files module's presigned upload returns one. Here we
-      // skip that round-trip for v1 and inline a data: URL, which keeps the
-      // demo working without a storage bucket configured. Production
-      // deployments should switch to presigned uploads.
-      const dataUrl = await fileToDataUrl(file);
-      await setProfileImage(dataUrl);
-      return dataUrl;
-    },
-    onSuccess: (newUrl) => {
-      toast.success(newUrl === null ? "Avatar removed" : "Avatar updated");
-      setPreview(null);
-      onUpdated();
-    },
-    onError: (err: unknown) => {
-      const detail =
-        err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
-          : (err as Error).message;
-      toast.error("Update failed", { description: detail });
-    },
-  });
-
-  const onPick = (file: File | null) => {
-    if (!file) return;
-    if (!ACCEPTED_TYPES.includes(file.type)) {
-      toast.error("Unsupported format", { description: "Use PNG, JPG, or WebP." });
-      return;
-    }
-    if (file.size > MAX_IMAGE_BYTES) {
-      toast.error("Too large", { description: "Keep avatars under 2 MB." });
-      return;
-    }
-    if (preview && preview.startsWith("blob:")) URL.revokeObjectURL(preview);
-    setPreview(URL.createObjectURL(file));
-    mutation.mutate(file);
-  };
-
-  const currentSrc = preview ?? imageUrl ?? null;
-
-  return (
-    <div className="flex flex-wrap items-center gap-5">
-      <div className="grid h-20 w-20 place-items-center overflow-hidden rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)]">
-        {currentSrc ? (
-          // Avatar preview — object-cover so non-square images crop centrally.
-          <img src={currentSrc} alt="Avatar" className="h-full w-full object-cover" />
-        ) : (
-          <Monogram seed={userId} fallback={name} size="lg" />
-        )}
-      </div>
-      <div className="flex flex-wrap items-center gap-2">
-        <input
-          ref={fileRef}
-          type="file"
-          accept={ACCEPTED_TYPES.join(",")}
-          className="sr-only"
-          onChange={(e) => onPick(e.target.files?.[0] ?? null)}
-        />
-        <Button
-          type="button"
-          variant="outline"
-          size="sm"
-          disabled={mutation.isPending}
-          onClick={() => fileRef.current?.click()}
-        >
-          {mutation.isPending ? (
-            <Loader2 className="mr-1.5 h-3.5 w-3.5 animate-spin" />
-          ) : (
-            <Upload className="mr-1.5 h-3.5 w-3.5" />
-          )}
-          Upload new
-        </Button>
-        {imageUrl && (
-          <Button
-            type="button"
-            variant="ghost"
-            size="sm"
-            disabled={mutation.isPending}
-            onClick={() => mutation.mutate(null)}
-            className="text-[var(--color-destructive)] hover:bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.08)]"
-          >
-            <Trash2 className="mr-1.5 h-3.5 w-3.5" /> Remove
-          </Button>
-        )}
-      </div>
+      </SettingsSection>
     </div>
   );
 }
 
-function fileToDataUrl(file: File): Promise<string> {
-  return new Promise((resolve, reject) => {
-    const reader = new FileReader();
-    reader.onload = () => resolve(reader.result as string);
-    reader.onerror = () => reject(reader.error ?? new Error("read failed"));
-    reader.readAsDataURL(file);
-  });
-}
diff --git a/clients/admin/src/pages/settings/security.tsx b/clients/admin/src/pages/settings/security.tsx
index f476c386dd..4ca3dd2960 100644
--- a/clients/admin/src/pages/settings/security.tsx
+++ b/clients/admin/src/pages/settings/security.tsx
@@ -3,7 +3,14 @@ import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useForm } from "react-hook-form";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
-import { ClipboardCheck, Copy, KeyRound, ShieldCheck, ShieldOff } from "lucide-react";
+import {
+  AlertCircle,
+  ClipboardCheck,
+  Copy,
+  KeyRound,
+  ShieldCheck,
+  ShieldOff,
+} from "lucide-react";
 import { toast } from "sonner";
 import { changePassword, getMyProfile } from "@/api/users";
 import {
@@ -15,21 +22,29 @@ import {
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Badge } from "@/components/ui/badge";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Label } from "@/components/ui/label";
 import {
   ErrorBand,
   Field,
-  FormActions,
-  FormSection,
-  FormShell,
   LoadingRow,
+  SettingsSection,
 } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
 
 /**
  * SecuritySettings — combines password change + 2FA enrollment/disable
- * into one tab. Profile query fuels both: we read TwoFactorEnabled to
+ * into one tab. Profile query fuels both: we read twoFactorEnabled to
  * decide whether to render the enroll wizard or the disable controls.
+ * Password change is driven through a Dialog (mirrors dashboard pattern).
  */
 export function SecuritySettings() {
   const profile = useQuery({ queryKey: ["identity", "profile"], queryFn: getMyProfile });
@@ -40,7 +55,7 @@ export function SecuritySettings() {
       <ErrorBand
         message={
           profile.error instanceof ApiRequestError
-            ? profile.error.problem?.detail ?? profile.error.message
+            ? (profile.error.problem?.detail ?? profile.error.message)
             : "Failed to load security state."
         }
       />
@@ -50,14 +65,14 @@ export function SecuritySettings() {
   const twoFactorEnabled = profile.data?.twoFactorEnabled ?? false;
 
   return (
-    <div className="space-y-7">
+    <div className="space-y-5 fsh-enter">
       <PasswordSection />
       <TwoFactorSection enabled={twoFactorEnabled} />
     </div>
   );
 }
 
-// ─── Password section ───────────────────────────────────────────────────
+// ─── Password section ────────────────────────────────────────────────────
 
 const passwordSchema = z
   .object({
@@ -77,6 +92,38 @@ const passwordSchema = z
 type PasswordValues = z.infer<typeof passwordSchema>;
 
 function PasswordSection() {
+  const [dialogOpen, setDialogOpen] = useState(false);
+
+  return (
+    <>
+      <SettingsSection
+        title="Password"
+        icon={KeyRound}
+        description="Used to sign in to this console. Choose a strong, unique passphrase of 16+ characters."
+      >
+        <div className="flex items-center justify-between gap-4">
+          <p className="text-sm text-[var(--color-muted-foreground)]">
+            Changing your password does not revoke other sessions automatically — visit the Sessions
+            tab to sign out other devices.
+          </p>
+          <Button variant="outline" size="sm" onClick={() => setDialogOpen(true)}>
+            Change password
+          </Button>
+        </div>
+      </SettingsSection>
+
+      <ChangePasswordDialog open={dialogOpen} onOpenChange={setDialogOpen} />
+    </>
+  );
+}
+
+function ChangePasswordDialog({
+  open,
+  onOpenChange,
+}: {
+  open: boolean;
+  onOpenChange: (next: boolean) => void;
+}) {
   const {
     register,
     handleSubmit,
@@ -87,6 +134,11 @@ function PasswordSection() {
     defaultValues: { current: "", next: "", confirm: "" },
   });
 
+  // Reset form every time the dialog opens so stale values don't bleed.
+  useEffect(() => {
+    if (open) reset({ current: "", next: "", confirm: "" });
+  }, [open, reset]);
+
   const mutation = useMutation({
     mutationFn: (v: PasswordValues) =>
       changePassword({
@@ -98,12 +150,12 @@ function PasswordSection() {
       toast.success("Password changed", {
         description: "Other active sessions remain valid until you revoke them.",
       });
-      reset();
+      onOpenChange(false);
     },
     onError: (err) => {
       const detail =
         err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          ? (err.problem?.detail ?? err.problem?.title ?? err.message)
           : (err as Error).message;
       toast.error("Change failed", { description: detail });
     },
@@ -113,12 +165,17 @@ function PasswordSection() {
   const submitting = isSubmitting || mutation.isPending;
 
   return (
-    <form onSubmit={onSubmit}>
-      <FormShell>
-        <FormSection
-          title="Password"
-          description="Changing your password does NOT revoke other sessions automatically — visit the Sessions tab to sign out other devices."
-        >
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Change password</DialogTitle>
+          <DialogDescription>
+            Sign-out events for other devices aren't fired automatically — visit the Sessions tab
+            below to end them after rotating your password.
+          </DialogDescription>
+        </DialogHeader>
+
+        <form onSubmit={onSubmit} className="space-y-3" noValidate>
           <Field id="pw-current" label="Current password" required error={errors.current?.message}>
             <Input
               id="pw-current"
@@ -126,10 +183,17 @@ function PasswordSection() {
               autoComplete="current-password"
               className="font-mono"
               aria-invalid={errors.current ? true : undefined}
+              autoFocus
               {...register("current")}
             />
           </Field>
-          <Field id="pw-next" label="New password" required hint="At least 8 characters." error={errors.next?.message}>
+          <Field
+            id="pw-next"
+            label="New password"
+            required
+            hint="At least 8 characters."
+            error={errors.next?.message}
+          >
             <Input
               id="pw-next"
               type="password"
@@ -139,7 +203,12 @@ function PasswordSection() {
               {...register("next")}
             />
           </Field>
-          <Field id="pw-confirm" label="Confirm new password" required error={errors.confirm?.message}>
+          <Field
+            id="pw-confirm"
+            label="Confirm new password"
+            required
+            error={errors.confirm?.message}
+          >
             <Input
               id="pw-confirm"
               type="password"
@@ -149,24 +218,31 @@ function PasswordSection() {
               {...register("confirm")}
             />
           </Field>
-        </FormSection>
-        <FormActions>
-          <Button type="submit" disabled={submitting}>
-            <KeyRound className="mr-1 h-3.5 w-3.5" />
-            {submitting ? "Updating…" : "Update password"}
-          </Button>
-        </FormActions>
-      </FormShell>
-    </form>
+
+          <DialogFooter>
+            <Button
+              type="button"
+              variant="ghost"
+              onClick={() => onOpenChange(false)}
+              disabled={submitting}
+            >
+              Cancel
+            </Button>
+            <Button type="submit" disabled={submitting}>
+              <KeyRound className="mr-1 h-3.5 w-3.5" />
+              {submitting ? "Updating…" : "Update password"}
+            </Button>
+          </DialogFooter>
+        </form>
+      </DialogContent>
+    </Dialog>
   );
 }
 
-// ─── Two-factor section ─────────────────────────────────────────────────
+// ─── Two-factor section ──────────────────────────────────────────────────
 
 function TwoFactorSection({ enabled }: { enabled: boolean }) {
-  if (enabled) {
-    return <TwoFactorDisable />;
-  }
+  if (enabled) return <TwoFactorDisable />;
   return <TwoFactorEnroll />;
 }
 
@@ -183,7 +259,7 @@ function TwoFactorEnroll() {
     onError: (err: unknown) => {
       const detail =
         err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          ? (err.problem?.detail ?? err.problem?.title ?? err.message)
           : (err as Error).message;
       toast.error("Enrollment failed", { description: detail });
     },
@@ -199,7 +275,7 @@ function TwoFactorEnroll() {
         setEnrollment(null);
         setCode("");
         setQrSvg(null);
-        queryClient.invalidateQueries({ queryKey: ["identity", "profile"] });
+        void queryClient.invalidateQueries({ queryKey: ["identity", "profile"] });
       } else {
         toast.error("Verification failed", { description: "That code didn't match. Try again." });
       }
@@ -207,7 +283,7 @@ function TwoFactorEnroll() {
     onError: (err: unknown) => {
       const detail =
         err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          ? (err.problem?.detail ?? err.problem?.title ?? err.message)
           : (err as Error).message;
       toast.error("Verification failed", { description: detail });
     },
@@ -221,7 +297,7 @@ function TwoFactorEnroll() {
       return;
     }
     let cancelled = false;
-    // Lazy-load the ~50KB qrcode lib only when 2FA enrollment actually starts.
+    // Lazy-load the ~50 KB qrcode lib only when 2FA enrollment actually starts.
     import("qrcode")
       .then(({ default: QRCode }) =>
         QRCode.toString(enrollment.authenticatorUri, {
@@ -234,7 +310,6 @@ function TwoFactorEnroll() {
       .then((svg) => {
         if (cancelled) return;
         // Strip the default white background so the QR adapts to dark mode.
-        // currentColor + black-on-transparent reads well on both surfaces.
         const themed = svg
           .replace(/fill="#ffffff"/gi, 'fill="transparent"')
           .replace(/fill="#FFFFFF"/gi, 'fill="transparent"')
@@ -255,116 +330,124 @@ function TwoFactorEnroll() {
       setCopiedKey(true);
       window.setTimeout(() => setCopiedKey(false), 1500);
     } catch {
-      /* noop */
+      /* clipboard unavailable — silently noop */
     }
   };
 
   return (
-    <FormShell>
-      <FormSection
-        title="Two-factor authentication"
-        description={
-          <>
-            Adds an authenticator app code on top of your password. Recommended for every
-            operator account.
-            <Badge variant="outline" className="ml-2 font-mono uppercase tracking-[0.14em]">
-              off
-            </Badge>
-          </>
-        }
-      >
-        {!enrollment ? (
-          <div className="flex flex-wrap items-center gap-3">
-            <Button onClick={() => beginMutation.mutate()} disabled={beginMutation.isPending}>
-              <ShieldCheck className="mr-1.5 h-3.5 w-3.5" />
-              {beginMutation.isPending ? "Generating…" : "Enable two-factor"}
-            </Button>
-            <span className="text-xs text-[var(--color-muted-foreground)]">
-              You'll scan a QR code in your authenticator app (1Password, Google Authenticator, Authy…).
-            </span>
-          </div>
-        ) : (
-          <div className="space-y-5">
-            <div className="grid gap-5 sm:grid-cols-[14rem_1fr] sm:items-start">
-              <div className="grid h-52 w-52 place-items-center rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] p-2 text-[var(--color-foreground)]">
-                {qrSvg ? (
-                  <div
-                    aria-label="Two-factor QR code"
-                    role="img"
-                    className="h-full w-full [&_svg]:h-full [&_svg]:w-full"
-                    // qrSvg is locally generated by the qrcode lib from the
-                    // authenticator URI (not server/user HTML) — safe to inline.
-                    dangerouslySetInnerHTML={{ __html: qrSvg }}
-                  />
-                ) : (
-                  <span className="meta text-[var(--color-muted-foreground)]">
-                    Rendering<span className="caret text-[var(--color-accent-signal)]" />
-                  </span>
-                )}
-              </div>
-              <div className="space-y-3">
-                <div>
-                  <div className="meta text-[var(--color-muted-foreground)]">
-                    can't scan? enter manually
-                  </div>
-                  <div className="mt-1 flex items-center gap-2">
-                    <code className="code-chip break-all">{enrollment.sharedKey}</code>
-                    <button
-                      type="button"
-                      onClick={copyKey}
-                      className="inline-flex h-7 items-center gap-1 rounded-md px-2 font-mono text-[10px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)] transition-colors hover:bg-[var(--color-muted)] hover:text-[var(--color-foreground)]"
-                    >
-                      {copiedKey ? (
-                        <>
-                          <ClipboardCheck className="h-3 w-3" /> copied
-                        </>
-                      ) : (
-                        <>
-                          <Copy className="h-3 w-3" /> copy
-                        </>
-                      )}
-                    </button>
-                  </div>
+    <SettingsSection
+      title="Two-factor authentication"
+      icon={ShieldCheck}
+      description={
+        <span className="flex flex-wrap items-center gap-2">
+          Adds an authenticator app code on top of your password. Recommended for every operator
+          account.
+          <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
+            off
+          </Badge>
+        </span>
+      }
+    >
+      {!enrollment ? (
+        <div className="flex flex-wrap items-center gap-3">
+          <Button
+            onClick={() => beginMutation.mutate()}
+            disabled={beginMutation.isPending}
+          >
+            <ShieldCheck className="mr-1.5 h-3.5 w-3.5" />
+            {beginMutation.isPending ? "Generating…" : "Enable two-factor"}
+          </Button>
+          <span className="text-xs text-[var(--color-muted-foreground)]">
+            You'll scan a QR code in your authenticator app (1Password, Google Authenticator, Authy…).
+          </span>
+        </div>
+      ) : (
+        <div className="space-y-5">
+          <div className="grid gap-5 sm:grid-cols-[14rem_1fr] sm:items-start">
+            <div className="grid h-52 w-52 place-items-center rounded-md border border-[var(--color-border)] bg-[var(--color-muted)] p-2 text-[var(--color-foreground)]">
+              {qrSvg ? (
+                <div
+                  aria-label="Two-factor QR code"
+                  role="img"
+                  className="h-full w-full [&_svg]:h-full [&_svg]:w-full"
+                  // qrSvg is locally generated by the qrcode lib from the
+                  // authenticator URI (not server/user HTML) — safe to inline.
+                  dangerouslySetInnerHTML={{ __html: qrSvg }}
+                />
+              ) : (
+                <span className="text-[11px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                  Rendering…
+                </span>
+              )}
+            </div>
+            <div className="space-y-3">
+              <div>
+                <div className="text-[11px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                  Can't scan? Enter manually
                 </div>
-
-                <Field id="totp-code" label="6-digit code from your app" required>
-                  <Input
-                    id="totp-code"
-                    inputMode="numeric"
-                    autoComplete="one-time-code"
-                    placeholder="123 456"
-                    maxLength={8}
-                    value={code}
-                    onChange={(e) => setCode(e.target.value.replace(/\s/g, ""))}
-                    className={cn("font-mono text-lg tracking-[0.4em]", code.length >= 6 && "border-[var(--color-accent-signal)]")}
-                  />
-                </Field>
-
-                <div className="flex flex-wrap items-center gap-2 pt-1">
-                  <Button
-                    onClick={() => verifyMutation.mutate(code)}
-                    disabled={code.length < 6 || verifyMutation.isPending}
-                    variant="signal"
+                <div className="mt-1 flex items-center gap-2">
+                  <code className="break-all rounded-md border border-[var(--color-border)] bg-[var(--color-muted)] px-2 py-1 font-mono text-[11px]">
+                    {enrollment.sharedKey}
+                  </code>
+                  <button
+                    type="button"
+                    onClick={copyKey}
+                    className="inline-flex h-7 items-center gap-1 rounded-md px-2 text-[11px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)] transition-colors hover:bg-[var(--color-muted)] hover:text-[var(--color-foreground)]"
                   >
-                    {verifyMutation.isPending ? "Verifying…" : "Confirm & enable"}
-                  </Button>
-                  <Button
-                    variant="ghost"
-                    onClick={() => {
-                      setEnrollment(null);
-                      setCode("");
-                    }}
-                    disabled={verifyMutation.isPending}
-                  >
-                    Cancel
-                  </Button>
+                    {copiedKey ? (
+                      <>
+                        <ClipboardCheck className="h-3 w-3" /> copied
+                      </>
+                    ) : (
+                      <>
+                        <Copy className="h-3 w-3" /> copy
+                      </>
+                    )}
+                  </button>
                 </div>
               </div>
+
+              <div className="space-y-1.5">
+                <Label htmlFor="totp-code">6-digit code from your app</Label>
+                <Input
+                  id="totp-code"
+                  inputMode="numeric"
+                  autoComplete="one-time-code"
+                  placeholder="123 456"
+                  maxLength={8}
+                  value={code}
+                  onChange={(e) => setCode(e.target.value.replace(/\s/g, ""))}
+                  className={cn(
+                    "font-mono text-lg tracking-[0.4em]",
+                    code.length >= 6 && "border-[var(--color-accent-signal)]",
+                  )}
+                />
+              </div>
+
+              <div className="flex flex-wrap items-center gap-2 pt-1">
+                <Button
+                  onClick={() => verifyMutation.mutate(code)}
+                  disabled={code.length < 6 || verifyMutation.isPending}
+                  variant="signal"
+                >
+                  {verifyMutation.isPending ? "Verifying…" : "Confirm & enable"}
+                </Button>
+                <Button
+                  variant="ghost"
+                  onClick={() => {
+                    setEnrollment(null);
+                    setCode("");
+                  }}
+                  disabled={verifyMutation.isPending}
+                >
+                  Cancel
+                </Button>
+              </div>
             </div>
           </div>
-        )}
-      </FormSection>
-    </FormShell>
+        </div>
+      )}
+    </SettingsSection>
   );
 }
 
@@ -378,7 +461,7 @@ function TwoFactorDisable() {
       if (data.success) {
         toast.success("Two-factor disabled");
         setPassword("");
-        queryClient.invalidateQueries({ queryKey: ["identity", "profile"] });
+        void queryClient.invalidateQueries({ queryKey: ["identity", "profile"] });
       } else {
         toast.error("Disable failed", { description: "Password verification failed." });
       }
@@ -386,27 +469,42 @@ function TwoFactorDisable() {
     onError: (err: unknown) => {
       const detail =
         err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
+          ? (err.problem?.detail ?? err.problem?.title ?? err.message)
           : (err as Error).message;
       toast.error("Disable failed", { description: detail });
     },
   });
 
   return (
-    <FormShell>
-      <FormSection
-        title="Two-factor authentication"
-        description={
-          <>
-            Two-factor is currently enabled on your account. Confirm your password to disable —
-            this rotates the authenticator secret, so a fresh enroll will generate a new QR.
-            <Badge variant="success" className="ml-2 font-mono uppercase tracking-[0.14em]">
-              enabled
-            </Badge>
-          </>
-        }
-      >
-        <Field id="disable-pw" label="Current password" required>
+    <SettingsSection
+      title="Two-factor authentication"
+      icon={ShieldOff}
+      description={
+        <span className="flex flex-wrap items-center gap-2">
+          Two-factor is currently enabled on your account. Confirm your password to disable — this
+          rotates the authenticator secret, so a fresh enroll will generate a new QR.
+          <Badge variant="success" className="font-mono uppercase tracking-[0.14em]">
+            enabled
+          </Badge>
+        </span>
+      }
+      footer={
+        <div className="flex items-center justify-end gap-2">
+          <Button
+            type="button"
+            variant="destructive"
+            onClick={() => mutation.mutate(password)}
+            disabled={password.length === 0 || mutation.isPending}
+          >
+            <ShieldOff className="mr-1 h-3.5 w-3.5" />
+            {mutation.isPending ? "Disabling…" : "Disable two-factor"}
+          </Button>
+        </div>
+      }
+    >
+      <div className="grid gap-3 sm:grid-cols-[1fr_auto] sm:items-end">
+        <div className="space-y-1.5">
+          <Label htmlFor="disable-pw">Current password</Label>
           <Input
             id="disable-pw"
             type="password"
@@ -415,19 +513,36 @@ function TwoFactorDisable() {
             onChange={(e) => setPassword(e.target.value)}
             className="font-mono"
           />
-        </Field>
-      </FormSection>
-      <FormActions>
-        <Button
-          type="button"
-          variant="destructive"
-          onClick={() => mutation.mutate(password)}
-          disabled={password.length === 0 || mutation.isPending}
+        </div>
+        {/* Inline action for the sm breakpoint — the footer handles the
+            final CTA at all widths but this grid-col-auto slot keeps
+            things tidy on desktop. */}
+        <div className="hidden sm:block">
+          <Button
+            type="button"
+            variant="destructive"
+            onClick={() => mutation.mutate(password)}
+            disabled={password.length === 0 || mutation.isPending}
+          >
+            <ShieldOff className="mr-1 h-3.5 w-3.5" />
+            {mutation.isPending ? "Disabling…" : "Disable"}
+          </Button>
+        </div>
+      </div>
+
+      {mutation.isError && (
+        <div
+          role="alert"
+          className="mt-3 flex items-start gap-2 rounded-md border border-[oklch(from_var(--color-destructive)_l_c_h_/_0.40)] bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.08)] px-3 py-2 text-sm text-[var(--color-destructive)]"
         >
-          <ShieldOff className="mr-1 h-3.5 w-3.5" />
-          {mutation.isPending ? "Disabling…" : "Disable two-factor"}
-        </Button>
-      </FormActions>
-    </FormShell>
+          <AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
+          <span>
+            {mutation.error instanceof ApiRequestError
+              ? (mutation.error.problem?.detail ?? mutation.error.message)
+              : (mutation.error as Error).message}
+          </span>
+        </div>
+      )}
+    </SettingsSection>
   );
 }
diff --git a/clients/admin/src/pages/settings/sessions.tsx b/clients/admin/src/pages/settings/sessions.tsx
index e8c6b78403..b99c1fb02a 100644
--- a/clients/admin/src/pages/settings/sessions.tsx
+++ b/clients/admin/src/pages/settings/sessions.tsx
@@ -5,6 +5,7 @@ import {
   LogOut,
   Monitor,
   MoreHorizontal,
+  MonitorSmartphone,
   Smartphone,
 } from "lucide-react";
 import { toast } from "sonner";
@@ -16,12 +17,7 @@ import {
 } from "@/api/sessions";
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
-import {
-  ErrorBand,
-  FormSection,
-  FormShell,
-  LoadingRow,
-} from "@/components/list";
+import { ErrorBand, LoadingRow, SettingsSection } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
 
@@ -44,7 +40,7 @@ export function SessionsSettings() {
     onMutate: (sessionId) => setBusyIds((prev) => new Set(prev).add(sessionId)),
     onSuccess: () => {
       toast.success("Session revoked");
-      queryClient.invalidateQueries({ queryKey: ["identity", "sessions", "me"] });
+      void queryClient.invalidateQueries({ queryKey: ["identity", "sessions", "me"] });
     },
     onError: (err) => toast.error("Revoke failed", { description: describe(err) }),
     onSettled: (_d, _e, sessionId) =>
@@ -58,8 +54,10 @@ export function SessionsSettings() {
   const revokeAll = useMutation({
     mutationFn: revokeAllMySessions,
     onSuccess: (data) => {
-      toast.success(`Revoked ${data.revokedCount} other ${data.revokedCount === 1 ? "session" : "sessions"}`);
-      queryClient.invalidateQueries({ queryKey: ["identity", "sessions", "me"] });
+      toast.success(
+        `Revoked ${data.revokedCount} other ${data.revokedCount === 1 ? "session" : "sessions"}`,
+      );
+      void queryClient.invalidateQueries({ queryKey: ["identity", "sessions", "me"] });
     },
     onError: (err) => toast.error("Revoke all failed", { description: describe(err) }),
   });
@@ -70,7 +68,7 @@ export function SessionsSettings() {
       <ErrorBand
         message={
           query.error instanceof ApiRequestError
-            ? query.error.problem?.detail ?? query.error.message
+            ? (query.error.problem?.detail ?? query.error.message)
             : "Failed to load sessions."
         }
       />
@@ -78,17 +76,44 @@ export function SessionsSettings() {
   }
 
   return (
-    <FormShell>
-      <FormSection
+    <div className="space-y-5 fsh-enter">
+      <SettingsSection
         title="Active sessions"
-        description="Every browser or device currently signed into your account. Revoking a session signs that device out within ~10 seconds (the session-cleanup background job + JWT cache TTL)."
+        icon={MonitorSmartphone}
+        description="Every browser or device currently signed into your account. Revoking a session signs that device out within ~10 seconds."
+        footer={
+          activeOtherCount > 0 ? (
+            <div className="flex flex-wrap items-center justify-between gap-3">
+              <div className="flex items-start gap-2 text-xs">
+                <AlertTriangle
+                  className="mt-0.5 h-3.5 w-3.5 shrink-0 text-[var(--color-warning)]"
+                  aria-hidden
+                />
+                <span className="text-[var(--color-muted-foreground)]">
+                  {activeOtherCount} other{" "}
+                  {activeOtherCount === 1 ? "session is" : "sessions are"} active.
+                  Sign them all out at once if you suspect an account compromise.
+                </span>
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => revokeAll.mutate()}
+                disabled={revokeAll.isPending}
+              >
+                <LogOut className="mr-1.5 h-3.5 w-3.5" />
+                {revokeAll.isPending ? "Signing out…" : "Sign out everywhere else"}
+              </Button>
+            </div>
+          ) : undefined
+        }
       >
         {sorted.length === 0 ? (
           <p className="text-sm text-[var(--color-muted-foreground)]">
             No active sessions found. (Including this one? That would be a bug — please refresh.)
           </p>
         ) : (
-          <ul className="divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
+          <ul className="divide-y divide-[var(--color-border)]">
             {sorted.map((s) => (
               <SessionRow
                 key={s.id}
@@ -99,29 +124,8 @@ export function SessionsSettings() {
             ))}
           </ul>
         )}
-
-        {activeOtherCount > 0 && (
-          <div className="flex flex-wrap items-center justify-between gap-3 rounded-md border border-[var(--color-warning)]/30 bg-[oklch(from_var(--color-warning)_l_c_h_/_0.06)] px-3.5 py-2.5">
-            <div className="flex items-start gap-2 text-xs">
-              <AlertTriangle className="mt-0.5 h-3.5 w-3.5 text-[var(--color-warning)]" aria-hidden />
-              <span>
-                {activeOtherCount} other {activeOtherCount === 1 ? "session is" : "sessions are"} active.
-                Sign them all out at once if you suspect an account compromise.
-              </span>
-            </div>
-            <Button
-              variant="outline"
-              size="sm"
-              onClick={() => revokeAll.mutate()}
-              disabled={revokeAll.isPending}
-            >
-              <LogOut className="mr-1.5 h-3.5 w-3.5" />
-              {revokeAll.isPending ? "Signing out…" : "Sign out everywhere else"}
-            </Button>
-          </div>
-        )}
-      </FormSection>
-    </FormShell>
+      </SettingsSection>
+    </div>
   );
 }
 
@@ -134,15 +138,24 @@ function SessionRow({
   busy: boolean;
   onRevoke: () => void;
 }) {
-  const Icon = (session.deviceType ?? "").toLowerCase().includes("mobile") ? Smartphone : Monitor;
+  const isMobile = (session.deviceType ?? "").toLowerCase().includes("mobile");
+  const Icon = isMobile ? Smartphone : Monitor;
+
   return (
     <li
       className={cn(
-        "grid grid-cols-[auto_1fr_auto] items-center gap-4 px-1 py-3",
+        "grid grid-cols-[auto_1fr_auto] items-center gap-4 py-3",
         !session.isActive && "opacity-60",
       )}
     >
-      <span className="grid h-9 w-9 place-items-center rounded-md border border-[var(--color-border)] bg-[var(--color-surface-2)] text-[var(--color-muted-foreground)]">
+      <span
+        className={cn(
+          "grid h-9 w-9 place-items-center rounded-full ring-1 ring-inset shrink-0",
+          session.isCurrentSession
+            ? "bg-[var(--color-primary-soft,oklch(from_var(--color-accent-signal)_l_c_h_/_0.12))] text-[var(--color-accent-signal)] ring-[oklch(from_var(--color-accent-signal)_l_c_h_/_0.30)]"
+            : "bg-[var(--color-muted)] text-[var(--color-muted-foreground)] ring-[var(--color-border)]",
+        )}
+      >
         <Icon className="h-4 w-4" />
       </span>
       <div className="min-w-0">
@@ -166,8 +179,8 @@ function SessionRow({
         </div>
       </div>
       {session.isCurrentSession ? (
-        <span className="meta text-[var(--color-muted-foreground)]">
-          <MoreHorizontal className="inline h-3.5 w-3.5" aria-hidden /> use Sign out
+        <span className="text-[10.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]/60 flex items-center gap-1">
+          <MoreHorizontal className="h-3.5 w-3.5" aria-hidden /> use Sign out
         </span>
       ) : session.isActive ? (
         <Button variant="outline" size="sm" onClick={onRevoke} disabled={busy}>
@@ -181,11 +194,9 @@ function SessionRow({
   );
 }
 
-// ─── helpers ────────────────────────────────────────────────────────────
+// ─── helpers ─────────────────────────────────────────────────────────────
 
 function sortSessions(rows: UserSessionDto[]): UserSessionDto[] {
-  // Current session pinned to top; then active sessions by last-activity desc;
-  // then inactive sessions also by last-activity desc.
   return [...rows].sort((a, b) => {
     if (a.isCurrentSession && !b.isCurrentSession) return -1;
     if (!a.isCurrentSession && b.isCurrentSession) return 1;
diff --git a/clients/admin/src/pages/tenants/create.tsx b/clients/admin/src/pages/tenants/create.tsx
index d230940d3b..1481bdca70 100644
--- a/clients/admin/src/pages/tenants/create.tsx
+++ b/clients/admin/src/pages/tenants/create.tsx
@@ -1,212 +1,11 @@
-import { useNavigate } from "react-router-dom";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-import { ArrowLeft } from "lucide-react";
-import { toast } from "sonner";
-import { createTenant } from "@/api/tenants";
-import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
-import {
-  PageHeader,
-  Field,
-  FormShell,
-  FormSection,
-  FormActions,
-} from "@/components/list";
-import { ApiRequestError } from "@/lib/api-client";
-
-const TENANT_ID_RE = /^[a-z0-9][a-z0-9-]{1,62}[a-z0-9]$/;
-
-const schema = z.object({
-  id: z
-    .string()
-    .trim()
-    .regex(TENANT_ID_RE, "Lowercase letters, digits, hyphens. 3–64 chars. No leading/trailing hyphen."),
-  name: z.string().trim().min(2, "At least 2 characters.").max(128),
-  adminEmail: z.string().trim().email("Enter a valid email."),
-  adminPassword: z
-    .string()
-    .min(8, "At least 8 characters.")
-    .max(128, "Maximum 128 characters."),
-  issuer: z.string().trim().min(2, "Required.").max(256),
-  connectionString: z.string().trim().max(2048).optional(),
-});
-
-type FormValues = z.infer<typeof schema>;
+/**
+ * /tenants/new — redirects to the tenant list.
+ *
+ * Tenant creation is now a dialog launched from the list page "New tenant"
+ * button. This redirect keeps any existing bookmarks or links working.
+ */
+import { Navigate } from "react-router-dom";
 
 export function CreateTenantPage() {
-  const navigate = useNavigate();
-  const queryClient = useQueryClient();
-
-  const {
-    register,
-    handleSubmit,
-    formState: { errors, isSubmitting },
-  } = useForm<FormValues>({
-    resolver: zodResolver(schema),
-    defaultValues: {
-      id: "",
-      name: "",
-      adminEmail: "",
-      adminPassword: "",
-      issuer: "",
-      connectionString: "",
-    },
-  });
-
-  const mutation = useMutation({
-    mutationFn: (values: FormValues) =>
-      createTenant({
-        id: values.id,
-        name: values.name,
-        adminEmail: values.adminEmail,
-        adminPassword: values.adminPassword,
-        issuer: values.issuer,
-        connectionString: values.connectionString?.trim() ? values.connectionString : null,
-      }),
-    onSuccess: (result) => {
-      toast.success(`Tenant ${result.id} created`, {
-        description: "Provisioning runs in the background. Track progress on the detail page.",
-      });
-      queryClient.invalidateQueries({ queryKey: ["tenants"] });
-      navigate(`/tenants/${result.id}`);
-    },
-    onError: (err) => {
-      const detail =
-        err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
-          : (err as Error).message;
-      toast.error("Create failed", { description: detail });
-    },
-  });
-
-  const onSubmit = handleSubmit((values) => mutation.mutate(values));
-  const submitting = isSubmitting || mutation.isPending;
-
-  return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Tenants" }, { label: "New", muted: true }]}
-        trailing="Tenant · Draft"
-        title="New tenant"
-        description="Provision a new tenant and its seed admin user. The identifier is the URL-safe slug used in subdomain-like routing and JWT claims."
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/tenants")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Registry
-          </Button>
-        }
-      />
-
-      <form onSubmit={onSubmit}>
-        <FormShell>
-          <FormSection
-            title="Identity"
-            description="How the tenant is named on the platform. The identifier is immutable."
-          >
-            <Field
-              id="id"
-              label="Identifier"
-              required
-              hint="Lowercase letters, digits, and hyphens. 3–64 characters."
-              error={errors.id?.message}
-            >
-              <Input
-                id="id"
-                autoComplete="off"
-                placeholder="acme-corp"
-                className="font-mono"
-                aria-invalid={errors.id ? true : undefined}
-                {...register("id")}
-              />
-            </Field>
-            <Field id="name" label="Display name" required error={errors.name?.message}>
-              <Input
-                id="name"
-                placeholder="Acme Corp"
-                aria-invalid={errors.name ? true : undefined}
-                {...register("name")}
-              />
-            </Field>
-            <Field id="adminEmail" label="Admin email" required error={errors.adminEmail?.message}>
-              <Input
-                id="adminEmail"
-                type="email"
-                placeholder="admin@acme.example"
-                className="font-mono"
-                aria-invalid={errors.adminEmail ? true : undefined}
-                {...register("adminEmail")}
-              />
-            </Field>
-            <Field
-              id="adminPassword"
-              label="Initial admin password"
-              required
-              hint="The first admin will sign in with this. They can rotate it after first login."
-              error={errors.adminPassword?.message}
-            >
-              <Input
-                id="adminPassword"
-                type="password"
-                autoComplete="new-password"
-                placeholder="Min 8 characters"
-                aria-invalid={errors.adminPassword ? true : undefined}
-                {...register("adminPassword")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormSection
-            title="Security"
-            description="JWT issuer claim emitted by tokens for this tenant. Used to scope sessions."
-          >
-            <Field id="issuer" label="JWT issuer" required error={errors.issuer?.message}>
-              <Input
-                id="issuer"
-                placeholder="acme-corp.issuer"
-                className="font-mono"
-                aria-invalid={errors.issuer ? true : undefined}
-                {...register("issuer")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormSection
-            title="Database"
-            description="Optional dedicated connection string. Leave blank to share the default database with row-level tenant scoping."
-          >
-            <Field
-              id="connectionString"
-              label="Connection string"
-              hint="Optional. Leave blank to use the shared catalog."
-              error={errors.connectionString?.message}
-            >
-              <Input
-                id="connectionString"
-                placeholder="Host=…;Database=…"
-                className="font-mono"
-                aria-invalid={errors.connectionString ? true : undefined}
-                {...register("connectionString")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormActions>
-            <Button type="submit" disabled={submitting}>
-              {submitting ? "Provisioning…" : "Create tenant"}
-            </Button>
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() => navigate("/tenants")}
-              disabled={submitting}
-            >
-              Cancel
-            </Button>
-          </FormActions>
-        </FormShell>
-      </form>
-    </div>
-  );
+  return <Navigate to="/tenants" replace />;
 }
diff --git a/clients/admin/src/pages/tenants/detail.tsx b/clients/admin/src/pages/tenants/detail.tsx
index fbc9cc66fc..9c205e2dc1 100644
--- a/clients/admin/src/pages/tenants/detail.tsx
+++ b/clients/admin/src/pages/tenants/detail.tsx
@@ -1,7 +1,22 @@
 import { useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { ArrowLeft, CheckCircle2, CircleDashed, Loader2, RefreshCw, UserCog, XCircle } from "lucide-react";
+import {
+  ArrowLeft,
+  Building2,
+  CalendarClock,
+  CheckCircle2,
+  CircleDashed,
+  ClipboardList,
+  Info,
+  KeyRound,
+  Loader2,
+  Mail,
+  RefreshCw,
+  ServerCrash,
+  UserCog,
+  XCircle,
+} from "lucide-react";
 import { toast } from "sonner";
 import { useAuth } from "@/auth/use-auth";
 import { ImpersonateDialog } from "@/components/impersonation/impersonate-dialog";
@@ -19,11 +34,10 @@ import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
 import { Monogram } from "@/components/monogram";
 import {
-  PageHeader,
+  EntityPageHeader,
   ErrorBand,
   LoadingRow,
-  FormShell,
-  FormSection,
+  SettingsSection,
 } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
@@ -49,8 +63,8 @@ export function TenantDetailPage() {
     queryFn: () => getTenantProvisioningStatus(id),
     enabled: !!id,
     // A 404 means this tenant was never run through the provisioning pipeline
-    // (e.g. demo/directly-created tenants). That's a terminal "not tracked"
-    // state, not a transient failure — don't retry or poll it.
+    // (e.g. demo/directly-created tenants) — a terminal "not tracked" state,
+    // not a transient failure. Don't retry or poll it.
     retry: (failureCount, err) =>
       !(err instanceof ApiRequestError && err.status === 404) && failureCount < 3,
     // Poll while provisioning is in flight; stop once terminal (or not tracked).
@@ -91,20 +105,16 @@ export function TenantDetailPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[
-          { label: "\\ Tenants" },
-          { label: tenant?.name ?? id, muted: true },
-        ]}
-        trailing={id ? `ID · ${shortId(id)}` : undefined}
+      <EntityPageHeader
+        icon={Building2}
         title={tenant?.name ?? "Tenant"}
+        tone="info"
         description={tenant?.adminEmail}
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/tenants")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Registry
-          </Button>
-        }
-      />
+      >
+        <Button variant="ghost" size="sm" onClick={() => navigate("/tenants")}>
+          <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Registry
+        </Button>
+      </EntityPageHeader>
 
       {tenantQuery.isError && (
         <ErrorBand message={describe(tenantQuery.error)} />
@@ -114,59 +124,71 @@ export function TenantDetailPage() {
 
       {tenant && (
         <>
-          <header className="card-shell flex flex-col items-start gap-6 px-6 py-6 sm:px-8 md:flex-row md:items-center md:justify-between">
-            <div className="flex items-center gap-5">
-              <Monogram seed={tenant.id} fallback={tenant.name} size="lg" />
-              <div>
-                <h2 className="font-display text-2xl font-semibold tracking-tight md:text-3xl">
-                  {tenant.name}
-                </h2>
-                <div className="mt-1 flex flex-wrap items-baseline gap-x-4 gap-y-1 font-mono text-xs text-[var(--color-muted-foreground)]">
-                  <code className="code-chip">{tenant.id}</code>
-                  <span className="truncate">{tenant.adminEmail}</span>
-                </div>
-                <div className="mt-3 flex flex-wrap items-center gap-2">
-                  <Badge variant={tenant.isActive ? "success" : "muted"} className="font-mono uppercase tracking-[0.14em]">
-                    {tenant.isActive ? "Active" : "Inactive"}
-                  </Badge>
-                  <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
-                    valid · {formatDate(tenant.validUpto)}
-                  </Badge>
-                  {tenant.issuer && (
-                    <Badge variant="outline" className="font-mono uppercase tracking-[0.14em]">
-                      iss · {tenant.issuer}
+          {/* ── Hero identity card ─────────────────────────────────────── */}
+          <SettingsSection title="Overview" icon={Building2}>
+            <div className="flex flex-col gap-5 sm:flex-row sm:items-start sm:justify-between">
+              {/* Left: monogram + name + meta + badges */}
+              <div className="flex items-start gap-4">
+                <Monogram seed={tenant.id} fallback={tenant.name} size="lg" />
+                <div className="min-w-0">
+                  <h2 className="font-display text-2xl font-semibold tracking-tight md:text-3xl">
+                    {tenant.name}
+                  </h2>
+                  <div className="mt-1.5 flex flex-wrap items-center gap-x-3 gap-y-1">
+                    <span className="inline-flex items-center gap-1.5 text-[12px] text-[var(--color-muted-foreground)]">
+                      <Mail className="h-3 w-3 shrink-0" />
+                      {tenant.adminEmail}
+                    </span>
+                    <span className="inline-flex items-center gap-1.5 font-mono text-[11px] text-[var(--color-muted-foreground)]">
+                      <KeyRound className="h-3 w-3 shrink-0" />
+                      <code>{tenant.id}</code>
+                    </span>
+                  </div>
+                  <div className="mt-3 flex flex-wrap items-center gap-2">
+                    <Badge variant={tenant.isActive ? "success" : "muted"}>
+                      {tenant.isActive ? "Active" : "Inactive"}
                     </Badge>
-                  )}
+                    <Badge variant="outline">
+                      <CalendarClock className="h-3 w-3" />
+                      Valid until {formatDate(tenant.validUpto)}
+                    </Badge>
+                    {tenant.issuer && (
+                      <Badge variant="outline" className="font-mono text-[10.5px]">
+                        iss · {tenant.issuer}
+                      </Badge>
+                    )}
+                  </div>
                 </div>
               </div>
-            </div>
 
-            <div className="flex flex-wrap items-center gap-2">
-              {canImpersonate && tenant.isActive && (
+              {/* Right: action buttons */}
+              <div className="flex shrink-0 flex-wrap items-center gap-2">
+                {canImpersonate && tenant.isActive && (
+                  <Button
+                    variant="signal"
+                    onClick={() => setImpersonateOpen(true)}
+                    className="shrink-0"
+                    title="Sign in as a user inside this tenant"
+                  >
+                    <UserCog className="mr-1.5 h-3.5 w-3.5" />
+                    Impersonate user
+                  </Button>
+                )}
                 <Button
-                  variant="signal"
-                  onClick={() => setImpersonateOpen(true)}
+                  variant={tenant.isActive ? "outline" : "default"}
+                  onClick={() => activationMutation.mutate(!tenant.isActive)}
+                  disabled={activationMutation.isPending}
                   className="shrink-0"
-                  title="Sign in as a user inside this tenant"
                 >
-                  <UserCog className="mr-1.5 h-3.5 w-3.5" />
-                  Impersonate user
+                  {activationMutation.isPending
+                    ? "Updating…"
+                    : tenant.isActive
+                      ? "Deactivate tenant"
+                      : "Activate tenant"}
                 </Button>
-              )}
-              <Button
-                variant={tenant.isActive ? "outline" : "default"}
-                onClick={() => activationMutation.mutate(!tenant.isActive)}
-                disabled={activationMutation.isPending}
-                className="shrink-0"
-              >
-                {activationMutation.isPending
-                  ? "Updating…"
-                  : tenant.isActive
-                    ? "Deactivate tenant"
-                    : "Activate tenant"}
-              </Button>
+              </div>
             </div>
-          </header>
+          </SettingsSection>
 
           <ImpersonateDialog
             open={impersonateOpen}
@@ -179,75 +201,107 @@ export function TenantDetailPage() {
 
           <TenantBrandingCard tenantId={tenant.id} />
 
-          <FormShell>
-            <FormSection
-              title="Details"
-              description="The tenant's identity, contact, and subscription window. Identifiers are immutable; the issuer is used to scope JWTs."
-            >
-              <dl className="divide-y divide-[var(--color-border)]">
-                <DetailRow label="Identifier" mono>{tenant.id}</DetailRow>
-                <DetailRow label="Name">{tenant.name}</DetailRow>
-                <DetailRow label="Admin email" mono>{tenant.adminEmail}</DetailRow>
-                <DetailRow label="JWT issuer" mono>{tenant.issuer ?? "—"}</DetailRow>
-                <DetailRow label="Valid until">{formatDate(tenant.validUpto)}</DetailRow>
-                <DetailRow label="Status">{tenant.isActive ? "Active" : "Inactive"}</DetailRow>
-              </dl>
-            </FormSection>
-          </FormShell>
-
-          <FormShell>
-            <FormSection
-              title="Provisioning"
-              description={
-                <>
-                  Live status of the background pipeline that seeds the tenant database,
-                  default roles, and admin user. Polls every 2 seconds while running.
-                </>
-              }
-            >
-              <ProvisioningPanel
-                steps={provisioning?.steps ?? []}
-                status={provisioning?.status}
-                currentStep={provisioning?.currentStep ?? undefined}
-                errorBody={provisioning?.error ?? undefined}
-                loading={provisioningQuery.isLoading}
-                // A 404 isn't an error to surface — it just means this tenant
-                // was never run through the pipeline. Swallow it here and let
-                // the panel render its neutral "not tracked" state instead.
-                error={provisioningNotTracked ? undefined : provisioningQuery.error}
-                notTracked={provisioningNotTracked}
-                onRetry={() => retryMutation.mutate()}
-                retryPending={retryMutation.isPending}
-              />
-            </FormSection>
-          </FormShell>
+          {/* ── Details section ────────────────────────────────────────── */}
+          <SettingsSection
+            title="Details"
+            icon={Info}
+            description="The tenant's identity, contact, and subscription window. Identifiers are immutable; the issuer scopes JWTs to this tenant."
+          >
+            <div className="space-y-0">
+              <InfoRow label="Identifier" mono>{tenant.id}</InfoRow>
+              <InfoRow label="Name">{tenant.name}</InfoRow>
+              <InfoRow label="Admin email" mono>{tenant.adminEmail}</InfoRow>
+              <InfoRow label="JWT issuer" mono>{tenant.issuer ?? "—"}</InfoRow>
+              <InfoRow label="Valid until">
+                <span className="flex items-center gap-1.5">
+                  <CalendarClock className="h-3.5 w-3.5 text-[var(--color-muted-foreground)]" />
+                  {formatDate(tenant.validUpto)}
+                </span>
+              </InfoRow>
+              <InfoRow label="Status" isLast>
+                <Badge variant={tenant.isActive ? "success" : "muted"}>
+                  {tenant.isActive ? "Active" : "Inactive"}
+                </Badge>
+              </InfoRow>
+            </div>
+          </SettingsSection>
+
+          {/* ── Provisioning section ───────────────────────────────────── */}
+          <SettingsSection
+            title="Provisioning"
+            icon={ClipboardList}
+            description="Live status of the background pipeline that seeds the tenant database, default roles, and admin user. Polls every 2 seconds while running."
+          >
+            <ProvisioningPanel
+              steps={provisioning?.steps ?? []}
+              status={provisioning?.status}
+              currentStep={provisioning?.currentStep ?? undefined}
+              errorBody={provisioning?.error ?? undefined}
+              loading={provisioningQuery.isLoading}
+              // A 404 isn't an error to surface — the tenant was just never run
+              // through the pipeline. Swallow it and show the neutral state.
+              error={provisioningNotTracked ? undefined : provisioningQuery.error}
+              notTracked={provisioningNotTracked}
+              onRetry={() => retryMutation.mutate()}
+              retryPending={retryMutation.isPending}
+            />
+          </SettingsSection>
         </>
       )}
     </div>
   );
 }
 
-// ─── subcomponents ──────────────────────────────────────────────────────
+// ─── subcomponents ──────────────────────────────────────────────────────────
 
-function DetailRow({
+/**
+ * InfoRow — a single key/value row inside the Details card.
+ * Matches the `ProfileRow` pattern from the dashboard's user-detail page:
+ * label on the left (muted, small), value on the right (foreground, readable).
+ * Separated by a subtle half-opacity border.
+ */
+function InfoRow({
   label,
   children,
   mono,
+  isLast,
 }: {
   label: string;
   children: React.ReactNode;
   mono?: boolean;
+  isLast?: boolean;
 }) {
   return (
-    <div className="grid grid-cols-[10rem_1fr] items-baseline gap-4 py-2.5">
-      <dt className="meta text-[var(--color-muted-foreground)]">{label}</dt>
-      <dd className={cn("min-w-0 break-words text-sm", mono && "font-mono text-[0.8125rem]")}>
+    <div
+      className={cn(
+        "flex items-center justify-between gap-4 py-2.5",
+        !isLast &&
+          "border-b border-[oklch(from_var(--color-border)_l_c_h_/_0.5)]",
+      )}
+    >
+      <span className="shrink-0 text-[11.5px] font-medium text-[var(--color-muted-foreground)]">
+        {label}
+      </span>
+      <span
+        className={cn(
+          "min-w-0 truncate text-right text-[13px] text-[var(--color-foreground)]",
+          mono && "font-mono text-[12px]",
+        )}
+      >
         {children}
-      </dd>
+      </span>
     </div>
   );
 }
 
+/**
+ * ProvisioningPanel — live pipeline status.
+ * Renders a status badge + retry action, then either:
+ *  - a "not tracked" neutral state (provisioningNotTracked)
+ *  - a timeline-style step list
+ *  - loading / empty / error states
+ * The 404/notTracked logic is intentionally preserved verbatim.
+ */
 function ProvisioningPanel({
   steps,
   status,
@@ -270,6 +324,7 @@ function ProvisioningPanel({
   retryPending: boolean;
 }) {
   const overall = notTracked ? "Not tracked" : status ?? (loading ? "Loading" : "Unknown");
+
   const overallVariant =
     status === "Completed"
       ? "success"
@@ -281,47 +336,53 @@ function ProvisioningPanel({
 
   return (
     <div className="space-y-5">
+      {/* Status bar */}
       <div className="flex flex-wrap items-center justify-between gap-3">
-        <Badge variant={overallVariant} className="font-mono uppercase tracking-[0.14em]">
-          {status === "Failed"
-            ? `Failed at ${currentStep ?? "unknown step"}`
-            : currentStep
-              ? `${overall} · ${currentStep}`
-              : overall}
-        </Badge>
+        <div className="flex items-center gap-2.5">
+          <OverallStatusDot status={notTracked ? "NotTracked" : (status ?? "Unknown")} />
+          <Badge variant={overallVariant}>
+            {status === "Failed"
+              ? `Failed at ${currentStep ?? "unknown step"}`
+              : currentStep
+                ? `${overall} · ${currentStep}`
+                : overall}
+          </Badge>
+        </div>
         {status === "Failed" && (
           <Button size="sm" variant="outline" onClick={onRetry} disabled={retryPending}>
-            <RefreshCw className={cn("mr-1 h-3.5 w-3.5", retryPending && "animate-spin")} />
+            <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", retryPending && "animate-spin")} />
             {retryPending ? "Re-queuing…" : "Retry provisioning"}
           </Button>
         )}
       </div>
 
+      {/* Body */}
       {error ? (
         <ErrorBand message={describe(error)} />
       ) : loading && steps.length === 0 ? (
-        <p className="meta text-[var(--color-muted-foreground)]">
-          Loading<span className="caret text-[var(--color-accent-signal)]" />
-        </p>
+        <p className="text-[13px] text-[var(--color-muted-foreground)]">Loading…</p>
       ) : notTracked ? (
-        <p className="text-sm text-[var(--color-muted-foreground)]">
-          This tenant wasn't created through the provisioning pipeline, so there's no run
-          history to show. Tenants created via the console report their seed/migrate steps here.
-        </p>
+        <div className="flex items-start gap-3 rounded-lg border border-[var(--color-border)] bg-[var(--color-muted)] px-4 py-3.5">
+          <ServerCrash
+            aria-hidden
+            className="mt-0.5 h-4 w-4 shrink-0 text-[var(--color-muted-foreground)]"
+          />
+          <p className="text-[13px] leading-relaxed text-[var(--color-muted-foreground)]">
+            This tenant wasn't created through the provisioning pipeline, so there's no run
+            history to show. Tenants created via the console report their seed/migrate steps here.
+          </p>
+        </div>
       ) : steps.length === 0 ? (
-        <p className="text-sm text-[var(--color-muted-foreground)]">
+        <p className="text-[13px] text-[var(--color-muted-foreground)]">
           No provisioning runs recorded.
         </p>
       ) : (
-        <ol className="divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
-          {steps.map((step, i) => (
-            <StepRow key={step.step} step={step} index={i + 1} />
-          ))}
-        </ol>
+        <StepTimeline steps={steps} />
       )}
 
+      {/* Error body (failed step detail) */}
       {errorBody && (
-        <pre className="max-h-44 overflow-auto rounded-md border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.06)] p-3 font-mono text-[11px] whitespace-pre-wrap text-[var(--color-destructive)]">
+        <pre className="max-h-44 overflow-auto rounded-lg border border-[var(--color-destructive)]/40 bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.06)] p-3.5 font-mono text-[11px] whitespace-pre-wrap text-[var(--color-destructive)]">
           {errorBody}
         </pre>
       )}
@@ -329,23 +390,97 @@ function ProvisioningPanel({
   );
 }
 
-function StepRow({ step, index }: { step: TenantProvisioningStep; index: number }) {
-  const tone =
-    step.status === "Completed"
-      ? "text-[var(--color-success)]"
-      : step.status === "Failed"
-        ? "text-[var(--color-destructive)]"
-        : step.status === "Running"
-          ? "text-[var(--color-info)]"
-          : "text-[var(--color-muted-foreground)]";
-  const Icon =
-    step.status === "Completed"
-      ? CheckCircle2
-      : step.status === "Failed"
-        ? XCircle
-        : step.status === "Running"
-          ? Loader2
-          : CircleDashed;
+/**
+ * OverallStatusDot — an animated pulsing dot that conveys overall
+ * pipeline status at a glance alongside the badge text.
+ */
+function OverallStatusDot({ status }: { status: string }) {
+  const color =
+    status === "Completed"
+      ? "bg-[var(--color-success)]"
+      : status === "Failed"
+        ? "bg-[var(--color-destructive)]"
+        : status === "Running"
+          ? "bg-[var(--color-info)]"
+          : "bg-[var(--color-muted-foreground)]";
+
+  const pulse = status === "Running";
+
+  return (
+    <span className="relative inline-flex h-2.5 w-2.5 shrink-0">
+      {pulse && (
+        <span
+          className={cn(
+            "absolute inline-flex h-full w-full animate-ping rounded-full opacity-60",
+            color,
+          )}
+        />
+      )}
+      <span className={cn("relative inline-flex h-2.5 w-2.5 rounded-full", color)} />
+    </span>
+  );
+}
+
+/**
+ * StepTimeline — renders provisioning steps as a connected vertical
+ * timeline instead of a flat `<ol>` with dividers.
+ * Each step has: a status icon track, step name, duration, and status label.
+ */
+function StepTimeline({ steps }: { steps: TenantProvisioningStep[] }) {
+  return (
+    <ol className="space-y-0">
+      {steps.map((step, i) => (
+        <StepRow key={step.step} step={step} index={i + 1} isLast={i === steps.length - 1} />
+      ))}
+    </ol>
+  );
+}
+
+function StepRow({
+  step,
+  index,
+  isLast,
+}: {
+  step: TenantProvisioningStep;
+  index: number;
+  isLast: boolean;
+}) {
+  const isCompleted = step.status === "Completed";
+  const isFailed = step.status === "Failed";
+  const isRunning = step.status === "Running";
+  const isPending = !isCompleted && !isFailed && !isRunning;
+
+  const iconColor = isCompleted
+    ? "text-[var(--color-success)]"
+    : isFailed
+      ? "text-[var(--color-destructive)]"
+      : isRunning
+        ? "text-[var(--color-info)]"
+        : "text-[var(--color-muted-foreground)]";
+
+  const Icon = isCompleted
+    ? CheckCircle2
+    : isFailed
+      ? XCircle
+      : isRunning
+        ? Loader2
+        : CircleDashed;
+
+  const trackColor = isCompleted
+    ? "bg-[var(--color-success)]"
+    : isFailed
+      ? "bg-[var(--color-destructive)]"
+      : isRunning
+        ? "bg-[var(--color-info)]"
+        : "bg-[var(--color-border-strong)]";
+
+  const statusVariant = isCompleted
+    ? "success"
+    : isFailed
+      ? "danger"
+      : isRunning
+        ? "info"
+        : ("outline" as const);
 
   const duration =
     step.startedUtc && step.completedUtc
@@ -355,28 +490,71 @@ function StepRow({ step, index }: { step: TenantProvisioningStep; index: number
         : null;
 
   return (
-    <li className="grid grid-cols-[2rem_auto_1fr_auto_auto] items-center gap-3 py-2.5">
-      <span className="font-mono text-[10.5px] tabular-nums text-[var(--color-muted-foreground)]">
-        {String(index).padStart(2, "0")}
-      </span>
-      <Icon className={cn("h-4 w-4", tone, step.status === "Running" && "animate-spin")} />
-      <span className="truncate font-mono text-[13px]">{step.step}</span>
-      {duration && (
-        <span className="font-mono text-[10.5px] tabular-nums text-[var(--color-muted-foreground)]">
-          {duration}
+    <li className="flex items-stretch gap-3">
+      {/* Timeline track column */}
+      <div className="flex w-8 shrink-0 flex-col items-center">
+        {/* Icon */}
+        <span
+          className={cn(
+            "relative z-10 grid h-8 w-8 shrink-0 place-items-center rounded-full",
+            "border border-[var(--color-border)] bg-[var(--color-card)]",
+            iconColor,
+          )}
+        >
+          <Icon
+            className={cn("h-3.5 w-3.5", isRunning && "animate-spin")}
+          />
         </span>
-      )}
-      <span className={cn("meta", tone)}>{step.status}</span>
+        {/* Vertical connector line — hidden on last item */}
+        {!isLast && (
+          <div
+            className={cn("mt-1 w-[2px] flex-1 rounded-full opacity-30", trackColor)}
+            style={{ minHeight: "1.25rem" }}
+          />
+        )}
+      </div>
+
+      {/* Content */}
+      <div
+        className={cn(
+          "flex min-w-0 flex-1 flex-wrap items-center justify-between gap-x-4 gap-y-0.5 pb-4",
+          isLast && "pb-0",
+        )}
+      >
+        {/* Step index + name */}
+        <div className="flex items-center gap-2 min-w-0">
+          <span className="font-mono text-[10.5px] tabular-nums text-[var(--color-muted-foreground)] opacity-60">
+            {String(index).padStart(2, "0")}
+          </span>
+          <span
+            className={cn(
+              "truncate font-mono text-[13px]",
+              isPending
+                ? "text-[var(--color-muted-foreground)]"
+                : "text-[var(--color-foreground)]",
+            )}
+          >
+            {step.step}
+          </span>
+        </div>
+
+        {/* Duration + status */}
+        <div className="flex shrink-0 items-center gap-2.5">
+          {duration && (
+            <span className="font-mono text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
+              {duration}
+            </span>
+          )}
+          <Badge variant={statusVariant} className="font-mono uppercase tracking-[0.12em]">
+            {step.status}
+          </Badge>
+        </div>
+      </div>
     </li>
   );
 }
 
-// ─── helpers ────────────────────────────────────────────────────────────
-
-function shortId(id: string): string {
-  if (id.length <= 12) return id;
-  return `${id.slice(0, 4)}…${id.slice(-4)}`;
-}
+// ─── helpers ────────────────────────────────────────────────────────────────
 
 function formatDate(value: string | undefined): string {
   if (!value) return "—";
diff --git a/clients/admin/src/pages/tenants/list.tsx b/clients/admin/src/pages/tenants/list.tsx
index 10393a699a..3ba41c4e42 100644
--- a/clients/admin/src/pages/tenants/list.tsx
+++ b/clients/admin/src/pages/tenants/list.tsx
@@ -1,16 +1,20 @@
 import { useMemo, useState } from "react";
 import { useNavigate } from "react-router-dom";
 import { useQuery, keepPreviousData } from "@tanstack/react-query";
-import { ChevronLeft, ChevronRight, Plus } from "lucide-react";
+import { Building2, ChevronLeft, ChevronRight, Plus } from "lucide-react";
 import { listTenants, type TenantDto } from "@/api/tenants";
 import { Button } from "@/components/ui/button";
 import { Monogram } from "@/components/monogram";
-import { SectionRule } from "@/components/section-rule";
+import { EntityPageHeader, ErrorBand } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
+import { CreateTenantDialog } from "@/components/tenants/create-tenant-dialog";
 
 const PAGE_SIZE = 12;
 
+// Desktop grid template — shared by header + rows.
+const DESKTOP_COLS = "grid-cols-[1fr_140px_24px] lg:grid-cols-[1.6fr_1.4fr_140px_24px]";
+
 function formatDate(value: string): string {
   const date = new Date(value);
   return Number.isNaN(date.getTime()) ? value : date.toLocaleDateString();
@@ -18,6 +22,7 @@ function formatDate(value: string): string {
 
 export function TenantsListPage() {
   const [pageNumber, setPageNumber] = useState(1);
+  const [createOpen, setCreateOpen] = useState(false);
   const navigate = useNavigate();
 
   const query = useQuery({
@@ -28,7 +33,6 @@ export function TenantsListPage() {
 
   const data = query.data;
   const items: TenantDto[] = data?.items ?? [];
-  const baseIndex = ((data?.pageNumber ?? 1) - 1) * (data?.pageSize ?? PAGE_SIZE);
 
   const pageBadge = useMemo(() => {
     if (!data) return "—";
@@ -38,70 +42,101 @@ export function TenantsListPage() {
   }, [data]);
 
   return (
-    <div className="space-y-8">
-      <SectionRule
-        crumbs={[{ label: "\\ Tenants" }, { label: "Registry", muted: true }]}
-        trailing={pageBadge.toUpperCase()}
-      />
+    <div className="space-y-4 sm:space-y-6">
+      <EntityPageHeader
+        icon={Building2}
+        title="Registry"
+        tone="info"
+        total={data?.totalCount ?? null}
+        unit="tenant"
+        description={
+          data
+            ? `${data.totalCount} ${data.totalCount === 1 ? "tenant" : "tenants"} registered on this instance.`
+            : "Loading the registry…"
+        }
+      >
+        <Button
+          onClick={() => setCreateOpen(true)}
+          className="h-9 flex-1 gap-1.5 rounded-lg px-4 text-[13px] font-semibold sm:flex-none"
+        >
+          <Plus className="size-4" /> New tenant
+        </Button>
+      </EntityPageHeader>
 
-      <div className="flex flex-wrap items-end justify-between gap-4">
-        <div>
-          <h1 className="font-display text-4xl font-semibold tracking-tight md:text-5xl">
-            Registry
-          </h1>
-          <p className="mt-2 max-w-xl text-sm text-[var(--color-muted-foreground)]">
-            {data
-              ? `${data.totalCount} ${data.totalCount === 1 ? "tenant" : "tenants"} registered on this instance.`
-              : "Loading the registry…"}
+      {query.isError && (
+        <ErrorBand
+          message={
+            query.error instanceof ApiRequestError
+              ? query.error.problem?.detail ?? query.error.message
+              : "Failed to load tenants."
+          }
+        />
+      )}
+
+      {query.isLoading && items.length === 0 && (
+        <div
+          role="status"
+          className="py-12 text-center font-mono text-sm uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]"
+        >
+          Loading…
+        </div>
+      )}
+
+      {!query.isLoading && items.length === 0 && !query.isError && (
+        <div className="py-16 text-center">
+          <p className="font-display text-2xl text-[var(--color-foreground)]">No tenants yet.</p>
+          <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
+            Provision the first tenant to get started.
           </p>
         </div>
-        <Button onClick={() => navigate("/tenants/new")} className="shrink-0">
-          <Plus className="mr-1 h-4 w-4" /> New tenant
-        </Button>
-      </div>
-
-      {/* Roster */}
-      <div className="border-t border-[var(--color-border)]">
-        {query.isError && (
-          <div
-            role="alert"
-            className="border-b border-[var(--color-border)] px-1 py-4 text-sm text-[var(--color-destructive)]"
-          >
-            {query.error instanceof ApiRequestError
-              ? query.error.problem?.detail ?? query.error.message
-              : "Failed to load tenants."}
-          </div>
-        )}
+      )}
 
-        {query.isLoading && items.length === 0 && (
-          <div
-            role="status"
-            className="px-1 py-12 text-center text-sm font-mono uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]"
-          >
-            Loading…
-          </div>
-        )}
+      {items.length > 0 && (
+        <div>
+          <p className="mb-3 text-[12px] font-medium text-[var(--color-muted-foreground)]">
+            {data?.totalCount ?? 0} tenant{(data?.totalCount ?? 0) !== 1 ? "s" : ""} registered
+          </p>
 
-        {!query.isLoading && items.length === 0 && (
-          <div className="px-1 py-16 text-center">
-            <p className="font-display text-2xl">No tenants yet.</p>
-            <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
-              Provision the first tenant to get started.
-            </p>
+          {/* Mobile card list */}
+          <div className="space-y-2 md:hidden">
+            {items.map((tenant, i) => (
+              <TenantMobileCard
+                key={tenant.id ?? i}
+                tenant={tenant}
+                onClick={() => navigate(`/tenants/${tenant.id}`)}
+              />
+            ))}
           </div>
-        )}
 
-        <ol className="divide-y divide-[var(--color-border)]">
-          {items.map((tenant, i) => (
-            <TenantRow
-              key={tenant.id}
-              tenant={tenant}
-              index={baseIndex + i + 1}
-              onClick={() => navigate(`/tenants/${tenant.id}`)}
-            />
-          ))}
-        </ol>
-      </div>
+          {/* Desktop table */}
+          <div className="hidden overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] shadow-xs md:block">
+            <div
+              className={`grid items-center gap-3 border-b border-[var(--color-border)] bg-[var(--color-muted)]/40 px-4 py-2.5 ${DESKTOP_COLS}`}
+            >
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Tenant
+              </span>
+              <span className="hidden text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)] lg:block">
+                Admin email
+              </span>
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Status
+              </span>
+              <span />
+            </div>
+
+            <ol className="divide-y divide-[var(--color-border)]">
+              {items.map((tenant, i) => (
+                <TenantDesktopRow
+                  key={tenant.id ?? i}
+                  tenant={tenant}
+                  onClick={() => navigate(`/tenants/${tenant.id}`)}
+                />
+              ))}
+            </ol>
+          </div>
+        </div>
+      )}
 
       {/* Pagination */}
       {data && data.totalPages > 1 && (
@@ -115,6 +150,7 @@ export function TenantsListPage() {
               size="sm"
               disabled={!data.hasPrevious || query.isFetching}
               onClick={() => setPageNumber((p) => Math.max(1, p - 1))}
+              className="h-9 rounded-lg px-3 text-[13px]"
             >
               <ChevronLeft className="mr-1 h-3.5 w-3.5" /> Previous
             </Button>
@@ -123,73 +159,117 @@ export function TenantsListPage() {
               size="sm"
               disabled={!data.hasNext || query.isFetching}
               onClick={() => setPageNumber((p) => p + 1)}
+              className="h-9 rounded-lg px-3 text-[13px]"
             >
               Next <ChevronRight className="ml-1 h-3.5 w-3.5" />
             </Button>
           </div>
         </div>
       )}
+
+      <CreateTenantDialog open={createOpen} onOpenChange={setCreateOpen} />
     </div>
   );
 }
 
-function TenantRow({
-  tenant,
-  index,
-  onClick,
-}: {
-  tenant: TenantDto;
-  index: number;
-  onClick: () => void;
-}) {
-  const num = String(index).padStart(3, "0");
+// ─── Status pill ─────────────────────────────────────────────────────────
+
+function StatusPill({ active }: { active: boolean }) {
+  return (
+    <span
+      className={cn(
+        "inline-flex items-center rounded-full px-1.5 py-0.5 text-[10.5px] font-medium",
+        active
+          ? "bg-[oklch(from_var(--color-success)_l_c_h_/_0.12)] text-[var(--color-success)]"
+          : "bg-[var(--color-muted)] text-[var(--color-muted-foreground)]",
+      )}
+    >
+      {active ? "Active" : "Inactive"}
+    </span>
+  );
+}
+
+// ─── Mobile card ───────────────────────────────────────────────────────────
+
+function TenantMobileCard({ tenant, onClick }: { tenant: TenantDto; onClick: () => void }) {
   return (
-    <li>
+    <li className="list-none">
       <button
         type="button"
         onClick={onClick}
-        className="group grid w-full grid-cols-[3.5rem_2.5rem_1fr_auto] items-center gap-4 px-1 py-4 text-left transition-colors hover:bg-[var(--color-muted)]/50 focus:outline-none focus-visible:bg-[var(--color-muted)]/50"
+        aria-label={`Open tenant ${tenant.name}`}
+        className={cn(
+          "group w-full overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] p-4 text-left shadow-xs",
+          "transition-colors hover:border-[var(--color-border-strong)] hover:bg-[var(--color-accent)]",
+          "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          !tenant.isActive && "opacity-75",
+        )}
       >
-        <span className="font-mono text-xs tabular-nums text-[var(--color-muted-foreground)]">
-          #{num}
-        </span>
-
-        <Monogram seed={tenant.id} fallback={tenant.name} size="md" />
-
-        <div className="min-w-0">
-          <div className="flex items-baseline gap-2">
-            <span className="truncate font-display text-lg font-medium tracking-tight">
-              {tenant.name}
-            </span>
-            <span className="truncate font-mono text-xs text-[var(--color-muted-foreground)]">
-              {tenant.id}
-            </span>
-          </div>
-          <div className="mt-0.5 flex flex-wrap items-center gap-3 text-xs text-[var(--color-muted-foreground)]">
-            <span className="truncate font-mono">{tenant.adminEmail}</span>
-            <span className="font-mono text-[10.5px] uppercase tracking-[0.18em]">
-              valid · {formatDate(tenant.validUpto)}
-            </span>
+        <div className="flex items-center justify-between">
+          <div className="flex min-w-0 items-center gap-3">
+            <Monogram seed={tenant.id} fallback={tenant.name} size="md" />
+            <div className="min-w-0">
+              <p className="truncate text-[14px] font-medium text-[var(--color-foreground)]">
+                {tenant.name}
+              </p>
+              <p className="mt-0.5 truncate font-mono text-[11px] text-[var(--color-muted-foreground)]">
+                {tenant.id}
+              </p>
+            </div>
           </div>
+          <ChevronRight className="size-4 shrink-0 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
+        <div className="mt-2 ml-[52px] flex flex-wrap items-center gap-2">
+          <StatusPill active={tenant.isActive} />
+          <span className="truncate font-mono text-[11px] text-[var(--color-muted-foreground)]">
+            {tenant.adminEmail}
+          </span>
         </div>
-
-        <StatusDot active={tenant.isActive} />
       </button>
     </li>
   );
 }
 
-function StatusDot({ active }: { active: boolean }) {
+// ─── Desktop row ────────────────────────────────────────────────────────────
+
+function TenantDesktopRow({ tenant, onClick }: { tenant: TenantDto; onClick: () => void }) {
   return (
-    <span className="flex items-center gap-2 font-mono text-[0.6875rem] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-      <span
-        aria-hidden
+    <li className="list-none">
+      <button
+        type="button"
+        onClick={onClick}
         className={cn(
-          "h-1.5 w-1.5 rounded-full",
-          active ? "bg-[var(--color-foreground)]" : "border border-[var(--color-foreground)]/40 bg-transparent",
+          `group grid w-full items-center gap-3 px-4 py-3.5 text-left transition-colors hover:bg-[var(--color-accent)] focus-visible:bg-[var(--color-accent)] focus-visible:outline-none ${DESKTOP_COLS}`,
+          !tenant.isActive && "opacity-75",
         )}
-      />
-      {active ? "Active" : "Inactive"}
-    </span>
+      >
+        {/* Name + id */}
+        <div className="flex min-w-0 items-center gap-3">
+          <Monogram seed={tenant.id} fallback={tenant.name} size="md" />
+          <div className="min-w-0">
+            <span className="block truncate text-[14px] font-medium text-[var(--color-foreground)] transition-colors group-hover:text-[var(--color-primary)]">
+              {tenant.name}
+            </span>
+            <span className="block truncate font-mono text-[12px] text-[var(--color-muted-foreground)]">
+              {tenant.id} · valid {formatDate(tenant.validUpto)}
+            </span>
+          </div>
+        </div>
+
+        {/* Admin email (lg+) */}
+        <code className="hidden truncate font-mono text-[12px] text-[var(--color-muted-foreground)] lg:block">
+          {tenant.adminEmail}
+        </code>
+
+        {/* Status */}
+        <div className="flex items-center">
+          <StatusPill active={tenant.isActive} />
+        </div>
+
+        <div className="flex items-center justify-end">
+          <ChevronRight className="size-4 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
+      </button>
+    </li>
   );
 }
diff --git a/clients/admin/src/pages/users/create.tsx b/clients/admin/src/pages/users/create.tsx
index 9494c4b5de..2f58683458 100644
--- a/clients/admin/src/pages/users/create.tsx
+++ b/clients/admin/src/pages/users/create.tsx
@@ -1,223 +1,8 @@
-import { useNavigate } from "react-router-dom";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { useForm } from "react-hook-form";
-import { zodResolver } from "@hookform/resolvers/zod";
-import { z } from "zod";
-import { ArrowLeft } from "lucide-react";
-import { toast } from "sonner";
-import { registerUser } from "@/api/users";
-import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
-import {
-  PageHeader,
-  Field,
-  FormShell,
-  FormSection,
-  FormActions,
-} from "@/components/list";
-import { ApiRequestError } from "@/lib/api-client";
-
-const USERNAME_RE = /^[a-zA-Z][a-zA-Z0-9._-]{2,31}$/;
-
-const schema = z
-  .object({
-    firstName: z.string().trim().min(1, "Required.").max(64),
-    lastName: z.string().trim().min(1, "Required.").max(64),
-    userName: z
-      .string()
-      .trim()
-      .regex(USERNAME_RE, "3–32 chars. Letters, digits, dot, dash, underscore. Start with a letter."),
-    email: z.string().trim().email("Enter a valid email."),
-    phoneNumber: z.string().trim().max(32).optional(),
-    password: z.string().min(8, "At least 8 characters."),
-    confirmPassword: z.string().min(8),
-  })
-  .refine((d) => d.password === d.confirmPassword, {
-    path: ["confirmPassword"],
-    message: "Passwords don't match.",
-  });
-
-type FormValues = z.infer<typeof schema>;
+import { Navigate } from "react-router-dom";
 
+// User creation is now a dialog launched from the list page.
+// This page is kept (and the route lazily loads it) so that any bookmarked
+// /users/new links continue to work — they redirect seamlessly to /users.
 export function CreateUserPage() {
-  const navigate = useNavigate();
-  const queryClient = useQueryClient();
-
-  const {
-    register,
-    handleSubmit,
-    formState: { errors, isSubmitting },
-  } = useForm<FormValues>({
-    resolver: zodResolver(schema),
-    defaultValues: {
-      firstName: "",
-      lastName: "",
-      userName: "",
-      email: "",
-      phoneNumber: "",
-      password: "",
-      confirmPassword: "",
-    },
-  });
-
-  const mutation = useMutation({
-    mutationFn: registerUser,
-    onSuccess: (result) => {
-      toast.success("User created", {
-        description: result.message ?? "Confirmation email queued.",
-      });
-      queryClient.invalidateQueries({ queryKey: ["users"] });
-      navigate(result.userId ? `/users/${result.userId}` : "/users");
-    },
-    onError: (err) => {
-      const detail =
-        err instanceof ApiRequestError
-          ? err.problem?.detail ?? err.problem?.title ?? err.message
-          : (err as Error).message;
-      toast.error("Create failed", { description: detail });
-    },
-  });
-
-  const onSubmit = handleSubmit((values) =>
-    mutation.mutate({
-      firstName: values.firstName,
-      lastName: values.lastName,
-      userName: values.userName,
-      email: values.email,
-      password: values.password,
-      confirmPassword: values.confirmPassword,
-      phoneNumber: values.phoneNumber?.trim() || undefined,
-    }),
-  );
-
-  const submitting = isSubmitting || mutation.isPending;
-
-  return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Users" }, { label: "New", muted: true }]}
-        trailing="Account · Draft"
-        title="New account"
-        description="The new user is created in the current tenant and emailed a confirmation link. Roles can be assigned from the detail page after creation."
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/users")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Directory
-          </Button>
-        }
-      />
-
-      <form onSubmit={onSubmit}>
-        <FormShell>
-          <FormSection
-            title="Identity"
-            description="Personal details and the username they'll use to sign in."
-          >
-            <div className="grid gap-5 sm:grid-cols-2">
-              <Field id="firstName" label="First name" required error={errors.firstName?.message}>
-                <Input
-                  id="firstName"
-                  autoComplete="given-name"
-                  aria-invalid={errors.firstName ? true : undefined}
-                  {...register("firstName")}
-                />
-              </Field>
-              <Field id="lastName" label="Last name" required error={errors.lastName?.message}>
-                <Input
-                  id="lastName"
-                  autoComplete="family-name"
-                  aria-invalid={errors.lastName ? true : undefined}
-                  {...register("lastName")}
-                />
-              </Field>
-            </div>
-
-            <Field
-              id="userName"
-              label="Username"
-              required
-              hint="Letters, digits, dot, dash or underscore. 3–32 characters."
-              error={errors.userName?.message}
-            >
-              <Input
-                id="userName"
-                placeholder="m.chen"
-                autoComplete="off"
-                className="font-mono"
-                aria-invalid={errors.userName ? true : undefined}
-                {...register("userName")}
-              />
-            </Field>
-
-            <Field id="email" label="Email" required error={errors.email?.message}>
-              <Input
-                id="email"
-                type="email"
-                placeholder="user@example.com"
-                autoComplete="email"
-                className="font-mono"
-                aria-invalid={errors.email ? true : undefined}
-                {...register("email")}
-              />
-            </Field>
-
-            <Field id="phoneNumber" label="Phone (optional)" error={errors.phoneNumber?.message}>
-              <Input
-                id="phoneNumber"
-                type="tel"
-                placeholder="+1 555 0100"
-                autoComplete="tel"
-                className="font-mono"
-                {...register("phoneNumber")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormSection
-            title="Credentials"
-            description="Initial password. The user is encouraged to change it on first sign-in."
-          >
-            <Field id="password" label="Password" required error={errors.password?.message}>
-              <Input
-                id="password"
-                type="password"
-                autoComplete="new-password"
-                className="font-mono"
-                aria-invalid={errors.password ? true : undefined}
-                {...register("password")}
-              />
-            </Field>
-            <Field
-              id="confirmPassword"
-              label="Confirm password"
-              required
-              error={errors.confirmPassword?.message}
-            >
-              <Input
-                id="confirmPassword"
-                type="password"
-                autoComplete="new-password"
-                className="font-mono"
-                aria-invalid={errors.confirmPassword ? true : undefined}
-                {...register("confirmPassword")}
-              />
-            </Field>
-          </FormSection>
-
-          <FormActions>
-            <Button type="submit" disabled={submitting}>
-              {submitting ? "Creating…" : "Create account"}
-            </Button>
-            <Button
-              type="button"
-              variant="outline"
-              onClick={() => navigate("/users")}
-              disabled={submitting}
-            >
-              Cancel
-            </Button>
-          </FormActions>
-        </FormShell>
-      </form>
-    </div>
-  );
+  return <Navigate to="/users" replace />;
 }
diff --git a/clients/admin/src/pages/users/detail.tsx b/clients/admin/src/pages/users/detail.tsx
index 4029d88a57..fde0e92e71 100644
--- a/clients/admin/src/pages/users/detail.tsx
+++ b/clients/admin/src/pages/users/detail.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useMemo, useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { ArrowLeft, Check, Mail, ShieldCheck } from "lucide-react";
+import { ArrowLeft, Check, Mail, ShieldCheck, User as UserIcon, Users } from "lucide-react";
 import { toast } from "sonner";
 import {
   assignUserRoles,
@@ -15,12 +15,10 @@ import { Badge } from "@/components/ui/badge";
 import { Monogram } from "@/components/monogram";
 import { UserSessionsCard } from "@/components/sessions/user-sessions-card";
 import {
-  PageHeader,
+  EntityPageHeader,
   ErrorBand,
   LoadingRow,
-  FormShell,
-  FormSection,
-  FormActions,
+  SettingsSection,
 } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
@@ -49,7 +47,7 @@ export function UserDetailPage() {
       queryClient.invalidateQueries({ queryKey: ["user", id] });
       queryClient.invalidateQueries({ queryKey: ["users"] });
     },
-    onError: (err) => toast.error("Status change failed", { description: describe(err) }),
+    onError: (err) => toast.error("Status change failed", { description: describeErr(err) }),
   });
 
   const user = userQuery.data;
@@ -62,105 +60,125 @@ export function UserDetailPage() {
     id;
 
   return (
-    <div className="space-y-8">
-      <PageHeader
-        crumbs={[
-          { label: "\\ Users" },
-          { label: user?.userName ?? user?.email ?? id, muted: true },
-        ]}
-        trailing={id ? `ID · ${shortId(id)}` : undefined}
+    <div className="space-y-6">
+      <EntityPageHeader
+        icon={Users}
         title={displayName}
-        description={user?.email}
-        actions={
-          <Button variant="ghost" size="sm" onClick={() => navigate("/users")}>
-            <ArrowLeft className="mr-1 h-3.5 w-3.5" /> Directory
-          </Button>
-        }
-      />
+        description={user?.email ?? undefined}
+      >
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={() => navigate("/users")}
+          className="h-9 gap-1.5 rounded-lg px-3 text-[13px]"
+        >
+          <ArrowLeft className="size-3.5" /> Directory
+        </Button>
+      </EntityPageHeader>
 
-      {userQuery.isError && <ErrorBand message={describe(userQuery.error)} />}
+      {userQuery.isError && <ErrorBand message={describeErr(userQuery.error)} />}
 
       {userQuery.isLoading && !user && <LoadingRow label="Loading account" />}
 
       {user && (
         <>
-          <header className="card-shell flex flex-col items-start gap-6 px-6 py-6 sm:px-8 md:flex-row md:items-center md:justify-between">
-            <div className="flex items-center gap-5">
-              <Monogram
-                seed={user.id ?? user.userName ?? "user"}
-                firstName={user.firstName ?? undefined}
-                lastName={user.lastName ?? undefined}
-                fallback={user.userName ?? user.email ?? undefined}
-                size="lg"
-              />
-              <div>
-                <h2 className="font-display text-2xl font-semibold tracking-tight md:text-3xl">
-                  {displayName}
-                </h2>
-                <div className="mt-1 flex flex-wrap items-baseline gap-x-4 gap-y-1 font-mono text-xs text-[var(--color-muted-foreground)]">
-                  {user.userName && <code className="code-chip">@{user.userName}</code>}
-                  {user.email && <span className="truncate">{user.email}</span>}
-                </div>
-                <div className="mt-3 flex flex-wrap items-center gap-2">
-                  <Badge
-                    variant={user.isActive ? "success" : "muted"}
-                    className="font-mono uppercase tracking-[0.14em]"
-                  >
-                    {user.isActive ? "Active" : "Disabled"}
-                  </Badge>
-                  <Badge
-                    variant={user.emailConfirmed ? "info" : "warning"}
-                    className="font-mono uppercase tracking-[0.14em]"
-                  >
-                    <Mail className="h-3 w-3" />
-                    {user.emailConfirmed ? "Email confirmed" : "Email pending"}
-                  </Badge>
+          {/* Hero card */}
+          <div className="overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] shadow-xs">
+            <div className="flex flex-col items-start gap-6 px-6 py-6 sm:flex-row sm:items-center sm:justify-between sm:px-8">
+              <div className="flex items-center gap-5">
+                <Monogram
+                  seed={user.id ?? user.userName ?? "user"}
+                  firstName={user.firstName ?? undefined}
+                  lastName={user.lastName ?? undefined}
+                  fallback={user.userName ?? user.email ?? undefined}
+                  size="lg"
+                />
+                <div>
+                  <h2 className="font-display text-2xl font-semibold tracking-tight md:text-3xl">
+                    {displayName}
+                  </h2>
+                  <div className="mt-1 flex flex-wrap items-baseline gap-x-4 gap-y-1 font-mono text-xs text-[var(--color-muted-foreground)]">
+                    {user.userName && (
+                      <code className="rounded bg-[var(--color-muted)] px-1 py-0.5 text-[11px]">
+                        @{user.userName}
+                      </code>
+                    )}
+                    {user.email && <span className="truncate">{user.email}</span>}
+                  </div>
+                  <div className="mt-3 flex flex-wrap items-center gap-2">
+                    <Badge
+                      variant={user.isActive ? "success" : "muted"}
+                      className="font-mono text-[10px] uppercase tracking-[0.14em]"
+                    >
+                      {user.isActive ? "Active" : "Disabled"}
+                    </Badge>
+                    <Badge
+                      variant={user.emailConfirmed ? "info" : "warning"}
+                      className="font-mono text-[10px] uppercase tracking-[0.14em]"
+                    >
+                      <Mail className="h-3 w-3" />
+                      {user.emailConfirmed ? "Email confirmed" : "Email pending"}
+                    </Badge>
+                  </div>
                 </div>
               </div>
-            </div>
 
-            <Button
-              variant={user.isActive ? "outline" : "default"}
-              onClick={() => toggleMutation.mutate(!user.isActive)}
-              disabled={toggleMutation.isPending}
-              className="shrink-0"
-            >
-              {toggleMutation.isPending
-                ? "Updating…"
-                : user.isActive
-                  ? "Deactivate account"
-                  : "Activate account"}
-            </Button>
-          </header>
+              <Button
+                variant={user.isActive ? "outline" : "default"}
+                onClick={() => toggleMutation.mutate(!user.isActive)}
+                disabled={toggleMutation.isPending}
+                className="shrink-0 h-9 rounded-lg px-4 text-[13px]"
+              >
+                {toggleMutation.isPending
+                  ? "Updating…"
+                  : user.isActive
+                    ? "Deactivate account"
+                    : "Activate account"}
+              </Button>
+            </div>
+          </div>
 
-          <FormShell>
-            <FormSection
-              title="Identity"
+          <div className="grid gap-4 lg:grid-cols-[minmax(0,1fr)_minmax(0,1fr)]">
+            {/* Identity details */}
+            <SettingsSection
+              title="Identity card"
+              icon={UserIcon}
               description="Account identifiers and contact details captured at registration."
             >
-              <dl className="divide-y divide-[var(--color-border)]">
-                <DetailRow label="User ID" mono>{user.id ?? "—"}</DetailRow>
-                <DetailRow label="Username" mono>{user.userName ?? "—"}</DetailRow>
-                <DetailRow label="Email" mono>{user.email ?? "—"}</DetailRow>
-                <DetailRow label="Phone" mono>{user.phoneNumber ?? "—"}</DetailRow>
-                <DetailRow label="Status">{user.isActive ? "Active" : "Disabled"}</DetailRow>
+              <dl className="space-y-0 divide-y divide-[oklch(from_var(--color-border)_l_c_h_/_0.5)]">
+                <DetailRow label="User ID" mono>
+                  {user.id ?? "—"}
+                </DetailRow>
+                <DetailRow label="Username" mono>
+                  {user.userName ?? "—"}
+                </DetailRow>
+                <DetailRow label="Email" mono>
+                  {user.email ?? "—"}
+                </DetailRow>
+                <DetailRow label="Phone" mono>
+                  {user.phoneNumber ?? "—"}
+                </DetailRow>
+                <DetailRow label="Status">
+                  {user.isActive ? "Active" : "Disabled"}
+                </DetailRow>
                 <DetailRow label="Email confirmed">
                   {user.emailConfirmed ? "Yes" : "Pending confirmation"}
                 </DetailRow>
               </dl>
-            </FormSection>
-          </FormShell>
+            </SettingsSection>
 
-          <RolesEditor
-            userId={user.id ?? id}
-            roles={roles ?? []}
-            loading={rolesQuery.isLoading}
-            error={rolesQuery.error}
-            onSaved={() => {
-              queryClient.invalidateQueries({ queryKey: ["user", id, "roles"] });
-              queryClient.invalidateQueries({ queryKey: ["users"] });
-            }}
-          />
+            {/* Roles editor */}
+            <RolesEditor
+              userId={user.id ?? id}
+              roles={roles ?? []}
+              loading={rolesQuery.isLoading}
+              error={rolesQuery.error}
+              onSaved={() => {
+                queryClient.invalidateQueries({ queryKey: ["user", id, "roles"] });
+                queryClient.invalidateQueries({ queryKey: ["users"] });
+              }}
+            />
+          </div>
 
           <UserSessionsCard userId={user.id ?? id} />
         </>
@@ -181,9 +199,16 @@ function DetailRow({
   mono?: boolean;
 }) {
   return (
-    <div className="grid grid-cols-[10rem_1fr] items-baseline gap-4 py-2.5">
-      <dt className="meta text-[var(--color-muted-foreground)]">{label}</dt>
-      <dd className={cn("min-w-0 break-words text-sm", mono && "font-mono text-[0.8125rem]")}>
+    <div className="flex items-baseline justify-between gap-3 py-2.5">
+      <dt className="shrink-0 text-[11.5px] font-medium text-[var(--color-muted-foreground)]">
+        {label}
+      </dt>
+      <dd
+        className={cn(
+          "min-w-0 truncate text-right text-[13px] text-[var(--color-foreground)]",
+          mono && "font-mono text-[11.5px]",
+        )}
+      >
         {children}
       </dd>
     </div>
@@ -230,7 +255,7 @@ function RolesEditor({
       queryClient.invalidateQueries({ queryKey: ["user", userId, "roles"] });
       onSaved();
     },
-    onError: (err) => toast.error("Role update failed", { description: describe(err) }),
+    onError: (err) => toast.error("Role update failed", { description: describeErr(err) }),
   });
 
   const onSave = () => {
@@ -240,65 +265,66 @@ function RolesEditor({
   const onDiscard = () => setDraft(original);
 
   return (
-    <FormShell>
-      <FormSection
-        title="Roles"
-        description={
-          <>
-            Tap any role to toggle. Changes are batched — review and save when ready.
-            <span className="mt-2 block font-mono text-[10.5px] uppercase tracking-[0.18em]">
-              {dirtyCount === 0
-                ? "no pending changes"
-                : `${dirtyCount} ${dirtyCount === 1 ? "change" : "changes"} pending`}
-            </span>
-          </>
-        }
-      >
-        {error ? (
-          <ErrorBand message={describe(error)} />
-        ) : loading ? (
-          <p className="meta text-[var(--color-muted-foreground)]">
-            Loading<span className="caret text-[var(--color-accent-signal)]" />
-          </p>
-        ) : roles.length === 0 ? (
-          <p className="text-sm text-[var(--color-muted-foreground)]">
-            No roles defined for this tenant.
-          </p>
-        ) : (
-          <div className="flex flex-wrap gap-2">
-            {roles.map((r) => (
-              <RoleChip
-                key={r.roleId}
-                role={r}
-                enabled={!!draft[r.roleId]}
-                changed={Boolean(draft[r.roleId]) !== Boolean(original[r.roleId])}
-                onToggle={() => setDraft((d) => ({ ...d, [r.roleId]: !d[r.roleId] }))}
-              />
-            ))}
+    <SettingsSection
+      title="Role assignment"
+      icon={ShieldCheck}
+      description={
+        dirtyCount > 0
+          ? `${dirtyCount} pending change${dirtyCount === 1 ? "" : "s"} — review and save when ready.`
+          : "Tap any role to toggle. Changes are batched — review and save when ready."
+      }
+      footer={
+        !loading && roles.length > 0 ? (
+          <div className="flex items-center gap-2">
+            <Button
+              onClick={onSave}
+              disabled={dirtyCount === 0 || mutation.isPending}
+              className="h-9 rounded-lg px-4 text-[13px]"
+            >
+              <Check className="mr-1 h-3.5 w-3.5" />
+              {mutation.isPending ? "Saving…" : "Save changes"}
+            </Button>
+            <Button
+              variant="outline"
+              onClick={onDiscard}
+              disabled={dirtyCount === 0 || mutation.isPending}
+              className="h-9 rounded-lg px-4 text-[13px]"
+            >
+              Discard
+            </Button>
           </div>
-        )}
-      </FormSection>
-
-      {!loading && roles.length > 0 && (
-        <FormActions>
-          <Button onClick={onSave} disabled={dirtyCount === 0 || mutation.isPending}>
-            <Check className="mr-1 h-3.5 w-3.5" />
-            {mutation.isPending ? "Saving…" : "Save changes"}
-          </Button>
-          <Button
-            variant="outline"
-            onClick={onDiscard}
-            disabled={dirtyCount === 0 || mutation.isPending}
-          >
-            Discard
-          </Button>
-        </FormActions>
+        ) : undefined
+      }
+    >
+      {error ? (
+        <ErrorBand message={describeErr(error)} />
+      ) : loading ? (
+        <p className="text-sm text-[var(--color-muted-foreground)]">
+          Loading
+          <span className="caret text-[var(--color-accent-signal)]" />
+        </p>
+      ) : roles.length === 0 ? (
+        <p className="text-sm text-[var(--color-muted-foreground)]">
+          No roles defined for this tenant.
+        </p>
+      ) : (
+        <ul className="divide-y divide-[var(--color-border)]">
+          {roles.map((r) => (
+            <RoleRow
+              key={r.roleId}
+              role={r}
+              enabled={!!draft[r.roleId]}
+              changed={Boolean(draft[r.roleId]) !== Boolean(original[r.roleId])}
+              onToggle={() => setDraft((d) => ({ ...d, [r.roleId]: !d[r.roleId] }))}
+            />
+          ))}
+        </ul>
       )}
-    </FormShell>
+    </SettingsSection>
   );
 }
 
-function RoleChip({
+function RoleRow({
   role,
   enabled,
   changed,
@@ -308,38 +334,73 @@ function RoleChip({
   enabled: boolean;
   changed: boolean;
   onToggle: () => void;
+}) {
+  return (
+    <li className="flex items-center justify-between gap-3 py-3 first:pt-0 last:pb-0">
+      <div className="min-w-0">
+        <div className="flex items-center gap-2">
+          <span className="text-[13px] font-medium tracking-tight text-[var(--color-foreground)]">
+            {role.roleName ?? "Untitled role"}
+          </span>
+          {changed && (
+            <span
+              className="inline-block h-1.5 w-1.5 rounded-full bg-[var(--color-warning)]"
+              aria-label="modified"
+            />
+          )}
+        </div>
+        {role.description && (
+          <div className="mt-0.5 line-clamp-1 text-[11.5px] text-[var(--color-muted-foreground)]">
+            {role.description}
+          </div>
+        )}
+      </div>
+      <RoleChip
+        enabled={enabled}
+        changed={changed}
+        onToggle={onToggle}
+        label={role.roleName ?? "role"}
+      />
+    </li>
+  );
+}
+
+function RoleChip({
+  enabled,
+  changed,
+  onToggle,
+  label,
+}: {
+  enabled: boolean;
+  changed: boolean;
+  onToggle: () => void;
+  label: string;
 }) {
   return (
     <button
       type="button"
       onClick={onToggle}
-      title={role.description ?? role.roleName}
+      aria-label={`Toggle ${label}`}
       className={cn(
-        "group inline-flex items-center gap-1.5 rounded-sm border px-2.5 py-1.5 font-mono text-xs transition-colors",
+        "inline-flex shrink-0 items-center gap-1.5 rounded-full border px-2.5 py-1 font-mono text-[11px] transition-colors",
         enabled
           ? "border-[var(--color-foreground)] bg-[var(--color-foreground)] text-[var(--color-background)]"
           : "border-[var(--color-border)] text-[var(--color-foreground)] hover:bg-[var(--color-muted)]",
         changed &&
-          "ring-1 ring-offset-2 ring-offset-[var(--color-background)] ring-[var(--color-accent-signal)]/60",
+          "ring-1 ring-offset-2 ring-offset-[var(--color-background)] ring-[var(--color-warning)]/60",
       )}
     >
-      <ShieldCheck
-        className={cn("h-3 w-3", enabled ? "" : "opacity-40 group-hover:opacity-70")}
-      />
-      <span className="tracking-wide">{role.roleName}</span>
+      <ShieldCheck className={cn("h-3 w-3", enabled ? "" : "opacity-40")} />
+      <span>{enabled ? "On" : "Off"}</span>
     </button>
   );
 }
 
 // ─── helpers ────────────────────────────────────────────────────────────
 
-function shortId(id: string): string {
-  if (id.length <= 12) return id;
-  return `${id.slice(0, 4)}…${id.slice(-4)}`;
-}
-
-function describe(err: unknown): string {
-  if (err instanceof ApiRequestError) return err.problem?.detail ?? err.problem?.title ?? err.message;
+function describeErr(err: unknown): string {
+  if (err instanceof ApiRequestError)
+    return err.problem?.detail ?? err.problem?.title ?? err.message;
   if (err instanceof Error) return err.message;
   return String(err);
 }
diff --git a/clients/admin/src/pages/users/list.tsx b/clients/admin/src/pages/users/list.tsx
index 0c3620cd26..d69fb86b57 100644
--- a/clients/admin/src/pages/users/list.tsx
+++ b/clients/admin/src/pages/users/list.tsx
@@ -1,15 +1,16 @@
 import { useEffect, useMemo, useState } from "react";
 import { useNavigate } from "react-router-dom";
 import { useQuery, keepPreviousData } from "@tanstack/react-query";
-import { ChevronLeft, ChevronRight, Plus, Search } from "lucide-react";
+import { ChevronLeft, ChevronRight, Plus, Users } from "lucide-react";
 import { searchUsers, type UserDto } from "@/api/users";
 import { listRoles } from "@/api/roles";
 import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
+import { Select } from "@/components/ui/select";
 import { Monogram } from "@/components/monogram";
-import { SectionRule } from "@/components/section-rule";
+import { EntityPageHeader, ErrorBand } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
+import { CreateUserDialog } from "@/components/users/create-user-dialog";
 
 const PAGE_SIZE = 12;
 
@@ -21,6 +22,10 @@ function triToBool(v: Tri): boolean | undefined {
   return undefined;
 }
 
+// Desktop grid template — shared by header + rows.
+const DESKTOP_COLS =
+  "grid-cols-[1fr_140px_24px] lg:grid-cols-[1.6fr_140px_180px_24px]";
+
 export function UsersListPage() {
   const navigate = useNavigate();
 
@@ -30,6 +35,7 @@ export function UsersListPage() {
   const [activeFilter, setActiveFilter] = useState<Tri>("any");
   const [confirmedFilter, setConfirmedFilter] = useState<Tri>("any");
   const [roleId, setRoleId] = useState<string>("");
+  const [createOpen, setCreateOpen] = useState(false);
 
   // Debounce the search input → searchTerm
   useEffect(() => {
@@ -79,39 +85,49 @@ export function UsersListPage() {
     return `Page ${p} of ${t}`;
   }, [data]);
 
-  return (
-    <div className="space-y-8">
-      <SectionRule
-        crumbs={[{ label: "\\ Users" }, { label: "Directory", muted: true }]}
-        trailing={pageBadge.toUpperCase()}
-      />
+  const filtersActive =
+    activeFilter !== "any" || confirmedFilter !== "any" || roleId !== "";
+  const searchActive = searchTerm.length > 0 || filtersActive;
 
-      <div className="flex items-end justify-between gap-4">
-        <div>
-          <h1 className="font-display text-4xl font-semibold tracking-tight md:text-5xl">
-            Directory
-          </h1>
-          <p className="mt-2 text-sm text-[var(--color-muted-foreground)]">
-            {data
-              ? `${data.totalCount} ${data.totalCount === 1 ? "account" : "accounts"} on this tenant.`
-              : "Loading the roster…"}
-          </p>
-        </div>
-        <Button onClick={() => navigate("/users/new")} className="shrink-0">
-          <Plus className="mr-1 h-4 w-4" /> New user
+  const clearFilters = () => {
+    setSearchInput("");
+    setActiveFilter("any");
+    setConfirmedFilter("any");
+    setRoleId("");
+  };
+
+  return (
+    <div className="space-y-4 sm:space-y-6">
+      <EntityPageHeader
+        icon={Users}
+        title="Directory"
+        total={data?.totalCount ?? null}
+        unit="account"
+        description={data
+          ? `${data.totalCount} ${data.totalCount === 1 ? "account" : "accounts"} on this tenant.`
+          : "Loading the roster…"}
+      >
+        <Button
+          onClick={() => setCreateOpen(true)}
+          className="h-9 flex-1 gap-1.5 rounded-lg px-4 text-[13px] font-semibold sm:flex-none"
+        >
+          <Plus className="size-4" /> New user
         </Button>
-      </div>
+      </EntityPageHeader>
 
       {/* Filter row */}
       <div className="flex flex-wrap items-center gap-3">
         <div className="relative w-full max-w-sm">
-          <Search className="pointer-events-none absolute left-3 top-1/2 h-3.5 w-3.5 -translate-y-1/2 text-[var(--color-muted-foreground)]" />
-          <Input
+          <span className="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-[var(--color-muted-foreground)]">
+            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden><circle cx="11" cy="11" r="8"/><path d="m21 21-4.35-4.35"/></svg>
+          </span>
+          <input
+            type="search"
             value={searchInput}
             onChange={(e) => setSearchInput(e.target.value)}
             placeholder="Search name, username, email…"
             aria-label="Search users"
-            className="pl-9 font-mono text-xs placeholder:font-mono placeholder:text-xs"
+            className="h-9 w-full rounded-md border border-[var(--color-input)] bg-transparent pl-9 pr-3 font-mono text-[12.5px] outline-none transition-colors placeholder:text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)] focus-visible:border-[var(--color-ring)] focus-visible:ring-[3px] focus-visible:ring-[oklch(from_var(--color-ring)_l_c_h_/_0.5)]"
           />
         </div>
 
@@ -136,65 +152,104 @@ export function UsersListPage() {
           ]}
         />
 
-        <label className="flex items-center gap-2 text-[0.6875rem] font-mono uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-          Role
-          <select
-            value={roleId}
-            onChange={(e) => setRoleId(e.target.value)}
-            className="h-8 rounded-sm border border-[var(--color-border)] bg-transparent px-2 text-xs font-mono normal-case tracking-normal text-[var(--color-foreground)] focus:outline-none focus:ring-2 focus:ring-[var(--color-ring)]"
-          >
-            <option value="">Any role</option>
-            {rolesQuery.data?.map((r) => (
-              <option key={r.id} value={r.id}>
-                {r.name}
-              </option>
-            ))}
-          </select>
-        </label>
+        <Select
+          label="Role"
+          value={roleId}
+          onChange={(v) => setRoleId(v)}
+          options={(rolesQuery.data ?? []).map((r) => ({ value: r.id ?? "", label: r.name ?? r.id ?? "" }))}
+          placeholder="Any role"
+          minWidth="9rem"
+        />
       </div>
 
-      {/* Roster */}
-      <div className="border-t border-[var(--color-border)]">
-        {usersQuery.isError && (
-          <div
-            role="alert"
-            className="border-b border-[var(--color-border)] px-1 py-4 text-sm text-[var(--color-destructive)]"
-          >
-            {usersQuery.error instanceof ApiRequestError
+      {usersQuery.isError && (
+        <ErrorBand
+          message={
+            usersQuery.error instanceof ApiRequestError
               ? usersQuery.error.problem?.detail ?? usersQuery.error.message
-              : "Failed to load users."}
-          </div>
-        )}
+              : "Failed to load users."
+          }
+        />
+      )}
 
-        {usersQuery.isLoading && items.length === 0 && (
-          <div
-            role="status"
-            className="px-1 py-12 text-center text-sm text-[var(--color-muted-foreground)] font-mono uppercase tracking-[0.18em]"
-          >
-            Loading…
-          </div>
-        )}
+      {usersQuery.isLoading && items.length === 0 && (
+        <div
+          role="status"
+          className="py-12 text-center font-mono text-sm uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]"
+        >
+          Loading…
+        </div>
+      )}
+
+      {!usersQuery.isLoading && items.length === 0 && !usersQuery.isError && (
+        <div className="py-16 text-center">
+          <p className="font-display text-2xl text-[var(--color-foreground)]">No matches.</p>
+          <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
+            {searchActive
+              ? "Adjust filters or invite a new user."
+              : "Register the first member to seed this tenant."}
+          </p>
+          {searchActive && (
+            <Button
+              variant="outline"
+              className="mt-4 h-9 rounded-lg px-4 text-[13px]"
+              onClick={clearFilters}
+            >
+              Clear filters
+            </Button>
+          )}
+        </div>
+      )}
 
-        {!usersQuery.isLoading && items.length === 0 && (
-          <div className="px-1 py-16 text-center">
-            <p className="font-display text-2xl">No matches.</p>
-            <p className="mt-1 text-sm text-[var(--color-muted-foreground)]">
-              Adjust filters or invite a new user.
-            </p>
+      {items.length > 0 && (
+        <div>
+          <p className="mb-3 text-[12px] font-medium text-[var(--color-muted-foreground)]">
+            {data?.totalCount ?? 0} user{(data?.totalCount ?? 0) !== 1 ? "s" : ""} found
+          </p>
+
+          {/* Mobile card list */}
+          <div className="space-y-2 md:hidden">
+            {items.map((user, i) => (
+              <UserMobileCard
+                key={user.id ?? i}
+                user={user}
+                index={baseIndex + i + 1}
+                onClick={() => user.id && navigate(`/users/${user.id}`)}
+              />
+            ))}
           </div>
-        )}
 
-        <ol className="divide-y divide-[var(--color-border)]">
-          {items.map((user, i) => (
-            <UserRow
-              key={user.id ?? i}
-              user={user}
-              index={baseIndex + i + 1}
-              onClick={() => user.id && navigate(`/users/${user.id}`)}
-            />
-          ))}
-        </ol>
-      </div>
+          {/* Desktop table */}
+          <div className="hidden overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] shadow-xs md:block">
+            {/* Table header */}
+            <div
+              className={`grid items-center gap-3 border-b border-[var(--color-border)] bg-[var(--color-muted)]/40 px-4 py-2.5 ${DESKTOP_COLS}`}
+            >
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Name
+              </span>
+              <span className="text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
+                Username
+              </span>
+              <span className="hidden text-[11.5px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)] lg:block">
+                Status
+              </span>
+              <span />
+            </div>
+
+            <ol className="divide-y divide-[var(--color-border)]">
+              {items.map((user, i) => (
+                <UserDesktopRow
+                  key={user.id ?? i}
+                  user={user}
+                  isLast={i === items.length - 1}
+                  onClick={() => user.id && navigate(`/users/${user.id}`)}
+                />
+              ))}
+            </ol>
+          </div>
+        </div>
+      )}
 
       {/* Pagination */}
       {data && data.totalPages > 1 && (
@@ -208,6 +263,7 @@ export function UsersListPage() {
               size="sm"
               disabled={!data.hasPrevious || usersQuery.isFetching}
               onClick={() => setPageNumber((p) => Math.max(1, p - 1))}
+              className="h-9 rounded-lg px-3 text-[13px]"
             >
               <ChevronLeft className="mr-1 h-3.5 w-3.5" /> Previous
             </Button>
@@ -216,17 +272,22 @@ export function UsersListPage() {
               size="sm"
               disabled={!data.hasNext || usersQuery.isFetching}
               onClick={() => setPageNumber((p) => p + 1)}
+              className="h-9 rounded-lg px-3 text-[13px]"
             >
               Next <ChevronRight className="ml-1 h-3.5 w-3.5" />
             </Button>
           </div>
         </div>
       )}
+
+      <CreateUserDialog open={createOpen} onOpenChange={setCreateOpen} />
     </div>
   );
 }
 
-function UserRow({
+// ─── Mobile card ────────────────────────────────────────────────────────
+
+function UserMobileCard({
   user,
   index,
   onClick,
@@ -237,69 +298,156 @@ function UserRow({
 }) {
   const fullName = [user.firstName, user.lastName].filter(Boolean).join(" ").trim();
   const display = fullName || user.userName || user.email || "Unnamed";
-  const num = String(index).padStart(3, "0");
 
   return (
-    <li>
+    <li className="list-none">
       <button
         type="button"
         onClick={onClick}
-        className="group grid w-full grid-cols-[3.5rem_2.5rem_1fr_auto] items-center gap-4 px-1 py-4 text-left transition-colors hover:bg-[var(--color-muted)]/50 focus:outline-none focus-visible:bg-[var(--color-muted)]/50"
+        aria-label={`Open user ${display}`}
+        className={cn(
+          "group w-full overflow-hidden rounded-xl border border-[var(--color-border)] bg-[var(--color-card)] p-4 text-left shadow-xs",
+          "transition-colors hover:border-[var(--color-border-strong)] hover:bg-[var(--color-accent)]",
+          "focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-[var(--color-ring)]",
+          !user.isActive && "opacity-75",
+        )}
       >
-        <span className="font-mono text-xs text-[var(--color-muted-foreground)] tabular-nums">
-          #{num}
-        </span>
-
-        <Monogram
-          seed={user.id ?? user.userName ?? num}
-          firstName={user.firstName}
-          lastName={user.lastName}
-          fallback={user.userName ?? user.email}
-          size="md"
-        />
-
-        <div className="min-w-0">
-          <div className="flex items-baseline gap-2">
-            <span className="truncate font-display text-lg font-medium tracking-tight">
-              {display}
-            </span>
-            {user.userName && (
-              <span className="truncate font-mono text-xs text-[var(--color-muted-foreground)]">
-                @{user.userName}
-              </span>
-            )}
+        <div className="flex items-center justify-between">
+          <div className="flex min-w-0 items-center gap-3">
+            <Monogram
+              seed={user.id ?? user.userName ?? String(index)}
+              firstName={user.firstName}
+              lastName={user.lastName}
+              fallback={user.userName ?? user.email}
+              size="md"
+            />
+            <div className="min-w-0">
+              <p className="truncate text-[14px] font-medium text-[var(--color-foreground)]">
+                {display}
+              </p>
+              <p className="mt-0.5 truncate text-[11px] text-[var(--color-muted-foreground)]">
+                {user.email ?? "no email"}
+              </p>
+            </div>
           </div>
-          <div className="mt-0.5 flex items-center gap-3 text-xs text-[var(--color-muted-foreground)]">
-            <span className="truncate font-mono">{user.email ?? "—"}</span>
-            {!user.emailConfirmed && (
-              <span className="shrink-0 font-mono uppercase tracking-[0.18em] text-[var(--color-destructive)]/80">
-                · pending
-              </span>
+          <ChevronRight className="size-4 shrink-0 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
+        <div className="mt-2 ml-[52px] flex flex-wrap items-center gap-1.5">
+          <span
+            className={cn(
+              "inline-flex items-center gap-1 rounded-full px-1.5 py-0.5 text-[10.5px] font-medium",
+              user.isActive
+                ? "bg-[oklch(from_var(--color-success)_l_c_h_/_0.12)] text-[var(--color-success)]"
+                : "bg-[var(--color-muted)] text-[var(--color-muted-foreground)]",
             )}
-          </div>
+          >
+            {user.isActive ? "Active" : "Inactive"}
+          </span>
+          <span
+            className={cn(
+              "inline-flex items-center gap-1 rounded-full px-1.5 py-0.5 text-[10.5px] font-medium",
+              user.emailConfirmed
+                ? "bg-[oklch(from_var(--color-info)_l_c_h_/_0.12)] text-[var(--color-info)]"
+                : "bg-[oklch(from_var(--color-warning)_l_c_h_/_0.12)] text-[var(--color-warning)]",
+            )}
+          >
+            {user.emailConfirmed ? "Email confirmed" : "Email pending"}
+          </span>
         </div>
-
-        <StatusDot active={user.isActive} />
       </button>
     </li>
   );
 }
 
-function StatusDot({ active }: { active: boolean }) {
+// ─── Desktop row ────────────────────────────────────────────────────────
+
+function UserDesktopRow({
+  user,
+  onClick,
+}: {
+  user: UserDto;
+  isLast?: boolean;
+  onClick: () => void;
+}) {
+  const fullName = [user.firstName, user.lastName].filter(Boolean).join(" ").trim();
+  const display = fullName || user.userName || user.email || "Unnamed";
+
   return (
-    <span className="flex items-center gap-2 font-mono text-[0.6875rem] uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
-      <span
-        aria-hidden
+    <li className="list-none">
+      <button
+        type="button"
+        onClick={onClick}
         className={cn(
-          "h-1.5 w-1.5 rounded-full",
-          active ? "bg-[var(--color-foreground)]" : "border border-[var(--color-foreground)]/40 bg-transparent",
+          `group grid w-full items-center gap-3 px-4 py-3.5 text-left transition-colors hover:bg-[var(--color-accent)] focus-visible:bg-[var(--color-accent)] focus-visible:outline-none ${DESKTOP_COLS}`,
+          !user.isActive && "opacity-75",
         )}
-      />
-      {active ? "Active" : "Disabled"}
-    </span>
+      >
+        {/* Name + email */}
+        <div className="flex min-w-0 items-center gap-3">
+          <Monogram
+            seed={user.id ?? user.userName ?? "user"}
+            firstName={user.firstName}
+            lastName={user.lastName}
+            fallback={user.userName ?? user.email}
+            size="md"
+          />
+          <div className="min-w-0">
+            <span className="block truncate text-[14px] font-medium text-[var(--color-foreground)] transition-colors group-hover:text-[var(--color-primary)]">
+              {display}
+            </span>
+            <span
+              className={cn(
+                "block truncate text-[12px] text-[var(--color-muted-foreground)]",
+                !user.email && "italic opacity-60",
+              )}
+            >
+              {user.email ?? "no email on file"}
+            </span>
+          </div>
+        </div>
+
+        {/* Username */}
+        <code
+          title={user.userName ?? undefined}
+          className="truncate font-mono text-[12px] text-[var(--color-muted-foreground)]"
+        >
+          {user.userName ? `@${user.userName}` : "—"}
+        </code>
+
+        {/* Status (lg+) */}
+        <div className="hidden items-center gap-1.5 lg:flex">
+          <span
+            className={cn(
+              "inline-flex items-center rounded-full px-1.5 py-0.5 text-[10.5px] font-medium",
+              user.isActive
+                ? "bg-[oklch(from_var(--color-success)_l_c_h_/_0.12)] text-[var(--color-success)]"
+                : "bg-[var(--color-muted)] text-[var(--color-muted-foreground)]",
+            )}
+          >
+            {user.isActive ? "Active" : "Inactive"}
+          </span>
+          <span
+            className={cn(
+              "inline-flex items-center rounded-full px-1.5 py-0.5 text-[10.5px] font-medium",
+              user.emailConfirmed
+                ? "bg-[oklch(from_var(--color-info)_l_c_h_/_0.12)] text-[var(--color-info)]"
+                : "bg-[oklch(from_var(--color-warning)_l_c_h_/_0.12)] text-[var(--color-warning)]",
+            )}
+          >
+            {user.emailConfirmed ? "Confirmed" : "Pending"}
+          </span>
+        </div>
+
+        <div className="flex items-center justify-end">
+          <ChevronRight className="size-4 text-[var(--color-border)] transition-colors group-hover:text-[var(--color-muted-foreground)]" />
+        </div>
+      </button>
+    </li>
   );
 }
 
+// ─── Segmented filter control ────────────────────────────────────────────
+
 type SegmentedProps<T extends string> = {
   label: string;
   value: T;
@@ -311,7 +459,7 @@ function Segmented<T extends string>({ label, value, onChange, options }: Segmen
   return (
     <div className="flex items-center gap-2 text-[0.6875rem] font-mono uppercase tracking-[0.18em] text-[var(--color-muted-foreground)]">
       <span id={`seg-${label}`}>{label}</span>
-      <div role="group" aria-labelledby={`seg-${label}`} className="flex overflow-hidden rounded-sm border border-[var(--color-border)]">
+      <div role="group" aria-labelledby={`seg-${label}`} className="flex overflow-hidden rounded-md border border-[var(--color-border)]">
         {options.map((o) => {
           const selected = o.value === value;
           return (
diff --git a/clients/admin/src/pages/webhooks/detail.tsx b/clients/admin/src/pages/webhooks/detail.tsx
index c1024f7ac9..553962753a 100644
--- a/clients/admin/src/pages/webhooks/detail.tsx
+++ b/clients/admin/src/pages/webhooks/detail.tsx
@@ -9,6 +9,8 @@ import {
 import {
   ArrowLeft,
   CheckCircle2,
+  Link2,
+  List,
   RefreshCw,
   Send,
   Trash2,
@@ -27,11 +29,10 @@ import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
 import {
   ErrorBand,
-  FormSection,
-  FormShell,
   LoadingRow,
   PageHeader,
   Pagination,
+  SettingsSection,
 } from "@/components/list";
 import { ApiRequestError } from "@/lib/api-client";
 import { cn } from "@/lib/cn";
@@ -113,24 +114,13 @@ export function WebhookDetailPage() {
       )}
 
       {sub && (
-        <>
-          <FormShell>
-            <FormSection
-              title="Endpoint"
-              description="Where we POST event payloads."
-            >
-              <dl className="divide-y divide-[var(--color-border)]">
-                <Row label="URL" mono value={sub.url} />
-                <Row label="Status" value={
-                  <Badge variant={sub.isActive ? "success" : "muted"} className="font-mono uppercase tracking-[0.14em]">
-                    {sub.isActive ? "Active" : "Inactive"}
-                  </Badge>
-                } />
-                <Row label="Subscription id" mono value={sub.id} />
-                <Row label="Created" mono value={new Date(sub.createdAtUtc).toLocaleString()} />
-              </dl>
-
-              <div className="flex flex-wrap items-center gap-2 pt-2">
+        <div className="space-y-4">
+          <SettingsSection
+            icon={Link2}
+            title="Endpoint"
+            description="Where we POST event payloads."
+            footer={
+              <div className="flex flex-wrap items-center gap-2">
                 <Button variant="outline" size="sm" onClick={() => test.mutate()} disabled={test.isPending}>
                   <Send className="mr-1.5 h-3.5 w-3.5" />
                   {test.isPending ? "Sending…" : "Send test event"}
@@ -150,30 +140,41 @@ export function WebhookDetailPage() {
                   {remove.isPending ? "Deleting…" : "Delete subscription"}
                 </Button>
               </div>
-            </FormSection>
+            }
+          >
+            <dl className="grid grid-cols-1 gap-y-3 sm:grid-cols-2">
+              <FieldRow label="URL" mono value={sub.url} />
+              <FieldRow label="Status" value={
+                <Badge variant={sub.isActive ? "success" : "muted"} className="font-mono uppercase tracking-[0.14em]">
+                  {sub.isActive ? "Active" : "Inactive"}
+                </Badge>
+              } />
+              <FieldRow label="Subscription id" mono value={sub.id} />
+              <FieldRow label="Created" mono value={new Date(sub.createdAtUtc).toLocaleString()} />
+            </dl>
+          </SettingsSection>
 
-            <FormSection
-              title="Events"
-              description="Event types this endpoint subscribes to."
-            >
-              <div className="flex flex-wrap gap-1.5">
-                {sub.events.map((e) => (
-                  <code key={e} className="code-chip">{e}</code>
-                ))}
-                {sub.events.length === 0 && (
-                  <span className="text-sm text-[var(--color-muted-foreground)]">— no events; subscription would never fire</span>
-                )}
-              </div>
-            </FormSection>
-          </FormShell>
+          <SettingsSection
+            icon={List}
+            title="Events"
+            description="Event types this endpoint subscribes to."
+          >
+            <div className="flex flex-wrap gap-1.5">
+              {sub.events.map((e) => (
+                <code key={e} className="code-chip">{e}</code>
+              ))}
+              {sub.events.length === 0 && (
+                <span className="text-sm text-[var(--color-muted-foreground)]">— no events; subscription would never fire</span>
+              )}
+            </div>
+          </SettingsSection>
 
-          <FormShell>
-            <FormSection
-              title="Deliveries"
-              description="Recent attempts to POST events to this endpoint. Auto-refreshes every 10s."
-            >
-              <div className="flex items-center justify-between gap-2 pb-2">
-                <span className="meta text-[var(--color-muted-foreground)]">
+          <SettingsSection
+            title="Deliveries"
+            description="Recent attempts to POST events to this endpoint. Auto-refreshes every 10s."
+            footer={
+              <div className="flex items-center justify-between gap-2">
+                <span className="font-mono text-[11px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">
                   {deliveries.data ? `${deliveries.data.totalCount} attempts` : "—"}
                 </span>
                 <Button
@@ -186,23 +187,25 @@ export function WebhookDetailPage() {
                   Refresh
                 </Button>
               </div>
-
-              {deliveries.isError ? (
-                <ErrorBand message={describe(deliveries.error)} />
-              ) : deliveries.isLoading ? (
-                <LoadingRow label="Loading deliveries" />
-              ) : (deliveries.data?.items.length ?? 0) === 0 ? (
-                <p className="text-sm text-[var(--color-muted-foreground)]">
-                  No deliveries yet. Try the test button above, or wait for matching events to fire.
-                </p>
-              ) : (
-                <>
-                  <ol className="divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
-                    {(deliveries.data!.items ?? []).map((d) => (
-                      <DeliveryRow key={d.id} delivery={d} />
-                    ))}
-                  </ol>
-                  {deliveries.data!.totalPages > 1 && (
+            }
+          >
+            {deliveries.isError ? (
+              <ErrorBand message={describe(deliveries.error)} />
+            ) : deliveries.isLoading ? (
+              <LoadingRow label="Loading deliveries" />
+            ) : (deliveries.data?.items.length ?? 0) === 0 ? (
+              <p className="text-sm text-[var(--color-muted-foreground)]">
+                No deliveries yet. Try the test button above, or wait for matching events to fire.
+              </p>
+            ) : (
+              <>
+                <ol className="-mx-5 divide-y divide-[var(--color-border)] border-y border-[var(--color-border)]">
+                  {(deliveries.data!.items ?? []).map((d) => (
+                    <DeliveryRow key={d.id} delivery={d} />
+                  ))}
+                </ol>
+                {deliveries.data!.totalPages > 1 && (
+                  <div className="mt-4">
                     <Pagination
                       page={deliveries.data!.pageNumber}
                       totalPages={deliveries.data!.totalPages}
@@ -215,12 +218,12 @@ export function WebhookDetailPage() {
                       onNext={() => setDeliveryPage((p) => p + 1)}
                       noun="deliveries"
                     />
-                  )}
-                </>
-              )}
-            </FormSection>
-          </FormShell>
-        </>
+                  </div>
+                )}
+              </>
+            )}
+          </SettingsSection>
+        </div>
       )}
     </div>
   );
@@ -230,7 +233,7 @@ function DeliveryRow({ delivery }: { delivery: WebhookDeliveryDto }) {
   const Icon = delivery.success ? CheckCircle2 : XCircle;
   const tone = delivery.success ? "text-[var(--color-success)]" : "text-[var(--color-destructive)]";
   return (
-    <li className="grid grid-cols-[auto_8rem_auto_1fr_auto_auto] items-center gap-3 py-2.5">
+    <li className="grid grid-cols-[auto_8rem_auto_1fr_auto_auto] items-center gap-3 px-5 py-2.5">
       <Icon className={cn("h-4 w-4", tone)} />
       <span className="font-mono text-[11px] tabular-nums text-[var(--color-muted-foreground)]">
         {formatTimestamp(delivery.attemptedAtUtc)}
@@ -252,10 +255,10 @@ function DeliveryRow({ delivery }: { delivery: WebhookDeliveryDto }) {
   );
 }
 
-function Row({ label, value, mono }: { label: string; value: React.ReactNode; mono?: boolean }) {
+function FieldRow({ label, value, mono }: { label: string; value: React.ReactNode; mono?: boolean }) {
   return (
-    <div className="grid grid-cols-[10rem_1fr] items-baseline gap-4 py-2.5">
-      <dt className="meta text-[var(--color-muted-foreground)]">{label}</dt>
+    <div className="grid grid-cols-[10rem_1fr] items-baseline gap-4">
+      <dt className="font-mono text-[10.5px] uppercase tracking-[0.14em] text-[var(--color-muted-foreground)]">{label}</dt>
       <dd className={cn("min-w-0 break-words text-sm", mono && "font-mono text-[0.8125rem]")}>
         {value}
       </dd>
diff --git a/clients/admin/src/pages/webhooks/list.tsx b/clients/admin/src/pages/webhooks/list.tsx
index 0977e1fdda..ff9278c0b1 100644
--- a/clients/admin/src/pages/webhooks/list.tsx
+++ b/clients/admin/src/pages/webhooks/list.tsx
@@ -24,9 +24,9 @@ import {
 import { Button } from "@/components/ui/button";
 import { Badge } from "@/components/ui/badge";
 import {
+  EntityPageHeader,
   ErrorBand,
   LoadingRow,
-  PageHeader,
   Pagination,
 } from "@/components/list";
 import { EmptyState } from "@/components/empty-state";
@@ -83,28 +83,27 @@ export function WebhooksListPage() {
 
   return (
     <div className="space-y-8">
-      <PageHeader
-        crumbs={[{ label: "\\ Webhooks" }, { label: "Subscriptions", muted: true }]}
-        trailing={data ? `${data.totalCount} TOTAL` : "—"}
+      <EntityPageHeader
+        icon={Webhook}
         title="Webhooks"
+        total={data?.totalCount ?? null}
+        unit="subscription"
         description="Subscribe HTTP endpoints to domain events. Payloads are signed with HMAC-SHA256 using the secret you provide — verify the X-FSH-Signature header on your side before trusting the body."
-        actions={
-          <>
-            <Button
-              variant="outline"
-              size="sm"
-              disabled={query.isFetching}
-              onClick={() => query.refetch()}
-            >
-              <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
-              Refresh
-            </Button>
-            <Button onClick={() => setCreateOpen(true)}>
-              <Plus className="mr-1 h-4 w-4" /> New subscription
-            </Button>
-          </>
-        }
-      />
+      >
+        <Button
+          variant="outline"
+          size="sm"
+          disabled={query.isFetching}
+          onClick={() => query.refetch()}
+          className="flex-1 sm:flex-none"
+        >
+          <RefreshCw className={cn("mr-1.5 h-3.5 w-3.5", query.isFetching && "animate-spin")} />
+          Refresh
+        </Button>
+        <Button onClick={() => setCreateOpen(true)} className="flex-1 sm:flex-none">
+          <Plus className="mr-1 h-4 w-4" /> New subscription
+        </Button>
+      </EntityPageHeader>
 
       {query.isError && (
         <ErrorBand
diff --git a/clients/admin/src/routes.tsx b/clients/admin/src/routes.tsx
index 4e11925cd4..adf5af27a8 100644
--- a/clients/admin/src/routes.tsx
+++ b/clients/admin/src/routes.tsx
@@ -27,13 +27,10 @@ const lazyNamed = <T extends string>(
   });
 
 const TenantsListPage = lazyNamed(() => import("@/pages/tenants/list"), "TenantsListPage");
-const CreateTenantPage = lazyNamed(() => import("@/pages/tenants/create"), "CreateTenantPage");
 const TenantDetailPage = lazyNamed(() => import("@/pages/tenants/detail"), "TenantDetailPage");
 const UsersListPage = lazyNamed(() => import("@/pages/users/list"), "UsersListPage");
-const CreateUserPage = lazyNamed(() => import("@/pages/users/create"), "CreateUserPage");
 const UserDetailPage = lazyNamed(() => import("@/pages/users/detail"), "UserDetailPage");
 const RolesListPage = lazyNamed(() => import("@/pages/roles/list"), "RolesListPage");
-const CreateRolePage = lazyNamed(() => import("@/pages/roles/create"), "CreateRolePage");
 const RoleDetailPage = lazyNamed(() => import("@/pages/roles/detail"), "RoleDetailPage");
 const BillingLayout = lazyNamed(() => import("@/pages/billing/layout"), "BillingLayout");
 const PlansListPage = lazyNamed(() => import("@/pages/billing/plans-list"), "PlansListPage");
@@ -41,7 +38,6 @@ const PlanFormPage = lazyNamed(() => import("@/pages/billing/plan-form"), "PlanF
 const InvoicesListPage = lazyNamed(() => import("@/pages/billing/invoices-list"), "InvoicesListPage");
 const InvoiceDetailPage = lazyNamed(() => import("@/pages/billing/invoice-detail"), "InvoiceDetailPage");
 const AuditsListPage = lazyNamed(() => import("@/pages/audits/list"), "AuditsListPage");
-const AuditDetailPage = lazyNamed(() => import("@/pages/audits/detail"), "AuditDetailPage");
 const HealthPage = lazyNamed(() => import("@/pages/health/page"), "HealthPage");
 const ImpersonationListPage = lazyNamed(() => import("@/pages/impersonation/list"), "ImpersonationListPage");
 const WebhooksListPage = lazyNamed(() => import("@/pages/webhooks/list"), "WebhooksListPage");
@@ -94,12 +90,10 @@ export const router = createBrowserRouter([
             ),
           },
           {
+            // /tenants/new — creation is now a dialog on the list page.
+            // Redirect any bookmarked links back to /tenants.
             path: "tenants/new",
-            element: (
-              <RouteGuard perms={[MultitenancyPermissions.Tenants.Create]}>
-                <CreateTenantPage />
-              </RouteGuard>
-            ),
+            element: <Navigate to="/tenants" replace />,
           },
           {
             path: "tenants/:id",
@@ -120,12 +114,10 @@ export const router = createBrowserRouter([
             ),
           },
           {
+            // /users/new — creation is now a dialog on the list page.
+            // Redirect any bookmarked links back to /users.
             path: "users/new",
-            element: (
-              <RouteGuard perms={[IdentityPermissions.Users.Create]}>
-                <CreateUserPage />
-              </RouteGuard>
-            ),
+            element: <Navigate to="/users" replace />,
           },
           {
             path: "users/:id",
@@ -146,12 +138,10 @@ export const router = createBrowserRouter([
             ),
           },
           {
+            // /roles/new — creation is now a dialog on the list page.
+            // Redirect any bookmarked links back to /roles.
             path: "roles/new",
-            element: (
-              <RouteGuard perms={[IdentityPermissions.Roles.Create]}>
-                <CreateRolePage />
-              </RouteGuard>
-            ),
+            element: <Navigate to="/roles" replace />,
           },
           {
             path: "roles/:id",
@@ -190,7 +180,8 @@ export const router = createBrowserRouter([
             ),
           },
 
-          // Audits
+          // Audits — detail opens as a side sheet on the list page.
+          // Redirect any bookmarked /audits/:id links back to /audits.
           {
             path: "audits",
             element: (
@@ -201,11 +192,7 @@ export const router = createBrowserRouter([
           },
           {
             path: "audits/:id",
-            element: (
-              <RouteGuard perms={[AuditingPermissions.AuditTrails.View]}>
-                <AuditDetailPage />
-              </RouteGuard>
-            ),
+            element: <Navigate to="/audits" replace />,
           },
 
           // Webhooks — any signed-in user can manage their tenant's subscriptions
diff --git a/clients/admin/src/styles/globals.css b/clients/admin/src/styles/globals.css
index 041a5cff27..35ea1bfced 100644
--- a/clients/admin/src/styles/globals.css
+++ b/clients/admin/src/styles/globals.css
@@ -1,75 +1,78 @@
 @import "tailwindcss";
 
-/* Typeface system — modern duo on a single family:
-   · Geist        — display + body sans. Sharp grotesque made for screens.
-   · Geist Mono   — every fact: IDs, timestamps, status, table data, crumbs.
-   One family across display + body + code so weights cascade consistently.
-   Both free from Google Fonts. */
-@import url("https://fonts.googleapis.com/css2?family=Geist:wght@300;400;500;600;700;800&family=Geist+Mono:wght@400;500;600&display=swap");
-
 @custom-variant dark (&:is(.dark *));
 
 /* ============================================================================
-   "Console" — Editorial-terminal design tokens
+   FullStackHero Dashboard — Design Tokens
    ----------------------------------------------------------------------------
-   The admin app sits at the intersection of a Bloomberg terminal and an
-   editorial magazine: dense, factual, opinionated, beautifully typeset. The
-   palette is monochrome with a single chartreuse-lime signal accent. Mono
-   is load-bearing — anywhere you see mono, you are looking at data.
-
-   Architecture (top-down):
-     1. PRIMITIVES   — raw oklch scales. Never reference in components.
-     2. SEMANTICS    — purpose-named tokens (--background, --primary, …).
-     3. SURFACES     — explicit elevation tiers for layout chrome.
-     4. SYSTEM       — typography, motion, radii, shadows.
+   Architecture (read top-down):
+     1. PRIMITIVES — raw oklch scales. Never reference these in components.
+     2. SEMANTICS  — purpose-named vars (--background, --primary, …). The
+                     public API. Components reference these.
+     3. SURFACES   — explicit elevation steps for layout chrome.
+     4. SYSTEM     — typography, motion, radii, shadows.
+   Theme contract: shadcn-compatible. The classic --color-* names all exist
+   so existing primitives (Button, Card, Input, Label) keep working.
    ========================================================================== */
 
 :root {
   /* ── 1. PRIMITIVES ──────────────────────────────────────────────────── */
 
-  /* Neutrals — cool-cast (hue 240, near-zero chroma) for a quiet,
-     deliberately not-quite-grey chassis that gives the accent room. */
-  --neutral-0:    oklch(1.000 0.000 240);
-  --neutral-50:   oklch(0.985 0.003 240);
-  --neutral-100:  oklch(0.965 0.004 240);
-  --neutral-200:  oklch(0.928 0.006 240);
-  --neutral-300:  oklch(0.870 0.008 240);
-  --neutral-400:  oklch(0.745 0.010 240);
-  --neutral-500:  oklch(0.585 0.012 240);
-  --neutral-600:  oklch(0.475 0.014 240);
-  --neutral-700:  oklch(0.380 0.014 240);
-  --neutral-800:  oklch(0.265 0.012 240);
-  --neutral-850:  oklch(0.205 0.012 240);
-  --neutral-900:  oklch(0.165 0.010 240);
-  --neutral-925:  oklch(0.135 0.008 240);
-  --neutral-950:  oklch(0.115 0.006 240);
-  --neutral-1000: oklch(0.085 0.005 240);
-
-  /* Signal — chartreuse-lime. The only chromatic stop allowed in chrome.
-     One accent, deliberately recognizable. Reserved for primary affordances,
-     active nav, the "live" pulse, and the brand mark. Not for "this is OK"
-     — that's what `--success` is for. */
-  --signal-300:  oklch(0.940 0.140 125);
-  --signal-400:  oklch(0.900 0.180 125);
-  --signal-500:  oklch(0.860 0.200 125);
-  --signal-600:  oklch(0.770 0.205 125);
-  --signal-700:  oklch(0.660 0.180 125);
-
-  /* Status scales — emerald / amber / cyan / rose. Only show up on
-     status badges and status pills; never used for chrome. */
-  --success-500: oklch(0.690 0.160 162);
-  --success-600: oklch(0.605 0.160 162);
-  --warning-500: oklch(0.790 0.150  76);
-  --warning-600: oklch(0.700 0.150  76);
-  --info-500:    oklch(0.720 0.130 215);
-  --info-600:    oklch(0.635 0.135 215);
-  --danger-500:  oklch(0.680 0.205  22);
-  --danger-600:  oklch(0.585 0.215  22);
-
-  /* ── 2. SEMANTICS — light theme is the *secondary* surface. Dark is
-     primary and the file's defaults follow that mental model below.
-     But we write light first so users who land here in light see a
-     fully-considered scheme too. ───────────────────────────────────── */
+  /* Neutrals — true greys (chroma 0). The earlier "warm paper" chassis
+     tinted every surface yellow-cream, which fought with non-rose
+     accent palettes and read as a global yellow cast in dark mode.
+     Neutrals are now untinted so the selected accent (rose, indigo,
+     violet, sky, emerald, amber) is the only colour in the room. */
+  --neutral-0:    oklch(1.000 0  0);
+  --neutral-50:   oklch(0.985 0  0);
+  --neutral-100:  oklch(0.960 0  0);
+  --neutral-200:  oklch(0.920 0  0);
+  --neutral-300:  oklch(0.870 0  0);
+  --neutral-400:  oklch(0.735 0  0);
+  --neutral-500:  oklch(0.575 0  0);
+  --neutral-600:  oklch(0.460 0  0);
+  --neutral-700:  oklch(0.360 0  0);
+  --neutral-800:  oklch(0.245 0  0);
+  --neutral-850:  oklch(0.200 0  0);
+  --neutral-900:  oklch(0.155 0  0);
+  --neutral-950:  oklch(0.110 0  0);
+  --neutral-1000: oklch(0.075 0  0);
+
+  /* Brand — confident rose (#f91942 at the 600 stop). 600 is the
+     workhorse; 500 is for dark mode. Override these eleven stops via
+     an `accent-{id}` class on :root (defined further down) to swap the
+     entire brand palette. */
+  --brand-50:   oklch(0.972 0.022  13);
+  --brand-100:  oklch(0.945 0.045  13);
+  --brand-200:  oklch(0.895 0.090  13);
+  --brand-300:  oklch(0.825 0.145  13);
+  --brand-400:  oklch(0.720 0.195  13);
+  --brand-500:  oklch(0.640 0.225  13);
+  --brand-600:  oklch(0.575 0.232  13);
+  --brand-700:  oklch(0.495 0.215  13);
+  --brand-800:  oklch(0.410 0.180  13);
+  --brand-900:  oklch(0.330 0.140  13);
+  --brand-950:  oklch(0.235 0.095  13);
+
+  /* Saffron — secondary warm accent. Used sparingly for the second
+     channel of warmth against rose (gradient endpoints, hero numerals,
+     trust marks). Mirrors dentalOS #e8a54b. */
+  --saffron-400: oklch(0.815 0.115  72);
+  --saffron-500: oklch(0.760 0.137  72);
+  --saffron-600: oklch(0.680 0.135  68);
+
+  /* Status scales — emerald, amber, sky, rose. All at L≈0.6/0.7 so they
+     read as a coherent set when stacked next to each other. */
+  --success-500: oklch(0.660 0.155 162);
+  --success-600: oklch(0.575 0.155 162);
+  --warning-500: oklch(0.770 0.155  76);
+  --warning-600: oklch(0.685 0.155  76);
+  --info-500:    oklch(0.685 0.150 232);
+  --info-600:    oklch(0.605 0.150 232);
+  --danger-500:  oklch(0.625 0.220  20);
+  --danger-600:  oklch(0.555 0.220  20);
+
+  /* ── 2. SEMANTICS (light) ──────────────────────────────────────────── */
   --background:                 var(--neutral-50);
   --foreground:                 var(--neutral-950);
 
@@ -78,243 +81,379 @@
   --popover:                    var(--neutral-0);
   --popover-foreground:         var(--neutral-950);
 
-  --primary:                    var(--neutral-950);
-  --primary-foreground:         var(--neutral-50);
-  --primary-soft:               oklch(0.115 0.006 240 / 0.08);
+  --primary:                    var(--brand-600);
+  /* Derive from the active brand stop so accent swaps re-tone these
+     too. The `from <color>` relative-color syntax resolves at runtime. */
+  --primary-foreground:         oklch(from var(--brand-600) 0.990 0.005 h);
+  --primary-hover:              var(--brand-700);
+  --primary-soft:               oklch(from var(--brand-600) l c h / 0.10);
 
-  /* Signal/accent — same in both modes (chartreuse needs no inversion). */
-  --accent-signal:              var(--signal-500);
-  --accent-signal-soft:         oklch(0.860 0.200 125 / 0.14);
-  --accent-signal-foreground:   var(--neutral-1000);
+  /* Theme-independent. For content that sits on top of imagery or a dark
+     scrim (caption text, overlay action icons) and for the thumb of a
+     filled control — white stays legible in both light and dark, so these
+     are intentionally NOT flipped in the .dark block. */
+  --overlay:                    oklch(0 0 0 / 0.55);
+  --overlay-foreground:         oklch(1 0 0);
 
   --secondary:                  var(--neutral-100);
   --secondary-foreground:       var(--neutral-900);
 
   --muted:                      var(--neutral-100);
-  --muted-foreground:           var(--neutral-500);
-
-  --accent:                     var(--neutral-100);
-  --accent-foreground:          var(--neutral-900);
+  /* Bumped from neutral-500 (L=0.575) to L=0.500 so that all muted body
+     copy and micro-labels clear WCAG 2.2 AA 4.5:1 contrast on every
+     surface, including the alpha-mask variants used for placeholders
+     and chevrons. */
+  --muted-foreground:           oklch(0.500 0  0);
+
+  /* Accent = neutral hover chip. Was previously a warm cream tint that
+     contributed to the global yellow cast; same L as before but with
+     zero chroma, so it still reads as a distinct hover chip a notch
+     darker than --muted / --secondary. */
+  --accent:                     oklch(0.940 0  0);
+  --accent-foreground:          var(--neutral-800);
+  --saffron:                    var(--saffron-500);
+  --saffron-foreground:         oklch(0.250 0.060  68);
 
   --destructive:                var(--danger-600);
-  --destructive-foreground:     oklch(0.990 0.005 22);
+  --destructive-foreground:     oklch(0.990 0.005  20);
 
   --success:                    var(--success-600);
   --success-foreground:         oklch(0.990 0.005 162);
   --warning:                    var(--warning-600);
   --warning-foreground:         var(--neutral-950);
   --info:                       var(--info-600);
-  --info-foreground:            oklch(0.990 0.005 215);
+  --info-foreground:            oklch(0.990 0.005 232);
 
-  --border:                     oklch(0.870 0.008 240 / 0.55);
-  --border-strong:              oklch(0.745 0.010 240);
-  --border-emphasis:            var(--neutral-900);
+  --border:                     oklch(0.895 0  0 / 0.85);
+  --border-strong:              oklch(0.840 0  0);
   --input:                      var(--neutral-200);
-  --ring:                       var(--signal-500);
-
-  /* ── 3. SURFACES — elevation tiers. ─────────────────────────────────── */
-  --surface-1:                  var(--neutral-50);   /* page canvas */
-  --surface-2:                  var(--neutral-0);    /* sidebar, panels, code chips */
-  --surface-3:                  var(--neutral-0);    /* cards */
+  --ring:                       var(--brand-500);
+
+  /* ── 3. SURFACES — explicit elevation. Use these instead of mixing
+     card/muted/accent ad-hoc.
+     Light mode: canvas → tier-2 panel → tier-3 popover/sticky → tier-4 hover.
+     Each tier is one perceptual step distinct so cards visually float
+     above the canvas instead of merging into a hairline-edged plane. */
+  --surface-1:                  var(--neutral-50);   /* canvas */
+  --surface-2:                  var(--neutral-0);    /* sidebar, panels */
+  --surface-3:                  oklch(0.992 0  0);   /* cards, popovers, sticky chrome */
   --surface-4:                  var(--neutral-100);  /* hover, raised */
-  --surface-overlay:            oklch(0.115 0.006 240 / 0.35);
+  --surface-1-hover:            var(--neutral-100);
+  --surface-2-hover:            var(--neutral-50);
+
+  /* ── Charts — laddered around the rose brand axis. Saffron is the
+     primary counter-hue (warm pair), with teal/emerald/violet rounding
+     out the harmonic ladder. ────────────────────────────────────────── */
+  --chart-1: var(--brand-500);                       /* rose */
+  --chart-2: var(--saffron-500);                     /* saffron */
+  --chart-3: oklch(0.700 0.135 195);                 /* teal */
+  --chart-4: oklch(0.660 0.180 320);                 /* violet */
+  --chart-5: oklch(0.665 0.155 162);                 /* emerald */
+  --chart-grid: oklch(0.895 0  0 / 0.6);
+
+  /* ── 4. SYSTEM ─────────────────────────────────────────────────────── */
+  /* Display = Outfit (rounded geometric, headings + hero numerals).
+     Body = Figtree (warm open sans-serif, everything else).
+     Mono = JetBrains Mono (terminal/console flourishes, tabular data). */
+  --font-display: "Outfit", ui-sans-serif, system-ui, -apple-system, "Segoe UI", sans-serif;
+  --font-sans: "Figtree", ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, sans-serif;
+  --font-mono: "JetBrains Mono", ui-monospace, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace;
+  /* Body uses tabular numerals so times, tokens, and costs don't jitter
+     between digits. Display reads with default proportional numerals
+     except where overridden (.text-display, mono numerics in lists). */
+  --font-feature-default: "tnum";
+  --font-feature-tabular: "tnum";
+
+  --radius:     0.625rem;
+  --radius-sm:  calc(var(--radius) - 4px);
+  --radius-md:  calc(var(--radius) - 2px);
+  --radius-lg:  var(--radius);
+  --radius-xl:  calc(var(--radius) + 4px);
+  --radius-2xl: calc(var(--radius) + 8px);
 
-  /* Grid texture alpha — 4px hairline subgrid on the canvas. Light-mode
-     subtle; dark-mode slightly more visible since the near-black canvas
-     needs more contrast to read the texture. */
-  --grid-alpha:                 0.04;
+  --ease-out-cubic:    cubic-bezier(0.215, 0.610, 0.355, 1.000);
+  --ease-out-quart:    cubic-bezier(0.165, 0.840, 0.440, 1.000);
+  --ease-in-out-cubic: cubic-bezier(0.645, 0.045, 0.355, 1.000);
+  --duration-fast:     120ms;
+  --duration-default:  200ms;
+  --duration-slow:     320ms;
+
+  /* Neutral shadows — cast in pure black so they read as a cool
+     shadow on any chassis (no warm tint bleeding into the canvas). */
+  --shadow-xs: 0 1px 2px 0 oklch(0 0 0 / 0.05);
+  --shadow-sm: 0 1px 2px 0 oklch(0 0 0 / 0.06),
+               0 1px 3px 0 oklch(0 0 0 / 0.07);
+  --shadow-md: 0 4px 6px -1px oklch(0 0 0 / 0.08),
+               0 2px 4px -2px oklch(0 0 0 / 0.06);
+  --shadow-lg: 0 10px 15px -3px oklch(0 0 0 / 0.10),
+               0 4px 6px -4px oklch(0 0 0 / 0.06);
+  --shadow-lift: 0 12px 32px -16px oklch(0 0 0 / 0.22),
+                 0 4px 8px -4px oklch(0 0 0 / 0.12);
+
+  /* Top-edge highlight — kept very subtle. Earlier value (0.55 alpha)
+     read as 2014-era glassmorphism gloss; toned to 0.14 so it
+     whispers rather than shouts. Only present on surfaces that
+     explicitly opt in via `surface-edge`, `gradient-border`, etc. */
+  --highlight-top: inset 0 1px 0 oklch(1 0 0 / 0.14);
+
+  /* Display-weight tracking ratio applied to hero headings and page
+     titles. Tighter than body, slightly heavier optical weight. */
+  --tracking-display: -0.025em;
+  --tracking-tight:   -0.015em;
 
   --color-scheme: light;
 }
 
+/* ─────────────────────────────────────────────────────────────────────────
+   ACCENT PALETTES — each class overrides the 11 brand stops with a
+   different hue, keeping the L/C ramp identical. Apply by toggling a
+   single class on :root (e.g. `accent-violet`).
+   Hue chosen per accent:
+     rose (default) → 13 · indigo → 268 · violet → 305 · sky → 232
+     emerald → 152 · amber → 76
+   Rose is the default in :root above so no `.accent-rose` is needed
+   unless an upstream selection persists. Indigo is an opt-in for
+   teams that prefer the cool Linear chassis.
+   ─────────────────────────────────────────────────────────────────────── */
+.accent-rose {
+  --brand-50:   oklch(0.972 0.022  13);
+  --brand-100:  oklch(0.945 0.045  13);
+  --brand-200:  oklch(0.895 0.090  13);
+  --brand-300:  oklch(0.825 0.145  13);
+  --brand-400:  oklch(0.720 0.195  13);
+  --brand-500:  oklch(0.640 0.225  13);
+  --brand-600:  oklch(0.575 0.232  13);
+  --brand-700:  oklch(0.495 0.215  13);
+  --brand-800:  oklch(0.410 0.180  13);
+  --brand-900:  oklch(0.330 0.140  13);
+  --brand-950:  oklch(0.235 0.095  13);
+}
+.accent-indigo {
+  --brand-50:   oklch(0.972 0.020 268);
+  --brand-100:  oklch(0.945 0.040 268);
+  --brand-200:  oklch(0.895 0.078 268);
+  --brand-300:  oklch(0.825 0.130 268);
+  --brand-400:  oklch(0.720 0.180 268);
+  --brand-500:  oklch(0.620 0.210 268);
+  --brand-600:  oklch(0.555 0.220 268);
+  --brand-700:  oklch(0.485 0.205 268);
+  --brand-800:  oklch(0.405 0.175 268);
+  --brand-900:  oklch(0.325 0.135 268);
+  --brand-950:  oklch(0.230 0.090 268);
+}
+.accent-violet {
+  --brand-50:   oklch(0.972 0.020 305);
+  --brand-100:  oklch(0.945 0.040 305);
+  --brand-200:  oklch(0.895 0.078 305);
+  --brand-300:  oklch(0.825 0.130 305);
+  --brand-400:  oklch(0.720 0.180 305);
+  --brand-500:  oklch(0.620 0.210 305);
+  --brand-600:  oklch(0.555 0.220 305);
+  --brand-700:  oklch(0.485 0.205 305);
+  --brand-800:  oklch(0.405 0.175 305);
+  --brand-900:  oklch(0.325 0.135 305);
+  --brand-950:  oklch(0.230 0.090 305);
+}
+.accent-sky {
+  --brand-50:   oklch(0.972 0.020 232);
+  --brand-100:  oklch(0.945 0.040 232);
+  --brand-200:  oklch(0.895 0.078 232);
+  --brand-300:  oklch(0.825 0.130 232);
+  --brand-400:  oklch(0.720 0.170 232);
+  --brand-500:  oklch(0.620 0.180 232);
+  --brand-600:  oklch(0.555 0.180 232);
+  --brand-700:  oklch(0.485 0.170 232);
+  --brand-800:  oklch(0.405 0.150 232);
+  --brand-900:  oklch(0.325 0.115 232);
+  --brand-950:  oklch(0.230 0.078 232);
+}
+.accent-emerald {
+  --brand-50:   oklch(0.972 0.020 152);
+  --brand-100:  oklch(0.945 0.040 152);
+  --brand-200:  oklch(0.895 0.078 152);
+  --brand-300:  oklch(0.825 0.120 152);
+  --brand-400:  oklch(0.720 0.155 152);
+  --brand-500:  oklch(0.620 0.170 152);
+  --brand-600:  oklch(0.545 0.170 152);
+  --brand-700:  oklch(0.470 0.155 152);
+  --brand-800:  oklch(0.395 0.135 152);
+  --brand-900:  oklch(0.320 0.110 152);
+  --brand-950:  oklch(0.225 0.075 152);
+}
+.accent-amber {
+  --brand-50:   oklch(0.972 0.025  76);
+  --brand-100:  oklch(0.945 0.050  76);
+  --brand-200:  oklch(0.895 0.090  76);
+  --brand-300:  oklch(0.840 0.130  76);
+  --brand-400:  oklch(0.770 0.155  76);
+  --brand-500:  oklch(0.700 0.170  76);
+  --brand-600:  oklch(0.620 0.165  76);
+  --brand-700:  oklch(0.530 0.150  76);
+  --brand-800:  oklch(0.440 0.130  76);
+  --brand-900:  oklch(0.355 0.105  76);
+  --brand-950:  oklch(0.255 0.075  76);
+}
+/* ─────────────────────────────────────────────────────────────────────────
+   DARK MODE — values flip; semantic names stay.
+   ─────────────────────────────────────────────────────────────────────── */
 .dark {
+  /* Deep graphite, untinted. Earlier value carried a warm undertone
+     (h≈66) that read as a yellow cast across every dark surface;
+     neutralised so the chosen accent is the only hue on screen. */
   --background:                 var(--neutral-1000);
-  --foreground:                 var(--neutral-50);
-
-  --card:                       var(--neutral-925);
-  --card-foreground:            var(--neutral-50);
-  --popover:                    var(--neutral-900);
-  --popover-foreground:         var(--neutral-50);
+  --foreground:                 oklch(0.925 0  0);
 
-  --primary:                    var(--neutral-50);
-  --primary-foreground:         var(--neutral-1000);
-  --primary-soft:               oklch(0.985 0.003 240 / 0.10);
+  --card:                       var(--neutral-900);
+  --card-foreground:            oklch(0.925 0  0);
+  --popover:                    var(--neutral-850);
+  --popover-foreground:         oklch(0.925 0  0);
 
-  --accent-signal:              var(--signal-500);
-  --accent-signal-soft:         oklch(0.860 0.200 125 / 0.18);
-  --accent-signal-foreground:   var(--neutral-1000);
+  --primary:                    var(--brand-500);
+  --primary-foreground:         oklch(from var(--brand-500) 0.990 0.005 h);
+  --primary-hover:              var(--brand-400);
+  --primary-soft:               oklch(from var(--brand-500) l c h / 0.18);
 
-  --secondary:                  var(--neutral-800);
-  --secondary-foreground:       var(--neutral-50);
+  --secondary:                  var(--neutral-850);
+  --secondary-foreground:       oklch(0.925 0  0);
 
-  --muted:                      var(--neutral-900);
-  --muted-foreground:           var(--neutral-400);
+  --muted:                      var(--neutral-850);
+  /* Bumped from L=0.680 to L=0.730 so muted body copy clears 4.5:1
+     against the graphite background even when consumers apply an
+     /0.6 alpha mask (placeholders, chevrons, micro-meta). */
+  --muted-foreground:           oklch(0.730 0  0);
 
-  --accent:                     var(--neutral-900);
-  --accent-foreground:          var(--neutral-50);
+  --accent:                     var(--neutral-800);
+  --accent-foreground:          oklch(0.925 0  0);
+  --saffron:                    var(--saffron-500);
+  --saffron-foreground:         oklch(0.115 0.025  62);
 
   --destructive:                var(--danger-500);
-  --destructive-foreground:     oklch(0.145 0.040 22);
+  --destructive-foreground:     oklch(0.990 0.005  20);
 
   --success:                    var(--success-500);
-  --success-foreground:         oklch(0.145 0.040 162);
   --warning:                    var(--warning-500);
-  --warning-foreground:         var(--neutral-1000);
   --info:                       var(--info-500);
-  --info-foreground:            oklch(0.145 0.040 215);
 
-  --border:                     oklch(0.265 0.012 240 / 0.75);
-  --border-strong:              oklch(0.345 0.012 240);
-  --border-emphasis:            var(--neutral-50);
+  --border:                     oklch(0.260 0  0 / 0.85);
+  --border-strong:              oklch(0.380 0  0);
   --input:                      var(--neutral-800);
-  --ring:                       var(--signal-500);
+  --ring:                       var(--brand-400);
 
   --surface-1:                  var(--neutral-1000);
-  --surface-2:                  var(--neutral-925);
-  --surface-3:                  var(--neutral-900);
-  --surface-4:                  var(--neutral-850);
-  --surface-overlay:            oklch(0.085 0.005 240 / 0.60);
-
-  --grid-alpha:                 0.045;
+  --surface-2:                  var(--neutral-900);
+  --surface-3:                  var(--neutral-850);
+  --surface-4:                  var(--neutral-800);
+  --surface-1-hover:            var(--neutral-950);
+  --surface-2-hover:            var(--neutral-850);
+
+  --chart-1: var(--brand-400);
+  --chart-2: var(--saffron-400);
+  --chart-3: oklch(0.745 0.135 195);
+  --chart-4: oklch(0.705 0.180 320);
+  --chart-5: oklch(0.710 0.155 162);
+  --chart-grid: oklch(0.260 0  0 / 0.6);
+
+  --highlight-top: inset 0 1px 0 oklch(1 0 0 / 0.06);
+
+  --shadow-sm: 0 1px 2px 0 oklch(0 0 0 / 0.20),
+               0 1px 3px 0 oklch(0 0 0 / 0.24);
+  --shadow-md: 0 4px 6px -1px oklch(0 0 0 / 0.28),
+               0 2px 4px -2px oklch(0 0 0 / 0.20);
+  --shadow-lg: 0 10px 15px -3px oklch(0 0 0 / 0.34),
+               0 4px 6px -4px oklch(0 0 0 / 0.22);
+  --shadow-lift: 0 16px 36px -18px oklch(0 0 0 / 0.55),
+                 0 6px 12px -6px oklch(0 0 0 / 0.35);
 
   --color-scheme: dark;
 }
 
+/* ─────────────────────────────────────────────────────────────────────────
+   THEME BLOCK — exposes semantics as Tailwind v4 utilities.
+   `bg-[var(--color-X)]` and `bg-{X}` both work.
+   ─────────────────────────────────────────────────────────────────────── */
 @theme inline {
-  --color-background:                 var(--background);
-  --color-foreground:                 var(--foreground);
-  --color-card:                       var(--card);
-  --color-card-foreground:            var(--card-foreground);
-  --color-popover:                    var(--popover);
-  --color-popover-foreground:         var(--popover-foreground);
-  --color-primary:                    var(--primary);
-  --color-primary-foreground:         var(--primary-foreground);
-  --color-primary-soft:               var(--primary-soft);
-  --color-accent-signal:              var(--accent-signal);
-  --color-accent-signal-soft:         var(--accent-signal-soft);
-  --color-accent-signal-foreground:   var(--accent-signal-foreground);
-  --color-secondary:                  var(--secondary);
-  --color-secondary-foreground:       var(--secondary-foreground);
-  --color-muted:                      var(--muted);
-  --color-muted-foreground:           var(--muted-foreground);
-  --color-accent:                     var(--accent);
-  --color-accent-foreground:          var(--accent-foreground);
-  --color-destructive:                var(--destructive);
-  --color-destructive-foreground:     var(--destructive-foreground);
-  --color-success:                    var(--success);
-  --color-success-foreground:         var(--success-foreground);
-  --color-warning:                    var(--warning);
-  --color-warning-foreground:         var(--warning-foreground);
-  --color-info:                       var(--info);
-  --color-info-foreground:            var(--info-foreground);
-  --color-border:                     var(--border);
-  --color-border-strong:              var(--border-strong);
-  --color-border-emphasis:            var(--border-emphasis);
-  --color-input:                      var(--input);
-  --color-ring:                       var(--ring);
-  --color-surface-1:                  var(--surface-1);
-  --color-surface-2:                  var(--surface-2);
-  --color-surface-3:                  var(--surface-3);
-  --color-surface-4:                  var(--surface-4);
-
-  --radius:     0.5rem;          /* 8 — buttons */
-  --radius-sm:  calc(var(--radius) - 4px);
-  --radius-md:  calc(var(--radius) - 2px);
-  --radius-lg:  calc(var(--radius) + 2px);   /* 10 */
-  --radius-xl:  1rem;            /* 16 — cards */
-  --radius-2xl: 1.25rem;         /* 20 — sheets / hero cards */
-
-  /* Card elevation — multi-stop, intentionally restrained. The hover
-     state lifts slightly and adds a chartreuse-tinted outer ring at
-     extremely low alpha; depth from elevation, not chrome. */
-  --shadow-card:
-    0 1px 2px 0 oklch(0 0 0 / 0.04),
-    0 1px 3px -1px oklch(0 0 0 / 0.05);
-  --shadow-card-hover:
-    0 1px 2px 0 oklch(0 0 0 / 0.04),
-    0 8px 16px -8px oklch(0 0 0 / 0.10),
-    0 14px 32px -16px oklch(0 0 0 / 0.16);
-  --shadow-card-hover-dark:
-    0 1px 2px 0 oklch(0 0 0 / 0.40),
-    0 8px 16px -8px oklch(0 0 0 / 0.45),
-    0 18px 40px -16px oklch(0 0 0 / 0.55);
-
-  /* Top-edge highlight — the subtle "lit from above" line that gives
-     elevated surfaces depth without a heavy border. */
-  --highlight-top-light: inset 0 1px 0 oklch(1 0 0 / 0.55);
-  --highlight-top-dark:  inset 0 1px 0 oklch(1 0 0 / 0.04);
-
-  --font-display: "Geist", ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-  --font-sans:    "Geist", ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-  --font-mono:    "Geist Mono", "JetBrains Mono", ui-monospace, "SF Mono", Menlo, Consolas, monospace;
-
-  --ease-out-cubic:    cubic-bezier(0.215, 0.610, 0.355, 1.000);
-  --ease-out-quart:    cubic-bezier(0.165, 0.840, 0.440, 1.000);
-  --ease-in-out-cubic: cubic-bezier(0.645, 0.045, 0.355, 1.000);
-  --duration-fast:     140ms;
-  --duration-default:  240ms;
-  --duration-slow:     360ms;
-
-  --tracking-display: -0.028em;
-  --tracking-tight:   -0.012em;
-  --tracking-meta:    0.22em;
+  --color-background:             var(--background);
+  --color-foreground:             var(--foreground);
+  --color-card:                   var(--card);
+  --color-card-foreground:        var(--card-foreground);
+  --color-popover:                var(--popover);
+  --color-popover-foreground:     var(--popover-foreground);
+  --color-primary:                var(--primary);
+  --color-primary-foreground:     var(--primary-foreground);
+  --color-primary-hover:          var(--primary-hover);
+  --color-primary-soft:           var(--primary-soft);
+  --color-overlay:                var(--overlay);
+  --color-overlay-foreground:     var(--overlay-foreground);
+  --color-secondary:              var(--secondary);
+  --color-secondary-foreground:   var(--secondary-foreground);
+  --color-muted:                  var(--muted);
+  --color-muted-foreground:       var(--muted-foreground);
+  --color-accent:                 var(--accent);
+  --color-accent-foreground:      var(--accent-foreground);
+  --color-saffron:                var(--saffron);
+  --color-saffron-foreground:     var(--saffron-foreground);
+  --color-destructive:            var(--destructive);
+  --color-destructive-foreground: var(--destructive-foreground);
+  --color-success:                var(--success);
+  --color-success-foreground:     var(--success-foreground);
+  --color-warning:                var(--warning);
+  --color-warning-foreground:     var(--warning-foreground);
+  --color-info:                   var(--info);
+  --color-info-foreground:        var(--info-foreground);
+  --color-border:                 var(--border);
+  --color-border-strong:          var(--border-strong);
+  --color-input:                  var(--input);
+  --color-ring:                   var(--ring);
+
+  --color-surface-1:              var(--surface-1);
+  --color-surface-2:              var(--surface-2);
+  --color-surface-3:              var(--surface-3);
+  --color-surface-4:              var(--surface-4);
+
+  --color-chart-1: var(--chart-1);
+  --color-chart-2: var(--chart-2);
+  --color-chart-3: var(--chart-3);
+  --color-chart-4: var(--chart-4);
+  --color-chart-5: var(--chart-5);
+
+  --radius-sm:  var(--radius-sm);
+  --radius-md:  var(--radius-md);
+  --radius-lg:  var(--radius-lg);
+  --radius-xl:  var(--radius-xl);
+  --radius-2xl: var(--radius-2xl);
+
+  --font-sans:    var(--font-sans);
+  --font-mono:    var(--font-mono);
+  --font-display: var(--font-display);
+
+  /* Type scale — canonical display sizes consumed by page primitives.
+     Page = top-of-page hero (list & detail).
+     Section = nested section header inside a page (role-detail, etc.).
+     Card = card-level title.
+     Stat = big numerals on stat cards / billing widgets.
+     Tailwind v4 auto-generates `text-display-page` etc. utilities from
+     these tokens. */
+  --text-display-page:    1.5rem;        /* 24px */
+  --text-display-section: 1.25rem;       /* 20px */
+  --text-display-card:    1.0625rem;     /* 17px */
+  --text-display-stat:    1.75rem;       /* 28px */
 }
 
-/* ============================================================================
-   Base layer
-   ========================================================================== */
-
+/* ─────────────────────────────────────────────────────────────────────────
+   BASE LAYER — global treatments
+   ─────────────────────────────────────────────────────────────────────── */
 @layer base {
-  *,
-  *::before,
-  *::after {
+  *, ::before, ::after {
     border-color: var(--color-border);
   }
 
-  html {
+  :root {
     color-scheme: var(--color-scheme);
-    background-color: var(--color-background);
-    -webkit-font-smoothing: antialiased;
-    -moz-osx-font-smoothing: grayscale;
-    text-rendering: optimizeLegibility;
-  }
-
-  body {
-    font-family: var(--font-sans);
-    background-color: var(--color-background);
-    color: var(--color-foreground);
-    font-feature-settings: "ss01", "cv11";
-    letter-spacing: var(--tracking-tight);
-  }
-
-  /* Selection reads as "selected by the system" — chartreuse signal. */
-  ::selection {
-    background-color: oklch(from var(--color-accent-signal) l c h / 0.35);
-    color: var(--color-foreground);
-  }
-
-  /* Scrollbar — thin, monochrome, never indigo. */
-  * {
-    scrollbar-width: thin;
-    scrollbar-color: var(--color-border-strong) transparent;
-  }
-  *::-webkit-scrollbar { width: 9px; height: 9px; }
-  *::-webkit-scrollbar-track { background: transparent; }
-  *::-webkit-scrollbar-thumb {
-    background-color: oklch(from var(--color-border-strong) l c h / 0.65);
-    border-radius: 8px;
-    border: 2px solid transparent;
-    background-clip: content-box;
-  }
-
-  h1, h2, h3 {
-    font-family: var(--font-display);
-    letter-spacing: var(--tracking-display);
   }
 
   /* Cursor affordance — restore the classic "anything clickable shows a
      pointer" behavior. Tailwind v4 follows the new browser default of
-     `cursor: default` on <button>, which leaves operators guessing whether
+     `cursor: default` on <button>, which leaves users guessing whether
      an element is interactive. We override globally so every actionable
      surface (native controls, ARIA-roled widgets, labels bound to inputs,
      <summary> for collapsibles) reads as a clickable from the cursor alone.
@@ -366,34 +505,736 @@
   fieldset:disabled * {
     cursor: not-allowed;
   }
+
+  html {
+    font-family: var(--font-sans);
+    font-feature-settings: var(--font-feature-default);
+    text-rendering: optimizeLegibility;
+    -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+  }
+
+  html, body {
+    background-color: var(--color-background);
+    color: var(--color-foreground);
+  }
+
+  /* Atmospheric background — a single soft glow in the chosen brand
+     colour. The earlier two-channel layout paired this with a saffron
+     glow on the upper-right, but the second warm channel was the bulk
+     of the yellow cast people read as a "tint" — dropped. */
+  body {
+    background-image:
+      radial-gradient(ellipse 60% 40% at 15% -5%, oklch(from var(--brand-600) l c h / 0.10), transparent 70%);
+  }
+
+  .dark body {
+    background-image:
+      radial-gradient(ellipse 60% 40% at 15% -5%, oklch(from var(--brand-500) l c h / 0.12), transparent 70%);
+  }
+
+  /* Paper grain overlay — fine ink dots multiplying into the canvas.
+     Visible only on light surfaces, removed in dark so the graphite
+     stays clean. Positioned fixed so it tiles consistently as you
+     scroll, but z-index 0 keeps it behind every app surface. */
+  body::before {
+    content: "";
+    position: fixed;
+    inset: 0;
+    pointer-events: none;
+    z-index: 0;
+    opacity: 0.32;
+    mix-blend-mode: multiply;
+    background-image: radial-gradient(
+      circle at 1px 1px,
+      oklch(0 0 0 / 0.05) 1px,
+      transparent 0
+    );
+    background-size: 3px 3px;
+  }
+  .dark body::before { opacity: 0; }
+
+  /* Tabular numerals everywhere a number is rendered as data. */
+  table, .tabular-nums, [data-tabular="true"], .font-mono, code, kbd, samp, pre {
+    font-variant-numeric: tabular-nums;
+    font-feature-settings: var(--font-feature-tabular);
+  }
+
+  /* Focus indicator — clean 2px outline, no bloom. The previous outer
+     brand-tinted halo (box-shadow) read as garish, especially in dark
+     mode and on input fields. The outline alone is enough for keyboard
+     accessibility and matches the rest of the dashboard's restraint. */
+  :focus-visible {
+    outline: 2px solid var(--color-ring);
+    outline-offset: 2px;
+  }
+
+  /* Brand-tinted text selection. */
+  ::selection {
+    background-color: oklch(from var(--color-primary) l c h / 0.30);
+    color: var(--color-foreground);
+  }
+
+  /* Restrained scrollbars — Linear-style hairlines. */
+  * {
+    scrollbar-width: thin;
+    scrollbar-color: var(--color-border-strong) transparent;
+  }
+  *::-webkit-scrollbar { width: 8px; height: 8px; }
+  *::-webkit-scrollbar-track { background: transparent; }
+  *::-webkit-scrollbar-thumb {
+    background-color: oklch(from var(--color-border-strong) l c h / 0.6);
+    border-radius: 9999px;
+    border: 2px solid transparent;
+    background-clip: padding-box;
+  }
+  *::-webkit-scrollbar-thumb:hover {
+    background-color: var(--color-muted-foreground);
+  }
+
+  /* Heading rhythm — every heading wears the display face (Outfit) for
+     a refined, editorial weight that contrasts with Figtree body. */
+  h1, h2, h3, h4, h5, h6 {
+    font-family: var(--font-display);
+    font-weight: 600;
+    letter-spacing: var(--tracking-tight);
+  }
+  h1 { letter-spacing: var(--tracking-display); }
+
+  .font-display {
+    font-family: var(--font-display);
+    letter-spacing: var(--tracking-tight);
+  }
+
+  /* Display class for hero numbers / page titles. Tight, heavy, with
+     tabular numerals so big counters don't jitter as they animate. */
+  .text-display {
+    font-family: var(--font-display);
+    font-weight: 600;
+    letter-spacing: var(--tracking-display);
+    font-feature-settings: "tnum";
+  }
+
+  /* ──────────────────────────────────────────────────────────────────
+     Theme cross-fade.
+
+     Primary mechanism: View Transitions API. The browser snapshots the
+     page bitmap before/after the dark-class flip and crossfades
+     between them. This is the only technique that morphs gradients,
+     box-shadows, conic backgrounds, SVG fills, and image-based
+     surfaces uniformly with text and surfaces — per-property CSS
+     transitions cannot interpolate any of those.
+
+     Fallback: `.theme-switching` blanket transition for browsers
+     without View Transitions (Firefox today). Limited to the
+     interpolatable subset. Better than nothing, worse than VT.
+
+     Reduced-motion users skip both paths via JS and never see either
+     transition. The block below also nukes view-transition animations
+     defensively in case the user toggles the OS pref mid-session.
+     ──────────────────────────────────────────────────────────────── */
+
+  html.theme-switching,
+  html.theme-switching *,
+  html.theme-switching *::before,
+  html.theme-switching *::after {
+    transition:
+      background-color var(--duration-default) var(--ease-out-cubic),
+      background-image var(--duration-default) var(--ease-out-cubic),
+      border-color     var(--duration-default) var(--ease-out-cubic),
+      color            var(--duration-default) var(--ease-out-cubic),
+      fill             var(--duration-default) var(--ease-out-cubic),
+      stroke           var(--duration-default) var(--ease-out-cubic),
+      box-shadow       var(--duration-default) var(--ease-out-cubic) !important;
+  }
 }
 
-/* ============================================================================
-   Utilities — typography
-   ========================================================================== */
+/* ─────────────────────────────────────────────────────────────────────────
+   COMPONENT UTILITIES
+   ─────────────────────────────────────────────────────────────────────── */
+@layer components {
+  .surface-1 { background-color: var(--color-surface-1); }
+  .surface-2 { background-color: var(--color-surface-2); }
+  .surface-3 { background-color: var(--color-surface-3); }
+  .surface-4 { background-color: var(--color-surface-4); }
+
+  /* Brand mark — flat warm rose tile with a quiet inner top-edge
+     highlight so the "F" reads as embossed paper, not Linear chrome.
+     No rotating conic gradient (that was 2014-era chrome) — the calm
+     paper aesthetic doesn't want spinning ornaments. */
+  .brand-mark {
+    position: relative;
+    isolation: isolate;
+    background: var(--color-primary);
+    box-shadow:
+      inset 0 1px 0 oklch(1 0 0 / 0.18),
+      0 4px 14px -6px oklch(from var(--color-primary) l c h / 0.45);
+  }
+  .brand-mark > * { position: relative; z-index: 1; }
+
+
+  /* Skeleton — placeholder block with a slow brand-tinted shimmer.
+     Tuned for the architectural card vocabulary: a softer resting fill
+     (so the skeleton doesn't compete with adjacent content) and a
+     longer, more ambient shimmer cycle that reads as "loading" rather
+     than "anxious." */
+  .skeleton {
+    position: relative;
+    overflow: hidden;
+    background: oklch(from var(--color-muted) l c h / 0.5);
+    border-radius: var(--radius-sm);
+    /* Subtle inner ring so the skeleton has a defined edge when nested
+       inside a card-shell — without it the placeholder visually melts
+       into the card surface. */
+    box-shadow: inset 0 0 0 1px oklch(from var(--color-border) l c h / 0.55);
+  }
+  .skeleton::after {
+    content: "";
+    position: absolute;
+    inset: 0;
+    /* Brand-tinted sweep — alpha is intentionally low so the highlight
+       is more "atmosphere" than "wave." */
+    background: linear-gradient(
+      90deg,
+      transparent,
+      oklch(from var(--color-primary) l c h / 0.08),
+      oklch(from var(--color-foreground) l c h / 0.06),
+      transparent
+    );
+    transform: translateX(-100%);
+    animation: fsh-shimmer 2.4s var(--ease-in-out-cubic) infinite;
+  }
+  .dark .skeleton {
+    background: oklch(from var(--color-muted) l c h / 0.45);
+    box-shadow: inset 0 0 0 1px oklch(1 0 0 / 0.04);
+  }
+  .dark .skeleton::after {
+    background: linear-gradient(
+      90deg,
+      transparent,
+      oklch(from var(--color-primary) l c h / 0.12),
+      oklch(1 0 0 / 0.06),
+      transparent
+    );
+  }
+
+  /* Status dot with breathing pulse. Used by SSE indicator when live. */
+  .pulse-dot {
+    position: relative;
+  }
+  .pulse-dot::before {
+    content: "";
+    position: absolute;
+    inset: -4px;
+    border-radius: 9999px;
+    background: currentColor;
+    opacity: 0.35;
+    animation: fsh-pulse 2.2s var(--ease-out-cubic) infinite;
+  }
+
+  /* (Removed dead classes: glow-frame, text-gradient-brand, btn-shimmer,
+     parallax-orb / parallax-orb-2, float-field, card-spotlight,
+     dot-grid-base / dot-grid-bright. None of these were referenced from
+     TSX/HTML anywhere — they were vestiges of earlier design eras the
+     dentalOS aesthetic moved past. If you grep for one and land here,
+     that's why nothing else turns up.) */
+
+  /* ─────────────────────────────────────────────────────────────────────
+     TOASTS — sonner override · "editorial card" treatment.
+
+     Calm warm-paper card with a single 3px tone-accent stripe pinned
+     to the left edge. The icon sits in a soft tinted square chip; the
+     title wears the display face; description sits in muted body. No
+     backdrop blur, no gradient border, no atmospheric glow, no drain
+     bar — just a refined card that reads as a printed note dropped on
+     the desk.
+  --------------------------------------------------------------------- */
+
+  /* Token map — per-type tone color carried via custom property. */
+  [data-sonner-toaster] [data-sonner-toast].fsh-toast {
+    --fsh-toast-tone: var(--color-foreground);
+  }
+  [data-sonner-toast][data-type="success"].fsh-toast { --fsh-toast-tone: var(--color-success); }
+  [data-sonner-toast][data-type="error"].fsh-toast   { --fsh-toast-tone: var(--color-destructive); }
+  [data-sonner-toast][data-type="warning"].fsh-toast { --fsh-toast-tone: var(--color-warning); }
+  [data-sonner-toast][data-type="info"].fsh-toast    { --fsh-toast-tone: var(--color-info); }
+  [data-sonner-toast][data-type="loading"].fsh-toast { --fsh-toast-tone: var(--color-primary); }
+
+  /* Base shell — warm paper card, soft warm shadow, 14px radius. */
+  [data-sonner-toaster] [data-sonner-toast].fsh-toast {
+    position: relative;
+    display: flex !important;
+    align-items: flex-start;
+    gap: 12px;
+    width: 100%;
+    min-width: 340px;
+    max-width: 380px;
+    padding: 14px 16px 14px 18px;
+
+    background: var(--color-card);
+    color: var(--color-foreground) !important;
+    border: 1px solid var(--color-border);
+    border-radius: 14px;
+    overflow: hidden;
+    font-family: var(--font-sans);
+
+    box-shadow:
+      0 1px 0 0 oklch(1 0 0 / 0.6) inset,
+      0 1px 2px oklch(0 0 0 / 0.04),
+      0 8px 24px -8px oklch(0 0 0 / 0.12),
+      0 24px 48px -16px oklch(0 0 0 / 0.08);
+  }
+  .dark [data-sonner-toaster] [data-sonner-toast].fsh-toast {
+    box-shadow:
+      0 1px 0 0 oklch(1 0 0 / 0.03) inset,
+      0 1px 2px oklch(0 0 0 / 0.4),
+      0 8px 24px -8px oklch(0 0 0 / 0.5),
+      0 24px 48px -16px oklch(0 0 0 / 0.6);
+  }
+
+  /* Left accent stripe — the signature detail. 3px wide, inset from
+     top/bottom by 10px so it reads as a marker, not a border. */
+  [data-sonner-toast].fsh-toast::before {
+    content: "";
+    position: absolute;
+    left: 0;
+    top: 10px;
+    bottom: 10px;
+    width: 3px;
+    border-radius: 0 3px 3px 0;
+    background: var(--fsh-toast-tone);
+  }
+
+  /* Sonner content wrapper — keep its block layout (we use flex on the
+     toast root, not grid). */
+  [data-sonner-toast].fsh-toast > [data-content] {
+    display: flex;
+    flex-direction: column;
+    gap: 2px;
+    min-width: 0;
+    flex: 1;
+    padding-top: 1px;
+  }
+
+  /* Icon chip — soft tinted square. Sonner injects the Lucide glyph
+     via App.tsx's `icons` prop into this slot. */
+  [data-sonner-toast].fsh-toast [data-icon] {
+    flex-shrink: 0;
+    display: inline-flex !important;
+    align-items: center;
+    justify-content: center;
+    width: 30px;
+    height: 30px;
+    margin: 1px 0 0 0 !important;
+    border-radius: 9px;
+    background: color-mix(in oklab, var(--fsh-toast-tone) 12%, var(--color-card));
+    color: var(--fsh-toast-tone);
+    box-shadow: inset 0 0 0 1px color-mix(in oklab, var(--fsh-toast-tone) 22%, transparent);
+  }
+  [data-sonner-toast][data-type="loading"].fsh-toast [data-icon] {
+    background: color-mix(in oklab, var(--color-primary) 10%, var(--color-card));
+  }
+
+  /* Glyph sizing — Lucide icon rendered inside the chip. */
+  [data-sonner-toast].fsh-toast .fsh-toast-glyph {
+    width: 18px;
+    height: 18px;
+    color: var(--fsh-toast-tone);
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-glyph-spin {
+    animation: fsh-toast-glyph-spin 900ms linear infinite;
+  }
+  @keyframes fsh-toast-glyph-spin { to { transform: rotate(360deg); } }
+
+  /* Title — display face, 14px, tight letter-spacing. */
+  [data-sonner-toast].fsh-toast .fsh-toast-title {
+    font-family: var(--font-display);
+    font-size: 14px;
+    font-weight: 600;
+    line-height: 1.35;
+    letter-spacing: -0.015em;
+    color: var(--color-foreground);
+    margin: 0;
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-title::before {
+    display: none !important;
+  }
+
+  /* Description — muted body sans-face. */
+  [data-sonner-toast].fsh-toast .fsh-toast-description {
+    font-family: var(--font-sans);
+    font-size: 12.5px;
+    font-weight: 400;
+    line-height: 1.45;
+    color: var(--color-muted-foreground);
+    margin: 0;
+  }
+
+  /* Close — hover-reveal X button pinned top-right. */
+  [data-sonner-toast].fsh-toast .fsh-toast-close {
+    position: absolute !important;
+    top: 10px !important;
+    right: 10px !important;
+    left: auto !important;
+    width: 20px !important;
+    height: 20px !important;
+    padding: 0 !important;
+    display: inline-flex !important;
+    align-items: center !important;
+    justify-content: center !important;
+    border-radius: 6px !important;
+    background: transparent !important;
+    border: 1px solid transparent !important;
+    color: var(--color-muted-foreground) !important;
+    opacity: 0;
+    transform: none !important;
+    cursor: pointer;
+    transition:
+      opacity 150ms ease,
+      background-color 150ms ease,
+      color 150ms ease;
+  }
+  [data-sonner-toast].fsh-toast:hover .fsh-toast-close {
+    opacity: 1;
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-close:hover {
+    background: var(--color-muted) !important;
+    color: var(--color-foreground) !important;
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-close svg {
+    width: 11px;
+    height: 11px;
+  }
+
+  /* Action + cancel — inline-block under the description. */
+  [data-sonner-toast].fsh-toast .fsh-toast-action {
+    margin-left: auto;
+    margin-top: 6px;
+    padding: 6px 12px !important;
+    font-family: var(--font-sans) !important;
+    font-size: 12px !important;
+    font-weight: 600 !important;
+    letter-spacing: 0.01em;
+    border-radius: 8px !important;
+    background: var(--color-foreground) !important;
+    color: var(--color-background) !important;
+    border: none !important;
+    cursor: pointer;
+    transition: transform 120ms ease, opacity 120ms ease;
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-action:hover {
+    opacity: 0.9;
+    transform: translateY(-1px);
+  }
+  [data-sonner-toast].fsh-toast .fsh-toast-cancel {
+    margin-top: 6px;
+    padding: 6px 12px !important;
+    font-size: 12px !important;
+    font-weight: 500 !important;
+    border-radius: 8px !important;
+    background: transparent !important;
+    color: var(--color-muted-foreground) !important;
+    border: 1px solid var(--color-border) !important;
+  }
+
+  /* Entrance: slide-from-right + fade. */
+  [data-sonner-toaster][data-y-position="top"] [data-sonner-toast].fsh-toast[data-mounted="true"] {
+    animation: fsh-toast-enter 320ms var(--ease-out-cubic) both;
+  }
+  @keyframes fsh-toast-enter {
+    0%   { opacity: 0; transform: translateX(20px) scale(0.98); }
+    100% { opacity: 1; transform: translateX(0)    scale(1);    }
+  }
+  [data-sonner-toaster] [data-sonner-toast].fsh-toast[data-removed="true"] {
+    animation: fsh-toast-exit 200ms var(--ease-out-cubic) forwards;
+  }
+  @keyframes fsh-toast-exit {
+    from { opacity: 1; transform: translateX(0)    scale(1);    }
+    to   { opacity: 0; transform: translateX(14px) scale(0.98); }
+  }
+
+  @media (prefers-reduced-motion: reduce) {
+    [data-sonner-toast].fsh-toast,
+    [data-sonner-toast].fsh-toast .fsh-toast-glyph-spin {
+      animation: none !important;
+    }
+    [data-sonner-toaster] [data-sonner-toast].fsh-toast[data-mounted="true"] {
+      animation: fsh-toast-fade-in 200ms var(--ease-out-cubic) both;
+    }
+    @keyframes fsh-toast-fade-in { from { opacity: 0; } to { opacity: 1; } }
+  }
+
+  /* ── CHAT TOASTS — opt out of the console-card treatment.
+        Sonner appends per-toast `className` to the toaster's global
+        classNames.toast, so the wrapper li carries BOTH .fsh-toast (from
+        FshToaster) AND .fsh-chat-toast-wrapper (per-toast). The rules
+        below neutralise every piece of console-card chrome — the
+        gradient border, the frosted surface, the atmospheric glow, the
+        icon disc, the drain bar, the close button — so the chat card
+        rendered inside the title slot can paint edge-to-edge without
+        the surrounding toast peeking through.
+
+        We deliberately DO NOT `display: none` the title element itself,
+        because sonner hosts the custom JSX inside it. ────────────── */
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper {
+    display: block !important;
+    grid-template-columns: none !important;
+    grid-template-areas: none !important;
+    background: transparent !important;
+    border: none !important;
+    padding: 0 !important;
+    box-shadow: none !important;
+    backdrop-filter: none !important;
+    -webkit-backdrop-filter: none !important;
+  }
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper::before,
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper::after {
+    display: none !important;
+  }
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper [data-icon],
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper .fsh-toast-close {
+    display: none !important;
+  }
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper .fsh-toast-title {
+    grid-area: unset !important;
+    padding: 0 !important;
+    margin: 0 !important;
+    display: block !important;
+    color: inherit !important;
+  }
+  [data-sonner-toast].fsh-toast.fsh-chat-toast-wrapper .fsh-toast-title::before {
+    content: none !important;
+    display: none !important;
+  }
+}
+
+/* ─────────────────────────────────────────────────────────────────────────
+   DENSITY MODE — when `.density-compact` is on :root, tighten the
+   high-leverage paddings and rhythm tokens. Scope to `main` so chrome
+   (sidebar, topbar, dropdown menus) is unaffected.
+
+   The overrides target Tailwind utility classes that the Card / list
+   surfaces use directly, with !important to win the cascade. This is
+   pragmatic rather than purist — if more granular control is needed
+   later, swap to a `--card-py / --card-px` token system on the
+   primitives themselves.
+   ─────────────────────────────────────────────────────────────────────── */
+.density-compact main .space-y-7 > * + * { margin-top: 1.25rem; }
+.density-compact main .space-y-6 > * + * { margin-top: 1rem; }
+.density-compact main .space-y-5 > * + * { margin-top: 0.875rem; }
+.density-compact main .px-6 { padding-left: 1rem !important; padding-right: 1rem !important; }
+.density-compact main .pt-5 { padding-top: 0.75rem !important; }
+.density-compact main .pb-5 { padding-bottom: 0.75rem !important; }
+.density-compact main .py-3 { padding-top: 0.5rem !important; padding-bottom: 0.5rem !important; }
+.density-compact main .py-3\.5 { padding-top: 0.5rem !important; padding-bottom: 0.5rem !important; }
+.density-compact main .py-4 { padding-top: 0.625rem !important; padding-bottom: 0.625rem !important; }
+
+/* ─────────────────────────────────────────────────────────────────────────
+   ENTRY ANIMATIONS — orchestrated stagger on first paint.
+   ─────────────────────────────────────────────────────────────────────── */
+@keyframes fsh-enter {
+  from { opacity: 0; transform: translateY(6px); }
+  to   { opacity: 1; transform: none; }
+}
+.fsh-enter   { animation: fsh-enter var(--duration-slow) var(--ease-out-cubic) both; }
+.fsh-enter-1 { animation-delay:  40ms; }
+.fsh-enter-2 { animation-delay:  90ms; }
+.fsh-enter-3 { animation-delay: 140ms; }
+.fsh-enter-4 { animation-delay: 200ms; }
+.fsh-enter-5 { animation-delay: 260ms; }
 
-.font-display {
-  font-family: var(--font-display);
-  font-weight: 600;
-  letter-spacing: var(--tracking-display);
-  font-feature-settings: "ss01", "ss02";
+/* Modern micro-animations referenced by .brand-mark, .skeleton, .pulse-dot */
+@keyframes fsh-spin    { to { transform: rotate(360deg); } }
+@keyframes fsh-shimmer { to { transform: translateX(100%); } }
+
+@keyframes fsh-pulse {
+  0%   { transform: scale(1);   opacity: 0.40; }
+  70%  { transform: scale(1.7); opacity: 0.00; }
+  100% { transform: scale(1.7); opacity: 0.00; }
+}
+
+/* Dialog enter/exit — overlay fades; content fades + scales + translates
+   from -2px so the dialog "rises" into place.  */
+@keyframes fsh-overlay-in  { from { opacity: 0; }                                   to { opacity: 1; } }
+@keyframes fsh-overlay-out { from { opacity: 1; }                                   to { opacity: 0; } }
+@keyframes fsh-dialog-in   { from { opacity: 0; transform: translate(-50%, -48%) scale(0.96); } to { opacity: 1; transform: translate(-50%, -50%) scale(1); } }
+@keyframes fsh-dialog-out  { from { opacity: 1; transform: translate(-50%, -50%) scale(1); }     to { opacity: 0; transform: translate(-50%, -48%) scale(0.96); } }
+.animate-fsh-overlay-in  { animation: fsh-overlay-in  var(--duration-default) var(--ease-out-cubic) both; }
+.animate-fsh-overlay-out { animation: fsh-overlay-out var(--duration-fast)    var(--ease-out-cubic) both; }
+.animate-fsh-dialog-in   { animation: fsh-dialog-in   var(--duration-slow)    var(--ease-out-cubic) both; }
+.animate-fsh-dialog-out  { animation: fsh-dialog-out  var(--duration-fast)    var(--ease-out-cubic) both; }
+
+/* Sheet (Radix Dialog with side variant) — slides in from the four
+   edges. Consumed by mobile drawer + side sheets. */
+@keyframes fsh-sheet-in-right   { from { transform: translateX( 100%); } to { transform: translateX(0); } }
+@keyframes fsh-sheet-out-right  { from { transform: translateX(0); }     to { transform: translateX( 100%); } }
+@keyframes fsh-sheet-in-left    { from { transform: translateX(-100%); } to { transform: translateX(0); } }
+@keyframes fsh-sheet-out-left   { from { transform: translateX(0); }     to { transform: translateX(-100%); } }
+@keyframes fsh-sheet-in-top     { from { transform: translateY(-100%); } to { transform: translateY(0); } }
+@keyframes fsh-sheet-out-top    { from { transform: translateY(0); }     to { transform: translateY(-100%); } }
+@keyframes fsh-sheet-in-bottom  { from { transform: translateY( 100%); } to { transform: translateY(0); } }
+@keyframes fsh-sheet-out-bottom { from { transform: translateY(0); }     to { transform: translateY( 100%); } }
+.animate-fsh-sheet-in-right   { animation: fsh-sheet-in-right   var(--duration-slow) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-out-right  { animation: fsh-sheet-out-right  var(--duration-fast) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-in-left    { animation: fsh-sheet-in-left    var(--duration-slow) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-out-left   { animation: fsh-sheet-out-left   var(--duration-fast) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-in-top     { animation: fsh-sheet-in-top     var(--duration-slow) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-out-top    { animation: fsh-sheet-out-top    var(--duration-fast) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-in-bottom  { animation: fsh-sheet-in-bottom  var(--duration-slow) var(--ease-out-cubic) both; }
+.animate-fsh-sheet-out-bottom { animation: fsh-sheet-out-bottom var(--duration-fast) var(--ease-out-cubic) both; }
+
+/* Aurora drift — the rose + saffron upper-corner glows breathe slowly.
+   Kept very low amplitude (≤6% drift) so it stays peripheral, never
+   distracting. Two layers now (was three) since the SVG noise tile was
+   replaced with the multiplicative paper grain on body::before. */
+@keyframes fsh-aurora {
+  0%   { background-position:  0% 0%, 100% 0%; }
+  50%  { background-position:  6% 3%,  94% 5%; }
+  100% { background-position:  0% 0%, 100% 0%; }
+}
+
+/* Dot-grid pulse — the mask travels through five waypoints over 16s on
+   a closed path, so the bright zone reads as a single spotlight that's
+   slowly pacing the grid. Position values are sized for a 60% mask. */
+@keyframes fsh-dot-pulse {
+  0%   { -webkit-mask-position: 10%  20%; mask-position: 10%  20%; }
+  25%  { -webkit-mask-position: 70%  10%; mask-position: 70%  10%; }
+  50%  { -webkit-mask-position: 80%  70%; mask-position: 80%  70%; }
+  75%  { -webkit-mask-position: 20%  80%; mask-position: 20%  80%; }
+  100% { -webkit-mask-position: 10%  20%; mask-position: 10%  20%; }
+}
+@media (prefers-reduced-motion: no-preference) {
+  body {
+    background-size: 130% 130%, 130% 130%;
+    animation: fsh-aurora 72s var(--ease-in-out-cubic) infinite;
+  }
+}
+
+/* View Transitions API — owns the dark/light crossfade in Chromium and
+   Safari. The default UA animations cross-dissolve; we only tune
+   duration and easing so the swap matches the rest of the motion
+   system. `mix-blend-mode: normal` overrides the spec's default
+   (`plus-lighter`), which can briefly flash white through bright
+   surfaces during the dissolve. The body's aurora animation pauses on
+   the snapshot — `animation-name: none` on the group prevents it from
+   re-triggering inside the captured pseudo-element. */
+@supports (view-transition-name: root) {
+  ::view-transition-old(root),
+  ::view-transition-new(root) {
+    animation-duration: 260ms;
+    animation-timing-function: var(--ease-out-cubic);
+    mix-blend-mode: normal;
+  }
+  ::view-transition-group(root) { animation-duration: 260ms; }
+}
+
+/* Honour user motion preferences. */
+@media (prefers-reduced-motion: reduce) {
+  *, *::before, *::after {
+    animation-duration: 0.01ms !important;
+    animation-delay: 0ms !important;
+    transition-duration: 0.01ms !important;
+  }
+  body { background-image: none; }
+}
+
+/* App-level override: the Appearance > "Reduce motion" toggle adds
+   `.reduce-motion` on :root to force the same reductions regardless of the
+   OS setting. Mirrors the media query above. */
+.reduce-motion *,
+.reduce-motion *::before,
+.reduce-motion *::after {
+  animation-duration: 0.01ms !important;
+  animation-delay: 0ms !important;
+  transition-duration: 0.01ms !important;
+}
+.reduce-motion body { background-image: none; }
+
+/* CHAT-ONLY page chrome (.chat-typing-dot, .chat-unread-divider,
+   .chat-day-rule, .chat-reaction-chip, .chat-channel-header,
+   .chat-jump-pill, .chat-mention) lives in `pages/chat/chat.css` so
+   Vite extracts it into the chat-route CSS chunk — every other page
+   stops shipping ~3 KB gzip of selectors it'll never use.
+
+   The .chat-status-pill family below stays here because the same
+   primitive is consumed by the global notification-bell footer via
+   RealtimeStatusPill. */
+
+/* Connection-state pill — used in the rail footer + bell footer to honestly
+   reflect SignalR status. The dot pulses while reconnecting. */
+@keyframes fsh-chat-status-pulse {
+  0%, 100% { opacity: 1;   transform: scale(1);    }
+  50%      { opacity: 0.4; transform: scale(0.78); }
+}
+.chat-status-pill {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.4rem;
+  font-family: var(--font-mono);
+  font-size: 10px;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  color: var(--color-muted-foreground);
+}
+.chat-status-pill[data-status="connected"] .chat-status-dot {
+  background-color: var(--color-success);
+  box-shadow: 0 0 0 3px oklch(from var(--color-success) l c h / 0.18);
+}
+.chat-status-pill[data-status="reconnecting"] .chat-status-dot,
+.chat-status-pill[data-status="connecting"]   .chat-status-dot {
+  background-color: var(--color-warning);
+  box-shadow: 0 0 0 3px oklch(from var(--color-warning) l c h / 0.18);
+  animation: fsh-chat-status-pulse 1.2s var(--ease-in-out-cubic) infinite;
 }
+.chat-status-pill[data-status="error"] .chat-status-dot,
+.chat-status-pill[data-status="idle"]  .chat-status-dot {
+  background-color: var(--color-destructive);
+  box-shadow: 0 0 0 3px oklch(from var(--color-destructive) l c h / 0.18);
+}
+.chat-status-dot {
+  width: 6px;
+  height: 6px;
+  border-radius: 9999px;
+  flex-shrink: 0;
+}
+
 
-.font-sans  { font-family: var(--font-sans); }
-.font-mono  { font-family: var(--font-mono); }
+/* ============================================================================
+   LEGACY ADMIN SHIM — temporary bridge during the design unification.
+   ----------------------------------------------------------------------------
+   The admin app is being migrated onto this (the dashboard's) design system
+   phase by phase. Until every admin page/component stops referencing the old
+   "Console" tokens and utility classes, this block keeps them resolving
+   against the new palette so nothing renders broken mid-migration. Each entry
+   is deleted as its consumers migrate (Phases 2–4). Do not add to this block.
+   See docs/superpowers/specs/2026-05-28-admin-dashboard-design-unification-design.md
+   ========================================================================== */
 
-/* Display weight applied to KPI / hero numbers. Tabular figures so columns
-   align when nested in tables; tighter tracking than body. */
-.text-display {
-  font-family: var(--font-display);
-  font-weight: 600;
-  letter-spacing: -0.030em;
-  font-feature-settings: "ss01", "ss02", "tnum";
-  font-variant-numeric: tabular-nums;
+:root {
+  /* Console accent (chartreuse signal) → unified brand. */
+  --accent-signal:              var(--primary);
+  --accent-signal-soft:         var(--primary-soft);
+  --accent-signal-foreground:   var(--primary-foreground);
+  --color-accent-signal:             var(--primary);
+  --color-accent-signal-soft:        var(--primary-soft);
+  --color-accent-signal-foreground:  var(--primary-foreground);
+
+  /* Misc console tokens mapped onto the dashboard system. */
+  --border-emphasis:        var(--foreground);
+  --color-border-emphasis:  var(--foreground);
+  --grid-alpha:             0.04;
+  --tracking-meta:          0.22em;
+
+  /* Card shadow aliases → dashboard elevation steps. */
+  --shadow-card:             var(--shadow-sm);
+  --shadow-card-hover:       var(--shadow-lg);
+  --shadow-card-hover-dark:  var(--shadow-lift);
+  --highlight-top-light:     var(--highlight-top);
+  --highlight-top-dark:      var(--highlight-top);
 }
+.dark { --grid-alpha: 0.05; }
 
-/* Mono crumb — the all-caps lockup used in section rules, KPI tile
-   labels, status meta. Mono + wide tracking + tiny size. */
+/* — Mono crumb (section rule labels, KPI labels, status meta). */
 .meta {
   font-family: var(--font-mono);
   font-size: 0.6875rem;
@@ -403,12 +1244,7 @@
   line-height: 1;
 }
 
-/* ============================================================================
-   Utilities — section rule
-   The double-slash crumb headline used to introduce every page section.
-   The chartreuse hairline overlay at the start is small but recognisable.
-   ========================================================================== */
-
+/* — Double-slash section rule headline. */
 .section-rule {
   position: relative;
   display: flex;
@@ -424,7 +1260,7 @@
   left: 0;
   width: 56px;
   height: 2px;
-  background-color: var(--color-accent-signal);
+  background-color: var(--color-primary);
 }
 .section-rule__crumb {
   font-family: var(--font-mono);
@@ -434,17 +1270,9 @@
   text-transform: uppercase;
   color: var(--color-foreground);
 }
-.section-rule__crumb--muted {
-  color: var(--color-muted-foreground);
-  font-weight: 400;
-}
-
-/* ============================================================================
-   Utilities — gridded canvas
-   Barely-visible 4px subgrid on the page background. Telegraphs "this is
-   a console" without competing with content.
-   ========================================================================== */
+.section-rule__crumb--muted { color: var(--color-muted-foreground); font-weight: 400; }
 
+/* — Gridded canvas + coordinate mesh (console backdrop). */
 .canvas-grid {
   background-image:
     linear-gradient(to right,  currentColor 1px, transparent 1px),
@@ -453,8 +1281,6 @@
   color: oklch(0 0 0 / var(--grid-alpha));
 }
 .dark .canvas-grid { color: oklch(1 0 0 / var(--grid-alpha)); }
-
-/* 32px coordinate grid + 4px subgrid used on Login + Dashboard hero. */
 .canvas-mesh {
   background-image:
     linear-gradient(to right,  oklch(from var(--color-foreground) l c h / 0.06) 1px, transparent 1px),
@@ -464,15 +1290,8 @@
   background-size: 32px 32px, 32px 32px, 4px 4px, 4px 4px;
 }
 
-/* ============================================================================
-   Utilities — terminal caret
-   Slow blink, reads as "system idle, awaiting input" rather than misbehaving.
-   ========================================================================== */
-
-@keyframes caret-blink {
-  0%, 49%   { opacity: 1; }
-  50%, 100% { opacity: 0; }
-}
+/* — Terminal caret. */
+@keyframes caret-blink { 0%, 49% { opacity: 1; } 50%, 100% { opacity: 0; } }
 .caret {
   display: inline-block;
   width: 0.55ch;
@@ -482,131 +1301,24 @@
   background-color: currentColor;
   animation: caret-blink 1.05s steps(1, end) infinite;
 }
-@media (prefers-reduced-motion: reduce) {
-  .caret { animation: none; opacity: 0.6; }
-  /* Tailwind's spinner utility isn't a custom keyframe, so stop it too. */
-  .animate-spin { animation: none; }
-}
-
-/* ============================================================================
-   Utilities — pulse (live indicator)
-   Chartreuse dot with a slow halo expansion. Used on live data + realtime.
-   ========================================================================== */
-
-@keyframes pulse-ring {
-  0%   { transform: scale(1);   opacity: 0.55; }
-  70%  { transform: scale(2.4); opacity: 0;    }
-  100% { transform: scale(2.4); opacity: 0;    }
-}
-.pulse-dot {
-  position: relative;
-  display: inline-block;
-  width: 0.45rem;
-  height: 0.45rem;
-  border-radius: 9999px;
-  background-color: var(--color-accent-signal);
-}
-.pulse-dot::after {
-  content: "";
-  position: absolute;
-  inset: 0;
-  border-radius: 9999px;
-  background-color: var(--color-accent-signal);
-  animation: pulse-ring 2.4s var(--ease-out-cubic) infinite;
-}
-@media (prefers-reduced-motion: reduce) {
-  .pulse-dot::after { animation: none; opacity: 0; }
-}
 
-/* ============================================================================
-   Utilities — entrance animations
-   ========================================================================== */
-
-@keyframes fsh-enter {
-  from { opacity: 0; transform: translateY(6px); }
-  to   { opacity: 1; transform: translateY(0); }
-}
-.fsh-enter   { animation: fsh-enter var(--duration-slow) var(--ease-out-cubic) both; }
+/* — Entrance delays + rule draw (base .fsh-enter comes from the new system). */
 .fsh-enter-1 { animation-delay:  40ms; }
 .fsh-enter-2 { animation-delay:  90ms; }
 .fsh-enter-3 { animation-delay: 140ms; }
 .fsh-enter-4 { animation-delay: 200ms; }
 .fsh-enter-5 { animation-delay: 260ms; }
+@keyframes rule-draw { from { transform: scaleX(0); } to { transform: scaleX(1); } }
+.rule-draw { transform-origin: left; animation: rule-draw var(--duration-slow) var(--ease-out-quart) both; }
 
-@keyframes rule-draw {
-  from { transform: scaleX(0); }
-  to   { transform: scaleX(1); }
-}
-.rule-draw {
-  transform-origin: left;
-  animation: rule-draw var(--duration-slow) var(--ease-out-quart) both;
-}
-
-@media (prefers-reduced-motion: reduce) {
-  .fsh-enter, .fsh-enter-1, .fsh-enter-2, .fsh-enter-3, .fsh-enter-4, .fsh-enter-5,
-  .rule-draw {
-    animation: none;
-  }
-}
-
-/* ============================================================================
-   Utilities — skeleton shimmer
-   ========================================================================== */
-
-.skeleton {
-  position: relative;
-  overflow: hidden;
-  background-color: var(--color-muted);
-  border-radius: var(--radius-md);
-}
-.skeleton::after {
-  content: "";
-  position: absolute;
-  inset: 0;
-  background: linear-gradient(90deg,
-    transparent 0%,
-    oklch(1 0 0 / 0.12) 50%,
-    transparent 100%);
-  animation: skeleton-sweep 1.4s linear infinite;
-}
-.dark .skeleton::after {
-  background: linear-gradient(90deg,
-    transparent 0%,
-    oklch(1 0 0 / 0.05) 50%,
-    transparent 100%);
-}
-@keyframes skeleton-sweep {
-  from { transform: translateX(-100%); }
-  to   { transform: translateX(100%);  }
-}
-@media (prefers-reduced-motion: reduce) {
-  .skeleton::after { animation: none; }
-}
-
-/* ============================================================================
-   Utilities — card surface
-   ========================================================================== */
-
-/* Card — luminous base treatment. The top-edge highlight gives even resting
-   cards a "lit from above" feel; depth comes from elevation rather than
-   border weight (border alpha is intentionally low). */
+/* — Card surfaces. */
 .card-shell {
   background-color: var(--color-card);
   color: var(--color-card-foreground);
   border: 1px solid var(--color-border);
   border-radius: var(--radius-xl);
-  box-shadow: var(--shadow-card), var(--highlight-top-light);
-}
-.dark .card-shell {
-  box-shadow:
-    0 1px 2px 0 oklch(0 0 0 / 0.30),
-    0 1px 3px -1px oklch(0 0 0 / 0.40),
-    var(--highlight-top-dark);
+  box-shadow: var(--shadow-card), var(--highlight-top);
 }
-
-/* Interactive card — a slight lift, a deeper shadow, and a hint of
-   chartreuse on the outer ring at hover. The cubic-bezier matches Apple's
-   standard curve for natural "tap" response. */
 .card-shell-interactive {
   transition:
     transform var(--duration-default) var(--ease-out-cubic),
@@ -617,59 +1329,22 @@
 .card-shell-interactive:hover {
   transform: translateY(-1px);
   border-color: var(--color-border-strong);
-  box-shadow:
-    var(--shadow-card-hover),
-    var(--highlight-top-light),
-    0 0 0 1px oklch(from var(--color-accent-signal) l c h / 0.05);
-}
-.dark .card-shell-interactive:hover {
-  box-shadow:
-    var(--shadow-card-hover-dark),
-    var(--highlight-top-dark),
-    0 0 0 1px oklch(from var(--color-accent-signal) l c h / 0.10);
-}
-@media (prefers-reduced-motion: reduce) {
-  .card-shell-interactive:hover { transform: none; }
+  box-shadow: var(--shadow-card-hover), var(--highlight-top);
 }
-
-/* Card — "luminous" marquee variant. Uses an opt-in gradient border via
-   the background-clip + mask trick. Only apply to genuine hero cards
-   (Login pane, dashboard hero); otherwise prefer the plain card-shell. */
 .card-luminous {
   position: relative;
   border: 1px solid transparent;
   border-radius: var(--radius-xl);
   background:
     linear-gradient(var(--color-card), var(--color-card)) padding-box,
-    linear-gradient(
-      135deg,
-      oklch(from var(--color-accent-signal) l c h / 0.45),
+    linear-gradient(135deg,
+      oklch(from var(--color-primary) l c h / 0.45),
       oklch(from var(--color-border) l c h / 0.6) 35%,
-      oklch(from var(--color-border) l c h / 0.4) 100%
-    ) border-box;
-  box-shadow: var(--shadow-card), var(--highlight-top-light);
-}
-.dark .card-luminous {
-  background:
-    linear-gradient(var(--color-card), var(--color-card)) padding-box,
-    linear-gradient(
-      135deg,
-      oklch(from var(--color-accent-signal) l c h / 0.45),
-      oklch(0.30 0.012 240) 35%,
-      oklch(0.22 0.012 240) 100%
-    ) border-box;
-  box-shadow:
-    0 1px 2px 0 oklch(0 0 0 / 0.30),
-    0 1px 3px -1px oklch(0 0 0 / 0.40),
-    var(--highlight-top-dark);
+      oklch(from var(--color-border) l c h / 0.4) 100%) border-box;
+  box-shadow: var(--shadow-card), var(--highlight-top);
 }
 
-/* ============================================================================
-   Utilities — code chip
-   Mono pill used for IDs, plan keys, invoice numbers. Replaces ad-hoc
-   "we used a Badge for a code thing" inconsistencies.
-   ========================================================================== */
-
+/* — Code chip (IDs, plan keys, invoice numbers). */
 .code-chip {
   display: inline-flex;
   align-items: center;
@@ -685,11 +1360,7 @@
   white-space: nowrap;
 }
 
-/* ============================================================================
-   Misc — legacy monogram tones kept for back-compat (deterministic colour
-   by tenant id, used by the avatar component).
-   ========================================================================== */
-
+/* — Monogram tones (avatar fallback). */
 .mono-tone-0 { background: oklch(0.94 0 0); color: oklch(0.20 0 0); }
 .mono-tone-1 { background: oklch(0.86 0 0); color: oklch(0.18 0 0); }
 .mono-tone-2 { background: oklch(0.32 0 0); color: oklch(0.96 0 0); }
@@ -699,203 +1370,8 @@
 .dark .mono-tone-2 { background: oklch(0.86 0 0); color: oklch(0.18 0 0); }
 .dark .mono-tone-3 { background: oklch(0.96 0 0); color: oklch(0.18 0 0); }
 
-/* ============================================================================
-   Sonner toasts — console card with a per-type tone. Left accent stripe +
-   tinted icon chip carry the semantic; the description is lifted toward the
-   foreground (not pure muted) so it stays legible on the near-black surface.
-   Class names are wired in App.tsx's <FshToaster> toastOptions.classNames.
-   ========================================================================== */
-
-/* Per-type tone, carried via a custom property. */
-[data-sonner-toaster] [data-sonner-toast].fsh-toast { --fsh-toast-tone: var(--color-foreground); }
-[data-sonner-toast][data-type="success"].fsh-toast { --fsh-toast-tone: var(--color-success); }
-[data-sonner-toast][data-type="error"].fsh-toast   { --fsh-toast-tone: var(--color-destructive); }
-[data-sonner-toast][data-type="warning"].fsh-toast { --fsh-toast-tone: var(--color-warning); }
-[data-sonner-toast][data-type="info"].fsh-toast    { --fsh-toast-tone: var(--color-info); }
-[data-sonner-toast][data-type="loading"].fsh-toast { --fsh-toast-tone: var(--color-primary); }
-
-/* Base shell. */
-[data-sonner-toaster] [data-sonner-toast].fsh-toast {
-  position: relative;
-  display: flex !important;
-  align-items: flex-start;
-  gap: 12px;
-  width: 100%;
-  min-width: 340px;
-  max-width: 400px;
-  padding: 13px 16px 13px 18px;
-
-  background: var(--color-card);
-  color: var(--color-foreground) !important;
-  border: 1px solid var(--color-border-strong);
-  border-radius: 12px;
-  overflow: hidden;
-  font-family: var(--font-sans);
-
-  box-shadow:
-    0 1px 0 0 oklch(1 0 0 / 0.5) inset,
-    0 1px 2px oklch(0 0 0 / 0.05),
-    0 10px 28px -10px oklch(0 0 0 / 0.18);
-}
-.dark [data-sonner-toaster] [data-sonner-toast].fsh-toast {
-  box-shadow:
-    0 1px 0 0 oklch(1 0 0 / 0.04) inset,
-    0 1px 2px oklch(0 0 0 / 0.45),
-    0 12px 32px -10px oklch(0 0 0 / 0.6);
-}
-
-/* Left accent stripe — 3px marker inset from the rounded corners. */
-[data-sonner-toast].fsh-toast::before {
-  content: "";
-  position: absolute;
-  left: 0;
-  top: 10px;
-  bottom: 10px;
-  width: 3px;
-  border-radius: 0 3px 3px 0;
-  background: var(--fsh-toast-tone);
-}
-
-/* Content column (sonner wraps title + description in [data-content]). */
-[data-sonner-toast].fsh-toast > [data-content] {
-  display: flex;
-  flex-direction: column;
-  gap: 2px;
-  min-width: 0;
-  flex: 1;
-  padding-top: 1px;
-}
-
-/* Icon chip — soft tinted square holding the Lucide glyph. */
-[data-sonner-toast].fsh-toast [data-icon] {
-  flex-shrink: 0;
-  display: inline-flex !important;
-  align-items: center;
-  justify-content: center;
-  width: 30px;
-  height: 30px;
-  margin: 1px 0 0 0 !important;
-  border-radius: 8px;
-  background: color-mix(in oklab, var(--fsh-toast-tone) 13%, var(--color-card));
-  color: var(--fsh-toast-tone);
-  box-shadow: inset 0 0 0 1px color-mix(in oklab, var(--fsh-toast-tone) 24%, transparent);
-}
-[data-sonner-toast][data-type="loading"].fsh-toast [data-icon] {
-  background: color-mix(in oklab, var(--color-primary) 10%, var(--color-card));
-}
-[data-sonner-toast].fsh-toast .fsh-toast-glyph {
-  width: 18px;
-  height: 18px;
-  color: var(--fsh-toast-tone);
-}
-[data-sonner-toast].fsh-toast .fsh-toast-glyph-spin {
-  animation: fsh-toast-glyph-spin 900ms linear infinite;
-}
-@keyframes fsh-toast-glyph-spin { to { transform: rotate(360deg); } }
-
-/* Title — display face, tight. */
-[data-sonner-toast].fsh-toast .fsh-toast-title {
-  font-family: var(--font-display);
-  font-size: 14px;
-  font-weight: 600;
-  line-height: 1.35;
-  letter-spacing: -0.015em;
-  color: var(--color-foreground);
-  margin: 0;
-}
-[data-sonner-toast].fsh-toast .fsh-toast-title::before { display: none !important; }
-
-/* Description — lifted toward foreground for readability (the fix). */
-[data-sonner-toast].fsh-toast .fsh-toast-description {
-  font-family: var(--font-sans);
-  font-size: 12.5px;
-  font-weight: 400;
-  line-height: 1.5;
-  color: color-mix(in oklab, var(--color-foreground) 62%, var(--color-muted-foreground)) !important;
-  margin: 0;
-}
-
-/* Close — hover-reveal X pinned top-right. */
-[data-sonner-toast].fsh-toast .fsh-toast-close {
-  position: absolute !important;
-  top: 9px !important;
-  right: 9px !important;
-  left: auto !important;
-  width: 20px !important;
-  height: 20px !important;
-  padding: 0 !important;
-  display: inline-flex !important;
-  align-items: center !important;
-  justify-content: center !important;
-  border-radius: 6px !important;
-  background: transparent !important;
-  border: 1px solid transparent !important;
-  color: var(--color-muted-foreground) !important;
-  opacity: 0;
-  transform: none !important;
-  cursor: pointer;
-  transition: opacity 150ms ease, background-color 150ms ease, color 150ms ease;
-}
-[data-sonner-toast].fsh-toast:hover .fsh-toast-close,
-[data-sonner-toast].fsh-toast:focus-within .fsh-toast-close { opacity: 1; }
-[data-sonner-toast].fsh-toast .fsh-toast-close:hover {
-  background: var(--color-muted) !important;
-  color: var(--color-foreground) !important;
-}
-[data-sonner-toast].fsh-toast .fsh-toast-close svg { width: 11px; height: 11px; }
-
-/* Action + cancel buttons. */
-[data-sonner-toast].fsh-toast .fsh-toast-action {
-  margin-left: auto;
-  margin-top: 6px;
-  padding: 6px 12px !important;
-  font-family: var(--font-sans) !important;
-  font-size: 12px !important;
-  font-weight: 600 !important;
-  letter-spacing: 0.01em;
-  border-radius: 8px !important;
-  background: var(--color-foreground) !important;
-  color: var(--color-background) !important;
-  border: none !important;
-  cursor: pointer;
-  transition: transform 120ms ease, opacity 120ms ease;
-}
-[data-sonner-toast].fsh-toast .fsh-toast-action:hover {
-  opacity: 0.9;
-  transform: translateY(-1px);
-}
-[data-sonner-toast].fsh-toast .fsh-toast-cancel {
-  margin-top: 6px;
-  padding: 6px 12px !important;
-  font-size: 12px !important;
-  font-weight: 500 !important;
-  border-radius: 8px !important;
-  background: transparent !important;
-  color: var(--color-muted-foreground) !important;
-  border: 1px solid var(--color-border) !important;
-}
-
-/* Entrance / exit. */
-[data-sonner-toaster][data-y-position="top"] [data-sonner-toast].fsh-toast[data-mounted="true"] {
-  animation: fsh-toast-enter 300ms var(--ease-out-cubic) both;
-}
-@keyframes fsh-toast-enter {
-  0%   { opacity: 0; transform: translateX(18px) scale(0.98); }
-  100% { opacity: 1; transform: translateX(0)    scale(1);    }
-}
-[data-sonner-toaster] [data-sonner-toast].fsh-toast[data-removed="true"] {
-  animation: fsh-toast-exit 180ms var(--ease-out-cubic) forwards;
-}
-@keyframes fsh-toast-exit {
-  from { opacity: 1; transform: translateX(0)    scale(1);    }
-  to   { opacity: 0; transform: translateX(14px) scale(0.98); }
-}
-
 @media (prefers-reduced-motion: reduce) {
-  [data-sonner-toast].fsh-toast,
-  [data-sonner-toast].fsh-toast .fsh-toast-glyph-spin { animation: none !important; }
-  [data-sonner-toaster] [data-sonner-toast].fsh-toast[data-mounted="true"] {
-    animation: fsh-toast-fade-in 180ms var(--ease-out-cubic) both;
-  }
-  @keyframes fsh-toast-fade-in { from { opacity: 0; } to { opacity: 1; } }
+  .caret { animation: none; opacity: 0.6; }
+  .fsh-enter-1, .fsh-enter-2, .fsh-enter-3, .fsh-enter-4, .fsh-enter-5, .rule-draw { animation: none; }
+  .card-shell-interactive:hover { transform: none; }
 }
diff --git a/clients/dashboard/src/components/layout/impersonation-banner.tsx b/clients/dashboard/src/components/layout/impersonation-banner.tsx
index 6c122493b3..3e367ee5a9 100644
--- a/clients/dashboard/src/components/layout/impersonation-banner.tsx
+++ b/clients/dashboard/src/components/layout/impersonation-banner.tsx
@@ -79,19 +79,6 @@ export function ImpersonationBanner() {
         backgroundColor: "var(--color-muted)",
       }}
     >
-      {/* Soft tone wash — radial in the tone color from the top-left.
-          Replaces the previous diagonal-stripe alarm with the editorial
-          surface treatment used on the overview welcome panel. */}
-      <span
-        aria-hidden
-        className="pointer-events-none absolute inset-0 -z-10"
-        style={{
-          background: `radial-gradient(60% 90% at 0% 0%, oklch(from ${tone} l c h / ${
-            isCrossTenant ? 0.14 : 0.10
-          }), transparent 75%)`,
-        }}
-      />
-
       {/* Left ribbon — 2px tone strip only for cross-tenant. Subtle but
           scannable for an operator skimming the chrome. */}
       {isCrossTenant && (
@@ -109,7 +96,7 @@ export function ImpersonationBanner() {
           aria-hidden
           className="grid h-8 w-8 shrink-0 place-items-center rounded-xl"
           style={{
-            background: `linear-gradient(135deg, oklch(from ${tone} l c h / 0.22), oklch(from ${tone} l c h / 0.04))`,
+            backgroundColor: `oklch(from ${tone} l c h / 0.14)`,
             color: tone,
             boxShadow: `inset 0 0 0 1px oklch(from ${tone} l c h / 0.32)`,
           }}
diff --git a/clients/dashboard/src/components/layout/mobile-nav.tsx b/clients/dashboard/src/components/layout/mobile-nav.tsx
index 0192e677b4..5ac6f81630 100644
--- a/clients/dashboard/src/components/layout/mobile-nav.tsx
+++ b/clients/dashboard/src/components/layout/mobile-nav.tsx
@@ -116,7 +116,7 @@ export function MobileNavRoot() {
 
         <div className="border-t border-[var(--color-border)] px-5 py-3">
           <p className="font-mono text-[10.5px] uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
-            v0.1 · console
+            v0.1 · dashboard
           </p>
         </div>
       </SheetContent>
diff --git a/clients/dashboard/src/components/layout/sidebar.tsx b/clients/dashboard/src/components/layout/sidebar.tsx
index 931791d6d1..0bdf8c9921 100644
--- a/clients/dashboard/src/components/layout/sidebar.tsx
+++ b/clients/dashboard/src/components/layout/sidebar.tsx
@@ -102,7 +102,7 @@ export function Sidebar() {
                 fullstack<span className="text-[var(--color-primary)]">hero</span>
               </span>
               <span className="mt-1 text-[10px] font-semibold uppercase tracking-wider text-[oklch(from_var(--color-muted-foreground)_l_c_h_/_0.7)]">
-                Console
+                Dashboard
               </span>
             </div>
           )}
@@ -158,7 +158,7 @@ export function Sidebar() {
           </button>
         ) : (
           <p className="font-mono text-[10.5px] uppercase tracking-[0.12em] text-[var(--color-muted-foreground)]">
-            v0.1 · console
+            v0.1 · dashboard
           </p>
         )}
       </div>
diff --git a/clients/dashboard/src/pages/chat/channel-rail.tsx b/clients/dashboard/src/pages/chat/channel-rail.tsx
index d93ab858cc..b452fbe003 100644
--- a/clients/dashboard/src/pages/chat/channel-rail.tsx
+++ b/clients/dashboard/src/pages/chat/channel-rail.tsx
@@ -25,6 +25,7 @@ import { RealtimeStatusPill } from "@/components/realtime/realtime-status-pill";
 import { cn } from "@/lib/cn";
 import { useUserDisplay } from "@/lib/use-user-display";
 import { usePresence } from "@/realtime/use-presence";
+import { useRealtimeEvent } from "@/realtime/realtime-context";
 import { channelTitle } from "@/pages/chat/chat-utils";
 
 /**
@@ -53,12 +54,25 @@ export function ChannelRail({
   const [createChannelOpen, setCreateChannelOpen] = useState(false);
   const [newDmOpen, setNewDmOpen] = useState(false);
 
+  const queryClient = useQueryClient();
+
   const channelsQuery = useQuery({
     queryKey: ["chat", "my-channels"],
     queryFn: () => listMyChannels({ pageSize: 100 }),
     staleTime: 30_000,
   });
 
+  // A new conversation just became relevant to us (someone DM'd us, or we were
+  // added to a channel). The hub pushes ChatChannelAdded to our user:{id} group —
+  // which every tab joins on connect — so refresh the rail to surface it without a
+  // reload. Opening the conversation then joins its channel:{id} group for live
+  // messages (see chat-page's JoinChannel invoke).
+  useRealtimeEvent<{ channelId: string }>(
+    "ChatChannelAdded",
+    () => void queryClient.invalidateQueries({ queryKey: ["chat", "my-channels"] }),
+    [queryClient],
+  );
+
   const channels = useMemo(() => channelsQuery.data ?? [], [channelsQuery.data]);
 
   const { namedChannels, dms } = useMemo(() => {
diff --git a/clients/dashboard/src/pages/chat/chat-page.tsx b/clients/dashboard/src/pages/chat/chat-page.tsx
index ed4f073264..9f926ba6ef 100644
--- a/clients/dashboard/src/pages/chat/chat-page.tsx
+++ b/clients/dashboard/src/pages/chat/chat-page.tsx
@@ -25,7 +25,7 @@ import {
 import { useAuth } from "@/auth/use-auth";
 import { ChannelRail } from "@/pages/chat/channel-rail";
 import { ChannelSettingsDialog } from "@/pages/chat/channel-settings";
-import { ChatPinnedDropdown } from "@/pages/chat/chat-pinned";
+import { ChatPinnedBar } from "@/pages/chat/chat-pinned";
 import { ChatSearchOverlay } from "@/pages/chat/chat-search";
 import { Composer } from "@/pages/chat/composer";
 import {
@@ -36,6 +36,7 @@ import { TypingIndicator } from "@/pages/chat/typing-indicator";
 import { channelTitle } from "@/pages/chat/chat-utils";
 import { cn } from "@/lib/cn";
 import { useUserDisplay } from "@/lib/use-user-display";
+import { useRealtime } from "@/realtime/realtime-context";
 
 /**
  * /chat — top-level chat shell.
@@ -151,6 +152,17 @@ function ActiveChannel({
   const [searching, setSearching] = useState(false);
   const [settingsOpen, setSettingsOpen] = useState(false);
   const messageListRef = useRef<MessageListHandle | null>(null);
+  const { invoke, status } = useRealtime();
+
+  // Join this channel's realtime group whenever it's opened, and re-join when the
+  // socket (re)connects. AppHub.OnConnectedAsync only pre-joins channels that existed
+  // at connect time, so a DM/channel opened later — or created after the socket came
+  // up — wouldn't receive live messages until a reload without this. The hub method is
+  // membership-gated and idempotent, so calling it on every open/reconnect is safe.
+  useEffect(() => {
+    if (status !== "connected") return;
+    void invoke("JoinChannel", channelId);
+  }, [channelId, status, invoke]);
 
   // Clear ephemeral state when the user switches channels.
   useEffect(() => {
@@ -285,15 +297,6 @@ function ActiveChannel({
           >
             <Search className="size-3.5" />
           </button>
-          <ChatPinnedDropdown
-            channelId={channelId}
-            onJump={(id) => {
-              const ok = messageListRef.current?.jumpToMessage(id) ?? false;
-              if (!ok) {
-                toast.info("That message is older than the loaded window.");
-              }
-            }}
-          />
           {channel.type === 2 && (
             <button
               type="button"
@@ -315,6 +318,18 @@ function ActiveChannel({
         selfUserId={selfUserId}
       />
 
+      {/* Pinned-messages bar — slim strip under the header; hidden when the
+          channel has nothing pinned. Click to review/jump to pins. */}
+      <ChatPinnedBar
+        channelId={channelId}
+        onJump={(id) => {
+          const ok = messageListRef.current?.jumpToMessage(id) ?? false;
+          if (!ok) {
+            toast.info("That message is older than the loaded window.");
+          }
+        }}
+      />
+
       {/* Message list — fills the remaining height. */}
       <div className="min-h-0 flex-1">
         <MessageList
diff --git a/clients/dashboard/src/pages/chat/chat-pinned.tsx b/clients/dashboard/src/pages/chat/chat-pinned.tsx
index 586235110f..8c4d20fb63 100644
--- a/clients/dashboard/src/pages/chat/chat-pinned.tsx
+++ b/clients/dashboard/src/pages/chat/chat-pinned.tsx
@@ -1,6 +1,6 @@
 import { useState } from "react";
 import { useQuery } from "@tanstack/react-query";
-import { Pin } from "lucide-react";
+import { ChevronDown, Pin } from "lucide-react";
 import { listPinnedMessages, type MessageDto } from "@/api/chat";
 import {
   DropdownMenu,
@@ -13,12 +13,14 @@ import { useUserDisplay } from "@/lib/use-user-display";
 import { shortDateTime } from "@/pages/chat/chat-utils";
 
 /**
- * Pinned messages dropdown — anchored to a Pin icon button in the channel
- * header. Lists pinned messages most-recently-pinned-first; click a row
- * to jump to the message in the feed (which scrolls + flashes via the
+ * Pinned-messages bar — a slim strip under the channel header that surfaces
+ * how many messages are pinned and opens a list to review/jump to them.
+ * Renders nothing when the channel has no pins. Replaces the old unlabelled
+ * header pin glyph: a labelled, counted bar is far more discoverable.
+ * Clicking a row jumps the feed to the message (scroll + flash via the
  * MessageList handle).
  */
-export function ChatPinnedDropdown({
+export function ChatPinnedBar({
   channelId,
   onJump,
 }: {
@@ -27,56 +29,69 @@ export function ChatPinnedDropdown({
 }) {
   const [open, setOpen] = useState(false);
 
+  // Eager (not gated on `open`) so the bar knows the count and can show or
+  // hide itself. Kept fresh by the pin/unpin mutation + realtime handlers,
+  // which invalidate this exact key.
   const pinnedQuery = useQuery({
     queryKey: ["chat", "pinned", channelId],
     queryFn: () => listPinnedMessages(channelId),
-    enabled: open,
     staleTime: 60_000,
   });
 
   const pinned = pinnedQuery.data ?? [];
+  // No bar until there's something pinned — keeps the chrome quiet by default.
+  if (pinned.length === 0) return null;
 
   return (
     <DropdownMenu open={open} onOpenChange={setOpen}>
       <DropdownMenuTrigger asChild>
         <button
           type="button"
-          aria-label="Pinned messages"
-          title="Pinned messages"
+          aria-label={`${pinned.length} pinned ${pinned.length === 1 ? "message" : "messages"}, click to review`}
           className={cn(
-            "grid h-8 w-8 cursor-pointer place-items-center rounded-md",
-            "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+            "flex w-full shrink-0 cursor-pointer items-center gap-2 px-4 py-1.5 text-[12px]",
+            "border-b border-[var(--color-border)] bg-[oklch(from_var(--color-primary)_l_c_h_/_0.06)]",
+            "text-[var(--color-muted-foreground)]",
             "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
+            "hover:bg-[oklch(from_var(--color-primary)_l_c_h_/_0.10)] hover:text-[var(--color-foreground)]",
           )}
         >
-          <Pin className="h-3.5 w-3.5" />
+          <Pin className="h-3.5 w-3.5 shrink-0 text-[var(--color-primary)]" aria-hidden />
+          <span className="font-medium">
+            {pinned.length} pinned {pinned.length === 1 ? "message" : "messages"}
+          </span>
+          <ChevronDown
+            className={cn(
+              "ml-auto h-3.5 w-3.5 transition-transform duration-[var(--duration-fast)]",
+              open && "rotate-180",
+            )}
+            aria-hidden
+          />
         </button>
       </DropdownMenuTrigger>
-      <DropdownMenuContent align="end" className="w-[320px] p-0">
+      <DropdownMenuContent
+        align="start"
+        sideOffset={0}
+        className="w-[min(420px,calc(100vw-2rem))] p-0"
+      >
         <div className="border-b border-[var(--color-border)] px-3 py-2">
           <p className="text-[11px] font-semibold uppercase tracking-wider text-[var(--color-muted-foreground)]">
             Pinned messages
           </p>
         </div>
         <div className="max-h-[60vh] overflow-y-auto">
-          {pinnedQuery.isLoading ? (
-            <Placeholder label="Loading…" />
-          ) : pinned.length === 0 ? (
-            <Placeholder label="Nothing pinned in this channel yet." />
-          ) : (
-            <ul className="divide-y divide-[var(--color-border)]">
-              {pinned.map((m) => (
-                <PinnedRow
-                  key={m.id}
-                  message={m}
-                  onPick={() => {
-                    onJump(m.id);
-                    setOpen(false);
-                  }}
-                />
-              ))}
-            </ul>
-          )}
+          <ul className="divide-y divide-[var(--color-border)]">
+            {pinned.map((m) => (
+              <PinnedRow
+                key={m.id}
+                message={m}
+                onPick={() => {
+                  onJump(m.id);
+                  setOpen(false);
+                }}
+              />
+            ))}
+          </ul>
         </div>
       </DropdownMenuContent>
     </DropdownMenu>
@@ -133,12 +148,3 @@ function PinnedRow({
   );
 }
 
-function Placeholder({ label }: { label: string; mono?: boolean }) {
-  return (
-    <div className="px-3 py-8 text-center">
-      <p className="text-[13px] text-[var(--color-muted-foreground)]">
-        {label}
-      </p>
-    </div>
-  );
-}
diff --git a/clients/dashboard/src/pages/chat/message.tsx b/clients/dashboard/src/pages/chat/message.tsx
index fcc69d1dca..4ef86b9359 100644
--- a/clients/dashboard/src/pages/chat/message.tsx
+++ b/clients/dashboard/src/pages/chat/message.tsx
@@ -1,4 +1,4 @@
-import { useEffect, useLayoutEffect, useMemo, useRef, useState } from "react";
+import { forwardRef, useEffect, useLayoutEffect, useMemo, useRef, useState } from "react";
 import { useNavigate } from "react-router-dom";
 import { useMutation, useQueryClient } from "@tanstack/react-query";
 import { Download, Eye, Paperclip, Pencil, Pin, PinOff, SmilePlus, Trash2 } from "lucide-react";
@@ -157,7 +157,7 @@ export function Message({
 
       <div
         className={cn(
-          "flex min-w-0 max-w-[78%] flex-col",
+          "relative flex min-w-0 max-w-[78%] flex-col",
           isOwn ? "items-end" : "items-start",
         )}
       >
@@ -264,6 +264,11 @@ export function Message({
           )}
         </div>
 
+        {/* Hover action rail — anchored to the bubble's column so it tucks
+            into the margin right beside the bubble (left of own messages,
+            right of others) instead of drifting to the far pane edge. */}
+        <MessageActions message={message} isOwn={isOwn} onReply={onReply} />
+
         {/* Reactions — align toward the bubble's outer edge. */}
         {reactions.length > 0 && (
           <div
@@ -293,10 +298,6 @@ export function Message({
           />
         )}
       </div>
-
-      {/* Hover action rail — floats in the empty space opposite the bubble
-          (left side for own, right side for others). */}
-      <MessageActions message={message} isOwn={isOwn} onReply={onReply} />
     </div>
   );
 }
@@ -741,17 +742,52 @@ function MessageActions({
     <>
       <div
         className={cn(
-          "absolute top-1 z-10 hidden gap-0.5 rounded-lg border border-[var(--color-border)]",
+          "absolute top-0 z-10 hidden gap-0.5 rounded-lg border border-[var(--color-border)]",
           "bg-[var(--color-popover)] p-0.5 shadow-[var(--shadow-md)]",
-          "group-hover/message:flex",
-          // Float on the empty side: own messages sit right, so the rail
-          // floats on the left; other messages sit left, so the rail floats right.
-          isOwn ? "left-3" : "right-3",
+          // Keep the rail mounted while its emoji picker is open so the
+          // portaled picker stays anchored to a visible trigger.
+          pickerOpen ? "flex" : "group-hover/message:flex",
+          // Float in the margin immediately beside the bubble (anchored to the
+          // bubble's column, not the pane): own messages sit right so the rail
+          // tucks just left of the bubble; others sit left so it tucks right.
+          isOwn ? "right-full mr-1.5" : "left-full ml-1.5",
         )}
       >
-        <ActionButton title="React" onClick={() => setPickerOpen((v) => !v)}>
-          <SmilePlus className="h-3.5 w-3.5" />
-        </ActionButton>
+        {/* React — a portaled menu so the picker can't be clipped or
+            click-blocked by the next virtualized message row (the old
+            absolutely-positioned picker overflowed its row and the row
+            below stole the clicks). */}
+        <DropdownMenu open={pickerOpen} onOpenChange={setPickerOpen}>
+          <DropdownMenuTrigger asChild>
+            <ActionButton title="React">
+              <SmilePlus className="h-3.5 w-3.5" />
+            </ActionButton>
+          </DropdownMenuTrigger>
+          <DropdownMenuContent
+            side="top"
+            align={isOwn ? "end" : "start"}
+            className="flex w-auto min-w-0 gap-1 p-1"
+          >
+            {QUICK_REACTIONS.map((emoji) => (
+              <button
+                key={emoji}
+                type="button"
+                aria-label={`React with ${emoji}`}
+                onClick={() => {
+                  reactMutation.mutate(emoji);
+                  setPickerOpen(false);
+                }}
+                className={cn(
+                  "grid h-8 w-8 cursor-pointer place-items-center rounded-md text-base",
+                  "hover:bg-[var(--color-accent)]",
+                  "transition-transform duration-[var(--duration-fast)] hover:scale-110",
+                )}
+              >
+                {emoji}
+              </button>
+            ))}
+          </DropdownMenuContent>
+        </DropdownMenu>
         {!message.parentMessageId && onReply && (
           <ActionButton title="Reply" onClick={() => onReply(message)}>
             <span className="text-[12px] font-semibold leading-none">↪</span>
@@ -783,35 +819,6 @@ function MessageActions({
         )}
       </div>
 
-      {pickerOpen && (
-        <div
-          className={cn(
-            "absolute top-9 z-20 flex gap-1 rounded-lg border border-[var(--color-border)]",
-            "bg-[var(--color-popover)] p-1 shadow-[var(--shadow-lg)]",
-            isOwn ? "left-3" : "right-3",
-          )}
-        >
-          {QUICK_REACTIONS.map((emoji) => (
-            <button
-              key={emoji}
-              type="button"
-              aria-label={`React with ${emoji}`}
-              onClick={() => {
-                reactMutation.mutate(emoji);
-                setPickerOpen(false);
-              }}
-              className={cn(
-                "grid h-8 w-8 cursor-pointer place-items-center rounded-md text-base",
-                "hover:bg-[var(--color-accent)]",
-                "transition-transform duration-[var(--duration-fast)] hover:scale-110",
-              )}
-            >
-              {emoji}
-            </button>
-          ))}
-        </div>
-      )}
-
       {editing && (
         <EditMessageInline
           message={message}
@@ -888,35 +895,33 @@ function DeleteMessageDialog({
   );
 }
 
-function ActionButton({
-  title,
-  onClick,
-  destructive,
-  children,
-}: {
-  title: string;
-  onClick: () => void;
-  destructive?: boolean;
-  children: React.ReactNode;
-}) {
+// forwardRef + prop spread so this can serve as a Radix `asChild` trigger
+// (the React button is a DropdownMenuTrigger) — Radix injects ref, onClick,
+// and aria/data-state props that must reach the underlying <button>.
+const ActionButton = forwardRef<
+  HTMLButtonElement,
+  React.ComponentPropsWithoutRef<"button"> & { destructive?: boolean }
+>(function ActionButton({ title, destructive, children, className, ...rest }, ref) {
   return (
     <button
-      type="button"
+      ref={ref}
       title={title}
       aria-label={title}
-      onClick={onClick}
       className={cn(
         "grid h-7 w-7 cursor-pointer place-items-center rounded-md",
         "transition-colors duration-[var(--duration-fast)] ease-[var(--ease-out-cubic)]",
         destructive
           ? "text-[var(--color-destructive)] hover:bg-[oklch(from_var(--color-destructive)_l_c_h_/_0.10)]"
           : "text-[var(--color-muted-foreground)] hover:bg-[var(--color-accent)] hover:text-[var(--color-foreground)]",
+        className,
       )}
+      {...rest}
+      type="button"
     >
       {children}
     </button>
   );
-}
+});
 
 function EditMessageInline({
   message,
@@ -965,7 +970,7 @@ function EditMessageInline({
   };
 
   return (
-    <div className="ml-12 mt-1.5 space-y-1.5">
+    <div className="mt-1.5 w-full space-y-1.5">
       <div
         className={cn(
           "relative rounded-xl border bg-[var(--color-card)] transition-all",
diff --git a/docs/superpowers/specs/2026-05-28-admin-dashboard-design-unification-design.md b/docs/superpowers/specs/2026-05-28-admin-dashboard-design-unification-design.md
new file mode 100644
index 0000000000..13d95794a6
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-28-admin-dashboard-design-unification-design.md
@@ -0,0 +1,212 @@
+# Admin → Dashboard Design Unification
+
+- **Date:** 2026-05-28
+- **Status:** Draft (awaiting review)
+- **Author:** Claude (with Mukesh)
+- **Approach:** A — copy/mirror the dashboard's design system into the admin app
+- **Tracking branch:** `feat/admin-dashboard-unification`
+
+## 1. Summary
+
+Reskin the operator app (`clients/admin`) so it adopts the tenant app's
+(`clients/dashboard`) design system **wholesale** — tokens, component library,
+layout chrome, and page structures — until the two apps are visually
+indistinguishable in look-and-feel (differing only in their feature sets and
+navigation targets).
+
+This is a **multi-phase program**, not a single change. Each phase is built,
+linted, type-checked, and visually eyeballed before the next begins.
+
+## 2. Context
+
+The repo ships two React 19 + Vite 7 SPAs that already share an architecture
+(TanStack Query v5, React Router 7, Radix + Tailwind v4 shadcn-style, a
+hand-written `apiFetch`, runtime `/config.json`). They deliberately diverged in
+*visual language*:
+
+- **admin** — "Console": an editorial-terminal aesthetic. `// CONSOLE`
+  masthead, `\ SECTION` mono-caps markers, sharp dark-first chrome, a
+  chartreuse-lime (`--signal-*`) accent, a grid-texture canvas, and a
+  documentation-aside form layout (`FormShell`/`FormSection` with a fixed 18rem
+  left rail).
+- **dashboard** — a warmer, calmer editorial card system: header-bar section
+  cards (`SettingsSection`), a warm brand/saffron accent, softer surfaces, an
+  editorial numbered settings nav, a command palette, and space-efficient
+  `sm:grid-cols-2` field layouts.
+
+**Decision (owner):** unify on the **dashboard's** language. The admin app's
+distinct console identity (masthead, `\` markers, chartreuse signal, grid
+texture) is intentionally retired in favor of one consistent system.
+
+### Why this is worth doing
+- The dashboard layout is materially more space-efficient — the admin's 18rem
+  description rail and width-capped single-column forms waste horizontal space
+  on every editor page.
+- The dashboard's component set is richer and more polished (dropdown-menu,
+  avatar, switch, command palette, presigned `ImageInput`, a complete toast
+  theme).
+- One language across both apps lowers cognitive load for operators who use
+  both and reduces design drift.
+
+## 3. End state ("done" looks like)
+
+- `clients/admin/src/styles/globals.css` is a copy of the dashboard's token
+  system (palette, surfaces, radii, shadows, motion, fonts, base, utilities),
+  adapted only where admin genuinely needs an extra token.
+- `clients/admin/src/components/ui/*` matches the dashboard's component set and
+  styling (plus the dashboard-only components admin now needs: `avatar`,
+  `dropdown-menu`, `switch`).
+- The admin app shell (sidebar + topbar) reads as the dashboard's shell, not
+  the `// CONSOLE` masthead.
+- Every admin page uses the dashboard's section-card / field-grid layout
+  vocabulary. No page still uses `FormShell`/`FormSection`'s 18rem rail.
+- Avatar upload uses the dashboard's presigned `ImageInput` (fixes the current
+  data-URL-vs-2048-cap bug as a by-product).
+- `npm run build` (tsc + vite) and `eslint` pass for `clients/admin`; the
+  Playwright suite still passes (selectors updated where markup changed).
+
+## 4. Approach
+
+**Chosen: A — copy/mirror.** Port the dashboard's tokens/components/pages into
+admin file-by-file. Two independent apps that happen to look identical. Simplest
+mental model, no monorepo/workspace tooling, each app still builds and deploys
+on its own.
+
+**Rejected for now:**
+- **B — shared design-system package.** Single source of truth, zero drift, but
+  a large upfront refactor (workspace tooling, move components, rewire imports
+  in *both* apps) before any visible result.
+- **C — hybrid (copy now, extract later).** Reasonable, but the owner chose a
+  clean copy/mirror; extraction can be reconsidered if maintaining two copies
+  becomes painful (see Open Questions).
+
+**Consequence of A:** any future design change must be applied to both apps.
+Accepted.
+
+## 5. Non-goals
+
+- No backend/API changes (except none — purely `clients/admin`).
+- No change to admin's **routes, permissions, RouteGuards, or data layer**
+  (`src/api/*`, query keys). This is a visual/structural reskin only.
+- Not touching `clients/dashboard` (it is the reference, not a target).
+- Not introducing new features to admin; pages keep their current capabilities.
+- Not adopting dashboard-only *features* that admin has no backend for (e.g.
+  command palette is optional and deferred — see Phase 3).
+
+## 6. Inventory
+
+### 6.1 Token layer
+Both apps expose the same semantic layer via `@theme inline`
+(`--color-foreground`, `--color-card`, `--color-border`, `--color-primary`,
+`--color-muted-foreground`, `--surface-1..4`, `--color-success/warning/info/
+destructive`, `--ease-out-cubic`, `--font-display/mono`, …). This shared
+surface is what makes copy/mirror safe — components keep referencing the same
+names; only the *values* change.
+
+| | admin (current) | dashboard (target) |
+|---|---|---|
+| Accent scale | `--signal-*` (chartreuse) | `--brand-*` + `--color-saffron` (warm) |
+| Neutrals | `--neutral-*` hue 240 | dashboard neutrals (untinted; see memory) |
+| Extras | `--accent-signal*`, `--grid-alpha` | `--color-overlay`, `--color-primary-hover`, `--chart-*`, `--font-feature-*` |
+
+**Reconciliation:** copy the dashboard's `:root`/`.dark`/`@theme inline`
+blocks verbatim, then add the *handful* of admin-only tokens still referenced by
+not-yet-migrated admin code so nothing breaks mid-migration; remove them as the
+referencing components migrate.
+
+### 6.2 Components
+
+| Group | admin has | dashboard has | action |
+|---|---|---|---|
+| `ui/` | badge, button, card, dialog, input, label, skeleton, table | + avatar, dropdown-menu, switch (no table) | port dashboard versions; **keep** admin's `table` (dashboard has none), restyled to tokens |
+| layout | app-shell, sidebar, topbar, mobile-nav, nav-items, sidebar-content | layout/* (dashboard shell) | rebuild admin shell on the dashboard pattern |
+| list | `FormShell`/`FormSection`/`FormActions`, `PageHeader`, `SectionRule` | `SettingsSection`, `Field`, `EntityPageHeader`, list primitives | replace admin form primitives with dashboard equivalents |
+| file | — | `ImageInput` + `use-file-upload` + `api/files` | port for avatar + any image fields |
+
+### 6.3 Pages (admin → dashboard analog)
+audits (list/detail) · auth (confirm-email/forgot-password/reset-password) ·
+billing (invoices/plans/layout) · dashboard(overview) · health · impersonation ·
+login · not-found · notifications/inbox · roles (list/create/detail) · settings
+(layout/profile/security/sessions/appearance) · tenants (list/create/detail) ·
+users (list/create/detail) · webhooks (list/detail).
+
+The dashboard has close analogs for most (identity↔roles/users, settings/*,
+health, audits, login, auth/*, overview↔dashboard). Admin-only pages (tenants,
+impersonation, billing-plan authoring, webhooks) get the *vocabulary* applied
+without a 1:1 source page.
+
+## 7. The program (phases)
+
+> Ordering is bottom-up: foundation first so each later layer renders correctly
+> against the new base. Every phase ends green (build + lint + type-check) and
+> is committed before the next starts.
+
+### Phase 1 — Tokens & global styles
+Port the dashboard's `globals.css` into admin (palette, surfaces, radii,
+shadows, motion, fonts, base layer, shared utilities, sonner block). Reconcile
+token names (§6.1). Drop admin's grid-texture canvas + `// CONSOLE` chrome
+styling. **Exit:** admin builds; pages render with the new palette (some still
+structurally old — acceptable mid-program).
+
+### Phase 2 — Shared UI primitives + form layout
+Port/align `ui/*` (button, input, badge, card, dialog, label, skeleton; add
+avatar, dropdown-menu, switch; restyle `table`). Replace `FormShell`/
+`FormSection`/`FormActions` usages with `SettingsSection` + `Field`. Port the
+`list/` primitives and `EntityPageHeader`. **Exit:** primitives match the
+dashboard; a sample page (Settings/Profile) fully converted as the reference.
+
+### Phase 3 — App shell
+Rebuild `components/layout/*` (sidebar, topbar, mobile-nav) on the dashboard's
+shell. Retire the `// CONSOLE` masthead and `platform · administration ·
+interface` footer. Command palette: **deferred/optional** (port only if low
+effort; not required for "done"). **Exit:** navigating admin feels like the
+dashboard shell.
+
+### Phase 4 — Pages (sub-phased, each its own commit)
+Apply the section-card/field-grid vocabulary page-group by page-group, in
+rising blast-radius order:
+1. **settings/** (profile + **presigned avatar via `ImageInput`**, security,
+   sessions, appearance, layout)
+2. **roles/** + **users/** (list/create/detail)
+3. **tenants/** (list/create/detail — reuses the already-fixed provisioning UI)
+4. **billing/**, **webhooks/**, **audits/**, **notifications/**, **health/**,
+   **impersonation/**
+5. **auth/** + **login** + **not-found** + **dashboard(overview)**
+
+**Exit:** no page references retired primitives; Playwright selectors updated.
+
+## 8. Verification (every phase)
+- `cd clients/admin && npm run build` (tsc -b + vite build) — must pass
+  (`TreatWarningsAsErrors` analog: tsc is strict).
+- `npx eslint .` — clean.
+- `npx playwright test` for the touched suites — green (update route-mocked
+  selectors where markup changed; mocks themselves shouldn't need changes since
+  the data layer is untouched).
+- Manual: run the admin dev server, eyeball the migrated pages in light + dark.
+
+## 9. Risks & mitigations
+- **Mid-migration breakage** (a component restyled before its consumers) →
+  keep admin-only tokens alive until their consumers migrate (§6.1); phases are
+  bottom-up so consumers migrate after primitives.
+- **Playwright drift** — markup/class changes break selectors → update
+  selectors per page-group in the same commit; data mocks stay valid (data
+  layer untouched).
+- **Scope creep into features** — strict non-goals (§5); reskin only.
+- **Unrelated in-flight work** — the working tree currently carries someone
+  else's uncommitted chat/realtime changes; this program touches only
+  `clients/admin/**` (+ this spec) and never stages those files.
+- **Identity loss is intentional** — the console aesthetic is being retired by
+  explicit owner decision; not a regression.
+
+## 10. Rollback
+Each phase is an isolated commit on `feat/admin-dashboard-unification`. Any
+phase can be reverted independently. The whole program lives behind one PR; if
+abandoned, the branch is dropped with zero impact on `main` or the dashboard.
+
+## 11. Open questions
+- **Shared package later?** If drift between the two copies becomes painful,
+  revisit Approach B (extract `packages/ui`). Out of scope for this program.
+- **Command palette in admin?** Deferred. Decide during Phase 3 based on effort.
+- **`table` primitive** — admin has one the dashboard lacks; keep + restyle, or
+  replace admin's table-using pages with the dashboard's list-row pattern?
+  Resolve when Phase 4 reaches the first table page.
diff --git a/src/BuildingBlocks/Web/Realtime/AppHub.cs b/src/BuildingBlocks/Web/Realtime/AppHub.cs
index 092d6386ec..bab929aca5 100644
--- a/src/BuildingBlocks/Web/Realtime/AppHub.cs
+++ b/src/BuildingBlocks/Web/Realtime/AppHub.cs
@@ -173,6 +173,29 @@ await Clients.OthersInGroup($"channel:{channelId}")
             .SendAsync("ChatTypingStarted", new { channelId, userId }, Context.ConnectionAborted)
             .ConfigureAwait(false);
     }
+
+    /// <summary>
+    /// Client invokes <c>JoinChannel(channelId)</c> when it opens a conversation.
+    /// <see cref="OnConnectedAsync"/> only pre-joins the channels that existed — and that the user
+    /// was already a member of — at connect time. A DM/channel created, or a membership granted,
+    /// <em>after</em> the socket is live would otherwise never receive <c>channel:{id}</c> broadcasts
+    /// until the page reloads and a fresh connection re-enumerates memberships. This joins the group
+    /// on demand, gated by the same membership check used for typing. Idempotent — re-joining a group
+    /// you're already in is a no-op, so the client can call it freely on open and on reconnect.
+    /// </summary>
+    public async Task JoinChannel(Guid channelId)
+    {
+        var userId = GetUserId();
+        if (string.IsNullOrEmpty(userId)) return;
+
+        if (!await _membership.IsMemberAsync(channelId, userId, Context.ConnectionAborted).ConfigureAwait(false))
+        {
+            return;
+        }
+
+        await Groups.AddToGroupAsync(Context.ConnectionId, $"channel:{channelId}", Context.ConnectionAborted)
+            .ConfigureAwait(false);
+    }
 }
 
 internal static partial class AppHubLog
diff --git a/src/Modules/Chat/Modules.Chat/Features/v1/Channels/FindOrCreateDm/FindOrCreateDmCommandHandler.cs b/src/Modules/Chat/Modules.Chat/Features/v1/Channels/FindOrCreateDm/FindOrCreateDmCommandHandler.cs
index 6ff5839067..1bca898711 100644
--- a/src/Modules/Chat/Modules.Chat/Features/v1/Channels/FindOrCreateDm/FindOrCreateDmCommandHandler.cs
+++ b/src/Modules/Chat/Modules.Chat/Features/v1/Channels/FindOrCreateDm/FindOrCreateDmCommandHandler.cs
@@ -1,15 +1,18 @@
 using FSH.Framework.Core.Context;
 using FSH.Framework.Core.Exceptions;
+using FSH.Framework.Web.Realtime;
 using FSH.Modules.Chat.Contracts.v1.Commands;
 using FSH.Modules.Chat.Data;
 using FSH.Modules.Chat.Domain;
 using Mediator;
+using Microsoft.AspNetCore.SignalR;
 using Microsoft.EntityFrameworkCore;
 
 namespace FSH.Modules.Chat.Features.v1.Channels.FindOrCreateDm;
 
 public sealed class FindOrCreateDmCommandHandler(
     ChatDbContext db,
+    IHubContext<AppHub> hub,
     ICurrentUser currentUser)
     : ICommandHandler<FindOrCreateDmCommand, Guid>
 {
@@ -42,6 +45,7 @@ public async ValueTask<Guid> Handle(FindOrCreateDmCommand cmd, CancellationToken
             var dm = ChatChannel.CreateDirect(currentUserId, otherIds[0]);
             db.Channels.Add(dm);
             await db.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
+            await NotifyChannelAddedAsync(dm.Id, otherIds, cancellationToken).ConfigureAwait(false);
             return dm.Id;
         }
 
@@ -51,6 +55,24 @@ public async ValueTask<Guid> Handle(FindOrCreateDmCommand cmd, CancellationToken
         var group = ChatChannel.CreateGroupDm(allUserIds, currentUserId);
         db.Channels.Add(group);
         await db.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
+        await NotifyChannelAddedAsync(group.Id, otherIds, cancellationToken).ConfigureAwait(false);
         return group.Id;
     }
+
+    /// <summary>
+    /// Tell every other participant's open tabs that a new conversation exists so their channel rail
+    /// refreshes without a reload. Targets each user's <c>user:{id}</c> group — always joined on connect
+    /// (see <see cref="AppHub.OnConnectedAsync"/>) — because their live sockets aren't in the new
+    /// <c>channel:{id}</c> group yet; the client joins that on demand when it opens the conversation.
+    /// The caller's own rail refreshes via the mutation's <c>onSuccess</c> on the client.
+    /// </summary>
+    private async Task NotifyChannelAddedAsync(Guid channelId, IEnumerable<string> otherUserIds, CancellationToken cancellationToken)
+    {
+        foreach (var uid in otherUserIds)
+        {
+            await hub.Clients.Group($"user:{uid}")
+                .SendAsync("ChatChannelAdded", new { channelId }, cancellationToken)
+                .ConfigureAwait(false);
+        }
+    }
 }
diff --git a/src/Modules/Multitenancy/Modules.Multitenancy/MultitenancyModule.cs b/src/Modules/Multitenancy/Modules.Multitenancy/MultitenancyModule.cs
index 13924065dd..06c74ad78e 100644
--- a/src/Modules/Multitenancy/Modules.Multitenancy/MultitenancyModule.cs
+++ b/src/Modules/Multitenancy/Modules.Multitenancy/MultitenancyModule.cs
@@ -5,6 +5,7 @@
 using Finbuckle.MultiTenant.EntityFrameworkCore.Stores;
 using Finbuckle.MultiTenant.Extensions;
 using Finbuckle.MultiTenant.Stores;
+using FSH.Framework.Core.Exceptions;
 using FSH.Framework.Persistence;
 using FSH.Framework.Shared.Constants;
 using FSH.Framework.Shared.Multitenancy;
@@ -148,6 +149,45 @@ public void ConfigureMiddleware(IApplicationBuilder app)
             }
             await next(ctx).ConfigureAwait(false);
         });
+
+        // ── Deactivated-tenant guard ───────────────────────────────────
+        // Deactivation was previously a data-only flag with no enforcement:
+        // a deactivated tenant's users could still log in and call the API
+        // (the token handler never checked it, and Finbuckle resolves inactive
+        // tenants like any other). This post-auth guard — running before every
+        // endpoint, so it also covers the anonymous login/refresh requests —
+        // rejects any request whose resolved tenant is non-root and inactive.
+        //
+        // Operators (callers whose JWT tenant claim is "root") are exempt so
+        // they can still manage/reactivate or inspect a deactivated tenant
+        // cross-tenant (incl. via the root-operator override above).
+        app.Use(async (ctx, next) =>
+        {
+            var callerTenant = ctx.User?.FindFirstValue(ClaimConstants.Tenant);
+            var isOperator = string.Equals(callerTenant, MultitenancyConstants.Root.Id, StringComparison.Ordinal);
+            if (!isOperator)
+            {
+                var accessor = ctx.RequestServices.GetRequiredService<IMultiTenantContextAccessor<AppTenantInfo>>();
+                var tenant = accessor.MultiTenantContext?.TenantInfo;
+
+                // Finbuckle's claim strategy no-ops pre-auth, so an authenticated
+                // request carrying its tenant only in the JWT (no header) may have
+                // no resolved tenant here — fall back to the caller's claim.
+                if (tenant is null && !string.IsNullOrEmpty(callerTenant))
+                {
+                    var store = ctx.RequestServices.GetRequiredService<IMultiTenantStore<AppTenantInfo>>();
+                    tenant = await store.GetAsync(callerTenant).ConfigureAwait(false);
+                }
+
+                if (tenant is { IsActive: false } &&
+                    !string.Equals(tenant.Id, MultitenancyConstants.Root.Id, StringComparison.Ordinal))
+                {
+                    throw new ForbiddenException("This tenant has been deactivated. Contact your administrator.");
+                }
+            }
+
+            await next(ctx).ConfigureAwait(false);
+        });
     }
 
     public void MapEndpoints(IEndpointRouteBuilder endpoints)
diff --git a/src/Modules/Multitenancy/Modules.Multitenancy/Services/TenantService.cs b/src/Modules/Multitenancy/Modules.Multitenancy/Services/TenantService.cs
index ddff37a99b..2382b76369 100644
--- a/src/Modules/Multitenancy/Modules.Multitenancy/Services/TenantService.cs
+++ b/src/Modules/Multitenancy/Modules.Multitenancy/Services/TenantService.cs
@@ -1,4 +1,5 @@
 using Finbuckle.MultiTenant.Abstractions;
+using Finbuckle.MultiTenant.Stores;
 using FSH.Framework.Core.Exceptions;
 using FSH.Framework.Persistence;
 using FSH.Framework.Shared.Multitenancy;
@@ -52,6 +53,7 @@ public async Task<string> ActivateAsync(string id, CancellationToken cancellatio
         tenant.Activate();
 
         await _tenantStore.UpdateAsync(tenant).ConfigureAwait(false);
+        await RefreshTenantCacheAsync(tenant).ConfigureAwait(false);
 
         return $"tenant {id} is now activated";
     }
@@ -119,6 +121,7 @@ public async Task<string> DeactivateAsync(string id, CancellationToken cancellat
 
         tenant.Deactivate();
         await _tenantStore.UpdateAsync(tenant).ConfigureAwait(false);
+        await RefreshTenantCacheAsync(tenant).ConfigureAwait(false);
         return $"tenant {id} is now deactivated";
     }
 
@@ -174,4 +177,21 @@ public async Task<DateTime> UpgradeSubscriptionAsync(string id, DateTime extende
     private async Task<AppTenantInfo> GetTenantInfoAsync(string id, CancellationToken cancellationToken = default) =>
         await _tenantStore.GetAsync(id).ConfigureAwait(false)
             ?? throw new NotFoundException($"{typeof(AppTenantInfo).Name} {id} Not Found.");
+
+    // Finbuckle resolves tenants through the distributed-cache store first
+    // (60-min TTL), and the injected store above only writes to the EF store —
+    // so an IsActive flip wouldn't take effect until the cache expired, and the
+    // deactivated-tenant guard would keep seeing the stale "active" copy. Push
+    // the new state straight into the cache store so the guard (and tenant
+    // resolution everywhere) sees it on the very next request.
+    private async Task RefreshTenantCacheAsync(AppTenantInfo tenant)
+    {
+        var cacheStore = _serviceProvider
+            .GetServices<IMultiTenantStore<AppTenantInfo>>()
+            .FirstOrDefault(s => s.GetType() == typeof(DistributedCacheStore<AppTenantInfo>));
+        if (cacheStore is not null)
+        {
+            await cacheStore.UpdateAsync(tenant).ConfigureAwait(false);
+        }
+    }
 }
\ No newline at end of file
diff --git a/src/Tests/Integration.Tests/Tests/Chat/JoinChannelTests.cs b/src/Tests/Integration.Tests/Tests/Chat/JoinChannelTests.cs
new file mode 100644
index 0000000000..1167ad2a9b
--- /dev/null
+++ b/src/Tests/Integration.Tests/Tests/Chat/JoinChannelTests.cs
@@ -0,0 +1,230 @@
+using System.Net.Http.Json;
+using Finbuckle.MultiTenant;
+using Finbuckle.MultiTenant.Abstractions;
+using FSH.Framework.Shared.Multitenancy;
+using FSH.Modules.Chat.Contracts.v1.DTOs;
+using FSH.Modules.Identity.Domain;
+using Integration.Tests.Infrastructure;
+using Integration.Tests.Infrastructure.Extensions;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.SignalR.Client;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Integration.Tests.Tests.Chat;
+
+/// <summary>
+/// Covers the <c>JoinChannel</c> hub method: <see cref="FSH.Framework.Web.Realtime.AppHub.OnConnectedAsync"/>
+/// only pre-joins channels that existed (and the user was a member of) at connect time, so a channel that
+/// becomes relevant *after* the socket is live needs an on-demand join or its group broadcasts never arrive
+/// until the page reloads. This is the root cause of "the recipient doesn't see the message until refresh".
+/// </summary>
+[Collection(FshCollectionDefinition.Name)]
+public sealed class JoinChannelTests
+{
+    private const string ChatBasePath = "/api/v1/chat";
+    private const string HubPath = "/api/v1/realtime/hub";
+    private static readonly TimeSpan EventTimeout = TimeSpan.FromSeconds(5);
+
+    private readonly FshWebApplicationFactory _factory;
+    private readonly AuthHelper _auth;
+
+    public JoinChannelTests(FshWebApplicationFactory factory)
+    {
+        _factory = factory;
+        _auth = new AuthHelper(factory);
+    }
+
+    [Fact]
+    public async Task JoinChannel_Should_Deliver_Messages_For_A_Channel_Joined_After_Connect()
+    {
+        using var adminClient = await _auth.CreateRootAdminClientAsync();
+        var (peer, peerToken) = await RegisterAndSignInAsync(adminClient, "joiner");
+
+        // Channel exists, but the peer connects BEFORE being added — so OnConnectedAsync
+        // does not pre-join them to channel:{id}. This is the live-conversation scenario.
+        var channelId = await CreateChannelAsync(adminClient, Unique("Join"));
+        await using var peerHub = await ConnectAsync(peerToken);
+        using var peerInbox = new EventInbox<MessageDto>(peerHub, "ChatMessageCreated");
+
+        await AddMemberAsync(adminClient, channelId, peer.Id);
+
+        // The fix: the client joins the group on demand once the channel is open.
+        await peerHub.InvokeAsync("JoinChannel", channelId);
+
+        await SendMessageAsync(adminClient, channelId, "live to a late joiner");
+
+        var received = await peerInbox.WaitForFirstAsync(m => m.ChannelId == channelId, EventTimeout);
+        received.ShouldNotBeNull("a member that joined the channel after connecting should receive live messages");
+        received.Body.ShouldBe("live to a late joiner");
+    }
+
+    [Fact]
+    public async Task JoinChannel_Should_Not_Add_NonMembers_To_The_Group()
+    {
+        using var adminClient = await _auth.CreateRootAdminClientAsync();
+        var (_, peerToken) = await RegisterAndSignInAsync(adminClient, "outsider");
+
+        // Peer is never added as a member.
+        var channelId = await CreateChannelAsync(adminClient, Unique("Guard"));
+        await using var peerHub = await ConnectAsync(peerToken);
+        using var peerInbox = new EventInbox<MessageDto>(peerHub, "ChatMessageCreated");
+
+        // Membership check must reject this — the connection stays out of the group.
+        await peerHub.InvokeAsync("JoinChannel", channelId);
+
+        await SendMessageAsync(adminClient, channelId, "should not leak");
+
+        var received = await peerInbox.WaitForFirstAsync(m => m.ChannelId == channelId, TimeSpan.FromSeconds(2));
+        received.ShouldBeNull("a non-member must not be added to the channel group by JoinChannel");
+    }
+
+    // ─── helpers ─────────────────────────────────────────────────────
+
+    private static string Unique(string prefix) => $"chat-{prefix}-{Guid.NewGuid().ToString("N")[..8]}";
+
+    private async Task<HubConnection> ConnectAsync(string accessToken)
+    {
+        var connection = new HubConnectionBuilder()
+            .WithUrl(
+                $"http://localhost{HubPath}?access_token={Uri.EscapeDataString(accessToken)}",
+                options =>
+                {
+                    options.HttpMessageHandlerFactory = _ => _factory.Server.CreateHandler();
+                    options.WebSocketFactory = (_, _) => throw new NotSupportedException();
+                    options.SkipNegotiation = false;
+                    options.Transports = Microsoft.AspNetCore.Http.Connections.HttpTransportType.LongPolling;
+                    options.Headers["tenant"] = TestConstants.RootTenantId;
+                })
+            .Build();
+        await connection.StartAsync();
+        return connection;
+    }
+
+    private static async Task<Guid> CreateChannelAsync(HttpClient client, string name)
+    {
+        using var response = await client.PostAsJsonAsync($"{ChatBasePath}/channels", new
+        {
+            name,
+            description = (string?)null,
+            isPrivate = false,
+        });
+        return await response.DeserializeAsync<Guid>();
+    }
+
+    private static async Task AddMemberAsync(HttpClient client, Guid channelId, string userId)
+    {
+        using var response = await client.PostAsJsonAsync($"{ChatBasePath}/channels/{channelId}/members", new
+        {
+            channelId,
+            userIds = new[] { userId },
+        });
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.NoContent);
+    }
+
+    private static async Task SendMessageAsync(HttpClient client, Guid channelId, string body)
+    {
+        using var response = await client.PostAsJsonAsync(
+            $"{ChatBasePath}/channels/{channelId}/messages",
+            new { body, parentMessageId = (Guid?)null, attachments = Array.Empty<object>() });
+        response.EnsureSuccessStatusCode();
+    }
+
+    private async Task<(UserCredentials user, string accessToken)> RegisterAndSignInAsync(HttpClient adminClient, string prefix)
+    {
+        var unique = Guid.NewGuid().ToString("N")[..8];
+        var email = $"{prefix}-{unique}@example.com";
+        var userName = $"{prefix}{unique}";
+        const string password = "Test@1234!";
+
+        using var response = await adminClient.PostAsJsonAsync($"{TestConstants.IdentityBasePath}/register", new
+        {
+            firstName = prefix,
+            lastName = "Test",
+            email,
+            userName,
+            password,
+            confirmPassword = password,
+        });
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.Created);
+        var registered = await response.DeserializeAsync<RegisterResult>();
+
+        // Bypass /register's email-confirmation gate.
+        using var scope = _factory.Services.CreateScope();
+        var tenant = await scope.ServiceProvider.GetRequiredService<IMultiTenantStore<AppTenantInfo>>()
+            .GetAsync(TestConstants.RootTenantId);
+        scope.ServiceProvider.GetRequiredService<IMultiTenantContextSetter>().MultiTenantContext =
+            new MultiTenantContext<AppTenantInfo>(tenant);
+        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<FshUser>>();
+        var user = await userManager.FindByIdAsync(registered.UserId);
+        user.ShouldNotBeNull();
+        if (!user!.EmailConfirmed)
+        {
+            user.EmailConfirmed = true;
+            (await userManager.UpdateAsync(user)).Succeeded.ShouldBeTrue();
+        }
+
+        var token = await _auth.GetTokenAsync(email, password);
+        return (new UserCredentials(registered.UserId, userName, email), token.AccessToken);
+    }
+
+    private sealed record UserCredentials(string Id, string UserName, string Email);
+
+    private sealed class EventInbox<T> : IDisposable
+    {
+        private readonly System.Collections.Concurrent.ConcurrentQueue<T> _items = new();
+        private readonly System.Threading.SemaphoreSlim _signal = new(0);
+        private readonly IDisposable _subscription;
+
+        public EventInbox(HubConnection connection, string eventName)
+        {
+            _subscription = connection.On<T>(eventName, payload =>
+            {
+                _items.Enqueue(payload);
+                _signal.Release();
+            });
+        }
+
+        public async Task<T?> WaitForFirstAsync(Func<T, bool> predicate, TimeSpan timeout)
+        {
+            using var cts = new CancellationTokenSource(timeout);
+            if (TryFindMatch(predicate, out var prearrived))
+            {
+                return prearrived;
+            }
+            try
+            {
+                while (await _signal.WaitAsync(timeout, cts.Token).ConfigureAwait(false))
+                {
+                    if (TryFindMatch(predicate, out var hit)) return hit;
+                }
+            }
+            catch (OperationCanceledException) { /* timeout — return default */ }
+            return default;
+        }
+
+        private bool TryFindMatch(Func<T, bool> predicate, out T match)
+        {
+            var snapshot = new List<T>();
+            while (_items.TryDequeue(out var item)) snapshot.Add(item);
+            int idx = snapshot.FindIndex(p => predicate(p));
+            if (idx < 0)
+            {
+                foreach (var item in snapshot) _items.Enqueue(item);
+                match = default!;
+                return false;
+            }
+            match = snapshot[idx];
+            for (int i = 0; i < snapshot.Count; i++)
+            {
+                if (i != idx) _items.Enqueue(snapshot[i]);
+            }
+            return true;
+        }
+
+        public void Dispose()
+        {
+            _subscription.Dispose();
+            _signal.Dispose();
+        }
+    }
+}
diff --git a/src/Tests/Integration.Tests/Tests/Multitenancy/TenantActivationTests.cs b/src/Tests/Integration.Tests/Tests/Multitenancy/TenantActivationTests.cs
index b919d54daf..101997e44d 100644
--- a/src/Tests/Integration.Tests/Tests/Multitenancy/TenantActivationTests.cs
+++ b/src/Tests/Integration.Tests/Tests/Multitenancy/TenantActivationTests.cs
@@ -5,10 +5,12 @@ namespace Integration.Tests.Tests.Multitenancy;
 [Collection(FshCollectionDefinition.Name)]
 public sealed class TenantActivationTests
 {
+    private readonly FshWebApplicationFactory _factory;
     private readonly AuthHelper _auth;
 
     public TenantActivationTests(FshWebApplicationFactory factory)
     {
+        _factory = factory;
         _auth = new AuthHelper(factory);
     }
 
@@ -68,4 +70,52 @@ public async Task ChangeTenantActivation_Should_DeactivateAndReactivate_When_Ten
         // Both should succeed if provisioning completed, otherwise at least one
         (deactivateResponse.IsSuccessStatusCode || reactivateResponse.IsSuccessStatusCode).ShouldBeTrue();
     }
+
+    [Fact]
+    public async Task DeactivatedTenant_Should_Be_Denied_At_Login()
+    {
+        using var adminClient = await _auth.CreateRootAdminClientAsync();
+        var uniqueId = Guid.NewGuid().ToString("N")[..8];
+        var tenantId = $"blocked-{uniqueId}";
+
+        var createResponse = await adminClient.PostAsJsonAsync(TestConstants.TenantsBasePath, new
+        {
+            id = tenantId,
+            name = $"Blocked Tenant {uniqueId}",
+            connectionString = (string?)null,
+            adminEmail = $"blocked-{uniqueId}@tenant.com",
+            adminPassword = TestConstants.DefaultPassword,
+            issuer = "blocked.issuer"
+        });
+        createResponse.StatusCode.ShouldBe(HttpStatusCode.Created);
+
+        // While active, a login attempt reaches the token handler (and fails on
+        // credentials) — the tenant guard does NOT short-circuit it.
+        (await TryIssueTokenAsync(tenantId)).ShouldNotBe(HttpStatusCode.Forbidden);
+
+        var deactivate = await adminClient.PostAsJsonAsync(
+            $"{TestConstants.TenantsBasePath}/{tenantId}/activation",
+            new { tenantId, isActive = false });
+        deactivate.StatusCode.ShouldBe(HttpStatusCode.OK);
+
+        // Once deactivated, the tenant guard rejects the request before the
+        // token handler runs → 403. Regression guard for "a deactivated tenant
+        // can still log in via the dashboard".
+        (await TryIssueTokenAsync(tenantId)).ShouldBe(HttpStatusCode.Forbidden);
+    }
+
+    // Anonymous token request scoped to a tenant via the `tenant` header, with
+    // deliberately invalid credentials. We assert on the status the pipeline
+    // returns (401 when the handler runs, 403 when the tenant guard blocks it),
+    // so the test never depends on the tenant's admin being provisioned yet.
+    private async Task<HttpStatusCode> TryIssueTokenAsync(string tenantId)
+    {
+        using var client = _factory.CreateClient();
+        using var request = new HttpRequestMessage(
+            HttpMethod.Post, $"{TestConstants.IdentityBasePath}/token/issue");
+        request.Headers.Add("tenant", tenantId);
+        request.Content = JsonContent.Create(new { email = "nobody@example.com", password = "Wrong-Password-1!" });
+        using var response = await client.SendAsync(request);
+        return response.StatusCode;
+    }
 }