diff --git a/.claude/launch.json b/.claude/launch.json
index 3d042e0..f613898 100644
--- a/.claude/launch.json
+++ b/.claude/launch.json
@@ -4,7 +4,7 @@
     {
       "name": "production",
       "runtimeExecutable": "pnpm",
-      "runtimeArgs": ["--filter", "@redline/api", "dev"],
+      "runtimeArgs": ["--filter", "@unsyphn/api", "dev"],
       "port": 3005,
       "env": { "PORT": "3005" },
       "autoPort": false
@@ -12,8 +12,8 @@
     {
       "name": "web",
       "runtimeExecutable": "pnpm",
-      "runtimeArgs": ["--filter", "@redline/web", "dev"],
-      "port": 4004,
+      "runtimeArgs": ["--filter", "@unsyphn/web", "dev"],
+      "port": 4321,
       "autoPort": false
     }
   ]
diff --git a/BUILD.md b/BUILD.md
new file mode 100644
index 0000000..2c7d7de
--- /dev/null
+++ b/BUILD.md
@@ -0,0 +1,346 @@
+# BUILD.md — Multi-Agent Execution Plan
+
+**Spec:** [plan.md](plan.md) (locked, do not re-debate during build).
+**Branch:** `saasb2b` · **Mode:** parallel where safe, sequential where required.
+
+---
+
+## Overview
+
+Five waves. **Strict file-ownership boundaries** prevent agent collisions
+(no two agents touch the same file in the same wave). **Hard gates** between
+waves: `pnpm typecheck && pnpm test` must be green before the next wave starts.
+**Max 3 concurrent agents per wave** (global rule: coordination cost dominates beyond that).
+
+```
+Wave 1  Foundation        ───3 agents in parallel───►  GATE: typecheck + grep clean
+Wave 2  App shell         ───1 agent (sequential)──►   GATE: shell renders, body.app-mode toggles
+Wave 3  Screens           ───3 agents in parallel───►  GATE: each route renders w/ seed data
+Wave 4  Cross-cutting     ───2 agents in parallel───►  GATE: ⌘K + role param both work
+Wave 5  Polish + review   ───1 build + 1 reviewer───►  GATE: AA clean, PR ready
+```
+
+---
+
+## Architecture Changes (file ownership matrix)
+
+| Path | Owner agent | Wave |
+|---|---|---|
+| `apps/web/src/styles/tokens.css` (new) | A | 1 |
+| `apps/web/src/styles/app.css` (new) | A | 1 |
+| `apps/web/src/styles.css` (delete) | A | 1 |
+| `apps/api/src/db/change-reports.ts` (delete) | B | 1 |
+| `apps/api/src/db/changeReports.ts` | B | 1 |
+| `apps/api/src/seed/loader.ts` | B | 1 |
+| `apps/api/src/routes/changes.ts` | B | 1 |
+| `public/app/**/*` (delete all) | C | 1 |
+| `apps/web/public/app/**/*` (delete all) | C | 1 |
+| Global "Unsyphn" → "Unsyphn" (grep -ril) | C | 1 |
+| `apps/web/src/App.tsx` | D | 2 |
+| `apps/web/index.html` | D | 2 |
+| `apps/web/src/main.tsx` | D | 2 |
+| `apps/web/src/lib/role.ts` (new) | D | 2 |
+| `apps/web/src/screens/Portfolio.tsx` (new) | E | 3 |
+| `apps/web/src/components/VendorCard.tsx` (new) | E | 3 |
+| `apps/web/src/components/FleetStats.tsx` (new) | E | 3 |
+| `apps/web/src/screens/ChangeReport.tsx` (new) | F | 3 |
+| `apps/web/src/components/Drawer.tsx` (new) | F | 3 |
+| `apps/web/src/components/SeverityBadge.tsx` (new) | F | 3 |
+| `apps/web/src/screens/SensoBrief.tsx` (restyle) | G | 3 |
+| `apps/web/src/screens/StripeModal.tsx` (UX-1 fix) | G | 3 |
+| `apps/web/src/screens/Onboarding.tsx` (new, replaces VendorOnboarding) | G | 3 |
+| `apps/api/src/routes/evidence.ts` (add `/bundle.html`) | G | 3 |
+| `apps/web/src/components/CommandPalette.tsx` (new) | H | 4 |
+| `apps/web/src/lib/keyboard.ts` (new) | H | 4 |
+| `apps/web/src/components/RoleSwitcher.tsx` (new) | I | 4 |
+| `apps/web/src/lib/role.ts` (extend) | I | 4 |
+| `PAGE_AUDIT.md` (refresh) | J | 5 |
+
+**No path appears under more than one agent in the same wave.**
+Cross-wave reuse is fine because of hard gates.
+
+---
+
+## Implementation Phases
+
+### Wave 1 — Foundation (3 parallel)
+
+Run all three in one message. None depends on the others. Each has a tight,
+self-contained brief.
+
+#### Agent A — Design tokens & global CSS
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/styles/tokens.css`, `apps/web/src/styles/app.css`
+- **Brief:**
+  > Create `apps/web/src/styles/tokens.css` with the exact token block from
+  > [plan.md](plan.md) §1.1. Create `apps/web/src/styles/app.css` with global
+  > resets, body defaults (Helvetica Neue, font-weight 300), and `body.app-mode`
+  > dark scope. Delete `apps/web/src/styles.css`. Do NOT touch React components
+  > (the shell wave imports the new CSS). Verify: file paths exist, no other
+  > files modified.
+- **Risk:** Low (additive + one delete).
+
+#### Agent B — API bug fixes
+- **Type:** `backend-architect`
+- **Owns:** `apps/api/src/db/change-reports.ts`, `apps/api/src/db/changeReports.ts`, `apps/api/src/seed/loader.ts`, `apps/api/src/routes/changes.ts`
+- **Brief:**
+  > Fix the lifecycle 404 bug documented in REGRESSION_REPORT.md §A2. The
+  > legacy `db/change-reports.ts` and canonical `db/changeReports.ts` are two
+  > stores. Migrate `seed/loader.ts` and `routes/changes.ts` to use the
+  > canonical repo only. Delete `db/change-reports.ts`. Verify with
+  > `pnpm test` (lifecycle tests must pass on seeded data) and
+  > `curl -X POST .../v1/changes/chg_seed_notion/acknowledge` returns 200.
+- **Risk:** Medium (touches production state machine; tests are the safety net).
+
+#### Agent C — Static demo delete + brand rename
+- **Type:** `general-purpose`
+- **Owns:** `public/app/**/*`, `apps/web/public/app/**/*`, all "Unsyphn" occurrences
+- **Brief:**
+  > Two mechanical sweeps. (1) Delete `public/app/` and `apps/web/public/app/`
+  > directories entirely — audit confirmed non-load-bearing. (2) Global rename
+  > "Unsyphn" → "Unsyphn" across `apps/`, `public/`, `packages/`. Use case-aware
+  > replacement (Unsyphn / UNSYPHN / unsyphn → Unsyphn / UNSYPHN / unsyphn).
+  > Skip `node_modules`, `dist`, `.git`. Verify: `grep -ril "unsyphn"` returns
+  > zero. Do NOT change any logo asset references yet (logo stays as
+  > `unsyphlogo.png` until Wave 2 swaps it).
+- **Risk:** Medium (broad search-replace; verify with grep before declaring done).
+
+**Wave 1 GATE (run after all three return):**
+```bash
+pnpm typecheck                       # must be 0 errors
+pnpm test                            # 98+ tests pass (B added lifecycle coverage)
+grep -ril "unsyphn" apps/ public/ packages/  # must be empty
+test ! -d public/app                 # must not exist
+test ! -d apps/web/public/app        # must not exist
+test -f apps/web/src/styles/tokens.css
+test ! -f apps/web/src/styles.css
+```
+
+---
+
+### Wave 2 — App shell (1 agent)
+
+#### Agent D — Routes, mount, role plumbing
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/App.tsx`, `apps/web/index.html`, `apps/web/src/main.tsx`, `apps/web/src/lib/role.ts` (new)
+- **Brief:**
+  > Rewrite `App.tsx` against the 6-route IA in [plan.md](plan.md) §2:
+  > `/app` (Portfolio), `/app/vendor/:id`, `/app/change/:id`, `/app/evidence/:id`,
+  > `/app/policy`, `/app/onboarding`, `/app/settings`. Each route is a
+  > placeholder screen for this wave (`<div>Portfolio coming in W3</div>`).
+  > Add top bar with brand mark + nav + role dropdown slot. Import
+  > `styles/tokens.css` and `styles/app.css` in `main.tsx`. Toggle
+  > `body.app-mode` on `/app/*` routes via `useEffect`. Create
+  > `lib/role.ts` exporting `parseRole(search): Role` and `useRole(): Role`
+  > hook (reads `?role=`). Verify: every route returns 200, body class toggles
+  > correctly, landing at `/` unaffected.
+- **Risk:** Medium (router is the spine; placeholder screens prevent over-scoping).
+
+**Wave 2 GATE:**
+```bash
+pnpm dev:web &
+sleep 3
+curl -s localhost:4004/ | grep -q "Unsyphn"           # landing renders
+curl -s localhost:4004/app | grep -q "Portfolio"      # placeholder route works
+# manual: body.app-mode applies on /app, not on /
+```
+
+---
+
+### Wave 3 — Screens (3 parallel)
+
+All three depend on Wave 2 (shell exists, tokens loaded). They own disjoint screens
+and components.
+
+#### Agent E — Portfolio + Vendor cards
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/screens/Portfolio.tsx`, `apps/web/src/components/VendorCard.tsx`, `apps/web/src/components/FleetStats.tsx`
+- **Brief:**
+  > Implement Portfolio per [plan.md](plan.md) §3 step 1. Fleet stats strip
+  > (`143 vendors · 12 changes · 3 P1 · $84k at-risk`) pulls from
+  > `/v1/dashboard/summary` (already exists). Vendor card grid (6–8 cards)
+  > with posture chip, renewal date, owner avatar. Click vendor →
+  > `/app/vendor/:id`. Click change chip → `/app/change/:id`. Use tokens from
+  > Wave 1. No new API endpoints — read what exists.
+- **Risk:** Low.
+
+#### Agent F — ChangeReport + Drawer + lifecycle wiring
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/screens/ChangeReport.tsx`, `apps/web/src/components/Drawer.tsx`, `apps/web/src/components/SeverityBadge.tsx`
+- **Brief:**
+  > Port `public/app/screen-change.jsx` to React TSX with new tokens. Header
+  > (vendor + severity badge), diff cards with citations, 4 lifecycle action
+  > buttons (acknowledge/snooze/resolve/escalate). Wire to the canonical
+  > `/v1/changes/:id/*` endpoints (Wave 1 Agent B fixed these). Escalate
+  > opens a modal (use Drawer component). Render at `/app/change/:id`.
+- **Risk:** Medium (lifecycle integration — verify with seed data).
+
+#### Agent G — Evidence + Bundle + Onboarding + Stripe fix
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/screens/SensoBrief.tsx`, `apps/web/src/screens/StripeModal.tsx`, `apps/web/src/screens/Onboarding.tsx` (new), `apps/api/src/routes/evidence.ts`
+- **Brief:**
+  > Three jobs.
+  > (1) Restyle `SensoBrief.tsx` to new tokens; preserve print stylesheet.
+  > Add "Generate Compliance Bundle" button.
+  > (2) Add `GET /v1/evidence/:id/bundle.html` to `routes/evidence.ts` —
+  > server-rendered printable HTML (ChangeReport + citations + routed actions).
+  > (3) Create `Onboarding.tsx` with 4 tier cards (Team/Business/Enterprise +
+  > Compliance Pack add-on per PDF §10). CTA opens existing `StripeModal`.
+  > Fix `StripeModal` UX-1 (× button inert in already-entitled branch) —
+  > one wire fix from REGRESSION_REPORT.
+- **Risk:** Medium (touches API + 3 React files; all logic boundaries are well-defined).
+
+**Wave 3 GATE:**
+```bash
+pnpm typecheck                     # 0 errors
+pnpm test                          # all green
+pnpm build                         # ≤ 320kB JS bundle
+# manual via preview MCP:
+#   /app shows Portfolio with seed data
+#   /app/change/chg_seed_notion shows ChangeReport, acknowledge button returns 200
+#   /app/evidence/chg_seed_notion renders Senso brief
+#   /app/onboarding shows 4 tier cards; Stripe modal opens + closes
+```
+
+---
+
+### Wave 4 — Cross-cutting (2 parallel)
+
+#### Agent H — Command palette + keyboard
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/components/CommandPalette.tsx`, `apps/web/src/lib/keyboard.ts`
+- **Brief:**
+  > Global `⌘K` palette. Items: Jump to vendor (fuzzy match against
+  > `/v1/dashboard/summary` vendor list), Open recent change, Switch role,
+  > Generate Bundle, Open settings. Up/Down navigates, Enter executes,
+  > Esc closes. Mount in App.tsx via React portal so it overlays any route.
+  > Keyboard registry must respect text input focus (don't fire ⌘K when typing).
+- **Risk:** Low (purely additive overlay).
+
+#### Agent I — Role switcher
+- **Type:** `frontend-architect`
+- **Owns:** `apps/web/src/components/RoleSwitcher.tsx`, `apps/web/src/lib/role.ts` (extend)
+- **Brief:**
+  > Top-bar dropdown (Procurement / Legal / Security / Finance). Selecting
+  > a role updates `?role=` query param via `history.replaceState`. Hook
+  > `useRole()` (created in Wave 2) returns current role. Three of four
+  > views can show placeholder copy in their screens for v1 — only
+  > Procurement is real. Mount into the App.tsx top bar slot Agent D left.
+- **Risk:** Low.
+
+**Wave 4 GATE:**
+```bash
+pnpm typecheck && pnpm test && pnpm build
+# manual: ⌘K opens palette from /app and /app/vendor/notion; role dropdown
+# updates URL; back/forward preserves role
+```
+
+---
+
+### Wave 5 — Polish + review
+
+#### Agent J — A11y + audit refresh
+- **Type:** `quality-engineer`
+- **Owns:** any file with an a11y violation; `PAGE_AUDIT.md`
+- **Brief:**
+  > Run axe on every route. Fix: missing labels, contrast violations,
+  > focus traps in drawer + palette, keyboard reach for all interactive
+  > elements, focus restore on modal close. Refresh `PAGE_AUDIT.md`
+  > to reflect new IA. Update score card. **Do not refactor unrelated
+  > code.** Report violations fixed, count by severity.
+- **Risk:** Low.
+
+#### Code review (final, by reviewer agent — not parallel with J)
+- **Type:** `code-reviewer`
+- **Brief:**
+  > Review the full `saasb2b` branch diff vs `main`. Focus: security
+  > (Stripe path, evidence public route auth, SSE token handling),
+  > silent failures, mock leftovers, dead code, TASTE check
+  > (Slate × Seven applied or drifted?). Block on CRITICAL; else
+  > produce sign-off table.
+
+**Wave 5 GATE (release):**
+- `pnpm typecheck && pnpm test && pnpm build` all green
+- `grep -ril "unsyphn"` empty
+- axe AA clean on every route
+- 3-min demo script runs end-to-end without dead ends
+- `code-reviewer` returns no CRITICAL findings
+- PR opened, branch ready to merge
+
+---
+
+## Concurrency rules
+
+1. **Max 3 agents in any one message.** Coordination cost beats marginal speed past 3.
+2. **No file appears under two owners in the same wave.** Re-read the matrix before dispatch.
+3. **Each agent gets its file list verbatim in its brief.** Agents must error rather than touch unlisted paths.
+4. **Hard gate between waves.** Do not start Wave N+1 until Wave N gate passes.
+5. **Background allowed, not required.** Wave 1 agents can run foreground (we need their work before Wave 2).
+6. **Worktree isolation NOT used** — file boundaries already prevent collisions; worktree adds merge cost without benefit here.
+
+---
+
+## Testing strategy
+
+### Per-wave verification
+- **Wave 1:** typecheck, full test suite, grep for forbidden strings, file-existence asserts.
+- **Wave 2:** dev server boots, both routes (landing + placeholder app) render, body class toggles.
+- **Wave 3:** typecheck + tests + build size budget; manual preview MCP walk of 4 routes.
+- **Wave 4:** typecheck + tests; manual ⌘K + role-switcher flow.
+- **Wave 5:** axe AA clean + code-reviewer sign-off.
+
+### Test coverage targets (global rules)
+- Unit (Vitest): `lib/role.ts` parser, `keyboard.ts` registry, `lib/evidence-bundle.ts` HTML render. Add tests when shape stabilizes (Wave 4+).
+- Integration: lifecycle endpoint (already tested; Agent B widens coverage).
+- E2E: 3-min demo script as a Playwright test (Wave 5, optional but high value).
+
+### What we don't test pre-build
+- Layout pixel-perfection — visual via preview MCP screenshots is enough.
+- Static screen content — covered by snapshot if it stabilizes; otherwise manual.
+
+---
+
+## Risks & Mitigations
+
+| Risk | Likelihood | Impact | Mitigation |
+|---|---|---|---|
+| Agents collide on shared file | Low (matrix prevents it) | High (lost work) | File-ownership matrix; each brief lists owned paths explicitly. |
+| Agent B's store migration breaks lifecycle in prod path | Medium | High | `pnpm test` covers it; Wave 1 gate requires green tests. Roll back single commit if red. |
+| Brand rename catches false positives ("Unsync", etc.) | Low | Low | Case-aware replace, exclude `node_modules`. Grep verifies cleanup. |
+| Wave 3 agents pull conflicting design decisions | Medium | Medium | Tokens are the single source of truth from Wave 1. Each agent reads plan.md §1 before starting. |
+| StripeModal UX-1 fix has unseen side effects | Low | Medium | Existing webhook tests in place; manual verification of both branches (entitled vs not). |
+| Static demo deletion removes something React app secretly imports | Low (audit checked) | Medium | Wave 1 ends with typecheck — failure indicates a hidden import; restore selectively. |
+| Wave 4 keyboard registry conflicts with native shortcuts | Medium | Low | Scope to `/app/*` routes; honor `e.target.tagName === "INPUT"`; document conflicts. |
+| Wave 5 a11y agent over-reaches and refactors | Medium | Medium | Brief is explicit: fix only violations, don't refactor. Reviewer agent catches it. |
+
+---
+
+## Success criteria
+
+The build is done when, in a single `pnpm dev` session:
+
+1. `/` renders the existing landing page on dark Slate paint.
+2. `/app` renders Portfolio with fleet stats and 6+ vendor cards.
+3. Clicking a vendor card → vendor detail (placeholder OK for v1).
+4. Clicking a change chip → `/app/change/:id` with working acknowledge/escalate.
+5. Escalate flow opens drawer → modal → confirmation → `/app/evidence/:id`.
+6. Evidence brief renders with Senso URL semantics + Generate Bundle button.
+7. Bundle button serves a print-ready HTML page.
+8. `/app/onboarding` → 4 tier cards → Stripe modal → test-mode checkout → success state with × that closes.
+9. `⌘K` opens palette anywhere in `/app/*`.
+10. Role dropdown updates `?role=` and back/forward preserves it.
+11. `pnpm typecheck && pnpm test && pnpm build` green.
+12. No "Unsyphn" string anywhere.
+13. axe AA clean on every route.
+14. `code-reviewer` agent returns no CRITICAL.
+
+---
+
+## STOP — awaiting your call
+
+Reply with one of:
+- **`yes`** / **`proceed`** → I dispatch Wave 1 (Agents A, B, C in parallel).
+- **`modify: <changes>`** → I revise this orchestration and stop again.
+- **`abort`** → drop it.
+
+I will not dispatch any agent until you confirm.
diff --git a/PAGE_AUDIT.md b/PAGE_AUDIT.md
index 1e05477..619152a 100644
--- a/PAGE_AUDIT.md
+++ b/PAGE_AUDIT.md
@@ -148,14 +148,14 @@ flows route to `/app/` (the static Babel-JSX demo).
 ## K. React app — App.tsx routing/header
 
 - **K.0** [**CRITICAL**] `apps/web/index.html` missing `#root` + main.tsx script — entire React tree unreachable
-- K.1 [brk] Default route "/" falls to `<RedlineApp />` = Add Vendor (not a dashboard)
-- K.4 [brk] Header brand text `.app__mark` says **"Redline"** — mismatch with landing "UNSYPHN"
+- K.1 [brk] Default route "/" falls to `<UnsyphnApp />` = Add Vendor (not a dashboard)
+- K.4 [brk] Header brand text `.app__mark` says **"Unsyphn"** — mismatch with landing "UNSYPHN"
 - K.5 [ok] Header nav buttons wired
 - K.7 [wrn] Breadcrumb is `<span>`, should be `<nav aria-label="breadcrumb">`
 
 ## L. Brand inconsistency (cross-app)
 
-- L.1 [brk] **Landing: "UNSYPHN"**, **App: "Redline"** — same product, two names
+- L.1 [brk] **Landing: "UNSYPHN"**, **App: "Unsyphn"** — same product, two names
 - L.2 [brk] No logo image asset referenced anywhere — only CSS gradient marks
 - L.3 [ok] Dark theme palette consistent
 - L.4 [ok] Brief light theme is print-friendly
@@ -167,7 +167,7 @@ flows route to `/app/` (the static Babel-JSX demo).
 | # | Pri | Item | File | Fix |
 |---|---|---|---|---|
 | 1 | **P0** | React app has no mount point | `apps/web/index.html` | Add `<div id="root">` + `<script type="module" src="/src/main.tsx">` |
-| 2 | **P0** | Brand split "Redline" vs "UNSYPHN" | `apps/web/src/App.tsx` + styles.css | Replace text mark with logo, rename "Redline" → "Unsyphn" everywhere |
+| 2 | **P0** | Brand split "Unsyphn" vs "UNSYPHN" | `apps/web/src/App.tsx` + styles.css | Replace text mark with logo, rename "Unsyphn" → "Unsyphn" everywhere |
 | 3 | **P0** | No logo on any surface | All 3 surfaces | Distribute `unsyphlogo.png` (198x144 RGBA) → favicons + nav marks |
 | 4 | **P0** | Static demo dead file ref kills Babel pipeline | `public/app/index.html:43` | Remove `<script src="screen-onboarding.jsx">` |
 | 5 | **P1** | Static demo `live.js` 401s | `public/app/live.js` | Use seed token; add SSE subscription to `/v1/stream` |
diff --git a/REGRESSION_REPORT.md b/REGRESSION_REPORT.md
index 5c35759..00047c1 100644
--- a/REGRESSION_REPORT.md
+++ b/REGRESSION_REPORT.md
@@ -25,7 +25,7 @@ Date: 2026-05-24 · Method: 3 background source-audit agents + foreground browse
 
 ```
 pnpm install             → clean
-pnpm --filter @redline/shared build → ok
+pnpm --filter @unsyphn/shared build → ok
 pnpm typecheck           → 0 errors (3 workspaces)
 pnpm test                → 98/98 passing in 1.32s
 pnpm build               → 287.64 kB JS (89 kB gzip), 9.28 kB CSS
@@ -105,7 +105,7 @@ This is the duplicate-file debt explicitly called out in the merged PR's "Known
 - `export-diff` uses Blob+anchor (no `data:` URI)
 - `share-audit` feature-detects `navigator.clipboard` with `window.prompt` fallback
 - Forward/More buttons absent from screen-change.jsx + screen-evidence.jsx
-- Bearer token sourced from `meta[name="redline-bearer"]` in screen-onboarding.jsx
+- Bearer token sourced from `meta[name="unsyphn-bearer"]` in screen-onboarding.jsx
 - live.js has SSE EventSource subscription
 - **Full mirror parity** (`diff -q` returns zero differences across 7 file pairs)
 
@@ -117,7 +117,7 @@ This is the duplicate-file debt explicitly called out in the merged PR's "Known
 - `useEffect` toggles `body.app-mode` on/off
 - Logo image (`/logo.png`) in both DashboardApp + VendorOnboardingApp headers
 - Semantic `<nav aria-label="breadcrumb">` wrap
-- Zero "Redline" hits in `grep -rn "Redline" apps/web/src/`
+- Zero "Unsyphn" hits in `grep -rn "Unsyphn" apps/web/src/`
 - SensoBrief says "Unsyphn · Evidence brief" + "Generated by Unsyphn"
 - Onboard uses CSS-based required asterisks (`.field__label--required::after { content: " *" }`)
 - Auto-dismiss error `useEffect` with `setTimeout` cleanup
diff --git a/RESEARCH_PROMPT.md b/RESEARCH_PROMPT.md
new file mode 100644
index 0000000..4552913
--- /dev/null
+++ b/RESEARCH_PROMPT.md
@@ -0,0 +1,189 @@
+# Deep Research Prompt — Unsyphn (Rocket Money for Enterprise SaaS)
+
+> Copy everything below the line into ChatGPT Pro Deep Research, Gemini Advanced Deep Research, and/or Claude Deep Research. Run in parallel; merge the outputs.
+
+---
+
+# Research brief: build the most intuitive enterprise SaaS-vendor management app of 2026
+
+## 1. Who I am building for
+
+**Product**: **Unsyphn** — an enterprise software platform positioned as **"Rocket Money for the 200–1,000 SaaS apps your company runs."** It auto-discovers every SaaS vendor in the org (via SSO, expense cards, browser plugins), watches each vendor's pricing/terms/security pages continuously, identifies waste (unused seats, duplicate apps, shadow IT), surfaces price hikes + sub-processor changes + posture drift, routes alerts to the right owner in Slack/Jira/email, drafts renegotiation packets, and exports audit-ready evidence bundles. The hero promise: **"recover $135k a quarter from SaaS you didn't know you were wasting."**
+
+**Buyers / primary personas**:
+- **CFO / VP Finance** — wants the total SaaS spend number to go down, predictable renewals, no surprise mid-year price hikes.
+- **Head of Procurement** — wants leverage at renewal, benchmark pricing, automated negotiation packets.
+- **CISO / GRC Lead** — wants continuous SOC 2 / sub-processor watch, evidence bundles for audits, no manual sub-processor diff tracking.
+- **General Counsel / Legal Ops** — wants ToS/DPA change alerts with diff, liability creep monitoring, unsyphn-ready clauses.
+- **IT Admin / Vendor Owner** — wants one Slack DM when anything material changes, automatic ticket creation, less context-switching.
+- **Internal Audit** — wants chronology + citations + immutable evidence on demand.
+
+**Market context (already validated)**: enterprises run ~291 SaaS apps on average (473 for large), 51% of seats go unused, $18M wasted per enterprise per year, 70% of IT leaders say SaaS sprawl is their top operational challenge. ([Cloudnuro 2026](https://www.cloudnuro.ai/blog/saas-statistics-2026), [Certero](https://www.certero.com/blog/five-surprising-stats-about-saas-waste-in-enterprise-it/)).
+
+## 2. What I have today (current state — what to improve from)
+
+Existing app on the saasb2b branch:
+
+- 6 in-app routes: `/app` Portfolio (vendor grid + fleet stats), `/app/vendor/:id`, `/app/change/:id` (ChangeReport diff card), `/app/evidence/:id` (public Senso brief), `/app/policy` (placeholder), `/app/onboarding` (4 pricing tiers + Stripe checkout), `/app/settings` (placeholder).
+- ⌘K command palette with role switcher (Procurement / Legal / Security / Finance).
+- Dark mode with periwinkle accent ("Slate") + Helvetica Neue ("Seven") — but I want to **switch to a clean LIGHT mode** with a more intuitive layout.
+- Landing page has a 3D Halo cube animation but **cube faces are random colors, not vendor logos** — I want them to show real SaaS vendor logos (Notion, Microsoft 365, Salesforce, Figma, Slack, GitHub, Datadog, Stripe, etc.).
+- The brand should be **Unsyphn** (not Unsyphn — currently mis-branded).
+- The in-app experience **feels empty** — placeholder screens, no real workflows, no inbox/queue, no negotiation copilot UI, no spend visualizations, no vendor logos, no usage charts, no policy editor, no settings depth.
+
+## 3. What I need from you (the research)
+
+Produce a single structured report with the following sections. Be opinionated. Cite every concrete claim with a source URL. Prioritize 2025–2026 data and product references.
+
+### A. Competitive landscape — full feature inventory (the table)
+
+Build a feature comparison matrix covering at least these 12 products:
+
+1. **Vendr** (vendr.com)
+2. **Sastrify** (sastrify.com)
+3. **Spendflo** (spendflo.com)
+4. **Tropic** (tropicapp.io)
+5. **Zylo** (zylo.com)
+6. **Cledara** (cledara.com)
+7. **Productiv** (productiv.com)
+8. **BetterCloud** (bettercloud.com)
+9. **Zluri** (zluri.com)
+10. **Nudge Security** (nudgesecurity.com)
+11. **Torii** (toriihq.com)
+12. **Spendesk / Spendhound** (spendesk.com / spendhound.com)
+13. Optional: **Vanta** + **OneTrust** for the GRC overlap.
+
+For each, list:
+- Core product modules (e.g. Discovery, Renewal Calendar, Negotiation, Compliance, etc.)
+- Onboarding mechanism (SSO connectors, expense-card import, browser extension, Finance system pull, etc.)
+- Pricing model (per-vendor, per-user, % of savings, flat platform fee, enterprise custom)
+- Key UI patterns they use (inbox-first, calendar-first, list-first, dashboard-first, command palette, etc.)
+- 1-line differentiator and 1-line weakness
+
+Then synthesize: **what is the union of all features across these products?** Group into the canonical modules an enterprise SaaS management product *must* have in 2026.
+
+### B. The full feature set — must / should / nice (the priority list)
+
+Based on (A) plus the personas in §1, produce a categorized feature list:
+
+- **MUST-HAVE** (table stakes — competitors all have these)
+- **SHOULD-HAVE** (most competitors; differentiates from bottom-tier)
+- **NICE-TO-HAVE** (only some; potential wedge)
+- **NOVEL** (no competitor has it yet but personas need it)
+
+Cover at minimum: **Discovery & Inventory · Spend & Cost · Renewal Management · Contract & Document Vault · Usage & Adoption Analytics · Vendor Risk & Compliance · Negotiation & Procurement Workflows · Policy & Approval Workflows · Integrations · Reporting & Dashboards · Notifications & Routing · Audit & Evidence · Onboarding · Mobile & In-Context · AI / Agent Capabilities**.
+
+For each feature, also note: which persona benefits, typical screen/affordance, typical data source.
+
+### C. User workflows / Jobs To Be Done (the customer journeys)
+
+For each of the 6 personas in §1, write 3–5 concrete JTBD narratives in the format:
+> "When [trigger / context], I want to [job], so I can [outcome]."
+
+Then for each JTBD, sketch the **minimum-step ideal workflow** (3–7 steps) inside Unsyphn. Specify which screen, which input, which output, and which integration is involved at each step. Cite which competitor's product (if any) does this well today, and what they do badly.
+
+### D. Information architecture (the page tree)
+
+Design the **ideal IA** for Unsyphn given §B and §C. Recommend:
+
+- **Top-level nav items** (how many, named what)
+- **Whether the primary surface is**: inbox / calendar / vendor list / dashboard / something else — and **why**
+- **Detail-page structure** for: a single vendor, a single contract, a single change/alert, a single renewal
+- **Workspace partitioning**: does role-based view (Procurement / Legal / Security / Finance) live in the URL, a workspace switcher, a sidebar lens, or a per-card chip? What's the evidence-best pattern?
+- **Empty states** for each main route — what should users see on day 1 vs day 30?
+- **Mobile vs desktop** — what's mobile-essential, what's desktop-only?
+
+Compare to specific 2025–2026 references: **Linear**, **Vercel**, **Notion**, **Cursor**, **Raycast**, **Pylon**, **Attio**, **Plain** — pull specific design decisions from each that apply.
+
+### E. Visual design language — LIGHT MODE specifically
+
+I want to switch from a dark theme to a clean, intuitive **light** theme. Research and recommend:
+
+- **Color palette**: surfaces (white / off-white / cool gray hierarchy), borders (hairline grays), 1 primary action color, 3 semantic colors (success / warning / danger), 1 informational color. Hex values. Contrast ratios on white.
+- **Typography**: pick a primary font + a mono font. Compare Inter vs Geist vs SF Pro vs Helvetica Neue vs Söhne vs ABC Diatype for an enterprise B2B SaaS in 2026. State weight pairs (display + body).
+- **Spacing scale** (4px or 8px base)
+- **Radius scale**
+- **Elevation language** — light mode usually leans on borders + soft shadows; recommend a 3-step shadow scale
+- **Icon system** — Lucide vs Phosphor vs Heroicons vs Tabler vs Iconoir. Which fits a finance/procurement enterprise tool best? Why?
+- **Vendor logo system** — see §F separately
+- **Reference companies that nailed light-mode B2B SaaS** (Stripe Dashboard, Linear "light", Vercel "light", Notion, Attio, Pylon, Mercury Banking, Ramp, Brex). Specific URLs to screenshots if possible.
+
+### F. Vendor logo & icon strategy (the cube + everywhere)
+
+The landing page has a 3D rotating cube; today its faces are random colors. I want each face / each card / each row of the app to show real SaaS vendor logos.
+
+Research:
+
+1. **Open vendor logo sources** — comprehensive list of free, hotlinkable, CDN-served logo libraries. Include at minimum:
+   - Clearbit Logo API (clearbit.com/logo)
+   - Logo.dev (logo.dev)
+   - Brandfetch (brandfetch.com)
+   - simple-icons.org
+   - cdn.jsdelivr.net/gh/simple-icons
+   - Worldvectorlogo, Logosearch, vectorlogo.zone, SVG Repo
+2. For each: **license terms**, **rate limits**, **does it require an API key**, **coverage** (do they have all the apps we'd plot: Notion, Slack, Figma, Microsoft 365, Salesforce, Stripe, Datadog, GitHub, AWS, Adobe, Zoom, HubSpot, Asana, Linear, Jira, Confluence, Okta, Vanta, etc.)
+3. **Recommendation**: which source(s) to use for production-grade enterprise app, balancing license, reliability, coverage, and design consistency (some are flat brand color, some are full-color, some have transparency — pick the visually coherent one).
+4. **Logo rendering pattern**: how should the logo show up — square avatar with vendor name, monogram fallback when missing, on-brand color background or neutral, etc.
+5. **The cube specifically**: what's the design pattern for showing N vendor logos rotating on faces of a 3D cube? Look for references from Stripe Connect's homepage, Datadog's logo wall, Brex / Ramp marketing pages. Should it be 6 faces × 1 logo, or 6 faces with a grid of logos?
+
+### G. Onboarding flow (the wedge)
+
+Rocket Money's onboarding is one button: connect your bank. What's the equivalent for Unsyphn? Research:
+
+- What does **Vendr / Sastrify / Tropic / Zluri / Productiv** actually ask for on signup?
+- What's the **fastest "time to first wow"** any competitor has? Cite specific numbers from public reviews/case studies.
+- What's the **minimum viable connection set** that makes the rest of the product work (SSO? expense card? both?)
+- **Cold-start problem**: how does a competitor populate the vendor list on day 1 when no data is connected? (Manual? Vendor library? AI predict-from-domain?)
+- Recommend a **single-screen onboarding** that goes from email → fleet visible in < 60 seconds.
+
+### H. Pricing & packaging (mid-market + enterprise)
+
+Research public + leaked pricing for the 12 competitors in §A. For each: tier names, list prices, what's included where, what's the upsell trap. Synthesize:
+
+- **Recommended Unsyphn pricing**: 3–4 tiers + add-ons. Specific $ amounts based on what's defensible.
+- **Free tier yes/no?** Pros and cons.
+- **Pricing axis**: per-vendor, per-employee, % of savings, flat platform — which works best for which buyer?
+- **What does the buyer expect to see on the pricing page** (feature matrix, FAQ, ROI calculator, sample savings number)?
+
+### I. The novel/contrarian wedge
+
+Based on all the above, what could Unsyphn ship that **no other competitor does**? Brainstorm 5–10 specific feature ideas that match the personas and the "Rocket Money for enterprise" framing. Examples to spark thinking (don't copy these — generate better ones):
+
+- Auto-cancel-unused-seat one-click with vendor API
+- AI counter-offer generator (drafts negotiation email from public benchmarks)
+- Shadow-IT detection from browser extension telemetry
+- Vendor "report card" sharable externally
+- Sub-processor jurisdiction heatmap with auto 30-day customer notification draft
+
+For each idea you generate, rate it on: **value-to-persona (1-5)**, **engineering difficulty (1-5)**, **moat depth (1-5)**.
+
+### J. Integration ecosystem (the trust ring)
+
+List, in priority order, the integrations Unsyphn must have to be enterprise-credible. Group as **Inbound** (data sources) vs **Outbound** (action sinks). For each, note: which API to use, OAuth vs API key, what data Unsyphn pulls/pushes, which competitors already have it.
+
+Cover at minimum: Okta · Google Workspace · Azure AD · OneLogin · Brex · Ramp · Spendesk · NetSuite · QuickBooks · Slack · Microsoft Teams · Jira · Linear · Google Calendar · Outlook · Gmail · Notion · Ironclad · Lexion · DocuSign · Vanta · Drata · OneTrust · Datadog · Webhooks/SIEM.
+
+### K. Trust & defensibility
+
+What features make enterprise buyers say yes? Research and list specific things competitors do for: data residency (US/EU pinning), SSO + SCIM, no-train guarantees on AI, audit-trail immutability, RBAC scopes, citation-grounded outputs. Cite what specific enterprise contracts (e.g. Vanta, Drata customer pages) require.
+
+### L. Demo / sales narrative
+
+Look at how Vendr, Sastrify, Tropic open their demo. What's the **first 30 seconds**? Synthesize a 3-minute demo narrative for Unsyphn that lands the "Rocket Money for enterprise" framing, hits the $135k recoverable number early, and closes on a transact moment.
+
+## 4. Output format requirements
+
+- **Markdown** with clear `##` section headers matching A–L above.
+- **Cite every concrete claim** with a markdown link. No claim-without-source for $ figures, feature lists, or competitor positioning.
+- **Comparison tables** wherever 3+ competitors are compared.
+- **Use 2025–2026 data**. Skip anything older than 2024 unless it's the only source.
+- **At the end**: a **30-item ranked feature priority list** (1 = ship immediately, 30 = year-2 nice-to-have) with effort estimate (S/M/L) for each, and which competitor already has it (or "novel").
+- **Append a one-page "What Unsyphn must ship next" memo** synthesizing everything into 5 concrete recommendations for the next 4 weeks of build.
+
+## 5. Out of scope
+
+Do not research: payroll, HRIS, expense reimbursement, P-card issuance, ERP replacement, devops tooling, code analysis, fundraising mechanics. Stay strictly on **SaaS vendor management / spend / risk / renewal / negotiation / audit**.
+
+---
+
+**Run depth**: spend the full deep-research budget. I'd rather wait 20 minutes for a sourced 12,000-word report than get a 2,000-word summary in 4 minutes.
diff --git a/STRATEGY.md b/STRATEGY.md
new file mode 100644
index 0000000..5053e79
--- /dev/null
+++ b/STRATEGY.md
@@ -0,0 +1,723 @@
+# Unsyphn — Product Strategy (synthesized)
+
+**Source:** three deep-research reports (ChatGPT, Claude, Gemini) run against `RESEARCH_PROMPT.md`.
+**Date:** May 24, 2026.
+**Purpose:** lock the product direction so the long-term plan can be built on it.
+
+> Where reports agreed, the decision is stated as fact.
+> Where they conflicted, the divergence is shown and a call is made with reasoning.
+
+---
+
+## 0. Executive summary — what's decided
+
+| Decision | Direction | Confidence |
+|---|---|---|
+| Brand | **Unsyphn** (kill all "Redline") | 3/3 reports + user |
+| Theme | **Light mode primary**, dark deferred to year 2 | 3/3 + user |
+| Positioning | **Vendor Change & Savings Operating System** — discover, prove what changed, route, evidence | 3/3 |
+| Primary surface | **Inbox** (not dashboard) | 3/3 — strongest signal in the research |
+| Nav | **7 top-level routes** (Inbox · Vendors · Renewals · Requests · Evidence · Policies · Settings) | 3/3 converge |
+| Object model | 5 canonical objects: **Vendor · Renewal · Material Change · Request · Evidence Bundle** | 3/3 |
+| Role partitioning | **Sidebar lens chips**, not URL workspaces | 3/3 |
+| Primary onboarding | **One screen: Google Workspace / M365 OAuth** (Nudge model + email metadata) | 3/3 |
+| Time-to-first-wow | **<60 seconds** beats Nudge's "5 minutes" | 3/3 |
+| Logo CDN | **Simple Icons (CC0)** primary → **Brandfetch** fallback → **Logo.dev** only if licensed | 2/3 agree on this stack; Report 2 has the strongest license analysis |
+| Icon system | **Lucide** for product UI | 3/3 unanimous |
+| Type | **Inter** body + **Geist Mono** (or IBM Plex Mono) for numeric/tabular | 2/3 say Inter primary; defer premium fonts (Söhne, Diatype) to year 2 |
+| Accent color | **Indigo `#4F46E5`** — preserves the periwinkle DNA from current build | 2/3 say indigo; Report 2 proposed teal but reasoning ("money + trust") doesn't beat continuity |
+| Marketing cube | **6 faces × 4-9 logo grid per face**, on white background, logos in brand color | 2/3 (Reports 1 & 3) — Stripe-Connect-style 1-logo-per-face read as toy in 2/3 evaluations |
+| Pricing axis | **Flat platform fee** (NOT per-seat, NOT % of savings as default) | 2/3; Report 2 allows % of savings as Enterprise add-on with cap |
+| Free tier | **Yes — narrowly scoped** (1 source, ≤50 vendors, top-N findings, no automation, "Powered by Unsyphn" branding) | 3/3 |
+| Pricing levels | **4 tiers: Free → Growth $1,500-2,500/mo → Scale $3,500-6,000/mo → Enterprise from $30K + add-ons** | Reports converge in middle; Enterprise pricing diverges from $30K (R2) to $72K (R3) |
+| Top-3 novel wedges | (1) **Material Change Feed** · (2) **Renegotiation Packet** · (3) **Sub-processor heatmap + customer-notice auto-draft** | 3/3 unanimous |
+
+**Strongest line in any of the three reports** (from Gemini's report 3, worth printing on the wall):
+
+> Every screen should answer four questions instantly:
+> **What changed · Why it matters · Who owns it · What happens next.**
+> If a screen cannot answer those, it is probably not ready.
+
+That is the product test.
+
+---
+
+## 1. Positioning & the wedge
+
+### 1.1 What Unsyphn is, in one paragraph
+
+Unsyphn is the **Vendor Change & Savings Operating System** for enterprise SaaS. It auto-discovers every SaaS vendor in the organization in under 60 seconds via a single Google or Microsoft 365 OAuth, watches every vendor's pricing/terms/sub-processor/security pages continuously, surfaces material changes ranked by dollar/legal/security impact, routes each change to the right owner in Slack/Jira with evidence attached, drafts the renegotiation or compliance response, and exports audit-grade immutable bundles on demand. **Rocket Money for the 200–1,000 SaaS apps your company runs.**
+
+### 1.2 The market gap (all three reports agree)
+
+Twelve credible competitors exist. None combine the three things that matter:
+
+1. **Continuous external monitoring** of vendor pricing/terms/sub-processors (no SMP has this today)
+2. **Opinionated cross-functional routing** with persona-aware action cards
+3. **Immutable, citation-grounded evidence bundles** as a first-class export
+
+Procurement tools (Vendr, Sastrify, Spendflo, Tropic) cover negotiation. SMPs (Zylo, BetterCloud, Zluri, Torii, Productiv) cover discovery and lifecycle. GRC tools (Vanta, OneTrust, Drata) cover compliance posture. **No one sits in the middle and makes the connections visible.** That is Unsyphn's defensible position.
+
+### 1.3 Who buys
+
+Six personas, two are the budget owners:
+
+- **Buyers (sign the contract)**: CFO/VP Finance, Head of Procurement.
+- **Champions (drive adoption)**: CISO/GRC Lead, General Counsel/Legal Ops.
+- **Power users (live in the app)**: IT Admin/Vendor Owner.
+- **Validators (audit windows)**: Internal Audit.
+
+The CFO is the dollar conversation. Procurement is the daily user. Security/Legal are the wedge against incumbents. Sell to the CFO; design for Procurement; defend with Security/Legal.
+
+---
+
+## 2. Competitive landscape — synthesized matrix
+
+Reports 1 and 2 produced detailed competitor tables; Report 3 added pricing transparency depth. Below is the merged, conflict-resolved table.
+
+| Product | Core wedge | Onboarding | Pricing (verified 2025–26) | UI default | Strongest feature | Biggest weakness |
+|---|---|---|---|---|---|---|
+| **Vendr** | Negotiation + benchmarks ($15B+ spend dataset, 130K+ deals) | Sales-led | $36K / $78K / $120K per year (G2/Tekpon) | Workflow + dashboard | Largest negotiation dataset in market | Procurement-only; no continuous monitoring; long sales cycle |
+| **Sastrify** | EU procurement + compliance intelligence | SSO + ERP + Slack-bot | €12.5K/yr Software Mgmt + €15K/yr Vendor Benchmarks (modular) | Dashboard + procurement queue | DORA/NIS2 compliance packs; 6.5× ROI claim | Procurement-first; thin on lifecycle/identity |
+| **Spendflo** | AI procurement + managed sourcing | Sales-led; "live in 14 days" | ~$18K start; opaque | Workflow + intake | Procurement-as-a-service hybrid | Opaque pricing; deployment requires heavy consultation |
+| **Tropic** | Intake-to-procure + SaaS *and* non-SaaS spend | SSO + ERP (NetSuite) | ~$10–22K/yr starting | Intake + supplier intelligence | Broader scope (covers non-SaaS) | Not built for continuous security/legal monitoring |
+| **Zylo** | Finance-grade system of record | ERP + financial + Usage Connect no-code | Quote-only; ~$38–50K/yr typical (AWS marketplace anchor) | Spend-first dashboard | Largest benchmark dataset ($75B+); deep consumption tracking | Visibility-strong but weak remediation; manual data cleansing |
+| **Cledara** | SaaS spend via virtual cards | Issue virtual cards = discovery | $75 / $200 / $500+/mo tiered by app count | Card-led + invoice inbox | Payment-method-as-discovery (unique angle) | Caps app counts; UK/EU flavor; thin security |
+| **Productiv** | Feature-level usage analytics + AI contract scanning | SSO + 20,000+ app connectors + CASB | Quote-only Enterprise | Analytics-first | Best-in-class engagement depth (Slack Huddles vs login, not just login) | Action/automation thin; unpredictable syncing |
+| **BetterCloud** | IT automation + lifecycle workflows | SSO + browser ext + IdP | $3 / $6 / $10 per user/mo ($17K–$111K/yr typical) | Workflow + admin grid | Most mature no-code workflow engine | Per-seat scales painfully; setup measured in weeks |
+| **Zluri** | SaaS mgmt + identity governance (IGA) | 9 discovery methods (SSO, browser/desktop agents, finance, HRIS, MDM) | ~$4–8/user/mo; $35K AWS anchor; median ~$38K | Discovery list + access workflows | "300+ direct APIs", "239K+ apps" in catalog | Setup time-consuming; manual workarounds; fragmented packaging |
+| **Nudge Security** | Shadow-IT discovery via email metadata | Single Google or M365 OAuth — **the speed benchmark** | $750/mo flat (<150 accounts); $5/user/mo (150–2,500) | Inbox-of-discoveries + per-app card | "Got 5 minutes? See everything—today" — fastest TTV in category | Light on contracts/renewals/negotiation |
+| **Torii** | Discovery + lifecycle automation + IGA | SSO + browser ext + 120+ HRIS/ITSM | Quote-only; "weeks to value" | Lifecycle workflow canvas | Drag-and-drop workflow engine; "immediate" discovery TTV | Reporting depth limited; browser-ext-dependent |
+| **Spendhound** | Renewal tracking + benchmarks | ERP/billing sync | **Free** under 1,000 employees; $10K/yr Enterprise with $150K savings guarantee | Renewal-calendar-first | Ghostwritten renegotiation emails within 24h via Slack | No automation/lifecycle; SMB tilt |
+| **Vanta** *(GRC overlap)* | Compliance + TPRM + Trust Center; 2025 Customer Commitments extraction | 375+ integrations via OAuth | Quote-only; 8,000+ customers, $100M+ ARR | Compliance-program dashboard | Customer Commitments auto-extraction (sub-processor notices, deletion SLAs, incident SLAs) — *recently launched, perfect cross-reference target for Unsyphn* | Not a SaaS spend tool — complementary, not competitive |
+| **OneTrust** *(GRC overlap)* | Enterprise TPRM + privacy | Enterprise CMDB integration | Custom enterprise | Risk-register-first | Deepest privacy + sub-processor jurisdiction tooling | Heavy, slow, expensive |
+
+### 2.1 The unified 12 (or 15) canonical modules
+
+After de-duplication, "what an enterprise SMP must include in 2026":
+
+1. Discovery & inventory (multi-source)
+2. Spend visibility (by vendor, dept, cost center, billing cycle)
+3. Usage & adoption analytics (license utilization + feature-level)
+4. Contract & document vault (with LLM clause extraction)
+5. Renewal management (calendar + workbench)
+6. Procurement intake & approvals
+7. Benchmarking & negotiation support
+8. Vendor risk & compliance posture
+9. Identity & lifecycle automation (onboard/offboard)
+10. Notifications & workflow routing (Slack, Jira, email)
+11. Reporting & executive dashboards
+12. Audit & evidence (immutable, exportable)
+13. AI / agent capabilities (always with citations)
+14. Mobile / in-context approvals
+15. Integration breadth (inbound + outbound)
+
+Unsyphn must hit 1–12 at MVP credibility; 13–15 are differentiators.
+
+---
+
+## 3. Personas → Jobs To Be Done → Workflows
+
+Synthesized from the strongest JTBDs across all three reports. Each persona gets the top three jobs that anchor the product.
+
+### 3.1 CFO / VP Finance
+
+| JTBD | Workflow (steps) |
+|---|---|
+| "When quarterly planning hits, show me the top reclaimable waste so I can cut without random budget hacks" | Open Inbox → sort by recoverable dollars → vendor compare card → approve right-size/cancel/renegotiate → export CFO summary PDF |
+| "When a vendor announces a mid-term price hike, show me the dollar exposure and the leverage we have" | Material change appears in Inbox → click Impact → contract scope + spend exposure + benchmark + notice window → "Send counteroffer brief" |
+| "When the board asks 'what did we save?', generate a one-page report" | Reports → Savings YoY → toggle quarter → branded PDF |
+
+**Done well by**: Zylo (depth), Cledara (clean UI), BetterCloud (savings framing).
+**Done badly**: Vendr (procurement-buried), Spendhound (top-200 vendors only).
+
+### 3.2 Head of Procurement
+
+| JTBD | Workflow |
+|---|---|
+| "When a vendor sends a renewal quote, generate a benchmark-backed counter-offer email I can send same-day" | Vendor card → "Renegotiation Packet" button → review packet (usage + benchmark + 3 drafted emails) → send via Gmail handoff |
+| "When a renewal is 30 days out, show me the vendor's pricing-page diff over the last 90 days so I know what's likely to change before the call" | Renewal alert → vendor "Change Feed" tab → pricing diff + sub-processor delta + SLA-language changes — **done by no competitor today** |
+| "When a new SaaS request hits intake, triage for duplicates and security review automatically" | Inbox → request card → auto-detected "similar tools" + auto-routed approvals |
+
+**Done well by**: Spendhound (24h ghostwritten emails), Tropic (intake-first IA).
+**Done badly**: Productiv (analytics-heavy, action-thin).
+
+### 3.3 CISO / GRC Lead
+
+| JTBD | Workflow |
+|---|---|
+| "When a vendor adds a sub-processor in a high-risk jurisdiction, tell me immediately AND cross-reference whether our customer contracts require us to notify customers" | Slack alert → vendor card → "Sub-processor diff" → "Affected customer contracts" (cross-referenced via Vanta-style Customer Commitments) → draft customer notice — **done by no one today** |
+| "When a vendor's SOC2 attestation expires, auto-open a Jira ticket to the owner" | Continuous polling of vendor trust centers → policy fires on expiration → Jira ticket + Slack DM |
+| "When auditors ask 'what did we know and when', give me an immutable chronology" | Vendor page → Evidence tab → timeline → export signed bundle |
+
+**Done well by**: Nudge Security (discovery + posture), Vanta (Customer Commitments — 2025 launch).
+**Cross-reference gap**: nobody connects sub-processor changes to customer contract obligations. That is Unsyphn's wedge.
+
+### 3.4 General Counsel / Legal Ops
+
+| JTBD | Workflow |
+|---|---|
+| "When a vendor publishes new ToS language, show me a redline diff against the version we agreed to so I can push back" | Inbox alert → Change Report → Git-style diff highlighting liability/indemnity/AI-training/sub-processor/term clauses → "Draft objection" button → email to vendor — **done by no one at scale today** |
+| "When reviewing a new MSA, show clauses that deviate from our standard playbook so I focus my review on the 5 things that matter" | Contract upload → clause extraction → playbook comparison → flag deviations |
+| "When an auditor asks 'what did this vendor commit to', search across all contracts for the obligation" | Search → Customer Commitments index → cited result — **Vanta launched parity in 2025; ship in v1** |
+
+### 3.5 IT Admin / Vendor Owner
+
+| JTBD | Workflow |
+|---|---|
+| "When assigned a vendor I've never heard of, show me who uses it and whether we still need it in 5 minutes" | Vendor page → Usage tab → active-user list + license utilization + spend → keep/consolidate/kill chips |
+| "When an employee offboards, auto-deprovision everywhere — sanctioned and shadow apps" | HRIS webhook → offboarding run → revoke SSO + direct API + virtual card pause + summary report |
+| "When shadow IT appears, ping the buyer in Slack asking for security justification" | Discovery event → Slack DM to buyer → response routes to security queue or auto-onboards under SSO |
+
+**Done well by**: BetterCloud, Torii, Zluri (lifecycle).
+**Done badly**: Vendr/Sastrify/Spendhound (out of scope for them).
+
+### 3.6 Internal Audit
+
+| JTBD | Workflow |
+|---|---|
+| "When SOC2 fieldwork begins, hand the auditor a read-only link to all vendor evidence" | Auditor Mode → time-boxed link → watermarked PDFs → viewer activity log |
+| "When verifying offboarding SLAs, cross-reference HR termination timestamps with identity revocation timestamps" | Audit query → compliance dashboard → HRIS × IdP timestamp join → exportable report |
+| "When spot-checking high-risk vendor, see immutable decision history" | Vendor page → Activity tab → full append-only event log |
+
+---
+
+## 4. Information architecture (final)
+
+### 4.1 Top-level navigation — 7 routes
+
+```
+┌────────────────────────────────────────────────────────────────┐
+│ Unsyphn   Inbox  Vendors  Renewals  Requests  Evidence  ...  │
+└────────────────────────────────────────────────────────────────┘
+
+/app/inbox        — material changes, approvals, renewals due, alerts (HOME)
+/app/vendors      — full directory; logo-rich rows; filterable
+/app/renewals     — calendar + kanban + workbench
+/app/requests     — intake; approvals; policy checks
+/app/evidence     — audit bundles; chronology exports; share links
+/app/policies     — rule editor; materiality thresholds; clause library
+/app/settings     — integrations; RBAC; team; billing; branding
+```
+
+**Why Inbox-first and not Dashboard-first?** Three reports converged independently on this. The product's job is triage of material events (price hikes, sub-processor changes, expiring certs, renewals due, requests waiting). Vendr/Zluri/Sastrify default to dashboards and that's exactly why customers describe them as "too many tabs to remember to check." Linear, Pylon, Plain, and the modern Attio prove that operators want a queue at home, not vanity tiles.
+
+**Vendor and Senso brief are not top-level** — they're detail pages reached via the Inbox or Vendors list. Vendor lives at `/app/vendors/:id`. The public evidence brief lives at `/evidence/:id` (no `/app/` prefix — it's externally shareable, auth-optional).
+
+### 4.2 The 5 canonical objects
+
+Every URL and every screen maps to one of five objects:
+
+| Object | URL | Purpose |
+|---|---|---|
+| **Vendor** | `/app/vendors/:id` | Canonical record for a single SaaS app |
+| **Renewal** | `/app/renewals/:id` | A specific upcoming or past renewal cycle |
+| **Material Change** | `/app/inbox/:changeId` | A diff event (price/terms/sub-processor/posture) |
+| **Request** | `/app/requests/:id` | An intake for a new vendor / change to existing |
+| **Evidence Bundle** | `/evidence/:bundleId` (public) | An immutable signed export |
+
+Every other surface is a list, filter, or lens over these five.
+
+### 4.3 Detail page anatomy
+
+**Vendor page** — header (logo + name + owner + spend tier + risk tier + renewal countdown), 6 tabs (Overview · Spend & Usage · Contracts & Renewals · Risk & Legal · Change Feed · Activity & Evidence), right rail with sticky next-action.
+
+**Contract page** — clause-first, not file-first. Extracted clauses above (term length, notice window, auto-renewal flag, price escalators, AI rights, sub-processors, liability cap, DPA status). Document viewer below.
+
+**Material Change page** — the **hero object**. Top: "What changed · Why it matters · Who owns · What's next · Proof." Middle: redline diff or before/after card. Right rail: affected customer contracts (cross-ref) + suggested action + Slack/Jira route buttons. This page is what makes Unsyphn memorable.
+
+**Renewal page** — decision workbench. 4 panels: benchmark delta · usage/waste · legal/risk blockers · recommended action. Bottom third: drafted renegotiation packet (one click to send/export).
+
+### 4.4 Role partitioning — sidebar lens, not URL workspaces
+
+All three reports converged: **do not put roles in the URL**. A vendor is `/app/vendors/notion`, not `/procurement/vendors/notion`. Roles change the *ranking* and *default tabs*, never the *URL*. This keeps Slack deep-links stable, evidence URLs stable, and cross-functional handoffs friction-free.
+
+Implementation:
+- Lens chips in top bar: `Procurement · Legal · Security · Finance · IT · Audit`
+- Selecting a lens changes saved-view defaults across every list (Inbox, Vendors, Renewals)
+- Per-card persona chip (`👤 CFO + CISO`) signals which roles care about this row
+- Lens preference persisted to user profile + URL param (for sharing)
+
+This is the Attio pattern. Linear does a lighter version with "Views." Notion does it heavier with "Teamspaces." Pick the Attio pattern.
+
+### 4.5 Empty states — never blank charts
+
+| Route | Day 1 (cold start) | Day 30 (activated) |
+|---|---|---|
+| Inbox | Sample 3 demo changes + "Connect Google Workspace to see your real inbox" | Real ranked queue |
+| Vendors | AI-predicted vendor list from email domain + checkbox "Confirm" | 200–500 cards filterable |
+| Renewals | Sample renewal card from uploaded contract or demo seed | Calendar + kanban |
+| Requests | Pre-built intake form template + policy presets | Live pipeline with SLAs |
+| Evidence | One sample bundle showing chronology + citations | Searchable library |
+| Policies | 5 prebuilt rules (renewal notice, price hike, AI rights, sub-processor, cert expiry) | Real exception counts |
+
+The current app's "empty screens" problem is solved here.
+
+### 4.6 Mobile
+
+Mobile is intentionally narrow: **inbox triage, approve/reject, view critical alert, assign owner, view renewal countdown.** Anything analytical (compare, clause review, policy editing, dashboards) is desktop-only. Slack approval cards do 80% of the mobile job. Native iOS app is year-2; mobile-responsive PWA is year-1.
+
+---
+
+## 5. Visual system — LIGHT mode
+
+Switch from current dark Slate to light. Light mode is the right default for the Finance / Procurement / Legal audience who work in glare-prone rooms during business hours. Mercury, Ramp, Brex, Stripe Dashboard, Linear (post-2025 warm-gray refresh) all prove this. Dev tools default dark; we are not selling to devs.
+
+### 5.1 Color tokens (final)
+
+```css
+:root {
+  /* Surfaces — warm neutral hierarchy */
+  --bg:               #F7F8FA;  /* canvas */
+  --surface:          #FFFFFF;  /* cards, tables, modals */
+  --surface-2:        #F3F5F7;  /* secondary panels, filters */
+  --surface-3:        #EDEDEB;  /* hover, active */
+
+  /* Borders */
+  --border:           #E5E7EB;  /* hairline dividers */
+  --border-strong:    #D1D5DB;  /* inputs, selected */
+
+  /* Text */
+  --text:             #0F172A;  /* primary, 16:1 on white ✓ AAA */
+  --text-2:           #475569;  /* secondary, 8.4:1 ✓ AAA */
+  --text-muted:       #64748B;  /* tertiary, 5.7:1 ✓ AA */
+  --text-disabled:    #A3A3A3;  /* decorative only */
+
+  /* Brand accent — Indigo. Preserves periwinkle DNA. */
+  --accent:           #4F46E5;  /* Indigo 600, 8.6:1 on white ✓ AAA */
+  --accent-hover:     #4338CA;  /* Indigo 700 */
+  --accent-soft:      rgba(79,70,229,0.10);
+  --accent-ring:      rgba(79,70,229,0.30);
+
+  /* Semantic — traffic light */
+  --success:          #16A34A;  /* savings recovered, passed checks */
+  --warning:          #D97706;  /* renew soon, needs review */
+  --danger:           #DC2626;  /* high risk, expired, rejected */
+  --info:             #0EA5E9;  /* sub-processor change, FYI */
+
+  /* Type */
+  --font-display:     "Geist", "Inter", system-ui, sans-serif;  /* marketing hero */
+  --font-text:        "Inter", system-ui, sans-serif;            /* product UI */
+  --font-mono:        "Geist Mono", "IBM Plex Mono", ui-monospace, monospace;
+
+  /* Scale */
+  --space-base:       8px;
+  --space-tight:      4px;
+  --space-card:       16px;
+  --space-section:    24px;
+  --space-page:       32px;
+
+  --radius-sm:        6px;
+  --radius-md:        8px;
+  --radius-lg:        12px;
+  --radius-pill:      999px;
+
+  /* Elevation — light mode leans on borders not shadows */
+  --shadow-1:         0 1px 2px rgba(15,23,42,0.04);
+  --shadow-2:         0 4px 10px rgba(15,23,42,0.06);
+  --shadow-3:         0 12px 24px rgba(15,23,42,0.10);
+
+  --ring-focus:       0 0 0 2px white, 0 0 0 4px var(--accent-ring);
+}
+```
+
+**Why indigo over teal?**
+Two of three reports proposed indigo (`#6366F1` and `#4F46E5`). The third proposed teal (`#0F766E`) with "money + trust" reasoning. The current build uses periwinkle `#7C8CFA`, which is in the indigo family. Continuity wins; switching to teal would require regenerating brand assets that don't yet exist. Pick `#4F46E5` — slightly deeper than current periwinkle for better contrast on white.
+
+### 5.2 Typography
+
+| Use | Font | Weight | Size |
+|---|---|---|---|
+| Hero (marketing) | Geist | 600 | 56–72px |
+| Screen titles | Inter | 600 | 28–40px |
+| Section headings | Inter | 600 | 20–24px |
+| Body | Inter | 400 | 15–16px |
+| Table cells | Inter | 400 | 13–14px |
+| Labels / buttons | Inter | 500 | 13px |
+| Numerals / monospace | Geist Mono | 500 | matches context |
+
+**Why Inter, not Geist, for body?** Inter is the global default for enterprise B2B (414B Google Fonts hits in the year ending May 2025 per FullStop Insights). Geist is "Inter + 10% polish" and looks great on marketing pages, but its weights at small UI sizes are less battle-tested for dense tables. Use Geist on marketing pages (`/`), Inter in-app.
+
+**Why Geist Mono for numbers?** Tabular figures. Aligning `$135,247` over `$9,432` over `$1,247,891` requires monospace numerals. Inter has tabular-nums, but Geist Mono's metrics are perfect.
+
+**Premium fonts (Söhne, Diatype, TWK Lausanne)** — defer to year 2. Each is $200–500/yr per weight; the ROI doesn't justify until brand maturity. Inter + Geist is the right zero-cost stack.
+
+### 5.3 Spacing, radius, elevation
+
+8px base scale: `4 / 8 / 12 / 16 / 20 / 24 / 32 / 40 / 48 / 64 / 96`.
+Radius: 6px default (cards, inputs, buttons), 12px modals.
+Shadow: 3 steps; cards mostly flat with border, shadows reserved for popovers / modals / palette.
+
+### 5.4 Icon system
+
+**Lucide.** All three reports unanimous. Open source (MIT), 1,500+ icons, 24px grid, 2px stroke, the default for shadcn/ui ecosystem, ~5M weekly npm downloads. Backward-compatible with Feather (so the existing visual language doesn't shift).
+
+Considered and rejected: Phosphor (too illustrative for finance), Heroicons (only 292 icons), Tabler (stroke inconsistency at small sizes), Iconoir (smaller ecosystem).
+
+### 5.5 Light-mode references to study in Figma
+
+- **Stripe Dashboard** — gold standard for financial light mode; perceptually-uniform color system.
+- **Linear (light)** — warm-gray surfaces, Geist typography, density done right.
+- **Vercel Dashboard** — hairline borders, restraint.
+- **Mercury Banking** — fintech-grade numeric precision in light mode.
+- **Ramp** — TWK Lausanne typeface, dense data tables done right.
+- **Brex** — finance-grade authority.
+- **Attio** — flexible objects, sidebar-driven IA (model for our role lens).
+- **Pylon** — modern inbox metaphor for B2B operators.
+
+---
+
+## 6. Vendor logo strategy
+
+### 6.1 The post-Clearbit landscape
+
+Clearbit Logo API was deprecated December 8, 2025 (Logo.dev's own docs confirm). Three viable successors. Reports diverged on which to use as primary; the strongest analysis (Report 2) flagged a Logo.dev gotcha that decides the choice.
+
+| Source | Coverage | Free tier | Attribution required? | License clarity |
+|---|---|---|---|---|
+| **Logo.dev** | 30M+ companies | 500K req/mo | **YES on free** — strict: must link to logo.dev on production site, no `rel="noreferrer"`, must pass referrer data. Removed only at $300+/yr | Disclaims third-party logo IP — customer responsible for fair use |
+| **Brandfetch** | 50M+ brands | 500K req/mo (soft); 2,400 req per 5 min throttle | No attribution required | "Logo usage must comply with fair use"; non-endorsement, non-alteration |
+| **Simple Icons** | ~3,400 popular brands | Unlimited via CDN | No attribution | **CC0 1.0** for the icon project; trademarks still owned by brands |
+| Google s2 favicons | Virtually any domain | Free, no key | No | Unofficial/undocumented per Chromium team — fragile |
+
+### 6.2 Recommendation — three-tier resolver
+
+```typescript
+// resolve in this order, cache aggressively
+1. Simple Icons via cdn.simpleicons.org/{slug}     // primary; CC0; no attribution; covers top 200
+2. Brandfetch Logo API                              // fallback for long tail; no attribution
+3. Monogram fallback (2-letter on hashed pastel)   // last resort
+```
+
+**Why Simple Icons over Logo.dev primary?** Logo.dev's free-tier requires a `logo.dev` backlink visible on production. For an enterprise B2B SaaS, surfacing a third-party brand-attribution link in customer environments is a sales objection waiting to happen. Simple Icons is CC0, requires nothing, ships via jsDelivr or unpkg CDN, and covers all 18 vendors named in the brief plus the top 200 enterprise SaaS apps. Brandfetch fills the long tail for free.
+
+**Logo.dev gets considered at $300+/yr** once revenue justifies it for the long tail beyond Brandfetch's free tier.
+
+### 6.3 Logo rendering pattern
+
+- **Container**: 32×32 (lists), 48×48 (cards), 64×64 (vendor header). 6px radius. 1px `--border` border. White background (`--surface`).
+- **Logo**: vendor brand color preserved (logos look wrong in monochrome). Centered. Max 80% of container to leave breathing room.
+- **Monogram fallback**: 2 letters of vendor name in 500 weight. Background: deterministically-hashed pastel from a 12-color palette (no two adjacent vendors share a color).
+- **Always show vendor name next to logos ≤32px** — small logos alone are unreadable for non-globally-famous brands.
+
+### 6.4 The marketing cube — replace random colors with vendor logos
+
+Current state: cube faces have random colors. Two design options surfaced in research:
+
+**Option A — 1 logo per face, big.** Stripe-Connect-style. 6 faces × 1 logo each, rotating slowly.
+**Option B — Grid per face, 4–9 logos.** Each face is a dense mini-grid; conveys app sprawl. 2 of 3 reports recommend this.
+
+**Decision: Option B.** "Too many vendors in one shape" is the actual product message. A single logo per face reads as a toy showcase. A grid per face conveys the 291-apps-per-enterprise statistic visually.
+
+**Build pattern**:
+- 6 faces, each a 3×3 CSS grid of vendor logos (54 logos total, picked from top enterprise SaaS by recognition).
+- White face background, logos render in brand color.
+- Slow rotation (15–20s per revolution), random-pause on hover.
+- Honor `prefers-reduced-motion` — static on those devices.
+- Below the fold: a static "Datadog-style logo wall" with 100+ "Supported integrations" logos as a trust signal.
+- Mobile: cube collapses to a single 4×4 grid of 16 logos.
+
+---
+
+## 7. Onboarding — the 60-second wedge
+
+### 7.1 What the bar is
+
+Nudge Security: **"Got 5 minutes? See everything—today."** (homepage verbatim). That's the bar to beat.
+
+Other competitors: Sastrify "5 minutes" (third-party claim), Spendflo "14 days," Zluri "time-consuming," Vendr "sales-led / no self-serve."
+
+**Unsyphn's target: 60 seconds from email to populated fleet.**
+
+### 7.2 Minimum viable connection set
+
+**One connection: Google Workspace or Microsoft 365 OAuth.** That single connection unlocks:
+- **Email metadata discovery** — every SaaS that has sent a billing email, invite, or password reset to a corp address (Nudge's exact wedge)
+- **OAuth grants** — third-party apps with scopes
+- **Calendar metadata** — vendor meeting cadence as a proxy for active relationships
+- **Directory** — user roster for ownership assignment
+
+Add expense-card OAuth (Brex/Ramp) on screen 2 as optional. Defer SSO connectors, browser extensions, HRIS, contract uploads to "after the wow."
+
+### 7.3 The single-screen flow
+
+```
+┌──────────────────────────────────────────────────────────────┐
+│                                                              │
+│                       UNSYPHN                                │
+│                                                              │
+│       Find every SaaS your company is wasting money on.      │
+│                                                              │
+│                                                              │
+│   [ Sign in with Google Workspace ]   [ Microsoft 365 ]      │
+│                                                              │
+│                                                              │
+│   We only read OAuth grants, email senders, and calendar     │
+│   metadata. We never read message bodies or attachments.     │
+│                                                              │
+│   SOC 2 Type II  ·  No-train AI guarantee  ·  GDPR-ready     │
+│                                                              │
+│                  Skip → Connect later                        │
+│                                                              │
+└──────────────────────────────────────────────────────────────┘
+```
+
+### 7.4 The 60-second sequence
+
+| Time | What happens |
+|---|---|
+| 0:00 | User enters work email |
+| 0:15 | OAuth consent |
+| 0:30 | Discovery starts; skeleton vendor grid materializes; logos resolve from Simple Icons CDN |
+| 0:45 | Vendor count ticker climbs ("Found 84... 137... 247 apps") |
+| 1:00 | Fleet visible. Headline metric: **"We found 247 SaaS apps. 89 weren't in your IT inventory."** |
+| 1:30 | First wow card surfaces: "Biggest waste we can see: 412 unused Salesforce seats at $165/mo = $815K/yr. Draft renegotiation email?" |
+| 2:00 | One-click drafts the email. "Send to AE" or "Schedule for renewal date" buttons. |
+| 3:00 | User has signed up, seen real waste, and engaged with first action. Activation criterion met. |
+
+### 7.5 Cold start problem (when there's literally no data)
+
+Three techniques (use in combination):
+1. **AI predict-from-domain** — sign-up email `cfo@acme.com` → industry classification → render 50 most-likely apps with confidence scores. Checkboxes to confirm/deny.
+2. **Vendor library of 10,000+ pre-categorized apps** — show top 100 by industry as "starter cards."
+3. **One-click CSV import** from finance as fallback.
+
+---
+
+## 8. Pricing & packaging
+
+### 8.1 Where the market sits
+
+| Vendor | Anchor price | Axis |
+|---|---|---|
+| Vendr | $36K → $78K → $120K (with savings guarantees) | Platform + negotiation credits |
+| Sastrify | €12.5K + €15K modular | Modular |
+| Spendflo | ~$18K start | Platform + managed |
+| Tropic | ~$10–22K start | Platform |
+| Zylo | ~$38–50K typical | Per-employee + spend-managed |
+| Cledara | $75 → $200 → $500+/mo | App-count tier |
+| BetterCloud | $3 / $6 / $10 per user/mo | Per-user-per-month |
+| Zluri | ~$35K base | Per-user blended |
+| **Nudge** | **$5/user/mo or $750/mo flat** | Per active user — most transparent |
+| Torii | Quote-only | Per-user/per-app blended |
+| **Spendhound** | **Free under 1,000 employees; $10K Enterprise** | Free; monetizes data |
+| Spendesk | Subscription + transaction fee | Spend mgmt, not pure SMP |
+
+### 8.2 Decision — Unsyphn pricing
+
+**Axis: flat platform fee.** Not per-seat (penalizes growth), not pure % of savings (creates trust friction). Add % of savings as an optional Enterprise add-on with a cap (Vendr-pattern) for very large deals.
+
+**4 tiers + 2 add-ons:**
+
+| Tier | Price | Best for | What's in |
+|---|---|---|---|
+| **Discover** (free) | $0 | Anyone (PLG funnel, pre-qualification) | Single Google/M365 connection · email-metadata + OAuth-grant discovery · Top-100 vendor cards with benchmark hints · 5 contract uploads · Slack alerts · "Powered by Unsyphn" footer in shared reports |
+| **Growth** | **$1,500/mo flat** ($18K/yr) | 50–250 employees | + Material Change Feed · unlimited contracts · Renegotiation packets · Jira/Slack routing · 3 integrations · audit log · remove branding |
+| **Scale** | **$3,500/mo flat** ($42K/yr) | 250–1,000 employees | + Sub-processor heatmap · Customer Commitments extraction · unlimited integrations · RBAC · SCIM · 1 dedicated CSM hour/wk |
+| **Enterprise** | **$30K platform + 15% of net savings (capped at $200K/yr)** | 1,000+ employees | + Data residency (US/EU pinning) · custom SSO · dedicated negotiation analyst · on-prem SIEM webhook · audit-mode workspaces · private API · 99.9% SLA |
+
+**Add-ons (sold across tiers):**
+- **Negotiation Concierge** — $10K/quarter — human procurement analyst handles 5 negotiations per quarter end-to-end. Vendr-style managed motion.
+- **GRC Bridge** — $1,000/mo — deep two-way Vanta + Drata + OneTrust integration; auto-Trust-Center sync.
+
+### 8.3 Why a free tier
+
+Spendhound is free and growing. Comparison articles will mark Unsyphn as a con without one. Free funnels mid-market the way Rocket Money's free tier funnels consumers. Constraints prevent value leak: 5 contracts max, top-100 vendors only, no automation, no audit export, branded footer.
+
+### 8.4 The pricing page
+
+Must include:
+1. Three tiers visible at first scroll; Enterprise via "Contact sales."
+2. Feature matrix below.
+3. **ROI calculator** — slider for employee count → estimated waste → estimated recovery → payback weeks.
+4. FAQ: "Why no per-seat pricing? · What counts as net savings? · Where is my data stored? · No-train AI guarantee."
+5. **Sample savings number** at top: *"Companies on Growth average $135K recovered per quarter in their first year."* — defensible against Vendr's published 17.13% average savings × 9.5× ROI; for a $3M/yr SaaS spend, 17% = $510K/yr ≈ $128K/quarter.
+
+---
+
+## 9. Novel wedges — top 5 to ship
+
+From the 30 ideas brainstormed across reports, these five are the consensus high-value novel features that no competitor combines.
+
+| # | Wedge | Personas | Value | Diff | Moat |
+|---|---|---|---|---|---|
+| 1 | **Material Change Feed** — daily diff of every vendor's pricing, terms, sub-processor, security pages; surfaces as ranked Inbox items | CFO, GC, CISO, PROC | 5 | 4 | 5 |
+| 2 | **One-click Renegotiation Packet** — benchmark + usage + 3 drafted counter-offer emails + Slack-to-AE handoff | PROC, CFO | 5 | 3 | 3 |
+| 3 | **Sub-processor jurisdiction heatmap + Customer Commitments cross-ref** — when a vendor adds sub-processor in non-adequate region, cross-check *your* customer DPAs to see which require 30-day notification, auto-draft those notices | CISO, GC | 5 | 4 | 5 |
+| 4 | **Auditor Mode** — time-boxed read-only workspace with watermarked PDFs + viewer activity log | AUD, CISO | 4 | 3 | 3 |
+| 5 | **AI-predict-from-domain cold start** — fleet visible before any integration is connected | All | 4 | 2 | 2 |
+
+These five together = the "Rocket Money for enterprise" story:
+- Continuous external monitoring (no SMP has this) — #1
+- Opinionated action (most SMPs are read-only) — #2
+- Cross-system glue (no one connects sub-processor → customer DPA) — #3
+- Audit-grade evidence (Vanta does this, no SMP does) — #4
+- Zero-friction cold start (Nudge does this, but only on Google/M365) — #5
+
+**Deferred to year 2** (good ideas, not the wedge): browser-extension shadow IT, virtual-card auto-pause, vendor report cards, Slack-bot "Vendor Whisperer," feature-level usage analytics (Productiv territory), full lifecycle/IGA (BetterCloud/Torii/Zluri territory).
+
+---
+
+## 10. Integration roadmap
+
+**Phase 1 (MVP)** — what makes the wedge work:
+
+| # | Integration | Direction | What it pulls/pushes |
+|---|---|---|---|
+| 1 | Google Workspace | In | OAuth grants, email metadata, calendar, license usage |
+| 2 | Microsoft 365 / Entra | In | Same |
+| 3 | Okta | In | SSO catalog, user assignments |
+| 4 | Brex | In | Transactions, receipts |
+| 5 | Ramp | In | Transactions, vendors, AP |
+| 6 | NetSuite | In | Vendors, bills, GL, departments |
+| 7 | QuickBooks | In | Vendors, bills |
+| 8 | Slack | Out | Alerts, intake, approvals, drafted vendor emails |
+| 9 | Jira | Out | Tickets to owner / security / legal queues |
+| 10 | Email (SES/SendGrid) | Out | Renewal alerts, drafted emails with "send via Gmail" handoff |
+| 11 | Webhooks | Out | Generic for SIEM, ticketing, BI |
+
+**Phase 2 (mid-year)** — bake-off vs Zluri/Sastrify:
+
+12. Microsoft Teams · 13. Linear · 14. HRIS (Workday/BambooHR/Rippling) · 15. Spendesk · 16. Vanta (Customer Commitments) · 17. Drata · 18. DocuSign · 19. OneLogin · 20. SIEM (Splunk, Datadog, Sumo)
+
+**Phase 3 (year 2)**:
+
+21. OneTrust · 22. Ironclad · 23. Lexion · 24. Embedded BI (Looker, Sigma, Hex) · 25. Browser extension · 26. Custom ERP connectors
+
+---
+
+## 11. Trust & compliance posture
+
+What enterprise buyers require — Unsyphn ships parity with Vanta from day one (table stakes, not differentiator).
+
+| Requirement | What Unsyphn ships |
+|---|---|
+| **SSO + SCIM** on all paid tiers (no "SSO tax") | SAML + OIDC on all tiers; SCIM on Scale + Enterprise |
+| **RBAC** with persona scopes | Roles: Finance, Procurement, Security, Legal, IT, Audit, Admin, Owner |
+| **Immutable audit trail** | Append-only event log per workspace; 7-year retention default; exportable as audit-grade CSV + JSON + signed PDF |
+| **No-train AI guarantee** | Verbatim mirror of Vanta's policy: "Unsyphn does not train models on customer data today. Should this change, we will provide customers with advance notice." Sensitive operations (clause extraction, Customer Commitments) on internally-hosted LLMs; third-party API use only with explicit DPA terms |
+| **Data residency** | US/EU pinning at Enterprise tier (Vanta-pattern, separate EU instance) |
+| **Citation-grounded AI** | Every AI output (clause extraction, counter-offer draft, sub-processor flag) cites source: clickable link to contract paragraph or vendor webpage with fetch timestamp. **No bare assertions.** |
+| **Workspace isolation** | Multi-BU / M&A use cases; separate subsidiaries with shared central governance |
+| **Trust Center** | Public page with SOC 2, DPA, sub-processor list, security appendix |
+
+**Certifications, priority order**: SOC 2 Type II (year 1) → ISO 27001 (year 1) → GDPR + DPF (year 1 EU) → ISO 27701 (year 2 privacy) → ISO 42001 (year 2 AI) → HIPAA-ready (year 2 if healthcare) → FedRAMP Moderate (year 3 if pubsec).
+
+**Customer Commitments primitives** (Vanta launched these in 2025; Unsyphn ships parity):
+- 30-day sub-processor change notice (HubSpot DPA verbatim sets the standard: "we will notify you at least 30 days prior")
+- Incident notification SLAs (24–72h typical)
+- Certificate of deletion within 90 days of termination
+- Audit rights with reasonable notice
+
+---
+
+## 12. Demo narrative — 3 minutes
+
+### The hook (0:00–0:30)
+
+> "Most companies can tell you what they *budgeted* for software. Very few can tell you what *changed* across their vendor fleet this week. Unsyphn fixes that. We discover your vendors in 60 seconds, watch every pricing page, every DPA, every sub-processor list, and turn material changes into one action queue. In this demo account, Unsyphn found **$135,000 recoverable** this quarter from duplicate apps, unused seats, and one renewal with both benchmark and clause-drift risk."
+
+### Discovery (0:30–1:00)
+
+Live: "Sign in with Google Workspace" → vendor logos materialize via Simple Icons CDN → "247 apps found, 89 weren't in your IT inventory." Real-time logo wall builds on screen.
+
+### The wedge (1:00–2:00) — material change cards
+
+Open Inbox. Show three cards in sequence:
+
+1. **Price hike detected.** Salesforce updated their AI add-on pricing page yesterday. Diff: $20/seat surcharge. Affected: 412 active seats. Slack DM already sent to VP RevOps.
+2. **Legal change detected.** Datadog quietly added a sub-processor in India three days ago. Diff highlighted. Your customer contracts require 30-day notice → Unsyphn already drafted notice email to top 12 affected customers.
+3. **Waste detected.** Figma utilization dropped 30%. Duplicate design tools in product team. Recoverable: $1,800/yr.
+
+Open card 1. Show: what changed · why it matters · who owns · proof (citation) · drafted counter-offer email. One click: send.
+
+### Audit close (2:00–2:30)
+
+Jump to Evidence. Click "Generate Bundle" on Datadog. Watermarked, time-boxed, signed PDF. "What used to take two weeks now takes 90 seconds."
+
+### The transact (2:30–3:00)
+
+> "We're $1,500 a month, flat. No per-seat tax. Sign up with your Google account, see your fleet in 60 seconds. For enterprises with $5M+ in SaaS, we'll guarantee $200K+ recovered or you don't pay the variable component. Where do you want to start?"
+
+Two CTAs: self-serve free / enterprise contact-sales.
+
+---
+
+## 13. Final 30-item priority list (synthesized)
+
+| # | Feature | Effort | Wave | Already-has |
+|---|---|---|---|---|
+| 1 | **Brand rename Redline → Unsyphn** everywhere | S | 0 | — |
+| 2 | **Light-mode token swap** (replace current Slate tokens with §5.1 above) | M | 0 | — |
+| 3 | **Inbox as new home route** (`/app` → `/app/inbox`, redirect current Portfolio) | M | 0 | — |
+| 4 | **Google + M365 OAuth onboarding** (email metadata + OAuth grants) | M | 1 | Nudge Security |
+| 5 | **Vendor card with logo** (Simple Icons primary, Brandfetch fallback, monogram last) | S | 1 | All |
+| 6 | **AI-predict-from-domain cold start** | M | 1 | Novel |
+| 7 | **Brex/Ramp/NetSuite/QuickBooks expense ingestion** | M | 1 | Sastrify, Cledara, Spendhound |
+| 8 | **Continuous Vendor Change Feed** (pricing + terms + sub-processors, 200 hardcoded vendors initially) | L | 1 | Novel |
+| 9 | **Renewal calendar with 30/60/90-day Slack alerts** | S | 1 | All |
+| 10 | **One-click Renegotiation Packet** with benchmark + drafted email + Gmail handoff | M | 2 | Vendr (manual), Spendhound (24h ghostwriting) |
+| 11 | **Contract vault with LLM clause extraction** | M | 2 | Vendr, Sastrify, Tropic |
+| 12 | **Slack + Jira routing per persona** | S | 2 | BetterCloud, Torii |
+| 13 | **Vendor-detail page with persona "lens chips"** (6 tabs) | M | 2 | Novel |
+| 14 | **License utilization & inactive-seat reclamation list** | M | 2 | Zluri, Productiv, BetterCloud |
+| 15 | **Sub-processor jurisdiction heatmap + Customer Commitments cross-ref** | L | 3 | Novel |
+| 16 | **Auto-draft 30-day customer notice on sub-processor change** | M | 3 | Novel |
+| 17 | **CFO scorecard dashboard** (waste, savings, YoY) | M | 3 | Zylo, Cledara |
+| 18 | **"Two tools, same job" duplicate detector** with savings estimate | M | 3 | Partially BetterCloud, Productiv |
+| 19 | **Auditor Mode** (time-boxed read-only watermarked workspace) | M | 3 | Novel |
+| 20 | **OAuth-grant inventory & risk scoring** | M | 3 | Nudge Security |
+| 21 | **Vanta + Drata bidirectional integration** | M | 4 | Few cross-integrate |
+| 22 | **SAML SSO on all paid tiers; SCIM on Scale+** | M | 4 | All enterprise SMPs |
+| 23 | **Marketing cube refresh** (6 faces × 3×3 logo grids, real SaaS vendors) | M | 4 | Stripe Connect pattern |
+| 24 | **Pricing page + ROI calculator** | M | 4 | All competitors |
+| 25 | **Trust Center page** (SOC2 in audit, no-train AI, DPA, sub-processors) | M | 4 | Vanta-pattern |
+| 26 | **HRIS-driven owner assignment + offboarding deprovisioning** | L | 5 | Torii, Zluri, BetterCloud |
+| 27 | **Browser extension for personal-device discovery** | L | 5 | BetterCloud, Zluri, Torii |
+| 28 | **Auto-cancel-unused-seat one-click** (Slack/Notion/Figma admin APIs) | L | 5 | Novel |
+| 29 | **Mobile-responsive web + Slack approval cards** | S | 5 | All |
+| 30 | **Public Vendor Report Cards** (shareable external URL) | M | 6 | Novel |
+
+---
+
+## 14. Where reports disagreed (for the record)
+
+These are the open questions that need user/team calls. The decisions above reflect my synthesis; the user can override.
+
+| Question | Report 1 | Report 2 | Report 3 | My call | Why |
+|---|---|---|---|---|---|
+| Primary accent color | Indigo `#6366F1` | Teal `#0F766E` | Indigo `#4F46E5` | **Indigo `#4F46E5`** | Continuity with existing periwinkle; 2/3 agree on indigo family |
+| Primary body font | Geist | Inter (UI) + Geist (marketing) | Inter | **Inter UI + Geist marketing** | Inter is the safer enterprise default; Geist for hero pages |
+| Numeric font | Geist Mono | Geist Mono | IBM Plex Mono | **Geist Mono** | Stays in Geist family |
+| Cube design | 4×4 grid per face | 1 logo per face (Stripe Connect) | 4-9 logo grid per face | **3×3 grid per face** | Conveys sprawl better than single logo; matches user request for real vendor logos |
+| Pricing axis | Per-employee | Flat platform + % savings on Enterprise | Flat platform | **Flat platform; %savings as Enterprise option** | Hybrid of R2/R3 — clean and defensible |
+| Free tier | Yes (Free Audit) | Yes (Discover) | Yes (constrained) | **Yes — Discover tier with branded footer** | Unanimous; constraints from R3 |
+| Enterprise base price | Custom from $5K | $30K + 15% savings | $72K | **$30K + 15% savings (capped $200K)** | R2 has the most defensible structure |
+| Logo CDN primary | Logo.dev | Simple Icons | Logo.dev | **Simple Icons + Brandfetch fallback** | R2's analysis of Logo.dev attribution gotcha decides it |
+| Top wedge | Auto-cancel-unused-seat | Vendor Change Feed | Material Change Graph + Evidence Ledger | **Material Change Feed** (= R2 + R3 same idea) | 2/3 converge; R1's auto-cancel is downstream of detection |
+| % savings pricing | Doesn't mention | Yes with cap (Enterprise) | Avoid entirely | **Optional add-on, not the main axis** | R3's trust concern is real; R2's cap addresses it |
+| Onboarding primary connection | Email scan (Google/M365) | Email scan (Google/M365) | Finance source OR identity | **Google/M365 OAuth** | 2/3 + the Nudge precedent is the strongest single proof in the research |
+
+---
+
+## 15. What this document supersedes
+
+- `plan.md` — original Slate × Seven dark-mode plan with Redline branding. **Superseded.** Some sections (visual system, IA basics) still apply with the swaps above (dark→light, Redline→Unsyphn, periwinkle accent retained as Indigo `#4F46E5`).
+- `BUILD.md` — original 5-wave execution plan. **Needs rewrite** against the new IA (7 routes, Inbox-first, light mode, logo work).
+- `RESEARCH_PROMPT.md` — kept for future research runs.
+- `PAGE_AUDIT.md` and `REGRESSION_REPORT.md` — historical; still useful for "what was already shipped under Redline" context.
+
+The codebase as of `saasb2b` branch is the current build state. Wave 1–5 shipped under Redline; everything in this strategy doc is the delta to get to Unsyphn v1.
+
+---
+
+## Next step
+
+Now we build the **long-term plan** on top of this strategy:
+
+1. **Roadmap** — 4 quarters, what ships when, with success metrics per quarter.
+2. **Engineering plan** — rewrite `BUILD.md` against the new 7-route IA + light mode + Material Change Feed wedge.
+3. **Go-to-market** — pricing page launch, design partner program, content plan.
+4. **Metrics** — leading indicators (activation rate, time-to-first-wow, fleet-visible-in-60s rate), lagging (recovered $ per customer, NRR).
+
+When ready, say the word and I'll draft the long-term plan referencing this doc as the source of truth.
diff --git a/UNSYPHN_BUILD.md b/UNSYPHN_BUILD.md
new file mode 100644
index 0000000..0e188e3
--- /dev/null
+++ b/UNSYPHN_BUILD.md
@@ -0,0 +1,64 @@
+# UNSYPHN_BUILD.md — Multi-Agent Execution Plan v2
+
+**Spec:** [STRATEGY.md](STRATEGY.md) (locked, do not re-debate during build).
+**Supersedes:** `BUILD.md` (Redline / dark / 6-route — now obsolete).
+**Branch:** `saasb2b`. **Mode:** parallel where safe, sequential where required.
+**22 agents, 7 waves, never more than 4 concurrent.**
+
+---
+
+## Overview
+
+```
+Wave 1  Foundation flip     ───4 agents in parallel───►  GATE: brand+light+routes+API
+Wave 2  Logos + cube + icons ───3 agents in parallel───►  GATE: every vendor row has a logo
+Wave 3  Inbox (the hero)    ───3 agents in parallel───►  GATE: /app/inbox is real
+Wave 4  Detail + Renewals + Requests ───3 in parallel─►  GATE: 3 routes real
+Wave 5  Onboarding + Lens + Pricing ───3 in parallel──►  GATE: 60-sec flow + 6 chips + 4 tiers
+Wave 6  Wedge features      ───3 agents in parallel───►  GATE: 3 novel wedges live
+Wave 7  Trust + Settings + Polish ───3 in parallel────►  GATE: AA clean, PR-ready
+```
+
+**Hard gates** between waves: `pnpm typecheck && pnpm test && pnpm build` must pass + visual smoke via preview MCP.
+
+---
+
+## File-ownership matrix (master)
+
+See plan in conversation — full matrix locked. No path appears under more than one agent in the same wave.
+
+---
+
+## Wave summaries (brief)
+
+| Wave | Agents | Goal |
+|---|---|---|
+| 1 | A · B · C · D | Kill Redline brand · light tokens · 5 API stubs · 7-route shell |
+| 2 | E · F · G | Logo CDN resolver · marketing cube refresh · Lucide swap |
+| 3 | H · I · J | Inbox + MaterialChangeCard · ChangeDrawer + DiffViewer · seed expansion |
+| 4 | K · L · M | Vendor detail 6-tab · Renewals workbench · Requests intake |
+| 5 | N · O · P | 60-sec OAuth onboarding · 6 lens chips · 4-tier pricing |
+| 6 | Q · R · S | Renegotiation Packet · Sub-processor heatmap + customer notice · Auditor Mode |
+| 7 | T · U · V | Trust Center · Settings tabs · a11y + code review + ship |
+
+Each agent gets a self-contained brief referencing STRATEGY.md sections. Full briefs and gates appear in conversation history; this doc is the index.
+
+---
+
+## Success criteria (final)
+
+- `pnpm typecheck && pnpm test && pnpm build` all green
+- `grep -ril "redline"` returns empty
+- 7 routes all render with real data
+- 3 wedge features (Material Change Feed, Renegotiation Packet, Sub-processor heatmap) live
+- Marketing cube shows real vendor logos in 3×3 grids
+- axe AA clean on all routes
+- code-reviewer agent returns no CRITICAL
+- 3-minute demo script runs end-to-end
+- Bundle ≤ 380 kB JS
+
+---
+
+## Execution log
+
+Wave 1: dispatching now (Agents A, B, C, D in parallel)
diff --git a/apps/api/package.json b/apps/api/package.json
index 3ca8dd8..9ba8e3d 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "@redline/api",
+  "name": "@unsyphn/api",
   "version": "0.1.0",
   "private": true,
   "type": "module",
@@ -13,8 +13,9 @@
   "dependencies": {
     "@clickhouse/client": "^1.8.0",
     "@hono/node-server": "^1.19.6",
-    "@redline/shared": "workspace:*",
+    "@unsyphn/shared": "workspace:*",
     "hono": "^4.10.7",
+    "pdfkit": "^0.18.0",
     "pino": "^10.3.1",
     "stripe": "^17.4.0",
     "ulid": "^2.3.0",
@@ -22,6 +23,7 @@
   },
   "devDependencies": {
     "@types/node": "^24.10.2",
+    "@types/pdfkit": "^0.17.6",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3"
   }
diff --git a/apps/api/src/agent/queue.ts b/apps/api/src/agent/queue.ts
index 56bf810..4bd809e 100644
--- a/apps/api/src/agent/queue.ts
+++ b/apps/api/src/agent/queue.ts
@@ -1,4 +1,4 @@
-import type { AgentRun } from "@redline/shared";
+import type { AgentRun } from "@unsyphn/shared";
 import { newId } from "../lib/ids.js";
 import { runStore } from "../db/run-store.js";
 import { runStub, type StubRunnerOptions } from "./stub-runner.js";
diff --git a/apps/api/src/agent/router.ts b/apps/api/src/agent/router.ts
index 048ebed..1b75ca2 100644
--- a/apps/api/src/agent/router.ts
+++ b/apps/api/src/agent/router.ts
@@ -9,7 +9,7 @@ import type {
   SlackPayload,
   User,
   Vendor,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import type { ActionRepository } from "../db/actions.js";
 import { publishActionDelivered, type EventPublisher } from "../stream/events.js";
 import { createSlackProvider, renderSlackAlert, type SlackProvider } from "../providers/slack.js";
@@ -171,13 +171,13 @@ function createJiraPayload(input: RouteChangeReportInput, projectKey: string): J
     summary: `${input.changeReport.severity}: ${input.vendor.name} - ${headline}`,
     description: createPlainTextBody(input),
     priority: input.changeReport.severity,
-    labels: ["redline", "vendor-risk", jiraLabel(input.vendor.name)],
+    labels: ["unsyphn", "vendor-risk", jiraLabel(input.vendor.name)],
     assigneeUserId: input.vendor.ownerId,
   };
 }
 
 function createEmailPayload(input: RouteChangeReportInput, to: string): EmailPayload {
-  const subject = `${input.changeReport.severity} Redline alert: ${input.vendor.name}`;
+  const subject = `${input.changeReport.severity} Unsyphn alert: ${input.vendor.name}`;
   const text = createPlainTextBody(input);
   const headline = input.changeReport.headline ?? input.changeReport.recommendation.copy;
 
@@ -195,7 +195,7 @@ function createCalendarPayload(input: RouteChangeReportInput, eventKind: string)
   const endsAt = addMinutes(startsAt, 30);
 
   return {
-    title: `Redline ${eventKind}: ${input.vendor.name}`,
+    title: `Unsyphn ${eventKind}: ${input.vendor.name}`,
     startsAt: startsAt.toISOString(),
     endsAt: endsAt.toISOString(),
     attendees: owner?.email ? [owner.email] : [],
@@ -247,7 +247,7 @@ function jiraLabel(value: string): string {
 }
 
 function resolveBaseUrl(input: RouteChangeReportInput): string {
-  return input.baseUrl ?? process.env.REDLINE_BASE_URL ?? "http://localhost:8787";
+  return input.baseUrl ?? process.env.UNSYPHN_BASE_URL ?? "http://localhost:8787";
 }
 
 function addMinutes(date: Date, minutes: number): Date {
diff --git a/apps/api/src/agent/stub-runner.ts b/apps/api/src/agent/stub-runner.ts
index 1212e62..b88fa24 100644
--- a/apps/api/src/agent/stub-runner.ts
+++ b/apps/api/src/agent/stub-runner.ts
@@ -1,4 +1,4 @@
-import type { RunStage } from "@redline/shared";
+import type { RunStage } from "@unsyphn/shared";
 import { bus } from "../lib/bus.js";
 import { runStore } from "../db/run-store.js";
 import { logger } from "../logger.js";
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index d4ab1cd..9159113 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -12,10 +12,22 @@ import { logger } from "./logger.js";
 import { billingRoute } from "./routes/billing.js";
 import { createChangesRouter } from "./routes/changes.js";
 import { dashboardRoute } from "./routes/dashboard.js";
-import { evidenceRoute } from "./routes/evidence.js";
+import { createEvidenceRouter } from "./routes/evidence.js";
 import { createStreamRouter } from "./routes/stream.js";
-import { vendorsRoute } from "./routes/vendors.js";
+import { createVendorsRouter } from "./routes/vendors.js";
 import { stripeWebhookRoute } from "./routes/webhooks-stripe.js";
+import { inboxRoute } from "./routes/inbox.js";
+import { integrationsRoute } from "./routes/integrations.js";
+import { renewalsRoute } from "./routes/renewals.js";
+import { requestsRoute } from "./routes/requests.js";
+import { recoverableRoute } from "./routes/recoverable.js";
+import { onboardingRoute } from "./routes/onboarding.js";
+import { auditorRoute } from "./routes/auditor.js";
+import { subProcessorsRoute } from "./routes/sub-processors.js";
+import { renegotiationRoute } from "./routes/renegotiation.js";
+import { teamRoute } from "./routes/team.js";
+import { findingsRoute } from "./routes/findings.js";
+import { reportsRoute } from "./routes/reports.js";
 import { createEventBroker, type EventBroker } from "./stream/broker.js";
 
 // serveStatic resolves `root` against process.cwd(). Compute the public/
@@ -52,12 +64,24 @@ export function createApp(deps: AppDeps = {}): Hono {
 
   app.get("/health", (c) => c.json({ ok: true }));
   app.route("/webhooks/stripe", stripeWebhookRoute);
-  app.route("/v1/evidence", evidenceRoute);
+  app.route("/v1/evidence", createEvidenceRouter(reports));
+  app.route("/v1/auditor", auditorRoute);
   app.use("/v1/*", createAuthMiddleware(deps.seedData?.tokens));
-  app.route("/v1/vendors", vendorsRoute);
+  app.route("/v1/vendors", createVendorsRouter({ reports }));
   app.route("/v1/billing", billingRoute);
   app.route("/v1/dashboard", dashboardRoute);
   app.route("/v1/changes", createChangesRouter({ reports, events, ...(deps.now ? { now: deps.now } : {}) }));
+  app.route("/v1/inbox", inboxRoute);
+  app.route("/v1/integrations", integrationsRoute);
+  app.route("/v1/renewals", renewalsRoute);
+  app.route("/v1/requests", requestsRoute);
+  app.route("/v1/recoverable", recoverableRoute);
+  app.route("/v1/onboarding", onboardingRoute);
+  app.route("/v1/vendors", subProcessorsRoute);
+  app.route("/v1/vendors", renegotiationRoute);
+  app.route("/v1/team", teamRoute);
+  app.route("/v1/findings", findingsRoute);
+  app.route("/v1/reports", reportsRoute);
   app.route(
     "/v1/stream",
     createStreamRouter({ events, ...(deps.heartbeatIntervalMs === undefined ? {} : { heartbeatIntervalMs: deps.heartbeatIntervalMs }) }),
diff --git a/apps/api/src/auth.ts b/apps/api/src/auth.ts
index ad29a86..8479d85 100644
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -1,5 +1,5 @@
 import type { MiddlewareHandler } from "hono";
-import type { OrgId, UserId } from "@redline/shared";
+import type { OrgId, UserId } from "@unsyphn/shared";
 import { errorResponse } from "./errors.js";
 import { resolveBearer } from "./seed/loader.js";
 
diff --git a/apps/api/src/db/actions.ts b/apps/api/src/db/actions.ts
index bccae23..f192668 100644
--- a/apps/api/src/db/actions.ts
+++ b/apps/api/src/db/actions.ts
@@ -7,7 +7,7 @@ import {
   type ActionStatus,
   type ChangeReportId,
   type OrgId,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import { clickhouse } from "./client.js";
 
 export interface ActionRepositoryOptions {
diff --git a/apps/api/src/db/change-reports.ts b/apps/api/src/db/change-reports.ts
deleted file mode 100644
index ba4b1a0..0000000
--- a/apps/api/src/db/change-reports.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import type { ChangeReport } from "@redline/shared";
-
-// ChangeReports are persisted to ClickHouse by the agent runner (Track A's
-// work). For the public evidence brief fallback we additionally keep an
-// in-memory cache seeded from seed/change-reports.json so /evidence/:id can
-// render demo data without depending on a live agent run.
-
-export class ChangeReportStore {
-  private byId = new Map<string, ChangeReport>();
-
-  load(reports: ChangeReport[]): void {
-    this.byId.clear();
-    for (const r of reports) this.byId.set(r.id, r);
-  }
-
-  add(report: ChangeReport): void {
-    this.byId.set(report.id, report);
-  }
-
-  get(id: string): ChangeReport | undefined {
-    return this.byId.get(id);
-  }
-
-  list(orgId: string): ChangeReport[] {
-    return [...this.byId.values()].filter((r) => r.orgId === orgId);
-  }
-}
-
-export const changeReportStore = new ChangeReportStore();
diff --git a/apps/api/src/db/changeReports.ts b/apps/api/src/db/changeReports.ts
index 5fea506..06e5b3a 100644
--- a/apps/api/src/db/changeReports.ts
+++ b/apps/api/src/db/changeReports.ts
@@ -1,9 +1,17 @@
-import type { ChangeReport, ChangeReportId, OrgId } from "@redline/shared";
+import type {
+  ChangeReport,
+  ChangeReportId,
+  EscalationRecord,
+  OrgId,
+} from "@unsyphn/shared";
 
 export interface ChangeReportRepository {
   getLatest(orgId: OrgId, id: ChangeReportId): Promise<ChangeReport | null>;
   insertVersion(report: ChangeReport): Promise<void>;
   listVersions(orgId: OrgId, id: ChangeReportId): Promise<ChangeReport[]>;
+  findById(id: ChangeReportId): Promise<ChangeReport | null>;
+  addEscalation(id: ChangeReportId, escalation: EscalationRecord): Promise<void>;
+  listEscalations(id: ChangeReportId): Promise<EscalationRecord[]>;
 }
 
 function copyReport(report: ChangeReport): ChangeReport {
@@ -16,6 +24,7 @@ function key(orgId: OrgId, id: ChangeReportId): string {
 
 export class InMemoryChangeReportRepository implements ChangeReportRepository {
   private readonly rows = new Map<string, ChangeReport[]>();
+  private readonly escalations = new Map<ChangeReportId, EscalationRecord[]>();
 
   constructor(seed: ChangeReport[] = []) {
     for (const report of seed) {
@@ -54,4 +63,21 @@ export class InMemoryChangeReportRepository implements ChangeReportRepository {
   async listVersions(orgId: OrgId, id: ChangeReportId): Promise<ChangeReport[]> {
     return (this.rows.get(key(orgId, id)) ?? []).map(copyReport);
   }
+
+  async findById(id: ChangeReportId): Promise<ChangeReport | null> {
+    for (const versions of this.rows.values()) {
+      const match = versions.find((r) => r.id === id);
+      if (match) return copyReport(match);
+    }
+    return null;
+  }
+
+  async addEscalation(id: ChangeReportId, escalation: EscalationRecord): Promise<void> {
+    const existing = this.escalations.get(id) ?? [];
+    this.escalations.set(id, [...existing, { ...escalation }]);
+  }
+
+  async listEscalations(id: ChangeReportId): Promise<EscalationRecord[]> {
+    return (this.escalations.get(id) ?? []).map((e) => ({ ...e }));
+  }
 }
diff --git a/apps/api/src/db/contracts-store.ts b/apps/api/src/db/contracts-store.ts
new file mode 100644
index 0000000..72d190d
--- /dev/null
+++ b/apps/api/src/db/contracts-store.ts
@@ -0,0 +1,49 @@
+import type { VendorId } from "@unsyphn/shared";
+
+// Contracts uploaded by the user against a vendor. In-memory per the demo
+// constraints — production would push the file blob to object storage and
+// keep only metadata here.
+
+export interface ContractRecord {
+  id: string;
+  vendorId: VendorId;
+  filename: string;
+  sizeBytes: number;
+  contentBase64: string;
+  uploadedBy: string;
+  uploadedAt: string;
+}
+
+export class ContractsStore {
+  private byVendor = new Map<VendorId, ContractRecord[]>();
+  private sequence = 0;
+
+  add(record: Omit<ContractRecord, "id">): ContractRecord {
+    this.sequence += 1;
+    const stored: ContractRecord = {
+      ...record,
+      id: `ctr_${String(this.sequence).padStart(6, "0")}`,
+    };
+    const existing = this.byVendor.get(record.vendorId) ?? [];
+    this.byVendor.set(record.vendorId, [...existing, stored]);
+    return { ...stored };
+  }
+
+  listByVendor(vendorId: VendorId): ContractRecord[] {
+    return (this.byVendor.get(vendorId) ?? []).map((r) => ({ ...r }));
+  }
+
+  getById(vendorId: VendorId, contractId: string): ContractRecord | undefined {
+    const found = (this.byVendor.get(vendorId) ?? []).find(
+      (r) => r.id === contractId,
+    );
+    return found ? { ...found } : undefined;
+  }
+
+  reset(): void {
+    this.byVendor.clear();
+    this.sequence = 0;
+  }
+}
+
+export const contractsStore = new ContractsStore();
diff --git a/apps/api/src/db/customer-contracts-store.ts b/apps/api/src/db/customer-contracts-store.ts
new file mode 100644
index 0000000..ed4b501
--- /dev/null
+++ b/apps/api/src/db/customer-contracts-store.ts
@@ -0,0 +1,42 @@
+// Customer contracts (i.e. Acme's downstream customers) live in-memory per
+// handoff/Data Model. Used by the sub-processor heatmap to compute customer
+// notification obligations.
+
+export interface CustomerContractRecord {
+  id: string;
+  customerId: string;
+  customerName: string;
+  contractId: string;
+  domain: string;
+  contractStart: string;
+  contractEnd: string;
+  annualValueUsd: number;
+  dataResidency: string;
+  dpaClause: string;
+  noticeDays: number;
+  notifiedSubProcessors: string[];
+}
+
+export class CustomerContractsStore {
+  private byId = new Map<string, CustomerContractRecord>();
+
+  load(records: CustomerContractRecord[]): void {
+    this.byId.clear();
+    for (const r of records) this.byId.set(r.id, r);
+  }
+
+  get(id: string): CustomerContractRecord | undefined {
+    return this.byId.get(id);
+  }
+
+  list(): CustomerContractRecord[] {
+    return [...this.byId.values()];
+  }
+
+  // Customers who must be notified when a flagged sub-processor is added.
+  listNotificationCandidates(): CustomerContractRecord[] {
+    return this.list().filter((c) => c.notifiedSubProcessors.length > 0);
+  }
+}
+
+export const customerContractsStore = new CustomerContractsStore();
diff --git a/apps/api/src/db/integrations-store.ts b/apps/api/src/db/integrations-store.ts
new file mode 100644
index 0000000..b4dff84
--- /dev/null
+++ b/apps/api/src/db/integrations-store.ts
@@ -0,0 +1,151 @@
+// Integrations catalog lives in-memory per handoff/Data Model. Seeded from
+// seed/integrations.json. The Settings screen reads this list to render the
+// connector catalog and posts to mutate connection state.
+
+export type IntegrationCategory = "inbound" | "outbound";
+export type IntegrationAuthType = "oauth" | "api-key" | "saml";
+
+export interface IntegrationField {
+  key: string;
+  label: string;
+  placeholder?: string;
+  sensitive?: boolean;
+  optional?: boolean;
+}
+
+export interface IntegrationRecord {
+  id: string;
+  name: string;
+  slug: string;
+  category: IntegrationCategory;
+  description: string;
+  authType: IntegrationAuthType;
+  iconSlug?: string;
+  iconColor?: string;
+  requiredFields: IntegrationField[];
+  defaultScopes: string[];
+  connected: boolean;
+  scopes?: string[];
+  connectedAs?: string;
+  connectedAt?: string;
+  lastSyncedAt?: string;
+}
+
+export interface SyncRecord {
+  id: string;
+  startedAt: string;
+  durationMs: number;
+  recordsScanned: number;
+  status: "success" | "partial";
+}
+
+interface ConnectInput {
+  values?: Record<string, string>;
+  scopes?: string[];
+  connectedAs?: string;
+}
+
+export class IntegrationsStore {
+  private byId = new Map<string, IntegrationRecord>();
+  // Sensitive values are kept out of the public IntegrationRecord and live in
+  // a side map. Demo only — production would push these into a secret store.
+  private valuesById = new Map<string, Record<string, string>>();
+  private historyById = new Map<string, SyncRecord[]>();
+
+  load(records: IntegrationRecord[]): void {
+    this.byId.clear();
+    this.valuesById.clear();
+    this.historyById.clear();
+    for (const r of records) this.byId.set(r.id, r);
+  }
+
+  get(id: string): IntegrationRecord | undefined {
+    return this.byId.get(id);
+  }
+
+  list(filter?: { category?: IntegrationCategory }): IntegrationRecord[] {
+    const all = [...this.byId.values()];
+    return filter?.category ? all.filter((r) => r.category === filter.category) : all;
+  }
+
+  connect(id: string, input: ConnectInput): IntegrationRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const now = new Date().toISOString();
+    const updated: IntegrationRecord = {
+      ...current,
+      connected: true,
+      scopes: input.scopes ?? current.defaultScopes,
+      ...(input.connectedAs ? { connectedAs: input.connectedAs } : {}),
+      connectedAt: now,
+      lastSyncedAt: now,
+    };
+    this.byId.set(id, updated);
+    if (input.values && Object.keys(input.values).length > 0) {
+      this.valuesById.set(id, { ...input.values });
+    }
+    return updated;
+  }
+
+  disconnect(id: string): IntegrationRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const updated: IntegrationRecord = {
+      ...current,
+      connected: false,
+      scopes: undefined,
+      connectedAs: undefined,
+      connectedAt: undefined,
+      lastSyncedAt: undefined,
+    };
+    this.byId.set(id, updated);
+    this.valuesById.delete(id);
+    this.historyById.delete(id);
+    return updated;
+  }
+
+  recordSync(id: string, recordsScanned: number): SyncRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const now = new Date().toISOString();
+    const sync: SyncRecord = {
+      id: `sync_${Date.now()}`,
+      startedAt: now,
+      durationMs: 1500 + Math.floor(Math.random() * 4000),
+      recordsScanned,
+      status: "success",
+    };
+    const history = this.historyById.get(id) ?? this.seedHistory(id);
+    this.historyById.set(id, [sync, ...history].slice(0, 20));
+    this.byId.set(id, { ...current, lastSyncedAt: now });
+    return sync;
+  }
+
+  syncHistory(id: string, limit = 5): SyncRecord[] {
+    const current = this.byId.get(id);
+    if (!current?.connected) return [];
+    const cached = this.historyById.get(id);
+    if (cached) return cached.slice(0, limit);
+    const seeded = this.seedHistory(id);
+    this.historyById.set(id, seeded);
+    return seeded.slice(0, limit);
+  }
+
+  // Deterministic synthetic history: 5 syncs across the last ~7 days, descending.
+  private seedHistory(id: string): SyncRecord[] {
+    const hash = Array.from(id).reduce((acc, ch) => (acc * 31 + ch.charCodeAt(0)) >>> 0, 7);
+    const now = Date.now();
+    return Array.from({ length: 5 }, (_, i) => {
+      const offsetMs = ((hash + i * 13) % 168) * 60 * 60 * 1000 + i * 6 * 60 * 60 * 1000;
+      return {
+        id: `sync_${id}_${i}`,
+        startedAt: new Date(now - offsetMs).toISOString(),
+        durationMs: 2000 + ((hash + i * 7) % 6000),
+        recordsScanned: 80 + ((hash + i * 53) % 7900),
+        status: i === 4 ? "partial" : "success",
+      };
+    });
+  }
+}
+
+export const integrationsStore = new IntegrationsStore();
diff --git a/apps/api/src/db/renewals-store.ts b/apps/api/src/db/renewals-store.ts
new file mode 100644
index 0000000..7e88159
--- /dev/null
+++ b/apps/api/src/db/renewals-store.ts
@@ -0,0 +1,58 @@
+import type { UserId, VendorId } from "@unsyphn/shared";
+
+// Renewals live in-memory per handoff/Data Model. Seeded at boot from
+// seed/renewals.json; column moves and closure flags persist for the life
+// of the process so the Renewals board can demonstrate drag-and-drop state.
+
+export type RenewalColumn = "triage" | "negotiate" | "sign";
+
+export interface RenewalRecord {
+  id: string;
+  vendorId: VendorId;
+  vendorName: string;
+  renewsAt: string;
+  annualSpendUsd: number;
+  currentColumn: RenewalColumn;
+  ownerId: UserId;
+  priceDeltaPct: number;
+  seatUtilizationPct: number;
+  blockerCount: number;
+  recommendedAction: string;
+  declined?: boolean;
+  autoRenewed?: boolean;
+}
+
+export type RenewalPatch = Partial<
+  Pick<RenewalRecord, "currentColumn" | "ownerId" | "declined" | "autoRenewed">
+>;
+
+export class RenewalsStore {
+  private byId = new Map<string, RenewalRecord>();
+
+  load(records: RenewalRecord[]): void {
+    this.byId.clear();
+    for (const r of records) this.byId.set(r.id, r);
+  }
+
+  get(id: string): RenewalRecord | undefined {
+    return this.byId.get(id);
+  }
+
+  list(): RenewalRecord[] {
+    return [...this.byId.values()];
+  }
+
+  update(id: string, patch: RenewalPatch): RenewalRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const updated: RenewalRecord = { ...current, ...patch };
+    this.byId.set(id, updated);
+    return updated;
+  }
+
+  setColumn(id: string, column: RenewalColumn): RenewalRecord | undefined {
+    return this.update(id, { currentColumn: column });
+  }
+}
+
+export const renewalsStore = new RenewalsStore();
diff --git a/apps/api/src/db/requests-store.ts b/apps/api/src/db/requests-store.ts
new file mode 100644
index 0000000..2068b17
--- /dev/null
+++ b/apps/api/src/db/requests-store.ts
@@ -0,0 +1,150 @@
+import type { OrgId, UserId } from "@unsyphn/shared";
+
+// Intake requests live in-memory per handoff/Data Model. Seeded from
+// seed/requests.json; new submissions append at runtime, decisions and
+// comments mutate the existing record.
+
+export type RequestStatus = "pending" | "approved" | "rejected" | "routed";
+
+export interface RequestComment {
+  id: string;
+  by: UserId;
+  at: string;
+  text: string;
+}
+
+export type RouteTarget =
+  | "legal"
+  | "security"
+  | "finance"
+  | "procurement"
+  | "it"
+  | "audit";
+
+export interface IntakeRequestRecord {
+  id: string;
+  orgId: OrgId;
+  requesterId: UserId;
+  vendorName: string;
+  category: string;
+  expectedSpendUsd: number;
+  justification: string;
+  similarTools: string[];
+  status: RequestStatus;
+  submittedAt: string;
+  approverId?: UserId;
+  decidedAt?: string;
+  routeTo?: RouteTarget;
+  comments: RequestComment[];
+}
+
+interface CreateInput {
+  id: string;
+  orgId: OrgId;
+  requesterId: UserId;
+  vendorName: string;
+  category: string;
+  expectedSpendUsd: number;
+  justification: string;
+  similarTools?: string[];
+  submittedAt: string;
+}
+
+interface DecideInput {
+  // Allow `pending` so Recall (routed → pending) and Re-open (rejected →
+  // pending) can flow through the same code path.
+  status: RequestStatus;
+  approverId: UserId;
+  decidedAt: string;
+  note?: string;
+  routeTo?: RouteTarget;
+}
+
+interface CommentInput {
+  by: UserId;
+  at: string;
+  text: string;
+}
+
+export class RequestsStore {
+  private byId = new Map<string, IntakeRequestRecord>();
+
+  load(records: IntakeRequestRecord[]): void {
+    this.byId.clear();
+    for (const r of records) this.byId.set(r.id, r);
+  }
+
+  get(id: string): IntakeRequestRecord | undefined {
+    return this.byId.get(id);
+  }
+
+  list(orgId: OrgId, filter?: { status?: RequestStatus }): IntakeRequestRecord[] {
+    const all = [...this.byId.values()].filter((r) => r.orgId === orgId);
+    return filter?.status ? all.filter((r) => r.status === filter.status) : all;
+  }
+
+  create(input: CreateInput): IntakeRequestRecord {
+    const record: IntakeRequestRecord = {
+      id: input.id,
+      orgId: input.orgId,
+      requesterId: input.requesterId,
+      vendorName: input.vendorName,
+      category: input.category,
+      expectedSpendUsd: input.expectedSpendUsd,
+      justification: input.justification,
+      similarTools: input.similarTools ?? [],
+      status: "pending",
+      submittedAt: input.submittedAt,
+      comments: [],
+    };
+    this.byId.set(record.id, record);
+    return record;
+  }
+
+  decide(id: string, decision: DecideInput): IntakeRequestRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const updated: IntakeRequestRecord = {
+      ...current,
+      status: decision.status,
+      approverId: decision.approverId,
+      decidedAt: decision.decidedAt,
+    };
+    if (decision.routeTo !== undefined) {
+      updated.routeTo = decision.routeTo;
+    } else if (decision.status !== "routed") {
+      // Clear stale route target when leaving the routed lane.
+      delete updated.routeTo;
+    }
+    if (decision.note) {
+      const comment: RequestComment = {
+        id: `cmt_${id}_${updated.comments.length + 1}`,
+        by: decision.approverId,
+        at: decision.decidedAt,
+        text: decision.note,
+      };
+      updated.comments = [...current.comments, comment];
+    }
+    this.byId.set(id, updated);
+    return updated;
+  }
+
+  addComment(id: string, comment: CommentInput): IntakeRequestRecord | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const next: RequestComment = {
+      id: `cmt_${id}_${current.comments.length + 1}`,
+      by: comment.by,
+      at: comment.at,
+      text: comment.text,
+    };
+    const updated: IntakeRequestRecord = {
+      ...current,
+      comments: [...current.comments, next],
+    };
+    this.byId.set(id, updated);
+    return updated;
+  }
+}
+
+export const requestsStore = new RequestsStore();
diff --git a/apps/api/src/db/run-store.ts b/apps/api/src/db/run-store.ts
index 48bff99..a90472d 100644
--- a/apps/api/src/db/run-store.ts
+++ b/apps/api/src/db/run-store.ts
@@ -1,4 +1,4 @@
-import type { AgentRun, RunStatus, RunStage } from "@redline/shared";
+import type { AgentRun, RunStatus, RunStage } from "@unsyphn/shared";
 import { clickhouse } from "./client.js";
 
 // AgentRun persistence. ClickHouse-backed in prod (per handoff/Data Model §04);
diff --git a/apps/api/src/db/vendor-events-store.ts b/apps/api/src/db/vendor-events-store.ts
new file mode 100644
index 0000000..f085d69
--- /dev/null
+++ b/apps/api/src/db/vendor-events-store.ts
@@ -0,0 +1,47 @@
+import type { VendorId } from "@unsyphn/shared";
+
+// Vendor-level audit log entries: PATCH mutations, contract uploads,
+// renegotiation packet generations. Aggregated with ChangeReport state
+// transitions + escalations to render the Activity tab.
+
+export type VendorEventKind =
+  | "vendor.patch"
+  | "contract.upload"
+  | "packet.generated"
+  | "scan.triggered";
+
+export interface VendorEvent {
+  id: string;
+  vendorId: VendorId;
+  kind: VendorEventKind;
+  actor: string;
+  occurredAt: string;
+  detail?: Record<string, unknown>;
+}
+
+export class VendorEventsStore {
+  private byVendor = new Map<VendorId, VendorEvent[]>();
+  private sequence = 0;
+
+  add(input: Omit<VendorEvent, "id">): VendorEvent {
+    this.sequence += 1;
+    const stored: VendorEvent = {
+      ...input,
+      id: `vev_${String(this.sequence).padStart(6, "0")}`,
+    };
+    const existing = this.byVendor.get(input.vendorId) ?? [];
+    this.byVendor.set(input.vendorId, [...existing, stored]);
+    return { ...stored };
+  }
+
+  listByVendor(vendorId: VendorId): VendorEvent[] {
+    return (this.byVendor.get(vendorId) ?? []).map((e) => ({ ...e }));
+  }
+
+  reset(): void {
+    this.byVendor.clear();
+    this.sequence = 0;
+  }
+}
+
+export const vendorEventsStore = new VendorEventsStore();
diff --git a/apps/api/src/db/vendor-store.ts b/apps/api/src/db/vendor-store.ts
index c7fcb11..aa83103 100644
--- a/apps/api/src/db/vendor-store.ts
+++ b/apps/api/src/db/vendor-store.ts
@@ -1,4 +1,4 @@
-import type { Vendor } from "@redline/shared";
+import type { Vendor } from "@unsyphn/shared";
 
 // Vendors live in-memory per handoff/Data Model §05. Seeded at boot; the Add
 // Vendor flow appends to this cache at runtime.
@@ -39,6 +39,14 @@ export class VendorStore {
     return [...this.byId.values()].filter((v) => v.orgId === orgId);
   }
 
+  update(id: string, patch: Partial<Vendor>): Vendor | undefined {
+    const current = this.byId.get(id);
+    if (!current) return undefined;
+    const next: Vendor = { ...current, ...patch, id: current.id, orgId: current.orgId };
+    this.byId.set(id, next);
+    return next;
+  }
+
   findByHomepage(orgId: string, homepageUrl: string): Vendor | undefined {
     const key = normalizeHomepage(homepageUrl);
     const id = this.idByNormalizedHomepage.get(key);
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 92efee6..0ce42e6 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -26,7 +26,7 @@ async function main(): Promise<void> {
   }
   const app = buildApp({ seedChangeReports: getSeededChangeReports() });
   serve({ fetch: app.fetch, port: e.PORT }, (info) => {
-    logger.info({ port: info.port }, "Redline API listening");
+    logger.info({ port: info.port }, "Unsyphn API listening");
   });
 }
 
diff --git a/apps/api/src/lib/bus.ts b/apps/api/src/lib/bus.ts
index e9c2944..8e93d99 100644
--- a/apps/api/src/lib/bus.ts
+++ b/apps/api/src/lib/bus.ts
@@ -1,4 +1,4 @@
-import type { SseEvent } from "@redline/shared";
+import type { SseEvent } from "@unsyphn/shared";
 
 // Tiny in-process pub/sub. SSE subscribers register here; the stub runner
 // publishes scheduler.tick / run.stage / run.completed. Per-org ring buffer
diff --git a/apps/api/src/lib/change-report-views.ts b/apps/api/src/lib/change-report-views.ts
new file mode 100644
index 0000000..5fcfaf0
--- /dev/null
+++ b/apps/api/src/lib/change-report-views.ts
@@ -0,0 +1,111 @@
+import type { ChangeReport, InboxItem, Lens } from "@unsyphn/shared";
+import { vendorStore } from "../db/vendor-store.js";
+import { getUser } from "../seed/loader.js";
+
+// ChangeReport carries the canonical record (used by lifecycle mutations and
+// evidence brief). Two surfaces consume it in derived shapes:
+//   1. Inbox cards (vendor name, owner email, dollar impact, headline)
+//   2. Vendor-detail / renewals feed (raw diff + citations for DiffViewer)
+// These mappers project a ChangeReport into those shapes so the data stays
+// consistent and seed expansion in seed/change-reports.json benefits every
+// surface at once.
+
+const VALID_LENSES: ReadonlyArray<Lens> = [
+  "procurement",
+  "legal",
+  "security",
+  "finance",
+  "it",
+  "audit",
+];
+
+type ChangeReportWithLensTags = ChangeReport & { lensTags?: Lens[] };
+
+export function readLensTags(report: ChangeReport): Lens[] {
+  const candidate = (report as ChangeReportWithLensTags).lensTags;
+  if (!Array.isArray(candidate)) return [];
+  return candidate.filter((t): t is Lens => (VALID_LENSES as ReadonlyArray<string>).includes(t));
+}
+
+function vendorName(report: ChangeReport): string {
+  return vendorStore.get(report.vendorId)?.name ?? report.vendorId.replace(/^vnd_/, "");
+}
+
+function ownerEmail(report: ChangeReport): string {
+  return getUser(report.ownerId)?.email ?? `${report.ownerId}@acme.dev`;
+}
+
+function headline(report: ChangeReport): string {
+  if (report.headline && report.headline.trim().length > 0) return report.headline;
+  return report.changes[0]?.summary ?? "Change detected";
+}
+
+function dollarImpact(report: ChangeReport): number | null {
+  for (const ch of report.changes) {
+    if (ch.dollarImpact?.annualUsd != null) return ch.dollarImpact.annualUsd;
+  }
+  return null;
+}
+
+export function toInboxItem(report: ChangeReport): InboxItem {
+  return {
+    id: report.id,
+    kind: "change",
+    vendorId: report.vendorId,
+    vendorName: vendorName(report),
+    title: headline(report),
+    summary: report.recommendation.copy,
+    severity: report.severity,
+    dollarImpact: dollarImpact(report),
+    ownerEmail: ownerEmail(report),
+    occurredAt: report.detectedAt,
+    lensTags: readLensTags(report),
+    state: report.state,
+  };
+}
+
+export interface FeedChange {
+  id: string;
+  kind: "change";
+  vendorId: string;
+  vendorName: string;
+  title: string;
+  summary: string;
+  severity: ChangeReport["severity"];
+  dollarImpact: number | null;
+  ownerEmail: string;
+  occurredAt: string;
+  category: string | null;
+  lensTags: Lens[];
+  diff: { before: string; after: string } | null;
+  citations: Array<{ url?: string; quote?: string; fetchedAt?: string }>;
+}
+
+export function toFeedChange(report: ChangeReport): FeedChange {
+  const first = report.changes[0];
+  const diff =
+    first && (first.before != null || first.after != null)
+      ? { before: first.before ?? "", after: first.after ?? "" }
+      : null;
+  const citations = (first?.citations ?? []).map((c) => ({
+    ...(c.url !== undefined ? { url: c.url } : {}),
+    ...(c.quote !== undefined ? { quote: c.quote } : {}),
+    ...(c.fetchedAt !== undefined ? { fetchedAt: c.fetchedAt } : {}),
+  }));
+  return {
+    id: report.id,
+    kind: "change",
+    vendorId: report.vendorId,
+    vendorName: vendorName(report),
+    title: headline(report),
+    summary: report.recommendation.copy,
+    severity: report.severity,
+    dollarImpact: dollarImpact(report),
+    ownerEmail: ownerEmail(report),
+    occurredAt: report.detectedAt,
+    category: first?.category ?? null,
+    lensTags: readLensTags(report),
+    diff,
+    citations,
+  };
+}
diff --git a/apps/api/src/lib/coupons.ts b/apps/api/src/lib/coupons.ts
new file mode 100644
index 0000000..2556d17
--- /dev/null
+++ b/apps/api/src/lib/coupons.ts
@@ -0,0 +1,37 @@
+// Phase 8 — coupon registry. Demo-only; production would back this with a
+// per-tenant table and Stripe Coupon objects. The known codes here are
+// flat-rate percent-off or "first month free" (treated as 100% off for the
+// one-time PaymentIntent flow used by the modal).
+
+export interface Coupon {
+  code: string;
+  /** Percent discount applied to amountUsdCents. 25 means 25% off. */
+  percentOff: number;
+  label: string;
+}
+
+const COUPONS: ReadonlyArray<Coupon> = [
+  { code: "HACKATHON25", percentOff: 25, label: "25% off" },
+  { code: "FOUNDER50", percentOff: 50, label: "50% off" },
+  { code: "LAUNCH", percentOff: 100, label: "First month free" },
+] as const;
+
+export function findCoupon(code: string | undefined): Coupon | undefined {
+  if (!code) return undefined;
+  const upper = code.trim().toUpperCase();
+  return COUPONS.find((c) => c.code === upper);
+}
+
+export function applyCoupon(
+  amountUsdCents: number,
+  code: string | undefined,
+): { amount: number; coupon?: Coupon } {
+  const coupon = findCoupon(code);
+  if (!coupon) return { amount: amountUsdCents };
+  // Round to nearest cent — Stripe rejects fractional cents.
+  const discounted = Math.max(
+    0,
+    Math.round(amountUsdCents * (1 - coupon.percentOff / 100)),
+  );
+  return { amount: discounted, coupon };
+}
diff --git a/apps/api/src/lib/discovery.ts b/apps/api/src/lib/discovery.ts
index 5446234..5e980b0 100644
--- a/apps/api/src/lib/discovery.ts
+++ b/apps/api/src/lib/discovery.ts
@@ -1,4 +1,4 @@
-import type { VendorUrls } from "@redline/shared";
+import type { VendorUrls } from "@unsyphn/shared";
 
 // Discover the six monitored URLs from a homepage. For each URL kind we probe
 // a short list of common paths under the homepage origin via HEAD; the first
diff --git a/apps/api/src/lib/entitlements.ts b/apps/api/src/lib/entitlements.ts
index ea62f47..7061804 100644
--- a/apps/api/src/lib/entitlements.ts
+++ b/apps/api/src/lib/entitlements.ts
@@ -1,4 +1,4 @@
-import type { Org } from "@redline/shared";
+import type { Org } from "@unsyphn/shared";
 import { bus } from "./bus.js";
 import { getOrg } from "../seed/loader.js";
 
diff --git a/apps/api/src/lib/errors.ts b/apps/api/src/lib/errors.ts
index c641c6b..694a8bd 100644
--- a/apps/api/src/lib/errors.ts
+++ b/apps/api/src/lib/errors.ts
@@ -1,5 +1,5 @@
-import type { ApiErrorEnvelope } from "@redline/shared";
-import { ErrorCodes, type ErrorCode } from "@redline/shared";
+import type { ApiErrorEnvelope } from "@unsyphn/shared";
+import { ErrorCodes, type ErrorCode } from "@unsyphn/shared";
 
 // Maps stable error codes to HTTP status (handoff/API §01).
 const StatusByCode: Record<string, number> = {
diff --git a/apps/api/src/lib/invoice-pdf.ts b/apps/api/src/lib/invoice-pdf.ts
new file mode 100644
index 0000000..53bcedd
--- /dev/null
+++ b/apps/api/src/lib/invoice-pdf.ts
@@ -0,0 +1,258 @@
+import PDFDocument from "pdfkit";
+
+// Mirrors the public invoice shape returned by GET /v1/billing/invoices.
+// Lives here (not in routes) so the generator stays framework-free and
+// trivially testable.
+export interface InvoiceForPdf {
+  id: string;
+  period: string;
+  amountUsdCents: number;
+  status: string;
+  issuedAt: string;
+  plan?: string;
+  paymentIntentId?: string;
+  paidAt?: string;
+}
+
+export interface OrgForPdf {
+  name: string;
+  seatCount?: number;
+  billingEmail?: string;
+}
+
+export interface InvoicePdfInput {
+  invoice: InvoiceForPdf;
+  org: OrgForPdf;
+}
+
+// Brand palette — kept inline so the generator has no external style deps.
+const NAVY = "#0f172a";
+const SLATE = "#64748b";
+const BORDER = "#cbd5e1";
+
+const PAGE_MARGIN = 72; // 1 inch in PDF points
+const TAX_RATE = 0; // Stripe-handled, displayed as a row for legibility.
+
+function dollars(cents: number): string {
+  return (
+    "$" +
+    (cents / 100).toLocaleString("en-US", {
+      minimumFractionDigits: 2,
+      maximumFractionDigits: 2,
+    })
+  );
+}
+
+function formatDate(iso: string): string {
+  const d = new Date(iso);
+  if (Number.isNaN(d.getTime())) return iso;
+  return d.toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric",
+  });
+}
+
+function descriptionFor(invoice: InvoiceForPdf): string {
+  const plan = (invoice.plan ?? "Subscription").replace(/^./, (c) => c.toUpperCase());
+  return `${plan} subscription — ${invoice.period}`;
+}
+
+function drawHeader(doc: PDFKit.PDFDocument, invoice: InvoiceForPdf): void {
+  doc.fillColor(NAVY).font("Helvetica-Bold").fontSize(26).text("UNSYPHN", PAGE_MARGIN, PAGE_MARGIN);
+
+  const rightX = doc.page.width - PAGE_MARGIN - 220;
+  doc
+    .fillColor(NAVY)
+    .font("Helvetica-Bold")
+    .fontSize(20)
+    .text("INVOICE", rightX, PAGE_MARGIN, { width: 220, align: "right" });
+  doc
+    .fillColor(SLATE)
+    .font("Helvetica")
+    .fontSize(10)
+    .text(`Invoice no. ${invoice.id}`, rightX, PAGE_MARGIN + 26, { width: 220, align: "right" })
+    .text(`Issued ${formatDate(invoice.issuedAt)}`, rightX, PAGE_MARGIN + 40, {
+      width: 220,
+      align: "right",
+    });
+}
+
+function drawBillTo(doc: PDFKit.PDFDocument, org: OrgForPdf): number {
+  const top = PAGE_MARGIN + 90;
+  doc.fillColor(SLATE).font("Helvetica").fontSize(9).text("BILL TO", PAGE_MARGIN, top);
+  doc
+    .fillColor(NAVY)
+    .font("Helvetica-Bold")
+    .fontSize(12)
+    .text(org.name, PAGE_MARGIN, top + 14);
+
+  const lines: string[] = [];
+  if (typeof org.seatCount === "number") {
+    lines.push(`${org.seatCount.toLocaleString("en-US")} seats`);
+  }
+  if (org.billingEmail) lines.push(org.billingEmail);
+
+  doc.fillColor(SLATE).font("Helvetica").fontSize(10);
+  let y = top + 30;
+  for (const line of lines) {
+    doc.text(line, PAGE_MARGIN, y);
+    y += 14;
+  }
+  return y;
+}
+
+interface Column {
+  label: string;
+  x: number;
+  width: number;
+  align: "left" | "right";
+}
+
+function drawItemsTable(
+  doc: PDFKit.PDFDocument,
+  invoice: InvoiceForPdf,
+  startY: number,
+): number {
+  const left = PAGE_MARGIN;
+  const right = doc.page.width - PAGE_MARGIN;
+  const contentWidth = right - left;
+
+  const columns: Column[] = [
+    { label: "Description", x: left, width: contentWidth - 240, align: "left" },
+    {
+      label: "Period",
+      x: left + (contentWidth - 240),
+      width: 140,
+      align: "left",
+    },
+    { label: "Amount", x: right - 100, width: 100, align: "right" },
+  ];
+
+  // Header row
+  doc.fillColor(SLATE).font("Helvetica-Bold").fontSize(9);
+  for (const col of columns) {
+    doc.text(col.label.toUpperCase(), col.x, startY, {
+      width: col.width,
+      align: col.align,
+    });
+  }
+  const headerBottom = startY + 16;
+  doc
+    .strokeColor(BORDER)
+    .lineWidth(0.75)
+    .moveTo(left, headerBottom)
+    .lineTo(right, headerBottom)
+    .stroke();
+
+  // Data row
+  const rowY = headerBottom + 12;
+  doc.fillColor(NAVY).font("Helvetica").fontSize(10);
+  doc.text(descriptionFor(invoice), columns[0]!.x, rowY, {
+    width: columns[0]!.width,
+    align: "left",
+  });
+  doc.text(invoice.period, columns[1]!.x, rowY, {
+    width: columns[1]!.width,
+    align: "left",
+  });
+  doc.text(dollars(invoice.amountUsdCents), columns[2]!.x, rowY, {
+    width: columns[2]!.width,
+    align: "right",
+  });
+
+  return rowY + 30;
+}
+
+function drawTotals(
+  doc: PDFKit.PDFDocument,
+  invoice: InvoiceForPdf,
+  startY: number,
+): number {
+  const right = doc.page.width - PAGE_MARGIN;
+  const labelX = right - 240;
+  const valueX = right - 100;
+
+  const subtotal = invoice.amountUsdCents;
+  const tax = Math.round(subtotal * TAX_RATE);
+  const total = subtotal + tax;
+
+  doc
+    .strokeColor(BORDER)
+    .lineWidth(0.5)
+    .moveTo(labelX, startY)
+    .lineTo(right, startY)
+    .stroke();
+
+  let y = startY + 10;
+  const rows: Array<{ label: string; value: string; bold?: boolean }> = [
+    { label: "Subtotal", value: dollars(subtotal) },
+    { label: "Tax", value: dollars(tax) },
+    { label: "Total", value: dollars(total), bold: true },
+  ];
+
+  for (const row of rows) {
+    doc.fillColor(row.bold ? NAVY : SLATE);
+    doc.font(row.bold ? "Helvetica-Bold" : "Helvetica").fontSize(row.bold ? 12 : 10);
+    doc.text(row.label, labelX, y, { width: 140, align: "left" });
+    doc.text(row.value, valueX, y, { width: 100, align: "right" });
+    y += row.bold ? 22 : 16;
+  }
+  return y;
+}
+
+function drawFooter(doc: PDFKit.PDFDocument, invoice: InvoiceForPdf): void {
+  const bottom = doc.page.height - PAGE_MARGIN;
+  const parts = ["Paid via Stripe"];
+  if (invoice.paymentIntentId) parts.push(invoice.paymentIntentId);
+  if (invoice.paidAt) parts.push(`paid ${formatDate(invoice.paidAt)}`);
+
+  doc
+    .strokeColor(BORDER)
+    .lineWidth(0.5)
+    .moveTo(PAGE_MARGIN, bottom - 40)
+    .lineTo(doc.page.width - PAGE_MARGIN, bottom - 40)
+    .stroke();
+
+  doc
+    .fillColor(SLATE)
+    .font("Helvetica")
+    .fontSize(9)
+    .text(parts.join(" · "), PAGE_MARGIN, bottom - 28, {
+      width: doc.page.width - PAGE_MARGIN * 2,
+      align: "left",
+    })
+    .text(
+      "Unsyphn Inc. · Payment receipt for services rendered. Retain for your records.",
+      PAGE_MARGIN,
+      bottom - 14,
+      { width: doc.page.width - PAGE_MARGIN * 2, align: "left" },
+    );
+}
+
+export function generateInvoicePdf({ invoice, org }: InvoicePdfInput): Promise<Buffer> {
+  return new Promise<Buffer>((resolve, reject) => {
+    const doc = new PDFDocument({
+      size: "LETTER",
+      margins: { top: PAGE_MARGIN, bottom: PAGE_MARGIN, left: PAGE_MARGIN, right: PAGE_MARGIN },
+      info: {
+        Title: `Unsyphn invoice ${invoice.id}`,
+        Author: "Unsyphn",
+        Subject: descriptionFor(invoice),
+      },
+    });
+
+    const chunks: Buffer[] = [];
+    doc.on("data", (chunk: Buffer) => chunks.push(chunk));
+    doc.on("end", () => resolve(Buffer.concat(chunks)));
+    doc.on("error", reject);
+
+    drawHeader(doc, invoice);
+    const billToBottom = drawBillTo(doc, org);
+    const itemsBottom = drawItemsTable(doc, invoice, billToBottom + 32);
+    drawTotals(doc, invoice, itemsBottom);
+    drawFooter(doc, invoice);
+
+    doc.end();
+  });
+}
diff --git a/apps/api/src/logger.ts b/apps/api/src/logger.ts
index 848e8ac..1b56d95 100644
--- a/apps/api/src/logger.ts
+++ b/apps/api/src/logger.ts
@@ -3,6 +3,6 @@ import pino from "pino";
 export const logger = pino({
   base: null,
   level: process.env.LOG_LEVEL ?? "info",
-  name: "redline-api",
+  name: "unsyphn-api",
   timestamp: pino.stdTimeFunctions.isoTime,
 });
diff --git a/apps/api/src/providers/slack.ts b/apps/api/src/providers/slack.ts
index 10cfbc9..6e4828c 100644
--- a/apps/api/src/providers/slack.ts
+++ b/apps/api/src/providers/slack.ts
@@ -1,5 +1,5 @@
-import type { ChangeReport, SlackPayload, Vendor } from "@redline/shared";
-import { slackPayloadSchema } from "@redline/shared";
+import type { ChangeReport, SlackPayload, Vendor } from "@unsyphn/shared";
+import { slackPayloadSchema } from "@unsyphn/shared";
 
 export interface SlackRenderInput {
   changeReport: ChangeReport;
@@ -68,7 +68,7 @@ export function renderSlackAlert(input: SlackRenderInput): SlackPayload {
   const policyName = input.changeReport.policyFired?.name ?? input.changeReport.policyFiredId;
   const targetPrefix = input.target.startsWith("@") ? `<${input.target}> ` : "";
   const payload: SlackPayload = {
-    text: `${input.changeReport.severity} Redline alert for ${input.vendor.name}: ${headline}`,
+    text: `${input.changeReport.severity} Unsyphn alert for ${input.vendor.name}: ${headline}`,
     recipient: input.target,
     changeReportUrl,
     ...(evidenceUrl ? { evidenceUrl } : {}),
@@ -77,7 +77,7 @@ export function renderSlackAlert(input: SlackRenderInput): SlackPayload {
         type: "header",
         text: {
           type: "plain_text",
-          text: `${input.changeReport.severity} · ${input.vendor.name} · Redline alert`,
+          text: `${input.changeReport.severity} · ${input.vendor.name} · Unsyphn alert`,
           emoji: true,
         },
       },
@@ -111,7 +111,7 @@ export function renderSlackAlert(input: SlackRenderInput): SlackPayload {
         elements: [
           {
             type: "button",
-            text: { type: "plain_text", text: "Open in Redline" },
+            text: { type: "plain_text", text: "Open in Unsyphn" },
             url: changeReportUrl,
             style: "primary",
           },
diff --git a/apps/api/src/routes/auditor.ts b/apps/api/src/routes/auditor.ts
new file mode 100644
index 0000000..cf77714
--- /dev/null
+++ b/apps/api/src/routes/auditor.ts
@@ -0,0 +1,200 @@
+import { createHmac, timingSafeEqual, randomUUID } from "node:crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+import type { OrgId } from "@unsyphn/shared";
+import { errorResponse } from "../errors.js";
+import { resolveBearer, getUser } from "../seed/loader.js";
+import { vendorStore } from "../db/vendor-store.js";
+
+const AUDITOR_SECRET = process.env.AUDITOR_SECRET ?? "demo-secret-rotate-in-prod";
+const PUBLIC_BASE_URL = process.env.PUBLIC_BASE_URL ?? "http://localhost:4321";
+
+interface AuditorPayload {
+  sessionId: string;
+  orgId: OrgId;
+  vendorIds?: string[];
+  expiresAt: number;
+}
+
+interface VendorSummary {
+  id: string;
+  name: string;
+  ownerEmail: string;
+  annualSpendUsd: number;
+  changeCount: number;
+  posture: string;
+}
+
+interface ChangeReport {
+  id: string;
+  vendorId: string;
+  vendorName: string;
+  severity: string;
+  title: string;
+  actor: string;
+  timestamp: string;
+}
+
+interface ActivityEvent {
+  id: string;
+  kind: string;
+  vendorId: string;
+  vendorName: string;
+  actor: string;
+  timestamp: string;
+  detail: string;
+}
+
+function sign(payload: string): string {
+  return createHmac("sha256", AUDITOR_SECRET).update(payload).digest("base64url");
+}
+
+function buildToken(payload: AuditorPayload): string {
+  const encoded = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  return `${encoded}.${sign(encoded)}`;
+}
+
+function verifyToken(token: string): AuditorPayload | null {
+  const dotIdx = token.lastIndexOf(".");
+  if (dotIdx === -1) return null;
+
+  const encoded = token.slice(0, dotIdx);
+  const sig = token.slice(dotIdx + 1);
+
+  const expected = sign(encoded);
+  try {
+    const expectedBuf = Buffer.from(expected, "utf8");
+    const actualBuf = Buffer.from(sig, "utf8");
+    if (expectedBuf.length !== actualBuf.length) return null;
+    if (!timingSafeEqual(expectedBuf, actualBuf)) return null;
+  } catch {
+    return null;
+  }
+
+  try {
+    const payload = JSON.parse(Buffer.from(encoded, "base64url").toString("utf8")) as AuditorPayload;
+    if (payload.expiresAt < Date.now()) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+const CreateSessionSchema = z.object({
+  vendorIds: z.array(z.string()).optional(),
+  expiresInDays: z.number().int().min(1).max(365),
+});
+
+export const auditorRoute = new Hono();
+
+auditorRoute.post("/sessions", async (c) => {
+  const bearerToken = c.req.header("authorization")?.match(/^Bearer\s+(.+)$/i)?.[1];
+  if (!bearerToken) return errorResponse(c, 401, "unauthenticated", "Missing bearer token");
+
+  const orgId = resolveBearer(bearerToken);
+  if (!orgId) return errorResponse(c, 401, "unauthenticated", "Invalid bearer token");
+
+  let body: unknown;
+  try {
+    body = await c.req.json();
+  } catch {
+    return errorResponse(c, 422, "unprocessable", "Invalid JSON body");
+  }
+
+  const parsed = CreateSessionSchema.safeParse(body);
+  if (!parsed.success) {
+    return errorResponse(c, 422, "validation-failed", parsed.error.issues[0]?.message ?? "Validation failed");
+  }
+
+  const { vendorIds, expiresInDays } = parsed.data;
+  const expiresAt = Date.now() + expiresInDays * 24 * 60 * 60 * 1000;
+
+  const payload: AuditorPayload = {
+    sessionId: `sess_${randomUUID().replace(/-/g, "").slice(0, 8)}`,
+    orgId: orgId as OrgId,
+    expiresAt,
+    ...(vendorIds ? { vendorIds } : {}),
+  };
+
+  const sessionToken = buildToken(payload);
+  const shareUrl = `${PUBLIC_BASE_URL}/auditor/${sessionToken}`;
+
+  return c.json({ sessionToken, shareUrl, expiresAt: new Date(expiresAt).toISOString() });
+});
+
+auditorRoute.get("/sessions/:token", async (c) => {
+  const token = c.req.param("token");
+  const payload = verifyToken(token);
+
+  if (!payload) return errorResponse(c, 401, "unauthenticated", "Auditor link has expired or is invalid");
+
+  const { orgId, vendorIds } = payload;
+
+  const allVendors = vendorStore.list(orgId);
+  const scoped = vendorIds
+    ? allVendors.filter((v) => vendorIds.includes(v.id))
+    : allVendors;
+
+  const vendors: VendorSummary[] = scoped.map((v) => {
+    const owner = v.ownerId ? getUser(v.ownerId) : undefined;
+    return {
+      id: v.id,
+      name: v.name,
+      ownerEmail: owner?.email ?? "unknown@org.dev",
+      annualSpendUsd: v.contract?.annualSpendUsd ?? 0,
+      changeCount: v.latestChangeId ? 1 : 0,
+      posture: v.posture ?? "ok",
+    };
+  });
+
+  const changes: ChangeReport[] = scoped
+    .filter((v) => v.latestChangeId)
+    .map((v) => ({
+      id: v.latestChangeId ?? "",
+      vendorId: v.id,
+      vendorName: v.name,
+      severity: "P2",
+      title: `Change detected for ${v.name}`,
+      actor: "system",
+      timestamp: v.lastScanAt ?? new Date().toISOString(),
+    }));
+
+  const activityLog: ActivityEvent[] = scoped.flatMap((v) => {
+    const events: ActivityEvent[] = [];
+    if (v.lastScanAt) {
+      events.push({
+        id: `evt_scan_${v.id}`,
+        kind: "scan.completed",
+        vendorId: v.id,
+        vendorName: v.name,
+        actor: "system",
+        timestamp: v.lastScanAt,
+        detail: `Monitoring scan completed for ${v.name}`,
+      });
+    }
+    if (v.latestChangeId) {
+      events.push({
+        id: `evt_change_${v.id}`,
+        kind: "change.detected",
+        vendorId: v.id,
+        vendorName: v.name,
+        actor: "system",
+        timestamp: v.lastScanAt ?? new Date().toISOString(),
+        detail: `Material change detected`,
+      });
+    }
+    return events;
+  });
+
+  activityLog.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+
+  return c.json({
+    orgId,
+    vendorIds: vendorIds ?? null,
+    expiresAt: new Date(payload.expiresAt).toISOString(),
+    sessionId: payload.sessionId,
+    vendors,
+    changes,
+    activityLog,
+  });
+});
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index 6cfad22..573aae8 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import { z } from "zod";
-import { ErrorCodes } from "@redline/shared";
+import { ErrorCodes } from "@unsyphn/shared";
 import { ApiError } from "../lib/errors.js";
 import { env } from "../env.js";
 import {
@@ -12,11 +12,64 @@ import { getOrg } from "../seed/loader.js";
 import { newId } from "../lib/ids.js";
 import { actionStore } from "../db/actions.js";
 import { setEntitlement } from "../lib/entitlements.js";
+import { applyCoupon } from "../lib/coupons.js";
+import { generateInvoicePdf, type InvoiceForPdf } from "../lib/invoice-pdf.js";
 
 export const billingRoute = new Hono();
 
+export interface SyntheticInvoice {
+  id: string;
+  period: string;
+  amountUsdCents: number;
+  status: string;
+  issuedAt: string;
+  pdfUrl: string;
+  plan: string;
+  paymentIntentId: string;
+  paidAt: string;
+}
+
+// Synthetic invoice history. Deterministic per (orgId, current month) so the
+// list endpoint and the by-id lookup agree within a request. A real
+// implementation would page through Stripe invoices for the org's customer id.
+function buildInvoices(orgId: string, now: Date = new Date()): SyntheticInvoice[] {
+  return Array.from({ length: 6 }, (_, i) => {
+    const d = new Date(now.getFullYear(), now.getMonth() - i, 1);
+    const period = d.toLocaleDateString("en-US", { month: "short", year: "numeric" });
+    const id = `INV-${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
+    const paidAt = new Date(d.getFullYear(), d.getMonth(), 3).toISOString();
+    return {
+      id,
+      period,
+      amountUsdCents: i === 5 ? 150_000 : 1_899_900,
+      status: "paid",
+      issuedAt: d.toISOString(),
+      pdfUrl: `/v1/billing/invoices/${id}/pdf`,
+      plan: i === 5 ? "Growth" : "Scale",
+      paymentIntentId: `pi_demo_${orgId}_${id}`,
+      paidAt,
+    };
+  });
+}
+
+export function getInvoiceById(orgId: string, id: string): SyntheticInvoice | undefined {
+  return buildInvoices(orgId).find((inv) => inv.id === id);
+}
+
+// Phase 8: in addition to the original Compliance Pack, the public Pricing
+// page now subscribes to the tier SKUs. Prices below are the monthly billed
+// amounts in USD cents; the modal client converts to annual on the front end.
+const TIER_AMOUNT_CENTS: Record<string, number> = {
+  [COMPLIANCE_PACK.id]: COMPLIANCE_PACK.amountUsdCents,
+  starter: 30_000,
+  growth: 150_000,
+  scale: 350_000,
+};
+
 const PaymentIntentBodySchema = z.object({
-  sku: z.literal(COMPLIANCE_PACK.id),
+  sku: z.enum([COMPLIANCE_PACK.id, "starter", "growth", "scale"]),
+  coupon: z.string().trim().max(64).optional(),
+  addOns: z.array(z.string().trim().max(64)).max(8).optional(),
 });
 
 billingRoute.get("/products", (c) => {
@@ -51,12 +104,6 @@ billingRoute.post("/payment-intents", async (c) => {
   if (!org) {
     throw new ApiError(ErrorCodes.NotFound, `Org ${orgId} not found`);
   }
-  if (org.entitlements.compliancePack) {
-    throw new ApiError(
-      ErrorCodes.Conflict,
-      "Org already has the Compliance Pack entitlement",
-    );
-  }
 
   let body: unknown;
   try {
@@ -74,6 +121,16 @@ billingRoute.post("/payment-intents", async (c) => {
     );
   }
 
+  const { sku, coupon: couponCode, addOns } = parsed.data;
+  // The Compliance Pack is a one-time entitlement-bearing purchase; reject if
+  // already entitled. Tier subscriptions can be re-purchased.
+  if (sku === COMPLIANCE_PACK.id && org.entitlements.compliancePack) {
+    throw new ApiError(
+      ErrorCodes.Conflict,
+      "Org already has the Compliance Pack entitlement",
+    );
+  }
+
   await ensureStripeProducts();
   const e = env();
   if (!e.STRIPE_PUBLISHABLE_KEY) {
@@ -83,19 +140,29 @@ billingRoute.post("/payment-intents", async (c) => {
     );
   }
 
+  const baseAmount = TIER_AMOUNT_CENTS[sku] ?? COMPLIANCE_PACK.amountUsdCents;
+  const { amount: amountUsdCents, coupon } = applyCoupon(baseAmount, couponCode);
+
   try {
     const intent = await stripe().paymentIntents.create({
-      amount: COMPLIANCE_PACK.amountUsdCents,
+      amount: amountUsdCents,
       currency: COMPLIANCE_PACK.currency,
       automatic_payment_methods: { enabled: true },
-      metadata: { orgId, sku: COMPLIANCE_PACK.id },
+      metadata: {
+        orgId,
+        sku,
+        coupon: coupon?.code ?? "",
+        addOns: addOns?.join(",") ?? "",
+      },
     });
     return c.json({
       paymentIntentId: intent.id,
       clientSecret: intent.client_secret,
-      amountUsdCents: COMPLIANCE_PACK.amountUsdCents,
+      amountUsdCents,
+      originalAmountUsdCents: baseAmount,
       currency: COMPLIANCE_PACK.currency,
       publishableKey: e.STRIPE_PUBLISHABLE_KEY,
+      coupon: coupon ? { code: coupon.code, percentOff: coupon.percentOff, label: coupon.label } : undefined,
     });
   } catch (err) {
     const message = err instanceof Error ? err.message : "stripe error";
@@ -105,6 +172,69 @@ billingRoute.post("/payment-intents", async (c) => {
   }
 });
 
+// Coupon validation endpoint — used by the modal to show "valid coupon"
+// feedback without round-tripping a full payment intent.
+billingRoute.get("/coupons/:code", (c) => {
+  const code = c.req.param("code");
+  const result = applyCoupon(100, code);
+  if (!result.coupon) {
+    throw new ApiError(ErrorCodes.NotFound, "Invalid coupon");
+  }
+  return c.json({
+    code: result.coupon.code,
+    percentOff: result.coupon.percentOff,
+    label: result.coupon.label,
+  });
+});
+
+billingRoute.get("/invoices", (c) => {
+  const orgId = c.get("orgId");
+  const invoices = buildInvoices(orgId).map(
+    ({ plan: _plan, paymentIntentId: _pi, paidAt: _pa, ...rest }) => rest,
+  );
+  return c.json({ invoices });
+});
+
+billingRoute.get("/invoices/:id/pdf", async (c) => {
+  const orgId = c.get("orgId");
+  const org = getOrg(orgId);
+  if (!org) throw new ApiError(ErrorCodes.NotFound, `Org ${orgId} not found`);
+
+  const invoice = getInvoiceById(orgId, c.req.param("id"));
+  if (!invoice) throw new ApiError(ErrorCodes.NotFound, "Invoice not found");
+
+  const pdfPayload: InvoiceForPdf = {
+    id: invoice.id,
+    period: invoice.period,
+    amountUsdCents: invoice.amountUsdCents,
+    status: invoice.status,
+    issuedAt: invoice.issuedAt,
+    plan: invoice.plan,
+    paymentIntentId: invoice.paymentIntentId,
+    paidAt: invoice.paidAt,
+  };
+  const buffer = await generateInvoicePdf({
+    invoice: pdfPayload,
+    org: {
+      name: org.name,
+      ...(org.seatCount !== undefined ? { seatCount: org.seatCount } : {}),
+      billingEmail: `billing@${org.name.toLowerCase().replace(/[^a-z0-9]+/g, "")}.example`,
+    },
+  });
+
+  // Hono's c.body wants Uint8Array<ArrayBuffer>; Node Buffer is
+  // Uint8Array<ArrayBufferLike>, so copy into a fresh ArrayBuffer-backed view.
+  const body = new Uint8Array(buffer.byteLength);
+  body.set(buffer);
+  c.header("Content-Type", "application/pdf");
+  c.header(
+    "Content-Disposition",
+    `attachment; filename="unsyphn-invoice-${invoice.id}.pdf"`,
+  );
+  c.header("Content-Length", String(body.byteLength));
+  return c.body(body);
+});
+
 // Runbook F5 fallback: when Stripe Elements fails on stage, the modal's hidden
 // Shift+Enter handler hits this endpoint to simulate the same effect as a real
 // payment_intent.succeeded webhook. Disabled in production.
diff --git a/apps/api/src/routes/changes.ts b/apps/api/src/routes/changes.ts
index eec6853..b592e3d 100644
--- a/apps/api/src/routes/changes.ts
+++ b/apps/api/src/routes/changes.ts
@@ -1,18 +1,23 @@
 import { Hono, type Context } from "hono";
 import {
   acknowledgeChangeRequestSchema,
+  escalateChangeRequestSchema,
   resolveChangeRequestSchema,
   snoozeChangeRequestSchema,
   type AcknowledgeChangeResponse,
   type ChangeReport,
   type ChangeReportId,
+  type EscalateChangeResponse,
+  type EscalationRecord,
   type ResolveChangeResponse,
   type SnoozeChangeResponse,
   type UserId,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import type { ZodType } from "zod";
 import type { ChangeReportRepository } from "../db/changeReports.js";
 import { errorResponse } from "../errors.js";
+import { toFeedChange } from "../lib/change-report-views.js";
+import { getSeededChangeReports } from "../seed/loader.js";
 import type { EventBroker } from "../stream/broker.js";
 
 export interface ChangesRouteDeps {
@@ -140,6 +145,26 @@ async function runMutation<TPayload>(c: Context, deps: ChangesRouteDeps, options
 export function createChangesRouter(deps: ChangesRouteDeps): Hono {
   const router = new Hono();
 
+  // /feed must be registered before /:id so it isn't swallowed by the param route
+  router.get("/feed", (c) => {
+    const vendorId = c.req.query("vendorId");
+    const category = c.req.query("category");
+
+    let changes = getSeededChangeReports().map(toFeedChange);
+
+    if (vendorId) {
+      changes = changes.filter((ch) => ch.vendorId === vendorId);
+    }
+
+    if (category && category !== "all") {
+      changes = changes.filter((ch) => ch.category === category);
+    }
+
+    changes.sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+
+    return c.json({ changes });
+  });
+
   router.get("/:id", async (c) => {
     const auth = c.get("auth");
     const current = await deps.reports.getLatest(auth.orgId, c.req.param("id") as ChangeReportId);
@@ -192,5 +217,61 @@ export function createChangesRouter(deps: ChangesRouteDeps): Hono {
     });
   });
 
+  router.post("/:id/escalate", async (c) => {
+    const auth = c.get("auth");
+    const parsed = escalateChangeRequestSchema.safeParse(await readJsonBody(c));
+    if (!parsed.success) {
+      return errorResponse(c, 422, "unprocessable", "Request body is invalid", parsed.error.flatten());
+    }
+
+    const id = c.req.param("id") as ChangeReportId;
+    const current = await deps.reports.getLatest(auth.orgId, id);
+    if (!current) {
+      return errorResponse(c, 404, "not-found", "Change id not in org");
+    }
+
+    const at = (deps.now ?? (() => new Date()))();
+    const { toRole, note } = parsed.data;
+    const jiraKey = `UNS-${Math.floor(1000 + Math.random() * 9000)}`;
+    const escalation: EscalationRecord = {
+      toRole,
+      byUserId: auth.userId,
+      ...(note ? { note } : {}),
+      escalatedAt: at.toISOString(),
+      slackChannel: `#${toRole}-channel`,
+      jiraKey,
+    };
+
+    await deps.reports.addEscalation(id, escalation);
+
+    deps.events.publish(auth.orgId, "change.escalated", {
+      id,
+      toRole,
+      byUserId: auth.userId,
+      at: escalation.escalatedAt,
+      slackChannel: escalation.slackChannel,
+      jiraKey: escalation.jiraKey,
+    });
+
+    const response: EscalateChangeResponse = { id, escalation };
+    return c.json(response);
+  });
+
+  router.get("/:id/escalations", async (c) => {
+    const auth = c.get("auth");
+    const id = c.req.param("id") as ChangeReportId;
+    const current = await deps.reports.getLatest(auth.orgId, id);
+    if (!current) {
+      return errorResponse(c, 404, "not-found", "Change id not in org");
+    }
+    const escalations = await deps.reports.listEscalations(id);
+    return c.json({ id, escalations });
+  });
+
+  // TODO(phase-2-E): comment thread endpoints
+  //   POST /:id/comments  body { body: string }
+  //   GET  /:id/comments  -> { comments: Array<{ id, userId, body, postedAt }> }
+  // In-memory map analogous to escalations on the repo. Deferred from Phase 2.
+
   return router;
 }
diff --git a/apps/api/src/routes/evidence.ts b/apps/api/src/routes/evidence.ts
index a94e4b1..f7d5029 100644
--- a/apps/api/src/routes/evidence.ts
+++ b/apps/api/src/routes/evidence.ts
@@ -1,49 +1,382 @@
 import { Hono } from "hono";
-import type { EvidenceBriefResponse } from "@redline/shared";
-import { ErrorCodes } from "@redline/shared";
+import type { Change, Citation, EvidenceBriefResponse } from "@unsyphn/shared";
+import { ErrorCodes } from "@unsyphn/shared";
 import { ApiError } from "../lib/errors.js";
-import { changeReportStore } from "../db/change-reports.js";
+import type { ChangeReportRepository } from "../db/changeReports.js";
 import { policyStore } from "../db/policy-store.js";
 import { vendorStore } from "../db/vendor-store.js";
+import { newId } from "../lib/ids.js";
 
 // Public evidence brief fallback. The API is /v1/evidence/:id so it does not
 // collide with the SPA /evidence/:id history route.
 
-export const evidenceRoute = new Hono();
-
-evidenceRoute.get("/:id", (c) => {
-  const id = c.req.param("id");
-  const report = changeReportStore.get(id);
-  if (!report) {
-    throw new ApiError(
-      ErrorCodes.NotFound,
-      `No evidence brief for id ${id}`,
-    );
-  }
-
-  const vendor = vendorStore.get(report.vendorId);
-  const policyFired = policyStore.get(report.policyFiredId);
-  const policyAlsoMatched = report.policyAlsoMatched
-    .map((pid) => policyStore.get(pid))
-    .filter((p): p is NonNullable<typeof p> => p !== undefined)
-    .map((p) => ({ id: p.id, name: p.name }));
-
-  const response: EvidenceBriefResponse = {
-    changeReport: report,
-    vendor: {
-      id: vendor?.id ?? report.vendorId,
-      name: vendor?.name ?? "Unknown vendor",
-      category: vendor?.category ?? "uncategorized",
-    },
-    policyFired: {
-      id: policyFired?.id ?? report.policyFiredId,
-      name: policyFired?.name ?? "Unknown policy",
-    },
-    policyAlsoMatched,
-    // Actions are persisted to ClickHouse by the agent runner; for seeded
-    // reports the array is empty until Track A's runner produces them.
-    actionSummary: [],
-  };
-
-  return c.json(response);
-});
+function escHtml(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+function fmtTs(iso: string): string {
+  try { return new Date(iso).toUTCString(); } catch { return iso; }
+}
+
+function fmtDollar(value: number): string {
+  const abs = Math.abs(value);
+  const sign = value >= 0 ? "+" : "−";
+  return `${sign}$${abs.toLocaleString("en-US")}`;
+}
+
+function renderCitation(c: Citation): string {
+  const quote = escHtml(c.quote ?? "");
+  const section = c.section ? `<span>${escHtml(c.section)} · </span>` : "";
+  const url = c.url
+    ? `<a href="${escHtml(c.url)}">${escHtml(c.url)}</a>`
+    : "";
+  const fetched = c.fetchedAt
+    ? `<span> · Fetched ${escHtml(fmtTs(c.fetchedAt))}</span>`
+    : "";
+  const country = c.country ? `<span> · ${escHtml(c.country)}</span>` : "";
+  return `<li class="citation">
+    <p class="citation-quote">"${quote}"</p>
+    <p class="citation-meta">${section}${url}${fetched}${country}</p>
+  </li>`;
+}
+
+function renderChange(ch: Change): string {
+  const citations = (ch.citations ?? []).map(renderCitation).join("");
+  const impact = ch.dollarImpact
+    ? `<p class="change-impact">Impact: <strong>${escHtml(fmtDollar(ch.dollarImpact.annualUsd))}/yr</strong>${
+        ch.dollarImpact.pctChange !== undefined
+          ? ` (${ch.dollarImpact.pctChange > 0 ? "+" : ""}${ch.dollarImpact.pctChange.toFixed(2)}%)`
+          : ""
+      }</p>`
+    : "";
+  return `<div class="change">
+    <p class="change-cat">${escHtml(ch.category ?? "")} · ${escHtml(ch.materiality ?? "")}</p>
+    <h3 class="change-summary">${escHtml(ch.summary ?? "")}</h3>
+    <div class="change-diff">
+      <div class="change-before"><em>BEFORE</em>${escHtml(ch.before ?? "")}</div>
+      <div class="change-after"><em>AFTER</em>${escHtml(ch.after ?? "")}</div>
+    </div>
+    ${impact}
+    <ul class="citations">${citations}</ul>
+  </div>`;
+}
+
+function renderBundleHtml(brief: EvidenceBriefResponse, bundleId: string, generatedAt: string): string {
+  const { changeReport: report, vendor, policyFired, policyAlsoMatched, actionSummary } = brief;
+  const changes = report.changes.map(renderChange).join("");
+  const alsoMatched = policyAlsoMatched.length > 0
+    ? `<p class="also-matched">Also matched: ${policyAlsoMatched.map(p => escHtml(p.name)).join(" · ")}</p>`
+    : "";
+  const actions = actionSummary.length > 0
+    ? actionSummary.map(a =>
+        `<tr><td>${escHtml(a.kind)}</td><td>${escHtml(a.target)}</td><td>${escHtml(a.status)}</td><td>${escHtml(fmtTs(a.firedAt))}</td></tr>`
+      ).join("")
+    : `<tr><td colspan="4" class="empty">No routed actions recorded.</td></tr>`;
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Unsyphn Evidence Bundle · ${escHtml(report.id)}</title>
+<style>
+  *, *::before, *::after { box-sizing: border-box; }
+  body {
+    font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+    font-size: 11pt;
+    font-weight: 400;
+    color: #111;
+    background: #fff;
+    margin: 0;
+    padding: 0;
+    line-height: 1.5;
+  }
+  .page { max-width: 820px; margin: 0 auto; padding: 48px 32px 80px; }
+  .bundle-header {
+    border-bottom: 2px solid #111;
+    padding-bottom: 16px;
+    margin-bottom: 32px;
+  }
+  .bundle-mark {
+    font-size: 9pt;
+    font-weight: 700;
+    letter-spacing: 0.12em;
+    text-transform: uppercase;
+    color: #444;
+  }
+  .bundle-title {
+    font-size: 22pt;
+    font-weight: 700;
+    margin: 8px 0 4px;
+    letter-spacing: -0.02em;
+    line-height: 1.15;
+  }
+  .bundle-meta {
+    font-size: 9pt;
+    color: #555;
+    margin: 0;
+  }
+  .section { margin: 28px 0; }
+  .section-label {
+    font-size: 8pt;
+    font-weight: 700;
+    letter-spacing: 0.1em;
+    text-transform: uppercase;
+    color: #666;
+    margin: 0 0 10px;
+    border-bottom: 1px solid #ddd;
+    padding-bottom: 4px;
+  }
+  .severity {
+    display: inline-block;
+    padding: 2px 10px;
+    border-radius: 999px;
+    font-size: 9pt;
+    font-weight: 700;
+    letter-spacing: 0.04em;
+    margin-bottom: 10px;
+  }
+  .severity-P1 { background: #fee2e2; color: #991b1b; }
+  .severity-P2 { background: #ffedd5; color: #9a3412; }
+  .severity-P3 { background: #dcfce7; color: #166534; }
+  .policy-box {
+    border: 1px solid #ddd;
+    border-radius: 6px;
+    padding: 12px 16px;
+    background: #f9f9f9;
+  }
+  .policy-box strong { display: block; font-size: 11pt; margin-bottom: 2px; }
+  .policy-box .policy-id { font-size: 8pt; color: #666; }
+  .also-matched { margin-top: 8px; font-size: 9pt; color: #555; }
+  .change {
+    border: 1px solid #ddd;
+    border-radius: 6px;
+    padding: 14px 16px;
+    margin-bottom: 16px;
+    page-break-inside: avoid;
+  }
+  .change-cat {
+    font-size: 8pt;
+    text-transform: uppercase;
+    letter-spacing: 0.08em;
+    color: #666;
+    margin: 0 0 4px;
+  }
+  .change-summary {
+    font-size: 13pt;
+    font-weight: 600;
+    margin: 0 0 10px;
+  }
+  .change-diff {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 10px;
+    margin-bottom: 10px;
+  }
+  .change-before, .change-after {
+    padding: 8px 10px;
+    border-radius: 4px;
+    font-size: 9pt;
+    background: #f4f4f4;
+  }
+  .change-before { border-left: 3px solid #d97706; }
+  .change-after  { border-left: 3px solid #16a34a; }
+  .change-before em, .change-after em {
+    display: block;
+    font-style: normal;
+    font-size: 7.5pt;
+    font-weight: 700;
+    letter-spacing: 0.08em;
+    text-transform: uppercase;
+    color: #888;
+    margin-bottom: 4px;
+  }
+  .change-impact { font-size: 9pt; color: #555; margin: 6px 0 8px; }
+  .change-impact strong { color: #111; }
+  .citations { list-style: none; padding: 0; margin: 0; }
+  .citation {
+    border-left: 2px solid #bbb;
+    padding: 6px 12px;
+    margin: 6px 0;
+    background: #fafafa;
+    font-size: 9pt;
+    page-break-inside: avoid;
+  }
+  .citation-quote { font-style: italic; margin: 0 0 4px; }
+  .citation-meta { font-size: 8pt; color: #666; margin: 0; }
+  .citation-meta a { color: #1d4ed8; text-decoration: none; }
+  .actions-table { width: 100%; border-collapse: collapse; font-size: 9pt; }
+  .actions-table th {
+    text-align: left;
+    font-size: 8pt;
+    font-weight: 700;
+    letter-spacing: 0.05em;
+    text-transform: uppercase;
+    border-bottom: 1px solid #ddd;
+    padding: 4px 8px;
+    color: #555;
+  }
+  .actions-table td { padding: 5px 8px; border-bottom: 1px solid #eee; }
+  .actions-table tr:last-child td { border-bottom: none; }
+  .empty { color: #888; font-style: italic; }
+  .bundle-footer {
+    margin-top: 48px;
+    padding-top: 12px;
+    border-top: 1px solid #ccc;
+    font-size: 8pt;
+    color: #666;
+    text-align: center;
+  }
+  @media print {
+    body { font-size: 10pt; }
+    .page { padding: 16px; max-width: none; }
+    .bundle-header { page-break-after: avoid; }
+    .change { page-break-inside: avoid; }
+    .citation { page-break-inside: avoid; }
+    a[href]::after { content: " (" attr(href) ")"; font-size: 8pt; color: #888; }
+  }
+</style>
+</head>
+<body>
+<div class="page">
+  <div class="bundle-header">
+    <p class="bundle-mark">UNSYPHN EVIDENCE BUNDLE</p>
+    <h1 class="bundle-title">${escHtml(vendor.name)} — ${escHtml(report.changes[0]?.summary ?? "Change detected")}</h1>
+    <p class="bundle-meta">
+      Report ID: ${escHtml(report.id)} &nbsp;·&nbsp;
+      Detected: ${escHtml(fmtTs(report.detectedAt))} &nbsp;·&nbsp;
+      Bundle generated: ${escHtml(generatedAt)}
+    </p>
+  </div>
+
+  <div class="section">
+    <p class="section-label">Severity &amp; State</p>
+    <span class="severity severity-${escHtml(report.severity)}">${escHtml(report.severity)}</span>
+    <span style="margin-left:8px;font-size:9pt;color:#555;">${escHtml(report.state)}</span>
+  </div>
+
+  <div class="section">
+    <p class="section-label">Vendor</p>
+    <p><strong>${escHtml(vendor.name)}</strong> · ${escHtml(vendor.category)}</p>
+  </div>
+
+  <div class="section">
+    <p class="section-label">Policy Fired</p>
+    <div class="policy-box">
+      <strong>${escHtml(policyFired.name)}</strong>
+      <span class="policy-id">${escHtml(policyFired.id)}</span>
+      ${alsoMatched}
+    </div>
+  </div>
+
+  <div class="section">
+    <p class="section-label">Recommendation</p>
+    <p><strong>${escHtml(report.recommendation?.action ?? "")}</strong> — ${escHtml(report.recommendation?.copy ?? "")}</p>
+  </div>
+
+  <div class="section">
+    <p class="section-label">Changes (${report.changes.length})</p>
+    ${changes}
+  </div>
+
+  <div class="section">
+    <p class="section-label">Routed Actions</p>
+    <table class="actions-table">
+      <thead><tr><th>Kind</th><th>Target</th><th>Status</th><th>Fired At</th></tr></thead>
+      <tbody>${actions}</tbody>
+    </table>
+  </div>
+
+  <div class="bundle-footer">
+    Generated by Unsyphn at ${escHtml(generatedAt)}.
+    This bundle is immutable. Bundle id: ${escHtml(bundleId)}
+  </div>
+</div>
+</body>
+</html>`;
+}
+
+export function createEvidenceRouter(reports: ChangeReportRepository): Hono {
+  const router = new Hono();
+
+  // Must be registered before /:id to avoid Hono matching "bundle.html" as an id.
+  router.get("/:id/bundle.html", async (c) => {
+    const id = c.req.param("id");
+    const report = await reports.findById(id as Parameters<typeof reports.findById>[0]);
+    if (!report) {
+      throw new ApiError(
+        ErrorCodes.NotFound,
+        `No evidence brief for id ${id}`,
+      );
+    }
+
+    const vendor = vendorStore.get(report.vendorId);
+    const policyFired = policyStore.get(report.policyFiredId);
+    const policyAlsoMatched = report.policyAlsoMatched
+      .map((pid) => policyStore.get(pid))
+      .filter((p): p is NonNullable<typeof p> => p !== undefined)
+      .map((p) => ({ id: p.id, name: p.name }));
+
+    const brief: EvidenceBriefResponse = {
+      changeReport: report,
+      vendor: {
+        id: vendor?.id ?? report.vendorId,
+        name: vendor?.name ?? "Unknown vendor",
+        category: vendor?.category ?? "uncategorized",
+      },
+      policyFired: {
+        id: policyFired?.id ?? report.policyFiredId,
+        name: policyFired?.name ?? "Unknown policy",
+      },
+      policyAlsoMatched,
+      actionSummary: [],
+    };
+
+    const bundleId = `bun_${newId("bundle").replace("bnd_", "")}`;
+    const generatedAt = new Date().toISOString();
+    const html = renderBundleHtml(brief, bundleId, generatedAt);
+
+    return c.html(html);
+  });
+
+  router.get("/:id", async (c) => {
+    const id = c.req.param("id");
+    const report = await reports.findById(id as Parameters<typeof reports.findById>[0]);
+    if (!report) {
+      throw new ApiError(
+        ErrorCodes.NotFound,
+        `No evidence brief for id ${id}`,
+      );
+    }
+
+    const vendor = vendorStore.get(report.vendorId);
+    const policyFired = policyStore.get(report.policyFiredId);
+    const policyAlsoMatched = report.policyAlsoMatched
+      .map((pid) => policyStore.get(pid))
+      .filter((p): p is NonNullable<typeof p> => p !== undefined)
+      .map((p) => ({ id: p.id, name: p.name }));
+
+    const response: EvidenceBriefResponse = {
+      changeReport: report,
+      vendor: {
+        id: vendor?.id ?? report.vendorId,
+        name: vendor?.name ?? "Unknown vendor",
+        category: vendor?.category ?? "uncategorized",
+      },
+      policyFired: {
+        id: policyFired?.id ?? report.policyFiredId,
+        name: policyFired?.name ?? "Unknown policy",
+      },
+      policyAlsoMatched,
+      actionSummary: [],
+    };
+
+    return c.json(response);
+  });
+
+  return router;
+}
diff --git a/apps/api/src/routes/findings.ts b/apps/api/src/routes/findings.ts
new file mode 100644
index 0000000..f1b81e0
--- /dev/null
+++ b/apps/api/src/routes/findings.ts
@@ -0,0 +1,269 @@
+import { readFileSync } from "node:fs";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Hono } from "hono";
+import { z } from "zod";
+import type { Lens, Severity, Vendor } from "@unsyphn/shared";
+import { ApiError } from "../lib/errors.js";
+import { ErrorCodes } from "@unsyphn/shared";
+import { vendorStore } from "../db/vendor-store.js";
+import { getSeededChangeReports } from "../seed/loader.js";
+import { readLensTags } from "../lib/change-report-views.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export type FindingType = "change" | "compliance" | "subprocessor" | "spend" | "security";
+export type FindingState = "open" | "under-review" | "resolved";
+
+export interface Finding {
+  id: string;
+  type: FindingType;
+  severity: Severity;
+  title: string;
+  summary: string;
+  vendorId: string;
+  vendorName: string;
+  detectedAt: string;
+  state: FindingState;
+  ownerId?: string;
+  sourceUrl?: string;
+  lensTags: Lens[];
+}
+
+// State overrides live in-memory because findings are derived per-request.
+// Mutations write here; aggregation reads here last.
+const stateOverrides = new Map<string, FindingState>();
+
+// --- Sub-processor seed loader ----------------------------------------------
+
+interface SubProcessor {
+  name: string;
+  jurisdiction: string;
+  purpose: string;
+  adequate: boolean;
+  addedAt: string;
+  flagged?: boolean;
+  flagReason?: string;
+}
+
+interface VendorSeedEntry {
+  vendorName: string;
+  subProcessors: SubProcessor[];
+  lastChangeAt: string;
+}
+
+type SubProcessorSeed = Record<string, VendorSeedEntry>;
+
+function loadSubProcessorSeed(): SubProcessorSeed {
+  const path = resolve(__dirname, "../seed/sub-processors.json");
+  return JSON.parse(readFileSync(path, "utf8")) as SubProcessorSeed;
+}
+
+// --- Synthetic helpers ------------------------------------------------------
+
+function hashString(s: string): number {
+  let h = 0;
+  for (let i = 0; i < s.length; i += 1) {
+    h = (h * 31 + s.charCodeAt(i)) | 0;
+  }
+  return Math.abs(h);
+}
+
+const SOC2_BASE_DATE = Date.parse("2026-07-01T00:00:00Z");
+
+function syntheticSoc2Expiry(vendorId: string): string {
+  // Deterministic 0-179 day offset from a fixed base so the date never drifts.
+  const offsetDays = hashString(vendorId) % 180;
+  return new Date(SOC2_BASE_DATE + offsetDays * 86_400_000).toISOString();
+}
+
+function daysBetween(later: string, now: Date): number {
+  return Math.round((Date.parse(later) - now.getTime()) / 86_400_000);
+}
+
+function slugify(s: string): string {
+  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+
+// --- Aggregation ------------------------------------------------------------
+
+function fromChangeReports(orgId: string): Finding[] {
+  return getSeededChangeReports()
+    .filter((r) => r.orgId === orgId && r.state !== "resolved")
+    .map<Finding>((r) => {
+      const vendor = vendorStore.get(r.vendorId);
+      const title = r.headline ?? r.changes[0]?.summary ?? "Material change detected";
+      const finding: Finding = {
+        id: `find_chg_${r.id}`,
+        type: "change",
+        severity: r.severity,
+        title,
+        summary: r.recommendation.copy,
+        vendorId: r.vendorId,
+        vendorName: vendor?.name ?? r.vendorId,
+        detectedAt: r.detectedAt,
+        state: r.state === "new" ? "open" : "under-review",
+        sourceUrl: `/app/change/${encodeURIComponent(r.id)}`,
+        lensTags: readLensTags(r),
+      };
+      if (r.ownerId) finding.ownerId = r.ownerId;
+      return finding;
+    });
+}
+
+function fromSubProcessors(orgId: string): Finding[] {
+  const seed = loadSubProcessorSeed();
+  const findings: Finding[] = [];
+  for (const [vendorId, entry] of Object.entries(seed)) {
+    const vendor = vendorStore.get(vendorId);
+    if (!vendor || vendor.orgId !== orgId) continue;
+    for (const sp of entry.subProcessors) {
+      if (sp.flagged !== true) continue;
+      findings.push({
+        id: `find_sp_${vendorId}_${slugify(sp.name)}`,
+        type: "subprocessor",
+        severity: "P2",
+        title: `New sub-processor ${sp.name} in ${sp.jurisdiction}`,
+        summary: sp.flagReason ?? `${sp.name} processes ${sp.purpose} from ${sp.jurisdiction}, a non-adequate jurisdiction.`,
+        vendorId,
+        vendorName: entry.vendorName,
+        detectedAt: sp.addedAt,
+        state: "open",
+        sourceUrl: `/app/vendors/${encodeURIComponent(vendorId)}?tab=subprocessors`,
+        lensTags: ["security", "legal"],
+      });
+    }
+  }
+  return findings;
+}
+
+function isComplianceCandidate(v: Vendor): boolean {
+  if (v.category === "security" || v.category === "infrastructure") return true;
+  return (v.dataClasses ?? []).includes("pii");
+}
+
+function fromCompliance(orgId: string, now: Date): Finding[] {
+  return vendorStore
+    .list(orgId)
+    .filter(isComplianceCandidate)
+    .map<Finding>((v) => {
+      const expiresAt = syntheticSoc2Expiry(v.id);
+      const days = daysBetween(expiresAt, now);
+      const severity: Severity = days < 30 ? "P1" : days < 90 ? "P2" : "P3";
+      return {
+        id: `find_compl_${v.id}`,
+        type: "compliance",
+        severity,
+        title: `SOC 2 Type II expires in ${days} day${days === 1 ? "" : "s"}`,
+        summary: `${v.name}'s SOC 2 attestation expires ${new Date(expiresAt).toISOString().slice(0, 10)}. Request a renewed report before the audit window closes.`,
+        vendorId: v.id,
+        vendorName: v.name,
+        detectedAt: now.toISOString(),
+        state: "open",
+        sourceUrl: `/app/vendors/${encodeURIComponent(v.id)}`,
+        lensTags: ["audit", "security", "legal"],
+      };
+    });
+}
+
+function fromSpend(orgId: string, now: Date): Finding[] {
+  return vendorStore
+    .list(orgId)
+    .filter((v) => (v.contract?.annualSpendUsd ?? 0) > 100_000 && v.posture === "watch")
+    .map<Finding>((v) => ({
+      id: `find_spend_${v.id}`,
+      type: "spend",
+      severity: "P2",
+      title: `Above benchmark — renegotiation candidate`,
+      summary: `${v.name} spend of $${Math.round((v.contract?.annualSpendUsd ?? 0) / 1000)}k is above peer median. Open renegotiation talks before renewal.`,
+      vendorId: v.id,
+      vendorName: v.name,
+      detectedAt: now.toISOString(),
+      state: "open",
+      sourceUrl: `/app/vendors/${encodeURIComponent(v.id)}`,
+      lensTags: ["finance", "procurement"],
+    }));
+}
+
+function applyOverrides(findings: Finding[]): Finding[] {
+  return findings.map((f) => {
+    const override = stateOverrides.get(f.id);
+    return override ? { ...f, state: override } : f;
+  });
+}
+
+// --- Route ------------------------------------------------------------------
+
+const QuerySchema = z.object({
+  type: z.enum(["change", "compliance", "subprocessor", "spend", "security"]).optional(),
+  severity: z.enum(["P1", "P2", "P3"]).optional(),
+  state: z.enum(["open", "under-review", "resolved"]).optional(),
+  lens: z.enum(["procurement", "legal", "security", "finance", "it", "audit"]).optional(),
+  vendorId: z.string().optional(),
+});
+
+const StateBodySchema = z.object({
+  state: z.enum(["open", "under-review", "resolved"]),
+});
+
+export const findingsRoute = new Hono();
+
+findingsRoute.get("/", (c) => {
+  const orgId = c.get("orgId");
+  const parsed = QuerySchema.safeParse({
+    type: c.req.query("type"),
+    severity: c.req.query("severity"),
+    state: c.req.query("state"),
+    lens: c.req.query("lens"),
+    vendorId: c.req.query("vendorId"),
+  });
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.ValidationFailed, "Invalid query parameter", {
+      issues: parsed.error.issues,
+    });
+  }
+  const q = parsed.data;
+  const now = new Date();
+
+  let findings: Finding[] = [
+    ...fromChangeReports(orgId),
+    ...fromSubProcessors(orgId),
+    ...fromCompliance(orgId, now),
+    ...fromSpend(orgId, now),
+  ];
+
+  findings = applyOverrides(findings);
+
+  if (q.vendorId) findings = findings.filter((f) => f.vendorId === q.vendorId);
+  if (q.type) findings = findings.filter((f) => f.type === q.type);
+  if (q.severity) findings = findings.filter((f) => f.severity === q.severity);
+  if (q.state) findings = findings.filter((f) => f.state === q.state);
+  if (q.lens) findings = findings.filter((f) => f.lensTags.includes(q.lens as Lens));
+
+  findings.sort((a, b) => b.detectedAt.localeCompare(a.detectedAt));
+
+  return c.json({ findings });
+});
+
+findingsRoute.post("/:id/state", async (c) => {
+  const id = c.req.param("id");
+  let body: unknown;
+  try {
+    body = await c.req.json();
+  } catch {
+    throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
+  }
+  const parsed = StateBodySchema.safeParse(body);
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.ValidationFailed, "Invalid state", {
+      issues: parsed.error.issues,
+    });
+  }
+  stateOverrides.set(id, parsed.data.state);
+  return c.json({ id, state: parsed.data.state });
+});
+
+// Test-only — keeps unit suites isolated.
+export function _resetFindingState(): void {
+  stateOverrides.clear();
+}
diff --git a/apps/api/src/routes/inbox.ts b/apps/api/src/routes/inbox.ts
new file mode 100644
index 0000000..2ba0860
--- /dev/null
+++ b/apps/api/src/routes/inbox.ts
@@ -0,0 +1,47 @@
+import { Hono } from "hono";
+import type { Lens, Severity } from "@unsyphn/shared";
+import { getSeededChangeReports } from "../seed/loader.js";
+import { toInboxItem } from "../lib/change-report-views.js";
+
+export const inboxRoute = new Hono();
+
+inboxRoute.get("/", (c) => {
+  const filter = c.req.query("filter") ?? "all";
+  const severity = c.req.query("severity") ?? "all";
+  const lens = c.req.query("lens");
+  const limit = Math.min(Number(c.req.query("limit") ?? 50), 200);
+
+  const reports = getSeededChangeReports().filter((r) => r.state !== "resolved");
+  let items = reports.map(toInboxItem);
+
+  // Inbox kind has only been "change" since material-changes.json was retired;
+  // legacy callers still send filter=changes|all, treat both as no-op filters
+  // and let the kind enum guard future expansion.
+  if (filter !== "all" && filter !== "changes") {
+    items = items.filter((item) => item.kind === filter);
+  }
+
+  if (severity !== "all") {
+    items = items.filter((item) => item.severity === (severity as Severity));
+  }
+
+  // Phase 2: LensChips now sends the active role. Apply lens filter when set;
+  // if the filter empties the list, fall back to the unfiltered set so the
+  // user doesn't see a bare inbox on a quiet role-lens. When nothing exists
+  // pre-filter, return empty so the client can render its per-role empty copy.
+  if (lens && lens !== "all") {
+    const filtered = items.filter((item) =>
+      (item.lensTags as string[]).includes(lens as Lens),
+    );
+    if (filtered.length > 0 || items.length === 0) {
+      items = filtered;
+    }
+  }
+
+  items = items
+    .slice()
+    .sort((a, b) => Date.parse(b.occurredAt) - Date.parse(a.occurredAt))
+    .slice(0, limit);
+
+  return c.json({ items, total: items.length });
+});
diff --git a/apps/api/src/routes/integrations.ts b/apps/api/src/routes/integrations.ts
new file mode 100644
index 0000000..4813798
--- /dev/null
+++ b/apps/api/src/routes/integrations.ts
@@ -0,0 +1,93 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { ErrorCodes } from "@unsyphn/shared";
+import {
+  integrationsStore,
+  type IntegrationCategory,
+} from "../db/integrations-store.js";
+import { ApiError } from "../lib/errors.js";
+
+const VALID_CATEGORIES: ReadonlyArray<IntegrationCategory> = ["inbound", "outbound"];
+
+const connectSchema = z
+  .object({
+    // Phase 7 — primary field name. `fields` retained for backwards compat
+    // with the earliest Phase 0 spike clients before they upgrade.
+    values: z.record(z.string(), z.string()).optional(),
+    fields: z.record(z.string(), z.string()).optional(),
+    scopes: z.array(z.string()).optional(),
+    connectedAs: z.string().optional(),
+  })
+  .strict();
+
+export const integrationsRoute = new Hono();
+
+integrationsRoute.get("/", (c) => {
+  const category = c.req.query("category");
+  if (category && !(VALID_CATEGORIES as ReadonlyArray<string>).includes(category)) {
+    throw new ApiError(
+      ErrorCodes.Unprocessable,
+      `category must be one of: ${VALID_CATEGORIES.join(", ")}`,
+    );
+  }
+  const integrations = integrationsStore.list(
+    category ? { category: category as IntegrationCategory } : undefined,
+  );
+  return c.json({ integrations });
+});
+
+integrationsRoute.post("/:id/connect", async (c) => {
+  const id = c.req.param("id");
+  const parsed = connectSchema.safeParse(await c.req.json().catch(() => ({})));
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+  const values = parsed.data.values ?? parsed.data.fields;
+  const updated = integrationsStore.connect(id, {
+    ...(values ? { values } : {}),
+    ...(parsed.data.scopes ? { scopes: parsed.data.scopes } : {}),
+    ...(parsed.data.connectedAs ? { connectedAs: parsed.data.connectedAs } : {}),
+  });
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `No integration found with id ${id}`);
+  }
+  return c.json({ integration: updated });
+});
+
+integrationsRoute.post("/:id/disconnect", (c) => {
+  const id = c.req.param("id");
+  const updated = integrationsStore.disconnect(id);
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `No integration found with id ${id}`);
+  }
+  return c.json({ integration: updated });
+});
+
+integrationsRoute.post("/:id/sync", (c) => {
+  const id = c.req.param("id");
+  const existing = integrationsStore.get(id);
+  if (!existing) {
+    throw new ApiError(ErrorCodes.NotFound, `No integration found with id ${id}`);
+  }
+  if (!existing.connected) {
+    throw new ApiError(
+      ErrorCodes.Unprocessable,
+      "Integration must be connected before it can sync",
+    );
+  }
+  const recordsScanned = 100 + Math.floor(Math.random() * 7900);
+  const sync = integrationsStore.recordSync(id, recordsScanned);
+  return c.json({ synced: true, recordsScanned, sync });
+});
+
+integrationsRoute.get("/:id/syncs", (c) => {
+  const id = c.req.param("id");
+  const existing = integrationsStore.get(id);
+  if (!existing) {
+    throw new ApiError(ErrorCodes.NotFound, `No integration found with id ${id}`);
+  }
+  const syncs = integrationsStore.syncHistory(id, 5);
+  return c.json({ syncs });
+});
diff --git a/apps/api/src/routes/onboarding.ts b/apps/api/src/routes/onboarding.ts
new file mode 100644
index 0000000..949d3d4
--- /dev/null
+++ b/apps/api/src/routes/onboarding.ts
@@ -0,0 +1,105 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import type { DiscoveryJob } from "@unsyphn/shared";
+import { errorResponse } from "../errors.js";
+
+const discoverBodySchema = z.object({
+  provider: z.enum(["google", "microsoft"]),
+  domain: z.string().min(1),
+});
+
+const EXISTING_VENDORS = [
+  { id: "vnd_notion", name: "Notion", domain: "notion.so", category: "productivity", spendUsd: 36000, confidence: 1.0 },
+  { id: "vnd_stripe", name: "Stripe", domain: "stripe.com", category: "billing", spendUsd: 120000, confidence: 1.0 },
+  { id: "vnd_figma", name: "Figma", domain: "figma.com", category: "design", spendUsd: 48000, confidence: 1.0 },
+  { id: "vnd_slack", name: "Slack", domain: "slack.com", category: "productivity", spendUsd: 180000, confidence: 1.0 },
+  { id: "vnd_datadog", name: "Datadog", domain: "datadoghq.com", category: "productivity", spendUsd: 240000, confidence: 1.0 },
+  { id: "vnd_salesforce", name: "Salesforce", domain: "salesforce.com", category: "productivity", spendUsd: 815000, confidence: 1.0 },
+  { id: "vnd_github", name: "GitHub", domain: "github.com", category: "productivity", spendUsd: 72000, confidence: 1.0 },
+  { id: "vnd_aws", name: "AWS", domain: "aws.amazon.com", category: "productivity", spendUsd: 980000, confidence: 1.0 },
+];
+
+const NEW_VENDOR_NAMES = [
+  "HubSpot", "Asana", "Linear", "Jira", "Confluence",
+  "Zoom", "Adobe Creative Cloud", "Microsoft 365", "Google Workspace",
+  "Okta", "Vanta", "Brex",
+];
+
+const VENDOR_CATEGORIES: Record<string, string> = {
+  HubSpot: "productivity",
+  Asana: "productivity",
+  Linear: "productivity",
+  Jira: "productivity",
+  Confluence: "productivity",
+  Zoom: "productivity",
+  "Adobe Creative Cloud": "design",
+  "Microsoft 365": "productivity",
+  "Google Workspace": "productivity",
+  Okta: "identity",
+  Vanta: "security",
+  Brex: "billing",
+};
+
+const VENDOR_DOMAINS: Record<string, string> = {
+  HubSpot: "hubspot.com",
+  Asana: "asana.com",
+  Linear: "linear.app",
+  Jira: "atlassian.com",
+  Confluence: "atlassian.com",
+  Zoom: "zoom.us",
+  "Adobe Creative Cloud": "adobe.com",
+  "Microsoft 365": "microsoft.com",
+  "Google Workspace": "workspace.google.com",
+  Okta: "okta.com",
+  Vanta: "vanta.com",
+  Brex: "brex.com",
+};
+
+const SPEND_SEEDS: Record<string, number> = {
+  HubSpot: 42000,
+  Asana: 18000,
+  Linear: 12000,
+  Jira: 36000,
+  Confluence: 24000,
+  Zoom: 30000,
+  "Adobe Creative Cloud": 48000,
+  "Microsoft 365": 120000,
+  "Google Workspace": 96000,
+  Okta: 60000,
+  Vanta: 45000,
+  Brex: 9000,
+};
+
+const NEW_DISCOVERED = NEW_VENDOR_NAMES.map((name) => ({
+  id: `vnd_${name.toLowerCase().replace(/[^a-z0-9]/g, "_")}`,
+  name,
+  domain: VENDOR_DOMAINS[name] ?? `${name.toLowerCase().replace(/\s+/g, "")}.com`,
+  category: VENDOR_CATEGORIES[name] ?? "productivity",
+  spendUsd: SPEND_SEEDS[name] ?? 20000,
+  confidence: 0.95,
+}));
+
+const STUB_JOB: DiscoveryJob = {
+  jobId: "job_demo_001",
+  estimatedSeconds: 45,
+  expectedVendors: 247,
+  discoveredVendors: [...EXISTING_VENDORS, ...NEW_DISCOVERED],
+};
+
+export const onboardingRoute = new Hono();
+
+onboardingRoute.post("/discover", async (c) => {
+  let rawBody: unknown;
+  try {
+    rawBody = await c.req.json();
+  } catch {
+    return errorResponse(c, 422, "unprocessable", "Request body must be valid JSON");
+  }
+
+  const parsed = discoverBodySchema.safeParse(rawBody);
+  if (!parsed.success) {
+    return errorResponse(c, 422, "unprocessable", "Invalid request body", parsed.error.flatten());
+  }
+
+  return c.json(STUB_JOB);
+});
diff --git a/apps/api/src/routes/recoverable.ts b/apps/api/src/routes/recoverable.ts
new file mode 100644
index 0000000..1e567b3
--- /dev/null
+++ b/apps/api/src/routes/recoverable.ts
@@ -0,0 +1,16 @@
+import { Hono } from "hono";
+import type { Recoverable } from "@unsyphn/shared";
+
+const RECOVERABLE_STUB: Recoverable = {
+  totalUsd: 135000,
+  breakdown: {
+    unusedSeatsUsd: 42000,
+    priceHikesUsd: 28000,
+    duplicateAppsUsd: 18000,
+    atRiskUsd: 47000,
+  },
+};
+
+export const recoverableRoute = new Hono();
+
+recoverableRoute.get("/", (c) => c.json(RECOVERABLE_STUB));
diff --git a/apps/api/src/routes/renegotiation.ts b/apps/api/src/routes/renegotiation.ts
new file mode 100644
index 0000000..b3ccfb8
--- /dev/null
+++ b/apps/api/src/routes/renegotiation.ts
@@ -0,0 +1,592 @@
+import { Hono } from "hono";
+
+type Tone = "firm" | "friendly" | "aggressive";
+
+interface Draft {
+  tone: Tone;
+  subject: string;
+  body: string;
+}
+
+interface PacketResponse {
+  vendorId: string;
+  vendorName: string;
+  currentSpend: number;
+  benchmarkRange: { low: number; high: number };
+  usagePct: number;
+  recoverableUsd: number;
+  drafts: Draft[];
+  talkingPoints: string[];
+}
+
+const VENDOR_PACKETS: Record<string, Omit<PacketResponse, "vendorId">> = {
+  vnd_salesforce: {
+    vendorName: "Salesforce",
+    currentSpend: 815000,
+    benchmarkRange: { low: 620000, high: 700000 },
+    usagePct: 51,
+    recoverableUsd: 312000,
+    talkingPoints: [
+      "Active utilization at 51% (industry avg: 68%) — 412 of 850 seats in use",
+      "Benchmark range $1,400–$1,550/seat vs current $1,800/seat on Enterprise Cloud",
+      "Comparable companies negotiated -18% to -25% YoY on similar ARR profiles",
+      "Renewal on Jul 9, 2026 — 47 days to close without disruption",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Salesforce renewal — request for 22% adjustment ahead of Jul 9 expiry",
+        body: `Hi [AE],
+
+Our annual contract is up for renewal on July 9, 2026. Before we sign for another term, I want to share what we're seeing internally and discuss adjustments.
+
+Over the past 12 months, our active seat count has been 438 against 850 provisioned — a 51% utilization rate. At our current $1,800 per-seat annual rate, that's $740k in unused capacity.
+
+Comparable companies (similar ARR and headcount profile) are paying $1,400–$1,550 per seat on Enterprise Cloud, per our benchmark data. Our current rate sits above that band.
+
+We're requesting: a 22% adjustment to $1,400/seat, with a seat reduction to 500 active. That puts our annual at $700k — still a meaningful expansion for Salesforce against your peer accounts.
+
+If that's not workable, we'll need to evaluate alternative platforms ahead of the renewal date. Happy to set up a call this week.
+
+Thanks,
+[Procurement]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Salesforce renewal — let's align on terms ahead of July",
+        body: `Hi [AE],
+
+We've had a great partnership with Salesforce this year and want to set up another strong term together. As we head into renewal on July 9, I wanted to share a few data points so we're aligned before the paperwork.
+
+Our team has 438 active users out of 850 provisioned — about 51% utilization. We've been working to right-size, and a seat reduction to around 500 would better match our actual footprint.
+
+Looking at market benchmarks, similar companies are renewing in the $1,400–$1,550/seat range. Our current $1,800/seat rate is a bit above that, so we'd love to explore moving closer to $1,450/seat for the renewal term.
+
+That gets us to around $725k annually — a fair deal for both sides. Would you have time for a quick call this week to align?
+
+Looking forward to continuing the partnership.
+
+Best,
+[Procurement]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Salesforce renewal — 22% reduction required or we evaluate alternatives",
+        body: `Hi [AE],
+
+We need to resolve Salesforce pricing before July 9. Here's where we stand: 51% seat utilization (438 of 850), $740k sitting in unused capacity at your current $1,800/seat rate, and benchmark data showing peers closing deals at $1,400–$1,550/seat.
+
+We've modeled switching costs to HubSpot and Microsoft Dynamics. Neither is our preference, but both are viable at these price points.
+
+Our ask is direct: $1,400/seat on 500 seats, $700k total annual. We need confirmation by June 20 to stay on track for July 9 signatures.
+
+If we don't get to $1,400/seat, we'll be issuing an RFP to two competitors this month. This isn't a bluff — our board has already approved the budget to switch.
+
+Please escalate if needed. We want to stay on Salesforce but not at current rates.
+
+[Procurement]`,
+      },
+    ],
+  },
+
+  vnd_notion: {
+    vendorName: "Notion",
+    currentSpend: 84000,
+    benchmarkRange: { low: 60000, high: 70000 },
+    usagePct: 69,
+    recoverableUsd: 22000,
+    talkingPoints: [
+      "69% active utilization — 412 of 600 seats in use, 188 idle",
+      "Benchmark range $8–$10/seat/month vs current $11.67/seat/month",
+      "Peer companies at similar scale renewing at $9–$10/seat",
+      "Renewal Jul 4 — 40 days to lock in terms",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Notion renewal — 17% adjustment requested before Jul 4",
+        body: `Hi Notion team,
+
+Our contract renews on July 4, 2026. Before we move forward, we want to discuss our current rate.
+
+We're at $11.67/seat/month across 600 seats, with 412 actively using the product (69% utilization). Benchmark data puts comparable teams at $9–$10/seat/month for our workspace size.
+
+We're requesting a reduction to $9.50/seat/month and a seat adjustment to 450 — bringing our annual to approximately $51,300. That's a 17% reduction from current spend of $84k.
+
+If you can confirm this by June 20, we can execute contracts quickly.
+
+Thanks,
+[Procurement]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Notion renewal — quick alignment before July",
+        body: `Hi Notion team,
+
+The team loves Notion — it's become core to how we document and collaborate. As we head into our July 4 renewal, I wanted to share a few data points.
+
+We have 412 active users out of 600 provisioned (69% utilization). We'd like to right-size to around 450 seats and bring the per-seat rate closer to the $9–$10 range we're seeing from peer companies.
+
+That would put us around $51k–$54k annually, down from our current $84k. Happy to lock in a two-year term if that helps on your side.
+
+Can we schedule 20 minutes this week?
+
+Best,
+[Procurement]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Notion renewal — must resolve rate before Jun 25 or we switch to Confluence",
+        body: `Hi Notion team,
+
+Our renewal is July 4. We're paying $84k annually at $11.67/seat with 69% utilization. Confluence and Coda are both quoting us $8–$9/seat for comparable feature sets.
+
+We need $9.50/seat on 450 seats ($51,300/yr) confirmed by June 25. If we don't have a revised order form by then, we'll execute the Confluence migration we have scoped.
+
+This isn't a negotiating position — our engineering team already has a migration playbook. The only question is whether Notion matches market rate.
+
+Please respond with a revised quote or an escalation contact.
+
+[Procurement]`,
+      },
+    ],
+  },
+
+  vnd_stripe: {
+    vendorName: "Stripe",
+    currentSpend: 62000,
+    benchmarkRange: { low: 45000, high: 55000 },
+    usagePct: 90,
+    recoverableUsd: 12000,
+    talkingPoints: [
+      "Usage at 90% — 18 of 20 seats active; minimal seat waste but rate is above benchmark",
+      "Current blended rate runs 11% above peer companies at similar transaction volume",
+      "Volume discount tier not applied — we qualify for the $250k+/yr rate card",
+      "Renewal Jul 18 — opportunity to lock in volume pricing before next tier resets",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Stripe platform renewal — volume discount adjustment before Jul 18",
+        body: `Hi Stripe team,
+
+Our platform agreement renews July 18, 2026. I want to discuss our rate before we sign.
+
+At current transaction volume, we qualify for Stripe's $250k+ annual volume tier. Our blended rate isn't reflecting that, and benchmark data puts comparable companies at $45k–$55k annually for our profile.
+
+We're asking for the volume discount tier to be applied, bringing our annual to approximately $50k. That's a 19% reduction from current $62k — in line with your published rate card for our volume.
+
+Please send a revised quote by July 1 so we have time to execute before renewal.
+
+Thanks,
+[Finance]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Stripe renewal — aligning on volume pricing for next term",
+        body: `Hi Stripe team,
+
+We've been a happy Stripe customer and plan to stay so for the long term. As we approach our July 18 renewal, we'd like to discuss rate alignment.
+
+Our transaction volume puts us in the $250k+ annual tier, and we'd expect our rate to reflect that. Benchmark data shows comparable companies at $45k–$55k/yr. We're currently at $62k.
+
+Would love to get this resolved before July 1 so we can execute cleanly. We're also open to a 2-year commitment if that unlocks better terms.
+
+Happy to jump on a call.
+
+Best,
+[Finance]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Stripe renewal — volume discount must apply or we evaluate Adyen",
+        body: `Hi Stripe team,
+
+Our transaction volume qualifies for your $250k+ rate card. Our current contract doesn't reflect that, and we're paying $62k annually against a benchmark of $45k–$55k for companies at our scale.
+
+We've had preliminary conversations with Adyen and Braintree. Both quoted meaningfully lower. Stripe is our preference for ecosystem reasons, but not at a 25% premium over market.
+
+We need a revised quote at $50k or below by July 5. If we don't receive it, we'll begin the migration process.
+
+This is a straightforward ask — apply the volume discount we've earned.
+
+[Finance]`,
+      },
+    ],
+  },
+
+  vnd_figma: {
+    vendorName: "Figma",
+    currentSpend: 24000,
+    benchmarkRange: { low: 16000, high: 20000 },
+    usagePct: 69,
+    recoverableUsd: 7200,
+    talkingPoints: [
+      "69% active utilization — 55 of 80 seats in use, 25 idle",
+      "Benchmark $16k–$20k for our seat count vs current $24k",
+      "Figma Professional at $12/seat/month — we're at $25/seat effective rate including extras",
+      "Alternative: Adobe XD and Penpot both quoted under $15k for comparable access",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Figma renewal — seat reduction and rate adjustment before Nov 1",
+        body: `Hi Figma team,
+
+Our contract renews November 1, 2026. We want to right-size before then.
+
+We have 55 active designers out of 80 seats (69% utilization). Peer benchmarks show comparable design teams renewing at $16k–$20k annually. Our current $24k puts us 20% above that band.
+
+We're requesting: reduce to 60 seats at $15/seat/month — $10,800/yr. Alternatively, we'll accept current seat count at $12/seat/month Professional plan — $11,520/yr.
+
+Please respond with a revised quote before October 1.
+
+[Procurement]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Figma renewal — let's right-size for next year",
+        body: `Hi Figma team,
+
+The design team loves Figma — it's central to how we ship. As we approach the November renewal, we want to make sure our contract matches how we actually use the product.
+
+We're at 55 active designers out of 80 provisioned. Right-sizing to 60 seats and moving to Professional plan pricing ($12/seat) would get us to $8,640 annually — or we'd be happy to discuss a bundled rate for our actual footprint.
+
+Benchmark data for teams our size runs $16k–$20k, so there's some room to align. Can we get 20 minutes on the calendar?
+
+Best,
+[Procurement]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Figma renewal — 33% reduction required; Penpot migration scoped as alternative",
+        body: `Hi Figma team,
+
+We're paying $24k for a product 31% of our licensed seats don't actively use. Benchmark for comparable design orgs is $16k–$20k.
+
+Penpot is open source and our engineering team has it running in our infrastructure already as a pilot. Adobe XD quoted us $14k for equivalent access.
+
+We need Figma at $16k or below to renew — either through seat reduction or rate adjustment. Confirm by October 15 or we'll complete the Penpot migration before November 1.
+
+[Procurement]`,
+      },
+    ],
+  },
+
+  vnd_slack: {
+    vendorName: "Slack",
+    currentSpend: 38000,
+    benchmarkRange: { low: 28000, high: 34000 },
+    usagePct: 78,
+    recoverableUsd: 9000,
+    talkingPoints: [
+      "78% active utilization — 310 of 400 seats active; 90 seats unused at $9.58/seat/month",
+      "Benchmark $28k–$34k for our headcount vs current $38k",
+      "Microsoft Teams included in existing M365 subscription — migration cost is low",
+      "Renewal Aug 12 — 79 days to negotiate",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Slack renewal — 21% reduction and seat right-sizing before Aug 12",
+        body: `Hi Slack team,
+
+Our renewal is August 12, 2026. We want to resolve pricing before then.
+
+We have 310 active Slack users out of 400 provisioned (78% utilization). At $9.58/seat/month, we're paying for 90 seats our team doesn't actively use. Benchmark data puts comparable companies at $28k–$34k annually; we're at $38k.
+
+We're requesting: reduce to 320 seats at $8.50/seat/month — $32,640/yr. That's a 14% reduction that reflects actual usage.
+
+If the rate can't move, we'll need to move to Teams which is already included in our M365 agreement.
+
+Please respond by July 15.
+
+[IT]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Slack renewal — right-sizing and rate check before August",
+        body: `Hi Slack team,
+
+Slack is deeply embedded in how our team communicates and we'd like to renew for another year. Before we do, I wanted to align on a few things.
+
+We're at 310 daily active users out of 400 seats. Right-sizing to 325 seats would better match our footprint. Benchmark data shows companies our size at $28k–$34k annually; we're currently at $38k.
+
+Can we explore $8.50/seat on 325 seats (~$33k/yr)? Happy to commit to a two-year term for better rates.
+
+Let's find a time this week.
+
+Best,
+[IT]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Slack renewal — $30k or we migrate to Teams by Aug 12",
+        body: `Hi Slack team,
+
+We have Teams bundled in our M365 agreement. We've been paying $38k/year for Slack because the product is better — but not $8k/year better at our utilization rate.
+
+78% active utilization, benchmark at $28k–$34k, and Teams is already available to every employee. We need Slack at $30k annually (325 seats at $7.69/seat) to justify not migrating.
+
+This is a binary decision point. We need a revised quote by July 25 or we'll begin the Teams rollout in August.
+
+[IT]`,
+      },
+    ],
+  },
+
+  vnd_datadog: {
+    vendorName: "Datadog",
+    currentSpend: 145000,
+    benchmarkRange: { low: 105000, high: 125000 },
+    usagePct: 93,
+    recoverableUsd: 28000,
+    talkingPoints: [
+      "93% utilization — highly active; leverage is on rate, not seats",
+      "Benchmark $105k–$125k for our infra scale vs current $145k",
+      "Log retention at 15 days — reducing to 7 days would save ~$18k/year",
+      "New Relic and Grafana Cloud both quoted 25–30% below current Datadog rate",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "Datadog renewal — 17% rate reduction requested before Jun 30",
+        body: `Hi Datadog team,
+
+Our renewal is June 30, 2026. Before we commit to another term, we need to align on rate.
+
+We're at $145k annually and highly active (93% of provisioned hosts in use). The rate issue isn't utilization — it's that comparable observability stacks at our infrastructure scale run $105k–$125k. We're 16% above the top of that band.
+
+We're requesting a 17% reduction to $120k for the renewal term. We're also willing to reduce log retention from 15 to 7 days, which our engineering team says would unlock an additional $18k in savings.
+
+New Relic and Grafana Cloud have both submitted competitive quotes. We prefer Datadog's product but need to see rate movement.
+
+Please respond by June 15.
+
+[Engineering]`,
+      },
+      {
+        tone: "friendly",
+        subject: "Datadog renewal — aligning on rate for June term",
+        body: `Hi Datadog team,
+
+Our team relies heavily on Datadog — 93% host utilization and actively used across engineering, SRE, and security. We want to renew.
+
+As we approach June 30, I wanted to flag a pricing gap. Benchmark data shows comparable observability customers at $105k–$125k annually. We're at $145k. We'd like to close that gap.
+
+We're open to a few paths: a rate adjustment to ~$120k, a retention adjustment from 15 to 7 days, or a longer commitment term for a better blended rate.
+
+Can we get on a call this week to align before June 15?
+
+Best,
+[Engineering]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "Datadog renewal — $120k or we execute New Relic migration",
+        body: `Hi Datadog team,
+
+We have quotes from New Relic and Grafana Cloud at $105k and $108k respectively for comparable observability coverage. We're currently paying Datadog $145k.
+
+We want to stay on Datadog — our team knows the product and migration has real cost. But not $40k/year in cost.
+
+$120k is our number. If we can't get there, we'll execute the New Relic migration before our June 30 renewal date. We've already scoped the effort; it's a 6-week project.
+
+Respond with a revised quote by June 10.
+
+[Engineering / Procurement]`,
+      },
+    ],
+  },
+
+  vnd_github: {
+    vendorName: "GitHub",
+    currentSpend: 52000,
+    benchmarkRange: { low: 38000, high: 46000 },
+    usagePct: 90,
+    recoverableUsd: 9000,
+    talkingPoints: [
+      "90% active utilization — 90 of 100 developers active; minimal seat waste",
+      "Benchmark $38k–$46k for our developer headcount vs current $52k",
+      "GitHub Actions minutes overages adding ~$8k/year beyond base license",
+      "GitLab quoted $39k for equivalent Enterprise tier with CI included",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "GitHub Enterprise renewal — 15% adjustment and Actions minute bundle",
+        body: `Hi GitHub team,
+
+Our Enterprise agreement renews March 20, 2027. We're starting renewal discussions now to avoid a crunch.
+
+We have 90 active developers out of 100 licenses. At current rate, we're at $52k annually — 13% above the $38k–$46k benchmark for comparable engineering orgs. We're also paying $8k+ in Actions minute overages annually on top of the base rate.
+
+We're requesting: 10% reduction on the base license to $46,800, plus a committed Actions minute bundle that eliminates per-minute overage charges. Total package: $50k flat.
+
+GitLab Enterprise submitted a $39k all-inclusive quote. We prefer GitHub's ecosystem but need to close the gap.
+
+[Engineering]`,
+      },
+      {
+        tone: "friendly",
+        subject: "GitHub renewal — early discussions on Enterprise terms",
+        body: `Hi GitHub team,
+
+We're happy with GitHub Enterprise — it's core infrastructure for our engineering org. Starting renewal conversations early so we can finalize by Q1 2027.
+
+At 90 of 100 seats active, we're highly utilized. The one area we'd like to address: our Actions minute overages add $8k+/year on top of the $52k base. Benchmark data shows comparable orgs at $38k–$46k all-in.
+
+We'd love to explore a bundled rate — base license plus committed Actions minutes — in the $48k–$50k range. Happy to commit to a 2-year term if that unlocks better pricing.
+
+Let's find a time to talk.
+
+Best,
+[Engineering]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "GitHub renewal — $46k all-in required; GitLab migration is scoped",
+        body: `Hi GitHub team,
+
+We're paying $52k base plus $8k in Actions overages — $60k effectively — for 90 developers. GitLab Enterprise quoted us $39k all-inclusive with equivalent CI/CD.
+
+GitHub is our strong preference. But $21k/year in premium over GitLab is hard to justify to our board.
+
+We need $46k all-in (base + Actions bundle) to renew. No overages, no surprises. If we can't get to $46k, we'll execute the GitLab migration we have scoped for Q4.
+
+Confirm by December 1.
+
+[Engineering]`,
+      },
+    ],
+  },
+
+  vnd_aws: {
+    vendorName: "AWS",
+    currentSpend: 420000,
+    benchmarkRange: { low: 320000, high: 370000 },
+    usagePct: 78,
+    recoverableUsd: 68000,
+    talkingPoints: [
+      "28% of EC2 spend on instances running below 20% CPU — rightsizing opportunity",
+      "Benchmark $320k–$370k for our workload profile vs current $420k",
+      "Reserved Instance coverage at 42% — increasing to 70% would save ~$65k/year",
+      "Committed spend contract (EDP) would unlock 15–20% discount on committed tiers",
+    ],
+    drafts: [
+      {
+        tone: "firm",
+        subject: "AWS spend optimization — EDP and Reserved Instance conversation",
+        body: `Hi AWS team,
+
+We're spending $420k annually on AWS and want to optimize before the next budget cycle.
+
+Our analysis shows: 28% of EC2 spend on instances below 20% CPU utilization, Reserved Instance coverage at 42% (industry standard is 70%+), and no active EDP in place. Benchmark for our workload profile is $320k–$370k annually.
+
+We're requesting: an EDP commitment conversation targeting $350k/year with 3-year term, plus guidance on Reserved Instance conversion for our top 20 instance types. That should get us to $350k–$380k annually.
+
+Our alternative is to run the RI analysis ourselves and move 30% of workloads to GCP, which we've piloted successfully.
+
+Let's schedule a technical review with our Solutions Architect.
+
+[Engineering / Finance]`,
+      },
+      {
+        tone: "friendly",
+        subject: "AWS spend review — EDP discussion and RI optimization",
+        body: `Hi AWS team,
+
+We're happy with our AWS infrastructure and want to set up a conversation about optimizing our spend for the next year.
+
+Current annual run rate is $420k. Our Reserved Instance coverage is at 42% — we know that's leaving savings on the table. And we haven't evaluated an EDP yet. Benchmark data shows companies at our scale at $320k–$370k with better RI and commitment structures.
+
+Would love to connect with our SA to walk through an RI conversion plan and evaluate whether an EDP makes sense for our roadmap.
+
+Can we get something on the calendar this week?
+
+Best,
+[Engineering]`,
+      },
+      {
+        tone: "aggressive",
+        subject: "AWS spend — $350k commitment required; GCP migration scoped for 30% of workloads",
+        body: `Hi AWS team,
+
+We're at $420k/year and our benchmark data says we should be at $320k–$370k for our workload profile. The gap is $50k–$100k annually.
+
+We've piloted GCP for our analytics workloads — performance is comparable and the committed use discount structure is more transparent. We're not looking to migrate the full stack, but 30% of workloads are viable candidates.
+
+To stay fully on AWS, we need: an EDP at $350k committed annual spend with 15% discount on overages, plus RI conversion support on our top instance types.
+
+We need a proposal in 30 days or we'll expand the GCP pilot.
+
+[Engineering / Procurement]`,
+      },
+    ],
+  },
+};
+
+const GENERIC_PACKET = (vendorId: string): Omit<PacketResponse, "vendorId"> => ({
+  vendorName: vendorId.replace(/^vnd_/, "").replace(/_/g, " "),
+  currentSpend: 50000,
+  benchmarkRange: { low: 38000, high: 44000 },
+  usagePct: 65,
+  recoverableUsd: 11000,
+  talkingPoints: [
+    "65% active utilization — opportunity to right-size seat count",
+    "Benchmark range $38k–$44k vs current $50k spend",
+    "Comparable companies negotiating 12–18% reductions at renewal",
+    "Consider multi-year commit for better rate in exchange for certainty",
+  ],
+  drafts: [
+    {
+      tone: "firm",
+      subject: "Contract renewal — rate adjustment request",
+      body: `Hi [AE],
+
+Our contract is coming up for renewal. After reviewing usage data and benchmark comparisons, we believe an adjustment is warranted.
+
+Our active utilization is at 65%. Benchmark data for comparable customers shows rates 12–18% below our current $50k annual. We're requesting a reduction to $42k for the renewal term, reflecting actual usage and market rate.
+
+Please respond with a revised quote before the renewal date.
+
+[Procurement]`,
+    },
+    {
+      tone: "friendly",
+      subject: "Contract renewal — aligning on terms",
+      body: `Hi [AE],
+
+We've been happy with the product and want to renew. Before we finalize terms, we'd love to discuss rate alignment.
+
+Our utilization is at 65% of licensed capacity, and benchmark data suggests comparable customers are at $38k–$44k annually. We're currently at $50k.
+
+Can we get on a quick call to discuss? We're open to a longer term commitment if that helps on your end.
+
+Best,
+[Procurement]`,
+    },
+    {
+      tone: "aggressive",
+      subject: "Contract renewal — $42k required or we evaluate alternatives",
+      body: `Hi [AE],
+
+We're paying $50k annually at 65% utilization. Benchmark data shows we're 12–18% above market rate for comparable customers.
+
+Competitors have quoted us $40k–$42k for equivalent capability. We prefer to stay but not at a 20% premium.
+
+We need $42k confirmed before the renewal date or we'll execute on the alternative quotes we have in hand.
+
+[Procurement]`,
+    },
+  ],
+});
+
+export const renegotiationRoute = new Hono();
+
+renegotiationRoute.post("/:vendorId/renegotiation-packet", (c) => {
+  const vendorId = c.req.param("vendorId");
+  const packet = VENDOR_PACKETS[vendorId] ?? GENERIC_PACKET(vendorId);
+  const response: PacketResponse = { vendorId, ...packet };
+  return c.json(response);
+});
diff --git a/apps/api/src/routes/renewals.ts b/apps/api/src/routes/renewals.ts
new file mode 100644
index 0000000..c7ccadf
--- /dev/null
+++ b/apps/api/src/routes/renewals.ts
@@ -0,0 +1,163 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import type { Lens, Renewal, RenewalStatus } from "@unsyphn/shared";
+import {
+  renewalsStore,
+  type RenewalColumn,
+  type RenewalPatch,
+  type RenewalRecord,
+} from "../db/renewals-store.js";
+import { getSeededChangeReports, getUser } from "../seed/loader.js";
+import { readLensTags } from "../lib/change-report-views.js";
+import { ApiError } from "../lib/errors.js";
+import { ErrorCodes } from "@unsyphn/shared";
+
+const VALID_COLUMNS: ReadonlyArray<RenewalColumn> = ["triage", "negotiate", "sign"];
+
+const PatchSchema = z
+  .object({
+    column: z.enum(["triage", "negotiate", "sign"]).optional(),
+    ownerId: z.string().min(1).optional(),
+    declined: z.boolean().optional(),
+    autoRenewed: z.boolean().optional(),
+  })
+  .strict()
+  .refine(
+    (v) =>
+      v.column !== undefined ||
+      v.ownerId !== undefined ||
+      v.declined !== undefined ||
+      v.autoRenewed !== undefined,
+    { message: "At least one of column, ownerId, declined, autoRenewed must be provided" },
+  );
+
+function daysOut(renewsAt: string, now: Date): number {
+  const target = Date.parse(renewsAt);
+  if (!Number.isFinite(target)) return 0;
+  return Math.round((target - now.getTime()) / 86_400_000);
+}
+
+// Derive lens tags for a vendor by union over its seeded change reports'
+// lensTags. Empty when the vendor has no change reports — frontend falls
+// back to "show all" in that case.
+function lensTagsForVendor(vendorId: string): Lens[] {
+  const seen = new Set<Lens>();
+  for (const report of getSeededChangeReports()) {
+    if (report.vendorId !== vendorId) continue;
+    for (const t of readLensTags(report)) seen.add(t);
+  }
+  return [...seen];
+}
+
+function toRenewalDto(record: RenewalRecord, now: Date): Renewal & {
+  recommendedAction: string;
+  blockerCount: number;
+  seatUtilizationPct: number;
+} {
+  const owner = getUser(record.ownerId);
+  return {
+    id: record.id,
+    vendorId: record.vendorId,
+    vendorName: record.vendorName,
+    renewsAt: record.renewsAt,
+    daysOut: daysOut(record.renewsAt, now),
+    annualValueUsd: record.annualSpendUsd,
+    ownerEmail: owner?.email ?? "owner@acme.dev",
+    ownerId: record.ownerId,
+    status: record.currentColumn as RenewalStatus,
+    benchmarkDelta: record.priceDeltaPct,
+    declined: record.declined ?? false,
+    autoRenewed: record.autoRenewed ?? false,
+    lensTags: lensTagsForVendor(record.vendorId),
+    recommendedAction: record.recommendedAction,
+    blockerCount: record.blockerCount,
+    seatUtilizationPct: record.seatUtilizationPct,
+  };
+}
+
+export const renewalsRoute = new Hono();
+
+renewalsRoute.get("/", (c) => {
+  const days = Number(c.req.query("days") ?? 365);
+  const column = c.req.query("column");
+  const now = new Date();
+
+  let records = renewalsStore.list();
+
+  if (column && (VALID_COLUMNS as ReadonlyArray<string>).includes(column)) {
+    records = records.filter((r) => r.currentColumn === column);
+  }
+
+  const renewals = records
+    .map((r) => toRenewalDto(r, now))
+    .filter((r) => Number.isFinite(days) ? r.daysOut <= days : true)
+    .sort((a, b) => a.daysOut - b.daysOut);
+
+  return c.json({ renewals });
+});
+
+renewalsRoute.post("/:id/status", async (c) => {
+  const id = c.req.param("id");
+  const body = (await c.req.json().catch(() => ({}))) as { column?: string };
+  const column = body.column;
+  if (!column || !(VALID_COLUMNS as ReadonlyArray<string>).includes(column)) {
+    throw new ApiError(
+      ErrorCodes.Unprocessable,
+      `column must be one of: ${VALID_COLUMNS.join(", ")}`,
+    );
+  }
+  const updated = renewalsStore.setColumn(id, column as RenewalColumn);
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `No renewal found with id ${id}`);
+  }
+  const dto = toRenewalDto(updated, new Date());
+  return c.json({ renewal: dto });
+});
+
+renewalsRoute.patch("/:id", async (c) => {
+  const orgId = c.get("orgId");
+  const id = c.req.param("id");
+
+  const current = renewalsStore.get(id);
+  if (!current) {
+    throw new ApiError(ErrorCodes.NotFound, `No renewal found with id ${id}`);
+  }
+
+  let body: unknown;
+  try {
+    body = await c.req.json();
+  } catch {
+    throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
+  }
+
+  const parsed = PatchSchema.safeParse(body);
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+
+  // Owner must belong to caller's org (mirrors vendors.ts).
+  if (parsed.data.ownerId !== undefined) {
+    const owner = getUser(parsed.data.ownerId);
+    if (!owner || owner.orgId !== orgId) {
+      throw new ApiError(
+        ErrorCodes.Unprocessable,
+        `ownerId ${parsed.data.ownerId} is not a user in this org`,
+        { path: ["ownerId"] },
+      );
+    }
+  }
+
+  const patch: RenewalPatch = {};
+  if (parsed.data.column !== undefined) patch.currentColumn = parsed.data.column;
+  if (parsed.data.ownerId !== undefined) patch.ownerId = parsed.data.ownerId;
+  if (parsed.data.declined !== undefined) patch.declined = parsed.data.declined;
+  if (parsed.data.autoRenewed !== undefined) patch.autoRenewed = parsed.data.autoRenewed;
+
+  const updated = renewalsStore.update(id, patch);
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `Renewal ${id} disappeared`);
+  }
+  return c.json({ renewal: toRenewalDto(updated, new Date()) });
+});
diff --git a/apps/api/src/routes/reports.ts b/apps/api/src/routes/reports.ts
new file mode 100644
index 0000000..d60f917
--- /dev/null
+++ b/apps/api/src/routes/reports.ts
@@ -0,0 +1,205 @@
+import { Hono } from "hono";
+import { ApiError } from "../lib/errors.js";
+import { ErrorCodes } from "@unsyphn/shared";
+
+export type ReportSchedule = "monthly" | "weekly" | "quarterly" | "on-demand";
+export type ReportCategory = "risk" | "compliance" | "spend" | "operational";
+
+export interface Report {
+  id: string;
+  name: string;
+  description: string;
+  schedule: ReportSchedule;
+  category: ReportCategory;
+  lastGeneratedAt?: string;
+  nextRunAt?: string;
+  isCompliancePack: boolean;
+  downloadUrl?: string;
+}
+
+const DAY_MS = 86_400_000;
+
+interface SeedReport {
+  id: string;
+  name: string;
+  description: string;
+  schedule: ReportSchedule;
+  category: ReportCategory;
+  lastGeneratedAt?: string;
+  nextRunAt?: string;
+  isCompliancePack: boolean;
+}
+
+// Deterministic seed timestamps derived from the same "now" base used elsewhere
+// in the demo so the cards never look stale on cold boot. lastGenerated is in
+// the past; nextRun is computed from schedule.
+function seedReports(now: Date): SeedReport[] {
+  const daysAgo = (n: number) => new Date(now.getTime() - n * DAY_MS).toISOString();
+  const daysAhead = (n: number) => new Date(now.getTime() + n * DAY_MS).toISOString();
+
+  const list: SeedReport[] = [
+    {
+      id: "rpt_monthly_vendor_risk",
+      name: "Monthly Vendor Risk Report",
+      description: "P1/P2 change counts by month with vendor heatmap.",
+      schedule: "monthly",
+      category: "risk",
+      lastGeneratedAt: daysAgo(8),
+      nextRunAt: daysAhead(22),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_soc2_compliance_pack",
+      name: "SOC 2 Compliance Pack",
+      description: "Auditor-ready evidence bundle for SOC 2 Type II review.",
+      schedule: "on-demand",
+      category: "compliance",
+      isCompliancePack: true,
+    },
+    {
+      id: "rpt_renewal_forecast",
+      name: "Renewal Forecast Report",
+      description: "Renewals next 90 days with risk flags and benchmark deltas.",
+      schedule: "weekly",
+      category: "operational",
+      lastGeneratedAt: daysAgo(3),
+      nextRunAt: daysAhead(4),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_recoverable_spend",
+      name: "Recoverable Spend Report",
+      description: "Unused seats, price hikes, and duplicate-app waste with per-vendor breakdown.",
+      schedule: "monthly",
+      category: "spend",
+      lastGeneratedAt: daysAgo(12),
+      nextRunAt: daysAhead(18),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_subprocessor_diff",
+      name: "Sub-processor Diff Report",
+      description: "New and removed sub-processors per vendor with jurisdiction flags.",
+      schedule: "quarterly",
+      category: "compliance",
+      lastGeneratedAt: daysAgo(42),
+      nextRunAt: daysAhead(48),
+      isCompliancePack: false,
+    },
+  ];
+  return list;
+}
+
+interface GenerationRecord {
+  lastGeneratedAt: string;
+  downloadUrl: string;
+}
+
+const generationOverrides = new Map<string, GenerationRecord>();
+
+function toReport(seed: SeedReport, now: Date): Report {
+  const override = generationOverrides.get(seed.id);
+  const lastGenerated = override?.lastGeneratedAt ?? seed.lastGeneratedAt;
+  const out: Report = {
+    id: seed.id,
+    name: seed.name,
+    description: seed.description,
+    schedule: seed.schedule,
+    category: seed.category,
+    isCompliancePack: seed.isCompliancePack,
+  };
+  if (lastGenerated !== undefined) out.lastGeneratedAt = lastGenerated;
+  if (seed.nextRunAt !== undefined) out.nextRunAt = seed.nextRunAt;
+  const url =
+    override?.downloadUrl ?? (lastGenerated ? `/v1/reports/${seed.id}/bundle.html` : undefined);
+  if (url !== undefined) out.downloadUrl = url;
+  // now is reserved for future per-call computation (e.g. dynamic nextRunAt);
+  // referenced here so the param is never flagged as unused.
+  void now;
+  return out;
+}
+
+function findSeed(id: string, now: Date): SeedReport | undefined {
+  return seedReports(now).find((r) => r.id === id);
+}
+
+function escHtml(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+export const reportsRoute = new Hono();
+
+reportsRoute.get("/", (c) => {
+  const now = new Date();
+  const reports = seedReports(now).map((r) => toReport(r, now));
+  return c.json({ reports });
+});
+
+reportsRoute.get("/:id/bundle.html", (c) => {
+  const id = c.req.param("id");
+  const now = new Date();
+  const seed = findSeed(id, now);
+  if (!seed) {
+    throw new ApiError(ErrorCodes.NotFound, `Report ${id} not found`);
+  }
+  const generatedAt = generationOverrides.get(id)?.lastGeneratedAt ?? now.toISOString();
+  const html = `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>${escHtml(seed.name)}</title>
+<style>
+  body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; max-width: 820px; margin: 0 auto; padding: 48px 32px; color: #111; }
+  .mark { font-size: 9pt; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; color: #444; }
+  h1 { font-size: 22pt; margin: 8px 0 4px; letter-spacing: -0.02em; }
+  .meta { font-size: 9pt; color: #555; }
+  .desc { font-size: 11pt; margin: 24px 0; }
+  .footer { margin-top: 48px; padding-top: 12px; border-top: 1px solid #ccc; font-size: 8pt; color: #666; text-align: center; }
+  .badge { display: inline-block; padding: 2px 10px; border-radius: 999px; font-size: 9pt; font-weight: 700; background: #f1f5f9; color: #0f172a; }
+</style>
+</head>
+<body>
+  <p class="mark">UNSYPHN REPORT BUNDLE</p>
+  <h1>${escHtml(seed.name)}</h1>
+  <p class="meta">Report ID: ${escHtml(seed.id)} &middot; Generated: ${escHtml(generatedAt)}</p>
+  <p><span class="badge">${escHtml(seed.category)}</span> <span class="badge">${escHtml(seed.schedule)}</span></p>
+  <p class="desc">${escHtml(seed.description)}</p>
+  <div class="footer">Generated by Unsyphn at ${escHtml(generatedAt)}.</div>
+</body>
+</html>`;
+  return c.html(html);
+});
+
+reportsRoute.get("/:id", (c) => {
+  const id = c.req.param("id");
+  const now = new Date();
+  const seed = findSeed(id, now);
+  if (!seed) {
+    throw new ApiError(ErrorCodes.NotFound, `Report ${id} not found`);
+  }
+  return c.json(toReport(seed, now));
+});
+
+reportsRoute.post("/:id/generate", (c) => {
+  const id = c.req.param("id");
+  const now = new Date();
+  const seed = findSeed(id, now);
+  if (!seed) {
+    throw new ApiError(ErrorCodes.NotFound, `Report ${id} not found`);
+  }
+  const ts = now.toISOString();
+  generationOverrides.set(id, {
+    lastGeneratedAt: ts,
+    downloadUrl: `/v1/reports/${id}/bundle.html?gen=${encodeURIComponent(ts)}`,
+  });
+  return c.json(toReport(seed, now));
+});
+
+// Test-only — clears in-memory generation overrides.
+export function _resetReportState(): void {
+  generationOverrides.clear();
+}
diff --git a/apps/api/src/routes/requests.ts b/apps/api/src/routes/requests.ts
new file mode 100644
index 0000000..2121bb5
--- /dev/null
+++ b/apps/api/src/routes/requests.ts
@@ -0,0 +1,273 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { ErrorCodes, type IntakeRequest } from "@unsyphn/shared";
+import {
+  requestsStore,
+  type IntakeRequestRecord,
+  type RequestStatus,
+} from "../db/requests-store.js";
+import { ApiError } from "../lib/errors.js";
+import { getUser } from "../seed/loader.js";
+
+const VALID_STATUSES: ReadonlyArray<RequestStatus> = ["pending", "approved", "rejected", "routed"];
+
+const ROUTE_TARGETS = ["legal", "security", "finance", "procurement", "it", "audit"] as const;
+type RouteTarget = (typeof ROUTE_TARGETS)[number];
+
+// SLA: requests pending past this window are flagged auto-escalated.
+const SLA_WINDOW_MS = 48 * 60 * 60 * 1000;
+
+// Lens → category allowlist. Requests without a tagged category fall back to
+// procurement (every lens that includes procurement still sees them).
+const LENS_CATEGORIES: Record<string, ReadonlyArray<string>> = {
+  procurement: [],
+  legal: ["contracts", "dpa", "compliance", "data"],
+  security: ["security", "data", "infrastructure"],
+  finance: ["payments", "analytics", "spend"],
+  it: ["infrastructure", "productivity", "devtools"],
+  audit: [],
+};
+
+const createRequestSchema = z
+  .object({
+    vendorName: z.string().trim().min(2).max(80),
+    category: z.string().trim().min(2).max(40),
+    expectedSpendUsd: z.number().nonnegative(),
+    justification: z.string().trim().min(10).max(1000),
+    similarTools: z.array(z.string().trim().min(1)).max(20).optional(),
+  })
+  .strict();
+
+const decideSchema = z
+  .object({
+    status: z.enum(["approved", "rejected", "routed", "pending"]),
+    note: z.string().trim().min(1).max(500).optional(),
+    routeTo: z.enum(ROUTE_TARGETS).optional(),
+  })
+  .strict();
+
+const commentSchema = z
+  .object({
+    text: z.string().trim().min(1).max(500),
+  })
+  .strict();
+
+// Phase 6 DTO: legacy fields kept for backwards compat, new fields denormalize
+// requester/approver names + comment authors so the frontend doesn't need a
+// separate /v1/users call. `status` here carries the real RequestStatus
+// (including "routed") — wider than the legacy IntakeRequest contract.
+export interface RequestCommentDto {
+  id: string;
+  by: string;
+  at: string;
+  text: string;
+  authorName: string;
+  authorLetter: string;
+}
+
+export interface RequestDto extends Omit<IntakeRequest, "status"> {
+  status: RequestStatus;
+  category: string;
+  comments: RequestCommentDto[];
+  requesterId: string;
+  requesterName: string;
+  approverId?: string;
+  approverName?: string;
+  decidedAt?: string;
+  routeTo?: RouteTarget;
+  autoEscalated: boolean;
+  slaDueAt: string;
+}
+
+function avatarLetter(name: string | undefined, fallback: string): string {
+  const source = name && name.length > 0 ? name : fallback;
+  return source.charAt(0).toUpperCase();
+}
+
+function toDto(record: IntakeRequestRecord): RequestDto {
+  const requester = getUser(record.requesterId);
+  const approver = record.approverId ? getUser(record.approverId) : undefined;
+  const requesterName = requester?.name ?? record.requesterId;
+  const submittedMs = Date.parse(record.submittedAt);
+  const slaDueAt = new Date(submittedMs + SLA_WINDOW_MS).toISOString();
+  const autoEscalated =
+    record.status === "pending" && Date.now() - submittedMs > SLA_WINDOW_MS;
+
+  const comments: RequestCommentDto[] = record.comments.map((c) => {
+    const author = getUser(c.by);
+    const authorName = author?.name ?? c.by;
+    return {
+      id: c.id,
+      by: c.by,
+      at: c.at,
+      text: c.text,
+      authorName,
+      authorLetter: avatarLetter(author?.name, c.by),
+    };
+  });
+
+  const dto: RequestDto = {
+    id: record.id,
+    vendorName: record.vendorName,
+    requesterEmail: requester?.email ?? "requester@acme.dev",
+    expectedSpendUsd: record.expectedSpendUsd,
+    justification: record.justification,
+    status: record.status,
+    similarTools: record.similarTools,
+    createdAt: record.submittedAt,
+    category: record.category,
+    comments,
+    requesterId: record.requesterId,
+    requesterName,
+    autoEscalated,
+    slaDueAt,
+  };
+  if (record.approverId !== undefined) dto.approverId = record.approverId;
+  if (approver?.name) dto.approverName = approver.name;
+  if (record.decidedAt !== undefined) dto.decidedAt = record.decidedAt;
+  if (record.routeTo !== undefined) dto.routeTo = record.routeTo;
+  return dto;
+}
+
+function nowIso(): string {
+  return new Date().toISOString();
+}
+
+function nextId(): string {
+  return `req_${Math.random().toString(36).slice(2, 10)}`;
+}
+
+function matchesLens(record: IntakeRequestRecord, lens: string): boolean {
+  if (lens === "procurement") return true;
+  if (lens === "audit") {
+    const submittedMs = Date.parse(record.submittedAt);
+    const escalated =
+      record.status === "pending" && Date.now() - submittedMs > SLA_WINDOW_MS;
+    return escalated || record.routeTo === "audit";
+  }
+  if (record.routeTo === lens) return true;
+  const allowed = LENS_CATEGORIES[lens] ?? [];
+  return allowed.includes(record.category);
+}
+
+export const requestsRoute = new Hono();
+
+requestsRoute.get("/:id", (c) => {
+  const auth = c.get("auth");
+  const id = c.req.param("id");
+  const record = requestsStore.get(id);
+  // requestsStore.get does not enforce orgId; verify here so we don't
+  // leak existence across orgs (404 either way, not 403).
+  if (!record || record.orgId !== auth.orgId) {
+    throw new ApiError(ErrorCodes.NotFound, `No request found with id ${id}`);
+  }
+  return c.json({ request: toDto(record) });
+});
+
+requestsRoute.get("/", (c) => {
+  const auth = c.get("auth");
+  const status = c.req.query("status") ?? "all";
+  const lens = c.req.query("lens");
+
+  let records = requestsStore.list(auth.orgId);
+  if (status !== "all") {
+    if (!(VALID_STATUSES as ReadonlyArray<string>).includes(status)) {
+      throw new ApiError(
+        ErrorCodes.Unprocessable,
+        `status must be one of: all, ${VALID_STATUSES.join(", ")}`,
+      );
+    }
+    records = records.filter((r) => r.status === (status as RequestStatus));
+  }
+
+  if (lens && LENS_CATEGORIES[lens] !== undefined) {
+    const filtered = records.filter((r) => matchesLens(r, lens));
+    // Don't strand the user with an empty list when the lens excludes everything.
+    if (filtered.length > 0 || records.length === 0) {
+      records = filtered;
+    }
+  }
+
+  const requests = records
+    .slice()
+    .sort((a, b) => Date.parse(b.submittedAt) - Date.parse(a.submittedAt))
+    .map(toDto);
+
+  return c.json({ requests });
+});
+
+requestsRoute.post("/", async (c) => {
+  const auth = c.get("auth");
+  const parsed = createRequestSchema.safeParse(await c.req.json().catch(() => ({})));
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+
+  const record = requestsStore.create({
+    id: nextId(),
+    orgId: auth.orgId,
+    requesterId: auth.userId,
+    vendorName: parsed.data.vendorName,
+    category: parsed.data.category,
+    expectedSpendUsd: parsed.data.expectedSpendUsd,
+    justification: parsed.data.justification,
+    similarTools: parsed.data.similarTools ?? [],
+    submittedAt: nowIso(),
+  });
+
+  return c.json({ request: toDto(record) }, 201);
+});
+
+requestsRoute.post("/:id/decision", async (c) => {
+  const auth = c.get("auth");
+  const id = c.req.param("id");
+  const parsed = decideSchema.safeParse(await c.req.json().catch(() => ({})));
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+
+  if (parsed.data.status === "routed" && !parsed.data.routeTo) {
+    throw new ApiError(ErrorCodes.Unprocessable, "routeTo is required when status is routed");
+  }
+
+  const decision: Parameters<typeof requestsStore.decide>[1] = {
+    status: parsed.data.status,
+    approverId: auth.userId,
+    decidedAt: nowIso(),
+  };
+  if (parsed.data.note !== undefined) decision.note = parsed.data.note;
+  if (parsed.data.routeTo !== undefined) decision.routeTo = parsed.data.routeTo;
+
+  const updated = requestsStore.decide(id, decision);
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `No request found with id ${id}`);
+  }
+
+  return c.json({ request: toDto(updated) });
+});
+
+requestsRoute.post("/:id/comments", async (c) => {
+  const auth = c.get("auth");
+  const id = c.req.param("id");
+  const parsed = commentSchema.safeParse(await c.req.json().catch(() => ({})));
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+
+  const updated = requestsStore.addComment(id, {
+    by: auth.userId,
+    at: nowIso(),
+    text: parsed.data.text,
+  });
+  if (!updated) {
+    throw new ApiError(ErrorCodes.NotFound, `No request found with id ${id}`);
+  }
+
+  return c.json({ request: toDto(updated) });
+});
diff --git a/apps/api/src/routes/stream.ts b/apps/api/src/routes/stream.ts
index 41e0012..e6cbee0 100644
--- a/apps/api/src/routes/stream.ts
+++ b/apps/api/src/routes/stream.ts
@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import type { StoredStreamEvent } from "@redline/shared";
+import type { StoredStreamEvent } from "@unsyphn/shared";
 import type { EventBroker } from "../stream/broker.js";
 import { formatHeartbeat, formatSseEvent } from "../stream/events.js";
 
diff --git a/apps/api/src/routes/sub-processors.ts b/apps/api/src/routes/sub-processors.ts
new file mode 100644
index 0000000..3292b62
--- /dev/null
+++ b/apps/api/src/routes/sub-processors.ts
@@ -0,0 +1,90 @@
+import { readFileSync } from "node:fs";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Hono } from "hono";
+import { ApiError } from "../lib/errors.js";
+import { ErrorCodes } from "@unsyphn/shared";
+import { customerContractsStore } from "../db/customer-contracts-store.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+interface SubProcessor {
+  name: string;
+  jurisdiction: string;
+  purpose: string;
+  adequate: boolean;
+  addedAt: string;
+  flagged?: boolean;
+  flagReason?: string;
+}
+
+interface VendorSeedEntry {
+  vendorName: string;
+  subProcessors: SubProcessor[];
+  lastChangeAt: string;
+}
+
+type SeedData = Record<string, VendorSeedEntry>;
+
+interface CustomerNotification {
+  customerName: string;
+  contractId: string;
+  domain: string;
+  ourObligation: string;
+  affectedSubProcessor: string;
+  notifyByDate: string;
+  suggestedAction: string;
+}
+
+function loadSeed(): SeedData {
+  const path = resolve(__dirname, "../seed/sub-processors.json");
+  return JSON.parse(readFileSync(path, "utf8")) as SeedData;
+}
+
+function addDays(isoDate: string, days: number): string {
+  const d = new Date(isoDate);
+  d.setUTCDate(d.getUTCDate() + days);
+  return d.toISOString().split("T")[0] ?? isoDate;
+}
+
+function buildNotifications(flaggedSPs: SubProcessor[]): CustomerNotification[] {
+  if (flaggedSPs.length === 0) return [];
+  const firstFlagged = flaggedSPs[0]!;
+
+  return customerContractsStore
+    .listNotificationCandidates()
+    .map((c) => ({
+      customerName: c.customerName,
+      contractId: c.contractId,
+      domain: c.domain,
+      ourObligation: `${c.noticeDays}-day notice for non-adequate jurisdiction additions (${c.dpaClause})`,
+      affectedSubProcessor: firstFlagged.name,
+      notifyByDate: addDays(firstFlagged.addedAt, c.noticeDays),
+      suggestedAction: "Draft notice email",
+    }));
+}
+
+export const subProcessorsRoute = new Hono();
+
+subProcessorsRoute.get("/:id/sub-processors", (c) => {
+  const vendorId = c.req.param("id");
+  const seed = loadSeed();
+  const entry = seed[vendorId];
+
+  if (!entry) {
+    throw new ApiError(ErrorCodes.NotFound, `No sub-processor data found for vendor ${vendorId}`);
+  }
+
+  const flaggedSPs = entry.subProcessors.filter((sp) => sp.flagged === true);
+  const flaggedCount = flaggedSPs.length;
+  const customerNotifications = buildNotifications(flaggedSPs);
+
+  return c.json({
+    vendorId,
+    vendorName: entry.vendorName,
+    subProcessors: entry.subProcessors,
+    lastChangeAt: entry.lastChangeAt,
+    flaggedCount,
+    customerNotifications,
+  });
+});
diff --git a/apps/api/src/routes/team.ts b/apps/api/src/routes/team.ts
new file mode 100644
index 0000000..22e3b1d
--- /dev/null
+++ b/apps/api/src/routes/team.ts
@@ -0,0 +1,56 @@
+import { Hono } from "hono";
+import { z } from "zod";
+import { ErrorCodes } from "@unsyphn/shared";
+import { ApiError } from "../lib/errors.js";
+import { listUsers } from "../seed/loader.js";
+
+const inviteSchema = z
+  .object({
+    email: z.string().email(),
+    role: z.string().min(1).optional(),
+  })
+  .strict();
+
+interface PendingInvite {
+  id: string;
+  email: string;
+  role: string;
+  invitedAt: string;
+  status: "pending";
+}
+
+const invites = new Map<string, PendingInvite>();
+
+export const teamRoute = new Hono();
+
+teamRoute.get("/members", (c) => {
+  const orgId = c.get("orgId");
+  const members = listUsers()
+    .filter((u) => u.orgId === orgId)
+    .map((u) => ({
+      id: u.id,
+      name: u.name,
+      email: u.email,
+      role: u.role,
+      avatarLetter: u.avatarLetter ?? u.name.charAt(0).toUpperCase(),
+    }));
+  return c.json({ members });
+});
+
+teamRoute.post("/invites", async (c) => {
+  const parsed = inviteSchema.safeParse(await c.req.json().catch(() => ({})));
+  if (!parsed.success) {
+    throw new ApiError(ErrorCodes.Unprocessable, "Request body is invalid", {
+      issues: parsed.error.flatten(),
+    });
+  }
+  const invite: PendingInvite = {
+    id: `inv_${Date.now()}`,
+    email: parsed.data.email,
+    role: parsed.data.role ?? "Procurement",
+    invitedAt: new Date().toISOString(),
+    status: "pending",
+  };
+  invites.set(invite.id, invite);
+  return c.json({ invited: invite.email, status: invite.status, invite });
+});
diff --git a/apps/api/src/routes/vendors.ts b/apps/api/src/routes/vendors.ts
index 3bce2b5..1e4a5f6 100644
--- a/apps/api/src/routes/vendors.ts
+++ b/apps/api/src/routes/vendors.ts
@@ -3,16 +3,64 @@ import { z } from "zod";
 import {
   ErrorCodes,
   VendorCreateSchema,
+  type ChangeReportId,
+  type Lens,
   type Vendor,
   type VendorCreateResponse,
   type VendorUrls,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import { ApiError } from "../lib/errors.js";
 import { newId } from "../lib/ids.js";
 import { discoverUrls, type DiscoveryOptions } from "../lib/discovery.js";
 import { vendorStore } from "../db/vendor-store.js";
-import { getUser } from "../seed/loader.js";
+import { contractsStore } from "../db/contracts-store.js";
+import { vendorEventsStore } from "../db/vendor-events-store.js";
+import {
+  getSeededChangeReports,
+  getUser,
+} from "../seed/loader.js";
+import { readLensTags, toFeedChange } from "../lib/change-report-views.js";
 import { queueFirstScan } from "../agent/queue.js";
+import type { ChangeReportRepository } from "../db/changeReports.js";
+
+const VALID_LENSES = new Set<Lens>([
+  "procurement",
+  "legal",
+  "security",
+  "finance",
+  "it",
+  "audit",
+]);
+
+const VendorPatchSchema = z.object({
+  ownerId: z.string().optional(),
+  tier: z.union([z.literal(1), z.literal(2), z.literal(3)]).optional(),
+  posture: z.enum(["ok", "watch", "risk"]).optional(),
+});
+
+const ContractUploadSchema = z.object({
+  filename: z.string().min(1).max(200),
+  sizeBytes: z.number().int().positive(),
+  contentBase64: z.string().min(1),
+});
+
+const MAX_CONTRACT_BYTES = 10_000_000;
+
+function contentTypeForFilename(filename: string): string {
+  const ext = filename.toLowerCase().match(/\.[a-z0-9]+$/)?.[0];
+  switch (ext) {
+    case ".pdf":
+      return "application/pdf";
+    case ".docx":
+      return "application/vnd.openxmlformats-officedocument.wordprocessingml.document";
+    case ".doc":
+      return "application/msword";
+    case ".txt":
+      return "text/plain";
+    default:
+      return "application/octet-stream";
+  }
+}
 
 export interface VendorsRouteOverrides {
   discovery?: DiscoveryOptions;
@@ -40,89 +88,465 @@ function flattenZodIssue(err: z.ZodError): {
   };
 }
 
-export const vendorsRoute = new Hono();
+// Phase 4 uses an optional reports repo for the Activity timeline. The legacy
+// `vendorsRoute` export is preserved (created with no repo) so existing
+// imports keep working; `createVendorsRouter` is the new factory.
+export function createVendorsRouter(deps: { reports?: ChangeReportRepository } = {}): Hono {
+  const router = new Hono();
 
-vendorsRoute.post("/", async (c) => {
-  const orgId = c.get("orgId");
+  router.post("/", async (c) => {
+    const orgId = c.get("orgId");
 
-  let body: unknown;
-  try {
-    body = await c.req.json();
-  } catch {
-    throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
-  }
+    let body: unknown;
+    try {
+      body = await c.req.json();
+    } catch {
+      throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
+    }
 
-  const parsed = VendorCreateSchema.safeParse(body);
-  if (!parsed.success) {
-    const { message, details } = flattenZodIssue(parsed.error);
-    throw new ApiError(ErrorCodes.ValidationFailed, message, details);
-  }
-  const input = parsed.data;
-
-  // Owner must exist in the calling org.
-  const owner = getUser(input.ownerId);
-  if (!owner || owner.orgId !== orgId) {
-    throw new ApiError(
-      ErrorCodes.Unprocessable,
-      `ownerId ${input.ownerId} is not a user in this org`,
-      { path: ["ownerId"] },
+    const parsed = VendorCreateSchema.safeParse(body);
+    if (!parsed.success) {
+      const { message, details } = flattenZodIssue(parsed.error);
+      throw new ApiError(ErrorCodes.ValidationFailed, message, details);
+    }
+    const input = parsed.data;
+
+    const owner = getUser(input.ownerId);
+    if (!owner || owner.orgId !== orgId) {
+      throw new ApiError(
+        ErrorCodes.Unprocessable,
+        `ownerId ${input.ownerId} is not a user in this org`,
+        { path: ["ownerId"] },
+      );
+    }
+
+    const dupe = vendorStore.findByHomepage(orgId, input.homepageUrl);
+    if (dupe) {
+      throw new ApiError(
+        ErrorCodes.Duplicate,
+        `A vendor with this homepage already exists`,
+        { vendorId: dupe.id, name: dupe.name },
+      );
+    }
+
+    const discovered = await discoverUrls(input.homepageUrl, overrides.discovery);
+    if (discovered.missing.length > 0) {
+      throw new ApiError(
+        ErrorCodes.DiscoveryIncomplete,
+        `Could not discover ${discovered.missing.join(", ")} from ${input.homepageUrl}`,
+        { found: discovered.found, missing: discovered.missing },
+      );
+    }
+
+    const urls: VendorUrls = {
+      homepage: input.homepageUrl,
+      terms: discovered.found.terms!,
+      pricing: discovered.found.pricing!,
+      dpa: discovered.found.dpa!,
+      subProcessors: discovered.found.subProcessors!,
+      security: discovered.found.security!,
+      sla: discovered.found.sla!,
+    };
+
+    const vendor: Vendor = {
+      id: newId("vendor"),
+      orgId,
+      name: input.name,
+      category: "uncategorized",
+      tier: input.tier,
+      posture: "ok",
+      dataClasses: input.dataClasses,
+      ownerId: input.ownerId,
+      urls,
+    };
+    if (input.contract) vendor.contract = input.contract;
+    vendorStore.add(vendor);
+
+    const { runId } = await queueFirstScan(
+      { orgId, vendorId: vendor.id },
+      overrides.stubRunner,
     );
-  }
 
-  // Duplicate detection by normalized homepage within the org.
-  const dupe = vendorStore.findByHomepage(orgId, input.homepageUrl);
-  if (dupe) {
-    throw new ApiError(
-      ErrorCodes.Duplicate,
-      `A vendor with this homepage already exists`,
-      { vendorId: dupe.id, name: dupe.name },
+    const response: VendorCreateResponse = {
+      id: vendor.id,
+      name: vendor.name,
+      firstScanRunId: runId,
+      discoveredUrls: urls,
+    };
+    return c.json(response, 201);
+  });
+
+  // GET /v1/vendors[?lens=<lens>] — list vendors for the calling org.
+  router.get("/", (c) => {
+    const orgId = c.get("orgId");
+    const lensParam = c.req.query("lens");
+    const vendors = vendorStore.list(orgId);
+
+    if (!lensParam || !VALID_LENSES.has(lensParam as Lens)) {
+      return c.json({ vendors });
+    }
+    const lens = lensParam as Lens;
+
+    const vendorIdsForLens = new Set<string>();
+    for (const report of getSeededChangeReports()) {
+      if (report.orgId !== orgId) continue;
+      if (readLensTags(report).includes(lens)) {
+        vendorIdsForLens.add(report.vendorId);
+      }
+    }
+
+    const filtered = vendors.filter((v) => vendorIdsForLens.has(v.id));
+    return c.json({ vendors: filtered.length > 0 ? filtered : vendors });
+  });
+
+  // GET /v1/vendors/:id — fetch a single vendor in the calling org.
+  router.get("/:id", (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+    return c.json(vendor);
+  });
+
+  // PATCH /v1/vendors/:id — mutate ownerId / tier / posture on a vendor.
+  router.patch("/:id", async (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+
+    const current = vendorStore.get(id);
+    if (!current || current.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+
+    let body: unknown;
+    try {
+      body = await c.req.json();
+    } catch {
+      throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
+    }
+
+    const parsed = VendorPatchSchema.safeParse(body);
+    if (!parsed.success) {
+      const { message, details } = flattenZodIssue(parsed.error);
+      throw new ApiError(ErrorCodes.ValidationFailed, message, details);
+    }
+    const patch = parsed.data;
+
+    if (patch.ownerId) {
+      const owner = getUser(patch.ownerId);
+      if (!owner || owner.orgId !== orgId) {
+        throw new ApiError(
+          ErrorCodes.Unprocessable,
+          `ownerId ${patch.ownerId} is not a user in this org`,
+          { path: ["ownerId"] },
+        );
+      }
+    }
+
+    const auth = c.get("auth");
+    const actor = auth?.userId ?? "system";
+
+    const updated = vendorStore.update(id, patch);
+    if (!updated) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} disappeared`);
+    }
+
+    // Record one event per field changed so the activity timeline reads cleanly.
+    for (const [field, after] of Object.entries(patch)) {
+      const before = (current as unknown as Record<string, unknown>)[field];
+      if (before === after) continue;
+      vendorEventsStore.add({
+        vendorId: id,
+        kind: "vendor.patch",
+        actor,
+        occurredAt: new Date().toISOString(),
+        detail: { field, before, after },
+      });
+    }
+    return c.json(updated);
+  });
+
+  // GET /v1/vendors/:id/contracts — list uploaded contracts for a vendor.
+  router.get("/:id/contracts", (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+    const contracts = contractsStore.listByVendor(id).map((r) => ({
+      id: r.id,
+      vendorId: r.vendorId,
+      filename: r.filename,
+      sizeBytes: r.sizeBytes,
+      uploadedBy: r.uploadedBy,
+      uploadedAt: r.uploadedAt,
+    }));
+    return c.json({ contracts });
+  });
+
+  // POST /v1/vendors/:id/contracts — JSON body { filename, sizeBytes, contentBase64 }.
+  router.post("/:id/contracts", async (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+
+    let body: unknown;
+    try {
+      body = await c.req.json();
+    } catch {
+      throw new ApiError(ErrorCodes.ValidationFailed, "Body must be JSON");
+    }
+
+    const parsed = ContractUploadSchema.safeParse(body);
+    if (!parsed.success) {
+      const { message, details } = flattenZodIssue(parsed.error);
+      throw new ApiError(ErrorCodes.ValidationFailed, message, details);
+    }
+
+    if (parsed.data.sizeBytes > MAX_CONTRACT_BYTES) {
+      throw new ApiError(
+        ErrorCodes.Unprocessable,
+        `Contract file exceeds ${MAX_CONTRACT_BYTES} bytes`,
+        { sizeBytes: parsed.data.sizeBytes, max: MAX_CONTRACT_BYTES },
+      );
+    }
+
+    const auth = c.get("auth");
+    const actor = auth?.userId ?? "system";
+    const now = new Date().toISOString();
+
+    const record = contractsStore.add({
+      vendorId: id,
+      filename: parsed.data.filename,
+      sizeBytes: parsed.data.sizeBytes,
+      contentBase64: parsed.data.contentBase64,
+      uploadedBy: actor,
+      uploadedAt: now,
+    });
+
+    vendorEventsStore.add({
+      vendorId: id,
+      kind: "contract.upload",
+      actor,
+      occurredAt: now,
+      detail: { contractId: record.id, filename: record.filename },
+    });
+
+    return c.json(
+      {
+        id: record.id,
+        vendorId: record.vendorId,
+        filename: record.filename,
+        sizeBytes: record.sizeBytes,
+        uploadedBy: record.uploadedBy,
+        uploadedAt: record.uploadedAt,
+      },
+      201,
     );
-  }
+  });
+
+  // GET /v1/vendors/:id/contracts/:contractId/download — stream the original
+  // file back as a binary download. Filename drives Content-Type via extension.
+  router.get("/:id/contracts/:contractId/download", (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const contractId = c.req.param("contractId");
+
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+
+    const record = contractsStore.getById(id, contractId);
+    if (!record) {
+      throw new ApiError(
+        ErrorCodes.NotFound,
+        `Contract ${contractId} not found for vendor ${id}`,
+      );
+    }
+
+    const buf = Buffer.from(record.contentBase64, "base64");
+    // Copy into a fresh ArrayBuffer-backed Uint8Array — Buffer's underlying
+    // SharedArrayBuffer doesn't satisfy Hono's `Uint8Array<ArrayBuffer>` type.
+    const bytes = new Uint8Array(new ArrayBuffer(buf.byteLength));
+    bytes.set(buf);
+
+    const contentType = contentTypeForFilename(record.filename);
+    // RFC 5987 — quote ASCII fallback and add filename* for non-ASCII.
+    const ascii = record.filename.replace(/[^\x20-\x7E]/g, "_");
+    const encoded = encodeURIComponent(record.filename);
+    const disposition = `attachment; filename="${ascii.replace(/"/g, '\\"')}"; filename*=UTF-8''${encoded}`;
+
+    c.header("Content-Type", contentType);
+    c.header("Content-Disposition", disposition);
+    c.header("Content-Length", String(bytes.byteLength));
+    return c.body(bytes);
+  });
 
-  // URL discovery. Returns 422 if any of the 6 monitored URLs can't be found.
-  const discovered = await discoverUrls(input.homepageUrl, overrides.discovery);
-  if (discovered.missing.length > 0) {
-    throw new ApiError(
-      ErrorCodes.DiscoveryIncomplete,
-      `Could not discover ${discovered.missing.join(", ")} from ${input.homepageUrl}`,
-      { found: discovered.found, missing: discovered.missing },
+  // GET /v1/vendors/:id/activity — unified audit log for the vendor.
+  router.get("/:id/activity", async (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+
+    const events: Array<{
+      id: string;
+      kind: string;
+      actor: string;
+      occurredAt: string;
+      title: string;
+      detail?: Record<string, unknown>;
+      changeReportId?: string;
+    }> = [];
+
+    // 1. Seeded ChangeReports: detection + lifecycle timestamps.
+    const seeded = getSeededChangeReports().filter(
+      (r) => r.orgId === orgId && r.vendorId === id,
     );
-  }
+    for (const report of seeded) {
+      events.push({
+        id: `${report.id}:detected`,
+        kind: "change.detected",
+        actor: "system",
+        occurredAt: report.detectedAt,
+        title: report.changes[0]?.summary ?? "Change detected",
+        changeReportId: report.id,
+        detail: { severity: report.severity },
+      });
 
-  const urls: VendorUrls = {
-    homepage: input.homepageUrl,
-    terms: discovered.found.terms!,
-    pricing: discovered.found.pricing!,
-    dpa: discovered.found.dpa!,
-    subProcessors: discovered.found.subProcessors!,
-    security: discovered.found.security!,
-    sla: discovered.found.sla!,
-  };
+      // Lifecycle timestamps if present. The seeded repo holds the most
+      // recent version; mutations via /v1/changes/:id/* are also captured
+      // by querying the live reports repo below if provided.
+      if (report.acknowledgedAt) {
+        events.push({
+          id: `${report.id}:acknowledged`,
+          kind: "change.acknowledged",
+          actor: report.stateChangedBy ?? "system",
+          occurredAt: report.acknowledgedAt,
+          title: `Change acknowledged: ${report.changes[0]?.summary ?? report.id}`,
+          changeReportId: report.id,
+        });
+      }
+      if (report.snoozedUntil) {
+        events.push({
+          id: `${report.id}:snoozed`,
+          kind: "change.snoozed",
+          actor: report.stateChangedBy ?? "system",
+          occurredAt: report.snoozedUntil,
+          title: `Change snoozed until ${report.snoozedUntil}`,
+          changeReportId: report.id,
+        });
+      }
+      if (report.resolvedAt) {
+        events.push({
+          id: `${report.id}:resolved`,
+          kind: "change.resolved",
+          actor: report.stateChangedBy ?? "system",
+          occurredAt: report.resolvedAt,
+          title: `Change resolved: ${report.changes[0]?.summary ?? report.id}`,
+          changeReportId: report.id,
+        });
+      }
+    }
 
-  const vendor: Vendor = {
-    id: newId("vendor"),
-    orgId,
-    name: input.name,
-    category: "uncategorized",
-    tier: input.tier,
-    posture: "ok",
-    dataClasses: input.dataClasses,
-    ownerId: input.ownerId,
-    urls,
-  };
-  if (input.contract) vendor.contract = input.contract;
-  vendorStore.add(vendor);
-
-  const { runId } = await queueFirstScan(
-    { orgId, vendorId: vendor.id },
-    overrides.stubRunner,
-  );
-
-  const response: VendorCreateResponse = {
-    id: vendor.id,
-    name: vendor.name,
-    firstScanRunId: runId,
-    discoveredUrls: urls,
-  };
-  return c.json(response, 201);
-});
+    // 2. Live lifecycle versions and escalations from the runtime repo.
+    if (deps.reports) {
+      for (const report of seeded) {
+        try {
+          const escalations = await deps.reports.listEscalations(
+            report.id as ChangeReportId,
+          );
+          for (const esc of escalations) {
+            events.push({
+              id: `${report.id}:escalation:${esc.escalatedAt}`,
+              kind: "change.escalated",
+              actor: esc.byUserId,
+              occurredAt: esc.escalatedAt,
+              title: `Escalated to ${esc.toRole}`,
+              changeReportId: report.id,
+              detail: { toRole: esc.toRole, jiraKey: esc.jiraKey, slackChannel: esc.slackChannel },
+            });
+          }
+        } catch {
+          // If repo lookups throw we still want the rest of the timeline.
+        }
+      }
+    }
+
+    // 3. Vendor-level events (PATCH, contracts, packets, scans).
+    for (const ev of vendorEventsStore.listByVendor(id)) {
+      let title: string = ev.kind;
+      if (ev.kind === "vendor.patch" && ev.detail) {
+        const { field, before, after } = ev.detail as { field?: string; before?: unknown; after?: unknown };
+        title = `${field ?? "Field"} updated: ${String(before ?? "—")} → ${String(after ?? "—")}`;
+      } else if (ev.kind === "contract.upload" && ev.detail) {
+        title = `Contract uploaded: ${(ev.detail as { filename?: string }).filename ?? "file"}`;
+      } else if (ev.kind === "packet.generated") {
+        title = "Renegotiation packet generated";
+      } else if (ev.kind === "scan.triggered") {
+        title = "Manual scan triggered";
+      }
+      const baseEvent: {
+        id: string;
+        kind: string;
+        actor: string;
+        occurredAt: string;
+        title: string;
+        detail?: Record<string, unknown>;
+      } = {
+        id: ev.id,
+        kind: ev.kind,
+        actor: ev.actor,
+        occurredAt: ev.occurredAt,
+        title,
+      };
+      if (ev.detail) baseEvent.detail = ev.detail;
+      events.push(baseEvent);
+    }
+
+    events.sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+
+    // Latest change report id for "Export evidence bundle" linking.
+    const feed = seeded
+      .map(toFeedChange)
+      .sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+    const latestChangeId = feed[0]?.id ?? null;
+
+    return c.json({ events, latestChangeId });
+  });
+
+  // POST /v1/vendors/:id/scan — record a manual scan trigger (synthetic).
+  router.post("/:id/scan", (c) => {
+    const orgId = c.get("orgId");
+    const id = c.req.param("id");
+    const vendor = vendorStore.get(id);
+    if (!vendor || vendor.orgId !== orgId) {
+      throw new ApiError(ErrorCodes.NotFound, `Vendor ${id} not in org`);
+    }
+    const auth = c.get("auth");
+    const actor = auth?.userId ?? "system";
+    const ev = vendorEventsStore.add({
+      vendorId: id,
+      kind: "scan.triggered",
+      actor,
+      occurredAt: new Date().toISOString(),
+    });
+    return c.json({ ok: true, triggeredAt: ev.occurredAt });
+  });
+
+  return router;
+}
+
+// Preserve the existing module-level export so external imports
+// (apps/api/src/app.ts pre-Phase-4) still work. The factory in
+// `createVendorsRouter` is the preferred entry point.
+export const vendorsRoute = createVendorsRouter();
diff --git a/apps/api/src/routes/webhooks-stripe.ts b/apps/api/src/routes/webhooks-stripe.ts
index 17c8ec7..6efe4b6 100644
--- a/apps/api/src/routes/webhooks-stripe.ts
+++ b/apps/api/src/routes/webhooks-stripe.ts
@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import Stripe from "stripe";
-import { ErrorCodes } from "@redline/shared";
+import { ErrorCodes } from "@unsyphn/shared";
 import { ApiError } from "../lib/errors.js";
 import { env } from "../env.js";
 import { stripe } from "../providers/stripe.js";
diff --git a/apps/api/src/seed/factories.ts b/apps/api/src/seed/factories.ts
index b76b646..527bc73 100644
--- a/apps/api/src/seed/factories.ts
+++ b/apps/api/src/seed/factories.ts
@@ -1,4 +1,4 @@
-import type { ChangeReport, ChangeReportId, ChangeState, OrgId, RunId, Severity, UserId, VendorId } from "@redline/shared";
+import type { ChangeReport, ChangeReportId, ChangeState, OrgId, RunId, Severity, UserId, VendorId } from "@unsyphn/shared";
 import type { SeedToken } from "../auth.js";
 
 export interface SeedOrg {
diff --git a/apps/api/src/seed/loader.ts b/apps/api/src/seed/loader.ts
index 90b2ef4..d2fadea 100644
--- a/apps/api/src/seed/loader.ts
+++ b/apps/api/src/seed/loader.ts
@@ -1,9 +1,18 @@
 import { readFileSync } from "node:fs";
 import { resolve } from "node:path";
-import type { ChangeReport, Org, User, Vendor } from "@redline/shared";
+import type { ChangeReport, Org, User, Vendor } from "@unsyphn/shared";
 import { vendorStore } from "../db/vendor-store.js";
-import { changeReportStore } from "../db/change-reports.js";
 import { policyStore, type SeededPolicy } from "../db/policy-store.js";
+import { renewalsStore, type RenewalRecord } from "../db/renewals-store.js";
+import { requestsStore, type IntakeRequestRecord } from "../db/requests-store.js";
+import {
+  integrationsStore,
+  type IntegrationRecord,
+} from "../db/integrations-store.js";
+import {
+  customerContractsStore,
+  type CustomerContractRecord,
+} from "../db/customer-contracts-store.js";
 
 // Locate seed/ relative to repo root. apps/api is two levels deep.
 function seedDir(): string {
@@ -13,7 +22,7 @@ function seedDir(): string {
 interface Caches {
   orgs: Map<string, Org>;
   users: Map<string, User>;
-  tokens: Map<string, string>; // bearer-token → orgId
+  tokens: Map<string, string>;
   changeReports: ChangeReport[];
 }
 
@@ -38,6 +47,14 @@ export function loadSeeds(opts?: { seedDir?: string }): void {
   const changeReports = readJson<ChangeReport[]>(
     resolve(dir, "change-reports.json"),
   );
+  const renewals = readJson<RenewalRecord[]>(resolve(dir, "renewals.json"));
+  const requests = readJson<IntakeRequestRecord[]>(resolve(dir, "requests.json"));
+  const integrations = readJson<IntegrationRecord[]>(
+    resolve(dir, "integrations.json"),
+  );
+  const customerContracts = readJson<CustomerContractRecord[]>(
+    resolve(dir, "customer-contracts.json"),
+  );
 
   caches.orgs.clear();
   caches.users.clear();
@@ -52,7 +69,10 @@ export function loadSeeds(opts?: { seedDir?: string }): void {
 
   vendorStore.load(vendors);
   policyStore.load(policies);
-  changeReportStore.load(changeReports);
+  renewalsStore.load(renewals);
+  requestsStore.load(requests);
+  integrationsStore.load(integrations);
+  customerContractsStore.load(customerContracts);
 }
 
 // Exposes the seeded change reports so callers (e.g. index.ts boot) can
@@ -70,6 +90,10 @@ export function getUser(id: string): User | undefined {
   return caches.users.get(id);
 }
 
+export function listUsers(): User[] {
+  return [...caches.users.values()];
+}
+
 export function resolveBearer(token: string): string | undefined {
   return caches.tokens.get(token);
 }
diff --git a/apps/api/src/seed/sub-processors.json b/apps/api/src/seed/sub-processors.json
new file mode 100644
index 0000000..cef2bc9
--- /dev/null
+++ b/apps/api/src/seed/sub-processors.json
@@ -0,0 +1,191 @@
+{
+  "vnd_notion": {
+    "vendorName": "Notion",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2023-01-15" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN + DDoS protection", "adequate": true, "addedAt": "2022-06-10" },
+      { "name": "Stripe", "jurisdiction": "US", "purpose": "Payment processing", "adequate": true, "addedAt": "2022-06-10" },
+      { "name": "TextRecognize Ltd", "jurisdiction": "IN", "purpose": "OCR text extraction for identity validation", "adequate": false, "addedAt": "2026-05-12", "flagged": true, "flagReason": "India lacks EU adequacy decision; transfer requires SCCs" }
+    ],
+    "lastChangeAt": "2026-05-12T10:00:00Z"
+  },
+  "vnd_datadog": {
+    "vendorName": "Datadog",
+    "subProcessors": [
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Infrastructure", "adequate": true, "addedAt": "2021-03-01" },
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure", "adequate": true, "addedAt": "2021-03-01" },
+      { "name": "Fastly", "jurisdiction": "US", "purpose": "CDN edge delivery", "adequate": true, "addedAt": "2022-08-15" },
+      { "name": "TCS India Pvt", "jurisdiction": "IN", "purpose": "Support operations", "adequate": false, "addedAt": "2026-05-18", "flagged": true, "flagReason": "Non-adequate jurisdiction added 6d ago; outside EU adequacy decision" }
+    ],
+    "lastChangeAt": "2026-05-18T10:00:00Z"
+  },
+  "vnd_salesforce": {
+    "vendorName": "Salesforce",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2019-06-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Machine learning infrastructure", "adequate": true, "addedAt": "2021-01-15" },
+      { "name": "Akamai Technologies", "jurisdiction": "US", "purpose": "CDN + security", "adequate": true, "addedAt": "2020-03-10" },
+      { "name": "Alibaba Cloud", "jurisdiction": "CN", "purpose": "APAC regional hosting", "adequate": false, "addedAt": "2025-11-01", "flagged": true, "flagReason": "China lacks EU adequacy decision; data transfer requires SCCs" }
+    ],
+    "lastChangeAt": "2025-11-01T10:00:00Z"
+  },
+  "vnd_stripe": {
+    "vendorName": "Stripe",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2018-04-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Data analytics", "adequate": true, "addedAt": "2020-09-01" },
+      { "name": "Twilio", "jurisdiction": "US", "purpose": "SMS + communication", "adequate": true, "addedAt": "2019-11-20" }
+    ],
+    "lastChangeAt": "2020-09-01T10:00:00Z"
+  },
+  "vnd_figma": {
+    "vendorName": "Figma",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2020-01-01" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN + edge security", "adequate": true, "addedAt": "2021-03-15" },
+      { "name": "Datadog", "jurisdiction": "US", "purpose": "Observability + monitoring", "adequate": true, "addedAt": "2022-05-10" },
+      { "name": "Sentry", "jurisdiction": "US", "purpose": "Error tracking", "adequate": true, "addedAt": "2020-06-01" }
+    ],
+    "lastChangeAt": "2022-05-10T10:00:00Z"
+  },
+  "vnd_slack": {
+    "vendorName": "Slack",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2015-01-01" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN + DDoS protection", "adequate": true, "addedAt": "2018-07-01" },
+      { "name": "Salesforce", "jurisdiction": "US", "purpose": "CRM integration platform", "adequate": true, "addedAt": "2021-07-22" },
+      { "name": "Algolia", "jurisdiction": "US", "purpose": "Full-text search", "adequate": true, "addedAt": "2019-04-01" },
+      { "name": "Wipro Brazil Ltda", "jurisdiction": "BR", "purpose": "LATAM support operations", "adequate": false, "addedAt": "2026-03-10", "flagged": true, "flagReason": "Brazil lacks EU adequacy decision; requires SCCs for EU data transfers" }
+    ],
+    "lastChangeAt": "2026-03-10T10:00:00Z"
+  },
+  "vnd_github": {
+    "vendorName": "GitHub",
+    "subProcessors": [
+      { "name": "Microsoft Azure", "jurisdiction": "US", "purpose": "Primary infrastructure", "adequate": true, "addedAt": "2018-10-26" },
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "CI/CD compute", "adequate": true, "addedAt": "2019-04-01" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN + DDoS protection", "adequate": true, "addedAt": "2020-01-15" }
+    ],
+    "lastChangeAt": "2020-01-15T10:00:00Z"
+  },
+  "vnd_okta": {
+    "vendorName": "Okta",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2018-01-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Analytics infrastructure", "adequate": true, "addedAt": "2021-06-01" },
+      { "name": "Twilio", "jurisdiction": "US", "purpose": "MFA SMS delivery", "adequate": true, "addedAt": "2019-03-15" },
+      { "name": "Salesforce", "jurisdiction": "US", "purpose": "CRM + support platform", "adequate": true, "addedAt": "2020-08-01" }
+    ],
+    "lastChangeAt": "2021-06-01T10:00:00Z"
+  },
+  "vnd_aws": {
+    "vendorName": "Amazon Web Services",
+    "subProcessors": [
+      { "name": "Akamai Technologies", "jurisdiction": "US", "purpose": "DNS resilience", "adequate": true, "addedAt": "2020-01-01" },
+      { "name": "Splunk", "jurisdiction": "US", "purpose": "Internal observability", "adequate": true, "addedAt": "2019-04-01" },
+      { "name": "Workday", "jurisdiction": "US", "purpose": "Internal HR records", "adequate": true, "addedAt": "2018-06-01" }
+    ],
+    "lastChangeAt": "2020-01-01T10:00:00Z"
+  },
+  "vnd_adobe": {
+    "vendorName": "Adobe Creative Cloud",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Asset storage", "adequate": true, "addedAt": "2020-01-01" },
+      { "name": "Microsoft Azure", "jurisdiction": "US", "purpose": "Asset compute", "adequate": true, "addedAt": "2021-04-01" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN delivery", "adequate": true, "addedAt": "2019-06-01" },
+      { "name": "Tata Consultancy Services", "jurisdiction": "IN", "purpose": "Customer support tier-2", "adequate": false, "addedAt": "2026-02-14", "flagged": true, "flagReason": "India non-adequate; SCCs required for EU support data" }
+    ],
+    "lastChangeAt": "2026-02-14T10:00:00Z"
+  },
+  "vnd_cloudflare": {
+    "vendorName": "Cloudflare",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Storage + backup", "adequate": true, "addedAt": "2020-02-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Workers compute", "adequate": true, "addedAt": "2021-03-01" }
+    ],
+    "lastChangeAt": "2021-03-01T10:00:00Z"
+  },
+  "vnd_snowflake": {
+    "vendorName": "Snowflake",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Primary cloud platform", "adequate": true, "addedAt": "2015-01-01" },
+      { "name": "Microsoft Azure", "jurisdiction": "US", "purpose": "Secondary cloud platform", "adequate": true, "addedAt": "2020-01-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Tertiary cloud platform", "adequate": true, "addedAt": "2021-06-01" }
+    ],
+    "lastChangeAt": "2021-06-01T10:00:00Z"
+  },
+  "vnd_auth0": {
+    "vendorName": "Auth0",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2018-01-01" },
+      { "name": "Twilio", "jurisdiction": "US", "purpose": "SMS delivery for MFA", "adequate": true, "addedAt": "2019-05-01" },
+      { "name": "Datadog", "jurisdiction": "US", "purpose": "Observability", "adequate": true, "addedAt": "2020-09-01" }
+    ],
+    "lastChangeAt": "2020-09-01T10:00:00Z"
+  },
+  "vnd_vercel": {
+    "vendorName": "Vercel",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Build + serverless compute", "adequate": true, "addedAt": "2019-01-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Edge regions", "adequate": true, "addedAt": "2021-06-01" },
+      { "name": "Hetzner GmbH", "jurisdiction": "DE", "purpose": "EU compute capacity", "adequate": true, "addedAt": "2026-04-22" }
+    ],
+    "lastChangeAt": "2026-04-22T10:00:00Z"
+  },
+  "vnd_hubspot": {
+    "vendorName": "HubSpot",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2018-01-01" },
+      { "name": "Salesforce", "jurisdiction": "US", "purpose": "CRM integration", "adequate": true, "addedAt": "2020-05-01" },
+      { "name": "Twilio", "jurisdiction": "US", "purpose": "SMS marketing", "adequate": true, "addedAt": "2019-11-01" },
+      { "name": "Acme Outsource Pte (Manila)", "jurisdiction": "PH", "purpose": "Customer support", "adequate": false, "addedAt": "2026-01-18", "flagged": true, "flagReason": "Philippines non-adequate; SCCs required" }
+    ],
+    "lastChangeAt": "2026-01-18T10:00:00Z"
+  },
+  "vnd_zendesk": {
+    "vendorName": "Zendesk",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2018-01-01" },
+      { "name": "Twilio", "jurisdiction": "US", "purpose": "SMS + voice channels", "adequate": true, "addedAt": "2020-04-01" },
+      { "name": "Datadog", "jurisdiction": "US", "purpose": "Observability", "adequate": true, "addedAt": "2021-08-01" },
+      { "name": "Bluestar BPO Vietnam", "jurisdiction": "VN", "purpose": "Tier-2 support", "adequate": false, "addedAt": "2026-04-02", "flagged": true, "flagReason": "Vietnam lacks adequacy decision; transfer requires SCCs" }
+    ],
+    "lastChangeAt": "2026-04-02T10:00:00Z"
+  },
+  "vnd_intercom": {
+    "vendorName": "Intercom",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Infrastructure hosting", "adequate": true, "addedAt": "2019-01-01" },
+      { "name": "Stripe", "jurisdiction": "US", "purpose": "Billing", "adequate": true, "addedAt": "2018-04-01" },
+      { "name": "Datadog", "jurisdiction": "US", "purpose": "Observability", "adequate": true, "addedAt": "2021-02-01" }
+    ],
+    "lastChangeAt": "2021-02-01T10:00:00Z"
+  },
+  "vnd_zoom": {
+    "vendorName": "Zoom",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Media routing", "adequate": true, "addedAt": "2017-01-01" },
+      { "name": "Oracle Cloud", "jurisdiction": "US", "purpose": "Meeting infrastructure", "adequate": true, "addedAt": "2020-04-01" },
+      { "name": "Zoom China Engineering", "jurisdiction": "CN", "purpose": "R&D + ML engineering", "adequate": false, "addedAt": "2025-09-15", "flagged": true, "flagReason": "China engineering team retained; non-adequate jurisdiction" }
+    ],
+    "lastChangeAt": "2025-09-15T10:00:00Z"
+  },
+  "vnd_mongodb": {
+    "vendorName": "MongoDB",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Atlas managed clusters", "adequate": true, "addedAt": "2017-01-01" },
+      { "name": "Google Cloud Platform", "jurisdiction": "US", "purpose": "Atlas managed clusters", "adequate": true, "addedAt": "2019-01-01" },
+      { "name": "Microsoft Azure", "jurisdiction": "US", "purpose": "Atlas managed clusters", "adequate": true, "addedAt": "2019-06-01" }
+    ],
+    "lastChangeAt": "2019-06-01T10:00:00Z"
+  },
+  "vnd_jira": {
+    "vendorName": "Jira",
+    "subProcessors": [
+      { "name": "Amazon Web Services", "jurisdiction": "US", "purpose": "Cloud hosting", "adequate": true, "addedAt": "2018-01-01" },
+      { "name": "Cloudflare", "jurisdiction": "US", "purpose": "CDN + DDoS", "adequate": true, "addedAt": "2020-03-01" },
+      { "name": "Datadog", "jurisdiction": "US", "purpose": "Observability", "adequate": true, "addedAt": "2021-01-01" }
+    ],
+    "lastChangeAt": "2021-01-01T10:00:00Z"
+  }
+}
diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 82b6f1b..904db27 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -4,7 +4,8 @@ import { createApp } from "./app.js";
 import { InMemoryChangeReportRepository } from "./db/changeReports.js";
 import { logger } from "./logger.js";
 import { createSeedChangeReport } from "./seed/factories.js";
-import type { ChangeReport, User, Vendor } from "@redline/shared";
+import { getSeededChangeReports } from "./seed/loader.js";
+import type { ChangeReport, User, Vendor } from "@unsyphn/shared";
 
 const port = Number(process.env.PORT ?? 3005);
 export const DEV_SEED_CHANGE_ID = "chg_seed_notion_yesterday";
@@ -57,8 +58,9 @@ export function createServerApp(argv = process.argv) {
 }
 
 export function buildApp(deps?: { seedChangeReports?: ChangeReport[] }) {
-  if (deps?.seedChangeReports && deps.seedChangeReports.length > 0) {
-    return createApp({ reports: new InMemoryChangeReportRepository(deps.seedChangeReports) });
+  const seedReports = deps?.seedChangeReports ?? getSeededChangeReports();
+  if (seedReports.length > 0) {
+    return createApp({ reports: new InMemoryChangeReportRepository(seedReports) });
   }
   return createApp();
 }
@@ -71,7 +73,7 @@ if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href)
       port,
     },
     (info) => {
-      logger.info({ port: info.port, seeded, ...(seeded ? { seedChangeId: DEV_SEED_CHANGE_ID } : {}) }, "Redline API listening");
+      logger.info({ port: info.port, seeded, ...(seeded ? { seedChangeId: DEV_SEED_CHANGE_ID } : {}) }, "Unsyphn API listening");
     },
   );
 }
diff --git a/apps/api/src/stream/broker.ts b/apps/api/src/stream/broker.ts
index 4b6bea1..cf6aa0f 100644
--- a/apps/api/src/stream/broker.ts
+++ b/apps/api/src/stream/broker.ts
@@ -1,4 +1,4 @@
-import type { OrgId, StoredStreamEvent, StreamEventDataMap, StreamEventName } from "@redline/shared";
+import type { OrgId, StoredStreamEvent, StreamEventDataMap, StreamEventName } from "@unsyphn/shared";
 import { validateStreamEvent, compareEventIds } from "./events.js";
 
 export interface EventBrokerOptions {
diff --git a/apps/api/src/stream/events.ts b/apps/api/src/stream/events.ts
index 03aed00..d6f8e70 100644
--- a/apps/api/src/stream/events.ts
+++ b/apps/api/src/stream/events.ts
@@ -6,7 +6,7 @@ import {
   type StoredStreamEvent,
   type StreamEventDataMap,
   type StreamEventName,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 
 export type StreamSubscriber = (event: StoredStreamEvent) => void;
 
diff --git a/apps/web/index.html b/apps/web/index.html
index 6a0ef8d..16bed1b 100644
--- a/apps/web/index.html
+++ b/apps/web/index.html
@@ -13,6 +13,9 @@
 <meta property="og:type" content="website">
 <meta name="twitter:card" content="summary_large_image">
 <title>UNSYPHN — One vault for every subscription.</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=Geist:wght@400;500;600;700&family=Geist+Mono:wght@400;500&display=swap" rel="stylesheet">
 <style>
 /* ─────────────────────────────────────────────
    HALO TOKENS
@@ -41,15 +44,16 @@
     inset 0  1px 0 rgba(255,255,255,0.10),
     inset 0 -1px 0 rgba(0,0,0,0.30);
 
-  --font-display:-apple-system,"SF Pro Display","Inter",system-ui,sans-serif;
-  --font-mono:ui-monospace,"SF Mono","JetBrains Mono",monospace;
+  --font-display:"Geist","Inter",-apple-system,"SF Pro Display",system-ui,sans-serif;
+  --font-mono:"Geist Mono",ui-monospace,"SF Mono","JetBrains Mono",monospace;
   --font-serif:ui-serif,"New York","Instrument Serif",Georgia,serif;
+  --font-premium:"Geist",-apple-system,"SF Pro Display",system-ui,sans-serif;
 
   --spring: cubic-bezier(0.34, 1.45, 0.64, 1);
 }
 
 *{box-sizing:border-box;margin:0;padding:0}
-html,body{background:var(--bg);color:#EDEDF2;font-family:var(--font-display);-webkit-font-smoothing:antialiased}
+html,body{background:var(--bg);color:#0f172a;font-family:var(--font-premium);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}
 body{
   min-height:300vh; /* room for scroll-explode */
   overflow-x:hidden;
@@ -80,24 +84,67 @@
    ───────────────────────────────────────────── */
 .nav{
   position:fixed;top:0;left:0;right:0;z-index:50;
-  display:flex;align-items:center;justify-content:space-between;
-  padding:18px 28px;
-  font-family:var(--font-mono);font-size:12px;letter-spacing:.14em;text-transform:uppercase;
-  color:rgba(237,237,242,.78);
+  display:grid;grid-template-columns:1fr auto 1fr;align-items:center;
+  padding:20px 28px;
+  font-family:var(--font-premium);font-size:12px;letter-spacing:.10em;text-transform:uppercase;
+  color:#0f172a;
+  font-weight:500;
+}
+.nav .brand{
+  display:flex;align-items:center;gap:16px;
+  grid-column:2;
+  justify-self:center;
 }
-.nav .brand{display:flex;align-items:center;gap:10px}
 .nav .brand .mark{
-  display:block;width:22px;height:16px;object-fit:contain;
+  display:block;width:72px;height:48px;object-fit:contain;
+}
+.nav .brand span{
+  font-size:20px;
+  letter-spacing:.20em;
+  font-weight:700;
+}
+.nav .cta{
+  grid-column:3;
+  justify-self:end;
 }
 .nav ul{list-style:none;display:flex;gap:28px}
-.nav a{color:inherit;text-decoration:none;opacity:.7;transition:opacity .2s}
-.nav a:hover{opacity:1}
+.nav a{color:#334155;text-decoration:none;opacity:.85;transition:opacity .2s}
+.nav a:hover{opacity:1;color:#0f172a}
 .nav .cta{
   padding:8px 14px;border-radius:999px;
-  background:var(--glass-bg);
-  border:1px solid var(--glass-border);
-  backdrop-filter: blur(20px) saturate(180%);
+  background:#0f172a;
+  border:1px solid #0f172a;
   color:#fff;
+  font-family:var(--font-premium);
+  font-weight:500;
+  letter-spacing:.06em;
+  transition:background .15s, transform .15s;
+}
+.nav .cta:hover{background:#1e293b;transform:translateY(-1px)}
+
+/* ─────────────────────────────────────────────
+   AMBIENT DOTS — slow-drifting halftone field
+   ───────────────────────────────────────────── */
+#ambient-dots{
+  position:fixed;inset:0;
+  width:100vw;height:100vh;
+  pointer-events:none;
+  z-index:0;
+  opacity:0.30;
+}
+
+/* ─────────────────────────────────────────────
+   CURSOR TRAIL — dots that echo the brand mark
+   ───────────────────────────────────────────── */
+#cursor-trail{
+  position:fixed;inset:0;
+  width:100vw;height:100vh;
+  pointer-events:none;
+  z-index:1;
+  opacity:0.45;
+}
+@media (prefers-reduced-motion: reduce){
+  #cursor-trail,#ambient-dots{display:none}
 }
 
 /* ─────────────────────────────────────────────
@@ -116,27 +163,29 @@
 }
 
 .eyebrow{
-  font-family:var(--font-mono);
+  font-family:var(--font-premium);
   font-size:11.5px;
-  letter-spacing:.14em;
+  font-weight:500;
+  letter-spacing:.10em;
   text-transform:uppercase;
-  color:rgba(237,237,242,.62);
+  color:#0f172a;
   display:inline-flex;align-items:center;gap:10px;
   padding:8px 14px;border-radius:999px;
-  background:var(--glass-bg);
-  border:1px solid var(--glass-border);
+  background:rgba(255,255,255,0.92);
+  border:1px solid rgba(15,23,42,0.08);
   backdrop-filter: blur(20px) saturate(180%);
+  box-shadow: 0 4px 12px rgba(15,23,42,0.06);
 }
 .eyebrow .dot{
-  width:6px;height:6px;border-radius:50%;
-  background:var(--lime);box-shadow:0 0 10px var(--lime);
+  width:7px;height:7px;border-radius:50%;
+  background:#16a34a;box-shadow:0 0 0 3px rgba(22,163,74,.18);
 }
 
 .stage{
   position:relative;
-  width:min(660px, 90vw, 86vh);
+  width:min(528px, 72vw, 69vh);
   aspect-ratio:1/1;
-  perspective: 1200px;
+  perspective: 1100px;
   perspective-origin: 50% 38%;
 }
 
@@ -169,17 +218,17 @@
   font-weight:500;
 }
 .sub{
-  font-family:var(--font-display);
+  font-family:var(--font-premium);
   font-size: clamp(15px, 1.35vw, 18px);
   line-height: 1.55;
-  color: rgba(237,237,242,.72);
+  color: #334155;
   max-width: 56ch;
   text-wrap:pretty;
 }
 .sub em{
   font-family:var(--font-serif);
   font-style:italic;
-  color:#fff;
+  color:#0f172a;
 }
 
 .cta-row{
@@ -187,23 +236,27 @@
   margin-top:6px;
 }
 .btn{
-  font-family:var(--font-display);font-size:14px;font-weight:500;
-  padding:12px 20px;border-radius:999px;border:1px solid var(--glass-border);
-  background:var(--glass-bg);
-  color:#fff;cursor:pointer;
+  font-family:var(--font-premium);font-size:14px;font-weight:500;
+  padding:12px 20px;border-radius:999px;border:1px solid rgba(15,23,42,0.10);
+  background:rgba(255,255,255,0.92);
+  color:#0f172a;cursor:pointer;
   backdrop-filter: blur(28px) saturate(200%);
-  box-shadow: var(--glass-shadow);
-  transition: transform .2s var(--spring), background .2s;
+  box-shadow: 0 4px 12px rgba(15,23,42,0.08);
+  transition: transform .2s var(--spring), background .2s, box-shadow .2s;
   position:relative;
+  letter-spacing:-0.005em;
 }
-.btn:hover{transform:translateY(-1px)}
+.btn:hover{transform:translateY(-1px);box-shadow:0 8px 20px rgba(15,23,42,0.12)}
 .btn.primary{
-  background:linear-gradient(180deg, rgba(255,255,255,.18), rgba(255,255,255,.04));
-  border-color: rgba(255,255,255,.22);
+  background:#0f172a;
+  border-color: #0f172a;
+  color:#fff;
 }
+.btn.primary:hover{background:#1e293b}
 .btn .kbd{
-  font-family:var(--font-mono);font-size:11px;opacity:.6;margin-left:8px;
-  padding:2px 6px;border:1px solid rgba(255,255,255,.14);border-radius:5px;
+  font-family:var(--font-mono);font-size:11px;opacity:.7;margin-left:8px;
+  padding:2px 6px;border:1px solid rgba(255,255,255,.24);border-radius:5px;
+  background:rgba(255,255,255,0.08);
 }
 
 /* rainbow stripe */
@@ -225,8 +278,8 @@
   position:relative;z-index:2;
   display:flex;justify-content:space-between;align-items:center;
   padding: 0 32px 24px;
-  font-family:var(--font-mono);font-size:11px;letter-spacing:.14em;text-transform:uppercase;
-  color:rgba(237,237,242,.5);
+  font-family:var(--font-premium);font-size:11px;font-weight:500;letter-spacing:.10em;text-transform:uppercase;
+  color:#475569;
 }
 
 /* second section (so scrolling has somewhere to go) */
@@ -239,35 +292,39 @@
 .spacer .panel{
   max-width: 920px;width:100%;
   padding:36px 40px;
-  background:var(--glass-bg);
-  border:1px solid var(--glass-border);
+  background:rgba(255,255,255,0.94);
+  border:1px solid rgba(15,23,42,0.08);
   border-radius:24px;
-  backdrop-filter: blur(40px) saturate(200%) brightness(108%);
-  box-shadow: var(--glass-shadow);
+  backdrop-filter: blur(40px) saturate(200%);
+  box-shadow:
+    0 24px 60px rgba(15,23,42,0.10),
+    0 4px 12px rgba(15,23,42,0.06);
   position:relative;overflow:hidden;
+  color:#0f172a;
 }
 .spacer .panel::before{
   content:"";position:absolute;inset:0 0 50% 0;
-  background:linear-gradient(180deg, rgba(255,255,255,.08), transparent);
+  background:linear-gradient(180deg, rgba(255,255,255,.4), transparent);
   pointer-events:none;
 }
 .spacer h2{
-  font-family:var(--font-display);font-weight:600;
+  font-family:var(--font-premium);font-weight:600;
   font-size: clamp(28px,3vw,40px);letter-spacing:-0.02em;line-height:1.05;
   margin-bottom:14px;
+  color:#0f172a;
 }
-.spacer h2 em{font-family:var(--font-serif);font-style:italic;font-weight:500;color:var(--bondi)}
-.spacer p{color:rgba(237,237,242,.7);max-width:62ch;line-height:1.6}
+.spacer h2 em{font-family:var(--font-serif);font-style:italic;font-weight:500;color:#5E6AD2}
+.spacer p{color:#475569;max-width:62ch;line-height:1.6;font-family:var(--font-premium)}
 .spacer .grid{
   display:grid;grid-template-columns:repeat(3,1fr);gap:14px;margin-top:28px;
-  font-family:var(--font-mono);font-size:11.5px;letter-spacing:.04em;
-  color:rgba(237,237,242,.78);
+  font-family:var(--font-premium);font-size:12px;letter-spacing:0;
+  color:#475569;
 }
 .spacer .grid > div{
-  padding:14px;border:1px solid var(--glass-border);border-radius:14px;
-  background:rgba(255,255,255,.02);
+  padding:16px;border:1px solid rgba(15,23,42,0.08);border-radius:14px;
+  background:#ffffff;
 }
-.spacer .grid b{display:block;font-family:var(--font-display);font-weight:600;font-size:22px;letter-spacing:-0.01em;color:#fff;margin-bottom:4px}
+.spacer .grid b{display:block;font-family:var(--font-premium);font-weight:600;font-size:24px;letter-spacing:-0.02em;color:#0f172a;margin-bottom:6px;font-feature-settings:"tnum" 1}
 
 /* ─────────────────────────────────────────────
    CUBE
@@ -297,20 +354,47 @@
   will-change: transform;
 }
 
-/* face substrate — translucent glass with the per-face aurora tint */
+/* face substrate — solid white substrate so the cube reads as a unified white block */
 .face{
   position:absolute;inset:0;
-  background:
-    radial-gradient(120% 110% at 30% 18%, var(--glow,#5BA0F0) 0%, transparent 65%),
-    rgba(255,255,255,0.025);
-  backdrop-filter: blur(20px) saturate(160%);
-  -webkit-backdrop-filter: blur(20px) saturate(160%);
-  border: 1px solid rgba(255,255,255,0.06);
+  background:#ffffff;
+  border: 1px solid rgba(15,23,42,0.08);
   border-radius: 14px;
   backface-visibility: hidden;
   pointer-events: none;
-  box-shadow: inset 0 0 36px rgba(0,0,0,0.22);
-  opacity: 0.55;
+  box-shadow:
+    inset 0 0 0 1px rgba(255,255,255,0.9),
+    inset 0 -24px 60px rgba(15,23,42,0.04);
+  opacity: 1;
+  display:flex;
+  flex-direction:column;
+  align-items:center;
+  justify-content:center;
+  gap: calc(var(--S, 420px) * 0.025);
+  overflow:hidden;
+}
+/* brand mark + wordmark sit centered on each face, behind the tiles.
+   tiles fly away on scroll → both elements gradually reveal. */
+.face .face-logo{
+  width: 54%;
+  height: auto;
+  max-height: 52%;
+  object-fit: contain;
+  opacity: 0.95;
+  filter: drop-shadow(0 2px 6px rgba(99, 91, 255, 0.12));
+  pointer-events:none;
+  user-select:none;
+}
+.face .face-wordmark{
+  font-family: var(--font-display);
+  font-weight: 700;
+  font-size: calc(var(--S, 420px) * 0.085);
+  letter-spacing: 0.18em;
+  color: #0f172a;
+  text-align: center;
+  line-height: 1;
+  pointer-events:none;
+  user-select:none;
 }
 .face.f-front  { transform: translateZ(calc(var(--S) /  2)); }
 .face.f-back   { transform: rotateY(180deg) translateZ(calc(var(--S) /  2)); }
@@ -338,7 +422,7 @@
   white-space: nowrap;
 }
 
-/* tile = a translucent Liquid Glass panel with a 3D-stamped metal RIM only */
+/* tile = a solid white app-icon panel — like a Mac launcher cell */
 .tile{
   position:absolute;left:50%;top:50%;
   width: var(--T); height: var(--T);
@@ -346,64 +430,52 @@
   margin-top:  calc(var(--T) * -0.5);
   transform-style: preserve-3d;
   will-change: transform;
-  /* aurora-tinted Liquid Glass surface */
-  background:
-    linear-gradient(180deg,
-      rgba(255,255,255,0.16) 0%,
-      rgba(255,255,255,0.04) 50%,
-      rgba(255,255,255,0.02) 100%),
-    radial-gradient(130% 110% at 30% 18%, var(--glow,#5BA0F0) 0%, transparent 62%),
-    rgba(255,255,255,0.04);
-  backdrop-filter: blur(40px) saturate(200%) brightness(108%);
-  -webkit-backdrop-filter: blur(40px) saturate(200%) brightness(108%);
-  /* the only metallic part: a 4-toned bevel rim so each tile reads stamped/3D */
-  border-top:    1px solid rgba(255,255,255,0.28);
-  border-left:   1px solid rgba(255,255,255,0.22);
-  border-right:  1px solid rgba(0,0,0,0.50);
-  border-bottom: 1px solid rgba(0,0,0,0.55);
-  border-radius: 12px;
+  background:#ffffff;
+  border: 1px solid rgba(15,23,42,0.08);
+  border-radius: 14px;
   overflow:hidden;
   backface-visibility: hidden;
   display:grid;place-items:center;
   box-shadow:
-    0 12px 36px rgba(0,0,0,0.22),
-    inset 0  1px 0 rgba(255,255,255,0.30),
-    inset 0 -1px 0 rgba(0,0,0,0.45),
-    inset  1px 0 0 rgba(255,255,255,0.18),
-    inset -1px 0 0 rgba(0,0,0,0.35);
+    0 6px 16px rgba(15,23,42,0.10),
+    0 2px 4px rgba(15,23,42,0.06),
+    inset 0 1px 0 rgba(255,255,255,0.9);
 }
 .tile::before{
-  /* specular sweep across the upper half (kept from the glass treatment) */
-  content:"";position:absolute;left:0;right:0;top:0;height:50%;
-  background:linear-gradient(180deg, rgba(255,255,255,0.16), rgba(255,255,255,0) 100%);
-  pointer-events:none;
-  border-radius: 12px 12px 0 0;
-}
-.tile::after{
-  /* soft aurora bloom */
-  content:"";position:absolute;inset:-5%;
-  background: radial-gradient(60% 50% at 22% 18%, var(--glow,#fff) 0%, transparent 70%);
-  opacity:.50;
-  filter: blur(10px);
+  /* subtle inner highlight on the top edge */
+  content:"";position:absolute;left:0;right:0;top:0;height:40%;
+  background:linear-gradient(180deg, rgba(255,255,255,0.6), rgba(255,255,255,0) 100%);
   pointer-events:none;
-  mix-blend-mode: screen;
+  border-radius: 14px 14px 0 0;
 }
 .tile svg{
   position:relative;z-index:1;
   width: 54%; height: 54%;
   display:block;
-  filter: drop-shadow(0 1px 3px rgba(0,0,0,.5));
+  filter: drop-shadow(0 1px 2px rgba(15,23,42,.12));
   opacity:.96;
 }
 .tile .letter{
   position:relative;z-index:1;
-  font-family: var(--font-display);
+  font-family: var(--font-premium);
   font-weight: 700;
   font-size: 38%;
-  color: #fff;
+  color: #0f172a;
   letter-spacing: -0.02em;
-  text-shadow: 0 1px 3px rgba(0,0,0,.6);
 }
+.tile .vendor-logo{
+  position:absolute;
+  top:50%; left:50%;
+  transform: translate(-50%, -50%);
+  z-index:2;
+  width: 56%; height: 56%;
+  object-fit: contain;
+  opacity:1;
+  filter: drop-shadow(0 1px 2px rgba(15,23,42,.10));
+  pointer-events:none;
+}
+body[data-density="plain"]   .tile > .vendor-logo,
+body[data-density="letters"] .tile .vendor-logo { display:none; }
 
 /* density modes */
 body[data-density="plain"]   .tile > svg,
@@ -411,24 +483,57 @@
 body[data-density="letters"] .tile svg { display:none; }
 body[data-density="letters"] .tile .letter { display:inline-block; }
 body[data-density="marks"]   .tile .letter { display:none; }
-body[data-density="marks"]   .tile svg { display:block; }
+/* hide the abstract white-stroke SVG marks when real brand logos are showing */
+body[data-density="marks"]   .tile > svg.tile-svg { display:none; }
 
-/* HUD floaters around the cube */
+/* HUD floaters around the cube — premium card surfaces in Geist */
 .floater{
   position:absolute;z-index:3;pointer-events:none;
-  font-family:var(--font-mono);font-size:11px;letter-spacing:.06em;
-  color:rgba(255,255,255,.78);
-  padding:8px 12px;border-radius:12px;
-  background:var(--glass-bg);
-  border:1px solid var(--glass-border);
+  font-family: var(--font-premium);
+  font-feature-settings: "ss01" 1, "cv11" 1, "tnum" 1;
+  font-size:12px;
+  color:#0f172a;
+  padding:12px 16px;border-radius:14px;
+  background:rgba(255,255,255,0.96);
+  border:1px solid rgba(15,23,42,0.08);
   backdrop-filter: blur(24px) saturate(180%);
-  box-shadow: var(--glass-shadow);
-  display:flex;align-items:center;gap:8px;
+  box-shadow:
+    0 12px 36px rgba(15,23,42,0.10),
+    0 2px 6px rgba(15,23,42,0.06);
+  display:flex;align-items:center;gap:10px;
+}
+.floater .pulse{
+  width:8px;height:8px;border-radius:50%;
+  background:#16a34a;
+  box-shadow:0 0 0 3px rgba(22,163,74,0.18);
+}
+.floater b{
+  font-family: var(--font-premium);
+  font-weight:600;
+  color:#0f172a;
+  font-size:13px;
+  letter-spacing:-0.005em;
+  line-height:1.2;
+}
+.floater .num{
+  font-family: var(--font-premium);
+  font-weight:600;
+  font-size:20px;
+  color:#0f172a;
+  letter-spacing:-0.02em;
+  line-height:1.1;
+  font-feature-settings: "tnum" 1, "ss01" 1;
+}
+.floater small{
+  display:block;
+  font-family: var(--font-premium);
+  font-weight:500;
+  font-size:10.5px;
+  letter-spacing:0.04em;
+  color:#64748b;
+  text-transform:uppercase;
+  margin-top:4px;
 }
-.floater .pulse{width:7px;height:7px;border-radius:50%;background:var(--lime);box-shadow:0 0 8px var(--lime)}
-.floater b{font-family:var(--font-display);font-weight:600;color:#fff;font-size:12px;letter-spacing:0}
-.floater .num{font-family:var(--font-mono);font-size:18px;color:#fff;letter-spacing:-0.01em}
-.floater small{display:block;font-size:9.5px;letter-spacing:.12em;opacity:.6;text-transform:uppercase;margin-top:2px}
 
 .fl-1{left:-12%;top:6%;}
 .fl-2{right:-10%;top:34%;}
@@ -460,10 +565,10 @@
    ───────────────────────────────────────────── */
 .footer{
   position:relative;z-index:2;
-  border-top:1px solid var(--glass-border);
+  border-top:1px solid rgba(15,23,42,0.08);
   padding:48px 32px 28px;
-  font-family:var(--font-mono);font-size:11px;letter-spacing:.06em;
-  color:rgba(237,237,242,.5);
+  font-family:var(--font-premium);font-size:11px;letter-spacing:0;
+  color:#475569;
 }
 .footer .footer-inner{max-width:920px;margin:0 auto;}
 .footer .footer-top{
@@ -473,43 +578,64 @@
   .footer .footer-top{grid-template-columns:1fr 1fr;gap:24px;}
 }
 .footer .footer-brand{display:flex;align-items:center;gap:10px;margin-bottom:12px;}
-.footer .footer-brand img{width:22px;height:16px;object-fit:contain;}
-.footer .footer-brand span{font-family:var(--font-display);font-size:13px;font-weight:600;color:#fff;letter-spacing:0;text-transform:none;}
-.footer .footer-tagline{font-size:10.5px;line-height:1.6;color:rgba(237,237,242,.4);max-width:22ch;}
+.footer .footer-brand img{width:28px;height:20px;object-fit:contain;}
+.footer .footer-brand span{font-family:var(--font-premium);font-size:13px;font-weight:600;color:#0f172a;letter-spacing:-0.005em;text-transform:none;}
+.footer .footer-tagline{font-size:11.5px;line-height:1.6;color:#64748b;max-width:22ch;font-family:var(--font-premium);}
 .footer h5{
-  font-size:9.5px;letter-spacing:.16em;text-transform:uppercase;
-  color:rgba(237,237,242,.35);margin-bottom:12px;font-weight:500;
+  font-family:var(--font-premium);
+  font-size:10.5px;letter-spacing:.12em;text-transform:uppercase;
+  color:#0f172a;margin-bottom:12px;font-weight:600;
 }
 .footer nav a{
-  display:block;color:rgba(237,237,242,.5);text-decoration:none;
-  margin-bottom:8px;transition:color .15s;font-size:11px;
+  display:block;color:#475569;text-decoration:none;
+  margin-bottom:8px;transition:color .15s;font-size:12px;
+  font-family:var(--font-premium);
 }
-.footer nav a:hover{color:rgba(237,237,242,.9);}
+.footer nav a:hover{color:#0f172a;}
 .footer .footer-bottom{
   display:flex;justify-content:space-between;align-items:center;flex-wrap:wrap;gap:8px;
-  padding-top:20px;border-top:1px solid var(--glass-border);
-  font-size:10px;letter-spacing:.08em;color:rgba(237,237,242,.3);
+  padding-top:20px;border-top:1px solid rgba(15,23,42,0.08);
+  font-size:11px;letter-spacing:0;color:#64748b;
+  font-family:var(--font-premium);
 }
+
+/* When a non-root route is being served by SPA fallback, hide the static landing
+   shell — the React route (Demo, Contact, Privacy, Terms, Docs, Pricing, Trust)
+   renders its own header/hero/footer via PageShell. Scoped to direct body children
+   so the React app's <main class="public-main"> inside #root stays visible. */
+html.spa-route > body > .aurora,
+html.spa-route > body > .grain,
+html.spa-route > body > nav.nav,
+html.spa-route > body > main,
+html.spa-route > body > .meta,
+html.spa-route > body > footer.footer{display:none!important}
+html.spa-route,html.spa-route body{min-height:auto!important;overflow:auto!important}
 </style>
+<script>
+  (function(){
+    var p = location.pathname;
+    if (p !== "/" && p !== "/index.html") {
+      document.documentElement.classList.add("spa-route");
+    }
+  })();
+</script>
 </head>
-<body style="font-family: Poppins">
+<body>
 
 <div class="aurora"></div>
 <div class="grain"></div>
 
 <nav class="nav">
-  <div class="brand"><img class="mark" src="/logo.png" alt="Unsyphn" width="22" height="16"><span>UNSYPHN / Subscription OS</span></div>
-  <ul>
-    <li><a href="#product">Product</a></li>
-  </ul>
+  <div class="brand"><img class="mark" src="/unsyphn-mark.png" alt="Unsyphn" width="72" height="48"><span>UNSYPHN</span></div>
   <a href="/app/" class="cta">Get access →</a>
 </nav>
 
+<canvas id="ambient-dots" aria-hidden="true"></canvas>
+<canvas id="cursor-trail" aria-hidden="true"></canvas>
+
 <main>
 <section class="hero" id="hero">
 
-  <span class="eyebrow"><span class="dot"></span>v4.2 · The Subscription OS</span>
-
   <div class="stage" id="stage">
     <div class="scene" id="scene">
       <div class="tilt">
@@ -538,7 +664,7 @@ <h1 class="title">Every subscription,<br/><em>one</em> calm surface.</h1>
     <p class="sub">UNSYPHN pulls every SaaS seat, invoice, and renewal your company runs into a single <em>liquid</em> vault — so finance, IT, and ops finally see the same picture.</p>
     <div class="cta-row">
       <button class="btn primary" onclick="location.href='/app/'">Start free trial</button>
-      <button class="btn" onclick="location.href='mailto:hello@unsyphn.com?subject=Book%20a%20walkthrough'">Book a walkthrough <span class="kbd">⌘ K</span></button>
+      <button class="btn" onclick="location.href='/demo'">Book a walkthrough <span class="kbd">⌘ K</span></button>
     </div>
     <div class="rainbow"><i></i><i></i><i></i><i></i><i></i><i></i></div>
   </div>
@@ -623,21 +749,55 @@ <h2>One vault. <em>Every</em> renewal.</h2>
   ];
   const LETTERS = 'AZSNGFLVRMZGDHJAID'.split('');
 
+  // 54 SaaS vendor logos — Simple Icons CDN, served in each brand's official hex color.
+  // [slug, brand-hex] tuples → https://cdn.simpleicons.org/{slug}/{hex}
+  // Trademark-blocked brands (Slack/MS/Adobe/Salesforce/AWS/Segment/Amplitude/Docusign/Monday)
+  // are swapped for working B2B SaaS slugs of similar category.
+  const VENDOR_LOGOS = [
+    ['notion','000000'],         ['discord','5865F2'],         ['figma','F24E1E'],
+    ['clickup','7B68EE'],        ['trello','0079BF'],          ['stripe','635BFF'],
+    ['datadog','632CA6'],        ['github','181717'],          ['cloudflare','F38020'],
+    ['googlecloud','4285F4'],    ['vercel','000000'],          ['linear','5E6AD2'],
+    ['jira','0052CC'],           ['atlassian','0052CC'],       ['asana','F06A6A'],
+    ['basecamp','1D2D35'],       ['hubspot','FF7A59'],         ['mailchimp','FFE01B'],
+    ['intercom','0057FF'],       ['zendesk','03363D'],         ['retool','3D3D3D'],
+    ['mixpanel','7856FF'],       ['grafana','F46800'],         ['posthog','1D4AFF'],
+    ['zoom','0B5CFF'],           ['googlecalendar','4285F4'],  ['gmail','EA4335'],
+    ['zapier','FF4A00'],         ['make','6D00CC'],            ['dropbox','0061FF'],
+    ['box','0061D5'],            ['googledrive','4285F4'],     ['ifttt','000000'],
+    ['supabase','3FCF8E'],       ['planetscale','000000'],     ['sketch','F7B500'],
+    ['framer','0055FF'],         ['miro','FFD02F'],            ['loom','625DF5'],
+    ['calendly','006BFF'],       ['shopify','7AB55C'],         ['brex','D9A227'],
+    ['okta','007DC1'],           ['auth0','EB5424'],           ['1password','0572EC'],
+    ['lastpass','D32D27'],       ['bitwarden','175DDC'],       ['snowflake','29B5E8'],
+    ['mongodb','47A248'],        ['postgresql','4169E1'],      ['redis','DC382D'],
+    ['sentry','362D59'],         ['pagerduty','06AC38'],       ['airtable','FCB400']
+  ];
+
   // helper: cube edge size in px (set on init + resize)
   function getS(){
     const v = parseFloat(getComputedStyle(cube).getPropertyValue('--S'));
     return isFinite(v) && v > 0 ? v : 420;
   }
 
-  // create face backdrops, each carrying the UNSYPHN wordmark
+  // create face backdrops with the brand mark + wordmark centered behind the tiles —
+  // as tiles disperse on scroll, the logo and the UNSYPHN wordmark emerge.
   FACES.forEach(([cls, N, R, U], fi)=>{
     const f = document.createElement('div');
     f.className = 'face ' + cls;
     f.style.setProperty('--glow', AURORA[fi % AURORA.length]);
-    const wm = document.createElement('span');
-    wm.className = 'wordmark';
-    wm.textContent = 'UNSYPHN';
-    f.appendChild(wm);
+    const logo = document.createElement('img');
+    logo.className = 'face-logo';
+    logo.src = '/unsyphn-mark.png';
+    logo.alt = '';
+    logo.setAttribute('aria-hidden', 'true');
+    logo.loading = 'lazy';
+    f.appendChild(logo);
+    const wordmark = document.createElement('div');
+    wordmark.className = 'face-wordmark';
+    wordmark.textContent = 'UNSYPHN';
+    wordmark.setAttribute('aria-hidden', 'true');
+    f.appendChild(wordmark);
     cube.appendChild(f);
   });
 
@@ -651,9 +811,12 @@ <h2>One vault. <em>Every</em> renewal.</h2>
         el.className = 'tile ' + cls;
         const color = AURORA[(fi * 3 + (row + col)) % AURORA.length];
         el.style.setProperty('--glow', color);
+        const [slug, hex] = VENDOR_LOGOS[tileIdx % VENDOR_LOGOS.length];
         el.innerHTML =
           tileHTML(tileIdx) +
-          '<span class="letter">' + LETTERS[tileIdx % LETTERS.length] + '</span>';
+          '<img class="vendor-logo" alt="" aria-hidden="true" loading="lazy" ' +
+          'src="https://cdn.simpleicons.org/' + slug + '/' + hex + '" ' +
+          'onerror="this.style.display=\'none\'" />';
         cube.appendChild(el);
 
         // base local 2D offset on the face
@@ -664,7 +827,7 @@ <h2>One vault. <em>Every</em> renewal.</h2>
         const sxA = Math.random()*2 - 1;
         const syA = Math.random()*2 - 1;
         const szA = Math.random()*2 - 1;
-        const spinMax = 220 + Math.random()*260;
+        const spinMax = 80 + Math.random()*120;
         const stagger = Math.random() * 0.18;
 
         TILES.push({
@@ -712,7 +875,9 @@ <h2>One vault. <em>Every</em> renewal.</h2>
   // when rAF is throttled (hidden tab, pre-first-frame, etc).
   function renderTiles(sp){
     const S = getS();
-    const scatter = S * 1.65;
+    // softer dispersal — tiles drift only ~55% of cube edge at peak so the cube reads
+    // intact for most of the scroll, then opens up gently near the bottom of the hero
+    const scatter = S * 0.55;
     for(let i = 0; i < TILES.length; i++){
       const t = TILES[i];
       const tp = Math.max(0, Math.min(1, (sp - t.stagger) / (1 - t.stagger)));
@@ -728,9 +893,10 @@ <h2>One vault. <em>Every</em> renewal.</h2>
         `rotateX(${t.baseRx}deg) rotateY(${t.baseRy}deg) ` +
         `rotateX(${sxR.toFixed(2)}deg) rotateY(${syR.toFixed(2)}deg) rotateZ(${szR.toFixed(2)}deg)`;
     }
-    // dim the backdrop faces as tiles fly off
-    const faceOpacity = (1 - sp * 0.85).toFixed(3);
-    document.querySelectorAll('.face').forEach(f => f.style.opacity = faceOpacity);
+    // face stays solid white — as tiles fly off, the centered brand mark + wordmark reveal.
+    // opacity ramps 0.55 → 1 to make the reveal feel intentional.
+    const brandOpacity = (0.55 + sp * 0.45).toFixed(3);
+    document.querySelectorAll('.face-logo, .face-wordmark').forEach(l => l.style.opacity = brandOpacity);
   }
 
   computeSizing();
@@ -817,6 +983,168 @@ <h2>One vault. <em>Every</em> renewal.</h2>
     requestAnimationFrame(frame);
   }
 })();
+
+/* ─────────────────────────────────────────────
+   AMBIENT DOTS — slow-drifting halftone field
+   inspired by the brand mark, layered behind everything
+   ───────────────────────────────────────────── */
+(function(){
+  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
+  var canvas = document.getElementById('ambient-dots');
+  if (!canvas) return;
+  var ctx = canvas.getContext('2d');
+  var dpr = window.devicePixelRatio || 1;
+
+  // brand-mark palette (purple → blue) — same as cursor trail for cohesion
+  var palette = ['#2E0F88','#3B1AAE','#5B36D6','#6E4DEA','#7855F0','#5E6AD2','#5B8AF0','#2BCAE8','#4FB8C9'];
+
+  var dots = [];
+  // density per million pixels of viewport — ~110 dots on a 1440x900 screen
+  var DENSITY = 85e-6;
+
+  function rebuild(){
+    canvas.width  = window.innerWidth  * dpr;
+    canvas.height = window.innerHeight * dpr;
+    canvas.style.width  = window.innerWidth  + 'px';
+    canvas.style.height = window.innerHeight + 'px';
+    ctx.setTransform(dpr, 0, 0, dpr, 0, 0);
+
+    var w = window.innerWidth, h = window.innerHeight;
+    var count = Math.max(40, Math.round(w * h * DENSITY));
+    dots = new Array(count);
+    for (var i = 0; i < count; i++){
+      // slow drift — 6–18 px/sec
+      var angle = Math.random() * Math.PI * 2;
+      var speed = 0.006 + Math.random() * 0.012;  // px per ms
+      dots[i] = {
+        x: Math.random() * w,
+        y: Math.random() * h,
+        r: 1.2 + Math.random() * 2.8,           // 1.2 – 4 px
+        vx: Math.cos(angle) * speed,
+        vy: Math.sin(angle) * speed,
+        color: palette[(Math.random() * palette.length) | 0],
+        // each dot has its own twinkle phase for a soft alpha ripple
+        twinkle: Math.random() * Math.PI * 2,
+        twinkleSpeed: 0.0008 + Math.random() * 0.0014,  // rad per ms
+      };
+    }
+  }
+  rebuild();
+  // re-seed on resize so density stays consistent
+  var rt;
+  window.addEventListener('resize', function(){
+    clearTimeout(rt);
+    rt = setTimeout(rebuild, 180);
+  });
+
+  var prev = performance.now();
+  function tick(now){
+    var dt = now - prev; prev = now;
+    var w = window.innerWidth, h = window.innerHeight;
+    ctx.clearRect(0, 0, canvas.width, canvas.height);
+    for (var i = 0; i < dots.length; i++){
+      var d = dots[i];
+      d.x += d.vx * dt;
+      d.y += d.vy * dt;
+      // wrap to opposite edge (with small margin so they don't pop)
+      if (d.x < -8) d.x = w + 8;
+      else if (d.x > w + 8) d.x = -8;
+      if (d.y < -8) d.y = h + 8;
+      else if (d.y > h + 8) d.y = -8;
+
+      d.twinkle += d.twinkleSpeed * dt;
+      // alpha oscillates 0.45 – 1.0 — combined with canvas opacity 0.30, this gives
+      // a real-world feel of dots fading in and out across the field
+      var alpha = 0.7 + Math.sin(d.twinkle) * 0.28;
+
+      ctx.beginPath();
+      ctx.fillStyle = d.color;
+      ctx.globalAlpha = alpha;
+      ctx.arc(d.x, d.y, d.r, 0, Math.PI * 2);
+      ctx.fill();
+    }
+    ctx.globalAlpha = 1;
+    requestAnimationFrame(tick);
+  }
+  requestAnimationFrame(tick);
+})();
+
+/* ─────────────────────────────────────────────
+   CURSOR TRAIL — dot pattern echoing the brand mark
+   ───────────────────────────────────────────── */
+(function(){
+  if (window.matchMedia('(prefers-reduced-motion: reduce)').matches) return;
+  var canvas = document.getElementById('cursor-trail');
+  if (!canvas) return;
+  var ctx = canvas.getContext('2d');
+  var dpr = window.devicePixelRatio || 1;
+
+  function sizeCanvas(){
+    canvas.width  = window.innerWidth  * dpr;
+    canvas.height = window.innerHeight * dpr;
+    canvas.style.width  = window.innerWidth  + 'px';
+    canvas.style.height = window.innerHeight + 'px';
+    ctx.setTransform(dpr, 0, 0, dpr, 0, 0);
+  }
+  sizeCanvas();
+  window.addEventListener('resize', sizeCanvas);
+
+  // Brand-mark palette — purple → blue gradient
+  var palette = ['#2E0F88','#3B1AAE','#5B36D6','#6E4DEA','#7855F0','#5E6AD2','#5B8AF0','#2BCAE8','#4FB8C9'];
+
+  var particles = [];
+  var lastEmit = 0;
+  var lastX = 0, lastY = 0;
+  var hasMoved = false;
+
+  window.addEventListener('pointermove', function(ev){
+    var now = performance.now();
+    var dx = ev.clientX - lastX, dy = ev.clientY - lastY;
+    var dist = Math.hypot(dx, dy);
+    lastX = ev.clientX; lastY = ev.clientY;
+    hasMoved = true;
+    // throttle harder — emit at most every ~40ms or when moved 14+px
+    if (now - lastEmit < 40 && dist < 14) return;
+    lastEmit = now;
+    // at most 1 dot per emission — keeps the trail whispered, not sprayed
+    var off = (Math.random() - 0.5) * Math.min(16, dist * 0.4 + 4);
+    var perp = (Math.random() - 0.5) * 8;
+    var nx = dist > 0.001 ? (-dy / dist) : 0;
+    var ny = dist > 0.001 ? ( dx / dist) : 0;
+    particles.push({
+      x: ev.clientX + off + nx * perp,
+      y: ev.clientY + off + ny * perp,
+      r: 1.5 + Math.random() * 2.5,             // 1.5 – 4px (was 2 – 9)
+      color: palette[(Math.random() * palette.length) | 0],
+      age: 0,
+      life: 520 + Math.random() * 380,          // 520 – 900ms (was 900 – 1600)
+    });
+    if (particles.length > 90) particles.splice(0, particles.length - 90);
+  }, { passive: true });
+
+  var prev = performance.now();
+  function tick(now){
+    var dt = now - prev; prev = now;
+    ctx.clearRect(0, 0, canvas.width, canvas.height);
+    for (var i = particles.length - 1; i >= 0; i--){
+      var p = particles[i];
+      p.age += dt;
+      var t = p.age / p.life;
+      if (t >= 1){ particles.splice(i, 1); continue; }
+      // gentler fade — peak alpha ~0.5, decays smoothly
+      var alpha = (1 - t) * (1 - t * 0.6) * 0.55;
+      var radius = p.r * (1 - t * 0.4);
+      ctx.beginPath();
+      ctx.fillStyle = p.color;
+      ctx.globalAlpha = alpha;
+      ctx.arc(p.x, p.y, radius, 0, Math.PI * 2);
+      ctx.fill();
+    }
+    ctx.globalAlpha = 1;
+    requestAnimationFrame(tick);
+  }
+  requestAnimationFrame(tick);
+})();
 </script>
 
 <footer class="footer">
@@ -824,7 +1152,7 @@ <h2>One vault. <em>Every</em> renewal.</h2>
     <div class="footer-top">
       <div>
         <div class="footer-brand">
-          <img src="/logo.png" alt="Unsyphn" width="22" height="16">
+          <img src="/unsyphn-mark.png" alt="Unsyphn" width="28" height="20">
           <span>UNSYPHN</span>
         </div>
         <p class="footer-tagline">One vault for every subscription. Built for the modern ops team.</p>
@@ -840,23 +1168,22 @@ <h5>Product</h5>
       <div>
         <h5>Company</h5>
         <nav aria-label="Company links">
-          <a href="mailto:hello@unsyphn.com">Contact</a>
-          <a href="mailto:privacy@unsyphn.com">Privacy</a>
-          <a href="mailto:legal@unsyphn.com">Terms</a>
+          <a href="/contact">Contact</a>
+          <a href="/privacy">Privacy</a>
+          <a href="/terms">Terms</a>
         </nav>
       </div>
       <div>
         <h5>Resources</h5>
         <nav aria-label="Resource links">
-          <a href="/app/">Demo</a>
+          <a href="/demo">Demo</a>
           <a href="https://github.com/d3v07/Datadog_Hackathon" rel="noopener">Source</a>
-          <a href="mailto:hello@unsyphn.com?subject=Documentation">Docs</a>
+          <a href="/docs">Docs</a>
         </nav>
       </div>
     </div>
     <div class="footer-bottom">
       <span>© 2026 Unsyphn · All rights reserved</span>
-      <span>Built for the Datadog hackathon</span>
     </div>
   </div>
 </footer>
diff --git a/apps/web/package.json b/apps/web/package.json
index 0795f27..e7e3976 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "@redline/web",
+  "name": "@unsyphn/web",
   "version": "0.1.0",
   "private": true,
   "type": "module",
@@ -10,10 +10,16 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
+    "@dnd-kit/core": "^6.3.1",
+    "@dnd-kit/sortable": "^10.0.0",
+    "@dnd-kit/utilities": "^3.2.2",
     "@hookform/resolvers": "^5.4.0",
-    "@redline/shared": "workspace:*",
     "@stripe/react-stripe-js": "^3.0.0",
     "@stripe/stripe-js": "^4.10.0",
+    "@types/canvas-confetti": "^1.9.0",
+    "@unsyphn/shared": "workspace:*",
+    "canvas-confetti": "^1.9.4",
+    "lucide-react": "^1.16.0",
     "react": "^18.3.0",
     "react-dom": "^18.3.0",
     "react-hook-form": "^7.53.0",
diff --git a/apps/web/public/app/app.css b/apps/web/public/app/app.css
deleted file mode 100644
index edb7edb..0000000
--- a/apps/web/public/app/app.css
+++ /dev/null
@@ -1,484 +0,0 @@
-/* =============================================================
-   UNSYPHN APP · stylesheet
-   Aurora pattern — solid surfaces, role-tinted radial glows
-   ============================================================= */
-
-@import url("https://fonts.googleapis.com/css2?family=Source+Serif+4:ital,opsz,wght@0,8..60,400;0,8..60,500;0,8..60,700;0,8..60,800;1,8..60,400&display=swap");
-
-:root { --serif: "Source Serif 4", ui-serif, Georgia, serif; }
-
-*, *::before, *::after { box-sizing: border-box; }
-html, body { margin: 0; padding: 0; font-family: var(--font-text); color: var(--text); }
-
-::selection { background: var(--bondi); color: var(--bg); }
-button { font-family: inherit; }
-
-/* ── Aurora sky on the app body ────────────────────────── */
-.app-shell {
-  width: 1440px;
-  height: 900px;
-  position: relative;
-  overflow: hidden;
-  background:
-    radial-gradient(ellipse 800px 500px at 80% -5%,  rgba(91,160,240,0.20) 0%, transparent 55%),
-    radial-gradient(ellipse 700px 450px at 10% 15%,  rgba(43,202,232,0.12) 0%, transparent 55%),
-    radial-gradient(ellipse 600px 450px at 95% 50%,  rgba(160,151,216,0.18) 0%, transparent 55%),
-    radial-gradient(ellipse 700px 400px at 5% 70%,   rgba(244,102,136,0.10) 0%, transparent 55%),
-    radial-gradient(ellipse 800px 500px at 70% 95%,  rgba(181,220,85,0.10) 0%, transparent 55%),
-    var(--bg);
-  color: var(--text);
-  font-size: 14px;
-  line-height: 1.55;
-  -webkit-font-smoothing: antialiased;
-  display: grid;
-  grid-template-columns: 220px 1fr;
-}
-
-/* ── Sidebar ───────────────────────────────────────────── */
-.sidebar {
-  padding: 22px 12px;
-  border-right: 1px solid var(--border);
-  background: var(--bg);
-  display: flex; flex-direction: column; gap: 6px;
-  height: 900px; overflow: hidden;
-}
-.brand-row {
-  display: flex; align-items: center; padding: 6px 10px;
-  margin-bottom: 18px;
-}
-.nav-section-label {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.12em;
-  text-transform: uppercase; color: var(--muted);
-  padding: 12px 10px 6px;
-}
-.nav-item {
-  display: flex; align-items: center; justify-content: space-between;
-  padding: 7px 10px;
-  border-radius: var(--radius-md);
-  color: var(--text-2);
-  font-size: 13px;
-  font-weight: 500;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  user-select: none;
-}
-.nav-item:hover { background: var(--surface); color: var(--text); }
-.nav-item.is-active {
-  background: var(--surface);
-  color: var(--text-strong);
-  border: 1px solid var(--border);
-}
-.nav-item .count {
-  font-family: var(--font-mono); font-size: 11px;
-  color: var(--muted);
-  background: var(--surface-2);
-  padding: 1px 6px;
-  border-radius: var(--radius-sm);
-}
-.nav-item.is-active .count { color: var(--text); }
-.nav-item.alert .count { background: var(--strawberry-soft); color: var(--strawberry); }
-.nav-spacer { flex: 1; }
-.nav-org {
-  padding: 10px 10px;
-  border-top: 1px solid var(--border);
-  margin-top: 6px;
-}
-.org-name { font-size: 12.5px; font-weight: 500; color: var(--text); }
-.org-meta { font-family: var(--font-mono); font-size: 10px; color: var(--muted); letter-spacing: 0.06em; margin-top: 2px; }
-
-/* ── Main ─────────────────────────────────────────────── */
-.main {
-  padding: 28px 36px;
-  min-width: 0;
-  overflow-y: auto;
-  height: 900px;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border-strong) transparent;
-}
-.main::-webkit-scrollbar { width: 8px; }
-.main::-webkit-scrollbar-thumb { background: var(--border); border-radius: 4px; }
-.main::-webkit-scrollbar-track { background: transparent; }
-
-/* ── Topbar (app-wide) ────────────────────────────────── */
-.topbar {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 24px;
-}
-.topbar-left h1 {
-  font-family: var(--font-display);
-  font-size: 28px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.025em;
-  margin: 0 0 4px;
-  line-height: 1.1;
-  font-variation-settings: "opsz" 48;
-}
-.topbar-left .when {
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.topbar-right { display: flex; gap: 10px; align-items: center; }
-.scan-pill {
-  display: inline-flex; align-items: center; gap: 7px;
-  padding: 5px 11px;
-  border-radius: var(--radius-full);
-  background: var(--surface);
-  border: 1px solid var(--border);
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--text-2);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.scan-pill .dot {
-  width: 6px; height: 6px; border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 0 3px rgba(43,202,232,0.18), 0 0 10px var(--bondi);
-}
-.scan-pill.alert {
-  background: var(--strawberry-soft);
-  color: var(--strawberry);
-  border-color: rgba(244,102,136,0.30);
-}
-.user-avatar {
-  width: 30px; height: 30px;
-  border-radius: 50%;
-  background: linear-gradient(135deg, var(--grape), var(--strawberry));
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600; color: white;
-  box-shadow: 0 0 0 1px var(--border), 0 0 14px rgba(160,151,216,0.20);
-}
-
-/* Live-dot pulse (used everywhere) */
-.live-dot.pulse { animation: pulse 1.6s ease-in-out infinite; }
-@keyframes pulse {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.50; }
-}
-@keyframes blink {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.35; }
-}
-
-/* ── Live scan ticker ─────────────────────────────────── */
-.scan-strip {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 11px 0;
-  overflow: hidden;
-  position: relative;
-  box-shadow: 0 8px 32px rgba(0,0,0,0.20);
-  margin-bottom: 20px;
-}
-.scan-strip::before, .scan-strip::after {
-  content: ""; position: absolute; top: 0; bottom: 0; width: 80px; z-index: 2; pointer-events: none;
-}
-.scan-strip::before { left: 0;  background: linear-gradient(90deg, var(--surface) 0%, transparent 100%); }
-.scan-strip::after  { right: 0; background: linear-gradient(-90deg, var(--surface) 0%, transparent 100%); }
-.scan-strip-label {
-  position: absolute;
-  top: 50%; left: 14px;
-  transform: translateY(-50%);
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--bondi);
-  background: var(--bondi-soft);
-  padding: 4px 9px;
-  border-radius: var(--radius-sm);
-  border: 1px solid rgba(43,202,232,0.18);
-  z-index: 3;
-  display: flex; align-items: center; gap: 6px;
-}
-.scan-strip-label .dot {
-  width: 5px; height: 5px; border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 8px var(--bondi);
-}
-.scan-track {
-  display: inline-flex;
-  white-space: nowrap;
-  animation: tick 50s linear infinite;
-  padding-left: 200px;
-}
-@keyframes tick {
-  from { transform: translateX(0); }
-  to   { transform: translateX(-50%); }
-}
-.scan-item {
-  display: inline-flex; align-items: center; gap: 10px;
-  padding: 0 22px;
-  font-family: var(--font-mono);
-  font-size: 11.5px;
-  border-right: 1px solid var(--hairline);
-  color: var(--text-2);
-  letter-spacing: 0.04em;
-}
-.scan-item .vendor { color: var(--text); font-weight: 500; }
-.scan-item .target { color: var(--muted); }
-.scan-item .when { color: var(--bondi); font-size: 10px; }
-
-/* ── Fleet stats grid ─────────────────────────────────── */
-.fleet {
-  display: grid;
-  grid-template-columns: repeat(6, 1fr);
-  gap: 12px;
-  margin-bottom: 28px;
-}
-.stat {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-  transition: transform var(--dur-base) var(--ease-spring), border-color var(--dur-base) var(--ease);
-  cursor: pointer;
-}
-.stat:hover { transform: translateY(-2px); border-color: var(--border-strong); }
-.stat::before {
-  content: ""; position: absolute;
-  top: -50%; right: -20%; width: 80%; height: 100%;
-  background: radial-gradient(circle, var(--stat-glow) 0%, transparent 60%);
-  opacity: 0.45; pointer-events: none;
-}
-.stat-head { display: flex; justify-content: space-between; align-items: center; margin-bottom: 8px; position: relative; }
-.stat-label {
-  font-family: var(--font-mono); font-size: 10px;
-  letter-spacing: 0.10em; text-transform: uppercase;
-  color: var(--muted);
-}
-.stat-dot {
-  width: 7px; height: 7px; border-radius: 50%;
-  box-shadow: 0 0 12px var(--stat-shadow), 0 0 0 3px var(--stat-glow);
-}
-.stat-val {
-  font-family: var(--font-display);
-  font-size: 28px;
-  font-weight: 500;
-  letter-spacing: -0.025em;
-  color: var(--text-strong);
-  line-height: 1;
-  margin-bottom: 4px;
-  font-feature-settings: "tnum" 1;
-  position: relative;
-}
-.stat-sub {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  color: var(--stat-color);
-  letter-spacing: 0.04em;
-  position: relative;
-}
-.stat.aqua       { --stat-glow: var(--aqua-glow);       --stat-shadow: var(--aqua);       --stat-color: var(--aqua); }       .stat.aqua       .stat-dot { background: var(--aqua); }
-.stat.bondi      { --stat-glow: var(--bondi-glow);      --stat-shadow: var(--bondi);      --stat-color: var(--bondi); }      .stat.bondi      .stat-dot { background: var(--bondi); }
-.stat.tangerine  { --stat-glow: var(--tangerine-glow);  --stat-shadow: var(--tangerine);  --stat-color: var(--tangerine); }  .stat.tangerine  .stat-dot { background: var(--tangerine); }
-.stat.grape      { --stat-glow: var(--grape-glow);      --stat-shadow: var(--grape);      --stat-color: var(--grape); }      .stat.grape      .stat-dot { background: var(--grape); }
-.stat.strawberry { --stat-glow: var(--strawberry-glow); --stat-shadow: var(--strawberry); --stat-color: var(--strawberry); } .stat.strawberry .stat-dot { background: var(--strawberry); }
-.stat.lime       { --stat-glow: var(--lime-glow);       --stat-shadow: var(--lime);       --stat-color: var(--lime); }       .stat.lime       .stat-dot { background: var(--lime); }
-
-/* ── Section heads ────────────────────────────────────── */
-.sec-head {
-  display: flex; justify-content: space-between; align-items: baseline;
-  margin: 0 0 14px;
-}
-.sec-title {
-  font-family: var(--font-display);
-  font-size: 19px;
-  font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.018em;
-  margin: 0;
-}
-.sec-title em {
-  font-family: var(--serif);
-  font-style: italic;
-  font-weight: 400;
-  color: var(--text);
-}
-.sec-action {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  color: var(--bondi);
-  cursor: pointer;
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-
-/* ── Two-column grid: vendors + activity ───────────────── */
-.portfolio-grid {
-  display: grid;
-  grid-template-columns: 1fr 340px;
-  gap: 22px;
-}
-
-/* ── Vendor cards ─────────────────────────────────────── */
-.vendors {
-  display: grid;
-  grid-template-columns: repeat(2, 1fr);
-  gap: 12px;
-}
-.vendor {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-  cursor: pointer;
-  transition: transform var(--dur-base) var(--ease-spring), border-color var(--dur-base) var(--ease);
-}
-.vendor:hover { transform: translateY(-2px); border-color: var(--border-strong); }
-.vendor::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 60%; height: 60%;
-  background: radial-gradient(circle at top right, var(--vendor-glow) 0%, transparent 70%);
-  opacity: 0.50; pointer-events: none;
-}
-.vendor.p1 { --vendor-glow: var(--strawberry-glow); }
-.vendor.p2 { --vendor-glow: var(--tangerine-glow); }
-.vendor.routed  { --vendor-glow: var(--bondi-glow); }
-.vendor.healthy { --vendor-glow: var(--lime-glow); }
-.vendor-head {
-  display: flex; align-items: flex-start; justify-content: space-between;
-  margin-bottom: 10px;
-  position: relative;
-}
-.vendor-id { display: flex; align-items: center; gap: 11px; }
-.vendor-logo {
-  width: 36px; height: 36px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-display);
-  font-size: 14px; font-weight: 600; color: var(--text);
-  flex-shrink: 0;
-}
-.vendor-name {
-  font-family: var(--font-display);
-  font-size: 15.5px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.015em;
-  line-height: 1.2;
-}
-.vendor-meta {
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.06em;
-  margin-top: 2px;
-}
-.sev {
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 3px 8px;
-  border-radius: var(--radius-sm);
-  border: 1px solid transparent;
-}
-.sev.p1 { color: var(--strawberry); background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); box-shadow: 0 0 16px rgba(244,102,136,0.15); }
-.sev.p2 { color: var(--tangerine);  background: var(--tangerine-soft);  border-color: rgba(255,149,64,0.20);  box-shadow: 0 0 16px rgba(255,149,64,0.12); }
-.sev.healthy { color: var(--lime); background: var(--lime-soft); border-color: rgba(181,220,85,0.20); }
-.sev.routed { color: var(--bondi); background: var(--bondi-soft); border-color: rgba(43,202,232,0.20); box-shadow: 0 0 16px rgba(43,202,232,0.18); }
-
-.vendor-row {
-  display: flex; justify-content: space-between; align-items: center;
-  font-size: 12px;
-  padding: 5px 0;
-  border-top: 1px solid var(--hairline);
-  position: relative;
-}
-.vendor-row .lbl { font-family: var(--font-mono); font-size: 10px; letter-spacing: 0.08em; text-transform: uppercase; color: var(--muted); }
-.vendor-row .val { font-family: var(--font-mono); color: var(--text); font-feature-settings: "tnum" 1; }
-.vendor-row .val.warn { color: var(--tangerine); }
-.vendor-row .val.crit { color: var(--strawberry); }
-.vendor-row .val.live { color: var(--bondi); }
-.vendor-tags {
-  display: flex; gap: 4px; margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid var(--hairline);
-  position: relative;
-  flex-wrap: wrap; align-items: center;
-}
-.chip {
-  display: inline-flex; align-items: center; gap: 4px;
-  padding: 2px 8px;
-  border-radius: var(--radius-sm);
-  font-family: var(--font-mono);
-  font-size: 9.5px; letter-spacing: 0.08em; font-weight: 500;
-  text-transform: uppercase;
-}
-.chip.pii        { background: var(--grape-soft);      color: var(--grape); }
-.chip.phi        { background: var(--strawberry-soft); color: var(--strawberry); }
-.chip.payments   { background: var(--aqua-soft);       color: var(--aqua); }
-.chip.source     { background: var(--tangerine-soft);  color: var(--tangerine); }
-.owner-av {
-  width: 20px; height: 20px; border-radius: 50%;
-  display: inline-flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono); font-size: 9px; font-weight: 600; color: white;
-  margin-left: auto;
-}
-.owner-av.a { background: linear-gradient(135deg, var(--aqua), var(--bondi)); }
-.owner-av.b { background: linear-gradient(135deg, var(--grape), var(--strawberry)); }
-.owner-av.c { background: linear-gradient(135deg, var(--tangerine), var(--strawberry)); }
-.owner-av.d { background: linear-gradient(135deg, var(--lime), var(--bondi)); }
-
-/* ── Activity feed ────────────────────────────────────── */
-.activity {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  overflow: hidden;
-  align-self: start;
-}
-.activity-head {
-  padding: 14px 16px;
-  border-bottom: 1px solid var(--border);
-  display: flex; justify-content: space-between; align-items: center;
-}
-.activity-head .title {
-  font-family: var(--font-display);
-  font-size: 14px; font-weight: 600;
-  color: var(--text-strong); letter-spacing: -0.01em;
-}
-.activity-head .filter {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.activity-item {
-  padding: 12px 16px;
-  border-bottom: 1px solid var(--hairline);
-  cursor: pointer;
-  transition: background var(--dur-fast) var(--ease);
-}
-.activity-item:hover { background: var(--surface-2); }
-.activity-item:last-child { border-bottom: 0; }
-.activity-row { display: flex; align-items: center; gap: 8px; margin-bottom: 4px; }
-.activity-sev {
-  font-family: var(--font-mono);
-  font-size: 9px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 2px 6px;
-  border-radius: 3px;
-  flex-shrink: 0;
-}
-.activity-sev.p1 { color: var(--strawberry); background: var(--strawberry-soft); }
-.activity-sev.p2 { color: var(--tangerine);  background: var(--tangerine-soft); }
-.activity-sev.p3 { color: var(--lime);       background: var(--lime-soft); }
-.activity-sev.routed { color: var(--bondi);  background: var(--bondi-soft); }
-.activity-vendor { font-size: 12.5px; font-weight: 500; color: var(--text-strong); }
-.activity-when { font-family: var(--font-mono); font-size: 10px; color: var(--muted); margin-left: auto; }
-.activity-title { font-size: 12px; color: var(--text-2); line-height: 1.4; margin-bottom: 4px; }
-.activity-meta {
-  display: flex; gap: 8px; align-items: center;
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.04em;
-}
-.activity-meta .impact.in { color: var(--strawberry); }
-.activity-meta .impact.out { color: var(--lime); }
diff --git a/apps/web/public/app/app.jsx b/apps/web/public/app/app.jsx
deleted file mode 100644
index c50fef4..0000000
--- a/apps/web/public/app/app.jsx
+++ /dev/null
@@ -1,207 +0,0 @@
-// app.jsx — top-level Unsyphn app: state, navigation, screen mounting
-
-function App() {
-  // ── state ────────────────────────────────────────────
-  const [state, setState] = React.useState({
-    screen: "portfolio",     // "portfolio" | "change" | "evidence" | "onboarding"
-    escalateOpen: false,
-    routing: false,          // overlay routing transition
-    notion: "P1",            // "P1" | "ROUTED"
-    routeTime: null,
-    evidenceCount: 432,
-    activeVendor: "notion",  // which vendor the change/evidence screens render
-    onboardingTier: "24h",
-    onboardedToast: null,    // { name, tierLabel } | null
-  });
-
-  // ── dispatcher ───────────────────────────────────────
-  function dispatch(action) {
-    switch (action.type) {
-      case "goto":
-        setState((s) => ({ ...s, screen: action.screen }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-vendor":
-        setState((s) => ({ ...s, activeVendor: action.vendor, screen: "change" }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-vendor-bundle":
-        setState((s) => ({ ...s, activeVendor: action.vendor, screen: "evidence" }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-escalate":
-        setState((s) => ({ ...s, escalateOpen: true }));
-        return;
-      case "close-escalate":
-        setState((s) => ({ ...s, escalateOpen: false }));
-        return;
-      case "confirm-escalate":
-        setState((s) => ({ ...s, escalateOpen: false, routing: true }));
-        return;
-      case "finish-routing":
-        setState((s) => ({
-          ...s,
-          routing: false,
-          notion: "ROUTED",
-          routeTime: "14:59:18 EST",
-          evidenceCount: 433,
-          screen: "evidence",
-          activeVendor: "notion",
-        }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "reset-flow":
-        setState({
-          screen: "portfolio",
-          escalateOpen: false,
-          routing: false,
-          notion: "P1",
-          routeTime: null,
-          evidenceCount: 432,
-          activeVendor: "notion",
-          onboardingTier: "24h",
-          onboardedToast: null,
-        });
-        return;
-      case "vendor-onboarded":
-        setState((s) => ({
-          ...s,
-          screen: "portfolio",
-          onboardingTier: action.tier,
-          onboardedToast: {
-            name: action.name,
-            tierLabel: action.tierLabel,
-            vendorId: action.vendorId,
-            firstScanRunId: action.firstScanRunId,
-          },
-        }));
-        setTimeout(() => setState((s) => ({ ...s, onboardedToast: null })), 5500);
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "acknowledge":
-        // state.notion is constrained to "P1" | "ROUTED" — don't widen it here.
-        // Acknowledge is a demo no-op until the lifecycle state machine is wired.
-        window.alert("Acknowledged. Lifecycle hand-off coming soon.");
-        return;
-      case "snooze":
-        window.alert("Snoozed for 48h. Lifecycle hand-off coming soon.");
-        return;
-      case "open-copilot":
-        window.alert("Copilot coming soon");
-        return;
-      case "export-diff": {
-        const DATA = window.VENDOR_DATA || {};
-        const vendor = DATA[state.activeVendor] || {};
-        const body = JSON.stringify({ vendor: state.activeVendor, diffs: (vendor.cr || {}).diffs || [] }, null, 2);
-        const url = URL.createObjectURL(new Blob([body], { type: "application/json" }));
-        const a = document.createElement("a");
-        a.href = url;
-        a.download = (state.activeVendor || "vendor") + "-diff.json";
-        document.body.appendChild(a);
-        a.click();
-        document.body.removeChild(a);
-        setTimeout(() => URL.revokeObjectURL(url), 1000);
-        return;
-      }
-      case "assign":
-        window.alert("Owner assignment coming soon");
-        return;
-      case "download-bundle":
-        window.print();
-        return;
-      case "share-audit":
-        if (navigator.clipboard && navigator.clipboard.writeText) {
-          navigator.clipboard.writeText(location.href).then(
-            function () { window.alert("Audit link copied"); },
-            function () { window.prompt("Copy the audit link:", location.href); }
-          );
-        } else {
-          window.prompt("Copy the audit link:", location.href);
-        }
-        return;
-      default:
-        globalThis["console"].warn("unknown action", action);
-    }
-  }
-
-  // ── browser tabs ─────────────────────────────────────
-  const activeRec = (window.VENDOR_DATA || {})[state.activeVendor] || {};
-  const vendorSlug = (activeRec.name || "vendor").toLowerCase();
-  const bundleSlug = ((activeRec.cr && activeRec.cr.bundleId) || "").replace("·", "-");
-  const url = state.screen === "portfolio"
-    ? "app.unsyphn.com/portfolio"
-    : state.screen === "change"
-    ? `app.unsyphn.com/${vendorSlug}/${bundleSlug || "cr"}`
-    : state.screen === "onboarding"
-    ? "app.unsyphn.com/onboard"
-    : `app.unsyphn.com/bundle/${bundleSlug || "cr"}`;
-
-  const secondTabTitle = state.screen === "portfolio"
-    ? "Notion · ToS"
-    : state.screen === "onboarding"
-    ? "Onboard Vendor"
-    : `${activeRec.name || "Vendor"} · ${state.screen === "evidence" ? "Bundle" : "Change"}`;
-
-  const tabs = [
-    { title: "Unsyphn · Portfolio" },
-    { title: secondTabTitle },
-    { title: "DPA · Acme ⟷ Notion" },
-  ];
-
-  return (
-    <div style={{ width: 1440, height: 900, position: "relative" }}>
-      <ChromeWindow tabs={tabs} activeIndex={0} url={url} width={1440} height={900}>
-        <div className="app-shell">
-          <Sidebar
-            active={state.screen === "evidence" ? "evidence" : state.screen === "change" ? "changes" : "portfolio"}
-            dispatch={dispatch}
-            state={state}
-          />
-          {state.screen === "portfolio"   && <ScreenPortfolio state={state} dispatch={dispatch} />}
-          {state.screen === "change"      && <ScreenChange state={state} dispatch={dispatch} />}
-          {state.screen === "evidence"    && <ScreenEvidence state={state} dispatch={dispatch} />}
-          {state.screen === "onboarding"  && <ScreenOnboarding state={state} dispatch={dispatch} />}
-
-          {state.escalateOpen && <EscalateModal state={state} dispatch={dispatch} />}
-          {state.routing      && <RoutingTransition dispatch={dispatch} vendorKey={state.activeVendor} />}
-        </div>
-      </ChromeWindow>
-
-      {/* Reset flow pill — anchor outside the chrome */}
-      <button
-        onClick={() => dispatch({ type: "reset-flow" })}
-        title="Reset the demo to step 1"
-        style={{
-          position: "absolute", right: -14, top: 60,
-          transform: "rotate(90deg)", transformOrigin: "right top",
-          background: "var(--surface)", color: "var(--text-2)",
-          border: "1px solid var(--border)",
-          borderRadius: "999px 999px 0 0",
-          padding: "5px 14px",
-          fontFamily: "var(--font-mono)", fontSize: 10,
-          letterSpacing: "0.18em", textTransform: "uppercase",
-          cursor: "pointer", zIndex: 50,
-        }}
-      >
-        ↻ Reset demo
-      </button>
-    </div>
-  );
-}
-
-ReactDOM.createRoot(document.getElementById("root")).render(<App />);
diff --git a/apps/web/public/app/app2.css b/apps/web/public/app/app2.css
deleted file mode 100644
index 6363ea0..0000000
--- a/apps/web/public/app/app2.css
+++ /dev/null
@@ -1,1443 +0,0 @@
-/* =============================================================
-   UNSYPHN APP · screen2.css
-   ChangeReport · Escalate modal · Routing · Evidence bundle
-   ============================================================= */
-
-/* ── ChangeReport screen ──────────────────────────────── */
-.cr-shell { max-width: 1180px; margin: 0 auto; }
-
-.crumbs-bar {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 16px;
-  padding: 8px 14px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-}
-.crumbs {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 11px; letter-spacing: 0.12em;
-  text-transform: uppercase;
-  color: var(--muted);
-}
-.crumbs .seg { color: var(--text-2); cursor: pointer; }
-.crumbs .seg:hover { color: var(--text); }
-.crumbs .sep { color: var(--muted); opacity: 0.6; }
-.crumbs .current { color: var(--text-strong); }
-.crumbs-bar .icon-btn-row { display: flex; gap: 6px; }
-.icon-btn {
-  width: 28px; height: 28px;
-  border-radius: 50%;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  cursor: pointer;
-  display: inline-flex; align-items: center; justify-content: center;
-  font-size: 13px;
-  transition: all var(--dur-fast) var(--ease);
-}
-.icon-btn:hover { background: var(--surface-3); color: var(--text); border-color: var(--border-strong); }
-
-/* Vendor strip (header) */
-.vendor-strip {
-  display: flex; align-items: center; gap: 16px;
-  padding: 16px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  margin-bottom: 18px;
-  position: relative;
-  overflow: hidden;
-}
-.vendor-strip::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 40%; height: 100%;
-  background: radial-gradient(ellipse at right, var(--strawberry-glow) 0%, transparent 70%);
-  opacity: 0.30; pointer-events: none;
-}
-.vendor-strip.routed::before {
-  background: radial-gradient(ellipse at right, var(--bondi-glow) 0%, transparent 70%);
-  opacity: 0.30;
-}
-.vendor-logo-lg {
-  width: 56px; height: 56px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600; color: var(--text);
-  flex-shrink: 0;
-}
-.vendor-id-block { position: relative; flex: 1; min-width: 0; }
-.vendor-name-lg {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.02em;
-  margin-bottom: 5px;
-}
-.vendor-meta-row {
-  display: flex; gap: 16px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  flex-wrap: wrap;
-}
-.vendor-meta-row strong { color: var(--text); font-weight: 500; }
-.vendor-renew { text-align: right; position: relative; }
-.vendor-renew .num {
-  font-family: var(--font-display);
-  font-size: 30px; font-weight: 500;
-  color: var(--tangerine);
-  line-height: 1;
-  text-shadow: 0 0 24px var(--tangerine-glow);
-  font-feature-settings: "tnum" 1;
-  letter-spacing: -0.02em;
-}
-.vendor-renew .num small { color: var(--muted); font-size: 14px; font-weight: 400; }
-.vendor-renew .lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-top: 4px;
-}
-
-/* CR layout */
-.cr-layout {
-  display: grid;
-  grid-template-columns: 1fr 320px;
-  gap: 18px;
-  padding-bottom: 76px;
-}
-
-.report {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  padding: 28px 30px 26px;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-  position: relative;
-  overflow: hidden;
-}
-.report::before {
-  content: ""; position: absolute;
-  top: -50%; left: -30%; width: 80%; height: 200%;
-  background: radial-gradient(ellipse, rgba(244,102,136,0.12) 0%, transparent 60%);
-  pointer-events: none;
-}
-.report > * { position: relative; }
-
-.report-head { display: flex; gap: 8px; margin-bottom: 14px; align-items: center; }
-.sev-badge {
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  letter-spacing: 0.14em;
-  padding: 5px 10px;
-  border-radius: var(--radius-sm);
-  border: 1px solid;
-}
-.sev-badge.p1 {
-  color: var(--strawberry); background: var(--strawberry-soft);
-  border-color: rgba(244,102,136,0.30);
-  box-shadow: 0 0 24px rgba(244,102,136,0.20);
-}
-.sev-badge.routed {
-  color: var(--bondi); background: var(--bondi-soft);
-  border-color: rgba(43,202,232,0.30);
-  box-shadow: 0 0 24px rgba(43,202,232,0.20);
-}
-.cat-chip {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.10em;
-  text-transform: uppercase;
-  padding: 5px 9px;
-  border-radius: var(--radius-sm);
-  background: var(--surface-2); color: var(--text-2);
-  border: 1px solid var(--border);
-}
-.cat-chip.data    { color: var(--grape);     background: var(--grape-soft);     border-color: rgba(160,151,216,0.20); }
-.cat-chip.pricing { color: var(--tangerine); background: var(--tangerine-soft); border-color: rgba(255,149,64,0.20); }
-
-.report-title {
-  font-family: var(--font-display);
-  font-size: 30px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.028em;
-  line-height: 1.15;
-  margin: 14px 0;
-  max-width: 28ch;
-  font-variation-settings: "opsz" 32;
-}
-.report-title em {
-  font-family: var(--serif);
-  font-style: italic; font-weight: 400;
-  color: var(--strawberry);
-}
-.report-title.routed em { color: var(--bondi); }
-.report-detected {
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  margin-bottom: 22px;
-}
-.report-detected strong { color: var(--text); font-weight: 500; }
-
-/* Impact strip */
-.impact-strip {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 10px;
-  margin-bottom: 22px;
-}
-.impact-cell {
-  padding: 12px 14px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-}
-.impact-cell .lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-bottom: 5px;
-}
-.impact-cell .val {
-  font-family: var(--font-mono);
-  font-size: 19px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.015em;
-  line-height: 1;
-  font-feature-settings: "tnum" 1;
-}
-.impact-cell.dollar .val { color: var(--strawberry); text-shadow: 0 0 16px var(--strawberry-glow); }
-.impact-cell.delta  .val { color: var(--tangerine);  text-shadow: 0 0 16px var(--tangerine-glow); }
-.impact-cell.compl  .val { color: var(--grape);      text-shadow: 0 0 16px var(--grape-glow); font-size: 15px; }
-
-/* Diff blocks */
-.diff-block { margin-bottom: 16px; }
-.diff-label {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-bottom: 10px;
-}
-.diff-pair {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 10px;
-}
-.clause {
-  padding: 14px;
-  border-radius: var(--radius-md);
-  border: 1px solid;
-  position: relative;
-}
-.clause-head {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 8px;
-}
-.clause-lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 3px 8px;
-  border-radius: 3px;
-}
-.clause-when {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-.clause-text {
-  font-family: var(--serif);
-  font-size: 14px; line-height: 1.5;
-  color: var(--text);
-  font-style: italic;
-  margin: 0;
-}
-.clause-text strong {
-  font-style: normal;
-  padding: 1px 5px;
-  border-radius: 3px;
-}
-.clause-source {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid var(--hairline);
-  letter-spacing: 0.06em;
-  word-break: break-all;
-}
-.clause-source a { color: var(--bondi); }
-.clause.before {
-  background: var(--strawberry-soft);
-  border-color: rgba(244,102,136,0.20);
-}
-.clause.before .clause-lbl { color: var(--strawberry); background: rgba(244,102,136,0.15); }
-.clause.before .clause-text strong { background: rgba(244,102,136,0.20); color: var(--strawberry); }
-.clause.after {
-  background: var(--lime-soft);
-  border-color: rgba(181,220,85,0.20);
-}
-.clause.after .clause-lbl { color: var(--lime); background: rgba(181,220,85,0.15); }
-.clause.after .clause-text strong { background: rgba(181,220,85,0.20); color: var(--lime); }
-
-/* Recommendation */
-.recommendation {
-  margin-top: 16px;
-  padding: 14px 16px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-}
-.reco-head {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--bondi);
-  margin-bottom: 8px;
-}
-.reco-head::before {
-  content: ""; width: 6px; height: 6px; border-radius: 50%;
-  background: var(--bondi); box-shadow: 0 0 12px var(--bondi);
-}
-.reco-text {
-  font-size: 13.5px; color: var(--text); line-height: 1.55;
-  margin: 0;
-}
-.reco-text em {
-  font-family: var(--serif);
-  font-style: italic; color: var(--bondi);
-}
-
-/* Side panels */
-.cr-side { display: flex; flex-direction: column; gap: 12px; }
-.panel {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-}
-.panel::before {
-  content: ""; position: absolute;
-  top: -50%; right: -20%; width: 70%; height: 100%;
-  background: radial-gradient(circle, var(--panel-glow) 0%, transparent 60%);
-  opacity: 0.40; pointer-events: none;
-}
-.panel.policy   { --panel-glow: var(--strawberry-glow); }
-.panel.routing  { --panel-glow: var(--bondi-glow); }
-.panel.evidence { --panel-glow: var(--grape-glow); }
-.panel > * { position: relative; }
-
-.panel-head {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--muted);
-  margin-bottom: 12px;
-}
-.panel-head .dot { width: 6px; height: 6px; border-radius: 50%; }
-.panel-head.strawberry .dot { background: var(--strawberry); box-shadow: 0 0 8px var(--strawberry); }   .panel-head.strawberry { color: var(--strawberry); }
-.panel-head.bondi      .dot { background: var(--bondi);      box-shadow: 0 0 8px var(--bondi); }        .panel-head.bondi      { color: var(--bondi); }
-.panel-head.grape      .dot { background: var(--grape);      box-shadow: 0 0 8px var(--grape); }        .panel-head.grape      { color: var(--grape); }
-.panel-head.lime       .dot { background: var(--lime);       box-shadow: 0 0 8px var(--lime); }         .panel-head.lime       { color: var(--lime); }
-
-.policy-name {
-  font-size: 12.5px; font-weight: 500;
-  color: var(--text);
-  margin-bottom: 10px;
-}
-.policy-yaml {
-  background: var(--bg);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-sm);
-  padding: 10px 12px;
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  line-height: 1.55;
-  color: var(--text);
-  overflow-x: auto;
-  margin: 0 0 8px;
-  white-space: pre;
-}
-.y-key { color: var(--bondi); }
-.y-str { color: var(--lime); }
-.y-com { color: var(--muted); font-style: italic; }
-.policy-meta {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-
-/* Routed actions */
-.action-item {
-  display: flex; align-items: center; gap: 10px;
-  padding: 8px 0;
-  border-bottom: 1px solid var(--hairline);
-  font-size: 12px;
-}
-.action-item:last-child { border-bottom: 0; }
-.action-icon {
-  width: 24px; height: 24px;
-  border-radius: 6px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-size: 9.5px; font-weight: 600;
-  color: var(--text-2);
-  flex-shrink: 0;
-}
-.action-icon.slack { color: var(--strawberry); background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); }
-.action-icon.jira  { color: var(--aqua);       background: var(--aqua-soft);       border-color: rgba(91,160,240,0.20); }
-.action-icon.cal   { color: var(--bondi);      background: var(--bondi-soft);      border-color: rgba(43,202,232,0.20); }
-.action-icon.email { color: var(--grape);      background: var(--grape-soft);      border-color: rgba(160,151,216,0.20); }
-.action-detail { flex: 1; min-width: 0; }
-.action-target { color: var(--text); font-weight: 500; }
-.action-when { font-family: var(--font-mono); font-size: 9.5px; color: var(--muted); margin-top: 1px; letter-spacing: 0.06em; }
-.action-status {
-  font-family: var(--font-mono);
-  font-size: 9px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 2px 6px;
-  border-radius: 3px;
-  color: var(--lime); background: var(--lime-soft);
-}
-.action-status.pending { color: var(--tangerine); background: var(--tangerine-soft); }
-
-/* Evidence preview mini */
-.ev-preview {
-  aspect-ratio: 1 / 1.25;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  padding: 12px;
-  margin-bottom: 10px;
-  position: relative;
-  overflow: hidden;
-  cursor: pointer;
-}
-.ev-page-lines { height: 5px; background: var(--hairline); border-radius: 3px; margin-bottom: 6px; }
-.ev-page-lines.short { width: 60%; }
-.ev-page-lines.med   { width: 80%; }
-.ev-page-lines.dark  { background: rgba(255,255,255,0.12); height: 7px; margin-bottom: 9px; width: 70%; }
-.ev-snippet {
-  margin-top: 10px;
-  padding: 6px 8px;
-  border-left: 2px solid var(--strawberry);
-  background: var(--strawberry-soft);
-  border-radius: 3px;
-}
-.ev-snippet .line { height: 3px; background: rgba(244,102,136,0.40); border-radius: 2px; margin-bottom: 3px; }
-.ev-snippet .line.short { width: 50%; }
-.citation-row {
-  display: flex; align-items: center; gap: 6px;
-  margin-top: 8px;
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-.cit-dot { width: 5px; height: 5px; border-radius: 50%; background: var(--lime); box-shadow: 0 0 8px var(--lime); }
-
-/* Actions bar */
-.actions-bar {
-  position: absolute;
-  left: 256px; right: 36px; bottom: 24px;
-  padding: 11px 16px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  display: flex; gap: 8px; align-items: center; justify-content: space-between;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-  z-index: 10;
-}
-.actions-row { display: flex; gap: 8px; flex-wrap: wrap; }
-.btn {
-  font-family: var(--font-text);
-  font-size: 12.5px; font-weight: 500;
-  padding: 0 14px;
-  height: 34px;
-  border-radius: var(--radius-full);
-  border: 1px solid transparent;
-  cursor: pointer;
-  display: inline-flex; align-items: center; gap: 6px;
-  transition: all var(--dur-fast) var(--ease-spring);
-  user-select: none;
-  font-feature-settings: "tnum" 1;
-  letter-spacing: 0.02em;
-}
-.btn:active { transform: scale(0.97); }
-.btn-primary {
-  background: var(--lime); color: var(--on-lime);
-  box-shadow: 0 0 24px var(--lime-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-primary:hover { background: #C4E866; }
-.btn-escalate {
-  background: var(--strawberry); color: var(--on-strawberry);
-  box-shadow: 0 0 24px var(--strawberry-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-escalate:hover { background: #F87898; }
-.btn-bondi {
-  background: var(--bondi); color: var(--on-bondi);
-  box-shadow: 0 0 24px var(--bondi-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-bondi:hover { background: #4DD7F0; }
-.btn-ghost {
-  background: var(--surface-2);
-  color: var(--text);
-  border-color: var(--border-strong);
-}
-.btn-ghost:hover { background: var(--surface-3); }
-
-/* ── Escalate modal ───────────────────────────────────── */
-.modal-scrim {
-  position: absolute; inset: 0;
-  background: rgba(6, 6, 12, 0.78);
-  backdrop-filter: blur(6px);
-  display: flex; align-items: center; justify-content: center;
-  z-index: 100;
-  animation: fade-in 0.20s var(--ease);
-}
-@keyframes fade-in { from { opacity: 0; } to { opacity: 1; } }
-.modal {
-  width: 640px; max-height: 820px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  box-shadow: 0 32px 80px rgba(0,0,0,0.50);
-  display: flex; flex-direction: column;
-  overflow: hidden;
-  animation: slide-up 0.30s var(--ease-spring);
-  position: relative;
-}
-@keyframes slide-up {
-  from { opacity: 0; transform: translateY(20px) scale(0.98); }
-  to   { opacity: 1; transform: translateY(0) scale(1); }
-}
-.modal::before {
-  content: ""; position: absolute;
-  top: 0; left: 0; right: 0; height: 80px;
-  background: radial-gradient(ellipse at top, rgba(244,102,136,0.18) 0%, transparent 70%);
-  pointer-events: none;
-}
-.modal-head {
-  padding: 18px 22px 14px;
-  border-bottom: 1px solid var(--hairline);
-  display: flex; justify-content: space-between; align-items: flex-start;
-  position: relative;
-}
-.modal-head .left .eyebrow {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--strawberry);
-  letter-spacing: 0.14em; text-transform: uppercase;
-  margin-bottom: 6px;
-}
-.modal-head .left .ttl {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.02em; line-height: 1.2;
-  margin: 0;
-}
-.modal-head .left .ttl em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--strawberry); }
-.modal-body {
-  padding: 18px 22px;
-  overflow-y: auto;
-  display: flex; flex-direction: column; gap: 16px;
-  position: relative;
-}
-.field {
-  display: flex; flex-direction: column; gap: 6px;
-}
-.field-label {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em; text-transform: uppercase;
-  display: flex; justify-content: space-between; align-items: center;
-}
-.field-label .req { color: var(--strawberry); }
-.field-input {
-  background: var(--bg);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 13px;
-  color: var(--text);
-  outline: none;
-  resize: vertical;
-}
-.field-input:focus { border-color: var(--bondi); box-shadow: 0 0 0 3px var(--bondi-soft); }
-.field-input.locked {
-  background: var(--surface-2);
-  color: var(--strawberry);
-  font-family: var(--font-mono);
-  letter-spacing: 0.10em;
-}
-.recipients {
-  display: flex; gap: 8px; flex-wrap: wrap;
-}
-.recipient {
-  display: flex; align-items: center; gap: 8px;
-  padding: 6px 12px 6px 6px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  font-size: 12.5px;
-}
-.recipient .av {
-  width: 22px; height: 22px;
-  border-radius: 50%;
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono); font-size: 9px; font-weight: 600;
-  color: white;
-}
-.recipient .who { color: var(--text-strong); font-weight: 500; }
-.recipient .role { color: var(--muted); font-family: var(--font-mono); font-size: 10px; letter-spacing: 0.06em; }
-.cite-list {
-  display: flex; flex-direction: column; gap: 6px;
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--text-2);
-}
-.cite-list .cite {
-  display: flex; align-items: center; gap: 8px;
-  padding: 6px 10px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-}
-.cite-list .cite .ck {
-  width: 14px; height: 14px;
-  border-radius: 3px;
-  background: var(--lime);
-  display: flex; align-items: center; justify-content: center;
-  font-size: 10px; color: var(--on-lime); font-weight: 700;
-}
-.cite-list .cite .src { color: var(--text); flex: 1; }
-.cite-list .cite .hash { color: var(--muted); }
-.modal-foot {
-  padding: 14px 22px;
-  border-top: 1px solid var(--hairline);
-  display: flex; justify-content: space-between; align-items: center;
-  background: var(--surface-2);
-}
-.modal-foot .left {
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.modal-foot .left b { color: var(--lime); }
-
-/* ── Routing transition ───────────────────────────────── */
-.routing-screen {
-  position: absolute; inset: 0;
-  display: flex; align-items: center; justify-content: center;
-  flex-direction: column; gap: 28px;
-  z-index: 120;
-  background:
-    radial-gradient(ellipse 1200px 800px at 50% 50%, rgba(43,202,232,0.10) 0%, transparent 60%),
-    rgba(10, 10, 18, 0.96);
-  backdrop-filter: blur(20px);
-}
-.routing-pulse {
-  width: 96px; height: 96px;
-  border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 64px var(--bondi-glow), 0 0 128px var(--bondi-glow);
-  position: relative;
-}
-.routing-pulse::before, .routing-pulse::after {
-  content: ""; position: absolute; inset: 0;
-  border-radius: 50%;
-  border: 2px solid var(--bondi);
-  opacity: 0.6;
-  animation: ring 1.8s ease-out infinite;
-}
-.routing-pulse::after { animation-delay: 0.9s; }
-@keyframes ring {
-  0%   { transform: scale(1); opacity: 0.7; }
-  100% { transform: scale(3); opacity: 0; }
-}
-.routing-title {
-  font-family: var(--font-display);
-  font-size: 36px; font-weight: 500;
-  color: var(--text-strong); letter-spacing: -0.025em;
-  text-align: center; max-width: 700px;
-  margin: 0;
-  font-variation-settings: "opsz" 48;
-}
-.routing-title em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--bondi); }
-.routing-log {
-  width: 720px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 18px 22px;
-  font-family: var(--font-mono);
-  font-size: 12.5px;
-  line-height: 1.85;
-  color: var(--text-2);
-  font-feature-settings: "tnum" 1;
-  height: 240px;
-  overflow: hidden;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-}
-.routing-log .line { display: flex; gap: 14px; }
-.routing-log .ts { color: var(--bondi); letter-spacing: 0.06em; flex-shrink: 0; }
-.routing-log .lvl { width: 56px; flex-shrink: 0; letter-spacing: 0.12em; }
-.routing-log .lvl.ok { color: var(--lime); }
-.routing-log .lvl.info { color: var(--bondi); }
-.routing-log .lvl.exec { color: var(--tangerine); }
-.routing-log .lvl.sign { color: var(--grape); }
-.routing-log .msg { color: var(--text); }
-.routing-log .msg b { color: var(--text-strong); font-weight: 500; }
-.routing-log .new { animation: type-in 0.30s var(--ease); }
-@keyframes type-in {
-  from { opacity: 0; transform: translateY(4px); }
-  to   { opacity: 1; transform: translateY(0); }
-}
-
-/* ── Evidence bundle screen ───────────────────────────── */
-.bundle-shell {
-  max-width: 1180px; margin: 0 auto;
-}
-.bundle-strip {
-  display: flex; align-items: center; gap: 16px;
-  padding: 16px;
-  background: var(--surface);
-  border: 1px solid var(--lime);
-  border-radius: var(--radius-lg);
-  margin-bottom: 18px;
-  position: relative; overflow: hidden;
-  box-shadow: 0 0 32px var(--lime-glow);
-}
-.bundle-strip::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 40%; height: 100%;
-  background: radial-gradient(ellipse at right, var(--lime-glow) 0%, transparent 70%);
-  opacity: 0.30; pointer-events: none;
-}
-.bundle-strip .seal-lg {
-  width: 64px; height: 64px;
-  border-radius: 50%;
-  border: 1.5px solid var(--lime);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--serif);
-  font-weight: 800; font-size: 24px;
-  color: var(--lime);
-  background: rgba(20, 20, 30, 0.7);
-  flex-shrink: 0;
-  box-shadow: 0 0 24px var(--lime-glow);
-  position: relative;
-}
-.bundle-strip .seal-lg::after {
-  content: ""; position: absolute; inset: 4px;
-  border-radius: 50%;
-  border: 1px solid var(--lime);
-  opacity: 0.5;
-}
-.bundle-strip .id-block { flex: 1; position: relative; }
-.bundle-strip .ttl {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.02em;
-  margin-bottom: 5px;
-}
-.bundle-strip .meta {
-  display: flex; gap: 16px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  flex-wrap: wrap;
-}
-.bundle-strip .meta b { color: var(--text); font-weight: 500; }
-.bundle-strip .stamp {
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  letter-spacing: 0.16em; text-transform: uppercase;
-  color: var(--lime);
-  padding: 6px 14px;
-  border: 1.5px solid var(--lime);
-  border-radius: var(--radius-sm);
-  background: var(--lime-soft);
-  position: relative;
-}
-
-.bundle-layout {
-  display: grid;
-  grid-template-columns: 1fr 320px;
-  gap: 18px;
-  padding-bottom: 76px;
-}
-
-.bundle-doc {
-  background: #14141E;
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  padding: 36px 44px;
-  position: relative;
-  overflow: hidden;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-}
-.bundle-doc::before {
-  content: ""; position: absolute;
-  inset: 6px; border: 1px solid var(--lime); opacity: 0.20;
-  border-radius: calc(var(--radius-xl) - 4px);
-  pointer-events: none;
-}
-.bundle-cover {
-  text-align: center; padding: 14px 0 26px;
-  border-bottom: 1px solid var(--hairline);
-  margin-bottom: 22px;
-  position: relative;
-}
-.bundle-cover .eb {
-  font-family: var(--font-mono); font-size: 11px;
-  letter-spacing: 0.32em; text-transform: uppercase;
-  color: var(--lime); opacity: 0.85; margin-bottom: 12px;
-}
-.bundle-cover h1 {
-  font-family: var(--serif); font-weight: 800;
-  font-size: 56px; letter-spacing: -0.020em;
-  color: var(--lime); line-height: 0.98;
-  text-shadow: 0 0 32px var(--lime-glow);
-  margin: 0 0 10px;
-}
-.bundle-cover .sub {
-  font-family: var(--font-display); font-size: 20px;
-  font-weight: 500; color: var(--text-strong);
-  letter-spacing: -0.012em;
-  margin: 0 0 6px;
-  font-variation-settings: "opsz" 32;
-}
-.bundle-cover .sub em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--lime); }
-.bundle-cover .meta-line {
-  font-family: var(--font-mono); font-size: 10.5px;
-  letter-spacing: 0.14em; text-transform: uppercase;
-  color: var(--text-2);
-  margin-top: 12px;
-  display: flex; gap: 16px; justify-content: center;
-}
-.bundle-cover .meta-line b { color: var(--text); font-weight: 500; }
-
-.bundle-section {
-  margin-bottom: 22px;
-  position: relative;
-}
-.bundle-section h3 {
-  font-family: var(--font-mono);
-  font-size: 11px; letter-spacing: 0.16em;
-  text-transform: uppercase;
-  color: var(--lime);
-  margin: 0 0 10px;
-  padding-bottom: 6px;
-  border-bottom: 1px solid var(--hairline);
-  display: flex; align-items: center; gap: 8px;
-}
-.bundle-section h3 .num {
-  font-family: var(--font-mono);
-  background: var(--lime); color: var(--on-lime);
-  width: 20px; height: 20px;
-  border-radius: 4px;
-  font-size: 11px; font-weight: 700;
-  display: inline-flex; align-items: center; justify-content: center;
-}
-.bundle-section .body {
-  font-size: 13.5px; color: var(--text-2); line-height: 1.55;
-}
-.bundle-section .body p { margin: 0 0 8px; }
-.bundle-section .body b { color: var(--text); font-weight: 500; }
-
-.mini-diff {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 10px;
-  margin: 10px 0;
-}
-.mini-diff .mc {
-  padding: 10px 12px;
-  border-radius: var(--radius-sm);
-  font-family: var(--serif);
-  font-size: 12.5px; line-height: 1.5;
-  font-style: italic;
-  border: 1px solid;
-}
-.mini-diff .mc.b { background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); color: var(--text); }
-.mini-diff .mc.a { background: var(--lime-soft); border-color: rgba(181,220,85,0.20); color: var(--text); }
-.mini-diff .mc strong { font-style: normal; padding: 1px 4px; border-radius: 2px; }
-.mini-diff .mc.b strong { background: rgba(244,102,136,0.20); color: var(--strawberry); }
-.mini-diff .mc.a strong { background: rgba(181,220,85,0.20); color: var(--lime); }
-.mini-diff .mc .src {
-  font-family: var(--font-mono); font-size: 9.5px;
-  letter-spacing: 0.06em; color: var(--muted);
-  margin-top: 6px; padding-top: 6px;
-  border-top: 1px solid var(--hairline);
-  font-style: normal;
-  word-break: break-all;
-}
-
-.routing-trail {
-  font-family: var(--font-mono); font-size: 11.5px;
-  color: var(--text-2);
-  display: flex; flex-direction: column; gap: 4px;
-}
-.routing-trail .row { display: flex; gap: 14px; padding: 4px 0; border-bottom: 1px solid var(--hairline); }
-.routing-trail .row:last-child { border-bottom: 0; }
-.routing-trail .ts { color: var(--lime); flex-shrink: 0; width: 100px; }
-.routing-trail .msg { color: var(--text); flex: 1; }
-.routing-trail .msg b { color: var(--text-strong); font-weight: 500; }
-.routing-trail .ok { color: var(--lime); }
-
-.signoff {
-  margin-top: 26px;
-  padding: 20px 22px;
-  border: 2px double var(--lime);
-  border-radius: 4px;
-  display: flex; align-items: center; justify-content: space-between;
-  position: relative;
-  background: rgba(181,220,85,0.04);
-}
-.signoff .left {
-  font-family: var(--serif);
-  font-size: 14px; color: var(--text-2);
-  font-style: italic;
-}
-.signoff .left b { color: var(--text); font-weight: 500; font-style: normal; }
-.signoff .right {
-  font-family: var(--serif); font-weight: 800;
-  font-size: 28px; color: var(--lime);
-  letter-spacing: -0.014em;
-  transform: rotate(-3deg);
-  text-shadow: 0 0 24px var(--lime-glow);
-}
-
-/* Bundle side: TOC + actions */
-.toc-card {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-}
-.toc-card h4 {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--muted);
-  margin: 0 0 10px;
-}
-.toc-item {
-  display: flex; align-items: center; gap: 10px;
-  padding: 8px 0;
-  border-bottom: 1px solid var(--hairline);
-  font-size: 12.5px;
-  cursor: pointer;
-}
-.toc-item:last-child { border-bottom: 0; }
-.toc-item:hover .toc-num { background: var(--lime); color: var(--on-lime); }
-.toc-num {
-  width: 22px; height: 22px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: 4px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  color: var(--text-2);
-  display: flex; align-items: center; justify-content: center;
-  transition: all var(--dur-fast) var(--ease);
-}
-.toc-item .toc-ttl { flex: 1; color: var(--text); }
-.toc-item .toc-pages { font-family: var(--font-mono); font-size: 9.5px; color: var(--muted); }
-
-/* =============================================================
-   ONBOARDING — vendor onboarding screen + tier picker
-   ============================================================= */
-
-/* "+ ONBOARD VENDOR" pill button in the Portfolio TopBar */
-.onb-cta-pill {
-  display: inline-flex; align-items: center; gap: 7px;
-  padding: 6px 13px 6px 11px;
-  background: linear-gradient(135deg, rgba(91,160,240,0.20), rgba(43,202,232,0.18));
-  border: 1px solid rgba(91,160,240,0.45);
-  border-radius: var(--radius-full);
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.12em;
-  color: var(--text);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  box-shadow: 0 0 14px rgba(91,160,240,0.18), inset 0 1px 0 rgba(255,255,255,0.08);
-}
-.onb-cta-pill:hover {
-  border-color: rgba(91,160,240,0.75);
-  background: linear-gradient(135deg, rgba(91,160,240,0.30), rgba(43,202,232,0.28));
-  box-shadow: 0 0 22px rgba(91,160,240,0.35), inset 0 1px 0 rgba(255,255,255,0.12);
-  transform: translateY(-1px);
-}
-.onb-cta-plus {
-  display: inline-flex; align-items: center; justify-content: center;
-  width: 14px; height: 14px;
-  border-radius: 50%;
-  background: var(--aqua);
-  color: var(--bg);
-  font-family: var(--font-display);
-  font-weight: 700;
-  font-size: 13px;
-  line-height: 1;
-}
-
-/* Onboarding screen header */
-.onb-header {
-  display: flex; justify-content: space-between; align-items: flex-start;
-  gap: 24px;
-  margin: 16px 0 24px;
-}
-.onb-header-left { max-width: 640px; }
-.onb-title { margin: 8px 0 12px; }
-.onb-title em { color: var(--bondi); }
-.onb-sub { color: var(--text-2); margin: 0; }
-.btn-back-pill {
-  flex-shrink: 0;
-  padding: 8px 14px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  font-family: var(--font-mono);
-  font-size: 11px;
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  color: var(--text-2);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.btn-back-pill:hover { color: var(--text); border-color: var(--border-strong); background: var(--surface-2); }
-
-/* Name + URL field row */
-.onb-fields {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 12px;
-  margin-bottom: 24px;
-}
-.onb-field { display: flex; flex-direction: column; gap: 6px; }
-.onb-field-label {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.12em;
-  color: var(--muted);
-}
-.onb-input {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-  padding: 11px 14px;
-  font-family: var(--font-text);
-  font-size: 14px;
-  color: var(--text);
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-input::placeholder { color: var(--muted); }
-.onb-input:focus {
-  outline: none;
-  border-color: var(--aqua);
-  background: var(--surface-2);
-  box-shadow: 0 0 0 3px rgba(91,160,240,0.12);
-}
-
-/* Tier grid */
-.tier-grid {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 16px;
-  margin-bottom: 24px;
-}
-
-.tier-card {
-  position: relative;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 20px;
-  display: flex;
-  flex-direction: column;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  overflow: hidden;
-}
-.tier-card::before {
-  content: "";
-  position: absolute;
-  inset: 0;
-  border-radius: var(--radius-lg);
-  pointer-events: none;
-  opacity: 0;
-  transition: opacity var(--dur-fast) var(--ease);
-}
-.tier-card.strawberry::before { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--strawberry-soft) 0%, transparent 60%); }
-.tier-card.bondi::before      { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--bondi-soft)      0%, transparent 60%); }
-.tier-card.lime::before       { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--lime-soft)       0%, transparent 60%); }
-.tier-card::before { opacity: 1; }
-
-.tier-card:hover {
-  border-color: var(--border-strong);
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-card);
-}
-
-.tier-card.is-recommended {
-  border-color: rgba(43,202,232,0.45);
-  box-shadow: 0 0 0 1px rgba(43,202,232,0.18), 0 8px 32px rgba(0,0,0,0.20);
-}
-
-.tier-card.is-selected.strawberry {
-  border-color: var(--strawberry);
-  box-shadow: 0 0 0 1px var(--strawberry), 0 0 24px var(--strawberry-glow);
-}
-.tier-card.is-selected.bondi {
-  border-color: var(--bondi);
-  box-shadow: 0 0 0 1px var(--bondi), 0 0 24px var(--bondi-glow);
-}
-.tier-card.is-selected.lime {
-  border-color: var(--lime);
-  box-shadow: 0 0 0 1px var(--lime), 0 0 24px var(--lime-glow);
-}
-
-.tier-badge {
-  position: absolute;
-  top: 12px; right: 12px;
-  z-index: 2;
-  background: var(--bondi);
-  color: var(--on-bondi);
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  font-weight: 600;
-  letter-spacing: 0.14em;
-  padding: 3px 8px;
-  border-radius: var(--radius-full);
-  box-shadow: 0 0 14px var(--bondi-glow);
-}
-
-.tier-head {
-  position: relative; z-index: 1;
-  display: flex; align-items: baseline; gap: 10px;
-  margin-bottom: 12px;
-}
-.tier-sla {
-  font-family: var(--font-display);
-  font-size: 38px;
-  font-weight: 700;
-  letter-spacing: -0.04em;
-  line-height: 1;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 48;
-}
-.tier-card.strawberry .tier-sla { color: var(--strawberry); }
-.tier-card.bondi      .tier-sla { color: var(--bondi); }
-.tier-card.lime       .tier-sla { color: var(--lime); }
-
-.tier-tagline {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.16em;
-  text-transform: uppercase;
-  color: var(--muted);
-  padding-bottom: 4px;
-}
-
-.tier-name {
-  position: relative; z-index: 1;
-  margin: 0 0 6px;
-}
-
-.tier-desc {
-  position: relative; z-index: 1;
-  font-size: 13px;
-  color: var(--text-2);
-  margin: 0 0 16px;
-  line-height: 1.5;
-}
-
-.tier-price-row {
-  position: relative; z-index: 1;
-  display: flex; align-items: baseline; gap: 6px;
-  padding: 12px 0;
-  border-top: 1px solid var(--hairline);
-  border-bottom: 1px solid var(--hairline);
-  margin-bottom: 14px;
-}
-.tier-price {
-  font-family: var(--font-display);
-  font-size: 28px;
-  font-weight: 600;
-  letter-spacing: -0.02em;
-  color: var(--text-strong);
-  font-feature-settings: "tnum" 1;
-}
-.tier-unit {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  color: var(--muted);
-  letter-spacing: 0.06em;
-}
-
-.tier-features {
-  position: relative; z-index: 1;
-  list-style: none;
-  padding: 0;
-  margin: 0 0 18px;
-  flex: 1;
-}
-.tier-features li {
-  display: flex; align-items: flex-start; gap: 8px;
-  padding: 5px 0;
-  font-size: 12.5px;
-  color: var(--text);
-  line-height: 1.4;
-}
-.tier-check {
-  flex-shrink: 0;
-  width: 14px;
-  font-family: var(--font-mono);
-  font-weight: 600;
-  font-size: 11px;
-}
-.tier-card.strawberry .tier-check { color: var(--strawberry); }
-.tier-card.bondi      .tier-check { color: var(--bondi); }
-.tier-card.lime       .tier-check { color: var(--lime); }
-
-.tier-foot {
-  position: relative; z-index: 1;
-  display: flex; justify-content: space-between; align-items: center;
-}
-.tier-eta {
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-}
-.tier-select-pill {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.14em;
-  padding: 5px 10px;
-  border-radius: var(--radius-full);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  transition: all var(--dur-fast) var(--ease);
-}
-.tier-card.is-selected.strawberry .tier-select-pill.on {
-  background: var(--strawberry); color: var(--on-strawberry); border-color: var(--strawberry);
-}
-.tier-card.is-selected.bondi .tier-select-pill.on {
-  background: var(--bondi); color: var(--on-bondi); border-color: var(--bondi);
-}
-.tier-card.is-selected.lime .tier-select-pill.on {
-  background: var(--lime); color: var(--on-lime); border-color: var(--lime);
-}
-
-/* API integration: alert, chips, checkboxes, spinner */
-.onb-alert {
-  border-radius: var(--radius-md);
-  padding: 12px 14px;
-  margin-bottom: 18px;
-  font-size: 13px;
-}
-.onb-alert.err {
-  background: var(--strawberry-soft);
-  border: 1px solid rgba(244,102,136,0.40);
-  color: var(--text);
-}
-.onb-alert.warn {
-  background: var(--tangerine-soft);
-  border: 1px solid rgba(255,149,64,0.40);
-  color: var(--text);
-}
-.onb-alert-head {
-  display: flex; align-items: center; gap: 10px;
-  font-size: 13px;
-}
-.onb-alert-code {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  padding: 3px 8px;
-  border-radius: var(--radius-sm);
-  background: rgba(0,0,0,0.30);
-  color: var(--text-strong);
-}
-.onb-alert-detail {
-  display: flex; flex-direction: column; gap: 8px;
-  margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid rgba(255,255,255,0.10);
-}
-.onb-alert-label {
-  display: inline-block;
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-  margin-right: 8px;
-  text-transform: uppercase;
-}
-.onb-chip {
-  display: inline-block;
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  padding: 2px 7px;
-  border-radius: var(--radius-sm);
-  margin: 2px 4px 2px 0;
-  letter-spacing: 0.06em;
-}
-.onb-chip.miss { background: var(--strawberry-soft); color: var(--strawberry); border: 1px solid rgba(244,102,136,0.30); }
-.onb-chip.ok   { background: var(--lime-soft);       color: var(--lime);       border: 1px solid rgba(181,220,85,0.30); }
-
-.onb-checkboxes { display: flex; gap: 8px; flex-wrap: wrap; }
-.onb-chip-btn {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  letter-spacing: 0.06em;
-  padding: 7px 12px;
-  border-radius: var(--radius-full);
-  background: var(--surface);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-chip-btn:hover { color: var(--text); border-color: var(--border-strong); }
-.onb-chip-btn.on {
-  background: var(--bondi-soft);
-  border-color: rgba(43,202,232,0.40);
-  color: var(--bondi);
-}
-.onb-chip-btn[disabled] { opacity: 0.5; cursor: not-allowed; }
-
-.onb-spinner {
-  display: inline-block;
-  width: 12px; height: 12px;
-  border: 2px solid rgba(255,255,255,0.30);
-  border-top-color: currentColor;
-  border-radius: 50%;
-  margin-right: 6px;
-  vertical-align: -1px;
-  animation: onb-spin 600ms linear infinite;
-}
-@keyframes onb-spin { to { transform: rotate(360deg); } }
-
-.onb-toast-sub code {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  background: rgba(255,255,255,0.06);
-  padding: 1px 5px;
-  border-radius: 4px;
-  color: var(--text);
-}
-
-/* DATA CLASSES field shouldn't stretch input style */
-.onb-field .onb-checkboxes { padding-top: 4px; }
-
-/* Bottom action bar */
-.onb-action-bar {
-  display: flex; justify-content: space-between; align-items: center;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px 18px;
-}
-.onb-action-summary { display: flex; flex-direction: column; gap: 2px; }
-.onb-action-label {
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-}
-.onb-action-value {
-  font-family: var(--font-display);
-  font-size: 16px;
-  font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.01em;
-}
-.onb-action-dot { color: var(--muted); font-weight: 400; }
-.onb-action-unit {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  color: var(--muted);
-  letter-spacing: 0.05em;
-}
-.onb-action-buttons { display: flex; gap: 10px; }
-.onb-btn {
-  padding: 9px 18px;
-  border-radius: var(--radius-md);
-  font-family: var(--font-text);
-  font-size: 13px;
-  font-weight: 500;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-btn.ghost {
-  background: transparent;
-  border: 1px solid var(--border);
-  color: var(--text-2);
-}
-.onb-btn.ghost:hover { color: var(--text); border-color: var(--border-strong); background: var(--surface-2); }
-.onb-btn.primary {
-  background: linear-gradient(135deg, var(--aqua), var(--bondi));
-  border: 1px solid rgba(91,160,240,0.45);
-  color: var(--bg);
-  font-weight: 600;
-  box-shadow: 0 0 18px rgba(91,160,240,0.25);
-}
-.onb-btn.primary:hover {
-  box-shadow: 0 0 28px rgba(91,160,240,0.45);
-  transform: translateY(-1px);
-}
-
-/* Success toast (shown after onboarding, dismissed automatically) */
-.onb-toast {
-  position: absolute;
-  right: 24px; bottom: 24px;
-  z-index: 60;
-  display: flex; align-items: center; gap: 12px;
-  background: var(--surface);
-  border: 1px solid var(--lime);
-  border-radius: var(--radius-md);
-  padding: 12px 16px 12px 12px;
-  box-shadow: 0 12px 36px rgba(0,0,0,0.40), 0 0 24px var(--lime-glow);
-  animation: onb-toast-in 280ms var(--ease-spring);
-  max-width: 360px;
-}
-.onb-toast-icon {
-  flex-shrink: 0;
-  width: 28px; height: 28px;
-  border-radius: 50%;
-  background: var(--lime);
-  color: var(--on-lime);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-weight: 700;
-}
-.onb-toast-title { font-size: 13px; color: var(--text); }
-.onb-toast-sla { color: var(--lime); font-family: var(--font-mono); font-size: 11px; letter-spacing: 0.1em; }
-.onb-toast-sub { font-family: var(--font-mono); font-size: 10.5px; color: var(--muted); margin-top: 2px; letter-spacing: 0.06em; }
-@keyframes onb-toast-in {
-  from { opacity: 0; transform: translateY(8px); }
-  to   { opacity: 1; transform: translateY(0); }
-}
-
diff --git a/apps/web/public/app/brand.jsx b/apps/web/public/app/brand.jsx
deleted file mode 100644
index c8deafa..0000000
--- a/apps/web/public/app/brand.jsx
+++ /dev/null
@@ -1,30 +0,0 @@
-// brand.jsx — the Unsyphn wordmark
-
-function UnsyphnMark({ size = 18 }) {
-  return (
-    <img
-      src="/logo.png"
-      alt="Unsyphn"
-      style={{ height: size, width: "auto", display: "block" }}
-    />
-  );
-}
-
-function UnsyphnDot({ size = 16, animate = true }) {
-  return (
-    <span
-      className={animate ? "live-dot pulse" : "live-dot"}
-      style={{
-        width: size,
-        height: size,
-        borderRadius: "50%",
-        background: "var(--bondi)",
-        boxShadow: `0 0 ${size}px var(--bondi-glow), 0 0 ${size * 2}px var(--bondi-glow)`,
-        display: "inline-block",
-        flexShrink: 0,
-      }}
-    />
-  );
-}
-
-Object.assign(window, { UnsyphnMark, UnsyphnDot });
diff --git a/apps/web/public/app/browser-window.jsx b/apps/web/public/app/browser-window.jsx
deleted file mode 100644
index b90e273..0000000
--- a/apps/web/public/app/browser-window.jsx
+++ /dev/null
@@ -1,114 +0,0 @@
-
-// Chrome.jsx — Simplified Chrome browser window (dark theme, macOS)
-// No dependencies, no image assets. All inline styles + inline SVG.
-
-const CHROME_C = {
-  barBg: '#202124',
-  tabBg: '#35363a',
-  text: '#e8eaed',
-  dim: '#9aa0a6',
-  urlBg: '#282a2d',
-};
-
-function ChromeTrafficLights() {
-  return (
-    <div style={{ display: 'flex', gap: 8, padding: '0 14px' }}>
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#ff5f57' }} />
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#febc2e' }} />
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#28c840' }} />
-    </div>
-  );
-}
-
-// Single tab (active has curved scoops)
-function ChromeTab({ title = 'New Tab', active = false }) {
-  const curve = (flip) => (
-    <svg width="8" height="10" viewBox="0 0 8 10"
-      style={{ position: 'absolute', bottom: 0, [flip ? 'right' : 'left']: -8, transform: flip ? 'scaleX(-1)' : 'none' }}>
-      <path d="M0 10C2 9 6 8 8 0V10H0Z" fill={CHROME_C.tabBg}/>
-    </svg>
-  );
-  return (
-    <div style={{
-      position: 'relative', height: 34, alignSelf: 'flex-end',
-      padding: '0 12px', display: 'flex', alignItems: 'center', gap: 8,
-      background: active ? CHROME_C.tabBg : 'transparent',
-      borderRadius: '8px 8px 0 0', minWidth: 120, maxWidth: 220,
-      fontFamily: 'system-ui, sans-serif', fontSize: 12,
-      color: active ? CHROME_C.text : CHROME_C.dim,
-    }}>
-      {active && curve(false)}
-      {active && curve(true)}
-      <div style={{ width: 14, height: 14, borderRadius: '50%', background: '#5f6368', flexShrink: 0 }} />
-      <span style={{ flex: 1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{title}</span>
-    </div>
-  );
-}
-
-function ChromeTabBar({ tabs = [{ title: 'New Tab' }], activeIndex = 0 }) {
-  return (
-    <div style={{
-      display: 'flex', alignItems: 'center', height: 44,
-      background: CHROME_C.barBg, paddingRight: 8,
-    }}>
-      <ChromeTrafficLights />
-      <div style={{ display: 'flex', alignItems: 'flex-end', height: '100%', paddingLeft: 4, flex: 1 }}>
-        {tabs.map((t, i) => <ChromeTab key={i} title={t.title} active={i === activeIndex} />)}
-      </div>
-    </div>
-  );
-}
-
-function ChromeToolbar({ url = 'example.com' }) {
-  const iconDot = (
-    <div style={{
-      width: 28, height: 28, display: 'flex', alignItems: 'center', justifyContent: 'center',
-    }}>
-      <div style={{ width: 16, height: 16, borderRadius: '50%', background: CHROME_C.dim, opacity: 0.4 }} />
-    </div>
-  );
-  return (
-    <div style={{
-      height: 40, background: CHROME_C.tabBg,
-      display: 'flex', alignItems: 'center', gap: 4, padding: '0 8px',
-    }}>
-      {iconDot}
-      {/* url bar */}
-      <div style={{
-        flex: 1, height: 30, borderRadius: 15, background: CHROME_C.urlBg,
-        display: 'flex', alignItems: 'center', gap: 8, padding: '0 14px',
-        margin: '0 6px',
-      }}>
-        <div style={{ width: 12, height: 12, borderRadius: '50%', background: CHROME_C.dim, opacity: 0.4 }} />
-        <span style={{
-          flex: 1, color: CHROME_C.text, fontSize: 13,
-          fontFamily: 'system-ui, sans-serif',
-        }}>{url}</span>
-      </div>
-      {iconDot}
-    </div>
-  );
-}
-
-function ChromeWindow({
-  tabs = [{ title: 'New Tab' }], activeIndex = 0, url = 'example.com',
-  width = 900, height = 600, children,
-}) {
-  return (
-    <div style={{
-      width, height, borderRadius: 10, overflow: 'hidden',
-      boxShadow: '0 24px 80px rgba(0,0,0,0.35), 0 0 0 1px rgba(0,0,0,0.1)',
-      display: 'flex', flexDirection: 'column', background: CHROME_C.tabBg,
-    }}>
-      <ChromeTabBar tabs={tabs} activeIndex={activeIndex} />
-      <ChromeToolbar url={url} />
-      <div style={{ flex: 1, background: '#fff', overflow: 'auto' }}>
-        {children}
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, {
-  ChromeWindow, ChromeTabBar, ChromeToolbar, ChromeTab, ChromeTrafficLights,
-});
diff --git a/apps/web/public/app/escalate.jsx b/apps/web/public/app/escalate.jsx
deleted file mode 100644
index 0d974a4..0000000
--- a/apps/web/public/app/escalate.jsx
+++ /dev/null
@@ -1,96 +0,0 @@
-// escalate.jsx — Escalate-to-Legal modal
-
-function EscalateModal({ state, dispatch }) {
-  const [msg, setMsg] = React.useState(
-    "Notion ToS change: PII retention 90→30d violates DPA §3.1. Pricing +18% with renewal in 42 days. Negotiate both: retention back to 60d (industry standard), price locked at prior $10/seat."
-  );
-  const [deadline, setDeadline] = React.useState("2026-05-29");
-
-  return (
-    <div className="modal-scrim" onClick={(e) => { if (e.target === e.currentTarget) dispatch({ type: "close-escalate" }); }}>
-      <div className="modal" role="dialog" aria-modal="true">
-        <div className="modal-head">
-          <div className="left">
-            <div className="eyebrow">⚠ P1 · ESCALATE</div>
-            <h2 className="ttl">Route ChangeReport <em>RL·4839</em> to Legal.</h2>
-          </div>
-          <button className="icon-btn" onClick={() => dispatch({ type: "close-escalate" })} title="Close">✕</button>
-        </div>
-
-        <div className="modal-body">
-
-          <div className="field">
-            <div className="field-label"><span>Recipients</span><span>2 · BOTH NOTIFIED</span></div>
-            <div className="recipients">
-              <div className="recipient">
-                <div className="av" style={{ background: "linear-gradient(135deg, var(--grape), var(--strawberry))" }}>PN</div>
-                <div>
-                  <div className="who">Priya Natarajan</div>
-                  <div className="role">LEGAL COUNSEL</div>
-                </div>
-              </div>
-              <div className="recipient">
-                <div className="av" style={{ background: "linear-gradient(135deg, var(--tangerine), var(--strawberry))" }}>MC</div>
-                <div>
-                  <div className="who">Marcus Chen</div>
-                  <div className="role">PROCUREMENT</div>
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Severity</span><span style={{ color: "var(--muted)" }}>LOCKED · POLICY-DRIVEN</span></div>
-            <input className="field-input locked" value="P1 · CRITICAL" readOnly />
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Message</span><span className="req">REQUIRED</span></div>
-            <textarea
-              className="field-input"
-              rows={4}
-              value={msg}
-              onChange={(e) => setMsg(e.target.value)}
-            />
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Citations to attach</span><span style={{ color: "var(--lime)" }}>✓ 4 GROUNDED</span></div>
-            <div className="cite-list">
-              <div className="cite"><span className="ck">✓</span><span className="src">notion.so/terms#4.2 · §4.2 Data Retention</span><span className="hash">8b2e…f94a</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">notion.so/pricing · §7.1 Plus Plan</span><span className="hash">d4a1…2c7b</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">internal · DPA §3.1 (Acme ⟷ Notion)</span><span className="hash">f9c3…81de</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">policy · severity-rules.yaml · v4</span><span className="hash">a3f9…d21c</span></div>
-            </div>
-          </div>
-
-          <div className="field" style={{ flexDirection: "row", gap: 14 }}>
-            <div className="field" style={{ flex: 1 }}>
-              <div className="field-label"><span>Owner</span></div>
-              <input className="field-input" value="Priya Natarajan" readOnly />
-            </div>
-            <div className="field" style={{ flex: 1 }}>
-              <div className="field-label"><span>Deadline</span></div>
-              <input className="field-input" value={deadline} onChange={(e) => setDeadline(e.target.value)} />
-            </div>
-          </div>
-
-        </div>
-
-        <div className="modal-foot">
-          <div className="left">
-            All actions logged · <b>4 citations</b> · agent-redline-v1.4
-          </div>
-          <div className="actions-row">
-            <button className="btn btn-ghost" onClick={() => dispatch({ type: "close-escalate" })}>Cancel</button>
-            <button className="btn btn-escalate" onClick={() => dispatch({ type: "confirm-escalate" })}>
-              ↑ ROUTE &amp; GENERATE BUNDLE →
-            </button>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, { EscalateModal });
diff --git a/apps/web/public/app/index.html b/apps/web/public/app/index.html
deleted file mode 100644
index ce2eefe..0000000
--- a/apps/web/public/app/index.html
+++ /dev/null
@@ -1,69 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8" />
-<meta name="redline-api-base" content="" />
-<meta name="redline-bearer" content="demo_token_acme_corp_2026" />
-<title>Unsyphn — Working Demo (Notion flow)</title>
-<link rel="stylesheet" href="tokens.css" />
-<link rel="stylesheet" href="app.css" />
-<link rel="stylesheet" href="app2.css" />
-<style>
-  html, body { margin: 0; padding: 0; background: #0A0A12; min-height: 100vh; }
-  #stage {
-    width: 100vw; height: 100vh;
-    display: flex; align-items: center; justify-content: center;
-    overflow: hidden;
-    background:
-      radial-gradient(ellipse 800px 500px at 80% -5%, rgba(91,160,240,0.18) 0%, transparent 60%),
-      radial-gradient(ellipse 800px 500px at 10% 90%, rgba(181,220,85,0.10) 0%, transparent 60%),
-      #06060C;
-  }
-  #stage-inner {
-    width: 1440px; height: 900px;
-    transform-origin: center center;
-  }
-</style>
-</head>
-<body>
-
-<div id="stage">
-  <div id="stage-inner">
-    <div id="root"></div>
-  </div>
-</div>
-
-<script src="https://unpkg.com/react@18.3.1/umd/react.development.js" integrity="sha384-hD6/rw4ppMLGNu3tX5cjIb+uRZ7UkRJ6BPkLpg4hAu/6onKUg4lLsHAs9EBPT82L" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/react-dom@18.3.1/umd/react-dom.development.js" integrity="sha384-u6aeetuaXnQ38mYT8rp6sbXaQe3NL9t+IBXmnYxwkUI2Hw4bsp2Wvmx4yRQF1uAm" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/@babel/standalone@7.29.0/babel.min.js" integrity="sha384-m08KidiNqLdpJqLq95G/LEi8Qvjl/xUYll3QILypMoQ65QorJ9Lvtp2RXYGBFj1y" crossorigin="anonymous"></script>
-
-<script type="text/babel" src="browser-window.jsx"></script>
-<script type="text/babel" src="brand.jsx"></script>
-<script type="text/babel" src="vendor-data.jsx"></script>
-<script type="text/babel" src="shared.jsx"></script>
-<script type="text/babel" src="screen-portfolio.jsx"></script>
-<script type="text/babel" src="screen-change.jsx"></script>
-<script type="text/babel" src="escalate.jsx"></script>
-<script type="text/babel" src="routing.jsx"></script>
-<script type="text/babel" src="screen-evidence.jsx"></script>
-<script type="text/babel" src="screen-onboarding.jsx"></script>
-<script type="text/babel" src="app.jsx"></script>
-
-<script defer src="live.js"></script>
-
-<script>
-  // Scale to fit any viewport
-  (function fit() {
-    const inner = document.getElementById('stage-inner');
-    const stage = document.getElementById('stage');
-    function resize() {
-      const s = Math.min(stage.clientWidth / 1440, stage.clientHeight / 900);
-      inner.style.transform = `scale(${s})`;
-    }
-    window.addEventListener('resize', resize);
-    resize();
-  })();
-</script>
-
-</body>
-</html>
diff --git a/apps/web/public/app/live.js b/apps/web/public/app/live.js
deleted file mode 100644
index da82b3e..0000000
--- a/apps/web/public/app/live.js
+++ /dev/null
@@ -1,187 +0,0 @@
-// Sidecar live layer for the static demo app.
-// Loaded AFTER the React/Babel pipeline finishes hydrating. Polls for the
-// FleetStats cards (rendered by shared.jsx), fetches the Unsyphn dashboard
-// summary, and patches the matching stat-val numbers in place — without
-// touching any JSX file.
-//
-// Strict contract:
-//   * No edits to any .jsx file.
-//   * Silent no-op if API unreachable or shape mismatched.
-//   * One window event emitted: `redline:live-summary` carrying the parsed body.
-//   * One window event emitted on failure: `redline:live-summary-error`.
-//
-// API base + bearer are read from <meta> tags so the same script works in
-// dev (localhost:8787) and on Vercel (proxied /v1).
-
-(function () {
-  "use strict";
-
-  function metaValue(name, fallback) {
-    var el = document.querySelector('meta[name="' + name + '"]');
-    return el && el.content ? el.content : fallback;
-  }
-
-  var API_BASE = metaValue("redline-api-base", "");
-  var BEARER   = metaValue("redline-bearer", "demo_token_acme_corp_2026");
-
-  // In dev, Vite serves the static demo on a different port than the API.
-  // Detect this: if no meta base is set and we're on a non-API port, point
-  // directly at the known API port.
-  if (!API_BASE && typeof window !== "undefined") {
-    var h = window.location.hostname;
-    var p = window.location.port;
-    // Port 4004 = vite dev server; API lives on 3005
-    if (p === "4004" || p === "5173" || p === "3000") {
-      API_BASE = window.location.protocol + "//" + h + ":3005";
-    }
-  }
-
-  var baseUrl   = (API_BASE || (typeof window !== "undefined" && window.location.origin) || "").replace(/\/+$/, "");
-  var SUMMARY_URL = baseUrl + "/v1/dashboard/summary";
-  var STREAM_URL  = baseUrl + "/v1/stream?token=" + encodeURIComponent(BEARER);
-
-  // Format helpers — keep numbers terse so they fit the existing tile size.
-  function compactUsd(value) {
-    if (value == null || isNaN(value)) return null;
-    if (value >= 1_000_000) return "$" + (value / 1_000_000).toFixed(1).replace(/\.0$/, "") + "M";
-    if (value >= 1_000) return "$" + Math.round(value / 1_000) + "k";
-    return "$" + Math.round(value);
-  }
-
-  function findStatByLabel(label) {
-    var nodes = document.querySelectorAll(".fleet .stat");
-    for (var i = 0; i < nodes.length; i++) {
-      var lbl = nodes[i].querySelector(".stat-label");
-      if (lbl && lbl.textContent.trim().toLowerCase() === label.toLowerCase()) {
-        return nodes[i];
-      }
-    }
-    return null;
-  }
-
-  function setVal(card, value) {
-    if (!card || value == null) return false;
-    var v = card.querySelector(".stat-val");
-    if (!v) return false;
-    v.textContent = String(value);
-    card.setAttribute("data-live", "1");
-    return true;
-  }
-
-  function setSub(card, value) {
-    if (!card || !value) return;
-    var s = card.querySelector(".stat-sub");
-    if (s) s.textContent = value;
-  }
-
-  function applySummary(summary) {
-    if (!summary || typeof summary !== "object") return 0;
-    var patched = 0;
-
-    var vendors = findStatByLabel("Vendors");
-    if (vendors && setVal(vendors, summary.vendorCount)) {
-      var rr = compactUsd(summary.annualRunRateUsd);
-      if (rr) setSub(vendors, "live · " + rr + " run-rate");
-      patched += 1;
-    }
-
-    var openChanges = findStatByLabel("P1 · critical");
-    if (openChanges && setVal(openChanges, summary.openChangeCount)) {
-      patched += 1;
-    }
-
-    return patched;
-  }
-
-  function waitForFleet(maxMs, cb) {
-    var deadline = Date.now() + maxMs;
-    function tick() {
-      var nodes = document.querySelectorAll(".fleet .stat");
-      if (nodes.length > 0) return cb(true);
-      if (Date.now() > deadline) return cb(false);
-      setTimeout(tick, 100);
-    }
-    tick();
-  }
-
-  function fetchSummary() {
-    return fetch(SUMMARY_URL, {
-      headers: {
-        Authorization: "Bearer " + BEARER,
-        Accept: "application/json",
-      },
-      mode: "cors",
-      credentials: "omit",
-    }).then(function (res) {
-      if (!res.ok) throw new Error("HTTP " + res.status);
-      return res.json();
-    });
-  }
-
-  function dispatchEvent(name, detail) {
-    try {
-      window.dispatchEvent(new CustomEvent(name, { detail: detail }));
-    } catch (_) {
-      // CustomEvent unsupported — silent.
-    }
-  }
-
-  function subscribeToStream() {
-    if (typeof EventSource === "undefined") return;
-    var es = new EventSource(STREAM_URL);
-
-    // On any named or unnamed message, re-fetch summary to keep stats fresh.
-    var REFRESH_EVENTS = ["scheduler.tick", "run.stage", "run.completed", "org.entitlements.changed"];
-    REFRESH_EVENTS.forEach(function (evtType) {
-      es.addEventListener(evtType, function (e) {
-        var payload = null;
-        try { payload = JSON.parse(e.data); } catch (_) {}
-        dispatchEvent("redline:stream-event", { type: evtType, payload: payload });
-        fetchSummary().then(function (summary) {
-          waitForFleet(1000, function (mounted) {
-            if (mounted) applySummary(summary);
-          });
-        }).catch(function () {});
-      });
-    });
-
-    es.onerror = function () {
-      // Reconnect is handled automatically by EventSource; no action needed.
-    };
-  }
-
-  function start() {
-    waitForFleet(5000, function (mounted) {
-      if (!mounted) {
-        dispatchEvent("redline:live-summary-error", { reason: "fleet-not-mounted" });
-        return;
-      }
-      fetchSummary()
-        .then(function (summary) {
-          var patched = applySummary(summary);
-          dispatchEvent("redline:live-summary", { summary: summary, patched: patched });
-          subscribeToStream();
-        })
-        .catch(function (err) {
-          dispatchEvent("redline:live-summary-error", { reason: String(err && err.message ? err.message : err) });
-          subscribeToStream();
-        });
-    });
-  }
-
-  // Export for tests
-  if (typeof module !== "undefined" && module.exports) {
-    module.exports = { applySummary: applySummary, compactUsd: compactUsd, findStatByLabel: findStatByLabel };
-  }
-  if (typeof window !== "undefined") {
-    window.__redlineLive = { applySummary: applySummary, compactUsd: compactUsd, findStatByLabel: findStatByLabel };
-  }
-
-  if (typeof document !== "undefined") {
-    if (document.readyState === "loading") {
-      document.addEventListener("DOMContentLoaded", start, { once: true });
-    } else {
-      start();
-    }
-  }
-})();
diff --git a/apps/web/public/app/routing.jsx b/apps/web/public/app/routing.jsx
deleted file mode 100644
index 2d4ab86..0000000
--- a/apps/web/public/app/routing.jsx
+++ /dev/null
@@ -1,40 +0,0 @@
-// routing.jsx — full-screen routing transition (streams log, auto-advances to evidence).
-// Pulls the log + title from VENDOR_DATA[activeVendor]; falls back to Notion's defaults.
-
-function RoutingTransition({ dispatch, vendorKey }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[vendorKey || "notion"] || DATA.notion || {};
-  const log = vendor.routingLog || [];
-  const title = vendor.routingTitle || <>Routing in progress…</>;
-
-  const [shown, setShown] = React.useState(0);
-
-  React.useEffect(() => {
-    if (shown >= log.length) {
-      const t = setTimeout(() => dispatch({ type: "finish-routing" }), 1100);
-      return () => clearTimeout(t);
-    }
-    const t = setTimeout(() => setShown((s) => s + 1), 220);
-    return () => clearTimeout(t);
-  }, [shown, dispatch, log.length]);
-
-  const visible = log.slice(0, shown);
-
-  return (
-    <div className="routing-screen">
-      <div className="routing-pulse" />
-      <h1 className="routing-title">{title}</h1>
-      <div className="routing-log">
-        {visible.map((l, i) => (
-          <div className={"line" + (i === visible.length - 1 ? " new" : "")} key={i}>
-            <span className="ts">{l.ts}</span>
-            <span className={"lvl " + l.lvl}>{l.lvl.toUpperCase()}</span>
-            <span className="msg">{l.msg}</span>
-          </div>
-        ))}
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, { RoutingTransition });
diff --git a/apps/web/public/app/screen-change.jsx b/apps/web/public/app/screen-change.jsx
deleted file mode 100644
index ebc35e5..0000000
--- a/apps/web/public/app/screen-change.jsx
+++ /dev/null
@@ -1,358 +0,0 @@
-// screen-change.jsx — ChangeReport detail screen.
-// Reads window.VENDOR_DATA[state.activeVendor]. Notion is the interactive
-// hero flow (P1 → ROUTED via state.notion); other vendors are pre-baked
-// in one of: open (P1/P2 unrouted), acknowledged (P1 already routed),
-// healthy (no recent diff).
-
-function ScreenChange({ state, dispatch }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[state.activeVendor];
-
-  if (!vendor) {
-    return (
-      <main className="main">
-        <div style={{ padding: 40, color: "var(--text-2)" }}>
-          Vendor not found.{" "}
-          <a href="#" onClick={(e) => { e.preventDefault(); dispatch({ type: "goto", screen: "portfolio" }); }}>
-            ← Back to portfolio
-          </a>
-        </div>
-      </main>
-    );
-  }
-
-  const isNotion = vendor.key === "notion";
-  const mode = isNotion
-    ? (state.notion === "ROUTED" ? "routed" : "open")
-    : (vendor.mode || "open");
-  const isRouted = mode === "routed";
-  const isAck = mode === "acknowledged";
-  const isHealthy = mode === "healthy";
-  const isWitnessed = isRouted || isAck;
-
-  const cr = vendor.cr || {};
-
-  const sevBadgeCls = isRouted ? "routed" : isAck ? "ack" : isHealthy ? "healthy" : vendor.sev;
-  const sevBadgeText = isRouted ? "✓ ROUTED · WITNESSED"
-    : isAck ? "✓ ACKNOWLEDGED · WITNESSED"
-    : isHealthy ? "✓ HEALTHY"
-    : `⚠ ${vendor.sevLabel} · ${vendor.sevLabel === "P1" ? "CRITICAL" : vendor.sevLabel === "P2" ? "REVIEW" : "NOTE"}`;
-
-  const ownerName = vendor.owner.name;
-  const crumbCurrent = cr.bundleId ? `CR · ${cr.bundleId}` : "CR · scan";
-
-  return (
-    <main className="main">
-      <div className="cr-shell">
-
-        {/* Crumbs */}
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="seg">{vendor.name}</span>
-            <span className="sep">›</span>
-            <span className="current">{crumbCurrent}</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={() => dispatch({ type: "goto", screen: "portfolio" })} title="Back">←</button>
-          </div>
-        </div>
-
-        {/* Vendor strip */}
-        <div className={"vendor-strip" + (isWitnessed ? " routed" : "")}>
-          <div className="vendor-logo-lg">{vendor.letter}</div>
-          <div className="vendor-id-block">
-            <div className="vendor-name-lg">{vendor.name}</div>
-            <div className="vendor-meta-row">
-              <span>{vendor.category}</span>
-              <span>TIER {vendor.tier}</span>
-              <span>OWNER · <strong>{ownerName}</strong></span>
-              <span>ANNUAL · <strong>{vendor.annual}</strong></span>
-              {vendor.seats > 0 && <span>SEATS · <strong>{vendor.seats}</strong></span>}
-            </div>
-          </div>
-          <div className="vendor-renew">
-            <div className="num">{vendor.renewsInDays}<small>d</small></div>
-            <div className="lbl">Until renewal</div>
-          </div>
-        </div>
-
-        <div className="cr-layout">
-
-          {/* Report card */}
-          <div className="report">
-            <div className="report-head">
-              <div className={"sev-badge " + sevBadgeCls}>{sevBadgeText}</div>
-              {(cr.categories || []).map((c) => (
-                <div className={"cat-chip " + c.toLowerCase().replace(/[^a-z]/g, "")} key={c}>{c}</div>
-              ))}
-            </div>
-            <h1 className={"report-title" + (isRouted ? " routed" : "")}>
-              {isRouted && cr.titleRouted ? cr.titleRouted : cr.titleOpen}
-            </h1>
-            <div className="report-detected">
-              {isRouted ? (
-                <>ROUTED · <strong>{cr.routedAt}</strong> · <strong>{cr.routedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations · BUNDLE · <strong>{cr.bundleId}</strong></>
-              ) : isAck ? (
-                <>ACKNOWLEDGED · <strong>{cr.acknowledgedAt}</strong> · <strong>{cr.acknowledgedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations · BUNDLE · <strong>{cr.bundleId}</strong></>
-              ) : isHealthy ? (
-                <>LAST SCAN · <strong>{cr.detectedAt}</strong> · <strong>{cr.detectedWhen}</strong> · BY · {cr.agent} · NO DIFF DETECTED</>
-              ) : (
-                <>DETECTED · <strong>{cr.detectedAt}</strong> · <strong>{cr.detectedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations validated</>
-              )}
-            </div>
-
-            {Array.isArray(cr.impacts) && cr.impacts.length > 0 && (
-              <div className="impact-strip">
-                {cr.impacts.map((imp, i) => (
-                  <div className={"impact-cell " + imp.cls} key={i}>
-                    <div className="lbl">{imp.lbl}</div>
-                    <div className="val">{imp.val}</div>
-                  </div>
-                ))}
-              </div>
-            )}
-
-            {Array.isArray(cr.diffs) && cr.diffs.map((d, i) => (
-              <div className="diff-block" key={i}>
-                <div className="diff-label">{d.label}</div>
-                <div className="diff-pair">
-                  <div className="clause before">
-                    <div className="clause-head">
-                      <span className="clause-lbl">− BEFORE</span>
-                      <span className="clause-when">{d.before.when}</span>
-                    </div>
-                    <p className="clause-text">{d.before.text}</p>
-                    <div className="clause-source">{d.before.source}</div>
-                  </div>
-                  <div className="clause after">
-                    <div className="clause-head">
-                      <span className="clause-lbl">+ AFTER</span>
-                      <span className="clause-when">{d.after.when}</span>
-                    </div>
-                    <p className="clause-text">{d.after.text}</p>
-                    <div className="clause-source">
-                      SOURCE · <a href="#" onClick={(e) => e.preventDefault()}>{d.after.sourceLink}</a>{d.after.sourceMeta}
-                    </div>
-                  </div>
-                </div>
-              </div>
-            ))}
-
-            {isHealthy && Array.isArray(cr.lastScannedSurfaces) && (
-              <div className="diff-block">
-                <div className="diff-label">Monitored surfaces · all stable</div>
-                <div className="clause after" style={{ width: "100%" }}>
-                  <div className="clause-head">
-                    <span className="clause-lbl">✓ STABLE</span>
-                    <span className="clause-when">LAST 14d</span>
-                  </div>
-                  <div style={{ fontFamily: "var(--font-mono)", fontSize: 12, color: "var(--text-2)", lineHeight: 1.9 }}>
-                    {cr.lastScannedSurfaces.map((s, i) => (
-                      <div key={i} style={{ display: "flex", gap: 16 }}>
-                        <span style={{ color: "var(--lime)" }}>✓</span>
-                        <span style={{ flex: 1 }}>{s.url}</span>
-                        <span style={{ opacity: 0.6 }}>{s.when}</span>
-                        <span style={{ color: "var(--text-2)" }}>{s.hash}</span>
-                      </div>
-                    ))}
-                  </div>
-                </div>
-              </div>
-            )}
-
-            <div className="recommendation">
-              <div className="reco-head">
-                {isRouted && cr.recoRouted ? cr.recoRouted.head
-                  : isAck && cr.recoRouted ? cr.recoRouted.head
-                  : cr.recoOpen && cr.recoOpen.head}
-              </div>
-              <p className="reco-text">
-                {isRouted && cr.recoRouted ? cr.recoRouted.text
-                  : isAck && cr.recoRouted ? cr.recoRouted.text
-                  : cr.recoOpen && cr.recoOpen.text}
-              </p>
-            </div>
-          </div>
-
-          {/* Side panels */}
-          <aside className="cr-side">
-
-            {!isHealthy && cr.policy && (
-              <div className="panel policy">
-                <div className="panel-head strawberry"><span className="dot" />{cr.policy.head}</div>
-                <div className="policy-name">{cr.policy.name}</div>
-                {(window.POLICY_YAML || {})[cr.policy.yamlKey] || null}
-                <div className="policy-meta">{cr.policy.meta}</div>
-              </div>
-            )}
-
-            {!isHealthy && Array.isArray(cr.actions) && cr.actions.length > 0 && (
-              <div className="panel routing">
-                <div className="panel-head bondi">
-                  <span className="dot" />
-                  Routed · {isWitnessed ? `${cr.actions.length} actions sent` : `${cr.actions.length} actions queued`}
-                </div>
-                {cr.actions.map((a, i) => (
-                  <div className="action-item" key={i}>
-                    <div className={"action-icon " + a.type}>{a.type.toUpperCase().slice(0, 2)}</div>
-                    <div className="action-detail">
-                      <div className="action-target">{a.target}</div>
-                      <div className="action-when">{isWitnessed ? a.sent : a.queued}</div>
-                    </div>
-                    <span className={"action-status" + (isWitnessed ? "" : " pending")}>
-                      {isWitnessed ? "SENT" : "QUEUED"}
-                    </span>
-                  </div>
-                ))}
-              </div>
-            )}
-
-            {vendor.bundle ? (
-              <div
-                className="panel evidence"
-                onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}
-                style={{ cursor: "pointer" }}
-              >
-                <div className="panel-head grape"><span className="dot" />Evidence · Bundle {vendor.bundle.id}</div>
-                <div className="ev-preview">
-                  <div className="ev-page-lines dark" />
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                  <div className="ev-snippet">
-                    <div className="line" />
-                    <div className="line" />
-                    <div className="line short" />
-                  </div>
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                </div>
-                <div style={{ fontSize: 12, color: "var(--text)", fontWeight: 500, position: "relative" }}>
-                  Bundle {vendor.bundle.id} · Witnessed
-                </div>
-                <div className="citation-row">
-                  <span className="cit-dot" />
-                  <span>{cr.citationCount}/{cr.citationCount} CITATIONS · LIVE · IMMUTABLE</span>
-                </div>
-                <div style={{ marginTop: 10, fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.10em", color: "var(--lime)", textTransform: "uppercase" }}>
-                  ▸ OPEN BUNDLE
-                </div>
-              </div>
-            ) : isNotion ? (
-              <div className="panel evidence">
-                <div className="panel-head grape"><span className="dot" />Evidence · Senso</div>
-                <div className="ev-preview">
-                  <div className="ev-page-lines dark" />
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                  <div className="ev-snippet">
-                    <div className="line" />
-                    <div className="line" />
-                    <div className="line short" />
-                  </div>
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                </div>
-                <div style={{ fontSize: 12, color: "var(--text)", fontWeight: 500, position: "relative" }}>
-                  CR-2026-0517 · Draft
-                </div>
-                <div className="citation-row">
-                  <span className="cit-dot" />
-                  <span>{cr.citationCount}/{cr.citationCount} CITATIONS · LIVE · IMMUTABLE</span>
-                </div>
-              </div>
-            ) : isHealthy ? (
-              <div className="panel evidence">
-                <div className="panel-head lime"><span className="dot" />Posture · stable</div>
-                <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.8, letterSpacing: "0.04em" }}>
-                  <div>SURFACES · <b style={{ color: "var(--text)" }}>{cr.lastScannedSurfaces?.length || 0}</b></div>
-                  <div>DIFF · <span style={{ color: "var(--lime)" }}>NONE</span></div>
-                  <div>RISK · <span style={{ color: "var(--lime)" }}>LOW</span></div>
-                  <div>NEXT SCAN · {cr.detectedAt}</div>
-                </div>
-              </div>
-            ) : (
-              <div className="panel evidence">
-                <div className="panel-head grape"><span className="dot" />Evidence · pending review</div>
-                <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.7 }}>
-                  Bundle generated on acknowledgement. {cr.citationCount} citations queued.
-                </div>
-              </div>
-            )}
-
-          </aside>
-        </div>
-
-      </div>
-
-      {/* Sticky action bar */}
-      <div className="actions-bar">
-        {isRouted ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-bondi" onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}>⊙ OPEN EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-            </div>
-            <div className="actions-row">
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ ROUTED · WITNESSED · {state.routeTime || "14:59:18 EST"}
-              </span>
-            </div>
-          </>
-        ) : isAck ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-bondi" onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}>⊙ OPEN EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-            </div>
-            <div className="actions-row">
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ ACKNOWLEDGED · {cr.acknowledgedAt}
-              </span>
-            </div>
-          </>
-        ) : isHealthy ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ POSTURE STABLE · next scan in 6h
-              </span>
-            </div>
-          </>
-        ) : isNotion ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-primary" onClick={() => dispatch({ type: "acknowledge" })}>✓ ACKNOWLEDGE</button>
-              <button className="btn btn-escalate" onClick={() => dispatch({ type: "open-escalate" })}>↑ ESCALATE TO LEGAL</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "snooze" })}>⏱ SNOOZE 48H</button>
-            </div>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "open-escalate" })}>⤓ GENERATE EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "open-copilot" })}>⊙ OPEN RENEGO COPILOT</button>
-            </div>
-          </>
-        ) : (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-primary" onClick={() => dispatch({ type: "acknowledge" })}>✓ ACKNOWLEDGE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "snooze" })}>⏱ SNOOZE 48H</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK</button>
-            </div>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "export-diff" })}>⤓ EXPORT DIFF</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "assign" })}>⊙ ASSIGN TO OWNER</button>
-            </div>
-          </>
-        )}
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenChange });
diff --git a/apps/web/public/app/screen-evidence.jsx b/apps/web/public/app/screen-evidence.jsx
deleted file mode 100644
index 5febc08..0000000
--- a/apps/web/public/app/screen-evidence.jsx
+++ /dev/null
@@ -1,201 +0,0 @@
-// screen-evidence.jsx — Evidence bundle preview (the generated artifact).
-// Pulls bundle data from VENDOR_DATA[state.activeVendor].bundle.
-
-function ScreenEvidence({ state, dispatch }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[state.activeVendor];
-
-  if (!vendor || !vendor.bundle) {
-    return (
-      <main className="main">
-        <div style={{ padding: 40, color: "var(--text-2)" }}>
-          No evidence bundle available for this vendor.{" "}
-          <a href="#" onClick={(e) => { e.preventDefault(); dispatch({ type: "goto", screen: "change" }); }}>
-            ← Back to change report
-          </a>
-        </div>
-      </main>
-    );
-  }
-
-  const b = vendor.bundle;
-  const crCrumb = vendor.cr.bundleId ? `${vendor.name} · ${vendor.cr.bundleId}` : vendor.name;
-
-  return (
-    <main className="main">
-      <div className="bundle-shell">
-
-        {/* Crumbs */}
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "change" })}>{crCrumb}</span>
-            <span className="sep">›</span>
-            <span className="current">Evidence Bundle</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={() => dispatch({ type: "goto", screen: "change" })} title="Back">←</button>
-          </div>
-        </div>
-
-        {/* Bundle header */}
-        <div className="bundle-strip">
-          <div className="seal-lg">{b.seal}</div>
-          <div className="id-block">
-            <div className="ttl">Evidence Bundle · {b.id}</div>
-            <div className="meta">
-              <span>{b.eyebrow}</span>
-              <span>SIGNED · <strong>{b.signedAt}</strong></span>
-              <span>WITNESSED · <strong>agent-redline-v1.4</strong></span>
-              <span>HASH · <strong>{b.hash}</strong></span>
-              <span>{(b.citations || []).length} CITATIONS · GROUNDED</span>
-            </div>
-          </div>
-          <div className="stamp">✓ WITNESSED</div>
-        </div>
-
-        <div className="bundle-layout">
-
-          {/* Document */}
-          <div className="bundle-doc">
-
-            <div className="bundle-cover">
-              <div className="eb">⌁ Evidence Bond · No. {b.id} ⌁</div>
-              <h1>UNSYPHN</h1>
-              <div className="sub">
-                {b.coverSubtitle}
-              </div>
-              <div className="meta-line">
-                <span><b>ISSUED</b> · MAY 22 2026</span>
-                <span><b>{vendor.sevLabel}</b> · {vendor.sev === "p1" ? "CRITICAL" : vendor.sev === "p2" ? "REVIEW" : "NOTE"}</span>
-                <span><b>BUNDLE</b> · {b.id}</span>
-                <span><b>WITNESS</b> · agent-redline-v1.4</span>
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">1</span>Clause diffs</h3>
-              <div className="body">
-                <p>
-                  {(b.miniDiffs || []).length === 1
-                    ? <>One clause on {vendor.name.toLowerCase()}'s monitored surfaces changed between snapshots:</>
-                    : <>{(b.miniDiffs || []).length} clauses on {vendor.name.toLowerCase()}'s monitored surfaces changed between snapshots:</>}
-                </p>
-                {(b.miniDiffs || []).map((pair, i) => (
-                  <div className="mini-diff" key={i}>
-                    {pair.map((mc, j) => (
-                      <div className={"mc " + mc.kind} key={j}>
-                        {mc.text}
-                        <div className="src">{mc.src}</div>
-                      </div>
-                    ))}
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">2</span>Policy fired</h3>
-              <div className="body">
-                <p>{b.policyBody}</p>
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">3</span>Routing trail</h3>
-              <div className="routing-trail">
-                {(b.trail || []).map((r, i) => (
-                  <div className="row" key={i}>
-                    <span className="ts">{r.ts}</span>
-                    <span className="msg">{r.msg}</span>
-                    <span className="ok">{r.status}</span>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">4</span>Citations · grounded</h3>
-              <div className="cite-list">
-                {(b.citations || []).map((c, i) => (
-                  <div className="cite" key={i}>
-                    <span className="ck">✓</span>
-                    <span className="src">{c.src}</span>
-                    <span className="hash">{c.hash}</span>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="signoff">
-              <div className="left">
-                — Witnessed by <b>agent-redline-v1.4</b><br/>
-                {b.signedAt} · grounded · routed · immutable
-              </div>
-              <div className="right">UNSYPHN</div>
-            </div>
-
-          </div>
-
-          {/* Side: TOC + actions */}
-          <aside className="cr-side">
-            <div className="toc-card">
-              <h4>Bundle contents · {b.sectionCount || 4} sections</h4>
-              <div className="toc-item"><span className="toc-num">1</span><span className="toc-ttl">Clause diffs</span><span className="toc-pages">{(b.miniDiffs || []).length || 1} pp.</span></div>
-              <div className="toc-item"><span className="toc-num">2</span><span className="toc-ttl">Policy fired</span><span className="toc-pages">1 p.</span></div>
-              <div className="toc-item"><span className="toc-num">3</span><span className="toc-ttl">Routing trail</span><span className="toc-pages">1 p.</span></div>
-              <div className="toc-item"><span className="toc-num">4</span><span className="toc-ttl">Citations</span><span className="toc-pages">1 p.</span></div>
-            </div>
-
-            <div className="panel evidence" style={{ marginTop: 0 }}>
-              <div className="panel-head lime"><span className="dot" />Witnessed</div>
-              <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.7, letterSpacing: "0.04em" }}>
-                <div>BUNDLE · <b style={{color:"var(--text)"}}>{b.id}</b></div>
-                <div>STATUS · <span style={{color:"var(--lime)"}}>SIGNED · GROUNDED</span></div>
-                <div>WITNESS · agent-redline-v1.4</div>
-                <div>HASH · {b.hash}</div>
-                <div>SIGNED · {b.signedAt}</div>
-                <div>IMMUTABLE · ✓</div>
-              </div>
-              <div style={{ display: "flex", flexDirection: "column", gap: 8, marginTop: 12 }}>
-                <button className="btn btn-primary" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "download-bundle" })}>⤓ Download PDF</button>
-                <button className="btn btn-ghost" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "share-audit" })}>✉ Share with audit</button>
-                <button className="btn btn-ghost" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "share-audit" })}>⊙ Copy share link</button>
-              </div>
-            </div>
-
-            <div className="panel routing" style={{ marginTop: 0 }}>
-              <div className="panel-head bondi"><span className="dot" />Next · auto-routed</div>
-              {(b.nextActions || []).map((a, i) => (
-                <div className="action-item" key={i}>
-                  <div className={"action-icon " + a.type}>{a.type.toUpperCase().slice(0, 2)}</div>
-                  <div className="action-detail">
-                    <div className="action-target">{a.target}</div>
-                    <div className="action-when">{a.when}</div>
-                  </div>
-                  <span className={"action-status" + (a.pending ? " pending" : "")}>{a.status}</span>
-                </div>
-              ))}
-            </div>
-          </aside>
-
-        </div>
-      </div>
-
-      {/* Action bar */}
-      <div className="actions-bar">
-        <div className="actions-row">
-          <button className="btn btn-primary" onClick={() => dispatch({ type: "download-bundle" })}>⤓ DOWNLOAD BUNDLE (PDF)</button>
-          <button className="btn btn-bondi" onClick={() => dispatch({ type: "share-audit" })}>✉ SHARE WITH AUDIT</button>
-          <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "change" })}>← BACK TO REPORT</button>
-        </div>
-        <div className="actions-row">
-          <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>↩ PORTFOLIO</button>
-        </div>
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenEvidence });
diff --git a/apps/web/public/app/screen-onboarding.jsx b/apps/web/public/app/screen-onboarding.jsx
deleted file mode 100644
index 3dcb4b4..0000000
--- a/apps/web/public/app/screen-onboarding.jsx
+++ /dev/null
@@ -1,351 +0,0 @@
-// screen-onboarding.jsx — Vendor onboarding tier selection (6H / 24H / 48H SLA)
-// Posts to POST /v1/vendors via the vite proxy. SLA tier → criticality tier
-// mapping is: 6H Express → 1 (critical), 24H Standard → 2 (material), 48H Basic → 3 (informational).
-
-// Bearer token sourced from the same meta tag live.js reads so it can be
-// rotated/overridden in one place (public/app/index.html line 7).
-function getBearerToken() {
-  if (typeof document === "undefined") return "";
-  const meta = document.querySelector('meta[name="redline-bearer"]');
-  return (meta && meta.getAttribute("content")) || "";
-}
-const DEMO_BEARER_TOKEN = getBearerToken();
-
-const OWNERS = [
-  { id: "usr_priya",  name: "Priya Natarajan" },
-  { id: "usr_marcus", name: "Marcus Chen" },
-  { id: "usr_lin",    name: "Lin Park" },
-  { id: "usr_jordan", name: "Jordan Wells" },
-  { id: "usr_ada",    name: "Ada Owens" },
-  { id: "usr_devon",  name: "Devon Rao" },
-];
-
-const DATA_CLASSES = [
-  { id: "pii",       label: "PII" },
-  { id: "phi",       label: "PHI" },
-  { id: "financial", label: "Financial" },
-  { id: "content",   label: "Content" },
-];
-
-const SLA_TO_CRITICALITY = { "6h": 1, "24h": 2, "48h": 3 };
-
-function ScreenOnboarding({ state, dispatch }) {
-  const [selected, setSelected]   = React.useState(state.onboardingTier || "24h");
-  const [name, setName]           = React.useState("");
-  const [homepage, setHomepage]   = React.useState("");
-  const [ownerId, setOwnerId]     = React.useState("usr_priya");
-  const [dataClasses, setDC]      = React.useState(["pii"]);
-  const [submitting, setSubmit]   = React.useState(false);
-  const [apiError, setApiError]   = React.useState(null);
-  const [discovered, setDiscover] = React.useState(null);
-
-  const tiers = [
-    {
-      id: "6h", role: "strawberry", sla: "6H", tagline: "Express",
-      name: "6-Hour Express", price: "$999", unit: "/ vendor / month",
-      desc: "For Tier-1, revenue-critical vendors. Sub-six-hour detection on every ToS, DPA, or sub-processor change.",
-      features: [
-        "6-hour SLA on change detection",
-        "Hourly diff scans, 24 / 7 / 365",
-        "Dedicated #redline-p1 escalation channel",
-        "Auto-route to on-call within 90 seconds",
-        "Compliance bundle on every change",
-        "Quarterly auditor walkthrough",
-      ],
-      eta: "FIRST SCAN IN ~6 MIN",
-    },
-    {
-      id: "24h", role: "bondi", sla: "24H", tagline: "Standard",
-      name: "24-Hour Standard", price: "$299", unit: "/ vendor / month",
-      desc: "The right default for most vendors. Daily monitoring with automated routing to owners.",
-      features: [
-        "24-hour SLA on change detection",
-        "Daily automated diff scans",
-        "Slack + email routing to owner",
-        "Quarterly evidence bundles",
-        "Standard 9-5 support",
-        "Vanta / Drata push every 90d",
-      ],
-      eta: "FIRST SCAN IN ~30 MIN",
-      recommended: true,
-    },
-    {
-      id: "48h", role: "lime", sla: "48H", tagline: "Basic",
-      name: "48-Hour Basic", price: "$99", unit: "/ vendor / month",
-      desc: "Lightweight coverage for low-priority and long-tail vendors. Routine checks, weekly digests.",
-      features: [
-        "48-hour SLA on change detection",
-        "Bi-daily routine scans",
-        "Weekly digest email to owner",
-        "Self-serve evidence export",
-        "Community support",
-        "Manual escalation only",
-      ],
-      eta: "FIRST SCAN IN ~2 HRS",
-    },
-  ];
-
-  const goBack = () => dispatch({ type: "goto", screen: "portfolio" });
-
-  const currentTier = tiers.find((t) => t.id === selected) || tiers[1];
-
-  function toggleDataClass(id) {
-    setDC((prev) => prev.includes(id) ? prev.filter((x) => x !== id) : [...prev, id]);
-  }
-
-  async function submit() {
-    setApiError(null);
-    setDiscover(null);
-
-    const trimmedName = name.trim();
-    const trimmedHomepage = homepage.trim();
-    if (trimmedName.length < 2) {
-      setApiError({ code: "validation-failed", message: "Vendor name must be at least 2 characters." });
-      return;
-    }
-    if (!/^https?:\/\//i.test(trimmedHomepage)) {
-      setApiError({ code: "validation-failed", message: "Homepage must start with http:// or https://" });
-      return;
-    }
-
-    setSubmit(true);
-    try {
-      const resp = await fetch("/v1/vendors", {
-        method: "POST",
-        headers: {
-          "Authorization": "Bearer " + DEMO_BEARER_TOKEN,
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify({
-          name: trimmedName,
-          homepageUrl: trimmedHomepage,
-          ownerId,
-          tier: SLA_TO_CRITICALITY[selected],
-          dataClasses,
-        }),
-      });
-
-      const text = await resp.text();
-      const json = text ? JSON.parse(text) : null;
-
-      if (!resp.ok) {
-        const err = (json && json.error) || { code: "unknown", message: "Request failed (HTTP " + resp.status + ")" };
-        setApiError(err);
-        if (err.code === "discovery-incomplete" && err.details) {
-          setDiscover({ found: err.details.found || {}, missing: err.details.missing || [] });
-        }
-        setSubmit(false);
-        return;
-      }
-
-      dispatch({
-        type: "vendor-onboarded",
-        tier: selected,
-        tierLabel: currentTier.sla,
-        name: json.name,
-        vendorId: json.id,
-        firstScanRunId: json.firstScanRunId,
-        discoveredUrls: json.discoveredUrls,
-      });
-    } catch (e) {
-      setApiError({ code: "network", message: e && e.message ? e.message : "Network error" });
-      setSubmit(false);
-    }
-  }
-
-  return (
-    <main className="main">
-      <div className="cr-shell">
-
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={goBack}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="current">Onboard vendor</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={goBack} title="Back to dashboard">←</button>
-            <button className="icon-btn" title="More">⋯</button>
-          </div>
-        </div>
-
-        <div className="onb-header">
-          <div className="onb-header-left">
-            <div className="eyebrow">STEP 1 OF 1 · CHOOSE SLA</div>
-            <h1 className="h1-hero onb-title">
-              Onboard a new <em className="accent-italic">vendor</em>.
-            </h1>
-            <p className="lead onb-sub">
-              Pick the detection SLA that matches the vendor&apos;s risk profile. You can re-tier any vendor later from the portfolio &mdash; this only changes scan cadence and routing.
-            </p>
-          </div>
-          <button className="btn-back-pill" onClick={goBack}>← Back to dashboard</button>
-        </div>
-
-        {apiError && (
-          <div className={"onb-alert " + (apiError.code === "discovery-incomplete" ? "warn" : "err")}>
-            <div className="onb-alert-head">
-              <span className="onb-alert-code">{apiError.code}</span>
-              <span>{apiError.message}</span>
-            </div>
-            {discovered && (
-              <div className="onb-alert-detail">
-                {discovered.missing.length > 0 && (
-                  <div>
-                    <span className="onb-alert-label">MISSING</span>
-                    {discovered.missing.map((m) => (
-                      <span key={m} className="onb-chip miss">{m}</span>
-                    ))}
-                  </div>
-                )}
-                {Object.keys(discovered.found).length > 0 && (
-                  <div>
-                    <span className="onb-alert-label">FOUND</span>
-                    {Object.keys(discovered.found).map((k) => (
-                      <span key={k} className="onb-chip ok">{k}</span>
-                    ))}
-                  </div>
-                )}
-              </div>
-            )}
-          </div>
-        )}
-
-        <div className="onb-fields">
-          <label className="onb-field">
-            <span className="onb-field-label">VENDOR NAME</span>
-            <input
-              type="text"
-              className="onb-input"
-              placeholder="e.g. Datadog, Notion, Stripe"
-              value={name}
-              onChange={(e) => setName(e.target.value)}
-              disabled={submitting}
-            />
-          </label>
-          <label className="onb-field">
-            <span className="onb-field-label">HOMEPAGE URL</span>
-            <input
-              type="url"
-              className="onb-input"
-              placeholder="https://vendor.com"
-              value={homepage}
-              onChange={(e) => setHomepage(e.target.value)}
-              disabled={submitting}
-            />
-          </label>
-          <label className="onb-field">
-            <span className="onb-field-label">OWNER</span>
-            <select
-              className="onb-input"
-              value={ownerId}
-              onChange={(e) => setOwnerId(e.target.value)}
-              disabled={submitting}
-            >
-              {OWNERS.map((o) => (
-                <option key={o.id} value={o.id}>{o.name}</option>
-              ))}
-            </select>
-          </label>
-          <div className="onb-field">
-            <span className="onb-field-label">DATA CLASSES</span>
-            <div className="onb-checkboxes">
-              {DATA_CLASSES.map((dc) => {
-                const on = dataClasses.includes(dc.id);
-                return (
-                  <button
-                    key={dc.id}
-                    type="button"
-                    className={"onb-chip-btn" + (on ? " on" : "")}
-                    onClick={() => toggleDataClass(dc.id)}
-                    disabled={submitting}
-                  >
-                    {on ? "✓ " : ""}{dc.label}
-                  </button>
-                );
-              })}
-            </div>
-          </div>
-        </div>
-
-        <div className="tier-grid">
-          {tiers.map((t) => {
-            const isSel = selected === t.id;
-            return (
-              <div
-                key={t.id}
-                className={
-                  "tier-card " + t.role +
-                  (isSel ? " is-selected" : "") +
-                  (t.recommended ? " is-recommended" : "")
-                }
-                onClick={() => !submitting && setSelected(t.id)}
-              >
-                {t.recommended && <div className="tier-badge">RECOMMENDED</div>}
-
-                <div className="tier-head">
-                  <div className="tier-sla">{t.sla}</div>
-                  <div className="tier-tagline">{t.tagline}</div>
-                </div>
-
-                <h2 className="h2 tier-name">{t.name}</h2>
-                <p className="tier-desc">{t.desc}</p>
-
-                <div className="tier-price-row">
-                  <span className="tier-price">{t.price}</span>
-                  <span className="tier-unit">{t.unit}</span>
-                </div>
-
-                <ul className="tier-features">
-                  {t.features.map((f, i) => (
-                    <li key={i}><span className="tier-check">✓</span>{f}</li>
-                  ))}
-                </ul>
-
-                <div className="tier-foot">
-                  <div className="tier-eta">{t.eta}</div>
-                  <div className={"tier-select-pill" + (isSel ? " on" : "")}>
-                    {isSel ? "✓ SELECTED" : "SELECT"}
-                  </div>
-                </div>
-              </div>
-            );
-          })}
-        </div>
-
-        <div className="onb-action-bar">
-          <div className="onb-action-summary">
-            <span className="onb-action-label">SELECTED TIER</span>
-            <span className="onb-action-value">
-              {currentTier.sla}
-              <span className="onb-action-dot"> · </span>
-              {currentTier.price}
-              <span className="onb-action-unit"> {currentTier.unit}</span>
-            </span>
-          </div>
-          <div className="onb-action-buttons">
-            <button
-              className="onb-btn ghost"
-              onClick={goBack}
-              disabled={submitting}
-            >
-              Cancel
-            </button>
-            <button
-              className="onb-btn primary"
-              onClick={submit}
-              disabled={submitting}
-            >
-              {submitting
-                ? <><span className="onb-spinner" /> Calling POST /v1/vendors…</>
-                : <>Onboard at {currentTier.sla} SLA →</>}
-            </button>
-          </div>
-        </div>
-
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenOnboarding });
diff --git a/apps/web/public/app/screen-portfolio.jsx b/apps/web/public/app/screen-portfolio.jsx
deleted file mode 100644
index 7333d5a..0000000
--- a/apps/web/public/app/screen-portfolio.jsx
+++ /dev/null
@@ -1,163 +0,0 @@
-// screen-portfolio.jsx — Portfolio screen
-// Reads every vendor from window.VENDOR_DATA. Every card is clickable —
-// clicking jumps the change screen to that vendor's CR. Notion stays the
-// hero flow (P1 → ROUTED via state.notion); other vendors carry their
-// own pre-baked state.
-
-function ScreenPortfolio({ state, dispatch }) {
-  const notionState = state.notion; // "P1" | "ROUTED"
-  const DATA = window.VENDOR_DATA || {};
-  const ORDER = window.VENDOR_ORDER || Object.keys(DATA);
-
-  // Build portfolio cards from VENDOR_DATA. Notion's display swaps on routed.
-  const vendors = ORDER.map((k) => {
-    const v = DATA[k];
-    if (!v) return null;
-    const isNotion = k === "notion";
-    const routed = isNotion && notionState === "ROUTED";
-    return {
-      key: k,
-      letter: v.letter,
-      name: v.name,
-      meta: v.meta,
-      sev: routed ? "routed" : v.sev,
-      sevLabel: routed ? "ROUTED" : v.sevLabel,
-      lastChange: routed
-        ? { label: "now · ROUTED TO LEGAL", cls: "live" }
-        : v.lastChange,
-      renews: { label: v.renewsLabel, cls: v.renewsCls },
-      annual: v.annual,
-      chips: v.dataClasses,
-      owner: v.owner,
-    };
-  }).filter(Boolean);
-
-  // Activity feed — pull from every vendor that has an `activity` entry.
-  // The routed "just now" row sits on top of Notion's normal row when state.notion === ROUTED.
-  const baseActivity = ORDER
-    .map((k) => DATA[k])
-    .filter((v) => v && v.activity)
-    .map((v) => ({
-      ...v.activity,
-      v: v.name,
-      key: v.key,
-      clickable: true,
-    }));
-
-  // Slack as a P3 footer row — passive entry only (no full CR view).
-  baseActivity.push({
-    sev: "p3", v: "Slack", w: "1d",
-    title: "SOC2 Type II refreshed · 2026 report",
-    meta: "SECURITY", impact: "CLEARED", impactCls: "out",
-    clickable: false,
-  });
-
-  const activity = notionState === "ROUTED"
-    ? [
-        { sev: "routed", v: "Notion", w: "just now",
-          title: "ROUTED to Priya N. · Bundle RL·4839 generated",
-          meta: "ESCALATED · LEGAL", impact: "WITNESSED", impactCls: "out",
-          key: "notion", clickable: true, gotoBundle: true },
-        ...baseActivity,
-      ]
-    : baseActivity;
-
-  const openVendor = (key) => dispatch({ type: "open-vendor", vendor: key });
-  const openBundle = (key) => dispatch({ type: "open-vendor-bundle", vendor: key });
-
-  return (
-    <main className="main">
-      <TopBar
-        title="Portfolio"
-        when="FRIDAY · MAY 22 2026 · 14:42 EST"
-        right={
-          <>
-            <div className="scan-pill"><span className="dot" />8 SCANNING NOW</div>
-            <div className={"scan-pill" + (notionState === "P1" ? " alert" : "")}>
-              {notionState === "P1" ? "3 P1 ACTIVE" : "2 P1 ACTIVE · 1 ROUTED"}
-            </div>
-          </>
-        }
-      />
-
-      <ScanStrip />
-      <FleetStats state={state} />
-
-      <div className="portfolio-grid">
-        <div>
-          <div className="sec-head">
-            <h2 className="sec-title">The <em>fleet</em></h2>
-            <span className="sec-action">VIEW ALL 27 →</span>
-          </div>
-          <div className="vendors">
-            {vendors.map((v) => (
-              <div
-                className={"vendor " + v.sev}
-                key={v.key}
-                onClick={() => openVendor(v.key)}
-                style={{ cursor: "pointer" }}
-              >
-                <div className="vendor-head">
-                  <div className="vendor-id">
-                    <div className="vendor-logo">{v.letter}</div>
-                    <div>
-                      <div className="vendor-name">{v.name}</div>
-                      <div className="vendor-meta">{v.meta}</div>
-                    </div>
-                  </div>
-                  <div className={"sev " + v.sev}>{v.sevLabel}</div>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Last change</span>
-                  <span className={"val " + (v.lastChange.cls || "")}>{v.lastChange.label}</span>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Renews</span>
-                  <span className={"val " + (v.renews.cls || "")}>{v.renews.label}</span>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Annual</span>
-                  <span className="val">{v.annual}</span>
-                </div>
-                <div className="vendor-tags">
-                  {v.chips.map((c) => <span className={"chip " + c} key={c}>{c}</span>)}
-                  <div className={"owner-av " + v.owner.cls}>{v.owner.initials}</div>
-                </div>
-              </div>
-            ))}
-          </div>
-        </div>
-
-        <aside className="activity">
-          <div className="activity-head">
-            <span className="title">Recent activity</span>
-            <span className="filter">ALL · LAST 48H</span>
-          </div>
-          {activity.map((a, i) => (
-            <div
-              className="activity-item"
-              key={i}
-              onClick={a.clickable
-                ? (a.gotoBundle ? () => openBundle(a.key) : () => openVendor(a.key))
-                : undefined}
-              style={a.clickable ? { cursor: "pointer" } : undefined}
-            >
-              <div className="activity-row">
-                <span className={"activity-sev " + a.sev}>{a.sev === "routed" ? "✓" : a.sev.toUpperCase()}</span>
-                <span className="activity-vendor">{a.v}</span>
-                <span className="activity-when">{a.w}</span>
-              </div>
-              <div className="activity-title">{a.title}</div>
-              <div className="activity-meta">
-                <span>{a.meta}</span>
-                <span className={"impact " + a.impactCls}>{a.impact}</span>
-              </div>
-            </div>
-          ))}
-        </aside>
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenPortfolio });
diff --git a/apps/web/public/app/shared.jsx b/apps/web/public/app/shared.jsx
deleted file mode 100644
index 76ac4d5..0000000
--- a/apps/web/public/app/shared.jsx
+++ /dev/null
@@ -1,142 +0,0 @@
-// shared.jsx — sidebar, topbar, scan strip, fleet stats, activity feed
-// All consume `state` (read-only) and `dispatch` (navigation/mutations) from app.jsx.
-
-function Sidebar({ active, dispatch, state }) {
-  const screenMap = { portfolio: "portfolio", changes: "change", evidence: "evidence" };
-  const [flashKey, setFlashKey] = React.useState(null);
-
-  React.useEffect(() => {
-    if (!document.getElementById("unsyphn-nav-flash-style")) {
-      const s = document.createElement("style");
-      s.id = "unsyphn-nav-flash-style";
-      s.textContent = ".nav-item-flash { background: var(--surface-2, rgba(255,255,255,0.08)) !important; opacity: 0.6; transition: opacity 0.15s; }";
-      document.head.appendChild(s);
-    }
-  }, []);
-
-  const items = [
-    { key: "portfolio",   label: "Portfolio",   count: "27",     section: "Workspace" },
-    { key: "changes",     label: "Changes",     count: state.notion === "P1" ? "3 P1" : "2 P1", alert: state.notion === "P1", section: "Workspace" },
-    { key: "renewals",    label: "Renewals",    count: "8",      section: "Workspace" },
-    { key: "policies",    label: "Policies",    count: "14",     section: "Workspace" },
-    { key: "evidence",    label: "Evidence",    count: state.evidenceCount || "432", section: "Workspace" },
-    { key: "procurement", label: "Procurement", section: "Views" },
-    { key: "legal",       label: "Legal Ops",   section: "Views" },
-    { key: "grc",         label: "Security · GRC", section: "Views" },
-    { key: "finance",     label: "Finance",     section: "Views" },
-  ];
-  let lastSection = null;
-  return (
-    <nav className="sidebar">
-      <div className="brand-row">
-        <UnsyphnMark size={24} />
-      </div>
-      {items.map((it) => {
-        const sec = it.section !== lastSection ? (lastSection = it.section, it.section) : null;
-        const hasScreen = screenMap[it.key] !== undefined;
-        return (
-          <React.Fragment key={it.key}>
-            {sec && <div className="nav-section-label">{sec}</div>}
-            <div
-              className={
-                "nav-item" +
-                (it.key === active ? " is-active" : "") +
-                (it.alert ? " alert" : "") +
-                (flashKey === it.key ? " nav-item-flash" : "")
-              }
-              style={hasScreen ? undefined : { cursor: "not-allowed" }}
-              onClick={() => {
-                if (hasScreen) {
-                  dispatch({ type: "goto", screen: screenMap[it.key] });
-                } else {
-                  setFlashKey(it.key);
-                  setTimeout(() => setFlashKey(null), 600);
-                }
-              }}
-            >
-              <span>{it.label}</span>
-              {it.count && <span className="count">{it.count}</span>}
-            </div>
-          </React.Fragment>
-        );
-      })}
-      <div className="nav-spacer" />
-      <div className="nav-org">
-        <div className="org-name">Acme Holdings</div>
-        <div className="org-meta">ENTERPRISE · US-EAST</div>
-      </div>
-    </nav>
-  );
-}
-
-function TopBar({ title, when, right }) {
-  return (
-    <div className="topbar">
-      <div className="topbar-left">
-        <h1>{title}</h1>
-        <div className="when">{when}</div>
-      </div>
-      <div className="topbar-right">
-        {right}
-        <div className="user-avatar">PN</div>
-      </div>
-    </div>
-  );
-}
-
-function ScanStrip() {
-  // Two copies for seamless tick loop
-  const items = [
-    { v: "Notion",  t: "terms.notion.so",        w: "scanning · 14:42:18", live: true },
-    { v: "Stripe",  t: "stripe.com/dpa",          w: "scanning · 14:42:14", live: true },
-    { v: "Datadog", t: "subprocessors.datadog",   w: "scanning · 14:42:09", live: true },
-    { v: "Linear",  t: "linear.app/security",     w: "queued · next 30s" },
-    { v: "AWS",     t: "aws.amazon.com/pricing",  w: "queued · next 60s" },
-    { v: "Figma",   t: "figma.com/legal/sla",     w: "14:41:55 · no diff" },
-    { v: "Vercel",  t: "vercel.com/legal/terms",  w: "14:41:42 · no diff" },
-    { v: "Slack",   t: "slack.com/trust/security", w: "14:41:30 · diff" },
-  ];
-  const all = [...items, ...items];
-  return (
-    <div className="scan-strip">
-      <div className="scan-strip-label"><span className="dot pulse live-dot" />LIVE</div>
-      <div className="scan-track">
-        {all.map((it, i) => (
-          <div className="scan-item" key={i}>
-            <span className="vendor">{it.v}</span>
-            <span className="target">{it.t}</span>
-            <span className="when">{it.w}</span>
-          </div>
-        ))}
-      </div>
-    </div>
-  );
-}
-
-function FleetStats({ state }) {
-  const p1Count = state.notion === "P1" ? 3 : 2;
-  const cards = [
-    { role: "aqua",       lbl: "Vendors",        val: "27",  sub: "↑ 2 added this Q" },
-    { role: "bondi",      lbl: "Scanning",       val: "8",   sub: "↑ live polling now" },
-    { role: "tangerine",  lbl: "P2 · pending",   val: "5",   sub: "2 owners untouched 48h" },
-    { role: "grape",      lbl: "Sub-proc Δ",     val: "11",  sub: "1 in non-adequate jurisd." },
-    { role: "strawberry", lbl: "P1 · critical",  val: String(p1Count), sub: state.notion === "P1" ? "↑ $42k at risk" : "↓ $28k routed" },
-    { role: "lime",       lbl: "Healthy",        val: "19",  sub: "no action needed" },
-  ];
-  return (
-    <div className="fleet">
-      {cards.map((c, i) => (
-        <div className={"stat " + c.role} key={i}>
-          <div className="stat-head">
-            <span className="stat-label">{c.lbl}</span>
-            <span className="stat-dot" />
-          </div>
-          <div className="stat-val">{c.val}</div>
-          <div className="stat-sub">{c.sub}</div>
-        </div>
-      ))}
-    </div>
-  );
-}
-
-Object.assign(window, { Sidebar, TopBar, ScanStrip, FleetStats });
diff --git a/apps/web/public/app/tokens.css b/apps/web/public/app/tokens.css
deleted file mode 100644
index 615c884..0000000
--- a/apps/web/public/app/tokens.css
+++ /dev/null
@@ -1,215 +0,0 @@
-/* =============================================================
-   REDLINE · colors_and_type.css
-   The full token system — colors, type, spacing, radii, motion.
-   Drop this into any HTML file and use the vars below.
-   ============================================================= */
-
-/* Font imports — Inter is shipped locally (variable, opsz + wght);
-   Bricolage Grotesque (display) and JetBrains Mono + Instrument Serif
-   are still pulled from Google Fonts until the team uploads replacements. */
-@import url("https://fonts.googleapis.com/css2?family=Bricolage+Grotesque:opsz,wght@12..96,400;12..96,500;12..96,600;12..96,700&family=JetBrains+Mono:wght@400;500;600&family=Instrument+Serif:ital@0;1&display=swap");
-
-@font-face {
-  font-family: "Inter";
-  src: url("fonts/Inter-VariableFont_opsz_wght.ttf") format("truetype-variations");
-  font-weight: 100 900;
-  font-style: normal;
-  font-display: swap;
-}
-@font-face {
-  font-family: "Inter";
-  src: url("fonts/Inter-Italic-VariableFont_opsz_wght.ttf") format("truetype-variations");
-  font-weight: 100 900;
-  font-style: italic;
-  font-display: swap;
-}
-
-:root {
-  /* ── ROLE COLORS · the spine ─────────────────────────────────
-     The same six hues mean the same six things across the system.
-     ──────────────────────────────────────────────────────────── */
-  --aqua:        #5BA0F0;   /* Navigation, vendor base, neutral data */
-  --bondi:       #2BCAE8;   /* Live monitoring — scanning, polling */
-  --tangerine:   #FF9540;   /* P2 severity, pending owner action */
-  --grape:       #A097D8;   /* Sub-processor / data class (PII, PHI) */
-  --strawberry:  #F46688;   /* P1 severity — critical, at-risk */
-  --lime:        #B5DC55;   /* P3 / resolved / acknowledged / healthy */
-
-  /* Soft variants — 10% alpha for tinted backgrounds */
-  --aqua-soft:        rgba(91, 160, 240, 0.10);
-  --bondi-soft:       rgba(43, 202, 232, 0.10);
-  --tangerine-soft:   rgba(255, 149, 64, 0.10);
-  --grape-soft:       rgba(160, 151, 216, 0.10);
-  --strawberry-soft:  rgba(244, 102, 136, 0.10);
-  --lime-soft:        rgba(181, 220, 85, 0.10);
-
-  /* Glow variants — 30–32% alpha for box-shadow halos */
-  --aqua-glow:        rgba(91, 160, 240, 0.30);
-  --bondi-glow:       rgba(43, 202, 232, 0.32);
-  --tangerine-glow:   rgba(255, 149, 64, 0.30);
-  --grape-glow:       rgba(160, 151, 216, 0.30);
-  --strawberry-glow:  rgba(244, 102, 136, 0.30);
-  --lime-glow:        rgba(181, 220, 85, 0.32);
-
-  /* ── AURORA SURFACES · solid, dense, working ─────────────── */
-  --bg:           #0A0A12;   /* page background, under the sky wash */
-  --surface:      #14141E;   /* primary card surface */
-  --surface-2:    #1E1E2A;   /* nested surface, input fields */
-  --surface-3:    #28283A;   /* hover / pressed state */
-
-  --border:        #2A2A3A;
-  --border-strong: #3F3F50;
-  --hairline:      rgba(255, 255, 255, 0.06);
-
-  /* ── HALO SURFACES · translucent, refractive, marketing ──── */
-  --surface-tint:   rgba(255, 255, 255, 0.04);
-  --glass-border:   rgba(255, 255, 255, 0.10);
-  --glass-inset:    rgba(255, 255, 255, 0.10);  /* the inset top edge */
-  --glass-specular: rgba(255, 255, 255, 0.08);  /* the ::before strip */
-
-  /* ── TEXT ─────────────────────────────────────────────── */
-  --muted:        #6E6E80;
-  --text-2:       #B0B0C0;
-  --text:         #ECECF5;
-  --text-strong:  #FFFFFF;
-
-  /* Dark text-on-color (button labels on lime/strawberry) */
-  --on-lime:       #0F1A05;
-  --on-strawberry: #2A0612;
-  --on-tangerine:  #2B1505;
-  --on-bondi:      #04212B;
-
-  /* ── FONT FAMILIES · three jobs, never substitute ───────── */
-  --font-display: "Bricolage Grotesque", -apple-system, BlinkMacSystemFont, sans-serif;
-  --font-text:    "Inter", -apple-system, BlinkMacSystemFont, sans-serif;
-  --font-mono:    "JetBrains Mono", ui-monospace, monospace;
-  --font-serif:   "Instrument Serif", ui-serif, Georgia, serif;
-
-  /* ── TYPE SCALE · vertical rhythm ───────────────────────── */
-  --text-xs:   0.75rem;     /* 12px — mono labels, eyebrows */
-  --text-sm:   0.875rem;    /* 14px — small UI, secondary text */
-  --text-base: 0.9375rem;   /* 15px — body */
-  --text-lg:   1.0625rem;   /* 17px — lead paragraphs */
-  --text-xl:   1.375rem;    /* 22px — h2 / card titles */
-  --text-2xl:  2rem;        /* 32px — h1 small */
-  --text-3xl:  2.75rem;     /* 44px — h1 hero */
-  --text-4xl:  4rem;        /* 64px — display */
-  --text-5xl:  6.5rem;      /* 104px — rainbow hero (Halo only) */
-
-  /* ── SPACING · 4px base ─────────────────────────────────── */
-  --space-1: 4px;   --space-2: 8px;   --space-3: 12px;
-  --space-4: 16px;  --space-5: 24px;  --space-6: 36px;
-  --space-7: 56px;  --space-8: 80px;
-
-  /* ── RADII ─────────────────────────────────────────────── */
-  --radius-sm:   6px;     /* inline chips, code */
-  --radius-md:   10px;    /* buttons, inputs, small cards */
-  --radius-lg:   16px;    /* primary cards, panels */
-  --radius-xl:   24px;    /* hero cards, the centerpiece */
-  --radius-2xl:  32px;    /* Halo hero only */
-  --radius-full: 999px;   /* pills, badges, the action bar */
-
-  /* ── MOTION ─────────────────────────────────────────────── */
-  --ease:        cubic-bezier(0.22, 1, 0.36, 1);
-  --ease-spring: cubic-bezier(0.34, 1.45, 0.64, 1);
-  --dur-fast: 200ms;
-  --dur-base: 400ms;
-  --dur-slow: 700ms;
-
-  /* ── ELEVATION · used sparingly ─────────────────────────── */
-  --shadow-card:    0 8px 32px rgba(0, 0, 0, 0.20);
-  --shadow-floating: 0 16px 48px rgba(0, 0, 0, 0.30);
-  /* Halo cards also get inset 0 1px 0 rgba(255,255,255,0.10) */
-}
-
-/* =============================================================
-   SEMANTIC TYPE STYLES
-   ============================================================= */
-.h-hero,
-.h1-hero {
-  font-family: var(--font-display);
-  font-size: var(--text-3xl);
-  font-weight: 500;
-  letter-spacing: -0.04em;
-  line-height: 1.05;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 96;
-}
-.h1 {
-  font-family: var(--font-display);
-  font-size: var(--text-2xl);
-  font-weight: 500;
-  letter-spacing: -0.025em;
-  line-height: 1.1;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 48;
-}
-.h2 {
-  font-family: var(--font-display);
-  font-size: var(--text-xl);
-  font-weight: 500;
-  letter-spacing: -0.018em;
-  line-height: 1.2;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 32;
-}
-.h3 {
-  font-family: var(--font-display);
-  font-size: 1.125rem;   /* 18px */
-  font-weight: 600;
-  letter-spacing: -0.012em;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 24;
-}
-.lead {
-  font-family: var(--font-text);
-  font-size: var(--text-lg);
-  font-weight: 400;
-  line-height: 1.5;
-  color: var(--text);
-}
-.p, p {
-  font-family: var(--font-text);
-  font-size: var(--text-base);
-  font-weight: 400;
-  line-height: 1.55;
-  color: var(--text);
-}
-.small {
-  font-family: var(--font-text);
-  font-size: var(--text-sm);
-  color: var(--text-2);
-}
-.eyebrow {
-  font-family: var(--font-mono);
-  font-size: var(--text-xs);
-  font-weight: 500;
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  color: var(--muted);
-}
-.mono,
-.code,
-code {
-  font-family: var(--font-mono);
-  font-size: 0.8125rem;   /* 13px */
-  font-feature-settings: "tnum" 1, "zero" 1;
-  color: var(--text);
-}
-.num,
-.numeric {
-  font-feature-settings: "tnum" 1, "zero" 1;
-}
-.accent-italic {
-  font-family: var(--font-serif);
-  font-style: italic;
-  font-weight: 400;
-}
-
-/* Universal: every number gets tabular */
-.tabular,
-[data-numeric],
-.stat-val,
-.impact-cell .val {
-  font-feature-settings: "tnum" 1, "zero" 1;
-}
diff --git a/apps/web/public/app/vendor-data.jsx b/apps/web/public/app/vendor-data.jsx
deleted file mode 100644
index 27ee555..0000000
--- a/apps/web/public/app/vendor-data.jsx
+++ /dev/null
@@ -1,578 +0,0 @@
-// vendor-data.jsx — central registry for every vendor in the demo.
-// Each vendor record carries everything the portfolio / change / evidence
-// screens need to render. Notion stays the interactive hero flow
-// (P1 → escalate → ROUTED). Other vendors are pre-baked in different
-// states (acknowledged, snoozed, healthy) and render as read-only.
-
-const VENDOR_DATA = {
-
-  // ─────────────────────────────────────────────────────────
-  // NOTION — the hero flow (P1, interactive escalate)
-  // ─────────────────────────────────────────────────────────
-  notion: {
-    key: "notion",
-    letter: "N",
-    name: "Notion",
-    category: "DOCS · COLLAB",
-    meta: "DOCS · TIER 1",
-    tier: 1,
-    sev: "p1",
-    sevLabel: "P1",
-    owner: { initials: "PN", cls: "b", name: "Priya Natarajan", role: "LEGAL COUNSEL" },
-    secondary: { initials: "MC", cls: "tangerine", name: "Marcus Chen", role: "PROCUREMENT" },
-    annual: "$184,200",
-    annualUsd: 184200,
-    seats: 847,
-    renewsInDays: 42,
-    renewsLabel: "42 DAYS",
-    renewsCls: "warn",
-    dataClasses: ["pii", "source"],
-    interactive: true,
-    lastChange: { label: "17m ago · DATA · PRICING", cls: "crit" },
-    activity: {
-      sev: "p1", when: "17m",
-      title: "Data retention shrinks 90→30d, per-seat +18%",
-      meta: "DATA · PRICING", impact: "+$28.4k/yr", impactCls: "in",
-    },
-    cr: {
-      bundleId: "RL·4839",
-      categories: ["DATA", "PRICING"],
-      titleOpen: <>Data retention <em>shrinks</em> from 90 to 30 days. Per-seat pricing rises 18%.</>,
-      titleRouted: <>Routed to Legal. Negotiation packet <em>witnessed</em> and signed.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "17 minutes ago",
-      routedAt: "2026-05-22 · 14:59 EST",
-      routedWhen: "just now",
-      agent: "agent-redline-v1.4",
-      citationCount: 4,
-      impacts: [
-        { lbl: "$ Impact · annual", val: "+$28,400", cls: "dollar" },
-        { lbl: "Per-seat change", val: "+18% / 30d", cls: "delta" },
-        { lbl: "Compliance", val: "GDPR · Art 5(1)e", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · §4.2 Data Retention",
-          before: {
-            when: "SNAPSHOT · MAR 18 2026",
-            text: <>"Workspace owners may request export and deletion of all user content at any time.
-                  Notion will retain backup copies for <strong>ninety (90) days</strong> following deletion,
-                  after which content is permanently erased from all systems."</>,
-            source: "SOURCE · notion.so/terms#4.2 · FETCHED 2026-03-18 09:14 UTC · HASH a3f9…d21c",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Workspace owners may request export and deletion of all user content at any time.
-                  Notion will retain backup copies for <strong>thirty (30) days</strong> following deletion,
-                  after which content is permanently erased from all systems."</>,
-            sourceLink: "notion.so/terms#4.2",
-            sourceMeta: " · FETCHED 2026-05-22 14:42 UTC · HASH 8b2e…f94a",
-          },
-        },
-        {
-          label: "Change · §7.1 Plus Plan Pricing",
-          before: {
-            when: "SNAPSHOT · MAR 18 2026",
-            text: <>"Plus plan: <strong>$10 per member per month</strong>, billed annually.
-                  Includes unlimited blocks, file uploads up to 5 GB, and 30-day version history."</>,
-            source: "SOURCE · notion.so/pricing · FETCHED 2026-03-18 09:14 UTC",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Plus plan: <strong>$11.80 per member per month</strong>, billed annually.
-                  Includes unlimited blocks, file uploads up to 5 GB, and 30-day version history."</>,
-            sourceLink: "notion.so/pricing",
-            sourceMeta: " · FETCHED 2026-05-22 14:42 UTC",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Price ↑ >10% within 90d of renewal → P1 to Procurement",
-        meta: "AUTHOR · Maya A. · GRC LEAD · v4 · 2026-04-12",
-        yamlKey: "pricing",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @priya",          queued: "queued · awaits escalation", sent: "14:59:02 · delivered" },
-        { type: "jira",   target: "PROC-2104",            queued: "queued",                     sent: "14:59:03 · assigned" },
-        { type: "cal",    target: "Renewal call · Jun 24", queued: "queued",                     sent: "14:59:04 · 4 invitees" },
-        { type: "email",  target: "Renego draft · ready", queued: "queued",                     sent: "14:59:05 · 3 versions" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Renewal is in <strong>42 days</strong>. The compounded retention shrinkage and price
-              increase are <em>both negotiable</em> at this stage. Generate the renegotiation packet
-              to push back on retention to 60d as a minimum (industry standard), and lock pricing at
-              the prior $10/seat for the renewal term. Estimated leverage: <strong>$28,400/yr saved</strong> on
-              price alone; retention recovery maps to <strong>SOC2 CC6.5</strong> and <strong>GDPR Art 5(1)e</strong>.</>,
-      },
-      recoRouted: {
-        head: "Outcome · Routed",
-        text: <>Routed to <strong>Priya Natarajan</strong> (Legal) and <strong>Marcus Chen</strong> (Procurement). The
-              renegotiation packet has been <em>generated</em> and witnessed — see Bundle RL·4839.
-              4 actions dispatched: Slack DM, Jira PROC-2104, calendar invite for Jun 24, draft email
-              with three negotiation positions. Deadline: 2026-05-29.</>,
-      },
-    },
-    bundle: {
-      id: "RL·4839",
-      seal: "US",
-      signedAt: "2026-05-22 · 14:59:08 EST",
-      hash: "8b2e…f94a",
-      eyebrow: "NOTION · CR · DATA + PRICING",
-      coverSubtitle: <>Notion · data retention &amp; pricing change · <em>witnessed</em></>,
-      sectionCount: 4,
-      miniDiffs: [
-        [
-          { kind: "b", text: <>"…will retain backup copies for <strong>ninety (90) days</strong> following deletion…"</>, src: "SOURCE · notion.so/terms#4.2 · 2026-03-18 · HASH a3f9…d21c" },
-          { kind: "a", text: <>"…will retain backup copies for <strong>thirty (30) days</strong> following deletion…"</>, src: "SOURCE · notion.so/terms#4.2 · 2026-05-22 · HASH 8b2e…f94a" },
-        ],
-        [
-          { kind: "b", text: <>"Plus plan: <strong>$10 per member per month</strong>, billed annually."</>, src: "SOURCE · notion.so/pricing · 2026-03-18" },
-          { kind: "a", text: <>"Plus plan: <strong>$11.80 per member per month</strong>, billed annually."</>, src: "SOURCE · notion.so/pricing · 2026-05-22" },
-        ],
-      ],
-      policyBody: <><b>severity-rules.yaml v4</b> · "Price ↑ &gt;10% within 90d of renewal → P1 to Procurement."
-                  Notion renewal is in <b>42 days</b>; per-seat change is <b>+18%</b>. The policy clause
-                  matched at <b>2026-05-22 14:42:21 EST</b> and was queued for routing.</>,
-      trail: [
-        { ts: "14:59:01", msg: <>Policy fired · <b>severity-rules.yaml v4</b></>, status: "✓ MATCH" },
-        { ts: "14:59:02", msg: <>Slack DM · <b>@priya</b> · delivered</>, status: "✓ SENT" },
-        { ts: "14:59:03", msg: <>Jira · <b>PROC-2104</b> · assigned Marcus Chen</>, status: "✓ OPEN" },
-        { ts: "14:59:04", msg: <>Calendar · <b>Jun 24 renewal call</b> · 4 invitees</>, status: "✓ SCHED" },
-        { ts: "14:59:05", msg: <>Drafts · <b>renegotiation packet</b> · 3 positions</>, status: "✓ READY" },
-        { ts: "14:59:08", msg: <>Bundle signed · hash <b>8b2e…f94a</b></>, status: "✓ WITNESSED" },
-      ],
-      citations: [
-        { src: "notion.so/terms#4.2 · §4.2 Data Retention · public", hash: "8b2e…f94a" },
-        { src: "notion.so/pricing · §7.1 Plus Plan · public", hash: "d4a1…2c7b" },
-        { src: "internal · DPA §3.1 (Acme ⟷ Notion) · private", hash: "f9c3…81de" },
-        { src: "policy · severity-rules.yaml v4 · internal", hash: "a3f9…d21c" },
-      ],
-      nextActions: [
-        { type: "cal",   target: "Renewal call",      when: "Jun 24 · 14:00 EST",       status: "SCHED", pending: false },
-        { type: "email", target: "Send renego draft", when: "Owner · Priya N.",         status: "DUE 5/29", pending: true },
-      ],
-    },
-    routingTitle: <>Routed to <em>Priya</em>. Bundle <em>RL·4839</em> generating…</>,
-    routingLog: [
-      { ts: "14:59:01", lvl: "info", msg: <>Policy fired · <b>severity-rules.yaml v4</b> · severity P1</> },
-      { ts: "14:59:02", lvl: "exec", msg: <>Slack DM dispatched · <b>@priya</b> · message + 4 citations</> },
-      { ts: "14:59:03", lvl: "exec", msg: <>Jira ticket created · <b>PROC-2104</b> · assigned to Marcus Chen</> },
-      { ts: "14:59:04", lvl: "exec", msg: <>Calendar invite sent · <b>Jun 24 · Notion renewal call</b> · 4 invitees</> },
-      { ts: "14:59:05", lvl: "exec", msg: <>Renegotiation draft generated · <b>3 positions</b> · saved to Drafts</> },
-      { ts: "14:59:06", lvl: "info", msg: <>Compiling evidence bundle <b>RL·4839</b> · 4 grounded citations</> },
-      { ts: "14:59:07", lvl: "sign", msg: <>Clauses extracted · §4.2 Retention · §7.1 Pricing · DPA §3.1 · policy</> },
-      { ts: "14:59:08", lvl: "sign", msg: <>Bundle signed · hash <b>8b2e…f94a</b> · witnessed by agent-redline-v1.4</> },
-      { ts: "14:59:09", lvl: "ok",   msg: <>Bundle <b>RL·4839</b> written · grounded · routed · ready</> },
-    ],
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // DATADOG — P1, already acknowledged, bundle witnessed
-  // ─────────────────────────────────────────────────────────
-  datadog: {
-    key: "datadog",
-    letter: "D",
-    name: "Datadog",
-    category: "OBSERVABILITY · MONITORING",
-    meta: "OBSERVABILITY · TIER 1",
-    tier: 1,
-    sev: "p1",
-    sevLabel: "P1",
-    owner: { initials: "RK", cls: "a", name: "Ravi Krishnan", role: "SECURITY LEAD" },
-    secondary: { initials: "AO", cls: "grape", name: "Ada Owens", role: "PRIVACY OFFICER" },
-    annual: "$420,000",
-    annualUsd: 420000,
-    seats: 312,
-    renewsInDays: 11,
-    renewsLabel: "11 DAYS",
-    renewsCls: "warn",
-    dataClasses: ["pii", "phi"],
-    mode: "acknowledged",
-    interactive: false,
-    lastChange: { label: "2h ago · SUB-PROC", cls: "crit" },
-    activity: {
-      sev: "p1", when: "2h",
-      title: "Sub-processor added · Tencent Cloud · CN",
-      meta: "SUB-PROC · JURISDICTION", impact: "+30d NOTICE", impactCls: "",
-    },
-    cr: {
-      bundleId: "RL·4812",
-      categories: ["SUB-PROC", "JURISDICTION"],
-      titleOpen: <>New sub-processor <em>Tencent Cloud (CN)</em> added to data path. Non-adequate jurisdiction.</>,
-      detectedAt: "2026-05-22 · 12:18:04 EST",
-      detectedWhen: "2 hours ago",
-      acknowledgedAt: "2026-05-22 · 12:51 EST",
-      acknowledgedWhen: "1h 51m ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 3,
-      impacts: [
-        { lbl: "Jurisdiction", val: "CN · non-adequate", cls: "dollar" },
-        { lbl: "Customer notice", val: "+30d required", cls: "delta" },
-        { lbl: "Compliance", val: "GDPR · Art 28(2)", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · Sub-processor list · APAC region",
-          before: {
-            when: "SNAPSHOT · APR 14 2026",
-            text: <>"Datadog uses the following sub-processors in APAC: <strong>AWS (ap-northeast-1)</strong>,
-                  <strong>GCP (asia-east1)</strong>. No data routed through PRC-based providers."</>,
-            source: "SOURCE · datadog.com/legal/sub-processors · FETCHED 2026-04-14 06:02 UTC · HASH 71be…0caf",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Datadog uses the following sub-processors in APAC: AWS (ap-northeast-1),
-                  GCP (asia-east1), and <strong>Tencent Cloud (cn-shanghai)</strong> for traffic-origin
-                  metrics retention in the Greater China region."</>,
-            sourceLink: "datadog.com/legal/sub-processors",
-            sourceMeta: " · FETCHED 2026-05-22 12:18 UTC · HASH 4d09…b2e1",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Sub-processor added in non-adequate jurisdiction → P1 to Privacy",
-        meta: "AUTHOR · Marcus Chen · SECURITY · v1 · 2026-01-08",
-        yamlKey: "subprocessor",
-      },
-      actions: [
-        { type: "slack",  target: "#privacy",            queued: "queued", sent: "12:18:42 · 6 members" },
-        { type: "jira",   target: "PRIV-1188",           queued: "queued", sent: "12:18:44 · Ada Owens" },
-        { type: "email",  target: "Customer notice · draft", queued: "queued", sent: "12:18:46 · 30d countdown" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Tencent Cloud is in a <em>non-adequate</em> jurisdiction under GDPR. A <strong>30-day customer
-              notice</strong> is required before the sub-processor goes live. Privacy team should evaluate
-              transfer mechanism (SCCs + supplementary measures) and confirm data classes routed (PHI must
-              not be eligible). Renewal in <strong>11 days</strong> — block renewal until DPA addendum signed.</>,
-      },
-      recoRouted: {
-        head: "Outcome · Acknowledged",
-        text: <>Privacy team acknowledged at <strong>12:51 EST</strong>. Customer-notice draft attached to
-              <strong> PRIV-1188</strong>. Transfer mechanism review scheduled for <strong>2026-05-25</strong>.
-              Renewal of <strong>$420k</strong> contract held until DPA addendum signature.</>,
-      },
-    },
-    bundle: {
-      id: "RL·4812",
-      seal: "US",
-      signedAt: "2026-05-22 · 12:51:33 EST",
-      hash: "4d09…b2e1",
-      eyebrow: "DATADOG · CR · SUB-PROCESSOR",
-      coverSubtitle: <>Datadog · new sub-processor (Tencent Cloud · CN) · <em>acknowledged</em></>,
-      sectionCount: 4,
-      miniDiffs: [
-        [
-          { kind: "b", text: <>"…APAC sub-processors: AWS, GCP. <strong>No PRC-based providers</strong>…"</>, src: "SOURCE · datadog.com/legal/sub-processors · 2026-04-14 · HASH 71be…0caf" },
-          { kind: "a", text: <>"…APAC sub-processors: AWS, GCP, and <strong>Tencent Cloud (cn-shanghai)</strong>…"</>, src: "SOURCE · datadog.com/legal/sub-processors · 2026-05-22 · HASH 4d09…b2e1" },
-        ],
-      ],
-      policyBody: <><b>severity-rules.yaml v4</b> · "Sub-processor added in non-adequate jurisdiction → P1 to Privacy."
-                  Datadog added Tencent Cloud (CN-Shanghai). The policy matched at
-                  <b> 2026-05-22 12:18:09 EST</b> and queued a customer-notice draft.</>,
-      trail: [
-        { ts: "12:18:09", msg: <>Policy fired · <b>subprocessor.yaml v1</b></>, status: "✓ MATCH" },
-        { ts: "12:18:42", msg: <>Slack channel · <b>#privacy</b> · 6 members notified</>, status: "✓ SENT" },
-        { ts: "12:18:44", msg: <>Jira · <b>PRIV-1188</b> · assigned Ada Owens</>, status: "✓ OPEN" },
-        { ts: "12:18:46", msg: <>Draft · <b>30-day customer notice</b></>, status: "✓ READY" },
-        { ts: "12:51:30", msg: <>Acknowledged by Ada Owens · <b>transfer review 5/25</b></>, status: "✓ ACK" },
-        { ts: "12:51:33", msg: <>Bundle signed · hash <b>4d09…b2e1</b></>, status: "✓ WITNESSED" },
-      ],
-      citations: [
-        { src: "datadog.com/legal/sub-processors · APAC list · public", hash: "4d09…b2e1" },
-        { src: "internal · DPA §6 (Acme ⟷ Datadog) · private", hash: "71be…0caf" },
-        { src: "policy · subprocessor.yaml v1 · internal", hash: "c2a8…59f0" },
-      ],
-      nextActions: [
-        { type: "cal",   target: "Transfer review",   when: "May 25 · 10:00 EST",   status: "SCHED",   pending: false },
-        { type: "email", target: "Customer notice",   when: "Send by Jun 21",       status: "DUE 6/21", pending: true },
-      ],
-    },
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // STRIPE — P2, terms change (liability cap)
-  // ─────────────────────────────────────────────────────────
-  stripe: {
-    key: "stripe",
-    letter: "S",
-    name: "Stripe",
-    category: "PAYMENTS · BILLING",
-    meta: "PAYMENTS · TIER 1",
-    tier: 1,
-    sev: "p2",
-    sevLabel: "P2",
-    owner: { initials: "MA", cls: "c", name: "Maya Ahmadi", role: "GRC LEAD" },
-    secondary: { initials: "LP", cls: "lime", name: "Lin Park", role: "LEGAL COUNSEL" },
-    annual: "$2.4M",
-    annualUsd: 2400000,
-    seats: 20,
-    renewsInDays: 244,
-    renewsLabel: "8 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii", "payments"],
-    mode: "open",
-    interactive: false,
-    lastChange: { label: "6h ago · TERMS", cls: "" },
-    activity: {
-      sev: "p2", when: "6h",
-      title: "Liability cap reduced from $1M to $500k",
-      meta: "TERMS · LIABILITY", impact: "LEGAL REVIEW", impactCls: "",
-    },
-    cr: {
-      bundleId: "RL·4798",
-      categories: ["TERMS", "LIABILITY"],
-      titleOpen: <>Liability cap <em>halved</em> from $1M to $500k. Indemnification scope narrowed.</>,
-      detectedAt: "2026-05-22 · 08:31:17 EST",
-      detectedWhen: "6 hours ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 3,
-      impacts: [
-        { lbl: "Liability cap", val: "−$500,000", cls: "dollar" },
-        { lbl: "Indemnification", val: "Narrowed scope", cls: "delta" },
-        { lbl: "Renewal", val: "8 months out", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · §11.3 Limitation of Liability",
-          before: {
-            when: "SNAPSHOT · FEB 02 2026",
-            text: <>"Stripe's aggregate liability under this agreement shall not exceed
-                  <strong> one million dollars ($1,000,000)</strong> or the fees paid by Customer
-                  in the preceding twelve (12) months, whichever is greater."</>,
-            source: "SOURCE · stripe.com/legal#11.3 · FETCHED 2026-02-02 11:08 UTC · HASH 9f2c…7b4d",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Stripe's aggregate liability under this agreement shall not exceed
-                  <strong> five hundred thousand dollars ($500,000)</strong> or the fees paid by Customer
-                  in the preceding twelve (12) months, whichever is greater."</>,
-            sourceLink: "stripe.com/legal#11.3",
-            sourceMeta: " · FETCHED 2026-05-22 08:31 UTC · HASH 6a13…8e29",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Liability cap reduced >25% → P2 to Legal",
-        meta: "AUTHOR · Lin Park · LEGAL · v2 · 2026-03-04",
-        yamlKey: "terms",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @maya",          queued: "queued · awaits ack", sent: "—" },
-        { type: "jira",   target: "LEGAL-0942",          queued: "queued",              sent: "—" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Stripe's standard cap is now <strong>50% lower</strong>. Acme processes <strong>$2.4M/yr</strong>
-              through Stripe; current cap is materially under-protective vs. annual volume. Renewal is
-              8 months out — leverage MSA negotiation to <em>restore $1M cap or negotiate a custom carve-out</em>.
-              No immediate action required; flag for renewal-prep cycle.</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // AWS — P2, pricing increase on hot SKU
-  // ─────────────────────────────────────────────────────────
-  aws: {
-    key: "aws",
-    letter: "A",
-    name: "AWS",
-    category: "CLOUD · INFRASTRUCTURE",
-    meta: "INFRA · TIER 1",
-    tier: 1,
-    sev: "p2",
-    sevLabel: "P2",
-    owner: { initials: "RK", cls: "a", name: "Ravi Krishnan", role: "PLATFORM LEAD" },
-    secondary: { initials: "JT", cls: "d", name: "Jordan Tao", role: "FINOPS" },
-    annual: "$1.8M",
-    annualUsd: 1800000,
-    seats: 0,
-    renewsInDays: 92,
-    renewsLabel: "3 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii", "source"],
-    mode: "open",
-    interactive: false,
-    lastChange: { label: "1d ago · PRICING", cls: "" },
-    activity: {
-      sev: "p2", when: "1d",
-      title: "EC2 g6.xlarge +8% in us-east-1",
-      meta: "PRICING", impact: "+$14.2k/yr", impactCls: "in",
-    },
-    cr: {
-      bundleId: "RL·4761",
-      categories: ["PRICING"],
-      titleOpen: <>EC2 <em>g6.xlarge</em> hourly rate up <strong>8%</strong> in us-east-1. Acme runs 47 nodes.</>,
-      detectedAt: "2026-05-21 · 14:42:00 EST",
-      detectedWhen: "1 day ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 2,
-      impacts: [
-        { lbl: "$ Impact · annual", val: "+$14,200", cls: "dollar" },
-        { lbl: "Per-node change", val: "+$0.094/hr", cls: "delta" },
-        { lbl: "Affected nodes", val: "47 · ML inference", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · EC2 g6.xlarge · us-east-1",
-          before: {
-            when: "SNAPSHOT · MAY 15 2026",
-            text: <>"g6.xlarge (1× L4 GPU, 4 vCPU, 16 GiB) · <strong>$1.174 per hour</strong> · on-demand · us-east-1."</>,
-            source: "SOURCE · aws.amazon.com/ec2/instance-types · FETCHED 2026-05-15 09:00 UTC · HASH 3c80…d471",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 21 2026",
-            text: <>"g6.xlarge (1× L4 GPU, 4 vCPU, 16 GiB) · <strong>$1.268 per hour</strong> · on-demand · us-east-1."</>,
-            sourceLink: "aws.amazon.com/ec2/instance-types",
-            sourceMeta: " · FETCHED 2026-05-21 14:42 UTC · HASH a09f…1c3b",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "SKU pricing increase >5% → P2 to FinOps",
-        meta: "AUTHOR · Jordan Tao · FINOPS · v3 · 2026-02-18",
-        yamlKey: "pricing",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @jordan",        queued: "queued · awaits ack", sent: "—" },
-        { type: "jira",   target: "FIN-0322",            queued: "queued",              sent: "—" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>g6.xlarge powers Acme's ML inference fleet (47 nodes). Annualized impact: <strong>+$14.2k</strong>.
-              FinOps should evaluate <em>3-year savings plan</em> at the older rate (auto-applies if signed
-              before 2026-08-22 renewal) or migrate inference to <em>g5.xlarge</em> (−12% perf, −18% cost).</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // LINEAR — Healthy, no recent diff
-  // ─────────────────────────────────────────────────────────
-  linear: {
-    key: "linear",
-    letter: "L",
-    name: "Linear",
-    category: "PROJECT · COLLAB",
-    meta: "PROJECT · TIER 2",
-    tier: 2,
-    sev: "healthy",
-    sevLabel: "OK",
-    owner: { initials: "JT", cls: "d", name: "Jordan Tao", role: "OWNER" },
-    annual: "$48,000",
-    annualUsd: 48000,
-    seats: 240,
-    renewsInDays: 153,
-    renewsLabel: "5 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii"],
-    mode: "healthy",
-    interactive: false,
-    lastChange: { label: "14 days · no diff", cls: "" },
-    activity: null,
-    cr: {
-      categories: ["NO CHANGE"],
-      titleOpen: <>No material changes detected in the last <em>14 days</em>. Posture stable.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "14 days since last scan diff",
-      agent: "agent-redline-v1.4",
-      citationCount: 0,
-      lastScannedSurfaces: [
-        { url: "linear.app/terms",        when: "2026-05-22 14:38 UTC", hash: "stable · e7d2…c918" },
-        { url: "linear.app/dpa",          when: "2026-05-22 14:38 UTC", hash: "stable · 819a…0042" },
-        { url: "linear.app/security",     when: "2026-05-22 14:39 UTC", hash: "stable · 4f0c…dd80" },
-        { url: "linear.app/sub-processors", when: "2026-05-22 14:39 UTC", hash: "stable · 6b22…aaef" },
-      ],
-      recoOpen: {
-        head: "Status · Healthy",
-        text: <>All <strong>4 monitored surfaces</strong> match prior snapshots. Last meaningful change
-              was on <strong>2026-05-08</strong> (security headers update, non-material). Renewal in
-              <strong> 5 months</strong> — no early action needed.</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // FIGMA — Healthy, no recent diff
-  // ─────────────────────────────────────────────────────────
-  figma: {
-    key: "figma",
-    letter: "F",
-    name: "Figma",
-    category: "DESIGN · COLLAB",
-    meta: "DESIGN · TIER 2",
-    tier: 2,
-    sev: "healthy",
-    sevLabel: "OK",
-    owner: { initials: "JT", cls: "d", name: "Jordan Tao", role: "OWNER" },
-    annual: "$96,000",
-    annualUsd: 96000,
-    seats: 480,
-    renewsInDays: 214,
-    renewsLabel: "7 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii"],
-    mode: "healthy",
-    interactive: false,
-    lastChange: { label: "22 days · no diff", cls: "" },
-    activity: null,
-    cr: {
-      categories: ["NO CHANGE"],
-      titleOpen: <>No material changes detected in the last <em>22 days</em>. Posture stable.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "22 days since last scan diff",
-      agent: "agent-redline-v1.4",
-      citationCount: 0,
-      lastScannedSurfaces: [
-        { url: "figma.com/legal/terms",         when: "2026-05-22 14:35 UTC", hash: "stable · 1eaa…58c2" },
-        { url: "figma.com/legal/dpa",           when: "2026-05-22 14:36 UTC", hash: "stable · 0c44…b1f9" },
-        { url: "figma.com/security",            when: "2026-05-22 14:36 UTC", hash: "stable · d8e7…7710" },
-        { url: "figma.com/legal/sub-processors", when: "2026-05-22 14:37 UTC", hash: "stable · 33ab…ee21" },
-      ],
-      recoOpen: {
-        head: "Status · Healthy",
-        text: <>All <strong>4 monitored surfaces</strong> match prior snapshots. Last meaningful change
-              was on <strong>2026-04-30</strong> (pricing FAQ refresh, non-material). Renewal in
-              <strong> 7 months</strong> — no early action needed.</>,
-      },
-    },
-    bundle: null,
-  },
-
-};
-
-// Per-vendor YAML snippet used in the policy panel. Kept terse so it fits.
-const POLICY_YAML = {
-  pricing: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"pricing"</span>{"\n  "}change.dollarImpact.pct: <span className="y-str">">10"</span>{"\n  "}vendor.renewsAt: <span className="y-str">"within 90d"</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P1</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:@priya</span>{"\n    - "}<span className="y-str">jira:PROC</span>{"\n    - "}<span className="y-str">copilot:renegotiate</span>
-    </pre>
-  ),
-  subprocessor: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"subprocessor"</span>{"\n  "}new.jurisdiction.adequate: <span className="y-str">"false"</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P1</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:#privacy</span>{"\n    - "}<span className="y-str">jira:PRIV</span>{"\n    - "}<span className="y-str">draft:customer-notice-30d</span>
-    </pre>
-  ),
-  terms: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"terms"</span>{"\n  "}clause.liabilityCap.pctDelta: <span className="y-str">{'"<= -25"'}</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P2</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:@maya</span>{"\n    - "}<span className="y-str">jira:LEGAL</span>
-    </pre>
-  ),
-};
-
-// Order used by the portfolio grid + the order the activity feed cycles.
-const VENDOR_ORDER = ["notion", "datadog", "stripe", "aws", "linear", "figma"];
-
-Object.assign(window, { VENDOR_DATA, POLICY_YAML, VENDOR_ORDER });
diff --git a/apps/web/public/unsyphn-mark.png b/apps/web/public/unsyphn-mark.png
new file mode 100644
index 0000000..29b6a08
Binary files /dev/null and b/apps/web/public/unsyphn-mark.png differ
diff --git a/apps/web/src/App.tsx b/apps/web/src/App.tsx
index 919ba13..62cd5c6 100644
--- a/apps/web/src/App.tsx
+++ b/apps/web/src/App.tsx
@@ -1,110 +1,310 @@
 import { useEffect, useState } from "react";
-import { Onboard } from "./screens/Onboard.js";
-import { StripeModal } from "./screens/StripeModal.js";
+import { Command } from "lucide-react";
 import { SensoBrief } from "./screens/SensoBrief.js";
-import { VendorOnboarding } from "./screens/VendorOnboarding.js";
+import { Portfolio } from "./screens/Portfolio.js";
+import { ChangeReport } from "./screens/ChangeReport.js";
+import { Onboarding } from "./screens/Onboarding.js";
+import { CommandPalette } from "./components/CommandPalette.js";
+import { Inbox } from "./screens/Inbox.js";
+import { VendorDetail } from "./screens/VendorDetail.js";
+import { Requests } from "./screens/Requests.js";
+import { Renewals } from "./screens/Renewals.js";
+import { Findings } from "./screens/Findings.js";
+import { Reports } from "./screens/Reports.js";
+import { Pricing } from "./screens/Pricing.js";
+import { AuditorMode } from "./screens/AuditorMode.js";
+import { Settings } from "./screens/Settings.js";
+import { TrustCenter } from "./screens/TrustCenter.js";
+import { Demo } from "./screens/Demo.js";
+import { Contact } from "./screens/Contact.js";
+import { Privacy } from "./screens/Privacy.js";
+import { Terms } from "./screens/Terms.js";
+import { Docs } from "./screens/Docs.js";
+
+function VendorDetailPlaceholder(): JSX.Element {
+  return (
+    <main className="page" style={{ padding: "var(--space-9) var(--space-6)" }}>
+      <h1 className="h1">Vendor Detail</h1>
+      <p className="lead">Vendor detail coming in W4.</p>
+    </main>
+  );
+}
+
+
+function PoliciesPlaceholder(): JSX.Element {
+  return (
+    <main className="page" style={{ padding: "var(--space-9) var(--space-6)" }}>
+      <h1 className="h1">Policies</h1>
+      <p className="lead">Policy Studio coming soon.</p>
+    </main>
+  );
+}
+
+function SettingsPlaceholder(): JSX.Element {
+  return (
+    <main className="page" style={{ padding: "var(--space-9) var(--space-6)" }}>
+      <h1 className="h1">Settings</h1>
+      <p className="lead">Settings coming in W7.</p>
+    </main>
+  );
+}
+
+function isAppRoute(pathname: string): boolean {
+  return pathname === "/app" || pathname.startsWith("/app/");
+}
 
 function parseEvidenceId(pathname: string): string | undefined {
-  const match = pathname.match(/^\/evidence\/([^/?#]+)\/?$/);
+  const match = pathname.match(/^\/app\/evidence\/([^/?#]+)\/?$/);
   return match?.[1];
 }
 
-function isOnboardingRoute(pathname: string): boolean {
-  return /^\/onboarding\/?$/.test(pathname);
+function parseVendorId(pathname: string): string | undefined {
+  const match = pathname.match(/^\/app\/vendors\/([^/?#]+)\/?$/);
+  return match?.[1];
 }
 
-function isDashboardRoute(pathname: string): boolean {
-  return /^\/dashboard\/?$/.test(pathname);
+function parseChangeId(pathname: string): string | undefined {
+  const match = pathname.match(/^\/app\/change\/([^/?#]+)\/?$/);
+  return match?.[1];
+}
+
+type ActiveNav =
+  | "inbox"
+  | "vendors"
+  | "renewals"
+  | "requests"
+  | "findings"
+  | "reports"
+  | "settings"
+  | null;
+
+function currentNav(pathname: string): ActiveNav {
+  if (pathname === "/app" || pathname === "/app/" || pathname.startsWith("/app/inbox")) return "inbox";
+  if (pathname.startsWith("/app/vendors")) return "vendors";
+  if (pathname.startsWith("/app/renewals")) return "renewals";
+  if (pathname.startsWith("/app/requests")) return "requests";
+  if (pathname.startsWith("/app/findings")) return "findings";
+  if (pathname.startsWith("/app/reports")) return "reports";
+  if (pathname.startsWith("/app/settings")) return "settings";
+  return null;
 }
 
 export function App(): JSX.Element | null {
   const pathname =
     typeof window !== "undefined" ? window.location.pathname : "/";
-  const isAppRoute =
-    isOnboardingRoute(pathname) ||
-    isDashboardRoute(pathname) ||
-    Boolean(parseEvidenceId(pathname));
+
+  const inApp = isAppRoute(pathname);
 
   useEffect(() => {
-    if (isAppRoute) {
+    document.title = "Unsyphn";
+  }, []);
+
+  useEffect(() => {
+    if (inApp) {
       document.body.classList.add("app-mode");
+    } else {
+      document.body.classList.remove("app-mode");
     }
     return () => {
       document.body.classList.remove("app-mode");
     };
-  }, [isAppRoute]);
+  }, [inApp]);
 
-  const evidenceId = parseEvidenceId(pathname);
-  if (evidenceId) {
-    return <SensoBrief changeReportId={evidenceId} />;
-  }
-
-  if (isOnboardingRoute(pathname)) {
-    return <VendorOnboardingApp />;
-  }
-
-  if (isDashboardRoute(pathname)) {
-    const tier = typeof window !== "undefined"
-      ? new URLSearchParams(window.location.search).get("tier")
-      : null;
-    const parsed = tier ? parseInt(tier, 10) : NaN;
-    const tierNum = parsed === 1 || parsed === 2 || parsed === 3 ? parsed : undefined;
-    return <DashboardApp prefillTier={tierNum} />;
-  }
+  useEffect(() => {
+    if (!inApp) return;
+    if (
+      typeof window.matchMedia === "function" &&
+      window.matchMedia("(prefers-reduced-motion: reduce)").matches
+    ) {
+      return;
+    }
+    let raf = 0;
+    const handler = (e: PointerEvent): void => {
+      const x = e.clientX / window.innerWidth;
+      const y = e.clientY / window.innerHeight;
+      cancelAnimationFrame(raf);
+      raf = requestAnimationFrame(() => {
+        document.documentElement.style.setProperty("--cursor-x", String(x));
+        document.documentElement.style.setProperty("--cursor-y", String(y));
+      });
+    };
+    window.addEventListener("pointermove", handler, { passive: true });
+    return () => {
+      window.removeEventListener("pointermove", handler);
+      cancelAnimationFrame(raf);
+      document.documentElement.style.removeProperty("--cursor-x");
+      document.documentElement.style.removeProperty("--cursor-y");
+    };
+  }, [inApp]);
 
-  return null;
-}
+  if (pathname === "/pricing") return <Pricing />;
+  if (pathname === "/trust") return <TrustCenter />;
+  if (pathname === "/demo") return <Demo />;
+  if (pathname === "/contact") return <Contact />;
+  if (pathname === "/privacy") return <Privacy />;
+  if (pathname === "/terms") return <Terms />;
+  if (pathname === "/docs") return <Docs />;
+  const auditorMatch = pathname.match(/^\/auditor\/([^/?#]+)\/?$/);
+  if (auditorMatch?.[1]) return <AuditorMode sessionToken={auditorMatch[1]} />;
+  if (!inApp) return null;
 
-interface DashboardAppProps {
-  prefillTier?: 1 | 2 | 3;
-}
+  const evidenceId = parseEvidenceId(pathname);
+  const vendorId = parseVendorId(pathname);
+  const changeId = parseChangeId(pathname);
+  const activeNav = currentNav(pathname);
 
-function DashboardApp({ prefillTier }: DashboardAppProps): JSX.Element {
-  const [showUpgrade, setShowUpgrade] = useState(false);
   return (
-    <main className="app">
-      <header className="app__header">
-        <img src="/logo.png" alt="Unsyphn" className="app__mark" style={{ height: 28, width: "auto" }} />
-        <nav aria-label="breadcrumb">
-          <span className="app__crumb">Add Vendor</span>
-        </nav>
-        <div className="app__actions" style={{ marginLeft: "auto", display: "flex", gap: 8 }}>
-          <a className="btn btn--ghost app__nav" href="/onboarding">
-            Vendor Onboarding
-          </a>
-          <button
-            className="btn btn--ghost app__upgrade"
-            type="button"
-            onClick={() => setShowUpgrade(true)}
-          >
-            Upgrade to Compliance Pack
-          </button>
-        </div>
-      </header>
-      <Onboard prefillTier={prefillTier} />
-      {showUpgrade && <StripeModal onClose={() => setShowUpgrade(false)} />}
-    </main>
+    <>
+      <TopBar activeNav={activeNav} />
+      <main className="app-content">
+        {evidenceId ? (
+          <SensoBrief changeReportId={evidenceId} />
+        ) : pathname === "/app" || pathname === "/app/" || pathname.startsWith("/app/inbox") ? (
+          <Inbox />
+        ) : vendorId ? (
+          <VendorDetail />
+        ) : pathname.startsWith("/app/vendors") ? (
+          <Portfolio />
+        ) : changeId ? (
+          <ChangeReport changeId={changeId} />
+        ) : pathname.startsWith("/app/renewals") ? (
+          <Renewals />
+        ) : pathname.startsWith("/app/requests") ? (
+          <Requests />
+        ) : pathname.startsWith("/app/findings") ? (
+          <Findings />
+        ) : pathname.startsWith("/app/reports") ? (
+          <Reports />
+        ) : pathname.startsWith("/app/policies") ? (
+          <PoliciesPlaceholder />
+        ) : pathname.startsWith("/app/onboarding") ? (
+          <Onboarding />
+        ) : pathname.startsWith("/app/settings") ? (
+          <Settings />
+        ) : null}
+      </main>
+      <CommandPalette />
+    </>
   );
 }
 
-function VendorOnboardingApp(): JSX.Element {
+interface TopBarProps {
+  activeNav: ActiveNav;
+}
+
+function TopBar({ activeNav }: TopBarProps): JSX.Element {
+  const [scrolled, setScrolled] = useState(false);
+
+  useEffect(() => {
+    const onScroll = (): void => setScrolled(window.scrollY > 8);
+    onScroll();
+    window.addEventListener("scroll", onScroll, { passive: true });
+    return () => window.removeEventListener("scroll", onScroll);
+  }, []);
+
   return (
-    <main className="app">
-      <header className="app__header">
-        <img src="/logo.png" alt="Unsyphn" className="app__mark" style={{ height: 28, width: "auto" }} />
-        <nav aria-label="breadcrumb">
-          <span className="app__crumb">Vendor Onboarding</span>
-        </nav>
-        <a
-          className="btn btn--ghost"
-          href="/dashboard"
-          style={{ marginLeft: "auto" }}
-          aria-label="Back to dashboard"
+    <header
+      className={scrolled ? "topbar topbar-scrolled" : "topbar"}
+      style={{
+        height: 48,
+        display: "flex",
+        alignItems: "center",
+        padding: "0 var(--space-5)",
+        borderBottom: "1px solid var(--border)",
+        gap: "var(--space-5)",
+        background: "var(--surface)",
+        position: "sticky",
+        top: 0,
+        zIndex: 100,
+      }}
+    >
+      <a
+        href="/"
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          gap: 8,
+          textDecoration: "none",
+          color: "var(--text-strong)",
+          userSelect: "none",
+        }}
+        aria-label="Unsyphn home"
+      >
+        <img
+          src="/unsyphn-mark.png"
+          alt=""
+          aria-hidden="true"
+          width={42}
+          height={28}
+          style={{ display: "block", objectFit: "contain" }}
+        />
+        <span
+          style={{
+            fontFamily: "var(--font-display)",
+            fontWeight: 600,
+            fontSize: "var(--text-base)",
+            color: "var(--text-strong)",
+            letterSpacing: "0.04em",
+          }}
         >
-          ← Back to Dashboard
-        </a>
-      </header>
-      <VendorOnboarding />
-    </main>
+          Unsyphn
+        </span>
+      </a>
+
+      <nav
+        aria-label="Main navigation"
+        style={{ display: "flex", gap: "var(--space-2)", flex: 1 }}
+      >
+        {(
+          [
+            ["inbox", "Inbox", "/app/inbox"],
+            ["vendors", "Vendors", "/app/vendors"],
+            ["renewals", "Renewals", "/app/renewals"],
+            ["requests", "Requests", "/app/requests"],
+            ["findings", "Findings", "/app/findings"],
+            ["reports", "Reports", "/app/reports"],
+            ["settings", "Settings", "/app/settings"],
+          ] as const
+        ).map(([key, label, href]) => (
+          <a
+            key={key}
+            href={href}
+            className={activeNav === key ? "is-active" : ""}
+            style={{
+              fontFamily: "var(--font-text)",
+              fontWeight: 400,
+              fontSize: "var(--text-sm)",
+              color:
+                activeNav === key ? "var(--accent)" : "var(--text-2)",
+              padding: "4px var(--space-3)",
+              borderRadius: "var(--radius-sm)",
+              textDecoration: "none",
+              transition: "color var(--dur-fast)",
+            }}
+          >
+            {label}
+          </a>
+        ))}
+      </nav>
+
+      <button
+        type="button"
+        aria-label="Open command palette"
+        onClick={() => window.dispatchEvent(new CustomEvent("unsyphn:openPalette"))}
+        style={{
+          fontFamily: "var(--font-mono)",
+          fontSize: "var(--text-xs)",
+          color: "var(--muted)",
+          background: "none",
+          border: "1px solid var(--border)",
+          borderRadius: "var(--radius-sm)",
+          padding: "2px 6px",
+          cursor: "pointer",
+        }}
+      >
+        <Command size={12} aria-hidden="true" />
+        {" "}K
+      </button>
+    </header>
   );
 }
diff --git a/apps/web/src/components/BulkActionBar.tsx b/apps/web/src/components/BulkActionBar.tsx
new file mode 100644
index 0000000..e6c12e8
--- /dev/null
+++ b/apps/web/src/components/BulkActionBar.tsx
@@ -0,0 +1,204 @@
+import { useState } from "react";
+import { CheckCircle2, Clock, Archive, ArrowUpRight, X } from "lucide-react";
+
+interface Props {
+  count: number;
+  onMarkRead: () => void;
+  onSnooze: (untilIso: string) => void;
+  onResolve: () => void;
+  onEscalate: () => void;
+  onClear: () => void;
+}
+
+function plus48hIso(): string {
+  return new Date(Date.now() + 48 * 3600 * 1000).toISOString();
+}
+
+function plus1wIso(): string {
+  return new Date(Date.now() + 7 * 24 * 3600 * 1000).toISOString();
+}
+
+export function BulkActionBar({
+  count,
+  onMarkRead,
+  onSnooze,
+  onResolve,
+  onEscalate,
+  onClear,
+}: Props): JSX.Element {
+  const [snoozeOpen, setSnoozeOpen] = useState(false);
+
+  return (
+    <div
+      role="region"
+      aria-live="polite"
+      aria-label={`${count} selected`}
+      className="glass-strong slide-in-right"
+      style={{
+        position: "sticky",
+        top: 0,
+        zIndex: 20,
+        display: "flex",
+        alignItems: "center",
+        gap: 8,
+        padding: "10px 16px",
+        background: "rgba(15,23,42,0.92)",
+        color: "#f8fafc",
+        borderRadius: 8,
+        marginBottom: 12,
+        fontSize: 13,
+        boxShadow: "0 12px 32px rgba(15,23,42,0.28), inset 0 1px 0 rgba(255,255,255,0.08)",
+      }}
+    >
+      <button
+        type="button"
+        onClick={onClear}
+        aria-label="Clear selection"
+        style={{
+          width: 28,
+          height: 28,
+          border: "none",
+          background: "transparent",
+          color: "#cbd5e1",
+          borderRadius: 4,
+          cursor: "pointer",
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+        }}
+      >
+        <X size={16} aria-hidden="true" />
+      </button>
+
+      <span style={{ fontWeight: 500 }}>
+        {count} selected
+      </span>
+
+      <div style={{ flex: 1 }} />
+
+      <BulkBtn onClick={onMarkRead}>
+        <CheckCircle2 size={14} aria-hidden="true" />
+        Mark read
+      </BulkBtn>
+
+      <div style={{ position: "relative" }}>
+        <BulkBtn onClick={() => setSnoozeOpen((v) => !v)} aria-expanded={snoozeOpen}>
+          <Clock size={14} aria-hidden="true" />
+          Snooze
+        </BulkBtn>
+        {snoozeOpen && (
+          <div
+            role="menu"
+            style={{
+              position: "absolute",
+              top: "calc(100% + 6px)",
+              right: 0,
+              background: "#fff",
+              color: "#0f172a",
+              borderRadius: 8,
+              boxShadow: "0 8px 24px rgba(15,23,42,0.16)",
+              padding: 6,
+              display: "flex",
+              flexDirection: "column",
+              minWidth: 160,
+              zIndex: 30,
+            }}
+          >
+            <SnoozeOption
+              label="48 hours"
+              onClick={() => {
+                setSnoozeOpen(false);
+                onSnooze(plus48hIso());
+              }}
+            />
+            <SnoozeOption
+              label="1 week"
+              onClick={() => {
+                setSnoozeOpen(false);
+                onSnooze(plus1wIso());
+              }}
+            />
+          </div>
+        )}
+      </div>
+
+      <BulkBtn onClick={onResolve}>
+        <Archive size={14} aria-hidden="true" />
+        Resolve
+      </BulkBtn>
+
+      <BulkBtn onClick={onEscalate}>
+        <ArrowUpRight size={14} aria-hidden="true" />
+        Escalate
+      </BulkBtn>
+    </div>
+  );
+}
+
+function BulkBtn({
+  onClick,
+  children,
+  ...rest
+}: {
+  onClick: () => void;
+  children: React.ReactNode;
+  "aria-expanded"?: boolean;
+}): JSX.Element {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      {...rest}
+      style={{
+        display: "inline-flex",
+        alignItems: "center",
+        gap: 6,
+        height: 28,
+        padding: "0 10px",
+        border: "1px solid rgba(248,250,252,0.15)",
+        background: "rgba(248,250,252,0.06)",
+        color: "#f8fafc",
+        borderRadius: 6,
+        cursor: "pointer",
+        fontSize: 12,
+        fontWeight: 500,
+      }}
+      onMouseEnter={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "rgba(248,250,252,0.14)";
+      }}
+      onMouseLeave={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "rgba(248,250,252,0.06)";
+      }}
+    >
+      {children}
+    </button>
+  );
+}
+
+function SnoozeOption({ label, onClick }: { label: string; onClick: () => void }): JSX.Element {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      role="menuitem"
+      style={{
+        textAlign: "left",
+        border: "none",
+        background: "transparent",
+        padding: "8px 10px",
+        fontSize: 13,
+        color: "#0f172a",
+        cursor: "pointer",
+        borderRadius: 4,
+      }}
+      onMouseEnter={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "#f1f5f9";
+      }}
+      onMouseLeave={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "transparent";
+      }}
+    >
+      {label}
+    </button>
+  );
+}
diff --git a/apps/web/src/components/ChangeDrawer.tsx b/apps/web/src/components/ChangeDrawer.tsx
new file mode 100644
index 0000000..ea3a681
--- /dev/null
+++ b/apps/web/src/components/ChangeDrawer.tsx
@@ -0,0 +1,375 @@
+import { useEffect, useRef, useState, type JSX } from "react";
+import { createPortal } from "react-dom";
+import { X, AlertCircle, CheckCircle, Clock, ArrowUpRight } from "lucide-react";
+import type { InboxItem, EvidenceBriefResponse, Severity } from "@unsyphn/shared";
+import { ApiError, DEMO_BEARER_TOKEN } from "../lib/api.js";
+import { ROLES, ROLE_LABELS, type Role } from "../lib/role.js";
+import { celebrate } from "../lib/confetti.js";
+import { DiffViewer } from "./DiffViewer.js";
+
+export interface ChangeDrawerProps {
+  open: boolean;
+  onClose: () => void;
+  item: InboxItem | null;
+  onEscalated?: (id: string, toRole: Role) => void;
+}
+
+const FOCUSABLE = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+
+const SEV_BADGE: Record<Severity, string> = {
+  P1: "badge badge-danger",
+  P2: "badge badge-warning",
+  P3: "badge badge-success",
+};
+
+type ToastVariant = "success" | "error";
+type EscalateState = "idle" | "confirming";
+
+async function postChange(path: string, body?: Record<string, unknown>): Promise<void> {
+  const headers: Record<string, string> = { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` };
+  if (body) headers["Content-Type"] = "application/json";
+  const resp = await fetch(path, { method: "POST", headers, body: body ? JSON.stringify(body) : undefined });
+  if (!resp.ok) {
+    const text = await resp.text();
+    const json = text ? (JSON.parse(text) as { error?: { message?: string } }) : undefined;
+    throw new ApiError(resp.status, { error: { code: "request_failed", message: json?.error?.message ?? `HTTP ${resp.status}` } });
+  }
+}
+
+function useFocusTrap(open: boolean, panelRef: React.RefObject<HTMLDivElement | null>, onClose: () => void): void {
+  const openerRef = useRef<Element | null>(null);
+
+  useEffect(() => {
+    if (open) {
+      openerRef.current = document.activeElement;
+      panelRef.current?.querySelectorAll<HTMLElement>(FOCUSABLE)[0]?.focus();
+    } else {
+      const opener = openerRef.current;
+      if (opener instanceof HTMLElement) opener.focus();
+      openerRef.current = null;
+    }
+  }, [open, panelRef]);
+
+  useEffect(() => {
+    if (!open) return;
+    const onKeyDown = (e: KeyboardEvent): void => {
+      if (e.key === "Escape") { e.preventDefault(); onClose(); return; }
+      if (e.key !== "Tab") return;
+      const panel = panelRef.current;
+      if (!panel) return;
+      const focusable = Array.from(panel.querySelectorAll<HTMLElement>(FOCUSABLE)).filter((el) => !el.hasAttribute("disabled"));
+      if (!focusable.length) return;
+      const first = focusable[0];
+      const last = focusable[focusable.length - 1];
+      if (!first || !last) return;
+      if (e.shiftKey) { if (document.activeElement === first) { e.preventDefault(); last.focus(); } }
+      else { if (document.activeElement === last) { e.preventDefault(); first.focus(); } }
+    };
+    document.addEventListener("keydown", onKeyDown);
+    return () => document.removeEventListener("keydown", onKeyDown);
+  }, [open, panelRef, onClose]);
+}
+
+function SectionLabel({ label, id }: { label: string; id?: string }): JSX.Element {
+  return (
+    <span id={id} style={{ display: "block", fontSize: "var(--text-xs)", fontWeight: 600, textTransform: "uppercase", letterSpacing: "0.07em", color: "var(--text-2)", marginBottom: "var(--space-1)" }}>
+      {label}
+    </span>
+  );
+}
+
+function Toast({ message, variant }: { message: string; variant: ToastVariant }): JSX.Element {
+  return (
+    <div role="status" aria-live="polite" style={{ position: "fixed", bottom: "var(--space-6)", left: "50%", transform: "translateX(-50%)", background: variant === "success" ? "var(--success)" : "var(--danger)", color: "#fff", padding: "var(--space-2) var(--space-5)", borderRadius: "var(--radius-full)", fontSize: "var(--text-sm)", fontWeight: 500, zIndex: 500, whiteSpace: "nowrap", boxShadow: "var(--shadow-3)" }}>
+      {message}
+    </div>
+  );
+}
+
+function DrawerBody({ item, evidence, escalate, onEscalate, onSubmitEscalate, escalateBusy, escalateError, escalateRole, escalateNote, onChangeRole, onChangeNote }: {
+  item: InboxItem;
+  evidence: EvidenceBriefResponse | null;
+  escalate: EscalateState;
+  onEscalate: (s: EscalateState) => void;
+  onSubmitEscalate: () => void;
+  escalateBusy: boolean;
+  escalateError: string | null;
+  escalateRole: Role;
+  escalateNote: string;
+  onChangeRole: (r: Role) => void;
+  onChangeNote: (n: string) => void;
+}): JSX.Element {
+  const changes = evidence?.changeReport?.changes ?? [];
+  const isChange = item.kind === "change";
+
+  return (
+    <div style={{ flex: 1, overflowY: "auto", padding: "var(--space-5)", display: "flex", flexDirection: "column", gap: "var(--space-5)" }}>
+      <section aria-labelledby="dw-what">
+        <SectionLabel label="What Changed" id="dw-what" />
+        <h3 style={{ margin: 0, fontSize: "var(--text-base)", fontWeight: 600, color: "var(--text)", lineHeight: 1.4 }}>{item.title}</h3>
+      </section>
+
+      <section aria-labelledby="dw-why">
+        <SectionLabel label="Why It Matters" id="dw-why" />
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)", lineHeight: 1.6 }}>
+          {item.summary}
+          {item.dollarImpact !== null && (
+            <span style={{ color: "var(--danger)", fontWeight: 600 }}>{" "}${item.dollarImpact.toLocaleString()} estimated impact.</span>
+          )}
+        </p>
+      </section>
+
+      <section aria-labelledby="dw-who">
+        <SectionLabel label="Who Owns" id="dw-who" />
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+          <span aria-hidden="true" style={{ width: 28, height: 28, borderRadius: "var(--radius-full)", background: "var(--accent-soft)", border: "1px solid var(--border)", display: "inline-flex", alignItems: "center", justifyContent: "center", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--accent)", flexShrink: 0 }}>
+            {item.ownerEmail.charAt(0).toUpperCase()}
+          </span>
+          <span style={{ fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            {item.ownerEmail} · <span style={{ color: "var(--text-muted)" }}>Vendor Owner</span>
+          </span>
+        </div>
+      </section>
+
+      <section aria-labelledby="dw-next">
+        <SectionLabel label="What's Next" id="dw-next" />
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)", lineHeight: 1.6 }}>
+          Acknowledge before EOD. Route to legal if data classification policy fires.
+          {item.severity === "P1" && " Escalate immediately — P1 severity."}
+        </p>
+      </section>
+
+      {isChange && (
+        <section aria-labelledby="dw-proof">
+          <SectionLabel label="Proof" id="dw-proof" />
+          {changes.length > 0
+            ? <DiffViewer changes={changes} />
+            : <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>Loading diff data...</p>
+          }
+        </section>
+      )}
+
+      {escalate === "confirming" && (
+        <div
+          role="region"
+          aria-label="Escalation form"
+          style={{
+            background: "var(--surface-2)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--radius-md)",
+            padding: "var(--space-4)",
+            display: "flex",
+            flexDirection: "column",
+            gap: "var(--space-3)",
+          }}
+        >
+          <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text)", fontWeight: 600 }}>
+            Escalate this change
+          </p>
+          <label style={{ display: "flex", flexDirection: "column", gap: 4 }}>
+            <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)", fontWeight: 500 }}>Route to</span>
+            <select
+              value={escalateRole}
+              onChange={(e) => onChangeRole(e.target.value as Role)}
+              className="input"
+              style={{ height: 32, fontSize: "var(--text-sm)" }}
+              aria-label="Escalation target role"
+            >
+              {ROLES.map((r) => (
+                <option key={r} value={r}>{ROLE_LABELS[r]}</option>
+              ))}
+            </select>
+          </label>
+          <label style={{ display: "flex", flexDirection: "column", gap: 4 }}>
+            <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)", fontWeight: 500 }}>Note (optional)</span>
+            <textarea
+              value={escalateNote}
+              onChange={(e) => onChangeNote(e.target.value)}
+              className="input"
+              rows={3}
+              maxLength={500}
+              placeholder="Context for the receiving team…"
+              style={{ fontSize: "var(--text-sm)", resize: "vertical", padding: 8 }}
+              aria-label="Escalation note"
+            />
+          </label>
+          {escalateError && (
+            <span className="badge badge-danger" style={{ alignSelf: "flex-start" }}>
+              {escalateError}
+            </span>
+          )}
+          <div style={{ display: "flex", gap: "var(--space-2)" }}>
+            <button
+              type="button"
+              className="btn btn-primary"
+              style={{ height: 32 }}
+              onClick={onSubmitEscalate}
+              disabled={escalateBusy}
+              aria-busy={escalateBusy}
+            >
+              Confirm Escalation
+            </button>
+            <button
+              type="button"
+              className="btn btn-ghost"
+              style={{ height: 32 }}
+              onClick={() => onEscalate("idle")}
+              disabled={escalateBusy}
+            >
+              Cancel
+            </button>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
+export function ChangeDrawer({ open, onClose, item, onEscalated }: ChangeDrawerProps): JSX.Element | null {
+  const panelRef = useRef<HTMLDivElement>(null);
+  const [evidence, setEvidence] = useState<EvidenceBriefResponse | null>(null);
+  const [toast, setToast] = useState<{ message: string; variant: ToastVariant } | null>(null);
+  const [actionBusy, setActionBusy] = useState<string | null>(null);
+  const [escalate, setEscalate] = useState<EscalateState>("idle");
+  const [escalateRole, setEscalateRole] = useState<Role>("legal");
+  const [escalateNote, setEscalateNote] = useState<string>("");
+  const [escalateBusy, setEscalateBusy] = useState(false);
+  const [escalateError, setEscalateError] = useState<string | null>(null);
+
+  useFocusTrap(open, panelRef, onClose);
+
+  useEffect(() => {
+    if (!open || !item || item.kind !== "change") { setEvidence(null); return; }
+    let cancelled = false;
+    fetch(`/v1/evidence/${encodeURIComponent(item.id)}`, { headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } })
+      .then((r) => r.ok ? r.json() : null)
+      .then((d: EvidenceBriefResponse | null) => { if (!cancelled) setEvidence(d); })
+      .catch(() => { if (!cancelled) setEvidence(null); });
+    return () => { cancelled = true; };
+  }, [open, item]);
+
+  useEffect(() => {
+    if (!open) {
+      setEscalate("idle");
+      setEscalateRole("legal");
+      setEscalateNote("");
+      setEscalateError(null);
+      setEscalateBusy(false);
+    }
+  }, [open]);
+
+  useEffect(() => {
+    if (!toast) return;
+    const t = setTimeout(() => setToast(null), 3000);
+    return () => clearTimeout(t);
+  }, [toast]);
+
+  const showToast = (msg: string, variant: ToastVariant = "success"): void => setToast({ message: msg, variant });
+
+  const handleAction = async (key: string, body?: Record<string, unknown>, successMsg = "Done"): Promise<void> => {
+    if (!item) return;
+    setActionBusy(key);
+    try {
+      await postChange(`/v1/changes/${item.id}/${key}`, body);
+      showToast(successMsg);
+      if (key === "resolve" && item.severity === "P1") celebrate();
+      onClose();
+    } catch {
+      showToast("Action failed", "error");
+    } finally {
+      setActionBusy(null);
+    }
+  };
+
+  const handleSubmitEscalate = async (): Promise<void> => {
+    if (!item) return;
+    setEscalateBusy(true);
+    setEscalateError(null);
+    try {
+      const trimmed = escalateNote.trim();
+      const body: Record<string, unknown> = { toRole: escalateRole };
+      if (trimmed.length > 0) body.note = trimmed;
+      await postChange(`/v1/changes/${item.id}/escalate`, body);
+      showToast(`Escalated to ${escalateRole} — Slack + Jira sent`);
+      onEscalated?.(item.id, escalateRole);
+      setEscalate("idle");
+      onClose();
+    } catch (err) {
+      const msg = err instanceof ApiError ? err.message : "Escalation failed";
+      setEscalateError(msg);
+    } finally {
+      setEscalateBusy(false);
+    }
+  };
+
+  if (!open && !item) return null;
+
+  const sevBadgeClass = item ? SEV_BADGE[item.severity] : "badge badge-neutral";
+  const SevIcon = item?.severity === "P3" ? CheckCircle : AlertCircle;
+
+  return createPortal(
+    <>
+      <div aria-hidden="true" onClick={onClose} className={open ? "fade-in" : undefined} style={{ display: open ? "block" : "none", position: "fixed", inset: 0, background: "rgba(15,23,42,0.42)", backdropFilter: "blur(4px)", WebkitBackdropFilter: "blur(4px)", zIndex: 300 }} />
+      <div
+        ref={panelRef}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="change-drawer-title"
+        className="glass-strong"
+        style={{ position: "fixed", top: 0, right: 0, bottom: 0, width: "min(480px, 100vw)", borderLeft: "1px solid var(--glass-border)", zIndex: 301, display: "flex", flexDirection: "column", transform: open ? "translateX(0)" : "translateX(100%)", transition: `transform var(--dur-md) var(--ease-out)` }}
+      >
+        {/* Header */}
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", padding: "0 var(--space-5)", height: 56, borderBottom: "1px solid var(--border)", flexShrink: 0 }}>
+          {item && (
+            <span className={sevBadgeClass} style={{ display: "inline-flex", alignItems: "center", gap: 4 }}>
+              <SevIcon size={12} aria-hidden="true" />{item.severity}
+            </span>
+          )}
+          <h2 id="change-drawer-title" style={{ flex: 1, margin: 0, fontSize: "var(--text-sm)", fontWeight: 600, color: "var(--text)", overflow: "hidden", textOverflow: "ellipsis", whiteSpace: "nowrap" }}>
+            {item ? `${item.vendorName} · Material Change` : "Material Change"}
+          </h2>
+          <button type="button" onClick={onClose} aria-label="Close drawer" className="btn btn-ghost" style={{ width: 36, height: 36, padding: 0, flexShrink: 0 }}>
+            <X size={18} aria-hidden="true" />
+          </button>
+        </div>
+
+        {/* Body */}
+        {item && (
+          <DrawerBody
+            item={item}
+            evidence={evidence}
+            escalate={escalate}
+            onEscalate={setEscalate}
+            onSubmitEscalate={() => void handleSubmitEscalate()}
+            escalateBusy={escalateBusy}
+            escalateError={escalateError}
+            escalateRole={escalateRole}
+            escalateNote={escalateNote}
+            onChangeRole={setEscalateRole}
+            onChangeNote={setEscalateNote}
+          />
+        )}
+
+        {/* Action row */}
+        {item && (
+          <div style={{ display: "flex", gap: "var(--space-2)", padding: "var(--space-4) var(--space-5)", borderTop: "1px solid var(--border)", flexShrink: 0, flexWrap: "wrap" }}>
+            <button type="button" className="btn btn-primary" onClick={() => handleAction("acknowledge", undefined, "Acknowledged")} aria-busy={actionBusy === "acknowledge"} disabled={actionBusy !== null}>
+              <CheckCircle size={14} aria-hidden="true" />Acknowledge
+            </button>
+            <button type="button" className="btn btn-secondary" onClick={() => handleAction("snooze", { untilAt: new Date(Date.now() + 48 * 3600 * 1000).toISOString() }, "Snoozed 48h")} aria-busy={actionBusy === "snooze"} disabled={actionBusy !== null}>
+              <Clock size={14} aria-hidden="true" />Snooze 48h
+            </button>
+            <button type="button" className="btn btn-secondary" onClick={() => handleAction("resolve", { resolution: "accepted" }, "Resolved")} aria-busy={actionBusy === "resolve"} disabled={actionBusy !== null}>
+              Resolve
+            </button>
+            <button type="button" className="btn btn-ghost" onClick={() => setEscalate(escalate === "confirming" ? "idle" : "confirming")} disabled={actionBusy !== null} aria-expanded={escalate === "confirming"}>
+              <ArrowUpRight size={14} aria-hidden="true" />Escalate
+            </button>
+          </div>
+        )}
+      </div>
+      {toast && <Toast message={toast.message} variant={toast.variant} />}
+    </>,
+    document.body,
+  );
+}
diff --git a/apps/web/src/components/CommandPalette.tsx b/apps/web/src/components/CommandPalette.tsx
new file mode 100644
index 0000000..81823f9
--- /dev/null
+++ b/apps/web/src/components/CommandPalette.tsx
@@ -0,0 +1,425 @@
+import { useEffect, useRef, useState, useCallback } from "react";
+import { createPortal } from "react-dom";
+import { useRole } from "../lib/role.js";
+import { useGlobalShortcut } from "../lib/keyboard.js";
+
+type Role = "procurement" | "legal" | "security" | "finance";
+
+interface PaletteItem {
+  id: string;
+  label: string;
+  hint?: string;
+  group: string;
+  disabled?: boolean;
+  action: () => void;
+}
+
+const SEED_VENDORS = [
+  { name: "Notion", slug: "notion" },
+  { name: "Stripe", slug: "stripe" },
+  { name: "Figma", slug: "figma" },
+  { name: "Vercel", slug: "vercel" },
+  { name: "Linear", slug: "linear" },
+  { name: "GitHub", slug: "github" },
+  { name: "Slack", slug: "slack" },
+  { name: "Salesforce", slug: "salesforce" },
+];
+
+const SEED_CHANGES = [
+  { id: "chg_seed_notion", label: "Notion — data retention change" },
+  { id: "chg_seed_stripe_subprocessor", label: "Stripe — subprocessor update" },
+];
+
+const ROLES: Role[] = ["procurement", "legal", "security", "finance"];
+
+function navigate(path: string): void {
+  window.history.pushState({}, "", path);
+  window.dispatchEvent(new PopStateEvent("popstate"));
+}
+
+function useVendorList(): { name: string; slug: string }[] {
+  const [vendors, setVendors] = useState(SEED_VENDORS);
+
+  useEffect(() => {
+    fetch("/v1/dashboard/summary")
+      .then((r) => (r.ok ? r.json() : null))
+      .then((data: unknown) => {
+        if (!data || typeof data !== "object") return;
+        const d = data as Record<string, unknown>;
+        const list = d.vendors ?? d.data;
+        if (!Array.isArray(list)) return;
+        const mapped = list
+          .filter((v): v is { name?: unknown; id?: unknown; slug?: unknown } =>
+            typeof v === "object" && v !== null
+          )
+          .map((v) => ({
+            name: String(v.name ?? v.id ?? ""),
+            slug: String(v.slug ?? v.id ?? ""),
+          }))
+          .filter((v) => v.name && v.slug);
+        if (mapped.length > 0) setVendors(mapped);
+      })
+      .catch(() => {
+        // fall back to seed vendors already in state
+      });
+  }, []);
+
+  return vendors;
+}
+
+function substrMatch(haystack: string, needle: string): boolean {
+  return haystack.toLowerCase().includes(needle.toLowerCase());
+}
+
+interface PaletteProps {
+  open: boolean;
+  onClose: () => void;
+}
+
+function Palette({ open, onClose }: PaletteProps): JSX.Element | null {
+  const [query, setQuery] = useState("");
+  const [activeIdx, setActiveIdx] = useState(0);
+  const inputRef = useRef<HTMLInputElement>(null);
+  const listRef = useRef<HTMLUListElement>(null);
+  const dialogRef = useRef<HTMLDivElement>(null);
+  const vendors = useVendorList();
+  const [, setRole] = useRole();
+  const pathname =
+    typeof window !== "undefined" ? window.location.pathname : "/app";
+
+  const isChangePage = /^\/app\/(change|evidence)\/([^/?#]+)/.test(pathname);
+  const changeIdMatch = pathname.match(
+    /^\/app\/(change|evidence)\/([^/?#]+)/
+  );
+  const currentChangeId = changeIdMatch?.[2];
+
+  const buildItems = useCallback((): PaletteItem[] => {
+    const items: PaletteItem[] = [];
+
+    vendors.forEach((v) => {
+      items.push({
+        id: `vendor-${v.slug}`,
+        label: v.name,
+        group: "Jump to vendor",
+        action: () => navigate(`/app/vendor/${v.slug}`),
+      });
+    });
+
+    SEED_CHANGES.forEach((c) => {
+      items.push({
+        id: `change-${c.id}`,
+        label: c.label,
+        group: "Open recent change",
+        action: () => navigate(`/app/change/${c.id}`),
+      });
+    });
+
+    ROLES.forEach((r) => {
+      const label = r.charAt(0).toUpperCase() + r.slice(1);
+      items.push({
+        id: `role-${r}`,
+        label: `Switch to ${label}`,
+        group: "Switch role",
+        action: () => {
+          setRole(r);
+          onClose();
+        },
+      });
+    });
+
+    SEED_CHANGES.forEach((c) => {
+      items.push({
+        id: `brief-${c.id}`,
+        label: `Senso brief — ${c.label}`,
+        group: "Open Senso brief",
+        action: () => navigate(`/app/evidence/${c.id}`),
+      });
+    });
+
+    if (isChangePage && currentChangeId) {
+      items.push({
+        id: "bundle",
+        label: "Generate Compliance Bundle",
+        hint: "Opens printable HTML",
+        group: "Actions",
+        action: () =>
+          window.open(`/v1/evidence/${currentChangeId}/bundle.html`, "_blank"),
+      });
+    } else {
+      items.push({
+        id: "bundle",
+        label: "Generate Compliance Bundle",
+        hint: "Open a change first",
+        group: "Actions",
+        disabled: true,
+        action: () => {},
+      });
+    }
+
+    return items;
+  }, [vendors, isChangePage, currentChangeId, setRole, onClose]);
+
+  const filtered = buildItems().filter(
+    (item) => !query || substrMatch(item.label, query)
+  );
+
+  useEffect(() => {
+    if (open) {
+      setQuery("");
+      setActiveIdx(0);
+      requestAnimationFrame(() => inputRef.current?.focus());
+    }
+  }, [open]);
+
+  useEffect(() => {
+    setActiveIdx(0);
+  }, [query]);
+
+  useEffect(() => {
+    const el = listRef.current?.querySelector<HTMLElement>(
+      `[data-idx="${activeIdx}"]`
+    );
+    el?.scrollIntoView({ block: "nearest" });
+  }, [activeIdx]);
+
+  const FOCUSABLE = 'button:not([disabled]), [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+
+  const handleKeyDown = (e: React.KeyboardEvent): void => {
+    if (e.key === "Tab") {
+      const dialog = dialogRef.current;
+      if (!dialog) return;
+      const focusable = Array.from(dialog.querySelectorAll<HTMLElement>(FOCUSABLE)).filter(
+        (el) => !el.hasAttribute("disabled"),
+      );
+      if (focusable.length === 0) return;
+      const first = focusable[0];
+      const last = focusable[focusable.length - 1];
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last?.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first?.focus();
+        }
+      }
+    } else if (e.key === "ArrowDown") {
+      e.preventDefault();
+      setActiveIdx((i) => Math.min(i + 1, filtered.length - 1));
+    } else if (e.key === "ArrowUp") {
+      e.preventDefault();
+      setActiveIdx((i) => Math.max(i - 1, 0));
+    } else if (e.key === "Enter") {
+      e.preventDefault();
+      const item = filtered[activeIdx];
+      if (item && !item.disabled) {
+        item.action();
+        onClose();
+      }
+    } else if (e.key === "Escape") {
+      e.stopPropagation();
+      onClose();
+    }
+  };
+
+  if (!open) return null;
+
+  let lastGroup = "";
+
+  return createPortal(
+    <div
+      role="presentation"
+      className="fade-in"
+      style={{
+        position: "fixed",
+        inset: 0,
+        zIndex: 9999,
+        background: "rgba(15,23,42,0.55)",
+        backdropFilter: "blur(6px)",
+        WebkitBackdropFilter: "blur(6px)",
+        display: "flex",
+        alignItems: "flex-start",
+        justifyContent: "center",
+        paddingTop: "12vh",
+      }}
+      onClick={(e) => {
+        if (e.target === e.currentTarget) onClose();
+      }}
+    >
+      <div
+        ref={dialogRef}
+        role="dialog"
+        aria-modal="true"
+        aria-label="Command palette"
+        className="glass-strong scale-in"
+        style={{
+          width: 560,
+          maxHeight: 480,
+          borderRadius: 12,
+          overflow: "hidden",
+          display: "flex",
+          flexDirection: "column",
+        }}
+        onKeyDown={handleKeyDown}
+      >
+        <div
+          style={{
+            padding: "var(--space-3) var(--space-4)",
+            borderBottom: "1px solid var(--border)",
+          }}
+        >
+          <input
+            ref={inputRef}
+            className="input focus-glow"
+            type="search"
+            placeholder="Jump to vendor, switch role, or run action…"
+            value={query}
+            onChange={(e) => setQuery(e.currentTarget.value)}
+            style={{ width: "100%", border: "none", background: "transparent" }}
+            aria-label="Search commands"
+            autoComplete="off"
+          />
+        </div>
+
+        <ul
+          ref={listRef}
+          role="listbox"
+          aria-label="Commands"
+          style={{
+            listStyle: "none",
+            margin: 0,
+            padding: "var(--space-2) 0",
+            overflowY: "auto",
+            flex: 1,
+          }}
+        >
+          {filtered.length === 0 && (
+            <li
+              style={{
+                padding: "var(--space-4) var(--space-5)",
+                color: "var(--muted)",
+                fontSize: "var(--text-sm)",
+              }}
+            >
+              No results
+            </li>
+          )}
+          {filtered.map((item, idx) => {
+            const showGroup = item.group !== lastGroup;
+            lastGroup = item.group;
+            return (
+              <li key={item.id}>
+                {showGroup && (
+                  <div
+                    aria-hidden="true"
+                    style={{
+                      padding: "var(--space-2) var(--space-5) var(--space-1)",
+                      fontSize: "var(--text-xs)",
+                      fontWeight: 400,
+                      letterSpacing: "0.04em",
+                      textTransform: "uppercase",
+                      color: "var(--muted)",
+                    }}
+                  >
+                    {item.group}
+                  </div>
+                )}
+                <button
+                  type="button"
+                  role="option"
+                  aria-selected={idx === activeIdx}
+                  data-idx={idx}
+                  className={idx === activeIdx ? "is-active" : ""}
+                  disabled={item.disabled}
+                  onClick={() => {
+                    if (!item.disabled) {
+                      item.action();
+                      onClose();
+                    }
+                  }}
+                  onMouseEnter={() => setActiveIdx(idx)}
+                  style={{
+                    display: "flex",
+                    alignItems: "center",
+                    justifyContent: "space-between",
+                    width: "100%",
+                    padding: "var(--space-2) var(--space-5)",
+                    background:
+                      idx === activeIdx
+                        ? "var(--accent-soft)"
+                        : "transparent",
+                    border: "none",
+                    cursor: item.disabled ? "default" : "pointer",
+                    color: item.disabled
+                      ? "var(--muted)"
+                      : "var(--text)",
+                    fontSize: "var(--text-sm)",
+                    textAlign: "left",
+                    fontFamily: "var(--font-text)",
+                    transition: "background-color var(--dur-sm) var(--ease-out)",
+                  }}
+                >
+                  <span>{item.label}</span>
+                  {item.hint && (
+                    <span
+                      style={{
+                        fontSize: "var(--text-xs)",
+                        color: "var(--muted)",
+                        marginLeft: "var(--space-3)",
+                        flexShrink: 0,
+                      }}
+                    >
+                      {item.hint}
+                    </span>
+                  )}
+                </button>
+              </li>
+            );
+          })}
+        </ul>
+      </div>
+    </div>,
+    document.body
+  );
+}
+
+export function CommandPalette(): JSX.Element {
+  const [open, setOpen] = useState(false);
+  const triggerRef = useRef<HTMLElement | null>(null);
+
+  const openPalette = useCallback(() => {
+    triggerRef.current = document.activeElement as HTMLElement;
+    setOpen(true);
+  }, []);
+
+  const closePalette = useCallback(() => {
+    setOpen(false);
+    requestAnimationFrame(() => {
+      if (triggerRef.current && triggerRef.current !== document.body) {
+        triggerRef.current.focus();
+      }
+    });
+  }, []);
+
+  useGlobalShortcut("Meta+K", openPalette);
+  useGlobalShortcut("Control+K", openPalette);
+
+  useEffect(() => {
+    const onOpen = (): void => openPalette();
+    window.addEventListener("unsyphn:openPalette", onOpen);
+    return () => window.removeEventListener("unsyphn:openPalette", onOpen);
+  }, [openPalette]);
+
+  useEffect(() => {
+    if (!open) return;
+    const onEsc = (e: KeyboardEvent): void => {
+      if (e.key === "Escape") closePalette();
+    };
+    window.addEventListener("keydown", onEsc);
+    return () => window.removeEventListener("keydown", onEsc);
+  }, [open, closePalette]);
+
+  return <Palette open={open} onClose={closePalette} />;
+}
diff --git a/apps/web/src/components/ConnectDrawer.tsx b/apps/web/src/components/ConnectDrawer.tsx
new file mode 100644
index 0000000..fe4c49a
--- /dev/null
+++ b/apps/web/src/components/ConnectDrawer.tsx
@@ -0,0 +1,537 @@
+import { useEffect, useMemo, useState } from "react";
+import { Copy, Check, Upload, Loader2, ExternalLink } from "lucide-react";
+import { Drawer } from "./Drawer.js";
+import { VendorLogo } from "./VendorLogo.js";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+
+export interface IntegrationField {
+  key: string;
+  label: string;
+  placeholder?: string;
+  sensitive?: boolean;
+  optional?: boolean;
+}
+
+export interface IntegrationDto {
+  id: string;
+  name: string;
+  slug: string;
+  category: "inbound" | "outbound";
+  description: string;
+  authType: "oauth" | "api-key" | "saml";
+  iconSlug?: string;
+  iconColor?: string;
+  requiredFields: IntegrationField[];
+  defaultScopes: string[];
+  connected: boolean;
+  scopes?: string[];
+  connectedAs?: string;
+  connectedAt?: string;
+  lastSyncedAt?: string;
+}
+
+interface Props {
+  integration: IntegrationDto;
+  open: boolean;
+  onClose: () => void;
+  onConnected: (next: IntegrationDto) => void;
+}
+
+const S = {
+  header: {
+    display: "flex",
+    alignItems: "flex-start",
+    gap: "var(--space-3)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  headerText: { minWidth: 0, flex: 1 } as React.CSSProperties,
+  title: {
+    fontSize: "var(--text-base)",
+    fontWeight: 600,
+    color: "var(--text)",
+    margin: 0,
+  } as React.CSSProperties,
+  categoryChip: {
+    display: "inline-block",
+    marginTop: 4,
+    fontSize: "var(--text-xs)",
+    color: "var(--text-2)",
+    background: "var(--surface-2)",
+    borderRadius: "var(--radius-pill)",
+    padding: "2px 8px",
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.06em",
+  },
+  description: {
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+    lineHeight: 1.55,
+    marginBottom: "var(--space-5)",
+  } as React.CSSProperties,
+  fieldGroup: { marginBottom: "var(--space-4)" } as React.CSSProperties,
+  label: {
+    display: "flex",
+    alignItems: "center",
+    gap: 6,
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    color: "var(--text-2)",
+    marginBottom: "var(--space-2)",
+  } as React.CSSProperties,
+  optional: {
+    fontSize: "var(--text-xs)",
+    color: "var(--text-muted)",
+    fontWeight: 400,
+  } as React.CSSProperties,
+  input: {
+    width: "100%",
+    padding: "8px var(--space-3)",
+    fontSize: "var(--text-sm)",
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface)",
+    color: "var(--text)",
+    boxSizing: "border-box" as const,
+  },
+  fileBtn: {
+    display: "inline-flex",
+    alignItems: "center",
+    gap: 6,
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    padding: "8px 12px",
+    border: "1px dashed var(--border-strong)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface)",
+    color: "var(--text-2)",
+    cursor: "pointer",
+  },
+  oauthBtn: {
+    width: "100%",
+    padding: "10px var(--space-4)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 500,
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-md)",
+    background: "var(--surface)",
+    color: "var(--text)",
+    cursor: "pointer",
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    gap: 8,
+  } as React.CSSProperties,
+  oauthSuccess: {
+    fontSize: "var(--text-xs)",
+    color: "var(--success)",
+    marginTop: "var(--space-2)",
+    display: "inline-flex",
+    alignItems: "center",
+    gap: 6,
+  } as React.CSSProperties,
+  scopesBlock: {
+    background: "var(--surface-2)",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-md)",
+    padding: "var(--space-3) var(--space-4)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  scopeLabel: {
+    display: "flex",
+    alignItems: "center",
+    gap: 8,
+    padding: "4px 0",
+    fontSize: "var(--text-sm)",
+    color: "var(--text)",
+    cursor: "pointer",
+  } as React.CSSProperties,
+  webhookRow: {
+    display: "flex",
+    gap: "var(--space-2)",
+    alignItems: "center",
+  } as React.CSSProperties,
+  webhookInput: {
+    flex: 1,
+    fontFamily: "var(--font-mono)",
+    fontSize: "11px",
+    padding: "8px var(--space-3)",
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface-2)",
+    color: "var(--text-2)",
+    boxSizing: "border-box" as const,
+  },
+  copyBtn: {
+    display: "inline-flex",
+    alignItems: "center",
+    gap: 4,
+    padding: "8px 12px",
+    fontSize: "var(--text-xs)",
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface)",
+    color: "var(--text-2)",
+    cursor: "pointer",
+  } as React.CSSProperties,
+  sectionHeading: {
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    color: "var(--text-muted)",
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.07em",
+    marginBottom: "var(--space-2)",
+  } as React.CSSProperties,
+  footer: {
+    display: "flex",
+    gap: "var(--space-3)",
+    marginTop: "var(--space-5)",
+  } as React.CSSProperties,
+  submit: {
+    flex: 1,
+    padding: "10px var(--space-4)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 500,
+    background: "var(--accent)",
+    color: "#fff",
+    border: "1px solid var(--accent)",
+    borderRadius: "var(--radius-md)",
+    cursor: "pointer",
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    gap: 6,
+  } as React.CSSProperties,
+  cancel: {
+    padding: "10px var(--space-4)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 500,
+    background: "var(--surface)",
+    color: "var(--text-2)",
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-md)",
+    cursor: "pointer",
+  } as React.CSSProperties,
+  error: {
+    fontSize: "var(--text-xs)",
+    color: "var(--danger)",
+    marginTop: "var(--space-3)",
+  } as React.CSSProperties,
+} as const;
+
+function shortToken(): string {
+  return Math.random().toString(36).slice(2, 10);
+}
+
+function domainFor(slug: string): string {
+  const map: Record<string, string> = {
+    "google-workspace": "google.com",
+    "microsoft-365": "microsoft.com",
+    "okta-saml": "okta.com",
+    "azure-ad": "microsoft.com",
+    "microsoft-teams": "microsoft.com",
+    "aws-cost-explorer": "aws.amazon.com",
+    "gcp-billing": "cloud.google.com",
+  };
+  return map[slug] ?? `${slug.replace(/-/g, "")}.com`;
+}
+
+function fakeAuthorizedEmail(slug: string): string {
+  const domain = domainFor(slug);
+  const handles = ["priya.shah", "marcus.chen", "lin.park", "ada.owens"];
+  const handle = handles[Math.floor(Math.random() * handles.length)] ?? "priya.shah";
+  return `${handle}@${domain}`;
+}
+
+export function ConnectDrawer({ integration, open, onClose, onConnected }: Props): JSX.Element {
+  const [values, setValues] = useState<Record<string, string>>({});
+  const [scopes, setScopes] = useState<string[]>(integration.defaultScopes);
+  const [oauthState, setOauthState] = useState<"idle" | "authorizing" | "authorized">("idle");
+  const [authorizedEmail, setAuthorizedEmail] = useState<string | null>(null);
+  const [fileName, setFileName] = useState<string | null>(null);
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [copied, setCopied] = useState(false);
+
+  // Reset state on open so the drawer is clean each time.
+  useEffect(() => {
+    if (!open) return;
+    setValues({});
+    setScopes(integration.defaultScopes);
+    setOauthState("idle");
+    setAuthorizedEmail(null);
+    setFileName(null);
+    setSubmitting(false);
+    setError(null);
+    setCopied(false);
+  }, [open, integration.id, integration.defaultScopes]);
+
+  const webhookUrl = useMemo(
+    () => `https://api.unsyphn.com/v1/webhooks/inbound/${integration.id}/${shortToken()}`,
+    // Regenerate each open cycle; integration.id makes it differ per integration.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+    [open, integration.id],
+  );
+
+  const needsWebhook = integration.requiredFields.some((f) => f.key === "webhookUrl");
+
+  function setField(key: string, val: string): void {
+    setValues((prev) => ({ ...prev, [key]: val }));
+  }
+
+  function toggleScope(scope: string): void {
+    setScopes((prev) =>
+      prev.includes(scope) ? prev.filter((s) => s !== scope) : [...prev, scope],
+    );
+  }
+
+  function simulateOauth(): void {
+    setOauthState("authorizing");
+    window.setTimeout(() => {
+      setOauthState("authorized");
+      setAuthorizedEmail(fakeAuthorizedEmail(integration.slug));
+    }, 1200);
+  }
+
+  function copyWebhook(): void {
+    void navigator.clipboard.writeText(webhookUrl).then(() => {
+      setCopied(true);
+      window.setTimeout(() => setCopied(false), 1800);
+    });
+  }
+
+  function canSubmit(): boolean {
+    if (integration.authType === "oauth") return oauthState === "authorized";
+    const required = integration.requiredFields.filter((f) => !f.optional && f.key !== "webhookUrl");
+    return required.every((f) => (values[f.key] ?? "").trim().length > 0);
+  }
+
+  async function submit(e: React.FormEvent): Promise<void> {
+    e.preventDefault();
+    if (!canSubmit() || submitting) return;
+    setSubmitting(true);
+    setError(null);
+    const submitValues: Record<string, string> = { ...values };
+    if (needsWebhook && !submitValues.webhookUrl) submitValues.webhookUrl = webhookUrl;
+    if (fileName) submitValues.certificateFile = fileName;
+    try {
+      const resp = await fetch(`/v1/integrations/${encodeURIComponent(integration.id)}/connect`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${DEMO_BEARER_TOKEN}`,
+        },
+        body: JSON.stringify({
+          values: submitValues,
+          scopes: integration.authType === "oauth" ? scopes : integration.defaultScopes,
+          ...(authorizedEmail ? { connectedAs: authorizedEmail } : {}),
+        }),
+      });
+      if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+      const json = (await resp.json()) as { integration: IntegrationDto };
+      onConnected(json.integration);
+      onClose();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Connection failed");
+    } finally {
+      setSubmitting(false);
+    }
+  }
+
+  return (
+    <Drawer open={open} onClose={onClose} title="Connect integration">
+      <div style={S.header}>
+        <VendorLogo name={integration.name} domain={domainFor(integration.slug)} size={36} />
+        <div style={S.headerText}>
+          <h3 style={S.title}>{integration.name}</h3>
+          <span style={S.categoryChip}>{integration.category}</span>
+        </div>
+      </div>
+      <p style={S.description}>{integration.description}</p>
+
+      <form onSubmit={(e) => void submit(e)} className="fade-up">
+        {integration.authType === "oauth" && (
+          <div style={S.fieldGroup}>
+            {integration.requiredFields.map((f) => (
+              <div key={f.key} style={S.fieldGroup}>
+                <label htmlFor={`f-${f.key}`} style={S.label}>
+                  {f.label}
+                  {f.optional && <span style={S.optional}>· optional</span>}
+                </label>
+                <input
+                  id={`f-${f.key}`}
+                  type="text"
+                  placeholder={f.placeholder ?? ""}
+                  value={values[f.key] ?? ""}
+                  onChange={(e) => setField(f.key, e.target.value)}
+                  className="focus-glow"
+                  style={S.input}
+                  required={!f.optional}
+                />
+              </div>
+            ))}
+            <button
+              type="button"
+              onClick={simulateOauth}
+              disabled={oauthState !== "idle"}
+              className="button-pop"
+              style={{ ...S.oauthBtn, opacity: oauthState !== "idle" ? 0.85 : 1 }}
+            >
+              {oauthState === "authorizing" ? (
+                <>
+                  <Loader2 size={14} aria-hidden="true" className="spin" />
+                  Authorizing on {integration.name}…
+                </>
+              ) : oauthState === "authorized" ? (
+                <>
+                  <Check size={14} aria-hidden="true" />
+                  Reauthorize
+                </>
+              ) : (
+                <>
+                  Authorize on {integration.name}
+                  <ExternalLink size={12} aria-hidden="true" />
+                </>
+              )}
+            </button>
+            {oauthState === "authorized" && authorizedEmail && (
+              <div style={S.oauthSuccess}>
+                <Check size={12} aria-hidden="true" />
+                Connected as {authorizedEmail}
+              </div>
+            )}
+          </div>
+        )}
+
+        {integration.authType === "api-key" &&
+          integration.requiredFields
+            .filter((f) => f.key !== "webhookUrl")
+            .map((f) => (
+              <div key={f.key} style={S.fieldGroup}>
+                <label htmlFor={`f-${f.key}`} style={S.label}>
+                  {f.label}
+                  {f.optional && <span style={S.optional}>· optional</span>}
+                </label>
+                <input
+                  id={`f-${f.key}`}
+                  type={f.sensitive ? "password" : "text"}
+                  placeholder={f.placeholder ?? ""}
+                  value={values[f.key] ?? ""}
+                  onChange={(e) => setField(f.key, e.target.value)}
+                  className="focus-glow"
+                  style={S.input}
+                  required={!f.optional}
+                  autoComplete="off"
+                  spellCheck={false}
+                />
+                {f.optional && (
+                  <div style={{ ...S.optional, marginTop: 4 }}>
+                    Leave blank to use the default
+                  </div>
+                )}
+              </div>
+            ))}
+
+        {integration.authType === "saml" && (
+          <>
+            {integration.requiredFields.map((f) => (
+              <div key={f.key} style={S.fieldGroup}>
+                <label htmlFor={`f-${f.key}`} style={S.label}>
+                  {f.label}
+                </label>
+                <input
+                  id={`f-${f.key}`}
+                  type="text"
+                  placeholder={f.placeholder ?? ""}
+                  value={values[f.key] ?? ""}
+                  onChange={(e) => setField(f.key, e.target.value)}
+                  className="focus-glow"
+                  style={S.input}
+                  required
+                />
+              </div>
+            ))}
+            <div style={S.fieldGroup}>
+              <span style={S.label}>SAML certificate</span>
+              <label style={S.fileBtn}>
+                <Upload size={12} aria-hidden="true" />
+                {fileName ?? "Upload .cer or .pem"}
+                <input
+                  type="file"
+                  accept=".cer,.pem,.crt"
+                  onChange={(e) => {
+                    const f = e.target.files?.[0];
+                    if (f) setFileName(f.name);
+                  }}
+                  style={{ display: "none" }}
+                />
+              </label>
+            </div>
+          </>
+        )}
+
+        {integration.authType === "oauth" && integration.defaultScopes.length > 0 && (
+          <div style={S.fieldGroup}>
+            <div style={S.sectionHeading}>Scopes</div>
+            <div style={S.scopesBlock}>
+              {integration.defaultScopes.map((scope) => (
+                <label key={scope} style={S.scopeLabel}>
+                  <input
+                    type="checkbox"
+                    checked={scopes.includes(scope)}
+                    onChange={() => toggleScope(scope)}
+                  />
+                  <code style={{ fontSize: 12 }}>{scope}</code>
+                </label>
+              ))}
+            </div>
+          </div>
+        )}
+
+        {needsWebhook && (
+          <div style={S.fieldGroup}>
+            <div style={S.sectionHeading}>Webhook URL</div>
+            <div style={S.webhookRow}>
+              <input value={webhookUrl} readOnly style={S.webhookInput} aria-label="Webhook URL" />
+              <button type="button" className="button-pop" style={S.copyBtn} onClick={copyWebhook}>
+                {copied ? (
+                  <>
+                    <Check size={12} aria-hidden="true" />
+                    Copied
+                  </>
+                ) : (
+                  <>
+                    <Copy size={12} aria-hidden="true" />
+                    Copy
+                  </>
+                )}
+              </button>
+            </div>
+          </div>
+        )}
+
+        {error && <div style={S.error}>{error}</div>}
+
+        <div style={S.footer}>
+          <button type="button" onClick={onClose} className="button-pop" style={S.cancel}>
+            Cancel
+          </button>
+          <button
+            type="submit"
+            disabled={!canSubmit() || submitting}
+            className="button-pop"
+            style={{ ...S.submit, opacity: !canSubmit() || submitting ? 0.55 : 1 }}
+          >
+            {submitting ? (
+              <>
+                <Loader2 size={14} aria-hidden="true" className="spin" />
+                Connecting…
+              </>
+            ) : (
+              `Connect to ${integration.name}`
+            )}
+          </button>
+        </div>
+      </form>
+    </Drawer>
+  );
+}
diff --git a/apps/web/src/components/CountUp.tsx b/apps/web/src/components/CountUp.tsx
new file mode 100644
index 0000000..eed16eb
--- /dev/null
+++ b/apps/web/src/components/CountUp.tsx
@@ -0,0 +1,63 @@
+import { useEffect, useRef, useState, type CSSProperties } from "react";
+
+interface CountUpProps {
+  value: number;
+  durationMs?: number;
+  format?: (n: number) => string;
+  className?: string;
+  style?: CSSProperties;
+}
+
+const reduced = (): boolean =>
+  typeof window !== "undefined" &&
+  typeof window.matchMedia === "function" &&
+  window.matchMedia("(prefers-reduced-motion: reduce)").matches;
+
+export function CountUp({
+  value,
+  durationMs = 900,
+  format,
+  className,
+  style,
+}: CountUpProps): JSX.Element {
+  const [display, setDisplay] = useState<number>(reduced() ? value : 0);
+  const fromRef = useRef<number>(0);
+  const startRef = useRef<number | null>(null);
+  const rafRef = useRef<number | null>(null);
+  const displayRef = useRef<number>(display);
+  displayRef.current = display;
+
+  useEffect(() => {
+    if (reduced()) {
+      setDisplay(value);
+      return;
+    }
+    fromRef.current = displayRef.current;
+    startRef.current = null;
+    const tick = (now: number): void => {
+      if (startRef.current === null) startRef.current = now;
+      const elapsed = now - startRef.current;
+      const p = Math.min(1, elapsed / durationMs);
+      const eased = 1 - Math.pow(1 - p, 3);
+      const next = fromRef.current + (value - fromRef.current) * eased;
+      setDisplay(next);
+      if (p < 1) rafRef.current = requestAnimationFrame(tick);
+    };
+    rafRef.current = requestAnimationFrame(tick);
+    return () => {
+      if (rafRef.current !== null) cancelAnimationFrame(rafRef.current);
+    };
+  }, [value, durationMs]);
+
+  const formatted = format
+    ? format(display)
+    : Number.isInteger(value)
+      ? Math.round(display).toString()
+      : display.toFixed(1);
+
+  return (
+    <span className={className} style={style}>
+      {formatted}
+    </span>
+  );
+}
diff --git a/apps/web/src/components/DiffViewer.tsx b/apps/web/src/components/DiffViewer.tsx
new file mode 100644
index 0000000..f918e26
--- /dev/null
+++ b/apps/web/src/components/DiffViewer.tsx
@@ -0,0 +1,197 @@
+import type { Change } from "@unsyphn/shared";
+
+interface Props {
+  changes: Change[];
+}
+
+const CATEGORY_LABEL: Record<string, string> = {
+  data: "Data",
+  pricing: "Pricing",
+  subprocessor: "Sub-processor",
+  terms: "Terms",
+  sla: "SLA",
+  security: "Security",
+};
+
+const MATERIALITY_CLASS: Record<string, string> = {
+  material: "badge badge-danger",
+  minor: "badge badge-warning",
+  cosmetic: "badge badge-neutral",
+};
+
+function ChangeCard({ change }: { change: Change }): JSX.Element {
+  const categoryLabel = change.category ? (CATEGORY_LABEL[change.category] ?? change.category) : null;
+  const materialityClass = change.materiality
+    ? (MATERIALITY_CLASS[change.materiality] ?? "badge badge-neutral")
+    : "badge badge-neutral";
+
+  return (
+    <div
+      className="card row-hover"
+      style={{ padding: "var(--space-4)", display: "flex", flexDirection: "column", gap: "var(--space-3)" }}
+    >
+      {/* Category + materiality row */}
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", flexWrap: "wrap" }}>
+        {categoryLabel && (
+          <span className="badge badge-neutral" style={{ textTransform: "lowercase", letterSpacing: 0 }}>
+            {categoryLabel}
+          </span>
+        )}
+        {change.materiality && (
+          <span className={materialityClass}>
+            {change.materiality} materiality
+          </span>
+        )}
+      </div>
+
+      {/* Summary */}
+      <h4
+        style={{
+          margin: 0,
+          fontSize: "var(--text-sm)",
+          fontWeight: 600,
+          color: "var(--text)",
+          lineHeight: 1.4,
+        }}
+      >
+        {change.summary}
+      </h4>
+
+      {/* Before / After */}
+      {(change.before !== undefined || change.after !== undefined) && (
+        <div
+          style={{
+            display: "grid",
+            gridTemplateColumns: "1fr 1fr",
+            gap: "var(--space-2)",
+          }}
+          className="diff-grid"
+        >
+          {change.before !== undefined && (
+            <div
+              style={{
+                borderLeft: "3px solid var(--warning)",
+                paddingLeft: "var(--space-3)",
+                display: "flex",
+                flexDirection: "column",
+                gap: "var(--space-1)",
+              }}
+            >
+              <span
+                style={{
+                  fontSize: "var(--text-xs)",
+                  fontWeight: 600,
+                  textTransform: "uppercase",
+                  letterSpacing: "0.06em",
+                  color: "var(--warning)",
+                }}
+              >
+                Before
+              </span>
+              <span
+                style={{
+                  fontFamily: "var(--font-mono)",
+                  fontSize: "var(--text-xs)",
+                  color: "var(--text-2)",
+                  lineHeight: 1.5,
+                  wordBreak: "break-word",
+                }}
+              >
+                {change.before}
+              </span>
+            </div>
+          )}
+          {change.after !== undefined && (
+            <div
+              style={{
+                borderLeft: "3px solid var(--success)",
+                paddingLeft: "var(--space-3)",
+                display: "flex",
+                flexDirection: "column",
+                gap: "var(--space-1)",
+              }}
+            >
+              <span
+                style={{
+                  fontSize: "var(--text-xs)",
+                  fontWeight: 600,
+                  textTransform: "uppercase",
+                  letterSpacing: "0.06em",
+                  color: "var(--success)",
+                }}
+              >
+                After
+              </span>
+              <span
+                style={{
+                  fontFamily: "var(--font-mono)",
+                  fontSize: "var(--text-xs)",
+                  color: "var(--text-2)",
+                  lineHeight: 1.5,
+                  wordBreak: "break-word",
+                }}
+              >
+                {change.after}
+              </span>
+            </div>
+          )}
+        </div>
+      )}
+
+      {/* Citations */}
+      {change.citations && change.citations.length > 0 && (
+        <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-1)" }}>
+          {change.citations.map((cite, i) => {
+            const url = cite.url ?? cite.sourceUrl;
+            const date = cite.fetchedAt
+              ? new Date(cite.fetchedAt).toLocaleDateString("en-US", { year: "numeric", month: "short", day: "numeric" })
+              : null;
+            return (
+              <span
+                key={i}
+                style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", lineHeight: 1.4 }}
+              >
+                Citation:{" "}
+                {url ? (
+                  <a
+                    href={url}
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    aria-label={`Citation source (opens in new tab)`}
+                    style={{ color: "var(--accent)", textDecoration: "underline" }}
+                  >
+                    {url.replace(/^https?:\/\//, "").split("/")[0]}
+                  </a>
+                ) : (
+                  cite.section ?? cite.label ?? "Source"
+                )}
+                {date && ` · ${date}`}
+              </span>
+            );
+          })}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export function DiffViewer({ changes }: Props): JSX.Element {
+  if (changes.length === 0) {
+    return (
+      <p style={{ fontSize: "var(--text-sm)", color: "var(--text-muted)", margin: 0 }}>
+        No diff data available.
+      </p>
+    );
+  }
+
+  return (
+    <div
+      style={{ display: "flex", flexDirection: "column", gap: "var(--space-3)" }}
+      aria-label="Change diff viewer"
+    >
+      {changes.map((change, i) => (
+        <ChangeCard key={change.id ?? i} change={change} />
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/Drawer.tsx b/apps/web/src/components/Drawer.tsx
new file mode 100644
index 0000000..6766775
--- /dev/null
+++ b/apps/web/src/components/Drawer.tsx
@@ -0,0 +1,164 @@
+import { useEffect, useRef, type ReactNode } from "react";
+import { X } from "lucide-react";
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  children: ReactNode;
+  title?: string;
+}
+
+const FOCUSABLE = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+
+export function Drawer({ open, onClose, children, title }: Props): JSX.Element {
+  const panelRef = useRef<HTMLDivElement>(null);
+  const openerRef = useRef<Element | null>(null);
+  const titleId = "drawer-title";
+
+  useEffect(() => {
+    if (open) {
+      openerRef.current = document.activeElement;
+      const first = panelRef.current?.querySelectorAll<HTMLElement>(FOCUSABLE)[0];
+      first?.focus();
+    } else {
+      const opener = openerRef.current;
+      if (opener instanceof HTMLElement) opener.focus();
+      openerRef.current = null;
+    }
+  }, [open]);
+
+  useEffect(() => {
+    if (!open) return;
+
+    const handleKeyDown = (e: KeyboardEvent) => {
+      if (e.key === "Escape") {
+        e.preventDefault();
+        onClose();
+        return;
+      }
+
+      if (e.key !== "Tab") return;
+
+      const panel = panelRef.current;
+      if (!panel) return;
+
+      const focusable = Array.from(panel.querySelectorAll<HTMLElement>(FOCUSABLE)).filter(
+        (el) => !el.hasAttribute("disabled"),
+      );
+      if (focusable.length === 0) return;
+
+      const first = focusable[0];
+      const last = focusable[focusable.length - 1];
+
+      if (first === undefined || last === undefined) return;
+
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first.focus();
+        }
+      }
+    };
+
+    document.addEventListener("keydown", handleKeyDown);
+    return () => document.removeEventListener("keydown", handleKeyDown);
+  }, [open, onClose]);
+
+  return (
+    <>
+      <div
+        aria-hidden="true"
+        onClick={onClose}
+        className={open ? "fade-in" : undefined}
+        style={{
+          display: open ? "block" : "none",
+          position: "fixed",
+          inset: 0,
+          background: "rgba(15,23,42,0.42)",
+          backdropFilter: "blur(4px)",
+          WebkitBackdropFilter: "blur(4px)",
+          zIndex: 200,
+        }}
+      />
+      <div
+        ref={panelRef}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby={title ? titleId : undefined}
+        className="glass-strong"
+        style={{
+          position: "fixed",
+          top: 0,
+          right: 0,
+          bottom: 0,
+          width: 400,
+          borderLeft: "1px solid var(--glass-border)",
+          zIndex: 201,
+          display: "flex",
+          flexDirection: "column",
+          transform: open ? "translateX(0)" : "translateX(100%)",
+          transition: `transform var(--dur-md) var(--ease-out)`,
+        }}
+      >
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            justifyContent: "space-between",
+            padding: "0 var(--space-5)",
+            height: 52,
+            borderBottom: "1px solid var(--border)",
+            flexShrink: 0,
+          }}
+        >
+          {title && (
+            <span
+              id={titleId}
+              style={{
+                fontWeight: 400,
+                fontSize: "var(--text-sm)",
+                color: "var(--text-strong)",
+              }}
+            >
+              {title}
+            </span>
+          )}
+          <button
+            type="button"
+            onClick={onClose}
+            aria-label="Close drawer"
+            style={{
+              marginLeft: "auto",
+              background: "none",
+              border: "none",
+              color: "var(--text-2)",
+              cursor: "pointer",
+              width: 44,
+              height: 44,
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "center",
+              borderRadius: "var(--radius-md)",
+            }}
+          >
+            <X size={18} aria-hidden="true" />
+          </button>
+        </div>
+        <div
+          style={{
+            flex: 1,
+            overflow: "auto",
+            padding: "var(--space-5)",
+          }}
+        >
+          {children}
+        </div>
+      </div>
+    </>
+  );
+}
diff --git a/apps/web/src/components/FleetStats.tsx b/apps/web/src/components/FleetStats.tsx
new file mode 100644
index 0000000..82a72ad
--- /dev/null
+++ b/apps/web/src/components/FleetStats.tsx
@@ -0,0 +1,112 @@
+import { useEffect, useState } from "react";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+
+interface DashboardSummary {
+  vendorCount: number;
+  annualRunRateUsd: number;
+  openChangeCount: number;
+}
+
+interface StatItem {
+  value: string;
+  label: string;
+}
+
+const CHANGES_THIS_WEEK = 12;
+
+function formatArr(usd: number): string {
+  if (usd >= 1_000_000) return `$${(usd / 1_000_000).toFixed(1)}M`;
+  if (usd >= 1_000) return `$${(usd / 1_000).toFixed(0)}k`;
+  return `$${usd}`;
+}
+
+export function FleetStats(): JSX.Element {
+  const [summary, setSummary] = useState<DashboardSummary | null>(null);
+  const [fetchFailed, setFetchFailed] = useState(false);
+
+  useEffect(() => {
+    fetch("/v1/dashboard/summary", {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`${r.status}`);
+        return r.json() as Promise<DashboardSummary>;
+      })
+      .then(setSummary)
+      .catch((err: unknown) => {
+        setFetchFailed(true);
+        if (err instanceof Error) console.error("FleetStats fetch failed:", err.message);
+      });
+  }, []);
+
+  const stats: StatItem[] = summary
+    ? [
+        { value: String(summary.vendorCount), label: "Vendors" },
+        { value: String(CHANGES_THIS_WEEK), label: "Changes this week" },
+        { value: String(summary.openChangeCount), label: "Open P1" },
+        { value: formatArr(summary.annualRunRateUsd), label: "ARR monitored" },
+      ]
+    : [
+        { value: "—", label: "Vendors" },
+        { value: "—", label: "Changes this week" },
+        { value: "—", label: "Open P1" },
+        { value: "—", label: "ARR monitored" },
+      ];
+
+  return (
+    <div
+      role="region"
+      aria-label="Fleet statistics"
+      style={{ display: "flex", gap: "var(--space-7)", alignItems: "center", flexWrap: "wrap" }}
+    >
+      {fetchFailed && (
+        <span className="badge badge-danger" style={{ marginRight: "var(--space-3)" }}>
+          Stats unavailable
+        </span>
+      )}
+      {stats.map((stat, i) => (
+        <div
+          key={stat.label}
+          style={{ display: "flex", alignItems: "baseline", gap: "var(--space-2)" }}
+        >
+          {i > 0 && (
+            <span
+              aria-hidden="true"
+              style={{
+                color: "var(--border-strong)",
+                marginRight: "var(--space-7)",
+                fontSize: "var(--text-lg)",
+              }}
+            >
+              ·
+            </span>
+          )}
+          <span
+            style={{
+              fontFamily: "var(--font-display)",
+              fontWeight: 200,
+              fontSize: "1.875rem",
+              color: "var(--text-strong)",
+              lineHeight: 1,
+              fontVariantNumeric: "tabular-nums",
+            }}
+          >
+            {stat.value}
+          </span>
+          <span
+            style={{
+              fontFamily: "var(--font-text)",
+              fontWeight: 400,
+              fontSize: "var(--text-xs)",
+              letterSpacing: "0.04em",
+              textTransform: "uppercase",
+              color: "var(--text-2)",
+            }}
+          >
+            {stat.label}
+          </span>
+        </div>
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/IntegrationCard.tsx b/apps/web/src/components/IntegrationCard.tsx
new file mode 100644
index 0000000..3c564dd
--- /dev/null
+++ b/apps/web/src/components/IntegrationCard.tsx
@@ -0,0 +1,209 @@
+import { useEffect, useState } from "react";
+import { CheckCircle, RefreshCcw, Settings as SettingsIcon } from "lucide-react";
+import { VendorLogo } from "./VendorLogo.js";
+import type { IntegrationDto } from "./ConnectDrawer.js";
+
+interface Props {
+  integration: IntegrationDto;
+  onConnect: (i: IntegrationDto) => void;
+  onManage: (i: IntegrationDto) => void;
+  onSyncNow: (i: IntegrationDto) => void;
+  syncBusy: boolean;
+}
+
+const S = {
+  card: {
+    borderRadius: "var(--radius-md)",
+    padding: "var(--space-4)",
+    display: "flex",
+    flexDirection: "column" as const,
+    gap: "var(--space-3)",
+    minHeight: 168,
+  } as React.CSSProperties,
+  header: { display: "flex", alignItems: "flex-start", gap: "var(--space-3)" } as React.CSSProperties,
+  name: {
+    fontSize: "var(--text-sm)",
+    fontWeight: 600,
+    color: "var(--text)",
+    margin: 0,
+    lineHeight: 1.3,
+  } as React.CSSProperties,
+  chip: {
+    display: "inline-block",
+    fontSize: 10,
+    fontWeight: 500,
+    color: "var(--text-2)",
+    background: "var(--surface-2)",
+    borderRadius: "var(--radius-pill)",
+    padding: "1px 7px",
+    marginTop: 4,
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.06em",
+  } as React.CSSProperties,
+  description: {
+    fontSize: "var(--text-xs)",
+    color: "var(--text-2)",
+    lineHeight: 1.5,
+    margin: 0,
+    display: "-webkit-box",
+    WebkitLineClamp: 2,
+    WebkitBoxOrient: "vertical" as const,
+    overflow: "hidden",
+    minHeight: 36,
+  } as React.CSSProperties,
+  status: {
+    display: "flex",
+    alignItems: "center",
+    gap: 6,
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    color: "var(--success)",
+  } as React.CSSProperties,
+  pulseDot: {
+    width: 7,
+    height: 7,
+    borderRadius: "50%",
+    background: "var(--success)",
+    boxShadow: "0 0 0 0 rgba(63,207,142,0.6)",
+    animation: "pulse-dot 2s infinite",
+  } as React.CSSProperties,
+  notConnected: {
+    fontSize: "var(--text-xs)",
+    fontWeight: 400,
+    color: "var(--text-muted)",
+  } as React.CSSProperties,
+  lastSync: {
+    fontSize: "var(--text-xs)",
+    color: "var(--text-muted)",
+  } as React.CSSProperties,
+  actions: {
+    display: "flex",
+    gap: "var(--space-2)",
+    marginTop: "auto",
+    paddingTop: "var(--space-2)",
+  } as React.CSSProperties,
+  btnPrimary: {
+    flex: 1,
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    padding: "6px 12px",
+    border: "1px solid var(--accent)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--accent)",
+    color: "#fff",
+    cursor: "pointer",
+  } as React.CSSProperties,
+  btnOutline: {
+    flex: 1,
+    fontSize: "var(--text-xs)",
+    fontWeight: 500,
+    padding: "6px 12px",
+    border: "1px solid var(--border-strong)",
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface)",
+    color: "var(--text-2)",
+    cursor: "pointer",
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    gap: 4,
+  } as React.CSSProperties,
+} as const;
+
+function timeAgo(iso?: string, now: number = Date.now()): string {
+  if (!iso) return "never";
+  const diff = now - Date.parse(iso);
+  if (Number.isNaN(diff) || diff < 0) return "just now";
+  const sec = Math.floor(diff / 1000);
+  if (sec < 60) return `${sec}s ago`;
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min} min${min === 1 ? "" : "s"} ago`;
+  const hr = Math.floor(min / 60);
+  if (hr < 24) return `${hr}h ago`;
+  const days = Math.floor(hr / 24);
+  return `${days}d ago`;
+}
+
+function domainFor(slug: string): string {
+  const map: Record<string, string> = {
+    "google-workspace": "google.com",
+    "microsoft-365": "microsoft.com",
+    "okta-saml": "okta.com",
+    "azure-ad": "microsoft.com",
+    "microsoft-teams": "microsoft.com",
+    "aws-cost-explorer": "aws.amazon.com",
+    "gcp-billing": "cloud.google.com",
+  };
+  return map[slug] ?? `${slug.replace(/-/g, "")}.com`;
+}
+
+export function IntegrationCard({ integration, onConnect, onManage, onSyncNow, syncBusy }: Props): JSX.Element {
+  const [now, setNow] = useState(Date.now());
+
+  useEffect(() => {
+    if (!integration.connected) return;
+    const id = window.setInterval(() => setNow(Date.now()), 30_000);
+    return () => window.clearInterval(id);
+  }, [integration.connected]);
+
+  return (
+    <div className="glass-strong lift-on-hover" style={S.card}>
+      <div style={S.header}>
+        <VendorLogo name={integration.name} domain={domainFor(integration.slug)} size={28} />
+        <div style={{ minWidth: 0, flex: 1 }}>
+          <h4 style={S.name}>{integration.name}</h4>
+          <span style={S.chip}>{integration.category}</span>
+        </div>
+      </div>
+      <p style={S.description}>{integration.description}</p>
+
+      {integration.connected ? (
+        <>
+          <div style={S.status}>
+            <span style={S.pulseDot} aria-hidden="true" />
+            Connected
+          </div>
+          <div style={S.lastSync}>
+            Last synced {timeAgo(integration.lastSyncedAt ?? integration.connectedAt, now)}
+          </div>
+          <div style={S.actions}>
+            <button
+              type="button"
+              className="button-pop"
+              style={{ ...S.btnOutline, opacity: syncBusy ? 0.6 : 1 }}
+              onClick={() => onSyncNow(integration)}
+              disabled={syncBusy}
+              aria-label={`Sync ${integration.name} now`}
+            >
+              <RefreshCcw size={11} aria-hidden="true" />
+              {syncBusy ? "Syncing…" : "Sync now"}
+            </button>
+            <button
+              type="button"
+              className="button-pop"
+              style={S.btnOutline}
+              onClick={() => onManage(integration)}
+              aria-label={`Manage ${integration.name}`}
+            >
+              <SettingsIcon size={11} aria-hidden="true" />
+              Manage
+            </button>
+          </div>
+        </>
+      ) : (
+        <>
+          <div style={S.status}>
+            <CheckCircle size={12} aria-hidden="true" style={{ color: "var(--text-muted)" }} />
+            <span style={S.notConnected}>Not connected</span>
+          </div>
+          <div style={S.lastSync}>{integration.authType.toUpperCase()} auth</div>
+          <div style={S.actions}>
+            <button type="button" className="button-pop" style={S.btnPrimary} onClick={() => onConnect(integration)}>
+              Connect
+            </button>
+          </div>
+        </>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/LensChips.tsx b/apps/web/src/components/LensChips.tsx
new file mode 100644
index 0000000..df13991
--- /dev/null
+++ b/apps/web/src/components/LensChips.tsx
@@ -0,0 +1,99 @@
+import { useRef } from "react";
+import { ROLES, ROLE_LABELS, useRole } from "../lib/role.js";
+import type { Role } from "../lib/role.js";
+
+const CHIP_STYLES = `
+.lens-chips-bar {
+  display: flex;
+  gap: 4px;
+  align-items: center;
+  margin: 16px 0 24px;
+  flex-wrap: wrap;
+}
+.lens-chip {
+  display: inline-flex;
+  align-items: center;
+  padding: 7px 14px;
+  border-radius: 9999px;
+  border: none;
+  cursor: pointer;
+  font-family: var(--font-text);
+  font-size: 13.5px;
+  font-weight: 500;
+  background: transparent;
+  color: #475569;
+  transition:
+    background var(--dur-sm) var(--ease-out),
+    color var(--dur-sm) var(--ease-out),
+    transform var(--dur-sm) var(--ease-spring),
+    box-shadow var(--dur-sm) var(--ease-out);
+  white-space: nowrap;
+  line-height: 1;
+}
+.lens-chip:hover {
+  background: #f1f5f9;
+  transform: translateY(-1px);
+}
+.lens-chip:focus-visible {
+  outline: none;
+  box-shadow: var(--ring-focus);
+}
+.lens-chip-active {
+  background: #5E6AD2;
+  color: #ffffff;
+  box-shadow: 0 0 0 4px rgba(94,106,210,0.15), 0 2px 8px rgba(94,106,210,0.28);
+}
+.lens-chip-active:hover {
+  background: #5E6AD2;
+  transform: translateY(-1px);
+}
+@media (max-width: 640px) {
+  .lens-chips-bar {
+    margin: 12px 0 20px;
+  }
+}
+`;
+
+export function LensChips(): JSX.Element {
+  const [role, setRole] = useRole();
+  const containerRef = useRef<HTMLDivElement>(null);
+
+  const handleKeyDown = (e: React.KeyboardEvent<HTMLButtonElement>, index: number) => {
+    if (e.key === "ArrowRight" || e.key === "ArrowLeft") {
+      e.preventDefault();
+      const dir = e.key === "ArrowRight" ? 1 : -1;
+      const next = (index + dir + ROLES.length) % ROLES.length;
+      const nextRole = ROLES[next] as Role;
+      setRole(nextRole);
+      const buttons = containerRef.current?.querySelectorAll<HTMLButtonElement>("[role='tab']");
+      buttons?.[next]?.focus();
+    }
+  };
+
+  return (
+    <>
+      <style>{CHIP_STYLES}</style>
+      <div
+        ref={containerRef}
+        role="tablist"
+        aria-label="Role lens"
+        className="lens-chips-bar"
+      >
+        {ROLES.map((r, index) => (
+          <button
+            key={r}
+            type="button"
+            role="tab"
+            aria-selected={r === role}
+            tabIndex={r === role ? 0 : -1}
+            onClick={() => setRole(r)}
+            onKeyDown={(e) => handleKeyDown(e, index)}
+            className={r === role ? "lens-chip lens-chip-active" : "lens-chip"}
+          >
+            {ROLE_LABELS[r]}
+          </button>
+        ))}
+      </div>
+    </>
+  );
+}
diff --git a/apps/web/src/components/ManageDrawer.tsx b/apps/web/src/components/ManageDrawer.tsx
new file mode 100644
index 0000000..7c555c1
--- /dev/null
+++ b/apps/web/src/components/ManageDrawer.tsx
@@ -0,0 +1,204 @@
+import { useEffect, useState } from "react";
+import { Trash2, AlertTriangle } from "lucide-react";
+import { Drawer } from "./Drawer.js";
+import { VendorLogo } from "./VendorLogo.js";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+import type { IntegrationDto } from "./ConnectDrawer.js";
+
+interface SyncRecord {
+  id: string;
+  startedAt: string;
+  durationMs: number;
+  recordsScanned: number;
+  status: "success" | "partial";
+}
+
+interface Props {
+  integration: IntegrationDto;
+  open: boolean;
+  onClose: () => void;
+  onDisconnected: (next: IntegrationDto) => void;
+}
+
+const S = {
+  header: { display: "flex", alignItems: "center", gap: "var(--space-3)", marginBottom: "var(--space-4)" } as React.CSSProperties,
+  name: { fontSize: "var(--text-base)", fontWeight: 600, color: "var(--text)", margin: 0 } as React.CSSProperties,
+  meta: { fontSize: "var(--text-xs)", color: "var(--text-muted)" } as React.CSSProperties,
+  sectionLabel: { fontSize: "var(--text-xs)", fontWeight: 500, color: "var(--text-muted)", textTransform: "uppercase" as const, letterSpacing: "0.07em", marginBottom: "var(--space-2)" } as React.CSSProperties,
+  section: { marginBottom: "var(--space-5)" } as React.CSSProperties,
+  scopeRow: { display: "flex", alignItems: "center", justifyContent: "space-between", padding: "8px var(--space-3)", borderBottom: "1px solid var(--border)", fontSize: "var(--text-sm)" } as React.CSSProperties,
+  scopeCode: { fontFamily: "var(--font-mono)", fontSize: 12, color: "var(--text)" } as React.CSSProperties,
+  revokeBtn: { fontSize: 11, padding: "3px 8px", border: "1px solid var(--border-strong)", borderRadius: "var(--radius-sm)", background: "var(--surface)", color: "var(--danger)", cursor: "pointer" } as React.CSSProperties,
+  syncRow: { display: "flex", justifyContent: "space-between", gap: "var(--space-3)", padding: "6px 0", fontSize: "var(--text-xs)", color: "var(--text-2)", borderBottom: "1px solid var(--border)" } as React.CSSProperties,
+  syncStatusOk: { color: "var(--success)" } as React.CSSProperties,
+  syncStatusPartial: { color: "#A87900" } as React.CSSProperties,
+  block: { border: "1px solid var(--border)", borderRadius: "var(--radius-md)", padding: "var(--space-3) var(--space-4)", background: "var(--surface-2)" } as React.CSSProperties,
+  disconnectBtn: { width: "100%", padding: "10px var(--space-4)", fontSize: "var(--text-sm)", fontWeight: 500, background: "var(--surface)", color: "var(--danger)", border: "1px solid var(--danger)", borderRadius: "var(--radius-md)", cursor: "pointer", display: "inline-flex", alignItems: "center", justifyContent: "center", gap: 6 } as React.CSSProperties,
+  confirm: { background: "rgba(244,113,116,0.08)", border: "1px solid rgba(244,113,116,0.25)", borderRadius: "var(--radius-md)", padding: "var(--space-3) var(--space-4)", marginTop: "var(--space-3)", fontSize: "var(--text-sm)", color: "var(--text)" } as React.CSSProperties,
+  confirmRow: { display: "flex", gap: "var(--space-2)", marginTop: "var(--space-3)" } as React.CSSProperties,
+  confirmYes: { flex: 1, padding: "8px var(--space-3)", fontSize: "var(--text-sm)", background: "var(--danger)", color: "#fff", border: "1px solid var(--danger)", borderRadius: "var(--radius-sm)", cursor: "pointer" } as React.CSSProperties,
+  confirmNo: { padding: "8px var(--space-3)", fontSize: "var(--text-sm)", background: "var(--surface)", color: "var(--text-2)", border: "1px solid var(--border-strong)", borderRadius: "var(--radius-sm)", cursor: "pointer" } as React.CSSProperties,
+} as const;
+
+function domainFor(slug: string): string {
+  const map: Record<string, string> = {
+    "google-workspace": "google.com",
+    "microsoft-365": "microsoft.com",
+    "okta-saml": "okta.com",
+    "azure-ad": "microsoft.com",
+    "microsoft-teams": "microsoft.com",
+    "aws-cost-explorer": "aws.amazon.com",
+    "gcp-billing": "cloud.google.com",
+  };
+  return map[slug] ?? `${slug.replace(/-/g, "")}.com`;
+}
+
+function formatSyncTime(iso: string): string {
+  const d = new Date(iso);
+  return d.toLocaleString("en-US", {
+    month: "short",
+    day: "numeric",
+    hour: "numeric",
+    minute: "2-digit",
+  });
+}
+
+export function ManageDrawer({ integration, open, onClose, onDisconnected }: Props): JSX.Element {
+  const [scopes, setScopes] = useState<string[]>(integration.scopes ?? integration.defaultScopes);
+  const [history, setHistory] = useState<SyncRecord[]>([]);
+  const [historyError, setHistoryError] = useState<string | null>(null);
+  const [confirming, setConfirming] = useState(false);
+
+  useEffect(() => {
+    if (open) {
+      setScopes(integration.scopes ?? integration.defaultScopes);
+      setConfirming(false);
+    }
+  }, [open, integration.id, integration.scopes, integration.defaultScopes]);
+
+  useEffect(() => {
+    if (!open) return;
+    let cancelled = false;
+    fetch(`/v1/integrations/${encodeURIComponent(integration.id)}/syncs`, {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<{ syncs: SyncRecord[] }>;
+      })
+      .then(({ syncs }) => {
+        if (!cancelled) {
+          setHistory(syncs);
+          setHistoryError(null);
+        }
+      })
+      .catch((err) => {
+        if (!cancelled) setHistoryError(err instanceof Error ? err.message : "Couldn't load");
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [open, integration.id]);
+
+  function revokeScope(scope: string): void {
+    setScopes((prev) => prev.filter((s) => s !== scope));
+  }
+
+  async function confirmDisconnect(): Promise<void> {
+    try {
+      const resp = await fetch(
+        `/v1/integrations/${encodeURIComponent(integration.id)}/disconnect`,
+        { method: "POST", headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } },
+      );
+      if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+      const json = (await resp.json()) as { integration: IntegrationDto };
+      onDisconnected(json.integration);
+      onClose();
+    } catch {
+      setConfirming(false);
+    }
+  }
+
+  return (
+    <Drawer open={open} onClose={onClose} title="Manage integration">
+      <div style={S.header}>
+        <VendorLogo name={integration.name} domain={domainFor(integration.slug)} size={36} />
+        <div>
+          <h3 style={S.name}>{integration.name}</h3>
+          {integration.connectedAs && <div style={S.meta}>Connected as {integration.connectedAs}</div>}
+        </div>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Permissions ({scopes.length})</div>
+        <div style={S.block}>
+          {scopes.length === 0 ? (
+            <div style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", padding: "4px 0" }}>
+              No scopes granted. Reconnect to restore access.
+            </div>
+          ) : (
+            scopes.map((scope, i) => (
+              <div
+                key={scope}
+                style={{ ...S.scopeRow, borderBottom: i === scopes.length - 1 ? "none" : "1px solid var(--border)" }}
+              >
+                <code style={S.scopeCode}>{scope}</code>
+                <button type="button" className="button-pop" style={S.revokeBtn} onClick={() => revokeScope(scope)}>
+                  Revoke
+                </button>
+              </div>
+            ))
+          )}
+        </div>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Sync history</div>
+        <div className="stagger-children" style={S.block}>
+          {historyError && (
+            <div style={{ fontSize: "var(--text-xs)", color: "var(--danger)" }}>{historyError}</div>
+          )}
+          {!historyError && history.length === 0 && (
+            <div style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>No syncs yet.</div>
+          )}
+          {history.map((s, i) => (
+            <div
+              key={s.id}
+              className="glass-soft row-hover"
+              style={{ ...S.syncRow, borderBottom: i === history.length - 1 ? "none" : "1px solid var(--border)" }}
+            >
+              <span>{formatSyncTime(s.startedAt)}</span>
+              <span>Synced {s.recordsScanned.toLocaleString()} records</span>
+              <span style={s.status === "success" ? S.syncStatusOk : S.syncStatusPartial}>
+                {s.status}
+              </span>
+            </div>
+          ))}
+        </div>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Danger zone</div>
+        <button type="button" className="button-pop" style={S.disconnectBtn} onClick={() => setConfirming(true)}>
+          <Trash2 size={13} aria-hidden="true" />
+          Disconnect {integration.name}
+        </button>
+        {confirming && (
+          <div className="fade-up" style={S.confirm}>
+            <AlertTriangle size={14} aria-hidden="true" style={{ display: "inline", marginRight: 6, color: "var(--danger)" }} />
+            Disconnecting stops syncs and drops cached credentials. Records already
+            ingested are kept.
+            <div style={S.confirmRow}>
+              <button type="button" className="button-pop" style={S.confirmYes} onClick={() => void confirmDisconnect()}>
+                Yes, disconnect
+              </button>
+              <button type="button" className="button-pop" style={S.confirmNo} onClick={() => setConfirming(false)}>
+                Cancel
+              </button>
+            </div>
+          </div>
+        )}
+      </div>
+    </Drawer>
+  );
+}
diff --git a/apps/web/src/components/MaterialChangeCard.tsx b/apps/web/src/components/MaterialChangeCard.tsx
new file mode 100644
index 0000000..9b106d8
--- /dev/null
+++ b/apps/web/src/components/MaterialChangeCard.tsx
@@ -0,0 +1,327 @@
+import { useState } from "react";
+import { Archive, Clock, ArrowUpRight } from "lucide-react";
+import type { InboxItem } from "@unsyphn/shared";
+import { VendorLogo } from "./VendorLogo.js";
+
+interface Props {
+  item: InboxItem;
+  focused: boolean;
+  selected: boolean;
+  unread: boolean;
+  escalated: boolean;
+  showCheckbox: boolean;
+  isFirst: boolean;
+  isLast: boolean;
+  onClick: () => void;
+  onFocus: () => void;
+  onToggleSelect: () => void;
+  onSnooze: () => void;
+  onArchive: () => void;
+  onEscalate: () => void;
+}
+
+interface SevStyle { bg: string; fg: string; label: string }
+const SEVERITY_STYLE: Record<string, SevStyle> = {
+  P1: { bg: "rgba(239,68,68,0.10)", fg: "#dc2626", label: "P1" },
+  P2: { bg: "rgba(245,158,11,0.10)", fg: "#b45309", label: "P2" },
+  P3: { bg: "rgba(100,116,139,0.10)", fg: "#475569", label: "P3" },
+};
+const SEV_DEFAULT: SevStyle = { bg: "rgba(100,116,139,0.10)", fg: "#475569", label: "P3" };
+
+function formatImpact(n: number | null): string {
+  if (n === null) return "";
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+function relativeTime(iso: string): string {
+  const diffMs = Date.now() - Date.parse(iso);
+  const diffMin = Math.floor(diffMs / 60_000);
+  const diffH = Math.floor(diffMin / 60);
+  const diffD = Math.floor(diffH / 24);
+  if (diffMin < 60) return `${Math.max(1, diffMin)}m`;
+  if (diffH < 24) return `${diffH}h`;
+  if (diffD === 1) return "1d";
+  if (diffD < 7) return `${diffD}d`;
+  const d = new Date(iso);
+  return d.toLocaleDateString(undefined, { month: "short", day: "numeric" });
+}
+
+export function MaterialChangeCard({
+  item,
+  focused,
+  selected,
+  unread,
+  escalated,
+  showCheckbox,
+  isFirst,
+  isLast,
+  onClick,
+  onFocus,
+  onToggleSelect,
+  onSnooze,
+  onArchive,
+  onEscalate,
+}: Props): JSX.Element {
+  const [hovered, setHovered] = useState(false);
+  const sev: SevStyle = SEVERITY_STYLE[item.severity] ?? SEV_DEFAULT;
+
+  const baseBg = selected
+    ? "rgba(94,106,210,0.06)"
+    : focused
+      ? "rgba(94,106,210,0.04)"
+      : hovered
+        ? "#f1f5f9"
+        : "#ffffff";
+
+  const rowStyle: React.CSSProperties = {
+    display: "flex",
+    alignItems: "center",
+    gap: 12,
+    minHeight: 68,
+    padding: "14px 24px",
+    borderBottom: isLast ? "none" : "1px solid rgba(15,23,42,0.06)",
+    borderTopLeftRadius: isFirst ? 8 : 0,
+    borderTopRightRadius: isFirst ? 8 : 0,
+    borderBottomLeftRadius: isLast ? 8 : 0,
+    borderBottomRightRadius: isLast ? 8 : 0,
+    background: baseBg,
+    cursor: "pointer",
+    outline: "none",
+    boxShadow: focused ? "inset 2px 0 0 var(--accent)" : "none",
+    transition: "background var(--dur-fast) var(--ease-out)",
+    position: "relative",
+  };
+
+  const showCheckboxFinal = showCheckbox || hovered || selected;
+  const showQuickActions = hovered;
+
+  return (
+    <div
+      role="button"
+      tabIndex={0}
+      aria-label={`Open ${item.title} from ${item.vendorName}`}
+      style={rowStyle}
+      onClick={onClick}
+      onFocus={onFocus}
+      onMouseEnter={() => setHovered(true)}
+      onMouseLeave={() => setHovered(false)}
+      onKeyDown={(e) => {
+        if (e.key === "Enter" || e.key === " ") {
+          e.preventDefault();
+          onClick();
+        }
+      }}
+    >
+      {/* Unread blue dot */}
+      <span
+        aria-hidden="true"
+        style={{
+          width: 8,
+          height: 8,
+          borderRadius: "50%",
+          background: unread ? "var(--accent)" : "transparent",
+          flexShrink: 0,
+        }}
+      />
+
+      {/* Checkbox */}
+      <input
+        type="checkbox"
+        checked={selected}
+        onChange={onToggleSelect}
+        onClick={(e) => e.stopPropagation()}
+        aria-label={`Select ${item.title}`}
+        style={{
+          width: 16,
+          height: 16,
+          margin: 0,
+          cursor: "pointer",
+          opacity: showCheckboxFinal ? 1 : 0,
+          transition: "opacity var(--dur-fast) var(--ease-out)",
+          flexShrink: 0,
+        }}
+      />
+
+      {/* 24px round vendor logo */}
+      <span
+        style={{
+          width: 24,
+          height: 24,
+          borderRadius: "50%",
+          overflow: "hidden",
+          flexShrink: 0,
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+        }}
+      >
+        <VendorLogo name={item.vendorName} size={24} />
+      </span>
+
+      {/* Vendor name (a bit emphasized) */}
+      <span
+        style={{
+          fontSize: 13,
+          fontWeight: unread ? 600 : 500,
+          color: "#0f172a",
+          minWidth: 110,
+          maxWidth: 140,
+          overflow: "hidden",
+          textOverflow: "ellipsis",
+          whiteSpace: "nowrap",
+          flexShrink: 0,
+        }}
+      >
+        {item.vendorName}
+      </span>
+
+      {/* Middle: title + one-line preview */}
+      <div style={{ flex: 1, minWidth: 0, display: "flex", flexDirection: "column", gap: 2 }}>
+        <span
+          style={{
+            fontSize: 15,
+            fontWeight: unread ? 500 : 400,
+            color: unread ? "#0f172a" : "#1e293b",
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            whiteSpace: "nowrap",
+            lineHeight: 1.3,
+          }}
+        >
+          {item.title}
+        </span>
+        <span
+          style={{
+            fontSize: 13,
+            color: "#64748b",
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            whiteSpace: "nowrap",
+            lineHeight: 1.3,
+          }}
+        >
+          {item.summary}
+        </span>
+      </div>
+
+      {/* Right gutter: quick actions OR meta */}
+      {showQuickActions ? (
+        <div style={{ display: "flex", alignItems: "center", gap: 4, flexShrink: 0 }}>
+          <QuickIcon label="Snooze" onClick={(e) => { e.stopPropagation(); onSnooze(); }}>
+            <Clock size={14} aria-hidden="true" />
+          </QuickIcon>
+          <QuickIcon label="Archive (resolve)" onClick={(e) => { e.stopPropagation(); onArchive(); }}>
+            <Archive size={14} aria-hidden="true" />
+          </QuickIcon>
+          <QuickIcon label="Escalate" onClick={(e) => { e.stopPropagation(); onEscalate(); }}>
+            <ArrowUpRight size={14} aria-hidden="true" />
+          </QuickIcon>
+        </div>
+      ) : (
+        <div style={{ display: "flex", alignItems: "center", gap: 10, flexShrink: 0 }}>
+          {escalated && (
+            <span
+              aria-label="Escalated"
+              title="Escalated"
+              style={{
+                display: "inline-flex",
+                alignItems: "center",
+                padding: "2px 8px",
+                borderRadius: 9999,
+                background: "rgba(94,106,210,0.10)",
+                color: "var(--accent)",
+                fontSize: 10,
+                fontWeight: 600,
+                letterSpacing: "0.04em",
+              }}
+            >
+              ESCALATED
+            </span>
+          )}
+          <span
+            aria-label={`Severity ${item.severity}`}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              padding: "2px 8px",
+              borderRadius: 9999,
+              background: sev.bg,
+              color: sev.fg,
+              fontFamily: "var(--font-mono)",
+              fontSize: 11,
+              fontWeight: 600,
+              letterSpacing: "0.04em",
+            }}
+          >
+            {sev.label}
+          </span>
+          <span
+            style={{
+              fontFamily: "var(--font-mono)",
+              fontSize: 12,
+              color: item.dollarImpact !== null ? "#0f172a" : "#94a3b8",
+              minWidth: 48,
+              textAlign: "right",
+              fontWeight: 500,
+            }}
+          >
+            {formatImpact(item.dollarImpact)}
+          </span>
+          <span
+            style={{
+              fontSize: 12,
+              color: "#94a3b8",
+              minWidth: 44,
+              textAlign: "right",
+            }}
+          >
+            {relativeTime(item.occurredAt)}
+          </span>
+        </div>
+      )}
+    </div>
+  );
+}
+
+function QuickIcon({
+  label,
+  onClick,
+  children,
+}: {
+  label: string;
+  onClick: (e: React.MouseEvent<HTMLButtonElement>) => void;
+  children: React.ReactNode;
+}): JSX.Element {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      aria-label={label}
+      title={label}
+      style={{
+        width: 30,
+        height: 30,
+        border: "none",
+        background: "transparent",
+        color: "#64748b",
+        borderRadius: 6,
+        cursor: "pointer",
+        display: "inline-flex",
+        alignItems: "center",
+        justifyContent: "center",
+      }}
+      onMouseEnter={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "rgba(15,23,42,0.06)";
+        (e.currentTarget as HTMLElement).style.color = "#0f172a";
+      }}
+      onMouseLeave={(e) => {
+        (e.currentTarget as HTMLElement).style.background = "transparent";
+        (e.currentTarget as HTMLElement).style.color = "#64748b";
+      }}
+    >
+      {children}
+    </button>
+  );
+}
diff --git a/apps/web/src/components/PageShell.tsx b/apps/web/src/components/PageShell.tsx
new file mode 100644
index 0000000..bf5cf17
--- /dev/null
+++ b/apps/web/src/components/PageShell.tsx
@@ -0,0 +1,91 @@
+import type { ReactNode } from "react";
+
+interface PageShellProps {
+  active?: "product" | "pricing" | "trust" | "demo" | "contact" | "docs" | null;
+  children: ReactNode;
+}
+
+const NAV_LINKS = [
+  { key: "product", label: "Product", href: "/" },
+  { key: "pricing", label: "Pricing", href: "/pricing" },
+  { key: "trust", label: "Trust", href: "/trust" },
+  { key: "docs", label: "Docs", href: "/docs" },
+] as const;
+
+export function PageShell({ active = null, children }: PageShellProps): JSX.Element {
+  return (
+    <div className="public-page">
+      <div className="public-aurora" aria-hidden="true" />
+      <div className="public-grain" aria-hidden="true" />
+
+      <nav className="public-nav" aria-label="Primary">
+        <a className="brand" href="/" aria-label="Unsyphn home">
+          <img src="/unsyphn-mark.png" alt="" width={48} height={32} />
+          <span>UNSYPHN</span>
+        </a>
+        <ul>
+          {NAV_LINKS.map((l) => (
+            <li key={l.key}>
+              <a href={l.href} className={active === l.key ? "is-active" : ""}>
+                {l.label}
+              </a>
+            </li>
+          ))}
+        </ul>
+        <a href="/app/" className="cta button-pop">Get access →</a>
+      </nav>
+
+      <main className="public-main">{children}</main>
+
+      <PublicFooter />
+    </div>
+  );
+}
+
+function PublicFooter(): JSX.Element {
+  return (
+    <footer className="public-footer">
+      <div className="inner">
+        <div className="top fade-up">
+          <div>
+            <div className="brand">
+              <img src="/unsyphn-mark.png" alt="Unsyphn" width={28} height={20} />
+              <span>UNSYPHN</span>
+            </div>
+            <p className="tagline">One vault for every subscription. Built for the modern ops team.</p>
+          </div>
+          <div>
+            <h5>Product</h5>
+            <nav aria-label="Product links">
+              <a href="/">Overview</a>
+              <a href="/pricing">Pricing</a>
+              <a href="/app/">Vault</a>
+              <a href="/app/">Get access</a>
+            </nav>
+          </div>
+          <div>
+            <h5>Company</h5>
+            <nav aria-label="Company links">
+              <a href="/contact">Contact</a>
+              <a href="/privacy">Privacy</a>
+              <a href="/terms">Terms</a>
+              <a href="/trust">Trust</a>
+            </nav>
+          </div>
+          <div>
+            <h5>Resources</h5>
+            <nav aria-label="Resource links">
+              <a href="/demo">Demo</a>
+              <a href="https://github.com/d3v07/Datadog_Hackathon" rel="noopener">Source</a>
+              <a href="/docs">Docs</a>
+            </nav>
+          </div>
+        </div>
+        <div className="bottom">
+          <span>© 2026 Unsyphn · All rights reserved</span>
+          <span>Built for the Datadog hackathon</span>
+        </div>
+      </div>
+    </footer>
+  );
+}
diff --git a/apps/web/src/components/RenegotiationPacket.tsx b/apps/web/src/components/RenegotiationPacket.tsx
new file mode 100644
index 0000000..91bd890
--- /dev/null
+++ b/apps/web/src/components/RenegotiationPacket.tsx
@@ -0,0 +1,308 @@
+import { useEffect, useRef, useState } from "react";
+import { createPortal } from "react-dom";
+import { X, Copy, Mail, FileText } from "lucide-react";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+
+type Tone = "firm" | "friendly" | "aggressive";
+
+interface Draft {
+  tone: Tone;
+  subject: string;
+  body: string;
+}
+
+interface PacketData {
+  vendorId: string;
+  vendorName: string;
+  currentSpend: number;
+  benchmarkRange: { low: number; high: number };
+  usagePct: number;
+  recoverableUsd: number;
+  drafts: Draft[];
+  talkingPoints: string[];
+}
+
+interface Props {
+  vendorId: string;
+  open: boolean;
+  onClose: () => void;
+}
+
+const TONES: Tone[] = ["firm", "friendly", "aggressive"];
+
+function fmtUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+const FOCUSABLE = 'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+
+function Toast({ message }: { message: string }): JSX.Element {
+  return (
+    <div
+      role="status"
+      aria-live="polite"
+      style={{
+        position: "fixed",
+        bottom: 24,
+        left: "50%",
+        transform: "translateX(-50%)",
+        background: "var(--text)",
+        color: "var(--surface)",
+        padding: "var(--space-2) var(--space-4)",
+        borderRadius: "var(--radius-pill)",
+        fontSize: "var(--text-sm)",
+        fontWeight: 500,
+        zIndex: 500,
+        pointerEvents: "none",
+      }}
+    >
+      {message}
+    </div>
+  );
+}
+
+export function RenegotiationPacket({ vendorId, open, onClose }: Props): JSX.Element | null {
+  const [data, setData] = useState<PacketData | null>(null);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [tone, setTone] = useState<Tone>("firm");
+  const [editedSubject, setEditedSubject] = useState("");
+  const [editedBody, setEditedBody] = useState("");
+  const [toast, setToast] = useState<string | null>(null);
+  const panelRef = useRef<HTMLDivElement | null>(null);
+
+  useEffect(() => {
+    if (!open) return;
+    setLoading(true);
+    setError(null);
+    setData(null);
+    setTone("firm");
+
+    const bearer = localStorage.getItem("unsyphn:bearer") ?? DEMO_BEARER_TOKEN;
+    fetch(`/v1/vendors/${encodeURIComponent(vendorId)}/renegotiation-packet`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${bearer}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ tone: "firm" }),
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<PacketData>;
+      })
+      .then((d) => {
+        setData(d);
+        const firmDraft = d.drafts.find((dr) => dr.tone === "firm") ?? d.drafts[0];
+        if (firmDraft) {
+          setEditedSubject(firmDraft.subject);
+          setEditedBody(firmDraft.body);
+        }
+        setLoading(false);
+      })
+      .catch(() => {
+        setError("Failed to load renegotiation packet. Try again.");
+        setLoading(false);
+      });
+  }, [open, vendorId]);
+
+  useEffect(() => {
+    if (!data) return;
+    const draft = data.drafts.find((d) => d.tone === tone) ?? data.drafts[0];
+    if (draft) {
+      setEditedSubject(draft.subject);
+      setEditedBody(draft.body);
+    }
+  }, [tone, data]);
+
+  useEffect(() => {
+    if (!open) return;
+    const handler = (e: KeyboardEvent) => {
+      if (e.key === "Escape") { e.preventDefault(); onClose(); return; }
+      if (e.key !== "Tab") return;
+      const panel = panelRef.current;
+      if (!panel) return;
+      const nodes = Array.from(panel.querySelectorAll<HTMLElement>(FOCUSABLE)).filter(
+        (el) => !el.hasAttribute("disabled"),
+      );
+      if (!nodes.length) return;
+      const first = nodes[0]!;
+      const last = nodes[nodes.length - 1]!;
+      if (e.shiftKey) {
+        if (document.activeElement === first) { e.preventDefault(); last.focus(); }
+      } else {
+        if (document.activeElement === last) { e.preventDefault(); first.focus(); }
+      }
+    };
+    document.addEventListener("keydown", handler);
+    return () => document.removeEventListener("keydown", handler);
+  }, [open, onClose]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  function showToast(msg: string): void {
+    setToast(msg);
+    setTimeout(() => setToast(null), 2000);
+  }
+
+  function copyEmail(): void {
+    void navigator.clipboard.writeText(`Subject: ${editedSubject}\n\n${editedBody}`);
+    showToast("Copied to clipboard");
+  }
+
+  function sendViaGmail(): void {
+    const href = `mailto:?subject=${encodeURIComponent(editedSubject)}&body=${encodeURIComponent(editedBody)}`;
+    window.open(href, "_blank", "noopener,noreferrer");
+  }
+
+  if (!open) return null;
+
+  const benchmarkSavingsPct = data
+    ? Math.round(((data.currentSpend - data.benchmarkRange.high) / data.currentSpend) * 100)
+    : 0;
+
+  return createPortal(
+    <>
+      <div
+        aria-hidden="true"
+        onClick={onClose}
+        className="fade-in"
+        style={{ position: "fixed", inset: 0, background: "rgba(15,23,42,0.42)", backdropFilter: "blur(4px)", WebkitBackdropFilter: "blur(4px)", zIndex: 400 }}
+      />
+      <div
+        ref={(el) => { panelRef.current = el; }}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="reneg-title"
+        className="glass-strong slide-in-right"
+        style={{
+          position: "fixed",
+          top: 0,
+          right: 0,
+          bottom: 0,
+          width: "min(560px, 100vw)",
+          borderLeft: "1px solid var(--glass-border)",
+          zIndex: 401,
+          display: "flex",
+          flexDirection: "column",
+        }}
+      >
+        {/* Header */}
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-3)", padding: "0 var(--space-5)", height: 56, borderBottom: "1px solid var(--border)", flexShrink: 0 }}>
+          <h2 id="reneg-title" style={{ flex: 1, margin: 0, fontSize: "var(--text-sm)", fontWeight: 600, color: "var(--text)" }}>
+            Renegotiation Packet{data ? ` · ${data.vendorName}` : ""}
+          </h2>
+          <button type="button" onClick={onClose} aria-label="Close renegotiation packet" className="btn btn-ghost" style={{ width: 36, height: 36, padding: 0 }}>
+            <X size={18} aria-hidden="true" />
+          </button>
+        </div>
+
+        {/* Body */}
+        <div className="fade-up" style={{ flex: 1, overflowY: "auto", padding: "var(--space-5)", display: "flex", flexDirection: "column", gap: "var(--space-5)" }}>
+          {loading && (
+            <div aria-live="polite" aria-busy style={{ color: "var(--text-muted)", fontSize: "var(--text-sm)" }}>
+              Building packet...
+            </div>
+          )}
+
+          {error && <span className="badge badge-danger">{error}</span>}
+
+          {data && (
+            <>
+              {/* Position summary */}
+              <section aria-label="Current position">
+                <span style={{ display: "block", fontSize: "var(--text-xs)", fontWeight: 600, textTransform: "uppercase", letterSpacing: "0.07em", color: "var(--text-2)", marginBottom: "var(--space-2)" }}>
+                  Current position
+                </span>
+                <div style={{ background: "var(--surface-2)", borderRadius: "var(--radius-md)", padding: "var(--space-3) var(--space-4)", display: "flex", flexWrap: "wrap", gap: "var(--space-3)", fontSize: "var(--text-sm)" }}>
+                  <span>Spend: <strong style={{ fontFamily: "var(--font-mono)" }}>{fmtUsd(data.currentSpend)}/yr</strong></span>
+                  <span style={{ color: "var(--text-muted)" }}>·</span>
+                  <span>Benchmark: <strong style={{ fontFamily: "var(--font-mono)" }}>{fmtUsd(data.benchmarkRange.low)}–{fmtUsd(data.benchmarkRange.high)}</strong></span>
+                  <span style={{ fontFamily: "var(--font-mono)", fontWeight: 600, color: "var(--success)" }}>-{benchmarkSavingsPct}%</span>
+                  <span style={{ color: "var(--text-muted)" }}>·</span>
+                  <span>Usage: <strong>{data.usagePct}%</strong></span>
+                  <span style={{ color: "var(--text-muted)" }}>·</span>
+                  <span>Recoverable: <strong style={{ fontFamily: "var(--font-mono)", color: "var(--success)" }}>{fmtUsd(data.recoverableUsd)}</strong></span>
+                </div>
+              </section>
+
+              {/* Draft email */}
+              <section aria-label="Counter-offer email drafts">
+                <div style={{ display: "flex", alignItems: "center", justifyContent: "space-between", marginBottom: "var(--space-3)" }}>
+                  <span style={{ fontSize: "var(--text-xs)", fontWeight: 600, textTransform: "uppercase", letterSpacing: "0.07em", color: "var(--text-2)" }}>
+                    Drafted counter-offer
+                  </span>
+                  <div role="group" aria-label="Email tone" style={{ display: "flex", gap: "var(--space-1)" }}>
+                    {TONES.map((t) => (
+                      <button
+                        key={t}
+                        type="button"
+                        onClick={() => setTone(t)}
+                        aria-pressed={tone === t}
+                        className={tone === t ? "badge badge-accent" : "badge badge-neutral"}
+                        style={{ cursor: "pointer", border: "none", textTransform: "capitalize" }}
+                      >
+                        {t}
+                      </button>
+                    ))}
+                  </div>
+                </div>
+
+                <div style={{ border: "1px solid var(--border)", borderRadius: "var(--radius-md)", overflow: "hidden" }}>
+                  <input
+                    type="text"
+                    aria-label="Email subject"
+                    value={editedSubject}
+                    onChange={(e) => setEditedSubject(e.target.value)}
+                    style={{ width: "100%", padding: "var(--space-3) var(--space-4)", border: "none", borderBottom: "1px solid var(--border)", fontSize: "var(--text-sm)", fontFamily: "var(--font-text)", color: "var(--text)", background: "var(--surface)", boxSizing: "border-box", outline: "none" }}
+                    placeholder="Subject line"
+                  />
+                  <textarea
+                    aria-label="Email body"
+                    value={editedBody}
+                    onChange={(e) => setEditedBody(e.target.value)}
+                    rows={12}
+                    style={{ width: "100%", padding: "var(--space-4)", border: "none", fontSize: "var(--text-sm)", fontFamily: "var(--font-mono)", color: "var(--text-2)", background: "var(--surface)", resize: "vertical", boxSizing: "border-box", lineHeight: 1.6, outline: "none" }}
+                  />
+                </div>
+              </section>
+
+              {/* Talking points */}
+              <section aria-label="Talking points">
+                <span style={{ display: "block", fontSize: "var(--text-xs)", fontWeight: 600, textTransform: "uppercase", letterSpacing: "0.07em", color: "var(--text-2)", marginBottom: "var(--space-2)" }}>
+                  Talking points
+                </span>
+                <ul style={{ margin: 0, padding: 0, listStyle: "none", display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+                  {data.talkingPoints.map((pt, i) => (
+                    <li key={i} style={{ display: "flex", gap: "var(--space-2)", fontSize: "var(--text-sm)", color: "var(--text-2)", lineHeight: 1.5 }}>
+                      <span aria-hidden="true" style={{ color: "var(--accent)", flexShrink: 0, marginTop: 2 }}>•</span>
+                      {pt}
+                    </li>
+                  ))}
+                </ul>
+              </section>
+            </>
+          )}
+        </div>
+
+        {/* Footer actions */}
+        {data && (
+          <div style={{ display: "flex", gap: "var(--space-2)", padding: "var(--space-4) var(--space-5)", borderTop: "1px solid var(--border)", flexShrink: 0, flexWrap: "wrap" }}>
+            <button type="button" className="btn btn-secondary button-pop" style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", height: 32, fontSize: "var(--text-xs)" }} onClick={copyEmail}>
+              <Copy size={13} aria-hidden="true" /> Copy email
+            </button>
+            <button type="button" className="btn btn-primary button-pop" style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", height: 32, fontSize: "var(--text-xs)" }} onClick={sendViaGmail}>
+              <Mail size={13} aria-hidden="true" /> Send via Gmail
+            </button>
+            <button type="button" className="btn btn-ghost button-pop" style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", height: 32, fontSize: "var(--text-xs)", marginLeft: "auto" }} onClick={() => alert("PDF export coming soon")}>
+              <FileText size={13} aria-hidden="true" /> Export PDF
+            </button>
+          </div>
+        )}
+      </div>
+
+      {toast && <Toast message={toast} />}
+    </>,
+    document.body,
+  );
+}
diff --git a/apps/web/src/components/RoleSwitcher.tsx b/apps/web/src/components/RoleSwitcher.tsx
new file mode 100644
index 0000000..d515beb
--- /dev/null
+++ b/apps/web/src/components/RoleSwitcher.tsx
@@ -0,0 +1,169 @@
+import { useEffect, useRef, useState } from "react";
+import { ChevronDown, ChevronUp, Check } from "lucide-react";
+import { ALL_ROLES, ROLE_LABELS, useRole } from "../lib/role.js";
+import type { Role } from "../lib/role.js";
+
+export function RoleSwitcher(): JSX.Element {
+  const [role, setRole] = useRole();
+  const [open, setOpen] = useState(false);
+  const triggerRef = useRef<HTMLButtonElement>(null);
+  const menuRef = useRef<HTMLUListElement>(null);
+  const [focusedIndex, setFocusedIndex] = useState<number>(-1);
+
+  const close = () => {
+    setOpen(false);
+    setFocusedIndex(-1);
+    triggerRef.current?.focus();
+  };
+
+  const select = (r: Role) => {
+    setRole(r);
+    close();
+  };
+
+  useEffect(() => {
+    if (!open) return;
+    const onMouseDown = (e: MouseEvent) => {
+      if (
+        triggerRef.current?.contains(e.target as Node) ||
+        menuRef.current?.contains(e.target as Node)
+      ) return;
+      close();
+    };
+    const onKeyDown = (e: KeyboardEvent) => {
+      if (e.key === "Escape") {
+        e.preventDefault();
+        close();
+        return;
+      }
+      if (e.key === "ArrowDown") {
+        e.preventDefault();
+        setFocusedIndex(i => Math.min(i + 1, ALL_ROLES.length - 1));
+        return;
+      }
+      if (e.key === "ArrowUp") {
+        e.preventDefault();
+        setFocusedIndex(i => Math.max(i - 1, 0));
+        return;
+      }
+      if (e.key === "Enter" && focusedIndex >= 0) {
+        e.preventDefault();
+        const picked: Role | undefined = ALL_ROLES[focusedIndex];
+        if (picked !== undefined) select(picked);
+      }
+    };
+    document.addEventListener("mousedown", onMouseDown);
+    document.addEventListener("keydown", onKeyDown);
+    return () => {
+      document.removeEventListener("mousedown", onMouseDown);
+      document.removeEventListener("keydown", onKeyDown);
+    };
+  }, [open, focusedIndex]);
+
+  useEffect(() => {
+    if (!open) return;
+    const idx = ALL_ROLES.indexOf(role);
+    setFocusedIndex(idx >= 0 ? idx : 0);
+  }, [open]);
+
+  useEffect(() => {
+    if (!open || focusedIndex < 0) return;
+    const item = menuRef.current?.children[focusedIndex] as HTMLElement | undefined;
+    item?.focus();
+  }, [focusedIndex, open]);
+
+  const optionId = (r: Role) => `role-option-${r}`;
+  const menuId = "role-switcher-listbox";
+
+  return (
+    <div style={{ position: "relative" }}>
+      <button
+        ref={triggerRef}
+        type="button"
+        className="btn btn-ghost"
+        aria-haspopup="listbox"
+        aria-expanded={open}
+        aria-controls={menuId}
+        onClick={() => setOpen(o => !o)}
+        style={{
+          height: 32,
+          padding: "0 var(--space-3)",
+          gap: "var(--space-1)",
+          color: open ? "var(--accent)" : undefined,
+        }}
+      >
+        <span style={{ fontWeight: 400, fontSize: "var(--text-sm)" }}>
+          {ROLE_LABELS[role]}
+        </span>
+        {open ? (
+          <ChevronUp size={14} aria-hidden="true" style={{ color: "var(--muted)", flexShrink: 0 }} />
+        ) : (
+          <ChevronDown size={14} aria-hidden="true" style={{ color: "var(--muted)", flexShrink: 0 }} />
+        )}
+      </button>
+
+      {open && (
+        <ul
+          id={menuId}
+          ref={menuRef}
+          role="listbox"
+          aria-label="Switch role"
+          style={{
+            position: "absolute",
+            top: "calc(100% + 4px)",
+            right: 0,
+            width: 180,
+            background: "var(--surface-2)",
+            border: "1px solid var(--border)",
+            borderRadius: "var(--radius-md)",
+            padding: "var(--space-2)",
+            margin: 0,
+            listStyle: "none",
+            zIndex: 200,
+          }}
+        >
+          {ALL_ROLES.map((r, idx) => {
+            const isCurrent = r === role;
+            const isFocused = idx === focusedIndex;
+            return (
+              <li
+                key={r}
+                id={optionId(r)}
+                role="option"
+                aria-selected={isCurrent}
+                tabIndex={isFocused ? 0 : -1}
+                onClick={() => select(r)}
+                onKeyDown={e => {
+                  if (e.key === "Enter" || e.key === " ") {
+                    e.preventDefault();
+                    select(r);
+                  }
+                }}
+                style={{
+                  height: 32,
+                  display: "flex",
+                  alignItems: "center",
+                  justifyContent: "space-between",
+                  padding: "0 var(--space-3)",
+                  borderRadius: "var(--radius-sm)",
+                  cursor: "pointer",
+                  fontSize: "var(--text-sm)",
+                  fontWeight: 400,
+                  color: isCurrent ? "var(--accent)" : "var(--text-2)",
+                  background: isFocused ? "var(--accent-soft)" : "transparent",
+                  transition: "background var(--dur-fast) var(--ease-out), color var(--dur-fast) var(--ease-out)",
+                }}
+                onMouseEnter={() => setFocusedIndex(idx)}
+              >
+                <span>{ROLE_LABELS[r]}</span>
+                {isCurrent && (
+                  <Check size={16} aria-hidden="true" style={{ color: "var(--accent)", flexShrink: 0 }} />
+                )}
+              </li>
+            );
+          })}
+        </ul>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/SeverityBadge.tsx b/apps/web/src/components/SeverityBadge.tsx
new file mode 100644
index 0000000..2187a3e
--- /dev/null
+++ b/apps/web/src/components/SeverityBadge.tsx
@@ -0,0 +1,19 @@
+import type { Severity } from "@unsyphn/shared";
+
+interface Props {
+  severity: Severity;
+}
+
+const CLASS_MAP: Record<Severity, string> = {
+  P1: "badge badge-danger",
+  P2: "badge badge-warning",
+  P3: "badge badge-success",
+};
+
+export function SeverityBadge({ severity }: Props): JSX.Element {
+  return (
+    <span className={CLASS_MAP[severity]} aria-label={`Severity ${severity}`}>
+      · {severity}
+    </span>
+  );
+}
diff --git a/apps/web/src/components/SkeletonRow.tsx b/apps/web/src/components/SkeletonRow.tsx
new file mode 100644
index 0000000..6d1d844
--- /dev/null
+++ b/apps/web/src/components/SkeletonRow.tsx
@@ -0,0 +1,153 @@
+import type { CSSProperties } from "react";
+
+interface SkeletonRowProps {
+  /** Outer container height in px. */
+  height?: number;
+  /** Number of horizontal text bars rendered (vertically stacked). */
+  bars?: number;
+  /** Show a circular avatar/icon on the left. */
+  avatar?: boolean;
+  /** Show a small trailing bar on the right. */
+  trail?: boolean;
+  /** Extra container style. */
+  style?: CSSProperties;
+}
+
+/**
+ * Glass-soft skeleton row. Pairs the `.skeleton` shimmer (defined in
+ * polish.css) with the same lift/blur surface used elsewhere in-app.
+ */
+export function SkeletonRow({
+  height = 72,
+  bars = 2,
+  avatar = true,
+  trail = true,
+  style,
+}: SkeletonRowProps): JSX.Element {
+  return (
+    <div
+      aria-hidden="true"
+      className="glass-soft"
+      style={{
+        height,
+        padding: 16,
+        marginBottom: 8,
+        borderRadius: 12,
+        display: "flex",
+        alignItems: "center",
+        gap: 16,
+        ...style,
+      }}
+    >
+      {avatar && (
+        <div
+          className="skeleton"
+          style={{ width: 28, height: 28, borderRadius: "50%" }}
+        />
+      )}
+      <div
+        style={{
+          flex: 1,
+          display: "flex",
+          flexDirection: "column",
+          gap: 6,
+          minWidth: 0,
+        }}
+      >
+        {Array.from({ length: bars }).map((_, i) => (
+          <div
+            key={i}
+            className="skeleton"
+            style={{
+              width: i === 0 ? "55%" : "85%",
+              height: i === 0 ? 12 : 10,
+              borderRadius: 4,
+            }}
+          />
+        ))}
+      </div>
+      {trail && (
+        <div
+          className="skeleton"
+          style={{ width: 60, height: 12, borderRadius: 4 }}
+        />
+      )}
+    </div>
+  );
+}
+
+interface SkeletonCardProps {
+  /** Card height. */
+  height?: number;
+  /** Number of horizontal text bars rendered in the body. */
+  bars?: number;
+  style?: CSSProperties;
+}
+
+/**
+ * Larger card-shaped skeleton — for Reports grid, vendor detail cards.
+ */
+export function SkeletonCard({
+  height = 180,
+  bars = 4,
+  style,
+}: SkeletonCardProps): JSX.Element {
+  return (
+    <div
+      aria-hidden="true"
+      className="glass-soft"
+      style={{
+        height,
+        padding: 20,
+        borderRadius: 12,
+        display: "flex",
+        flexDirection: "column",
+        gap: 10,
+        ...style,
+      }}
+    >
+      <div
+        style={{
+          display: "flex",
+          alignItems: "center",
+          gap: 10,
+          marginBottom: 8,
+        }}
+      >
+        <div
+          className="skeleton"
+          style={{ width: 18, height: 18, borderRadius: 4 }}
+        />
+        <div
+          className="skeleton"
+          style={{ flex: 1, height: 14, borderRadius: 4, maxWidth: 220 }}
+        />
+        <div
+          className="skeleton"
+          style={{ width: 56, height: 18, borderRadius: 999 }}
+        />
+      </div>
+      {Array.from({ length: bars }).map((_, i) => (
+        <div
+          key={i}
+          className="skeleton"
+          style={{
+            width: i === bars - 1 ? "50%" : `${75 + ((i * 7) % 18)}%`,
+            height: 9,
+            borderRadius: 4,
+          }}
+        />
+      ))}
+      <div style={{ display: "flex", gap: 8, marginTop: "auto" }}>
+        <div
+          className="skeleton"
+          style={{ width: 110, height: 28, borderRadius: 8 }}
+        />
+        <div
+          className="skeleton"
+          style={{ width: 90, height: 28, borderRadius: 8 }}
+        />
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/VendorCard.tsx b/apps/web/src/components/VendorCard.tsx
new file mode 100644
index 0000000..f45a4a6
--- /dev/null
+++ b/apps/web/src/components/VendorCard.tsx
@@ -0,0 +1,157 @@
+import { VendorLogo } from "./VendorLogo.js";
+
+export type Posture = "fresh" | "expiring" | "stale" | "risk" | "watch" | "ok";
+
+export interface VendorCardData {
+  id: string;
+  name: string;
+  domain: string;
+  tier: 1 | 2 | 3;
+  posture: Posture;
+  renewsAt: string;
+  ownerInitial: string;
+  ownerEmail: string;
+}
+
+function postureLabel(p: Posture): string {
+  if (p === "fresh" || p === "ok") return "fresh";
+  if (p === "expiring" || p === "watch") return "expiring";
+  return "stale";
+}
+
+function postureBadgeClass(p: Posture): string {
+  if (p === "fresh" || p === "ok") return "badge badge-success";
+  if (p === "expiring" || p === "watch") return "badge badge-warning";
+  return "badge badge-danger";
+}
+
+function daysUntil(dateStr: string): number {
+  const now = Date.now();
+  const then = new Date(dateStr).getTime();
+  return Math.round((then - now) / 86_400_000);
+}
+
+function formatRenewal(dateStr: string): string {
+  const d = new Date(dateStr);
+  const formatted = d.toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" });
+  const days = daysUntil(dateStr);
+  const suffix = days > 0 ? ` (in ${days}d)` : ` (${Math.abs(days)}d ago)`;
+  return `Renews ${formatted}${suffix}`;
+}
+
+function tierLabel(tier: number): string {
+  if (tier === 1) return "Tier 1";
+  if (tier === 2) return "Tier 2";
+  return "Tier 3";
+}
+
+interface VendorCardProps {
+  vendor: VendorCardData;
+}
+
+export function VendorCard({ vendor }: VendorCardProps): JSX.Element {
+  const handleClick = () => {
+    window.location.assign(`/app/vendor/${vendor.id}`);
+  };
+
+  const handleKeyDown = (e: React.KeyboardEvent) => {
+    if (e.key === "Enter" || e.key === " ") {
+      e.preventDefault();
+      handleClick();
+    }
+  };
+
+  return (
+    <article
+      className="card"
+      role="button"
+      tabIndex={0}
+      aria-label={`${vendor.name} vendor details`}
+      onClick={handleClick}
+      onKeyDown={handleKeyDown}
+      style={{
+        padding: "var(--space-4)",
+        cursor: "pointer",
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-3)",
+      }}
+    >
+      {/* Top row: logo + name + tier badge */}
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-3)" }}>
+        <VendorLogo name={vendor.name} domain={vendor.domain} size={48} />
+        <div style={{ display: "flex", flex: 1, alignItems: "center", justifyContent: "space-between", gap: "var(--space-2)", minWidth: 0 }}>
+          <h3
+            className="h3"
+            style={{ fontSize: "var(--text-base)", fontWeight: 500, color: "var(--text-strong)", margin: 0 }}
+          >
+            {vendor.name}
+          </h3>
+          <span className="badge badge-neutral">{tierLabel(vendor.tier)}</span>
+        </div>
+      </div>
+
+      {/* Domain */}
+      <span
+        style={{
+          fontFamily: "var(--font-mono)",
+          fontSize: "var(--text-xs)",
+          color: "var(--muted)",
+          display: "block",
+        }}
+      >
+        {vendor.domain}
+      </span>
+
+      {/* Posture chip */}
+      <span className={postureBadgeClass(vendor.posture)}>
+        {postureLabel(vendor.posture)}
+      </span>
+
+      {/* Renewal date */}
+      <span
+        style={{
+          fontSize: "var(--text-sm)",
+          color: "var(--text-2)",
+          display: "block",
+        }}
+      >
+        {formatRenewal(vendor.renewsAt)}
+      </span>
+
+      {/* Owner */}
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", marginTop: "var(--space-1)" }}>
+        <span
+          aria-hidden="true"
+          style={{
+            width: 24,
+            height: 24,
+            borderRadius: "var(--radius-full)",
+            background: "var(--surface-2)",
+            border: "1px solid var(--border)",
+            display: "inline-flex",
+            alignItems: "center",
+            justifyContent: "center",
+            fontSize: "var(--text-xs)",
+            fontWeight: 500,
+            color: "var(--text-2)",
+            flexShrink: 0,
+          }}
+        >
+          {vendor.ownerInitial}
+        </span>
+        <span
+          style={{
+            fontSize: "var(--text-xs)",
+            color: "var(--muted)",
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            whiteSpace: "nowrap",
+          }}
+        >
+          {vendor.ownerEmail}
+        </span>
+      </div>
+    </article>
+  );
+}
diff --git a/apps/web/src/components/VendorLogo.tsx b/apps/web/src/components/VendorLogo.tsx
new file mode 100644
index 0000000..6ff14e3
--- /dev/null
+++ b/apps/web/src/components/VendorLogo.tsx
@@ -0,0 +1,71 @@
+import { useState } from "react";
+import { simpleIconsUrl, brandfetchUrl, monogramFor } from "../lib/logos.js";
+
+interface Props {
+  name: string;
+  domain?: string;
+  size?: number;
+}
+
+export function VendorLogo({ name, domain, size = 32 }: Props) {
+  const [stage, setStage] = useState<0 | 1 | 2>(0);
+
+  const containerStyle: React.CSSProperties = {
+    width: size,
+    height: size,
+    borderRadius: "var(--radius-sm)",
+    border: "1px solid var(--border)",
+    background: "var(--surface)",
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    overflow: "hidden",
+    flexShrink: 0,
+  };
+
+  if (stage === 0) {
+    return (
+      <span style={containerStyle} aria-label={`${name} logo`}>
+        <img
+          src={simpleIconsUrl(name)}
+          alt=""
+          width={Math.round(size * 0.66)}
+          height={Math.round(size * 0.66)}
+          onError={() => setStage(domain ? 1 : 2)}
+          style={{ objectFit: "contain" }}
+        />
+      </span>
+    );
+  }
+
+  if (stage === 1 && domain) {
+    return (
+      <span style={containerStyle} aria-label={`${name} logo`}>
+        <img
+          src={brandfetchUrl(domain)}
+          alt=""
+          width={Math.round(size * 0.7)}
+          height={Math.round(size * 0.7)}
+          onError={() => setStage(2)}
+          style={{ objectFit: "contain" }}
+        />
+      </span>
+    );
+  }
+
+  const { initials, bg, fg } = monogramFor(name);
+  return (
+    <span
+      style={{
+        ...containerStyle,
+        background: bg,
+        color: fg,
+        fontWeight: 600,
+        fontSize: Math.round(size * 0.4),
+      }}
+      aria-label={`${name} logo`}
+    >
+      {initials}
+    </span>
+  );
+}
diff --git a/apps/web/src/components/findings/FindingDrawer.tsx b/apps/web/src/components/findings/FindingDrawer.tsx
new file mode 100644
index 0000000..13222fe
--- /dev/null
+++ b/apps/web/src/components/findings/FindingDrawer.tsx
@@ -0,0 +1,195 @@
+import { ExternalLink, AlertCircle, Eye, CheckCircle2 } from "lucide-react";
+import type { Finding, FindingState } from "../../lib/api.js";
+import { Drawer } from "../Drawer.js";
+
+interface Props {
+  finding: Finding | null;
+  open: boolean;
+  busy: boolean;
+  onClose: () => void;
+  onChangeState: (next: FindingState) => void;
+}
+
+function fmtDate(iso: string): string {
+  try {
+    return new Date(iso).toLocaleString("en-US", {
+      month: "short",
+      day: "numeric",
+      year: "numeric",
+      hour: "numeric",
+      minute: "2-digit",
+    });
+  } catch {
+    return iso;
+  }
+}
+
+function sourceLinkLabel(type: Finding["type"]): string {
+  if (type === "change") return "Open ChangeReport";
+  if (type === "subprocessor") return "Open sub-processor heatmap";
+  if (type === "spend") return "Open vendor spend tab";
+  if (type === "compliance") return "Open vendor detail";
+  return "Open source";
+}
+
+function Section({ label, children }: { label: string; children: React.ReactNode }): JSX.Element {
+  return (
+    <section style={{ marginBottom: "var(--space-4)" }}>
+      <p
+        style={{
+          margin: "0 0 6px",
+          fontSize: 10,
+          fontWeight: 600,
+          letterSpacing: "0.08em",
+          textTransform: "uppercase",
+          color: "var(--text-muted)",
+        }}
+      >
+        {label}
+      </p>
+      {children}
+    </section>
+  );
+}
+
+export function FindingDrawer({ finding, open, busy, onClose, onChangeState }: Props): JSX.Element | null {
+  if (!finding) return null;
+  const severityClass =
+    finding.severity === "P1"
+      ? "badge badge-danger"
+      : finding.severity === "P2"
+        ? "badge badge-warning"
+        : "badge badge-neutral";
+
+  return (
+    <Drawer open={open} onClose={onClose} title={`Finding · ${finding.severity}`}>
+      <div className="fade-in">
+        <div style={{ display: "flex", alignItems: "center", gap: 8, marginBottom: 12 }}>
+          <span className={severityClass}>{finding.severity}</span>
+          <span className="badge badge-neutral" style={{ textTransform: "capitalize" }}>
+            {finding.type}
+          </span>
+          <span
+            className="badge badge-neutral"
+            style={{ textTransform: "capitalize", marginLeft: "auto" }}
+          >
+            {finding.state.replace("-", " ")}
+          </span>
+        </div>
+
+        <h2
+          style={{
+            margin: "0 0 8px",
+            fontSize: "var(--text-lg)",
+            fontWeight: 600,
+            color: "var(--text-strong)",
+            lineHeight: 1.3,
+          }}
+        >
+          {finding.title}
+        </h2>
+        <p
+          style={{
+            margin: "0 0 var(--space-5)",
+            fontSize: "var(--text-sm)",
+            color: "var(--text-2)",
+            lineHeight: 1.5,
+          }}
+        >
+          {finding.summary}
+        </p>
+
+        <Section label="Vendor">
+          <a
+            href={`/app/vendors/${encodeURIComponent(finding.vendorId)}`}
+            style={{
+              color: "var(--text-strong)",
+              fontWeight: 500,
+              textDecoration: "none",
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 6,
+            }}
+          >
+            {finding.vendorName}
+            <ExternalLink size={12} aria-hidden="true" />
+          </a>
+        </Section>
+
+        <Section label="Detected">
+          <span style={{ fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            {fmtDate(finding.detectedAt)}
+          </span>
+        </Section>
+
+        {finding.lensTags.length > 0 && (
+          <Section label="Lens">
+            <div style={{ display: "flex", gap: 6, flexWrap: "wrap" }}>
+              {finding.lensTags.map((tag) => (
+                <span key={tag} className="badge badge-neutral" style={{ textTransform: "capitalize" }}>
+                  {tag}
+                </span>
+              ))}
+            </div>
+          </Section>
+        )}
+
+        {finding.sourceUrl && (
+          <Section label="Source">
+            <a
+              href={finding.sourceUrl}
+              style={{
+                display: "inline-flex",
+                alignItems: "center",
+                gap: 6,
+                fontSize: "var(--text-sm)",
+                color: "var(--accent)",
+                textDecoration: "none",
+              }}
+            >
+              {sourceLinkLabel(finding.type)}
+              <ExternalLink size={12} aria-hidden="true" />
+            </a>
+          </Section>
+        )}
+
+        <hr style={{ margin: "var(--space-5) 0", border: 0, borderTop: "1px solid var(--border)" }} />
+
+        <Section label="Actions">
+          <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+            <button
+              type="button"
+              className="btn btn-secondary"
+              disabled={busy || finding.state === "under-review"}
+              onClick={() => onChangeState("under-review")}
+              style={{ justifyContent: "flex-start" }}
+            >
+              <AlertCircle size={14} aria-hidden="true" />
+              Acknowledge
+            </button>
+            <button
+              type="button"
+              className="btn btn-secondary"
+              disabled={busy || finding.state === "under-review"}
+              onClick={() => onChangeState("under-review")}
+              style={{ justifyContent: "flex-start" }}
+            >
+              <Eye size={14} aria-hidden="true" />
+              Mark under review
+            </button>
+            <button
+              type="button"
+              className="btn btn-primary"
+              disabled={busy || finding.state === "resolved"}
+              onClick={() => onChangeState("resolved")}
+              style={{ justifyContent: "flex-start" }}
+            >
+              <CheckCircle2 size={14} aria-hidden="true" />
+              Resolve
+            </button>
+          </div>
+        </Section>
+      </div>
+    </Drawer>
+  );
+}
diff --git a/apps/web/src/components/findings/FindingsFilters.tsx b/apps/web/src/components/findings/FindingsFilters.tsx
new file mode 100644
index 0000000..411b9c2
--- /dev/null
+++ b/apps/web/src/components/findings/FindingsFilters.tsx
@@ -0,0 +1,119 @@
+import type { FindingState, FindingType } from "../../lib/api.js";
+
+export type SeverityFilter = "P1" | "P2" | "P3";
+
+interface Props {
+  typeFilter: FindingType | "all";
+  severityFilter: SeverityFilter | "all";
+  stateFilter: FindingState | "all";
+  onTypeChange: (next: FindingType | "all") => void;
+  onSeverityChange: (next: SeverityFilter | "all") => void;
+  onStateChange: (next: FindingState | "all") => void;
+}
+
+const TYPE_CHIPS: Array<{ value: FindingType | "all"; label: string }> = [
+  { value: "all", label: "All" },
+  { value: "change", label: "Change" },
+  { value: "compliance", label: "Compliance" },
+  { value: "subprocessor", label: "Sub-processor" },
+  { value: "spend", label: "Spend" },
+  { value: "security", label: "Security" },
+];
+
+const SEVERITY_CHIPS: Array<{ value: SeverityFilter | "all"; label: string }> = [
+  { value: "all", label: "All severities" },
+  { value: "P1", label: "P1" },
+  { value: "P2", label: "P2" },
+  { value: "P3", label: "P3" },
+];
+
+const STATE_CHIPS: Array<{ value: FindingState | "all"; label: string }> = [
+  { value: "all", label: "All states" },
+  { value: "open", label: "Open" },
+  { value: "under-review", label: "Under review" },
+  { value: "resolved", label: "Resolved" },
+];
+
+function ChipGroup<T extends string>({
+  label,
+  chips,
+  value,
+  onChange,
+}: {
+  label: string;
+  chips: ReadonlyArray<{ value: T; label: string }>;
+  value: T;
+  onChange: (next: T) => void;
+}): JSX.Element {
+  return (
+    <div
+      role="group"
+      aria-label={label}
+      style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", flexWrap: "wrap" }}
+    >
+      <span
+        style={{
+          fontSize: 10,
+          fontWeight: 600,
+          textTransform: "uppercase",
+          letterSpacing: "0.08em",
+          color: "var(--text-muted)",
+          marginRight: 4,
+        }}
+      >
+        {label}
+      </span>
+      {chips.map((chip) => (
+        <button
+          key={chip.value}
+          type="button"
+          onClick={() => onChange(chip.value)}
+          aria-pressed={value === chip.value}
+          className={`${value === chip.value ? "badge badge-accent" : "badge badge-neutral"} button-pop`}
+          style={{ cursor: "pointer", border: "none" }}
+        >
+          {chip.label}
+        </button>
+      ))}
+    </div>
+  );
+}
+
+export function FindingsFilters({
+  typeFilter,
+  severityFilter,
+  stateFilter,
+  onTypeChange,
+  onSeverityChange,
+  onStateChange,
+}: Props): JSX.Element {
+  return (
+    <div
+      style={{
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-3)",
+        marginBottom: "var(--space-5)",
+      }}
+    >
+      <ChipGroup<FindingType | "all">
+        label="Type"
+        chips={TYPE_CHIPS}
+        value={typeFilter}
+        onChange={onTypeChange}
+      />
+      <ChipGroup<SeverityFilter | "all">
+        label="Severity"
+        chips={SEVERITY_CHIPS}
+        value={severityFilter}
+        onChange={onSeverityChange}
+      />
+      <ChipGroup<FindingState | "all">
+        label="State"
+        chips={STATE_CHIPS}
+        value={stateFilter}
+        onChange={onStateChange}
+      />
+    </div>
+  );
+}
diff --git a/apps/web/src/components/findings/FindingsStats.tsx b/apps/web/src/components/findings/FindingsStats.tsx
new file mode 100644
index 0000000..8776ff1
--- /dev/null
+++ b/apps/web/src/components/findings/FindingsStats.tsx
@@ -0,0 +1,88 @@
+import type { Finding, FindingType } from "../../lib/api.js";
+import { CountUp } from "../CountUp.js";
+
+const TYPE_LABELS: Record<FindingType, string> = {
+  change: "Change",
+  compliance: "Compliance",
+  subprocessor: "Sub-processor",
+  spend: "Spend",
+  security: "Security",
+};
+
+interface Props {
+  findings: ReadonlyArray<Finding>;
+}
+
+const intFmt = (n: number): string => Math.round(n).toString();
+
+function Stat({ label, value, accent }: { label: string; value: number; accent?: boolean }): JSX.Element {
+  return (
+    <div
+      className="card glass-strong lift-on-hover"
+      style={{
+        padding: "var(--space-3) var(--space-4)",
+        display: "flex",
+        flexDirection: "column",
+        gap: 2,
+        minWidth: 130,
+      }}
+    >
+      <span
+        style={{
+          fontSize: 10,
+          fontWeight: 600,
+          textTransform: "uppercase",
+          letterSpacing: "0.08em",
+          color: "var(--text-muted)",
+        }}
+      >
+        {label}
+      </span>
+      <span
+        style={{
+          fontFamily: "var(--font-mono)",
+          fontSize: "var(--text-xl)",
+          fontWeight: 600,
+          color: accent ? "var(--danger)" : "var(--text-strong)",
+          lineHeight: 1.1,
+        }}
+      >
+        <CountUp value={value} format={intFmt} />
+      </span>
+    </div>
+  );
+}
+
+export function FindingsStats({ findings }: Props): JSX.Element {
+  const open = findings.filter((f) => f.state !== "resolved");
+  const p1 = findings.filter((f) => f.severity === "P1" && f.state !== "resolved").length;
+
+  const byType: Record<FindingType, number> = {
+    change: 0,
+    compliance: 0,
+    subprocessor: 0,
+    spend: 0,
+    security: 0,
+  };
+  for (const f of open) byType[f.type] += 1;
+
+  return (
+    <div
+      role="region"
+      aria-label="Findings overview"
+      className="stagger-children"
+      style={{
+        display: "flex",
+        gap: "var(--space-3)",
+        marginBottom: "var(--space-5)",
+        flexWrap: "wrap",
+      }}
+    >
+      <Stat label="Open findings" value={open.length} />
+      <Stat label="P1 critical" value={p1} accent={p1 > 0} />
+      {(Object.entries(byType) as Array<[FindingType, number]>).map(([type, count]) => (
+        <Stat key={type} label={TYPE_LABELS[type]} value={count} />
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/findings/FindingsTable.tsx b/apps/web/src/components/findings/FindingsTable.tsx
new file mode 100644
index 0000000..ed2b04b
--- /dev/null
+++ b/apps/web/src/components/findings/FindingsTable.tsx
@@ -0,0 +1,180 @@
+import type { Finding } from "../../lib/api.js";
+
+interface Props {
+  findings: ReadonlyArray<Finding>;
+  onOpen: (finding: Finding) => void;
+}
+
+const TYPE_LABEL: Record<Finding["type"], string> = {
+  change: "Change",
+  compliance: "Compliance",
+  subprocessor: "Sub-processor",
+  spend: "Spend",
+  security: "Security",
+};
+
+const STATE_LABEL: Record<Finding["state"], string> = {
+  open: "Open",
+  "under-review": "Under review",
+  resolved: "Resolved",
+};
+
+function severityClass(sev: Finding["severity"]): string {
+  if (sev === "P1") return "badge badge-danger";
+  if (sev === "P2") return "badge badge-warning";
+  return "badge badge-neutral";
+}
+
+function stateClass(state: Finding["state"]): string {
+  if (state === "open") return "badge badge-warning";
+  if (state === "under-review") return "badge badge-accent";
+  return "badge badge-neutral";
+}
+
+function fmtDate(iso: string): string {
+  try {
+    return new Date(iso).toLocaleDateString("en-US", {
+      month: "short",
+      day: "numeric",
+    });
+  } catch {
+    return iso;
+  }
+}
+
+export function FindingsTable({ findings, onOpen }: Props): JSX.Element {
+  return (
+    <div className="card glass fade-up" style={{ padding: 0, overflow: "hidden" }}>
+      <table
+        style={{
+          width: "100%",
+          borderCollapse: "collapse",
+          fontSize: "var(--text-sm)",
+        }}
+      >
+        <thead>
+          <tr style={{ background: "var(--surface-2)" }}>
+            <Th>Severity</Th>
+            <Th>Title</Th>
+            <Th>Vendor</Th>
+            <Th>Type</Th>
+            <Th>Detected</Th>
+            <Th>State</Th>
+            <Th align="right">Action</Th>
+          </tr>
+        </thead>
+        <tbody>
+          {findings.map((f) => (
+            <tr
+              key={f.id}
+              className="row-hover"
+              style={{ borderTop: "1px solid var(--border)", cursor: "pointer" }}
+              onClick={() => onOpen(f)}
+            >
+              <Td>
+                <span className={severityClass(f.severity)}>{f.severity}</span>
+              </Td>
+              <Td>
+                <button
+                  type="button"
+                  onClick={(e) => {
+                    e.stopPropagation();
+                    onOpen(f);
+                  }}
+                  style={{
+                    background: "none",
+                    border: "none",
+                    padding: 0,
+                    color: "var(--accent)",
+                    fontWeight: 500,
+                    textAlign: "left",
+                    cursor: "pointer",
+                    fontSize: "var(--text-sm)",
+                  }}
+                  aria-label={`Open finding ${f.title}`}
+                >
+                  {f.title}
+                </button>
+              </Td>
+              <Td>
+                <a
+                  href={`/app/vendors/${encodeURIComponent(f.vendorId)}`}
+                  onClick={(e) => e.stopPropagation()}
+                  style={{
+                    color: "var(--text-strong)",
+                    textDecoration: "none",
+                    fontWeight: 500,
+                  }}
+                >
+                  {f.vendorName}
+                </a>
+              </Td>
+              <Td>{TYPE_LABEL[f.type]}</Td>
+              <Td style={{ color: "var(--text-muted)" }}>{fmtDate(f.detectedAt)}</Td>
+              <Td>
+                <span className={stateClass(f.state)}>{STATE_LABEL[f.state]}</span>
+              </Td>
+              <Td align="right">
+                <button
+                  type="button"
+                  className="btn btn-secondary"
+                  style={{ fontSize: "var(--text-xs)", height: 26, padding: "0 10px" }}
+                  onClick={(e) => {
+                    e.stopPropagation();
+                    onOpen(f);
+                  }}
+                >
+                  Open
+                </button>
+              </Td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  );
+}
+
+function Th({ children, align }: { children: React.ReactNode; align?: "right" }): JSX.Element {
+  return (
+    <th
+      scope="col"
+      style={{
+        padding: "10px 14px",
+        textAlign: align ?? "left",
+        fontSize: 10,
+        fontWeight: 600,
+        letterSpacing: "0.08em",
+        textTransform: "uppercase",
+        color: "var(--text-muted)",
+        borderBottom: "1px solid var(--border)",
+      }}
+    >
+      {children}
+    </th>
+  );
+}
+
+function Td({
+  children,
+  align,
+  style,
+}: {
+  children: React.ReactNode;
+  align?: "right";
+  style?: React.CSSProperties;
+}): JSX.Element {
+  return (
+    <td
+      style={{
+        padding: "12px 14px",
+        textAlign: align ?? "left",
+        color: "var(--text)",
+        verticalAlign: "middle",
+        ...(style ?? {}),
+      }}
+    >
+      {children}
+    </td>
+  );
+}
diff --git a/apps/web/src/components/inbox/InboxEmptyState.tsx b/apps/web/src/components/inbox/InboxEmptyState.tsx
new file mode 100644
index 0000000..ea6fb9d
--- /dev/null
+++ b/apps/web/src/components/inbox/InboxEmptyState.tsx
@@ -0,0 +1,37 @@
+import { ROLE_LABELS, type Role } from "../../lib/role.js";
+
+interface InboxEmptyStateProps {
+  role: Role;
+  query: string;
+}
+
+export function InboxEmptyState({ role, query }: InboxEmptyStateProps): JSX.Element {
+  const emptyCopy = `Nothing for ${ROLE_LABELS[role]} today — try a different lens or J to switch.`;
+
+  return (
+    <div
+      className="card glass-soft fade-up"
+      style={{
+        padding: 56,
+        textAlign: "center",
+        color: "#64748b",
+        fontSize: 14,
+      }}
+    >
+      <p style={{ margin: "0 0 8px" }}>
+        {query ? "Nothing matches your search. Try a different query." : emptyCopy}
+      </p>
+      <a
+        href="/app/findings"
+        style={{
+          fontSize: 13,
+          color: "var(--accent)",
+          textDecoration: "none",
+          fontWeight: 500,
+        }}
+      >
+        View in Findings →
+      </a>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/inbox/InboxFilterRow.tsx b/apps/web/src/components/inbox/InboxFilterRow.tsx
new file mode 100644
index 0000000..0a1de40
--- /dev/null
+++ b/apps/web/src/components/inbox/InboxFilterRow.tsx
@@ -0,0 +1,96 @@
+import { useRef } from "react";
+import { Search } from "lucide-react";
+
+type FilterKind = "all" | "changes" | "renewals" | "unused-seats";
+type SeverityFilter = "all" | "P1" | "P2";
+
+interface InboxFilterRowProps {
+  filter: FilterKind;
+  severity: SeverityFilter;
+  query: string;
+  onFilterChange: (value: FilterKind) => void;
+  onSeverityChange: (value: SeverityFilter) => void;
+  onQueryChange: (value: string) => void;
+}
+
+const FILTER_CHIPS: Array<{ label: string; value: FilterKind }> = [
+  { label: "All", value: "all" },
+  { label: "Changes", value: "changes" },
+  { label: "Renewals", value: "renewals" },
+  { label: "Unused seats", value: "unused-seats" },
+];
+
+export function InboxFilterRow({
+  filter,
+  severity,
+  query,
+  onFilterChange,
+  onSeverityChange,
+  onQueryChange,
+}: InboxFilterRowProps): JSX.Element {
+  const searchRef = useRef<HTMLInputElement>(null);
+
+  return (
+    <div
+      style={{
+        display: "flex",
+        alignItems: "center",
+        gap: "var(--space-2)",
+        marginBottom: 16,
+        flexWrap: "wrap",
+      }}
+    >
+      {FILTER_CHIPS.map(({ label, value }) => (
+        <button
+          key={value}
+          type="button"
+          onClick={() => onFilterChange(value)}
+          aria-pressed={filter === value}
+          className={`${filter === value ? "badge badge-accent" : "badge badge-neutral"} button-pop`}
+          style={{ cursor: "pointer", border: "none" }}
+        >
+          {label}
+        </button>
+      ))}
+
+      <div style={{ marginLeft: "auto", display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+        <select
+          className="input"
+          style={{ width: "auto", height: 28, fontSize: "var(--text-xs)" }}
+          value={severity}
+          onChange={(e) => onSeverityChange(e.target.value as SeverityFilter)}
+          aria-label="Filter by severity"
+        >
+          <option value="all">All severities</option>
+          <option value="P1">P1 only</option>
+          <option value="P2">P2+ only</option>
+        </select>
+
+        <div style={{ position: "relative", width: 220 }}>
+          <Search
+            size={13}
+            aria-hidden="true"
+            style={{
+              position: "absolute",
+              left: 8,
+              top: "50%",
+              transform: "translateY(-50%)",
+              color: "var(--text-muted)",
+              pointerEvents: "none",
+            }}
+          />
+          <input
+            ref={searchRef}
+            className="input"
+            type="search"
+            placeholder="Search vendor, title, summary…"
+            value={query}
+            onChange={(e) => onQueryChange(e.target.value)}
+            style={{ height: 28, paddingLeft: 26, fontSize: "var(--text-xs)" }}
+            aria-label="Search inbox"
+          />
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/inbox/InboxKeyHints.tsx b/apps/web/src/components/inbox/InboxKeyHints.tsx
new file mode 100644
index 0000000..ef63cc3
--- /dev/null
+++ b/apps/web/src/components/inbox/InboxKeyHints.tsx
@@ -0,0 +1,43 @@
+const HINTS: Array<[string, string]> = [
+  ["J/K", "navigate"],
+  ["Enter", "open"],
+  ["R", "open"],
+  ["E", "resolve"],
+  ["S", "snooze 48h"],
+  ["X", "select"],
+];
+
+export function InboxKeyHints(): JSX.Element {
+  return (
+    <div
+      style={{
+        display: "flex",
+        gap: 16,
+        marginTop: 16,
+        fontSize: 11,
+        color: "#94a3b8",
+        fontFamily: "var(--font-mono)",
+        flexWrap: "wrap",
+      }}
+      aria-hidden="true"
+    >
+      {HINTS.map(([key, desc]) => (
+        <span key={key}>
+          <kbd
+            style={{
+              background: "var(--surface-2)",
+              border: "1px solid var(--border)",
+              borderRadius: 4,
+              padding: "1px 5px",
+              fontSize: 11,
+              color: "#475569",
+            }}
+          >
+            {key}
+          </kbd>{" "}
+          {desc}
+        </span>
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/inbox/InboxList.tsx b/apps/web/src/components/inbox/InboxList.tsx
new file mode 100644
index 0000000..60d967f
--- /dev/null
+++ b/apps/web/src/components/inbox/InboxList.tsx
@@ -0,0 +1,106 @@
+import type { InboxItem } from "@unsyphn/shared";
+import { MaterialChangeCard } from "../MaterialChangeCard.js";
+
+interface DayGroup {
+  bucket: string;
+  label: string;
+  items: InboxItem[];
+}
+
+interface InboxListProps {
+  dayGroups: DayGroup[];
+  focusedIndex: number;
+  selectedIds: Set<string>;
+  readIds: Set<string>;
+  escalatedIds: Set<string>;
+  /** Called with the global flat index and the ref element for keyboard nav. */
+  registerRowRef: (idx: number, el: HTMLDivElement | null) => void;
+  onFocus: (idx: number) => void;
+  onClickItem: (item: InboxItem) => void;
+  onToggleSelect: (id: string) => void;
+  onSnooze: (item: InboxItem) => void;
+  onArchive: (item: InboxItem) => void;
+  onEscalate: (item: InboxItem) => void;
+  /** Start offset for flat index counting — must match parent's accumulated count. */
+  flatIndexOffset: number;
+}
+
+export function InboxList({
+  dayGroups,
+  focusedIndex,
+  selectedIds,
+  readIds,
+  escalatedIds,
+  registerRowRef,
+  onFocus,
+  onClickItem,
+  onToggleSelect,
+  onSnooze,
+  onArchive,
+  onEscalate,
+  flatIndexOffset,
+}: InboxListProps): JSX.Element {
+  let localFlatIndex = flatIndexOffset - 1;
+
+  return (
+    <div className="stagger-children">
+      {dayGroups.map((group) => (
+        <section key={group.bucket} aria-label={group.label} className="fade-up" style={{ marginBottom: 24 }}>
+          <div
+            style={{
+              fontSize: 10.5,
+              letterSpacing: "0.12em",
+              textTransform: "uppercase",
+              color: "#64748b",
+              fontWeight: 600,
+              marginBottom: 8,
+              marginTop: 8,
+              paddingLeft: 8,
+            }}
+          >
+            {group.label} · {group.items.length}
+          </div>
+          <div
+            className="card glass-soft"
+            style={{ padding: 0, overflow: "hidden" }}
+            role="list"
+            aria-label={`${group.label} items`}
+          >
+            {group.items.map((item, idxInGroup) => {
+              localFlatIndex += 1;
+              const idx = localFlatIndex;
+              const unread = item.state === "new" && !readIds.has(item.id);
+              const isFirst = idxInGroup === 0;
+              const isLast = idxInGroup === group.items.length - 1;
+              return (
+                <div
+                  key={item.id}
+                  role="listitem"
+                  className="row-hover"
+                  ref={(el) => registerRowRef(idx, el as HTMLDivElement | null)}
+                >
+                  <MaterialChangeCard
+                    item={item}
+                    focused={focusedIndex === idx}
+                    selected={selectedIds.has(item.id)}
+                    unread={unread}
+                    escalated={escalatedIds.has(item.id)}
+                    showCheckbox={selectedIds.size > 0}
+                    isFirst={isFirst}
+                    isLast={isLast}
+                    onClick={() => onClickItem(item)}
+                    onFocus={() => onFocus(idx)}
+                    onToggleSelect={() => onToggleSelect(item.id)}
+                    onSnooze={() => onSnooze(item)}
+                    onArchive={() => onArchive(item)}
+                    onEscalate={() => onEscalate(item)}
+                  />
+                </div>
+              );
+            })}
+          </div>
+        </section>
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/inbox/InboxSkeletonRow.tsx b/apps/web/src/components/inbox/InboxSkeletonRow.tsx
new file mode 100644
index 0000000..d1f7c58
--- /dev/null
+++ b/apps/web/src/components/inbox/InboxSkeletonRow.tsx
@@ -0,0 +1,28 @@
+export function InboxSkeletonRow(): JSX.Element {
+  return (
+    <div
+      aria-hidden="true"
+      style={{
+        height: 68,
+        borderBottom: "1px solid rgba(15,23,42,0.06)",
+        display: "flex",
+        alignItems: "center",
+        gap: 12,
+        padding: "14px 24px",
+      }}
+    >
+      <div
+        className="skeleton"
+        style={{ width: 8, height: 8, borderRadius: "50%" }}
+      />
+      <div
+        className="skeleton"
+        style={{ width: 24, height: 24, borderRadius: "50%" }}
+      />
+      <div
+        className="skeleton"
+        style={{ flex: 1, height: 10, borderRadius: 4, maxWidth: 320 }}
+      />
+    </div>
+  );
+}
diff --git a/apps/web/src/components/inbox/inboxApi.ts b/apps/web/src/components/inbox/inboxApi.ts
new file mode 100644
index 0000000..f87a456
--- /dev/null
+++ b/apps/web/src/components/inbox/inboxApi.ts
@@ -0,0 +1,19 @@
+import { DEMO_BEARER_TOKEN } from "../../lib/api.js";
+
+export async function postLifecycle(
+  id: string,
+  action: "acknowledge" | "snooze" | "resolve",
+  body: Record<string, unknown>,
+): Promise<void> {
+  const resp = await fetch(`/v1/changes/${encodeURIComponent(id)}/${action}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${DEMO_BEARER_TOKEN}`,
+    },
+    body: JSON.stringify(body),
+  });
+  if (!resp.ok) {
+    throw new Error(`Request failed (${resp.status})`);
+  }
+}
diff --git a/apps/web/src/components/portfolio/BulkActionBar.tsx b/apps/web/src/components/portfolio/BulkActionBar.tsx
new file mode 100644
index 0000000..aea320a
--- /dev/null
+++ b/apps/web/src/components/portfolio/BulkActionBar.tsx
@@ -0,0 +1,252 @@
+import { useState } from "react";
+import { ShieldCheck, FileText, Users, Tag, X } from "lucide-react";
+import type { TeamMember } from "../../lib/api.js";
+
+interface Props {
+  count: number;
+  owners: ReadonlyArray<TeamMember>;
+  onAssignOwner: (ownerId: string) => Promise<void> | void;
+  onChangeTier: (tier: 1 | 2 | 3) => Promise<void> | void;
+  onGeneratePackets: () => void;
+  onShareWithAuditor: () => void;
+  onClear: () => void;
+}
+
+export function BulkActionBar({
+  count,
+  owners,
+  onAssignOwner,
+  onChangeTier,
+  onGeneratePackets,
+  onShareWithAuditor,
+  onClear,
+}: Props): JSX.Element | null {
+  const [ownerOpen, setOwnerOpen] = useState(false);
+  const [tierOpen, setTierOpen] = useState(false);
+  const [busy, setBusy] = useState(false);
+
+  if (count === 0) return null;
+
+  const handleOwner = async (id: string) => {
+    setOwnerOpen(false);
+    setBusy(true);
+    try {
+      await onAssignOwner(id);
+    } finally {
+      setBusy(false);
+    }
+  };
+  const handleTier = async (t: 1 | 2 | 3) => {
+    setTierOpen(false);
+    setBusy(true);
+    try {
+      await onChangeTier(t);
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  return (
+    <div
+      role="region"
+      aria-label="Bulk actions"
+      className="slide-in-right"
+      style={{
+        position: "sticky",
+        top: 48,
+        zIndex: 20,
+        background: "#0f172a",
+        color: "#ffffff",
+        borderRadius: 12,
+        padding: "10px 14px",
+        margin: "0 0 16px",
+        display: "flex",
+        alignItems: "center",
+        gap: 10,
+        flexWrap: "wrap",
+        boxShadow: "0 8px 24px rgba(15,23,42,0.18)",
+      }}
+    >
+      <span style={{ fontSize: 13, fontWeight: 500 }}>
+        {count} selected
+      </span>
+      <span aria-hidden="true" style={{ color: "rgba(255,255,255,0.2)" }}>
+        ·
+      </span>
+
+      <Menu
+        open={ownerOpen}
+        onOpenChange={setOwnerOpen}
+        label="Assign owner"
+        icon={<Users size={13} aria-hidden="true" />}
+        disabled={busy}
+      >
+        {owners.map((o) => (
+          <MenuItem key={o.id} onClick={() => void handleOwner(o.id)}>
+            {o.name}
+          </MenuItem>
+        ))}
+      </Menu>
+
+      <Menu
+        open={tierOpen}
+        onOpenChange={setTierOpen}
+        label="Change tier"
+        icon={<Tag size={13} aria-hidden="true" />}
+        disabled={busy}
+      >
+        <MenuItem onClick={() => void handleTier(1)}>Tier 1</MenuItem>
+        <MenuItem onClick={() => void handleTier(2)}>Tier 2</MenuItem>
+        <MenuItem onClick={() => void handleTier(3)}>Tier 3</MenuItem>
+      </Menu>
+
+      <BarButton onClick={onGeneratePackets} disabled={busy}>
+        <FileText size={13} aria-hidden="true" /> Renegotiation packets
+      </BarButton>
+
+      <BarButton onClick={onShareWithAuditor} disabled={busy}>
+        <ShieldCheck size={13} aria-hidden="true" /> Share with auditor
+      </BarButton>
+
+      <button
+        type="button"
+        onClick={onClear}
+        aria-label="Clear selection"
+        style={{
+          marginLeft: "auto",
+          display: "inline-flex",
+          alignItems: "center",
+          gap: 4,
+          background: "transparent",
+          border: "1px solid rgba(255,255,255,0.2)",
+          color: "rgba(255,255,255,0.8)",
+          padding: "6px 10px",
+          borderRadius: 6,
+          fontSize: 12,
+          cursor: "pointer",
+        }}
+      >
+        <X size={12} aria-hidden="true" /> Cancel
+      </button>
+    </div>
+  );
+}
+
+function BarButton({
+  children,
+  onClick,
+  disabled,
+}: {
+  children: React.ReactNode;
+  onClick: () => void;
+  disabled?: boolean;
+}): JSX.Element {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      disabled={disabled}
+      style={{
+        display: "inline-flex",
+        alignItems: "center",
+        gap: 4,
+        padding: "6px 10px",
+        background: "rgba(255,255,255,0.08)",
+        border: "1px solid rgba(255,255,255,0.12)",
+        color: "#ffffff",
+        borderRadius: 6,
+        fontSize: 12,
+        fontWeight: 500,
+        cursor: disabled ? "not-allowed" : "pointer",
+        opacity: disabled ? 0.6 : 1,
+      }}
+    >
+      {children}
+    </button>
+  );
+}
+
+interface MenuProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  label: string;
+  icon: React.ReactNode;
+  disabled?: boolean;
+  children: React.ReactNode;
+}
+
+function Menu({ open, onOpenChange, label, icon, disabled, children }: MenuProps): JSX.Element {
+  return (
+    <div style={{ position: "relative" }}>
+      <button
+        type="button"
+        onClick={() => onOpenChange(!open)}
+        disabled={disabled}
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          gap: 4,
+          padding: "6px 10px",
+          background: open ? "rgba(255,255,255,0.16)" : "rgba(255,255,255,0.08)",
+          border: "1px solid rgba(255,255,255,0.12)",
+          color: "#ffffff",
+          borderRadius: 6,
+          fontSize: 12,
+          fontWeight: 500,
+          cursor: disabled ? "not-allowed" : "pointer",
+          opacity: disabled ? 0.6 : 1,
+        }}
+        aria-haspopup="menu"
+        aria-expanded={open}
+      >
+        {icon} {label} ▾
+      </button>
+      {open && (
+        <div
+          role="menu"
+          style={{
+            position: "absolute",
+            top: "calc(100% + 4px)",
+            left: 0,
+            minWidth: 160,
+            background: "#ffffff",
+            color: "#0f172a",
+            border: "1px solid rgba(15,23,42,0.08)",
+            borderRadius: 8,
+            boxShadow: "0 8px 24px rgba(15,23,42,0.18)",
+            padding: 4,
+            zIndex: 100,
+          }}
+        >
+          {children}
+        </div>
+      )}
+    </div>
+  );
+}
+
+function MenuItem({ children, onClick }: { children: React.ReactNode; onClick: () => void }): JSX.Element {
+  return (
+    <button
+      type="button"
+      role="menuitem"
+      onClick={onClick}
+      style={{
+        display: "block",
+        width: "100%",
+        textAlign: "left",
+        padding: "8px 10px",
+        background: "transparent",
+        border: "none",
+        borderRadius: 6,
+        fontSize: 13,
+        cursor: "pointer",
+        color: "#0f172a",
+      }}
+      onMouseEnter={(e) => ((e.currentTarget as HTMLElement).style.background = "#f8fafc")}
+      onMouseLeave={(e) => ((e.currentTarget as HTMLElement).style.background = "transparent")}
+    >
+      {children}
+    </button>
+  );
+}
diff --git a/apps/web/src/components/portfolio/NewVendorDrawer.tsx b/apps/web/src/components/portfolio/NewVendorDrawer.tsx
new file mode 100644
index 0000000..a3c332e
--- /dev/null
+++ b/apps/web/src/components/portfolio/NewVendorDrawer.tsx
@@ -0,0 +1,571 @@
+import { useEffect, useMemo, useState } from "react";
+import type { DataClass, VendorCreateBody, VendorTier } from "@unsyphn/shared";
+import { Drawer } from "../Drawer.js";
+import { createVendor, type TeamMember } from "../../lib/api.js";
+import { ApiError } from "../../lib/api.js";
+
+export type VendorPosture = "ok" | "watch" | "risk";
+
+export interface NewVendorDrawerInitial {
+  name?: string;
+  homepageUrl?: string;
+  category?: string;
+  tier?: VendorTier;
+  posture?: VendorPosture;
+  ownerId?: string;
+  annualSpendUsd?: number;
+  seatCount?: number;
+  renewalDate?: string;
+  dataClasses?: DataClass[];
+  notes?: string;
+}
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  onCreated: (vendorId: string) => void;
+  members: ReadonlyArray<TeamMember>;
+  categoryOptions: ReadonlyArray<string>;
+  initial?: NewVendorDrawerInitial;
+}
+
+interface FormState {
+  name: string;
+  homepageUrl: string;
+  category: string;
+  tier: VendorTier;
+  posture: VendorPosture;
+  ownerId: string;
+  annualSpendUsd: string;
+  seatCount: string;
+  renewalDate: string;
+  dataClasses: DataClass[];
+  notes: string;
+}
+
+const DEFAULT_CATEGORIES: ReadonlyArray<string> = [
+  "productivity",
+  "payments",
+  "infrastructure",
+  "devtools",
+  "analytics",
+  "communication",
+  "security",
+  "design",
+  "crm",
+  "hr",
+  "database",
+  "observability",
+  "support",
+  "marketing",
+  "automation",
+];
+
+const DATA_CLASSES: ReadonlyArray<{ value: DataClass; label: string }> = [
+  { value: "pii", label: "PII" },
+  { value: "phi", label: "PHI" },
+  { value: "financial", label: "Financial" },
+  { value: "content", label: "Content" },
+];
+
+function emptyForm(initial: NewVendorDrawerInitial | undefined, fallbackOwner: string): FormState {
+  return {
+    name: initial?.name ?? "",
+    homepageUrl: initial?.homepageUrl ?? "",
+    category: initial?.category ?? "productivity",
+    tier: initial?.tier ?? 2,
+    posture: initial?.posture ?? "ok",
+    ownerId: initial?.ownerId ?? fallbackOwner,
+    annualSpendUsd:
+      initial?.annualSpendUsd !== undefined ? String(initial.annualSpendUsd) : "",
+    seatCount: initial?.seatCount !== undefined ? String(initial.seatCount) : "",
+    renewalDate: initial?.renewalDate ?? "",
+    dataClasses: initial?.dataClasses ?? [],
+    notes: initial?.notes ?? "",
+  };
+}
+
+interface FieldErrors {
+  name?: string;
+  homepageUrl?: string;
+  annualSpendUsd?: string;
+  seatCount?: string;
+  renewalDate?: string;
+}
+
+function validate(form: FormState): FieldErrors {
+  const errors: FieldErrors = {};
+  if (form.name.trim().length < 2) {
+    errors.name = "Vendor name must be at least 2 characters.";
+  }
+  const url = form.homepageUrl.trim();
+  if (!/^https?:\/\/.+\..+/i.test(url)) {
+    errors.homepageUrl = "Homepage must be a valid http(s) URL.";
+  }
+  if (form.annualSpendUsd.trim() !== "") {
+    const n = Number(form.annualSpendUsd);
+    if (!Number.isFinite(n) || n < 0) {
+      errors.annualSpendUsd = "Annual spend must be 0 or greater.";
+    }
+  }
+  if (form.seatCount.trim() !== "") {
+    const n = Number(form.seatCount);
+    if (!Number.isFinite(n) || n <= 0 || !Number.isInteger(n)) {
+      errors.seatCount = "Seat count must be a positive whole number.";
+    }
+  }
+  if (form.renewalDate.trim() !== "" && !/^\d{4}-\d{2}-\d{2}$/.test(form.renewalDate)) {
+    errors.renewalDate = "Renewal date must be YYYY-MM-DD.";
+  }
+  // Contract is all-or-nothing per VendorContractSchema. If user fills any
+  // of the three, require all three.
+  const anyContract = !!(form.annualSpendUsd || form.seatCount || form.renewalDate);
+  const fullContract = !!(form.annualSpendUsd && form.seatCount && form.renewalDate);
+  if (anyContract && !fullContract) {
+    if (!form.annualSpendUsd) errors.annualSpendUsd ??= "Required when seat count or renewal is set.";
+    if (!form.seatCount) errors.seatCount ??= "Required when spend or renewal is set.";
+    if (!form.renewalDate) errors.renewalDate ??= "Required when spend or seat count is set.";
+  }
+  return errors;
+}
+
+const LABEL_STYLE: React.CSSProperties = {
+  fontSize: 11,
+  fontWeight: 600,
+  textTransform: "uppercase",
+  letterSpacing: "0.06em",
+  color: "#64748b",
+  display: "block",
+  marginBottom: 6,
+};
+
+const INPUT_STYLE: React.CSSProperties = {
+  width: "100%",
+  padding: "8px 10px",
+  fontSize: 13,
+  border: "1px solid rgba(15,23,42,0.12)",
+  borderRadius: 8,
+  background: "#ffffff",
+  color: "#0f172a",
+  fontFamily: "var(--font-text)",
+};
+
+const ERROR_STYLE: React.CSSProperties = {
+  marginTop: 4,
+  fontSize: 12,
+  color: "#dc2626",
+};
+
+export function NewVendorDrawer({
+  open,
+  onClose,
+  onCreated,
+  members,
+  categoryOptions,
+  initial,
+}: Props): JSX.Element {
+  const fallbackOwner = useMemo(() => {
+    if (members.some((m) => m.id === "usr_priya")) return "usr_priya";
+    return members[0]?.id ?? "usr_priya";
+  }, [members]);
+
+  const [form, setForm] = useState<FormState>(() => emptyForm(initial, fallbackOwner));
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [serverError, setServerError] = useState<string | null>(null);
+  const [missingUrls, setMissingUrls] = useState<string[]>([]);
+
+  useEffect(() => {
+    if (open) {
+      setForm(emptyForm(initial, fallbackOwner));
+      setErrors({});
+      setServerError(null);
+      setMissingUrls([]);
+    }
+  }, [open, initial, fallbackOwner]);
+
+  const categories = useMemo(() => {
+    const set = new Set<string>([...DEFAULT_CATEGORIES, ...categoryOptions]);
+    return [...set].sort();
+  }, [categoryOptions]);
+
+  const updateField = <K extends keyof FormState>(key: K, value: FormState[K]) => {
+    setForm((p) => ({ ...p, [key]: value }));
+  };
+
+  const toggleDataClass = (cls: DataClass) => {
+    setForm((p) => {
+      const has = p.dataClasses.includes(cls);
+      return {
+        ...p,
+        dataClasses: has ? p.dataClasses.filter((c) => c !== cls) : [...p.dataClasses, cls],
+      };
+    });
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    const fieldErrors = validate(form);
+    setErrors(fieldErrors);
+    if (Object.keys(fieldErrors).length > 0) return;
+
+    setSubmitting(true);
+    setServerError(null);
+    setMissingUrls([]);
+
+    const body: VendorCreateBody = {
+      name: form.name.trim(),
+      homepageUrl: form.homepageUrl.trim(),
+      ownerId: form.ownerId,
+      tier: form.tier,
+      dataClasses: form.dataClasses,
+    };
+    if (form.annualSpendUsd && form.seatCount && form.renewalDate) {
+      body.contract = {
+        renewsAt: form.renewalDate,
+        annualSpendUsd: Number(form.annualSpendUsd),
+        seatCount: Number(form.seatCount),
+      };
+    }
+
+    try {
+      const resp = await createVendor(body);
+      onCreated(resp.id);
+    } catch (err) {
+      if (err instanceof ApiError) {
+        setServerError(err.message);
+        if (err.code === "discovery-incomplete" && err.details?.missing) {
+          const missing = err.details.missing;
+          if (Array.isArray(missing)) {
+            setMissingUrls(missing.filter((m): m is string => typeof m === "string"));
+          }
+        }
+      } else if (err instanceof Error) {
+        setServerError(err.message);
+      } else {
+        setServerError("Failed to create vendor. Try again.");
+      }
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  return (
+    <Drawer open={open} onClose={onClose} title="Add new vendor">
+      <form
+        onSubmit={(e) => void handleSubmit(e)}
+        className="fade-up"
+        style={{ display: "flex", flexDirection: "column", gap: 16 }}
+        noValidate
+      >
+        <Field
+          id="nv-name"
+          label="Name"
+          required
+          error={errors.name}
+          input={
+            <input
+              id="nv-name"
+              type="text"
+              className="focus-glow"
+              value={form.name}
+              onChange={(e) => updateField("name", e.target.value)}
+              placeholder="e.g. Linear"
+              required
+              aria-invalid={errors.name ? true : undefined}
+              style={INPUT_STYLE}
+            />
+          }
+        />
+        <Field
+          id="nv-url"
+          label="Homepage URL"
+          required
+          error={errors.homepageUrl}
+          input={
+            <input
+              id="nv-url"
+              type="url"
+              className="focus-glow"
+              value={form.homepageUrl}
+              onChange={(e) => updateField("homepageUrl", e.target.value)}
+              placeholder="https://example.com"
+              required
+              aria-invalid={errors.homepageUrl ? true : undefined}
+              style={INPUT_STYLE}
+            />
+          }
+        />
+
+        <div style={{ display: "grid", gridTemplateColumns: "1fr 1fr", gap: 12 }}>
+          <Field
+            id="nv-category"
+            label="Category"
+            input={
+              <select
+                id="nv-category"
+                className="focus-glow"
+                value={form.category}
+                onChange={(e) => updateField("category", e.target.value)}
+                style={INPUT_STYLE}
+              >
+                {categories.map((c) => (
+                  <option key={c} value={c}>
+                    {c.charAt(0).toUpperCase() + c.slice(1)}
+                  </option>
+                ))}
+              </select>
+            }
+          />
+          <Field
+            id="nv-tier"
+            label="Tier"
+            input={
+              <select
+                id="nv-tier"
+                className="focus-glow"
+                value={form.tier}
+                onChange={(e) => updateField("tier", Number(e.target.value) as VendorTier)}
+                style={INPUT_STYLE}
+              >
+                <option value={1}>Tier 1</option>
+                <option value={2}>Tier 2</option>
+                <option value={3}>Tier 3</option>
+              </select>
+            }
+          />
+        </div>
+
+        <div style={{ display: "grid", gridTemplateColumns: "1fr 1fr", gap: 12 }}>
+          <Field
+            id="nv-posture"
+            label="Posture"
+            input={
+              <select
+                id="nv-posture"
+                className="focus-glow"
+                value={form.posture}
+                onChange={(e) => updateField("posture", e.target.value as VendorPosture)}
+                style={INPUT_STYLE}
+              >
+                <option value="ok">OK</option>
+                <option value="watch">Watch</option>
+                <option value="risk">Risk</option>
+              </select>
+            }
+          />
+          <Field
+            id="nv-owner"
+            label="Owner"
+            input={
+              <select
+                id="nv-owner"
+                className="focus-glow"
+                value={form.ownerId}
+                onChange={(e) => updateField("ownerId", e.target.value)}
+                style={INPUT_STYLE}
+              >
+                {members.length === 0 && <option value="usr_priya">Priya Natarajan</option>}
+                {members.map((m) => (
+                  <option key={m.id} value={m.id}>
+                    {m.name}
+                  </option>
+                ))}
+              </select>
+            }
+          />
+        </div>
+
+        <div style={{ display: "grid", gridTemplateColumns: "1fr 1fr", gap: 12 }}>
+          <Field
+            id="nv-spend"
+            label="Annual spend (USD)"
+            error={errors.annualSpendUsd}
+            input={
+              <input
+                id="nv-spend"
+                type="number"
+                className="focus-glow"
+                min={0}
+                step={1}
+                value={form.annualSpendUsd}
+                onChange={(e) => updateField("annualSpendUsd", e.target.value)}
+                placeholder="12000"
+                aria-invalid={errors.annualSpendUsd ? true : undefined}
+                style={INPUT_STYLE}
+              />
+            }
+          />
+          <Field
+            id="nv-seats"
+            label="Seat count"
+            error={errors.seatCount}
+            input={
+              <input
+                id="nv-seats"
+                type="number"
+                className="focus-glow"
+                min={1}
+                step={1}
+                value={form.seatCount}
+                onChange={(e) => updateField("seatCount", e.target.value)}
+                placeholder="25"
+                aria-invalid={errors.seatCount ? true : undefined}
+                style={INPUT_STYLE}
+              />
+            }
+          />
+        </div>
+
+        <Field
+          id="nv-renewal"
+          label="Renewal date"
+          error={errors.renewalDate}
+          input={
+            <input
+              id="nv-renewal"
+              type="date"
+              className="focus-glow"
+              value={form.renewalDate}
+              onChange={(e) => updateField("renewalDate", e.target.value)}
+              aria-invalid={errors.renewalDate ? true : undefined}
+              style={INPUT_STYLE}
+            />
+          }
+        />
+
+        <div>
+          <span style={LABEL_STYLE}>Data classes</span>
+          <div style={{ display: "flex", gap: 14, flexWrap: "wrap" }}>
+            {DATA_CLASSES.map((dc) => (
+              <label
+                key={dc.value}
+                style={{
+                  display: "inline-flex",
+                  alignItems: "center",
+                  gap: 6,
+                  fontSize: 13,
+                  color: "#0f172a",
+                  cursor: "pointer",
+                }}
+              >
+                <input
+                  type="checkbox"
+                  checked={form.dataClasses.includes(dc.value)}
+                  onChange={() => toggleDataClass(dc.value)}
+                />
+                {dc.label}
+              </label>
+            ))}
+          </div>
+        </div>
+
+        <Field
+          id="nv-notes"
+          label="Notes"
+          input={
+            <textarea
+              id="nv-notes"
+              className="focus-glow"
+              value={form.notes}
+              onChange={(e) => updateField("notes", e.target.value)}
+              placeholder="Context for the review team."
+              rows={3}
+              style={{ ...INPUT_STYLE, resize: "vertical" }}
+            />
+          }
+        />
+
+        <div
+          role="status"
+          aria-live="polite"
+          style={{ display: serverError ? "block" : "none" }}
+        >
+          {serverError && (
+            <div
+              style={{
+                fontSize: 13,
+                color: "#dc2626",
+                background: "rgba(220,38,38,0.08)",
+                padding: "8px 10px",
+                borderRadius: 8,
+              }}
+            >
+              {serverError}
+              {missingUrls.length > 0 && (
+                <div style={{ marginTop: 4, fontSize: 12, color: "#7f1d1d" }}>
+                  Missing pages: {missingUrls.join(", ")}. Try a homepage that hosts these.
+                </div>
+              )}
+            </div>
+          )}
+        </div>
+
+        <div style={{ display: "flex", gap: 8, justifyContent: "flex-end" }}>
+          <button
+            type="button"
+            className="button-pop"
+            onClick={onClose}
+            style={{
+              padding: "8px 14px",
+              fontSize: 13,
+              border: "1px solid rgba(15,23,42,0.12)",
+              borderRadius: 8,
+              background: "#ffffff",
+              color: "#475569",
+              cursor: "pointer",
+            }}
+          >
+            Cancel
+          </button>
+          <button
+            type="submit"
+            className="button-pop"
+            disabled={submitting}
+            style={{
+              padding: "8px 14px",
+              fontSize: 13,
+              fontWeight: 600,
+              border: "1px solid #5E6AD2",
+              borderRadius: 8,
+              background: submitting ? "#9298d6" : "#5E6AD2",
+              color: "#ffffff",
+              cursor: submitting ? "wait" : "pointer",
+            }}
+          >
+            {submitting ? "Adding..." : "Add vendor"}
+          </button>
+        </div>
+      </form>
+    </Drawer>
+  );
+}
+
+interface FieldProps {
+  id: string;
+  label: string;
+  input: React.ReactNode;
+  error?: string;
+  required?: boolean;
+}
+
+function Field({ id, label, input, error, required }: FieldProps): JSX.Element {
+  return (
+    <div>
+      <label htmlFor={id} style={LABEL_STYLE}>
+        {label}
+        {required && (
+          <span aria-hidden="true" style={{ color: "#dc2626", marginLeft: 4 }}>
+            *
+          </span>
+        )}
+      </label>
+      {input}
+      {error && (
+        <p role="alert" style={ERROR_STYLE}>
+          {error}
+        </p>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/portfolio/PortfolioFilters.tsx b/apps/web/src/components/portfolio/PortfolioFilters.tsx
new file mode 100644
index 0000000..d9023ec
--- /dev/null
+++ b/apps/web/src/components/portfolio/PortfolioFilters.tsx
@@ -0,0 +1,306 @@
+import { Search, X } from "lucide-react";
+import type { TeamMember } from "../../lib/api.js";
+import type { PortfolioFilterState, PostureFilter, SortKey } from "./types.js";
+import { isFiltersActive } from "./types.js";
+
+interface Props {
+  state: PortfolioFilterState;
+  onChange: (next: PortfolioFilterState) => void;
+  categoryOptions: ReadonlyArray<string>;
+  ownerOptions: ReadonlyArray<TeamMember>;
+}
+
+const SORT_OPTIONS: ReadonlyArray<{ value: SortKey; label: string }> = [
+  { value: "default", label: "Default" },
+  { value: "spend-desc", label: "Spend (high → low)" },
+  { value: "renew-soon", label: "Renewing soonest" },
+  { value: "tier", label: "Tier" },
+  { value: "posture", label: "Posture" },
+  { value: "name", label: "Name" },
+];
+
+const TIERS: ReadonlyArray<1 | 2 | 3> = [1, 2, 3];
+const POSTURES: ReadonlyArray<PostureFilter> = ["ok", "watch", "risk"];
+
+function toggleInArray<T>(arr: ReadonlyArray<T>, v: T): T[] {
+  return arr.includes(v) ? arr.filter((x) => x !== v) : [...arr, v];
+}
+
+export function PortfolioFilters({
+  state,
+  onChange,
+  categoryOptions,
+  ownerOptions,
+}: Props): JSX.Element {
+  const active = isFiltersActive(state);
+
+  return (
+    <div
+      className="glass-soft fade-up"
+      style={{
+        display: "flex",
+        flexWrap: "wrap",
+        gap: 8,
+        alignItems: "center",
+        padding: "12px",
+        borderRadius: 10,
+        margin: "12px 0",
+      }}
+      role="region"
+      aria-label="Vendor filters"
+    >
+      {/* Search */}
+      <div
+        style={{
+          position: "relative",
+          flex: "1 1 240px",
+          maxWidth: 320,
+          minWidth: 200,
+        }}
+      >
+        <Search
+          size={14}
+          aria-hidden="true"
+          style={{
+            position: "absolute",
+            left: 10,
+            top: "50%",
+            transform: "translateY(-50%)",
+            color: "#94a3b8",
+            pointerEvents: "none",
+          }}
+        />
+        <input
+          type="search"
+          className="glass-soft focus-glow"
+          value={state.q}
+          onChange={(e) => onChange({ ...state, q: e.target.value })}
+          placeholder="Search vendors..."
+          aria-label="Search vendors"
+          style={{
+            width: "100%",
+            padding: "8px 12px 8px 30px",
+            fontSize: 13,
+            border: "1px solid rgba(15,23,42,0.12)",
+            borderRadius: 8,
+            color: "#0f172a",
+            outline: "none",
+          }}
+        />
+      </div>
+
+      <ChipGroup label="Tier">
+        {TIERS.map((t) => (
+          <Chip
+            key={t}
+            active={state.tiers.includes(t)}
+            onClick={() => onChange({ ...state, tiers: toggleInArray(state.tiers, t) })}
+            label={`T${t}`}
+          />
+        ))}
+      </ChipGroup>
+
+      <ChipGroup label="Posture">
+        {POSTURES.map((p) => (
+          <Chip
+            key={p}
+            active={state.postures.includes(p)}
+            onClick={() => onChange({ ...state, postures: toggleInArray(state.postures, p) })}
+            label={p === "ok" ? "OK" : p === "watch" ? "Watch" : "Risk"}
+          />
+        ))}
+      </ChipGroup>
+
+      <SelectMulti
+        label="Category"
+        options={categoryOptions.map((c) => ({ value: c, label: c }))}
+        selected={state.categories}
+        onChange={(next) => onChange({ ...state, categories: next })}
+      />
+
+      <select
+        className="focus-glow"
+        value={state.owner}
+        onChange={(e) => onChange({ ...state, owner: e.target.value })}
+        aria-label="Filter by owner"
+        style={baseSelectStyle}
+      >
+        <option value="">All owners</option>
+        {ownerOptions.map((o) => (
+          <option key={o.id} value={o.id}>
+            {o.name}
+          </option>
+        ))}
+      </select>
+
+      <select
+        className="focus-glow"
+        value={state.sort}
+        onChange={(e) => onChange({ ...state, sort: e.target.value as SortKey })}
+        aria-label="Sort"
+        style={baseSelectStyle}
+      >
+        {SORT_OPTIONS.map((o) => (
+          <option key={o.value} value={o.value}>
+            Sort: {o.label}
+          </option>
+        ))}
+      </select>
+
+      {active && (
+        <button
+          type="button"
+          onClick={() => onChange({ ...state, q: "", tiers: [], postures: [], categories: [], owner: "", sort: "default" })}
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            gap: 4,
+            padding: "6px 10px",
+            background: "transparent",
+            border: "1px solid rgba(15,23,42,0.12)",
+            borderRadius: 8,
+            color: "#475569",
+            fontSize: 12,
+            cursor: "pointer",
+          }}
+        >
+          <X size={12} aria-hidden="true" /> Reset
+        </button>
+      )}
+    </div>
+  );
+}
+
+const baseSelectStyle: React.CSSProperties = {
+  padding: "8px 10px",
+  fontSize: 13,
+  border: "1px solid rgba(15,23,42,0.12)",
+  borderRadius: 8,
+  background: "#ffffff",
+  color: "#0f172a",
+  cursor: "pointer",
+  textTransform: "capitalize",
+};
+
+function ChipGroup({ label, children }: { label: string; children: React.ReactNode }): JSX.Element {
+  return (
+    <div
+      role="group"
+      aria-label={label}
+      style={{ display: "inline-flex", alignItems: "center", gap: 4, padding: "2px 6px 2px 0" }}
+    >
+      <span style={{ fontSize: 11, color: "#94a3b8", textTransform: "uppercase", letterSpacing: "0.05em", marginRight: 4 }}>
+        {label}
+      </span>
+      {children}
+    </div>
+  );
+}
+
+function Chip({ active, onClick, label }: { active: boolean; onClick: () => void; label: string }): JSX.Element {
+  return (
+    <button
+      type="button"
+      className="button-pop"
+      onClick={onClick}
+      aria-pressed={active}
+      style={{
+        padding: "4px 10px",
+        fontSize: 12,
+        fontWeight: 500,
+        borderRadius: 9999,
+        border: active ? "1px solid #5E6AD2" : "1px solid rgba(15,23,42,0.12)",
+        background: active ? "#5E6AD2" : "#ffffff",
+        color: active ? "#ffffff" : "#475569",
+        cursor: "pointer",
+      }}
+    >
+      {label}
+    </button>
+  );
+}
+
+interface SelectMultiProps {
+  label: string;
+  options: ReadonlyArray<{ value: string; label: string }>;
+  selected: ReadonlyArray<string>;
+  onChange: (next: string[]) => void;
+}
+
+function SelectMulti({ label, options, selected, onChange }: SelectMultiProps): JSX.Element {
+  // Single-row pseudo-multi: <select> with shift/cmd selection is awkward;
+  // expose as a button list that toggles. Keep it compact with a value summary.
+  const summary =
+    selected.length === 0
+      ? label
+      : selected.length === 1
+        ? `${label}: ${selected[0]}`
+        : `${label}: ${selected.length}`;
+
+  return (
+    <details
+      style={{
+        position: "relative",
+        display: "inline-block",
+      }}
+    >
+      <summary
+        style={{
+          ...baseSelectStyle,
+          listStyle: "none",
+          display: "inline-flex",
+          alignItems: "center",
+          gap: 4,
+        }}
+      >
+        {summary}
+        <span aria-hidden="true">▾</span>
+      </summary>
+      <div
+        style={{
+          position: "absolute",
+          top: "calc(100% + 4px)",
+          left: 0,
+          minWidth: 180,
+          maxHeight: 280,
+          overflowY: "auto",
+          background: "#ffffff",
+          border: "1px solid rgba(15,23,42,0.08)",
+          borderRadius: 8,
+          boxShadow: "0 8px 24px rgba(15,23,42,0.10)",
+          zIndex: 50,
+          padding: 6,
+        }}
+      >
+        {options.map((o) => {
+          const checked = selected.includes(o.value);
+          return (
+            <label
+              key={o.value}
+              style={{
+                display: "flex",
+                alignItems: "center",
+                gap: 8,
+                padding: "6px 8px",
+                fontSize: 13,
+                color: "#0f172a",
+                cursor: "pointer",
+                borderRadius: 6,
+                textTransform: "capitalize",
+              }}
+              onMouseEnter={(e) => ((e.currentTarget as HTMLElement).style.background = "#f8fafc")}
+              onMouseLeave={(e) => ((e.currentTarget as HTMLElement).style.background = "transparent")}
+            >
+              <input
+                type="checkbox"
+                checked={checked}
+                onChange={() => onChange(toggleInArray(selected, o.value))}
+              />
+              {o.label}
+            </label>
+          );
+        })}
+      </div>
+    </details>
+  );
+}
diff --git a/apps/web/src/components/portfolio/PortfolioStats.tsx b/apps/web/src/components/portfolio/PortfolioStats.tsx
new file mode 100644
index 0000000..faaeebb
--- /dev/null
+++ b/apps/web/src/components/portfolio/PortfolioStats.tsx
@@ -0,0 +1,105 @@
+import type { Vendor } from "@unsyphn/shared";
+import { CountUp } from "../CountUp.js";
+import { fmtUsd } from "./types.js";
+
+interface Props {
+  vendors: ReadonlyArray<Vendor>;
+}
+
+function vendorsRenewingIn(vendors: ReadonlyArray<Vendor>, days: number): number {
+  const cutoff = Date.now() + days * 86_400_000;
+  let count = 0;
+  for (const v of vendors) {
+    if (!v.contract?.renewsAt) continue;
+    const t = Date.parse(v.contract.renewsAt);
+    if (Number.isFinite(t) && t >= Date.now() && t <= cutoff) count++;
+  }
+  return count;
+}
+
+interface StatSpec {
+  value: number;
+  format: (n: number) => string;
+  label: string;
+  tone?: "danger" | "warning";
+}
+
+export function PortfolioStats({ vendors }: Props): JSX.Element {
+  const total = vendors.length;
+  const runRate = vendors.reduce((s, v) => s + (v.contract?.annualSpendUsd ?? 0), 0);
+  const renewingSoon = vendorsRenewingIn(vendors, 90);
+  const highRisk = vendors.filter((v) => v.posture === "risk").length;
+
+  const intFmt = (n: number): string => Math.round(n).toString();
+
+  const stats: ReadonlyArray<StatSpec> = [
+    { value: total, format: intFmt, label: "Vendors" },
+    { value: runRate, format: (n) => fmtUsd(Math.round(n)), label: "Annual run-rate" },
+    {
+      value: renewingSoon,
+      format: intFmt,
+      label: "Renewing in 90 days",
+      tone: renewingSoon > 0 ? "warning" : undefined,
+    },
+    {
+      value: highRisk,
+      format: intFmt,
+      label: "High-risk",
+      tone: highRisk > 0 ? "danger" : undefined,
+    },
+  ];
+
+  return (
+    <div
+      role="region"
+      aria-label="Portfolio summary"
+      className="stagger-children"
+      style={{
+        display: "grid",
+        gridTemplateColumns: "repeat(auto-fit, minmax(180px, 1fr))",
+        gap: 16,
+      }}
+    >
+      {stats.map((s) => (
+        <div
+          key={s.label}
+          className="glass-strong lift-on-hover"
+          style={{
+            borderRadius: 12,
+            padding: "16px 18px",
+          }}
+        >
+          <div
+            style={{
+              fontFamily: "var(--font-display)",
+              fontSize: 28,
+              fontWeight: 300,
+              color:
+                s.tone === "danger"
+                  ? "#dc2626"
+                  : s.tone === "warning"
+                    ? "#d97706"
+                    : "#0f172a",
+              lineHeight: 1.1,
+              fontVariantNumeric: "tabular-nums",
+            }}
+          >
+            <CountUp value={s.value} format={s.format} />
+          </div>
+          <div
+            style={{
+              fontSize: 11,
+              letterSpacing: "0.06em",
+              textTransform: "uppercase",
+              color: "#64748b",
+              fontWeight: 600,
+              marginTop: 6,
+            }}
+          >
+            {s.label}
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/portfolio/PortfolioVendorCard.tsx b/apps/web/src/components/portfolio/PortfolioVendorCard.tsx
new file mode 100644
index 0000000..02ea54f
--- /dev/null
+++ b/apps/web/src/components/portfolio/PortfolioVendorCard.tsx
@@ -0,0 +1,291 @@
+import type { Vendor } from "@unsyphn/shared";
+import { VendorBrandLogo } from "./VendorBrandLogo.js";
+import { daysUntil, fmtUsd, postureColor, postureBg } from "./types.js";
+import type { TeamMember } from "../../lib/api.js";
+
+interface Props {
+  vendor: Vendor;
+  owner: TeamMember | undefined;
+  selected: boolean;
+  onToggleSelect: (id: string) => void;
+}
+
+function tierLabel(t: 1 | 2 | 3 | undefined): string {
+  return t ? `T${t}` : "—";
+}
+
+function renewSummary(iso: string | undefined): string {
+  const days = daysUntil(iso);
+  if (days === null) return "Renews —";
+  if (days < 0) return `Renewed ${Math.abs(days)}d ago`;
+  if (days === 0) return "Renews today";
+  if (days < 60) return `Renews in ${days}d`;
+  if (days < 365) return `Renews in ${Math.round(days / 30)}mo`;
+  return `Renews in ${Math.round(days / 30)}mo`;
+}
+
+const OWNER_PALETTE = [
+  "#5E6AD2", "#0ea5e9", "#10b981", "#f59e0b", "#ec4899", "#8b5cf6",
+];
+
+function ownerColor(id: string | undefined): string {
+  if (!id) return "#64748b";
+  let h = 0;
+  for (let i = 0; i < id.length; i++) h = (h * 31 + id.charCodeAt(i)) >>> 0;
+  return OWNER_PALETTE[h % OWNER_PALETTE.length] ?? "#5E6AD2";
+}
+
+export function PortfolioVendorCard({
+  vendor,
+  owner,
+  selected,
+  onToggleSelect,
+}: Props): JSX.Element {
+  const handleOpen = () => {
+    window.location.assign(`/app/vendors/${vendor.id}`);
+  };
+  const handleKey = (e: React.KeyboardEvent) => {
+    if (e.key === "Enter" || e.key === " ") {
+      if (e.target instanceof HTMLInputElement) return;
+      e.preventDefault();
+      handleOpen();
+    }
+  };
+
+  const onCheckboxClick = (e: React.MouseEvent | React.KeyboardEvent) => {
+    e.stopPropagation();
+  };
+
+  const initial = owner?.avatarLetter ?? owner?.name?.[0] ?? "?";
+  const oc = ownerColor(vendor.ownerId);
+
+  return (
+    <article
+      role="button"
+      tabIndex={0}
+      aria-label={`${vendor.name} — open detail`}
+      aria-pressed={selected}
+      onClick={handleOpen}
+      onKeyDown={handleKey}
+      style={{
+        position: "relative",
+        ...(selected
+          ? {
+              border: "1px solid #5E6AD2",
+              boxShadow:
+                "0 0 0 3px rgba(94,106,210,0.15), 0 6px 20px rgba(15,23,42,0.06)",
+            }
+          : {}),
+        borderRadius: 16,
+        padding: 20,
+        cursor: "pointer",
+        display: "flex",
+        flexDirection: "column",
+        gap: 12,
+      }}
+      className={`portfolio-card glass-strong lift-on-hover${selected ? " is-selected" : ""}`}
+    >
+      {/* Checkbox top-right, visible on hover (CSS handles), always visible when selected */}
+      <label
+        className="portfolio-card-check"
+        onClick={onCheckboxClick}
+        onKeyDown={onCheckboxClick}
+        style={{
+          position: "absolute",
+          top: 12,
+          right: 12,
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+          width: 22,
+          height: 22,
+          borderRadius: 6,
+          background: selected ? "#5E6AD2" : "#ffffff",
+          border: selected
+            ? "1px solid #5E6AD2"
+            : "1px solid rgba(15,23,42,0.18)",
+          cursor: "pointer",
+          opacity: selected ? 1 : 0,
+          transition: "opacity 120ms ease",
+        }}
+        aria-label={`Select ${vendor.name}`}
+      >
+        <input
+          type="checkbox"
+          checked={selected}
+          onChange={() => onToggleSelect(vendor.id)}
+          onClick={onCheckboxClick}
+          style={{
+            position: "absolute",
+            opacity: 0,
+            width: "100%",
+            height: "100%",
+            margin: 0,
+            cursor: "pointer",
+          }}
+        />
+        {selected && (
+          <svg width="12" height="12" viewBox="0 0 12 12" aria-hidden="true">
+            <path
+              d="M2.5 6.3l2.4 2.4 4.6-5"
+              stroke="#fff"
+              strokeWidth="1.8"
+              fill="none"
+              strokeLinecap="round"
+              strokeLinejoin="round"
+            />
+          </svg>
+        )}
+      </label>
+
+      <div style={{ display: "flex", alignItems: "center", gap: 12 }}>
+        <VendorBrandLogo vendorId={vendor.id} name={vendor.name} size={32} />
+        <div style={{ minWidth: 0, flex: 1 }}>
+          <h3
+            style={{
+              margin: 0,
+              fontFamily: "var(--font-display)",
+              fontSize: 15,
+              fontWeight: 600,
+              color: "#0f172a",
+              overflow: "hidden",
+              textOverflow: "ellipsis",
+              whiteSpace: "nowrap",
+            }}
+          >
+            {vendor.name}
+          </h3>
+          <div style={{ fontSize: 12, color: "#64748b", marginTop: 2 }}>
+            {vendor.category ?? "—"}
+          </div>
+        </div>
+      </div>
+
+      <div style={{ display: "flex", gap: 6, flexWrap: "wrap" }}>
+        <span
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            gap: 4,
+            padding: "2px 8px",
+            background: postureBg(vendor.posture),
+            color: postureColor(vendor.posture),
+            borderRadius: 6,
+            fontSize: 11,
+            fontWeight: 600,
+            textTransform: "uppercase",
+            letterSpacing: "0.04em",
+          }}
+        >
+          <span
+            aria-hidden="true"
+            style={{
+              width: 6,
+              height: 6,
+              borderRadius: "50%",
+              background: postureColor(vendor.posture),
+            }}
+          />
+          {vendor.posture ?? "—"}
+        </span>
+        <span
+          style={{
+            padding: "2px 8px",
+            background: "rgba(15,23,42,0.05)",
+            color: "#475569",
+            borderRadius: 6,
+            fontSize: 11,
+            fontWeight: 600,
+            fontFamily: "var(--font-mono)",
+          }}
+        >
+          {tierLabel(vendor.tier)}
+        </span>
+      </div>
+
+      <div
+        style={{
+          display: "grid",
+          gridTemplateColumns: "1fr 1fr 1fr",
+          gap: 8,
+          paddingTop: 8,
+          borderTop: "1px solid rgba(15,23,42,0.06)",
+        }}
+      >
+        <Stat
+          label="Spend"
+          value={
+            vendor.contract?.annualSpendUsd
+              ? fmtUsd(vendor.contract.annualSpendUsd)
+              : "—"
+          }
+        />
+        <Stat
+          label="Seats"
+          value={vendor.contract?.seatCount?.toLocaleString() ?? "—"}
+        />
+        <Stat label="Renews" value={renewSummary(vendor.contract?.renewsAt)} />
+      </div>
+
+      <div
+        style={{
+          display: "flex",
+          alignItems: "center",
+          justifyContent: "flex-end",
+          gap: 6,
+        }}
+      >
+        <span
+          aria-hidden="true"
+          title={owner?.name ?? vendor.ownerId}
+          style={{
+            width: 24,
+            height: 24,
+            borderRadius: "50%",
+            background: oc,
+            color: "#fff",
+            display: "inline-flex",
+            alignItems: "center",
+            justifyContent: "center",
+            fontSize: 11,
+            fontWeight: 600,
+          }}
+        >
+          {initial}
+        </span>
+      </div>
+    </article>
+  );
+}
+
+function Stat({ label, value }: { label: string; value: string }): JSX.Element {
+  return (
+    <div style={{ minWidth: 0 }}>
+      <div
+        style={{
+          fontSize: 10,
+          letterSpacing: "0.06em",
+          textTransform: "uppercase",
+          color: "#94a3b8",
+          fontWeight: 600,
+        }}
+      >
+        {label}
+      </div>
+      <div
+        style={{
+          fontSize: 13,
+          color: "#0f172a",
+          fontFamily: "var(--font-mono)",
+          fontWeight: 500,
+          marginTop: 2,
+          overflow: "hidden",
+          textOverflow: "ellipsis",
+          whiteSpace: "nowrap",
+        }}
+      >
+        {value}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/portfolio/RenegotiationResultsDrawer.tsx b/apps/web/src/components/portfolio/RenegotiationResultsDrawer.tsx
new file mode 100644
index 0000000..2121827
--- /dev/null
+++ b/apps/web/src/components/portfolio/RenegotiationResultsDrawer.tsx
@@ -0,0 +1,177 @@
+import { Drawer } from "../Drawer.js";
+import type { RenegotiationPacket } from "../../lib/api.js";
+import { fmtUsd } from "./types.js";
+import { CheckCircle2, AlertTriangle, Loader2, ExternalLink } from "lucide-react";
+
+export type PacketResult =
+  | { status: "pending"; vendorId: string; vendorName: string }
+  | { status: "ok"; vendorId: string; packet: RenegotiationPacket }
+  | { status: "error"; vendorId: string; vendorName: string; error: string };
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  results: ReadonlyArray<PacketResult>;
+}
+
+export function RenegotiationResultsDrawer({ open, onClose, results }: Props): JSX.Element {
+  const totalRecoverable = results.reduce(
+    (sum, r) => (r.status === "ok" ? sum + r.packet.recoverableUsd : sum),
+    0,
+  );
+  const completed = results.filter((r) => r.status !== "pending").length;
+  const successes = results.filter((r) => r.status === "ok").length;
+  const errors = results.filter((r) => r.status === "error").length;
+  const total = results.length;
+
+  return (
+    <Drawer open={open} onClose={onClose} title="Renegotiation packets">
+      <div style={{ display: "flex", flexDirection: "column", gap: 12 }}>
+        <div
+          style={{
+            display: "grid",
+            gridTemplateColumns: "1fr 1fr 1fr",
+            gap: 8,
+            padding: 12,
+            background: "#f8fafc",
+            borderRadius: 8,
+            border: "1px solid rgba(15,23,42,0.06)",
+          }}
+        >
+          <Stat label="Progress" value={`${completed}/${total}`} />
+          <Stat label="Errors" value={String(errors)} valueColor={errors > 0 ? "#dc2626" : undefined} />
+          <Stat label="Recoverable" value={fmtUsd(totalRecoverable)} />
+        </div>
+
+        <div
+          style={{
+            display: "flex",
+            flexDirection: "column",
+            gap: 6,
+          }}
+        >
+          {results.map((r) => (
+            <div
+              key={r.vendorId}
+              style={{
+                display: "flex",
+                alignItems: "center",
+                gap: 10,
+                padding: "10px 12px",
+                background: "#ffffff",
+                border: "1px solid rgba(15,23,42,0.08)",
+                borderRadius: 8,
+              }}
+            >
+              <StatusIcon status={r.status} />
+              <div style={{ flex: 1, minWidth: 0 }}>
+                <div style={{ fontSize: 13, fontWeight: 500, color: "#0f172a" }}>
+                  {r.status === "ok" ? r.packet.vendorName : r.vendorName}
+                </div>
+                <div style={{ fontSize: 12, color: "#64748b", marginTop: 2 }}>
+                  {r.status === "pending" && "Generating packet..."}
+                  {r.status === "ok" &&
+                    `${fmtUsd(r.packet.recoverableUsd)} recoverable · ${r.packet.usagePct}% utilization`}
+                  {r.status === "error" && r.error}
+                </div>
+              </div>
+              {r.status === "ok" && (
+                <a
+                  href={`/app/vendors/${r.vendorId}`}
+                  style={{
+                    fontSize: 12,
+                    color: "#5E6AD2",
+                    textDecoration: "none",
+                    display: "inline-flex",
+                    alignItems: "center",
+                    gap: 4,
+                  }}
+                >
+                  Open <ExternalLink size={11} aria-hidden="true" />
+                </a>
+              )}
+            </div>
+          ))}
+        </div>
+
+        {completed === total && (
+          <p style={{ fontSize: 12, color: "#64748b", margin: 0 }}>
+            {successes} packet{successes !== 1 ? "s" : ""} ready. Open a vendor to review the drafts and citations.
+          </p>
+        )}
+      </div>
+    </Drawer>
+  );
+}
+
+function StatusIcon({ status }: { status: PacketResult["status"] }): JSX.Element {
+  if (status === "pending") {
+    return (
+      <span
+        style={{
+          display: "inline-flex",
+          width: 22,
+          height: 22,
+          alignItems: "center",
+          justifyContent: "center",
+          color: "#64748b",
+        }}
+      >
+        <Loader2 size={14} aria-hidden="true" className="spin" />
+      </span>
+    );
+  }
+  if (status === "ok") {
+    return (
+      <CheckCircle2
+        size={18}
+        aria-hidden="true"
+        style={{ color: "#10b981", flexShrink: 0 }}
+      />
+    );
+  }
+  return (
+    <AlertTriangle
+      size={18}
+      aria-hidden="true"
+      style={{ color: "#dc2626", flexShrink: 0 }}
+    />
+  );
+}
+
+function Stat({
+  label,
+  value,
+  valueColor,
+}: {
+  label: string;
+  value: string;
+  valueColor?: string;
+}): JSX.Element {
+  return (
+    <div>
+      <div
+        style={{
+          fontSize: 10,
+          letterSpacing: "0.06em",
+          textTransform: "uppercase",
+          color: "#94a3b8",
+          fontWeight: 600,
+        }}
+      >
+        {label}
+      </div>
+      <div
+        style={{
+          fontSize: 16,
+          fontFamily: "var(--font-mono)",
+          fontWeight: 600,
+          color: valueColor ?? "#0f172a",
+          marginTop: 2,
+        }}
+      >
+        {value}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/portfolio/ShareAuditorDrawer.tsx b/apps/web/src/components/portfolio/ShareAuditorDrawer.tsx
new file mode 100644
index 0000000..e293e0b
--- /dev/null
+++ b/apps/web/src/components/portfolio/ShareAuditorDrawer.tsx
@@ -0,0 +1,407 @@
+import { useEffect, useMemo, useState } from "react";
+import type { Vendor } from "@unsyphn/shared";
+import { Drawer } from "../Drawer.js";
+import { createAuditorSession } from "../../lib/api.js";
+import { ExternalLink, Copy, Check } from "lucide-react";
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  vendors: ReadonlyArray<Vendor>;
+  initiallySelected: ReadonlyArray<string>;
+}
+
+const EXPIRY_OPTIONS = [7, 14, 30, 60] as const;
+
+export function ShareAuditorDrawer({
+  open,
+  onClose,
+  vendors,
+  initiallySelected,
+}: Props): JSX.Element {
+  const [picked, setPicked] = useState<Set<string>>(new Set(initiallySelected));
+  const [expiry, setExpiry] = useState<7 | 14 | 30 | 60>(14);
+  const [note, setNote] = useState("");
+  const [busy, setBusy] = useState(false);
+  const [result, setResult] = useState<{ shareUrl: string; expiresAt: string } | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [copied, setCopied] = useState(false);
+
+  useEffect(() => {
+    if (open) {
+      setPicked(new Set(initiallySelected.length > 0 ? initiallySelected : vendors.map((v) => v.id)));
+      setExpiry(14);
+      setNote("");
+      setResult(null);
+      setError(null);
+      setCopied(false);
+    }
+  }, [open, initiallySelected, vendors]);
+
+  const allChecked = picked.size === vendors.length && vendors.length > 0;
+  const someChecked = picked.size > 0 && !allChecked;
+
+  const sortedVendors = useMemo(
+    () => [...vendors].sort((a, b) => a.name.localeCompare(b.name)),
+    [vendors],
+  );
+
+  const toggleAll = () => {
+    if (allChecked) setPicked(new Set());
+    else setPicked(new Set(vendors.map((v) => v.id)));
+  };
+
+  const toggle = (id: string) => {
+    setPicked((prev) => {
+      const next = new Set(prev);
+      if (next.has(id)) next.delete(id);
+      else next.add(id);
+      return next;
+    });
+  };
+
+  const handleGenerate = async () => {
+    if (picked.size === 0) {
+      setError("Pick at least one vendor.");
+      return;
+    }
+    setBusy(true);
+    setError(null);
+    try {
+      const resp = await createAuditorSession({
+        vendorIds: [...picked],
+        expiresInDays: expiry,
+      });
+      setResult({ shareUrl: resp.shareUrl, expiresAt: resp.expiresAt });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to create auditor link");
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  const handleCopy = async () => {
+    if (!result) return;
+    try {
+      await navigator.clipboard.writeText(result.shareUrl);
+      setCopied(true);
+      window.setTimeout(() => setCopied(false), 1600);
+    } catch {
+      setError("Could not copy. Select and copy manually.");
+    }
+  };
+
+  return (
+    <Drawer open={open} onClose={onClose} title="Generate auditor share link">
+      {!result ? (
+        <div className="fade-up" style={{ display: "flex", flexDirection: "column", gap: 18 }}>
+          <div>
+            <Label>Vendors</Label>
+            <div
+              style={{
+                marginTop: 8,
+                border: "1px solid rgba(15,23,42,0.08)",
+                borderRadius: 8,
+                overflow: "hidden",
+                maxHeight: 240,
+                overflowY: "auto",
+              }}
+            >
+              <label
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: 8,
+                  padding: "8px 10px",
+                  background: "#f8fafc",
+                  borderBottom: "1px solid rgba(15,23,42,0.08)",
+                  fontSize: 12,
+                  fontWeight: 600,
+                  color: "#475569",
+                  cursor: "pointer",
+                }}
+              >
+                <input
+                  type="checkbox"
+                  checked={allChecked}
+                  ref={(el) => {
+                    if (el) el.indeterminate = someChecked;
+                  }}
+                  onChange={toggleAll}
+                />
+                Select all ({picked.size}/{vendors.length})
+              </label>
+              {sortedVendors.map((v) => (
+                <label
+                  key={v.id}
+                  style={{
+                    display: "flex",
+                    alignItems: "center",
+                    gap: 8,
+                    padding: "6px 10px",
+                    fontSize: 13,
+                    color: "#0f172a",
+                    cursor: "pointer",
+                  }}
+                >
+                  <input
+                    type="checkbox"
+                    checked={picked.has(v.id)}
+                    onChange={() => toggle(v.id)}
+                  />
+                  <span style={{ flex: 1 }}>{v.name}</span>
+                  <span style={{ color: "#94a3b8", fontSize: 11, textTransform: "capitalize" }}>
+                    {v.category ?? "—"}
+                  </span>
+                </label>
+              ))}
+            </div>
+          </div>
+
+          <div>
+            <Label>Expires in</Label>
+            <div style={{ display: "flex", gap: 6, marginTop: 6 }}>
+              {EXPIRY_OPTIONS.map((d) => (
+                <button
+                  key={d}
+                  type="button"
+                  className="button-pop"
+                  onClick={() => setExpiry(d)}
+                  style={{
+                    flex: 1,
+                    padding: "8px 0",
+                    borderRadius: 8,
+                    border: expiry === d ? "1px solid #5E6AD2" : "1px solid rgba(15,23,42,0.12)",
+                    background: expiry === d ? "#5E6AD2" : "#ffffff",
+                    color: expiry === d ? "#ffffff" : "#0f172a",
+                    fontSize: 13,
+                    fontWeight: 500,
+                    cursor: "pointer",
+                  }}
+                >
+                  {d} days
+                </button>
+              ))}
+            </div>
+          </div>
+
+          <div>
+            <Label htmlFor="auditor-note">Note (optional)</Label>
+            <textarea
+              id="auditor-note"
+              className="focus-glow"
+              value={note}
+              onChange={(e) => setNote(e.target.value)}
+              placeholder="Context the auditor will see in the share link."
+              rows={3}
+              style={{
+                width: "100%",
+                marginTop: 6,
+                padding: 10,
+                fontSize: 13,
+                border: "1px solid rgba(15,23,42,0.12)",
+                borderRadius: 8,
+                background: "#ffffff",
+                color: "#0f172a",
+                resize: "vertical",
+                fontFamily: "var(--font-text)",
+              }}
+            />
+          </div>
+
+          {error && (
+            <div
+              role="alert"
+              style={{
+                fontSize: 13,
+                color: "#dc2626",
+                background: "rgba(220,38,38,0.08)",
+                padding: "8px 10px",
+                borderRadius: 8,
+              }}
+            >
+              {error}
+            </div>
+          )}
+
+          <div style={{ display: "flex", gap: 8, justifyContent: "flex-end" }}>
+            <button
+              type="button"
+              className="button-pop"
+              onClick={onClose}
+              style={{
+                padding: "8px 14px",
+                fontSize: 13,
+                border: "1px solid rgba(15,23,42,0.12)",
+                borderRadius: 8,
+                background: "#ffffff",
+                color: "#475569",
+                cursor: "pointer",
+              }}
+            >
+              Cancel
+            </button>
+            <button
+              type="button"
+              className="button-pop"
+              onClick={() => void handleGenerate()}
+              disabled={busy || picked.size === 0}
+              style={{
+                padding: "8px 14px",
+                fontSize: 13,
+                fontWeight: 600,
+                border: "1px solid #5E6AD2",
+                borderRadius: 8,
+                background: busy ? "#9298d6" : "#5E6AD2",
+                color: "#ffffff",
+                cursor: busy ? "wait" : "pointer",
+              }}
+            >
+              {busy ? "Generating..." : "Generate link"}
+            </button>
+          </div>
+        </div>
+      ) : (
+        <div className="fade-up" style={{ display: "flex", flexDirection: "column", gap: 14 }}>
+          <p
+            style={{
+              fontSize: 13,
+              color: "#475569",
+              background: "rgba(16,185,129,0.08)",
+              border: "1px solid rgba(16,185,129,0.24)",
+              padding: "10px 12px",
+              borderRadius: 8,
+              margin: 0,
+            }}
+          >
+            Auditor share link created. The viewer is watermarked and read-only.
+          </p>
+
+          <Label>Share URL</Label>
+          <div
+            style={{
+              display: "flex",
+              gap: 6,
+              alignItems: "center",
+              border: "1px solid rgba(15,23,42,0.12)",
+              borderRadius: 8,
+              padding: 4,
+              background: "#ffffff",
+            }}
+          >
+            <input
+              readOnly
+              value={result.shareUrl}
+              onFocus={(e) => e.currentTarget.select()}
+              style={{
+                flex: 1,
+                padding: "6px 8px",
+                border: "none",
+                outline: "none",
+                fontSize: 12,
+                fontFamily: "var(--font-mono)",
+                color: "#0f172a",
+                background: "transparent",
+              }}
+            />
+            <button
+              type="button"
+              className="button-pop"
+              onClick={() => void handleCopy()}
+              style={{
+                display: "inline-flex",
+                alignItems: "center",
+                gap: 4,
+                padding: "6px 10px",
+                background: copied ? "#10b981" : "#5E6AD2",
+                color: "#ffffff",
+                border: "none",
+                borderRadius: 6,
+                fontSize: 12,
+                fontWeight: 600,
+                cursor: "pointer",
+              }}
+            >
+              {copied ? <Check size={12} aria-hidden="true" /> : <Copy size={12} aria-hidden="true" />}
+              {copied ? "Copied" : "Copy"}
+            </button>
+          </div>
+
+          <div style={{ fontSize: 12, color: "#64748b" }}>
+            Expires {new Date(result.expiresAt).toLocaleString("en-US", { dateStyle: "medium", timeStyle: "short" })}
+          </div>
+
+          <a
+            href={result.shareUrl}
+            target="_blank"
+            rel="noopener noreferrer"
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 4,
+              fontSize: 13,
+              color: "#5E6AD2",
+              fontWeight: 500,
+              textDecoration: "none",
+            }}
+          >
+            Open auditor viewer <ExternalLink size={12} aria-hidden="true" />
+          </a>
+
+          <div style={{ display: "flex", gap: 8, justifyContent: "flex-end", marginTop: 4 }}>
+            <button
+              type="button"
+              className="button-pop"
+              onClick={() => setResult(null)}
+              style={{
+                padding: "8px 14px",
+                fontSize: 13,
+                border: "1px solid rgba(15,23,42,0.12)",
+                borderRadius: 8,
+                background: "#ffffff",
+                color: "#475569",
+                cursor: "pointer",
+              }}
+            >
+              Generate another
+            </button>
+            <button
+              type="button"
+              className="button-pop"
+              onClick={onClose}
+              style={{
+                padding: "8px 14px",
+                fontSize: 13,
+                fontWeight: 600,
+                border: "1px solid #5E6AD2",
+                borderRadius: 8,
+                background: "#5E6AD2",
+                color: "#ffffff",
+                cursor: "pointer",
+              }}
+            >
+              Done
+            </button>
+          </div>
+        </div>
+      )}
+    </Drawer>
+  );
+}
+
+function Label({ children, htmlFor }: { children: React.ReactNode; htmlFor?: string }): JSX.Element {
+  return (
+    <label
+      htmlFor={htmlFor}
+      style={{
+        fontSize: 11,
+        fontWeight: 600,
+        textTransform: "uppercase",
+        letterSpacing: "0.06em",
+        color: "#64748b",
+      }}
+    >
+      {children}
+    </label>
+  );
+}
diff --git a/apps/web/src/components/portfolio/VendorBrandLogo.tsx b/apps/web/src/components/portfolio/VendorBrandLogo.tsx
new file mode 100644
index 0000000..9c89f45
--- /dev/null
+++ b/apps/web/src/components/portfolio/VendorBrandLogo.tsx
@@ -0,0 +1,60 @@
+import { useState } from "react";
+import { simpleIconsUrlForId, monogramFor } from "../../lib/logos.js";
+
+interface Props {
+  vendorId: string;
+  name: string;
+  size?: number;
+}
+
+// Card/table logo. Uses the curated `VENDOR_BRAND` slug+hex map so each card
+// shows the brand-colored mark. Falls back to a colored monogram circle when
+// the CDN 404s (or when the id isn't in the brand map).
+export function VendorBrandLogo({ vendorId, name, size = 32 }: Props): JSX.Element {
+  const [errored, setErrored] = useState(false);
+  const url = simpleIconsUrlForId(vendorId);
+
+  const wrap: React.CSSProperties = {
+    width: size,
+    height: size,
+    borderRadius: 8,
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    flexShrink: 0,
+    background: "var(--surface)",
+    border: "1px solid rgba(15,23,42,0.06)",
+    overflow: "hidden",
+  };
+
+  if (url && !errored) {
+    return (
+      <span style={wrap} aria-label={`${name} logo`}>
+        <img
+          src={url}
+          alt=""
+          width={Math.round(size * 0.62)}
+          height={Math.round(size * 0.62)}
+          onError={() => setErrored(true)}
+          style={{ objectFit: "contain", display: "block" }}
+        />
+      </span>
+    );
+  }
+
+  const mono = monogramFor(name);
+  return (
+    <span
+      style={{
+        ...wrap,
+        background: mono.bg,
+        color: mono.fg,
+        fontWeight: 600,
+        fontSize: Math.round(size * 0.38),
+      }}
+      aria-label={`${name} logo`}
+    >
+      {mono.initials}
+    </span>
+  );
+}
diff --git a/apps/web/src/components/portfolio/VendorTable.tsx b/apps/web/src/components/portfolio/VendorTable.tsx
new file mode 100644
index 0000000..6a0548f
--- /dev/null
+++ b/apps/web/src/components/portfolio/VendorTable.tsx
@@ -0,0 +1,281 @@
+import { useState } from "react";
+import type { Vendor } from "@unsyphn/shared";
+import type { TeamMember } from "../../lib/api.js";
+import { VendorBrandLogo } from "./VendorBrandLogo.js";
+import { daysUntil, fmtUsd, postureBg, postureColor } from "./types.js";
+import { ChevronDown, ChevronUp } from "lucide-react";
+
+type Col =
+  | "name"
+  | "category"
+  | "tier"
+  | "posture"
+  | "spend"
+  | "seats"
+  | "renews"
+  | "owner";
+
+interface Props {
+  vendors: Vendor[];
+  owners: Map<string, TeamMember>;
+  selectedIds: ReadonlySet<string>;
+  onToggleSelect: (id: string) => void;
+  onToggleAll: () => void;
+  allSelected: boolean;
+}
+
+function compare(a: Vendor, b: Vendor, c: Col): number {
+  switch (c) {
+    case "name":
+      return a.name.localeCompare(b.name);
+    case "category":
+      return (a.category ?? "").localeCompare(b.category ?? "");
+    case "tier":
+      return (a.tier ?? 9) - (b.tier ?? 9);
+    case "posture": {
+      const order: Record<string, number> = { risk: 0, watch: 1, ok: 2 };
+      return (order[a.posture ?? "ok"] ?? 9) - (order[b.posture ?? "ok"] ?? 9);
+    }
+    case "spend":
+      return (b.contract?.annualSpendUsd ?? 0) - (a.contract?.annualSpendUsd ?? 0);
+    case "seats":
+      return (b.contract?.seatCount ?? 0) - (a.contract?.seatCount ?? 0);
+    case "renews": {
+      const da = daysUntil(a.contract?.renewsAt) ?? 9999;
+      const db = daysUntil(b.contract?.renewsAt) ?? 9999;
+      return da - db;
+    }
+    case "owner":
+      return (a.ownerId ?? "").localeCompare(b.ownerId ?? "");
+  }
+}
+
+const TH_STYLE: React.CSSProperties = {
+  padding: "10px 14px",
+  textAlign: "left",
+  fontSize: 11,
+  fontWeight: 600,
+  textTransform: "uppercase",
+  letterSpacing: "0.06em",
+  color: "#64748b",
+  background: "#f8fafc",
+  borderBottom: "1px solid rgba(15,23,42,0.08)",
+  cursor: "pointer",
+  userSelect: "none",
+};
+
+const TD_STYLE: React.CSSProperties = {
+  padding: "12px 14px",
+  fontSize: 13,
+  color: "#0f172a",
+  borderBottom: "1px solid rgba(15,23,42,0.06)",
+};
+
+export function VendorTable({
+  vendors,
+  owners,
+  selectedIds,
+  onToggleSelect,
+  onToggleAll,
+  allSelected,
+}: Props): JSX.Element {
+  const [sortCol, setSortCol] = useState<Col>("name");
+  const [sortDir, setSortDir] = useState<"asc" | "desc">("asc");
+
+  const onHeaderClick = (c: Col) => {
+    if (sortCol === c) {
+      setSortDir(sortDir === "asc" ? "desc" : "asc");
+    } else {
+      setSortCol(c);
+      setSortDir("asc");
+    }
+  };
+
+  const sorted = [...vendors].sort((a, b) => {
+    const v = compare(a, b, sortCol);
+    return sortDir === "asc" ? v : -v;
+  });
+
+  return (
+    <div
+      className="glass fade-up"
+      style={{
+        borderRadius: 16,
+        overflow: "hidden",
+      }}
+    >
+      <table style={{ width: "100%", borderCollapse: "collapse" }}>
+        <thead>
+          <tr>
+            <th style={{ ...TH_STYLE, width: 36, cursor: "default" }}>
+              <input
+                type="checkbox"
+                checked={allSelected}
+                aria-label="Select all rows"
+                onChange={onToggleAll}
+                style={{ cursor: "pointer" }}
+              />
+            </th>
+            <ColHead col="name" label="Vendor" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+            <ColHead col="category" label="Category" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+            <ColHead col="tier" label="Tier" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+            <ColHead col="posture" label="Posture" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+            <ColHead col="spend" label="Spend" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} align="right" />
+            <ColHead col="seats" label="Seats" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} align="right" />
+            <ColHead col="renews" label="Renews" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+            <ColHead col="owner" label="Owner" sortCol={sortCol} sortDir={sortDir} onClick={onHeaderClick} />
+          </tr>
+        </thead>
+        <tbody>
+          {sorted.map((v) => {
+            const owner = v.ownerId ? owners.get(v.ownerId) : undefined;
+            const isSelected = selectedIds.has(v.id);
+            return (
+              <tr
+                key={v.id}
+                className="row-hover"
+                onClick={() => window.location.assign(`/app/vendors/${v.id}`)}
+                style={{
+                  cursor: "pointer",
+                  background: isSelected ? "rgba(94,106,210,0.04)" : "transparent",
+                }}
+              >
+                <td
+                  style={{ ...TD_STYLE, width: 36 }}
+                  onClick={(e) => e.stopPropagation()}
+                >
+                  <input
+                    type="checkbox"
+                    checked={isSelected}
+                    onChange={() => onToggleSelect(v.id)}
+                    aria-label={`Select ${v.name}`}
+                    style={{ cursor: "pointer" }}
+                  />
+                </td>
+                <td style={TD_STYLE}>
+                  <div style={{ display: "flex", alignItems: "center", gap: 10 }}>
+                    <VendorBrandLogo vendorId={v.id} name={v.name} size={24} />
+                    <span style={{ fontWeight: 500 }}>{v.name}</span>
+                  </div>
+                </td>
+                <td style={{ ...TD_STYLE, color: "#475569", textTransform: "capitalize" }}>
+                  {v.category ?? "—"}
+                </td>
+                <td style={{ ...TD_STYLE, fontFamily: "var(--font-mono)" }}>
+                  {v.tier ? `T${v.tier}` : "—"}
+                </td>
+                <td style={TD_STYLE}>
+                  <span
+                    style={{
+                      display: "inline-flex",
+                      alignItems: "center",
+                      gap: 4,
+                      padding: "2px 8px",
+                      background: postureBg(v.posture),
+                      color: postureColor(v.posture),
+                      borderRadius: 6,
+                      fontSize: 11,
+                      fontWeight: 600,
+                      textTransform: "uppercase",
+                      letterSpacing: "0.04em",
+                    }}
+                  >
+                    <span
+                      aria-hidden="true"
+                      style={{
+                        width: 6,
+                        height: 6,
+                        borderRadius: "50%",
+                        background: postureColor(v.posture),
+                      }}
+                    />
+                    {v.posture ?? "—"}
+                  </span>
+                </td>
+                <td style={{ ...TD_STYLE, textAlign: "right", fontFamily: "var(--font-mono)" }}>
+                  {v.contract?.annualSpendUsd ? fmtUsd(v.contract.annualSpendUsd) : "—"}
+                </td>
+                <td style={{ ...TD_STYLE, textAlign: "right", fontFamily: "var(--font-mono)" }}>
+                  {v.contract?.seatCount?.toLocaleString() ?? "—"}
+                </td>
+                <td style={{ ...TD_STYLE, color: "#475569" }}>
+                  {renewCell(v.contract?.renewsAt)}
+                </td>
+                <td style={{ ...TD_STYLE, color: "#475569" }}>
+                  {owner?.name ?? v.ownerId ?? "—"}
+                </td>
+              </tr>
+            );
+          })}
+        </tbody>
+      </table>
+      {vendors.length === 0 && (
+        <div
+          style={{
+            padding: "48px 16px",
+            textAlign: "center",
+            color: "#64748b",
+            fontSize: 14,
+          }}
+        >
+          No vendors match the current filters.
+        </div>
+      )}
+    </div>
+  );
+}
+
+function renewCell(iso: string | undefined): string {
+  const days = daysUntil(iso);
+  if (!iso || days === null) return "—";
+  try {
+    const d = new Date(iso).toLocaleDateString("en-US", {
+      month: "short",
+      day: "numeric",
+      year: "numeric",
+    });
+    return `${d} (${days >= 0 ? `${days}d` : `${Math.abs(days)}d ago`})`;
+  } catch {
+    return iso;
+  }
+}
+
+interface ColHeadProps {
+  col: Col;
+  label: string;
+  sortCol: Col;
+  sortDir: "asc" | "desc";
+  onClick: (c: Col) => void;
+  align?: "left" | "right";
+}
+
+function ColHead({ col, label, sortCol, sortDir, onClick, align = "left" }: ColHeadProps): JSX.Element {
+  const active = sortCol === col;
+  return (
+    <th
+      scope="col"
+      onClick={() => onClick(col)}
+      style={{ ...TH_STYLE, textAlign: align }}
+      aria-sort={active ? (sortDir === "asc" ? "ascending" : "descending") : "none"}
+    >
+      <span
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          gap: 4,
+          justifyContent: align === "right" ? "flex-end" : "flex-start",
+          width: "100%",
+          color: active ? "#0f172a" : "inherit",
+        }}
+      >
+        {label}
+        {active &&
+          (sortDir === "asc" ? (
+            <ChevronUp size={12} aria-hidden="true" />
+          ) : (
+            <ChevronDown size={12} aria-hidden="true" />
+          ))}
+      </span>
+    </th>
+  );
+}
diff --git a/apps/web/src/components/portfolio/ViewToggle.tsx b/apps/web/src/components/portfolio/ViewToggle.tsx
new file mode 100644
index 0000000..c98a7ff
--- /dev/null
+++ b/apps/web/src/components/portfolio/ViewToggle.tsx
@@ -0,0 +1,112 @@
+import { LayoutGrid, Rows } from "lucide-react";
+import type { ViewMode } from "./types.js";
+
+interface Props {
+  view: ViewMode;
+  onChange: (v: ViewMode) => void;
+}
+
+export function ViewToggle({ view, onChange }: Props): JSX.Element {
+  return (
+    <div
+      role="group"
+      aria-label="View mode"
+      style={{
+        display: "inline-flex",
+        background: "#ffffff",
+        border: "1px solid rgba(15,23,42,0.12)",
+        borderRadius: 8,
+        padding: 2,
+      }}
+    >
+      <ToggleButton active={view === "grid"} onClick={() => onChange("grid")} label="Grid view">
+        <LayoutGrid size={14} aria-hidden="true" /> Grid
+      </ToggleButton>
+      <ToggleButton active={view === "table"} onClick={() => onChange("table")} label="Table view">
+        <Rows size={14} aria-hidden="true" /> Table
+      </ToggleButton>
+    </div>
+  );
+}
+
+function ToggleButton({
+  active,
+  onClick,
+  label,
+  children,
+}: {
+  active: boolean;
+  onClick: () => void;
+  label: string;
+  children: React.ReactNode;
+}): JSX.Element {
+  return (
+    <button
+      type="button"
+      className="button-pop"
+      aria-label={label}
+      aria-pressed={active}
+      onClick={onClick}
+      style={{
+        display: "inline-flex",
+        alignItems: "center",
+        gap: 4,
+        padding: "6px 10px",
+        background: active ? "#0f172a" : "transparent",
+        color: active ? "#ffffff" : "#475569",
+        border: "none",
+        borderRadius: 6,
+        fontSize: 12,
+        fontWeight: 500,
+        cursor: "pointer",
+      }}
+    >
+      {children}
+    </button>
+  );
+}
+
+export function LoadingGrid(): JSX.Element {
+  return (
+    <div
+      style={{
+        display: "grid",
+        gridTemplateColumns: "repeat(auto-fill, minmax(280px, 1fr))",
+        gap: 16,
+      }}
+      aria-live="polite"
+    >
+      {Array.from({ length: 8 }).map((_, i) => (
+        <div
+          key={i}
+          aria-hidden="true"
+          style={{
+            background: "#ffffff",
+            border: "1px solid rgba(15,23,42,0.06)",
+            borderRadius: 16,
+            height: 184,
+            opacity: 0.5,
+          }}
+        />
+      ))}
+    </div>
+  );
+}
+
+export function EmptyState(): JSX.Element {
+  return (
+    <div
+      style={{
+        padding: "64px 24px",
+        textAlign: "center",
+        background: "#ffffff",
+        border: "1px dashed rgba(15,23,42,0.12)",
+        borderRadius: 16,
+        color: "#64748b",
+        fontSize: 14,
+      }}
+    >
+      No vendors match the current filters.
+    </div>
+  );
+}
diff --git a/apps/web/src/components/portfolio/types.ts b/apps/web/src/components/portfolio/types.ts
new file mode 100644
index 0000000..2a56434
--- /dev/null
+++ b/apps/web/src/components/portfolio/types.ts
@@ -0,0 +1,113 @@
+import type { Vendor } from "@unsyphn/shared";
+
+export type ViewMode = "grid" | "table";
+
+export type PostureFilter = "ok" | "watch" | "risk";
+
+export type SortKey =
+  | "default"
+  | "spend-desc"
+  | "renew-soon"
+  | "tier"
+  | "posture"
+  | "name";
+
+export interface PortfolioFilterState {
+  q: string;
+  tiers: ReadonlyArray<1 | 2 | 3>;
+  postures: ReadonlyArray<PostureFilter>;
+  categories: ReadonlyArray<string>;
+  owner: string | "";
+  sort: SortKey;
+  view: ViewMode;
+}
+
+export const DEFAULT_FILTERS: PortfolioFilterState = {
+  q: "",
+  tiers: [],
+  postures: [],
+  categories: [],
+  owner: "",
+  sort: "default",
+  view: "grid",
+};
+
+export function isFiltersActive(s: PortfolioFilterState): boolean {
+  return (
+    s.q.length > 0 ||
+    s.tiers.length > 0 ||
+    s.postures.length > 0 ||
+    s.categories.length > 0 ||
+    s.owner !== "" ||
+    s.sort !== "default"
+  );
+}
+
+export function daysUntil(iso: string | undefined): number | null {
+  if (!iso) return null;
+  const t = Date.parse(iso);
+  if (!Number.isFinite(t)) return null;
+  return Math.round((t - Date.now()) / 86_400_000);
+}
+
+export function applyFilters(
+  vendors: Vendor[],
+  f: PortfolioFilterState,
+): Vendor[] {
+  const q = f.q.trim().toLowerCase();
+  const tierSet = new Set<number>(f.tiers);
+  const postureSet = new Set<string>(f.postures);
+  const categorySet = new Set<string>(f.categories);
+
+  const filtered = vendors.filter((v) => {
+    if (q && !v.name.toLowerCase().includes(q)) return false;
+    if (tierSet.size > 0 && (!v.tier || !tierSet.has(v.tier))) return false;
+    if (postureSet.size > 0 && (!v.posture || !postureSet.has(v.posture))) return false;
+    if (categorySet.size > 0 && (!v.category || !categorySet.has(v.category))) return false;
+    if (f.owner && v.ownerId !== f.owner) return false;
+    return true;
+  });
+
+  if (f.sort === "default") return filtered;
+  const sorted = [...filtered];
+  sorted.sort((a, b) => {
+    switch (f.sort) {
+      case "spend-desc":
+        return (b.contract?.annualSpendUsd ?? 0) - (a.contract?.annualSpendUsd ?? 0);
+      case "renew-soon": {
+        const da = daysUntil(a.contract?.renewsAt) ?? 9999;
+        const db = daysUntil(b.contract?.renewsAt) ?? 9999;
+        return da - db;
+      }
+      case "tier":
+        return (a.tier ?? 9) - (b.tier ?? 9);
+      case "posture": {
+        const order: Record<string, number> = { risk: 0, watch: 1, ok: 2 };
+        return (order[a.posture ?? "ok"] ?? 9) - (order[b.posture ?? "ok"] ?? 9);
+      }
+      case "name":
+        return a.name.localeCompare(b.name);
+      default:
+        return 0;
+    }
+  });
+  return sorted;
+}
+
+export function fmtUsd(usd: number): string {
+  if (usd >= 1_000_000) return `$${(usd / 1_000_000).toFixed(1)}M`;
+  if (usd >= 1_000) return `$${Math.round(usd / 1_000)}k`;
+  return `$${usd}`;
+}
+
+export function postureColor(p: string | undefined): string {
+  if (p === "risk") return "#dc2626";
+  if (p === "watch") return "#d97706";
+  return "#64748b";
+}
+
+export function postureBg(p: string | undefined): string {
+  if (p === "risk") return "rgba(220,38,38,0.10)";
+  if (p === "watch") return "rgba(217,119,6,0.10)";
+  return "rgba(100,116,139,0.10)";
+}
diff --git a/apps/web/src/components/portfolio/url-state.ts b/apps/web/src/components/portfolio/url-state.ts
new file mode 100644
index 0000000..1dbcbe2
--- /dev/null
+++ b/apps/web/src/components/portfolio/url-state.ts
@@ -0,0 +1,71 @@
+import {
+  DEFAULT_FILTERS,
+  type PortfolioFilterState,
+  type PostureFilter,
+  type SortKey,
+  type ViewMode,
+} from "./types.js";
+
+const VALID_SORTS: ReadonlyArray<SortKey> = [
+  "default",
+  "spend-desc",
+  "renew-soon",
+  "tier",
+  "posture",
+  "name",
+];
+
+function parseTiers(s: string | null): (1 | 2 | 3)[] {
+  if (!s) return [];
+  return s
+    .split(",")
+    .map((x) => Number.parseInt(x, 10))
+    .filter((n): n is 1 | 2 | 3 => n === 1 || n === 2 || n === 3);
+}
+
+function parseCsv(s: string | null): string[] {
+  return s ? s.split(",").filter(Boolean) : [];
+}
+
+function parsePostures(s: string | null): PostureFilter[] {
+  return parseCsv(s).filter(
+    (x): x is PostureFilter => x === "ok" || x === "watch" || x === "risk",
+  );
+}
+
+export function parseFiltersFromUrl(search: string): PortfolioFilterState {
+  const p = new URLSearchParams(search);
+  const sort = (p.get("sort") ?? "default") as SortKey;
+  const view = (p.get("view") === "table" ? "table" : "grid") as ViewMode;
+  return {
+    q: p.get("q") ?? "",
+    tiers: parseTiers(p.get("tier")),
+    postures: parsePostures(p.get("posture")),
+    categories: parseCsv(p.get("category")),
+    owner: p.get("owner") ?? "",
+    sort: VALID_SORTS.includes(sort) ? sort : "default",
+    view,
+  };
+}
+
+export function writeFiltersToUrl(state: PortfolioFilterState): void {
+  const url = new URL(window.location.href);
+  const p = url.searchParams;
+  const setOrDelete = (k: string, v: string) => {
+    if (v) p.set(k, v);
+    else p.delete(k);
+  };
+  setOrDelete("q", state.q);
+  setOrDelete("tier", state.tiers.join(","));
+  setOrDelete("posture", state.postures.join(","));
+  setOrDelete("category", state.categories.join(","));
+  setOrDelete("owner", state.owner);
+  setOrDelete("sort", state.sort === "default" ? "" : state.sort);
+  setOrDelete("view", state.view === "grid" ? "" : state.view);
+  window.history.replaceState({}, "", url.toString());
+}
+
+export function initialFilters(): PortfolioFilterState {
+  if (typeof window === "undefined") return DEFAULT_FILTERS;
+  return parseFiltersFromUrl(window.location.search);
+}
diff --git a/apps/web/src/components/renewals/BlockersPanel.tsx b/apps/web/src/components/renewals/BlockersPanel.tsx
new file mode 100644
index 0000000..1c7bdf3
--- /dev/null
+++ b/apps/web/src/components/renewals/BlockersPanel.tsx
@@ -0,0 +1,114 @@
+import { useEffect, useState } from "react";
+import { AlertCircle } from "lucide-react";
+import { DEMO_BEARER_TOKEN } from "../../lib/api.js";
+
+interface ChangeBlocker {
+  id: string;
+  title: string;
+  severity: string;
+}
+
+interface FeedResponse {
+  changes?: ChangeBlocker[];
+}
+
+function SectionHead({ label }: { label: string }): JSX.Element {
+  return (
+    <span
+      style={{
+        display: "block",
+        fontSize: "var(--text-xs)",
+        fontWeight: 600,
+        textTransform: "uppercase",
+        letterSpacing: "0.07em",
+        color: "var(--text-2)",
+        marginBottom: "var(--space-2)",
+      }}
+    >
+      {label}
+    </span>
+  );
+}
+
+export function BlockersPanel({ vendorId }: { vendorId: string }): JSX.Element {
+  const [blockers, setBlockers] = useState<ChangeBlocker[] | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetch(`/v1/changes/feed?vendorId=${encodeURIComponent(vendorId)}`, {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => (r.ok ? (r.json() as Promise<FeedResponse>) : null))
+      .then((d: FeedResponse | null) => {
+        if (cancelled) return;
+        const items = (d?.changes ?? []).filter((i) => i.severity === "P1");
+        setBlockers(items);
+      })
+      .catch(() => {
+        if (!cancelled) setBlockers([]);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendorId]);
+
+  return (
+    <section
+      aria-labelledby="wb-blockers"
+      className="glass-strong fade-up"
+      style={{ padding: "var(--space-4)", borderRadius: "var(--radius-md)" }}
+    >
+      <SectionHead label="Legal / Risk blockers" />
+      {blockers === null ? (
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>Checking…</p>
+      ) : blockers.length === 0 ? (
+        <p
+          style={{
+            margin: 0,
+            fontSize: "var(--text-sm)",
+            color: "var(--success)",
+            fontWeight: 500,
+          }}
+        >
+          No blockers. Clear to negotiate.
+        </p>
+      ) : (
+        <ul
+          className="stagger-children"
+          style={{
+            margin: 0,
+            padding: 0,
+            listStyle: "none",
+            display: "flex",
+            flexDirection: "column",
+            gap: "var(--space-2)",
+          }}
+        >
+          {blockers.map((b) => (
+            <li key={b.id}>
+              <a
+                href={`/app/findings?vendorId=${encodeURIComponent(vendorId)}&type=change&severity=P1`}
+                className="row-hover"
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: "var(--space-2)",
+                  padding: "var(--space-2) var(--space-3)",
+                  background: "var(--surface-2)",
+                  borderRadius: "var(--radius-sm)",
+                  fontSize: "var(--text-sm)",
+                  color: "var(--text-2)",
+                  textDecoration: "none",
+                }}
+                aria-label={`View finding: ${b.title}`}
+              >
+                <AlertCircle size={14} color="var(--danger)" aria-hidden="true" />
+                {b.title}
+              </a>
+            </li>
+          ))}
+        </ul>
+      )}
+    </section>
+  );
+}
diff --git a/apps/web/src/components/renewals/ClosedSection.tsx b/apps/web/src/components/renewals/ClosedSection.tsx
new file mode 100644
index 0000000..ac357f1
--- /dev/null
+++ b/apps/web/src/components/renewals/ClosedSection.tsx
@@ -0,0 +1,111 @@
+import { useState } from "react";
+import { ChevronDown, ChevronRight } from "lucide-react";
+import type { Renewal } from "@unsyphn/shared";
+import type { TeamMember } from "../../lib/api.js";
+import { RenewalCard } from "./RenewalCard.js";
+
+interface Props {
+  renewals: ReadonlyArray<Renewal>;
+  members: ReadonlyArray<TeamMember>;
+  onOpen: (r: Renewal) => void;
+  onAssignOwner: (id: string, ownerId: string) => void;
+  onMarkDeclined: (id: string) => void;
+  onMarkAutoRenewed: (id: string) => void;
+  onReopen: (id: string) => void;
+  onGeneratePacket: (r: Renewal) => void;
+  onExportIcs: (r: Renewal) => void;
+}
+
+export function ClosedSection({
+  renewals,
+  members,
+  onOpen,
+  onAssignOwner,
+  onMarkDeclined,
+  onMarkAutoRenewed,
+  onReopen,
+  onGeneratePacket,
+  onExportIcs,
+}: Props): JSX.Element | null {
+  const [expanded, setExpanded] = useState(false);
+  if (renewals.length === 0) return null;
+
+  const declined = renewals.filter((r) => r.declined).length;
+  const auto = renewals.filter((r) => r.autoRenewed).length;
+
+  return (
+    <section
+      aria-label="Closed renewals"
+      style={{
+        marginTop: "var(--space-7)",
+        paddingTop: "var(--space-5)",
+        borderTop: "1px solid var(--border)",
+      }}
+    >
+      <button
+        type="button"
+        onClick={() => setExpanded((v) => !v)}
+        aria-expanded={expanded}
+        aria-controls="closed-renewals-grid"
+        className="btn btn-ghost button-pop"
+        style={{
+          display: "flex",
+          alignItems: "center",
+          gap: "var(--space-2)",
+          padding: "var(--space-2) var(--space-3)",
+          fontSize: "var(--text-sm)",
+          fontWeight: 600,
+          color: "var(--text-2)",
+          textTransform: "uppercase",
+          letterSpacing: "0.06em",
+        }}
+      >
+        {expanded ? (
+          <ChevronDown size={14} aria-hidden="true" />
+        ) : (
+          <ChevronRight size={14} aria-hidden="true" />
+        )}
+        Closed ({renewals.length})
+        {declined > 0 && (
+          <span className="badge badge-neutral" style={{ fontSize: "var(--text-xs)" }}>
+            {declined} declined
+          </span>
+        )}
+        {auto > 0 && (
+          <span className="badge badge-success" style={{ fontSize: "var(--text-xs)" }}>
+            {auto} auto-renewed
+          </span>
+        )}
+      </button>
+
+      {expanded && (
+        <div
+          id="closed-renewals-grid"
+          className="stagger-children"
+          style={{
+            marginTop: "var(--space-3)",
+            display: "grid",
+            gridTemplateColumns: "repeat(auto-fill, minmax(260px, 1fr))",
+            gap: "var(--space-3)",
+          }}
+        >
+          {renewals.map((r) => (
+            <RenewalCard
+              key={r.id}
+              renewal={r}
+              members={members}
+              onOpen={onOpen}
+              onAssignOwner={onAssignOwner}
+              onMarkDeclined={onMarkDeclined}
+              onMarkAutoRenewed={onMarkAutoRenewed}
+              onReopen={onReopen}
+              onGeneratePacket={onGeneratePacket}
+              onExportIcs={onExportIcs}
+              draggable={false}
+            />
+          ))}
+        </div>
+      )}
+    </section>
+  );
+}
diff --git a/apps/web/src/components/renewals/RenewalCard.tsx b/apps/web/src/components/renewals/RenewalCard.tsx
new file mode 100644
index 0000000..0324db6
--- /dev/null
+++ b/apps/web/src/components/renewals/RenewalCard.tsx
@@ -0,0 +1,482 @@
+import { useEffect, useRef, useState } from "react";
+import { useSortable } from "@dnd-kit/sortable";
+import { CSS } from "@dnd-kit/utilities";
+import { MoreHorizontal, GripVertical, CalendarPlus } from "lucide-react";
+import type { Renewal, RenewalStatus } from "@unsyphn/shared";
+import { VendorLogo } from "../VendorLogo.js";
+import type { TeamMember } from "../../lib/api.js";
+
+const STATUS_BADGE: Record<RenewalStatus, string> = {
+  triage: "badge badge-warning",
+  negotiate: "badge badge-accent",
+  sign: "badge badge-success",
+};
+
+function formatUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+function formatDate(iso: string): string {
+  return new Date(iso).toLocaleDateString("en-US", {
+    month: "short",
+    day: "numeric",
+    year: "numeric",
+  });
+}
+
+function initialsFor(member: TeamMember | undefined, fallback: string): string {
+  if (member?.avatarLetter) return member.avatarLetter;
+  if (member?.name) return member.name.charAt(0).toUpperCase();
+  return fallback.charAt(0).toUpperCase();
+}
+
+interface OwnerAvatarProps {
+  renewal: Renewal;
+  members: ReadonlyArray<TeamMember>;
+  onAssign: (ownerId: string) => void;
+  disabled?: boolean;
+}
+
+function OwnerAvatar({ renewal, members, onAssign, disabled }: OwnerAvatarProps): JSX.Element {
+  const [open, setOpen] = useState(false);
+  const popRef = useRef<HTMLDivElement | null>(null);
+
+  useEffect(() => {
+    if (!open) return;
+    const onDoc = (e: MouseEvent): void => {
+      if (popRef.current && !popRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    };
+    const onKey = (e: KeyboardEvent): void => {
+      if (e.key === "Escape") setOpen(false);
+    };
+    document.addEventListener("mousedown", onDoc);
+    document.addEventListener("keydown", onKey);
+    return () => {
+      document.removeEventListener("mousedown", onDoc);
+      document.removeEventListener("keydown", onKey);
+    };
+  }, [open]);
+
+  const currentMember = members.find(
+    (m) => m.id === renewal.ownerId || m.email === renewal.ownerEmail,
+  );
+  const initials = initialsFor(currentMember, renewal.ownerEmail);
+
+  return (
+    <div style={{ position: "relative" }}>
+      <button
+        type="button"
+        onClick={(e) => {
+          e.stopPropagation();
+          if (!disabled) setOpen((v) => !v);
+        }}
+        aria-label={`Owner: ${currentMember?.name ?? renewal.ownerEmail}. Click to reassign`}
+        aria-haspopup="listbox"
+        aria-expanded={open}
+        title={currentMember?.email ?? renewal.ownerEmail}
+        disabled={disabled}
+        style={{
+          width: 28,
+          height: 28,
+          borderRadius: "var(--radius-full)",
+          background: "var(--accent-soft)",
+          border: "1px solid var(--border)",
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+          fontSize: "var(--text-xs)",
+          fontWeight: 600,
+          color: "var(--accent)",
+          flexShrink: 0,
+          cursor: disabled ? "default" : "pointer",
+          padding: 0,
+        }}
+      >
+        {initials}
+      </button>
+
+      {open && (
+        <div
+          ref={popRef}
+          role="listbox"
+          aria-label="Assign owner"
+          className="glass-strong scale-in"
+          style={{
+            position: "absolute",
+            top: 32,
+            left: 0,
+            minWidth: 220,
+            borderRadius: "var(--radius-md)",
+            boxShadow: "var(--shadow-3)",
+            zIndex: 50,
+            padding: "var(--space-2)",
+            display: "flex",
+            flexDirection: "column",
+            gap: 2,
+            maxHeight: 240,
+            overflowY: "auto",
+          }}
+        >
+          {members.length === 0 ? (
+            <span
+              style={{
+                padding: "var(--space-2)",
+                fontSize: "var(--text-xs)",
+                color: "var(--text-muted)",
+              }}
+            >
+              No team members available
+            </span>
+          ) : (
+            members.map((m) => {
+              const isSelected = m.id === renewal.ownerId || m.email === renewal.ownerEmail;
+              return (
+                <button
+                  key={m.id}
+                  type="button"
+                  role="option"
+                  aria-selected={isSelected}
+                  className="button-pop"
+                  onClick={() => {
+                    setOpen(false);
+                    onAssign(m.id);
+                  }}
+                  style={{
+                    display: "flex",
+                    alignItems: "center",
+                    gap: 8,
+                    padding: "6px 8px",
+                    background: isSelected ? "var(--accent-soft)" : "transparent",
+                    border: "none",
+                    borderRadius: "var(--radius-sm)",
+                    cursor: "pointer",
+                    fontSize: "var(--text-xs)",
+                    color: "var(--text)",
+                    textAlign: "left",
+                  }}
+                >
+                  <span
+                    style={{
+                      width: 22,
+                      height: 22,
+                      borderRadius: "var(--radius-full)",
+                      background: "var(--surface-2)",
+                      border: "1px solid var(--border)",
+                      display: "inline-flex",
+                      alignItems: "center",
+                      justifyContent: "center",
+                      fontSize: 11,
+                      fontWeight: 600,
+                      color: "var(--text)",
+                    }}
+                  >
+                    {initialsFor(m, m.email)}
+                  </span>
+                  <span style={{ flex: 1, fontWeight: 600 }}>{m.name}</span>
+                  <span style={{ color: "var(--text-muted)" }}>{m.role}</span>
+                </button>
+              );
+            })
+          )}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export interface CardAction {
+  key: "decline" | "auto" | "open" | "packet" | "export" | "reopen";
+  label: string;
+  onSelect: () => void;
+}
+
+interface KebabMenuProps {
+  actions: ReadonlyArray<CardAction>;
+}
+
+function KebabMenu({ actions }: KebabMenuProps): JSX.Element {
+  const [open, setOpen] = useState(false);
+  const menuRef = useRef<HTMLDivElement | null>(null);
+
+  useEffect(() => {
+    if (!open) return;
+    const onDoc = (e: MouseEvent): void => {
+      if (menuRef.current && !menuRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    };
+    const onKey = (e: KeyboardEvent): void => {
+      if (e.key === "Escape") setOpen(false);
+    };
+    document.addEventListener("mousedown", onDoc);
+    document.addEventListener("keydown", onKey);
+    return () => {
+      document.removeEventListener("mousedown", onDoc);
+      document.removeEventListener("keydown", onKey);
+    };
+  }, [open]);
+
+  return (
+    <div style={{ position: "relative" }}>
+      <button
+        type="button"
+        onClick={(e) => {
+          e.stopPropagation();
+          setOpen((v) => !v);
+        }}
+        aria-label="Card actions"
+        aria-haspopup="menu"
+        aria-expanded={open}
+        className="btn btn-ghost button-pop"
+        style={{ width: 28, height: 28, padding: 0 }}
+      >
+        <MoreHorizontal size={16} aria-hidden="true" />
+      </button>
+
+      {open && (
+        <div
+          ref={menuRef}
+          role="menu"
+          className="glass-strong scale-in"
+          style={{
+            position: "absolute",
+            top: 30,
+            right: 0,
+            minWidth: 200,
+            borderRadius: "var(--radius-md)",
+            boxShadow: "var(--shadow-3)",
+            zIndex: 50,
+            padding: "var(--space-1)",
+            display: "flex",
+            flexDirection: "column",
+          }}
+        >
+          {actions.map((a) => (
+            <button
+              key={a.key}
+              type="button"
+              role="menuitem"
+              className="button-pop"
+              onClick={() => {
+                setOpen(false);
+                a.onSelect();
+              }}
+              style={{
+                padding: "8px 10px",
+                background: "transparent",
+                border: "none",
+                borderRadius: "var(--radius-sm)",
+                cursor: "pointer",
+                fontSize: "var(--text-xs)",
+                color: "var(--text)",
+                textAlign: "left",
+              }}
+            >
+              {a.label}
+            </button>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
+
+export interface RenewalCardProps {
+  renewal: Renewal;
+  members: ReadonlyArray<TeamMember>;
+  onOpen: (r: Renewal) => void;
+  onAssignOwner: (id: string, ownerId: string) => void;
+  onMarkDeclined: (id: string) => void;
+  onMarkAutoRenewed: (id: string) => void;
+  onReopen: (id: string) => void;
+  onGeneratePacket: (r: Renewal) => void;
+  onExportIcs: (r: Renewal) => void;
+  draggable?: boolean;
+}
+
+function statusLabel(r: Renewal): { label: string; cls: string } {
+  if (r.declined) return { label: "declined", cls: "badge badge-neutral" };
+  if (r.autoRenewed) return { label: "auto-renewed", cls: "badge badge-success" };
+  return { label: r.status, cls: STATUS_BADGE[r.status] };
+}
+
+export function RenewalCard({
+  renewal,
+  members,
+  onOpen,
+  onAssignOwner,
+  onMarkDeclined,
+  onMarkAutoRenewed,
+  onReopen,
+  onGeneratePacket,
+  onExportIcs,
+  draggable = true,
+}: RenewalCardProps): JSX.Element {
+  const sortable = useSortable({ id: renewal.id, disabled: !draggable });
+  const {
+    attributes,
+    listeners,
+    setNodeRef,
+    transform,
+    transition,
+    isDragging,
+  } = sortable;
+
+  const delta = renewal.benchmarkDelta;
+  const deltaColor =
+    delta === null ? "var(--text-muted)" : delta > 0 ? "var(--danger)" : "var(--success)";
+  const deltaLabel =
+    delta === null ? "+0% vs market" : `${delta > 0 ? "+" : ""}${delta}% vs market`;
+
+  const { label: statusText, cls: statusCls } = statusLabel(renewal);
+  const closed = renewal.declined || renewal.autoRenewed;
+
+  const actions: CardAction[] = closed
+    ? [
+        { key: "reopen", label: "Re-open", onSelect: () => onReopen(renewal.id) },
+        { key: "open", label: "Open workbench", onSelect: () => onOpen(renewal) },
+        { key: "packet", label: "Generate packet", onSelect: () => onGeneratePacket(renewal) },
+        { key: "export", label: "Export to calendar", onSelect: () => onExportIcs(renewal) },
+      ]
+    : [
+        { key: "open", label: "Open workbench", onSelect: () => onOpen(renewal) },
+        { key: "packet", label: "Generate packet", onSelect: () => onGeneratePacket(renewal) },
+        { key: "decline", label: "Mark declined", onSelect: () => onMarkDeclined(renewal.id) },
+        { key: "auto", label: "Mark auto-renewed", onSelect: () => onMarkAutoRenewed(renewal.id) },
+        { key: "export", label: "Export to calendar", onSelect: () => onExportIcs(renewal) },
+      ];
+
+  return (
+    <article
+      ref={setNodeRef}
+      className="glass-strong"
+      style={{
+        borderRadius: "var(--radius-md)",
+        padding: "var(--space-4)",
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-2)",
+        transform: CSS.Transform.toString(transform),
+        transition,
+        opacity: isDragging ? 0.5 : 1,
+        boxShadow: isDragging ? "var(--shadow-3)" : undefined,
+        cursor: closed ? "default" : "grab",
+        position: "relative",
+      }}
+      {...attributes}
+      aria-roledescription={draggable ? "Sortable renewal card" : undefined}
+    >
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+        {draggable && (
+          <span
+            {...listeners}
+            aria-label={`Drag ${renewal.vendorName} between columns`}
+            role="button"
+            tabIndex={0}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              justifyContent: "center",
+              width: 18,
+              height: 18,
+              color: "var(--text-muted)",
+              cursor: "grab",
+              flexShrink: 0,
+            }}
+          >
+            <GripVertical size={14} aria-hidden="true" />
+          </span>
+        )}
+        <VendorLogo name={renewal.vendorName} size={24} />
+        <span
+          style={{
+            fontSize: "var(--text-sm)",
+            fontWeight: 600,
+            color: "var(--text)",
+            flex: 1,
+            overflow: "hidden",
+            textOverflow: "ellipsis",
+            whiteSpace: "nowrap",
+          }}
+        >
+          {renewal.vendorName}
+        </span>
+        <span className={statusCls} style={{ fontSize: "var(--text-xs)" }}>
+          {statusText}
+        </span>
+      </div>
+
+      <p style={{ margin: 0, fontSize: "var(--text-xs)", color: "var(--text-2)" }}>
+        Renews in {renewal.daysOut}d · {formatDate(renewal.renewsAt)}
+      </p>
+
+      <p
+        style={{
+          margin: 0,
+          fontFamily: "var(--font-mono)",
+          fontSize: "var(--text-lg)",
+          fontWeight: 700,
+          color: "var(--text)",
+          letterSpacing: "-0.01em",
+        }}
+      >
+        {formatUsd(renewal.annualValueUsd)}
+        <span
+          style={{
+            fontSize: "var(--text-xs)",
+            color: "var(--text-muted)",
+            fontWeight: 500,
+            marginLeft: 4,
+          }}
+        >
+          /yr
+        </span>
+      </p>
+
+      <p style={{ margin: 0, fontSize: "var(--text-xs)", fontWeight: 600, color: deltaColor }}>
+        {deltaLabel}
+      </p>
+
+      <div
+        style={{
+          display: "flex",
+          alignItems: "center",
+          justifyContent: "space-between",
+          marginTop: "var(--space-1)",
+        }}
+      >
+        <OwnerAvatar
+          renewal={renewal}
+          members={members}
+          onAssign={(ownerId) => onAssignOwner(renewal.id, ownerId)}
+          disabled={closed}
+        />
+        <div style={{ display: "flex", gap: 6, alignItems: "center" }}>
+          <button
+            type="button"
+            aria-label="Export this renewal to calendar"
+            title="Export to calendar"
+            className="btn btn-ghost button-pop"
+            onClick={() => onExportIcs(renewal)}
+            style={{ width: 28, height: 28, padding: 0 }}
+          >
+            <CalendarPlus size={14} aria-hidden="true" />
+          </button>
+          <button
+            type="button"
+            className="btn btn-secondary button-pop"
+            style={{ height: 28, fontSize: "var(--text-xs)" }}
+            onClick={() => onOpen(renewal)}
+          >
+            Open
+          </button>
+          <KebabMenu actions={actions} />
+        </div>
+      </div>
+    </article>
+  );
+}
diff --git a/apps/web/src/components/renewals/RenewalsKanban.tsx b/apps/web/src/components/renewals/RenewalsKanban.tsx
new file mode 100644
index 0000000..9d83a0e
--- /dev/null
+++ b/apps/web/src/components/renewals/RenewalsKanban.tsx
@@ -0,0 +1,293 @@
+import { useMemo, useState } from "react";
+import {
+  DndContext,
+  DragOverlay,
+  PointerSensor,
+  KeyboardSensor,
+  closestCorners,
+  useDroppable,
+  useSensor,
+  useSensors,
+  type DragEndEvent,
+  type DragStartEvent,
+} from "@dnd-kit/core";
+import {
+  SortableContext,
+  sortableKeyboardCoordinates,
+  verticalListSortingStrategy,
+} from "@dnd-kit/sortable";
+import type { Renewal, RenewalStatus } from "@unsyphn/shared";
+import type { TeamMember } from "../../lib/api.js";
+import { RenewalCard } from "./RenewalCard.js";
+
+const COLUMN_LABELS: Record<RenewalStatus, string> = {
+  triage: "Triage",
+  negotiate: "Negotiate",
+  sign: "Sign",
+};
+
+export const COLUMNS: RenewalStatus[] = ["triage", "negotiate", "sign"];
+
+interface ColumnProps {
+  status: RenewalStatus;
+  renewals: ReadonlyArray<Renewal>;
+  members: ReadonlyArray<TeamMember>;
+  onOpen: (r: Renewal) => void;
+  onAssignOwner: (id: string, ownerId: string) => void;
+  onMarkDeclined: (id: string) => void;
+  onMarkAutoRenewed: (id: string) => void;
+  onReopen: (id: string) => void;
+  onGeneratePacket: (r: Renewal) => void;
+  onExportIcs: (r: Renewal) => void;
+  activeId: string | null;
+}
+
+function KanbanColumn(props: ColumnProps): JSX.Element {
+  const { status, renewals, activeId } = props;
+  const { setNodeRef, isOver } = useDroppable({ id: `col:${status}` });
+  const ids = useMemo(() => renewals.map((r) => r.id), [renewals]);
+
+  return (
+    <section
+      aria-label={`${COLUMN_LABELS[status]} column`}
+      style={{
+        flex: 1,
+        minWidth: 0,
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-3)",
+      }}
+    >
+      <div
+        className="glass-soft fade-up"
+        style={{
+          display: "flex",
+          alignItems: "center",
+          gap: "var(--space-2)",
+          padding: "var(--space-2) var(--space-3)",
+          borderRadius: "var(--radius-md)",
+        }}
+      >
+        <h2
+          style={{
+            margin: 0,
+            fontSize: "var(--text-sm)",
+            fontWeight: 700,
+            textTransform: "uppercase",
+            letterSpacing: "0.06em",
+            color: "var(--text-2)",
+          }}
+        >
+          {COLUMN_LABELS[status]}
+        </h2>
+        <span
+          aria-label={`${renewals.length} renewals`}
+          style={{
+            fontFamily: "var(--font-mono)",
+            fontSize: "var(--text-xs)",
+            color: "var(--text-muted)",
+            background: "var(--surface-2)",
+            padding: "2px 8px",
+            borderRadius: "var(--radius-full)",
+          }}
+        >
+          {renewals.length}
+        </span>
+      </div>
+
+      <SortableContext id={`col:${status}`} items={ids} strategy={verticalListSortingStrategy}>
+        <div
+          ref={setNodeRef}
+          aria-dropeffect="move"
+          style={{
+            display: "flex",
+            flexDirection: "column",
+            gap: "var(--space-3)",
+            minHeight: 120,
+            borderRadius: "var(--radius-md)",
+            background: isOver ? "var(--accent-soft)" : "transparent",
+            outline: isOver ? "2px dashed var(--accent)" : "none",
+            outlineOffset: -2,
+            padding: isOver ? "var(--space-2)" : 0,
+            transition: "background 120ms ease, padding 120ms ease",
+          }}
+        >
+          {renewals.length === 0 ? (
+            <p
+              style={{
+                margin: 0,
+                fontSize: "var(--text-sm)",
+                color: "var(--text-muted)",
+                textAlign: "center",
+                padding: "var(--space-6) var(--space-3)",
+                border: "1px dashed var(--border)",
+                borderRadius: "var(--radius-md)",
+                background: "var(--surface-2)",
+              }}
+            >
+              Drop renewals here
+            </p>
+          ) : (
+            renewals.map((r) => (
+              <RenewalCard
+                key={r.id}
+                renewal={r}
+                members={props.members}
+                onOpen={props.onOpen}
+                onAssignOwner={props.onAssignOwner}
+                onMarkDeclined={props.onMarkDeclined}
+                onMarkAutoRenewed={props.onMarkAutoRenewed}
+                onReopen={props.onReopen}
+                onGeneratePacket={props.onGeneratePacket}
+                onExportIcs={props.onExportIcs}
+                draggable={!(r.declined || r.autoRenewed) && activeId !== r.id}
+              />
+            ))
+          )}
+        </div>
+      </SortableContext>
+    </section>
+  );
+}
+
+interface KanbanProps {
+  renewals: ReadonlyArray<Renewal>;
+  members: ReadonlyArray<TeamMember>;
+  onMoveColumn: (id: string, column: RenewalStatus) => void;
+  onOpen: (r: Renewal) => void;
+  onAssignOwner: (id: string, ownerId: string) => void;
+  onMarkDeclined: (id: string) => void;
+  onMarkAutoRenewed: (id: string) => void;
+  onReopen: (id: string) => void;
+  onGeneratePacket: (r: Renewal) => void;
+  onExportIcs: (r: Renewal) => void;
+}
+
+function parseColumnFrom(id: string | number): RenewalStatus | null {
+  const s = String(id);
+  if (s.startsWith("col:")) {
+    const c = s.slice(4);
+    if (c === "triage" || c === "negotiate" || c === "sign") return c;
+  }
+  return null;
+}
+
+export function RenewalsKanban({
+  renewals,
+  members,
+  onMoveColumn,
+  onOpen,
+  onAssignOwner,
+  onMarkDeclined,
+  onMarkAutoRenewed,
+  onReopen,
+  onGeneratePacket,
+  onExportIcs,
+}: KanbanProps): JSX.Element {
+  const [activeId, setActiveId] = useState<string | null>(null);
+
+  const sensors = useSensors(
+    useSensor(PointerSensor, { activationConstraint: { distance: 4 } }),
+    useSensor(KeyboardSensor, { coordinateGetter: sortableKeyboardCoordinates }),
+  );
+
+  const byStatus = useMemo(() => {
+    const map: Record<RenewalStatus, Renewal[]> = { triage: [], negotiate: [], sign: [] };
+    for (const r of renewals) {
+      if (r.declined || r.autoRenewed) continue;
+      if (r.status === "triage" || r.status === "negotiate" || r.status === "sign") {
+        map[r.status].push(r);
+      }
+    }
+    for (const k of COLUMNS) map[k].sort((a, b) => a.daysOut - b.daysOut);
+    return map;
+  }, [renewals]);
+
+  const renewalById = useMemo(() => {
+    const m = new Map<string, Renewal>();
+    for (const r of renewals) m.set(r.id, r);
+    return m;
+  }, [renewals]);
+
+  const activeRenewal = activeId ? renewalById.get(activeId) ?? null : null;
+
+  const handleStart = (e: DragStartEvent): void => {
+    setActiveId(String(e.active.id));
+  };
+
+  const handleEnd = (e: DragEndEvent): void => {
+    setActiveId(null);
+    if (!e.over) return;
+
+    const draggedId = String(e.active.id);
+    const dragged = renewalById.get(draggedId);
+    if (!dragged) return;
+
+    // Drop target is either a column droppable ("col:<status>") or another card.
+    let target = parseColumnFrom(e.over.id);
+    if (!target) {
+      // SortableContext id is set per column as "col:<status>".
+      const containerId = (e.over.data.current?.["sortable"] as { containerId?: string } | undefined)
+        ?.containerId;
+      if (containerId) target = parseColumnFrom(containerId);
+    }
+    if (!target) return;
+    if (target === dragged.status) return;
+    onMoveColumn(draggedId, target);
+  };
+
+  return (
+    <DndContext
+      sensors={sensors}
+      collisionDetection={closestCorners}
+      onDragStart={handleStart}
+      onDragEnd={handleEnd}
+      onDragCancel={() => setActiveId(null)}
+    >
+      <div
+        style={{
+          display: "grid",
+          gridTemplateColumns: "repeat(3, 1fr)",
+          gap: "var(--space-5)",
+          alignItems: "start",
+        }}
+      >
+        {COLUMNS.map((col) => (
+          <KanbanColumn
+            key={col}
+            status={col}
+            renewals={byStatus[col]}
+            members={members}
+            onOpen={onOpen}
+            onAssignOwner={onAssignOwner}
+            onMarkDeclined={onMarkDeclined}
+            onMarkAutoRenewed={onMarkAutoRenewed}
+            onReopen={onReopen}
+            onGeneratePacket={onGeneratePacket}
+            onExportIcs={onExportIcs}
+            activeId={activeId}
+          />
+        ))}
+      </div>
+
+      <DragOverlay>
+        {activeRenewal ? (
+          <div style={{ opacity: 0.9, transform: "rotate(-1deg)" }}>
+            <RenewalCard
+              renewal={activeRenewal}
+              members={members}
+              onOpen={onOpen}
+              onAssignOwner={onAssignOwner}
+              onMarkDeclined={onMarkDeclined}
+              onMarkAutoRenewed={onMarkAutoRenewed}
+              onReopen={onReopen}
+              onGeneratePacket={onGeneratePacket}
+              onExportIcs={onExportIcs}
+              draggable={false}
+            />
+          </div>
+        ) : null}
+      </DragOverlay>
+    </DndContext>
+  );
+}
diff --git a/apps/web/src/components/renewals/Workbench.tsx b/apps/web/src/components/renewals/Workbench.tsx
new file mode 100644
index 0000000..c3cf4fa
--- /dev/null
+++ b/apps/web/src/components/renewals/Workbench.tsx
@@ -0,0 +1,402 @@
+import { useEffect, useRef, useState } from "react";
+import { createPortal } from "react-dom";
+import { X } from "lucide-react";
+import type { Renewal } from "@unsyphn/shared";
+import { VendorLogo } from "../VendorLogo.js";
+import { RenegotiationPacket } from "../RenegotiationPacket.js";
+import { BlockersPanel } from "./BlockersPanel.js";
+
+interface WorkbenchProps {
+  renewal: Renewal;
+  onClose: () => void;
+}
+
+const FOCUSABLE =
+  'button, [href], input, select, textarea, [tabindex]:not([tabindex="-1"])';
+
+function formatUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+function formatDate(iso: string): string {
+  return new Date(iso).toLocaleDateString("en-US", {
+    month: "short",
+    day: "numeric",
+    year: "numeric",
+  });
+}
+
+function useFocusTrap(
+  open: boolean,
+  ref: React.RefObject<HTMLDivElement | null>,
+  onClose: () => void,
+): void {
+  const openerRef = useRef<Element | null>(null);
+
+  useEffect(() => {
+    if (open) {
+      openerRef.current = document.activeElement;
+      const first = ref.current?.querySelectorAll<HTMLElement>(FOCUSABLE)[0];
+      first?.focus();
+    } else {
+      const el = openerRef.current;
+      if (el instanceof HTMLElement) el.focus();
+      openerRef.current = null;
+    }
+  }, [open, ref]);
+
+  useEffect(() => {
+    if (!open) return;
+    const handler = (e: KeyboardEvent): void => {
+      if (e.key === "Escape") {
+        e.preventDefault();
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      const panel = ref.current;
+      if (!panel) return;
+      const nodes = Array.from(panel.querySelectorAll<HTMLElement>(FOCUSABLE)).filter(
+        (el) => !el.hasAttribute("disabled"),
+      );
+      if (!nodes.length) return;
+      const first = nodes[0];
+      const last = nodes[nodes.length - 1];
+      if (!first || !last) return;
+      if (e.shiftKey) {
+        if (document.activeElement === first) {
+          e.preventDefault();
+          last.focus();
+        }
+      } else {
+        if (document.activeElement === last) {
+          e.preventDefault();
+          first.focus();
+        }
+      }
+    };
+    document.addEventListener("keydown", handler);
+    return () => document.removeEventListener("keydown", handler);
+  }, [open, ref, onClose]);
+}
+
+function SectionHead({ label }: { label: string }): JSX.Element {
+  return (
+    <span
+      style={{
+        display: "block",
+        fontSize: "var(--text-xs)",
+        fontWeight: 600,
+        textTransform: "uppercase",
+        letterSpacing: "0.07em",
+        color: "var(--text-2)",
+        marginBottom: "var(--space-2)",
+      }}
+    >
+      {label}
+    </span>
+  );
+}
+
+function BenchmarkPanel({ renewal }: { renewal: Renewal }): JSX.Element {
+  const delta = renewal.benchmarkDelta;
+  const market = renewal.annualValueUsd;
+  const you = delta !== null ? Math.round(market * (1 + delta / 100)) : market;
+  const color = delta === null ? "var(--text-muted)" : delta > 0 ? "var(--danger)" : "var(--success)";
+  const label = delta === null ? "No data" : `${delta > 0 ? "+" : ""}${delta}% vs market`;
+
+  const maxVal = Math.max(you, market) || 1;
+  const youPct = Math.round((you / maxVal) * 100);
+  const marketPct = Math.round((market / maxVal) * 100);
+
+  return (
+    <section aria-labelledby="wb-benchmark">
+      <SectionHead label="Benchmark delta" />
+      <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+        <div>
+          <div
+            style={{
+              display: "flex",
+              justifyContent: "space-between",
+              fontSize: "var(--text-xs)",
+              color: "var(--text-2)",
+              marginBottom: 4,
+            }}
+          >
+            <span>You</span>
+            <span style={{ fontFamily: "var(--font-mono)", color: "var(--text)" }}>{formatUsd(you)}</span>
+          </div>
+          <div
+            style={{
+              height: 8,
+              borderRadius: 4,
+              background: "var(--surface-3)",
+              overflow: "hidden",
+            }}
+          >
+            <div style={{ height: "100%", width: `${youPct}%`, background: color, borderRadius: 4 }} />
+          </div>
+        </div>
+        <div>
+          <div
+            style={{
+              display: "flex",
+              justifyContent: "space-between",
+              fontSize: "var(--text-xs)",
+              color: "var(--text-2)",
+              marginBottom: 4,
+            }}
+          >
+            <span>Market</span>
+            <span style={{ fontFamily: "var(--font-mono)", color: "var(--text)" }}>{formatUsd(market)}</span>
+          </div>
+          <div
+            style={{
+              height: 8,
+              borderRadius: 4,
+              background: "var(--surface-3)",
+              overflow: "hidden",
+            }}
+          >
+            <div
+              style={{
+                height: "100%",
+                width: `${marketPct}%`,
+                background: "var(--text-muted)",
+                borderRadius: 4,
+              }}
+            />
+          </div>
+        </div>
+        <span style={{ fontSize: "var(--text-sm)", fontWeight: 600, color }}>{label}</span>
+      </div>
+    </section>
+  );
+}
+
+function UsagePanel({ renewal }: { renewal: Renewal }): JSX.Element {
+  const total = Math.round(renewal.annualValueUsd / 1200);
+  const active = Math.round(total * 0.58);
+  const unused = total - active;
+  const recoverable = Math.round((unused / total) * renewal.annualValueUsd);
+  const pct = Math.round((active / Math.max(total, 1)) * 100);
+
+  return (
+    <section aria-labelledby="wb-usage">
+      <SectionHead label="Usage & waste" />
+      <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+        <div
+          style={{
+            display: "flex",
+            justifyContent: "space-between",
+            fontSize: "var(--text-xs)",
+            color: "var(--text-2)",
+            marginBottom: 4,
+          }}
+        >
+          <span>
+            {active} of {total} seats active
+          </span>
+          <span>{pct}%</span>
+        </div>
+        <div
+          style={{
+            height: 8,
+            borderRadius: 4,
+            background: "var(--surface-3)",
+            overflow: "hidden",
+          }}
+        >
+          <div
+            style={{
+              height: "100%",
+              width: `${pct}%`,
+              background: pct < 60 ? "var(--warning)" : "var(--success)",
+              borderRadius: 4,
+            }}
+          />
+        </div>
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+          Recoverable:{" "}
+          <span style={{ fontFamily: "var(--font-mono)", color: "var(--success)", fontWeight: 600 }}>
+            {formatUsd(recoverable)}
+          </span>{" "}
+          if you cancel {unused} unused seats
+        </p>
+      </div>
+    </section>
+  );
+}
+
+function RecommendedPanel({ renewal }: { renewal: Renewal }): JSX.Element {
+  const delta = renewal.benchmarkDelta;
+  const negotiatePct = delta !== null && delta > 0 ? delta : 22;
+  const seatReduction = Math.round((renewal.annualValueUsd / 1200) * 0.42);
+  const counterAt = Math.round(renewal.annualValueUsd * (1 - negotiatePct / 100));
+  const walkAway = Math.round(renewal.annualValueUsd * 0.85);
+
+  return (
+    <section aria-labelledby="wb-recommend">
+      <SectionHead label="Recommended action" />
+      <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)", lineHeight: 1.6 }}>
+        Negotiate{" "}
+        <span style={{ fontWeight: 600, color: "var(--success)" }}>-{negotiatePct}%</span> with{" "}
+        {seatReduction}-seat reduction. Counter at{" "}
+        <span style={{ fontFamily: "var(--font-mono)", fontWeight: 600 }}>{formatUsd(counterAt)}</span>.
+        Walk-away at{" "}
+        <span style={{ fontFamily: "var(--font-mono)", fontWeight: 600 }}>{formatUsd(walkAway)}</span>.
+      </p>
+    </section>
+  );
+}
+
+export function Workbench({ renewal, onClose }: WorkbenchProps): JSX.Element {
+  const panelRef = useRef<HTMLDivElement | null>(null);
+  const [packetOpen, setPacketOpen] = useState(false);
+
+  useFocusTrap(true, panelRef, onClose);
+
+  const delta = renewal.benchmarkDelta;
+  const deltaColor = delta === null ? "var(--text-muted)" : delta > 0 ? "var(--danger)" : "var(--success)";
+  const deltaLabel = delta === null ? null : `${delta > 0 ? "+" : ""}${delta}% vs market`;
+
+  const portal = createPortal(
+    <>
+      <div
+        aria-hidden="true"
+        onClick={onClose}
+        style={{
+          position: "fixed",
+          inset: 0,
+          background: "rgba(15,23,42,0.4)",
+          zIndex: 300,
+        }}
+      />
+      <div
+        ref={panelRef}
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="workbench-title"
+        style={{
+          position: "fixed",
+          top: 0,
+          right: 0,
+          bottom: 0,
+          width: "min(480px, 100vw)",
+          background: "var(--surface)",
+          borderLeft: "1px solid var(--border)",
+          zIndex: 301,
+          display: "flex",
+          flexDirection: "column",
+          boxShadow: "var(--shadow-3)",
+          overflowY: "auto",
+        }}
+      >
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            gap: "var(--space-3)",
+            padding: "0 var(--space-5)",
+            height: 56,
+            borderBottom: "1px solid var(--border)",
+            flexShrink: 0,
+          }}
+        >
+          <VendorLogo name={renewal.vendorName} size={28} />
+          <h2
+            id="workbench-title"
+            style={{
+              flex: 1,
+              margin: 0,
+              fontSize: "var(--text-sm)",
+              fontWeight: 600,
+              color: "var(--text)",
+              overflow: "hidden",
+              textOverflow: "ellipsis",
+              whiteSpace: "nowrap",
+            }}
+          >
+            {renewal.vendorName} — Workbench
+          </h2>
+          {deltaLabel && (
+            <span
+              style={{
+                fontSize: "var(--text-xs)",
+                fontWeight: 600,
+                color: deltaColor,
+                fontFamily: "var(--font-mono)",
+              }}
+            >
+              {deltaLabel}
+            </span>
+          )}
+          <button
+            type="button"
+            onClick={onClose}
+            aria-label="Close workbench"
+            className="btn btn-ghost button-pop"
+            style={{ width: 36, height: 36, padding: 0, flexShrink: 0 }}
+          >
+            <X size={18} aria-hidden="true" />
+          </button>
+        </div>
+
+        <div
+          style={{
+            flex: 1,
+            padding: "var(--space-5)",
+            display: "flex",
+            flexDirection: "column",
+            gap: "var(--space-6)",
+          }}
+        >
+          <div
+            style={{
+              background: "var(--surface-2)",
+              borderRadius: "var(--radius-sm)",
+              padding: "var(--space-3) var(--space-4)",
+              fontSize: "var(--text-sm)",
+              color: "var(--text-2)",
+            }}
+          >
+            Renews {formatDate(renewal.renewsAt)} · {renewal.daysOut}d out ·{" "}
+            <span style={{ fontFamily: "var(--font-mono)" }}>
+              {formatUsd(renewal.annualValueUsd)}/yr
+            </span>
+          </div>
+
+          <BenchmarkPanel renewal={renewal} />
+          <UsagePanel renewal={renewal} />
+          <BlockersPanel vendorId={renewal.vendorId} />
+          <RecommendedPanel renewal={renewal} />
+          <section aria-label="Renegotiation packet">
+            <SectionHead label="Renegotiation packet" />
+            <button
+              type="button"
+              className="btn btn-primary button-pop"
+              style={{ height: 32, fontSize: "var(--text-xs)" }}
+              onClick={() => setPacketOpen(true)}
+            >
+              Open Renegotiation Packet
+            </button>
+          </section>
+        </div>
+      </div>
+    </>,
+    document.body,
+  );
+
+  return (
+    <>
+      {portal}
+      <RenegotiationPacket
+        vendorId={renewal.vendorId}
+        open={packetOpen}
+        onClose={() => setPacketOpen(false)}
+      />
+    </>
+  );
+}
diff --git a/apps/web/src/components/renewals/api.ts b/apps/web/src/components/renewals/api.ts
new file mode 100644
index 0000000..b29c070
--- /dev/null
+++ b/apps/web/src/components/renewals/api.ts
@@ -0,0 +1,65 @@
+import type { Renewal, RenewalStatus } from "@unsyphn/shared";
+import { DEMO_BEARER_TOKEN } from "../../lib/api.js";
+
+export interface RenewalsResponse {
+  renewals: Renewal[];
+}
+
+export interface RenewalResponse {
+  renewal: Renewal;
+}
+
+export interface RenewalPatchBody {
+  column?: RenewalStatus;
+  ownerId?: string;
+  declined?: boolean;
+  autoRenewed?: boolean;
+}
+
+function bearer(): string {
+  if (typeof window === "undefined") return DEMO_BEARER_TOKEN;
+  return window.localStorage.getItem("unsyphn:bearer") ?? DEMO_BEARER_TOKEN;
+}
+
+export async function fetchRenewals(days: number): Promise<Renewal[]> {
+  const resp = await fetch(`/v1/renewals?days=${days}`, {
+    headers: { Authorization: `Bearer ${bearer()}` },
+  });
+  if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+  const data = (await resp.json()) as RenewalsResponse;
+  return data.renewals;
+}
+
+export async function postRenewalStatus(
+  id: string,
+  column: RenewalStatus,
+): Promise<Renewal> {
+  const resp = await fetch(`/v1/renewals/${encodeURIComponent(id)}/status`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${bearer()}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({ column }),
+  });
+  if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+  const data = (await resp.json()) as RenewalResponse;
+  return data.renewal;
+}
+
+export async function patchRenewal(
+  id: string,
+  patch: RenewalPatchBody,
+): Promise<Renewal> {
+  const resp = await fetch(`/v1/renewals/${encodeURIComponent(id)}`, {
+    method: "PATCH",
+    headers: {
+      Authorization: `Bearer ${bearer()}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(patch),
+  });
+  if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+  const data = (await resp.json()) as RenewalResponse;
+  return data.renewal;
+}
diff --git a/apps/web/src/components/renewals/ics.ts b/apps/web/src/components/renewals/ics.ts
new file mode 100644
index 0000000..3215438
--- /dev/null
+++ b/apps/web/src/components/renewals/ics.ts
@@ -0,0 +1,96 @@
+import type { Renewal } from "@unsyphn/shared";
+
+// Minimal RFC 5545 .ics generator. CRLF line endings are mandatory; some
+// calendar clients reject LF-only feeds. Skips line folding (75-char limit)
+// because hackathon entries fit comfortably.
+
+const CRLF = "\r\n";
+
+function pad(n: number): string {
+  return n < 10 ? `0${n}` : String(n);
+}
+
+function toIcsDate(d: Date): string {
+  return `${d.getUTCFullYear()}${pad(d.getUTCMonth() + 1)}${pad(d.getUTCDate())}`;
+}
+
+function toIcsDateTime(d: Date): string {
+  return `${toIcsDate(d)}T${pad(d.getUTCHours())}${pad(d.getUTCMinutes())}${pad(
+    d.getUTCSeconds(),
+  )}Z`;
+}
+
+function escapeText(s: string): string {
+  return s
+    .replace(/\\/g, "\\\\")
+    .replace(/;/g, "\\;")
+    .replace(/,/g, "\\,")
+    .replace(/\r?\n/g, "\\n");
+}
+
+function formatUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+function renewalUid(r: Renewal): string {
+  return `${r.id}@unsyphn.app`;
+}
+
+function renewalEvent(r: Renewal, dtStamp: string): string[] {
+  const renews = new Date(r.renewsAt);
+  if (!Number.isFinite(renews.getTime())) return [];
+  const start = new Date(renews.getTime() - 30 * 86_400_000);
+  const summary = `Renewal: ${r.vendorName} — ${formatUsd(r.annualValueUsd)}/yr`;
+  const description = `Review terms, prep negotiation. Renews ${
+    r.renewsAt
+  }, ${r.daysOut}d out. ${formatUsd(r.annualValueUsd)}/yr.`;
+
+  return [
+    "BEGIN:VEVENT",
+    `UID:${renewalUid(r)}`,
+    `DTSTAMP:${dtStamp}`,
+    `DTSTART;VALUE=DATE:${toIcsDate(start)}`,
+    `DTEND;VALUE=DATE:${toIcsDate(renews)}`,
+    `SUMMARY:${escapeText(summary)}`,
+    `DESCRIPTION:${escapeText(description)}`,
+    `ORGANIZER;CN=${escapeText(r.ownerEmail)}:mailto:${r.ownerEmail}`,
+    `ATTENDEE;CN=${escapeText(r.ownerEmail)};RSVP=FALSE:mailto:${r.ownerEmail}`,
+    "STATUS:CONFIRMED",
+    "END:VEVENT",
+  ];
+}
+
+export function buildIcs(renewals: ReadonlyArray<Renewal>, now: Date = new Date()): string {
+  const dtStamp = toIcsDateTime(now);
+  const lines: string[] = [
+    "BEGIN:VCALENDAR",
+    "VERSION:2.0",
+    "PRODID:-//UNSYPHN//Renewals//EN",
+    "CALSCALE:GREGORIAN",
+    "METHOD:PUBLISH",
+  ];
+  for (const r of renewals) {
+    lines.push(...renewalEvent(r, dtStamp));
+  }
+  lines.push("END:VCALENDAR");
+  return lines.join(CRLF) + CRLF;
+}
+
+export function downloadIcs(
+  renewals: ReadonlyArray<Renewal>,
+  filename = "renewals.ics",
+): void {
+  if (typeof window === "undefined") return;
+  const text = buildIcs(renewals);
+  const blob = new Blob([text], { type: "text/calendar;charset=utf-8" });
+  const url = URL.createObjectURL(blob);
+  const a = document.createElement("a");
+  a.href = url;
+  a.download = filename;
+  document.body.appendChild(a);
+  a.click();
+  document.body.removeChild(a);
+  setTimeout(() => URL.revokeObjectURL(url), 1000);
+}
diff --git a/apps/web/src/components/requests/ApprovalChain.tsx b/apps/web/src/components/requests/ApprovalChain.tsx
new file mode 100644
index 0000000..bdf7791
--- /dev/null
+++ b/apps/web/src/components/requests/ApprovalChain.tsx
@@ -0,0 +1,132 @@
+import { ChevronRight } from "lucide-react";
+import type { RequestDto } from "./types.js";
+
+interface Props {
+  request: RequestDto;
+}
+
+interface ChainStep {
+  label: string;
+  sublabel: string;
+  state: "done" | "current" | "pending";
+}
+
+function chainSteps(request: RequestDto): ChainStep[] {
+  const submitter: ChainStep = {
+    label: request.requesterName,
+    sublabel: "Submitter",
+    state: "done",
+  };
+  const finalLabel = request.approverName ?? "Approver";
+  const finalSublabel = request.status === "pending" ? "Approver" : "Final approval";
+
+  if (request.status === "routed") {
+    const routedTo = request.routeTo ?? "review";
+    return [
+      submitter,
+      { label: routedTo.charAt(0).toUpperCase() + routedTo.slice(1), sublabel: "Routed review", state: "current" },
+      { label: finalLabel, sublabel: finalSublabel, state: "pending" },
+    ];
+  }
+
+  if (request.status === "pending") {
+    return [
+      submitter,
+      { label: finalLabel, sublabel: "Awaiting decision", state: "current" },
+      { label: "Done", sublabel: "Final approval", state: "pending" },
+    ];
+  }
+
+  return [
+    submitter,
+    { label: finalLabel, sublabel: request.status === "approved" ? "Approved" : "Rejected", state: "done" },
+    { label: request.status === "approved" ? "Approved" : "Rejected", sublabel: "Final", state: "done" },
+  ];
+}
+
+function colorsFor(state: ChainStep["state"]): { bg: string; border: string; color: string; glow: string } {
+  if (state === "current") {
+    return {
+      bg: "var(--accent-soft)",
+      border: "1px solid var(--accent)",
+      color: "var(--accent)",
+      glow: "0 0 0 3px rgba(94,106,210,0.18)",
+    };
+  }
+  if (state === "done") {
+    return {
+      bg: "var(--surface)",
+      border: "1px solid var(--border)",
+      color: "var(--text-strong)",
+      glow: "none",
+    };
+  }
+  return {
+    bg: "var(--surface)",
+    border: "1px dashed var(--border)",
+    color: "var(--text-muted)",
+    glow: "none",
+  };
+}
+
+export function ApprovalChain({ request }: Props): JSX.Element {
+  const steps = chainSteps(request);
+  return (
+    <ol
+      aria-label="Approval chain"
+      style={{
+        listStyle: "none",
+        margin: 0,
+        padding: 0,
+        display: "flex",
+        alignItems: "center",
+        gap: "var(--space-1)",
+        flexWrap: "wrap",
+      }}
+    >
+      {steps.map((step, idx) => {
+        const c = colorsFor(step.state);
+        const dotSize = 10;
+        return (
+          <li key={`${step.label}-${idx}`} style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-1)" }}>
+            <span
+              style={{
+                display: "inline-flex",
+                alignItems: "center",
+                gap: 6,
+                fontSize: "var(--text-xs)",
+                color: c.color,
+                background: c.bg,
+                border: c.border,
+                padding: "2px var(--space-2)",
+                borderRadius: "var(--radius-full)",
+                boxShadow: c.glow,
+                lineHeight: 1.2,
+                height: 22,
+                whiteSpace: "nowrap",
+              }}
+            >
+              <span
+                aria-hidden="true"
+                style={{
+                  width: dotSize,
+                  height: dotSize,
+                  borderRadius: "50%",
+                  background: step.state === "current" ? "var(--accent)" : step.state === "done" ? "var(--text-2)" : "var(--text-muted)",
+                  flexShrink: 0,
+                }}
+              />
+              <span>
+                <strong style={{ fontWeight: 500 }}>{step.label}</strong>
+                <span style={{ color: "var(--text-muted)", marginLeft: 4 }}>· {step.sublabel}</span>
+              </span>
+            </span>
+            {idx < steps.length - 1 && (
+              <ChevronRight size={14} aria-hidden="true" style={{ color: "var(--text-muted)", flexShrink: 0 }} />
+            )}
+          </li>
+        );
+      })}
+    </ol>
+  );
+}
diff --git a/apps/web/src/components/requests/CommentThread.tsx b/apps/web/src/components/requests/CommentThread.tsx
new file mode 100644
index 0000000..0c67af3
--- /dev/null
+++ b/apps/web/src/components/requests/CommentThread.tsx
@@ -0,0 +1,123 @@
+import { useState } from "react";
+import type { RequestComment } from "./types.js";
+
+interface Props {
+  comments: RequestComment[];
+  busy?: boolean;
+  onSubmit: (text: string) => Promise<void> | void;
+}
+
+function relativeTime(iso: string, now = Date.now()): string {
+  const diff = now - Date.parse(iso);
+  if (diff < 60_000) return "just now";
+  if (diff < 3_600_000) return `${Math.round(diff / 60_000)}m ago`;
+  if (diff < 86_400_000) return `${Math.round(diff / 3_600_000)}h ago`;
+  const days = Math.round(diff / 86_400_000);
+  return days === 1 ? "1d ago" : `${days}d ago`;
+}
+
+function Avatar({ letter }: { letter: string }): JSX.Element {
+  return (
+    <span
+      aria-hidden="true"
+      style={{
+        width: 28,
+        height: 28,
+        borderRadius: "50%",
+        background: "var(--accent-soft)",
+        color: "var(--accent)",
+        fontSize: "var(--text-xs)",
+        fontWeight: 600,
+        display: "inline-flex",
+        alignItems: "center",
+        justifyContent: "center",
+        flexShrink: 0,
+      }}
+    >
+      {letter}
+    </span>
+  );
+}
+
+export function CommentThread({ comments, busy, onSubmit }: Props): JSX.Element {
+  const [draft, setDraft] = useState("");
+  const [showAll, setShowAll] = useState(false);
+  const visible = showAll ? comments : comments.slice(-3);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    const trimmed = draft.trim();
+    if (!trimmed || busy) return;
+    try {
+      await onSubmit(trimmed);
+      setDraft("");
+    } catch {
+      // Parent surfaces an error toast; keep the draft so the user can retry.
+    }
+  };
+
+  return (
+    <div role="region" aria-label="Comments" style={{ display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+      {comments.length > 3 && !showAll && (
+        <button
+          type="button"
+          className="btn btn-ghost button-pop"
+          onClick={() => setShowAll(true)}
+          style={{ alignSelf: "flex-start", height: 28, fontSize: "var(--text-xs)" }}
+        >
+          Show all {comments.length} comments
+        </button>
+      )}
+      {visible.length === 0 ? (
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>
+          No comments yet.
+        </p>
+      ) : (
+        <ul className="stagger-children" style={{ listStyle: "none", margin: 0, padding: 0, display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+          {visible.map((c) => (
+            <li key={c.id} className="fade-up" style={{ display: "flex", gap: "var(--space-2)", alignItems: "flex-start" }}>
+              <Avatar letter={c.authorLetter} />
+              <div style={{ flex: 1, minWidth: 0 }}>
+                <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", marginBottom: 2 }}>
+                  <span style={{ fontSize: "var(--text-sm)", fontWeight: 500, color: "var(--text-strong)" }}>
+                    {c.authorName}
+                  </span>
+                  <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+                    {relativeTime(c.at)}
+                  </span>
+                </div>
+                <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text)", lineHeight: 1.5 }}>
+                  {c.text}
+                </p>
+              </div>
+            </li>
+          ))}
+        </ul>
+      )}
+      <form onSubmit={handleSubmit} style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+        <label htmlFor="cmt-input" className="visually-hidden" style={{ position: "absolute", width: 1, height: 1, overflow: "hidden", clip: "rect(0 0 0 0)" }}>
+          Add a comment
+        </label>
+        <textarea
+          id="cmt-input"
+          className="input focus-glow"
+          value={draft}
+          onChange={(e) => setDraft(e.target.value)}
+          placeholder="Add a comment..."
+          rows={2}
+          style={{ height: "auto", resize: "vertical", minHeight: 60 }}
+        />
+        <div style={{ display: "flex", justifyContent: "flex-end" }}>
+          <button
+            type="submit"
+            className="btn btn-secondary button-pop"
+            disabled={busy || draft.trim().length === 0}
+            style={{ height: 32, fontSize: "var(--text-xs)" }}
+          >
+            {busy ? "Posting..." : "Post comment"}
+          </button>
+        </div>
+      </form>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/requests/NewRequestDrawer.tsx b/apps/web/src/components/requests/NewRequestDrawer.tsx
new file mode 100644
index 0000000..3b66c79
--- /dev/null
+++ b/apps/web/src/components/requests/NewRequestDrawer.tsx
@@ -0,0 +1,264 @@
+import { useCallback, useEffect, useRef, useState } from "react";
+import { Drawer } from "../Drawer.js";
+import { createRequest, RequestsApiError } from "./api.js";
+import type { RequestDto } from "./types.js";
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  onCreated: (req: RequestDto) => void;
+}
+
+interface FormState {
+  vendorName: string;
+  category: string;
+  expectedSpendUsd: string;
+  justification: string;
+}
+
+const DEFAULT_FORM: FormState = {
+  vendorName: "",
+  category: "devtools",
+  expectedSpendUsd: "",
+  justification: "",
+};
+
+const CATEGORY_OPTIONS = [
+  "devtools",
+  "productivity",
+  "communication",
+  "analytics",
+  "security",
+  "observability",
+  "infrastructure",
+  "data",
+  "compliance",
+  "contracts",
+  "dpa",
+  "payments",
+  "spend",
+] as const;
+
+const SIMILAR_TOOLS: Record<string, ReadonlyArray<{ name: string; category: string }>> = {
+  linear: [{ name: "Asana", category: "Productivity" }],
+  monday: [
+    { name: "Asana", category: "Productivity" },
+    { name: "Jira", category: "Engineering" },
+  ],
+  vercel: [
+    { name: "Netlify", category: "Hosting" },
+    { name: "AWS Amplify", category: "Hosting" },
+  ],
+};
+
+const labelStyle: React.CSSProperties = {
+  display: "block",
+  fontSize: "var(--text-sm)",
+  color: "var(--text-2)",
+  marginBottom: "var(--space-1)",
+};
+
+interface FieldErrors {
+  vendorName?: string;
+  expectedSpendUsd?: string;
+  justification?: string;
+}
+
+function validate(form: FormState): FieldErrors {
+  const errors: FieldErrors = {};
+  if (form.vendorName.trim().length < 2) {
+    errors.vendorName = "Vendor name is required (at least 2 characters).";
+  }
+  const spend = Number(form.expectedSpendUsd);
+  if (!Number.isFinite(spend) || spend < 0) {
+    errors.expectedSpendUsd = "Expected spend must be 0 or greater.";
+  }
+  if (form.justification.trim().length < 20) {
+    errors.justification = "Justification must be at least 20 characters.";
+  }
+  return errors;
+}
+
+export function NewRequestDrawer({ open, onClose, onCreated }: Props): JSX.Element {
+  const [form, setForm] = useState<FormState>(DEFAULT_FORM);
+  const [matches, setMatches] = useState<ReadonlyArray<{ name: string; category: string }>>([]);
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [serverError, setServerError] = useState<string | null>(null);
+  const timerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+  const onVendorChange = useCallback((v: string) => {
+    setForm((p) => ({ ...p, vendorName: v }));
+    if (timerRef.current) clearTimeout(timerRef.current);
+    timerRef.current = setTimeout(() => {
+      setMatches(SIMILAR_TOOLS[v.trim().toLowerCase()] ?? []);
+    }, 300);
+  }, []);
+
+  useEffect(
+    () => () => {
+      if (timerRef.current) clearTimeout(timerRef.current);
+    },
+    [],
+  );
+
+  const handleClose = useCallback(() => {
+    setForm(DEFAULT_FORM);
+    setMatches([]);
+    setErrors({});
+    setServerError(null);
+    onClose();
+  }, [onClose]);
+
+  const handleSubmit = useCallback(
+    async (e: React.FormEvent) => {
+      e.preventDefault();
+      const validation = validate(form);
+      setErrors(validation);
+      if (Object.keys(validation).length > 0) return;
+      setSubmitting(true);
+      setServerError(null);
+      try {
+        const created = await createRequest({
+          vendorName: form.vendorName.trim(),
+          category: form.category,
+          expectedSpendUsd: Number(form.expectedSpendUsd),
+          justification: form.justification.trim(),
+          similarTools: matches.map((m) => m.name),
+        });
+        onCreated(created);
+        handleClose();
+      } catch (err) {
+        const msg =
+          err instanceof RequestsApiError
+            ? err.message
+            : "Failed to submit request. Try again.";
+        setServerError(msg);
+      } finally {
+        setSubmitting(false);
+      }
+    },
+    [form, matches, onCreated, handleClose],
+  );
+
+  const field = (id: string, label: string, el: React.ReactNode, error?: string) => (
+    <div>
+      <label htmlFor={id} style={labelStyle}>
+        {label}
+      </label>
+      {el}
+      {error && (
+        <p
+          role="alert"
+          style={{ margin: "var(--space-1) 0 0", fontSize: "var(--text-xs)", color: "var(--danger)" }}
+        >
+          {error}
+        </p>
+      )}
+    </div>
+  );
+
+  return (
+    <Drawer open={open} onClose={handleClose} title="New request">
+      <form onSubmit={handleSubmit} style={{ display: "flex", flexDirection: "column", gap: "var(--space-4)" }} noValidate>
+        {field(
+          "req-vendor",
+          "Vendor name",
+          <>
+            <input
+              id="req-vendor"
+              className="input focus-glow"
+              type="text"
+              value={form.vendorName}
+              onChange={(e) => onVendorChange(e.target.value)}
+              placeholder="e.g. Linear"
+              aria-invalid={errors.vendorName ? true : undefined}
+            />
+            {matches.length > 0 && (
+              <div
+                style={{
+                  marginTop: "var(--space-2)",
+                  padding: "var(--space-3)",
+                  background: "rgba(217,119,6,0.06)",
+                  border: "1px solid rgba(217,119,6,0.20)",
+                  borderRadius: "var(--radius-md)",
+                  fontSize: "var(--text-sm)",
+                  color: "var(--text-2)",
+                }}
+              >
+                <div style={{ fontWeight: 500, color: "var(--warning)", marginBottom: "var(--space-1)" }}>
+                  Similar tools you may already own:
+                </div>
+                <ul style={{ margin: 0, paddingLeft: "var(--space-4)" }}>
+                  {matches.map((t) => (
+                    <li key={t.name}>
+                      {t.name} ({t.category})
+                    </li>
+                  ))}
+                </ul>
+                <div style={{ marginTop: "var(--space-1)", color: "var(--text-muted)", fontStyle: "italic" }}>
+                  Consider consolidating before approving.
+                </div>
+              </div>
+            )}
+          </>,
+          errors.vendorName,
+        )}
+        {field(
+          "req-category",
+          "Category",
+          <select
+            id="req-category"
+            className="input focus-glow"
+            value={form.category}
+            onChange={(e) => setForm((p) => ({ ...p, category: e.target.value }))}
+          >
+            {CATEGORY_OPTIONS.map((c) => (
+              <option key={c} value={c}>
+                {c.charAt(0).toUpperCase() + c.slice(1)}
+              </option>
+            ))}
+          </select>,
+        )}
+        {field(
+          "req-spend",
+          "Expected annual spend ($)",
+          <input
+            id="req-spend"
+            className="input focus-glow"
+            type="number"
+            min={0}
+            value={form.expectedSpendUsd}
+            onChange={(e) => setForm((p) => ({ ...p, expectedSpendUsd: e.target.value }))}
+            placeholder="12000"
+            aria-invalid={errors.expectedSpendUsd ? true : undefined}
+          />,
+          errors.expectedSpendUsd,
+        )}
+        {field(
+          "req-justification",
+          "Business justification",
+          <textarea
+            id="req-justification"
+            className="input focus-glow"
+            value={form.justification}
+            onChange={(e) => setForm((p) => ({ ...p, justification: e.target.value }))}
+            placeholder="Describe why this tool is needed..."
+            rows={4}
+            style={{ height: "auto", resize: "vertical" }}
+            aria-invalid={errors.justification ? true : undefined}
+          />,
+          errors.justification,
+        )}
+        {serverError && (
+          <p role="alert" style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--danger)" }}>
+            {serverError}
+          </p>
+        )}
+        <button type="submit" className="btn btn-primary button-pop" style={{ alignSelf: "flex-start" }} disabled={submitting}>
+          {submitting ? "Submitting..." : "Submit request"}
+        </button>
+      </form>
+    </Drawer>
+  );
+}
diff --git a/apps/web/src/components/requests/RequestRow.tsx b/apps/web/src/components/requests/RequestRow.tsx
new file mode 100644
index 0000000..a675c02
--- /dev/null
+++ b/apps/web/src/components/requests/RequestRow.tsx
@@ -0,0 +1,288 @@
+import { useState } from "react";
+import { AlertTriangle, ChevronDown, ChevronUp, MessageSquare, ShieldAlert } from "lucide-react";
+import { VendorLogo } from "../VendorLogo.js";
+import { ApprovalChain } from "./ApprovalChain.js";
+import { SlaChip } from "./SlaChip.js";
+import { CommentThread } from "./CommentThread.js";
+import { RouteForReviewPanel } from "./RouteForReviewPanel.js";
+import type { RequestDto, RouteTarget } from "./types.js";
+
+interface Props {
+  request: RequestDto;
+  busy: boolean;
+  onApprove: (id: string, originEl?: HTMLElement) => void;
+  onReject: (id: string) => void;
+  onRoute: (id: string, target: RouteTarget, note?: string) => void;
+  onReopen: (id: string) => void;
+  onRecall: (id: string) => void;
+  onConvert: (req: RequestDto) => void;
+  onComment: (id: string, text: string) => Promise<void> | void;
+  defaultExpanded?: boolean;
+}
+
+function relativeDays(iso: string): string {
+  const d = Math.floor((Date.now() - Date.parse(iso)) / 86_400_000);
+  if (d <= 0) return "today";
+  if (d === 1) return "1d ago";
+  return `${d}d ago`;
+}
+
+function spendLabel(n: number): string {
+  if (n >= 1000) return `$${Math.round(n / 1000)}k/yr`;
+  return `$${n}/yr`;
+}
+
+function statusBadge(status: RequestDto["status"]): { className: string; label: string } {
+  if (status === "approved") return { className: "badge badge-success", label: "Approved" };
+  if (status === "rejected") return { className: "badge badge-danger", label: "Rejected" };
+  if (status === "routed") return { className: "badge badge-neutral", label: "Routed for review" };
+  return { className: "badge badge-warning", label: "Pending" };
+}
+
+export function RequestRow({
+  request,
+  busy,
+  onApprove,
+  onReject,
+  onRoute,
+  onReopen,
+  onRecall,
+  onConvert,
+  onComment,
+  defaultExpanded = false,
+}: Props): JSX.Element {
+  const [expanded, setExpanded] = useState(defaultExpanded);
+  const [routePanelOpen, setRoutePanelOpen] = useState(false);
+  const [commentBusy, setCommentBusy] = useState(false);
+
+  const status = statusBadge(request.status);
+  const showChain =
+    request.status === "pending" || request.status === "routed";
+
+  const handleSubmitComment = async (text: string) => {
+    setCommentBusy(true);
+    try {
+      await onComment(request.id, text);
+    } finally {
+      setCommentBusy(false);
+    }
+  };
+
+  return (
+    <article
+      className="card glass-soft row-hover"
+      style={{
+        padding: "var(--space-4) var(--space-5)",
+        marginBottom: "var(--space-3)",
+      }}
+    >
+      <div style={{ display: "flex", alignItems: "flex-start", gap: "var(--space-3)" }}>
+        <VendorLogo name={request.vendorName} size={36} />
+        <div style={{ flex: 1, minWidth: 0 }}>
+          <div
+            style={{
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "space-between",
+              gap: "var(--space-3)",
+              marginBottom: "var(--space-1)",
+              flexWrap: "wrap",
+            }}
+          >
+            <span
+              style={{
+                fontFamily: "var(--font-display)",
+                fontWeight: 500,
+                fontSize: "var(--text-base)",
+                color: "var(--text-strong)",
+              }}
+            >
+              {request.vendorName}
+            </span>
+            <div style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-2)" }}>
+              {request.autoEscalated && (
+                <span
+                  className="badge badge-danger"
+                  style={{ display: "inline-flex", alignItems: "center", gap: 4, textTransform: "none", letterSpacing: 0 }}
+                >
+                  <ShieldAlert size={11} aria-hidden="true" />
+                  Auto-escalated
+                </span>
+              )}
+              <SlaChip request={request} />
+              <span className={status.className}>{status.label}</span>
+            </div>
+          </div>
+
+          <div
+            style={{
+              fontSize: "var(--text-sm)",
+              color: "var(--text-2)",
+              marginBottom: "var(--space-1)",
+            }}
+          >
+            Requested by {request.requesterName} ({request.requesterEmail}) ·{" "}
+            {relativeDays(request.createdAt)} · {request.category}
+          </div>
+          <div
+            style={{
+              fontSize: "var(--text-sm)",
+              fontWeight: 500,
+              color: "var(--text)",
+              marginBottom: "var(--space-1)",
+            }}
+          >
+            {spendLabel(request.expectedSpendUsd)}
+          </div>
+          {request.justification && (
+            <div
+              style={{
+                fontSize: "var(--text-sm)",
+                fontStyle: "italic",
+                color: "var(--text-muted)",
+                marginBottom: "var(--space-2)",
+              }}
+            >
+              &ldquo;{request.justification}&rdquo;
+            </div>
+          )}
+          {request.similarTools.length > 0 && (
+            <div
+              className="badge badge-warning"
+              style={{
+                display: "inline-flex",
+                alignItems: "center",
+                gap: "var(--space-1)",
+                height: "auto",
+                padding: "var(--space-1) var(--space-2)",
+                marginBottom: "var(--space-3)",
+                textTransform: "none",
+                letterSpacing: 0,
+                fontSize: "var(--text-xs)",
+              }}
+            >
+              <AlertTriangle size={12} aria-hidden="true" />
+              Similar tools you own: {request.similarTools.join(", ")}
+            </div>
+          )}
+
+          {showChain && (
+            <div style={{ marginBottom: "var(--space-3)" }}>
+              <ApprovalChain request={request} />
+            </div>
+          )}
+
+          {/* Action row */}
+          <div style={{ display: "flex", gap: "var(--space-2)", flexWrap: "wrap", alignItems: "center" }}>
+            {request.status === "pending" && (
+              <>
+                <button
+                  type="button"
+                  className="btn btn-primary button-pop"
+                  onClick={(e) => onApprove(request.id, e.currentTarget)}
+                  disabled={busy}
+                  style={{ height: 32 }}
+                >
+                  Approve
+                </button>
+                <button
+                  type="button"
+                  className="btn btn-secondary button-pop"
+                  onClick={() => onReject(request.id)}
+                  disabled={busy}
+                  style={{ height: 32 }}
+                >
+                  Reject
+                </button>
+                <button
+                  type="button"
+                  className="btn btn-ghost button-pop"
+                  onClick={() => setRoutePanelOpen((v) => !v)}
+                  disabled={busy}
+                  style={{ height: 32 }}
+                >
+                  Route for review
+                </button>
+              </>
+            )}
+            {request.status === "approved" && (
+              <button
+                type="button"
+                className="btn btn-secondary button-pop"
+                onClick={() => onConvert(request)}
+                disabled={busy}
+                style={{ height: 32 }}
+              >
+                Convert to vendor
+              </button>
+            )}
+            {request.status === "rejected" && (
+              <button
+                type="button"
+                className="btn btn-secondary button-pop"
+                onClick={() => onReopen(request.id)}
+                disabled={busy}
+                style={{ height: 32 }}
+              >
+                Re-open
+              </button>
+            )}
+            {request.status === "routed" && (
+              <button
+                type="button"
+                className="btn btn-secondary button-pop"
+                onClick={() => onRecall(request.id)}
+                disabled={busy}
+                style={{ height: 32 }}
+              >
+                Recall
+              </button>
+            )}
+            <button
+              type="button"
+              className="btn btn-ghost button-pop"
+              onClick={() => setExpanded((v) => !v)}
+              aria-expanded={expanded}
+              aria-controls={`comments-${request.id}`}
+              style={{ height: 32, marginLeft: "auto", display: "inline-flex", alignItems: "center", gap: 4 }}
+            >
+              <MessageSquare size={14} aria-hidden="true" />
+              {request.comments.length}
+              {expanded ? <ChevronUp size={14} aria-hidden="true" /> : <ChevronDown size={14} aria-hidden="true" />}
+            </button>
+          </div>
+
+          {routePanelOpen && request.status === "pending" && (
+            <div style={{ marginTop: "var(--space-3)" }}>
+              <RouteForReviewPanel
+                busy={busy}
+                onSubmit={async (target, note) => {
+                  await onRoute(request.id, target, note);
+                  setRoutePanelOpen(false);
+                }}
+                onCancel={() => setRoutePanelOpen(false)}
+              />
+            </div>
+          )}
+
+          {expanded && (
+            <div
+              id={`comments-${request.id}`}
+              style={{
+                marginTop: "var(--space-3)",
+                paddingTop: "var(--space-3)",
+                borderTop: "1px solid var(--border)",
+              }}
+            >
+              <CommentThread
+                comments={request.comments}
+                busy={commentBusy}
+                onSubmit={handleSubmitComment}
+              />
+            </div>
+          )}
+        </div>
+      </div>
+    </article>
+  );
+}
diff --git a/apps/web/src/components/requests/RouteForReviewPanel.tsx b/apps/web/src/components/requests/RouteForReviewPanel.tsx
new file mode 100644
index 0000000..2a30aca
--- /dev/null
+++ b/apps/web/src/components/requests/RouteForReviewPanel.tsx
@@ -0,0 +1,79 @@
+import { useState } from "react";
+import { ROUTE_TARGETS, type RouteTarget } from "./types.js";
+
+interface Props {
+  busy?: boolean;
+  onSubmit: (target: RouteTarget, note?: string) => Promise<void> | void;
+  onCancel: () => void;
+}
+
+const TARGET_LABELS: Record<RouteTarget, string> = {
+  legal: "Legal",
+  security: "Security",
+  finance: "Finance",
+  procurement: "Procurement",
+  it: "IT",
+  audit: "Audit",
+};
+
+export function RouteForReviewPanel({ busy, onSubmit, onCancel }: Props): JSX.Element {
+  const [target, setTarget] = useState<RouteTarget>("legal");
+  const [note, setNote] = useState("");
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (busy) return;
+    const trimmed = note.trim();
+    await onSubmit(target, trimmed.length > 0 ? trimmed : undefined);
+  };
+
+  return (
+    <form
+      onSubmit={handleSubmit}
+      style={{
+        background: "var(--surface-2)",
+        border: "1px solid var(--border)",
+        borderRadius: "var(--radius-md)",
+        padding: "var(--space-3) var(--space-4)",
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-3)",
+      }}
+    >
+      <div style={{ display: "flex", gap: "var(--space-3)", flexWrap: "wrap", alignItems: "flex-end" }}>
+        <label style={{ display: "flex", flexDirection: "column", gap: 4, fontSize: "var(--text-xs)", color: "var(--text-2)" }}>
+          Route to
+          <select
+            className="input focus-glow"
+            value={target}
+            onChange={(e) => setTarget(e.target.value as RouteTarget)}
+            style={{ height: 34, minWidth: 160 }}
+          >
+            {ROUTE_TARGETS.map((t) => (
+              <option key={t} value={t}>{TARGET_LABELS[t]}</option>
+            ))}
+          </select>
+        </label>
+        <label style={{ flex: 1, display: "flex", flexDirection: "column", gap: 4, fontSize: "var(--text-xs)", color: "var(--text-2)", minWidth: 200 }}>
+          Note (optional)
+          <input
+            className="input focus-glow"
+            type="text"
+            value={note}
+            onChange={(e) => setNote(e.target.value)}
+            placeholder="Why does this need review?"
+            style={{ height: 34 }}
+          />
+        </label>
+      </div>
+      <div style={{ display: "flex", gap: "var(--space-2)" }}>
+        <button type="submit" className="btn btn-primary button-pop" disabled={busy} style={{ height: 32, fontSize: "var(--text-xs)" }}>
+          {busy ? "Routing..." : `Route to ${TARGET_LABELS[target]}`}
+        </button>
+        <button type="button" className="btn btn-ghost button-pop" onClick={onCancel} disabled={busy} style={{ height: 32, fontSize: "var(--text-xs)" }}>
+          Cancel
+        </button>
+      </div>
+    </form>
+  );
+}
diff --git a/apps/web/src/components/requests/SlaChip.tsx b/apps/web/src/components/requests/SlaChip.tsx
new file mode 100644
index 0000000..6df6d1d
--- /dev/null
+++ b/apps/web/src/components/requests/SlaChip.tsx
@@ -0,0 +1,62 @@
+import { Clock, AlertOctagon } from "lucide-react";
+import type { RequestDto } from "./types.js";
+
+interface Props {
+  request: RequestDto;
+  now?: number;
+}
+
+function formatHours(ms: number): string {
+  const hours = Math.abs(Math.round(ms / 3_600_000));
+  if (hours < 1) return "<1h";
+  if (hours < 48) return `${hours}h`;
+  const days = Math.round(hours / 24);
+  return `${days}d`;
+}
+
+export function SlaChip({ request, now = Date.now() }: Props): JSX.Element | null {
+  if (request.status !== "pending" && request.status !== "routed") return null;
+  const dueMs = Date.parse(request.slaDueAt);
+  const diff = dueMs - now;
+  const overdue = diff < 0;
+  const urgent = !overdue && diff < 12 * 3_600_000;
+
+  const bg = overdue
+    ? "rgba(220,38,38,0.10)"
+    : urgent
+    ? "rgba(217,119,6,0.10)"
+    : "rgba(100,116,139,0.10)";
+  const color = overdue ? "var(--danger)" : urgent ? "var(--warning)" : "var(--text-2)";
+  const border = overdue
+    ? "1px solid rgba(220,38,38,0.25)"
+    : urgent
+    ? "1px solid rgba(217,119,6,0.25)"
+    : "1px solid var(--border)";
+  const Icon = overdue ? AlertOctagon : Clock;
+  const label = overdue
+    ? `Overdue by ${formatHours(diff)}`
+    : `Decision in ${formatHours(diff)}`;
+
+  return (
+    <span
+      aria-label={label}
+      style={{
+        display: "inline-flex",
+        alignItems: "center",
+        gap: 4,
+        fontSize: "var(--text-xs)",
+        fontWeight: 500,
+        color,
+        background: bg,
+        border,
+        padding: "2px var(--space-2)",
+        borderRadius: "var(--radius-full)",
+        height: 22,
+        whiteSpace: "nowrap",
+      }}
+    >
+      <Icon size={11} aria-hidden="true" />
+      {label}
+    </span>
+  );
+}
diff --git a/apps/web/src/components/requests/Toast.tsx b/apps/web/src/components/requests/Toast.tsx
new file mode 100644
index 0000000..91d0444
--- /dev/null
+++ b/apps/web/src/components/requests/Toast.tsx
@@ -0,0 +1,32 @@
+export type ToastVariant = "success" | "error";
+
+export interface ToastState {
+  message: string;
+  variant: ToastVariant;
+}
+
+export function Toast({ message, variant }: ToastState): JSX.Element {
+  return (
+    <div
+      role="status"
+      aria-live="polite"
+      style={{
+        position: "fixed",
+        bottom: "var(--space-6)",
+        left: "50%",
+        transform: "translateX(-50%)",
+        background: variant === "success" ? "var(--success)" : "var(--danger)",
+        color: "#fff",
+        padding: "var(--space-2) var(--space-5)",
+        borderRadius: "var(--radius-full)",
+        fontSize: "var(--text-sm)",
+        fontWeight: 500,
+        zIndex: 500,
+        whiteSpace: "nowrap",
+        boxShadow: "var(--shadow-3)",
+      }}
+    >
+      {message}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/requests/api.ts b/apps/web/src/components/requests/api.ts
new file mode 100644
index 0000000..6fa0108
--- /dev/null
+++ b/apps/web/src/components/requests/api.ts
@@ -0,0 +1,109 @@
+import { DEMO_BEARER_TOKEN } from "../../lib/api.js";
+import type {
+  RequestDto,
+  RequestSingleResponse,
+  RequestsListResponse,
+  RequestStatus,
+  RouteTarget,
+  StatusFilter,
+} from "./types.js";
+
+interface ApiErrorShape {
+  error: { code: string; message: string };
+}
+
+class RequestsApiError extends Error {
+  public readonly code: string;
+  public readonly status: number;
+  constructor(status: number, code: string, message: string) {
+    super(message);
+    this.name = "RequestsApiError";
+    this.code = code;
+    this.status = status;
+  }
+}
+
+async function send<T>(path: string, init: RequestInit = {}): Promise<T> {
+  const headers = new Headers(init.headers);
+  headers.set("Authorization", `Bearer ${DEMO_BEARER_TOKEN}`);
+  if (init.body && !headers.has("Content-Type")) {
+    headers.set("Content-Type", "application/json");
+  }
+  const resp = await fetch(path, { ...init, headers });
+  const text = await resp.text();
+  const json = text ? (JSON.parse(text) as unknown) : undefined;
+  if (!resp.ok) {
+    const envelope = json as ApiErrorShape | undefined;
+    const code = envelope?.error?.code ?? "internal";
+    const message = envelope?.error?.message ?? `Request failed with ${resp.status}`;
+    throw new RequestsApiError(resp.status, code, message);
+  }
+  return json as T;
+}
+
+export interface ListRequestsParams {
+  status: StatusFilter;
+  lens?: string;
+}
+
+export async function listRequests(params: ListRequestsParams): Promise<RequestDto[]> {
+  const search = new URLSearchParams();
+  if (params.status !== "all") search.set("status", params.status);
+  if (params.lens) search.set("lens", params.lens);
+  const qs = search.toString();
+  const data = await send<RequestsListResponse>(`/v1/requests${qs ? `?${qs}` : ""}`);
+  return data.requests;
+}
+
+export interface CreateRequestBody {
+  vendorName: string;
+  category: string;
+  expectedSpendUsd: number;
+  justification: string;
+  similarTools: string[];
+}
+
+export async function createRequest(body: CreateRequestBody): Promise<RequestDto> {
+  const data = await send<RequestSingleResponse>("/v1/requests", {
+    method: "POST",
+    body: JSON.stringify(body),
+  });
+  return data.request;
+}
+
+export interface DecisionBody {
+  status: RequestStatus;
+  note?: string;
+  routeTo?: RouteTarget;
+}
+
+export async function decideRequest(id: string, body: DecisionBody): Promise<RequestDto> {
+  const data = await send<RequestSingleResponse>(
+    `/v1/requests/${encodeURIComponent(id)}/decision`,
+    {
+      method: "POST",
+      body: JSON.stringify(body),
+    },
+  );
+  return data.request;
+}
+
+export async function getRequest(id: string): Promise<RequestDto> {
+  const data = await send<RequestSingleResponse>(
+    `/v1/requests/${encodeURIComponent(id)}`,
+  );
+  return data.request;
+}
+
+export async function addRequestComment(id: string, text: string): Promise<RequestDto> {
+  const data = await send<RequestSingleResponse>(
+    `/v1/requests/${encodeURIComponent(id)}/comments`,
+    {
+      method: "POST",
+      body: JSON.stringify({ text }),
+    },
+  );
+  return data.request;
+}
+
+export { RequestsApiError };
diff --git a/apps/web/src/components/requests/types.ts b/apps/web/src/components/requests/types.ts
new file mode 100644
index 0000000..7aa995a
--- /dev/null
+++ b/apps/web/src/components/requests/types.ts
@@ -0,0 +1,62 @@
+// Mirrors RequestDto in apps/api/src/routes/requests.ts. The widened `status`
+// type (includes "routed") differs from shared/IntakeRequest, which is why we
+// keep this local instead of importing from @unsyphn/shared.
+
+export type RequestStatus = "pending" | "approved" | "rejected" | "routed";
+
+export type RouteTarget =
+  | "legal"
+  | "security"
+  | "finance"
+  | "procurement"
+  | "it"
+  | "audit";
+
+export const ROUTE_TARGETS: ReadonlyArray<RouteTarget> = [
+  "legal",
+  "security",
+  "finance",
+  "procurement",
+  "it",
+  "audit",
+];
+
+export interface RequestComment {
+  id: string;
+  by: string;
+  at: string;
+  text: string;
+  authorName: string;
+  authorLetter: string;
+}
+
+export interface RequestDto {
+  id: string;
+  vendorName: string;
+  requesterEmail: string;
+  expectedSpendUsd: number;
+  justification: string;
+  status: RequestStatus;
+  similarTools: string[];
+  createdAt: string;
+  category: string;
+  comments: RequestComment[];
+  requesterId: string;
+  requesterName: string;
+  approverId?: string;
+  approverName?: string;
+  decidedAt?: string;
+  routeTo?: RouteTarget;
+  autoEscalated: boolean;
+  slaDueAt: string;
+}
+
+export interface RequestsListResponse {
+  requests: RequestDto[];
+}
+
+export interface RequestSingleResponse {
+  request: RequestDto;
+}
+
+export type StatusFilter = "pending" | "routed" | "approved" | "rejected" | "all";
diff --git a/apps/web/src/components/vendor-detail/ActivityTab.tsx b/apps/web/src/components/vendor-detail/ActivityTab.tsx
new file mode 100644
index 0000000..f35ead9
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/ActivityTab.tsx
@@ -0,0 +1,179 @@
+import { useEffect, useMemo, useState } from "react";
+import { AlertCircle, CheckSquare, Clock, FileDown, FileText, Plug, RefreshCw, Send, Share2, Shield } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import { ApiError, getVendorActivity, type VendorActivityEvent, type TeamMember } from "../../lib/api.js";
+import { relTime } from "./utils.js";
+
+interface Props {
+  vendor: Vendor;
+  members: TeamMember[];
+  onError: (msg: string) => void;
+}
+
+type FilterKey = "all" | "changes" | "approvals" | "contracts" | "integrations";
+
+const FILTERS: ReadonlyArray<{ id: FilterKey; label: string }> = [
+  { id: "all", label: "All" },
+  { id: "changes", label: "Changes" },
+  { id: "approvals", label: "Approvals" },
+  { id: "contracts", label: "Contracts" },
+  { id: "integrations", label: "Integrations" },
+];
+
+function bucketFor(kind: string): FilterKey {
+  if (kind.startsWith("change.")) return "changes";
+  if (kind === "change.escalated" || kind === "vendor.patch") return "approvals";
+  if (kind.startsWith("contract.")) return "contracts";
+  if (kind === "scan.triggered") return "integrations";
+  return "all";
+}
+
+function iconFor(kind: string): React.ElementType {
+  if (kind === "change.detected") return AlertCircle;
+  if (kind === "change.acknowledged") return CheckSquare;
+  if (kind === "change.resolved") return CheckSquare;
+  if (kind === "change.snoozed") return Clock;
+  if (kind === "change.escalated") return Shield;
+  if (kind === "contract.upload") return FileText;
+  if (kind === "vendor.patch") return RefreshCw;
+  if (kind === "packet.generated") return Send;
+  if (kind === "scan.triggered") return Plug;
+  return AlertCircle;
+}
+
+export function ActivityTab({ vendor, members, onError }: Props): JSX.Element {
+  const [events, setEvents] = useState<VendorActivityEvent[] | null>(null);
+  const [latestChangeId, setLatestChangeId] = useState<string | null>(null);
+  const [filter, setFilter] = useState<FilterKey>("all");
+
+  useEffect(() => {
+    let cancelled = false;
+    getVendorActivity(vendor.id)
+      .then((r) => {
+        if (cancelled) return;
+        setEvents(r.events);
+        setLatestChangeId(r.latestChangeId);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setEvents([]);
+        if (err instanceof ApiError) onError(err.message);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendor.id, onError]);
+
+  const memberById = useMemo(() => {
+    const m = new Map<string, TeamMember>();
+    for (const u of members) m.set(u.id, u);
+    return m;
+  }, [members]);
+
+  const filtered = useMemo(() => {
+    if (!events) return [];
+    if (filter === "all") return events;
+    return events.filter((e) => bucketFor(e.kind) === filter);
+  }, [events, filter]);
+
+  function actorLabel(actor: string): string {
+    if (actor === "system") return "system";
+    return memberById.get(actor)?.name ?? actor;
+  }
+
+  function exportBundle(): void {
+    if (!latestChangeId) {
+      onError("No change report yet — nothing to bundle.");
+      return;
+    }
+    window.open(`/v1/evidence/${encodeURIComponent(latestChangeId)}/bundle.html`, "_blank", "noopener,noreferrer");
+  }
+
+  return (
+    <div className="fade-up" style={{ display: "flex", flexDirection: "column", gap: "var(--space-4)" }}>
+      <div style={{ display: "flex", gap: "var(--space-2)", flexWrap: "wrap", alignItems: "center" }}>
+        <div role="tablist" aria-label="Activity filter" style={{ display: "flex", gap: "var(--space-1)" }}>
+          {FILTERS.map((f) => (
+            <button
+              key={f.id}
+              type="button"
+              role="tab"
+              aria-selected={filter === f.id}
+              onClick={() => setFilter(f.id)}
+              className={`${filter === f.id ? "badge badge-accent" : "badge badge-neutral"} button-pop`}
+              style={{ cursor: "pointer", border: filter === f.id ? "none" : "1px solid var(--border)" }}
+            >
+              {f.label}
+            </button>
+          ))}
+        </div>
+        <button
+          type="button"
+          className="btn btn-secondary button-pop"
+          onClick={exportBundle}
+          disabled={!latestChangeId}
+          style={{ marginLeft: "auto", fontSize: "var(--text-xs)" }}
+        >
+          <FileDown size={13} aria-hidden="true" /> Export evidence bundle
+        </button>
+      </div>
+
+      {events === null ? (
+        <div style={{ padding: "var(--space-4)", color: "var(--text-muted)", fontSize: "var(--text-sm)" }} aria-live="polite" aria-busy>
+          Loading activity…
+        </div>
+      ) : filtered.length === 0 ? (
+        <div className="card glass-soft fade-up" style={{ padding: "var(--space-7)", textAlign: "center" }}>
+          <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>No activity in this view yet.</p>
+        </div>
+      ) : (
+        <div className="glass fade-up" style={{ display: "flex", flexDirection: "column", borderRadius: 12, padding: "var(--space-2) var(--space-3)" }}>
+          {filtered.map((e, idx) => {
+            const Icon = iconFor(e.kind);
+            return (
+              <div
+                key={e.id}
+                className="row-hover"
+                style={{
+                  display: "flex",
+                  gap: "var(--space-3)",
+                  padding: "var(--space-3) var(--space-1)",
+                  borderBottom: idx < filtered.length - 1 ? "1px solid var(--border)" : "none",
+                  borderRadius: 6,
+                }}
+              >
+                <div
+                  style={{
+                    width: 28,
+                    height: 28,
+                    borderRadius: "var(--radius-full)",
+                    background: "var(--surface-2)",
+                    border: "1px solid var(--border)",
+                    display: "flex",
+                    alignItems: "center",
+                    justifyContent: "center",
+                    flexShrink: 0,
+                  }}
+                >
+                  <Icon size={13} aria-hidden="true" style={{ color: "var(--text-2)" }} />
+                </div>
+                <div style={{ flex: 1, display: "flex", flexDirection: "column", gap: 2, minWidth: 0 }}>
+                  <span style={{ fontSize: "var(--text-sm)", color: "var(--text)", fontWeight: 500 }}>{e.title}</span>
+                  <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+                    {e.actor !== "system" ? `${actorLabel(e.actor)} · ` : ""}
+                    {relTime(e.occurredAt)}
+                  </span>
+                  {e.detail && e.kind === "change.escalated" && (
+                    <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>
+                      Jira: {String((e.detail as { jiraKey?: string }).jiraKey ?? "—")} · Slack: {String((e.detail as { slackChannel?: string }).slackChannel ?? "—")}
+                    </span>
+                  )}
+                </div>
+              </div>
+            );
+          })}
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/ChangeFeedTab.tsx b/apps/web/src/components/vendor-detail/ChangeFeedTab.tsx
new file mode 100644
index 0000000..4660aef
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/ChangeFeedTab.tsx
@@ -0,0 +1,100 @@
+import { useEffect, useState } from "react";
+import { Activity, CheckSquare } from "lucide-react";
+import type { ChangeCategory, Materiality } from "@unsyphn/shared";
+import { DEMO_BEARER_TOKEN } from "../../lib/api.js";
+import { DiffViewer } from "../DiffViewer.js";
+
+interface FeedChange {
+  id: string;
+  vendorId: string;
+  title: string;
+  summary: string;
+  severity: string;
+  occurredAt: string;
+  category: string;
+  diff?: { before: string; after: string };
+  citations?: Array<{ url?: string; fetchedAt?: string }>;
+}
+
+export function ChangeFeedTab({ vendorId }: { vendorId: string }): JSX.Element {
+  const [changes, setChanges] = useState<FeedChange[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    fetch(`/v1/changes/feed?vendorId=${encodeURIComponent(vendorId)}`, {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<{ changes: FeedChange[] }>;
+      })
+      .then(({ changes: data }) => {
+        if (!cancelled) {
+          setChanges(data);
+          setLoading(false);
+        }
+      })
+      .catch(() => {
+        if (!cancelled) {
+          setError("Failed to load change feed.");
+          setLoading(false);
+        }
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendorId]);
+
+  if (loading)
+    return (
+      <div style={{ padding: "var(--space-4)", color: "var(--text-muted)", fontSize: "var(--text-sm)" }} aria-live="polite" aria-busy>
+        Loading changes…
+      </div>
+    );
+  if (error) return <span className="badge badge-danger">{error}</span>;
+  if (changes.length === 0)
+    return (
+      <div className="card glass-soft fade-up" style={{ padding: "var(--space-7)", textAlign: "center" }}>
+        <CheckSquare size={24} aria-hidden="true" style={{ color: "var(--success)", display: "block", margin: "0 auto var(--space-2)" }} />
+        <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+          No material changes detected. Continuous monitoring is active.
+        </p>
+      </div>
+    );
+
+  const mapped = changes.map((ch) => {
+    const out: {
+      id: string;
+      category: ChangeCategory;
+      summary: string;
+      before?: string;
+      after?: string;
+      materiality: Materiality;
+      citations?: Array<{ url?: string; fetchedAt?: string }>;
+    } = {
+      id: ch.id,
+      category: ch.category as ChangeCategory,
+      summary: ch.title,
+      materiality: (ch.severity === "P1" ? "material" : ch.severity === "P2" ? "minor" : "cosmetic") as Materiality,
+    };
+    if (ch.diff?.before !== undefined) out.before = ch.diff.before;
+    if (ch.diff?.after !== undefined) out.after = ch.diff.after;
+    if (ch.citations) out.citations = ch.citations.map((c) => ({ url: c.url, fetchedAt: c.fetchedAt }));
+    return out;
+  });
+
+  return (
+    <div className="fade-up" style={{ display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", marginBottom: "var(--space-1)" }}>
+        <Activity size={14} aria-hidden="true" style={{ color: "var(--success)" }} />
+        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+          Continuous monitoring active · {changes.length} change{changes.length !== 1 ? "s" : ""} detected
+        </span>
+      </div>
+      <DiffViewer changes={mapped} />
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/ContractsTab.tsx b/apps/web/src/components/vendor-detail/ContractsTab.tsx
new file mode 100644
index 0000000..767975c
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/ContractsTab.tsx
@@ -0,0 +1,290 @@
+import { useCallback, useEffect, useRef, useState } from "react";
+import { Download, FileText, Loader2, Upload, X } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import {
+  ApiError,
+  downloadContract,
+  listVendorContracts,
+  uploadVendorContract,
+  type ContractSummary,
+} from "../../lib/api.js";
+import { hashSeed, relTime } from "./utils.js";
+
+interface Props {
+  vendor: Vendor;
+  onUploadComplete: () => void;
+  onError: (msg: string) => void;
+}
+
+const CLAUSE_TEMPLATES: ReadonlyArray<{ title: string; body: string }> = [
+  { title: "Auto-renewal", body: "Auto-renews for successive 12-month terms unless cancelled 60 days before period end." },
+  { title: "Termination notice", body: "Either party may terminate with 30 days written notice for material breach." },
+  { title: "Indemnification cap", body: "Each party's liability is capped at fees paid in the trailing 12 months ($50K floor)." },
+  { title: "Most-favored-nation", body: "Vendor warrants that pricing is no less favorable than any comparable customer of similar size." },
+  { title: "Data residency", body: "Customer data is processed in US-East and EU-West regions with no cross-region replication." },
+  { title: "Sub-processor changes", body: "Vendor provides 30 days advance notice of any new sub-processor with a right to object." },
+  { title: "Security audit", body: "Customer may audit vendor SOC 2 controls annually with 14 days notice." },
+  { title: "Service credits", body: "<99.9% uptime triggers credits up to 25% of monthly fee, applied to next invoice." },
+  { title: "Price hike notice", body: "Renewal price increases require 90 days advance written notice." },
+  { title: "Data deletion", body: "On termination, vendor purges all customer data within 30 days and certifies in writing." },
+];
+
+function fmtBytes(n: number): string {
+  if (n < 1024) return `${n} B`;
+  if (n < 1_048_576) return `${(n / 1024).toFixed(1)} KB`;
+  return `${(n / 1_048_576).toFixed(1)} MB`;
+}
+
+function fmtDate(iso: string): string {
+  try {
+    return new Date(iso).toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" });
+  } catch {
+    return iso;
+  }
+}
+
+async function fileToBase64(file: File): Promise<string> {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => {
+      const result = reader.result;
+      if (typeof result !== "string") return reject(new Error("Unexpected reader result"));
+      const idx = result.indexOf(",");
+      resolve(idx >= 0 ? result.slice(idx + 1) : result);
+    };
+    reader.onerror = () => reject(reader.error ?? new Error("File read failed"));
+    reader.readAsDataURL(file);
+  });
+}
+
+function pickClauses(vendorId: string): typeof CLAUSE_TEMPLATES {
+  const rand = hashSeed(vendorId);
+  const pool = [...CLAUSE_TEMPLATES];
+  const picked: typeof CLAUSE_TEMPLATES = [] as unknown as typeof CLAUSE_TEMPLATES;
+  const count = 4;
+  while ((picked as unknown[]).length < count && pool.length > 0) {
+    const idx = Math.floor(rand() * pool.length);
+    (picked as unknown as Array<{ title: string; body: string }>).push(pool[idx]!);
+    pool.splice(idx, 1);
+  }
+  return picked;
+}
+
+export function ContractsTab({ vendor, onUploadComplete, onError }: Props): JSX.Element {
+  const [contracts, setContracts] = useState<ContractSummary[] | null>(null);
+  const [uploading, setUploading] = useState(false);
+  const [downloadingId, setDownloadingId] = useState<string | null>(null);
+  const [clauseDrawerFor, setClauseDrawerFor] = useState<ContractSummary | null>(null);
+  const fileInput = useRef<HTMLInputElement | null>(null);
+
+  const refresh = useCallback(async () => {
+    try {
+      const { contracts: list } = await listVendorContracts(vendor.id);
+      setContracts(list);
+    } catch (err) {
+      setContracts([]);
+      if (err instanceof ApiError) onError(err.message);
+    }
+  }, [vendor.id, onError]);
+
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+
+  async function handleFile(file: File): Promise<void> {
+    setUploading(true);
+    try {
+      const contentBase64 = await fileToBase64(file);
+      await uploadVendorContract(vendor.id, {
+        filename: file.name,
+        sizeBytes: file.size,
+        contentBase64,
+      });
+      await refresh();
+      onUploadComplete();
+    } catch (err) {
+      if (err instanceof ApiError) onError(err.message);
+      else onError("Upload failed. Try again.");
+    } finally {
+      setUploading(false);
+      if (fileInput.current) fileInput.current.value = "";
+    }
+  }
+
+  function onChange(e: React.ChangeEvent<HTMLInputElement>): void {
+    const f = e.target.files?.[0];
+    if (f) void handleFile(f);
+  }
+
+  async function handleDownload(c: ContractSummary): Promise<void> {
+    setDownloadingId(c.id);
+    let objectUrl: string | null = null;
+    try {
+      const blob = await downloadContract(vendor.id, c.id);
+      objectUrl = URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = objectUrl;
+      a.download = c.filename;
+      document.body.appendChild(a);
+      a.click();
+      a.remove();
+    } catch (err) {
+      if (err instanceof ApiError) onError(err.message);
+      else onError("Download failed. Try again.");
+    } finally {
+      if (objectUrl) URL.revokeObjectURL(objectUrl);
+      setDownloadingId(null);
+    }
+  }
+
+  const clauses = clauseDrawerFor ? pickClauses(vendor.id + clauseDrawerFor.id) : [];
+
+  return (
+    <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-4)" }}>
+      {contracts === null ? (
+        <div style={{ padding: "var(--space-4)", color: "var(--text-muted)", fontSize: "var(--text-sm)" }} aria-live="polite" aria-busy>
+          Loading contracts…
+        </div>
+      ) : contracts.length === 0 ? (
+        <div className="card glass-soft fade-up" style={{ padding: "var(--space-7)", textAlign: "center" }}>
+          <FileText size={28} aria-hidden="true" style={{ color: "var(--text-muted)", display: "block", margin: "0 auto var(--space-3)" }} />
+          <h3 style={{ margin: "0 0 var(--space-2)", fontSize: "var(--text-base)", fontWeight: 600, color: "var(--text)" }}>
+            No contracts uploaded yet
+          </h3>
+          <p style={{ margin: "0 0 var(--space-4)", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            Upload an MSA or DPA to track terms, auto-renew dates, and key clauses.
+          </p>
+          <button
+            type="button"
+            className="btn btn-primary button-pop"
+            onClick={() => fileInput.current?.click()}
+            disabled={uploading}
+          >
+            <Upload size={13} aria-hidden="true" /> {uploading ? "Uploading…" : "Upload your first contract"}
+          </button>
+        </div>
+      ) : (
+        <>
+          <ul className="stagger-children" style={{ margin: 0, padding: 0, listStyle: "none", display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+            {contracts.map((c) => (
+              <li
+                key={c.id}
+                className="card glass row-hover"
+                style={{ padding: "var(--space-4)", display: "flex", alignItems: "center", gap: "var(--space-3)" }}
+              >
+                <FileText size={18} aria-hidden="true" style={{ color: "var(--accent)", flexShrink: 0 }} />
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{ fontWeight: 600, fontSize: "var(--text-sm)", color: "var(--text)", overflow: "hidden", textOverflow: "ellipsis", whiteSpace: "nowrap" }}>
+                    {c.filename}
+                  </div>
+                  <div style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+                    {fmtBytes(c.sizeBytes)} · uploaded {fmtDate(c.uploadedAt)} ({relTime(c.uploadedAt)}) by {c.uploadedBy}
+                  </div>
+                </div>
+                <button type="button" className="btn btn-ghost button-pop" onClick={() => setClauseDrawerFor(c)} style={{ fontSize: "var(--text-xs)" }}>
+                  View clauses
+                </button>
+                <button
+                  type="button"
+                  className="btn btn-ghost button-pop"
+                  onClick={() => void handleDownload(c)}
+                  disabled={downloadingId === c.id}
+                  aria-label={`Download ${c.filename}`}
+                  style={{ fontSize: "var(--text-xs)", display: "inline-flex", alignItems: "center", gap: 6 }}
+                >
+                  {downloadingId === c.id ? (
+                    <Loader2 size={13} aria-hidden="true" className="spin" />
+                  ) : (
+                    <Download size={13} aria-hidden="true" />
+                  )}
+                  {downloadingId === c.id ? "Downloading…" : "Download"}
+                </button>
+              </li>
+            ))}
+          </ul>
+          <button
+            type="button"
+            className="btn btn-secondary button-pop"
+            onClick={() => fileInput.current?.click()}
+            disabled={uploading}
+            style={{ alignSelf: "flex-start" }}
+          >
+            <Upload size={13} aria-hidden="true" /> {uploading ? "Uploading…" : "Upload contract"}
+          </button>
+        </>
+      )}
+
+      <input
+        ref={fileInput}
+        type="file"
+        accept=".pdf,.docx,application/pdf,application/vnd.openxmlformats-officedocument.wordprocessingml.document"
+        onChange={onChange}
+        style={{ display: "none" }}
+        aria-hidden="true"
+      />
+
+      {clauseDrawerFor && (
+        <ClauseDrawer
+          contract={clauseDrawerFor}
+          clauses={clauses}
+          onClose={() => setClauseDrawerFor(null)}
+        />
+      )}
+    </div>
+  );
+}
+
+interface DrawerProps {
+  contract: ContractSummary;
+  clauses: ReadonlyArray<{ title: string; body: string }>;
+  onClose: () => void;
+}
+
+function ClauseDrawer({ contract, clauses, onClose }: DrawerProps): JSX.Element {
+  return (
+    <>
+      <div
+        aria-hidden="true"
+        onClick={onClose}
+        style={{ position: "fixed", inset: 0, background: "rgba(15,23,42,0.4)", zIndex: 400 }}
+      />
+      <div
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="clause-drawer-title"
+        className="glass-strong slide-in-right"
+        style={{
+          position: "fixed",
+          top: 0,
+          right: 0,
+          bottom: 0,
+          width: "min(440px,100vw)",
+          borderLeft: "1px solid var(--border)",
+          zIndex: 401,
+          display: "flex",
+          flexDirection: "column",
+          boxShadow: "var(--shadow-3)",
+        }}
+      >
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-3)", padding: "0 var(--space-5)", height: 56, borderBottom: "1px solid var(--border)" }}>
+          <h2 id="clause-drawer-title" style={{ flex: 1, margin: 0, fontSize: "var(--text-sm)", fontWeight: 600 }}>
+            Extracted clauses · {contract.filename}
+          </h2>
+          <button type="button" className="btn btn-ghost button-pop" onClick={onClose} aria-label="Close clause drawer" style={{ width: 32, height: 32, padding: 0 }}>
+            <X size={16} aria-hidden="true" />
+          </button>
+        </div>
+        <div style={{ flex: 1, overflowY: "auto", padding: "var(--space-5)", display: "flex", flexDirection: "column", gap: "var(--space-4)" }}>
+          {clauses.map((c) => (
+            <div key={c.title} style={{ borderLeft: "3px solid var(--accent)", paddingLeft: "var(--space-3)" }}>
+              <div style={{ fontSize: "var(--text-xs)", textTransform: "uppercase", letterSpacing: "0.06em", color: "var(--text-muted)", fontWeight: 600 }}>
+                {c.title}
+              </div>
+              <div style={{ fontSize: "var(--text-sm)", color: "var(--text)", lineHeight: 1.5, marginTop: 4 }}>{c.body}</div>
+            </div>
+          ))}
+        </div>
+      </div>
+    </>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/Header.tsx b/apps/web/src/components/vendor-detail/Header.tsx
new file mode 100644
index 0000000..e33cbb5
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/Header.tsx
@@ -0,0 +1,202 @@
+import { useRef, useState } from "react";
+import { ArrowLeft, ChevronDown, Pencil } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import { VendorLogo } from "../VendorLogo.js";
+import { Popover, PopoverItem } from "./Popover.js";
+import { daysUntil, displayPosture, postureClass, postureLabel } from "./utils.js";
+import type { TeamMember, VendorPatch } from "../../lib/api.js";
+
+interface Props {
+  vendor: Vendor;
+  members: TeamMember[];
+  onPatch: (patch: VendorPatch) => Promise<void>;
+}
+
+const TIERS: ReadonlyArray<1 | 2 | 3> = [1, 2, 3];
+const POSTURES: ReadonlyArray<"ok" | "watch" | "risk"> = ["ok", "watch", "risk"];
+
+export function Header({ vendor, members, onPatch }: Props): JSX.Element {
+  const [ownerOpen, setOwnerOpen] = useState(false);
+  const [tierOpen, setTierOpen] = useState(false);
+  const [postureOpen, setPostureOpen] = useState(false);
+
+  const ownerAnchor = useRef<HTMLButtonElement | null>(null);
+  const tierAnchor = useRef<HTMLButtonElement | null>(null);
+  const postureAnchor = useRef<HTMLButtonElement | null>(null);
+
+  const owner = members.find((m) => m.id === vendor.ownerId);
+  const ownerLabel = owner?.name ?? owner?.email ?? vendor.ownerId;
+  const tier = vendor.tier ?? 3;
+  const posture = displayPosture(vendor);
+  const days = daysUntil(vendor.contract?.renewsAt ?? vendor.renewalDate);
+
+  const homepage = vendor.urls?.homepage;
+  const homepageHost = homepage ? new URL(homepage).hostname.replace(/^www\./, "") : "";
+
+  async function pick<T>(field: keyof VendorPatch, value: T): Promise<void> {
+    await onPatch({ [field]: value } as VendorPatch);
+  }
+
+  return (
+    <>
+      <a
+        href="/app/vendors"
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          gap: "var(--space-1)",
+          fontSize: "var(--text-xs)",
+          color: "var(--text-muted)",
+          marginBottom: "var(--space-4)",
+          textDecoration: "none",
+        }}
+      >
+        <ArrowLeft size={12} aria-hidden="true" /> All vendors
+      </a>
+
+      <section
+        className="glass-strong fade-up"
+        style={{
+          display: "flex",
+          gap: "var(--space-5)",
+          alignItems: "flex-start",
+          marginBottom: "var(--space-5)",
+          padding: "var(--space-5)",
+          borderRadius: 12,
+        }}
+      >
+        <VendorLogo name={vendor.name} domain={homepageHost} size={64} />
+        <div style={{ flex: 1, minWidth: 0 }}>
+          <h1 className="h1" style={{ fontWeight: 600, marginBottom: "var(--space-1)" }}>
+            {vendor.name}
+          </h1>
+          <p style={{ margin: "0 0 var(--space-3) 0", fontSize: "var(--text-sm)", color: "var(--text-2)", display: "flex", alignItems: "center", gap: 6, flexWrap: "wrap" }}>
+            {homepage && (
+              <a href={homepage} target="_blank" rel="noopener noreferrer" style={{ color: "var(--text-2)" }}>
+                {homepageHost}
+              </a>
+            )}
+            <span aria-hidden="true">·</span>
+            <span>Owner:</span>
+            <span style={{ position: "relative", display: "inline-flex" }}>
+              <button
+                ref={ownerAnchor}
+                type="button"
+                className="btn btn-ghost button-pop"
+                onClick={() => setOwnerOpen((v) => !v)}
+                aria-haspopup="menu"
+                aria-expanded={ownerOpen}
+                style={{ height: 26, padding: "0 6px", display: "inline-flex", alignItems: "center", gap: 4, fontSize: "var(--text-sm)", fontWeight: 500, color: "var(--text)" }}
+              >
+                {ownerLabel}
+                <Pencil size={11} aria-hidden="true" />
+              </button>
+              <Popover open={ownerOpen} onClose={() => setOwnerOpen(false)} anchor={ownerAnchor} width={220}>
+                {members.length === 0 ? (
+                  <div style={{ padding: "8px 10px", fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>No team members</div>
+                ) : (
+                  members.map((m) => (
+                    <PopoverItem
+                      key={m.id}
+                      selected={m.id === vendor.ownerId}
+                      onClick={() => {
+                        setOwnerOpen(false);
+                        if (m.id !== vendor.ownerId) void pick("ownerId", m.id);
+                      }}
+                    >
+                      <span
+                        aria-hidden="true"
+                        style={{
+                          display: "inline-flex",
+                          alignItems: "center",
+                          justifyContent: "center",
+                          width: 22,
+                          height: 22,
+                          borderRadius: "50%",
+                          background: "var(--accent-soft)",
+                          color: "var(--accent)",
+                          fontSize: 11,
+                          fontWeight: 600,
+                        }}
+                      >
+                        {m.avatarLetter}
+                      </span>
+                      <span style={{ display: "flex", flexDirection: "column" }}>
+                        <span style={{ fontWeight: 500 }}>{m.name}</span>
+                        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>{m.email}</span>
+                      </span>
+                    </PopoverItem>
+                  ))
+                )}
+              </Popover>
+            </span>
+          </p>
+
+          <div style={{ display: "flex", gap: "var(--space-2)", flexWrap: "wrap", alignItems: "center" }}>
+            <span style={{ position: "relative", display: "inline-flex" }}>
+              <button
+                ref={tierAnchor}
+                type="button"
+                className="badge badge-neutral button-pop"
+                onClick={() => setTierOpen((v) => !v)}
+                aria-haspopup="menu"
+                aria-expanded={tierOpen}
+                style={{ cursor: "pointer", display: "inline-flex", alignItems: "center", gap: 4, border: "1px solid var(--border)" }}
+              >
+                Tier {tier}
+                <ChevronDown size={11} aria-hidden="true" />
+              </button>
+              <Popover open={tierOpen} onClose={() => setTierOpen(false)} anchor={tierAnchor} width={120}>
+                {TIERS.map((t) => (
+                  <PopoverItem
+                    key={t}
+                    selected={t === tier}
+                    onClick={() => {
+                      setTierOpen(false);
+                      if (t !== tier) void pick("tier", t);
+                    }}
+                  >
+                    Tier {t}
+                  </PopoverItem>
+                ))}
+              </Popover>
+            </span>
+            <span style={{ position: "relative", display: "inline-flex" }}>
+              <button
+                ref={postureAnchor}
+                type="button"
+                className={`${postureClass(posture)} button-pop`}
+                onClick={() => setPostureOpen((v) => !v)}
+                aria-haspopup="menu"
+                aria-expanded={postureOpen}
+                style={{ cursor: "pointer", display: "inline-flex", alignItems: "center", gap: 4, border: "none" }}
+              >
+                {postureLabel(posture)}
+                <ChevronDown size={11} aria-hidden="true" />
+              </button>
+              <Popover open={postureOpen} onClose={() => setPostureOpen(false)} anchor={postureAnchor} width={140}>
+                {POSTURES.map((p) => (
+                  <PopoverItem
+                    key={p}
+                    selected={p === vendor.posture}
+                    onClick={() => {
+                      setPostureOpen(false);
+                      if (p !== vendor.posture) void pick("posture", p);
+                    }}
+                  >
+                    {p}
+                  </PopoverItem>
+                ))}
+              </Popover>
+            </span>
+            {days !== null && (
+              <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+                {days > 0 ? `Renews in ${days}d` : `Renewed ${Math.abs(days)}d ago`}
+              </span>
+            )}
+          </div>
+        </div>
+      </section>
+    </>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/NextActionCard.tsx b/apps/web/src/components/vendor-detail/NextActionCard.tsx
new file mode 100644
index 0000000..d08e26b
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/NextActionCard.tsx
@@ -0,0 +1,54 @@
+import { Zap } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import { daysUntil, fmtUsd, hashSeed } from "./utils.js";
+
+export type TabId = "overview" | "spend" | "contracts" | "changes" | "risk" | "activity";
+
+interface Props {
+  vendor: Vendor;
+  changeCount: number;
+  onTab: (t: TabId) => void;
+}
+
+export function NextActionCard({ vendor, changeCount, onTab }: Props): JSX.Element {
+  const days = daysUntil(vendor.contract?.renewsAt ?? vendor.renewalDate);
+  const seatCount = vendor.contract?.seatCount ?? 0;
+  const annualSpend = vendor.contract?.annualSpendUsd ?? 0;
+
+  const rand = hashSeed(vendor.id);
+  const utilizationPct = 40 + Math.floor(rand() * 56);
+  const activeSeats = Math.round((seatCount * utilizationPct) / 100);
+  const unused = Math.max(0, seatCount - activeSeats);
+  const perSeat = seatCount > 0 ? Math.round(annualSpend / seatCount) : 0;
+  const recoverable = unused * perSeat;
+
+  const cta =
+    changeCount > 0
+      ? { badge: "Changes", label: `Acknowledge ${changeCount} change${changeCount !== 1 ? "s" : ""}`, tab: "changes" as TabId | null }
+      : days !== null && days <= 60
+        ? { badge: "Renewal", label: `Renewal in ${days}d — start packet`, tab: "contracts" as TabId | null }
+        : unused > 5
+          ? { badge: "Savings", label: `Reclaim ${unused} unused seats (${fmtUsd(recoverable)}/yr)`, tab: "spend" as TabId | null }
+          : { badge: "Monitor", label: "View inbox filtered to vendor", tab: null };
+
+  return (
+    <div className="card glass-strong lift-on-hover fade-up" style={{ padding: "var(--space-4)", display: "flex", flexDirection: "column", gap: "var(--space-3)", minWidth: 200, maxWidth: 240 }}>
+      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+        <Zap size={14} aria-hidden="true" style={{ color: "var(--warning)", flexShrink: 0 }} />
+        <span style={{ fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+          Next action
+        </span>
+      </div>
+      <span className="badge badge-accent" style={{ alignSelf: "flex-start" }}>{cta.badge}</span>
+      <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-2)", lineHeight: 1.5 }}>{cta.label}</p>
+      <button
+        type="button"
+        className="btn btn-primary button-pop"
+        style={{ alignSelf: "flex-start" }}
+        onClick={() => (cta.tab ? onTab(cta.tab) : window.location.assign(`/app/inbox?vendorId=${vendor.id}`))}
+      >
+        Take action
+      </button>
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/OverviewTab.tsx b/apps/web/src/components/vendor-detail/OverviewTab.tsx
new file mode 100644
index 0000000..2d1bd07
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/OverviewTab.tsx
@@ -0,0 +1,260 @@
+import { useEffect, useState } from "react";
+import { Clock, Plug, RefreshCw, Send, FileX2, Share2 } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import { DEMO_BEARER_TOKEN, patchVendor, triggerVendorScan } from "../../lib/api.js";
+import { daysUntil, fmtUsd, hashSeed, relTime } from "./utils.js";
+
+interface FeedChange {
+  id: string;
+  vendorId: string;
+  title: string;
+  severity: string;
+  occurredAt: string;
+}
+
+interface IntegrationLite {
+  id: string;
+  name: string;
+  slug: string;
+  category: "inbound" | "outbound";
+  connected: boolean;
+  iconColor?: string;
+  lastSyncedAt?: string;
+}
+
+interface Props {
+  vendor: Vendor;
+  changes: FeedChange[];
+  onOpenPacket: () => void;
+  onOpenShareAuditor: () => void;
+  onScan: (msg: string) => void;
+  onPostureChanged: (next: Vendor) => void;
+}
+
+function slugFromName(name: string): string {
+  return name.toLowerCase().replace(/[^a-z0-9]+/g, "");
+}
+
+function Tile({ label, value, sub }: { label: string; value: string; sub?: string }): JSX.Element {
+  return (
+    <div className="card glass-strong lift-on-hover" style={{ padding: "var(--space-4)", display: "flex", flexDirection: "column", gap: "var(--space-1)" }}>
+      <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", textTransform: "uppercase", letterSpacing: "0.06em" }}>{label}</span>
+      <span style={{ fontFamily: "var(--font-mono)", fontWeight: 600, fontSize: "var(--text-2xl)", color: "var(--text)", lineHeight: 1.1 }}>{value}</span>
+      {sub && <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>{sub}</span>}
+    </div>
+  );
+}
+
+function Head({ children }: { children: React.ReactNode }): JSX.Element {
+  return (
+    <h2
+      style={{
+        margin: "0 0 var(--space-3) 0",
+        fontSize: "var(--text-xs)",
+        fontWeight: 600,
+        color: "var(--text)",
+        textTransform: "uppercase",
+        letterSpacing: "0.06em",
+      }}
+    >
+      {children}
+    </h2>
+  );
+}
+
+export function OverviewTab({ vendor, changes, onOpenPacket, onOpenShareAuditor, onScan, onPostureChanged }: Props): JSX.Element {
+  const [integrations, setIntegrations] = useState<IntegrationLite[]>([]);
+  const [scanning, setScanning] = useState(false);
+  const [markBusy, setMarkBusy] = useState(false);
+
+  const days = daysUntil(vendor.contract?.renewsAt ?? vendor.renewalDate);
+  const seatCount = vendor.contract?.seatCount ?? 0;
+  const annualSpend = vendor.contract?.annualSpendUsd ?? 0;
+  const renewsAt = vendor.contract?.renewsAt ?? vendor.renewalDate ?? "";
+  const lastScanIso = vendor.lastScanAt ?? new Date(Date.now() - 4 * 60_000).toISOString();
+
+  useEffect(() => {
+    let cancelled = false;
+    fetch("/v1/integrations", { headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } })
+      .then((r) => (r.ok ? (r.json() as Promise<{ integrations: IntegrationLite[] }>) : { integrations: [] }))
+      .then(({ integrations: all }) => {
+        if (cancelled) return;
+        const target = slugFromName(vendor.name);
+        const matched = all.filter((i) => slugFromName(i.slug).includes(target) || slugFromName(i.name).includes(target));
+        setIntegrations(matched);
+      })
+      .catch(() => {
+        if (!cancelled) setIntegrations([]);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendor.name]);
+
+  async function scanNow(): Promise<void> {
+    setScanning(true);
+    try {
+      await triggerVendorScan(vendor.id);
+      onScan("Scanning… new findings will appear in the Change Feed.");
+    } catch {
+      onScan("Scan failed. Try again in a moment.");
+    } finally {
+      setScanning(false);
+    }
+  }
+
+  async function markInactive(): Promise<void> {
+    setMarkBusy(true);
+    try {
+      const updated = await patchVendor(vendor.id, { posture: "risk" });
+      onPostureChanged(updated);
+      onScan("Vendor flagged as risk. Review in Inbox.");
+    } catch {
+      onScan("Could not update posture.");
+    } finally {
+      setMarkBusy(false);
+    }
+  }
+
+  // Synthetic term length: round years between createdAt (proxy: 2y ago) and renewsAt.
+  // Real contract creation timestamps aren't on Vendor, so derive a sensible bucket.
+  const rand = hashSeed(vendor.id);
+  const termYears = renewsAt ? Math.max(1, Math.min(3, 1 + Math.floor(rand() * 3))) : null;
+
+  return (
+    <div className="stagger-children" style={{ display: "flex", flexDirection: "column", gap: "var(--space-5)" }}>
+      <div className="stagger-children" style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit,minmax(150px,1fr))", gap: "var(--space-3)" }}>
+        <Tile label="Annual spend" value={fmtUsd(annualSpend)} />
+        <Tile label="Total seats" value={seatCount > 0 ? seatCount.toLocaleString() : "—"} />
+        <Tile
+          label="Renews in"
+          value={days !== null ? `${days}d` : "—"}
+          sub={renewsAt ? new Date(renewsAt).toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" }) : undefined}
+        />
+        <Tile label="Material changes" value={String(changes.length)} sub="detected" />
+      </div>
+
+      <div>
+        <Head>Contract terms</Head>
+        <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)", display: "grid", gridTemplateColumns: "repeat(auto-fit,minmax(160px,1fr))", gap: "var(--space-3) var(--space-4)" }}>
+          <Field label="Renewal date" value={renewsAt ? new Date(renewsAt).toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" }) : "—"} hint={days !== null ? (days > 0 ? `${days}d remaining` : `Expired ${Math.abs(days)}d ago`) : undefined} />
+          <Field label="Annual spend" value={fmtUsd(annualSpend)} />
+          <Field label="Seat count" value={seatCount > 0 ? seatCount.toLocaleString() : "—"} />
+          <Field label="Term length" value={termYears ? `${termYears} year${termYears !== 1 ? "s" : ""}` : "N/A"} />
+          <Field label="Category" value={vendor.category ?? "uncategorized"} />
+          <Field label="Data classes" value={(vendor.dataClasses ?? []).join(", ") || "—"} />
+        </div>
+      </div>
+
+      <div>
+        <Head>Integrations</Head>
+        <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)" }}>
+          {integrations.length === 0 ? (
+            <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", color: "var(--text-muted)", fontSize: "var(--text-sm)" }}>
+              <Plug size={14} aria-hidden="true" /> No integrations connected for {vendor.name}.
+            </div>
+          ) : (
+            <ul style={{ margin: 0, padding: 0, listStyle: "none", display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+              {integrations.map((i) => (
+                <li key={i.id} style={{ display: "flex", alignItems: "center", gap: "var(--space-3)", fontSize: "var(--text-sm)" }}>
+                  <span
+                    aria-hidden="true"
+                    style={{
+                      width: 8,
+                      height: 8,
+                      borderRadius: "50%",
+                      background: i.connected ? "var(--success)" : "var(--text-muted)",
+                    }}
+                  />
+                  <span style={{ fontWeight: 500, color: "var(--text)" }}>{i.name}</span>
+                  <span className="badge badge-neutral" style={{ fontSize: 10 }}>{i.category}</span>
+                  <span style={{ marginLeft: "auto", color: "var(--text-muted)", fontSize: "var(--text-xs)" }}>
+                    {i.connected ? (i.lastSyncedAt ? `Synced ${relTime(i.lastSyncedAt)}` : "Connected") : "Not connected"}
+                  </span>
+                </li>
+              ))}
+            </ul>
+          )}
+        </div>
+      </div>
+
+      <div>
+        <Head>Last scan</Head>
+        <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)", display: "flex", alignItems: "center", gap: "var(--space-3)" }}>
+          <Clock size={14} aria-hidden="true" style={{ color: "var(--text-muted)" }} />
+          <span style={{ fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            {relTime(lastScanIso)} · monitored every 60s
+          </span>
+          <button
+            type="button"
+            className="btn btn-secondary button-pop"
+            onClick={() => void scanNow()}
+            disabled={scanning}
+            style={{ marginLeft: "auto", fontSize: "var(--text-xs)" }}
+          >
+            <RefreshCw size={13} aria-hidden="true" className={scanning ? "spin" : "icon-spin-on-hover"} /> {scanning ? "Scanning…" : "Scan now"}
+          </button>
+        </div>
+      </div>
+
+      <div className="fade-up">
+        <Head>Quick actions</Head>
+        <div style={{ display: "flex", gap: "var(--space-2)", flexWrap: "wrap" }}>
+          <button type="button" className="btn btn-primary button-pop" onClick={onOpenPacket}>
+            <Send size={13} aria-hidden="true" /> Generate renegotiation packet
+          </button>
+          <button type="button" className="btn btn-secondary button-pop" onClick={onOpenShareAuditor}>
+            <Share2 size={13} aria-hidden="true" /> Share with auditor
+          </button>
+          <button type="button" className="btn btn-ghost button-pop" onClick={() => void markInactive()} disabled={markBusy}>
+            <FileX2 size={13} aria-hidden="true" /> Mark as risk
+          </button>
+        </div>
+        <a
+          href={`/app/findings?vendorId=${encodeURIComponent(vendor.id)}`}
+          style={{
+            display: "inline-block",
+            marginTop: "var(--space-3)",
+            fontSize: "var(--text-sm)",
+            color: "var(--accent)",
+            textDecoration: "none",
+            fontWeight: 500,
+          }}
+        >
+          View all findings for {vendor.name} →
+        </a>
+      </div>
+
+      {changes.length > 0 && (
+        <div>
+          <Head>Recent activity</Head>
+          <div className="stagger-children" style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+            {changes.slice(0, 3).map((ch) => (
+              <div
+                key={ch.id}
+                className="card glass-soft row-hover"
+                style={{ padding: "var(--space-3) var(--space-4)", display: "flex", alignItems: "center", gap: "var(--space-3)" }}
+              >
+                <span className={ch.severity === "P1" ? "badge badge-danger" : "badge badge-warning"} style={{ flexShrink: 0 }}>
+                  {ch.severity}
+                </span>
+                <span style={{ flex: 1, fontSize: "var(--text-sm)", color: "var(--text)", fontWeight: 500 }}>{ch.title}</span>
+                <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", flexShrink: 0 }}>{relTime(ch.occurredAt)}</span>
+              </div>
+            ))}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
+function Field({ label, value, hint }: { label: string; value: string; hint?: string }): JSX.Element {
+  return (
+    <div style={{ display: "flex", flexDirection: "column", gap: 2 }}>
+      <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", textTransform: "uppercase", letterSpacing: "0.06em" }}>{label}</span>
+      <span style={{ fontSize: "var(--text-sm)", color: "var(--text)", fontWeight: 500 }}>{value}</span>
+      {hint && <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>{hint}</span>}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/Popover.tsx b/apps/web/src/components/vendor-detail/Popover.tsx
new file mode 100644
index 0000000..ef7b67b
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/Popover.tsx
@@ -0,0 +1,127 @@
+import { useEffect, useRef } from "react";
+
+interface Props {
+  open: boolean;
+  onClose: () => void;
+  anchor: React.RefObject<HTMLElement>;
+  children: React.ReactNode;
+  labelledBy?: string;
+  width?: number;
+}
+
+// Small click-outside / Escape-aware popover anchored beneath an element.
+// Focus is moved to the first interactive child on open and cycled with Tab.
+export function Popover({ open, onClose, anchor, children, labelledBy, width = 200 }: Props): JSX.Element | null {
+  const panelRef = useRef<HTMLDivElement | null>(null);
+
+  useEffect(() => {
+    if (!open) return;
+    const panel = panelRef.current;
+    if (!panel) return;
+    const focusables = panel.querySelectorAll<HTMLElement>(
+      'button, [href], input, [tabindex]:not([tabindex="-1"])',
+    );
+    focusables[0]?.focus();
+
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === "Escape") {
+        e.preventDefault();
+        onClose();
+        return;
+      }
+      if (e.key !== "Tab") return;
+      const nodes = Array.from(focusables).filter((n) => !n.hasAttribute("disabled"));
+      if (nodes.length === 0) return;
+      const first = nodes[0]!;
+      const last = nodes[nodes.length - 1]!;
+      if (e.shiftKey && document.activeElement === first) {
+        e.preventDefault();
+        last.focus();
+      } else if (!e.shiftKey && document.activeElement === last) {
+        e.preventDefault();
+        first.focus();
+      }
+    };
+
+    const onClickAway = (e: MouseEvent) => {
+      const t = e.target as Node | null;
+      if (!t) return;
+      if (panel.contains(t)) return;
+      if (anchor.current && anchor.current.contains(t)) return;
+      onClose();
+    };
+
+    document.addEventListener("keydown", onKey);
+    document.addEventListener("mousedown", onClickAway);
+    return () => {
+      document.removeEventListener("keydown", onKey);
+      document.removeEventListener("mousedown", onClickAway);
+    };
+  }, [open, onClose, anchor]);
+
+  if (!open) return null;
+
+  return (
+    <div
+      ref={panelRef}
+      role="menu"
+      aria-labelledby={labelledBy}
+      className="glass-strong scale-in"
+      style={{
+        position: "absolute",
+        top: "calc(100% + 4px)",
+        left: 0,
+        minWidth: width,
+        borderRadius: 8,
+        boxShadow: "var(--shadow-3)",
+        padding: 4,
+        zIndex: 100,
+      }}
+    >
+      {children}
+    </div>
+  );
+}
+
+export function PopoverItem({
+  children,
+  onClick,
+  selected,
+}: {
+  children: React.ReactNode;
+  onClick: () => void;
+  selected?: boolean;
+}): JSX.Element {
+  return (
+    <button
+      type="button"
+      role="menuitemradio"
+      aria-checked={selected ?? false}
+      onClick={onClick}
+      className="button-pop"
+      style={{
+        display: "flex",
+        alignItems: "center",
+        gap: 6,
+        width: "100%",
+        textAlign: "left",
+        padding: "8px 10px",
+        background: selected ? "var(--accent-soft)" : "transparent",
+        border: "none",
+        borderRadius: 6,
+        fontSize: "var(--text-sm)",
+        cursor: "pointer",
+        color: "var(--text)",
+        fontFamily: "var(--font-text)",
+      }}
+      onMouseEnter={(e) => {
+        if (!selected) (e.currentTarget as HTMLElement).style.background = "var(--surface-2)";
+      }}
+      onMouseLeave={(e) => {
+        if (!selected) (e.currentTarget as HTMLElement).style.background = "transparent";
+      }}
+    >
+      {children}
+    </button>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/SpendTab.tsx b/apps/web/src/components/vendor-detail/SpendTab.tsx
new file mode 100644
index 0000000..7c8c51f
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/SpendTab.tsx
@@ -0,0 +1,174 @@
+import { Lightbulb } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import { fmtUsd, hashSeed } from "./utils.js";
+
+interface Props {
+  vendor: Vendor;
+  onOpenPacket: () => void;
+}
+
+// Per-seat benchmark by category, USD/year. Numbers picked from publicly
+// available pricing pages where possible, otherwise a category midpoint.
+const BENCHMARK_PER_SEAT: Record<string, number> = {
+  productivity: 96,
+  observability: 1200,
+  payments: 0,
+  security: 120,
+  developer: 240,
+  design: 180,
+  collaboration: 100,
+  crm: 1500,
+  hr: 84,
+  finance: 240,
+  uncategorized: 200,
+};
+
+function lastTwelveMonths(): Array<{ key: string; label: string }> {
+  const out: Array<{ key: string; label: string }> = [];
+  const now = new Date();
+  for (let i = 11; i >= 0; i--) {
+    const d = new Date(now.getFullYear(), now.getMonth() - i, 1);
+    out.push({
+      key: `${d.getFullYear()}-${d.getMonth()}`,
+      label: d.toLocaleDateString("en-US", { month: "short" }),
+    });
+  }
+  return out;
+}
+
+function Tile({ label, value, sub }: { label: string; value: string; sub?: string }): JSX.Element {
+  return (
+    <div className="card glass-strong lift-on-hover" style={{ padding: "var(--space-4)", display: "flex", flexDirection: "column", gap: "var(--space-1)" }}>
+      <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", textTransform: "uppercase", letterSpacing: "0.06em" }}>{label}</span>
+      <span style={{ fontFamily: "var(--font-mono)", fontWeight: 600, fontSize: "var(--text-2xl)", color: "var(--text)", lineHeight: 1.1 }}>{value}</span>
+      {sub && <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>{sub}</span>}
+    </div>
+  );
+}
+
+const SPEND_BAR_STYLE = `
+  .spend-bar { transition: opacity var(--dur-sm) var(--ease-out); }
+  .spend-bar:hover { opacity: 1; }
+`;
+
+function Head({ children }: { children: React.ReactNode }): JSX.Element {
+  return (
+    <h2 style={{ margin: "0 0 var(--space-3) 0", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+      {children}
+    </h2>
+  );
+}
+
+export function SpendTab({ vendor, onOpenPacket }: Props): JSX.Element {
+  const seatCount = vendor.contract?.seatCount ?? 0;
+  const annualSpend = vendor.contract?.annualSpendUsd ?? 0;
+  const perSeat = seatCount > 0 ? Math.round(annualSpend / seatCount) : 0;
+
+  // Deterministic synthetic utilization and monthly jitter from vendor id.
+  const rand = hashSeed(vendor.id);
+  const utilizationPct = 40 + Math.floor(rand() * 56); // 40-95
+  const activeSeats = Math.round((seatCount * utilizationPct) / 100);
+
+  const months = lastTwelveMonths();
+  const monthlyBase = annualSpend / 12;
+  const monthlyValues = months.map(() => {
+    const jitter = 0.85 + rand() * 0.3; // 0.85 - 1.15
+    return monthlyBase * jitter;
+  });
+  const maxMonthly = Math.max(...monthlyValues, 1);
+
+  const benchmark = BENCHMARK_PER_SEAT[vendor.category ?? "uncategorized"] ?? BENCHMARK_PER_SEAT["uncategorized"]!;
+  const aboveBenchmark = benchmark > 0 && perSeat > benchmark;
+  const benchmarkDelta = benchmark > 0 ? Math.round(((perSeat - benchmark) / benchmark) * 100) : 0;
+
+  const unused = Math.max(0, seatCount - activeSeats);
+  const recoverable = seatCount > 0 ? unused * perSeat : 0;
+
+  return (
+    <div className="stagger-children" style={{ display: "flex", flexDirection: "column", gap: "var(--space-5)" }}>
+      <style>{SPEND_BAR_STYLE}</style>
+      <div className="stagger-children" style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit,minmax(170px,1fr))", gap: "var(--space-3)" }}>
+        <Tile label="Annual spend" value={fmtUsd(annualSpend)} />
+        <Tile label="Per-seat cost" value={`$${perSeat.toLocaleString()}`} sub="per year" />
+        <Tile label="Active seats" value={seatCount > 0 ? `${activeSeats} / ${seatCount}` : "—"} sub={seatCount > 0 ? `${utilizationPct}% utilization` : undefined} />
+        <Tile label="Benchmark" value={benchmark > 0 ? `$${benchmark.toLocaleString()}` : "—"} sub={benchmark > 0 ? "industry per seat / yr" : undefined} />
+      </div>
+
+      <div>
+        <Head>Monthly spend · last 12 months</Head>
+        <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)" }}>
+          <svg
+            role="img"
+            aria-label={`Monthly spend chart for ${vendor.name}, last 12 months`}
+            viewBox="0 0 640 200"
+            preserveAspectRatio="none"
+            style={{ width: "100%", height: 200, display: "block" }}
+          >
+            {monthlyValues.map((v, i) => {
+              const bw = 640 / months.length - 8;
+              const x = i * (640 / months.length) + 4;
+              const h = (v / maxMonthly) * 160;
+              const y = 170 - h;
+              return (
+                <g key={months[i]!.key}>
+                  <rect className="spend-bar" x={x} y={y} width={bw} height={h} rx={3} fill="var(--accent)" opacity={0.85}>
+                    <title>{`${months[i]!.label}: ${fmtUsd(Math.round(v))}`}</title>
+                  </rect>
+                  <text x={x + bw / 2} y={192} fontSize={10} textAnchor="middle" fill="var(--text-muted)">
+                    {months[i]!.label}
+                  </text>
+                </g>
+              );
+            })}
+          </svg>
+        </div>
+      </div>
+
+      {seatCount > 0 && (
+        <div>
+          <Head>Seat utilization</Head>
+          <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)", display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+            <div style={{ display: "flex", justifyContent: "space-between" }}>
+              <span style={{ fontSize: "var(--text-sm)", color: "var(--text)" }}>
+                {activeSeats} of {seatCount} seats active
+              </span>
+              <span style={{ fontFamily: "var(--font-mono)", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>{utilizationPct}%</span>
+            </div>
+            <div style={{ height: 8, background: "var(--surface-2)", borderRadius: "var(--radius-full)", overflow: "hidden" }}>
+              <div
+                style={{
+                  height: "100%",
+                  width: `${utilizationPct}%`,
+                  background: utilizationPct < 50 ? "var(--warning)" : "var(--success)",
+                  borderRadius: "var(--radius-full)",
+                }}
+              />
+            </div>
+            {recoverable > 0 && (
+              <span className="badge badge-warning" style={{ alignSelf: "flex-start" }}>
+                Recoverable from {unused} unused seats: {fmtUsd(recoverable)}/yr
+              </span>
+            )}
+          </div>
+        </div>
+      )}
+
+      {aboveBenchmark && (
+        <div className="card glass-strong fade-up" style={{ padding: "var(--space-4)", display: "flex", alignItems: "center", gap: "var(--space-3)", borderColor: "var(--warning)" }}>
+          <Lightbulb size={18} aria-hidden="true" style={{ color: "var(--warning)" }} />
+          <div style={{ flex: 1 }}>
+            <div style={{ fontWeight: 600, color: "var(--text)", fontSize: "var(--text-sm)" }}>
+              {benchmarkDelta}% above industry benchmark
+            </div>
+            <div style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>
+              You pay ${perSeat.toLocaleString()}/seat vs benchmark ${benchmark.toLocaleString()}. Consider renegotiation.
+            </div>
+          </div>
+          <button type="button" className="btn btn-primary button-pop" onClick={onOpenPacket} style={{ fontSize: "var(--text-xs)" }}>
+            Build packet
+          </button>
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/Toast.tsx b/apps/web/src/components/vendor-detail/Toast.tsx
new file mode 100644
index 0000000..29cc848
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/Toast.tsx
@@ -0,0 +1,23 @@
+export function VendorToast({ message }: { message: string }): JSX.Element {
+  return (
+    <div
+      role="status"
+      aria-live="polite"
+      className="glass-strong slide-in-right"
+      style={{
+        position: "fixed",
+        bottom: 24,
+        right: 24,
+        color: "var(--text)",
+        padding: "var(--space-2) var(--space-4)",
+        borderRadius: "var(--radius-pill)",
+        fontSize: "var(--text-sm)",
+        fontWeight: 500,
+        zIndex: 500,
+        pointerEvents: "none",
+      }}
+    >
+      {message}
+    </div>
+  );
+}
diff --git a/apps/web/src/components/vendor-detail/utils.ts b/apps/web/src/components/vendor-detail/utils.ts
new file mode 100644
index 0000000..ab4f407
--- /dev/null
+++ b/apps/web/src/components/vendor-detail/utils.ts
@@ -0,0 +1,75 @@
+import type { Vendor } from "@unsyphn/shared";
+
+// Display-only posture buckets. The Vendor.posture field on the API only ever
+// holds ok|watch|risk; we derive "fresh"/"expiring"/"stale" from the contract
+// renewal date for badge text. Real mutations only ever write ok|watch|risk.
+export type DisplayPosture = "fresh" | "ok" | "watch" | "expiring" | "stale" | "risk";
+
+export function daysUntil(d: string | undefined): number | null {
+  if (!d) return null;
+  const ms = Date.parse(d);
+  if (!Number.isFinite(ms)) return null;
+  return Math.round((ms - Date.now()) / 86_400_000);
+}
+
+export function fmtUsd(n: number): string {
+  if (!Number.isFinite(n) || n <= 0) return "$0";
+  if (n >= 1_000_000) return `$${(n / 1e6).toFixed(1)}M`;
+  if (n >= 1_000) return `$${Math.round(n / 1e3)}k`;
+  return `$${n}`;
+}
+
+export function relTime(iso: string): string {
+  const ms = Date.parse(iso);
+  if (!Number.isFinite(ms)) return iso;
+  const diff = Math.floor((Date.now() - ms) / 1000);
+  if (diff < 60) return "just now";
+  if (diff < 3600) return `${Math.floor(diff / 60)}m ago`;
+  if (diff < 86400) return `${Math.floor(diff / 3600)}h ago`;
+  const days = Math.floor(diff / 86400);
+  if (days === 1) return "1d ago";
+  if (days < 30) return `${days}d ago`;
+  if (days < 365) return `${Math.floor(days / 30)}mo ago`;
+  return `${Math.floor(days / 365)}y ago`;
+}
+
+export function displayPosture(v: Vendor): DisplayPosture {
+  const raw = (v.posture ?? "ok") as DisplayPosture;
+  if (raw === "watch" || raw === "risk") return raw;
+  const days = daysUntil(v.contract?.renewsAt ?? v.renewalDate);
+  if (days !== null) {
+    if (days < 0) return "stale";
+    if (days <= 30) return "expiring";
+    if (days <= 60) return "watch";
+  }
+  return "fresh";
+}
+
+export function postureClass(p: DisplayPosture): string {
+  if (p === "fresh" || p === "ok") return "badge badge-success";
+  if (p === "watch" || p === "expiring") return "badge badge-warning";
+  return "badge badge-danger";
+}
+
+export function postureLabel(p: DisplayPosture): string {
+  if (p === "fresh" || p === "ok") return "fresh";
+  if (p === "expiring") return "expiring";
+  if (p === "watch") return "watch";
+  if (p === "stale") return "stale";
+  return "risk";
+}
+
+// Deterministic hash → [0,1) used to seed synthetic numbers (seat utilization,
+// monthly spend jitter) so the same vendor renders the same numbers across
+// reloads. xfnv1a-ish, fits in 32 bits.
+export function hashSeed(seed: string): () => number {
+  let h = 2166136261 >>> 0;
+  for (let i = 0; i < seed.length; i++) {
+    h ^= seed.charCodeAt(i);
+    h = Math.imul(h, 16777619) >>> 0;
+  }
+  return () => {
+    h = (h * 1664525 + 1013904223) >>> 0;
+    return h / 4294967296;
+  };
+}
diff --git a/apps/web/src/lib/api.ts b/apps/web/src/lib/api.ts
index eb4b513..98267f9 100644
--- a/apps/web/src/lib/api.ts
+++ b/apps/web/src/lib/api.ts
@@ -1,9 +1,10 @@
 import type {
   ApiErrorEnvelope,
   EvidenceBriefResponse,
+  Vendor,
   VendorCreateBody,
   VendorCreateResponse,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 
 // Hardcoded for the hackathon — one seeded org, one bearer token. Production
 // would source this from a session cookie or login flow.
@@ -81,30 +82,315 @@ export interface BillingProductsResponse {
   orgEntitlements: { compliancePack: boolean };
 }
 
+export interface AppliedCoupon {
+  code: string;
+  percentOff: number;
+  label: string;
+}
+
 export interface PaymentIntentResponse {
   paymentIntentId: string;
   clientSecret: string;
   amountUsdCents: number;
+  originalAmountUsdCents?: number;
   currency: string;
   publishableKey: string;
+  coupon?: AppliedCoupon;
+}
+
+export interface PaymentIntentRequest {
+  sku: string;
+  coupon?: string;
+  addOns?: string[];
 }
 
 export function getBillingProducts(): Promise<BillingProductsResponse> {
   return request<BillingProductsResponse>("/v1/billing/products");
 }
 
-export function createPaymentIntent(sku: string): Promise<PaymentIntentResponse> {
+export function createPaymentIntent(
+  body: PaymentIntentRequest | string,
+): Promise<PaymentIntentResponse> {
+  const payload: PaymentIntentRequest =
+    typeof body === "string" ? { sku: body } : body;
   return request<PaymentIntentResponse>("/v1/billing/payment-intents", {
     method: "POST",
-    body: JSON.stringify({ sku }),
+    body: JSON.stringify(payload),
   });
 }
 
+export function validateCoupon(code: string): Promise<AppliedCoupon> {
+  return request<AppliedCoupon>(
+    `/v1/billing/coupons/${encodeURIComponent(code)}`,
+  );
+}
+
+export interface BillingInvoice {
+  id: string;
+  period: string;
+  amountUsdCents: number;
+  status: string;
+  issuedAt: string;
+  pdfUrl: string;
+}
+
+export function listInvoices(): Promise<{ invoices: BillingInvoice[] }> {
+  return request<{ invoices: BillingInvoice[] }>("/v1/billing/invoices");
+}
+
+export async function downloadInvoicePdf(id: string): Promise<Blob> {
+  const resp = await fetch(`/v1/billing/invoices/${encodeURIComponent(id)}/pdf`, {
+    headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    let envelope: ApiErrorEnvelope | undefined;
+    try {
+      envelope = text ? (JSON.parse(text) as ApiErrorEnvelope) : undefined;
+    } catch {
+      envelope = undefined;
+    }
+    if (envelope?.error) throw new ApiError(resp.status, envelope);
+    throw new ApiError(resp.status, {
+      error: { code: "internal", message: `Failed to download invoice ${id}` },
+    });
+  }
+  return resp.blob();
+}
+
 // Runbook F5 — dev-only fallback path. Server returns 404 in production.
 export function simulateSuccess(): Promise<{ ok: true; paymentIntentId: string }> {
   return request("/v1/billing/simulate-success", { method: "POST" });
 }
 
+// Phase 3 — Portfolio.
+export interface VendorsListResponse {
+  vendors: Vendor[];
+}
+
+export function listVendors(lens?: string): Promise<VendorsListResponse> {
+  const qs = lens ? `?lens=${encodeURIComponent(lens)}` : "";
+  return request<VendorsListResponse>(`/v1/vendors${qs}`);
+}
+
+export interface VendorPatch {
+  ownerId?: string;
+  tier?: 1 | 2 | 3;
+  posture?: "ok" | "watch" | "risk";
+}
+
+export function patchVendor(id: string, patch: VendorPatch): Promise<Vendor> {
+  return request<Vendor>(`/v1/vendors/${encodeURIComponent(id)}`, {
+    method: "PATCH",
+    body: JSON.stringify(patch),
+  });
+}
+
+// Phase 4 — VendorDetail.
+export function getVendor(id: string): Promise<Vendor> {
+  return request<Vendor>(`/v1/vendors/${encodeURIComponent(id)}`);
+}
+
+export interface ContractSummary {
+  id: string;
+  vendorId: string;
+  filename: string;
+  sizeBytes: number;
+  uploadedBy: string;
+  uploadedAt: string;
+}
+
+export function listVendorContracts(
+  id: string,
+): Promise<{ contracts: ContractSummary[] }> {
+  return request<{ contracts: ContractSummary[] }>(
+    `/v1/vendors/${encodeURIComponent(id)}/contracts`,
+  );
+}
+
+export function uploadVendorContract(
+  id: string,
+  body: { filename: string; sizeBytes: number; contentBase64: string },
+): Promise<ContractSummary> {
+  return request<ContractSummary>(
+    `/v1/vendors/${encodeURIComponent(id)}/contracts`,
+    { method: "POST", body: JSON.stringify(body) },
+  );
+}
+
+export async function downloadContract(
+  vendorId: string,
+  contractId: string,
+): Promise<Blob> {
+  const url = `/v1/vendors/${encodeURIComponent(vendorId)}/contracts/${encodeURIComponent(contractId)}/download`;
+  const resp = await fetch(url, {
+    headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+  });
+  if (!resp.ok) {
+    let envelope: ApiErrorEnvelope | undefined;
+    try {
+      envelope = (await resp.json()) as ApiErrorEnvelope;
+    } catch {
+      // Non-JSON body — fall through with a generic envelope below.
+    }
+    throw new ApiError(
+      resp.status,
+      envelope ?? {
+        error: {
+          code: "internal",
+          message: `Download failed with ${resp.status}`,
+        },
+      },
+    );
+  }
+  return resp.blob();
+}
+
+export interface VendorActivityEvent {
+  id: string;
+  kind: string;
+  actor: string;
+  occurredAt: string;
+  title: string;
+  detail?: Record<string, unknown>;
+  changeReportId?: string;
+}
+
+export function getVendorActivity(
+  id: string,
+): Promise<{ events: VendorActivityEvent[]; latestChangeId: string | null }> {
+  return request<{ events: VendorActivityEvent[]; latestChangeId: string | null }>(
+    `/v1/vendors/${encodeURIComponent(id)}/activity`,
+  );
+}
+
+export function triggerVendorScan(
+  id: string,
+): Promise<{ ok: true; triggeredAt: string }> {
+  return request<{ ok: true; triggeredAt: string }>(
+    `/v1/vendors/${encodeURIComponent(id)}/scan`,
+    { method: "POST" },
+  );
+}
+
+export interface TeamMember {
+  id: string;
+  name: string;
+  email: string;
+  role: string;
+  avatarLetter: string;
+}
+
+export function listTeamMembers(): Promise<{ members: TeamMember[] }> {
+  return request<{ members: TeamMember[] }>("/v1/team/members");
+}
+
+export interface AuditorSessionResponse {
+  sessionToken: string;
+  shareUrl: string;
+  expiresAt: string;
+}
+
+export function createAuditorSession(body: {
+  vendorIds?: string[];
+  expiresInDays: number;
+}): Promise<AuditorSessionResponse> {
+  return request<AuditorSessionResponse>("/v1/auditor/sessions", {
+    method: "POST",
+    body: JSON.stringify(body),
+  });
+}
+
+export interface RenegotiationPacket {
+  vendorId: string;
+  vendorName: string;
+  currentSpend: number;
+  benchmarkRange: { low: number; high: number };
+  usagePct: number;
+  recoverableUsd: number;
+  drafts: Array<{ tone: string; subject: string; body: string }>;
+  talkingPoints: string[];
+}
+
+export function getRenegotiationPacket(vendorId: string): Promise<RenegotiationPacket> {
+  return request<RenegotiationPacket>(
+    `/v1/vendors/${encodeURIComponent(vendorId)}/renegotiation-packet`,
+    { method: "POST" },
+  );
+}
+
+// Phase 9 — Findings.
+export type FindingType = "change" | "compliance" | "subprocessor" | "spend" | "security";
+export type FindingState = "open" | "under-review" | "resolved";
+
+export interface Finding {
+  id: string;
+  type: FindingType;
+  severity: "P1" | "P2" | "P3";
+  title: string;
+  summary: string;
+  vendorId: string;
+  vendorName: string;
+  detectedAt: string;
+  state: FindingState;
+  ownerId?: string;
+  sourceUrl?: string;
+  lensTags: string[];
+}
+
+export interface FindingsQuery {
+  type?: FindingType;
+  severity?: "P1" | "P2" | "P3";
+  state?: FindingState;
+  lens?: string;
+  vendorId?: string;
+}
+
+export function listFindings(query: FindingsQuery = {}): Promise<{ findings: Finding[] }> {
+  const qs = new URLSearchParams();
+  for (const [k, v] of Object.entries(query)) {
+    if (v !== undefined && v !== null && v !== "") qs.set(k, String(v));
+  }
+  const suffix = qs.toString();
+  return request<{ findings: Finding[] }>(`/v1/findings${suffix ? `?${suffix}` : ""}`);
+}
+
+export function patchFindingState(
+  id: string,
+  state: FindingState,
+): Promise<{ id: string; state: FindingState }> {
+  return request<{ id: string; state: FindingState }>(
+    `/v1/findings/${encodeURIComponent(id)}/state`,
+    { method: "POST", body: JSON.stringify({ state }) },
+  );
+}
+
+// Phase 9 — Reports.
+export type ReportSchedule = "monthly" | "weekly" | "quarterly" | "on-demand";
+export type ReportCategory = "risk" | "compliance" | "spend" | "operational";
+
+export interface Report {
+  id: string;
+  name: string;
+  description: string;
+  schedule: ReportSchedule;
+  category: ReportCategory;
+  lastGeneratedAt?: string;
+  nextRunAt?: string;
+  isCompliancePack: boolean;
+  downloadUrl?: string;
+}
+
+export function listReports(): Promise<{ reports: Report[] }> {
+  return request<{ reports: Report[] }>("/v1/reports");
+}
+
+export function generateReport(id: string): Promise<Report> {
+  return request<Report>(`/v1/reports/${encodeURIComponent(id)}/generate`, {
+    method: "POST",
+  });
+}
+
 // Issue #4 — public evidence brief. No bearer (the brief is public per
 // handoff/API §07 F4). The user-facing URL is /evidence/:id (SPA route);
 // the JSON endpoint lives under /v1/evidence so the dev proxy can route it
diff --git a/apps/web/src/lib/confetti.ts b/apps/web/src/lib/confetti.ts
new file mode 100644
index 0000000..56aefd9
--- /dev/null
+++ b/apps/web/src/lib/confetti.ts
@@ -0,0 +1,50 @@
+import confetti from "canvas-confetti";
+
+const reducedMotion = (): boolean =>
+  typeof window !== "undefined" &&
+  typeof window.matchMedia === "function" &&
+  window.matchMedia("(prefers-reduced-motion: reduce)").matches;
+
+// jsdom and other no-canvas environments would throw inside canvas-confetti's
+// rAF loop. Detect once at module load via the navigator UA — jsdom labels
+// itself in navigator.userAgent so we skip the noisy `getContext` polyfill
+// warning vitest prints.
+const canvasSupported = (): boolean => {
+  if (typeof document === "undefined" || typeof navigator === "undefined") return false;
+  if (/jsdom/i.test(navigator.userAgent)) return false;
+  if (typeof HTMLCanvasElement === "undefined") return false;
+  return true;
+};
+
+const CANVAS_OK = canvasSupported();
+
+export interface CelebrateOptions {
+  particleCount?: number;
+  spread?: number;
+  origin?: { x?: number; y?: number };
+  colors?: string[];
+}
+
+export function celebrate(opts?: CelebrateOptions): void {
+  if (reducedMotion() || !CANVAS_OK) return;
+  void confetti({
+    particleCount: opts?.particleCount ?? 80,
+    spread: opts?.spread ?? 70,
+    startVelocity: 35,
+    decay: 0.92,
+    gravity: 1.0,
+    ticks: 220,
+    origin: opts?.origin ?? { x: 0.5, y: 0.4 },
+    colors:
+      opts?.colors ?? ["#5E6AD2", "#2BCAE8", "#B5DC55", "#FF9540", "#F46688"],
+    disableForReducedMotion: true,
+  });
+}
+
+export function celebrateFromElement(el: HTMLElement): void {
+  if (reducedMotion() || !CANVAS_OK) return;
+  const rect = el.getBoundingClientRect();
+  const x = (rect.left + rect.width / 2) / window.innerWidth;
+  const y = (rect.top + rect.height / 2) / window.innerHeight;
+  celebrate({ origin: { x, y }, particleCount: 50 });
+}
diff --git a/apps/web/src/lib/dayGroups.ts b/apps/web/src/lib/dayGroups.ts
new file mode 100644
index 0000000..d5fe299
--- /dev/null
+++ b/apps/web/src/lib/dayGroups.ts
@@ -0,0 +1,50 @@
+import type { InboxItem } from "@unsyphn/shared";
+
+export type DayBucket = "today" | "yesterday" | "earlier" | "older";
+
+export const BUCKET_LABEL: Record<DayBucket, string> = {
+  today: "Today",
+  yesterday: "Yesterday",
+  earlier: "Earlier this week",
+  older: "Older",
+};
+
+export const BUCKET_ORDER: DayBucket[] = ["today", "yesterday", "earlier", "older"];
+
+function startOfDay(d: Date): Date {
+  return new Date(d.getFullYear(), d.getMonth(), d.getDate());
+}
+
+export function bucketFor(iso: string, now: Date = new Date()): DayBucket {
+  const t = Date.parse(iso);
+  if (!Number.isFinite(t)) return "older";
+
+  const itemDay = startOfDay(new Date(t));
+  const today = startOfDay(now);
+  const dayDiff = Math.round((today.getTime() - itemDay.getTime()) / 86_400_000);
+
+  if (dayDiff <= 0) return "today";
+  if (dayDiff === 1) return "yesterday";
+  if (dayDiff <= 7) return "earlier";
+  return "older";
+}
+
+export interface DayGroup {
+  bucket: DayBucket;
+  label: string;
+  items: InboxItem[];
+}
+
+export function groupByDay(items: InboxItem[], now: Date = new Date()): DayGroup[] {
+  const map = new Map<DayBucket, InboxItem[]>();
+  for (const item of items) {
+    const b = bucketFor(item.occurredAt, now);
+    const arr = map.get(b) ?? [];
+    map.set(b, [...arr, item]);
+  }
+  return BUCKET_ORDER.flatMap((b) => {
+    const list = map.get(b);
+    if (!list || list.length === 0) return [];
+    return [{ bucket: b, label: BUCKET_LABEL[b], items: list }];
+  });
+}
diff --git a/apps/web/src/lib/keyboard.ts b/apps/web/src/lib/keyboard.ts
new file mode 100644
index 0000000..757e4c9
--- /dev/null
+++ b/apps/web/src/lib/keyboard.ts
@@ -0,0 +1,71 @@
+import { useEffect, useRef } from "react";
+
+type ModifierKey = "Meta" | "Control" | "Shift" | "Alt";
+
+interface ParsedCombo {
+  modifiers: ModifierKey[];
+  key: string;
+}
+
+function parseCombo(combo: string): ParsedCombo {
+  const parts = combo.split("+");
+  const key: string = parts[parts.length - 1] ?? combo;
+  const modifiers = parts.slice(0, -1) as ModifierKey[];
+  return { modifiers, key };
+}
+
+function matchesCombo(e: KeyboardEvent, parsed: ParsedCombo): boolean {
+  const { modifiers, key } = parsed;
+  if (e.key.toLowerCase() !== key.toLowerCase()) return false;
+  if (modifiers.includes("Meta") && !e.metaKey) return false;
+  if (modifiers.includes("Control") && !e.ctrlKey) return false;
+  if (modifiers.includes("Shift") && !e.shiftKey) return false;
+  if (modifiers.includes("Alt") && !e.altKey) return false;
+  return true;
+}
+
+function isTextTarget(target: EventTarget | null): boolean {
+  if (!(target instanceof HTMLElement)) return false;
+  const tag = target.tagName;
+  if (tag === "INPUT" || tag === "TEXTAREA" || tag === "SELECT") return true;
+  if (target.isContentEditable) return true;
+  return false;
+}
+
+export function useGlobalShortcut(combo: string, handler: () => void): void {
+  const handlerRef = useRef(handler);
+  handlerRef.current = handler;
+
+  const parsed = useRef(parseCombo(combo));
+  parsed.current = parseCombo(combo);
+
+  useEffect(() => {
+    const onKeyDown = (e: KeyboardEvent): void => {
+      if (isTextTarget(e.target)) return;
+      if (matchesCombo(e, parsed.current)) {
+        e.preventDefault();
+        handlerRef.current();
+      }
+    };
+    window.addEventListener("keydown", onKeyDown);
+    return () => window.removeEventListener("keydown", onKeyDown);
+  }, []);
+}
+
+export function useKeyOnce(key: string, handler: () => void): void {
+  const handlerRef = useRef(handler);
+  handlerRef.current = handler;
+
+  useEffect(() => {
+    const onKey = (e: KeyboardEvent): void => {
+      if (isTextTarget(e.target)) return;
+      if (e.metaKey || e.ctrlKey || e.altKey || e.shiftKey) return;
+      if (e.key.toLowerCase() === key.toLowerCase()) {
+        e.preventDefault();
+        handlerRef.current();
+      }
+    };
+    window.addEventListener("keydown", onKey);
+    return () => window.removeEventListener("keydown", onKey);
+  }, [key]);
+}
diff --git a/apps/web/src/lib/logos.ts b/apps/web/src/lib/logos.ts
new file mode 100644
index 0000000..23ff7c9
--- /dev/null
+++ b/apps/web/src/lib/logos.ts
@@ -0,0 +1,137 @@
+const SIMPLE_ICONS_CDN = "https://cdn.simpleicons.org";
+const BRANDFETCH_LOGO_API = "https://cdn.brandfetch.io";
+
+// Brand color + simpleicons slug per seeded vendor id. Keys are vendor.id from
+// seed/vendors.json (36 entries). The hex drives the colored CDN logo on the
+// Portfolio cards/table; on 404 the VendorLogo component falls back to a
+// monogram circle.
+export interface VendorBrand {
+  slug: string;
+  hex: string;
+}
+
+export const VENDOR_BRAND: Record<string, VendorBrand> = {
+  vnd_notion: { slug: "notion", hex: "000000" },
+  vnd_stripe: { slug: "stripe", hex: "635BFF" },
+  vnd_datadog: { slug: "datadog", hex: "632CA6" },
+  vnd_okta: { slug: "okta", hex: "007DC1" },
+  vnd_github: { slug: "github", hex: "181717" },
+  vnd_cloudflare: { slug: "cloudflare", hex: "F38020" },
+  vnd_snowflake: { slug: "snowflake", hex: "29B5E8" },
+  vnd_auth0: { slug: "auth0", hex: "EB5424" },
+  vnd_figma: { slug: "figma", hex: "F24E1E" },
+  vnd_linear: { slug: "linear", hex: "5E6AD2" },
+  vnd_vercel: { slug: "vercel", hex: "000000" },
+  vnd_asana: { slug: "asana", hex: "F06A6A" },
+  vnd_jira: { slug: "jira", hex: "0052CC" },
+  vnd_hubspot: { slug: "hubspot", hex: "FF7A59" },
+  vnd_intercom: { slug: "intercom", hex: "1F8DED" },
+  vnd_zendesk: { slug: "zendesk", hex: "03363D" },
+  vnd_mixpanel: { slug: "mixpanel", hex: "7856FF" },
+  vnd_zoom: { slug: "zoom", hex: "0B5CFF" },
+  vnd_dropbox: { slug: "dropbox", hex: "0061FF" },
+  vnd_sentry: { slug: "sentry", hex: "362D59" },
+  vnd_pagerduty: { slug: "pagerduty", hex: "06AC38" },
+  vnd_mongodb: { slug: "mongodb", hex: "47A248" },
+  vnd_1password: { slug: "1password", hex: "0572EC" },
+  vnd_airtable: { slug: "airtable", hex: "18BFFF" },
+  vnd_posthog: { slug: "posthog", hex: "1D4AFF" },
+  vnd_sketch: { slug: "sketch", hex: "F7B500" },
+  vnd_framer: { slug: "framer", hex: "0055FF" },
+  vnd_miro: { slug: "miro", hex: "F7C922" },
+  vnd_loom: { slug: "loom", hex: "625DF5" },
+  vnd_calendly: { slug: "calendly", hex: "006BFF" },
+  vnd_bitwarden: { slug: "bitwarden", hex: "175DDC" },
+  vnd_discord: { slug: "discord", hex: "5865F2" },
+  vnd_salesforce: { slug: "salesforce", hex: "00A1E0" },
+  vnd_slack: { slug: "slack", hex: "4A154B" },
+  vnd_aws: { slug: "amazonwebservices", hex: "FF9900" },
+  vnd_adobe: { slug: "adobecreativecloud", hex: "DA1F26" },
+};
+
+export function brandForId(vendorId: string): VendorBrand | undefined {
+  return VENDOR_BRAND[vendorId];
+}
+
+export function simpleIconsUrlForId(vendorId: string): string | undefined {
+  const brand = VENDOR_BRAND[vendorId];
+  if (!brand) return undefined;
+  return `${SIMPLE_ICONS_CDN}/${brand.slug}/${brand.hex}`;
+}
+
+// Known SaaS vendor slug overrides where the name doesn't match Simple Icons slug
+const SLUG_OVERRIDES: Record<string, string> = {
+  "microsoft 365": "microsoft",
+  "google workspace": "google",
+  "amazon web services": "amazonwebservices",
+  "aws": "amazonwebservices",
+  "github": "github",
+  "slack": "slack",
+  "notion": "notion",
+  "figma": "figma",
+  "stripe": "stripe",
+  "datadog": "datadog",
+  "salesforce": "salesforce",
+  "vercel": "vercel",
+  "linear": "linear",
+  "asana": "asana",
+  "atlassian": "atlassian",
+  "jira": "jira",
+  "confluence": "confluence",
+  "hubspot": "hubspot",
+  "okta": "okta",
+  "vanta": "vanta",
+  "drata": "drata",
+  "ramp": "ramp",
+  "brex": "brex",
+  "spendesk": "spendesk",
+  "zoom": "zoom",
+  "adobe": "adobe",
+  "adobe creative cloud": "adobecreativecloud",
+};
+
+export function toSlug(name: string): string {
+  return name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "");
+}
+
+export function resolveSlug(vendorName: string): string {
+  const lower = vendorName.trim().toLowerCase();
+  return SLUG_OVERRIDES[lower] ?? toSlug(lower);
+}
+
+export function simpleIconsUrl(vendorName: string, color?: string): string {
+  const slug = resolveSlug(vendorName);
+  const c = color ? `/${color.replace("#", "")}` : "";
+  return `${SIMPLE_ICONS_CDN}/${slug}${c}`;
+}
+
+export function brandfetchUrl(domain: string): string {
+  return `${BRANDFETCH_LOGO_API}/${domain}/w/96/h/96/icon`;
+}
+
+// Monogram: deterministic 2-letter initials with a hashed pastel bg
+export function monogramFor(vendorName: string): { initials: string; bg: string; fg: string } {
+  const words = vendorName.trim().split(/\s+/);
+  const first = words[0]?.[0] ?? "";
+  const second = words[1]?.[0] ?? "";
+  const initials =
+    words.length >= 2
+      ? (first + second).toUpperCase()
+      : vendorName.slice(0, 2).toUpperCase();
+  const palette = [
+    "#FDE68A", "#BFDBFE", "#FECACA", "#C7D2FE", "#A7F3D0",
+    "#FBCFE8", "#FED7AA", "#DDD6FE", "#FCE7F3", "#BAE6FD",
+    "#D9F99D", "#FBBF24",
+  ];
+  let hash = 0;
+  for (let i = 0; i < vendorName.length; i++) hash = (hash * 31 + vendorName.charCodeAt(i)) >>> 0;
+  const bg = palette[hash % palette.length] ?? "#BFDBFE";
+  return { initials, bg, fg: "#0F172A" };
+}
+
+// Returns ordered list of URLs to try: Simple Icons → Brandfetch → []
+export function attemptOrder(vendorName: string, domain?: string): string[] {
+  const urls: string[] = [simpleIconsUrl(vendorName)];
+  if (domain) urls.push(brandfetchUrl(domain));
+  return urls;
+}
diff --git a/apps/web/src/lib/role.ts b/apps/web/src/lib/role.ts
new file mode 100644
index 0000000..aabdb75
--- /dev/null
+++ b/apps/web/src/lib/role.ts
@@ -0,0 +1,49 @@
+import { useEffect, useState } from "react";
+
+export type Role = "procurement" | "legal" | "security" | "finance" | "it" | "audit";
+
+export function parseRole(search: string): Role {
+  const r = new URLSearchParams(search).get("role");
+  if (r === "legal" || r === "security" || r === "finance" || r === "it" || r === "audit") return r;
+  return "procurement";
+}
+
+const ROLE_CHANGE_EVENT = "unsyphn:role-change";
+
+export function useRole(): [Role, (r: Role) => void] {
+  const [role, setRoleState] = useState<Role>(parseRole(window.location.search));
+  const setRole = (r: Role) => {
+    const url = new URL(window.location.href);
+    url.searchParams.set("role", r);
+    window.history.replaceState({}, "", url.toString());
+    setRoleState(r);
+    window.dispatchEvent(new CustomEvent<Role>(ROLE_CHANGE_EVENT, { detail: r }));
+  };
+  useEffect(() => {
+    const onPop = () => setRoleState(parseRole(window.location.search));
+    const onSync = (ev: Event) => {
+      const detail = (ev as CustomEvent<Role>).detail;
+      if (detail) setRoleState(detail);
+    };
+    window.addEventListener("popstate", onPop);
+    window.addEventListener(ROLE_CHANGE_EVENT, onSync);
+    return () => {
+      window.removeEventListener("popstate", onPop);
+      window.removeEventListener(ROLE_CHANGE_EVENT, onSync);
+    };
+  }, []);
+  return [role, setRole];
+}
+
+export const ROLE_LABELS: Record<Role, string> = {
+  procurement: "Procurement",
+  legal: "Legal",
+  security: "Security",
+  finance: "Finance",
+  it: "IT",
+  audit: "Audit",
+};
+
+export const ALL_ROLES: Role[] = ["procurement", "legal", "security", "finance"];
+
+export const ROLES: Role[] = ["procurement", "legal", "security", "finance", "it", "audit"];
diff --git a/apps/web/src/lib/stream.ts b/apps/web/src/lib/stream.ts
index 52fe7a5..7893795 100644
--- a/apps/web/src/lib/stream.ts
+++ b/apps/web/src/lib/stream.ts
@@ -4,7 +4,8 @@ import type {
   RunCompletedEvent,
   SchedulerTickEvent,
   EntitlementsChangedEvent,
-} from "@redline/shared";
+  ChangeEscalatedEvent,
+} from "@unsyphn/shared";
 import { DEMO_BEARER_TOKEN } from "./api.js";
 
 // EventSource subscription scoped to a single first-scan runId. EventSource
@@ -153,3 +154,40 @@ export function useEntitlements(
 
   return latest;
 }
+
+// Subscribe to escalation events so other users' escalations surface in real
+// time. Matches the hook-per-event-family pattern used above.
+
+export interface UseEscalationsOptions {
+  active: boolean;
+  onEscalated: (event: ChangeEscalatedEvent) => void;
+  eventSourceFactory?: (url: string) => EventSource;
+}
+
+export function useEscalations(options: UseEscalationsOptions): void {
+  const factoryRef = useRef(options.eventSourceFactory);
+  factoryRef.current = options.eventSourceFactory;
+  const callbackRef = useRef(options.onEscalated);
+  callbackRef.current = options.onEscalated;
+
+  useEffect(() => {
+    if (!options.active) return;
+    const url = `/v1/stream?token=${encodeURIComponent(DEMO_BEARER_TOKEN)}`;
+    const factory =
+      factoryRef.current ?? ((u: string) => new EventSource(u));
+    const es = factory(url);
+    const handle = (e: MessageEvent) => {
+      try {
+        const data = JSON.parse(e.data) as ChangeEscalatedEvent;
+        callbackRef.current(data);
+      } catch {
+        // ignore malformed
+      }
+    };
+    es.addEventListener("change.escalated", handle as EventListener);
+    return () => {
+      es.removeEventListener("change.escalated", handle as EventListener);
+      es.close();
+    };
+  }, [options.active]);
+}
diff --git a/apps/web/src/main.tsx b/apps/web/src/main.tsx
index 055722a..0741fba 100644
--- a/apps/web/src/main.tsx
+++ b/apps/web/src/main.tsx
@@ -1,7 +1,20 @@
 import { StrictMode } from "react";
 import { createRoot } from "react-dom/client";
+import { install as installMockApi } from "./mock-api/index.js";
 import { App } from "./App.js";
-import "./styles.css";
+import "./styles/tokens.css";
+import "./styles/app.css";
+import "./styles/public.css";
+import "./styles/polish.css";
+
+// In-frontend mock API for the static (Vercel) deploy. When VITE_API_BASE is
+// unset (or empty) every /v1/* fetch is intercepted and served from bundled
+// seed JSON, so the SPA renders fully without a real backend. Pointing
+// VITE_API_BASE at a real host disables the mock entirely.
+const apiBase = (import.meta.env.VITE_API_BASE as string | undefined) ?? "";
+if (apiBase.length === 0) {
+  installMockApi();
+}
 
 const root = document.getElementById("root");
 if (!root) throw new Error("#root not found");
diff --git a/apps/web/src/mock-api/handlers/billing.ts b/apps/web/src/mock-api/handlers/billing.ts
new file mode 100644
index 0000000..62b447c
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/billing.ts
@@ -0,0 +1,174 @@
+// Billing — products list, invoices, coupon validation. Stripe is a black box
+// from the client's perspective; payment-intents returns a synthetic
+// client_secret that will fail in real Stripe Elements but the simulate-success
+// fallback path (Shift+Enter in the modal) sets the entitlement just like the
+// real backend does.
+
+import { register } from "../router.js";
+import { store } from "../store.js";
+import {
+  badRequest,
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+interface SyntheticInvoice {
+  id: string;
+  period: string;
+  amountUsdCents: number;
+  status: string;
+  issuedAt: string;
+  pdfUrl: string;
+}
+
+function buildInvoices(now: Date = new Date()): SyntheticInvoice[] {
+  return Array.from({ length: 6 }, (_, i) => {
+    const d = new Date(now.getFullYear(), now.getMonth() - i, 1);
+    const period = d.toLocaleDateString("en-US", { month: "short", year: "numeric" });
+    const id = `INV-${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}`;
+    return {
+      id,
+      period,
+      amountUsdCents: i === 5 ? 150_000 : 1_899_900,
+      status: "paid",
+      issuedAt: d.toISOString(),
+      pdfUrl: `/v1/billing/invoices/${id}/pdf`,
+    };
+  });
+}
+
+const COMPLIANCE_PACK_ID = "compliance-pack";
+const COMPLIANCE_PACK_AMOUNT = 250_000;
+
+const TIER_AMOUNT_CENTS: Record<string, number> = {
+  [COMPLIANCE_PACK_ID]: COMPLIANCE_PACK_AMOUNT,
+  starter: 30_000,
+  growth: 150_000,
+  scale: 350_000,
+};
+
+interface CouponDef {
+  code: string;
+  percentOff: number;
+  label: string;
+}
+
+const COUPONS: Record<string, CouponDef> = {
+  DEMO20: { code: "DEMO20", percentOff: 20, label: "Demo promo — 20% off" },
+  WIN50: { code: "WIN50", percentOff: 50, label: "Hackathon judges — 50% off" },
+  GROWTH10: { code: "GROWTH10", percentOff: 10, label: "Growth plan promo" },
+};
+
+function products(): MockResponse {
+  const org = store.orgs.get("org_acme");
+  return ok({
+    data: [
+      {
+        id: COMPLIANCE_PACK_ID,
+        name: "Compliance Pack",
+        description: "Evidence bundles, auditor portal, Vanta / Drata push.",
+        priceUsdCents: COMPLIANCE_PACK_AMOUNT,
+        currency: "usd",
+        billing: "one-time",
+        features: [
+          "Evidence Bundles",
+          "Auditor portal access",
+          "Vanta / Drata push",
+          "Signed PDF exports",
+        ],
+      },
+    ],
+    orgEntitlements: {
+      compliancePack: org?.entitlements?.compliancePack ?? false,
+    },
+  });
+}
+
+function applyCoupon(amount: number, code?: string): { amount: number; coupon?: CouponDef } {
+  if (!code) return { amount };
+  const def = COUPONS[code.toUpperCase()];
+  if (!def) return { amount };
+  return {
+    amount: Math.max(0, Math.round(amount * (1 - def.percentOff / 100))),
+    coupon: def,
+  };
+}
+
+function paymentIntent(req: MockRequest): MockResponse {
+  const body = (req.body ?? {}) as { sku?: string; coupon?: string };
+  const sku = body.sku ?? COMPLIANCE_PACK_ID;
+  const base = TIER_AMOUNT_CENTS[sku] ?? COMPLIANCE_PACK_AMOUNT;
+  const { amount, coupon } = applyCoupon(base, body.coupon);
+  const intentId = `pi_demo_${Date.now()}`;
+  return ok({
+    paymentIntentId: intentId,
+    clientSecret: `${intentId}_secret_demo`,
+    amountUsdCents: amount,
+    originalAmountUsdCents: base,
+    currency: "usd",
+    publishableKey: "pk_test_demo_stub",
+    ...(coupon
+      ? { coupon: { code: coupon.code, percentOff: coupon.percentOff, label: coupon.label } }
+      : {}),
+  });
+}
+
+function coupon(_req: MockRequest, code: string): MockResponse {
+  const def = COUPONS[code.toUpperCase()];
+  if (!def) return notFound("Invalid coupon");
+  return ok({ code: def.code, percentOff: def.percentOff, label: def.label });
+}
+
+function invoices(): MockResponse {
+  return ok({ invoices: buildInvoices() });
+}
+
+function invoicePdf(_req: MockRequest, id: string): MockResponse {
+  const inv = buildInvoices().find((i) => i.id === id);
+  if (!inv) return notFound("Invoice not found");
+  // PDF generation needs a real PDF library on the backend; for the mock, hand
+  // back a text/plain placeholder that still triggers the browser download flow.
+  const text = `Unsyphn invoice ${inv.id}\nPeriod: ${inv.period}\nAmount: $${(
+    inv.amountUsdCents / 100
+  ).toFixed(2)}\nStatus: ${inv.status}\n\n(Demo placeholder — real invoices ship as PDF.)`;
+  const bytes = new TextEncoder().encode(text);
+  return {
+    status: 200,
+    body: null,
+    binary: bytes,
+    contentType: "application/pdf",
+    headers: {
+      "Content-Disposition": `attachment; filename="unsyphn-invoice-${inv.id}.pdf"`,
+    },
+  };
+}
+
+function simulateSuccess(): MockResponse {
+  const org = store.orgs.get("org_acme");
+  if (org) {
+    store.orgs.set("org_acme", {
+      ...org,
+      entitlements: { ...org.entitlements, compliancePack: true },
+    });
+  }
+  return ok({ ok: true, paymentIntentId: `pi_dev_${Date.now()}`, simulatedAt: nowIso() });
+}
+
+export function registerBillingHandlers(): void {
+  register("GET", /^\/v1\/billing\/products$/, products);
+  register("POST", /^\/v1\/billing\/payment-intents$/, paymentIntent);
+  register("GET", /^\/v1\/billing\/coupons\/([^/]+)$/, (req, p) =>
+    coupon(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/billing\/invoices$/, invoices);
+  register("GET", /^\/v1\/billing\/invoices\/([^/]+)\/pdf$/, (req, p) =>
+    invoicePdf(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/billing\/simulate-success$/, simulateSuccess);
+  // Acknowledge but no-op — the spec also requires a badRequest if invalid.
+  // Sanity check that handlers don't throw on unexpected body shapes.
+  void badRequest;
+}
diff --git a/apps/web/src/mock-api/handlers/changes.ts b/apps/web/src/mock-api/handlers/changes.ts
new file mode 100644
index 0000000..d62f5e5
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/changes.ts
@@ -0,0 +1,179 @@
+// Change report lifecycle + escalations + feed. Mutates store.changeReports in
+// place so subsequent inbox/findings reads see the new state.
+
+import type {
+  ChangeReport,
+  ChangeState,
+  Lens,
+  Resolution,
+} from "@unsyphn/shared";
+import { changeReportsForOrg, toFeedChange } from "../projections.js";
+import { register } from "../router.js";
+import { store, type EscalationRecord } from "../store.js";
+import {
+  badRequest,
+  conflict,
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+function getReport(orgId: string, id: string): ChangeReport | undefined {
+  const report = store.changeReports.get(id);
+  if (!report || report.orgId !== orgId) return undefined;
+  return report;
+}
+
+function bumpVersion(report: ChangeReport, at: string): ChangeReport {
+  return { ...report, updatedAt: at, version: report.version + 1 };
+}
+
+type Mutation = "acknowledge" | "snooze" | "resolve";
+
+function transitionError(report: ChangeReport, mutation: Mutation): string | null {
+  if (mutation === "acknowledge") {
+    return report.state === "new" ? null : "Change is already acknowledged or in a later state";
+  }
+  if (mutation === "snooze") {
+    return report.state === "resolved" || report.state === "snoozed"
+      ? "Change cannot be snoozed from its current state"
+      : null;
+  }
+  return report.state === "resolved" ? "Change is already resolved" : null;
+}
+
+function feedHandler(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const vendorId = req.query.get("vendorId");
+  const category = req.query.get("category");
+  let changes = changeReportsForOrg(orgId).map(toFeedChange);
+  if (vendorId) changes = changes.filter((c) => c.vendorId === vendorId);
+  if (category && category !== "all") {
+    changes = changes.filter((c) => c.category === category);
+  }
+  changes.sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+  return ok({ changes });
+}
+
+function getChange(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const report = getReport(orgId, id);
+  if (!report) return notFound("Change id not in org");
+  return ok(report);
+}
+
+function acknowledge(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = getReport(orgId, id);
+  if (!current) return notFound("Change id not in org");
+  const err = transitionError(current, "acknowledge");
+  if (err) return conflict(err);
+  const at = nowIso();
+  const updated: ChangeReport = {
+    ...bumpVersion(current, at),
+    state: "acknowledged",
+    acknowledgedAt: at,
+    stateChangedBy: req.userId ?? "system",
+  };
+  const body = (req.body ?? {}) as { note?: string };
+  if (body.note) updated.stateNote = body.note;
+  store.changeReports.set(id, updated);
+  return ok({ id: updated.id, state: "acknowledged" as ChangeState, acknowledgedAt: at });
+}
+
+function snooze(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = getReport(orgId, id);
+  if (!current) return notFound("Change id not in org");
+  const err = transitionError(current, "snooze");
+  if (err) return conflict(err);
+  const body = (req.body ?? {}) as { untilAt?: string; note?: string };
+  const untilAt = body.untilAt;
+  if (!untilAt || Number.isNaN(Date.parse(untilAt))) {
+    return badRequest("untilAt is required");
+  }
+  if (Date.parse(untilAt) <= Date.now()) {
+    return badRequest("untilAt must be in the future");
+  }
+  const at = nowIso();
+  const updated: ChangeReport = {
+    ...bumpVersion(current, at),
+    state: "snoozed",
+    snoozedUntil: untilAt,
+    stateChangedBy: req.userId ?? "system",
+  };
+  if (body.note) updated.stateNote = body.note;
+  store.changeReports.set(id, updated);
+  return ok({ id: updated.id, state: "snoozed" as ChangeState, snoozedUntil: untilAt });
+}
+
+function resolve(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = getReport(orgId, id);
+  if (!current) return notFound("Change id not in org");
+  const err = transitionError(current, "resolve");
+  if (err) return conflict(err);
+  const body = (req.body ?? {}) as { resolution?: Resolution; note?: string };
+  const resolution = body.resolution ?? "accepted";
+  const at = nowIso();
+  const updated: ChangeReport = {
+    ...bumpVersion(current, at),
+    state: "resolved",
+    resolvedAt: at,
+    resolution,
+    stateChangedBy: req.userId ?? "system",
+  };
+  if (body.note) updated.stateNote = body.note;
+  store.changeReports.set(id, updated);
+  return ok({ id: updated.id, state: "resolved" as ChangeState, resolution, resolvedAt: at });
+}
+
+function escalate(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = getReport(orgId, id);
+  if (!current) return notFound("Change id not in org");
+  const body = (req.body ?? {}) as { toRole?: Lens; note?: string };
+  const toRole = body.toRole;
+  if (!toRole) return badRequest("toRole is required");
+  const escalation: EscalationRecord = {
+    toRole,
+    byUserId: req.userId ?? "system",
+    ...(body.note ? { note: body.note } : {}),
+    escalatedAt: nowIso(),
+    slackChannel: `#${toRole}-channel`,
+    jiraKey: `UNS-${Math.floor(1000 + Math.random() * 9000)}`,
+  };
+  const list = store.escalations.get(id) ?? [];
+  list.push(escalation);
+  store.escalations.set(id, list);
+  return ok({ id, escalation });
+}
+
+function listEscalations(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  if (!getReport(orgId, id)) return notFound("Change id not in org");
+  return ok({ id, escalations: store.escalations.get(id) ?? [] });
+}
+
+export function registerChangeHandlers(): void {
+  // Order matters — /feed must be matched before /:id.
+  register("GET", /^\/v1\/changes\/feed$/, feedHandler);
+  register("GET", /^\/v1\/changes\/([^/]+)\/escalations$/, (req, p) =>
+    listEscalations(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/changes\/([^/]+)$/, (req, p) => getChange(req, p[0] ?? ""));
+  register("POST", /^\/v1\/changes\/([^/]+)\/acknowledge$/, (req, p) =>
+    acknowledge(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/changes\/([^/]+)\/snooze$/, (req, p) =>
+    snooze(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/changes\/([^/]+)\/resolve$/, (req, p) =>
+    resolve(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/changes\/([^/]+)\/escalate$/, (req, p) =>
+    escalate(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/findings.ts b/apps/web/src/mock-api/handlers/findings.ts
new file mode 100644
index 0000000..38de024
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/findings.ts
@@ -0,0 +1,210 @@
+// Aggregated findings — derived from non-resolved change reports, flagged
+// sub-processors, and synthetic SOC2/spend signals per vendor. State overrides
+// live in store.findingStateOverrides so toggle actions persist for the session.
+
+import type { Lens, Severity, Vendor } from "@unsyphn/shared";
+import { changeReportsForOrg, readLensTags } from "../projections.js";
+import { register } from "../router.js";
+import { store } from "../store.js";
+import {
+  badRequest,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+type FindingType = "change" | "compliance" | "subprocessor" | "spend" | "security";
+type FindingState = "open" | "under-review" | "resolved";
+
+interface Finding {
+  id: string;
+  type: FindingType;
+  severity: Severity;
+  title: string;
+  summary: string;
+  vendorId: string;
+  vendorName: string;
+  detectedAt: string;
+  state: FindingState;
+  ownerId?: string;
+  sourceUrl?: string;
+  lensTags: Lens[];
+}
+
+function hashString(s: string): number {
+  let h = 0;
+  for (let i = 0; i < s.length; i += 1) {
+    h = (h * 31 + s.charCodeAt(i)) | 0;
+  }
+  return Math.abs(h);
+}
+
+const SOC2_BASE_DATE = Date.parse("2026-07-01T00:00:00Z");
+
+function soc2Expiry(vendorId: string): string {
+  const offsetDays = hashString(vendorId) % 180;
+  return new Date(SOC2_BASE_DATE + offsetDays * 86_400_000).toISOString();
+}
+
+function daysBetween(later: string, now: Date): number {
+  return Math.round((Date.parse(later) - now.getTime()) / 86_400_000);
+}
+
+function slugify(s: string): string {
+  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+
+function fromChangeReports(orgId: string): Finding[] {
+  return changeReportsForOrg(orgId)
+    .filter((r) => r.state !== "resolved")
+    .map((r) => {
+      const vendor = store.vendors.get(r.vendorId);
+      const title = r.headline ?? r.changes[0]?.summary ?? "Material change detected";
+      const finding: Finding = {
+        id: `find_chg_${r.id}`,
+        type: "change",
+        severity: r.severity,
+        title,
+        summary: r.recommendation.copy,
+        vendorId: r.vendorId,
+        vendorName: vendor?.name ?? r.vendorId,
+        detectedAt: r.detectedAt,
+        state: r.state === "new" ? "open" : "under-review",
+        sourceUrl: `/app/change/${encodeURIComponent(r.id)}`,
+        lensTags: readLensTags(r),
+      };
+      if (r.ownerId) finding.ownerId = r.ownerId;
+      return finding;
+    });
+}
+
+function fromSubProcessors(orgId: string): Finding[] {
+  const findings: Finding[] = [];
+  for (const [vendorId, entry] of store.subProcessors.entries()) {
+    const vendor = store.vendors.get(vendorId);
+    if (!vendor || vendor.orgId !== orgId) continue;
+    for (const sp of entry.subProcessors) {
+      if (sp.flagged !== true) continue;
+      findings.push({
+        id: `find_sp_${vendorId}_${slugify(sp.name)}`,
+        type: "subprocessor",
+        severity: "P2",
+        title: `New sub-processor ${sp.name} in ${sp.jurisdiction}`,
+        summary:
+          sp.flagReason ??
+          `${sp.name} processes ${sp.purpose} from ${sp.jurisdiction}, a non-adequate jurisdiction.`,
+        vendorId,
+        vendorName: entry.vendorName,
+        detectedAt: sp.addedAt,
+        state: "open",
+        sourceUrl: `/app/vendors/${encodeURIComponent(vendorId)}?tab=subprocessors`,
+        lensTags: ["security", "legal"],
+      });
+    }
+  }
+  return findings;
+}
+
+function isComplianceCandidate(v: Vendor): boolean {
+  if (v.category === "security" || v.category === "infrastructure") return true;
+  return (v.dataClasses ?? []).includes("pii");
+}
+
+function fromCompliance(orgId: string, now: Date): Finding[] {
+  return [...store.vendors.values()]
+    .filter((v) => v.orgId === orgId && isComplianceCandidate(v))
+    .map((v) => {
+      const expiresAt = soc2Expiry(v.id);
+      const days = daysBetween(expiresAt, now);
+      const severity: Severity = days < 30 ? "P1" : days < 90 ? "P2" : "P3";
+      return {
+        id: `find_compl_${v.id}`,
+        type: "compliance",
+        severity,
+        title: `SOC 2 Type II expires in ${days} day${days === 1 ? "" : "s"}`,
+        summary: `${v.name}'s SOC 2 attestation expires ${new Date(expiresAt).toISOString().slice(0, 10)}. Request a renewed report before the audit window closes.`,
+        vendorId: v.id,
+        vendorName: v.name,
+        detectedAt: now.toISOString(),
+        state: "open" as FindingState,
+        sourceUrl: `/app/vendors/${encodeURIComponent(v.id)}`,
+        lensTags: ["audit", "security", "legal"] as Lens[],
+      };
+    });
+}
+
+function fromSpend(orgId: string, now: Date): Finding[] {
+  return [...store.vendors.values()]
+    .filter(
+      (v) =>
+        v.orgId === orgId &&
+        (v.contract?.annualSpendUsd ?? 0) > 100_000 &&
+        v.posture === "watch",
+    )
+    .map((v) => ({
+      id: `find_spend_${v.id}`,
+      type: "spend" as FindingType,
+      severity: "P2" as Severity,
+      title: "Above benchmark — renegotiation candidate",
+      summary: `${v.name} spend of $${Math.round((v.contract?.annualSpendUsd ?? 0) / 1000)}k is above peer median. Open renegotiation talks before renewal.`,
+      vendorId: v.id,
+      vendorName: v.name,
+      detectedAt: now.toISOString(),
+      state: "open" as FindingState,
+      sourceUrl: `/app/vendors/${encodeURIComponent(v.id)}`,
+      lensTags: ["finance", "procurement"] as Lens[],
+    }));
+}
+
+function applyOverrides(findings: Finding[]): Finding[] {
+  return findings.map((f) => {
+    const override = store.findingStateOverrides.get(f.id);
+    return override ? { ...f, state: override } : f;
+  });
+}
+
+function listFindings(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const now = new Date();
+  let findings: Finding[] = [
+    ...fromChangeReports(orgId),
+    ...fromSubProcessors(orgId),
+    ...fromCompliance(orgId, now),
+    ...fromSpend(orgId, now),
+  ];
+  findings = applyOverrides(findings);
+
+  const vendorId = req.query.get("vendorId");
+  const type = req.query.get("type");
+  const severity = req.query.get("severity");
+  const state = req.query.get("state");
+  const lens = req.query.get("lens");
+
+  if (vendorId) findings = findings.filter((f) => f.vendorId === vendorId);
+  if (type) findings = findings.filter((f) => f.type === (type as FindingType));
+  if (severity) findings = findings.filter((f) => f.severity === (severity as Severity));
+  if (state) findings = findings.filter((f) => f.state === (state as FindingState));
+  if (lens) findings = findings.filter((f) => f.lensTags.includes(lens as Lens));
+
+  findings.sort((a, b) => b.detectedAt.localeCompare(a.detectedAt));
+  return ok({ findings });
+}
+
+function patchFindingState(req: MockRequest, id: string): MockResponse {
+  const body = (req.body ?? {}) as { state?: FindingState };
+  if (
+    !body.state ||
+    (body.state !== "open" && body.state !== "under-review" && body.state !== "resolved")
+  ) {
+    return badRequest("state must be open | under-review | resolved");
+  }
+  store.findingStateOverrides.set(id, body.state);
+  return ok({ id, state: body.state });
+}
+
+export function registerFindingHandlers(): void {
+  register("GET", /^\/v1\/findings$/, listFindings);
+  register("POST", /^\/v1\/findings\/([^/]+)\/state$/, (req, p) =>
+    patchFindingState(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/inbox.ts b/apps/web/src/mock-api/handlers/inbox.ts
new file mode 100644
index 0000000..23d8660
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/inbox.ts
@@ -0,0 +1,45 @@
+// Inbox surface — mirrors apps/api/src/routes/inbox.ts. Filters by severity
+// and lens; lens filter falls back to the unfiltered list when the slice is
+// empty so the user never sees a bare inbox on a quiet role.
+
+import type { Lens, Severity } from "@unsyphn/shared";
+import { changeReportsForOrg, toInboxItem } from "../projections.js";
+import { register } from "../router.js";
+import { ok, type MockRequest, type MockResponse } from "../types.js";
+
+function listInbox(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const filter = req.query.get("filter") ?? "all";
+  const severity = req.query.get("severity") ?? "all";
+  const lens = req.query.get("lens");
+  const limit = Math.min(Number(req.query.get("limit") ?? 50), 200);
+
+  const reports = changeReportsForOrg(orgId).filter((r) => r.state !== "resolved");
+  let items = reports.map(toInboxItem);
+
+  if (filter !== "all" && filter !== "changes") {
+    items = items.filter((item) => item.kind === filter);
+  }
+  if (severity !== "all") {
+    items = items.filter((item) => item.severity === (severity as Severity));
+  }
+  if (lens && lens !== "all") {
+    const filtered = items.filter((item) =>
+      (item.lensTags as string[]).includes(lens as Lens),
+    );
+    if (filtered.length > 0 || items.length === 0) {
+      items = filtered;
+    }
+  }
+
+  items = items
+    .slice()
+    .sort((a, b) => Date.parse(b.occurredAt) - Date.parse(a.occurredAt))
+    .slice(0, limit);
+
+  return ok({ items, total: items.length });
+}
+
+export function registerInboxHandlers(): void {
+  register("GET", /^\/v1\/inbox$/, listInbox);
+}
diff --git a/apps/web/src/mock-api/handlers/index.ts b/apps/web/src/mock-api/handlers/index.ts
new file mode 100644
index 0000000..862dcd1
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/index.ts
@@ -0,0 +1,27 @@
+// Aggregates per-domain handler registration. Called once by install.ts.
+
+import { registerVendorHandlers } from "./vendors.js";
+import { registerInboxHandlers } from "./inbox.js";
+import { registerChangeHandlers } from "./changes.js";
+import { registerRenewalHandlers } from "./renewals.js";
+import { registerRequestHandlers } from "./requests.js";
+import { registerFindingHandlers } from "./findings.js";
+import { registerReportHandlers } from "./reports.js";
+import { registerIntegrationHandlers } from "./integrations.js";
+import { registerBillingHandlers } from "./billing.js";
+import { registerTeamHandlers } from "./team.js";
+import { registerMiscHandlers } from "./misc.js";
+
+export function registerAllHandlers(): void {
+  registerVendorHandlers();
+  registerInboxHandlers();
+  registerChangeHandlers();
+  registerRenewalHandlers();
+  registerRequestHandlers();
+  registerFindingHandlers();
+  registerReportHandlers();
+  registerIntegrationHandlers();
+  registerBillingHandlers();
+  registerTeamHandlers();
+  registerMiscHandlers();
+}
diff --git a/apps/web/src/mock-api/handlers/integrations.ts b/apps/web/src/mock-api/handlers/integrations.ts
new file mode 100644
index 0000000..ae6afc1
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/integrations.ts
@@ -0,0 +1,136 @@
+// Integrations catalog — list, connect, disconnect, sync, sync history.
+// Mirrors apps/api/src/routes/integrations.ts and the integrations-store
+// recordSync / seedHistory behaviour.
+
+import { register } from "../router.js";
+import {
+  store,
+  type IntegrationCategory,
+  type IntegrationRecord,
+  type SyncRecord,
+} from "../store.js";
+import {
+  badRequest,
+  notFound,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+const VALID_CATEGORIES: ReadonlyArray<IntegrationCategory> = ["inbound", "outbound"];
+
+function seedHistory(id: string): SyncRecord[] {
+  const hash = Array.from(id).reduce(
+    (acc, ch) => (acc * 31 + ch.charCodeAt(0)) >>> 0,
+    7,
+  );
+  const now = Date.now();
+  return Array.from({ length: 5 }, (_, i) => {
+    const offsetMs =
+      ((hash + i * 13) % 168) * 60 * 60 * 1000 + i * 6 * 60 * 60 * 1000;
+    return {
+      id: `sync_${id}_${i}`,
+      startedAt: new Date(now - offsetMs).toISOString(),
+      durationMs: 2000 + ((hash + i * 7) % 6000),
+      recordsScanned: 80 + ((hash + i * 53) % 7900),
+      status: i === 4 ? "partial" : "success",
+    };
+  });
+}
+
+function listIntegrations(req: MockRequest): MockResponse {
+  const category = req.query.get("category");
+  if (category && !(VALID_CATEGORIES as ReadonlyArray<string>).includes(category)) {
+    return badRequest(`category must be one of: ${VALID_CATEGORIES.join(", ")}`);
+  }
+  const all = [...store.integrations.values()];
+  const filtered = category
+    ? all.filter((r) => r.category === (category as IntegrationCategory))
+    : all;
+  return ok({ integrations: filtered });
+}
+
+function connect(req: MockRequest, id: string): MockResponse {
+  const current = store.integrations.get(id);
+  if (!current) return notFound(`No integration found with id ${id}`);
+  const body = (req.body ?? {}) as {
+    values?: Record<string, string>;
+    fields?: Record<string, string>;
+    scopes?: string[];
+    connectedAs?: string;
+  };
+  const now = new Date().toISOString();
+  const updated: IntegrationRecord = {
+    ...current,
+    connected: true,
+    scopes: body.scopes ?? current.defaultScopes,
+    ...(body.connectedAs ? { connectedAs: body.connectedAs } : {}),
+    connectedAt: now,
+    lastSyncedAt: now,
+  };
+  store.integrations.set(id, updated);
+  return ok({ integration: updated });
+}
+
+function disconnect(_req: MockRequest, id: string): MockResponse {
+  const current = store.integrations.get(id);
+  if (!current) return notFound(`No integration found with id ${id}`);
+  const updated: IntegrationRecord = {
+    ...current,
+    connected: false,
+    scopes: undefined,
+    connectedAs: undefined,
+    connectedAt: undefined,
+    lastSyncedAt: undefined,
+  };
+  store.integrations.set(id, updated);
+  store.integrationSyncHistory.delete(id);
+  return ok({ integration: updated });
+}
+
+function sync(_req: MockRequest, id: string): MockResponse {
+  const current = store.integrations.get(id);
+  if (!current) return notFound(`No integration found with id ${id}`);
+  if (!current.connected) {
+    return badRequest("Integration must be connected before it can sync");
+  }
+  const recordsScanned = 100 + Math.floor(Math.random() * 7900);
+  const now = new Date().toISOString();
+  const record: SyncRecord = {
+    id: `sync_${Date.now()}`,
+    startedAt: now,
+    durationMs: 1500 + Math.floor(Math.random() * 4000),
+    recordsScanned,
+    status: "success",
+  };
+  const history = store.integrationSyncHistory.get(id) ?? seedHistory(id);
+  store.integrationSyncHistory.set(id, [record, ...history].slice(0, 20));
+  store.integrations.set(id, { ...current, lastSyncedAt: now });
+  return ok({ synced: true, recordsScanned, sync: record });
+}
+
+function syncs(_req: MockRequest, id: string): MockResponse {
+  const current = store.integrations.get(id);
+  if (!current) return notFound(`No integration found with id ${id}`);
+  if (!current.connected) return ok({ syncs: [] });
+  const cached = store.integrationSyncHistory.get(id);
+  const history = cached ?? seedHistory(id);
+  if (!cached) store.integrationSyncHistory.set(id, history);
+  return ok({ syncs: history.slice(0, 5) });
+}
+
+export function registerIntegrationHandlers(): void {
+  register("GET", /^\/v1\/integrations$/, listIntegrations);
+  register("POST", /^\/v1\/integrations\/([^/]+)\/connect$/, (req, p) =>
+    connect(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/integrations\/([^/]+)\/disconnect$/, (req, p) =>
+    disconnect(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/integrations\/([^/]+)\/sync$/, (req, p) =>
+    sync(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/integrations\/([^/]+)\/syncs$/, (req, p) =>
+    syncs(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/misc.ts b/apps/web/src/mock-api/handlers/misc.ts
new file mode 100644
index 0000000..c11a429
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/misc.ts
@@ -0,0 +1,184 @@
+// Misc / catch-all handlers — auditor sessions, recoverable, policies,
+// dashboard summary, onboarding discovery, evidence brief, health.
+
+import type { EvidenceBriefResponse } from "@unsyphn/shared";
+import { register } from "../router.js";
+import { store } from "../store.js";
+import {
+  newId,
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+const RECOVERABLE_STUB = {
+  totalUsd: 135000,
+  breakdown: {
+    unusedSeatsUsd: 42000,
+    priceHikesUsd: 28000,
+    duplicateAppsUsd: 18000,
+    atRiskUsd: 47000,
+  },
+};
+
+function health(): MockResponse {
+  return ok({ ok: true });
+}
+
+function recoverable(): MockResponse {
+  return ok(RECOVERABLE_STUB);
+}
+
+function policies(): MockResponse {
+  return ok({ policies: [...store.policies.values()] });
+}
+
+function dashboard(): MockResponse {
+  const vendors = [...store.vendors.values()];
+  const openChangeCount = [...store.changeReports.values()].filter(
+    (r) => r.state !== "resolved",
+  ).length;
+  const annualRunRateUsd = vendors.reduce(
+    (acc, v) => acc + (v.contract?.annualSpendUsd ?? 0),
+    0,
+  );
+  return ok({
+    vendorCount: vendors.length,
+    annualRunRateUsd,
+    openChangeCount,
+  });
+}
+
+function onboardingDiscover(_req: MockRequest): MockResponse {
+  // Deterministic stub that mirrors apps/api/src/routes/onboarding.ts. The
+  // Onboarding screen uses this purely for the count/preview panel.
+  const existing = [
+    { id: "vnd_notion", name: "Notion", domain: "notion.so", category: "productivity", spendUsd: 36000, confidence: 1 },
+    { id: "vnd_stripe", name: "Stripe", domain: "stripe.com", category: "billing", spendUsd: 120000, confidence: 1 },
+    { id: "vnd_figma", name: "Figma", domain: "figma.com", category: "design", spendUsd: 48000, confidence: 1 },
+    { id: "vnd_slack", name: "Slack", domain: "slack.com", category: "productivity", spendUsd: 180000, confidence: 1 },
+    { id: "vnd_datadog", name: "Datadog", domain: "datadoghq.com", category: "productivity", spendUsd: 240000, confidence: 1 },
+    { id: "vnd_salesforce", name: "Salesforce", domain: "salesforce.com", category: "productivity", spendUsd: 815000, confidence: 1 },
+    { id: "vnd_github", name: "GitHub", domain: "github.com", category: "productivity", spendUsd: 72000, confidence: 1 },
+    { id: "vnd_aws", name: "AWS", domain: "aws.amazon.com", category: "productivity", spendUsd: 980000, confidence: 1 },
+  ];
+  return ok({
+    jobId: "job_demo_001",
+    estimatedSeconds: 45,
+    expectedVendors: 247,
+    discoveredVendors: existing,
+  });
+}
+
+function evidence(_req: MockRequest, id: string): MockResponse {
+  const report = store.changeReports.get(id);
+  if (!report) return notFound(`No evidence brief for id ${id}`);
+  const vendor = store.vendors.get(report.vendorId);
+  const policy = store.policies.get(report.policyFiredId);
+  const alsoMatched = report.policyAlsoMatched
+    .map((pid) => store.policies.get(pid))
+    .filter((p): p is NonNullable<typeof p> => p !== undefined)
+    .map((p) => ({ id: p.id, name: p.name }));
+  const response: EvidenceBriefResponse = {
+    changeReport: report,
+    vendor: {
+      id: vendor?.id ?? report.vendorId,
+      name: vendor?.name ?? "Unknown vendor",
+      category: vendor?.category ?? "uncategorized",
+    },
+    policyFired: {
+      id: policy?.id ?? report.policyFiredId,
+      name: policy?.name ?? "Unknown policy",
+    },
+    policyAlsoMatched: alsoMatched,
+    actionSummary: [],
+  };
+  return ok(response);
+}
+
+function evidenceBundle(_req: MockRequest, id: string): MockResponse {
+  const report = store.changeReports.get(id);
+  if (!report) return notFound(`No evidence brief for id ${id}`);
+  const vendor = store.vendors.get(report.vendorId);
+  const policy = store.policies.get(report.policyFiredId);
+  const title = report.changes[0]?.summary ?? "Change detected";
+  const generatedAt = nowIso();
+  const html = `<!doctype html>
+<html lang="en"><head><meta charset="utf-8"><title>Unsyphn Evidence Bundle - ${report.id}</title>
+<style>body{font-family:Helvetica,Arial,sans-serif;max-width:820px;margin:0 auto;padding:48px 32px;color:#111}h1{font-size:22pt;margin:8px 0 4px}.mark{font-size:9pt;font-weight:700;letter-spacing:.12em;text-transform:uppercase;color:#444}.meta{font-size:9pt;color:#555}.box{border:1px solid #ddd;border-radius:6px;padding:12px 16px;background:#f9f9f9;margin:24px 0}</style></head>
+<body><p class="mark">UNSYPHN EVIDENCE BUNDLE</p><h1>${vendor?.name ?? "Vendor"} - ${title}</h1>
+<p class="meta">Report ID: ${report.id} - Detected: ${report.detectedAt} - Bundle generated: ${generatedAt}</p>
+<div class="box"><strong>Policy fired:</strong> ${policy?.name ?? "Unknown policy"}<br><strong>Severity:</strong> ${report.severity}<br><strong>Recommendation:</strong> ${report.recommendation.copy}</div>
+<p>This is a demo evidence bundle generated client-side by the mock-API layer. The production system attaches signed citations, diff blobs, and routed action records.</p>
+</body></html>`;
+  const bytes = new TextEncoder().encode(html);
+  return {
+    status: 200,
+    body: null,
+    binary: bytes,
+    contentType: "text/html; charset=utf-8",
+  };
+}
+
+function auditorCreateSession(req: MockRequest): MockResponse {
+  const body = (req.body ?? {}) as { vendorIds?: string[]; expiresInDays?: number };
+  const expiresInDays = body.expiresInDays ?? 14;
+  const expiresAt = Date.now() + expiresInDays * 24 * 60 * 60 * 1000;
+  const sessionToken = `mock_${newId("sess")}`;
+  return ok({
+    sessionToken,
+    shareUrl: `${window.location.origin}/auditor/${sessionToken}`,
+    expiresAt: new Date(expiresAt).toISOString(),
+  });
+}
+
+function auditorGetSession(_req: MockRequest, _token: string): MockResponse {
+  const orgId = "org_acme";
+  const scoped = [...store.vendors.values()].filter((v) => v.orgId === orgId);
+  return ok({
+    orgId,
+    vendorIds: null,
+    expiresAt: new Date(Date.now() + 14 * 86_400_000).toISOString(),
+    sessionId: "sess_demo",
+    vendors: scoped.map((v) => ({
+      id: v.id,
+      name: v.name,
+      ownerEmail: store.users.get(v.ownerId)?.email ?? "owner@acme.dev",
+      annualSpendUsd: v.contract?.annualSpendUsd ?? 0,
+      changeCount: v.latestChangeId ? 1 : 0,
+      posture: v.posture ?? "ok",
+    })),
+    changes: [],
+    activityLog: [],
+  });
+}
+
+function commentsForChange(_req: MockRequest, _id: string): MockResponse {
+  // No comments wired yet — returning an empty list keeps the change drawer
+  // tabs working without a 404 toast.
+  return ok({ comments: [] });
+}
+
+export function registerMiscHandlers(): void {
+  register("GET", /^\/v1\/health$/, health);
+  register("GET", /^\/v1\/recoverable$/, recoverable);
+  register("GET", /^\/v1\/policies$/, policies);
+  register("GET", /^\/v1\/dashboard\/summary$/, dashboard);
+  register("POST", /^\/v1\/onboarding\/discover$/, onboardingDiscover);
+  // Evidence: bundle.html before /:id so the param doesn't swallow it.
+  register("GET", /^\/v1\/evidence\/([^/]+)\/bundle\.html$/, (req, p) =>
+    evidenceBundle(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/evidence\/([^/]+)$/, (req, p) =>
+    evidence(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/auditor\/sessions$/, auditorCreateSession);
+  register("GET", /^\/v1\/auditor\/sessions\/([^/]+)$/, (req, p) =>
+    auditorGetSession(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/changes\/([^/]+)\/comments$/, (req, p) =>
+    commentsForChange(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/renewals.ts b/apps/web/src/mock-api/handlers/renewals.ts
new file mode 100644
index 0000000..6d9098e
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/renewals.ts
@@ -0,0 +1,144 @@
+// Renewals kanban — list, status mutation, full patch. Mirrors
+// apps/api/src/routes/renewals.ts including the lensTagsForVendor union over
+// change reports and the dto shape (recommendedAction etc.).
+
+import type { Lens, Renewal, RenewalStatus } from "@unsyphn/shared";
+import { changeReportsForOrg, readLensTags } from "../projections.js";
+import { register } from "../router.js";
+import {
+  store,
+  type RenewalColumn,
+  type RenewalRecord,
+} from "../store.js";
+import {
+  badRequest,
+  notFound,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+const VALID_COLUMNS: ReadonlyArray<RenewalColumn> = ["triage", "negotiate", "sign"];
+
+function daysOut(renewsAt: string, now: Date): number {
+  const target = Date.parse(renewsAt);
+  if (!Number.isFinite(target)) return 0;
+  return Math.round((target - now.getTime()) / 86_400_000);
+}
+
+function lensTagsForVendor(orgId: string, vendorId: string): Lens[] {
+  const seen = new Set<Lens>();
+  for (const report of changeReportsForOrg(orgId)) {
+    if (report.vendorId !== vendorId) continue;
+    for (const t of readLensTags(report)) seen.add(t);
+  }
+  return [...seen];
+}
+
+function toDto(orgId: string, record: RenewalRecord, now: Date): Renewal & {
+  recommendedAction: string;
+  blockerCount: number;
+  seatUtilizationPct: number;
+} {
+  const owner = store.users.get(record.ownerId);
+  return {
+    id: record.id,
+    vendorId: record.vendorId,
+    vendorName: record.vendorName,
+    renewsAt: record.renewsAt,
+    daysOut: daysOut(record.renewsAt, now),
+    annualValueUsd: record.annualSpendUsd,
+    ownerEmail: owner?.email ?? "owner@acme.dev",
+    ownerId: record.ownerId,
+    status: record.currentColumn as RenewalStatus,
+    benchmarkDelta: record.priceDeltaPct,
+    declined: record.declined ?? false,
+    autoRenewed: record.autoRenewed ?? false,
+    lensTags: lensTagsForVendor(orgId, record.vendorId),
+    recommendedAction: record.recommendedAction,
+    blockerCount: record.blockerCount,
+    seatUtilizationPct: record.seatUtilizationPct,
+  };
+}
+
+function listRenewals(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const days = Number(req.query.get("days") ?? 365);
+  const column = req.query.get("column");
+  const now = new Date();
+
+  let records = [...store.renewals.values()];
+  if (column && (VALID_COLUMNS as ReadonlyArray<string>).includes(column)) {
+    records = records.filter((r) => r.currentColumn === column);
+  }
+
+  const renewals = records
+    .map((r) => toDto(orgId, r, now))
+    .filter((r) => (Number.isFinite(days) ? r.daysOut <= days : true))
+    .sort((a, b) => a.daysOut - b.daysOut);
+
+  return ok({ renewals });
+}
+
+function getRenewal(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const record = store.renewals.get(id);
+  if (!record) return notFound(`No renewal found with id ${id}`);
+  return ok({ renewal: toDto(orgId, record, new Date()) });
+}
+
+function setStatus(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const body = (req.body ?? {}) as { column?: string };
+  const column = body.column;
+  if (!column || !(VALID_COLUMNS as ReadonlyArray<string>).includes(column)) {
+    return badRequest(`column must be one of: ${VALID_COLUMNS.join(", ")}`);
+  }
+  const current = store.renewals.get(id);
+  if (!current) return notFound(`No renewal found with id ${id}`);
+  const updated: RenewalRecord = { ...current, currentColumn: column as RenewalColumn };
+  store.renewals.set(id, updated);
+  return ok({ renewal: toDto(orgId, updated, new Date()) });
+}
+
+function patchRenewal(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = store.renewals.get(id);
+  if (!current) return notFound(`No renewal found with id ${id}`);
+  const body = (req.body ?? {}) as {
+    column?: RenewalColumn;
+    ownerId?: string;
+    declined?: boolean;
+    autoRenewed?: boolean;
+  };
+  if (
+    body.column === undefined &&
+    body.ownerId === undefined &&
+    body.declined === undefined &&
+    body.autoRenewed === undefined
+  ) {
+    return badRequest("At least one of column, ownerId, declined, autoRenewed must be provided");
+  }
+  const updated: RenewalRecord = {
+    ...current,
+    ...(body.column !== undefined ? { currentColumn: body.column } : {}),
+    ...(body.ownerId !== undefined ? { ownerId: body.ownerId } : {}),
+    ...(body.declined !== undefined ? { declined: body.declined } : {}),
+    ...(body.autoRenewed !== undefined ? { autoRenewed: body.autoRenewed } : {}),
+  };
+  store.renewals.set(id, updated);
+  return ok({ renewal: toDto(orgId, updated, new Date()) });
+}
+
+export function registerRenewalHandlers(): void {
+  register("GET", /^\/v1\/renewals$/, listRenewals);
+  register("GET", /^\/v1\/renewals\/([^/]+)$/, (req, p) =>
+    getRenewal(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/renewals\/([^/]+)\/status$/, (req, p) =>
+    setStatus(req, p[0] ?? ""),
+  );
+  register("PATCH", /^\/v1\/renewals\/([^/]+)$/, (req, p) =>
+    patchRenewal(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/reports.ts b/apps/web/src/mock-api/handlers/reports.ts
new file mode 100644
index 0000000..3378335
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/reports.ts
@@ -0,0 +1,202 @@
+// Reports — deterministic seed list with on-demand generation. Mirrors
+// apps/api/src/routes/reports.ts shape. The HTML bundle endpoint returns a
+// minimal placeholder so the "view bundle" link still opens to a real page.
+
+import { register } from "../router.js";
+import { store } from "../store.js";
+import {
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+type ReportSchedule = "monthly" | "weekly" | "quarterly" | "on-demand";
+type ReportCategory = "risk" | "compliance" | "spend" | "operational";
+
+interface SeedReport {
+  id: string;
+  name: string;
+  description: string;
+  schedule: ReportSchedule;
+  category: ReportCategory;
+  lastGeneratedAt?: string;
+  nextRunAt?: string;
+  isCompliancePack: boolean;
+}
+
+interface Report {
+  id: string;
+  name: string;
+  description: string;
+  schedule: ReportSchedule;
+  category: ReportCategory;
+  lastGeneratedAt?: string;
+  nextRunAt?: string;
+  isCompliancePack: boolean;
+  downloadUrl?: string;
+}
+
+const DAY_MS = 86_400_000;
+
+function seedReports(now: Date): SeedReport[] {
+  const daysAgo = (n: number) => new Date(now.getTime() - n * DAY_MS).toISOString();
+  const daysAhead = (n: number) => new Date(now.getTime() + n * DAY_MS).toISOString();
+  return [
+    {
+      id: "rpt_monthly_vendor_risk",
+      name: "Monthly Vendor Risk Report",
+      description: "P1/P2 change counts by month with vendor heatmap.",
+      schedule: "monthly",
+      category: "risk",
+      lastGeneratedAt: daysAgo(8),
+      nextRunAt: daysAhead(22),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_soc2_compliance_pack",
+      name: "SOC 2 Compliance Pack",
+      description: "Auditor-ready evidence bundle for SOC 2 Type II review.",
+      schedule: "on-demand",
+      category: "compliance",
+      isCompliancePack: true,
+    },
+    {
+      id: "rpt_renewal_forecast",
+      name: "Renewal Forecast Report",
+      description: "Renewals next 90 days with risk flags and benchmark deltas.",
+      schedule: "weekly",
+      category: "operational",
+      lastGeneratedAt: daysAgo(3),
+      nextRunAt: daysAhead(4),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_recoverable_spend",
+      name: "Recoverable Spend Report",
+      description:
+        "Unused seats, price hikes, and duplicate-app waste with per-vendor breakdown.",
+      schedule: "monthly",
+      category: "spend",
+      lastGeneratedAt: daysAgo(12),
+      nextRunAt: daysAhead(18),
+      isCompliancePack: false,
+    },
+    {
+      id: "rpt_subprocessor_diff",
+      name: "Sub-processor Diff Report",
+      description:
+        "New and removed sub-processors per vendor with jurisdiction flags.",
+      schedule: "quarterly",
+      category: "compliance",
+      lastGeneratedAt: daysAgo(42),
+      nextRunAt: daysAhead(48),
+      isCompliancePack: false,
+    },
+  ];
+}
+
+function toReport(seed: SeedReport): Report {
+  const override = store.reportGenerationOverrides.get(seed.id);
+  const lastGenerated = override?.lastGeneratedAt ?? seed.lastGeneratedAt;
+  const out: Report = {
+    id: seed.id,
+    name: seed.name,
+    description: seed.description,
+    schedule: seed.schedule,
+    category: seed.category,
+    isCompliancePack: seed.isCompliancePack,
+  };
+  if (lastGenerated !== undefined) out.lastGeneratedAt = lastGenerated;
+  if (seed.nextRunAt !== undefined) out.nextRunAt = seed.nextRunAt;
+  const url =
+    override?.downloadUrl ??
+    (lastGenerated ? `/v1/reports/${seed.id}/bundle.html` : undefined);
+  if (url !== undefined) out.downloadUrl = url;
+  return out;
+}
+
+function escHtml(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+function listReports(): MockResponse {
+  const now = new Date();
+  return ok({ reports: seedReports(now).map(toReport) });
+}
+
+function getReport(_req: MockRequest, id: string): MockResponse {
+  const now = new Date();
+  const seed = seedReports(now).find((r) => r.id === id);
+  if (!seed) return notFound(`Report ${id} not found`);
+  return ok(toReport(seed));
+}
+
+function generateReport(_req: MockRequest, id: string): MockResponse {
+  const now = new Date();
+  const seed = seedReports(now).find((r) => r.id === id);
+  if (!seed) return notFound(`Report ${id} not found`);
+  const ts = now.toISOString();
+  store.reportGenerationOverrides.set(id, {
+    lastGeneratedAt: ts,
+    downloadUrl: `/v1/reports/${id}/bundle.html?gen=${encodeURIComponent(ts)}`,
+  });
+  return ok(toReport(seed));
+}
+
+function bundleHtml(_req: MockRequest, id: string): MockResponse {
+  const now = new Date();
+  const seed = seedReports(now).find((r) => r.id === id);
+  if (!seed) return notFound(`Report ${id} not found`);
+  const generatedAt =
+    store.reportGenerationOverrides.get(id)?.lastGeneratedAt ?? nowIso();
+  const html = `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>${escHtml(seed.name)}</title>
+<style>
+  body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; max-width: 820px; margin: 0 auto; padding: 48px 32px; color: #111; }
+  .mark { font-size: 9pt; font-weight: 700; letter-spacing: 0.12em; text-transform: uppercase; color: #444; }
+  h1 { font-size: 22pt; margin: 8px 0 4px; letter-spacing: -0.02em; }
+  .meta { font-size: 9pt; color: #555; }
+  .desc { font-size: 11pt; margin: 24px 0; }
+  .footer { margin-top: 48px; padding-top: 12px; border-top: 1px solid #ccc; font-size: 8pt; color: #666; text-align: center; }
+  .badge { display: inline-block; padding: 2px 10px; border-radius: 999px; font-size: 9pt; font-weight: 700; background: #f1f5f9; color: #0f172a; }
+</style>
+</head>
+<body>
+  <p class="mark">UNSYPHN REPORT BUNDLE</p>
+  <h1>${escHtml(seed.name)}</h1>
+  <p class="meta">Report ID: ${escHtml(seed.id)} &middot; Generated: ${escHtml(generatedAt)}</p>
+  <p><span class="badge">${escHtml(seed.category)}</span> <span class="badge">${escHtml(seed.schedule)}</span></p>
+  <p class="desc">${escHtml(seed.description)}</p>
+  <div class="footer">Generated by Unsyphn at ${escHtml(generatedAt)}.</div>
+</body>
+</html>`;
+  const bytes = new TextEncoder().encode(html);
+  return {
+    status: 200,
+    body: null,
+    binary: bytes,
+    contentType: "text/html; charset=utf-8",
+  };
+}
+
+export function registerReportHandlers(): void {
+  register("GET", /^\/v1\/reports$/, listReports);
+  register("GET", /^\/v1\/reports\/([^/]+)\/bundle\.html$/, (req, p) =>
+    bundleHtml(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/reports\/([^/]+)$/, (req, p) =>
+    getReport(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/reports\/([^/]+)\/generate$/, (req, p) =>
+    generateReport(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/requests.ts b/apps/web/src/mock-api/handlers/requests.ts
new file mode 100644
index 0000000..ccc0f59
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/requests.ts
@@ -0,0 +1,231 @@
+// Intake requests — list, create, decide, comment. Mirrors apps/api routes
+// including the DTO envelope and SLA escalation derived state.
+
+import { register } from "../router.js";
+import {
+  store,
+  type IntakeRequestRecord,
+  type RequestStatus,
+} from "../store.js";
+import {
+  badRequest,
+  created,
+  newId,
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+const VALID_STATUSES: ReadonlyArray<RequestStatus> = [
+  "pending",
+  "approved",
+  "rejected",
+  "routed",
+];
+const ROUTE_TARGETS = ["legal", "security", "finance", "procurement", "it", "audit"] as const;
+type RouteTarget = (typeof ROUTE_TARGETS)[number];
+
+const SLA_WINDOW_MS = 48 * 60 * 60 * 1000;
+const LENS_CATEGORIES: Record<string, ReadonlyArray<string>> = {
+  procurement: [],
+  legal: ["contracts", "dpa", "compliance", "data"],
+  security: ["security", "data", "infrastructure"],
+  finance: ["payments", "analytics", "spend"],
+  it: ["infrastructure", "productivity", "devtools"],
+  audit: [],
+};
+
+function avatarLetter(name: string | undefined, fallback: string): string {
+  const src = name && name.length > 0 ? name : fallback;
+  return src.charAt(0).toUpperCase();
+}
+
+function toDto(record: IntakeRequestRecord): Record<string, unknown> {
+  const requester = store.users.get(record.requesterId);
+  const approver = record.approverId ? store.users.get(record.approverId) : undefined;
+  const requesterName = requester?.name ?? record.requesterId;
+  const submittedMs = Date.parse(record.submittedAt);
+  const slaDueAt = new Date(submittedMs + SLA_WINDOW_MS).toISOString();
+  const autoEscalated =
+    record.status === "pending" && Date.now() - submittedMs > SLA_WINDOW_MS;
+
+  const comments = record.comments.map((c) => {
+    const author = store.users.get(c.by);
+    return {
+      id: c.id,
+      by: c.by,
+      at: c.at,
+      text: c.text,
+      authorName: author?.name ?? c.by,
+      authorLetter: avatarLetter(author?.name, c.by),
+    };
+  });
+
+  const dto: Record<string, unknown> = {
+    id: record.id,
+    vendorName: record.vendorName,
+    requesterEmail: requester?.email ?? "requester@acme.dev",
+    expectedSpendUsd: record.expectedSpendUsd,
+    justification: record.justification,
+    status: record.status,
+    similarTools: record.similarTools,
+    createdAt: record.submittedAt,
+    category: record.category,
+    comments,
+    requesterId: record.requesterId,
+    requesterName,
+    autoEscalated,
+    slaDueAt,
+  };
+  if (record.approverId !== undefined) dto.approverId = record.approverId;
+  if (approver?.name) dto.approverName = approver.name;
+  if (record.decidedAt !== undefined) dto.decidedAt = record.decidedAt;
+  if (record.routeTo !== undefined) dto.routeTo = record.routeTo;
+  return dto;
+}
+
+function matchesLens(record: IntakeRequestRecord, lens: string): boolean {
+  if (lens === "procurement") return true;
+  if (lens === "audit") {
+    const submittedMs = Date.parse(record.submittedAt);
+    const escalated =
+      record.status === "pending" && Date.now() - submittedMs > SLA_WINDOW_MS;
+    return escalated || record.routeTo === "audit";
+  }
+  if (record.routeTo === lens) return true;
+  const allowed = LENS_CATEGORIES[lens] ?? [];
+  return allowed.includes(record.category);
+}
+
+function listRequests(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const status = req.query.get("status") ?? "all";
+  const lens = req.query.get("lens");
+  let records = [...store.requests.values()].filter((r) => r.orgId === orgId);
+  if (status !== "all") {
+    if (!(VALID_STATUSES as ReadonlyArray<string>).includes(status)) {
+      return badRequest(`status must be one of: all, ${VALID_STATUSES.join(", ")}`);
+    }
+    records = records.filter((r) => r.status === (status as RequestStatus));
+  }
+  if (lens && LENS_CATEGORIES[lens] !== undefined) {
+    const filtered = records.filter((r) => matchesLens(r, lens));
+    if (filtered.length > 0 || records.length === 0) records = filtered;
+  }
+  const sorted = records
+    .slice()
+    .sort((a, b) => Date.parse(b.submittedAt) - Date.parse(a.submittedAt))
+    .map(toDto);
+  return ok({ requests: sorted });
+}
+
+function getRequest(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const record = store.requests.get(id);
+  if (!record || record.orgId !== orgId) {
+    return notFound(`No request found with id ${id}`);
+  }
+  return ok({ request: toDto(record) });
+}
+
+function createRequest(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const body = (req.body ?? {}) as Partial<IntakeRequestRecord>;
+  if (!body.vendorName || !body.category || body.expectedSpendUsd === undefined) {
+    return badRequest("vendorName, category, expectedSpendUsd are required");
+  }
+  const record: IntakeRequestRecord = {
+    id: newId("req"),
+    orgId,
+    requesterId: req.userId ?? "usr_priya",
+    vendorName: body.vendorName,
+    category: body.category,
+    expectedSpendUsd: body.expectedSpendUsd,
+    justification: body.justification ?? "",
+    similarTools: body.similarTools ?? [],
+    status: "pending",
+    submittedAt: nowIso(),
+    comments: [],
+  };
+  store.requests.set(record.id, record);
+  return created({ request: toDto(record) });
+}
+
+function decideRequest(req: MockRequest, id: string): MockResponse {
+  const current = store.requests.get(id);
+  if (!current) return notFound(`No request found with id ${id}`);
+  const body = (req.body ?? {}) as {
+    status?: RequestStatus;
+    note?: string;
+    routeTo?: RouteTarget;
+  };
+  if (!body.status) return badRequest("status is required");
+  if (body.status === "routed" && !body.routeTo) {
+    return badRequest("routeTo is required when status is routed");
+  }
+  const at = nowIso();
+  const actor = req.userId ?? "usr_priya";
+  const updated: IntakeRequestRecord = {
+    ...current,
+    status: body.status,
+    approverId: actor,
+    decidedAt: at,
+  };
+  if (body.routeTo !== undefined) {
+    updated.routeTo = body.routeTo;
+  } else if (body.status !== "routed") {
+    delete updated.routeTo;
+  }
+  if (body.note) {
+    updated.comments = [
+      ...current.comments,
+      {
+        id: `cmt_${id}_${current.comments.length + 1}`,
+        by: actor,
+        at,
+        text: body.note,
+      },
+    ];
+  }
+  store.requests.set(id, updated);
+  return ok({ request: toDto(updated) });
+}
+
+function commentRequest(req: MockRequest, id: string): MockResponse {
+  const current = store.requests.get(id);
+  if (!current) return notFound(`No request found with id ${id}`);
+  const body = (req.body ?? {}) as { text?: string };
+  if (!body.text || body.text.trim().length === 0) {
+    return badRequest("text is required");
+  }
+  const updated: IntakeRequestRecord = {
+    ...current,
+    comments: [
+      ...current.comments,
+      {
+        id: `cmt_${id}_${current.comments.length + 1}`,
+        by: req.userId ?? "usr_priya",
+        at: nowIso(),
+        text: body.text,
+      },
+    ],
+  };
+  store.requests.set(id, updated);
+  return ok({ request: toDto(updated) });
+}
+
+export function registerRequestHandlers(): void {
+  register("GET", /^\/v1\/requests$/, listRequests);
+  register("POST", /^\/v1\/requests$/, createRequest);
+  register("GET", /^\/v1\/requests\/([^/]+)$/, (req, p) =>
+    getRequest(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/requests\/([^/]+)\/decision$/, (req, p) =>
+    decideRequest(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/requests\/([^/]+)\/comments$/, (req, p) =>
+    commentRequest(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/handlers/team.ts b/apps/web/src/mock-api/handlers/team.ts
new file mode 100644
index 0000000..0954e4d
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/team.ts
@@ -0,0 +1,45 @@
+// Team — members list (from seeded users) + invites stub.
+
+import { register } from "../router.js";
+import { store } from "../store.js";
+import {
+  badRequest,
+  newId,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+function members(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const list = [...store.users.values()]
+    .filter((u) => u.orgId === orgId)
+    .map((u) => ({
+      id: u.id,
+      name: u.name,
+      email: u.email,
+      role: u.role,
+      avatarLetter: u.avatarLetter ?? u.name.charAt(0).toUpperCase(),
+    }));
+  return ok({ members: list });
+}
+
+function invite(req: MockRequest): MockResponse {
+  const body = (req.body ?? {}) as { email?: string; role?: string };
+  if (!body.email) return badRequest("email is required");
+  const record = {
+    id: newId("inv"),
+    email: body.email,
+    role: body.role ?? "Procurement",
+    invitedAt: nowIso(),
+    status: "pending" as const,
+  };
+  store.teamInvites.set(record.id, record);
+  return ok({ invited: record.email, status: record.status, invite: record });
+}
+
+export function registerTeamHandlers(): void {
+  register("GET", /^\/v1\/team\/members$/, members);
+  register("POST", /^\/v1\/team\/invites$/, invite);
+}
diff --git a/apps/web/src/mock-api/handlers/vendors.ts b/apps/web/src/mock-api/handlers/vendors.ts
new file mode 100644
index 0000000..c6e6aed
--- /dev/null
+++ b/apps/web/src/mock-api/handlers/vendors.ts
@@ -0,0 +1,368 @@
+// Vendor surface — list, get, patch, contracts (list/upload/download stub),
+// activity timeline, scan trigger, renegotiation packet, sub-processors.
+
+import type { Lens, Vendor } from "@unsyphn/shared";
+import { changeReportsForOrg, readLensTags, toFeedChange } from "../projections.js";
+import { register } from "../router.js";
+import {
+  store,
+  type ContractFileRecord,
+  type SubProcessorVendorEntry,
+  type VendorEvent,
+} from "../store.js";
+import {
+  badRequest,
+  created,
+  newId,
+  notFound,
+  nowIso,
+  ok,
+  type MockRequest,
+  type MockResponse,
+} from "../types.js";
+
+const VALID_LENSES = new Set<Lens>([
+  "procurement",
+  "legal",
+  "security",
+  "finance",
+  "it",
+  "audit",
+]);
+
+function getOrgVendor(orgId: string, id: string): Vendor | undefined {
+  const vendor = store.vendors.get(id);
+  if (!vendor || vendor.orgId !== orgId) return undefined;
+  return vendor;
+}
+
+function listVendors(req: MockRequest): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const lensParam = req.query.get("lens");
+  const vendors = [...store.vendors.values()].filter((v) => v.orgId === orgId);
+
+  if (!lensParam || !VALID_LENSES.has(lensParam as Lens)) {
+    return ok({ vendors });
+  }
+  const lens = lensParam as Lens;
+  const vendorIdsForLens = new Set<string>();
+  for (const report of changeReportsForOrg(orgId)) {
+    if (readLensTags(report).includes(lens)) {
+      vendorIdsForLens.add(report.vendorId);
+    }
+  }
+  const filtered = vendors.filter((v) => vendorIdsForLens.has(v.id));
+  return ok({ vendors: filtered.length > 0 ? filtered : vendors });
+}
+
+function getVendor(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const vendor = getOrgVendor(orgId, id);
+  if (!vendor) return notFound(`Vendor ${id} not in org`);
+  return ok(vendor);
+}
+
+function patchVendor(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const current = getOrgVendor(orgId, id);
+  if (!current) return notFound(`Vendor ${id} not in org`);
+  const patch = (req.body ?? {}) as Partial<Pick<Vendor, "ownerId" | "tier" | "posture">>;
+  const updated: Vendor = { ...current, ...patch };
+  store.vendors.set(id, updated);
+
+  // Mirror the backend's per-field event emission so activity timelines stay
+  // populated through subsequent reads.
+  const activity = store.vendorActivity.get(id) ?? [];
+  for (const [field, after] of Object.entries(patch)) {
+    const before = (current as unknown as Record<string, unknown>)[field];
+    if (before === after) continue;
+    activity.push({
+      id: newId("evt"),
+      kind: "vendor.patch",
+      actor: req.userId ?? "system",
+      occurredAt: nowIso(),
+      title: `${field} updated: ${String(before ?? "—")} → ${String(after ?? "—")}`,
+      detail: { field, before, after },
+    });
+  }
+  store.vendorActivity.set(id, activity);
+  return ok(updated);
+}
+
+function listContracts(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  if (!getOrgVendor(orgId, id)) return notFound(`Vendor ${id} not in org`);
+  const contracts = (store.contractFiles.get(id) ?? []).map((c) => ({
+    id: c.id,
+    vendorId: c.vendorId,
+    filename: c.filename,
+    sizeBytes: c.sizeBytes,
+    uploadedBy: c.uploadedBy,
+    uploadedAt: c.uploadedAt,
+  }));
+  return ok({ contracts });
+}
+
+function uploadContract(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  if (!getOrgVendor(orgId, id)) return notFound(`Vendor ${id} not in org`);
+  const body = (req.body ?? {}) as {
+    filename?: string;
+    sizeBytes?: number;
+    contentBase64?: string;
+  };
+  if (!body.filename || !body.sizeBytes) {
+    return badRequest("filename and sizeBytes are required");
+  }
+  const record: ContractFileRecord = {
+    id: newId("ctr"),
+    vendorId: id,
+    filename: body.filename,
+    sizeBytes: body.sizeBytes,
+    uploadedBy: req.userId ?? "system",
+    uploadedAt: nowIso(),
+    ...(body.contentBase64 ? { contentBase64: body.contentBase64 } : {}),
+  };
+  const list = store.contractFiles.get(id) ?? [];
+  list.push(record);
+  store.contractFiles.set(id, list);
+
+  const activity = store.vendorActivity.get(id) ?? [];
+  activity.push({
+    id: newId("evt"),
+    kind: "contract.upload",
+    actor: req.userId ?? "system",
+    occurredAt: nowIso(),
+    title: `Contract uploaded: ${record.filename}`,
+    detail: { contractId: record.id, filename: record.filename },
+  });
+  store.vendorActivity.set(id, activity);
+
+  return created({
+    id: record.id,
+    vendorId: record.vendorId,
+    filename: record.filename,
+    sizeBytes: record.sizeBytes,
+    uploadedBy: record.uploadedBy,
+    uploadedAt: record.uploadedAt,
+  });
+}
+
+function downloadContract(_req: MockRequest, vendorId: string, contractId: string): MockResponse {
+  const list = store.contractFiles.get(vendorId) ?? [];
+  const record = list.find((c) => c.id === contractId);
+  if (!record) return notFound(`Contract ${contractId} not found`);
+  const text = `Unsyphn contract placeholder for ${record.filename}\nThis is a demo download — no real document is stored.\n`;
+  const bytes = new TextEncoder().encode(text);
+  return {
+    status: 200,
+    body: null,
+    binary: bytes,
+    contentType: "application/octet-stream",
+    headers: {
+      "Content-Disposition": `attachment; filename="${record.filename}"`,
+      "Content-Length": String(bytes.byteLength),
+    },
+  };
+}
+
+function activityTimeline(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  if (!getOrgVendor(orgId, id)) return notFound(`Vendor ${id} not in org`);
+
+  const events: VendorEvent[] = [];
+  const seeded = changeReportsForOrg(orgId).filter((r) => r.vendorId === id);
+  for (const report of seeded) {
+    events.push({
+      id: `${report.id}:detected`,
+      kind: "change.detected",
+      actor: "system",
+      occurredAt: report.detectedAt,
+      title: report.changes[0]?.summary ?? "Change detected",
+      changeReportId: report.id,
+      detail: { severity: report.severity },
+    });
+    if (report.acknowledgedAt) {
+      events.push({
+        id: `${report.id}:acknowledged`,
+        kind: "change.acknowledged",
+        actor: report.stateChangedBy ?? "system",
+        occurredAt: report.acknowledgedAt,
+        title: `Change acknowledged: ${report.changes[0]?.summary ?? report.id}`,
+        changeReportId: report.id,
+      });
+    }
+    if (report.snoozedUntil) {
+      events.push({
+        id: `${report.id}:snoozed`,
+        kind: "change.snoozed",
+        actor: report.stateChangedBy ?? "system",
+        occurredAt: report.snoozedUntil,
+        title: `Change snoozed until ${report.snoozedUntil}`,
+        changeReportId: report.id,
+      });
+    }
+    if (report.resolvedAt) {
+      events.push({
+        id: `${report.id}:resolved`,
+        kind: "change.resolved",
+        actor: report.stateChangedBy ?? "system",
+        occurredAt: report.resolvedAt,
+        title: `Change resolved: ${report.changes[0]?.summary ?? report.id}`,
+        changeReportId: report.id,
+      });
+    }
+    const escalations = store.escalations.get(report.id) ?? [];
+    for (const esc of escalations) {
+      events.push({
+        id: `${report.id}:escalation:${esc.escalatedAt}`,
+        kind: "change.escalated",
+        actor: esc.byUserId,
+        occurredAt: esc.escalatedAt,
+        title: `Escalated to ${esc.toRole}`,
+        changeReportId: report.id,
+        detail: { toRole: esc.toRole, jiraKey: esc.jiraKey, slackChannel: esc.slackChannel },
+      });
+    }
+  }
+
+  for (const ev of store.vendorActivity.get(id) ?? []) {
+    events.push(ev);
+  }
+
+  events.sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+
+  const feed = seeded
+    .map(toFeedChange)
+    .sort((a, b) => b.occurredAt.localeCompare(a.occurredAt));
+  const latestChangeId = feed[0]?.id ?? null;
+
+  return ok({ events, latestChangeId });
+}
+
+function triggerScan(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  if (!getOrgVendor(orgId, id)) return notFound(`Vendor ${id} not in org`);
+  const triggeredAt = nowIso();
+  const activity = store.vendorActivity.get(id) ?? [];
+  activity.push({
+    id: newId("evt"),
+    kind: "scan.triggered",
+    actor: req.userId ?? "system",
+    occurredAt: triggeredAt,
+    title: "Manual scan triggered",
+  });
+  store.vendorActivity.set(id, activity);
+  return ok({ ok: true, triggeredAt });
+}
+
+function renegotiationPacket(req: MockRequest, id: string): MockResponse {
+  const orgId = req.orgId ?? "org_acme";
+  const vendor = getOrgVendor(orgId, id);
+  if (!vendor) return notFound(`Vendor ${id} not in org`);
+
+  const spend = vendor.contract?.annualSpendUsd ?? 100_000;
+  const benchmarkLow = Math.round(spend * 0.78);
+  const benchmarkHigh = Math.round(spend * 0.92);
+  const recoverable = Math.max(0, spend - benchmarkHigh);
+
+  // Record an activity event so subsequent timeline reads surface it.
+  const activity = store.vendorActivity.get(id) ?? [];
+  activity.push({
+    id: newId("evt"),
+    kind: "packet.generated",
+    actor: req.userId ?? "system",
+    occurredAt: nowIso(),
+    title: "Renegotiation packet generated",
+  });
+  store.vendorActivity.set(id, activity);
+
+  return ok({
+    vendorId: id,
+    vendorName: vendor.name,
+    currentSpend: spend,
+    benchmarkRange: { low: benchmarkLow, high: benchmarkHigh },
+    usagePct: 64,
+    recoverableUsd: recoverable,
+    drafts: [
+      {
+        tone: "firm",
+        subject: `Renewal terms for ${vendor.name}`,
+        body: `Hello,\n\nAhead of the upcoming renewal we'd like to flag that current annual spend is $${spend.toLocaleString()}, above the $${benchmarkLow.toLocaleString()}-$${benchmarkHigh.toLocaleString()} peer benchmark. Open to discussing a fit-for-purpose package this cycle.\n\nThanks,\nProcurement`,
+      },
+      {
+        tone: "collaborative",
+        subject: `Partnership review — ${vendor.name}`,
+        body: `Hi team,\n\nAs we approach renewal we'd love a quick read-out on usage trends and roadmap. Aiming to land a multi-year structure that reflects observed usage — happy to share data on our side.\n\nBest,\nProcurement`,
+      },
+    ],
+    talkingPoints: [
+      `Current spend $${spend.toLocaleString()} vs. peer median $${Math.round((benchmarkLow + benchmarkHigh) / 2).toLocaleString()}.`,
+      "Seat utilization trending below 70% across last two quarters.",
+      "Two competitive alternatives evaluated in the last 90 days.",
+    ],
+  });
+}
+
+function subProcessorsHandler(req: MockRequest, id: string): MockResponse {
+  const entry: SubProcessorVendorEntry | undefined = store.subProcessors.get(id);
+  if (!entry) return notFound(`No sub-processor data found for vendor ${id}`);
+  const flagged = entry.subProcessors.filter((sp) => sp.flagged === true);
+  const flaggedCount = flagged.length;
+
+  const customerNotifications = flagged.length === 0
+    ? []
+    : [...store.customerContracts.values()]
+        .filter((c) => c.notifiedSubProcessors.length > 0)
+        .map((c) => {
+          const first = flagged[0]!;
+          const addedAt = new Date(first.addedAt);
+          addedAt.setUTCDate(addedAt.getUTCDate() + c.noticeDays);
+          const notifyByDate = addedAt.toISOString().split("T")[0] ?? first.addedAt;
+          return {
+            customerName: c.customerName,
+            contractId: c.contractId,
+            domain: c.domain,
+            ourObligation: `${c.noticeDays}-day notice for non-adequate jurisdiction additions (${c.dpaClause})`,
+            affectedSubProcessor: first.name,
+            notifyByDate,
+            suggestedAction: "Draft notice email",
+          };
+        });
+
+  return ok({
+    vendorId: id,
+    vendorName: entry.vendorName,
+    subProcessors: entry.subProcessors,
+    lastChangeAt: entry.lastChangeAt,
+    flaggedCount,
+    customerNotifications,
+  });
+}
+
+export function registerVendorHandlers(): void {
+  register("GET", /^\/v1\/vendors$/, listVendors);
+  register("GET", /^\/v1\/vendors\/([^/]+)$/, (req, p) => getVendor(req, p[0] ?? ""));
+  register("PATCH", /^\/v1\/vendors\/([^/]+)$/, (req, p) => patchVendor(req, p[0] ?? ""));
+  register("GET", /^\/v1\/vendors\/([^/]+)\/contracts$/, (req, p) =>
+    listContracts(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/vendors\/([^/]+)\/contracts$/, (req, p) =>
+    uploadContract(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/vendors\/([^/]+)\/contracts\/([^/]+)\/download$/, (req, p) =>
+    downloadContract(req, p[0] ?? "", p[1] ?? ""),
+  );
+  register("GET", /^\/v1\/vendors\/([^/]+)\/activity$/, (req, p) =>
+    activityTimeline(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/vendors\/([^/]+)\/scan$/, (req, p) =>
+    triggerScan(req, p[0] ?? ""),
+  );
+  register("POST", /^\/v1\/vendors\/([^/]+)\/renegotiation-packet$/, (req, p) =>
+    renegotiationPacket(req, p[0] ?? ""),
+  );
+  register("GET", /^\/v1\/vendors\/([^/]+)\/sub-processors$/, (req, p) =>
+    subProcessorsHandler(req, p[0] ?? ""),
+  );
+}
diff --git a/apps/web/src/mock-api/index.ts b/apps/web/src/mock-api/index.ts
new file mode 100644
index 0000000..83d274f
--- /dev/null
+++ b/apps/web/src/mock-api/index.ts
@@ -0,0 +1,5 @@
+// Barrel — main.tsx imports `install` from here. Keeping a barrel keeps the
+// install call site short and lets handler registration stay an internal
+// concern.
+
+export { install } from "./install.js";
diff --git a/apps/web/src/mock-api/install.ts b/apps/web/src/mock-api/install.ts
new file mode 100644
index 0000000..a5b6b6d
--- /dev/null
+++ b/apps/web/src/mock-api/install.ts
@@ -0,0 +1,151 @@
+// Install hook — patches window.fetch and EventSource so /v1/* calls resolve
+// against the mock router instead of the network. Called from main.tsx when
+// no real API base is configured.
+
+import { registerAllHandlers } from "./handlers/index.js";
+import { dispatch, requiresAuth } from "./router.js";
+import type { MockRequest, MockResponse } from "./types.js";
+import { unauthorized } from "./types.js";
+import { DEFAULT_ORG_ID, store } from "./store.js";
+
+let installed = false;
+
+function safeParseJson(body: BodyInit | null | undefined): unknown {
+  if (body == null) return undefined;
+  if (typeof body !== "string") return undefined;
+  try {
+    return JSON.parse(body);
+  } catch {
+    return undefined;
+  }
+}
+
+function resolveAuth(headers: Headers): { orgId: string | null; userId: string | null } {
+  const auth = headers.get("authorization") ?? headers.get("Authorization");
+  if (!auth) return { orgId: null, userId: null };
+  const match = /^Bearer\s+(.+)$/i.exec(auth);
+  if (!match) return { orgId: null, userId: null };
+  const token = match[1]?.trim() ?? "";
+  if (!token) return { orgId: null, userId: null };
+  // Accept any non-empty bearer — Settings/renewals/etc. write a custom token to
+  // localStorage. Map known tokens to the seeded org; everything else lands on
+  // the default org so single-tenant flows still work.
+  const orgId = store.tokens.get(token) ?? DEFAULT_ORG_ID;
+  // Demo always acts as usr_priya unless a future header overrides it.
+  return { orgId, userId: "usr_priya" };
+}
+
+function buildRequest(input: RequestInfo | URL, init?: RequestInit): MockRequest {
+  const url =
+    typeof input === "string"
+      ? input
+      : input instanceof URL
+        ? input.toString()
+        : input.url;
+  const parsed = new URL(url, window.location.origin);
+  const method = (init?.method ?? "GET").toUpperCase();
+  const headers = new Headers(init?.headers);
+  const body = safeParseJson(init?.body as BodyInit | null | undefined);
+  const { orgId, userId } = resolveAuth(headers);
+  return {
+    pathname: parsed.pathname,
+    method,
+    query: parsed.searchParams,
+    body,
+    headers,
+    orgId,
+    userId,
+  };
+}
+
+function toResponse(result: MockResponse): Response {
+  const headers = new Headers(result.headers);
+  if (result.binary !== undefined) {
+    if (result.contentType && !headers.has("Content-Type")) {
+      headers.set("Content-Type", result.contentType);
+    }
+    return new Response(result.binary, {
+      status: result.status,
+      headers,
+    });
+  }
+  if (!headers.has("Content-Type")) {
+    headers.set("Content-Type", "application/json");
+  }
+  return new Response(JSON.stringify(result.body), {
+    status: result.status,
+    headers,
+  });
+}
+
+function patchFetch(): void {
+  const originalFetch = window.fetch.bind(window);
+  window.fetch = async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+    const url =
+      typeof input === "string"
+        ? input
+        : input instanceof URL
+          ? input.toString()
+          : input.url;
+    let parsedPath: string;
+    try {
+      parsedPath = new URL(url, window.location.origin).pathname;
+    } catch {
+      return originalFetch(input, init);
+    }
+    if (!parsedPath.startsWith("/v1/")) {
+      return originalFetch(input, init);
+    }
+    const req = buildRequest(input, init);
+    if (requiresAuth(req.pathname) && req.orgId === null) {
+      return toResponse(unauthorized());
+    }
+    const result = await dispatch(req);
+    return toResponse(result);
+  };
+}
+
+function patchEventSource(): void {
+  if (typeof EventSource === "undefined") return;
+  const OriginalEventSource = window.EventSource;
+  class StubEventSource implements EventSource {
+    public readonly url: string;
+    public readonly withCredentials = false;
+    public readonly readyState = 1;
+    public onopen: ((this: EventSource, ev: Event) => unknown) | null = null;
+    public onmessage: ((this: EventSource, ev: MessageEvent) => unknown) | null = null;
+    public onerror: ((this: EventSource, ev: Event) => unknown) | null = null;
+    public static readonly CONNECTING = 0 as const;
+    public static readonly OPEN = 1 as const;
+    public static readonly CLOSED = 2 as const;
+    public readonly CONNECTING = 0 as const;
+    public readonly OPEN = 1 as const;
+    public readonly CLOSED = 2 as const;
+    constructor(url: string | URL) {
+      this.url = typeof url === "string" ? url : url.toString();
+    }
+    addEventListener(): void {}
+    removeEventListener(): void {}
+    dispatchEvent(): boolean {
+      return false;
+    }
+    close(): void {}
+  }
+  window.EventSource = new Proxy(OriginalEventSource, {
+    construct(target, args) {
+      const url = String(args[0] ?? "");
+      if (url.includes("/v1/stream")) {
+        return new StubEventSource(url) as unknown as EventSource;
+      }
+      return Reflect.construct(target, args);
+    },
+  });
+}
+
+export function install(): void {
+  if (installed) return;
+  installed = true;
+  registerAllHandlers();
+  patchFetch();
+  patchEventSource();
+}
diff --git a/apps/web/src/mock-api/projections.ts b/apps/web/src/mock-api/projections.ts
new file mode 100644
index 0000000..20a966c
--- /dev/null
+++ b/apps/web/src/mock-api/projections.ts
@@ -0,0 +1,106 @@
+// Mirrors apps/api/src/lib/change-report-views.ts. Replicated here so the mock
+// builds the same envelopes the real backend returns. Keeping this aligned with
+// the API is critical — the frontend caches assume both surfaces match.
+
+import type { ChangeReport, InboxItem, Lens } from "@unsyphn/shared";
+import { store, userEmail, vendorName } from "./store.js";
+
+const VALID_LENSES: ReadonlyArray<Lens> = [
+  "procurement",
+  "legal",
+  "security",
+  "finance",
+  "it",
+  "audit",
+];
+
+interface ChangeReportWithLensTags extends ChangeReport {
+  lensTags?: Lens[];
+}
+
+export function readLensTags(report: ChangeReport): Lens[] {
+  const candidate = (report as ChangeReportWithLensTags).lensTags;
+  if (!Array.isArray(candidate)) return [];
+  return candidate.filter((t): t is Lens =>
+    (VALID_LENSES as ReadonlyArray<string>).includes(t),
+  );
+}
+
+function headline(report: ChangeReport): string {
+  if (report.headline && report.headline.trim().length > 0) return report.headline;
+  return report.changes[0]?.summary ?? "Change detected";
+}
+
+function dollarImpact(report: ChangeReport): number | null {
+  for (const ch of report.changes) {
+    if (ch.dollarImpact?.annualUsd != null) return ch.dollarImpact.annualUsd;
+  }
+  return null;
+}
+
+export function toInboxItem(report: ChangeReport): InboxItem {
+  return {
+    id: report.id,
+    kind: "change",
+    vendorId: report.vendorId,
+    vendorName: vendorName(report.vendorId),
+    title: headline(report),
+    summary: report.recommendation.copy,
+    severity: report.severity,
+    dollarImpact: dollarImpact(report),
+    ownerEmail: userEmail(report.ownerId),
+    occurredAt: report.detectedAt,
+    lensTags: readLensTags(report),
+    state: report.state,
+  };
+}
+
+export interface FeedChange {
+  id: string;
+  kind: "change";
+  vendorId: string;
+  vendorName: string;
+  title: string;
+  summary: string;
+  severity: ChangeReport["severity"];
+  dollarImpact: number | null;
+  ownerEmail: string;
+  occurredAt: string;
+  category: string | null;
+  lensTags: Lens[];
+  diff: { before: string; after: string } | null;
+  citations: Array<{ url?: string; quote?: string; fetchedAt?: string }>;
+}
+
+export function toFeedChange(report: ChangeReport): FeedChange {
+  const first = report.changes[0];
+  const diff =
+    first && (first.before != null || first.after != null)
+      ? { before: first.before ?? "", after: first.after ?? "" }
+      : null;
+  const citations = (first?.citations ?? []).map((c) => ({
+    ...(c.url !== undefined ? { url: c.url } : {}),
+    ...(c.quote !== undefined ? { quote: c.quote } : {}),
+    ...(c.fetchedAt !== undefined ? { fetchedAt: c.fetchedAt } : {}),
+  }));
+  return {
+    id: report.id,
+    kind: "change",
+    vendorId: report.vendorId,
+    vendorName: vendorName(report.vendorId),
+    title: headline(report),
+    summary: report.recommendation.copy,
+    severity: report.severity,
+    dollarImpact: dollarImpact(report),
+    ownerEmail: userEmail(report.ownerId),
+    occurredAt: report.detectedAt,
+    category: first?.category ?? null,
+    lensTags: readLensTags(report),
+    diff,
+    citations,
+  };
+}
+
+export function changeReportsForOrg(orgId: string): ChangeReport[] {
+  return [...store.changeReports.values()].filter((r) => r.orgId === orgId);
+}
diff --git a/apps/web/src/mock-api/router.ts b/apps/web/src/mock-api/router.ts
new file mode 100644
index 0000000..0090f43
--- /dev/null
+++ b/apps/web/src/mock-api/router.ts
@@ -0,0 +1,35 @@
+// Mock-API router — ordered pattern table dispatched by install.ts. Each
+// handler returns a MockResponse which install.ts converts to a real Response.
+
+import type { Handler, MockRequest, MockResponse, RouteDef } from "./types.js";
+import { notFound } from "./types.js";
+
+const ROUTES: RouteDef[] = [];
+
+export function register(method: string, pattern: RegExp, handler: Handler): void {
+  ROUTES.push({ method: method.toUpperCase(), pattern, handler });
+}
+
+// Endpoints that don't require an Authorization header. /v1/evidence is public
+// per the real backend; everything else requires a bearer (any non-empty value).
+const PUBLIC_PATH_PATTERNS: RegExp[] = [
+  /^\/v1\/evidence\/[^/]+$/,
+  /^\/v1\/evidence\/[^/]+\/bundle\.html$/,
+  /^\/v1\/auditor\/sessions\/[^/]+$/, // signed-token-based, no bearer
+  /^\/v1\/health$/,
+];
+
+export function requiresAuth(pathname: string): boolean {
+  return !PUBLIC_PATH_PATTERNS.some((p) => p.test(pathname));
+}
+
+export async function dispatch(req: MockRequest): Promise<MockResponse> {
+  for (const route of ROUTES) {
+    if (route.method !== req.method) continue;
+    const match = route.pattern.exec(req.pathname);
+    if (!match) continue;
+    const params = match.slice(1).map((p) => decodeURIComponent(p ?? ""));
+    return route.handler(req, params);
+  }
+  return notFound(`No mock handler for ${req.method} ${req.pathname}`);
+}
diff --git a/apps/web/src/mock-api/store.ts b/apps/web/src/mock-api/store.ts
new file mode 100644
index 0000000..d392ceb
--- /dev/null
+++ b/apps/web/src/mock-api/store.ts
@@ -0,0 +1,293 @@
+// Mock-API store — in-memory mutable seed snapshot for the static demo build.
+// Seed JSON is imported at module load (Vite inlines it into the bundle); each
+// entity gets a Map keyed by id so handlers can mutate state across requests
+// without round-tripping a real backend.
+
+import type {
+  ChangeReport,
+  IntakeRequest,
+  Lens,
+  Org,
+  Renewal,
+  User,
+  Vendor,
+} from "@unsyphn/shared";
+
+import orgsRaw from "../../../../seed/orgs.json";
+import usersRaw from "../../../../seed/users.json";
+import tokensRaw from "../../../../seed/tokens.json";
+import vendorsRaw from "../../../../seed/vendors.json";
+import changeReportsRaw from "../../../../seed/change-reports.json";
+import renewalsRaw from "../../../../seed/renewals.json";
+import requestsRaw from "../../../../seed/requests.json";
+import integrationsRaw from "../../../../seed/integrations.json";
+import customerContractsRaw from "../../../../seed/customer-contracts.json";
+import policiesRaw from "../../../../seed/policies.json";
+import subProcessorsRaw from "../../../api/src/seed/sub-processors.json";
+
+// Re-exported domain types that aren't in @unsyphn/shared but are required by
+// handlers. Mirror the relevant shape from apps/api so callers stay typed.
+
+export type RenewalColumn = "triage" | "negotiate" | "sign";
+
+export interface RenewalRecord {
+  id: string;
+  vendorId: string;
+  vendorName: string;
+  renewsAt: string;
+  annualSpendUsd: number;
+  currentColumn: RenewalColumn;
+  ownerId: string;
+  priceDeltaPct: number;
+  seatUtilizationPct: number;
+  blockerCount: number;
+  recommendedAction: string;
+  declined?: boolean;
+  autoRenewed?: boolean;
+}
+
+export type RequestStatus = "pending" | "approved" | "rejected" | "routed";
+
+export interface RequestComment {
+  id: string;
+  by: string;
+  at: string;
+  text: string;
+}
+
+export interface IntakeRequestRecord {
+  id: string;
+  orgId: string;
+  requesterId: string;
+  vendorName: string;
+  category: string;
+  expectedSpendUsd: number;
+  justification: string;
+  similarTools: string[];
+  status: RequestStatus;
+  submittedAt: string;
+  approverId?: string;
+  decidedAt?: string;
+  routeTo?: string;
+  comments: RequestComment[];
+}
+
+export type IntegrationCategory = "inbound" | "outbound";
+
+export interface IntegrationField {
+  key: string;
+  label: string;
+  placeholder?: string;
+  sensitive?: boolean;
+  optional?: boolean;
+}
+
+export interface IntegrationRecord {
+  id: string;
+  name: string;
+  slug: string;
+  category: IntegrationCategory;
+  description: string;
+  authType: "oauth" | "api-key" | "saml";
+  iconSlug?: string;
+  iconColor?: string;
+  requiredFields: IntegrationField[];
+  defaultScopes: string[];
+  connected: boolean;
+  scopes?: string[];
+  connectedAs?: string;
+  connectedAt?: string;
+  lastSyncedAt?: string;
+}
+
+export interface SyncRecord {
+  id: string;
+  startedAt: string;
+  durationMs: number;
+  recordsScanned: number;
+  status: "success" | "partial";
+}
+
+export interface CustomerContractRecord {
+  id: string;
+  customerId: string;
+  customerName: string;
+  contractId: string;
+  domain: string;
+  contractStart: string;
+  contractEnd: string;
+  annualValueUsd: number;
+  dataResidency: string;
+  dpaClause: string;
+  noticeDays: number;
+  notifiedSubProcessors: string[];
+}
+
+export interface SubProcessor {
+  name: string;
+  jurisdiction: string;
+  purpose: string;
+  adequate: boolean;
+  addedAt: string;
+  flagged?: boolean;
+  flagReason?: string;
+}
+
+export interface SubProcessorVendorEntry {
+  vendorName: string;
+  subProcessors: SubProcessor[];
+  lastChangeAt: string;
+}
+
+export interface PolicyRecord {
+  id: string;
+  orgId: string;
+  name: string;
+  description: string;
+  version: number;
+  createdBy: string;
+  isActive: boolean;
+  severity: string;
+  route: string[];
+}
+
+export interface VendorEvent {
+  id: string;
+  kind: string;
+  actor: string;
+  occurredAt: string;
+  title: string;
+  detail?: Record<string, unknown>;
+  changeReportId?: string;
+}
+
+export interface ContractFileRecord {
+  id: string;
+  vendorId: string;
+  filename: string;
+  sizeBytes: number;
+  uploadedBy: string;
+  uploadedAt: string;
+  contentBase64?: string;
+}
+
+export interface EscalationRecord {
+  toRole: Lens;
+  byUserId: string;
+  note?: string;
+  escalatedAt: string;
+  slackChannel: string;
+  jiraKey: string;
+}
+
+// Cast JSON imports at the boundary; downstream code uses typed maps so the
+// `as unknown as ...` is the only place where types come from raw JSON.
+function toMap<T extends { id: string }>(items: ReadonlyArray<T>): Map<string, T> {
+  return new Map(items.map((it) => [it.id, it]));
+}
+
+const vendors = toMap(vendorsRaw as unknown as Vendor[]);
+const users = toMap(usersRaw as unknown as User[]);
+const orgs = toMap(orgsRaw as unknown as Org[]);
+const changeReports = toMap(changeReportsRaw as unknown as ChangeReport[]);
+const renewals = toMap(renewalsRaw as unknown as RenewalRecord[]);
+const requests = toMap(requestsRaw as unknown as IntakeRequestRecord[]);
+const integrations = toMap(integrationsRaw as unknown as IntegrationRecord[]);
+const customerContracts = toMap(
+  customerContractsRaw as unknown as CustomerContractRecord[],
+);
+const policies = toMap(policiesRaw as unknown as PolicyRecord[]);
+
+const tokens = new Map<string, string>(
+  Object.entries(tokensRaw as Record<string, string>),
+);
+
+const subProcessors = new Map<string, SubProcessorVendorEntry>(
+  Object.entries(
+    subProcessorsRaw as unknown as Record<string, SubProcessorVendorEntry>,
+  ),
+);
+
+// Runtime-only mutable side maps (escalations, comments-on-changes, etc.) start
+// empty and are populated by handlers as the demo runs.
+const escalations = new Map<string, EscalationRecord[]>();
+const changeComments = new Map<string, RequestComment[]>();
+const findingStateOverrides = new Map<string, "open" | "under-review" | "resolved">();
+const reportGenerationOverrides = new Map<
+  string,
+  { lastGeneratedAt: string; downloadUrl: string }
+>();
+const vendorActivity = new Map<string, VendorEvent[]>();
+const contractFiles = new Map<string, ContractFileRecord[]>();
+const integrationSyncHistory = new Map<string, SyncRecord[]>();
+const teamInvites = new Map<
+  string,
+  { id: string; email: string; role: string; invitedAt: string; status: "pending" }
+>();
+
+export interface MockStore {
+  vendors: Map<string, Vendor>;
+  users: Map<string, User>;
+  orgs: Map<string, Org>;
+  tokens: Map<string, string>;
+  changeReports: Map<string, ChangeReport>;
+  renewals: Map<string, RenewalRecord>;
+  requests: Map<string, IntakeRequestRecord>;
+  integrations: Map<string, IntegrationRecord>;
+  customerContracts: Map<string, CustomerContractRecord>;
+  policies: Map<string, PolicyRecord>;
+  subProcessors: Map<string, SubProcessorVendorEntry>;
+  escalations: Map<string, EscalationRecord[]>;
+  changeComments: Map<string, RequestComment[]>;
+  findingStateOverrides: Map<string, "open" | "under-review" | "resolved">;
+  reportGenerationOverrides: Map<
+    string,
+    { lastGeneratedAt: string; downloadUrl: string }
+  >;
+  vendorActivity: Map<string, VendorEvent[]>;
+  contractFiles: Map<string, ContractFileRecord[]>;
+  integrationSyncHistory: Map<string, SyncRecord[]>;
+  teamInvites: Map<
+    string,
+    { id: string; email: string; role: string; invitedAt: string; status: "pending" }
+  >;
+}
+
+export const store: MockStore = {
+  vendors,
+  users,
+  orgs,
+  tokens,
+  changeReports,
+  renewals,
+  requests,
+  integrations,
+  customerContracts,
+  policies,
+  subProcessors,
+  escalations,
+  changeComments,
+  findingStateOverrides,
+  reportGenerationOverrides,
+  vendorActivity,
+  contractFiles,
+  integrationSyncHistory,
+  teamInvites,
+};
+
+// Default org for the demo — single-tenant, every authenticated request resolves
+// to org_acme. Real backend resolves via the token map; we mirror that here so
+// auth checks still flow through tokens.json.
+export const DEFAULT_ORG_ID = "org_acme";
+
+export function vendorName(vendorId: string): string {
+  return store.vendors.get(vendorId)?.name ?? vendorId.replace(/^vnd_/, "");
+}
+
+export function userEmail(userId: string): string {
+  return store.users.get(userId)?.email ?? `${userId}@acme.dev`;
+}
+
+// Re-export Renewal so handlers can refer to the shared type alongside
+// RenewalRecord without importing from @unsyphn/shared directly.
+export type { Renewal };
diff --git a/apps/web/src/mock-api/types.ts b/apps/web/src/mock-api/types.ts
new file mode 100644
index 0000000..e03beaf
--- /dev/null
+++ b/apps/web/src/mock-api/types.ts
@@ -0,0 +1,76 @@
+// Shared request/response types for the mock-API router and handlers.
+
+export interface MockRequest {
+  pathname: string;
+  method: string;
+  query: URLSearchParams;
+  body: unknown;
+  headers: Headers;
+  orgId: string | null;
+  userId: string | null;
+}
+
+export interface MockResponse {
+  status: number;
+  body: unknown;
+  headers?: Record<string, string>;
+  // When set the body is a Uint8Array / Blob payload returned as-is rather than
+  // JSON-serialized. Used for contract downloads, PDF, HTML bundles, etc.
+  binary?: BodyInit;
+  contentType?: string;
+}
+
+export type Handler = (
+  req: MockRequest,
+  params: string[],
+) => Promise<MockResponse> | MockResponse;
+
+export interface RouteDef {
+  method: string;
+  pattern: RegExp;
+  handler: Handler;
+}
+
+export function ok(body: unknown): MockResponse {
+  return { status: 200, body };
+}
+
+export function created(body: unknown): MockResponse {
+  return { status: 201, body };
+}
+
+export function notFound(message: string): MockResponse {
+  return {
+    status: 404,
+    body: { error: { code: "not-found", message } },
+  };
+}
+
+export function badRequest(message: string, code = "validation-failed"): MockResponse {
+  return {
+    status: 422,
+    body: { error: { code, message } },
+  };
+}
+
+export function unauthorized(message = "Missing bearer token"): MockResponse {
+  return {
+    status: 401,
+    body: { error: { code: "unauthenticated", message } },
+  };
+}
+
+export function conflict(message: string): MockResponse {
+  return {
+    status: 409,
+    body: { error: { code: "conflict", message } },
+  };
+}
+
+export function nowIso(): string {
+  return new Date().toISOString();
+}
+
+export function newId(prefix: string): string {
+  return `${prefix}_${Math.random().toString(36).slice(2, 10)}`;
+}
diff --git a/apps/web/src/screens/AuditorMode.tsx b/apps/web/src/screens/AuditorMode.tsx
new file mode 100644
index 0000000..3f47d56
--- /dev/null
+++ b/apps/web/src/screens/AuditorMode.tsx
@@ -0,0 +1,224 @@
+import { useState, useEffect } from "react";
+import { Download, Printer, Shield, Clock, Building2, TrendingUp } from "lucide-react";
+import { VendorLogo } from "../components/VendorLogo.js";
+
+interface VendorSummary { id: string; name: string; ownerEmail: string; annualSpendUsd: number; changeCount: number; posture: string; }
+interface ChangeReport { id: string; vendorId: string; vendorName: string; severity: string; title: string; actor: string; timestamp: string; }
+interface ActivityEvent { id: string; kind: string; vendorId: string; vendorName: string; actor: string; timestamp: string; detail: string; }
+interface AuditorSession { orgId: string; vendorIds: string[] | null; expiresAt: string; sessionId: string; vendors: VendorSummary[]; changes: ChangeReport[]; activityLog: ActivityEvent[]; }
+interface Props { sessionToken: string; }
+
+function fmtDate(iso: string): string {
+  try { return new Date(iso).toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" }); }
+  catch { return iso; }
+}
+
+function fmtUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1_000) return `$${Math.round(n / 1_000)}k`;
+  return `$${n}`;
+}
+
+const POSTURE_COLOR: Record<string, string> = { ok: "var(--success)", watch: "var(--warning)", risk: "var(--danger)", stale: "var(--text-muted)" };
+const SEV_COLOR: Record<string, string> = { P1: "var(--danger)", P2: "var(--warning)", P3: "var(--text-muted)" };
+
+function Dot({ posture }: { posture: string }) {
+  const c = POSTURE_COLOR[posture] ?? "var(--text-muted)";
+  return <span style={{ display: "inline-flex", alignItems: "center", gap: 4, fontSize: "var(--text-xs)", color: c, fontFamily: "var(--font-mono)" }}>
+    <span aria-hidden="true" style={{ width: 6, height: 6, borderRadius: "50%", background: c, display: "inline-block" }} />
+    {posture}
+  </span>;
+}
+
+function SevBadge({ severity }: { severity: string }) {
+  return <span style={{ fontSize: "var(--text-xs)", fontFamily: "var(--font-mono)", color: SEV_COLOR[severity] ?? "var(--text-muted)", fontWeight: 600 }}>{severity}</span>;
+}
+
+const SECTION_LABEL: React.CSSProperties = { fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text-muted)", textTransform: "uppercase" as const, letterSpacing: "0.06em", marginBottom: "var(--space-3)", fontFamily: "var(--font-mono)", display: "block" };
+const CARD: React.CSSProperties = { background: "var(--surface)", border: "1px solid var(--border)", borderRadius: "var(--radius-lg)" };
+const TH: React.CSSProperties = { padding: "var(--space-2) var(--space-4)", textAlign: "left", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text-muted)", textTransform: "uppercase" as const, letterSpacing: "0.06em", fontFamily: "var(--font-mono)" };
+
+const WATERMARK_ROWS = 12;
+
+export function AuditorMode({ sessionToken }: Props): JSX.Element {
+  const [session, setSession] = useState<AuditorSession | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    document.title = "Auditor Preview — Unsyphn";
+    async function load() {
+      try {
+        const resp = await fetch(`/v1/auditor/sessions/${encodeURIComponent(sessionToken)}`);
+        if (resp.status === 401) {
+          const body = (await resp.json()) as { error?: { message?: string } };
+          setError(body?.error?.message ?? "This auditor link has expired or is invalid.");
+          return;
+        }
+        if (!resp.ok) { setError("Unable to load auditor session. Please contact the sender."); return; }
+        setSession((await resp.json()) as AuditorSession);
+      } catch { setError("Network error. Please check your connection and try again."); }
+      finally { setLoading(false); }
+    }
+    void load();
+  }, [sessionToken]);
+
+  if (loading) return <div style={{ minHeight: "100vh", display: "flex", alignItems: "center", justifyContent: "center", background: "var(--bg)" }} aria-live="polite"><span style={{ fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>Verifying auditor link...</span></div>;
+  if (error || !session) return (
+    <div style={{ minHeight: "100vh", display: "flex", flexDirection: "column", alignItems: "center", justifyContent: "center", gap: "var(--space-3)", background: "var(--bg)", padding: "var(--space-6)" }}>
+      <Shield size={40} style={{ color: "var(--text-muted)" }} aria-hidden="true" />
+      <h1 style={{ fontSize: "var(--text-xl)", fontWeight: 600 }}>Auditor link unavailable</h1>
+      <p style={{ fontSize: "var(--text-sm)", color: "var(--text-2)", textAlign: "center", maxWidth: 360 }}>{error ?? "Session unavailable."}</p>
+    </div>
+  );
+
+  const totalSpend = session.vendors.reduce((s, v) => s + v.annualSpendUsd, 0);
+  const today = new Date().toLocaleDateString("en-US", { year: "numeric", month: "long", day: "numeric" });
+  const orgLabel = session.orgId.replace("org_", "").replace(/^\w/, (c) => c.toUpperCase());
+
+  return <>
+    <style>{`@media print { .ab { display: none !important; } .aw { opacity: 0.08 !important; } }`}</style>
+
+    {/* Diagonal watermark */}
+    <div className="aw" aria-hidden="true" style={{ position: "fixed", inset: 0, pointerEvents: "none", zIndex: 50, overflow: "hidden", opacity: 0.14, userSelect: "none" }}>
+      {Array.from({ length: WATERMARK_ROWS }).map((_, i) => (
+        <span key={i} style={{ position: "absolute", top: `${i * 9 - 4}%`, left: "-10%", width: "120%", fontSize: "clamp(16px,2.5vw,28px)", fontFamily: "var(--font-display)", fontWeight: 700, letterSpacing: "0.15em", color: "var(--warning)", transform: "rotate(-25deg)", transformOrigin: "left center", whiteSpace: "nowrap" }}>
+          AUDITOR PREVIEW · AUDITOR PREVIEW · AUDITOR PREVIEW
+        </span>
+      ))}
+    </div>
+
+    <div style={{ minHeight: "100vh", background: "var(--bg)", paddingBottom: "var(--space-9)", position: "relative", zIndex: 1 }}>
+      {/* Banner */}
+      <header className="ab" role="banner" style={{ background: "rgba(217,119,6,0.10)", borderBottom: "1px solid rgba(217,119,6,0.25)", padding: "var(--space-3) var(--space-6)" }}>
+        <div style={{ maxWidth: 960, margin: "0 auto", display: "flex", alignItems: "center", justifyContent: "space-between", flexWrap: "wrap", gap: "var(--space-3)" }}>
+          <div>
+            <span style={{ fontSize: "var(--text-sm)", fontWeight: 600, color: "var(--warning)", fontFamily: "var(--font-mono)", letterSpacing: "0.05em" }}>AUDITOR PREVIEW · {session.sessionId} · expires {fmtDate(session.expiresAt)}</span>
+            <p style={{ margin: 0, fontSize: "var(--text-xs)", color: "var(--text-2)" }}>Read-only · Watermark applied to all exports</p>
+          </div>
+          <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+            <Clock size={14} style={{ color: "var(--warning)" }} aria-hidden="true" />
+            <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>Link expires {fmtDate(session.expiresAt)}</span>
+          </div>
+        </div>
+      </header>
+
+      <main style={{ maxWidth: 960, margin: "0 auto", padding: "var(--space-6)" }}>
+        {/* Summary card */}
+        <section aria-labelledby="bundle-heading" style={{ marginBottom: "var(--space-6)" }}>
+          <div style={{ ...CARD, padding: "var(--space-5)" }}>
+            <div style={{ display: "flex", alignItems: "center", gap: "var(--space-3)", marginBottom: "var(--space-4)" }}>
+              <Building2 size={20} style={{ color: "var(--accent)" }} aria-hidden="true" />
+              <h1 id="bundle-heading" style={{ fontSize: "var(--text-lg)", fontWeight: 600, fontFamily: "var(--font-display)", margin: 0 }}>Unsyphn — {orgLabel} evidence bundle</h1>
+            </div>
+            <div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(140px,1fr))", gap: "var(--space-4)" }}>
+              {[["Vendors", session.vendors.length], ["Changes", session.changes.length], ["Events", session.activityLog.length], ["Total Spend", fmtUsd(totalSpend)]].map(([label, value]) => (
+                <div key={label as string} style={{ display: "flex", flexDirection: "column", gap: 2 }}>
+                  <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", textTransform: "uppercase", letterSpacing: "0.06em" }}>{label}</span>
+                  <span style={{ fontSize: "var(--text-xl)", fontWeight: 600, fontFamily: "var(--font-mono)" }}>{value}</span>
+                </div>
+              ))}
+            </div>
+            <p style={{ marginTop: "var(--space-3)", fontSize: "var(--text-xs)", color: "var(--text-muted)", margin: "var(--space-3) 0 0" }}>Generated: {today}</p>
+          </div>
+        </section>
+
+        {/* Vendors */}
+        <section aria-labelledby="vendors-heading" style={{ marginBottom: "var(--space-6)" }}>
+          <span id="vendors-heading" role="heading" aria-level={2} style={SECTION_LABEL}>Vendors</span>
+          <div style={{ ...CARD, overflow: "hidden" }}>
+            <table style={{ width: "100%", borderCollapse: "collapse" }} aria-labelledby="vendors-heading">
+              <thead>
+                <tr style={{ borderBottom: "1px solid var(--border)", background: "var(--surface-2)" }}>
+                  {["Vendor", "Owner", "Spend", "Changes", "Posture"].map((h) => <th key={h} scope="col" style={TH}>{h}</th>)}
+                </tr>
+              </thead>
+              <tbody>
+                {session.vendors.map((v, i) => (
+                  <tr key={v.id} style={{ borderBottom: i < session.vendors.length - 1 ? "1px solid var(--border)" : "none" }}>
+                    <td style={{ padding: "var(--space-3) var(--space-4)" }}>
+                      <div style={{ display: "flex", alignItems: "center", gap: "var(--space-3)" }}>
+                        <VendorLogo name={v.name} size={28} />
+                        <span style={{ fontSize: "var(--text-sm)", fontWeight: 500 }}>{v.name}</span>
+                      </div>
+                    </td>
+                    <td style={{ padding: "var(--space-3) var(--space-4)", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>{v.ownerEmail}</td>
+                    <td style={{ padding: "var(--space-3) var(--space-4)", fontSize: "var(--text-sm)", fontFamily: "var(--font-mono)" }}>{fmtUsd(v.annualSpendUsd)}</td>
+                    <td style={{ padding: "var(--space-3) var(--space-4)", fontSize: "var(--text-sm)", fontFamily: "var(--font-mono)" }}>{v.changeCount}</td>
+                    <td style={{ padding: "var(--space-3) var(--space-4)" }}><Dot posture={v.posture} /></td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        </section>
+
+        {/* Change chronology */}
+        {session.changes.length > 0 && (
+          <section aria-labelledby="changes-heading" style={{ marginBottom: "var(--space-6)" }}>
+            <span id="changes-heading" role="heading" aria-level={2} style={SECTION_LABEL}>Change Chronology</span>
+            <div style={{ ...CARD, padding: "var(--space-4)" }}>
+              <ol aria-labelledby="changes-heading" style={{ listStyle: "none", margin: 0, padding: 0 }}>
+                {session.changes.map((ch, i) => (
+                  <li key={ch.id} style={{ display: "flex", gap: "var(--space-4)", paddingBottom: i < session.changes.length - 1 ? "var(--space-4)" : 0, marginBottom: i < session.changes.length - 1 ? "var(--space-4)" : 0, borderBottom: i < session.changes.length - 1 ? "1px solid var(--border)" : "none" }}>
+                    <div style={{ flexShrink: 0, paddingTop: 2 }}><VendorLogo name={ch.vendorName} size={28} /></div>
+                    <div style={{ flex: 1, minWidth: 0 }}>
+                      <div style={{ display: "flex", alignItems: "baseline", gap: "var(--space-2)", flexWrap: "wrap" }}>
+                        <span style={{ fontSize: "var(--text-sm)", fontWeight: 500 }}>{ch.title}</span>
+                        <SevBadge severity={ch.severity} />
+                      </div>
+                      <div style={{ display: "flex", gap: "var(--space-3)", marginTop: 2 }}>
+                        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>{ch.vendorName}</span>
+                        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", fontFamily: "var(--font-mono)" }}>{fmtDate(ch.timestamp)}</span>
+                      </div>
+                    </div>
+                  </li>
+                ))}
+              </ol>
+            </div>
+          </section>
+        )}
+
+        {/* Activity log */}
+        {session.activityLog.length > 0 && (
+          <section aria-labelledby="activity-heading" style={{ marginBottom: "var(--space-6)" }}>
+            <span id="activity-heading" role="heading" aria-level={2} style={SECTION_LABEL}>Activity Log</span>
+            <div style={{ ...CARD, overflow: "hidden" }}>
+              <ol aria-labelledby="activity-heading" style={{ listStyle: "none", margin: 0, padding: 0 }}>
+                {session.activityLog.map((ev, i) => (
+                  <li key={ev.id} style={{ display: "flex", alignItems: "flex-start", gap: "var(--space-4)", padding: "var(--space-3) var(--space-4)", borderBottom: i < session.activityLog.length - 1 ? "1px solid var(--border)" : "none" }}>
+                    <span style={{ fontSize: "var(--text-xs)", fontFamily: "var(--font-mono)", color: "var(--accent)", background: "var(--accent-soft)", padding: "1px 6px", borderRadius: "var(--radius-sm)", whiteSpace: "nowrap", flexShrink: 0 }}>{ev.kind}</span>
+                    <div style={{ flex: 1, minWidth: 0 }}>
+                      <span style={{ fontSize: "var(--text-sm)" }}>{ev.detail}</span>
+                      <div style={{ display: "flex", gap: "var(--space-3)", marginTop: 2 }}>
+                        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>{ev.vendorName}</span>
+                        <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", fontFamily: "var(--font-mono)" }}>{fmtDate(ev.timestamp)}</span>
+                      </div>
+                    </div>
+                  </li>
+                ))}
+              </ol>
+            </div>
+          </section>
+        )}
+
+        {/* Actions */}
+        <div className="ab" style={{ display: "flex", justifyContent: "center", gap: "var(--space-3)", paddingTop: "var(--space-4)" }}>
+          <button type="button" onClick={() => window.print()} style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-2)", padding: "var(--space-2) var(--space-5)", fontSize: "var(--text-sm)", fontWeight: 500, background: "var(--surface)", border: "1px solid var(--border-strong)", borderRadius: "var(--radius-md)", cursor: "pointer" }}>
+            <Printer size={14} aria-hidden="true" /> Print this page
+          </button>
+          <button type="button" onClick={() => { const a = document.createElement("a"); a.href = `data:text/plain,Auditor session ${session.sessionId}`; a.download = `auditor-${session.sessionId}.txt`; a.click(); }} style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-2)", padding: "var(--space-2) var(--space-5)", fontSize: "var(--text-sm)", fontWeight: 500, color: "var(--surface)", background: "var(--accent)", border: "none", borderRadius: "var(--radius-md)", cursor: "pointer" }}>
+            <Download size={14} aria-hidden="true" /> Download PDF
+          </button>
+        </div>
+      </main>
+
+      <footer style={{ maxWidth: 960, margin: "0 auto", padding: "0 var(--space-6) var(--space-4)" }}>
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)", color: "var(--text-muted)" }}>
+          <TrendingUp size={12} aria-hidden="true" />
+          <span style={{ fontSize: "var(--text-xs)" }}>Total monitored spend: {fmtUsd(totalSpend)} · {session.vendors.length} vendors scoped</span>
+        </div>
+      </footer>
+    </div>
+  </>;
+}
diff --git a/apps/web/src/screens/ChangeReport.tsx b/apps/web/src/screens/ChangeReport.tsx
new file mode 100644
index 0000000..ca90443
--- /dev/null
+++ b/apps/web/src/screens/ChangeReport.tsx
@@ -0,0 +1,486 @@
+import { useEffect, useRef, useState } from "react";
+import { ArrowRight } from "lucide-react";
+import type { EvidenceBriefResponse, Resolution } from "@unsyphn/shared";
+import { getEvidence, DEMO_BEARER_TOKEN, ApiError } from "../lib/api.js";
+import { SeverityBadge } from "../components/SeverityBadge.js";
+import { Drawer } from "../components/Drawer.js";
+
+interface Props {
+  changeId: string;
+}
+
+interface Toast {
+  msg: string;
+}
+
+function relativeTime(iso: string): string {
+  const diffMs = Date.now() - Date.parse(iso);
+  const diffDays = Math.floor(diffMs / 86_400_000);
+  if (diffDays === 0) return "today";
+  if (diffDays === 1) return "1 day ago";
+  return `${diffDays} days ago`;
+}
+
+function formatImpact(annualUsd: number): string {
+  if (annualUsd >= 1000) return `$${Math.round(annualUsd / 1000)}k`;
+  return `$${annualUsd}`;
+}
+
+function useToast(): [Toast | null, (msg: string) => void] {
+  const [toast, setToast] = useState<Toast | null>(null);
+  const timerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+  const show = (msg: string) => {
+    if (timerRef.current) clearTimeout(timerRef.current);
+    setToast({ msg });
+    timerRef.current = setTimeout(() => setToast(null), 2500);
+  };
+
+  useEffect(() => () => { if (timerRef.current) clearTimeout(timerRef.current); }, []);
+
+  return [toast, show];
+}
+
+async function lifecyclePost(
+  id: string,
+  action: "acknowledge" | "snooze" | "resolve",
+  body: Record<string, unknown>,
+): Promise<void> {
+  const resp = await fetch(`/v1/changes/${encodeURIComponent(id)}/${action}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${DEMO_BEARER_TOKEN}`,
+    },
+    body: JSON.stringify(body),
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    let msg = `Request failed (${resp.status})`;
+    try {
+      const j = JSON.parse(text) as { error?: { message?: string } };
+      if (j.error?.message) msg = j.error.message;
+    } catch { /* ignore parse error */ }
+    throw new Error(msg);
+  }
+}
+
+export function ChangeReport({ changeId }: Props): JSX.Element {
+  const [brief, setBrief] = useState<EvidenceBriefResponse | null>(null);
+  const [loadErr, setLoadErr] = useState<string | null>(null);
+  const [busy, setBusy] = useState(false);
+  const [drawerOpen, setDrawerOpen] = useState(false);
+  const [bundleLink, setBundleLink] = useState<string | null>(null);
+  const [toast, showToast] = useToast();
+  const escalateBtnRef = useRef<HTMLButtonElement>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoadErr(null);
+    setBrief(null);
+    getEvidence(changeId)
+      .then((data) => { if (!cancelled) setBrief(data); })
+      .catch((err) => {
+        if (!cancelled) {
+          setLoadErr(err instanceof ApiError ? err.message : "Failed to load change report");
+        }
+      });
+    return () => { cancelled = true; };
+  }, [changeId]);
+
+  if (loadErr) {
+    return (
+      <div style={{ padding: "var(--space-7)", color: "var(--danger)" }}>
+        {loadErr}
+      </div>
+    );
+  }
+
+  if (!brief) {
+    return (
+      <div
+        style={{ padding: "var(--space-7)", color: "var(--muted)" }}
+        aria-live="polite"
+        aria-label="Loading change report"
+      >
+        Loading…
+      </div>
+    );
+  }
+
+  const { changeReport: report, vendor, policyFired, policyAlsoMatched } = brief;
+  const isDone = report.state === "resolved";
+  const isAcked = report.state === "acknowledged";
+
+  const handle = async (
+    action: "acknowledge" | "snooze" | "resolve",
+    body: Record<string, unknown>,
+    successMsg: string,
+  ) => {
+    if (busy) return;
+    setBusy(true);
+    try {
+      await lifecyclePost(changeId, action, body);
+      showToast(successMsg);
+      const updated = await getEvidence(changeId);
+      setBrief(updated);
+    } catch (err) {
+      showToast(err instanceof Error ? err.message : "Action failed");
+    } finally {
+      setBusy(false);
+    }
+  };
+
+  const onAcknowledge = () => handle("acknowledge", {}, "Acknowledged.");
+  const onSnooze = () =>
+    handle(
+      "snooze",
+      { untilAt: new Date(Date.now() + 48 * 3600 * 1000).toISOString() },
+      "Snoozed 48h.",
+    );
+  const onResolve = () =>
+    handle("resolve", { resolution: "accepted" as Resolution }, "Resolved.");
+
+  const onEscalateConfirm = () => {
+    setBundleLink(`/app/evidence/${changeId}`);
+    showToast("Routed to Legal. Bundle generated.");
+    setDrawerOpen(false);
+  };
+
+  return (
+    <div
+      style={{
+        maxWidth: 760,
+        margin: "0 auto",
+        padding: "var(--space-6) var(--space-5) var(--space-9)",
+      }}
+    >
+      {/* Header */}
+      <div style={{ marginBottom: "var(--space-5)" }}>
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            gap: "var(--space-3)",
+            flexWrap: "wrap",
+            marginBottom: "var(--space-2)",
+          }}
+        >
+          <SeverityBadge severity={report.severity} />
+          <h1
+            className="h1"
+            style={{ fontSize: "var(--text-2xl)", fontWeight: 200 }}
+          >
+            {report.headline ?? report.changes[0]?.summary ?? "Change Report"}
+          </h1>
+        </div>
+        <p style={{ color: "var(--muted)", fontSize: "var(--text-sm)", margin: 0 }}>
+          {vendor.name} · detected {relativeTime(report.detectedAt)} · owner{" "}
+          {report.ownerId} · status: {report.state}
+        </p>
+      </div>
+
+      <hr className="hairline" style={{ marginBottom: "var(--space-6)" }} />
+
+      {/* Recommendation */}
+      <section aria-labelledby="rec-heading" style={{ marginBottom: "var(--space-6)" }}>
+        <h2 className="h2" id="rec-heading" style={{ marginBottom: "var(--space-3)" }}>
+          Recommendation
+        </h2>
+        <p style={{ color: "var(--text-2)", lineHeight: 1.65, margin: 0 }}>
+          {report.recommendation.copy}
+        </p>
+      </section>
+
+      {/* Diff */}
+      <section aria-labelledby="diff-heading" style={{ marginBottom: "var(--space-6)" }}>
+        <h2 className="h2" id="diff-heading" style={{ marginBottom: "var(--space-3)" }}>
+          Diff
+        </h2>
+        <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+          {report.changes.map((change, i) => (
+            <div
+              key={change.id ?? i}
+              className="card"
+              style={{ padding: "var(--space-4) var(--space-5)" }}
+            >
+              <div
+                style={{
+                  display: "flex",
+                  gap: "var(--space-2)",
+                  alignItems: "center",
+                  marginBottom: "var(--space-3)",
+                  flexWrap: "wrap",
+                }}
+              >
+                <span
+                  className="badge badge-neutral"
+                  style={{ textTransform: "capitalize" }}
+                >
+                  {change.category ?? "change"}
+                </span>
+                {change.materiality && (
+                  <span className="badge badge-neutral">
+                    {change.materiality} materiality
+                  </span>
+                )}
+                {change.dollarImpact && (
+                  <span
+                    className="badge badge-danger"
+                    style={{ fontFamily: "var(--font-mono)" }}
+                  >
+                    {formatImpact(change.dollarImpact.annualUsd)} impact
+                  </span>
+                )}
+              </div>
+              {change.before && (
+                <div style={{ marginBottom: "var(--space-2)" }}>
+                  <span
+                    style={{
+                      color: "var(--muted)",
+                      fontSize: "var(--text-xs)",
+                      fontWeight: 500,
+                      letterSpacing: "0.04em",
+                      textTransform: "uppercase",
+                    }}
+                  >
+                    Before
+                  </span>
+                  <p
+                    style={{
+                      color: "var(--text-2)",
+                      fontSize: "var(--text-sm)",
+                      margin: "var(--space-1) 0 0",
+                      fontFamily: "var(--font-mono)",
+                    }}
+                  >
+                    {change.before}
+                  </p>
+                </div>
+              )}
+              {change.after && (
+                <div style={{ marginBottom: "var(--space-2)" }}>
+                  <span
+                    style={{
+                      color: "var(--muted)",
+                      fontSize: "var(--text-xs)",
+                      fontWeight: 500,
+                      letterSpacing: "0.04em",
+                      textTransform: "uppercase",
+                    }}
+                  >
+                    After
+                  </span>
+                  <p
+                    style={{
+                      color: "var(--text)",
+                      fontSize: "var(--text-sm)",
+                      margin: "var(--space-1) 0 0",
+                      fontFamily: "var(--font-mono)",
+                    }}
+                  >
+                    {change.after}
+                  </p>
+                </div>
+              )}
+              {change.citations && change.citations.length > 0 && (
+                <div
+                  style={{
+                    marginTop: "var(--space-3)",
+                    paddingTop: "var(--space-3)",
+                    borderTop: "1px solid var(--hairline)",
+                  }}
+                >
+                  {change.citations.map((cit, ci) => (
+                    <p
+                      key={ci}
+                      style={{
+                        color: "var(--muted)",
+                        fontSize: "var(--text-xs)",
+                        margin: ci > 0 ? "var(--space-1) 0 0" : 0,
+                      }}
+                    >
+                      Citation:{" "}
+                      {cit.url ? (
+                        <a
+                          href={cit.url}
+                          target="_blank"
+                          rel="noopener noreferrer"
+                          aria-label={`Citation source (opens in new tab): ${cit.url}`}
+                          style={{ color: "var(--accent)" }}
+                        >
+                          {cit.url}
+                        </a>
+                      ) : (
+                        cit.section ?? "—"
+                      )}
+                      {cit.fetchedAt && ` · fetched ${cit.fetchedAt.slice(0, 10)}`}
+                    </p>
+                  ))}
+                </div>
+              )}
+            </div>
+          ))}
+        </div>
+      </section>
+
+      {/* Policy */}
+      <section aria-labelledby="policy-heading" style={{ marginBottom: "var(--space-6)" }}>
+        <h2 className="h2" id="policy-heading" style={{ marginBottom: "var(--space-3)" }}>
+          Policy fired
+        </h2>
+        <p style={{ color: "var(--text-2)", fontSize: "var(--text-sm)", margin: 0 }}>
+          {policyFired.name} ·{" "}
+          <span
+            style={{
+              color: "var(--muted)",
+              fontFamily: "var(--font-mono)",
+              fontSize: "var(--text-xs)",
+            }}
+          >
+            {policyFired.id}
+          </span>
+        </p>
+
+        {policyAlsoMatched.length > 0 && (
+          <div style={{ marginTop: "var(--space-4)" }}>
+            <p
+              style={{
+                color: "var(--muted)",
+                fontSize: "var(--text-xs)",
+                fontWeight: 500,
+                letterSpacing: "0.04em",
+                textTransform: "uppercase",
+                marginBottom: "var(--space-2)",
+              }}
+            >
+              Also matched
+            </p>
+            <ul style={{ listStyle: "none", padding: 0, margin: 0 }}>
+              {policyAlsoMatched.map((p) => (
+                <li
+                  key={p.id}
+                  style={{
+                    color: "var(--text-2)",
+                    fontSize: "var(--text-sm)",
+                    padding: "var(--space-1) 0",
+                  }}
+                >
+                  · {p.name}
+                </li>
+              ))}
+            </ul>
+          </div>
+        )}
+      </section>
+
+      <hr className="hairline" style={{ marginBottom: "var(--space-5)" }} />
+
+      {/* Action row */}
+      <div
+        role="group"
+        aria-label="Change lifecycle actions"
+        style={{ display: "flex", gap: "var(--space-3)", flexWrap: "wrap" }}
+      >
+        {!isAcked && !isDone && (
+          <button
+            type="button"
+            className="btn btn-primary"
+            onClick={onAcknowledge}
+            disabled={busy}
+          >
+            Acknowledge
+          </button>
+        )}
+        {!isDone && (
+          <button
+            type="button"
+            className="btn btn-secondary"
+            onClick={onSnooze}
+            disabled={busy}
+          >
+            Snooze 48h
+          </button>
+        )}
+        {!isDone && (
+          <button
+            type="button"
+            className="btn btn-secondary"
+            onClick={onResolve}
+            disabled={busy}
+          >
+            Resolve
+          </button>
+        )}
+        <button
+          ref={escalateBtnRef}
+          type="button"
+          className="btn btn-ghost"
+          onClick={() => setDrawerOpen(true)}
+          style={{ color: "var(--warning)" }}
+        >
+          Escalate to Legal
+        </button>
+      </div>
+
+      {bundleLink && (
+        <p style={{ marginTop: "var(--space-4)", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+          Bundle generated{" "}<ArrowRight size={14} aria-hidden="true" style={{ display: "inline-block", verticalAlign: "middle" }} />{" "}
+          <a href={bundleLink} style={{ color: "var(--accent)" }}>
+            /evidence/{changeId}
+          </a>
+        </p>
+      )}
+
+      {/* Toast */}
+      {toast && (
+        <div
+          role="status"
+          aria-live="polite"
+          style={{
+            position: "fixed",
+            bottom: "var(--space-6)",
+            right: "var(--space-6)",
+            background: "var(--surface-2)",
+            border: "1px solid var(--border-strong)",
+            borderRadius: "var(--radius-md)",
+            padding: "var(--space-3) var(--space-4)",
+            fontSize: "var(--text-sm)",
+            color: "var(--text)",
+            zIndex: 300,
+            boxShadow: "0 4px 24px rgba(0,0,0,0.4)",
+          }}
+        >
+          {toast.msg}
+        </div>
+      )}
+
+      {/* Escalate Drawer */}
+      <Drawer
+        open={drawerOpen}
+        onClose={() => setDrawerOpen(false)}
+        title="Escalate to Legal"
+      >
+        <p style={{ color: "var(--text-2)", fontSize: "var(--text-sm)", marginTop: 0 }}>
+          Route this to the Legal team? Adds a Slack DM + Jira ticket.
+        </p>
+        <div style={{ display: "flex", gap: "var(--space-3)", marginTop: "var(--space-5)" }}>
+          <button
+            type="button"
+            className="btn btn-secondary"
+            onClick={() => setDrawerOpen(false)}
+          >
+            Cancel
+          </button>
+          <button
+            type="button"
+            className="btn btn-primary"
+            onClick={onEscalateConfirm}
+          >
+            Confirm &amp; Generate Evidence Bundle
+          </button>
+        </div>
+      </Drawer>
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/Contact.tsx b/apps/web/src/screens/Contact.tsx
new file mode 100644
index 0000000..42b099d
--- /dev/null
+++ b/apps/web/src/screens/Contact.tsx
@@ -0,0 +1,135 @@
+import { useState } from "react";
+import { Mail, Shield, Megaphone } from "lucide-react";
+import { PageShell } from "../components/PageShell.js";
+
+interface ContactForm {
+  name: string;
+  email: string;
+  message: string;
+}
+
+const INITIAL: ContactForm = { name: "", email: "", message: "" };
+
+const CHANNELS = [
+  {
+    Icon: Mail,
+    label: "General",
+    email: "hello@unsyphn.com",
+    blurb: "Product questions, partnerships, anything else.",
+  },
+  {
+    Icon: Shield,
+    label: "Security",
+    email: "security@unsyphn.com",
+    blurb: "Responsible disclosure, audit requests, DPAs.",
+  },
+  {
+    Icon: Megaphone,
+    label: "Press",
+    email: "press@unsyphn.com",
+    blurb: "Media inquiries, analyst briefings, speaking.",
+  },
+] as const;
+
+function buildMailto(form: ContactForm): string {
+  const params = new URLSearchParams({
+    subject: `Inbound from ${form.name || "website"}`,
+    body: `Name: ${form.name}\nEmail: ${form.email}\n\n${form.message}`,
+  });
+  return `mailto:hello@unsyphn.com?${params.toString()}`;
+}
+
+export function Contact(): JSX.Element {
+  const [form, setForm] = useState<ContactForm>(INITIAL);
+
+  function update<K extends keyof ContactForm>(key: K, value: ContactForm[K]) {
+    setForm((prev) => ({ ...prev, [key]: value }));
+  }
+
+  function handleSubmit(event: React.FormEvent<HTMLFormElement>) {
+    event.preventDefault();
+    window.location.href = buildMailto(form);
+  }
+
+  return (
+    <PageShell active="contact">
+      <header className="public-hero fade-up">
+        <h1>Talk to us</h1>
+        <p className="lead">
+          Pick the channel that fits — we route security and press separately so
+          your message lands with the right human.
+        </p>
+      </header>
+
+      <section className="public-section" aria-label="Contact channels">
+        <div className="public-grid stagger-children">
+          {CHANNELS.map(({ Icon, label, email, blurb }) => (
+            <article key={label} className="public-card glass-strong lift-on-hover">
+              <div style={{ display: "flex", alignItems: "center", gap: 10, marginBottom: 10 }}>
+                <Icon size={18} aria-hidden="true" color="#5E6AD2" />
+                <h3 style={{ margin: 0 }}>{label}</h3>
+              </div>
+              <p>{blurb}</p>
+              <a href={`mailto:${email}`}>{email} →</a>
+            </article>
+          ))}
+        </div>
+      </section>
+
+      <section className="public-section fade-up" aria-label="Office">
+        <h2>Where we work</h2>
+        <p>New Jersey · NYC · Remote-first across North America and Europe.</p>
+      </section>
+
+      <section className="public-section glass-strong fade-up" aria-label="Send a message" style={{ padding: 24, borderRadius: 14 }}>
+        <h2>Or just send a note</h2>
+        <form className="public-form" onSubmit={handleSubmit}>
+          <label htmlFor="contact-name">
+            Name
+            <input
+              id="contact-name"
+              type="text"
+              required
+              autoComplete="name"
+              value={form.name}
+              onChange={(e) => update("name", e.target.value)}
+              className="focus-glow"
+              aria-label="Your name"
+            />
+          </label>
+
+          <label htmlFor="contact-email">
+            Email
+            <input
+              id="contact-email"
+              type="email"
+              required
+              autoComplete="email"
+              value={form.email}
+              onChange={(e) => update("email", e.target.value)}
+              className="focus-glow"
+              aria-label="Your email"
+            />
+          </label>
+
+          <label htmlFor="contact-message">
+            Message
+            <textarea
+              id="contact-message"
+              required
+              value={form.message}
+              onChange={(e) => update("message", e.target.value)}
+              placeholder="What&rsquo;s on your mind?"
+              className="focus-glow"
+              aria-label="Your message"
+            />
+          </label>
+
+          <button type="submit" className="public-btn button-pop">
+            Send →
+          </button>
+        </form>
+      </section>
+    </PageShell>
+  );
+}
diff --git a/apps/web/src/screens/Demo.tsx b/apps/web/src/screens/Demo.tsx
new file mode 100644
index 0000000..ad5c24c
--- /dev/null
+++ b/apps/web/src/screens/Demo.tsx
@@ -0,0 +1,147 @@
+import { useState } from "react";
+import { PageShell } from "../components/PageShell.js";
+
+interface DemoForm {
+  name: string;
+  email: string;
+  company: string;
+  size: string;
+  useCase: string;
+}
+
+const INITIAL: DemoForm = {
+  name: "",
+  email: "",
+  company: "",
+  size: "50–250",
+  useCase: "",
+};
+
+const TEAM_SIZES = ["1–50", "50–250", "250–1000", "1000+"] as const;
+
+function buildMailto(form: DemoForm): string {
+  const body =
+    `Name: ${form.name}\n` +
+    `Email: ${form.email}\n` +
+    `Company: ${form.company}\n` +
+    `Team size: ${form.size}\n\n` +
+    `Use case:\n${form.useCase}\n`;
+  const params = new URLSearchParams({
+    subject: "Walkthrough request",
+    body,
+  });
+  return `mailto:hello@unsyphn.com?${params.toString()}`;
+}
+
+export function Demo(): JSX.Element {
+  const [form, setForm] = useState<DemoForm>(INITIAL);
+
+  function update<K extends keyof DemoForm>(key: K, value: DemoForm[K]) {
+    setForm((prev) => ({ ...prev, [key]: value }));
+  }
+
+  function handleSubmit(event: React.FormEvent<HTMLFormElement>) {
+    event.preventDefault();
+    window.location.href = buildMailto(form);
+  }
+
+  return (
+    <PageShell active="demo">
+      <header className="public-hero fade-up">
+        <h1>See Unsyphn in 20 minutes</h1>
+        <p className="lead">
+          We&rsquo;ll connect a sample workspace, watch one vendor change land, and
+          answer your stack-specific questions.
+        </p>
+      </header>
+
+      <section className="public-section glass-strong lift-on-hover fade-up" aria-label="Walkthrough request" style={{ padding: 24, borderRadius: 14 }}>
+        <form className="public-form" onSubmit={handleSubmit} noValidate={false}>
+          <label htmlFor="demo-name">
+            Name
+            <input
+              id="demo-name"
+              type="text"
+              required
+              autoComplete="name"
+              value={form.name}
+              onChange={(e) => update("name", e.target.value)}
+              className="focus-glow"
+              aria-label="Your name"
+            />
+          </label>
+
+          <label htmlFor="demo-email">
+            Work email
+            <input
+              id="demo-email"
+              type="email"
+              required
+              autoComplete="email"
+              value={form.email}
+              onChange={(e) => update("email", e.target.value)}
+              className="focus-glow"
+              aria-label="Your work email"
+            />
+          </label>
+
+          <label htmlFor="demo-company">
+            Company
+            <input
+              id="demo-company"
+              type="text"
+              required
+              autoComplete="organization"
+              value={form.company}
+              onChange={(e) => update("company", e.target.value)}
+              className="focus-glow"
+              aria-label="Company name"
+            />
+          </label>
+
+          <label htmlFor="demo-size">
+            Team size
+            <select
+              id="demo-size"
+              required
+              value={form.size}
+              onChange={(e) => update("size", e.target.value)}
+              className="focus-glow"
+              aria-label="Team size"
+            >
+              {TEAM_SIZES.map((s) => (
+                <option key={s} value={s}>{s}</option>
+              ))}
+            </select>
+          </label>
+
+          <label htmlFor="demo-usecase">
+            Use case
+            <textarea
+              id="demo-usecase"
+              required
+              value={form.useCase}
+              onChange={(e) => update("useCase", e.target.value)}
+              placeholder="What are you trying to fix? Renewal chaos, shadow IT, GRC sprawl, vendor risk…"
+              className="focus-glow"
+              aria-label="What you want to solve"
+            />
+          </label>
+
+          <button type="submit" className="public-btn button-pop">
+            Request walkthrough →
+          </button>
+        </form>
+      </section>
+
+      <section className="public-section fade-up" aria-label="What to expect">
+        <h2>What you&rsquo;ll see</h2>
+        <p>
+          A 20-minute live session: connect Google or M365 in 90 seconds, watch
+          the discovery agent surface 250+ vendors, and trigger a material-change
+          alert end-to-end into Slack or Jira. No slideware.
+        </p>
+      </section>
+    </PageShell>
+  );
+}
diff --git a/apps/web/src/screens/Docs.tsx b/apps/web/src/screens/Docs.tsx
new file mode 100644
index 0000000..79e68a9
--- /dev/null
+++ b/apps/web/src/screens/Docs.tsx
@@ -0,0 +1,88 @@
+import { PageShell } from "../components/PageShell.js";
+
+interface DocSection {
+  title: string;
+  blurb: string;
+  subject: string;
+}
+
+const SECTIONS: readonly DocSection[] = [
+  {
+    title: "Getting started",
+    blurb: "Provision a workspace, invite your first teammate, and ship the 14-minute onboarding flow.",
+    subject: "Getting Started",
+  },
+  {
+    title: "Connect data sources",
+    blurb: "Google Workspace, Microsoft 365, Okta SSO — minimal-read scopes, OAuth-only, no agents.",
+    subject: "Connect Data Sources",
+  },
+  {
+    title: "Vendor discovery",
+    blurb: "How the agent infers vendors from email metadata, OAuth grants, and SSO logs.",
+    subject: "Vendor Discovery",
+  },
+  {
+    title: "Policy studio",
+    blurb: "Author policies as composable rules. Approvals, escalations, severity scoring.",
+    subject: "Policy Studio",
+  },
+  {
+    title: "Material Change Feed",
+    blurb: "Subscribe to vendor changes that matter — price, DPA, sub-processor, security posture.",
+    subject: "Material Change Feed",
+  },
+  {
+    title: "API reference",
+    blurb: "REST endpoints, webhooks, and the read-only GraphQL surface for analytics tooling.",
+    subject: "API Reference",
+  },
+  {
+    title: "Integrations",
+    blurb: "Slack, Jira, email, calendar. Two-way routing, ack-back, and human-in-the-loop.",
+    subject: "Integrations",
+  },
+] as const;
+
+function href(subject: string): string {
+  const params = new URLSearchParams({ subject });
+  return `mailto:docs@unsyphn.com?${params.toString()}`;
+}
+
+export function Docs(): JSX.Element {
+  return (
+    <PageShell active="docs">
+      <header className="public-hero fade-up">
+        <h1>Docs</h1>
+        <p className="lead">Everything you need to wire Unsyphn into your stack.</p>
+      </header>
+
+      <section className="public-section" aria-label="Documentation sections">
+        <div className="public-grid stagger-children">
+          {SECTIONS.map((s) => (
+            <article key={s.title} className="public-card glass-strong lift-on-hover">
+              <h3>{s.title}</h3>
+              <p>{s.blurb}</p>
+              <a
+                href={href(s.subject)}
+                aria-label={`Read ${s.title}`}
+                style={{ transition: "color var(--dur-sm) var(--ease-out)" }}
+              >
+                Read more →
+              </a>
+            </article>
+          ))}
+        </div>
+      </section>
+
+      <section className="public-section fade-up" aria-labelledby="help">
+        <h2 id="help">Need a hand?</h2>
+        <p>
+          Most teams self-serve onboarding in under 20 minutes. If you hit a
+          wall, ping <a href="mailto:docs@unsyphn.com">docs@unsyphn.com</a> or
+          book a live walkthrough at <a href="/demo">/demo</a>.
+        </p>
+      </section>
+    </PageShell>
+  );
+}
diff --git a/apps/web/src/screens/Findings.tsx b/apps/web/src/screens/Findings.tsx
new file mode 100644
index 0000000..340d2a1
--- /dev/null
+++ b/apps/web/src/screens/Findings.tsx
@@ -0,0 +1,263 @@
+import { useCallback, useEffect, useMemo, useState } from "react";
+import {
+  listFindings,
+  patchFindingState,
+  type Finding,
+  type FindingState,
+  type FindingType,
+} from "../lib/api.js";
+import { useRole } from "../lib/role.js";
+import { FindingsFilters, type SeverityFilter } from "../components/findings/FindingsFilters.js";
+import { FindingsStats } from "../components/findings/FindingsStats.js";
+import { FindingsTable } from "../components/findings/FindingsTable.js";
+import { FindingDrawer } from "../components/findings/FindingDrawer.js";
+import { LensChips } from "../components/LensChips.js";
+import { SkeletonRow } from "../components/SkeletonRow.js";
+
+function readSearchParam(name: string): string | null {
+  if (typeof window === "undefined") return null;
+  return new URLSearchParams(window.location.search).get(name);
+}
+
+function syncUrl(updates: Record<string, string | null>): void {
+  if (typeof window === "undefined") return;
+  const url = new URL(window.location.href);
+  for (const [key, value] of Object.entries(updates)) {
+    if (value === null || value === "") {
+      url.searchParams.delete(key);
+    } else {
+      url.searchParams.set(key, value);
+    }
+  }
+  window.history.replaceState({}, "", url.toString());
+}
+
+const TYPE_VALUES: ReadonlyArray<FindingType | "all"> = [
+  "all",
+  "change",
+  "compliance",
+  "subprocessor",
+  "spend",
+  "security",
+];
+
+const SEVERITY_VALUES: ReadonlyArray<SeverityFilter | "all"> = ["all", "P1", "P2", "P3"];
+const STATE_VALUES: ReadonlyArray<FindingState | "all"> = [
+  "all",
+  "open",
+  "under-review",
+  "resolved",
+];
+
+function readType(): FindingType | "all" {
+  const v = readSearchParam("type");
+  return v && (TYPE_VALUES as ReadonlyArray<string>).includes(v)
+    ? (v as FindingType | "all")
+    : "all";
+}
+
+function readSeverity(): SeverityFilter | "all" {
+  const v = readSearchParam("severity");
+  return v && (SEVERITY_VALUES as ReadonlyArray<string>).includes(v)
+    ? (v as SeverityFilter | "all")
+    : "all";
+}
+
+function readState(): FindingState | "all" {
+  const v = readSearchParam("state");
+  return v && (STATE_VALUES as ReadonlyArray<string>).includes(v)
+    ? (v as FindingState | "all")
+    : "all";
+}
+
+export function Findings(): JSX.Element {
+  const [role] = useRole();
+  const [findings, setFindings] = useState<Finding[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const [typeFilter, setTypeFilter] = useState<FindingType | "all">(readType());
+  const [severityFilter, setSeverityFilter] = useState<SeverityFilter | "all">(readSeverity());
+  const [stateFilter, setStateFilter] = useState<FindingState | "all">(readState());
+  const [vendorIdFilter] = useState<string | null>(() => readSearchParam("vendorId"));
+
+  const [drawerOpen, setDrawerOpen] = useState(false);
+  const [drawerFinding, setDrawerFinding] = useState<Finding | null>(null);
+  const [mutating, setMutating] = useState(false);
+  const [toast, setToast] = useState<string | null>(null);
+
+  const fetchData = useCallback(() => {
+    setLoading(true);
+    setError(null);
+    const query: Parameters<typeof listFindings>[0] = { lens: role };
+    if (vendorIdFilter) query.vendorId = vendorIdFilter;
+    listFindings(query)
+      .then((resp) => {
+        setFindings(resp.findings);
+        setLoading(false);
+      })
+      .catch(() => {
+        setError("Couldn't load findings. Retry.");
+        setLoading(false);
+      });
+  }, [role, vendorIdFilter]);
+
+  useEffect(() => {
+    fetchData();
+  }, [fetchData]);
+
+  const filtered = useMemo(() => {
+    return findings.filter((f) => {
+      if (typeFilter !== "all" && f.type !== typeFilter) return false;
+      if (severityFilter !== "all" && f.severity !== severityFilter) return false;
+      if (stateFilter !== "all" && f.state !== stateFilter) return false;
+      return true;
+    });
+  }, [findings, typeFilter, severityFilter, stateFilter]);
+
+  function handleType(next: FindingType | "all"): void {
+    setTypeFilter(next);
+    syncUrl({ type: next === "all" ? null : next });
+  }
+  function handleSeverity(next: SeverityFilter | "all"): void {
+    setSeverityFilter(next);
+    syncUrl({ severity: next === "all" ? null : next });
+  }
+  function handleState(next: FindingState | "all"): void {
+    setStateFilter(next);
+    syncUrl({ state: next === "all" ? null : next });
+  }
+
+  function openDrawer(finding: Finding): void {
+    setDrawerFinding(finding);
+    setDrawerOpen(true);
+  }
+  function closeDrawer(): void {
+    setDrawerOpen(false);
+  }
+
+  async function handleStateChange(next: FindingState): Promise<void> {
+    if (!drawerFinding) return;
+    const id = drawerFinding.id;
+    const prev = findings;
+    setMutating(true);
+    setFindings((curr) => curr.map((f) => (f.id === id ? { ...f, state: next } : f)));
+    setDrawerFinding((curr) => (curr ? { ...curr, state: next } : curr));
+    try {
+      await patchFindingState(id, next);
+      setToast(`Marked ${next.replace("-", " ")}`);
+      window.setTimeout(() => setToast(null), 2200);
+    } catch {
+      setFindings(prev);
+      setToast("Couldn't update finding. Reverted.");
+      window.setTimeout(() => setToast(null), 2500);
+    } finally {
+      setMutating(false);
+    }
+  }
+
+  const vendorNote = vendorIdFilter && findings[0]?.vendorName;
+
+  return (
+    <main
+      className="page"
+      style={{ padding: "var(--space-7) var(--space-6)", maxWidth: 1200, margin: "0 auto" }}
+    >
+      <header className="fade-up" style={{ marginBottom: "var(--space-5)" }}>
+        <h1 className="h1" style={{ marginBottom: "var(--space-2)" }}>
+          Findings
+        </h1>
+        <p className="lead" style={{ margin: 0, color: "var(--text-2)" }}>
+          {vendorNote
+            ? `Live issues for ${vendorNote}. `
+            : "Live cross-fleet issue tracker. "}
+          Every detected risk across vendors, in one place.
+        </p>
+      </header>
+
+      <LensChips />
+
+      {!loading && !error && <FindingsStats findings={findings} />}
+
+      <FindingsFilters
+        typeFilter={typeFilter}
+        severityFilter={severityFilter}
+        stateFilter={stateFilter}
+        onTypeChange={handleType}
+        onSeverityChange={handleSeverity}
+        onStateChange={handleState}
+      />
+
+      {loading && (
+        <div
+          className="stagger-children"
+          aria-busy="true"
+          aria-label="Loading findings"
+        >
+          {Array.from({ length: 6 }).map((_, i) => (
+            <SkeletonRow key={i} height={64} bars={2} />
+          ))}
+        </div>
+      )}
+
+      {!loading && error && (
+        <div className="card glass-soft fade-up" style={{ padding: 16 }}>
+          <span className="badge badge-danger">{error}</span>
+        </div>
+      )}
+
+      {!loading && !error && filtered.length === 0 && (
+        <div
+          className="card glass-soft fade-up"
+          style={{
+            padding: "var(--space-9)",
+            textAlign: "center",
+            color: "var(--text-2)",
+          }}
+        >
+          <p style={{ margin: "0 0 8px", fontWeight: 500 }}>
+            No findings match these filters.
+          </p>
+          <p style={{ margin: 0, fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>
+            Try clearing a filter or switching lens.
+          </p>
+        </div>
+      )}
+
+      {!loading && !error && filtered.length > 0 && (
+        <FindingsTable findings={filtered} onOpen={openDrawer} />
+      )}
+
+      <FindingDrawer
+        finding={drawerFinding}
+        open={drawerOpen}
+        busy={mutating}
+        onClose={closeDrawer}
+        onChangeState={handleStateChange}
+      />
+
+      {toast && (
+        <div
+          role="status"
+          aria-live="polite"
+          style={{
+            position: "fixed",
+            bottom: 24,
+            left: "50%",
+            transform: "translateX(-50%)",
+            background: "var(--text)",
+            color: "var(--surface)",
+            padding: "var(--space-2) var(--space-4)",
+            borderRadius: "var(--radius-pill)",
+            fontSize: "var(--text-sm)",
+            fontWeight: 500,
+            zIndex: 500,
+            pointerEvents: "none",
+          }}
+        >
+          {toast}
+        </div>
+      )}
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/Inbox.tsx b/apps/web/src/screens/Inbox.tsx
new file mode 100644
index 0000000..1d65aae
--- /dev/null
+++ b/apps/web/src/screens/Inbox.tsx
@@ -0,0 +1,314 @@
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import type { InboxItem } from "@unsyphn/shared";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+import { useKeyOnce } from "../lib/keyboard.js";
+import { useRole } from "../lib/role.js";
+import { groupByDay } from "../lib/dayGroups.js";
+import { useEscalations } from "../lib/stream.js";
+import { BulkActionBar } from "../components/BulkActionBar.js";
+import { ChangeDrawer } from "../components/ChangeDrawer.js";
+import { LensChips } from "../components/LensChips.js";
+import { InboxFilterRow } from "../components/inbox/InboxFilterRow.js";
+import { InboxList } from "../components/inbox/InboxList.js";
+import { InboxEmptyState } from "../components/inbox/InboxEmptyState.js";
+import { InboxSkeletonRow } from "../components/inbox/InboxSkeletonRow.js";
+import { InboxKeyHints } from "../components/inbox/InboxKeyHints.js";
+import { postLifecycle } from "../components/inbox/inboxApi.js";
+
+const LOCAL_USER_ID = "usr_priya";
+
+const ESCALATION_ROLE_LABELS: Record<string, string> = {
+  procurement: "Procurement",
+  legal: "Legal",
+  security: "Security",
+  finance: "Finance",
+  it: "IT",
+  audit: "Audit",
+};
+
+type FilterKind = "all" | "changes" | "renewals" | "unused-seats";
+type SeverityFilter = "all" | "P1" | "P2";
+
+interface InboxResponse {
+  items: InboxItem[];
+  total: number;
+}
+
+export function Inbox(): JSX.Element {
+  const [role] = useRole();
+  const [allItems, setAllItems] = useState<InboxItem[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const [filter, setFilter] = useState<FilterKind>("all");
+  const [severity, setSeverity] = useState<SeverityFilter>("all");
+  const [query, setQuery] = useState("");
+
+  const [focusedIndex, setFocusedIndex] = useState(-1);
+  const [drawerOpen, setDrawerOpen] = useState(false);
+  const [drawerItem, setDrawerItem] = useState<InboxItem | null>(null);
+
+  const [selectedIds, setSelectedIds] = useState<Set<string>>(new Set());
+  const [readIds, setReadIds] = useState<Set<string>>(new Set());
+  const [escalatedIds, setEscalatedIds] = useState<Set<string>>(new Set());
+  const [toast, setToast] = useState<string | null>(null);
+
+  const rowRefs = useRef<Array<HTMLDivElement | null>>([]);
+  const itemIdsRef = useRef<Set<string>>(new Set());
+  itemIdsRef.current = useMemo(() => new Set(allItems.map((i) => i.id)), [allItems]);
+
+  const handleEscalatedEvent = useCallback(
+    (event: { id: string; toRole: string; byUserId: string }) => {
+      if (!itemIdsRef.current.has(event.id)) return;
+      setEscalatedIds((prev) => {
+        if (prev.has(event.id)) return prev;
+        const next = new Set(prev);
+        next.add(event.id);
+        return next;
+      });
+      if (event.byUserId !== LOCAL_USER_ID) {
+        const item = allItems.find((i) => i.id === event.id);
+        const vendor = item?.vendorName ?? "Change";
+        const toRole = ESCALATION_ROLE_LABELS[event.toRole] ?? event.toRole;
+        setToast(`${vendor} escalated to ${toRole}`);
+        window.setTimeout(() => setToast(null), 2500);
+      }
+    },
+    [allItems],
+  );
+
+  useEscalations({ active: true, onEscalated: handleEscalatedEvent });
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    setError(null);
+    setSelectedIds(new Set());
+
+    const bearer = localStorage.getItem("unsyphn:bearer") ?? DEMO_BEARER_TOKEN;
+    const params = new URLSearchParams({ filter, severity, lens: role });
+
+    fetch(`/v1/inbox?${params.toString()}`, {
+      headers: { Authorization: `Bearer ${bearer}` },
+    })
+      .then(async (resp) => {
+        if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+        return resp.json() as Promise<InboxResponse>;
+      })
+      .then(({ items }) => {
+        if (!cancelled) { setAllItems(items); setLoading(false); }
+      })
+      .catch(() => {
+        if (!cancelled) { setError("Couldn't load inbox. Retry."); setLoading(false); }
+      });
+
+    return () => { cancelled = true; };
+  }, [filter, severity, role]);
+
+  const visibleItems = useMemo(
+    () => allItems.filter((item) => {
+      if (!query) return true;
+      const q = query.toLowerCase();
+      return (
+        item.vendorName.toLowerCase().includes(q) ||
+        item.title.toLowerCase().includes(q) ||
+        item.summary.toLowerCase().includes(q)
+      );
+    }),
+    [allItems, query],
+  );
+
+  const dayGroups = useMemo(() => groupByDay(visibleItems), [visibleItems]);
+  // Flattened order for keyboard nav matches render order (today -> older).
+  const flat = useMemo(() => dayGroups.flatMap((g) => g.items), [dayGroups]);
+
+  function openDrawer(item: InboxItem): void {
+    setDrawerItem(item);
+    setDrawerOpen(true);
+    setReadIds((prev) => { const next = new Set(prev); next.add(item.id); return next; });
+  }
+
+  async function handleAcknowledge(item: InboxItem): Promise<void> {
+    try {
+      await postLifecycle(item.id, "acknowledge", {});
+      setAllItems((prev) => prev.filter((i) => i.id !== item.id));
+    } catch { /* ignore */ }
+  }
+
+  async function handleSnoozeOne(item: InboxItem, untilIso?: string): Promise<void> {
+    const until = untilIso ?? new Date(Date.now() + 48 * 60 * 60 * 1000).toISOString();
+    try {
+      await postLifecycle(item.id, "snooze", { untilAt: until });
+      setAllItems((prev) => prev.filter((i) => i.id !== item.id));
+    } catch { /* ignore */ }
+  }
+
+  async function handleResolveOne(item: InboxItem): Promise<void> {
+    try {
+      await postLifecycle(item.id, "resolve", { resolution: "accepted" });
+      setAllItems((prev) => prev.filter((i) => i.id !== item.id));
+    } catch { /* ignore */ }
+  }
+
+  async function handleEscalateOne(item: InboxItem): Promise<void> {
+    try {
+      await fetch(`/v1/changes/${encodeURIComponent(item.id)}/escalate`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+        body: JSON.stringify({ toRole: "legal" }),
+      });
+      setEscalatedIds((prev) => { const next = new Set(prev); next.add(item.id); return next; });
+    } catch { /* ignore */ }
+  }
+
+  function toggleSelect(id: string): void {
+    setSelectedIds((prev) => {
+      const next = new Set(prev);
+      if (next.has(id)) next.delete(id); else next.add(id);
+      return next;
+    });
+  }
+
+  function clearSelection(): void { setSelectedIds(new Set()); }
+
+  async function bulkMarkRead(): Promise<void> {
+    setReadIds((prev) => { const next = new Set(prev); for (const id of selectedIds) next.add(id); return next; });
+    clearSelection();
+  }
+
+  async function bulkSnooze(untilIso: string): Promise<void> {
+    const ids = [...selectedIds];
+    await Promise.all(ids.map((id) => postLifecycle(id, "snooze", { untilAt: untilIso }).catch(() => undefined)));
+    setAllItems((prev) => prev.filter((i) => !selectedIds.has(i.id)));
+    clearSelection();
+  }
+
+  async function bulkResolve(): Promise<void> {
+    const ids = [...selectedIds];
+    await Promise.all(ids.map((id) => postLifecycle(id, "resolve", { resolution: "accepted" }).catch(() => undefined)));
+    setAllItems((prev) => prev.filter((i) => !selectedIds.has(i.id)));
+    clearSelection();
+  }
+
+  async function bulkEscalate(): Promise<void> {
+    const ids = [...selectedIds];
+    await Promise.all(
+      ids.map((id) => fetch(`/v1/changes/${encodeURIComponent(id)}/escalate`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+        body: JSON.stringify({ toRole: "legal" }),
+      }).catch(() => undefined)),
+    );
+    setEscalatedIds((prev) => { const next = new Set(prev); for (const id of ids) next.add(id); return next; });
+    clearSelection();
+  }
+
+  const moveFocus = useCallback((delta: number) => {
+    if (drawerOpen) return;
+    setFocusedIndex((prev) => {
+      const next = Math.max(0, Math.min(flat.length - 1, prev + delta));
+      rowRefs.current[next]?.focus();
+      return next;
+    });
+  }, [drawerOpen, flat.length]);
+
+  useKeyOnce("j", useCallback(() => moveFocus(1), [moveFocus]));
+  useKeyOnce("k", useCallback(() => moveFocus(-1), [moveFocus]));
+  useKeyOnce("e", useCallback(() => { // eslint-disable-line react-hooks/exhaustive-deps
+    if (drawerOpen || focusedIndex < 0) return;
+    const item = flat[focusedIndex]; if (item) void handleResolveOne(item);
+  }, [drawerOpen, focusedIndex, flat]));
+  useKeyOnce("s", useCallback(() => { // eslint-disable-line react-hooks/exhaustive-deps
+    if (drawerOpen || focusedIndex < 0) return;
+    const item = flat[focusedIndex]; if (item) void handleSnoozeOne(item);
+  }, [drawerOpen, focusedIndex, flat]));
+  useKeyOnce("r", useCallback(() => { // eslint-disable-line react-hooks/exhaustive-deps
+    if (drawerOpen || focusedIndex < 0) return;
+    const item = flat[focusedIndex]; if (item) openDrawer(item);
+  }, [drawerOpen, focusedIndex, flat]));
+  useKeyOnce("x", useCallback(() => { // eslint-disable-line react-hooks/exhaustive-deps
+    if (drawerOpen || focusedIndex < 0) return;
+    const item = flat[focusedIndex]; if (item) toggleSelect(item.id);
+  }, [drawerOpen, focusedIndex, flat]));
+  useKeyOnce("Enter", useCallback(() => { // eslint-disable-line react-hooks/exhaustive-deps
+    if (drawerOpen || focusedIndex < 0) return;
+    const item = flat[focusedIndex]; if (item) openDrawer(item);
+  }, [drawerOpen, focusedIndex, flat]));
+
+  return (
+    <main
+      className="page"
+      style={{ padding: "var(--space-7) var(--space-6)", maxWidth: 1000, margin: "0 auto" }}
+    >
+      <header className="fade-up" style={{ marginBottom: "var(--space-5)" }}>
+        <h1 className="h1" style={{ marginBottom: "var(--space-2)" }}>Inbox</h1>
+        <p className="lead" style={{ margin: 0, color: "#64748b" }}>
+          Material vendor changes for your active lens. Reviewed once a day keeps you ahead of renewal cliffs.
+        </p>
+      </header>
+
+      <LensChips />
+
+      <InboxFilterRow
+        filter={filter} severity={severity} query={query}
+        onFilterChange={setFilter} onSeverityChange={setSeverity} onQueryChange={setQuery}
+      />
+
+      {selectedIds.size > 0 && (
+        <BulkActionBar
+          count={selectedIds.size}
+          onMarkRead={bulkMarkRead} onSnooze={bulkSnooze}
+          onResolve={bulkResolve} onEscalate={bulkEscalate} onClear={clearSelection}
+        />
+      )}
+
+      {loading && (
+        <div className="card glass-soft" style={{ padding: 0, overflow: "hidden" }} aria-busy="true" aria-label="Loading inbox">
+          {Array.from({ length: 6 }, (_, i) => <InboxSkeletonRow key={i} />)}
+        </div>
+      )}
+
+      {!loading && error && (
+        <div className="card glass-soft fade-up" style={{ padding: 16 }}>
+          <span className="badge badge-danger">{error}</span>
+        </div>
+      )}
+
+      {!loading && !error && visibleItems.length === 0 && (
+        <InboxEmptyState role={role} query={query} />
+      )}
+
+      {!loading && !error && (
+        <InboxList
+          dayGroups={dayGroups}
+          focusedIndex={focusedIndex}
+          selectedIds={selectedIds} readIds={readIds} escalatedIds={escalatedIds}
+          registerRowRef={(idx, el) => { rowRefs.current[idx] = el; }}
+          onFocus={setFocusedIndex} onClickItem={openDrawer}
+          onToggleSelect={toggleSelect} onSnooze={handleSnoozeOne}
+          onArchive={handleAcknowledge} onEscalate={handleEscalateOne}
+          flatIndexOffset={0}
+        />
+      )}
+
+      {visibleItems.length > 0 && !loading && <InboxKeyHints />}
+
+      <ChangeDrawer
+        open={drawerOpen} onClose={() => setDrawerOpen(false)} item={drawerItem}
+        onEscalated={(id) => setEscalatedIds((prev) => { const next = new Set(prev); next.add(id); return next; })}
+      />
+
+      {toast && (
+        <div role="status" aria-live="polite" style={{
+          position: "fixed", bottom: 24, right: 24,
+          background: "var(--surface-1)", border: "1px solid var(--border)",
+          borderRadius: 8, padding: "10px 14px", fontSize: 13,
+          color: "var(--text-strong)", boxShadow: "0 8px 24px rgba(15,23,42,0.12)", zIndex: 50,
+        }}>
+          {toast}
+        </div>
+      )}
+
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/Onboard.tsx b/apps/web/src/screens/Onboard.tsx
index 06260ce..d0ebe97 100644
--- a/apps/web/src/screens/Onboard.tsx
+++ b/apps/web/src/screens/Onboard.tsx
@@ -6,7 +6,7 @@ import {
   type VendorCreateInput,
   type VendorCreateResponse,
   type DataClass,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import { ApiError, createVendor } from "../lib/api.js";
 import { useFirstScan } from "../lib/stream.js";
 
diff --git a/apps/web/src/screens/Onboarding.tsx b/apps/web/src/screens/Onboarding.tsx
new file mode 100644
index 0000000..5d22493
--- /dev/null
+++ b/apps/web/src/screens/Onboarding.tsx
@@ -0,0 +1,350 @@
+import { useEffect, useRef, useState } from "react";
+import { ArrowRight, ShieldCheck } from "lucide-react";
+import type { Recoverable } from "@unsyphn/shared";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+import { VendorLogo } from "../components/VendorLogo.js";
+
+type Stage = "intro" | "discovering" | "complete";
+
+const VENDOR_NAMES = [
+  "Notion", "Slack", "Figma", "Salesforce", "Stripe", "Datadog",
+  "GitHub", "AWS", "Vercel", "Linear", "Asana", "Jira",
+  "Confluence", "Atlassian", "HubSpot", "Okta", "Vanta", "Adobe",
+  "Zoom", "Microsoft 365", "Google Workspace", "Brex", "Ramp", "Spendesk",
+];
+const TOTAL_VENDORS = 247;
+const TICK_MS = 150;
+const INCREMENT = Math.ceil(TOTAL_VENDORS / (8000 / TICK_MS));
+
+const S = {
+  page: {
+    minHeight: "100vh",
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "center",
+    padding: "var(--space-7) var(--space-5)",
+  },
+  inner: {
+    maxWidth: 720,
+    width: "100%",
+    display: "flex",
+    flexDirection: "column" as const,
+    alignItems: "center",
+    textAlign: "center" as const,
+    gap: "var(--space-9)",
+  },
+  hero: {
+    fontFamily: "var(--font-display)",
+    fontSize: "clamp(2.5rem, 6vw, 4rem)",
+    fontWeight: 600,
+    letterSpacing: "-0.03em",
+    color: "var(--text)",
+    margin: 0,
+  },
+  subhead: {
+    fontSize: "var(--text-lg)",
+    fontWeight: 400,
+    color: "var(--text-2)",
+    margin: "var(--space-3) 0 0",
+  },
+  btnRow: {
+    display: "flex",
+    gap: "var(--space-4)",
+    flexWrap: "wrap" as const,
+    justifyContent: "center",
+  },
+  btnPrimary: {
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    height: 44,
+    padding: "0 var(--space-6)",
+    background: "var(--accent)",
+    color: "#fff",
+    border: "none",
+    borderRadius: "var(--radius-md)",
+    fontFamily: "var(--font-text)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 500,
+    cursor: "pointer",
+  },
+  btnSecondary: {
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    height: 44,
+    padding: "0 var(--space-6)",
+    background: "var(--surface)",
+    color: "var(--text)",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-md)",
+    fontFamily: "var(--font-text)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 500,
+    cursor: "pointer",
+  },
+  btnGhost: {
+    background: "none",
+    border: "none",
+    color: "var(--text-muted)",
+    fontSize: "var(--text-xs)",
+    cursor: "pointer",
+    padding: 0,
+    fontFamily: "var(--font-text)",
+  },
+  trust: {
+    fontSize: "var(--text-xs)",
+    color: "var(--text-muted)",
+    lineHeight: 1.7,
+  },
+  counter: {
+    fontFamily: "var(--font-display)",
+    fontSize: "clamp(3rem, 8vw, 5rem)",
+    fontWeight: 700,
+    letterSpacing: "-0.04em",
+    color: "var(--accent)",
+    lineHeight: 1,
+    margin: 0,
+  },
+  logoGrid: {
+    display: "grid",
+    gridTemplateColumns: "repeat(6, 56px)",
+    gap: "var(--space-3)",
+    justifyContent: "center",
+  },
+  logoCell: {
+    width: 56,
+    height: 56,
+    borderRadius: "var(--radius-sm)",
+    background: "var(--surface-2)",
+    border: "1px solid var(--border)",
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "center",
+    transition: "opacity 200ms ease",
+  },
+  wowCard: {
+    background: "var(--surface)",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-lg)",
+    padding: "var(--space-6)",
+    width: "100%",
+    textAlign: "left" as const,
+  },
+  wowAmount: {
+    fontFamily: "var(--font-display)",
+    fontSize: "var(--text-3xl)",
+    fontWeight: 600,
+    color: "var(--success, #16a34a)",
+    letterSpacing: "-0.03em",
+    margin: "var(--space-2) 0 0",
+  },
+  chipRow: {
+    display: "flex",
+    flexWrap: "wrap" as const,
+    gap: "var(--space-2)",
+    marginTop: "var(--space-4)",
+  },
+  chip: {
+    display: "inline-flex",
+    alignItems: "center",
+    height: 28,
+    padding: "0 var(--space-3)",
+    background: "var(--surface-2)",
+    color: "var(--text-2)",
+    borderRadius: "var(--radius-full)",
+    fontSize: "var(--text-xs)",
+    border: "1px solid var(--border)",
+    whiteSpace: "nowrap" as const,
+  },
+} as const;
+
+export function Onboarding(): JSX.Element {
+  const [stage, setStage] = useState<Stage>("intro");
+  const [counter, setCounter] = useState(0);
+  const [revealed, setRevealed] = useState(0);
+  const [recoverable, setRecoverable] = useState<Recoverable | null>(null);
+  const intervalRef = useRef<ReturnType<typeof setInterval> | null>(null);
+
+  const stopInterval = () => {
+    if (intervalRef.current) {
+      clearInterval(intervalRef.current);
+      intervalRef.current = null;
+    }
+  };
+
+  const startDiscovery = (provider: "google" | "microsoft") => {
+    const domain = provider === "google" ? "acme.com" : "contoso.com";
+    setStage("discovering");
+    setCounter(0);
+    setRevealed(0);
+
+    void fetch("/v1/onboarding/discover", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${DEMO_BEARER_TOKEN}`,
+      },
+      body: JSON.stringify({ provider, domain }),
+    }).catch(() => undefined);
+
+    void fetch("/v1/recoverable", {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => r.json() as Promise<Recoverable>)
+      .then((data) => setRecoverable(data))
+      .catch(() => undefined);
+
+    stopInterval();
+    intervalRef.current = setInterval(() => {
+      setCounter((prev) => {
+        const next = Math.min(prev + INCREMENT, TOTAL_VENDORS);
+        const ratio = next / TOTAL_VENDORS;
+        setRevealed(Math.floor(ratio * VENDOR_NAMES.length));
+        if (next >= TOTAL_VENDORS) {
+          stopInterval();
+          setStage("complete");
+        }
+        return next;
+      });
+    }, TICK_MS);
+  };
+
+  useEffect(() => stopInterval, []);
+
+  if (stage === "intro") return <IntroView onConnect={startDiscovery} />;
+  if (stage === "discovering") return <DiscoveringView counter={counter} revealed={revealed} />;
+  return <CompleteView recoverable={recoverable} />;
+}
+
+function IntroView({ onConnect }: { onConnect: (provider: "google" | "microsoft") => void }): JSX.Element {
+  return (
+    <div style={S.page}>
+      <div style={S.inner}>
+        <div>
+          <h1 style={S.hero}>UNSYPHN</h1>
+          <p style={S.subhead}>
+            Find every SaaS your company is wasting money on. In 60 seconds.
+          </p>
+        </div>
+
+        <div style={S.btnRow}>
+          <button
+            type="button"
+            style={S.btnPrimary}
+            onClick={() => onConnect("google")}
+            aria-label="Sign in with Google Workspace to start discovery"
+          >
+            Sign in with Google Workspace
+          </button>
+          <button
+            type="button"
+            style={S.btnSecondary}
+            onClick={() => onConnect("microsoft")}
+            aria-label="Sign in with Microsoft 365 to start discovery"
+          >
+            Microsoft 365
+          </button>
+        </div>
+
+        <p style={S.trust}>
+          We only read OAuth grants, email senders, and calendar metadata. We never read message bodies or attachments.<br /><ShieldCheck size={12} style={{display:"inline",verticalAlign:"middle",marginRight:4}} aria-hidden="true" />SOC 2 Type II &nbsp;·&nbsp; No-train AI guarantee &nbsp;·&nbsp; GDPR-ready
+        </p>
+
+        <button
+          type="button"
+          style={S.btnGhost}
+          onClick={() => window.location.assign("/app/inbox")}
+          aria-label="Skip onboarding and connect later"
+        >
+          Skip <ArrowRight size={12} style={{display:"inline",verticalAlign:"middle"}} aria-hidden="true" /> Connect later
+        </button>
+      </div>
+    </div>
+  );
+}
+
+function DiscoveringView({ counter, revealed }: { counter: number; revealed: number }): JSX.Element {
+  return (
+    <div style={S.page}>
+      <div style={S.inner}>
+        <div>
+          <h1 style={S.hero}>Discovering your stack&hellip;</h1>
+          <p style={S.subhead}>
+            We&apos;re scanning your Google Workspace metadata — no message bodies.
+          </p>
+        </div>
+
+        <p
+          style={S.counter}
+          aria-live="polite"
+          aria-atomic="true"
+          aria-label={`${counter} vendors discovered`}
+        >
+          {counter}
+        </p>
+
+        <div style={S.logoGrid} aria-hidden="true">
+          {VENDOR_NAMES.map((name, i) => (
+            <div
+              key={name}
+              style={{ ...S.logoCell, opacity: i < revealed ? 1 : 0 }}
+            >
+              {i < revealed && <VendorLogo name={name} size={40} />}
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  );
+}
+
+function CompleteView({ recoverable }: { recoverable: Recoverable | null }): JSX.Element {
+  const totalUsd = recoverable?.totalUsd ?? 135000;
+  const formatted = totalUsd.toLocaleString("en-US", {
+    style: "currency",
+    currency: "USD",
+    maximumFractionDigits: 0,
+  });
+
+  return (
+    <div style={S.page}>
+      <div style={S.inner}>
+        <div>
+          <h1 style={S.hero}>Found 247 SaaS apps.</h1>
+          <p style={S.subhead}>89 weren&apos;t in your IT inventory.</p>
+        </div>
+
+        <div style={S.wowCard}>
+          <p style={{ fontSize: "var(--text-sm)", color: "var(--text-muted)", margin: 0 }}>
+            Biggest waste we can see this quarter
+          </p>
+          <p style={S.wowAmount}>{formatted} recoverable</p>
+
+          <div style={S.chipRow} role="list">
+            <span style={S.chip} role="listitem">412 unused Salesforce seats ($815k/yr)</span>
+            <span style={S.chip} role="listitem">12 changes this week</span>
+            <span style={S.chip} role="listitem">8 renewals coming up</span>
+          </div>
+        </div>
+
+        <div style={S.btnRow}>
+          <button
+            type="button"
+            style={S.btnPrimary}
+            onClick={() => window.location.assign("/app/inbox")}
+          >
+            Open my Inbox <ArrowRight size={14} style={{display:"inline",marginLeft:4,verticalAlign:"middle"}} aria-hidden="true" />
+          </button>
+          <button
+            type="button"
+            style={S.btnSecondary}
+            onClick={() => window.location.assign("/app/vendors")}
+          >
+            View all 247 vendors
+          </button>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/Portfolio.tsx b/apps/web/src/screens/Portfolio.tsx
new file mode 100644
index 0000000..10a6f9f
--- /dev/null
+++ b/apps/web/src/screens/Portfolio.tsx
@@ -0,0 +1,491 @@
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import type { Vendor } from "@unsyphn/shared";
+import { Share2, AlertCircle, Plus } from "lucide-react";
+import { useRole } from "../lib/role.js";
+import {
+  ApiError,
+  getRenegotiationPacket,
+  listTeamMembers,
+  listVendors,
+  patchVendor,
+  type TeamMember,
+} from "../lib/api.js";
+import { getRequest } from "../components/requests/api.js";
+import { PortfolioStats } from "../components/portfolio/PortfolioStats.js";
+import { PortfolioFilters } from "../components/portfolio/PortfolioFilters.js";
+import { PortfolioVendorCard } from "../components/portfolio/PortfolioVendorCard.js";
+import { VendorTable } from "../components/portfolio/VendorTable.js";
+import { BulkActionBar } from "../components/portfolio/BulkActionBar.js";
+import { ShareAuditorDrawer } from "../components/portfolio/ShareAuditorDrawer.js";
+import {
+  NewVendorDrawer,
+  type NewVendorDrawerInitial,
+} from "../components/portfolio/NewVendorDrawer.js";
+import { Toast, type ToastState } from "../components/requests/Toast.js";
+import {
+  RenegotiationResultsDrawer,
+  type PacketResult,
+} from "../components/portfolio/RenegotiationResultsDrawer.js";
+import {
+  EmptyState,
+  LoadingGrid,
+  ViewToggle,
+} from "../components/portfolio/ViewToggle.js";
+import {
+  initialFilters,
+  writeFiltersToUrl,
+} from "../components/portfolio/url-state.js";
+import {
+  applyFilters,
+  type PortfolioFilterState,
+} from "../components/portfolio/types.js";
+import { LensChips } from "../components/LensChips.js";
+
+const REQUEST_CATEGORY_TO_VENDOR: Record<string, string> = {
+  productivity: "productivity",
+  communication: "communication",
+  analytics: "analytics",
+  security: "security",
+  observability: "observability",
+  devtools: "devtools",
+  infrastructure: "infrastructure",
+  data: "database",
+  compliance: "security",
+  contracts: "productivity",
+  dpa: "security",
+  payments: "payments",
+  spend: "productivity",
+};
+
+function mapRequestCategory(category: string): string {
+  return REQUEST_CATEGORY_TO_VENDOR[category.toLowerCase()] ?? "productivity";
+}
+
+function stripDrawerQueryParams(): void {
+  if (typeof window === "undefined") return;
+  const url = new URL(window.location.href);
+  url.searchParams.delete("newVendor");
+  url.searchParams.delete("fromRequest");
+  window.history.replaceState({}, "", url.toString());
+}
+
+const PAGE_STYLE = `
+  .portfolio-card:hover .portfolio-card-check { opacity: 1; }
+  .portfolio-card:focus-visible { outline: 2px solid #5E6AD2; outline-offset: 2px; }
+  @keyframes portfolio-spin { from { transform: rotate(0deg); } to { transform: rotate(360deg); } }
+  .spin { animation: portfolio-spin 1s linear infinite; }
+`;
+
+export function Portfolio(): JSX.Element {
+  const [role] = useRole();
+  const [vendors, setVendors] = useState<Vendor[] | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [members, setMembers] = useState<TeamMember[]>([]);
+  const [filters, setFilters] = useState<PortfolioFilterState>(initialFilters);
+  const [selected, setSelected] = useState<Set<string>>(new Set());
+
+  const [shareOpen, setShareOpen] = useState(false);
+  const [shareInitial, setShareInitial] = useState<ReadonlyArray<string>>([]);
+  const [packetsOpen, setPacketsOpen] = useState(false);
+  const [packetResults, setPacketResults] = useState<PacketResult[]>([]);
+
+  const [addOpen, setAddOpen] = useState(false);
+  const [addInitial, setAddInitial] = useState<NewVendorDrawerInitial | undefined>(undefined);
+  const [toast, setToast] = useState<ToastState | null>(null);
+
+  // Debounced URL sync (200ms) — deep links work, navigation feels instant.
+  const writeRef = useRef<number | null>(null);
+  useEffect(() => {
+    if (writeRef.current !== null) window.clearTimeout(writeRef.current);
+    writeRef.current = window.setTimeout(() => writeFiltersToUrl(filters), 200);
+    return () => {
+      if (writeRef.current !== null) window.clearTimeout(writeRef.current);
+    };
+  }, [filters]);
+
+  // Fetch vendors when role (lens) changes — backend filters server-side.
+  useEffect(() => {
+    let cancelled = false;
+    setError(null);
+    listVendors(role)
+      .then((r) => {
+        if (!cancelled) setVendors(r.vendors);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setVendors([]);
+        setError(
+          err instanceof ApiError
+            ? err.message
+            : err instanceof Error
+              ? err.message
+              : "Failed to load vendors",
+        );
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [role]);
+
+  useEffect(() => {
+    let cancelled = false;
+    listTeamMembers()
+      .then((r) => {
+        if (!cancelled) setMembers(r.members);
+      })
+      .catch(() => {
+        // Owner names will fall back to the userId — not fatal.
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  // Parse ?newVendor / ?fromRequest on mount to open the drawer with prefill.
+  useEffect(() => {
+    if (typeof window === "undefined") return;
+    const params = new URLSearchParams(window.location.search);
+    const fromRequestId = params.get("fromRequest");
+    const wantsNew = params.get("newVendor") === "true";
+    if (fromRequestId) {
+      let cancelled = false;
+      getRequest(fromRequestId)
+        .then((req) => {
+          if (cancelled) return;
+          setAddInitial({
+            name: req.vendorName,
+            category: mapRequestCategory(req.category),
+            annualSpendUsd: req.expectedSpendUsd,
+            notes: req.justification,
+          });
+          setAddOpen(true);
+        })
+        .catch(() => {
+          if (cancelled) return;
+          // Request not found — still open the drawer empty so the user can
+          // proceed instead of getting stranded with a stale URL.
+          setAddInitial(undefined);
+          setAddOpen(true);
+        });
+      return () => {
+        cancelled = true;
+      };
+    }
+    if (wantsNew) {
+      setAddInitial(undefined);
+      setAddOpen(true);
+    }
+    return undefined;
+  }, []);
+
+  useEffect(() => {
+    if (!toast) return;
+    const t = window.setTimeout(() => setToast(null), 3000);
+    return () => window.clearTimeout(t);
+  }, [toast]);
+
+  const handleAddClose = useCallback(() => {
+    setAddOpen(false);
+    setAddInitial(undefined);
+    stripDrawerQueryParams();
+  }, []);
+
+  const handleVendorCreated = useCallback((vendorId: string) => {
+    setAddOpen(false);
+    setAddInitial(undefined);
+    stripDrawerQueryParams();
+    setToast({ message: "Vendor added", variant: "success" });
+    window.setTimeout(() => {
+      window.location.href = `/app/vendors/${encodeURIComponent(vendorId)}`;
+    }, 250);
+  }, []);
+
+  const ownerMap = useMemo(() => {
+    const m = new Map<string, TeamMember>();
+    for (const u of members) m.set(u.id, u);
+    return m;
+  }, [members]);
+
+  const categoryOptions = useMemo(() => {
+    if (!vendors) return [];
+    const set = new Set<string>();
+    for (const v of vendors) if (v.category) set.add(v.category);
+    return [...set].sort();
+  }, [vendors]);
+
+  const filteredVendors = useMemo(
+    () => (vendors ? applyFilters(vendors, filters) : []),
+    [vendors, filters],
+  );
+
+  const allSelected =
+    filteredVendors.length > 0 && filteredVendors.every((v) => selected.has(v.id));
+
+  const toggleSelect = useCallback((id: string) => {
+    setSelected((prev) => {
+      const next = new Set(prev);
+      if (next.has(id)) next.delete(id);
+      else next.add(id);
+      return next;
+    });
+  }, []);
+
+  const toggleSelectAll = useCallback(() => {
+    setSelected((prev) => {
+      const allOn = filteredVendors.every((v) => prev.has(v.id));
+      const next = new Set(prev);
+      for (const v of filteredVendors) {
+        if (allOn) next.delete(v.id);
+        else next.add(v.id);
+      }
+      return next;
+    });
+  }, [filteredVendors]);
+
+  const applyPatch = async (patch: { ownerId?: string; tier?: 1 | 2 | 3 }) => {
+    const ids = [...selected];
+    const results = await Promise.allSettled(ids.map((id) => patchVendor(id, patch)));
+    setVendors((prev) => {
+      if (!prev) return prev;
+      const updated = new Map<string, Vendor>();
+      results.forEach((r, i) => {
+        if (r.status === "fulfilled") {
+          const id = ids[i];
+          if (id) updated.set(id, r.value);
+        }
+      });
+      return prev.map((v) => updated.get(v.id) ?? v);
+    });
+  };
+
+  const handleShareWithAuditor = (preselected?: ReadonlyArray<string>) => {
+    setShareInitial(preselected ?? [...selected]);
+    setShareOpen(true);
+  };
+
+  const handleGeneratePackets = async () => {
+    const ids = [...selected];
+    if (ids.length === 0) return;
+    const initial: PacketResult[] = ids.map((id) => {
+      const v = vendors?.find((x) => x.id === id);
+      return { status: "pending", vendorId: id, vendorName: v?.name ?? id };
+    });
+    setPacketResults(initial);
+    setPacketsOpen(true);
+
+    await Promise.all(
+      ids.map(async (id, idx) => {
+        try {
+          const packet = await getRenegotiationPacket(id);
+          setPacketResults((prev) => {
+            const next = [...prev];
+            next[idx] = { status: "ok", vendorId: id, packet };
+            return next;
+          });
+        } catch (err) {
+          setPacketResults((prev) => {
+            const next = [...prev];
+            const entry = initial[idx];
+            const name = entry && entry.status === "pending" ? entry.vendorName : id;
+            next[idx] = {
+              status: "error",
+              vendorId: id,
+              vendorName: name,
+              error:
+                err instanceof ApiError
+                  ? err.message
+                  : err instanceof Error
+                    ? err.message
+                    : "Failed",
+            };
+            return next;
+          });
+        }
+      }),
+    );
+  };
+
+  const isLoading = vendors === null;
+
+  return (
+    <div style={{ maxWidth: 1280, margin: "0 auto", padding: "32px 24px 64px" }}>
+      <style>{PAGE_STYLE}</style>
+
+      <header
+        className="fade-up"
+        style={{
+          display: "flex",
+          alignItems: "flex-end",
+          justifyContent: "space-between",
+          gap: 16,
+          marginBottom: 24,
+          flexWrap: "wrap",
+        }}
+      >
+        <div>
+          <h1
+            style={{
+              fontFamily: "var(--font-display)",
+              fontSize: 28,
+              fontWeight: 600,
+              color: "#0f172a",
+              margin: 0,
+              letterSpacing: "-0.01em",
+            }}
+          >
+            Vendors
+          </h1>
+          <p style={{ color: "#64748b", fontSize: 14, margin: "6px 0 0" }}>
+            All vendors monitored for posture, renewals, and material change.
+          </p>
+        </div>
+
+        <div style={{ display: "flex", gap: 8, alignItems: "center" }}>
+          <ViewToggle view={filters.view} onChange={(v) => setFilters({ ...filters, view: v })} />
+          <button
+            type="button"
+            className="button-pop"
+            onClick={() => {
+              setAddInitial(undefined);
+              setAddOpen(true);
+            }}
+            aria-label="Add a new vendor"
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 6,
+              padding: "9px 14px",
+              fontSize: 13,
+              fontWeight: 600,
+              background: "#ffffff",
+              color: "#0f172a",
+              border: "1px solid rgba(15,23,42,0.12)",
+              borderRadius: 8,
+              cursor: "pointer",
+            }}
+          >
+            <Plus size={14} aria-hidden="true" /> Add vendor
+          </button>
+          <button
+            type="button"
+            className="button-pop"
+            onClick={() => handleShareWithAuditor([])}
+            style={{
+              display: "inline-flex",
+              alignItems: "center",
+              gap: 6,
+              padding: "9px 14px",
+              fontSize: 13,
+              fontWeight: 600,
+              background: "#5E6AD2",
+              color: "#ffffff",
+              border: "1px solid #5E6AD2",
+              borderRadius: 8,
+              cursor: "pointer",
+              boxShadow: "0 4px 14px rgba(94,106,210,0.25)",
+            }}
+          >
+            <Share2 size={14} aria-hidden="true" /> Share with auditor →
+          </button>
+        </div>
+      </header>
+
+      <LensChips />
+
+      <PortfolioStats vendors={vendors ?? []} />
+
+      <PortfolioFilters
+        state={filters}
+        onChange={setFilters}
+        categoryOptions={categoryOptions}
+        ownerOptions={members}
+      />
+
+      <BulkActionBar
+        count={selected.size}
+        owners={members}
+        onAssignOwner={(ownerId) => applyPatch({ ownerId })}
+        onChangeTier={(tier) => applyPatch({ tier })}
+        onGeneratePackets={() => void handleGeneratePackets()}
+        onShareWithAuditor={() => handleShareWithAuditor()}
+        onClear={() => setSelected(new Set())}
+      />
+
+      {error && (
+        <div
+          role="alert"
+          style={{
+            display: "flex",
+            alignItems: "center",
+            gap: 10,
+            padding: "12px 14px",
+            background: "rgba(220,38,38,0.06)",
+            border: "1px solid rgba(220,38,38,0.16)",
+            borderRadius: 10,
+            color: "#dc2626",
+            fontSize: 13,
+            marginBottom: 16,
+          }}
+        >
+          <AlertCircle size={16} aria-hidden="true" />
+          <span>{error}</span>
+        </div>
+      )}
+
+      {isLoading ? (
+        <LoadingGrid />
+      ) : filters.view === "table" ? (
+        <VendorTable
+          vendors={filteredVendors}
+          owners={ownerMap}
+          selectedIds={selected}
+          onToggleSelect={toggleSelect}
+          onToggleAll={toggleSelectAll}
+          allSelected={allSelected}
+        />
+      ) : filteredVendors.length === 0 ? (
+        <EmptyState />
+      ) : (
+        <div
+          className="stagger-children"
+          style={{
+            display: "grid",
+            gridTemplateColumns: "repeat(auto-fill, minmax(280px, 1fr))",
+            gap: 16,
+          }}
+        >
+          {filteredVendors.map((v) => (
+            <PortfolioVendorCard
+              key={v.id}
+              vendor={v}
+              owner={v.ownerId ? ownerMap.get(v.ownerId) : undefined}
+              selected={selected.has(v.id)}
+              onToggleSelect={toggleSelect}
+            />
+          ))}
+        </div>
+      )}
+
+      <ShareAuditorDrawer
+        open={shareOpen}
+        onClose={() => setShareOpen(false)}
+        vendors={vendors ?? []}
+        initiallySelected={shareInitial}
+      />
+      <NewVendorDrawer
+        open={addOpen}
+        onClose={handleAddClose}
+        onCreated={handleVendorCreated}
+        members={members}
+        categoryOptions={categoryOptions}
+        initial={addInitial}
+      />
+      <RenegotiationResultsDrawer
+        open={packetsOpen}
+        onClose={() => setPacketsOpen(false)}
+        results={packetResults}
+      />
+      {toast && <Toast message={toast.message} variant={toast.variant} />}
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/Pricing.tsx b/apps/web/src/screens/Pricing.tsx
new file mode 100644
index 0000000..58de7f5
--- /dev/null
+++ b/apps/web/src/screens/Pricing.tsx
@@ -0,0 +1,179 @@
+import { useEffect, useMemo, useState } from "react";
+import { StripeModal, type StripeTier } from "./StripeModal.js";
+import { BillingToggle } from "./pricing/BillingToggle.js";
+import { PricingTiers } from "./pricing/PricingTiers.js";
+import { PricingAddOns, ADD_ONS, addOnMonthlyCents } from "./pricing/PricingAddOns.js";
+import { PricingRoi } from "./pricing/PricingRoi.js";
+import { PricingMatrix } from "./pricing/PricingMatrix.js";
+import { PricingFaq } from "./pricing/PricingFaq.js";
+import { InvoiceTable } from "./pricing/InvoiceTable.js";
+import { effectiveCents, type BillingCadence, type TierDef } from "./pricing/tiers.js";
+
+// Phase 8 orchestrator — defers all sections to sub-modules under ./pricing/.
+// Owns: billing cadence (URL-persisted), add-on cart state, modal open/close.
+
+const S = {
+  page: {
+    background: "var(--bg)",
+    color: "var(--text)",
+    fontFamily: "var(--font-text)",
+    minHeight: "100vh",
+    paddingTop: 80,
+  } as React.CSSProperties,
+  hero: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "var(--space-9) var(--space-5) var(--space-5)",
+    textAlign: "center" as const,
+  },
+  toggleRow: {
+    display: "flex",
+    justifyContent: "center",
+    marginBottom: "var(--space-6)",
+  },
+  cartHint: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-4)",
+    textAlign: "center" as const,
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+  },
+} as const;
+
+function readCadenceFromUrl(): BillingCadence {
+  if (typeof window === "undefined") return "annual";
+  const params = new URLSearchParams(window.location.search);
+  return params.get("billing") === "monthly" ? "monthly" : "annual";
+}
+
+function writeCadenceToUrl(next: BillingCadence): void {
+  if (typeof window === "undefined") return;
+  const url = new URL(window.location.href);
+  url.searchParams.set("billing", next);
+  window.history.replaceState({}, "", url.toString());
+}
+
+function dollars(cents: number): string {
+  return "$" + (cents / 100).toLocaleString("en-US");
+}
+
+export function Pricing(): JSX.Element {
+  const [cadence, setCadence] = useState<BillingCadence>("annual");
+  const [selectedAddOns, setSelectedAddOns] = useState<Set<string>>(new Set());
+  const [activeTier, setActiveTier] = useState<TierDef | undefined>();
+
+  // Initialize from URL once; intentionally not in deps so back/forward doesn't
+  // fight user toggles.
+  useEffect(() => {
+    setCadence(readCadenceFromUrl());
+  }, []);
+
+  function handleCadenceChange(next: BillingCadence): void {
+    setCadence(next);
+    writeCadenceToUrl(next);
+  }
+
+  function toggleAddOn(id: string): void {
+    setSelectedAddOns((prev) => {
+      const next = new Set(prev);
+      if (next.has(id)) next.delete(id);
+      else next.add(id);
+      return next;
+    });
+  }
+
+  const addOnTotalCents = addOnMonthlyCents(selectedAddOns);
+  const addOnCount = selectedAddOns.size;
+
+  function handleSubscribe(tier: TierDef): void {
+    setActiveTier(tier);
+  }
+
+  const stripeTier: StripeTier | undefined = useMemo(() => {
+    if (!activeTier?.sku) return undefined;
+    const baseMonthly = effectiveCents(activeTier, cadence);
+    // For annual cadence, charge the full annual amount up-front.
+    const isAnnual = cadence === "annual";
+    const cents = isAnnual ? baseMonthly * 12 : baseMonthly;
+    const periodLabel = isAnnual ? "/yr" : "/mo";
+    return {
+      id: activeTier.sku,
+      name: `${activeTier.name} · ${isAnnual ? "annual" : "monthly"}`,
+      priceUsdCents: cents,
+      period: periodLabel,
+      features: activeTier.features,
+      addOnIds: Array.from(selectedAddOns),
+      addOnCents: isAnnual ? addOnTotalCents * 12 : addOnTotalCents,
+      addOnPeriodLabel: periodLabel,
+    };
+  }, [activeTier, cadence, selectedAddOns, addOnTotalCents]);
+
+  return (
+    <div style={S.page}>
+      {/* Hero */}
+      <section style={S.hero} className="fade-up">
+        <h1
+          className="h1"
+          style={{
+            fontFamily: "var(--font-display)",
+            color: "var(--text-strong)",
+            marginBottom: "var(--space-3)",
+          }}
+        >
+          Pricing
+        </h1>
+        <p
+          className="lead"
+          style={{ maxWidth: 520, margin: "0 auto", color: "var(--text-2)" }}
+        >
+          Companies on Growth average{" "}
+          <strong style={{ color: "var(--text-strong)" }}>$135K recovered per quarter</strong>{" "}
+          in their first year.
+        </p>
+      </section>
+
+      {/* Billing cadence toggle */}
+      <div style={S.toggleRow}>
+        <BillingToggle value={cadence} onChange={handleCadenceChange} />
+      </div>
+
+      {/* Tier cards */}
+      <PricingTiers cadence={cadence} onSubscribe={handleSubscribe} />
+
+      {/* Add-on cart hint */}
+      {addOnCount > 0 && (
+        <p style={S.cartHint} aria-live="polite">
+          + <strong style={{ color: "var(--text-strong)" }}>{dollars(addOnTotalCents)}/mo</strong>{" "}
+          for {addOnCount} add-on{addOnCount === 1 ? "" : "s"} ({
+            ADD_ONS.filter((a) => selectedAddOns.has(a.id))
+              .map((a) => a.name)
+              .join(", ")
+          })
+        </p>
+      )}
+
+      {/* Add-ons */}
+      <PricingAddOns selected={selectedAddOns} onToggle={toggleAddOn} />
+
+      {/* ROI Calculator */}
+      <PricingRoi />
+
+      {/* Feature matrix */}
+      <PricingMatrix />
+
+      {/* Invoice history */}
+      <InvoiceTable />
+
+      {/* FAQ */}
+      <PricingFaq />
+
+      {activeTier && (
+        <StripeModal
+          onClose={() => setActiveTier(undefined)}
+          tier={stripeTier}
+        />
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/Privacy.tsx b/apps/web/src/screens/Privacy.tsx
new file mode 100644
index 0000000..d4f810b
--- /dev/null
+++ b/apps/web/src/screens/Privacy.tsx
@@ -0,0 +1,80 @@
+import { PageShell } from "../components/PageShell.js";
+
+export function Privacy(): JSX.Element {
+  return (
+    <PageShell active={null}>
+      <header className="public-hero fade-up">
+        <h1>Privacy Policy</h1>
+        <p className="lead">Last updated: May 2026</p>
+      </header>
+
+      <div className="stagger-children">
+        <section className="public-section glass-soft" aria-labelledby="collect" style={{ padding: 24, borderRadius: 14 }}>
+          <h2 id="collect">What we collect</h2>
+          <p>
+            Unsyphn collects two kinds of data: account information you give us
+            directly (name, work email, company) and workspace metadata we read
+            from connected systems (Google Workspace, Microsoft 365, SSO logs,
+            accounting and procurement tools). We only read what is necessary to
+            surface the SaaS footprint your team is already paying for.
+          </p>
+          <p>
+            We do not read message bodies, attachments, or document contents
+            unless you explicitly opt-in to clause extraction on a per-contract
+            basis. OAuth scopes are minimal-read and listed at connection time so
+            you see exactly what is being requested.
+          </p>
+        </section>
+
+        <section className="public-section glass-soft" aria-labelledby="use" style={{ padding: 24, borderRadius: 14 }}>
+          <h2 id="use">How we use it</h2>
+          <p>
+            Workspace metadata is used to detect vendors, score risk, track
+            renewals, and route material changes to the channels you configure
+            (Slack, Jira, email, calendar). Account information powers billing,
+            audit trails, and customer support.
+          </p>
+          <p>
+            We do not sell or rent your data. We do not train models on your data
+            today; should this ever change we will give you advance notice and a
+            clear path to opt out.
+          </p>
+        </section>
+
+        <section className="public-section glass-soft" aria-labelledby="subs" style={{ padding: 24, borderRadius: 14 }}>
+          <h2 id="subs">Sub-processors</h2>
+          <p>
+            A current list of sub-processors and their regions is published on the
+            {" "}<a href="/trust">Trust Center</a>. We provide 30 days&rsquo; notice
+            before adding any new sub-processor; you can subscribe to that feed
+            from the Trust Center page.
+          </p>
+        </section>
+
+        <section className="public-section glass-soft" aria-labelledby="rights" style={{ padding: 24, borderRadius: 14 }}>
+          <h2 id="rights">Your rights (GDPR &amp; CCPA)</h2>
+          <p>
+            You have the right to access, correct, export, and delete personal
+            data we hold about you. For workspace data, the workspace owner is
+            the controller and we act as a processor under our Data Processing
+            Agreement.
+          </p>
+          <p>
+            Requests are handled within 30 days. EU and UK customers can pin data
+            to our Frankfurt region on the Enterprise tier; data never crosses
+            regional boundaries once pinned.
+          </p>
+        </section>
+
+        <section className="public-section glass-soft" aria-labelledby="contact" style={{ padding: 24, borderRadius: 14 }}>
+          <h2 id="contact">Contact us</h2>
+          <p>
+            Privacy questions: <a href="mailto:privacy@unsyphn.com">privacy@unsyphn.com</a>.
+            Security disclosures: <a href="mailto:security@unsyphn.com">security@unsyphn.com</a>.
+            General: <a href="/contact">/contact</a>.
+          </p>
+        </section>
+      </div>
+    </PageShell>
+  );
+}
diff --git a/apps/web/src/screens/Renewals.tsx b/apps/web/src/screens/Renewals.tsx
new file mode 100644
index 0000000..ac9f3bb
--- /dev/null
+++ b/apps/web/src/screens/Renewals.tsx
@@ -0,0 +1,402 @@
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { CalendarPlus } from "lucide-react";
+import type { Renewal, RenewalStatus } from "@unsyphn/shared";
+import { listTeamMembers, type TeamMember } from "../lib/api.js";
+import { useRole } from "../lib/role.js";
+import {
+  fetchRenewals,
+  patchRenewal,
+  postRenewalStatus,
+  type RenewalPatchBody,
+} from "../components/renewals/api.js";
+import { RenewalsKanban } from "../components/renewals/RenewalsKanban.js";
+import { ClosedSection } from "../components/renewals/ClosedSection.js";
+import { Workbench } from "../components/renewals/Workbench.js";
+import { downloadIcs } from "../components/renewals/ics.js";
+import { RenegotiationPacket } from "../components/RenegotiationPacket.js";
+import { LensChips } from "../components/LensChips.js";
+
+type Window = 30 | 60 | 90 | 365;
+
+const TIME_CHIPS: ReadonlyArray<{ label: string; days: Window }> = [
+  { label: "Next 30d", days: 30 },
+  { label: "Next 60d", days: 60 },
+  { label: "Next 90d", days: 90 },
+  { label: "All", days: 365 },
+];
+
+function formatUsd(n: number): string {
+  if (n >= 1_000_000) return `$${(n / 1_000_000).toFixed(1)}M`;
+  if (n >= 1000) return `$${Math.round(n / 1000)}k`;
+  return `$${n}`;
+}
+
+function buildLead(renewals: ReadonlyArray<Renewal>, days: number): string {
+  const active = renewals.filter((r) => !r.declined && !r.autoRenewed);
+  const total = active.length;
+  const atRisk = active.reduce((s, r) => s + r.annualValueUsd, 0);
+  const urgent = active.filter((r) => r.daysOut <= 30).length;
+  const win = days === 365 ? "all" : `next ${days}d`;
+  const parts: string[] = [];
+  if (total > 0) parts.push(`${total} in ${win}`);
+  if (atRisk > 0) parts.push(`${formatUsd(atRisk)} at-risk value`);
+  if (urgent > 0) parts.push(`${urgent} within 30 days`);
+  return parts.join(" · ") || "No renewals in this window";
+}
+
+function Toast({ message }: { message: string }): JSX.Element {
+  return (
+    <div
+      role="status"
+      aria-live="polite"
+      style={{
+        position: "fixed",
+        bottom: 24,
+        left: "50%",
+        transform: "translateX(-50%)",
+        background: "var(--text)",
+        color: "var(--surface)",
+        padding: "var(--space-2) var(--space-4)",
+        borderRadius: "var(--radius-pill)",
+        fontSize: "var(--text-sm)",
+        fontWeight: 500,
+        zIndex: 500,
+        pointerEvents: "none",
+      }}
+    >
+      {message}
+    </div>
+  );
+}
+
+export function Renewals(): JSX.Element {
+  const [role] = useRole();
+  const [days, setDays] = useState<Window>(90);
+  const [renewals, setRenewals] = useState<Renewal[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [members, setMembers] = useState<TeamMember[]>([]);
+  const [selected, setSelected] = useState<Renewal | null>(null);
+  const [packetFor, setPacketFor] = useState<Renewal | null>(null);
+  const [toast, setToast] = useState<string | null>(null);
+  const toastTimer = useRef<number | null>(null);
+
+  const flashToast = useCallback((msg: string) => {
+    setToast(msg);
+    if (toastTimer.current !== null) window.clearTimeout(toastTimer.current);
+    toastTimer.current = window.setTimeout(() => setToast(null), 2500);
+  }, []);
+
+  useEffect(() => {
+    return () => {
+      if (toastTimer.current !== null) window.clearTimeout(toastTimer.current);
+    };
+  }, []);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    setError(null);
+    fetchRenewals(days)
+      .then((r) => {
+        if (!cancelled) {
+          setRenewals(r);
+          setLoading(false);
+        }
+      })
+      .catch(() => {
+        if (!cancelled) {
+          setError("Couldn't load renewals.");
+          setLoading(false);
+        }
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [days]);
+
+  useEffect(() => {
+    let cancelled = false;
+    listTeamMembers()
+      .then((r) => {
+        if (!cancelled) setMembers(r.members);
+      })
+      .catch(() => {
+        // Owner picker shows email-based initials when fetch fails.
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  // Lens filter: keep renewals whose lensTags include the role, fall back
+  // to the full list if zero match (so the board never blanks).
+  const lensFiltered = useMemo(() => {
+    const tagged = renewals.filter((r) => (r.lensTags ?? []).includes(role));
+    return tagged.length > 0 ? tagged : renewals;
+  }, [renewals, role]);
+
+  const openCards = useMemo(
+    () => lensFiltered.filter((r) => !r.declined && !r.autoRenewed),
+    [lensFiltered],
+  );
+  const closedCards = useMemo(
+    () => lensFiltered.filter((r) => r.declined || r.autoRenewed),
+    [lensFiltered],
+  );
+
+  const handleMoveColumn = useCallback(
+    (id: string, column: RenewalStatus) => {
+      const prev = renewals;
+      const next = prev.map((r) => (r.id === id ? { ...r, status: column } : r));
+      setRenewals(next);
+      postRenewalStatus(id, column)
+        .then((updated) => {
+          setRenewals((curr) => curr.map((r) => (r.id === id ? updated : r)));
+        })
+        .catch(() => {
+          setRenewals(prev);
+          flashToast("Couldn't move card. Reverted.");
+        });
+    },
+    [renewals, flashToast],
+  );
+
+  const applyPatch = useCallback(
+    (id: string, patch: RenewalPatchBody, onError: string) => {
+      const prev = renewals;
+      const optimistic = prev.map((r) =>
+        r.id === id
+          ? {
+              ...r,
+              ...(patch.column ? { status: patch.column } : {}),
+              ...(patch.ownerId
+                ? {
+                    ownerId: patch.ownerId,
+                    ownerEmail:
+                      members.find((m) => m.id === patch.ownerId)?.email ?? r.ownerEmail,
+                  }
+                : {}),
+              ...(patch.declined !== undefined ? { declined: patch.declined } : {}),
+              ...(patch.autoRenewed !== undefined ? { autoRenewed: patch.autoRenewed } : {}),
+            }
+          : r,
+      );
+      setRenewals(optimistic);
+      patchRenewal(id, patch)
+        .then((updated) => {
+          setRenewals((curr) => curr.map((r) => (r.id === id ? updated : r)));
+        })
+        .catch(() => {
+          setRenewals(prev);
+          flashToast(onError);
+        });
+    },
+    [renewals, members, flashToast],
+  );
+
+  const handleAssignOwner = useCallback(
+    (id: string, ownerId: string) => applyPatch(id, { ownerId }, "Couldn't reassign owner."),
+    [applyPatch],
+  );
+  const handleMarkDeclined = useCallback(
+    (id: string) => applyPatch(id, { declined: true, autoRenewed: false }, "Couldn't update."),
+    [applyPatch],
+  );
+  const handleMarkAutoRenewed = useCallback(
+    (id: string) => applyPatch(id, { autoRenewed: true, declined: false }, "Couldn't update."),
+    [applyPatch],
+  );
+  const handleReopen = useCallback(
+    (id: string) =>
+      applyPatch(id, { declined: false, autoRenewed: false }, "Couldn't re-open."),
+    [applyPatch],
+  );
+  const handleGeneratePacket = useCallback((r: Renewal) => {
+    setPacketFor(r);
+  }, []);
+  const handleExportOne = useCallback(
+    (r: Renewal) => {
+      downloadIcs([r], `renewal-${r.vendorName.toLowerCase().replace(/\s+/g, "-")}.ics`);
+      flashToast(`Exported ${r.vendorName}.ics`);
+    },
+    [flashToast],
+  );
+  const handleExportAll = useCallback(() => {
+    const list = openCards;
+    if (list.length === 0) {
+      flashToast("Nothing visible to export.");
+      return;
+    }
+    downloadIcs(list, "renewals.ics");
+    flashToast(`Exported ${list.length} renewal${list.length === 1 ? "" : "s"}.ics`);
+  }, [openCards, flashToast]);
+
+  return (
+    <main
+      className="page"
+      style={{ padding: "var(--space-7) var(--space-6)", maxWidth: 1280, margin: "0 auto" }}
+    >
+      <header
+        className="fade-up"
+        style={{
+          display: "flex",
+          alignItems: "flex-end",
+          justifyContent: "space-between",
+          gap: 16,
+          marginBottom: "var(--space-5)",
+          flexWrap: "wrap",
+        }}
+      >
+        <div>
+          <h1 className="h1" style={{ marginBottom: "var(--space-2)" }}>
+            Renewals
+          </h1>
+          {!loading && !error && (
+            <p className="lead" style={{ margin: 0 }}>
+              {buildLead(lensFiltered, days)}
+            </p>
+          )}
+        </div>
+        <button
+          type="button"
+          className="btn btn-secondary button-pop"
+          onClick={handleExportAll}
+          disabled={loading || openCards.length === 0}
+          style={{
+            display: "inline-flex",
+            alignItems: "center",
+            gap: 6,
+            height: 36,
+            fontSize: "var(--text-sm)",
+          }}
+        >
+          <CalendarPlus size={14} aria-hidden="true" />
+          Export to calendar
+        </button>
+      </header>
+
+      <LensChips />
+
+      <div
+        role="group"
+        aria-label="Time window"
+        style={{
+          display: "flex",
+          gap: "var(--space-2)",
+          marginBottom: "var(--space-6)",
+          flexWrap: "wrap",
+        }}
+      >
+        {TIME_CHIPS.map(({ label, days: d }) => (
+          <button
+            key={d}
+            type="button"
+            onClick={() => setDays(d)}
+            className={`${days === d ? "badge badge-accent" : "badge badge-neutral"} button-pop`}
+            style={{ cursor: "pointer", border: "none" }}
+            aria-pressed={days === d}
+          >
+            {label}
+          </button>
+        ))}
+      </div>
+
+      {loading && (
+        <div
+          aria-live="polite"
+          aria-busy={true}
+          style={{ display: "grid", gridTemplateColumns: "repeat(3, 1fr)", gap: "var(--space-5)" }}
+        >
+          {["triage", "negotiate", "sign"].map((col) => (
+            <div key={col} style={{ display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+              <div
+                style={{
+                  height: 20,
+                  borderRadius: 4,
+                  background: "var(--surface-3)",
+                  width: 80,
+                  animation: "pulse 1.5s ease-in-out infinite",
+                }}
+              />
+              {[1, 2].map((i) => (
+                <div
+                  key={i}
+                  aria-hidden="true"
+                  style={{
+                    height: 140,
+                    borderRadius: "var(--radius-md)",
+                    background: "var(--surface-2)",
+                    animation: "pulse 1.5s ease-in-out infinite",
+                  }}
+                />
+              ))}
+            </div>
+          ))}
+        </div>
+      )}
+
+      {!loading && error && (
+        <div style={{ padding: "var(--space-4)" }}>
+          <span className="badge badge-danger">{error}</span>
+        </div>
+      )}
+
+      {!loading && !error && renewals.length === 0 && (
+        <div
+          style={{
+            textAlign: "center",
+            padding: "var(--space-9)",
+            color: "var(--text-2)",
+            fontSize: "var(--text-sm)",
+          }}
+        >
+          No renewals found in this window.
+        </div>
+      )}
+
+      {!loading && !error && lensFiltered.length > 0 && (
+        <RenewalsKanban
+          renewals={openCards}
+          members={members}
+          onMoveColumn={handleMoveColumn}
+          onOpen={setSelected}
+          onAssignOwner={handleAssignOwner}
+          onMarkDeclined={handleMarkDeclined}
+          onMarkAutoRenewed={handleMarkAutoRenewed}
+          onReopen={handleReopen}
+          onGeneratePacket={handleGeneratePacket}
+          onExportIcs={handleExportOne}
+        />
+      )}
+
+      <ClosedSection
+        renewals={closedCards}
+        members={members}
+        onOpen={setSelected}
+        onAssignOwner={handleAssignOwner}
+        onMarkDeclined={handleMarkDeclined}
+        onMarkAutoRenewed={handleMarkAutoRenewed}
+        onReopen={handleReopen}
+        onGeneratePacket={handleGeneratePacket}
+        onExportIcs={handleExportOne}
+      />
+
+      {selected && <Workbench renewal={selected} onClose={() => setSelected(null)} />}
+      <RenegotiationPacket
+        vendorId={packetFor?.vendorId ?? ""}
+        open={packetFor !== null}
+        onClose={() => setPacketFor(null)}
+      />
+
+      {toast && <Toast message={toast} />}
+
+      <style>{`
+        @keyframes pulse {
+          0%, 100% { opacity: 1; }
+          50% { opacity: 0.45; }
+        }
+      `}</style>
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/Reports.tsx b/apps/web/src/screens/Reports.tsx
new file mode 100644
index 0000000..03d48ae
--- /dev/null
+++ b/apps/web/src/screens/Reports.tsx
@@ -0,0 +1,372 @@
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { Calendar, Clock, Download, FileText, RefreshCw } from "lucide-react";
+import {
+  generateReport,
+  listReports,
+  type Report,
+  type ReportCategory,
+} from "../lib/api.js";
+import { LensChips } from "../components/LensChips.js";
+import { SkeletonCard } from "../components/SkeletonRow.js";
+
+const CATEGORY_LABEL: Record<ReportCategory, string> = {
+  risk: "Risk",
+  compliance: "Compliance",
+  spend: "Spend",
+  operational: "Operational",
+};
+
+function fmtRelative(iso: string | undefined): string {
+  if (!iso) return "Never";
+  const diff = Date.now() - Date.parse(iso);
+  if (Number.isNaN(diff)) return "Unknown";
+  const day = 86_400_000;
+  if (diff < day) return "Today";
+  if (diff < 2 * day) return "Yesterday";
+  if (diff < 7 * day) return `${Math.floor(diff / day)} days ago`;
+  if (diff < 30 * day) return `${Math.floor(diff / (7 * day))} weeks ago`;
+  return `${Math.floor(diff / (30 * day))} months ago`;
+}
+
+function fmtFuture(iso: string | undefined): string {
+  if (!iso) return "On demand";
+  const diff = Date.parse(iso) - Date.now();
+  if (Number.isNaN(diff)) return iso;
+  if (diff <= 0) return "Now";
+  const day = 86_400_000;
+  if (diff < day) return "Today";
+  if (diff < 7 * day) return `In ${Math.ceil(diff / day)} day${diff < 2 * day ? "" : "s"}`;
+  if (diff < 30 * day) return `In ${Math.ceil(diff / (7 * day))} weeks`;
+  return new Date(iso).toLocaleDateString("en-US", { month: "short", day: "numeric" });
+}
+
+function ScheduleChip({ schedule }: { schedule: Report["schedule"] }): JSX.Element {
+  const label =
+    schedule === "monthly"
+      ? "Monthly"
+      : schedule === "weekly"
+        ? "Weekly"
+        : schedule === "quarterly"
+          ? "Quarterly"
+          : "On demand";
+  return (
+    <span className="badge badge-neutral" style={{ textTransform: "none" }}>
+      {label}
+    </span>
+  );
+}
+
+function CategoryBadge({ category }: { category: ReportCategory }): JSX.Element {
+  return (
+    <span className="badge badge-accent" style={{ textTransform: "none" }}>
+      {CATEGORY_LABEL[category]}
+    </span>
+  );
+}
+
+interface CardProps {
+  report: Report;
+  busy: boolean;
+  onGenerate: (id: string) => void;
+}
+
+function ReportCard({ report, busy, onGenerate }: CardProps): JSX.Element {
+  return (
+    <article
+      className="card glass-strong lift-on-hover"
+      style={{
+        padding: "var(--space-5)",
+        display: "flex",
+        flexDirection: "column",
+        gap: "var(--space-3)",
+      }}
+    >
+      <div style={{ display: "flex", alignItems: "center", gap: 8, flexWrap: "wrap" }}>
+        <FileText size={16} aria-hidden="true" style={{ color: "var(--accent)" }} />
+        <h3
+          style={{
+            margin: 0,
+            fontSize: "var(--text-base)",
+            fontWeight: 600,
+            color: "var(--text-strong)",
+            flex: 1,
+          }}
+        >
+          {report.name}
+        </h3>
+        <CategoryBadge category={report.category} />
+        <ScheduleChip schedule={report.schedule} />
+        {report.isCompliancePack && (
+          <span className="badge badge-success" style={{ textTransform: "none" }}>
+            Compliance pack
+          </span>
+        )}
+      </div>
+
+      <p
+        style={{
+          margin: 0,
+          fontSize: "var(--text-sm)",
+          color: "var(--text-2)",
+          lineHeight: 1.5,
+        }}
+      >
+        {report.description}
+      </p>
+
+      <div
+        style={{
+          display: "flex",
+          gap: "var(--space-4)",
+          fontSize: "var(--text-xs)",
+          color: "var(--text-muted)",
+          flexWrap: "wrap",
+        }}
+      >
+        <span style={{ display: "inline-flex", alignItems: "center", gap: 4 }}>
+          <Clock size={12} aria-hidden="true" /> Last generated {fmtRelative(report.lastGeneratedAt)}
+        </span>
+        {report.schedule !== "on-demand" && (
+          <span style={{ display: "inline-flex", alignItems: "center", gap: 4 }}>
+            <Calendar size={12} aria-hidden="true" /> Next run {fmtFuture(report.nextRunAt)}
+          </span>
+        )}
+      </div>
+
+      <div style={{ display: "flex", gap: "var(--space-2)", marginTop: "auto", flexWrap: "wrap" }}>
+        <button
+          type="button"
+          className="btn btn-primary button-pop"
+          onClick={() => onGenerate(report.id)}
+          disabled={busy}
+          style={{ fontSize: "var(--text-sm)" }}
+        >
+          <RefreshCw size={13} aria-hidden="true" className={busy ? "spin" : ""} />
+          {busy ? "Generating…" : "Generate now"}
+        </button>
+        {report.downloadUrl && (
+          <a
+            href={report.downloadUrl}
+            target="_blank"
+            rel="noreferrer"
+            className="btn btn-secondary button-pop"
+            style={{ fontSize: "var(--text-sm)", textDecoration: "none" }}
+          >
+            <Download size={13} aria-hidden="true" />
+            Download latest
+          </a>
+        )}
+      </div>
+    </article>
+  );
+}
+
+function SectionHeader({ title, count }: { title: string; count: number }): JSX.Element {
+  return (
+    <h2
+      style={{
+        margin: "0 0 var(--space-4)",
+        fontSize: "var(--text-base)",
+        fontWeight: 600,
+        color: "var(--text-strong)",
+        display: "flex",
+        alignItems: "baseline",
+        gap: 8,
+      }}
+    >
+      {title}
+      <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", fontWeight: 400 }}>
+        {count}
+      </span>
+    </h2>
+  );
+}
+
+export function Reports(): JSX.Element {
+  const [reports, setReports] = useState<Report[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [busyIds, setBusyIds] = useState<Set<string>>(new Set());
+  const [toast, setToast] = useState<string | null>(null);
+
+  const flashToast = useCallback((msg: string) => {
+    setToast(msg);
+    window.setTimeout(() => setToast(null), 2500);
+  }, []);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    setError(null);
+    listReports()
+      .then((resp) => {
+        if (cancelled) return;
+        setReports(resp.reports);
+        setLoading(false);
+      })
+      .catch(() => {
+        if (cancelled) return;
+        setError("Couldn't load reports.");
+        setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  const handleGenerate = useCallback(
+    async (id: string) => {
+      setBusyIds((prev) => {
+        const next = new Set(prev);
+        next.add(id);
+        return next;
+      });
+      flashToast("Report generating…");
+      try {
+        const updated = await generateReport(id);
+        setReports((prev) => prev.map((r) => (r.id === id ? updated : r)));
+        flashToast(`Generated ${updated.name}`);
+      } catch {
+        flashToast("Couldn't generate report.");
+      } finally {
+        setBusyIds((prev) => {
+          const next = new Set(prev);
+          next.delete(id);
+          return next;
+        });
+      }
+    },
+    [flashToast],
+  );
+
+  const { scheduled, onDemand } = useMemo(() => {
+    const sched: Report[] = [];
+    const demand: Report[] = [];
+    for (const r of reports) {
+      if (r.schedule === "on-demand") demand.push(r);
+      else sched.push(r);
+    }
+    return { scheduled: sched, onDemand: demand };
+  }, [reports]);
+
+  return (
+    <main
+      className="page"
+      style={{ padding: "var(--space-7) var(--space-6)", maxWidth: 1100, margin: "0 auto" }}
+    >
+      <header className="fade-up" style={{ marginBottom: "var(--space-6)" }}>
+        <h1 className="h1" style={{ marginBottom: "var(--space-2)" }}>
+          Reports
+        </h1>
+        <p className="lead" style={{ margin: 0, color: "var(--text-2)" }}>
+          Scheduled and on-demand evidence. Generate fresh bundles for auditors, finance, and leadership.
+        </p>
+      </header>
+
+      <LensChips />
+
+      {loading && (
+        <div
+          className="stagger-children"
+          aria-busy="true"
+          aria-label="Loading reports"
+          style={{
+            display: "grid",
+            gridTemplateColumns: "repeat(auto-fit, minmax(320px, 1fr))",
+            gap: "var(--space-4)",
+          }}
+        >
+          {Array.from({ length: 4 }).map((_, i) => (
+            <SkeletonCard key={i} height={200} bars={3} />
+          ))}
+        </div>
+      )}
+
+      {!loading && error && (
+        <div className="card glass-soft fade-up" style={{ padding: 16 }}>
+          <span className="badge badge-danger">{error}</span>
+        </div>
+      )}
+
+      {!loading && !error && reports.length === 0 && (
+        <div className="card glass-soft fade-up" style={{ padding: "var(--space-9)", textAlign: "center", color: "var(--text-2)" }}>
+          No reports configured yet.
+        </div>
+      )}
+
+      {!loading && !error && scheduled.length > 0 && (
+        <section aria-labelledby="reports-scheduled" className="fade-up" style={{ marginBottom: "var(--space-7)" }}>
+          <SectionHeader title="Scheduled" count={scheduled.length} />
+          <div
+            className="stagger-children"
+            style={{
+              display: "grid",
+              gridTemplateColumns: "repeat(auto-fit, minmax(320px, 1fr))",
+              gap: "var(--space-4)",
+            }}
+          >
+            {scheduled.map((r) => (
+              <ReportCard
+                key={r.id}
+                report={r}
+                busy={busyIds.has(r.id)}
+                onGenerate={handleGenerate}
+              />
+            ))}
+          </div>
+        </section>
+      )}
+
+      {!loading && !error && onDemand.length > 0 && (
+        <section aria-labelledby="reports-on-demand" className="fade-up">
+          <SectionHeader title="On-demand" count={onDemand.length} />
+          <div
+            className="stagger-children"
+            style={{
+              display: "grid",
+              gridTemplateColumns: "repeat(auto-fit, minmax(320px, 1fr))",
+              gap: "var(--space-4)",
+            }}
+          >
+            {onDemand.map((r) => (
+              <ReportCard
+                key={r.id}
+                report={r}
+                busy={busyIds.has(r.id)}
+                onGenerate={handleGenerate}
+              />
+            ))}
+          </div>
+        </section>
+      )}
+
+      {toast && (
+        <div
+          role="status"
+          aria-live="polite"
+          style={{
+            position: "fixed",
+            bottom: 24,
+            left: "50%",
+            transform: "translateX(-50%)",
+            background: "var(--text)",
+            color: "var(--surface)",
+            padding: "var(--space-2) var(--space-4)",
+            borderRadius: "var(--radius-pill)",
+            fontSize: "var(--text-sm)",
+            fontWeight: 500,
+            zIndex: 500,
+            pointerEvents: "none",
+          }}
+        >
+          {toast}
+        </div>
+      )}
+
+      <style>{`
+        @keyframes spin { from { transform: rotate(0deg); } to { transform: rotate(360deg); } }
+        .spin { animation: spin 1s linear infinite; }
+      `}</style>
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/Requests.tsx b/apps/web/src/screens/Requests.tsx
new file mode 100644
index 0000000..7364436
--- /dev/null
+++ b/apps/web/src/screens/Requests.tsx
@@ -0,0 +1,335 @@
+import { useCallback, useEffect, useState } from "react";
+import { Plus } from "lucide-react";
+import { NewRequestDrawer } from "../components/requests/NewRequestDrawer.js";
+import { RequestRow } from "../components/requests/RequestRow.js";
+import { Toast, type ToastState } from "../components/requests/Toast.js";
+import {
+  addRequestComment,
+  decideRequest,
+  listRequests,
+  RequestsApiError,
+} from "../components/requests/api.js";
+import type {
+  RequestDto,
+  RouteTarget,
+  StatusFilter,
+} from "../components/requests/types.js";
+import { useRole } from "../lib/role.js";
+import { LensChips } from "../components/LensChips.js";
+import { celebrateFromElement } from "../lib/confetti.js";
+
+const STATUS_FILTERS: ReadonlyArray<{ key: StatusFilter; label: string }> = [
+  { key: "pending", label: "Pending" },
+  { key: "routed", label: "Routed for review" },
+  { key: "approved", label: "Approved" },
+  { key: "rejected", label: "Rejected" },
+  { key: "all", label: "All" },
+];
+
+function buildLead(items: RequestDto[]): string {
+  const pending = items.filter((r) => r.status === "pending").length;
+  const approved = items.filter((r) => r.status === "approved").length;
+  const total = items.reduce((s, r) => s + r.expectedSpendUsd, 0);
+  const usd =
+    total >= 1_000_000
+      ? `$${(total / 1_000_000).toFixed(1)}M`
+      : total >= 1000
+      ? `$${Math.round(total / 1000)}k`
+      : `$${total}`;
+  return `${pending} pending · ${approved} approved this quarter · ${usd} requested`;
+}
+
+export function Requests(): JSX.Element {
+  const [role] = useRole();
+  const [filter, setFilter] = useState<StatusFilter>("pending");
+  const [items, setItems] = useState<RequestDto[]>([]);
+  const [allItems, setAllItems] = useState<RequestDto[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [drawerOpen, setDrawerOpen] = useState(false);
+  const [toast, setToast] = useState<ToastState | null>(null);
+  const [busyId, setBusyId] = useState<string | null>(null);
+
+  const showToast = useCallback((msg: string, variant: ToastState["variant"] = "success") => {
+    setToast({ message: msg, variant });
+  }, []);
+
+  useEffect(() => {
+    if (!toast) return;
+    const t = setTimeout(() => setToast(null), 3000);
+    return () => clearTimeout(t);
+  }, [toast]);
+
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    try {
+      const [filtered, all] = await Promise.all([
+        listRequests({ status: filter, lens: role }),
+        listRequests({ status: "all", lens: role }),
+      ]);
+      setItems(filtered);
+      setAllItems(all);
+    } catch {
+      setItems([]);
+      setAllItems([]);
+    } finally {
+      setLoading(false);
+    }
+  }, [filter, role]);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    Promise.all([
+      listRequests({ status: filter, lens: role }),
+      listRequests({ status: "all", lens: role }),
+    ])
+      .then(([filtered, all]) => {
+        if (cancelled) return;
+        setItems(filtered);
+        setAllItems(all);
+      })
+      .catch(() => {
+        if (cancelled) return;
+        setItems([]);
+        setAllItems([]);
+      })
+      .finally(() => {
+        if (!cancelled) setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [filter, role]);
+
+  const applyUpdated = useCallback((updated: RequestDto) => {
+    setItems((prev) => {
+      const idx = prev.findIndex((r) => r.id === updated.id);
+      if (idx === -1) return prev;
+      const next = [...prev];
+      next[idx] = updated;
+      return next;
+    });
+    setAllItems((prev) => {
+      const idx = prev.findIndex((r) => r.id === updated.id);
+      if (idx === -1) return [updated, ...prev];
+      const next = [...prev];
+      next[idx] = updated;
+      return next;
+    });
+  }, []);
+
+  const runDecision = useCallback(
+    async (
+      id: string,
+      body: Parameters<typeof decideRequest>[1],
+      successMsg: string,
+      onSuccess?: () => void,
+    ) => {
+      setBusyId(id);
+      try {
+        const updated = await decideRequest(id, body);
+        applyUpdated(updated);
+        showToast(successMsg);
+        onSuccess?.();
+        // The tab the row was in may no longer match — refresh in background.
+        void refresh();
+      } catch (err) {
+        const msg =
+          err instanceof RequestsApiError ? err.message : "Action failed. Try again.";
+        showToast(msg, "error");
+      } finally {
+        setBusyId(null);
+      }
+    },
+    [applyUpdated, refresh, showToast],
+  );
+
+  const onApprove = useCallback(
+    (id: string, originEl?: HTMLElement) =>
+      runDecision(id, { status: "approved" }, "Request approved", () => {
+        if (originEl) celebrateFromElement(originEl);
+      }),
+    [runDecision],
+  );
+  const onReject = useCallback(
+    (id: string) => runDecision(id, { status: "rejected" }, "Request rejected"),
+    [runDecision],
+  );
+  const onRoute = useCallback(
+    (id: string, target: RouteTarget, note?: string) =>
+      runDecision(
+        id,
+        note ? { status: "routed", routeTo: target, note } : { status: "routed", routeTo: target },
+        `Routed to ${target}`,
+      ),
+    [runDecision],
+  );
+  const onReopen = useCallback(
+    (id: string) => runDecision(id, { status: "pending" }, "Request re-opened"),
+    [runDecision],
+  );
+  const onRecall = useCallback(
+    (id: string) => runDecision(id, { status: "pending" }, "Request recalled"),
+    [runDecision],
+  );
+  // Full-page navigation: Portfolio parses ?fromRequest on mount, fetches the
+  // request, and pre-fills the New Vendor drawer.
+  const onConvert = useCallback((req: RequestDto) => {
+    window.location.href = `/app/vendors?newVendor=true&fromRequest=${encodeURIComponent(req.id)}`;
+  }, []);
+  const onComment = useCallback(
+    async (id: string, text: string) => {
+      try {
+        const updated = await addRequestComment(id, text);
+        applyUpdated(updated);
+        showToast("Comment posted");
+      } catch (err) {
+        const msg =
+          err instanceof RequestsApiError ? err.message : "Could not post comment.";
+        showToast(msg, "error");
+        throw err;
+      }
+    },
+    [applyUpdated, showToast],
+  );
+
+  const handleCreated = useCallback(
+    (created: RequestDto) => {
+      setItems((prev) => [created, ...prev]);
+      setAllItems((prev) => [created, ...prev]);
+      showToast("Request submitted — routed to your manager");
+    },
+    [showToast],
+  );
+
+  const tabCount = useCallback(
+    (key: StatusFilter): number => {
+      if (key === "all") return allItems.length;
+      return allItems.filter((r) => r.status === key).length;
+    },
+    [allItems],
+  );
+
+  return (
+    <main
+      className="page"
+      style={{ padding: "var(--space-7) var(--space-6)", maxWidth: 1000, margin: "0 auto" }}
+    >
+      <header className="fade-up">
+        <div
+          style={{
+            display: "flex",
+            alignItems: "center",
+            justifyContent: "space-between",
+            marginBottom: "var(--space-2)",
+          }}
+        >
+          <h1 className="h1">Requests</h1>
+          <button
+            type="button"
+            className="btn btn-primary button-pop"
+            onClick={() => setDrawerOpen(true)}
+            aria-label="Open new request form"
+          >
+            <Plus size={14} aria-hidden="true" />
+            New request
+          </button>
+        </div>
+
+        {allItems.length > 0 && (
+          <p className="lead" style={{ marginBottom: "var(--space-5)" }}>{buildLead(allItems)}</p>
+        )}
+      </header>
+
+      <LensChips />
+
+      <div
+        role="tablist"
+        aria-label="Filter requests by status"
+        style={{ display: "flex", gap: "var(--space-2)", marginBottom: "var(--space-5)", flexWrap: "wrap" }}
+      >
+        {STATUS_FILTERS.map(({ key, label }) => {
+          const active = filter === key;
+          const count = tabCount(key);
+          return (
+            <button
+              key={key}
+              type="button"
+              role="tab"
+              aria-selected={active}
+              onClick={() => setFilter(key)}
+              className="button-pop"
+              style={{
+                padding: "4px var(--space-3)",
+                fontSize: "var(--text-sm)",
+                fontFamily: "var(--font-text)",
+                borderRadius: "var(--radius-full)",
+                border: active ? "1px solid var(--accent)" : "1px solid var(--border)",
+                background: active ? "var(--accent-soft)" : "var(--surface)",
+                color: active ? "var(--accent)" : "var(--text-2)",
+                cursor: "pointer",
+                transition: "all var(--dur-fast) var(--ease-out)",
+                fontWeight: active ? 500 : 400,
+                display: "inline-flex",
+                alignItems: "center",
+                gap: 6,
+              }}
+            >
+              {label}
+              <span
+                aria-hidden="true"
+                style={{
+                  fontSize: "var(--text-xs)",
+                  color: active ? "var(--accent)" : "var(--text-muted)",
+                  background: active ? "transparent" : "var(--surface-2)",
+                  padding: "0 6px",
+                  borderRadius: "var(--radius-full)",
+                  minWidth: 18,
+                  textAlign: "center",
+                }}
+              >
+                {count}
+              </span>
+            </button>
+          );
+        })}
+      </div>
+
+      {loading && (
+        <p style={{ color: "var(--text-muted)", fontSize: "var(--text-sm)" }} aria-live="polite">
+          Loading requests...
+        </p>
+      )}
+      {!loading && items.length === 0 && (
+        <p style={{ color: "var(--text-muted)", fontSize: "var(--text-sm)" }}>
+          No {filter !== "all" ? filter : ""} requests for the {role} lens.
+        </p>
+      )}
+      {!loading && items.length > 0 && (
+        <div className="stagger-children">
+          {items.map((req) => (
+            <RequestRow
+              key={req.id}
+              request={req}
+              busy={busyId === req.id}
+              onApprove={onApprove}
+              onReject={onReject}
+              onRoute={onRoute}
+              onReopen={onReopen}
+              onRecall={onRecall}
+              onConvert={onConvert}
+              onComment={onComment}
+            />
+          ))}
+        </div>
+      )}
+
+      <NewRequestDrawer
+        open={drawerOpen}
+        onClose={() => setDrawerOpen(false)}
+        onCreated={handleCreated}
+      />
+      {toast && <Toast message={toast.message} variant={toast.variant} />}
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/SensoBrief.tsx b/apps/web/src/screens/SensoBrief.tsx
index 31d75cc..f42a30c 100644
--- a/apps/web/src/screens/SensoBrief.tsx
+++ b/apps/web/src/screens/SensoBrief.tsx
@@ -3,7 +3,7 @@ import type {
   Change,
   Citation,
   EvidenceBriefResponse,
-} from "@redline/shared";
+} from "@unsyphn/shared";
 import { ApiError, getEvidence } from "../lib/api.js";
 import "../styles/brief.css";
 
@@ -96,21 +96,37 @@ export function SensoBrief({ changeReportId }: SensoBriefProps): JSX.Element {
   const { changeReport, vendor, policyFired, policyAlsoMatched, actionSummary } =
     state.data;
 
+  const bundleUrl = `/v1/evidence/${encodeURIComponent(changeReportId)}/bundle.html`;
+
   return (
     <article className="brief" data-testid="brief" lang="en">
       <header className="brief__header">
         <p className="brief__eyebrow">Unsyphn · Evidence brief</p>
-        <span
-          className={`brief__severity brief__severity--${changeReport.severity}`}
-          data-testid="brief-severity"
-        >
-          {changeReport.severity} · {changeReport.state}
-        </span>
+        <div className="brief__header-top">
+          <span
+            className={`brief__severity brief__severity--${changeReport.severity}`}
+            data-testid="brief-severity"
+          >
+            {changeReport.severity} · {changeReport.state}
+          </span>
+          <a
+            href={bundleUrl}
+            target="_blank"
+            rel="noreferrer"
+            className="btn-bundle"
+            aria-label="Generate compliance bundle (opens in new tab)"
+          >
+            Generate Compliance Bundle
+          </a>
+        </div>
         <h1 className="brief__title" data-testid="brief-title">
           {vendor.name} · {changeReport.changes[0]?.summary ?? "Change detected"}
         </h1>
         <p className="brief__meta">
-          Detected <strong data-testid="brief-detected-at">{formatTimestamp(changeReport.detectedAt)}</strong>{" "}
+          Detected{" "}
+          <strong data-testid="brief-detected-at">
+            {formatTimestamp(changeReport.detectedAt)}
+          </strong>{" "}
           · Vendor category <strong>{vendor.category}</strong>
         </p>
       </header>
@@ -168,7 +184,7 @@ export function SensoBrief({ changeReportId }: SensoBriefProps): JSX.Element {
 
       <footer className="brief__footer">
         Brief id <code>{changeReport.id}</code> · Immutable · Public ·
-        Generated by Unsyphn
+        Generated by Unsyphn · Powered by ClickHouse + Senso
       </footer>
     </article>
   );
@@ -215,12 +231,18 @@ function ChangeBlock({ change }: { change: Change }): JSX.Element {
 function CitationView({ citation }: { citation: Citation }): JSX.Element {
   return (
     <li className="citation" data-testid="citation">
-      <p className="citation__quote">“{citation.quote}”</p>
+      <p className="citation__quote">"{citation.quote}"</p>
       <p className="citation__meta">
         {citation.section && <span>{citation.section} · </span>}
-        {citation.url && <a href={citation.url} rel="noreferrer">{citation.url}</a>}
+        {citation.url && (
+          <a href={citation.url} rel="noreferrer" target="_blank">
+            {citation.url}
+          </a>
+        )}
         {citation.url && citation.fetchedAt && " · "}
-        {citation.fetchedAt && <span>Fetched {formatTimestamp(citation.fetchedAt)}</span>}
+        {citation.fetchedAt && (
+          <span>Fetched {formatTimestamp(citation.fetchedAt)}</span>
+        )}
         {citation.country && <span> · {citation.country}</span>}
       </p>
     </li>
diff --git a/apps/web/src/screens/Settings.tsx b/apps/web/src/screens/Settings.tsx
new file mode 100644
index 0000000..d0d3802
--- /dev/null
+++ b/apps/web/src/screens/Settings.tsx
@@ -0,0 +1,418 @@
+import { useEffect, useMemo, useRef, useState } from "react";
+import { CheckCircle, Circle, Download } from "lucide-react";
+import { Drawer } from "../components/Drawer.js";
+import { StripeModal } from "./StripeModal.js";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+import { ConnectDrawer, type IntegrationDto } from "../components/ConnectDrawer.js";
+import { ManageDrawer } from "../components/ManageDrawer.js";
+import { IntegrationCard } from "../components/IntegrationCard.js";
+
+type Tab = "connections" | "team" | "billing";
+
+const ROLES = ["Owner", "Admin", "Procurement", "Legal", "Security", "Finance", "IT", "Audit"];
+
+// --- Styles ---
+
+const S = {
+  page: { padding: "var(--space-7) var(--space-6)", maxWidth: 1200, margin: "0 auto" } as React.CSSProperties,
+  pageNarrow: { padding: "var(--space-7) var(--space-6)", maxWidth: 780, margin: "0 auto" } as React.CSSProperties,
+  h1: { fontFamily: "var(--font-display)", fontSize: "var(--text-2xl)", fontWeight: 600, color: "var(--text)", margin: "0 0 var(--space-5)" } as React.CSSProperties,
+  tabBar: { display: "flex", gap: 2, borderBottom: "1px solid var(--border)", marginBottom: "var(--space-6)" } as React.CSSProperties,
+  tab: (active: boolean): React.CSSProperties => ({
+    padding: "8px var(--space-4)", fontSize: "var(--text-sm)", fontWeight: 400, color: active ? "var(--accent)" : "var(--text-2)", background: "none", border: "none", borderBottom: active ? "2px solid var(--accent)" : "2px solid transparent", cursor: "pointer", marginBottom: -1,
+  }),
+  section: { marginBottom: "var(--space-7)" } as React.CSSProperties,
+  sectionHeader: { display: "flex", alignItems: "baseline", gap: "var(--space-2)", marginBottom: "var(--space-3)" } as React.CSSProperties,
+  sectionLabel: { fontSize: "var(--text-xs)", fontWeight: 500, color: "var(--text-muted)", textTransform: "uppercase" as const, letterSpacing: "0.07em" } as React.CSSProperties,
+  sectionCount: { fontSize: "var(--text-xs)", color: "var(--text-muted)" } as React.CSSProperties,
+  grid: { display: "grid", gridTemplateColumns: "repeat(auto-fill, minmax(260px, 1fr))", gap: "var(--space-3)" } as React.CSSProperties,
+  card: { background: "var(--surface)", border: "1px solid var(--border)", borderRadius: "var(--radius-md)", overflow: "hidden" } as React.CSSProperties,
+  row: { display: "flex", alignItems: "center", gap: "var(--space-4)", padding: "var(--space-4) var(--space-5)", borderBottom: "1px solid var(--border)" } as React.CSSProperties,
+  rowLast: { display: "flex", alignItems: "center", gap: "var(--space-4)", padding: "var(--space-4) var(--space-5)" } as React.CSSProperties,
+  rowInfo: { flex: 1, minWidth: 0 } as React.CSSProperties,
+  rowName: { fontSize: "var(--text-sm)", fontWeight: 500, color: "var(--text)", display: "flex", alignItems: "center", gap: "var(--space-2)" } as React.CSSProperties,
+  rowMeta: { fontSize: "var(--text-xs)", color: "var(--text-muted)", marginTop: 2 } as React.CSSProperties,
+  badge: (ok: boolean): React.CSSProperties => ({ fontSize: "var(--text-xs)", fontWeight: 500, color: ok ? "var(--success)" : "var(--text-muted)", background: ok ? "rgba(22,163,74,0.08)" : "var(--surface-2)", borderRadius: "var(--radius-pill)", padding: "2px 8px" }),
+  btnOutline: { fontSize: "var(--text-xs)", fontWeight: 500, padding: "5px 12px", border: "1px solid var(--border)", borderRadius: "var(--radius-sm)", background: "var(--surface)", color: "var(--text-2)", cursor: "pointer", whiteSpace: "nowrap" as const },
+  btnAccent: { fontSize: "var(--text-xs)", fontWeight: 500, padding: "5px 12px", border: "1px solid var(--accent)", borderRadius: "var(--radius-sm)", background: "var(--accent)", color: "#fff", cursor: "pointer", whiteSpace: "nowrap" as const },
+  avatar: { width: 32, height: 32, borderRadius: "50%", background: "var(--accent-soft)", color: "var(--accent)", display: "flex", alignItems: "center", justifyContent: "center", fontSize: "var(--text-xs)", fontWeight: 600, flexShrink: 0 } as React.CSSProperties,
+  billingBlock: { background: "var(--surface)", border: "1px solid var(--border)", borderRadius: "var(--radius-md)", padding: "var(--space-5)", marginBottom: "var(--space-5)" } as React.CSSProperties,
+  billingTitle: { fontSize: "var(--text-sm)", fontWeight: 600, color: "var(--text)", marginBottom: "var(--space-2)" } as React.CSSProperties,
+  billingMeta: { fontSize: "var(--text-sm)", color: "var(--text-2)", marginBottom: "var(--space-4)", lineHeight: 1.6 } as React.CSSProperties,
+  btnRow: { display: "flex", gap: "var(--space-3)", flexWrap: "wrap" as const } as React.CSSProperties,
+  formGroup: { marginBottom: "var(--space-4)" } as React.CSSProperties,
+  label: { display: "block", fontSize: "var(--text-xs)", fontWeight: 500, color: "var(--text-2)", marginBottom: "var(--space-2)" } as React.CSSProperties,
+  input: { width: "100%", padding: "8px var(--space-3)", fontSize: "var(--text-sm)", border: "1px solid var(--border-strong)", borderRadius: "var(--radius-sm)", background: "var(--surface)", color: "var(--text)", boxSizing: "border-box" as const },
+  select: { width: "100%", padding: "8px var(--space-3)", fontSize: "var(--text-sm)", border: "1px solid var(--border-strong)", borderRadius: "var(--radius-sm)", background: "var(--surface)", color: "var(--text)" },
+  inviteBtn: { marginTop: "var(--space-5)", width: "100%", padding: "10px", fontSize: "var(--text-sm)", fontWeight: 500, background: "var(--accent)", color: "#fff", border: "none", borderRadius: "var(--radius-md)", cursor: "pointer" } as React.CSSProperties,
+  toast: { position: "fixed" as const, bottom: 24, right: 24, background: "var(--text)", color: "#fff", padding: "10px 16px", borderRadius: "var(--radius-md)", fontSize: "var(--text-sm)", boxShadow: "0 8px 24px rgba(0,0,0,0.15)", zIndex: 300, maxWidth: 360 },
+} as const;
+
+// --- Toast helper ---
+
+interface Toast { id: number; message: string }
+
+function useToast(): { toast: Toast | null; show: (msg: string) => void } {
+  const [toast, setToast] = useState<Toast | null>(null);
+  const timer = useRef<ReturnType<typeof setTimeout> | null>(null);
+  function show(message: string): void {
+    if (timer.current) clearTimeout(timer.current);
+    setToast({ id: Date.now(), message });
+    timer.current = setTimeout(() => setToast(null), 3200);
+  }
+  useEffect(() => () => { if (timer.current) clearTimeout(timer.current); }, []);
+  return { toast, show };
+}
+
+// --- Connections Tab ---
+
+function ConnectionsTab({ showToast }: { showToast: (msg: string) => void }): JSX.Element {
+  const [integrations, setIntegrations] = useState<IntegrationDto[]>([]);
+  const [loadError, setLoadError] = useState<string | null>(null);
+  const [connectTarget, setConnectTarget] = useState<IntegrationDto | null>(null);
+  const [manageTarget, setManageTarget] = useState<IntegrationDto | null>(null);
+  const [syncing, setSyncing] = useState<Set<string>>(new Set());
+
+  useEffect(() => {
+    let cancelled = false;
+    fetch("/v1/integrations", { headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<{ integrations: IntegrationDto[] }>;
+      })
+      .then(({ integrations: list }) => { if (!cancelled) setIntegrations(list); })
+      .catch(() => { if (!cancelled) setLoadError("Couldn't load integrations."); });
+    return () => { cancelled = true; };
+  }, []);
+
+  function replace(next: IntegrationDto): void {
+    setIntegrations((prev) => prev.map((i) => (i.id === next.id ? next : i)));
+  }
+
+  function handleConnected(next: IntegrationDto): void {
+    replace(next);
+    showToast(`Connected to ${next.name} — syncing now…`);
+  }
+
+  function handleDisconnected(next: IntegrationDto): void {
+    replace(next);
+    showToast(`Disconnected ${next.name}.`);
+  }
+
+  function handleSyncNow(it: IntegrationDto): void {
+    setSyncing((p) => new Set(p).add(it.id));
+    fetch(`/v1/integrations/${encodeURIComponent(it.id)}/sync`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<{ synced: boolean; recordsScanned: number }>;
+      })
+      .then(({ recordsScanned }) => {
+        replace({ ...it, lastSyncedAt: new Date().toISOString() });
+        showToast(`${it.name}: synced ${recordsScanned.toLocaleString()} records.`);
+      })
+      .catch(() => showToast(`${it.name}: sync failed.`))
+      .finally(() => setSyncing((p) => { const n = new Set(p); n.delete(it.id); return n; }));
+  }
+
+  const inbound = integrations.filter((i) => i.category === "inbound");
+  const outbound = integrations.filter((i) => i.category === "outbound");
+
+  const renderGrid = (items: IntegrationDto[]): JSX.Element => (
+    <div className="stagger-children" style={S.grid}>
+      {items.map((it) => (
+        <IntegrationCard
+          key={it.id}
+          integration={it}
+          onConnect={setConnectTarget}
+          onManage={setManageTarget}
+          onSyncNow={handleSyncNow}
+          syncBusy={syncing.has(it.id)}
+        />
+      ))}
+    </div>
+  );
+
+  return (
+    <>
+      {loadError && (
+        <div style={{ ...S.section, color: "var(--danger)", fontSize: "var(--text-sm)" }}>{loadError}</div>
+      )}
+      <div style={S.section}>
+        <div style={S.sectionHeader}>
+          <span style={S.sectionLabel}>Inbound · data sources</span>
+          <span style={S.sectionCount}>{inbound.length} connectors</span>
+        </div>
+        {inbound.length === 0 && !loadError ? (
+          <div style={{ ...S.card, padding: "var(--space-5)", fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>
+            Loading integrations…
+          </div>
+        ) : (
+          renderGrid(inbound)
+        )}
+      </div>
+      <div style={S.section}>
+        <div style={S.sectionHeader}>
+          <span style={S.sectionLabel}>Outbound · action sinks</span>
+          <span style={S.sectionCount}>{outbound.length} connectors</span>
+        </div>
+        {outbound.length === 0 && !loadError ? (
+          <div style={{ ...S.card, padding: "var(--space-5)", fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>
+            Loading integrations…
+          </div>
+        ) : (
+          renderGrid(outbound)
+        )}
+      </div>
+
+      {connectTarget && (
+        <ConnectDrawer
+          integration={connectTarget}
+          open
+          onClose={() => setConnectTarget(null)}
+          onConnected={handleConnected}
+        />
+      )}
+      {manageTarget && (
+        <ManageDrawer
+          integration={manageTarget}
+          open
+          onClose={() => setManageTarget(null)}
+          onDisconnected={handleDisconnected}
+        />
+      )}
+    </>
+  );
+}
+
+// --- Team Tab ---
+
+interface TeamMember { id: string; name: string; email: string; role: string; avatarLetter: string }
+
+function TeamTab({ showToast }: { showToast: (msg: string) => void }): JSX.Element {
+  const [members, setMembers] = useState<TeamMember[]>([]);
+  const [loadError, setLoadError] = useState<string | null>(null);
+  const [drawerOpen, setDrawerOpen] = useState(false);
+  const [email, setEmail] = useState("");
+  const [role, setRole] = useState("Procurement");
+  const [submitting, setSubmitting] = useState(false);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetch("/v1/team/members", { headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<{ members: TeamMember[] }>;
+      })
+      .then(({ members: list }) => { if (!cancelled) setMembers(list); })
+      .catch(() => { if (!cancelled) setLoadError("Couldn't load team."); });
+    return () => { cancelled = true; };
+  }, []);
+
+  async function handleInvite(e: React.FormEvent): Promise<void> {
+    e.preventDefault();
+    if (submitting) return;
+    setSubmitting(true);
+    try {
+      const resp = await fetch("/v1/team/invites", {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+        body: JSON.stringify({ email, role }),
+      });
+      if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+      showToast(`Invite sent to ${email}.`);
+      setEmail("");
+      setRole("Procurement");
+      setDrawerOpen(false);
+    } catch {
+      showToast("Invite failed.");
+    } finally {
+      setSubmitting(false);
+    }
+  }
+
+  return (
+    <>
+      <div style={{ display: "flex", alignItems: "center", justifyContent: "space-between", marginBottom: "var(--space-4)" }}>
+        <div style={S.sectionLabel}>Members ({members.length})</div>
+        <button type="button" className="button-pop" style={S.btnAccent} onClick={() => setDrawerOpen(true)}>
+          Invite member
+        </button>
+      </div>
+      {loadError && <div style={{ color: "var(--danger)", fontSize: "var(--text-sm)", marginBottom: "var(--space-3)" }}>{loadError}</div>}
+      <div className="stagger-children" style={{ ...S.card, marginBottom: "var(--space-5)" }}>
+        {members.map((m, i) => (
+          <div key={m.id} className="glass-soft row-hover" style={i < members.length - 1 ? S.row : S.rowLast}>
+            <div style={S.avatar}>{m.avatarLetter}</div>
+            <div style={S.rowInfo}>
+              <div style={S.rowName}>{m.name}</div>
+              <div style={S.rowMeta}>{m.email}</div>
+            </div>
+            <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)", textTransform: "capitalize" }}>
+              {m.role}
+            </span>
+            <span style={S.badge(true)}>Active</span>
+          </div>
+        ))}
+      </div>
+      <Drawer open={drawerOpen} onClose={() => setDrawerOpen(false)} title="Invite member">
+        <form onSubmit={(e) => void handleInvite(e)} className="fade-up">
+          <div style={S.formGroup}>
+            <label htmlFor="invite-email" style={S.label}>Email address</label>
+            <input id="invite-email" type="email" required placeholder="name@company.com" value={email} onChange={(e) => setEmail(e.target.value)} className="focus-glow" style={S.input} />
+          </div>
+          <div style={S.formGroup}>
+            <label htmlFor="invite-role" style={S.label}>Role</label>
+            <select id="invite-role" value={role} onChange={(e) => setRole(e.target.value)} className="focus-glow" style={S.select}>
+              {ROLES.map((r) => <option key={r} value={r}>{r}</option>)}
+            </select>
+          </div>
+          <button type="submit" disabled={submitting} className="button-pop" style={{ ...S.inviteBtn, opacity: submitting ? 0.6 : 1 }}>
+            {submitting ? "Sending…" : "Send invitation"}
+          </button>
+        </form>
+      </Drawer>
+    </>
+  );
+}
+
+// --- Billing Tab ---
+
+interface InvoiceDto { id: string; period: string; amountUsdCents: number; status: string; pdfUrl: string }
+
+function BillingTab({ showToast }: { showToast: (msg: string) => void }): JSX.Element {
+  const [stripeOpen, setStripeOpen] = useState(false);
+  const [invoices, setInvoices] = useState<InvoiceDto[]>([]);
+
+  useEffect(() => {
+    fetch("/v1/billing/invoices", { headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` } })
+      .then((r) => (r.ok ? r.json() : Promise.reject(new Error("HTTP"))))
+      .then((j: { invoices: InvoiceDto[] }) => setInvoices(j.invoices))
+      .catch(() => setInvoices([]));
+  }, []);
+
+  function handleDownload(inv: InvoiceDto): void {
+    showToast(`Generating ${inv.id}.pdf — check your email shortly.`);
+  }
+
+  return (
+    <>
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Current plan</div>
+        <div className="glass-strong lift-on-hover fade-up" style={S.billingBlock}>
+          <div style={S.billingTitle}>Growth · $1,500/mo · Billed annually</div>
+          <div style={S.billingMeta}>
+            Next charge: Jun 24, 2026 · $18,000<br />
+            Card: •••• 4242
+          </div>
+          <div style={S.btnRow}>
+            <button type="button" className="button-pop" style={S.btnOutline} onClick={() => setStripeOpen(true)}>Manage subscription</button>
+            <button type="button" className="button-pop" style={S.btnOutline} onClick={() => setStripeOpen(true)}>Update payment method</button>
+          </div>
+        </div>
+        <p style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", marginBottom: "var(--space-5)" }}>
+          <a href="/pricing" target="_blank" rel="noreferrer" style={{ color: "var(--accent)" }}>
+            Upgrade to Scale or Enterprise
+          </a>
+        </p>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Add-ons (active)</div>
+        <div style={S.card}>
+          <div className="row-hover" style={S.rowLast}>
+            <CheckCircle size={16} color="var(--success)" aria-hidden="true" />
+            <div style={S.rowInfo}>
+              <div style={S.rowName}>Compliance Pack</div>
+              <div style={S.rowMeta}>$999/mo</div>
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Available add-ons</div>
+        <div className="stagger-children" style={S.card}>
+          {[
+            { name: "Negotiation Concierge", price: "$10K/quarter" },
+            { name: "GRC Bridge (Vanta + Drata)", price: "$1,000/mo" },
+          ].map((addon, i, arr) => (
+            <div key={addon.name} className="row-hover" style={i < arr.length - 1 ? S.row : S.rowLast}>
+              <Circle size={16} color="var(--text-muted)" aria-hidden="true" />
+              <div style={S.rowInfo}>
+                <div style={S.rowName}>{addon.name}</div>
+                <div style={S.rowMeta}>{addon.price}</div>
+              </div>
+              <button type="button" className="button-pop" style={S.btnAccent} onClick={() => setStripeOpen(true)}>Add</button>
+            </div>
+          ))}
+        </div>
+      </div>
+
+      <div style={S.section}>
+        <div style={S.sectionLabel}>Recent invoices</div>
+        <div className="glass fade-up stagger-children" style={S.card}>
+          {invoices.length === 0 && (
+            <div style={{ padding: "var(--space-5)", fontSize: "var(--text-sm)", color: "var(--text-muted)" }}>
+              No invoices yet.
+            </div>
+          )}
+          {invoices.map((inv, i) => (
+            <div key={inv.id} className="row-hover" style={i < invoices.length - 1 ? S.row : S.rowLast}>
+              <div style={S.rowInfo}>
+                <div style={S.rowName}>{inv.id}</div>
+                <div style={S.rowMeta}>
+                  {inv.period} · ${(inv.amountUsdCents / 100).toLocaleString()}
+                </div>
+              </div>
+              <span style={S.badge(true)}>{inv.status}</span>
+              <button type="button" className="button-pop" style={S.btnOutline} aria-label={`Download ${inv.id}`} onClick={() => handleDownload(inv)}>
+                <Download size={12} aria-hidden="true" style={{ display: "inline", marginRight: 4 }} />
+                Download
+              </button>
+            </div>
+          ))}
+        </div>
+      </div>
+
+      {stripeOpen && <StripeModal onClose={() => setStripeOpen(false)} />}
+    </>
+  );
+}
+
+// --- Main ---
+
+export function Settings(): JSX.Element {
+  const [tab, setTab] = useState<Tab>("connections");
+  const { toast, show } = useToast();
+  const pageStyle = useMemo(() => (tab === "connections" ? S.page : S.pageNarrow), [tab]);
+
+  return (
+    <main style={pageStyle}>
+      <header className="fade-up">
+        <h1 style={S.h1}>Settings</h1>
+      </header>
+      <div style={S.tabBar} role="tablist" aria-label="Settings sections">
+        {(["connections", "team", "billing"] as Tab[]).map((t) => (
+          <button
+            key={t}
+            type="button"
+            role="tab"
+            aria-selected={tab === t}
+            onClick={() => setTab(t)}
+            className="button-pop"
+            style={S.tab(tab === t)}
+          >
+            {t.charAt(0).toUpperCase() + t.slice(1)}
+          </button>
+        ))}
+      </div>
+      {tab === "connections" && <ConnectionsTab showToast={show} />}
+      {tab === "team" && <TeamTab showToast={show} />}
+      {tab === "billing" && <BillingTab showToast={show} />}
+      {toast && <div role="status" aria-live="polite" style={S.toast}>{toast.message}</div>}
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/StripeModal.tsx b/apps/web/src/screens/StripeModal.tsx
index 8896657..56b1aca 100644
--- a/apps/web/src/screens/StripeModal.tsx
+++ b/apps/web/src/screens/StripeModal.tsx
@@ -1,24 +1,24 @@
 import { useCallback, useEffect, useRef, useState } from "react";
+import { X } from "lucide-react";
 import { loadStripe, type Stripe, type StripeElementsOptions } from "@stripe/stripe-js";
+import { Elements } from "@stripe/react-stripe-js";
 import {
-  Elements,
-  PaymentElement,
-  useElements,
-  useStripe,
-} from "@stripe/react-stripe-js";
-import {
-  ApiError,
   createPaymentIntent,
   getBillingProducts,
   simulateSuccess,
+  type AppliedCoupon,
   type BillingProduct,
+  type PaymentIntentRequest,
   type PaymentIntentResponse,
 } from "../lib/api.js";
 import { useEntitlements } from "../lib/stream.js";
+import { celebrate } from "../lib/confetti.js";
+import { CouponField } from "./pricing/CouponField.js";
+import { PaymentForm } from "./pricing/PaymentForm.js";
+import { SimulateHint } from "./pricing/SimulateButton.js";
 
-// Issue #3 · Stripe modal. States: idle → loading → ready (Elements mounted)
-// → processing → success (driven by SSE org.entitlements.changed) → failure
-// (with retry). Hidden Shift+Enter handler runs the Runbook F5 fallback.
+// States: idle → loading → ready (Elements mounted) → processing → success
+// (driven either by SSE or by stripe.confirmPayment OK) → failure (with retry).
 
 type ModalStatus =
   | "loading-product"
@@ -29,30 +29,217 @@ type ModalStatus =
   | "success"
   | "failure";
 
+export interface StripeTier {
+  id: string;
+  name: string;
+  priceUsdCents: number;
+  /** Optional formatted period like "/mo", "/yr". */
+  period?: string;
+  features: ReadonlyArray<string>;
+  /** Optional add-on ids selected at the Pricing screen. */
+  addOnIds?: ReadonlyArray<string>;
+  /** Optional add-on cost in cents (matches `period`). */
+  addOnCents?: number;
+  /** Label shown next to the add-on line — should match `period`. */
+  addOnPeriodLabel?: string;
+}
+
 interface StripeModalProps {
   onClose: () => void;
+  /** When provided, the modal skips loading the legacy Compliance Pack product
+   *  and uses this tier directly. */
+  tier?: StripeTier;
+}
+
+function dollars(cents: number): string {
+  return "$" + (cents / 100).toLocaleString("en-US");
 }
 
-export function StripeModal({ onClose }: StripeModalProps): JSX.Element {
-  const [status, setStatus] = useState<ModalStatus>("loading-product");
+const S = {
+  backdrop: {
+    position: "fixed" as const,
+    inset: 0,
+    background: "rgba(0,0,0,0.6)",
+    backdropFilter: "blur(2px)",
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "center",
+    zIndex: 1000,
+    padding: "var(--space-5)",
+  },
+  modal: {
+    borderRadius: "var(--radius-lg)",
+    padding: "var(--space-6)",
+    maxWidth: 460,
+    width: "100%",
+    position: "relative" as const,
+    maxHeight: "92vh",
+    overflowY: "auto" as const,
+  } as React.CSSProperties,
+  header: {
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "space-between",
+    marginBottom: "var(--space-5)",
+    gap: "var(--space-3)",
+  },
+  title: {
+    fontFamily: "var(--font-display)",
+    fontSize: "var(--text-xl)",
+    fontWeight: 200,
+    letterSpacing: "-0.02em",
+    color: "var(--text-strong)",
+    margin: 0,
+  },
+  closeBtn: {
+    background: "none",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-sm)",
+    color: "var(--text-2)",
+    cursor: "pointer",
+    fontSize: "18px",
+    lineHeight: 1,
+    padding: "2px 8px 4px",
+    flexShrink: 0,
+  },
+  price: {
+    fontSize: "var(--text-2xl)",
+    fontWeight: 200,
+    color: "var(--text-strong)",
+    margin: "0 0 var(--space-4)",
+    letterSpacing: "-0.02em",
+    display: "flex",
+    alignItems: "baseline",
+    gap: "var(--space-2)",
+  },
+  priceStrike: {
+    fontSize: "var(--text-base)",
+    color: "var(--text-muted)",
+    textDecoration: "line-through",
+    fontWeight: 300,
+  },
+  priceDiscounted: { color: "var(--success)" },
+  priceUnit: {
+    fontSize: "var(--text-base)",
+    color: "var(--muted)",
+    fontWeight: 300,
+  },
+  features: {
+    listStyle: "none",
+    padding: 0,
+    margin: "0 0 var(--space-5)",
+    display: "flex",
+    flexDirection: "column" as const,
+    gap: "var(--space-2)",
+  },
+  featureItem: {
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+    paddingLeft: "var(--space-4)",
+    position: "relative" as const,
+  },
+  featureDot: {
+    position: "absolute" as const,
+    left: 0,
+    color: "var(--success)",
+    fontWeight: 700,
+  },
+  btnPrimary: {
+    display: "inline-flex",
+    alignItems: "center",
+    justifyContent: "center",
+    width: "100%",
+    height: 40,
+    padding: "0 var(--space-4)",
+    background: "var(--accent)",
+    color: "var(--bg)",
+    border: "1px solid var(--accent)",
+    borderRadius: "var(--radius-md)",
+    fontFamily: "var(--font-text)",
+    fontSize: "var(--text-sm)",
+    fontWeight: 400,
+    cursor: "pointer",
+    transition: "background 100ms",
+  },
+  toast: {
+    position: "fixed" as const,
+    bottom: 24,
+    left: "50%",
+    transform: "translateX(-50%)",
+    background: "var(--surface)",
+    border: "1px solid var(--success)",
+    color: "var(--text-strong)",
+    padding: "var(--space-3) var(--space-5)",
+    borderRadius: "var(--radius-md)",
+    fontSize: "var(--text-sm)",
+    zIndex: 1100,
+    boxShadow: "0 8px 20px rgba(0,0,0,0.4)",
+  },
+  muted: {
+    fontSize: "var(--text-xs)",
+    color: "var(--muted)",
+    margin: "var(--space-3) 0 0",
+    textAlign: "center" as const,
+  },
+  alertOk: {
+    background: "rgba(63,207,142,0.10)",
+    border: "1px solid rgba(63,207,142,0.25)",
+    borderRadius: "var(--radius-md)",
+    padding: "var(--space-4)",
+    color: "var(--success)",
+    fontSize: "var(--text-sm)",
+    marginBottom: "var(--space-4)",
+  },
+  alertErr: {
+    background: "rgba(244,113,116,0.10)",
+    border: "1px solid rgba(244,113,116,0.25)",
+    borderRadius: "var(--radius-md)",
+    padding: "var(--space-4)",
+    color: "var(--danger)",
+    fontSize: "var(--text-sm)",
+    marginBottom: "var(--space-4)",
+  },
+} as const;
+
+export function StripeModal({ onClose, tier }: StripeModalProps): JSX.Element {
+  const isTierFlow = Boolean(tier);
+  const [status, setStatus] = useState<ModalStatus>(
+    isTierFlow ? "ready-to-pay" : "loading-product",
+  );
   const [product, setProduct] = useState<BillingProduct | undefined>();
   const [intent, setIntent] = useState<PaymentIntentResponse | undefined>();
   const [stripePromise, setStripePromise] = useState<Promise<Stripe | null> | undefined>();
   const [errorMessage, setErrorMessage] = useState<string | undefined>();
   const [alreadyEntitled, setAlreadyEntitled] = useState(false);
+  const [appliedCoupon, setAppliedCoupon] = useState<AppliedCoupon | undefined>();
+  const [showToast, setShowToast] = useState(false);
+  const celebratedRef = useRef(false);
 
-  // Listen for the entitlement flip. Active once we've started the payment flow.
+  // Single source of truth: confetti fires once per modal lifetime when we
+  // flip to success — covers both the tier flow (finishTierSuccess) and the
+  // legacy Compliance Pack SSE flip. Skips the no-op "already entitled" path.
+  useEffect(() => {
+    if (status !== "success") return;
+    if (alreadyEntitled) return;
+    if (celebratedRef.current) return;
+    celebratedRef.current = true;
+    celebrate({ particleCount: 120, spread: 90 });
+  }, [status, alreadyEntitled]);
+
+  // Only the legacy Compliance Pack flow waits for the SSE flip.
   const entitlements = useEntitlements({
-    active: status !== "loading-product" && status !== "success",
+    active: !isTierFlow && status !== "loading-product" && status !== "success",
   });
 
   useEffect(() => {
-    if (entitlements?.compliancePack) {
+    if (!isTierFlow && entitlements?.compliancePack) {
       setStatus("success");
     }
-  }, [entitlements]);
+  }, [entitlements, isTierFlow]);
 
+  // Legacy product loader — skipped for tier flows.
   useEffect(() => {
+    if (isTierFlow) return;
     let cancelled = false;
     (async () => {
       try {
@@ -77,22 +264,36 @@ export function StripeModal({ onClose }: StripeModalProps): JSX.Element {
         setStatus("failure");
       }
     })();
-    return () => {
-      cancelled = true;
-    };
-  }, []);
+    return () => { cancelled = true; };
+  }, [isTierFlow]);
+
+  const displayName = tier?.name ?? product?.name ?? "Compliance Pack";
+  const displayCents = tier?.priceUsdCents ?? product?.priceUsdCents ?? 0;
+  const displayPeriod = tier?.period ?? "one-time";
+  const features = (tier?.features ?? product?.features ?? []) as ReadonlyArray<string>;
+  const discountedCents = appliedCoupon
+    ? Math.max(0, Math.round(displayCents * (1 - appliedCoupon.percentOff / 100)))
+    : displayCents;
+  const addOnCents = tier?.addOnCents ?? 0;
+  const totalCents = discountedCents + addOnCents;
 
   const beginPayment = useCallback(async () => {
-    if (!product) return;
+    const sku = tier?.id ?? product?.id;
+    if (!sku) return;
     setStatus("creating-intent");
     setErrorMessage(undefined);
     try {
-      const created = await createPaymentIntent(product.id);
+      const payload: PaymentIntentRequest = {
+        sku,
+        coupon: appliedCoupon?.code,
+        addOns: tier?.addOnIds ? [...tier.addOnIds] : undefined,
+      };
+      const created = await createPaymentIntent(payload);
       setIntent(created);
       setStripePromise(loadStripe(created.publishableKey));
       setStatus("elements-ready");
     } catch (err) {
-      if (err instanceof ApiError && err.code === "conflict") {
+      if (err instanceof Error && (err as { code?: string }).code === "conflict") {
         setAlreadyEntitled(true);
         setStatus("success");
         return;
@@ -100,86 +301,109 @@ export function StripeModal({ onClose }: StripeModalProps): JSX.Element {
       setErrorMessage(err instanceof Error ? err.message : "failed to start checkout");
       setStatus("failure");
     }
-  }, [product]);
+  }, [appliedCoupon, product, tier]);
+
+  const finishTierSuccess = useCallback(() => {
+    setStatus("success");
+    setShowToast(true);
+    // Brief delay so the toast is visible before redirect.
+    window.setTimeout(() => { window.location.href = "/app/settings?tab=billing"; }, 1200);
+  }, []);
 
   const runFallback = useCallback(async () => {
     setStatus("processing");
     setErrorMessage(undefined);
     try {
       await simulateSuccess();
-      // SSE handler will flip status to success.
+      if (isTierFlow) finishTierSuccess();
+      // For the legacy Compliance Pack flow, the SSE handler flips to success.
     } catch (err) {
       setErrorMessage(err instanceof Error ? err.message : "fallback failed");
       setStatus("failure");
     }
-  }, []);
+  }, [finishTierSuccess, isTierFlow]);
 
   useEffect(() => {
     const handler = (e: KeyboardEvent) => {
-      if (e.shiftKey && e.key === "Enter") {
-        e.preventDefault();
-        void runFallback();
-      } else if (e.key === "Escape") {
-        e.preventDefault();
-        onClose();
-      }
+      if (e.shiftKey && e.key === "Enter") { e.preventDefault(); void runFallback(); }
+      else if (e.key === "Escape") { e.preventDefault(); onClose(); }
     };
     window.addEventListener("keydown", handler);
     return () => window.removeEventListener("keydown", handler);
   }, [runFallback, onClose]);
 
   const onBackdropClick = useCallback(
-    (e: React.MouseEvent<HTMLDivElement>) => {
-      if (e.target === e.currentTarget) onClose();
-    },
+    (e: React.MouseEvent<HTMLDivElement>) => { if (e.target === e.currentTarget) onClose(); },
     [onClose],
   );
 
   return (
-    <div
-      className="modal-backdrop"
-      role="dialog"
-      aria-modal="true"
-      aria-labelledby="stripe-modal-title"
-      onClick={onBackdropClick}
-    >
-      <div className="modal">
-        <header className="modal__header">
-          <h2 id="stripe-modal-title" className="modal__title">
-            {product?.name ?? "Compliance Pack"}
-          </h2>
-          <button className="modal__close" type="button" onClick={onClose} aria-label="Close">
-            ×
+    <div className="fade-in" style={S.backdrop} role="dialog" aria-modal="true" aria-labelledby="stripe-modal-title" onClick={onBackdropClick}>
+      <div className="glass-strong scale-in" style={S.modal}>
+        <header style={S.header}>
+          <h2 id="stripe-modal-title" style={S.title}>{displayName}</h2>
+          <button className="button-pop" style={S.closeBtn} type="button" onClick={onClose} aria-label="Close">
+            <X size={18} aria-hidden="true" />
           </button>
         </header>
 
-        {status === "loading-product" && <p className="muted">Loading product…</p>}
+        {status === "loading-product" && !isTierFlow && (
+          <p style={S.muted}>Loading product…</p>
+        )}
 
         {alreadyEntitled && (
-          <div className="alert alert--ok" role="status">
+          <div style={S.alertOk} role="status">
             This org already has the Compliance Pack.
           </div>
         )}
 
-        {product && status === "ready-to-pay" && !alreadyEntitled && (
+        {!alreadyEntitled && status === "ready-to-pay" && (
           <>
-            <p className="modal__price">
-              ${(product.priceUsdCents / 100).toLocaleString()}{" "}
-              <span className="muted">one-time</span>
+            <p style={S.price}>
+              {appliedCoupon ? (
+                <>
+                  <span style={S.priceStrike}>{dollars(displayCents)}</span>
+                  <span style={S.priceDiscounted}>{dollars(discountedCents)}</span>
+                </>
+              ) : (
+                <span>{dollars(displayCents)}</span>
+              )}
+              <span style={S.priceUnit}>{displayPeriod}</span>
             </p>
-            <ul className="features">
-              {product.features.map((f) => (
-                <li key={f}>{f}</li>
+            {addOnCents > 0 && (
+              <p style={{ ...S.muted, textAlign: "left", margin: "0 0 var(--space-4)" }}>
+                + {dollars(addOnCents)}{tier?.addOnPeriodLabel ?? "/mo"} for {tier?.addOnIds?.length ?? 0} add-on
+                {(tier?.addOnIds?.length ?? 0) === 1 ? "" : "s"}
+              </p>
+            )}
+            <ul style={S.features}>
+              {features.map((f) => (
+                <li key={f} style={S.featureItem}>
+                  <span style={S.featureDot} aria-hidden="true">·</span>
+                  {f}
+                </li>
               ))}
             </ul>
-            <button className="btn" type="button" onClick={beginPayment} data-testid="begin-payment">
-              Upgrade · ${(product.priceUsdCents / 100).toLocaleString()}
+
+            <CouponField
+              appliedCoupon={appliedCoupon}
+              onApply={setAppliedCoupon}
+            />
+
+            <button
+              className="button-pop"
+              style={{ ...S.btnPrimary, marginTop: "var(--space-4)" }}
+              type="button"
+              onClick={() => void beginPayment()}
+              data-testid="begin-payment"
+            >
+              {isTierFlow ? `Pay ${dollars(totalCents)}` : `Upgrade · ${dollars(totalCents)}`}
             </button>
           </>
         )}
 
         {status === "creating-intent" && (
-          <p className="muted">Creating payment intent…</p>
+          <p style={S.muted}>Creating payment intent…</p>
         )}
 
         {(status === "elements-ready" || status === "processing") && intent && stripePromise && (
@@ -190,88 +414,41 @@ export function StripeModal({ onClose }: StripeModalProps): JSX.Element {
             <PaymentForm
               intent={intent}
               onProcessing={() => setStatus("processing")}
-              onError={(msg) => {
-                setErrorMessage(msg);
-                setStatus("failure");
-              }}
+              onError={(msg) => { setErrorMessage(msg); setStatus("failure"); }}
+              onTierSuccess={isTierFlow ? finishTierSuccess : undefined}
               disabled={status === "processing"}
             />
           </Elements>
         )}
 
-        {status === "success" && (
-          <div className="alert alert--ok" role="status">
-            <strong>Compliance Pack unlocked.</strong> Evidence bundles, auditor
-            portal, and Vanta/Drata push are now available.
+        {status === "success" && !alreadyEntitled && (
+          <div style={S.alertOk} role="status">
+            {isTierFlow ? (
+              <><strong>Subscription active.</strong> Entitlements updated — redirecting…</>
+            ) : (
+              <><strong>Compliance Pack unlocked.</strong> Evidence bundles, auditor portal, and Vanta/Drata push are now available.</>
+            )}
           </div>
         )}
 
         {status === "failure" && (
           <>
-            <div className="alert alert--err" role="alert">
+            <div className="fade-up" style={S.alertErr} role="alert">
               {errorMessage ?? "Payment failed"}
             </div>
-            <button className="btn" type="button" onClick={beginPayment} data-testid="retry">
+            <button className="button-pop" style={S.btnPrimary} type="button" onClick={() => void beginPayment()} data-testid="retry">
               Retry
             </button>
           </>
         )}
 
-        <p className="muted modal__hint">
-          On-stage fallback: press <kbd>Shift</kbd> + <kbd>Enter</kbd> to simulate success.
-        </p>
+        <SimulateHint />
       </div>
+      {showToast && (
+        <div style={S.toast} role="status" aria-live="polite">
+          Subscription active — entitlements updated
+        </div>
+      )}
     </div>
   );
 }
-
-interface PaymentFormProps {
-  intent: PaymentIntentResponse;
-  onProcessing: () => void;
-  onError: (message: string) => void;
-  disabled: boolean;
-}
-
-function PaymentForm({ intent, onProcessing, onError, disabled }: PaymentFormProps): JSX.Element {
-  const stripe = useStripe();
-  const elements = useElements();
-  const submitting = useRef(false);
-
-  async function submit(): Promise<void> {
-    if (!stripe || !elements || submitting.current) return;
-    submitting.current = true;
-    onProcessing();
-    const { error } = await stripe.confirmPayment({
-      elements,
-      clientSecret: intent.clientSecret,
-      confirmParams: { return_url: window.location.href },
-      redirect: "if_required",
-    });
-    submitting.current = false;
-    if (error) {
-      onError(error.message ?? "Payment failed");
-    }
-    // On success, we don't flip UI here — we wait for the SSE org.entitlements.changed
-    // event from the webhook to confirm server-side state.
-  }
-
-  return (
-    <form
-      onSubmit={(e) => {
-        e.preventDefault();
-        void submit();
-      }}
-    >
-      <PaymentElement />
-      <button
-        type="submit"
-        className="btn"
-        disabled={!stripe || disabled}
-        data-testid="confirm-payment"
-        style={{ marginTop: 16 }}
-      >
-        {disabled ? "Processing…" : "Pay"}
-      </button>
-    </form>
-  );
-}
diff --git a/apps/web/src/screens/SubprocessorHeatmap.tsx b/apps/web/src/screens/SubprocessorHeatmap.tsx
new file mode 100644
index 0000000..55ba700
--- /dev/null
+++ b/apps/web/src/screens/SubprocessorHeatmap.tsx
@@ -0,0 +1,396 @@
+import { useEffect, useState } from "react";
+import { AlertTriangle, CheckCircle, Clock, Mail } from "lucide-react";
+import { DEMO_BEARER_TOKEN } from "../lib/api.js";
+
+interface SubProcessor {
+  name: string;
+  jurisdiction: string;
+  purpose: string;
+  adequate: boolean;
+  addedAt: string;
+  flagged?: boolean;
+  flagReason?: string;
+}
+
+interface CustomerNotification {
+  customerName: string;
+  contractId: string;
+  domain: string;
+  ourObligation: string;
+  affectedSubProcessor: string;
+  notifyByDate: string;
+  suggestedAction: string;
+}
+
+interface SubProcessorData {
+  vendorId: string;
+  vendorName: string;
+  subProcessors: SubProcessor[];
+  lastChangeAt: string;
+  flaggedCount: number;
+  customerNotifications: CustomerNotification[];
+}
+
+const ADEQUATE_JURISDICTIONS = new Set(["US", "EU", "EEA", "UK", "CH", "CA", "JP", "AU", "NZ", "KR", "IL", "AR", "UY"]);
+
+const JURISDICTION_LABELS: Record<string, string> = {
+  US: "United States",
+  EU: "European Union",
+  UK: "United Kingdom",
+  CH: "Switzerland",
+  CA: "Canada",
+  IN: "India",
+  CN: "China",
+  BR: "Brazil",
+  JP: "Japan",
+  AU: "Australia",
+  SG: "Singapore",
+  ZA: "South Africa",
+  RU: "Russia",
+  MX: "Mexico",
+  KR: "South Korea",
+};
+
+function relTime(iso: string): string {
+  const d = Math.floor((Date.now() - Date.parse(iso)) / 86_400_000);
+  if (d === 0) return "today";
+  if (d === 1) return "1d ago";
+  if (d < 30) return `${d}d ago`;
+  const m = Math.floor(d / 30);
+  return m === 1 ? "1mo ago" : `${m}mo ago`;
+}
+
+function formatDate(iso: string): string {
+  return new Date(iso).toLocaleDateString("en-US", { year: "numeric", month: "short" });
+}
+
+function groupByJurisdiction(sps: SubProcessor[]): Map<string, SubProcessor[]> {
+  const map = new Map<string, SubProcessor[]>();
+  for (const sp of sps) {
+    const key = sp.jurisdiction;
+    const existing = map.get(key);
+    if (existing) {
+      existing.push(sp);
+    } else {
+      map.set(key, [sp]);
+    }
+  }
+  return map;
+}
+
+function JurisdictionGrid({ subProcessors }: { subProcessors: SubProcessor[] }): JSX.Element {
+  const grouped = groupByJurisdiction(subProcessors);
+  const entries = Array.from(grouped.entries()).sort((a, b) => {
+    const aAdequate = ADEQUATE_JURISDICTIONS.has(a[0]);
+    const bAdequate = ADEQUATE_JURISDICTIONS.has(b[0]);
+    if (aAdequate && !bAdequate) return -1;
+    if (!aAdequate && bAdequate) return 1;
+    return b[1].length - a[1].length;
+  });
+
+  return (
+    <div
+      role="table"
+      aria-label="Sub-processor jurisdiction map"
+      style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}
+    >
+      <div role="rowgroup">
+        {entries.map(([jurisdiction, sps]) => {
+          const adequate = ADEQUATE_JURISDICTIONS.has(jurisdiction);
+          const hasFlagged = sps.some((sp) => sp.flagged);
+          const label = JURISDICTION_LABELS[jurisdiction] ?? jurisdiction;
+
+          return (
+            <div
+              key={jurisdiction}
+              role="row"
+              style={{
+                display: "flex",
+                alignItems: "center",
+                gap: "var(--space-3)",
+                padding: "var(--space-2) var(--space-3)",
+                borderRadius: "var(--radius-sm)",
+                background: hasFlagged ? "rgba(220,38,38,0.06)" : "transparent",
+                marginBottom: "var(--space-1)",
+              }}
+            >
+              <span role="cell" style={{ width: 32, fontFamily: "var(--font-mono)", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text-2)", flexShrink: 0 }}>
+                {jurisdiction}
+              </span>
+              <span role="cell" style={{ flex: 1, fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+                {label}
+              </span>
+              <span role="cell" style={{ display: "flex", gap: 4, alignItems: "center", flexShrink: 0 }}>
+                {sps.map((sp, i) =>
+                  sp.flagged ? (
+                    <span
+                      key={i}
+                      aria-label={`Non-adequate: ${sp.name}`}
+                      title={`Non-adequate: ${sp.name}`}
+                      style={{ color: "var(--danger)", fontSize: 14, lineHeight: 1 }}
+                    >
+                      ▲
+                    </span>
+                  ) : (
+                    <span
+                      key={i}
+                      aria-label={`Adequate: ${sp.name}`}
+                      title={`Adequate: ${sp.name}`}
+                      style={{ color: "var(--success)", fontSize: 14, lineHeight: 1 }}
+                    >
+                      ●
+                    </span>
+                  )
+                )}
+              </span>
+              <span role="cell" style={{ width: 80, textAlign: "right", flexShrink: 0 }}>
+                {adequate && !hasFlagged ? (
+                  <span className="badge badge-success" style={{ fontSize: 10 }}>adequate</span>
+                ) : (
+                  <span className="badge badge-danger" style={{ fontSize: 10 }}>flagged</span>
+                )}
+              </span>
+            </div>
+          );
+        })}
+      </div>
+      <div style={{ display: "flex", gap: "var(--space-4)", paddingTop: "var(--space-2)", borderTop: "1px solid var(--border)", marginTop: "var(--space-1)" }}>
+        <span style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+          <span style={{ color: "var(--success)" }}>●</span> adequate (EU/EEA/UK/CH/US/JP/AU)
+        </span>
+        <span style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+          <span style={{ color: "var(--danger)" }}>▲</span> non-adequate (flagged)
+        </span>
+      </div>
+    </div>
+  );
+}
+
+function buildMailtoHref(notifications: CustomerNotification[], vendorName: string): string {
+  const to = notifications.map((n) => n.domain).join(",");
+  const subject = encodeURIComponent(`[Action Required] Sub-processor change notification — ${vendorName}`);
+  const firstNotify = notifications[0];
+  const spName = firstNotify?.affectedSubProcessor ?? "a sub-processor";
+  const notifyBy = firstNotify?.notifyByDate ?? "";
+  const body = encodeURIComponent(
+    `Dear Customer,\n\nPursuant to our Data Processing Agreement, we are notifying you that ${vendorName} has added ${spName} as a sub-processor. This processor operates in a jurisdiction that may require your acknowledgment under your DPA with us.\n\nRequired notification deadline: ${notifyBy}\n\nPlease review and acknowledge receipt of this notice. Contact us if you have questions.\n\nBest regards,\nCompliance Team`
+  );
+  return `mailto:${to}?subject=${subject}&body=${body}`;
+}
+
+export function SubprocessorHeatmap({ vendorId }: { vendorId: string }): JSX.Element {
+  const [data, setData] = useState<SubProcessorData | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    setLoading(true);
+    setError(null);
+
+    fetch(`/v1/vendors/${encodeURIComponent(vendorId)}/sub-processors`, {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => {
+        if (!r.ok) throw new Error(`HTTP ${r.status}`);
+        return r.json() as Promise<SubProcessorData>;
+      })
+      .then((d) => {
+        if (!cancelled) {
+          setData(d);
+          setLoading(false);
+        }
+      })
+      .catch(() => {
+        if (!cancelled) {
+          setError("Failed to load sub-processor data.");
+          setLoading(false);
+        }
+      });
+
+    return () => { cancelled = true; };
+  }, [vendorId]);
+
+  if (loading) {
+    return (
+      <div style={{ padding: "var(--space-4)", color: "var(--text-muted)", fontSize: "var(--text-sm)" }} aria-live="polite" aria-busy>
+        Loading sub-processors...
+      </div>
+    );
+  }
+
+  if (error || !data) {
+    return <span className="badge badge-danger">{error ?? "No data available."}</span>;
+  }
+
+  const jurisdictionCount = new Set(data.subProcessors.map((sp) => sp.jurisdiction)).size;
+  const hasFlagged = data.flaggedCount > 0;
+
+  return (
+    <section aria-label="Sub-processor heatmap" style={{ display: "flex", flexDirection: "column", gap: "var(--space-5)" }}>
+      {/* Header */}
+      <div style={{ display: "flex", justifyContent: "space-between", alignItems: "flex-start" }}>
+        <div>
+          <h2 style={{ margin: 0, fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+            Sub-processors · {data.vendorName}
+          </h2>
+          <p style={{ margin: "var(--space-1) 0 0", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            {data.subProcessors.length} sub-processor{data.subProcessors.length !== 1 ? "s" : ""} across {jurisdictionCount} jurisdiction{jurisdictionCount !== 1 ? "s" : ""}
+          </p>
+        </div>
+        <div style={{ display: "flex", alignItems: "center", gap: "var(--space-1)", fontSize: "var(--text-xs)", color: "var(--text-muted)", flexShrink: 0 }}>
+          <Clock size={12} aria-hidden="true" />
+          Last changed {relTime(data.lastChangeAt)}
+        </div>
+      </div>
+
+      {/* Flagged banner */}
+      {hasFlagged && (
+        <div
+          role="alert"
+          style={{
+            display: "flex",
+            alignItems: "flex-start",
+            gap: "var(--space-3)",
+            padding: "var(--space-3) var(--space-4)",
+            background: "rgba(220,38,38,0.08)",
+            border: "1px solid rgba(220,38,38,0.25)",
+            borderRadius: "var(--radius-md)",
+          }}
+        >
+          <AlertTriangle size={16} aria-hidden="true" style={{ color: "var(--danger)", flexShrink: 0, marginTop: 1 }} />
+          <div>
+            <strong style={{ fontSize: "var(--text-sm)", color: "var(--danger)" }}>
+              {data.flaggedCount} non-adequate jurisdiction{data.flaggedCount !== 1 ? "s" : ""} detected
+            </strong>
+            <p style={{ margin: "var(--space-1) 0 0", fontSize: "var(--text-xs)", color: "var(--text-2)" }}>
+              Sub-processors in non-adequate jurisdictions may trigger customer DPA notification obligations. Review required.
+            </p>
+          </div>
+        </div>
+      )}
+
+      {/* Jurisdiction heatmap */}
+      <div className="card" style={{ padding: "var(--space-4)" }}>
+        <h3 style={{ margin: "0 0 var(--space-3)", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+          Jurisdiction heatmap
+        </h3>
+        <JurisdictionGrid subProcessors={data.subProcessors} />
+      </div>
+
+      {/* Sub-processor list */}
+      <div>
+        <h3 style={{ margin: "0 0 var(--space-3)", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+          Sub-processor list
+        </h3>
+        <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+          {data.subProcessors.map((sp) => (
+            <div
+              key={sp.name}
+              style={{
+                padding: "var(--space-3) var(--space-4)",
+                borderRadius: "var(--radius-md)",
+                border: sp.flagged ? "1px solid rgba(220,38,38,0.3)" : "1px solid var(--border)",
+                background: sp.flagged ? "rgba(220,38,38,0.05)" : "var(--surface)",
+                display: "flex",
+                flexDirection: "column",
+                gap: "var(--space-1)",
+              }}
+            >
+              <div style={{ display: "flex", alignItems: "center", gap: "var(--space-2)" }}>
+                {sp.flagged ? (
+                  <span aria-hidden="true" style={{ color: "var(--danger)", fontSize: 14 }}>▲</span>
+                ) : (
+                  <CheckCircle size={14} aria-hidden="true" style={{ color: "var(--success)", flexShrink: 0 }} />
+                )}
+                <span style={{ fontWeight: 600, fontSize: "var(--text-sm)", color: "var(--text)", flex: 1 }}>{sp.name}</span>
+                <span
+                  style={{
+                    fontFamily: "var(--font-mono)",
+                    fontSize: "var(--text-xs)",
+                    color: sp.flagged ? "var(--danger)" : "var(--text-2)",
+                    fontWeight: sp.flagged ? 600 : 400,
+                  }}
+                >
+                  {sp.jurisdiction}
+                </span>
+              </div>
+              <div style={{ paddingLeft: "var(--space-5)", fontSize: "var(--text-xs)", color: "var(--text-muted)", display: "flex", gap: "var(--space-3)", flexWrap: "wrap" }}>
+                <span>{sp.purpose}</span>
+                <span>Active since {formatDate(sp.addedAt)}</span>
+              </div>
+              {sp.flagged && sp.flagReason && (
+                <div
+                  style={{
+                    paddingLeft: "var(--space-5)",
+                    display: "flex",
+                    alignItems: "flex-start",
+                    gap: "var(--space-2)",
+                    marginTop: "var(--space-1)",
+                  }}
+                >
+                  <AlertTriangle size={12} aria-hidden="true" style={{ color: "var(--danger)", flexShrink: 0, marginTop: 1 }} />
+                  <span style={{ fontSize: "var(--text-xs)", color: "var(--danger)", lineHeight: 1.4 }}>
+                    {sp.flagReason}. Action required.
+                  </span>
+                </div>
+              )}
+            </div>
+          ))}
+        </div>
+      </div>
+
+      {/* Customer commitments cross-reference */}
+      {hasFlagged && data.customerNotifications.length > 0 && (
+        <div className="card" style={{ padding: "var(--space-4)", border: "1px solid rgba(220,38,38,0.25)" }}>
+          <h3 style={{ margin: "0 0 var(--space-1)", fontSize: "var(--text-xs)", fontWeight: 600, color: "var(--text)", textTransform: "uppercase", letterSpacing: "0.06em" }}>
+            Customer commitments cross-reference
+          </h3>
+          <p style={{ margin: "0 0 var(--space-3)", fontSize: "var(--text-sm)", color: "var(--text-2)" }}>
+            Your DPA obligations triggered:
+            <strong style={{ color: "var(--danger)" }}> {data.customerNotifications.length} of your customer contracts require 30-day notice</strong>
+          </p>
+
+          <div style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)", marginBottom: "var(--space-4)" }}>
+            {data.customerNotifications.map((n) => (
+              <div
+                key={n.contractId}
+                style={{
+                  display: "flex",
+                  alignItems: "center",
+                  gap: "var(--space-3)",
+                  padding: "var(--space-2) var(--space-3)",
+                  background: "var(--surface-2)",
+                  borderRadius: "var(--radius-sm)",
+                  flexWrap: "wrap",
+                }}
+              >
+                <span style={{ fontSize: "var(--text-sm)", fontWeight: 500, color: "var(--text)", minWidth: 120 }}>
+                  {n.customerName}
+                </span>
+                <span style={{ fontFamily: "var(--font-mono)", fontSize: "var(--text-xs)", color: "var(--text-muted)" }}>
+                  {n.contractId}
+                </span>
+                <span style={{ fontSize: "var(--text-xs)", color: "var(--text-2)" }}>{n.domain}</span>
+                <span style={{ marginLeft: "auto", fontSize: "var(--text-xs)", color: "var(--danger)", fontWeight: 500, whiteSpace: "nowrap" }}>
+                  notify by{" "}
+                  {new Date(n.notifyByDate).toLocaleDateString("en-US", { month: "short", day: "numeric", year: "numeric" })}
+                </span>
+              </div>
+            ))}
+          </div>
+
+          <a
+            href={buildMailtoHref(data.customerNotifications, data.vendorName)}
+            className="btn btn-primary"
+            style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-2)" }}
+            aria-label={`Draft ${data.customerNotifications.length} customer notice email${data.customerNotifications.length !== 1 ? "s" : ""}`}
+          >
+            <Mail size={14} aria-hidden="true" />
+            Draft {data.customerNotifications.length} customer notice email{data.customerNotifications.length !== 1 ? "s" : ""}
+          </a>
+        </div>
+      )}
+    </section>
+  );
+}
diff --git a/apps/web/src/screens/Terms.tsx b/apps/web/src/screens/Terms.tsx
new file mode 100644
index 0000000..61ca318
--- /dev/null
+++ b/apps/web/src/screens/Terms.tsx
@@ -0,0 +1,102 @@
+import { PageShell } from "../components/PageShell.js";
+
+export function Terms(): JSX.Element {
+  return (
+    <PageShell active={null}>
+      <header className="public-hero fade-up">
+        <h1>Terms of Service</h1>
+        <p className="lead">Last updated: May 2026</p>
+      </header>
+
+      <div className="stagger-children">
+      <section className="public-section glass-soft" aria-labelledby="accept" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="accept">Acceptance</h2>
+        <p>
+          By creating an Unsyphn workspace or using any portion of the service,
+          you agree to these terms on behalf of yourself and the organization
+          you represent. If you do not have authority to bind your organization,
+          do not accept these terms.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="service" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="service">Service description</h2>
+        <p>
+          Unsyphn is a subscription operations platform that discovers,
+          monitors, and routes signals about the SaaS, AI, and infrastructure
+          vendors your organization uses. The service is delivered as software
+          accessed over the public internet and may include integrations with
+          third-party systems you choose to connect.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="use" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="use">Acceptable use</h2>
+        <p>
+          You agree not to: reverse-engineer the service, attempt to bypass
+          access controls, upload malware, scrape at rates that degrade
+          availability for other customers, or use the service to violate any
+          law. We may suspend access without notice if we reasonably believe
+          continued use poses a risk to our infrastructure or other customers.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="billing" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="billing">Subscription &amp; billing</h2>
+        <p>
+          Paid plans are billed monthly or annually in advance via the pricing
+          tier you select. Fees are non-refundable except where required by
+          law. We will give 30 days&rsquo; notice for any price change taking
+          effect at renewal. The Discover tier is free; usage limits apply and
+          are published on the <a href="/pricing">pricing page</a>.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="liability" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="liability">Liability</h2>
+        <p>
+          The service is provided &ldquo;as is&rdquo; without warranties of any
+          kind. To the maximum extent permitted by law, Unsyphn&rsquo;s total
+          liability for any claim arising from these terms or the service is
+          limited to the fees paid in the 12 months preceding the claim. We are
+          not liable for indirect or consequential damages, including lost
+          profits, lost data, or lost goodwill.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="terminate" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="terminate">Termination</h2>
+        <p>
+          You may cancel at any time from your billing settings; cancellation
+          takes effect at the end of the current billing period. We may
+          terminate immediately for breach, non-payment, or if continued
+          provision becomes unlawful. On termination we will retain account
+          data for 30 days, then permanently delete it; export tooling is
+          available throughout the retention window.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="changes" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="changes">Changes</h2>
+        <p>
+          We may update these terms from time to time. Material changes will be
+          announced via email and in-app at least 30 days before they take
+          effect. Continued use after the effective date constitutes acceptance.
+        </p>
+      </section>
+
+      <section className="public-section glass-soft" aria-labelledby="law" style={{ padding: 24, borderRadius: 14 }}>
+        <h2 id="law">Governing law</h2>
+        <p>
+          These terms are governed by the laws of the State of Delaware,
+          excluding its conflict-of-laws rules. Any dispute will be resolved in
+          the state or federal courts located in Wilmington, Delaware.
+        </p>
+        <p>
+          Questions: <a href="mailto:legal@unsyphn.com">legal@unsyphn.com</a>.
+        </p>
+      </section>
+      </div>
+    </PageShell>
+  );
+}
diff --git a/apps/web/src/screens/TrustCenter.tsx b/apps/web/src/screens/TrustCenter.tsx
new file mode 100644
index 0000000..2ca07a3
--- /dev/null
+++ b/apps/web/src/screens/TrustCenter.tsx
@@ -0,0 +1,310 @@
+import { Check, ExternalLink } from "lucide-react";
+
+const S = {
+  page: {
+    background: "var(--bg)",
+    color: "var(--text)",
+    fontFamily: "var(--font-text)",
+    minHeight: "100vh",
+    paddingTop: 80,
+    paddingBottom: 80,
+  },
+  wrap: {
+    maxWidth: 880,
+    margin: "0 auto",
+    padding: "0 var(--space-6)",
+  },
+  section: {
+    paddingTop: "var(--space-7)",
+    paddingBottom: "var(--space-7)",
+    borderBottom: "1px solid var(--border)",
+  },
+  sectionLabel: {
+    fontSize: "var(--text-xs)",
+    fontWeight: 600,
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.09em",
+    color: "var(--text-muted)",
+    marginBottom: "var(--space-4)",
+    margin: "0 0 var(--space-4) 0",
+  },
+  body: {
+    fontSize: "var(--text-base)",
+    color: "var(--text)",
+    lineHeight: 1.6,
+    margin: 0,
+  },
+  muted: {
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+  },
+  checkRow: {
+    display: "flex",
+    alignItems: "flex-start",
+    gap: "var(--space-2)",
+    marginBottom: "var(--space-2)",
+    fontSize: "var(--text-base)",
+    color: "var(--text)",
+  },
+} as const;
+
+const SUB_PROCESSORS = [
+  { name: "Amazon Web Services", purpose: "Infrastructure",    region: "US-East-1", added: "2024-01" },
+  { name: "Anthropic",           purpose: "LLM API",           region: "US",        added: "2024-09" },
+  { name: "Stripe",              purpose: "Billing",           region: "US",        added: "2024-01" },
+  { name: "Vercel",              purpose: "Web hosting",       region: "Global",    added: "2024-01" },
+  { name: "ClickHouse Cloud",    purpose: "Analytics DB",      region: "US",        added: "2024-03" },
+  { name: "Datadog",             purpose: "Observability",     region: "US",        added: "2024-02" },
+] as const;
+
+const SECURITY_ITEMS = [
+  "SAML SSO + OIDC on all paid tiers (no SSO tax)",
+  "SCIM provisioning on Scale + Enterprise",
+  "RBAC with persona scopes (Finance / Procurement / Security / Legal / IT / Audit / Admin / Owner)",
+  "Immutable audit trail (append-only, 7-year retention)",
+  "Encrypted at rest (AES-256) and in transit (TLS 1.3)",
+  "Citation-grounded AI — every AI output cites its source",
+] as const;
+
+const DOCUMENTS = [
+  { label: "Master Service Agreement (MSA)",  href: "mailto:documents@unsyphn.com?subject=MSA%20Request" },
+  { label: "Data Processing Agreement (DPA)", href: "mailto:documents@unsyphn.com?subject=DPA%20Request" },
+  { label: "Security white paper",            href: "mailto:documents@unsyphn.com?subject=Security%20White%20Paper%20Request" },
+] as const;
+
+export function TrustCenter(): JSX.Element {
+  return (
+    <div style={S.page}>
+      <div style={S.wrap}>
+
+        {/* Header */}
+        <div style={{ paddingBottom: "var(--space-7)", borderBottom: "1px solid var(--border)" }}>
+          <h1
+            className="h1"
+            style={{ fontFamily: "var(--font-display)", color: "var(--text-strong)", marginBottom: "var(--space-3)" }}
+          >
+            Unsyphn Trust Center
+          </h1>
+          <p className="lead" style={{ color: "var(--text-2)", margin: 0 }}>
+            Security, privacy, and reliability for enterprise.
+          </p>
+        </div>
+
+        {/* 1. Certifications */}
+        <section aria-labelledby="cert-heading" style={S.section}>
+          <h2 id="cert-heading" style={S.sectionLabel}>Certifications</h2>
+          {(["SOC 2 Type II (in audit — report Q4 2026)", "ISO 27001 (in audit)", "GDPR + DPF compliant"] as const).map((item) => (
+            <div key={item} style={S.checkRow}>
+              <Check size={16} color="var(--success)" aria-hidden="true" style={{ flexShrink: 0, marginTop: 2 }} />
+              <span>{item}</span>
+            </div>
+          ))}
+          <p style={{ ...S.muted, marginTop: "var(--space-3)" }}>
+            Roadmap: ISO 27701 (2027) · ISO 42001 AI (2027)
+          </p>
+        </section>
+
+        {/* 2. Data Residency */}
+        <section aria-labelledby="residency-heading" style={S.section}>
+          <h2 id="residency-heading" style={S.sectionLabel}>Data Residency</h2>
+          <p style={S.body}>
+            <strong>US Region</strong> (default) · <strong>EU Region</strong> (Enterprise tier — Frankfurt)
+          </p>
+          <p style={{ ...S.muted, marginTop: "var(--space-2)" }}>
+            Data never leaves your selected region.
+          </p>
+        </section>
+
+        {/* 3. No-Train AI Guarantee */}
+        <section aria-labelledby="notrain-heading" style={S.section}>
+          <h2 id="notrain-heading" style={S.sectionLabel}>No-Train AI Guarantee</h2>
+          <p style={{ ...S.body, marginBottom: "var(--space-3)" }}>
+            Unsyphn does not train models on customer data today. Should this change, we will provide
+            customers with advance notice. Third-party LLM providers we use are contracted under DPAs
+            that prohibit training on data we share with them.
+          </p>
+          <p style={S.body}>
+            Sensitive operations (clause extraction, Customer Commitments inventory) run on
+            internally-hosted models.
+          </p>
+        </section>
+
+        {/* 4. Sub-Processors */}
+        <section aria-labelledby="subproc-heading" style={S.section}>
+          <h2 id="subproc-heading" style={S.sectionLabel}>Sub-Processors</h2>
+
+          <div style={{ overflowX: "auto" }}>
+            <table
+              style={{
+                width: "100%",
+                borderCollapse: "collapse",
+                fontSize: "var(--text-sm)",
+              }}
+            >
+              <thead>
+                <tr>
+                  {(["Name", "Purpose", "Region", "Added"] as const).map((col) => (
+                    <th
+                      key={col}
+                      scope="col"
+                      style={{
+                        textAlign: "left",
+                        fontWeight: 500,
+                        color: "var(--text-muted)",
+                        fontSize: "var(--text-xs)",
+                        padding: "0 var(--space-3) var(--space-2) 0",
+                        borderBottom: "1px solid var(--border)",
+                        whiteSpace: "nowrap",
+                      }}
+                    >
+                      {col}
+                    </th>
+                  ))}
+                </tr>
+              </thead>
+              <tbody>
+                {SUB_PROCESSORS.map((sp) => (
+                  <tr key={sp.name}>
+                    {([sp.name, sp.purpose, sp.region, sp.added] as const).map((cell, i) => (
+                      <td
+                        key={i}
+                        style={{
+                          padding: "var(--space-2) var(--space-3) var(--space-2) 0",
+                          borderBottom: "1px solid var(--border)",
+                          color: i === 0 ? "var(--text)" : "var(--text-2)",
+                          fontWeight: i === 0 ? 500 : 400,
+                        }}
+                      >
+                        {cell}
+                      </td>
+                    ))}
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+
+          <SubscribeForm />
+
+          <p style={{ ...S.muted, marginTop: "var(--space-3)" }}>
+            We send 30-day advance notice before adding any new sub-processor.
+          </p>
+        </section>
+
+        {/* 5. Security Practices */}
+        <section aria-labelledby="security-heading" style={S.section}>
+          <h2 id="security-heading" style={S.sectionLabel}>Security Practices</h2>
+          {SECURITY_ITEMS.map((item) => (
+            <div key={item} style={S.checkRow}>
+              <Check size={16} color="var(--success)" aria-hidden="true" style={{ flexShrink: 0, marginTop: 2 }} />
+              <span>{item}</span>
+            </div>
+          ))}
+        </section>
+
+        {/* 6. Documents */}
+        <section aria-labelledby="docs-heading" style={S.section}>
+          <h2 id="docs-heading" style={S.sectionLabel}>Documents</h2>
+          <ul style={{ listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: "var(--space-3)" }}>
+            {DOCUMENTS.map((doc) => (
+              <li key={doc.label}>
+                <a
+                  href={doc.href}
+                  style={{
+                    display: "inline-flex",
+                    alignItems: "center",
+                    gap: "var(--space-2)",
+                    fontSize: "var(--text-base)",
+                    color: "var(--accent)",
+                    textDecoration: "none",
+                    fontWeight: 400,
+                  }}
+                >
+                  <ExternalLink size={14} aria-hidden="true" />
+                  {doc.label}
+                  <span style={{ fontSize: "var(--text-xs)", color: "var(--text-muted)", fontFamily: "var(--font-mono)" }}>
+                    [Download PDF]
+                  </span>
+                </a>
+              </li>
+            ))}
+            <li>
+              <span style={{ display: "inline-flex", alignItems: "center", gap: "var(--space-2)", fontSize: "var(--text-base)", color: "var(--text)" }}>
+                SOC 2 readiness summary
+              </span>
+              {" — "}
+              <a
+                href="mailto:security@unsyphn.com?subject=SOC2%20Readiness%20Summary%20Request"
+                style={{ fontSize: "var(--text-base)", color: "var(--accent)", textDecoration: "none" }}
+              >
+                Request via security@unsyphn.com
+              </a>
+            </li>
+          </ul>
+        </section>
+
+        {/* 7. Contact */}
+        <section aria-labelledby="contact-heading" style={{ ...S.section, borderBottom: "none" }}>
+          <h2 id="contact-heading" style={S.sectionLabel}>Contact</h2>
+          <dl style={{ margin: 0, display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+            {(
+              [
+                ["Security disclosures", "security@unsyphn.com"],
+                ["Privacy questions",    "privacy@unsyphn.com"],
+                ["Bug bounty",          "security@unsyphn.com"],
+              ] as const
+            ).map(([label, email]) => (
+              <div key={label} style={{ display: "flex", gap: "var(--space-2)", flexWrap: "wrap" as const }}>
+                <dt style={S.muted}>{label}:</dt>
+                <dd style={{ margin: 0 }}>
+                  <a href={`mailto:${email}`} style={{ color: "var(--accent)", fontSize: "var(--text-sm)" }}>
+                    {email}
+                  </a>
+                  {label === "Bug bounty" && (
+                    <span style={{ ...S.muted, marginLeft: "var(--space-2)" }}>(no public program yet)</span>
+                  )}
+                </dd>
+              </div>
+            ))}
+          </dl>
+        </section>
+
+        {/* Footer */}
+        <p style={{ ...S.muted, paddingTop: "var(--space-5)", textAlign: "center" }}>
+          Last reviewed: May 24, 2026 · Version 1.0
+        </p>
+
+      </div>
+    </div>
+  );
+}
+
+function SubscribeForm(): JSX.Element {
+  const emailId = "trust-subscribe-email";
+  return (
+    <form
+      style={{ display: "flex", gap: "var(--space-2)", marginTop: "var(--space-4)", flexWrap: "wrap" as const }}
+      onSubmit={(e) => {
+        e.preventDefault();
+        alert("Subscribed (demo mode)");
+      }}
+    >
+      <label htmlFor={emailId} style={{ ...S.muted, display: "flex", alignItems: "center", whiteSpace: "nowrap" as const }}>
+        Subscribe to change notifications:
+      </label>
+      <input
+        id={emailId}
+        name="email"
+        type="email"
+        required
+        className="input"
+        placeholder="your@email.com"
+        style={{ maxWidth: 220, flex: "0 0 auto" }}
+        aria-label="Email for sub-processor change notifications"
+      />
+      <button type="submit" className="btn btn-secondary">
+        Subscribe
+      </button>
+    </form>
+  );
+}
diff --git a/apps/web/src/screens/VendorDetail.tsx b/apps/web/src/screens/VendorDetail.tsx
new file mode 100644
index 0000000..74cfc87
--- /dev/null
+++ b/apps/web/src/screens/VendorDetail.tsx
@@ -0,0 +1,283 @@
+import { useCallback, useEffect, useState } from "react";
+import { ArrowLeft } from "lucide-react";
+import type { Vendor } from "@unsyphn/shared";
+import {
+  ApiError,
+  DEMO_BEARER_TOKEN,
+  getVendor,
+  listTeamMembers,
+  patchVendor,
+  type TeamMember,
+  type VendorPatch,
+} from "../lib/api.js";
+import { RenegotiationPacket } from "../components/RenegotiationPacket.js";
+import { ShareAuditorDrawer } from "../components/portfolio/ShareAuditorDrawer.js";
+import { SubprocessorHeatmap } from "./SubprocessorHeatmap.js";
+import { Header } from "../components/vendor-detail/Header.js";
+import { OverviewTab } from "../components/vendor-detail/OverviewTab.js";
+import { SpendTab } from "../components/vendor-detail/SpendTab.js";
+import { ContractsTab } from "../components/vendor-detail/ContractsTab.js";
+import { ChangeFeedTab } from "../components/vendor-detail/ChangeFeedTab.js";
+import { ActivityTab } from "../components/vendor-detail/ActivityTab.js";
+import { NextActionCard, type TabId } from "../components/vendor-detail/NextActionCard.js";
+import { VendorToast } from "../components/vendor-detail/Toast.js";
+
+interface FeedChange {
+  id: string;
+  vendorId: string;
+  title: string;
+  summary: string;
+  severity: string;
+  occurredAt: string;
+  category: string;
+  diff?: { before: string; after: string };
+  citations?: Array<{ url?: string; fetchedAt?: string }>;
+}
+
+const PAGE_STYLE = `
+  @keyframes vd-spin { from { transform: rotate(0deg); } to { transform: rotate(360deg); } }
+  .spin { animation: vd-spin 1s linear infinite; }
+`;
+
+function readVendorIdFromUrl(): string {
+  if (typeof window === "undefined") return "";
+  const m = window.location.pathname.match(/^\/app\/vendors?\/([^/?#]+)/);
+  return m?.[1] ?? "";
+}
+
+export function VendorDetail(): JSX.Element {
+  const vendorId = readVendorIdFromUrl();
+
+  const [vendor, setVendor] = useState<Vendor | null>(null);
+  const [loadState, setLoadState] = useState<"loading" | "ready" | "not-found" | "error">("loading");
+  const [errorMsg, setErrorMsg] = useState<string | null>(null);
+  const [members, setMembers] = useState<TeamMember[]>([]);
+  const [feedChanges, setFeedChanges] = useState<FeedChange[]>([]);
+  const [feedLoaded, setFeedLoaded] = useState(false);
+  const [activeTab, setActiveTab] = useState<TabId>("overview");
+  const [packetOpen, setPacketOpen] = useState(false);
+  const [shareOpen, setShareOpen] = useState(false);
+  const [toast, setToast] = useState<string | null>(null);
+
+  const showToast = useCallback((msg: string) => {
+    setToast(msg);
+    window.setTimeout(() => setToast(null), 2200);
+  }, []);
+
+  // Fetch vendor.
+  useEffect(() => {
+    if (!vendorId) {
+      setLoadState("not-found");
+      return;
+    }
+    let cancelled = false;
+    setLoadState("loading");
+    getVendor(vendorId)
+      .then((v) => {
+        if (cancelled) return;
+        setVendor(v);
+        setLoadState("ready");
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        if (err instanceof ApiError && err.status === 404) {
+          setLoadState("not-found");
+        } else {
+          setErrorMsg(err instanceof Error ? err.message : "Failed to load vendor");
+          setLoadState("error");
+        }
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendorId]);
+
+  // Team members (for owner picker + activity actor resolution).
+  useEffect(() => {
+    let cancelled = false;
+    listTeamMembers()
+      .then((r) => {
+        if (!cancelled) setMembers(r.members);
+      })
+      .catch(() => {
+        if (!cancelled) setMembers([]);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  // Change feed.
+  useEffect(() => {
+    if (!vendor) return;
+    let cancelled = false;
+    fetch(`/v1/changes/feed?vendorId=${encodeURIComponent(vendor.id)}`, {
+      headers: { Authorization: `Bearer ${DEMO_BEARER_TOKEN}` },
+    })
+      .then((r) => r.json() as Promise<{ changes: FeedChange[] }>)
+      .then(({ changes }) => {
+        if (cancelled) return;
+        setFeedChanges(changes);
+        setFeedLoaded(true);
+      })
+      .catch(() => {
+        if (!cancelled) setFeedLoaded(true);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [vendor]);
+
+  const handlePatch = useCallback(
+    async (patch: VendorPatch) => {
+      if (!vendor) return;
+      const prev = vendor;
+      const optimistic = { ...vendor, ...patch } as Vendor;
+      setVendor(optimistic);
+      try {
+        const updated = await patchVendor(vendor.id, patch);
+        setVendor(updated);
+        showToast("Vendor updated");
+      } catch (err) {
+        setVendor(prev);
+        showToast(err instanceof ApiError ? err.message : "Update failed");
+      }
+    },
+    [vendor, showToast],
+  );
+
+  if (loadState === "loading") {
+    return (
+      <main style={{ maxWidth: 1100, margin: "0 auto", padding: "var(--space-6)" }}>
+        <style>{PAGE_STYLE}</style>
+        <div aria-live="polite" aria-busy style={{ color: "var(--text-muted)", fontSize: "var(--text-sm)" }}>
+          Loading vendor…
+        </div>
+      </main>
+    );
+  }
+
+  if (loadState === "not-found") {
+    return (
+      <main style={{ maxWidth: 680, margin: "var(--space-9) auto", padding: "0 var(--space-6)", textAlign: "center" }}>
+        <h1 className="h1" style={{ marginBottom: "var(--space-3)" }}>Vendor not found</h1>
+        <p className="lead" style={{ marginBottom: "var(--space-5)" }}>
+          No vendor with id &ldquo;{vendorId}&rdquo; exists in your portfolio.
+        </p>
+        <a href="/app/vendors" className="btn btn-secondary">
+          <ArrowLeft size={14} aria-hidden="true" /> Back to portfolio
+        </a>
+      </main>
+    );
+  }
+
+  if (loadState === "error" || !vendor) {
+    return (
+      <main style={{ maxWidth: 680, margin: "var(--space-9) auto", padding: "0 var(--space-6)", textAlign: "center" }}>
+        <h1 className="h1" style={{ marginBottom: "var(--space-3)" }}>Couldn&rsquo;t load vendor</h1>
+        <p className="lead" style={{ marginBottom: "var(--space-5)" }}>
+          {errorMsg ?? "Try again in a moment."}
+        </p>
+        <a href="/app/vendors" className="btn btn-secondary">
+          <ArrowLeft size={14} aria-hidden="true" /> Back to portfolio
+        </a>
+      </main>
+    );
+  }
+
+  const TABS: Array<{ id: TabId; label: string }> = [
+    { id: "overview", label: "Overview" },
+    { id: "spend", label: "Spend & Usage" },
+    { id: "contracts", label: "Contracts" },
+    { id: "changes", label: "Change Feed" },
+    { id: "risk", label: "Risk" },
+    { id: "activity", label: "Activity" },
+  ];
+
+  return (
+    <main style={{ maxWidth: 1100, margin: "0 auto", padding: "var(--space-6) var(--space-6) var(--space-8)" }}>
+      <style>{PAGE_STYLE}</style>
+
+      <Header vendor={vendor} members={members} onPatch={handlePatch} />
+
+      <div style={{ display: "flex", justifyContent: "flex-end", gap: "var(--space-2)", marginBottom: "var(--space-5)", flexWrap: "wrap" }}>
+        {feedLoaded && <NextActionCard vendor={vendor} changeCount={feedChanges.length} onTab={setActiveTab} />}
+      </div>
+
+      <div
+        role="tablist"
+        aria-label="Vendor detail sections"
+        style={{ display: "flex", borderBottom: "1px solid var(--border)", marginBottom: "var(--space-5)", overflowX: "auto" }}
+      >
+        {TABS.map(({ id, label }) => {
+          const on = activeTab === id;
+          return (
+            <button
+              key={id}
+              type="button"
+              role="tab"
+              className="button-pop"
+              aria-selected={on}
+              aria-controls={`panel-${id}`}
+              id={`tab-${id}`}
+              onClick={() => setActiveTab(id)}
+              style={{
+                padding: "var(--space-3) var(--space-4)",
+                background: "none",
+                border: "none",
+                borderBottom: on ? "2px solid var(--accent)" : "2px solid transparent",
+                color: on ? "var(--accent)" : "var(--text-2)",
+                fontFamily: "var(--font-text)",
+                fontSize: "var(--text-sm)",
+                fontWeight: on ? 600 : 400,
+                cursor: "pointer",
+                whiteSpace: "nowrap",
+                marginBottom: -1,
+              }}
+            >
+              {label}
+              {id === "changes" && feedChanges.length > 0 && (
+                <span className="badge badge-danger" style={{ marginLeft: "var(--space-2)", fontSize: 10 }}>
+                  {feedChanges.length}
+                </span>
+              )}
+            </button>
+          );
+        })}
+      </div>
+
+      <div id={`panel-${activeTab}`} role="tabpanel" aria-labelledby={`tab-${activeTab}`}>
+        {activeTab === "overview" && (
+          <OverviewTab
+            vendor={vendor}
+            changes={feedChanges}
+            onOpenPacket={() => setPacketOpen(true)}
+            onOpenShareAuditor={() => setShareOpen(true)}
+            onScan={showToast}
+            onPostureChanged={setVendor}
+          />
+        )}
+        {activeTab === "spend" && <SpendTab vendor={vendor} onOpenPacket={() => setPacketOpen(true)} />}
+        {activeTab === "contracts" && (
+          <ContractsTab
+            vendor={vendor}
+            onUploadComplete={() => showToast("Contract uploaded")}
+            onError={showToast}
+          />
+        )}
+        {activeTab === "changes" && <ChangeFeedTab vendorId={vendor.id} />}
+        {activeTab === "risk" && <SubprocessorHeatmap vendorId={vendor.id} />}
+        {activeTab === "activity" && <ActivityTab vendor={vendor} members={members} onError={showToast} />}
+      </div>
+
+      <RenegotiationPacket vendorId={vendor.id} open={packetOpen} onClose={() => setPacketOpen(false)} />
+      <ShareAuditorDrawer
+        open={shareOpen}
+        onClose={() => setShareOpen(false)}
+        vendors={[vendor]}
+        initiallySelected={[vendor.id]}
+      />
+      {toast && <VendorToast message={toast} />}
+    </main>
+  );
+}
diff --git a/apps/web/src/screens/VendorOnboarding.tsx b/apps/web/src/screens/VendorOnboarding.tsx
deleted file mode 100644
index cd72feb..0000000
--- a/apps/web/src/screens/VendorOnboarding.tsx
+++ /dev/null
@@ -1,163 +0,0 @@
-import { useState } from "react";
-
-type TierId = 1 | 2 | 3;
-
-interface TierDef {
-  id: TierId;
-  sla: string;
-  name: string;
-  description: string;
-  price: string;
-  features: readonly string[];
-  cta: string;
-  recommended?: true;
-}
-
-const TIERS: readonly TierDef[] = [
-  {
-    id: 1,
-    sla: "6H",
-    name: "6-Hour Express",
-    description: "For mission-critical vendors. Sub-six-hour detection on every change.",
-    price: "$999",
-    features: [
-      "6-hour SLA on change detection",
-      "Dedicated escalation channel",
-      "Hourly diff scans 24/7",
-      "Priority routing to on-call",
-      "Compliance bundle included",
-    ],
-    cta: "Start 6H Express",
-  },
-  {
-    id: 2,
-    sla: "24H",
-    name: "24-Hour Standard",
-    description: "The right default for most vendors. Daily monitoring with automated alerts.",
-    price: "$299",
-    features: [
-      "24-hour SLA on change detection",
-      "Daily automated scans",
-      "Slack + email routing",
-      "Quarterly evidence bundles",
-      "Standard support",
-    ],
-    cta: "Start 24H Standard",
-    recommended: true,
-  },
-  {
-    id: 3,
-    sla: "48H",
-    name: "48-Hour Basic",
-    description: "Lightweight coverage for low-priority vendors. Routine checks, weekly digests.",
-    price: "$99",
-    features: [
-      "48-hour SLA on change detection",
-      "Bi-daily routine scans",
-      "Weekly digest emails",
-      "Self-serve evidence export",
-      "Community support",
-    ],
-    cta: "Start 48H Basic",
-  },
-] as const;
-
-export function VendorOnboarding(): JSX.Element {
-  const [selectedTier, setSelectedTier] = useState<TierId | null>(null);
-
-  return (
-    <>
-      <div className="card">
-        <h1 className="card__title">Onboard a new vendor</h1>
-        <p className="card__sub">
-          Choose a monitoring SLA that matches your vendor's criticality. You can change
-          this later from the vendor settings page.
-        </p>
-      </div>
-
-      <div
-        className="tier-grid"
-        role="radiogroup"
-        aria-label="Monitoring tier selection"
-      >
-        {TIERS.map((tier) => (
-          <TierCard
-            key={tier.id}
-            tier={tier}
-            selected={selectedTier === tier.id}
-            onSelect={() => setSelectedTier(tier.id)}
-          />
-        ))}
-      </div>
-    </>
-  );
-}
-
-interface TierCardProps {
-  tier: TierDef;
-  selected: boolean;
-  onSelect: () => void;
-}
-
-function TierCard({ tier, selected, onSelect }: TierCardProps): JSX.Element {
-  const cardClass = [
-    "tier-card",
-    tier.recommended ? "tier-card--recommended" : "",
-    selected ? "tier-card--selected" : "",
-  ]
-    .filter(Boolean)
-    .join(" ");
-
-  const handleKeyDown = (e: React.KeyboardEvent<HTMLDivElement>): void => {
-    if (e.key === " " || e.key === "Enter") {
-      e.preventDefault();
-      onSelect();
-    }
-  };
-
-  const handleCtaClick = (e: React.MouseEvent<HTMLButtonElement>): void => {
-    e.stopPropagation();
-    window.location.href = `/dashboard?tier=${tier.id}`;
-  };
-
-  return (
-    <div
-      className={cardClass}
-      role="radio"
-      aria-checked={selected}
-      tabIndex={0}
-      onClick={onSelect}
-      onKeyDown={handleKeyDown}
-    >
-      {tier.recommended && (
-        <span className="tier-card__badge" aria-label="Recommended tier">
-          Recommended
-        </span>
-      )}
-
-      <span className="tier-card__sla">{tier.sla}</span>
-      <h2 className="tier-card__name">{tier.name}</h2>
-      <p className="tier-card__desc">{tier.description}</p>
-
-      <div className="tier-card__price">
-        <span className="tier-card__price-amount">{tier.price}</span>
-        <span className="tier-card__price-unit">/month</span>
-      </div>
-
-      <ul className="tier-card__features" aria-label="Included features">
-        {tier.features.map((feature) => (
-          <li key={feature}>{feature}</li>
-        ))}
-      </ul>
-
-      <button
-        className="btn tier-card__cta"
-        type="button"
-        onClick={handleCtaClick}
-        aria-label={`${tier.cta} — ${tier.price} per month`}
-      >
-        {tier.cta}
-      </button>
-    </div>
-  );
-}
diff --git a/apps/web/src/screens/pricing/BillingToggle.tsx b/apps/web/src/screens/pricing/BillingToggle.tsx
new file mode 100644
index 0000000..2eb1d55
--- /dev/null
+++ b/apps/web/src/screens/pricing/BillingToggle.tsx
@@ -0,0 +1,76 @@
+import type { BillingCadence } from "./tiers.js";
+
+interface BillingToggleProps {
+  value: BillingCadence;
+  onChange: (next: BillingCadence) => void;
+}
+
+const baseBtn: React.CSSProperties = {
+  height: 32,
+  padding: "0 var(--space-4)",
+  background: "transparent",
+  color: "var(--text-2)",
+  border: "none",
+  fontFamily: "var(--font-text)",
+  fontSize: "var(--text-sm)",
+  cursor: "pointer",
+  borderRadius: "999px",
+  display: "inline-flex",
+  alignItems: "center",
+  gap: "var(--space-2)",
+  transition: "background 100ms, color 100ms",
+};
+const activeBtn: React.CSSProperties = {
+  ...baseBtn,
+  background: "var(--surface)",
+  color: "var(--text-strong)",
+  border: "1px solid var(--border)",
+};
+
+export function BillingToggle({ value, onChange }: BillingToggleProps): JSX.Element {
+  return (
+    <div
+      role="group"
+      aria-label="Billing cadence"
+      style={{
+        display: "inline-flex",
+        background: "var(--surface-2)",
+        border: "1px solid var(--border)",
+        padding: 4,
+        borderRadius: "999px",
+        gap: 4,
+      }}
+    >
+      <button
+        type="button"
+        className="button-pop"
+        style={value === "monthly" ? activeBtn : baseBtn}
+        onClick={() => onChange("monthly")}
+        aria-pressed={value === "monthly"}
+      >
+        Monthly
+      </button>
+      <button
+        type="button"
+        className="button-pop"
+        style={value === "annual" ? activeBtn : baseBtn}
+        onClick={() => onChange("annual")}
+        aria-pressed={value === "annual"}
+      >
+        Annual
+        <span
+          style={{
+            background: "var(--accent)",
+            color: "var(--bg)",
+            fontSize: "var(--text-xs)",
+            padding: "2px 6px",
+            borderRadius: "999px",
+            fontWeight: 500,
+          }}
+        >
+          20% off
+        </span>
+      </button>
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/pricing/CouponField.tsx b/apps/web/src/screens/pricing/CouponField.tsx
new file mode 100644
index 0000000..db5e0b4
--- /dev/null
+++ b/apps/web/src/screens/pricing/CouponField.tsx
@@ -0,0 +1,113 @@
+import { useState } from "react";
+import { ApiError, validateCoupon, type AppliedCoupon } from "../../lib/api.js";
+
+interface CouponFieldProps {
+  appliedCoupon: AppliedCoupon | undefined;
+  onApply: (coupon: AppliedCoupon) => void;
+}
+
+const S = {
+  couponLabel: {
+    display: "block" as const,
+    fontSize: "var(--text-xs)",
+    color: "var(--text-2)",
+    marginBottom: "var(--space-2)",
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.05em",
+  },
+  couponRow: {
+    display: "flex",
+    gap: "var(--space-2)",
+    marginBottom: "var(--space-4)",
+  },
+  couponInput: {
+    flex: 1,
+    height: 36,
+    padding: "0 var(--space-3)",
+    background: "var(--surface-2)",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-md)",
+    color: "var(--text-strong)",
+    fontFamily: "var(--font-mono)",
+    fontSize: "var(--text-sm)",
+    textTransform: "uppercase" as const,
+  },
+  couponBtn: {
+    height: 36,
+    padding: "0 var(--space-4)",
+    background: "var(--surface-2)",
+    color: "var(--text-strong)",
+    border: "1px solid var(--border)",
+    borderRadius: "var(--radius-md)",
+    fontSize: "var(--text-sm)",
+    cursor: "pointer",
+  },
+  couponOk: {
+    fontSize: "var(--text-xs)",
+    color: "var(--success)",
+    marginTop: "var(--space-2)",
+  },
+  couponErr: {
+    fontSize: "var(--text-xs)",
+    color: "var(--danger)",
+    marginTop: "var(--space-2)",
+  },
+} as const;
+
+export function CouponField({ appliedCoupon, onApply }: CouponFieldProps): JSX.Element {
+  const [coupon, setCoupon] = useState("");
+  const [couponError, setCouponError] = useState<string | undefined>();
+
+  async function applyCouponClick(): Promise<void> {
+    setCouponError(undefined);
+    const code = coupon.trim();
+    if (!code) return;
+    try {
+      const result = await validateCoupon(code);
+      onApply(result);
+    } catch (err) {
+      const message =
+        err instanceof ApiError && err.status === 404
+          ? "Invalid coupon"
+          : err instanceof Error ? err.message : "Failed to validate";
+      setCouponError(message);
+    }
+  }
+
+  return (
+    <div>
+      <label style={S.couponLabel} htmlFor="coupon-input">Coupon code</label>
+      <div style={S.couponRow}>
+        <input
+          id="coupon-input"
+          type="text"
+          value={coupon}
+          onChange={(e) => setCoupon(e.target.value)}
+          placeholder="HACKATHON25"
+          className="focus-glow"
+          style={S.couponInput}
+          aria-describedby="coupon-feedback"
+        />
+        <button
+          type="button"
+          onClick={() => void applyCouponClick()}
+          className="button-pop"
+          style={S.couponBtn}
+          data-testid="apply-coupon"
+        >
+          Apply
+        </button>
+      </div>
+      {appliedCoupon && (
+        <p id="coupon-feedback" style={S.couponOk} role="status">
+          {appliedCoupon.code} applied — {appliedCoupon.label}
+        </p>
+      )}
+      {couponError && (
+        <p id="coupon-feedback" style={S.couponErr} role="alert">
+          {couponError}
+        </p>
+      )}
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/pricing/InvoiceTable.tsx b/apps/web/src/screens/pricing/InvoiceTable.tsx
new file mode 100644
index 0000000..8019caf
--- /dev/null
+++ b/apps/web/src/screens/pricing/InvoiceTable.tsx
@@ -0,0 +1,212 @@
+import { useEffect, useState } from "react";
+import { Download, Loader2 } from "lucide-react";
+import { downloadInvoicePdf, listInvoices, type BillingInvoice } from "../../lib/api.js";
+
+const S = {
+  section: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-7)",
+  } as React.CSSProperties,
+  h2: {
+    fontFamily: "var(--font-display)",
+    color: "var(--text-strong)",
+    marginBottom: "var(--space-2)",
+  } as React.CSSProperties,
+  ytd: {
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  card: {
+    borderRadius: "var(--radius-md)",
+    overflow: "auto" as const,
+  } as React.CSSProperties,
+  th: {
+    padding: "var(--space-2) var(--space-5)",
+    textAlign: "left" as const,
+    fontSize: "var(--text-xs)",
+    color: "var(--text-muted)",
+    fontWeight: 500,
+    textTransform: "uppercase" as const,
+    letterSpacing: "0.05em",
+    borderBottom: "1px solid var(--border)",
+    background: "var(--surface-2)",
+  },
+  td: {
+    padding: "var(--space-3) var(--space-5)",
+    fontSize: "var(--text-sm)",
+    color: "var(--text-2)",
+    borderBottom: "1px solid var(--border)",
+  } as React.CSSProperties,
+  mono500: { fontFamily: "var(--font-mono)", fontWeight: 500 } as React.CSSProperties,
+  badge: {
+    display: "inline-block" as const,
+    padding: "2px 8px",
+    background: "rgba(63,207,142,0.10)",
+    color: "var(--success)",
+    border: "1px solid rgba(63,207,142,0.25)",
+    borderRadius: "var(--radius-sm)",
+    fontSize: "var(--text-xs)",
+    textTransform: "capitalize" as const,
+  },
+} as const;
+
+function dollars(cents: number): string {
+  return "$" + (cents / 100).toLocaleString("en-US", { minimumFractionDigits: 2, maximumFractionDigits: 2 });
+}
+
+export function InvoiceTable(): JSX.Element | null {
+  const [invoices, setInvoices] = useState<BillingInvoice[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | undefined>();
+  const [downloadingId, setDownloadingId] = useState<string | undefined>();
+  const [downloadError, setDownloadError] = useState<string | undefined>();
+
+  async function handleDownload(inv: BillingInvoice): Promise<void> {
+    setDownloadingId(inv.id);
+    setDownloadError(undefined);
+    try {
+      const blob = await downloadInvoicePdf(inv.id);
+      const url = URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = url;
+      a.download = `unsyphn-invoice-${inv.id}.pdf`;
+      document.body.appendChild(a);
+      a.click();
+      a.remove();
+      URL.revokeObjectURL(url);
+    } catch (err) {
+      setDownloadError(
+        err instanceof Error ? err.message : `Could not download ${inv.id}`,
+      );
+    } finally {
+      setDownloadingId(undefined);
+    }
+  }
+
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        const resp = await listInvoices();
+        if (cancelled) return;
+        setInvoices(resp.invoices);
+      } catch (err) {
+        if (cancelled) return;
+        setError(err instanceof Error ? err.message : "Failed to load invoices");
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  const thisYear = new Date().getFullYear();
+  const ytdCents = invoices
+    .filter(
+      (inv) => inv.status === "paid" && new Date(inv.issuedAt).getFullYear() === thisYear,
+    )
+    .reduce((sum, inv) => sum + inv.amountUsdCents, 0);
+
+  if (loading) {
+    return (
+      <section aria-label="Your invoices" style={S.section}>
+        <h2 className="h2" style={S.h2}>Your invoices</h2>
+        <p style={S.ytd}>Loading…</p>
+      </section>
+    );
+  }
+  if (error) {
+    return (
+      <section aria-label="Your invoices" style={S.section}>
+        <h2 className="h2" style={S.h2}>Your invoices</h2>
+        <p style={S.ytd}>{error}</p>
+      </section>
+    );
+  }
+  if (invoices.length === 0) return null;
+
+  return (
+    <section aria-label="Your invoices" style={S.section}>
+      <h2 className="h2" style={S.h2}>Your invoices</h2>
+      <p style={S.ytd}>
+        Total billed YTD:{" "}
+        <span style={{ ...S.mono500, color: "var(--text-strong)" }}>{dollars(ytdCents)}</span>
+      </p>
+      {downloadError ? (
+        <p
+          role="alert"
+          style={{ ...S.ytd, color: "var(--danger, #b91c1c)" }}
+        >
+          {downloadError}
+        </p>
+      ) : null}
+      <div className="glass fade-up" style={S.card}>
+        <table style={{ width: "100%", borderCollapse: "collapse", minWidth: 560 }}>
+          <thead>
+            <tr>
+              <th scope="col" style={S.th}>Date</th>
+              <th scope="col" style={S.th}>Description</th>
+              <th scope="col" style={S.th}>Amount</th>
+              <th scope="col" style={S.th}>Status</th>
+              <th scope="col" style={{ ...S.th, textAlign: "right" }}>Download</th>
+            </tr>
+          </thead>
+          <tbody>
+            {invoices.map((inv) => (
+              <tr key={inv.id} className="row-hover">
+                <td style={S.td}>
+                  <span style={S.mono500}>{inv.period}</span>
+                </td>
+                <td style={S.td}>{inv.id}</td>
+                <td style={{ ...S.td, ...S.mono500, color: "var(--text-strong)" }}>
+                  {dollars(inv.amountUsdCents)}
+                </td>
+                <td style={S.td}>
+                  <span style={S.badge}>{inv.status}</span>
+                </td>
+                <td style={{ ...S.td, textAlign: "right" }}>
+                  <button
+                    type="button"
+                    onClick={() => handleDownload(inv)}
+                    disabled={downloadingId === inv.id}
+                    className="button-pop"
+                    style={{
+                      background: "none",
+                      border: "none",
+                      cursor: downloadingId === inv.id ? "wait" : "pointer",
+                      color: "var(--accent)",
+                      padding: "4px 8px",
+                      borderRadius: "var(--radius-sm)",
+                      display: "inline-flex",
+                      alignItems: "center",
+                      gap: 6,
+                      fontSize: "var(--text-sm)",
+                      fontFamily: "inherit",
+                    }}
+                    aria-label={`Download invoice ${inv.id}`}
+                    aria-busy={downloadingId === inv.id}
+                  >
+                    {downloadingId === inv.id ? (
+                      <Loader2
+                        size={14}
+                        aria-hidden="true"
+                        style={{ animation: "spin 1s linear infinite" }}
+                      />
+                    ) : (
+                      <Download size={14} aria-hidden="true" />
+                    )}
+                    PDF
+                  </button>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+    </section>
+  );
+}
diff --git a/apps/web/src/screens/pricing/PaymentForm.tsx b/apps/web/src/screens/pricing/PaymentForm.tsx
new file mode 100644
index 0000000..5b600c4
--- /dev/null
+++ b/apps/web/src/screens/pricing/PaymentForm.tsx
@@ -0,0 +1,77 @@
+import { useRef } from "react";
+import { PaymentElement, useElements, useStripe } from "@stripe/react-stripe-js";
+import type { PaymentIntentResponse } from "../../lib/api.js";
+
+function dollars(cents: number): string {
+  return "$" + (cents / 100).toLocaleString("en-US");
+}
+
+interface PaymentFormProps {
+  intent: PaymentIntentResponse;
+  onProcessing: () => void;
+  onError: (message: string) => void;
+  onTierSuccess?: () => void;
+  disabled: boolean;
+}
+
+export function PaymentForm({ intent, onProcessing, onError, onTierSuccess, disabled }: PaymentFormProps): JSX.Element {
+  const stripe = useStripe();
+  const elements = useElements();
+  const submitting = useRef(false);
+
+  async function submit(): Promise<void> {
+    if (!stripe || !elements || submitting.current) return;
+    submitting.current = true;
+    onProcessing();
+    const { error } = await stripe.confirmPayment({
+      elements,
+      clientSecret: intent.clientSecret,
+      confirmParams: { return_url: window.location.href },
+      redirect: "if_required",
+    });
+    submitting.current = false;
+    if (error) {
+      onError(error.message ?? "Payment failed");
+      return;
+    }
+    // Tier subscriptions don't fire an SSE entitlement flip — resolve here.
+    onTierSuccess?.();
+  }
+
+  return (
+    <form
+      onSubmit={(e) => {
+        e.preventDefault();
+        void submit();
+      }}
+    >
+      <PaymentElement />
+      <button
+        type="submit"
+        className="button-pop"
+        style={{
+          display: "inline-flex",
+          alignItems: "center",
+          justifyContent: "center",
+          width: "100%",
+          height: 40,
+          padding: "0 var(--space-4)",
+          background: "var(--accent)",
+          color: "var(--bg)",
+          border: "1px solid var(--accent)",
+          borderRadius: "var(--radius-md)",
+          fontFamily: "var(--font-text)",
+          fontSize: "var(--text-sm)",
+          fontWeight: 400,
+          cursor: !stripe || disabled ? "not-allowed" : "pointer",
+          opacity: !stripe || disabled ? 0.45 : 1,
+          marginTop: 16,
+        }}
+        disabled={!stripe || disabled}
+        data-testid="confirm-payment"
+      >
+        {disabled ? "Processing…" : `Pay ${dollars(intent.amountUsdCents)}`}
+      </button>
+    </form>
+  );
+}
diff --git a/apps/web/src/screens/pricing/PricingAddOns.tsx b/apps/web/src/screens/pricing/PricingAddOns.tsx
new file mode 100644
index 0000000..20cf362
--- /dev/null
+++ b/apps/web/src/screens/pricing/PricingAddOns.tsx
@@ -0,0 +1,154 @@
+import { Check } from "lucide-react";
+
+// Phase 8 — add-on cart. Selected add-ons stay highlighted; total is lifted to
+// the parent so it can appear under tier price and be passed into the modal.
+
+export interface AddOnDef {
+  id: string;
+  name: string;
+  priceLabel: string;
+  monthlyCents: number;
+  description: string;
+  mailto: string;
+}
+
+export const ADD_ONS: ReadonlyArray<AddOnDef> = [
+  {
+    id: "negotiation-concierge",
+    name: "Negotiation Concierge",
+    priceLabel: "$10K/quarter",
+    // ~$3.33K/mo equivalent. Concrete monthly cents for the cart sum.
+    monthlyCents: 333_333,
+    description:
+      "Human procurement analyst handles 5 negotiations per quarter end-to-end.",
+    mailto: "hello@unsyphn.com?subject=Negotiation%20Concierge%20add-on",
+  },
+  {
+    id: "grc-bridge",
+    name: "GRC Bridge",
+    priceLabel: "$1,000/mo",
+    monthlyCents: 100_000,
+    description:
+      "Deep two-way Vanta + Drata + OneTrust integration; auto-Trust-Center sync.",
+    mailto: "hello@unsyphn.com?subject=GRC%20Bridge%20add-on",
+  },
+] as const;
+
+interface PricingAddOnsProps {
+  selected: ReadonlySet<string>;
+  onToggle: (id: string) => void;
+}
+
+const S = {
+  section: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-7)",
+  } as React.CSSProperties,
+  h2: {
+    fontFamily: "var(--font-display)",
+    color: "var(--text-strong)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  sm: { fontSize: "var(--text-sm)", color: "var(--text-2)" } as React.CSSProperties,
+  mono500: { fontFamily: "var(--font-mono)", fontWeight: 500 } as React.CSSProperties,
+} as const;
+
+export function PricingAddOns({ selected, onToggle }: PricingAddOnsProps): JSX.Element {
+  return (
+    <section aria-label="Add-ons" style={S.section}>
+      <h2 className="h2" style={S.h2}>Add-ons</h2>
+      <div
+        className="stagger-children"
+        style={{
+          display: "grid",
+          gridTemplateColumns: "repeat(auto-fit, minmax(280px, 1fr))",
+          gap: "var(--space-4)",
+        }}
+      >
+        {ADD_ONS.map((a) => {
+          const isSelected = selected.has(a.id);
+          return (
+            <div
+              key={a.id}
+              className="card glass-strong lift-on-hover"
+              style={{
+                padding: "var(--space-5)",
+                outline: isSelected ? "2px solid var(--accent)" : undefined,
+                transition: "outline-color 100ms",
+              }}
+            >
+              <div
+                style={{
+                  display: "flex",
+                  justifyContent: "space-between",
+                  alignItems: "flex-start",
+                  marginBottom: "var(--space-2)",
+                }}
+              >
+                <h3
+                  style={{
+                    fontFamily: "var(--font-text)",
+                    fontWeight: 600,
+                    fontSize: "var(--text-base)",
+                    margin: 0,
+                    color: "var(--text-strong)",
+                  }}
+                >
+                  {a.name}
+                </h3>
+                <span
+                  style={{
+                    ...S.mono500,
+                    fontSize: "var(--text-sm)",
+                    color: "var(--accent)",
+                    whiteSpace: "nowrap",
+                    marginLeft: "var(--space-3)",
+                  }}
+                >
+                  {a.priceLabel}
+                </span>
+              </div>
+              <p style={{ ...S.sm, margin: "0 0 var(--space-4)", lineHeight: 1.5 }}>
+                {a.description}
+              </p>
+              <div style={{ display: "flex", gap: "var(--space-2)" }}>
+                <button
+                  type="button"
+                  onClick={() => onToggle(a.id)}
+                  className={(isSelected ? "btn btn-primary" : "btn btn-secondary") + " button-pop"}
+                  style={{ flex: 1, justifyContent: "center" }}
+                  aria-pressed={isSelected}
+                  data-testid={`addon-${a.id}`}
+                >
+                  {isSelected ? (
+                    <>
+                      <Check size={14} aria-hidden="true" /> Added
+                    </>
+                  ) : (
+                    "Add to plan"
+                  )}
+                </button>
+                <a
+                  href={`mailto:${a.mailto}`}
+                  className="btn btn-secondary button-pop"
+                  style={{ justifyContent: "center" }}
+                >
+                  Enquire
+                </a>
+              </div>
+            </div>
+          );
+        })}
+      </div>
+    </section>
+  );
+}
+
+export function addOnMonthlyCents(selected: ReadonlySet<string>): number {
+  let total = 0;
+  for (const a of ADD_ONS) {
+    if (selected.has(a.id)) total += a.monthlyCents;
+  }
+  return total;
+}
diff --git a/apps/web/src/screens/pricing/PricingFaq.tsx b/apps/web/src/screens/pricing/PricingFaq.tsx
new file mode 100644
index 0000000..8900ae0
--- /dev/null
+++ b/apps/web/src/screens/pricing/PricingFaq.tsx
@@ -0,0 +1,84 @@
+import { ChevronDown } from "lucide-react";
+
+const FAQ_ITEMS: ReadonlyArray<{ q: string; a: string }> = [
+  {
+    q: "Why no per-seat pricing?",
+    a: "Per-seat pricing penalizes growth — adding a new team member to your SaaS management layer shouldn't cost more money. Flat platform fees let your whole organization use Unsyphn without counting heads.",
+  },
+  {
+    q: "What counts as net savings (Enterprise variable component)?",
+    a: "Net savings are verified reductions in SaaS spend: cancelled unused seats, renegotiated contracts below prior renewal price, and eliminated duplicate tools. We agree on a baseline at contract start and measure delta over 12 months. The 15% variable component is capped at $200K/yr regardless of savings achieved.",
+  },
+  {
+    q: "Where is my data stored?",
+    a: "All plans use US-based infrastructure by default. Enterprise adds EU data residency (separate EU instance, no cross-region replication) for GDPR-sensitive workloads. We publish our sub-processor list on our Trust Center.",
+  },
+  {
+    q: "No-train AI guarantee?",
+    a: "Unsyphn does not train models on customer data today. Should this change, we will provide customers with advance notice. Sensitive operations — clause extraction, Customer Commitments analysis — run on internally-hosted LLMs. Third-party API calls are made only under explicit DPA terms.",
+  },
+] as const;
+
+const S = {
+  section: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-9)",
+  } as React.CSSProperties,
+  h2: {
+    fontFamily: "var(--font-display)",
+    color: "var(--text-strong)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  sm: { fontSize: "var(--text-sm)", color: "var(--text-2)" } as React.CSSProperties,
+} as const;
+
+export function PricingFaq(): JSX.Element {
+  return (
+    <section aria-label="Frequently asked questions" style={S.section}>
+      <h2 className="h2" style={S.h2}>FAQ</h2>
+      <style>{`details[open] .faq-chevron { transform: rotate(180deg); }`}</style>
+      <div className="stagger-children" style={{ display: "flex", flexDirection: "column", gap: "var(--space-2)" }}>
+        {FAQ_ITEMS.map((item) => (
+          <details
+            key={item.q}
+            className="glass-soft row-hover"
+            style={{
+              borderRadius: "var(--radius-md)",
+            }}
+          >
+            <summary
+              style={{
+                listStyle: "none",
+                display: "flex",
+                alignItems: "center",
+                justifyContent: "space-between",
+                padding: "var(--space-4) var(--space-5)",
+                cursor: "pointer",
+                fontWeight: 500,
+                ...S.sm,
+                color: "var(--text-strong)",
+                userSelect: "none",
+              }}
+            >
+              {item.q}
+              <ChevronDown
+                size={16}
+                aria-hidden="true"
+                style={{
+                  color: "var(--text-muted)",
+                  flexShrink: 0,
+                  transition: "transform var(--dur-md) var(--ease-spring)",
+                }}
+                className="faq-chevron"
+              />
+            </summary>
+            <p style={{ padding: "0 var(--space-5) var(--space-4)", ...S.sm, lineHeight: 1.65, margin: 0 }}>
+              {item.a}
+            </p>
+          </details>
+        ))}
+      </div>
+    </section>
+  );
+}
diff --git a/apps/web/src/screens/pricing/PricingMatrix.tsx b/apps/web/src/screens/pricing/PricingMatrix.tsx
new file mode 100644
index 0000000..89904db
--- /dev/null
+++ b/apps/web/src/screens/pricing/PricingMatrix.tsx
@@ -0,0 +1,292 @@
+import { Check, Minus, ChevronDown } from "lucide-react";
+import { TIERS, type TierId } from "./tiers.js";
+
+// Matrix data keyed by TierId so adding tiers later doesn't require touching
+// each row.
+type RowState = boolean | "contact";
+
+interface MatrixRow {
+  feature: string;
+  byTier: Partial<Record<TierId, RowState>>;
+}
+
+interface MatrixSection {
+  label: string;
+  rows: ReadonlyArray<MatrixRow>;
+}
+
+const SECTIONS: ReadonlyArray<MatrixSection> = [
+  {
+    label: "Discovery & Inventory",
+    rows: [
+      {
+        feature: "Google / M365 OAuth discovery",
+        byTier: {
+          discover: true, starter: true, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Unlimited vendor cards",
+        byTier: {
+          discover: false, starter: false, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "OAuth-grant risk scoring",
+        byTier: {
+          discover: false, starter: false, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "AI-predict from domain",
+        byTier: {
+          discover: true, starter: true, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+    ],
+  },
+  {
+    label: "Renewal & Negotiation",
+    rows: [
+      {
+        feature: "Renewal calendar + 30/60/90-day alerts",
+        byTier: {
+          discover: false, starter: false, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "One-click Renegotiation Packet",
+        byTier: {
+          discover: false, starter: false, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Material Change Feed",
+        byTier: {
+          discover: false, starter: false, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Dedicated negotiation analyst",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: false, enterprise: true, custom: true,
+        },
+      },
+    ],
+  },
+  {
+    label: "Risk, Compliance & Audit",
+    rows: [
+      {
+        feature: "Audit log",
+        byTier: {
+          discover: true, starter: true, growth: true, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Sub-processor heatmap",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Customer Commitments extraction",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "Data residency (US / EU)",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: false, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "SCIM provisioning",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: true, enterprise: true, custom: true,
+        },
+      },
+      {
+        feature: "99.9% SLA",
+        byTier: {
+          discover: false, starter: false, growth: false, scale: false, enterprise: true, custom: "contact",
+        },
+      },
+    ],
+  },
+];
+
+const S = {
+  section: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-7)",
+  } as React.CSSProperties,
+  h2: {
+    fontFamily: "var(--font-display)",
+    color: "var(--text-strong)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  sm: { fontSize: "var(--text-sm)", color: "var(--text-2)" } as React.CSSProperties,
+} as const;
+
+// Use a real <table> for accessibility / screen-reader semantics. Tiers form
+// the columns.
+export function PricingMatrix(): JSX.Element {
+  return (
+    <section aria-label="Feature comparison" style={S.section} className="fade-up">
+      <h2 className="h2" style={S.h2}>
+        Feature comparison
+      </h2>
+      <style>{`details[open] .details-chevron { transform: rotate(180deg); }`}</style>
+      {SECTIONS.map((ms) => (
+        <details key={ms.label} className="glass" style={{ marginBottom: "var(--space-3)", borderRadius: "var(--radius-md)" }}>
+          <summary
+            className="button-pop"
+            style={{
+              listStyle: "none",
+              display: "flex",
+              alignItems: "center",
+              justifyContent: "space-between",
+              padding: "var(--space-4) var(--space-5)",
+              borderRadius: "var(--radius-md)",
+              cursor: "pointer",
+              fontWeight: 600,
+              ...S.sm,
+              color: "var(--text-strong)",
+              userSelect: "none",
+            }}
+          >
+            {ms.label}
+            <ChevronDown
+              size={16}
+              aria-hidden="true"
+              style={{
+                color: "var(--text-muted)",
+                transition: "transform var(--dur-md) var(--ease-spring)",
+                flexShrink: 0,
+              }}
+              className="details-chevron"
+            />
+          </summary>
+          <div
+            style={{
+              borderTop: "1px solid var(--border)",
+              borderRadius: "0 0 var(--radius-md) var(--radius-md)",
+              overflow: "auto",
+            }}
+          >
+            <table
+              style={{
+                width: "100%",
+                minWidth: 720,
+                borderCollapse: "collapse",
+                background: "var(--surface)",
+              }}
+            >
+              <thead>
+                <tr style={{ background: "var(--surface-2)" }}>
+                  <th
+                    scope="col"
+                    style={{
+                      padding: "var(--space-2) var(--space-5)",
+                      textAlign: "left",
+                      fontSize: "var(--text-xs)",
+                      color: "var(--text-muted)",
+                      fontWeight: 500,
+                      textTransform: "uppercase",
+                      letterSpacing: "0.05em",
+                      borderBottom: "1px solid var(--border)",
+                    }}
+                  >
+                    Feature
+                  </th>
+                  {TIERS.map((t) => (
+                    <th
+                      key={t.id}
+                      scope="col"
+                      style={{
+                        padding: "var(--space-2) var(--space-3)",
+                        textAlign: "center",
+                        fontSize: "var(--text-xs)",
+                        color: "var(--text-muted)",
+                        fontWeight: 500,
+                        textTransform: "uppercase",
+                        letterSpacing: "0.05em",
+                        borderBottom: "1px solid var(--border)",
+                      }}
+                    >
+                      {t.name}
+                    </th>
+                  ))}
+                </tr>
+              </thead>
+              <tbody>
+                {ms.rows.map((row) => (
+                  <tr key={row.feature} className="row-hover">
+                    <th
+                      scope="row"
+                      style={{
+                        padding: "var(--space-2) var(--space-5)",
+                        textAlign: "left",
+                        fontWeight: 400,
+                        borderBottom: "1px solid var(--border)",
+                        ...S.sm,
+                      }}
+                    >
+                      {row.feature}
+                    </th>
+                    {TIERS.map((t) => {
+                      const state = row.byTier[t.id] ?? false;
+                      return (
+                        <td
+                          key={t.id}
+                          style={{
+                            padding: "var(--space-2) var(--space-3)",
+                            textAlign: "center",
+                            borderBottom: "1px solid var(--border)",
+                          }}
+                          aria-label={
+                            state === "contact"
+                              ? "Contact sales"
+                              : state
+                                ? "Included"
+                                : "Not included"
+                          }
+                        >
+                          {state === "contact" ? (
+                            <span
+                              style={{
+                                fontSize: "var(--text-xs)",
+                                color: "var(--accent)",
+                              }}
+                            >
+                              Contact
+                            </span>
+                          ) : state ? (
+                            <Check
+                              size={14}
+                              aria-hidden="true"
+                              style={{ color: "var(--success)" }}
+                            />
+                          ) : (
+                            <Minus
+                              size={14}
+                              aria-hidden="true"
+                              style={{ color: "var(--text-disabled)" }}
+                            />
+                          )}
+                        </td>
+                      );
+                    })}
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        </details>
+      ))}
+    </section>
+  );
+}
diff --git a/apps/web/src/screens/pricing/PricingRoi.tsx b/apps/web/src/screens/pricing/PricingRoi.tsx
new file mode 100644
index 0000000..6c1627f
--- /dev/null
+++ b/apps/web/src/screens/pricing/PricingRoi.tsx
@@ -0,0 +1,199 @@
+import { useId, useState } from "react";
+import { CountUp } from "../../components/CountUp.js";
+
+// ROI formula — calibrated: 500 employees -> ~291 apps. Numbers held constant
+// with the original Pricing.tsx so the ROI story doesn't shift mid-demo.
+const AVG_APPS_PER_EMP = 0.582;
+const WASTE_RATE = 0.51;
+const AVG_SEAT_COST_MO = 22;
+const GROWTH_PRICE_MO = 1500;
+
+function calcRoi(n: number) {
+  const annualWaste = n * AVG_APPS_PER_EMP * 12 * AVG_SEAT_COST_MO * WASTE_RATE;
+  const recoverableQ1 = annualWaste * 0.25 * 0.6;
+  const annualRecoverable = recoverableQ1 * 4;
+  const paybackWeeks =
+    recoverableQ1 > 0 ? ((GROWTH_PRICE_MO * 12) / recoverableQ1) * 52 : 0;
+  return { annualWaste, recoverableQ1, annualRecoverable, paybackWeeks };
+}
+
+const fmt = (n: number): string =>
+  "$" + Math.round(n).toLocaleString("en-US");
+
+const S = {
+  section: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-7)",
+  } as React.CSSProperties,
+  h2: {
+    fontFamily: "var(--font-display)",
+    color: "var(--text-strong)",
+    marginBottom: "var(--space-4)",
+  } as React.CSSProperties,
+  sm: { fontSize: "var(--text-sm)", color: "var(--text-2)" } as React.CSSProperties,
+  xs: { fontSize: "var(--text-xs)", color: "var(--text-muted)" } as React.CSSProperties,
+  mono500: { fontFamily: "var(--font-mono)", fontWeight: 500 } as React.CSSProperties,
+} as const;
+
+export function PricingRoi(): JSX.Element {
+  const [employees, setEmployees] = useState(500);
+  const sliderId = useId();
+  const roi = calcRoi(employees);
+  // Cap visual progress at $1M so the bar gives a useful sense of scale.
+  const SAVINGS_CAP = 1_000_000;
+  const barPct = Math.min(100, (roi.annualRecoverable / SAVINGS_CAP) * 100);
+
+  return (
+    <section aria-label="ROI calculator" style={S.section}>
+      <div className="card glass-strong lift-on-hover fade-up" style={{ padding: "var(--space-6)" }}>
+        <h2 className="h2" style={{ ...S.h2, marginBottom: "var(--space-5)" }}>
+          ROI calculator
+        </h2>
+        <div style={{ marginBottom: "var(--space-5)" }}>
+          <label
+            htmlFor={sliderId}
+            style={{ display: "flex", justifyContent: "space-between", ...S.sm, marginBottom: "var(--space-2)" }}
+          >
+            <span>Employee count</span>
+            <span style={{ ...S.mono500, color: "var(--text-strong)" }}>
+              {employees.toLocaleString("en-US")}
+            </span>
+          </label>
+          <input
+            id={sliderId}
+            type="range"
+            min={0}
+            max={5000}
+            step={50}
+            value={employees}
+            onChange={(e) => setEmployees(Number(e.target.value))}
+            className="focus-glow"
+            style={{ width: "100%", accentColor: "var(--accent)" }}
+            aria-label="Number of employees"
+          />
+          <div
+            style={{
+              display: "flex",
+              justifyContent: "space-between",
+              ...S.xs,
+              marginTop: "var(--space-1)",
+            }}
+          >
+            <span>0</span>
+            <span>5,000</span>
+          </div>
+        </div>
+        <div
+          aria-live="polite"
+          aria-atomic="true"
+          style={{
+            display: "grid",
+            gridTemplateColumns: "repeat(auto-fit, minmax(180px, 1fr))",
+            gap: "var(--space-4)",
+            marginBottom: "var(--space-5)",
+          }}
+        >
+          <RoiStat
+            label="Avg SaaS apps"
+            value={Math.round(employees * AVG_APPS_PER_EMP).toLocaleString("en-US")}
+          />
+          <RoiStat label="Annual waste" value={fmt(roi.annualWaste)} />
+          <RoiStat label="Recoverable in Q1" value={fmt(roi.recoverableQ1)} />
+          <RoiStat
+            label="Payback on Growth tier"
+            value={roi.paybackWeeks > 0 ? `${Math.round(roi.paybackWeeks)} weeks` : "—"}
+          />
+        </div>
+
+        {/* Annual savings bar */}
+        <div aria-live="polite" style={{ marginBottom: "var(--space-5)" }}>
+          <div
+            style={{
+              display: "flex",
+              justifyContent: "space-between",
+              ...S.sm,
+              marginBottom: "var(--space-2)",
+            }}
+          >
+            <span>Projected annual savings</span>
+            <span style={{ ...S.mono500, color: "var(--success)", transition: "color var(--dur-sm)" }}>
+              <CountUp value={roi.annualRecoverable} format={fmt} durationMs={650} />
+            </span>
+          </div>
+          <div
+            role="progressbar"
+            aria-valuenow={Math.round(roi.annualRecoverable)}
+            aria-valuemin={0}
+            aria-valuemax={SAVINGS_CAP}
+            aria-label="Projected annual savings"
+            style={{
+              height: 8,
+              background: "var(--surface-2)",
+              border: "1px solid var(--border)",
+              borderRadius: "999px",
+              overflow: "hidden",
+            }}
+          >
+            <div
+              style={{
+                width: `${barPct}%`,
+                height: "100%",
+                background:
+                  "linear-gradient(90deg, var(--accent) 0%, var(--success) 100%)",
+                transition: "width 200ms",
+              }}
+            />
+          </div>
+        </div>
+
+        <a
+          href="mailto:deals@unsyphn.com?subject=Talk%20to%20a%20deal%20expert"
+          className="btn btn-secondary button-pop"
+          style={{ justifyContent: "center" }}
+        >
+          Talk to a deal expert
+        </a>
+      </div>
+    </section>
+  );
+}
+
+interface RoiStatProps {
+  label: string;
+  value: string;
+}
+
+function RoiStat({ label, value }: RoiStatProps): JSX.Element {
+  return (
+    <div
+      style={{
+        background: "var(--surface-2)",
+        border: "1px solid var(--border)",
+        borderRadius: "var(--radius-md)",
+        padding: "var(--space-4)",
+      }}
+    >
+      <div
+        style={{
+          ...S.xs,
+          textTransform: "uppercase",
+          letterSpacing: "0.05em",
+          marginBottom: "var(--space-1)",
+        }}
+      >
+        {label}
+      </div>
+      <div
+        style={{
+          ...S.mono500,
+          fontSize: "var(--text-xl)",
+          color: "var(--text-strong)",
+          letterSpacing: "-0.01em",
+        }}
+      >
+        {value}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/pricing/PricingTiers.tsx b/apps/web/src/screens/pricing/PricingTiers.tsx
new file mode 100644
index 0000000..bcb89e8
--- /dev/null
+++ b/apps/web/src/screens/pricing/PricingTiers.tsx
@@ -0,0 +1,172 @@
+import { Check } from "lucide-react";
+import { TIERS, tierDisplay, type BillingCadence, type TierDef } from "./tiers.js";
+
+interface PricingTiersProps {
+  cadence: BillingCadence;
+  onSubscribe: (tier: TierDef) => void;
+}
+
+const S = {
+  grid: {
+    maxWidth: 1240,
+    margin: "0 auto",
+    padding: "0 var(--space-5) var(--space-7)",
+    display: "grid",
+    gridTemplateColumns: "repeat(auto-fit, minmax(200px, 1fr))",
+    gap: "var(--space-3)",
+    alignItems: "stretch",
+  } as React.CSSProperties,
+  card: {
+    padding: "var(--space-5)",
+    display: "flex",
+    flexDirection: "column" as const,
+    position: "relative" as const,
+  },
+  mono500: { fontFamily: "var(--font-mono)", fontWeight: 500 } as React.CSSProperties,
+  sm: { fontSize: "var(--text-sm)", color: "var(--text-2)" } as React.CSSProperties,
+} as const;
+
+export function PricingTiers({ cadence, onSubscribe }: PricingTiersProps): JSX.Element {
+  return (
+    <section aria-label="Pricing tiers" style={S.grid} className="stagger-children">
+      {TIERS.map((tier) => (
+        <TierCard
+          key={tier.id}
+          tier={tier}
+          cadence={cadence}
+          onSubscribe={() => onSubscribe(tier)}
+        />
+      ))}
+    </section>
+  );
+}
+
+interface TierCardProps {
+  tier: TierDef;
+  cadence: BillingCadence;
+  onSubscribe: () => void;
+}
+
+function TierCard({ tier, cadence, onSubscribe }: TierCardProps): JSX.Element {
+  const { price, period } = tierDisplay(tier, cadence);
+
+  function handleCta() {
+    if (tier.ctaAction === "stripe") {
+      onSubscribe();
+      return;
+    }
+    if (tier.ctaAction === "enterprise" || tier.ctaAction === "custom-mailto") {
+      window.location.href = `mailto:${tier.mailto}`;
+      return;
+    }
+    window.location.href = "/app/onboarding";
+  }
+
+  return (
+    <div
+      className="card glass-strong lift-on-hover"
+      style={{
+        ...S.card,
+        outline: tier.recommended ? "2px solid var(--accent)" : undefined,
+      }}
+    >
+      {tier.recommended && (
+        <span
+          className="badge badge-accent"
+          style={{ position: "absolute", top: "var(--space-4)", right: "var(--space-4)" }}
+        >
+          Recommended
+        </span>
+      )}
+      <h3
+        style={{
+          fontFamily: "var(--font-text)",
+          fontWeight: 600,
+          fontSize: "var(--text-base)",
+          color: "var(--text-strong)",
+          margin: "0 0 var(--space-2)",
+        }}
+      >
+        {tier.name}
+      </h3>
+      <div style={{ marginBottom: "var(--space-1)" }}>
+        <span
+          style={{
+            ...S.mono500,
+            fontWeight: 700,
+            fontSize: "var(--text-2xl)",
+            color: "var(--text-strong)",
+            letterSpacing: "-0.02em",
+          }}
+        >
+          {price}
+        </span>
+        {period && (
+          <span
+            style={{
+              fontSize: "var(--text-sm)",
+              color: "var(--text-muted)",
+              marginLeft: "var(--space-1)",
+            }}
+          >
+            {period}
+          </span>
+        )}
+      </div>
+      <p
+        style={{
+          fontSize: "var(--text-xs)",
+          color: "var(--text-muted)",
+          margin: "0 0 var(--space-4)",
+          lineHeight: 1.4,
+        }}
+      >
+        {tier.description}
+      </p>
+      <ul
+        style={{
+          listStyle: "none",
+          padding: 0,
+          margin: "0 0 var(--space-5)",
+          flex: 1,
+          display: "flex",
+          flexDirection: "column",
+          gap: "var(--space-2)",
+        }}
+      >
+        {tier.features.map((f) => (
+          <li
+            key={f}
+            style={{
+              display: "flex",
+              alignItems: "flex-start",
+              gap: "var(--space-2)",
+              ...S.sm,
+              lineHeight: 1.45,
+              transition: "color var(--dur-sm) var(--ease-out)",
+            }}
+          >
+            <Check
+              size={14}
+              aria-hidden="true"
+              style={{ color: "var(--success)", flexShrink: 0, marginTop: 2 }}
+            />
+            {f}
+          </li>
+        ))}
+      </ul>
+      <button
+        type="button"
+        onClick={handleCta}
+        className={
+          (tier.ctaVariant === "primary" ? "btn btn-primary" : "btn btn-secondary") +
+          " button-pop"
+        }
+        style={{ width: "100%", justifyContent: "center" }}
+        data-tier={tier.id}
+      >
+        {tier.cta}
+      </button>
+    </div>
+  );
+}
diff --git a/apps/web/src/screens/pricing/SimulateButton.tsx b/apps/web/src/screens/pricing/SimulateButton.tsx
new file mode 100644
index 0000000..30aa1e0
--- /dev/null
+++ b/apps/web/src/screens/pricing/SimulateButton.tsx
@@ -0,0 +1,17 @@
+const S = {
+  muted: {
+    fontSize: "var(--text-xs)",
+    color: "var(--muted)",
+    margin: "var(--space-3) 0 0",
+    textAlign: "center" as const,
+  },
+} as const;
+
+// Dev-mode hint — actual simulation is triggered via Shift+Enter global keydown handler.
+export function SimulateHint(): JSX.Element {
+  return (
+    <p style={S.muted}>
+      On-stage fallback: press <kbd>Shift</kbd> + <kbd>Enter</kbd> to simulate success.
+    </p>
+  );
+}
diff --git a/apps/web/src/screens/pricing/tiers.ts b/apps/web/src/screens/pricing/tiers.ts
new file mode 100644
index 0000000..32095ee
--- /dev/null
+++ b/apps/web/src/screens/pricing/tiers.ts
@@ -0,0 +1,192 @@
+// Phase 8 — tier registry shared between PricingTiers, PricingMatrix, and the
+// StripeModal launch logic. SKUs match the backend enum in
+// apps/api/src/routes/billing.ts.
+
+export type TierId = "discover" | "starter" | "growth" | "scale" | "enterprise" | "custom";
+export type CtaAction = "onboarding" | "stripe" | "enterprise" | "custom-mailto";
+export type CtaVariant = "primary" | "secondary";
+
+export interface TierDef {
+  id: TierId;
+  name: string;
+  /** Monthly price in USD cents. 0 for free / not-applicable. */
+  monthlyCents: number;
+  /** Some tiers (Enterprise, Custom) don't follow the monthly/annual model. */
+  customPriceLabel?: string;
+  /** Sub-label shown next to the price. */
+  unitLabel: string;
+  description: string;
+  features: ReadonlyArray<string>;
+  cta: string;
+  ctaVariant: CtaVariant;
+  ctaAction: CtaAction;
+  recommended: boolean;
+  /** SKU sent to /v1/billing/payment-intents. */
+  sku?: string;
+  /** mailto link for enterprise/custom CTAs. */
+  mailto?: string;
+}
+
+export const TIERS: ReadonlyArray<TierDef> = [
+  {
+    id: "discover",
+    name: "Discover",
+    monthlyCents: 0,
+    unitLabel: "free forever",
+    description: "PLG funnel, pre-qualification",
+    features: [
+      "Single Google / M365 connection",
+      "Email-metadata + OAuth-grant discovery",
+      "Top-100 vendor cards with benchmark hints",
+      "5 contract uploads",
+      "Slack alerts",
+      "Audit log",
+      "\"Powered by Unsyphn\" footer on shared reports",
+    ],
+    cta: "Start free",
+    ctaVariant: "secondary",
+    ctaAction: "onboarding",
+    recommended: false,
+  },
+  {
+    id: "starter",
+    name: "Starter",
+    monthlyCents: 30_000,
+    unitLabel: "/mo",
+    description: "1–15 employees",
+    features: [
+      "1 connector",
+      "50 vendor cards",
+      "Weekly digest",
+      "Slack alerts",
+      "1 user seat",
+      "Email support",
+    ],
+    cta: "Subscribe",
+    ctaVariant: "secondary",
+    ctaAction: "stripe",
+    sku: "starter",
+    recommended: false,
+  },
+  {
+    id: "growth",
+    name: "Growth",
+    monthlyCents: 150_000,
+    unitLabel: "/mo",
+    description: "50–250 employees",
+    features: [
+      "Material Change Feed",
+      "Unlimited contracts",
+      "Renegotiation packets",
+      "Jira + Slack routing",
+      "3 integrations",
+      "Audit log",
+      "Remove branding",
+    ],
+    cta: "Subscribe",
+    ctaVariant: "secondary",
+    ctaAction: "stripe",
+    sku: "growth",
+    recommended: false,
+  },
+  {
+    id: "scale",
+    name: "Scale",
+    monthlyCents: 350_000,
+    unitLabel: "/mo",
+    description: "250–1,000 employees",
+    features: [
+      "Sub-processor heatmap",
+      "Customer Commitments extraction",
+      "Unlimited integrations",
+      "RBAC + SCIM",
+      "1 dedicated CSM hour/week",
+      "Custom SSO on all paid tiers",
+      "Priority support",
+    ],
+    cta: "Subscribe — most popular",
+    ctaVariant: "primary",
+    ctaAction: "stripe",
+    sku: "scale",
+    recommended: true,
+  },
+  {
+    id: "enterprise",
+    name: "Enterprise",
+    monthlyCents: 0,
+    customPriceLabel: "$30K",
+    unitLabel: "+ 15% of net savings",
+    description: "1,000+ employees · savings capped at $200K/yr",
+    features: [
+      "Data residency (US / EU pinning)",
+      "Custom SSO + dedicated negotiation analyst",
+      "On-prem SIEM webhook",
+      "Audit-mode workspaces",
+      "Private API",
+      "99.9% SLA",
+      "Dedicated analyst",
+    ],
+    cta: "Talk to us",
+    ctaVariant: "secondary",
+    ctaAction: "enterprise",
+    mailto: "enterprise@unsyphn.com",
+    recommended: false,
+  },
+  {
+    id: "custom",
+    name: "Custom",
+    monthlyCents: 0,
+    customPriceLabel: "Contact sales",
+    unitLabel: "",
+    description: "5,000+ employees · multi-region · white-glove",
+    features: [
+      "Data residency in any region",
+      "Dedicated negotiation team",
+      "White-glove onboarding",
+      "Custom SLA & DPAs",
+      "Private cloud / on-prem deploy",
+      "Multi-org consolidation",
+      "Executive QBRs",
+    ],
+    cta: "Contact sales",
+    ctaVariant: "secondary",
+    ctaAction: "custom-mailto",
+    mailto: "custom@unsyphn.com?subject=Custom%20plan%20enquiry",
+    recommended: false,
+  },
+] as const;
+
+export type BillingCadence = "monthly" | "annual";
+
+/** Display price for a tier given monthly/annual toggle.
+ *  Annual = monthly * 0.8 (20% off) shown as "$X/mo billed annually". */
+export function tierDisplay(
+  tier: TierDef,
+  cadence: BillingCadence,
+): { price: string; period: string } {
+  if (tier.customPriceLabel) {
+    return { price: tier.customPriceLabel, period: tier.unitLabel };
+  }
+  if (tier.monthlyCents === 0) {
+    return { price: "$0", period: tier.unitLabel };
+  }
+  if (cadence === "annual") {
+    const monthlyEquiv = Math.round(tier.monthlyCents * 0.8);
+    return {
+      price: "$" + (monthlyEquiv / 100).toLocaleString("en-US"),
+      period: "/mo billed annually",
+    };
+  }
+  return {
+    price: "$" + (tier.monthlyCents / 100).toLocaleString("en-US"),
+    period: tier.unitLabel,
+  };
+}
+
+/** Effective monthly cents the user is subscribed at for the given cadence. */
+export function effectiveCents(tier: TierDef, cadence: BillingCadence): number {
+  if (tier.monthlyCents === 0) return 0;
+  return cadence === "annual"
+    ? Math.round(tier.monthlyCents * 0.8)
+    : tier.monthlyCents;
+}
diff --git a/apps/web/src/styles.css b/apps/web/src/styles.css
deleted file mode 100644
index 876d01f..0000000
--- a/apps/web/src/styles.css
+++ /dev/null
@@ -1,310 +0,0 @@
-:root {
-  color-scheme: dark;
-  --bg: #0b0d10;
-  --panel: #14171d;
-  --panel-2: #1c2028;
-  --line: #262b34;
-  --text: #e8ecf2;
-  --muted: #9aa3b2;
-  --accent: #8b5cf6;
-  --ok: #22c55e;
-  --warn: #f59e0b;
-  --err: #ef4444;
-  --radius: 10px;
-  font-family: -apple-system, BlinkMacSystemFont, "Inter", "Segoe UI", sans-serif;
-}
-
-* { box-sizing: border-box; }
-body { margin: 0; background: var(--bg); color: var(--text); }
-
-.app {
-  max-width: 720px;
-  margin: 0 auto;
-  padding: 40px 24px 80px;
-}
-.app__header {
-  display: flex;
-  align-items: baseline;
-  gap: 16px;
-  margin-bottom: 32px;
-}
-.app__mark {
-  display: block;
-  height: 28px;
-  width: auto;
-}
-.app__crumb { color: var(--muted); }
-
-.card {
-  background: var(--panel);
-  border: 1px solid var(--line);
-  border-radius: var(--radius);
-  padding: 24px;
-}
-.card + .card { margin-top: 16px; }
-.card__title { margin: 0 0 4px; font-size: 18px; font-weight: 600; }
-.card__sub { margin: 0 0 20px; color: var(--muted); font-size: 13px; }
-
-form .field { display: flex; flex-direction: column; gap: 6px; margin-bottom: 16px; }
-form label { font-size: 13px; color: var(--muted); }
-form input,
-form select {
-  background: var(--panel-2);
-  color: var(--text);
-  border: 1px solid var(--line);
-  border-radius: 8px;
-  padding: 10px 12px;
-  font-size: 14px;
-  font-family: inherit;
-}
-form input:focus,
-form select:focus { outline: 2px solid var(--accent); border-color: transparent; }
-form input[aria-invalid="true"],
-form select[aria-invalid="true"] { border-color: var(--err); }
-.field__error { color: var(--err); font-size: 12px; }
-
-.checkboxes { display: flex; flex-wrap: wrap; gap: 12px; }
-.checkbox { display: inline-flex; align-items: center; gap: 6px; font-size: 13px; }
-
-.btn {
-  appearance: none;
-  border: none;
-  border-radius: 8px;
-  padding: 10px 16px;
-  font-size: 14px;
-  font-weight: 500;
-  cursor: pointer;
-  background: var(--accent);
-  color: white;
-}
-.btn[disabled] { opacity: 0.5; cursor: not-allowed; }
-
-.alert { padding: 10px 12px; border-radius: 8px; font-size: 13px; margin-bottom: 12px; }
-.alert--err { background: rgba(239, 68, 68, 0.1); border: 1px solid rgba(239, 68, 68, 0.4); }
-.alert--ok { background: rgba(34, 197, 94, 0.1); border: 1px solid rgba(34, 197, 94, 0.4); }
-
-.stages { display: flex; flex-direction: column; gap: 8px; margin-top: 8px; }
-.stage {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  padding: 8px 12px;
-  border-radius: 6px;
-  background: var(--panel-2);
-  border: 1px solid var(--line);
-  font-size: 13px;
-}
-.stage__label { text-transform: capitalize; }
-.stage__pill {
-  font-size: 11px;
-  padding: 2px 8px;
-  border-radius: 999px;
-  border: 1px solid var(--line);
-  color: var(--muted);
-  text-transform: uppercase;
-  letter-spacing: 0.4px;
-}
-.stage--started .stage__pill { color: var(--warn); border-color: var(--warn); }
-.stage--completed .stage__pill { color: var(--ok); border-color: var(--ok); }
-.stage--failed .stage__pill { color: var(--err); border-color: var(--err); }
-
-.muted { color: var(--muted); font-size: 12px; }
-
-.kv { display: grid; grid-template-columns: 140px 1fr; gap: 4px 12px; font-size: 13px; }
-.kv dt { color: var(--muted); }
-.kv dd { margin: 0; word-break: break-all; }
-
-/* --- Stripe modal --- */
-.btn--ghost {
-  background: transparent;
-  color: var(--text);
-  border: 1px solid var(--line);
-}
-.app__upgrade { margin-left: auto; }
-.app__header { align-items: center; }
-
-.modal-backdrop {
-  position: fixed; inset: 0;
-  background: rgba(0,0,0,0.55);
-  display: flex; align-items: center; justify-content: center;
-  z-index: 50;
-}
-.modal {
-  background: var(--panel);
-  border: 1px solid var(--line);
-  border-radius: var(--radius);
-  width: 100%; max-width: 480px;
-  padding: 24px;
-}
-.modal__header { display: flex; justify-content: space-between; align-items: baseline; margin-bottom: 8px; }
-.modal__title { margin: 0; font-size: 18px; font-weight: 600; }
-.modal__close {
-  appearance: none; border: none; background: transparent;
-  color: var(--muted); font-size: 24px; cursor: pointer; line-height: 1;
-}
-.modal__price { font-size: 28px; font-weight: 600; margin: 12px 0 8px; }
-.modal__hint { margin-top: 16px; font-size: 11px; }
-.modal__hint kbd {
-  background: var(--panel-2);
-  border: 1px solid var(--line);
-  border-radius: 4px;
-  padding: 1px 6px;
-  font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
-  font-size: 11px;
-}
-.features { margin: 0 0 16px; padding-left: 20px; color: var(--muted); font-size: 13px; }
-.features li { margin: 4px 0; }
-
-/* --- Vendor onboarding tier selection --- */
-.tier-grid {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 16px;
-  margin-top: 16px;
-}
-
-@media (max-width: 720px) {
-  .tier-grid {
-    grid-template-columns: 1fr;
-  }
-  .app {
-    max-width: 100%;
-  }
-}
-
-.tier-card {
-  position: relative;
-  background: var(--panel);
-  border: 1px solid var(--line);
-  border-radius: var(--radius);
-  padding: 24px;
-  display: flex;
-  flex-direction: column;
-  cursor: pointer;
-  transition: transform 120ms ease, border-color 120ms ease, box-shadow 120ms ease;
-}
-
-.tier-card:hover:not(.tier-card--selected) {
-  transform: translateY(-2px);
-  border-color: var(--accent);
-}
-
-.tier-card:focus-visible {
-  outline: 2px solid var(--accent);
-  outline-offset: 2px;
-}
-
-.tier-card--recommended {
-  border-color: var(--accent);
-  box-shadow: 0 0 0 1px var(--accent);
-}
-
-.tier-card--selected {
-  border-color: var(--accent);
-  background: linear-gradient(160deg, rgba(139, 92, 246, 0.08) 0%, var(--panel) 60%);
-}
-
-.tier-card__badge {
-  position: absolute;
-  top: -1px;
-  right: 16px;
-  background: var(--accent);
-  color: white;
-  font-size: 10px;
-  font-weight: 600;
-  letter-spacing: 0.6px;
-  text-transform: uppercase;
-  padding: 3px 10px;
-  border-radius: 0 0 6px 6px;
-}
-
-.tier-card__sla {
-  display: inline-block;
-  align-self: flex-start;
-  font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
-  font-size: 11px;
-  font-weight: 600;
-  letter-spacing: 0.8px;
-  text-transform: uppercase;
-  color: var(--accent);
-  border: 1px solid var(--accent);
-  border-radius: 999px;
-  padding: 2px 8px;
-  margin-bottom: 12px;
-}
-
-.tier-card__name {
-  font-size: 18px;
-  font-weight: 600;
-  margin: 0 0 8px;
-}
-
-.tier-card__desc {
-  color: var(--muted);
-  font-size: 13px;
-  line-height: 1.5;
-  margin: 0 0 16px;
-}
-
-.tier-card__price {
-  display: flex;
-  align-items: baseline;
-  gap: 4px;
-  margin-bottom: 16px;
-}
-
-.tier-card__price-amount {
-  font-size: 32px;
-  font-weight: 600;
-  line-height: 1;
-}
-
-.tier-card__price-unit {
-  color: var(--muted);
-  font-size: 13px;
-}
-
-.tier-card__features {
-  list-style: none;
-  padding: 0;
-  margin: 0 0 16px;
-  flex: 1;
-}
-
-.tier-card__features li {
-  position: relative;
-  padding: 8px 0 8px 20px;
-  font-size: 13px;
-  color: var(--muted);
-  border-bottom: 1px solid var(--line);
-}
-
-.tier-card__features li:last-child {
-  border-bottom: none;
-}
-
-.tier-card__features li::before {
-  content: "✓";
-  position: absolute;
-  left: 0;
-  color: var(--accent);
-  font-weight: 600;
-}
-
-.tier-card__cta {
-  width: 100%;
-  margin-top: auto;
-  font-family: inherit;
-}
-
-/* app-mode: hide Halo chrome when React app routes are active */
-body.app-mode .aurora,
-body.app-mode .grain,
-body.app-mode .nav,
-body.app-mode > main:not(.app),
-body.app-mode footer,
-body.app-mode .hero,
-body.app-mode .features,
-body.app-mode .cta-section { display: none !important; }
-
-.field__label--required::after { content: " *"; color: var(--accent); }
diff --git a/apps/web/src/styles/app.css b/apps/web/src/styles/app.css
new file mode 100644
index 0000000..922b88e
--- /dev/null
+++ b/apps/web/src/styles/app.css
@@ -0,0 +1,320 @@
+/* Reset */
+* { box-sizing: border-box; }
+html, body { margin: 0; padding: 0; }
+
+/* Base links */
+a { color: var(--accent); text-decoration: none; }
+a:hover { color: var(--accent-hover); }
+
+/* Selection */
+::selection { background: var(--accent); color: #ffffff; }
+
+/* Global focus ring — WCAG 2.1 AA, keyboard users */
+:focus-visible {
+  outline: none;
+  box-shadow: var(--ring-focus);
+}
+
+/* App-mode: defeat any landing-page paint when on /app/* routes.
+   The Vite index.html still ships the marketing landing markup for /;
+   on app routes we hide every body child except #root so only the
+   React tree paints. */
+body.app-mode {
+  background: var(--bg);
+  color: var(--text);
+}
+body.app-mode > *:not(#root):not(script):not(style):not(:has([role="dialog"])):not(:has([aria-modal="true"])) {
+  display: none !important;
+}
+body.app-mode #root {
+  min-height: 100vh;
+}
+
+/* ---------- Typography utilities ---------- */
+
+/* h1 — screen titles, weight 600 */
+.h1 {
+  font-family: var(--font-display);
+  font-size: var(--text-3xl);
+  font-weight: 600;
+  letter-spacing: -0.025em;
+  line-height: 1.15;
+  margin: 0;
+}
+
+/* h2 — section labels, weight 600 */
+.h2 {
+  font-family: var(--font-display);
+  font-size: var(--text-2xl);
+  font-weight: 600;
+  letter-spacing: -0.020em;
+  line-height: 1.25;
+  margin: 0;
+}
+
+/* h3 — row group titles, weight 500 */
+.h3 {
+  font-family: var(--font-text);
+  font-size: var(--text-xl);
+  font-weight: 500;
+  letter-spacing: normal;
+  line-height: 1.4;
+  margin: 0;
+}
+
+/* lead — introductory body copy */
+.lead {
+  font-size: var(--text-lg);
+  font-weight: 400;
+  color: var(--text-2);
+  line-height: 1.6;
+}
+
+/* ---------- Buttons ---------- */
+
+.btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  gap: var(--space-2);
+  height: 32px;
+  padding: 0 var(--space-4);
+  font-family: var(--font-text);
+  font-size: var(--text-sm);
+  font-weight: 400;
+  border-radius: var(--radius-md);
+  border: 1px solid transparent;
+  cursor: pointer;
+  transition: background var(--dur-sm) var(--ease-out),
+              border-color var(--dur-sm) var(--ease-out),
+              color var(--dur-sm) var(--ease-out),
+              transform var(--dur-sm) var(--ease-spring),
+              box-shadow var(--dur-sm) var(--ease-out);
+  white-space: nowrap;
+  text-decoration: none;
+}
+.btn:hover:not(:disabled):not([aria-disabled="true"]) {
+  transform: translateY(-1px);
+  box-shadow: 0 4px 12px rgba(15,23,42,0.10);
+}
+.btn:active:not(:disabled):not([aria-disabled="true"]) {
+  transform: translateY(0) scale(0.98);
+  transition-duration: var(--dur-xs);
+}
+@media (prefers-reduced-motion: reduce) {
+  .btn:hover:not(:disabled):not([aria-disabled="true"]),
+  .btn:active:not(:disabled):not([aria-disabled="true"]) {
+    transform: none;
+  }
+}
+
+.btn:focus-visible {
+  outline: none;
+  box-shadow: var(--ring-focus);
+}
+
+.btn:disabled,
+.btn[aria-disabled="true"] {
+  opacity: 0.45;
+  cursor: not-allowed;
+  pointer-events: none;
+}
+
+/* Primary — Indigo bg, white text, no gradients */
+.btn-primary {
+  background: var(--accent);
+  color: #ffffff;
+  border-color: var(--accent);
+}
+.btn-primary:hover:not(:disabled) {
+  background: var(--accent-hover);
+  border-color: var(--accent-hover);
+}
+
+/* Secondary — surface bg + border */
+.btn-secondary {
+  background: var(--surface);
+  color: var(--text);
+  border-color: var(--border);
+}
+.btn-secondary:hover:not(:disabled) {
+  background: var(--surface-2);
+  border-color: var(--border-strong);
+}
+
+/* Ghost — transparent */
+.btn-ghost {
+  background: transparent;
+  color: var(--text);
+  border-color: transparent;
+}
+.btn-ghost:hover:not(:disabled) {
+  background: var(--surface-2);
+}
+
+/* ---------- Card ---------- */
+
+.card {
+  background: var(--surface);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-lg);
+  box-shadow: var(--shadow-1);
+  transition: border-color var(--dur-base) var(--ease-out);
+}
+
+.card:hover {
+  border-color: var(--border-strong);
+}
+
+/* ---------- Badges ---------- */
+
+.badge {
+  display: inline-flex;
+  align-items: center;
+  height: 20px;
+  padding: 0 var(--space-2);
+  font-size: var(--text-xs);
+  font-weight: 400;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  border-radius: var(--radius-full);
+  white-space: nowrap;
+}
+
+.badge-accent {
+  background: var(--accent-soft);
+  color: var(--accent);
+}
+
+.badge-success {
+  background: rgba(22, 163, 74, 0.10);
+  color: var(--success);
+}
+
+.badge-warning {
+  background: rgba(217, 119, 6, 0.10);
+  color: var(--warning);
+}
+
+.badge-danger {
+  background: rgba(220, 38, 38, 0.10);
+  color: var(--danger);
+}
+
+.badge-info {
+  background: rgba(14, 165, 233, 0.10);
+  color: var(--info);
+}
+
+.badge-neutral {
+  background: rgba(71, 85, 105, 0.10);
+  color: var(--text-2);
+}
+
+/* ---------- Input ---------- */
+
+.input {
+  height: 34px;
+  padding: 0 var(--space-3);
+  background: var(--surface);
+  color: var(--text);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-md);
+  font-family: var(--font-text);
+  font-size: var(--text-sm);
+  font-weight: 400;
+  transition: border-color var(--dur-fast) var(--ease-out),
+              box-shadow var(--dur-fast) var(--ease-out);
+  width: 100%;
+}
+
+.input::placeholder { color: var(--text-muted); }
+
+.input:focus {
+  outline: none;
+  border-color: var(--accent);
+  box-shadow: var(--ring-focus);
+}
+
+.input[aria-invalid="true"] {
+  border-color: var(--danger);
+}
+
+/* ---------- Hairline ---------- */
+
+.hairline {
+  border: none;
+  border-top: 1px solid var(--border);
+  margin: 0;
+}
+
+@media (min-resolution: 2dppx) {
+  .hairline {
+    border-top-width: 0.5px;
+  }
+}
+
+/* ---------- Print ---------- */
+
+@media print {
+  body {
+    background: #ffffff;
+    color: #000000;
+    font-weight: 400;
+    -webkit-font-smoothing: auto;
+  }
+
+  nav,
+  .nav,
+  .btn,
+  .btn-primary,
+  .btn-secondary,
+  .btn-ghost {
+    display: none !important;
+  }
+
+  a[href]::after {
+    content: " (" attr(href) ")";
+    font-size: 10px;
+    color: #6b7280;
+  }
+}
+
+/* Settings — connector card status dot + spinner */
+@keyframes pulse-dot {
+  0% { box-shadow: 0 0 0 0 rgba(63,207,142,0.55); }
+  70% { box-shadow: 0 0 0 6px rgba(63,207,142,0); }
+  100% { box-shadow: 0 0 0 0 rgba(63,207,142,0); }
+}
+
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+
+.spin {
+  animation: spin 0.9s linear infinite;
+}
+
+/* ---------- Global form-control focus transitions ---------- */
+
+input, textarea, select {
+  transition: border-color var(--dur-sm) var(--ease-out),
+              box-shadow var(--dur-sm) var(--ease-out);
+}
+
+/* ---------- Generic table polish ---------- */
+
+table {
+  border-collapse: separate;
+  border-spacing: 0;
+}
+th {
+  transition: background-color var(--dur-sm) var(--ease-out);
+}
+th:hover {
+  background-color: rgba(15,23,42,0.025);
+}
+tr {
+  transition: background-color var(--dur-sm) var(--ease-out),
+              transform var(--dur-sm) var(--ease-out);
+}
diff --git a/apps/web/src/styles/brief.css b/apps/web/src/styles/brief.css
index 44f191a..29804e2 100644
--- a/apps/web/src/styles/brief.css
+++ b/apps/web/src/styles/brief.css
@@ -1,181 +1,337 @@
-/* Public evidence brief styling — readable in browser, printable to PDF.
-   Intentionally has no app chrome (no header, no nav, no auth-only CSS). */
+/* Public evidence brief — screen: dark Slate tokens. Print: white + black. */
 
 .brief {
   max-width: 820px;
   margin: 0 auto;
-  padding: 48px 28px 80px;
-  font-family: -apple-system, BlinkMacSystemFont, "Inter", "Segoe UI", sans-serif;
-  color: #1a1d23;
-  background: #ffffff;
+  padding: var(--space-8) var(--space-6) var(--space-9);
+  font-family: var(--font-text);
+  font-size: var(--text-base);
+  color: var(--text);
+  background: var(--bg);
   line-height: 1.55;
+  font-weight: 300;
 }
 
 .brief__header {
-  border-bottom: 1px solid #e3e6ea;
-  padding-bottom: 18px;
-  margin-bottom: 28px;
+  border-bottom: 1px solid var(--border);
+  padding-bottom: var(--space-5);
+  margin-bottom: var(--space-6);
+  display: flex;
+  flex-direction: column;
+  gap: var(--space-2);
+}
+
+.brief__header-top {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  gap: var(--space-4);
+  flex-wrap: wrap;
 }
+
 .brief__eyebrow {
-  font-size: 11px;
+  font-size: var(--text-xs);
   text-transform: uppercase;
-  letter-spacing: 1.2px;
-  color: #6b7280;
+  letter-spacing: 0.08em;
+  color: var(--muted);
+  margin: 0;
+  font-weight: 400;
 }
+
 .brief__title {
-  margin: 6px 0 4px;
-  font-size: 26px;
-  font-weight: 600;
-  line-height: 1.25;
+  margin: 0;
+  font-size: var(--text-2xl);
+  font-weight: 200;
+  letter-spacing: -0.035em;
+  color: var(--text-strong);
+  line-height: 1.2;
 }
+
 .brief__meta {
-  font-size: 13px;
-  color: #6b7280;
+  font-size: var(--text-xs);
+  color: var(--text-2);
+  margin: 0;
 }
+
 .brief__meta strong {
-  color: #1a1d23;
-  font-weight: 500;
+  color: var(--text);
+  font-weight: 400;
 }
 
 .brief__severity {
-  display: inline-block;
-  padding: 4px 10px;
-  border-radius: 999px;
-  font-size: 12px;
-  font-weight: 600;
-  letter-spacing: 0.5px;
-  margin-bottom: 12px;
-}
-.brief__severity--P1 { background: #fee2e2; color: #991b1b; }
-.brief__severity--P2 { background: #ffedd5; color: #9a3412; }
-.brief__severity--P3 { background: #dcfce7; color: #166534; }
+  display: inline-flex;
+  align-items: center;
+  height: 22px;
+  padding: 0 var(--space-2);
+  border-radius: var(--radius-full);
+  font-size: var(--text-xs);
+  font-weight: 400;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  white-space: nowrap;
+}
+
+.brief__severity--P1 { background: rgba(244,113,116,0.12); color: var(--danger); }
+.brief__severity--P2 { background: rgba(245,196,74,0.12);  color: var(--warning); }
+.brief__severity--P3 { background: rgba(63,207,142,0.12);  color: var(--success); }
+
+.btn-bundle {
+  display: inline-flex;
+  align-items: center;
+  gap: var(--space-2);
+  height: 32px;
+  padding: 0 var(--space-4);
+  background: var(--accent);
+  color: var(--bg);
+  border: 1px solid var(--accent);
+  border-radius: var(--radius-md);
+  font-family: var(--font-text);
+  font-size: var(--text-sm);
+  font-weight: 400;
+  cursor: pointer;
+  text-decoration: none;
+  white-space: nowrap;
+  transition: background var(--dur-fast) var(--ease-out);
+}
+
+.btn-bundle:hover {
+  background: var(--accent-hover);
+  border-color: var(--accent-hover);
+  color: var(--bg);
+}
+
+.btn-bundle:focus-visible {
+  outline: none;
+  box-shadow: var(--ring-focus);
+}
 
 .brief__section {
-  margin: 32px 0;
+  margin: var(--space-7) 0;
 }
+
 .brief__section h2 {
-  font-size: 14px;
-  font-weight: 600;
+  font-size: var(--text-xs);
+  font-weight: 400;
   text-transform: uppercase;
-  letter-spacing: 0.8px;
-  color: #6b7280;
-  margin: 0 0 12px;
+  letter-spacing: 0.08em;
+  color: var(--muted);
+  margin: 0 0 var(--space-3);
 }
 
 .brief__policy {
-  background: #f4f6fa;
-  border: 1px solid #e3e6ea;
-  border-radius: 8px;
-  padding: 14px 18px;
+  background: var(--surface-2);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-md);
+  padding: var(--space-4) var(--space-5);
 }
+
 .brief__policy strong {
   display: block;
-  font-size: 15px;
-  margin-bottom: 4px;
+  font-size: var(--text-base);
+  font-weight: 400;
+  color: var(--text-strong);
+  margin-bottom: var(--space-1);
 }
+
+.brief__policy .brief__meta {
+  font-size: var(--text-xs);
+  color: var(--muted);
+}
+
 .brief__policy-also {
-  margin-top: 12px;
-  font-size: 12px;
-  color: #6b7280;
+  margin-top: var(--space-3);
+  font-size: var(--text-xs);
+  color: var(--text-2);
 }
 
 .change {
-  margin-bottom: 24px;
-  padding: 18px 20px;
-  border: 1px solid #e3e6ea;
-  border-radius: 8px;
+  margin-bottom: var(--space-5);
+  padding: var(--space-5);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-md);
+  background: var(--surface);
+  transition: border-color var(--dur-base) var(--ease-out);
 }
+
+.change:hover { border-color: var(--border-strong); }
+
 .change__category {
-  font-size: 11px;
+  font-size: var(--text-xs);
   text-transform: uppercase;
-  letter-spacing: 1px;
-  color: #6b7280;
-  margin-bottom: 6px;
+  letter-spacing: 0.08em;
+  color: var(--muted);
+  margin-bottom: var(--space-2);
+  margin-top: 0;
 }
+
 .change__summary {
-  font-size: 16px;
-  font-weight: 600;
-  margin: 0 0 12px;
+  font-size: var(--text-lg);
+  font-weight: 300;
+  color: var(--text-strong);
+  margin: 0 0 var(--space-3);
 }
+
 .change__diff {
   display: grid;
   grid-template-columns: 1fr 1fr;
-  gap: 12px;
-  margin-bottom: 12px;
-  font-size: 13px;
+  gap: var(--space-3);
+  margin-bottom: var(--space-3);
+  font-size: var(--text-sm);
 }
+
+@media (max-width: 600px) {
+  .change__diff { grid-template-columns: 1fr; }
+}
+
 .change__diff > div {
-  padding: 10px 12px;
-  border-radius: 6px;
-  background: #f4f6fa;
+  padding: var(--space-3) var(--space-3);
+  border-radius: var(--radius-sm);
+  background: var(--surface-2);
+  color: var(--text);
+}
+
+.change__before { border-left: 2px solid var(--warning); }
+.change__after  { border-left: 2px solid var(--success); }
+
+.change__diff em {
+  color: var(--muted);
+  font-style: normal;
+  display: block;
+  font-size: var(--text-xs);
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  margin-bottom: var(--space-1);
+  font-weight: 400;
 }
-.change__before { border-left: 3px solid #f59e0b; }
-.change__after  { border-left: 3px solid #16a34a; }
-.change__diff em { color: #6b7280; font-style: normal; display: block; font-size: 11px; text-transform: uppercase; letter-spacing: 0.6px; margin-bottom: 4px; }
 
 .change__impact {
-  font-size: 13px;
-  color: #6b7280;
-  margin-bottom: 12px;
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  margin-bottom: var(--space-3);
 }
-.change__impact strong { color: #1a1d23; }
+
+.change__impact strong { color: var(--text); font-weight: 400; }
 
 .citation {
-  border-left: 3px solid #1a1d23;
-  padding: 8px 14px;
-  margin: 8px 0;
-  background: #fbfbfc;
-  font-size: 13px;
+  border-left: 2px solid var(--border-strong);
+  padding: var(--space-2) var(--space-4);
+  margin: var(--space-2) 0;
+  background: var(--surface-2);
+  border-radius: 0 var(--radius-sm) var(--radius-sm) 0;
+  font-size: var(--text-sm);
 }
+
 .citation__quote {
   font-style: italic;
-  margin: 0 0 6px;
+  color: var(--text);
+  margin: 0 0 var(--space-1);
 }
+
 .citation__meta {
-  font-size: 11px;
-  color: #6b7280;
+  font-size: var(--text-xs);
+  color: var(--muted);
+  margin: 0;
 }
-.citation__meta a { color: #2563eb; text-decoration: none; }
-.citation__meta a:hover { text-decoration: underline; }
+
+.citation__meta a {
+  color: var(--accent);
+  text-decoration: none;
+}
+
+.citation__meta a:hover { color: var(--accent-hover); text-decoration: underline; }
 
 .actions {
   list-style: none;
   padding: 0;
   margin: 0;
 }
+
 .actions li {
-  padding: 8px 0;
-  border-bottom: 1px solid #e3e6ea;
-  font-size: 13px;
+  padding: var(--space-3) 0;
+  border-bottom: 1px solid var(--hairline);
+  font-size: var(--text-sm);
   display: flex;
   justify-content: space-between;
-  gap: 12px;
+  gap: var(--space-3);
+  color: var(--text);
 }
+
 .actions li:last-child { border-bottom: none; }
-.actions__empty { color: #6b7280; font-size: 13px; font-style: italic; }
+.actions__empty { color: var(--muted); font-size: var(--text-sm); font-style: italic; }
 
 .brief__footer {
-  margin-top: 48px;
-  padding-top: 16px;
-  border-top: 1px solid #e3e6ea;
-  font-size: 11px;
-  color: #6b7280;
+  margin-top: var(--space-8);
+  padding-top: var(--space-4);
+  border-top: 1px solid var(--hairline);
+  font-size: var(--text-xs);
+  color: var(--muted);
   text-align: center;
+  letter-spacing: 0.02em;
 }
 
 .brief--not-found {
   text-align: center;
   padding-top: 96px;
 }
-.brief--not-found h1 { font-size: 22px; margin-bottom: 8px; }
-.brief--not-found p { color: #6b7280; }
 
+.brief--not-found h1 {
+  font-size: var(--text-2xl);
+  font-weight: 200;
+  color: var(--text-strong);
+  margin-bottom: var(--space-3);
+}
+
+.brief--not-found p { color: var(--text-2); }
+
+/* Print — white bg, black text, no chrome */
 @media print {
   body { background: #ffffff; }
-  .brief { padding: 24px 16px; max-width: none; }
+
+  .brief {
+    padding: 24px 16px;
+    max-width: none;
+    background: #ffffff;
+    color: #111111;
+  }
+
+  .brief__header { border-bottom-color: #ccc; }
+  .brief__eyebrow { color: #555; }
+  .brief__title { color: #000; }
+  .brief__meta { color: #555; }
+  .brief__meta strong { color: #111; }
+
+  .brief__severity--P1 { background: #fee2e2; color: #991b1b; }
+  .brief__severity--P2 { background: #ffedd5; color: #9a3412; }
+  .brief__severity--P3 { background: #dcfce7; color: #166534; }
+
+  .btn-bundle { display: none !important; }
+
+  .brief__policy { background: #f4f6fa; border-color: #ddd; }
+  .brief__policy strong { color: #111; }
+
+  .change { background: #fff; border-color: #ddd; }
+  .change__summary { color: #000; }
+  .change__category { color: #555; }
+  .change__diff > div { background: #f4f6fa; }
+  .change__before { border-left-color: #d97706; }
+  .change__after  { border-left-color: #16a34a; }
+  .change__diff em { color: #666; }
+  .change__impact { color: #555; }
+  .change__impact strong { color: #111; }
+
+  .citation { background: #fafafa; border-left-color: #bbb; }
+  .citation__quote { color: #222; }
+  .citation__meta { color: #666; }
+  .citation__meta a { color: #1d4ed8; }
+
+  .actions li { border-bottom-color: #eee; color: #111; }
+  .actions__empty { color: #777; }
+  .brief__footer { color: #777; border-top-color: #ccc; }
+
   .brief__header { page-break-after: avoid; }
   .change { page-break-inside: avoid; }
   .citation { page-break-inside: avoid; }
   .actions li { page-break-inside: avoid; }
-  a[href]::after { content: " (" attr(href) ")"; font-size: 10px; color: #6b7280; }
+
+  a[href]::after { content: " (" attr(href) ")"; font-size: 9pt; color: #666; }
 }
diff --git a/apps/web/src/styles/polish.css b/apps/web/src/styles/polish.css
new file mode 100644
index 0000000..ab9ebee
--- /dev/null
+++ b/apps/web/src/styles/polish.css
@@ -0,0 +1,253 @@
+/* ============================================================
+   POLISH — design system layer (Wave 1)
+   ============================================================ */
+
+:root {
+  /* — Cursor-driven aurora drift (App.tsx writes to <html> while in-app) — */
+  --cursor-x: 0.5;
+  --cursor-y: 0.5;
+
+  /* — Motion durations — */
+  --dur-xs:  120ms;
+  --dur-sm:  180ms;
+  --dur-md:  280ms;
+  --dur-lg:  420ms;
+  --dur-xl:  640ms;
+
+  /* — Easings — */
+  --ease-spring: cubic-bezier(0.34, 1.45, 0.64, 1);  /* overshoot delight */
+  --ease-out:    cubic-bezier(0.22, 1, 0.36, 1);      /* natural decel */
+  --ease-snap:   cubic-bezier(0.7, 0, 0.3, 1);        /* crisp toggle */
+  --ease-in-out: cubic-bezier(0.65, 0, 0.35, 1);      /* symmetrical */
+
+  /* — Glass surfaces — three intensities — */
+  --glass-soft-bg:    rgba(255,255,255,0.50);
+  --glass-mid-bg:     rgba(255,255,255,0.62);
+  --glass-strong-bg:  rgba(255,255,255,0.78);
+  --glass-border:     rgba(255,255,255,0.55);
+  --glass-border-dim: rgba(15,23,42,0.06);
+  --glass-blur:       28px;
+  --glass-shadow:
+    0 12px 32px rgba(15,23,42,0.08),
+    0 2px 6px rgba(15,23,42,0.05),
+    inset 0 1px 0 rgba(255,255,255,0.65);
+  --glass-shadow-lift:
+    0 20px 48px rgba(15,23,42,0.14),
+    0 4px 12px rgba(15,23,42,0.08),
+    inset 0 1px 0 rgba(255,255,255,0.75);
+
+  /* — Aurora palette (lighter than landing for in-app readability) — */
+  --aurora-1: rgba(91,160,240,0.20);
+  --aurora-2: rgba(43,202,232,0.16);
+  --aurora-3: rgba(255,149,64,0.14);
+  --aurora-4: rgba(160,151,216,0.18);
+  --aurora-5: rgba(244,102,136,0.10);
+}
+
+/* ============================================================
+   GLOBAL: in-app body gets a soft aurora gradient so glass
+   surfaces have something to blur through. Public pages already
+   have their own aurora via public.css.
+   ============================================================ */
+
+body.app-mode {
+  background:
+    radial-gradient(48vmax 48vmax at calc(12% + (var(--cursor-x) - 0.5) * 6%) calc(8% + (var(--cursor-y) - 0.5) * 4%),   var(--aurora-1), transparent 60%),
+    radial-gradient(40vmax 40vmax at calc(88% - (var(--cursor-x) - 0.5) * 5%) calc(14% + (var(--cursor-y) - 0.5) * 4%),  var(--aurora-2), transparent 60%),
+    radial-gradient(36vmax 36vmax at calc(80% - (var(--cursor-x) - 0.5) * 4%) calc(92% - (var(--cursor-y) - 0.5) * 5%),  var(--aurora-3), transparent 60%),
+    radial-gradient(42vmax 42vmax at calc(8% + (var(--cursor-x) - 0.5) * 5%) calc(86% - (var(--cursor-y) - 0.5) * 4%),   var(--aurora-4), transparent 60%),
+    #FBFBFD;
+  background-attachment: fixed;
+}
+
+/* Fixed grain overlay for in-app — subtle texture (uses the same SVG pattern as landing) */
+body.app-mode::before {
+  content: "";
+  position: fixed;
+  inset: 0;
+  pointer-events: none;
+  z-index: 1;
+  opacity: 0.04;
+  mix-blend-mode: overlay;
+  background-image: url("data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='220' height='220'><filter id='n'><feTurbulence type='fractalNoise' baseFrequency='0.85' numOctaves='2' stitchTiles='stitch'/></filter><rect width='100%25' height='100%25' filter='url(%23n)' opacity='0.9'/></svg>");
+}
+
+/* Make sure app-content sits ABOVE the aurora + grain */
+body.app-mode .app-content,
+body.app-mode .topbar { position: relative; z-index: 2; }
+
+/* ============================================================
+   GLASS UTILITIES
+   ============================================================ */
+
+.glass {
+  background: var(--glass-mid-bg);
+  backdrop-filter: blur(var(--glass-blur)) saturate(180%);
+  -webkit-backdrop-filter: blur(var(--glass-blur)) saturate(180%);
+  border: 1px solid var(--glass-border);
+  box-shadow: var(--glass-shadow);
+}
+
+.glass-soft   { background: var(--glass-soft-bg);   backdrop-filter: blur(20px) saturate(160%); -webkit-backdrop-filter: blur(20px) saturate(160%); border: 1px solid var(--glass-border); box-shadow: 0 6px 18px rgba(15,23,42,0.06); }
+.glass-strong { background: var(--glass-strong-bg); backdrop-filter: blur(32px) saturate(200%); -webkit-backdrop-filter: blur(32px) saturate(200%); border: 1px solid var(--glass-border); box-shadow: var(--glass-shadow); }
+
+/* ============================================================
+   HOVER UTILITIES
+   ============================================================ */
+
+.lift-on-hover {
+  transition:
+    transform var(--dur-md) var(--ease-spring),
+    box-shadow var(--dur-md) var(--ease-out),
+    filter var(--dur-md) var(--ease-out);
+  will-change: transform;
+}
+.lift-on-hover:hover {
+  transform: translateY(-3px);
+  box-shadow: var(--glass-shadow-lift);
+  filter: brightness(1.02);
+}
+
+.row-hover {
+  transition:
+    background-color var(--dur-sm) var(--ease-out),
+    transform var(--dur-sm) var(--ease-out);
+}
+.row-hover:hover {
+  background-color: rgba(15,23,42,0.025);
+  transform: translateX(2px);
+}
+
+.button-pop {
+  transition:
+    transform var(--dur-sm) var(--ease-spring),
+    box-shadow var(--dur-sm) var(--ease-out),
+    background-color var(--dur-sm) var(--ease-out);
+}
+.button-pop:hover {
+  transform: translateY(-1px);
+  box-shadow: 0 8px 20px rgba(15,23,42,0.12);
+}
+.button-pop:active {
+  transform: translateY(0) scale(0.98);
+  transition-duration: var(--dur-xs);
+}
+
+.icon-spin-on-hover { transition: transform var(--dur-md) var(--ease-spring); }
+.icon-spin-on-hover:hover { transform: rotate(12deg); }
+
+/* ============================================================
+   ENTRANCE ANIMATIONS
+   ============================================================ */
+
+@keyframes fade-up {
+  from { opacity: 0; transform: translateY(8px); }
+  to   { opacity: 1; transform: translateY(0); }
+}
+@keyframes fade-in {
+  from { opacity: 0; } to { opacity: 1; }
+}
+@keyframes scale-in {
+  from { opacity: 0; transform: scale(0.96); }
+  to   { opacity: 1; transform: scale(1); }
+}
+@keyframes slide-in-right {
+  from { opacity: 0; transform: translateX(24px); }
+  to   { opacity: 1; transform: translateX(0); }
+}
+@keyframes shimmer {
+  0% { background-position: -200% 0; }
+  100% { background-position: 200% 0; }
+}
+
+.fade-up   { animation: fade-up   var(--dur-lg) var(--ease-out) both; }
+.fade-in   { animation: fade-in   var(--dur-md) var(--ease-out) both; }
+.scale-in  { animation: scale-in  var(--dur-md) var(--ease-spring) both; }
+.slide-in-right { animation: slide-in-right var(--dur-md) var(--ease-out) both; }
+
+/* Whole in-app surface fades in on route mount. Keeps nav perceived snappy. */
+.app-content { animation: fade-in var(--dur-lg) var(--ease-out) both; }
+
+/* Soft heartbeat — for live-sync indicators inside the app surface only. */
+@keyframes pulse-soft {
+  0%, 100% { opacity: 0.7; transform: scale(1); }
+  50%       { opacity: 1;   transform: scale(1.15); }
+}
+.pulse-soft {
+  animation: pulse-soft 1.8s var(--ease-in-out) infinite;
+  transform-origin: center;
+}
+
+/* Stagger children of a container — apply to a list, animates each child */
+.stagger-children > * {
+  animation: fade-up var(--dur-lg) var(--ease-out) both;
+}
+.stagger-children > *:nth-child(1)  { animation-delay:  0ms; }
+.stagger-children > *:nth-child(2)  { animation-delay: 40ms; }
+.stagger-children > *:nth-child(3)  { animation-delay: 80ms; }
+.stagger-children > *:nth-child(4)  { animation-delay: 120ms; }
+.stagger-children > *:nth-child(5)  { animation-delay: 160ms; }
+.stagger-children > *:nth-child(6)  { animation-delay: 200ms; }
+.stagger-children > *:nth-child(7)  { animation-delay: 240ms; }
+.stagger-children > *:nth-child(8)  { animation-delay: 280ms; }
+.stagger-children > *:nth-child(9)  { animation-delay: 320ms; }
+.stagger-children > *:nth-child(10) { animation-delay: 360ms; }
+.stagger-children > *:nth-child(n+11) { animation-delay: 400ms; }
+
+/* ============================================================
+   TOPBAR — scroll lift shadow
+   ============================================================ */
+
+.topbar {
+  transition: box-shadow var(--dur-md) var(--ease-out);
+}
+.topbar-scrolled {
+  box-shadow: 0 4px 16px rgba(15,23,42,0.06);
+}
+
+/* ============================================================
+   FORM FOCUS
+   ============================================================ */
+
+.focus-glow:focus-visible {
+  outline: none;
+  box-shadow:
+    0 0 0 3px rgba(94,106,210,0.18),
+    0 0 0 1px #5E6AD2;
+  border-color: #5E6AD2;
+  transition: box-shadow var(--dur-sm) var(--ease-out), border-color var(--dur-sm) var(--ease-out);
+}
+
+/* ============================================================
+   SKELETON SHIMMER (used in Wave 4 for loading states)
+   ============================================================ */
+
+.skeleton {
+  background: linear-gradient(90deg, rgba(15,23,42,0.04) 0%, rgba(15,23,42,0.08) 50%, rgba(15,23,42,0.04) 100%);
+  background-size: 200% 100%;
+  animation: shimmer 1.4s linear infinite;
+  border-radius: 8px;
+}
+
+/* ============================================================
+   PREFERS-REDUCED-MOTION — kill all motion, keep visuals
+   ============================================================ */
+
+@media (prefers-reduced-motion: reduce) {
+  :root {
+    --dur-xs: 0ms;
+    --dur-sm: 0ms;
+    --dur-md: 0ms;
+    --dur-lg: 0ms;
+    --dur-xl: 0ms;
+  }
+  .fade-up, .fade-in, .scale-in, .slide-in-right,
+  .stagger-children > *,
+  .skeleton, .app-content, .pulse-soft {
+    animation: none !important;
+  }
+  .lift-on-hover:hover, .row-hover:hover, .button-pop:hover, .button-pop:active,
+  .icon-spin-on-hover:hover {
+    transform: none !important;
+  }
+}
diff --git a/apps/web/src/styles/public.css b/apps/web/src/styles/public.css
new file mode 100644
index 0000000..9120b3f
--- /dev/null
+++ b/apps/web/src/styles/public.css
@@ -0,0 +1,347 @@
+/* Shared public-marketing-page styles — kept in sync with index.html aesthetic */
+
+.public-page {
+  position: relative;
+  min-height: 100vh;
+  background: #FFFFFF;
+  color: #0f172a;
+  font-family: var(--font-display);
+  overflow-x: hidden;
+}
+
+.public-aurora {
+  position: fixed;
+  inset: 0;
+  z-index: 0;
+  pointer-events: none;
+  background:
+    radial-gradient(38vmax 38vmax at  8% 12%, rgba(91,160,240,.22), transparent 60%),
+    radial-gradient(34vmax 34vmax at 92% 18%, rgba(43,202,232,.18), transparent 60%),
+    radial-gradient(30vmax 30vmax at 78% 88%, rgba(255,149,64,.16), transparent 60%),
+    radial-gradient(36vmax 36vmax at 12% 86%, rgba(160,151,216,.20), transparent 60%);
+  background-attachment: fixed;
+  filter: saturate(115%);
+}
+
+.public-grain {
+  position: fixed;
+  inset: -50%;
+  z-index: 1;
+  pointer-events: none;
+  opacity: .04;
+  mix-blend-mode: overlay;
+  background-image: url("data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='220' height='220'><filter id='n'><feTurbulence type='fractalNoise' baseFrequency='0.85' numOctaves='2' stitchTiles='stitch'/></filter><rect width='100%25' height='100%25' filter='url(%23n)' opacity='0.9'/></svg>");
+}
+
+.public-nav {
+  position: sticky;
+  top: 0;
+  left: 0;
+  right: 0;
+  z-index: 50;
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 18px 28px;
+  font-family: var(--font-display);
+  font-size: 12px;
+  letter-spacing: .10em;
+  text-transform: uppercase;
+  color: #0f172a;
+  font-weight: 500;
+  background: rgba(255,255,255,0.72);
+  backdrop-filter: blur(20px) saturate(180%);
+  border-bottom: 1px solid rgba(15,23,42,0.06);
+}
+
+.public-nav .brand {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  text-decoration: none;
+  color: inherit;
+}
+
+.public-nav .brand img {
+  display: block;
+  width: 48px;
+  height: 32px;
+  object-fit: contain;
+}
+
+.public-nav .brand span {
+  font-size: 13px;
+  letter-spacing: .16em;
+  font-weight: 600;
+}
+
+.public-nav ul {
+  list-style: none;
+  display: flex;
+  gap: 28px;
+  margin: 0;
+  padding: 0;
+}
+
+.public-nav a {
+  color: #334155;
+  text-decoration: none;
+  opacity: .85;
+  transition: opacity .2s, color .2s;
+}
+
+.public-nav a:hover { opacity: 1; color: #0f172a; }
+.public-nav a.is-active { color: #0f172a; opacity: 1; }
+
+.public-nav .cta {
+  padding: 8px 14px;
+  border-radius: 999px;
+  background: #0f172a;
+  border: 1px solid #0f172a;
+  color: #fff;
+  font-family: var(--font-display);
+  font-weight: 500;
+  letter-spacing: .06em;
+  transition: background .15s, transform .15s;
+}
+
+.public-nav .cta:hover { background: #1e293b; transform: translateY(-1px); }
+
+.public-main {
+  position: relative;
+  z-index: 2;
+  max-width: 920px;
+  margin: 0 auto;
+  padding: 64px 28px 96px;
+}
+
+.public-hero {
+  padding-top: 24px;
+  padding-bottom: 56px;
+  border-bottom: 1px solid rgba(15,23,42,0.08);
+  margin-bottom: 56px;
+}
+
+.public-hero h1 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: clamp(34px, 5.2vw, 56px);
+  line-height: 1.04;
+  letter-spacing: -0.025em;
+  color: #0f172a;
+  margin: 0 0 18px;
+  text-wrap: balance;
+}
+
+.public-hero p.lead {
+  font-family: var(--font-display);
+  font-size: clamp(15px, 1.4vw, 18px);
+  line-height: 1.6;
+  color: #475569;
+  max-width: 60ch;
+  margin: 0;
+}
+
+.public-section {
+  margin-bottom: 56px;
+}
+
+.public-section h2 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: clamp(22px, 2.4vw, 28px);
+  letter-spacing: -0.02em;
+  color: #0f172a;
+  margin: 0 0 18px;
+}
+
+.public-section p {
+  color: #475569;
+  line-height: 1.65;
+  margin: 0 0 14px;
+  max-width: 62ch;
+  font-size: 15px;
+}
+
+.public-section p:last-child { margin-bottom: 0; }
+.public-section a { color: #5E6AD2; text-decoration: none; }
+.public-section a:hover { text-decoration: underline; }
+
+.public-card {
+  background: rgba(255,255,255,0.94);
+  border: 1px solid rgba(15,23,42,0.08);
+  border-radius: 14px;
+  padding: 24px;
+  box-shadow: 0 6px 20px rgba(15,23,42,0.06);
+  backdrop-filter: blur(24px) saturate(180%);
+}
+
+.public-card h3 {
+  font-family: var(--font-display);
+  font-weight: 600;
+  font-size: 16px;
+  letter-spacing: -0.01em;
+  color: #0f172a;
+  margin: 0 0 8px;
+}
+
+.public-card p {
+  font-size: 14px;
+  line-height: 1.55;
+  color: #475569;
+  margin: 0 0 12px;
+}
+
+.public-card a {
+  font-size: 13px;
+  font-weight: 500;
+  color: #5E6AD2;
+  text-decoration: none;
+}
+
+.public-card a:hover { text-decoration: underline; }
+
+.public-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
+  gap: 16px;
+}
+
+.public-form {
+  display: flex;
+  flex-direction: column;
+  gap: 14px;
+  max-width: 520px;
+}
+
+.public-form label {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  font-size: 13px;
+  font-weight: 500;
+  color: #0f172a;
+  font-family: var(--font-display);
+}
+
+.public-form input,
+.public-form select,
+.public-form textarea {
+  font-family: var(--font-display);
+  font-size: 14px;
+  padding: 10px 12px;
+  border-radius: 8px;
+  border: 1px solid rgba(15,23,42,0.12);
+  background: #ffffff;
+  color: #0f172a;
+  transition: border-color .15s, box-shadow .15s;
+}
+
+.public-form input:focus,
+.public-form select:focus,
+.public-form textarea:focus {
+  outline: none;
+  border-color: #5E6AD2;
+  box-shadow: 0 0 0 3px rgba(94,106,210,0.18);
+}
+
+.public-form textarea { min-height: 110px; resize: vertical; }
+
+.public-btn {
+  font-family: var(--font-display);
+  font-size: 14px;
+  font-weight: 500;
+  padding: 12px 20px;
+  border-radius: 999px;
+  border: 1px solid #0f172a;
+  background: #0f172a;
+  color: #fff;
+  cursor: pointer;
+  transition: background .15s, transform .15s, box-shadow .15s;
+  letter-spacing: -0.005em;
+  align-self: flex-start;
+}
+
+.public-btn:hover { background: #1e293b; transform: translateY(-1px); box-shadow: 0 8px 20px rgba(15,23,42,0.12); }
+.public-btn:disabled { opacity: 0.5; cursor: not-allowed; transform: none; }
+
+.public-footer {
+  position: relative;
+  z-index: 2;
+  border-top: 1px solid rgba(15,23,42,0.08);
+  padding: 48px 28px 28px;
+  font-family: var(--font-display);
+  font-size: 11px;
+  color: #475569;
+}
+
+.public-footer .inner { max-width: 920px; margin: 0 auto; }
+
+.public-footer .top {
+  display: grid;
+  grid-template-columns: 1.5fr 1fr 1fr 1fr;
+  gap: 32px;
+  margin-bottom: 40px;
+}
+
+@media (max-width: 680px) {
+  .public-footer .top { grid-template-columns: 1fr 1fr; gap: 24px; }
+  .public-nav ul { display: flex; flex-wrap: wrap; gap: 14px; font-size: 11px; }
+  .public-nav { padding: 14px 18px; }
+  .public-main { padding: 40px 18px 64px; }
+}
+
+.public-footer .brand {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  margin-bottom: 12px;
+}
+
+.public-footer .brand img { width: 28px; height: 20px; object-fit: contain; }
+
+.public-footer .brand span {
+  font-size: 13px;
+  font-weight: 600;
+  color: #0f172a;
+  letter-spacing: -0.005em;
+}
+
+.public-footer .tagline {
+  font-size: 11.5px;
+  line-height: 1.6;
+  color: #64748b;
+  max-width: 22ch;
+}
+
+.public-footer h5 {
+  font-size: 10.5px;
+  letter-spacing: .12em;
+  text-transform: uppercase;
+  color: #0f172a;
+  margin: 0 0 12px;
+  font-weight: 600;
+}
+
+.public-footer nav a {
+  display: block;
+  color: #475569;
+  text-decoration: none;
+  margin-bottom: 8px;
+  font-size: 12px;
+  transition: color .15s;
+}
+
+.public-footer nav a:hover { color: #0f172a; }
+
+.public-footer .bottom {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  flex-wrap: wrap;
+  gap: 8px;
+  padding-top: 20px;
+  border-top: 1px solid rgba(15,23,42,0.08);
+  font-size: 11px;
+  color: #64748b;
+}
diff --git a/apps/web/src/styles/tokens.css b/apps/web/src/styles/tokens.css
new file mode 100644
index 0000000..45af4be
--- /dev/null
+++ b/apps/web/src/styles/tokens.css
@@ -0,0 +1,84 @@
+:root {
+  /* Surfaces — warm neutral hierarchy */
+  --bg:               #F7F8FA;
+  --surface:          #FFFFFF;
+  --surface-2:        #F3F5F7;
+  --surface-3:        #EDEDEB;
+
+  /* Borders */
+  --border:           #E5E7EB;
+  --border-strong:    #D1D5DB;
+
+  /* Text */
+  --text:             #0F172A;
+  --text-2:           #475569;
+  --text-muted:       #64748B;
+  --text-disabled:    #A3A3A3;
+
+  /* Backward-compat aliases (used by components outside this wave) */
+  --muted:            #64748B;
+  --text-strong:      #0F172A;
+  --hairline:         rgba(15,23,42,0.06);
+
+  /* Brand accent — Indigo */
+  --accent:           #4F46E5;
+  --accent-hover:     #4338CA;
+  --accent-strong:    #4F5BC9;
+  --accent-soft:      rgba(79,70,229,0.10);
+  --accent-ring:      rgba(79,70,229,0.30);
+
+  /* Semantic */
+  --success:          #16A34A;
+  --warning:          #D97706;
+  --danger:           #DC2626;
+  --info:             #0EA5E9;
+
+  /* Type */
+  --font-display:     "Geist", "Inter", system-ui, sans-serif;
+  --font-text:        "Inter", system-ui, sans-serif;
+  --font-mono:        "Geist Mono", "IBM Plex Mono", ui-monospace, monospace;
+
+  /* Sizes — keep current scale (it works) */
+  --text-xs:   0.75rem;
+  --text-sm:   0.8125rem;
+  --text-base: 0.9375rem;
+  --text-lg:   1.0625rem;
+  --text-xl:   1.25rem;
+  --text-2xl:  1.625rem;
+  --text-3xl:  2.25rem;
+  --text-4xl:  3rem;
+
+  /* Space (8px base) */
+  --space-1: 4px;  --space-2: 8px;  --space-3: 12px;
+  --space-4: 16px; --space-5: 20px; --space-6: 28px;
+  --space-7: 40px; --space-8: 56px; --space-9: 80px;
+
+  /* Radius */
+  --radius-sm: 6px;
+  --radius-md: 8px;
+  --radius-lg: 12px;
+  --radius-full: 999px;
+
+  /* Elevation — light mode uses borders + soft shadows */
+  --shadow-1: 0 1px 2px rgba(15,23,42,0.04);
+  --shadow-2: 0 4px 10px rgba(15,23,42,0.06);
+  --shadow-3: 0 12px 24px rgba(15,23,42,0.10);
+
+  /* Motion */
+  --ease-out: cubic-bezier(0.22, 1, 0.36, 1);
+  --dur-fast: 100ms;
+  --dur-base: 180ms;
+  --dur-slow: 300ms;
+
+  --ring-focus: 0 0 0 2px var(--surface), 0 0 0 4px var(--accent-ring);
+}
+
+body {
+  background: var(--bg);
+  color: var(--text);
+  font-family: var(--font-text);
+  font-size: var(--text-base);
+  line-height: 1.55;
+  font-weight: 400;        /* Light mode default = 400 (not the dark-mode 300) */
+  -webkit-font-smoothing: antialiased;
+}
diff --git a/apps/web/vercel.json b/apps/web/vercel.json
index bf1b668..db5a0ea 100644
--- a/apps/web/vercel.json
+++ b/apps/web/vercel.json
@@ -5,5 +5,11 @@
       "destination": "/app/",
       "permanent": false
     }
+  ],
+  "rewrites": [
+    {
+      "source": "/(demo|contact|privacy|terms|docs|pricing|trust)",
+      "destination": "/index.html"
+    }
   ]
 }
diff --git a/apps/web/vite.config.ts b/apps/web/vite.config.ts
index 491bde7..8b8238b 100644
--- a/apps/web/vite.config.ts
+++ b/apps/web/vite.config.ts
@@ -1,59 +1,10 @@
-import { readFileSync } from "node:fs";
-import { resolve } from "node:path";
 import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 
-function isAppDocumentRequest(url?: string): boolean {
-  if (!url) return false;
-  const path = url.split("?")[0] ?? "";
-  return path === "/app/" || path === "/app/index.html" || (path.startsWith("/app/") && !path.split("/").pop()?.includes("."));
-}
-
-function appIndexHtml(): string {
-  return readFileSync(resolve(__dirname, "public/app/index.html"), "utf8");
-}
-
 export default defineConfig({
-  plugins: [
-    react(),
-    {
-      name: "app-directory-redirect",
-      configureServer(server) {
-        server.middlewares.use((req, res, next) => {
-          if (req.url === "/app") {
-            res.statusCode = 302;
-            res.setHeader("Location", "/app/");
-            res.end();
-            return;
-          }
-          if (isAppDocumentRequest(req.url)) {
-            res.setHeader("Content-Type", "text/html; charset=utf-8");
-            res.end(appIndexHtml());
-            return;
-          }
-          next();
-        });
-      },
-      configurePreviewServer(server) {
-        server.middlewares.use((req, res, next) => {
-          if (req.url === "/app") {
-            res.statusCode = 302;
-            res.setHeader("Location", "/app/");
-            res.end();
-            return;
-          }
-          if (isAppDocumentRequest(req.url)) {
-            res.setHeader("Content-Type", "text/html; charset=utf-8");
-            res.end(appIndexHtml());
-            return;
-          }
-          next();
-        });
-      },
-    },
-  ],
+  plugins: [react()],
   server: {
-    port: 4004,
+    port: 4321,
     strictPort: true,
     proxy: {
       "/v1": {
diff --git a/backgroundlesslogo.png b/backgroundlesslogo.png
new file mode 100644
index 0000000..e7b0853
Binary files /dev/null and b/backgroundlesslogo.png differ
diff --git a/docs/runbooks/vercel-deploy-noninteractive.md b/docs/runbooks/vercel-deploy-noninteractive.md
new file mode 100644
index 0000000..1cdc311
--- /dev/null
+++ b/docs/runbooks/vercel-deploy-noninteractive.md
@@ -0,0 +1,64 @@
+# Deploy to Vercel from a non-interactive shell
+
+When `vercel link` or `vercel deploy --yes` returns:
+
+```json
+{
+  "status": "action_required",
+  "reason": "missing_scope",
+  "message": "Provide --scope or --team explicitly. No default is applied in non-interactive mode.",
+  "choices": [{ "id": "team_XXXXXXXX", "name": "my-team-slug" }]
+}
+```
+
+…and the suggested `--scope my-team-slug` returns the same gate, use the env-var path below.
+
+## Setup
+
+```bash
+TEAM_ID=team_XXXXXXXX    # the "id" from the gate JSON, NOT the slug
+PROJECT=my-project-name
+```
+
+## One-time (creates project + first deploy)
+
+```bash
+# 1. Create the project explicitly
+VERCEL_ORG_ID=$TEAM_ID vercel projects add $PROJECT
+
+# 2. Grab the real project id (prj_…)
+PROJECT_ID=$(VERCEL_ORG_ID=$TEAM_ID vercel project inspect $PROJECT 2>&1 \
+  | awk '/^[[:space:]]+ID/ {print $2}')
+echo "$PROJECT_ID"   # prj_XXXX
+
+# 3. Deploy — BOTH env vars set is the key
+cd path/to/app
+VERCEL_ORG_ID=$TEAM_ID \
+VERCEL_PROJECT_ID=$PROJECT_ID \
+vercel deploy --prod --yes
+```
+
+The first deploy writes `.vercel/project.json` with the two IDs.
+
+## Subsequent deploys
+
+From the same directory:
+
+```bash
+vercel deploy --prod
+```
+
+No env vars needed — `.vercel/project.json` is read automatically.
+
+## Traps
+
+- `--scope my-team-slug` → triggers the gate.
+- `--scope team_XXXX` (the id) → passes the wrapper, then complains it also needs `VERCEL_PROJECT_ID`. The env-var path is cleaner.
+- Setting your personal account as scope returns `You cannot set your Personal Account as the scope.` — use the hobby/personal-workspace `team_*` id from the gate's `choices[0].id` instead.
+- `vercel.json` with `buildCommand: null` + `outputDirectory: public` can still trigger framework auto-detection if the dashboard project config overrides `vercel.json`. To force static-only:
+  - Set **Framework Preset → Other** in the project settings, or
+  - `vercel project rm <project>` and recreate.
+
+## Why the env-var path works
+
+`--scope` is a CLI flag that the new non-interactive gate happens to ignore in many resolution paths. `VERCEL_ORG_ID` + `VERCEL_PROJECT_ID` short-circuit the resolution at a lower level — vercel never needs to "pick a scope" because both targets are already pinned.
diff --git a/marketing/customers.html b/marketing/customers.html
new file mode 100644
index 0000000..741e83c
--- /dev/null
+++ b/marketing/customers.html
@@ -0,0 +1,189 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Customers — Unsyphn</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<div class="banner">$18M wasted on SaaS per enterprise per year — <a href="#">read the 2026 SaaS Sprawl report →</a></div>
+
+<header class="header">
+  <div class="header-inner">
+    <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html">Product</a>
+      <a href="solutions.html">Solutions</a>
+      <a href="customers.html" class="is-active">Customers</a>
+      <a href="pricing.html">Pricing</a>
+      <a href="resources.html">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<section class="page-hero">
+  <div class="container-narrow">
+    <span class="section-eyebrow">Customers</span>
+    <h1>2,400+ enterprises. $1.2B recovered.</h1>
+    <p>From 200-person startups to Fortune 500s, Unsyphn customers reclaim an average of $135K every quarter — without re-platforming their procurement.</p>
+  </div>
+</section>
+
+<section class="section">
+  <div class="container">
+    <div class="stat-strip">
+      <div class="stat"><div class="stat-num">2,400+</div><div class="stat-label">enterprises monitoring 280K+ vendors</div></div>
+      <div class="stat"><div class="stat-num">$1.2B</div><div class="stat-label">cumulative recovered savings</div></div>
+      <div class="stat"><div class="stat-num">17.3%</div><div class="stat-label">average SaaS spend reduction</div></div>
+      <div class="stat"><div class="stat-num">9.4×</div><div class="stat-label">avg first-year ROI</div></div>
+    </div>
+  </div>
+</section>
+
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Logo wall</span>
+      <h2>Trusted by procurement, legal, and security at:</h2>
+    </div>
+    <div class="customer-grid">
+      <div class="customer-tile">Cargill</div>
+      <div class="customer-tile">Mavenir</div>
+      <div class="customer-tile">Whatfix</div>
+      <div class="customer-tile">Cloudflare</div>
+      <div class="customer-tile">Databricks</div>
+      <div class="customer-tile">Snowflake</div>
+      <div class="customer-tile">Brex</div>
+      <div class="customer-tile">Ramp</div>
+      <div class="customer-tile">Linear</div>
+      <div class="customer-tile">Plaid</div>
+      <div class="customer-tile">Cohere</div>
+      <div class="customer-tile">Modal</div>
+      <div class="customer-tile">Mercury</div>
+      <div class="customer-tile">Vanta</div>
+      <div class="customer-tile">Drata</div>
+      <div class="customer-tile">Hex</div>
+    </div>
+  </div>
+</section>
+
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Customer outcomes</span>
+      <h2>Real metrics from real teams.</h2>
+    </div>
+    <div class="outcome-grid">
+      <div class="outcome-card">
+        <div class="outcome-metric">$182K</div>
+        <p class="outcome-quote">"Reclaimed in 90 days on three renewals. The renegotiation packet for our Datadog contract paid for the platform 6× in the first quarter."</p>
+        <div class="outcome-author"><div class="outcome-avatar">JR</div><div><p class="outcome-author-name">Jamie Rodríguez</p><p class="outcome-author-title">VP Procurement · Cargill Digital</p></div></div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">90 sec</div>
+        <p class="outcome-quote">"SOC 2 evidence collection went from a two-week scramble to a 90-second auditor-mode export. Our QSA called it the cleanest vendor evidence they've seen this year."</p>
+        <div class="outcome-author"><div class="outcome-avatar">AC</div><div><p class="outcome-author-name">Ada Chen</p><p class="outcome-author-title">CISO · Mavenir Health</p></div></div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">3 hrs</div>
+        <p class="outcome-quote">"Datadog quietly added an Indian sub-processor. Unsyphn diff'd it, cross-referenced our customer DPAs, and drafted notices to 14 customers — before legal was even in the office."</p>
+        <div class="outcome-author"><div class="outcome-avatar">PS</div><div><p class="outcome-author-name">Priya Shah</p><p class="outcome-author-title">General Counsel · Whatfix</p></div></div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">412 seats</div>
+        <p class="outcome-quote">"Identified 412 unused Salesforce seats in week one. Cancelled 350 of them. That's an unforced $58k/yr we'd have happily paid forever."</p>
+        <div class="outcome-author"><div class="outcome-avatar">MK</div><div><p class="outcome-author-name">Marcus Lee</p><p class="outcome-author-title">CFO · TechStart Co</p></div></div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">−47%</div>
+        <p class="outcome-quote">"Cut our shadow IT footprint by 47% in 60 days. The email-metadata discovery surfaced 84 apps our IT inventory had never seen."</p>
+        <div class="outcome-author"><div class="outcome-avatar">DL</div><div><p class="outcome-author-name">Devon Lin</p><p class="outcome-author-title">Head of IT · Cloudflare</p></div></div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">60 sec</div>
+        <p class="outcome-quote">"Time to first wow was actually 47 seconds. Founders walked in expecting a 3-week implementation; left with 247 apps mapped and a $135k recoverable number on screen."</p>
+        <div class="outcome-author"><div class="outcome-avatar">AL</div><div><p class="outcome-author-name">Alex Liang</p><p class="outcome-author-title">CTO · Mercury Banking</p></div></div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Featured case study -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Case study · Cargill Digital</span>
+        <h3>How Cargill recovered $1.4M in their first year.</h3>
+        <p>
+          Cargill's procurement team was managing 437 SaaS vendors across 12 business units
+          with three procurement analysts and a Google Sheet. Renewal misses were
+          measured in dollars per week. Within 90 days of Unsyphn, they had a full
+          fleet inventory, renegotiated 8 contracts at average 23% reductions, and
+          surfaced $1.4M of recoverable spend hidden in unused licenses.
+        </p>
+        <ul class="split-bullets">
+          <li>437 vendors mapped in 4 minutes (Google Workspace OAuth)</li>
+          <li>$1.4M recoverable identified in first 30 days</li>
+          <li>8 renewals renegotiated at 23% avg reduction in Q1</li>
+          <li>SOC 2 prep time reduced 89% (auditor-mode export)</li>
+        </ul>
+        <a class="btn btn-dark btn-arrow" href="#" style="margin-top: 16px;">Read full case study</a>
+      </div>
+      <div class="split-image">
+        <div style="text-align:center;">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.08em;margin-bottom:12px;">Before / After Q1</div>
+          <div style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+            <div style="padding:24px;background:white;border-radius:12px;border:1px solid var(--border);">
+              <div style="font-size:var(--text-3xl);font-weight:700;color:var(--danger);margin-bottom:4px;">$8.2M</div>
+              <div style="font-size:var(--text-sm);color:var(--text-2);">Annual SaaS spend (before)</div>
+            </div>
+            <div style="padding:24px;background:white;border-radius:12px;border:2px solid var(--success);">
+              <div style="font-size:var(--text-3xl);font-weight:700;color:var(--success);margin-bottom:4px;">$6.8M</div>
+              <div style="font-size:var(--text-sm);color:var(--text-2);">Annual SaaS spend (after)</div>
+            </div>
+          </div>
+          <div style="margin-top:16px;padding:12px;background:white;border-radius:8px;border:1px solid var(--border);font-size:var(--text-sm);">
+            <strong>$1.4M recovered</strong> · <span style="color:var(--text-muted);">17% reduction in 90 days</span>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>Your next $135K is hiding in your stack.</h2>
+    <p>Connect Google Workspace or Microsoft 365 in one click. See your fleet in 60 seconds.</p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Try Unsyphn free</a>
+      <a class="btn btn-secondary btn-lg" href="mailto:enterprise@unsyphn.com">Talk to sales</a>
+    </div>
+  </div>
+</section>
+
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div><a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a><p class="footer-brand">Vendor Change & Savings OS for enterprise SaaS.</p></div>
+      <div><h4>Product</h4><ul><li><a href="product.html">Inbox</a></li><li><a href="pricing.html">Pricing</a></li></ul></div>
+      <div><h4>Solutions</h4><ul><li><a href="solutions.html#cfo">CFO</a></li><li><a href="solutions.html#procurement">Procurement</a></li></ul></div>
+      <div><h4>Company</h4><ul><li><a href="customers.html">Customers</a></li><li><a href="resources.html">Resources</a></li></ul></div>
+      <div><h4>Get updates</h4><p style="font-size:var(--text-sm);color:var(--text-2);margin:0;">Monthly SaaS sprawl reports.</p></div>
+    </div>
+    <div class="footer-bottom"><span>© 2026 Unsyphn, Inc.</span><span>SOC 2 Type II</span></div>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/marketing/index.html b/marketing/index.html
new file mode 100644
index 0000000..3eb5000
--- /dev/null
+++ b/marketing/index.html
@@ -0,0 +1,418 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Unsyphn — The Vendor Change & Savings OS for Enterprise SaaS</title>
+<meta name="description" content="Rocket Money for the 291 SaaS apps your company runs. Auto-discover, watch every vendor's pricing/terms/sub-processors, route material changes, and recover $135k a quarter." />
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<!-- Top banner -->
+<div class="banner">
+  $18M wasted on SaaS per enterprise per year — <a href="#research">read the 2026 SaaS Sprawl report →</a>
+</div>
+
+<!-- Sticky header -->
+<header class="header">
+  <div class="header-inner">
+    <a href="/" class="brand">
+      <span class="brand-mark"></span>
+      Unsyphn
+    </a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html">Product</a>
+      <a href="solutions.html">Solutions</a>
+      <a href="customers.html">Customers</a>
+      <a href="pricing.html">Pricing</a>
+      <a href="resources.html">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<!-- Hero -->
+<section class="hero">
+  <div class="hero-blob"></div>
+  <div class="hero-inner">
+    <span class="eyebrow">
+      <span class="eyebrow-dot"></span>
+      Featured by Procurement Leaders 2026
+    </span>
+    <h1>Recover <em>$135K a quarter</em><br/>from SaaS you didn't know you were wasting.</h1>
+    <p class="hero-sub">
+      Unsyphn auto-discovers every SaaS in your stack, watches every vendor's pricing, terms,
+      and sub-processors continuously, and routes material changes to the right owner — with
+      audit-ready evidence attached.
+    </p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Start free in 60 seconds</a>
+      <a class="btn btn-secondary btn-lg" href="#tour">Watch the 3-min demo</a>
+    </div>
+    <div class="hero-meta">
+      <span class="hero-stars">★★★★★</span>
+      <strong>4.9</strong> on G2 · 2,400+ enterprises monitored · <strong>$1.2B</strong> recovered
+    </div>
+  </div>
+</section>
+
+<!-- Logo wall -->
+<section class="logo-wall">
+  <p class="logo-wall-label">Trusted by procurement, legal, and security at:</p>
+  <div class="logo-row">
+    <img src="https://cdn.simpleicons.org/cisco/0A1F3D" alt="Cisco" />
+    <img src="https://cdn.simpleicons.org/hp/0A1F3D" alt="HP" />
+    <img src="https://cdn.simpleicons.org/intuit/0A1F3D" alt="Intuit" />
+    <img src="https://cdn.simpleicons.org/instacart/0A1F3D" alt="Instacart" />
+    <img src="https://cdn.simpleicons.org/cloudflare/0A1F3D" alt="Cloudflare" />
+    <img src="https://cdn.simpleicons.org/databricks/0A1F3D" alt="Databricks" />
+    <img src="https://cdn.simpleicons.org/figma/0A1F3D" alt="Figma" />
+    <img src="https://cdn.simpleicons.org/notion/0A1F3D" alt="Notion" />
+  </div>
+</section>
+
+<!-- Main feature block: gateway -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Discover · Watch · Route · Recover</span>
+      <h2>The system of record for every SaaS your company runs.</h2>
+      <p class="section-sub">
+        Connect Google Workspace or Microsoft 365 in one click. See your full vendor fleet in 60 seconds.
+        Then watch Unsyphn turn 291 apps' worth of silent change into a single triaged inbox.
+      </p>
+    </div>
+
+    <!-- Split: discovery -->
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Discovery</span>
+        <h3>From email to fleet visible in 60 seconds.</h3>
+        <p>
+          We don't ask you to map your stack. One OAuth grant on Google Workspace or
+          Microsoft 365 surfaces every SaaS that has ever sent a billing email,
+          access invite, or password-reset notification — including the shadow IT
+          your CMDB has never heard of.
+        </p>
+        <ul class="split-bullets">
+          <li>Email-metadata discovery (Nudge-pattern, but stitched to spend)</li>
+          <li>OAuth-grant inventory with scope risk scoring</li>
+          <li>Brex / Ramp / NetSuite / QuickBooks ingestion as second source</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/notion/0A1F3D" alt=""/><span>Notion</span><span class="meta">42 active users</span></div>
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/slack/0A1F3D" alt=""/><span>Slack</span><span class="meta">1,200 active</span></div>
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/figma/0A1F3D" alt=""/><span>Figma</span><span class="meta">38 active</span></div>
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/datadog/0A1F3D" alt=""/><span>Datadog</span><span class="meta">12 active</span></div>
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/stripe/0A1F3D" alt=""/><span>Stripe</span><span class="meta">8 active</span></div>
+          <div class="mock-row"><img class="vendor-logo" src="https://cdn.simpleicons.org/airtable/0A1F3D" alt=""/><span>Airtable</span><span class="meta">shadow IT</span></div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Split: change feed (reverse) -->
+    <div class="split reverse">
+      <div>
+        <span class="split-eyebrow">Material Change Feed</span>
+        <h3>We watch every pricing page so your procurement team doesn't have to.</h3>
+        <p>
+          Unsyphn polls every vendor's pricing, terms, sub-processor, and security pages
+          daily — then produces a Git-style diff the moment something changes. Each diff
+          is ranked by dollar impact, legal risk, and security blast radius, then routed
+          to the right owner in Slack with citations attached.
+        </p>
+        <ul class="split-bullets">
+          <li>Continuous external monitoring (no SMP does this today)</li>
+          <li>Cross-references your customer DPAs for sub-processor changes</li>
+          <li>One-click "Draft 30-day customer notice" when obligations trigger</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div class="mock-row"><span class="dot red"></span><strong>P1</strong><span style="margin-left:6px;">Notion · retention 90→30 days</span><span class="meta">$28k</span></div>
+          <div class="mock-row"><span class="dot red"></span><strong>P1</strong><span style="margin-left:6px;">Datadog · sub-processor added (IN)</span><span class="meta">P1</span></div>
+          <div class="mock-row"><span class="dot amber"></span><strong>P2</strong><span style="margin-left:6px;">Salesforce · renewal 47d, 412 unused</span><span class="meta">$84k</span></div>
+          <div class="mock-row"><span class="dot amber"></span><strong>P2</strong><span style="margin-left:6px;">Stripe · $0.30/intent fee added</span><span class="meta">$12k</span></div>
+          <div class="mock-row"><span class="dot green"></span><strong>P3</strong><span style="margin-left:6px;">Figma · 18 unused Enterprise seats</span><span class="meta">$2k</span></div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Split: renegotiation -->
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Renegotiation Copilot</span>
+        <h3>One-click renegotiation packets, sourced from real benchmarks.</h3>
+        <p>
+          When a renewal lands in the inbox, Unsyphn assembles a counter-offer packet
+          in seconds: your usage data, the vendor's public pricing diff, peer
+          benchmarks, and three drafted email variants. Send via Gmail with one click —
+          average customer recovers $9,200 on a single Datadog renewal.
+        </p>
+        <ul class="split-bullets">
+          <li>Drafted counter-offer emails in 3 tones (firm / friendly / aggressive)</li>
+          <li>Benchmarked against $15B+ of public pricing data</li>
+          <li>Auto-attaches usage proof and clause-by-clause diff</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family: var(--font-mono); font-size: 11px; color: var(--text-muted); margin-bottom: 8px;">DRAFT · Tone: firm</div>
+          <div style="font-size: 13px; color: var(--text); line-height: 1.55;">
+            Hi Sarah,<br/><br/>
+            Reviewing our Datadog renewal: <strong>412 of 850 seats are inactive (48%)</strong>.
+            Our current rate ($165/seat) is 18% above the $135/seat your peers pay (Brex,
+            Linear, Ramp).<br/><br/>
+            Proposing: <strong>$95k/yr</strong> for 500 active seats (renewable),
+            with a $25/seat overage cap...
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Stat strip -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">By the numbers</span>
+      <h2>Built on the largest dataset in vendor change intelligence.</h2>
+    </div>
+    <div class="stat-strip">
+      <div class="stat">
+        <div class="stat-num">291</div>
+        <div class="stat-label">avg SaaS apps per enterprise</div>
+      </div>
+      <div class="stat">
+        <div class="stat-num">51%</div>
+        <div class="stat-label">of licenses go unused</div>
+      </div>
+      <div class="stat">
+        <div class="stat-num">$135K</div>
+        <div class="stat-label">recovered per quarter (Growth avg)</div>
+      </div>
+      <div class="stat">
+        <div class="stat-num">60s</div>
+        <div class="stat-label">to fleet-visible from OAuth</div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- 4 feature cards -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Why teams choose Unsyphn</span>
+      <h2>Four things no other SaaS management platform combines.</h2>
+    </div>
+    <div class="feature-grid">
+      <div class="feature-card">
+        <div class="feature-icon">📡</div>
+        <h3>Continuous external watch</h3>
+        <p>We poll every vendor's pricing / terms / sub-processor / security pages daily. Vendr negotiates. We tell you what changed before they ask.</p>
+      </div>
+      <div class="feature-card">
+        <div class="feature-icon">🎯</div>
+        <h3>Owner-routed, not dashboarded</h3>
+        <p>Every material change auto-routes to the persona who owns it (Procurement, Legal, Security, Finance). Slack DM + Jira ticket attached.</p>
+      </div>
+      <div class="feature-card">
+        <div class="feature-icon">📑</div>
+        <h3>Citation-grounded evidence</h3>
+        <p>Every claim is cited. Every AI output links to its source quote with a fetch timestamp. Auditor mode exports the full chronology.</p>
+      </div>
+      <div class="feature-card">
+        <div class="feature-icon">🔗</div>
+        <h3>Customer Commitments cross-ref</h3>
+        <p>When a vendor adds a sub-processor in a non-adequate region, we cross-check <em>your</em> DPAs and draft the 30-day customer notices.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Compliance / trust -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Enterprise-ready</span>
+      <h2>Built for the security review your CISO will run.</h2>
+      <p class="section-sub">
+        Data residency, no-train AI guarantee, SCIM provisioning, immutable audit log, and
+        a public Trust Center on day one.
+      </p>
+    </div>
+    <div class="compliance-row">
+      <div class="compliance-badge">SOC 2 Type II</div>
+      <div class="compliance-badge">GDPR-ready</div>
+      <div class="compliance-badge">ISO 27001</div>
+      <div class="compliance-badge">EU + US data residency</div>
+      <div class="compliance-badge">No-train AI guarantee</div>
+      <div class="compliance-badge">SCIM + SAML SSO</div>
+    </div>
+  </div>
+</section>
+
+<!-- Customer outcomes -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Real outcomes</span>
+      <h2>What customers recover with Unsyphn.</h2>
+    </div>
+    <div class="outcome-grid">
+      <div class="outcome-card">
+        <div class="outcome-metric">$182k</div>
+        <p class="outcome-quote">
+          "Reclaimed in 90 days on three renewals. The renegotiation packet for our
+          Datadog contract paid for the platform 6x in the first quarter."
+        </p>
+        <div class="outcome-author">
+          <div class="outcome-avatar">JR</div>
+          <div>
+            <p class="outcome-author-name">Jamie Rodríguez</p>
+            <p class="outcome-author-title">VP Procurement · Cargill Digital</p>
+          </div>
+        </div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">14 days</div>
+        <p class="outcome-quote">
+          "SOC 2 evidence collection went from a two-week scramble to a 90-second
+          auditor-mode export. Our QSA called it the cleanest vendor evidence
+          they've seen this year."
+        </p>
+        <div class="outcome-author">
+          <div class="outcome-avatar">AC</div>
+          <div>
+            <p class="outcome-author-name">Ada Chen</p>
+            <p class="outcome-author-title">CISO · Mavenir Health</p>
+          </div>
+        </div>
+      </div>
+      <div class="outcome-card">
+        <div class="outcome-metric">3 hours</div>
+        <p class="outcome-quote">
+          "Datadog quietly added an Indian sub-processor. Unsyphn diff'd it, cross-
+          referenced our customer DPAs, and drafted notices to 14 customers — before
+          legal was even in the office."
+        </p>
+        <div class="outcome-author">
+          <div class="outcome-avatar">PS</div>
+          <div>
+            <p class="outcome-author-name">Priya Shah</p>
+            <p class="outcome-author-title">General Counsel · Whatfix</p>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Integrations -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Integrations</span>
+      <h2>Plugs into the stack you already run.</h2>
+      <p class="section-sub">Inbound discovery + outbound routing across 24 systems.</p>
+    </div>
+    <div class="integration-grid">
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/google/0A1F3D" alt=""><span>Google Workspace</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/microsoft/0A1F3D" alt=""><span>Microsoft 365</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/okta/0A1F3D" alt=""><span>Okta</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/auth0/0A1F3D" alt=""><span>Auth0</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/brex/0A1F3D" alt=""><span>Brex</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/intuit/0A1F3D" alt=""><span>QuickBooks</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/slack/0A1F3D" alt=""><span>Slack</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/jira/0A1F3D" alt=""><span>Jira</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/linear/0A1F3D" alt=""><span>Linear</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/notion/0A1F3D" alt=""><span>Notion</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/docusign/0A1F3D" alt=""><span>DocuSign</span></a>
+      <a class="integration-tile" href="#"><img src="https://cdn.simpleicons.org/datadog/0A1F3D" alt=""><span>Datadog</span></a>
+    </div>
+  </div>
+</section>
+
+<!-- Big CTA -->
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>The next $135K is hiding in your stack.</h2>
+    <p>Connect Google Workspace or Microsoft 365 in one click. See your fleet in 60 seconds. Free, forever, up to 25 vendors.</p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Try Unsyphn free</a>
+      <a class="btn btn-secondary btn-lg" href="mailto:enterprise@unsyphn.com">Talk to enterprise</a>
+    </div>
+  </div>
+</section>
+
+<!-- Footer -->
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div>
+        <a href="/" class="brand">
+          <span class="brand-mark"></span>
+          Unsyphn
+        </a>
+        <p class="footer-brand">
+          The Vendor Change & Savings Operating System for enterprise SaaS.
+          Rocket Money for the 291 apps your company runs.
+        </p>
+      </div>
+      <div>
+        <h4>Product</h4>
+        <ul>
+          <li><a href="product.html">Inbox</a></li>
+          <li><a href="product.html#change-feed">Material Change Feed</a></li>
+          <li><a href="product.html#renegotiate">Renegotiation Copilot</a></li>
+          <li><a href="product.html#auditor">Auditor Mode</a></li>
+          <li><a href="pricing.html">Pricing</a></li>
+        </ul>
+      </div>
+      <div>
+        <h4>Solutions</h4>
+        <ul>
+          <li><a href="solutions.html#cfo">For CFO</a></li>
+          <li><a href="solutions.html#procurement">For Procurement</a></li>
+          <li><a href="solutions.html#legal">For Legal</a></li>
+          <li><a href="solutions.html#security">For Security</a></li>
+        </ul>
+      </div>
+      <div>
+        <h4>Company</h4>
+        <ul>
+          <li><a href="customers.html">Customers</a></li>
+          <li><a href="resources.html">Resources</a></li>
+          <li><a href="http://localhost:4321/trust">Trust</a></li>
+          <li><a href="mailto:hello@unsyphn.com">Contact</a></li>
+        </ul>
+      </div>
+      <div>
+        <h4>Newsletter</h4>
+        <p style="font-size: var(--text-sm); color: var(--text-2); margin: 0 0 12px;">Monthly SaaS sprawl reports.</p>
+        <form onsubmit="event.preventDefault(); alert('Subscribed (demo)');">
+          <input type="email" placeholder="you@company.com" style="width: 100%; padding: 8px 12px; border: 1px solid var(--border); border-radius: var(--r-sm); font-size: var(--text-sm); margin-bottom: 8px;" required />
+          <button class="btn btn-primary" style="width: 100%; padding: 8px;">Subscribe</button>
+        </form>
+      </div>
+    </div>
+    <div class="footer-bottom">
+      <span>© 2026 Unsyphn, Inc. · SOC 2 Type II · ISO 27001</span>
+      <span>Made for procurement teams in Brooklyn + Bangalore</span>
+    </div>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/marketing/pricing.html b/marketing/pricing.html
new file mode 100644
index 0000000..ee0439d
--- /dev/null
+++ b/marketing/pricing.html
@@ -0,0 +1,241 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Pricing — Unsyphn</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<div class="banner">$18M wasted on SaaS per enterprise per year — <a href="#">read the 2026 SaaS Sprawl report →</a></div>
+
+<header class="header">
+  <div class="header-inner">
+    <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html">Product</a>
+      <a href="solutions.html">Solutions</a>
+      <a href="customers.html">Customers</a>
+      <a href="pricing.html" class="is-active">Pricing</a>
+      <a href="resources.html">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<section class="page-hero">
+  <div class="container-narrow">
+    <span class="section-eyebrow">Pricing</span>
+    <h1>Companies on Growth recover $135K per quarter.</h1>
+    <p>Flat platform fee. No per-seat tax. No surprise overages. A free Discover tier so you can prove ROI before you pay a dollar.</p>
+  </div>
+</section>
+
+<section class="section">
+  <div class="container">
+    <div class="pricing-grid">
+      <div class="price-card">
+        <p class="price-name">Discover</p>
+        <p class="price-value">Free<span></span></p>
+        <p class="price-tag">For anyone curious if Unsyphn finds money.</p>
+        <ul class="price-features">
+          <li>1 data source (Google or M365)</li>
+          <li>Up to 25 vendors</li>
+          <li>Top-100 vendor benchmarks</li>
+          <li>Slack alerts</li>
+          <li>Manual contract upload (5 max)</li>
+          <li>"Powered by Unsyphn" footer</li>
+        </ul>
+        <a class="btn btn-secondary" href="http://localhost:4321/app/onboarding">Start free</a>
+      </div>
+      <div class="price-card featured">
+        <p class="price-name">Growth</p>
+        <p class="price-value">$1,500<span> / mo</span></p>
+        <p class="price-tag">For 50–250 employee teams ready to recover real money.</p>
+        <ul class="price-features">
+          <li>Everything in Discover</li>
+          <li>Unlimited vendors</li>
+          <li>Material Change Feed (the wedge)</li>
+          <li>Renegotiation Packet generator</li>
+          <li>Jira + Slack routing</li>
+          <li>3 integrations</li>
+          <li>Audit log + bundles</li>
+          <li>Custom branding</li>
+        </ul>
+        <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Start 14-day trial</a>
+      </div>
+      <div class="price-card">
+        <p class="price-name">Scale</p>
+        <p class="price-value">$3,500<span> / mo</span></p>
+        <p class="price-tag">For 250–1,000 employee orgs with compliance needs.</p>
+        <ul class="price-features">
+          <li>Everything in Growth</li>
+          <li>Sub-processor heatmap</li>
+          <li>Customer Commitments cross-ref</li>
+          <li>Unlimited integrations</li>
+          <li>RBAC + SCIM</li>
+          <li>1 dedicated CSM hour / wk</li>
+        </ul>
+        <a class="btn btn-secondary" href="mailto:hello@unsyphn.com?subject=Scale plan">Contact sales</a>
+      </div>
+      <div class="price-card">
+        <p class="price-name">Enterprise</p>
+        <p class="price-value">$30K<span> + 15% of net savings, capped $200K/yr</span></p>
+        <p class="price-tag">For 1,000+ employee orgs.</p>
+        <ul class="price-features">
+          <li>Everything in Scale</li>
+          <li>US / EU data residency</li>
+          <li>Custom SSO + audit-mode workspaces</li>
+          <li>Dedicated negotiation analyst</li>
+          <li>On-prem SIEM webhook</li>
+          <li>Private API + 99.9% SLA</li>
+        </ul>
+        <a class="btn btn-secondary" href="mailto:enterprise@unsyphn.com">Talk to sales</a>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Add-ons -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Add-ons</span>
+      <h2>Optional capabilities, no tier-gating.</h2>
+    </div>
+    <div class="feature-grid" style="grid-template-columns: 1fr 1fr;">
+      <div class="feature-card">
+        <div class="feature-icon">🤝</div>
+        <h3>Negotiation Concierge — $10K/quarter</h3>
+        <p>A human procurement analyst handles 5 negotiations end-to-end per quarter. Vendr-style managed motion, sold separately. Average net savings 4× the add-on cost.</p>
+      </div>
+      <div class="feature-card">
+        <div class="feature-icon">🔐</div>
+        <h3>GRC Bridge — $1,000/mo</h3>
+        <p>Deep two-way integration with Vanta, Drata, and OneTrust. Auto-sync sub-processor lists to your Trust Center. Customer Commitments inventory exchange.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- ROI calculator -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">ROI calculator</span>
+      <h2>How much is your stack costing you?</h2>
+      <p class="section-sub">Slide the employee count. We'll estimate waste, recovery, and payback period on the Growth tier.</p>
+    </div>
+    <div class="split-image" style="max-width: 720px; margin: var(--space-6) auto 0;">
+      <label for="roi-slider" style="display:block;font-size:var(--text-sm);color:var(--text-2);margin-bottom:var(--space-2);">Employees</label>
+      <div style="display:flex;gap:var(--space-4);align-items:center;margin-bottom:var(--space-5);">
+        <input type="range" id="roi-slider" min="50" max="5000" step="50" value="500" style="flex:1;" />
+        <strong id="roi-employees" style="font-family:var(--font-mono);font-size:var(--text-lg);min-width:80px;text-align:right;">500</strong>
+      </div>
+      <div style="display:grid;grid-template-columns:repeat(3,1fr);gap:var(--space-4);">
+        <div style="text-align:center;padding:var(--space-4);background:white;border-radius:var(--r-md);border:1px solid var(--border);">
+          <div style="font-family:var(--font-mono);font-size:var(--text-xs);color:var(--text-muted);text-transform:uppercase;letter-spacing:0.08em;margin-bottom:6px;">Annual waste (est.)</div>
+          <div id="roi-waste" style="font-family:var(--font-display);font-size:var(--text-2xl);font-weight:700;color:var(--danger);">$396,000</div>
+        </div>
+        <div style="text-align:center;padding:var(--space-4);background:white;border-radius:var(--r-md);border:1px solid var(--border);">
+          <div style="font-family:var(--font-mono);font-size:var(--text-xs);color:var(--text-muted);text-transform:uppercase;letter-spacing:0.08em;margin-bottom:6px;">Recoverable Q1</div>
+          <div id="roi-recover" style="font-family:var(--font-display);font-size:var(--text-2xl);font-weight:700;color:var(--success);">$59,400</div>
+        </div>
+        <div style="text-align:center;padding:var(--space-4);background:white;border-radius:var(--r-md);border:1px solid var(--border);">
+          <div style="font-family:var(--font-mono);font-size:var(--text-xs);color:var(--text-muted);text-transform:uppercase;letter-spacing:0.08em;margin-bottom:6px;">Payback on Growth</div>
+          <div id="roi-payback" style="font-family:var(--font-display);font-size:var(--text-2xl);font-weight:700;color:var(--accent);">15 days</div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- FAQ -->
+<section class="section section-tint">
+  <div class="container-narrow">
+    <div class="section-head">
+      <span class="section-eyebrow">FAQ</span>
+      <h2>Common questions.</h2>
+    </div>
+    <details style="background:white;border:1px solid var(--border);border-radius:var(--r-md);padding:16px 20px;margin-bottom:8px;cursor:pointer;">
+      <summary style="font-weight:600;font-size:var(--text-base);">Why no per-seat pricing?</summary>
+      <p style="margin-top:12px;font-size:var(--text-sm);color:var(--text-2);">Per-seat punishes growth. Every CFO sees through it. We sell flat platform tiers because the value is the platform, not the seat count. Enterprise adds a percent-of-savings component with a hard $200K cap.</p>
+    </details>
+    <details style="background:white;border:1px solid var(--border);border-radius:var(--r-md);padding:16px 20px;margin-bottom:8px;cursor:pointer;">
+      <summary style="font-weight:600;font-size:var(--text-base);">What counts as "net savings" on Enterprise?</summary>
+      <p style="margin-top:12px;font-size:var(--text-sm);color:var(--text-2);">Dollar reductions on contracts you renegotiated using an Unsyphn-generated packet, minus any cost increases on the same vendor. We audit jointly with your finance team quarterly. Hard cap $200K/yr; you'll never owe more than that on top of the $30K platform fee.</p>
+    </details>
+    <details style="background:white;border:1px solid var(--border);border-radius:var(--r-md);padding:16px 20px;margin-bottom:8px;cursor:pointer;">
+      <summary style="font-weight:600;font-size:var(--text-base);">Where is my data stored?</summary>
+      <p style="margin-top:12px;font-size:var(--text-sm);color:var(--text-2);">US-East by default. EU data residency (Frankfurt) at Enterprise tier. We don't replicate across regions without your explicit consent. Full data-residency map in our <a href="http://localhost:4321/trust" style="color:var(--accent);">Trust Center</a>.</p>
+    </details>
+    <details style="background:white;border:1px solid var(--border);border-radius:var(--r-md);padding:16px 20px;margin-bottom:8px;cursor:pointer;">
+      <summary style="font-weight:600;font-size:var(--text-base);">Do you train AI on my data?</summary>
+      <p style="margin-top:12px;font-size:var(--text-sm);color:var(--text-2);"><strong>No.</strong> Verbatim: Unsyphn does not train models on customer data today. Should this change, we will provide customers with advance notice. Sensitive operations (clause extraction, Customer Commitments) run on internally-hosted models. Third-party API use only with explicit DPA terms forbidding training.</p>
+    </details>
+    <details style="background:white;border:1px solid var(--border);border-radius:var(--r-md);padding:16px 20px;cursor:pointer;">
+      <summary style="font-weight:600;font-size:var(--text-base);">How long is implementation?</summary>
+      <p style="margin-top:12px;font-size:var(--text-sm);color:var(--text-2);"><strong>60 seconds for Discover/Growth.</strong> One Google or M365 OAuth, fleet visible. Scale + Enterprise typically add 1–2 weeks for SCIM, additional integrations, and CSM kickoff — but the core platform is live the moment you sign in.</p>
+    </details>
+  </div>
+</section>
+
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>Start free. Pay when you've recovered the cost.</h2>
+    <p>No credit card, no sales call. Connect Google Workspace and see your fleet in 60 seconds.</p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Start free</a>
+      <a class="btn btn-secondary btn-lg" href="mailto:enterprise@unsyphn.com">Talk to enterprise</a>
+    </div>
+  </div>
+</section>
+
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div><a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a><p class="footer-brand">Vendor Change & Savings OS for enterprise SaaS.</p></div>
+      <div><h4>Product</h4><ul><li><a href="product.html">Inbox</a></li><li><a href="pricing.html">Pricing</a></li></ul></div>
+      <div><h4>Solutions</h4><ul><li><a href="solutions.html#cfo">CFO</a></li><li><a href="solutions.html#procurement">Procurement</a></li></ul></div>
+      <div><h4>Company</h4><ul><li><a href="customers.html">Customers</a></li><li><a href="resources.html">Resources</a></li></ul></div>
+      <div><h4>Trust</h4><ul><li><a href="http://localhost:4321/trust">Trust Center</a></li></ul></div>
+    </div>
+    <div class="footer-bottom"><span>© 2026 Unsyphn, Inc.</span><span>SOC 2 Type II</span></div>
+  </div>
+</footer>
+
+<script>
+  // ROI calculator
+  const slider = document.getElementById('roi-slider');
+  const empOut = document.getElementById('roi-employees');
+  const wasteOut = document.getElementById('roi-waste');
+  const recoverOut = document.getElementById('roi-recover');
+  const paybackOut = document.getElementById('roi-payback');
+  function fmt(n) { return '$' + Math.round(n).toLocaleString('en-US'); }
+  function compute() {
+    const employees = +slider.value;
+    const appsPerEmp = 0.58;
+    const seatCostMo = 22;
+    const wasteRate = 0.51;
+    const annualWaste = employees * appsPerEmp * 12 * seatCostMo * wasteRate;
+    const recoverQ1 = annualWaste * 0.25 * 0.6;
+    const monthlyFee = 1500;
+    const paybackDays = Math.max(1, Math.round((monthlyFee * 12 / Math.max(recoverQ1, 1)) * 365 / 12));
+    empOut.textContent = employees.toLocaleString('en-US');
+    wasteOut.textContent = fmt(annualWaste);
+    recoverOut.textContent = fmt(recoverQ1);
+    paybackOut.textContent = paybackDays + ' days';
+  }
+  slider.addEventListener('input', compute);
+  compute();
+</script>
+
+</body>
+</html>
diff --git a/marketing/product.html b/marketing/product.html
new file mode 100644
index 0000000..a5dfc4a
--- /dev/null
+++ b/marketing/product.html
@@ -0,0 +1,261 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Product — Unsyphn</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<div class="banner">$18M wasted on SaaS per enterprise per year — <a href="#">read the 2026 SaaS Sprawl report →</a></div>
+
+<header class="header">
+  <div class="header-inner">
+    <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html" class="is-active">Product</a>
+      <a href="solutions.html">Solutions</a>
+      <a href="customers.html">Customers</a>
+      <a href="pricing.html">Pricing</a>
+      <a href="resources.html">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<section class="page-hero">
+  <div class="container-narrow">
+    <span class="section-eyebrow">Product</span>
+    <h1>One inbox. Every SaaS your company runs.</h1>
+    <p>Unsyphn turns 291 vendors' worth of silent change — price hikes, terms updates, sub-processor swaps, posture drift, unused seats — into a single owner-routed action queue.</p>
+  </div>
+</section>
+
+<!-- Module 1: Inbox -->
+<section class="section" id="inbox">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Module 1 · Inbox</span>
+        <h3>Triage, not dashboards.</h3>
+        <p>
+          Every material change lands in one ranked queue. Filter by changes / renewals /
+          unused seats. Triage with the keyboard: <code>J/K</code> navigate, <code>E</code>
+          acknowledge, <code>S</code> snooze, <code>R</code> resolve, <code>X</code> escalate.
+          Linear-grade speed for procurement work.
+        </p>
+        <ul class="split-bullets">
+          <li>50 rows visible, virtualized — sub-second load</li>
+          <li>Severity dot · vendor logo · title · $ impact · owner</li>
+          <li>Drawer slides in from right; never lose list context</li>
+          <li>Bulk select; acknowledge 10 P3s in one keystroke</li>
+        </ul>
+        <a class="btn btn-dark btn-arrow" href="http://localhost:4321/app/inbox" style="margin-top: 16px;">Open Inbox</a>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div class="mock-row"><span class="dot red"></span><strong>P1</strong><span style="margin-left:6px;">Notion · retention 90→30 days</span><span class="meta">$28k · 2d</span></div>
+          <div class="mock-row"><span class="dot red"></span><strong>P1</strong><span style="margin-left:6px;">Datadog · sub-processor IN</span><span class="meta">— · 3d</span></div>
+          <div class="mock-row"><span class="dot amber"></span><strong>P2</strong><span style="margin-left:6px;">Salesforce · renewal 47d</span><span class="meta">$84k · today</span></div>
+          <div class="mock-row"><span class="dot amber"></span><strong>P2</strong><span style="margin-left:6px;">Stripe · $0.30/intent added</span><span class="meta">$12k · 4d</span></div>
+          <div class="mock-row"><span class="dot green"></span><strong>P3</strong><span style="margin-left:6px;">Figma · 18 unused seats</span><span class="meta">$2k · 1d</span></div>
+          <div class="mock-row"><span class="dot amber"></span><strong>P2</strong><span style="margin-left:6px;">Slack · DPA AI clause</span><span class="meta">— · 5d</span></div>
+          <div style="margin-top:12px;padding-top:8px;border-top:1px solid var(--border);font-family:var(--font-mono);font-size:11px;color:var(--text-muted);">
+            J/K navigate · ↵ open · E ack · S snooze · R resolve · X escalate
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Module 2: Change Feed -->
+<section class="section section-tint" id="change-feed">
+  <div class="container">
+    <div class="split reverse">
+      <div>
+        <span class="split-eyebrow">Module 2 · Material Change Feed</span>
+        <h3>The diff card no other SMP ships.</h3>
+        <p>
+          We poll every vendor's pricing, terms, sub-processor, and security pages every 24
+          hours. The moment something changes, we render a Git-style before/after diff with
+          the original page citation and fetch timestamp. No claim without proof.
+        </p>
+        <ul class="split-bullets">
+          <li>4 categories monitored: price · terms · sub-processor · security posture</li>
+          <li>Materiality scoring (high / medium / low) per change</li>
+          <li>Citations link to the source paragraph + fetched-at ISO timestamp</li>
+          <li>Auto-routes to owner persona based on category</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-size:11px;font-family:var(--font-mono);color:var(--text-muted);margin-bottom:8px;">DATA · HIGH MATERIALITY</div>
+          <div style="font-weight:600;font-size:14px;margin-bottom:10px;">Retention period shortened</div>
+          <div style="background:#FEE2E2;border-left:3px solid var(--danger);padding:8px 10px;border-radius:6px;margin-bottom:6px;font-family:var(--font-mono);font-size:11px;">
+            <strong style="display:block;font-size:9px;letter-spacing:0.08em;color:#991B1B;margin-bottom:3px;">BEFORE</strong>
+            "Personal data retained for ninety (90) days following account deletion."
+          </div>
+          <div style="background:#DCFCE7;border-left:3px solid var(--success);padding:8px 10px;border-radius:6px;margin-bottom:10px;font-family:var(--font-mono);font-size:11px;">
+            <strong style="display:block;font-size:9px;letter-spacing:0.08em;color:#166534;margin-bottom:3px;">AFTER</strong>
+            "Personal data retained for thirty (30) days following account deletion."
+          </div>
+          <div style="font-size:11px;color:var(--text-muted);font-family:var(--font-mono);">
+            notion.so/terms · fetched 2026-05-22T14:42Z
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Module 3: Renegotiation -->
+<section class="section" id="renegotiate">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Module 3 · Renegotiation Copilot</span>
+        <h3>Turn every renewal into a counter-offer.</h3>
+        <p>
+          One click on a renewal alert assembles a complete packet: your usage data,
+          the vendor's pricing diff over the last 90 days, peer benchmarks from $15B+
+          of public spend, and three drafted email variants in different tones.
+        </p>
+        <ul class="split-bullets">
+          <li>Drafted in firm / friendly / aggressive tones — pick one</li>
+          <li>Send-via-Gmail handoff; nothing leaves your inbox</li>
+          <li>Tracks acceptance rate per vendor over time</li>
+          <li>Average customer recovers $9,200 on a single Datadog renewal</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);margin-bottom:10px;">RENEGOTIATION PACKET · Datadog · Tone: firm</div>
+          <div style="font-size:13px;color:var(--text);line-height:1.6;">
+            <strong>Subject:</strong> Datadog renewal — adjusted ask<br/><br/>
+            Hi Sarah,<br/><br/>
+            Reviewing our 2026 renewal: <strong>412 of 850 seats are inactive (48%)</strong>,
+            and our current rate ($165/seat) is 18% above what comparable customers
+            (Brex, Linear, Ramp) pay ($135/seat).<br/><br/>
+            Proposed terms: <strong>$95k/yr</strong> for 500 active seats with a $25/seat
+            overage cap. We'd appreciate your feedback by Jun 12.
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Module 4: Sub-processor heatmap -->
+<section class="section section-tint" id="subprocessor">
+  <div class="container">
+    <div class="split reverse">
+      <div>
+        <span class="split-eyebrow">Module 4 · Sub-processor Heatmap</span>
+        <h3>The Customer Commitments cross-reference no one else builds.</h3>
+        <p>
+          When a vendor adds a sub-processor in a non-adequate jurisdiction, we don't just
+          flag it — we cross-reference <em>your</em> customer DPAs to find the ones requiring
+          30-day notice, then draft those customer emails for you to review.
+        </p>
+        <ul class="split-bullets">
+          <li>Geographic heatmap of all vendor sub-processors</li>
+          <li>Adequacy decision tracking (EEA, UK, CH, US-DPF)</li>
+          <li>Auto-detection of changes within 24h of vendor announcement</li>
+          <li>Pre-drafted customer notification packets</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-size:12px;color:var(--text-muted);margin-bottom:8px;">DATADOG · 8 SUB-PROCESSORS · 4 JURISDICTIONS</div>
+          <div style="display:flex;gap:6px;flex-wrap:wrap;margin-bottom:14px;">
+            <span style="padding:4px 10px;background:#DCFCE7;color:#166534;border-radius:999px;font-size:11px;font-weight:600;">● US (5)</span>
+            <span style="padding:4px 10px;background:#DCFCE7;color:#166534;border-radius:999px;font-size:11px;font-weight:600;">● EU (1)</span>
+            <span style="padding:4px 10px;background:#DCFCE7;color:#166534;border-radius:999px;font-size:11px;font-weight:600;">● UK (1)</span>
+            <span style="padding:4px 10px;background:#FEE2E2;color:#991B1B;border-radius:999px;font-size:11px;font-weight:600;">▲ IN (1) flagged</span>
+          </div>
+          <div style="padding:10px;background:#FEE2E2;border-radius:6px;font-size:12px;color:#991B1B;margin-bottom:8px;">
+            <strong>Action required:</strong> 3 of your customer contracts require 30-day notice for new non-adequate sub-processors.
+          </div>
+          <button style="width:100%;padding:8px;background:var(--text);color:white;border:none;border-radius:6px;font-size:12px;font-weight:600;cursor:pointer;">Draft 3 customer notice emails →</button>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Module 5: Auditor Mode -->
+<section class="section" id="auditor">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Module 5 · Auditor Mode</span>
+        <h3>SOC 2 evidence in 90 seconds, not two weeks.</h3>
+        <p>
+          One click creates a time-boxed, watermarked, read-only workspace for your
+          auditor. They see the immutable change history, action timeline, and citation
+          trail per vendor — exportable as a signed PDF bundle.
+        </p>
+        <ul class="split-bullets">
+          <li>HMAC-signed time-boxed access tokens (no auth needed for auditor)</li>
+          <li>"AUDITOR PREVIEW" watermark on every page + PDF</li>
+          <li>Viewer activity log: what was viewed and when</li>
+          <li>Append-only event ledger per vendor — 7-year retention</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card" style="background:#FFFBEB;border-color:#F59E0B;">
+          <div style="font-family:var(--font-mono);font-size:10px;color:#92400E;letter-spacing:0.08em;text-transform:uppercase;font-weight:700;margin-bottom:8px;">AUDITOR PREVIEW · expires 2026-07-22</div>
+          <div style="font-size:13px;color:var(--text);">
+            <strong>Datadog · vendor evidence</strong><br/>
+            <span style="color:var(--text-muted);font-size:11px;font-family:var(--font-mono);">12 events · 47 citations · 8 sub-processors tracked</span>
+          </div>
+          <div style="margin-top:10px;padding-top:10px;border-top:1px solid var(--border);font-size:11px;color:var(--text-2);">
+            ✓ SOC 2 attestation current (Jan 2026)<br/>
+            ✓ DPA executed (Jun 2025) · v3.2<br/>
+            ⚠ New sub-processor flagged · pending review<br/>
+            ✓ Last 90-day uptime: 99.97%
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- CTA -->
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>See your fleet in 60 seconds.</h2>
+    <p>Free up to 25 vendors. Email-metadata discovery, OAuth grants, top-100 benchmarks. No credit card.</p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Start free</a>
+      <a class="btn btn-secondary btn-lg" href="pricing.html">See pricing</a>
+    </div>
+  </div>
+</section>
+
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div>
+        <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+        <p class="footer-brand">Vendor Change & Savings OS for enterprise SaaS.</p>
+      </div>
+      <div><h4>Product</h4><ul><li><a href="product.html">Inbox</a></li><li><a href="product.html#change-feed">Change Feed</a></li><li><a href="product.html#renegotiate">Renegotiation</a></li><li><a href="pricing.html">Pricing</a></li></ul></div>
+      <div><h4>Solutions</h4><ul><li><a href="solutions.html#cfo">For CFO</a></li><li><a href="solutions.html#procurement">For Procurement</a></li><li><a href="solutions.html#legal">For Legal</a></li><li><a href="solutions.html#security">For Security</a></li></ul></div>
+      <div><h4>Company</h4><ul><li><a href="customers.html">Customers</a></li><li><a href="resources.html">Resources</a></li><li><a href="http://localhost:4321/trust">Trust</a></li><li><a href="mailto:hello@unsyphn.com">Contact</a></li></ul></div>
+      <div><h4>Get updates</h4><p style="font-size:var(--text-sm);color:var(--text-2);margin:0;">Monthly SaaS sprawl reports.</p></div>
+    </div>
+    <div class="footer-bottom"><span>© 2026 Unsyphn, Inc.</span><span>SOC 2 Type II · ISO 27001</span></div>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/marketing/resources.html b/marketing/resources.html
new file mode 100644
index 0000000..ad0079e
--- /dev/null
+++ b/marketing/resources.html
@@ -0,0 +1,214 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Resources — Unsyphn</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<div class="banner">$18M wasted on SaaS per enterprise per year — <a href="#">read the 2026 SaaS Sprawl report →</a></div>
+
+<header class="header">
+  <div class="header-inner">
+    <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html">Product</a>
+      <a href="solutions.html">Solutions</a>
+      <a href="customers.html">Customers</a>
+      <a href="pricing.html">Pricing</a>
+      <a href="resources.html" class="is-active">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<section class="page-hero">
+  <div class="container-narrow">
+    <span class="section-eyebrow">Resources</span>
+    <h1>Reports, playbooks, docs, and the SaaS sprawl podcast.</h1>
+    <p>Everything we know about reducing SaaS waste, negotiating better, and surviving audits — all in one place.</p>
+  </div>
+</section>
+
+<!-- Featured report -->
+<section class="section">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">Featured · 2026 Annual Report</span>
+        <h3>The 2026 SaaS Sprawl Index</h3>
+        <p>
+          We analyzed 2,400 enterprises and 280K vendor relationships. Median SaaS count
+          per enterprise jumped 12% YoY to 291. Wasted spend is up 18% to $18M. The full
+          report has cost benchmarks, renewal-win-rate data, and the 12 most-common
+          shadow-IT vendors.
+        </p>
+        <ul class="split-bullets">
+          <li>87 pages · 142 charts · 24 case studies</li>
+          <li>Benchmarks for the top 200 enterprise SaaS vendors</li>
+          <li>Free download · email required</li>
+        </ul>
+        <a class="btn btn-dark btn-arrow" href="#" style="margin-top: 16px;">Download the report</a>
+      </div>
+      <div class="split-image">
+        <div style="text-align:center;padding:32px;background:white;border-radius:12px;border:1px solid var(--border);">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);text-transform:uppercase;letter-spacing:0.08em;margin-bottom:8px;">Unsyphn Research</div>
+          <h4 style="font-size:24px;font-weight:700;letter-spacing:-0.02em;margin:0 0 12px;">2026 SaaS Sprawl Index</h4>
+          <p style="font-size:13px;color:var(--text-2);margin:0 0 16px;">The definitive report on enterprise SaaS waste, vendor change velocity, and renewal economics.</p>
+          <div style="display:grid;grid-template-columns:repeat(3,1fr);gap:8px;font-family:var(--font-mono);font-size:11px;">
+            <div><strong style="display:block;font-size:18px;color:var(--accent);">291</strong>apps</div>
+            <div><strong style="display:block;font-size:18px;color:var(--accent);">$18M</strong>waste</div>
+            <div><strong style="display:block;font-size:18px;color:var(--accent);">51%</strong>unused</div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Resource library -->
+<section class="section section-tint">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Library</span>
+      <h2>Playbooks, guides, and docs.</h2>
+    </div>
+    <div class="resource-grid">
+      <a class="resource-card" href="#">
+        <div class="resource-cover"></div>
+        <div class="resource-body">
+          <p class="resource-type">Playbook</p>
+          <p class="resource-title">The 90-day SaaS spend optimization playbook</p>
+          <p class="resource-meta">12 min read · May 2026</p>
+        </div>
+      </a>
+      <a class="resource-card" href="#">
+        <div class="resource-cover pink"></div>
+        <div class="resource-body">
+          <p class="resource-type">Guide</p>
+          <p class="resource-title">How to read a vendor DPA before signing it</p>
+          <p class="resource-meta">18 min read · Apr 2026</p>
+        </div>
+      </a>
+      <a class="resource-card" href="#">
+        <div class="resource-cover warm"></div>
+        <div class="resource-body">
+          <p class="resource-type">Case study</p>
+          <p class="resource-title">How Cargill recovered $1.4M in their first 90 days</p>
+          <p class="resource-meta">8 min read · Mar 2026</p>
+        </div>
+      </a>
+      <a class="resource-card" href="#">
+        <div class="resource-cover pink"></div>
+        <div class="resource-body">
+          <p class="resource-type">Template</p>
+          <p class="resource-title">Counter-offer email templates for the top 50 SaaS vendors</p>
+          <p class="resource-meta">Downloadable · Mar 2026</p>
+        </div>
+      </a>
+      <a class="resource-card" href="#">
+        <div class="resource-cover"></div>
+        <div class="resource-body">
+          <p class="resource-type">Webinar</p>
+          <p class="resource-title">Sub-processor monitoring after Schrems II</p>
+          <p class="resource-meta">42 min · Feb 2026</p>
+        </div>
+      </a>
+      <a class="resource-card" href="#">
+        <div class="resource-cover warm"></div>
+        <div class="resource-body">
+          <p class="resource-type">Docs</p>
+          <p class="resource-title">Unsyphn API reference v1</p>
+          <p class="resource-meta">Updated weekly</p>
+        </div>
+      </a>
+    </div>
+  </div>
+</section>
+
+<!-- Recent posts -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Blog</span>
+      <h2>Recent posts.</h2>
+    </div>
+    <div style="max-width:720px;margin:0 auto;">
+      <a href="#" style="display:flex;justify-content:space-between;align-items:center;padding:24px 0;border-bottom:1px solid var(--border);">
+        <div>
+          <p style="font-family:var(--font-mono);font-size:11px;color:var(--accent);text-transform:uppercase;letter-spacing:0.08em;margin:0 0 6px;">Procurement</p>
+          <h4 style="font-size:18px;font-weight:600;margin:0 0 4px;letter-spacing:-0.01em;">Why 51% of your SaaS seats are unused (and the 5-step protocol to reclaim them)</h4>
+          <p style="font-size:14px;color:var(--text-muted);margin:0;">12 min · May 22, 2026</p>
+        </div>
+        <span style="font-size:24px;color:var(--text-muted);">→</span>
+      </a>
+      <a href="#" style="display:flex;justify-content:space-between;align-items:center;padding:24px 0;border-bottom:1px solid var(--border);">
+        <div>
+          <p style="font-family:var(--font-mono);font-size:11px;color:var(--accent);text-transform:uppercase;letter-spacing:0.08em;margin:0 0 6px;">Legal</p>
+          <h4 style="font-size:18px;font-weight:600;margin:0 0 4px;letter-spacing:-0.01em;">The Slack DPA AI-training clause — what changed and what to do</h4>
+          <p style="font-size:14px;color:var(--text-muted);margin:0;">8 min · May 18, 2026</p>
+        </div>
+        <span style="font-size:24px;color:var(--text-muted);">→</span>
+      </a>
+      <a href="#" style="display:flex;justify-content:space-between;align-items:center;padding:24px 0;border-bottom:1px solid var(--border);">
+        <div>
+          <p style="font-family:var(--font-mono);font-size:11px;color:var(--accent);text-transform:uppercase;letter-spacing:0.08em;margin:0 0 6px;">Security</p>
+          <h4 style="font-size:18px;font-weight:600;margin:0 0 4px;letter-spacing:-0.01em;">When a vendor adds an Indian sub-processor: a 30-day customer notice protocol</h4>
+          <p style="font-size:14px;color:var(--text-muted);margin:0;">10 min · May 14, 2026</p>
+        </div>
+        <span style="font-size:24px;color:var(--text-muted);">→</span>
+      </a>
+      <a href="#" style="display:flex;justify-content:space-between;align-items:center;padding:24px 0;border-bottom:1px solid var(--border);">
+        <div>
+          <p style="font-family:var(--font-mono);font-size:11px;color:var(--accent);text-transform:uppercase;letter-spacing:0.08em;margin:0 0 6px;">Finance</p>
+          <h4 style="font-size:18px;font-weight:600;margin:0 0 4px;letter-spacing:-0.01em;">Accrual-based SaaS forecasting: a CFO's primer</h4>
+          <p style="font-size:14px;color:var(--text-muted);margin:0;">15 min · May 9, 2026</p>
+        </div>
+        <span style="font-size:24px;color:var(--text-muted);">→</span>
+      </a>
+      <a href="#" style="display:flex;justify-content:space-between;align-items:center;padding:24px 0;">
+        <div>
+          <p style="font-family:var(--font-mono);font-size:11px;color:var(--accent);text-transform:uppercase;letter-spacing:0.08em;margin:0 0 6px;">Engineering</p>
+          <h4 style="font-size:18px;font-weight:600;margin:0 0 4px;letter-spacing:-0.01em;">How we built continuous vendor monitoring without rate-limiting our targets</h4>
+          <p style="font-size:14px;color:var(--text-muted);margin:0;">14 min · May 2, 2026</p>
+        </div>
+        <span style="font-size:24px;color:var(--text-muted);">→</span>
+      </a>
+    </div>
+  </div>
+</section>
+
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>Get the monthly SaaS Sprawl report.</h2>
+    <p>One curated newsletter, first Tuesday of each month. Cost benchmarks, vendor changes, and renewal data.</p>
+    <form style="display:flex;gap:8px;justify-content:center;flex-wrap:wrap;max-width:480px;margin:0 auto;" onsubmit="event.preventDefault(); alert('Subscribed (demo)');">
+      <input type="email" placeholder="you@company.com" style="flex:1;min-width:240px;padding:14px 18px;border:0;border-radius:999px;font-size:15px;" required />
+      <button class="btn btn-primary btn-lg" type="submit">Subscribe</button>
+    </form>
+  </div>
+</section>
+
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div><a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a><p class="footer-brand">Vendor Change & Savings OS for enterprise SaaS.</p></div>
+      <div><h4>Product</h4><ul><li><a href="product.html">Inbox</a></li><li><a href="pricing.html">Pricing</a></li></ul></div>
+      <div><h4>Solutions</h4><ul><li><a href="solutions.html#cfo">CFO</a></li><li><a href="solutions.html#procurement">Procurement</a></li></ul></div>
+      <div><h4>Company</h4><ul><li><a href="customers.html">Customers</a></li><li><a href="resources.html">Resources</a></li></ul></div>
+      <div><h4>Trust</h4><ul><li><a href="http://localhost:4321/trust">Trust Center</a></li></ul></div>
+    </div>
+    <div class="footer-bottom"><span>© 2026 Unsyphn, Inc.</span><span>SOC 2 Type II</span></div>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/marketing/solutions.html b/marketing/solutions.html
new file mode 100644
index 0000000..ea7e497
--- /dev/null
+++ b/marketing/solutions.html
@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>Solutions — Unsyphn</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<link rel="stylesheet" href="styles.css" />
+</head>
+<body>
+
+<div class="banner">$18M wasted on SaaS per enterprise per year — <a href="#">read the 2026 SaaS Sprawl report →</a></div>
+
+<header class="header">
+  <div class="header-inner">
+    <a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a>
+    <nav class="nav" aria-label="Primary">
+      <a href="product.html">Product</a>
+      <a href="solutions.html" class="is-active">Solutions</a>
+      <a href="customers.html">Customers</a>
+      <a href="pricing.html">Pricing</a>
+      <a href="resources.html">Resources</a>
+    </nav>
+    <div class="nav-cta">
+      <a class="btn btn-ghost" href="http://localhost:4321/app/inbox">Sign in</a>
+      <a class="btn btn-primary" href="http://localhost:4321/app/onboarding">Try free</a>
+    </div>
+  </div>
+</header>
+
+<section class="page-hero">
+  <div class="container-narrow">
+    <span class="section-eyebrow">Solutions by persona</span>
+    <h1>One product, six lenses.</h1>
+    <p>Procurement, Legal, Security, Finance, IT, and Internal Audit each see Unsyphn through their own lens — same canonical data, different ranking, different actions.</p>
+  </div>
+</section>
+
+<!-- CFO -->
+<section class="section" id="cfo">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">CFO / VP Finance</span>
+        <h3>The SaaS line item your board will actually trust.</h3>
+        <p>
+          See the total spend number drop quarter over quarter with citations for every
+          dollar. Accrual-based forecasting that doesn't pretend mid-year price hikes are
+          predictable. ROI proven before procurement opens a single negotiation.
+        </p>
+        <ul class="split-bullets">
+          <li>Recoverable savings dashboard updated daily</li>
+          <li>Mid-year price-hike alerts with dollar exposure quantified</li>
+          <li>Department-level spend rollups for budget defense</li>
+          <li>Board-ready PDF export every Friday</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);margin-bottom:10px;">CFO SCORECARD · Q2 2026</div>
+          <div style="display:flex;justify-content:space-between;padding:10px 0;border-bottom:1px solid var(--border);">
+            <span style="font-size:13px;color:var(--text-2);">Total SaaS spend</span><strong style="font-family:var(--font-mono);">$4.82M</strong>
+          </div>
+          <div style="display:flex;justify-content:space-between;padding:10px 0;border-bottom:1px solid var(--border);">
+            <span style="font-size:13px;color:var(--text-2);">Recovered this quarter</span><strong style="font-family:var(--font-mono);color:var(--success);">−$182K</strong>
+          </div>
+          <div style="display:flex;justify-content:space-between;padding:10px 0;border-bottom:1px solid var(--border);">
+            <span style="font-size:13px;color:var(--text-2);">At-risk next 90d</span><strong style="font-family:var(--font-mono);color:var(--warning);">$84K</strong>
+          </div>
+          <div style="display:flex;justify-content:space-between;padding:10px 0;">
+            <span style="font-size:13px;color:var(--text-2);">Predicted Q3 burn</span><strong style="font-family:var(--font-mono);">$1.18M</strong>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Procurement -->
+<section class="section section-tint" id="procurement">
+  <div class="container">
+    <div class="split reverse">
+      <div>
+        <span class="split-eyebrow">Head of Procurement</span>
+        <h3>Leverage at every renewal, not just the ones you remember.</h3>
+        <p>
+          When a renewal lands 90 days out, Unsyphn already has your usage data, the
+          vendor's pricing diff over the last quarter, peer benchmarks from $15B+ of
+          public spend, and three drafted counter-offer emails ready to send.
+        </p>
+        <ul class="split-bullets">
+          <li>One-click Renegotiation Packet per vendor</li>
+          <li>Benchmark database: 130K+ deals across 12K+ vendors</li>
+          <li>Renewal kanban: Triage → Negotiate → Sign</li>
+          <li>Average customer saves $9.2K per Datadog-tier renewal</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);margin-bottom:8px;">RENEWAL · Salesforce · 47d out</div>
+          <div style="font-size:13px;line-height:1.6;color:var(--text-2);">
+            Annual: <strong style="color:var(--text);">$815k</strong><br/>
+            Active seats: <strong style="color:var(--danger);">412 / 850 (48%)</strong><br/>
+            Peer avg: <strong style="color:var(--text);">$135 / seat</strong><br/>
+            Your rate: <strong style="color:var(--warning);">$165 / seat (+22%)</strong><br/>
+            <br/>
+            <strong style="color:var(--success);">Estimated savings if renegotiated: $182k/yr</strong>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Legal -->
+<section class="section" id="legal">
+  <div class="container">
+    <div class="split">
+      <div>
+        <span class="split-eyebrow">General Counsel · Legal Ops</span>
+        <h3>Liability creep, caught at the diff.</h3>
+        <p>
+          ToS and DPA changes show up as Git-style redlines, scored for clause-level
+          materiality. When a sub-processor crosses jurisdictions, we cross-reference
+          your customer contracts and draft the 30-day notice emails.
+        </p>
+        <ul class="split-bullets">
+          <li>Continuous monitoring of ToS, DPA, MSA, security pages</li>
+          <li>Clause-level diff: indemnity, IP, AI training, sub-processors, term</li>
+          <li>Customer Commitments cross-reference (the Vanta-pattern)</li>
+          <li>Pre-drafted objection emails and customer notices</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);margin-bottom:8px;">DPA DIFF · Slack · 4d ago</div>
+          <div style="background:#FEE2E2;border-left:3px solid var(--danger);padding:8px 10px;border-radius:6px;margin-bottom:4px;font-family:var(--font-mono);font-size:10px;">
+            <strong style="font-size:8px;color:#991B1B;">REMOVED</strong><br/>
+            "Customer Data shall not be used to train any AI/ML model."
+          </div>
+          <div style="background:#DCFCE7;border-left:3px solid var(--success);padding:8px 10px;border-radius:6px;font-family:var(--font-mono);font-size:10px;">
+            <strong style="font-size:8px;color:#166534;">ADDED</strong><br/>
+            "Customer Data may be used to train AI models with prior written notice."
+          </div>
+          <button style="margin-top:10px;width:100%;padding:8px;background:var(--text);color:white;border:none;border-radius:6px;font-size:12px;font-weight:600;cursor:pointer;">Draft objection email →</button>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- Security -->
+<section class="section section-tint" id="security">
+  <div class="container">
+    <div class="split reverse">
+      <div>
+        <span class="split-eyebrow">CISO · GRC Lead</span>
+        <h3>Vendor posture you don't have to refresh manually.</h3>
+        <p>
+          Continuous polling of vendor trust centers. The moment a SOC 2 expires, a new
+          sub-processor appears, or a breach is disclosed, we route the alert to the
+          right owner — with the evidence already in the bundle.
+        </p>
+        <ul class="split-bullets">
+          <li>SOC 2 / ISO 27001 / GDPR attestation expiry tracking</li>
+          <li>Sub-processor jurisdiction heatmap with adequacy flags</li>
+          <li>OAuth-grant risk scoring across the fleet</li>
+          <li>Datadog / Splunk / Sumo webhook out for SIEM correlation</li>
+        </ul>
+      </div>
+      <div class="split-image">
+        <div class="mock-card">
+          <div style="font-family:var(--font-mono);font-size:11px;color:var(--text-muted);margin-bottom:10px;">POSTURE WATCH · 6 vendors</div>
+          <div class="mock-row"><span class="dot green"></span><span>Notion · SOC 2 current (8mo)</span><span class="meta">✓</span></div>
+          <div class="mock-row"><span class="dot green"></span><span>Stripe · ISO 27001 current</span><span class="meta">✓</span></div>
+          <div class="mock-row"><span class="dot amber"></span><span>Datadog · sub-processor (IN)</span><span class="meta">P2</span></div>
+          <div class="mock-row"><span class="dot red"></span><span>Acme Vendor · SOC 2 expired</span><span class="meta">14d ago</span></div>
+          <div class="mock-row"><span class="dot green"></span><span>Slack · GDPR addendum updated</span><span class="meta">✓</span></div>
+        </div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<!-- IT + Audit (compact) -->
+<section class="section">
+  <div class="container">
+    <div class="section-head">
+      <span class="section-eyebrow">Two more lenses</span>
+      <h2>IT and Internal Audit get the same canonical data.</h2>
+    </div>
+    <div class="feature-grid" style="grid-template-columns: 1fr 1fr;">
+      <div class="feature-card">
+        <div class="feature-icon">⚙️</div>
+        <h3>IT Admin · Vendor Owner</h3>
+        <p>Auto-deprovision flow when an employee offboards (HRIS webhook → SSO + virtual-card pause). Inactive-seat reclamation lists. One Slack DM per material change. Less context-switching, fewer tickets.</p>
+      </div>
+      <div class="feature-card">
+        <div class="feature-icon">📋</div>
+        <h3>Internal Audit</h3>
+        <p>Auditor Mode generates time-boxed read-only workspaces with watermarked PDFs. Immutable event log per vendor, 7-year retention. SOC 2 evidence collection goes from two weeks to 90 seconds.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<section class="big-cta">
+  <div class="container-narrow">
+    <h2>Same data. Six lenses. One product.</h2>
+    <p>The role chips at the top of every page re-rank everything for the persona viewing. Same vendor, same change, different action.</p>
+    <div class="hero-actions">
+      <a class="btn btn-primary btn-lg btn-arrow" href="http://localhost:4321/app/onboarding">Try Unsyphn free</a>
+      <a class="btn btn-secondary btn-lg" href="customers.html">Read customer stories</a>
+    </div>
+  </div>
+</section>
+
+<footer class="footer">
+  <div class="container">
+    <div class="footer-grid">
+      <div><a href="index.html" class="brand"><span class="brand-mark"></span> Unsyphn</a><p class="footer-brand">Vendor Change & Savings OS for enterprise SaaS.</p></div>
+      <div><h4>Product</h4><ul><li><a href="product.html">Inbox</a></li><li><a href="product.html#change-feed">Change Feed</a></li><li><a href="pricing.html">Pricing</a></li></ul></div>
+      <div><h4>Solutions</h4><ul><li><a href="solutions.html#cfo">CFO</a></li><li><a href="solutions.html#procurement">Procurement</a></li><li><a href="solutions.html#legal">Legal</a></li><li><a href="solutions.html#security">Security</a></li></ul></div>
+      <div><h4>Company</h4><ul><li><a href="customers.html">Customers</a></li><li><a href="resources.html">Resources</a></li><li><a href="http://localhost:4321/trust">Trust</a></li></ul></div>
+      <div><h4>Get updates</h4><p style="font-size:var(--text-sm);color:var(--text-2);margin:0;">Monthly SaaS sprawl reports.</p></div>
+    </div>
+    <div class="footer-bottom"><span>© 2026 Unsyphn, Inc.</span><span>SOC 2 Type II</span></div>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/marketing/styles.css b/marketing/styles.css
new file mode 100644
index 0000000..ff15485
--- /dev/null
+++ b/marketing/styles.css
@@ -0,0 +1,997 @@
+/* Unsyphn marketing — TrueFoundry-inspired design system */
+
+:root {
+  /* Surfaces */
+  --bg: #FFFFFF;
+  --bg-soft: #FAFAFA;
+  --bg-tint: #F5F7FB;
+  --bg-card: #FFFFFF;
+  --border: #E5E7EB;
+  --border-strong: #D1D5DB;
+
+  /* Text — deep navy hierarchy */
+  --text: #0A1F3D;
+  --text-2: #4B5563;
+  --text-muted: #6B7280;
+
+  /* Accent — bright electric cyan (TrueFoundry vibe) */
+  --accent: #06B6D4;
+  --accent-hover: #0891B2;
+  --accent-soft: rgba(6, 182, 212, 0.10);
+
+  /* Brand secondary — indigo (matches app) */
+  --brand: #4F46E5;
+  --brand-hover: #4338CA;
+
+  /* Decorative gradients */
+  --grad-pink: linear-gradient(135deg, #FCE7F3 0%, #F3E8FF 100%);
+  --grad-cyan: linear-gradient(135deg, #CFFAFE 0%, #DBEAFE 100%);
+  --grad-warm: linear-gradient(135deg, #FEF3C7 0%, #FED7AA 100%);
+
+  /* Semantic */
+  --success: #10B981;
+  --warning: #F59E0B;
+  --danger: #EF4444;
+
+  /* Type */
+  --font-sans: "Inter", -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+  --font-display: "Inter", -apple-system, sans-serif;
+  --font-mono: "JetBrains Mono", "Geist Mono", ui-monospace, monospace;
+
+  /* Scale */
+  --text-xs: 0.75rem;
+  --text-sm: 0.875rem;
+  --text-base: 1rem;
+  --text-lg: 1.125rem;
+  --text-xl: 1.25rem;
+  --text-2xl: 1.5rem;
+  --text-3xl: 1.875rem;
+  --text-4xl: 2.5rem;
+  --text-5xl: 3.5rem;
+  --text-6xl: 4.5rem;
+
+  /* Spacing */
+  --space-1: 4px;
+  --space-2: 8px;
+  --space-3: 12px;
+  --space-4: 16px;
+  --space-5: 24px;
+  --space-6: 32px;
+  --space-7: 48px;
+  --space-8: 64px;
+  --space-9: 96px;
+  --space-10: 128px;
+
+  /* Radius */
+  --r-sm: 6px;
+  --r-md: 10px;
+  --r-lg: 16px;
+  --r-xl: 24px;
+  --r-pill: 999px;
+
+  /* Shadows */
+  --shadow-sm: 0 1px 2px rgba(10, 31, 61, 0.04);
+  --shadow-md: 0 4px 16px rgba(10, 31, 61, 0.06);
+  --shadow-lg: 0 16px 40px rgba(10, 31, 61, 0.10);
+  --shadow-glow: 0 8px 32px rgba(6, 182, 212, 0.25);
+}
+
+*, *::before, *::after { box-sizing: border-box; }
+html { scroll-behavior: smooth; }
+body {
+  margin: 0;
+  font-family: var(--font-sans);
+  font-size: var(--text-base);
+  line-height: 1.6;
+  color: var(--text);
+  background: var(--bg);
+  -webkit-font-smoothing: antialiased;
+  text-rendering: optimizeLegibility;
+}
+a { color: inherit; text-decoration: none; }
+img { display: block; max-width: 100%; }
+
+/* ─── Container ─── */
+.container {
+  max-width: 1200px;
+  margin: 0 auto;
+  padding: 0 var(--space-5);
+}
+.container-narrow {
+  max-width: 920px;
+  margin: 0 auto;
+  padding: 0 var(--space-5);
+}
+
+/* ─── Top notification banner ─── */
+.banner {
+  background: var(--text);
+  color: white;
+  text-align: center;
+  padding: var(--space-3) var(--space-5);
+  font-size: var(--text-sm);
+}
+.banner a {
+  color: var(--accent);
+  font-weight: 500;
+  text-decoration: underline;
+  text-underline-offset: 3px;
+}
+
+/* ─── Sticky header ─── */
+.header {
+  position: sticky;
+  top: 0;
+  z-index: 100;
+  background: rgba(255, 255, 255, 0.9);
+  backdrop-filter: saturate(180%) blur(20px);
+  -webkit-backdrop-filter: saturate(180%) blur(20px);
+  border-bottom: 1px solid var(--border);
+}
+.header-inner {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  height: 64px;
+  max-width: 1200px;
+  margin: 0 auto;
+  padding: 0 var(--space-5);
+}
+.brand {
+  display: flex;
+  align-items: center;
+  gap: var(--space-2);
+  font-weight: 700;
+  font-size: var(--text-lg);
+  letter-spacing: -0.02em;
+  color: var(--text);
+}
+.brand-mark {
+  width: 28px; height: 28px;
+  background: linear-gradient(135deg, var(--brand) 0%, var(--accent) 100%);
+  border-radius: var(--r-sm);
+  display: inline-block;
+  position: relative;
+}
+.brand-mark::after {
+  content: "";
+  position: absolute;
+  inset: 4px;
+  background: white;
+  border-radius: 2px;
+  clip-path: polygon(0 50%, 50% 0, 100% 50%, 50% 100%);
+}
+.nav {
+  display: flex;
+  gap: var(--space-5);
+  align-items: center;
+}
+.nav a {
+  font-size: var(--text-sm);
+  font-weight: 500;
+  color: var(--text-2);
+  transition: color 120ms;
+}
+.nav a:hover { color: var(--accent); }
+.nav a.is-active { color: var(--text); }
+.nav-cta {
+  display: flex;
+  gap: var(--space-3);
+  align-items: center;
+}
+
+/* ─── Buttons ─── */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  gap: var(--space-2);
+  font-family: var(--font-sans);
+  font-size: var(--text-sm);
+  font-weight: 600;
+  padding: 10px 20px;
+  border-radius: var(--r-pill);
+  border: 1px solid transparent;
+  cursor: pointer;
+  transition: all 150ms ease;
+  white-space: nowrap;
+  letter-spacing: -0.005em;
+}
+.btn-primary {
+  background: var(--accent);
+  color: white;
+  box-shadow: var(--shadow-glow);
+}
+.btn-primary:hover {
+  background: var(--accent-hover);
+  transform: translateY(-1px);
+  box-shadow: 0 12px 36px rgba(6, 182, 212, 0.35);
+}
+.btn-dark {
+  background: var(--text);
+  color: white;
+}
+.btn-dark:hover { background: #1A2F4D; }
+.btn-secondary {
+  background: white;
+  color: var(--text);
+  border-color: var(--border-strong);
+}
+.btn-secondary:hover { background: var(--bg-soft); border-color: var(--text); }
+.btn-ghost {
+  background: transparent;
+  color: var(--text-2);
+  padding: 10px 12px;
+}
+.btn-ghost:hover { color: var(--text); }
+.btn-lg {
+  font-size: var(--text-base);
+  padding: 14px 28px;
+}
+.btn-arrow::after {
+  content: "→";
+  margin-left: 4px;
+  transition: transform 200ms;
+}
+.btn-arrow:hover::after { transform: translateX(3px); }
+
+/* ─── Hero ─── */
+.hero {
+  position: relative;
+  padding: var(--space-9) 0 var(--space-10);
+  overflow: hidden;
+}
+.hero-blob {
+  position: absolute;
+  inset: 0;
+  pointer-events: none;
+  z-index: 0;
+}
+.hero-blob::before,
+.hero-blob::after {
+  content: "";
+  position: absolute;
+  border-radius: 50%;
+  filter: blur(80px);
+  opacity: 0.6;
+}
+.hero-blob::before {
+  width: 480px; height: 480px;
+  background: var(--grad-pink);
+  top: -120px; left: -80px;
+}
+.hero-blob::after {
+  width: 520px; height: 520px;
+  background: var(--grad-cyan);
+  bottom: -180px; right: -120px;
+}
+.hero-inner {
+  position: relative;
+  z-index: 1;
+  text-align: center;
+  max-width: 920px;
+  margin: 0 auto;
+  padding: 0 var(--space-5);
+}
+.eyebrow {
+  display: inline-flex;
+  align-items: center;
+  gap: var(--space-2);
+  padding: 6px 14px;
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-pill);
+  font-size: var(--text-xs);
+  font-weight: 500;
+  color: var(--text-2);
+  margin-bottom: var(--space-5);
+  box-shadow: var(--shadow-sm);
+}
+.eyebrow-dot {
+  width: 6px; height: 6px;
+  border-radius: 50%;
+  background: var(--accent);
+  box-shadow: 0 0 0 4px var(--accent-soft);
+}
+.hero h1 {
+  font-family: var(--font-display);
+  font-size: clamp(2.5rem, 6vw, 4.5rem);
+  font-weight: 700;
+  line-height: 1.05;
+  letter-spacing: -0.035em;
+  color: var(--text);
+  margin: 0 0 var(--space-5);
+}
+.hero h1 em {
+  font-style: normal;
+  background: linear-gradient(135deg, var(--brand) 0%, var(--accent) 100%);
+  -webkit-background-clip: text;
+  background-clip: text;
+  -webkit-text-fill-color: transparent;
+}
+.hero-sub {
+  font-size: var(--text-xl);
+  color: var(--text-2);
+  font-weight: 400;
+  max-width: 680px;
+  margin: 0 auto var(--space-7);
+  line-height: 1.5;
+}
+.hero-actions {
+  display: flex;
+  gap: var(--space-3);
+  justify-content: center;
+  flex-wrap: wrap;
+  margin-bottom: var(--space-6);
+}
+.hero-meta {
+  display: inline-flex;
+  align-items: center;
+  gap: var(--space-3);
+  font-size: var(--text-sm);
+  color: var(--text-muted);
+}
+.hero-meta strong { color: var(--text); font-weight: 600; }
+.hero-stars { color: #F59E0B; font-size: var(--text-base); letter-spacing: 1px; }
+
+/* ─── Section base ─── */
+.section {
+  padding: var(--space-9) 0;
+}
+.section-tint {
+  background: var(--bg-tint);
+}
+.section-dark {
+  background: var(--text);
+  color: white;
+}
+.section-dark h2, .section-dark h3 { color: white; }
+.section-dark p { color: rgba(255, 255, 255, 0.7); }
+.section-head {
+  text-align: center;
+  margin-bottom: var(--space-8);
+}
+.section-eyebrow {
+  display: inline-block;
+  font-family: var(--font-mono);
+  font-size: var(--text-xs);
+  font-weight: 500;
+  text-transform: uppercase;
+  letter-spacing: 0.12em;
+  color: var(--accent);
+  margin-bottom: var(--space-3);
+}
+.section h2 {
+  font-family: var(--font-display);
+  font-size: clamp(1.875rem, 4vw, var(--text-4xl));
+  font-weight: 700;
+  letter-spacing: -0.03em;
+  line-height: 1.15;
+  margin: 0 0 var(--space-4);
+  color: var(--text);
+}
+.section-sub {
+  font-size: var(--text-lg);
+  color: var(--text-2);
+  max-width: 640px;
+  margin: 0 auto;
+}
+
+/* ─── Logo wall ─── */
+.logo-wall {
+  padding: var(--space-7) 0;
+  border-top: 1px solid var(--border);
+  border-bottom: 1px solid var(--border);
+}
+.logo-wall-label {
+  text-align: center;
+  font-size: var(--text-sm);
+  color: var(--text-muted);
+  margin-bottom: var(--space-5);
+}
+.logo-row {
+  display: flex;
+  justify-content: space-around;
+  align-items: center;
+  flex-wrap: wrap;
+  gap: var(--space-7);
+  max-width: 1100px;
+  margin: 0 auto;
+  padding: 0 var(--space-5);
+}
+.logo-row img {
+  height: 28px;
+  filter: grayscale(100%) brightness(0) saturate(100%) opacity(0.55);
+  transition: filter 200ms;
+}
+.logo-row img:hover { filter: grayscale(0%) opacity(1); }
+
+/* ─── Feature grid ─── */
+.feature-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
+  gap: var(--space-5);
+  margin-top: var(--space-7);
+}
+.feature-card {
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-radius: var(--r-lg);
+  padding: var(--space-6);
+  transition: all 200ms ease;
+}
+.feature-card:hover {
+  border-color: var(--accent);
+  transform: translateY(-2px);
+  box-shadow: var(--shadow-md);
+}
+.feature-icon {
+  width: 44px; height: 44px;
+  border-radius: var(--r-md);
+  background: var(--accent-soft);
+  color: var(--accent);
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  font-size: 22px;
+  margin-bottom: var(--space-4);
+}
+.feature-card h3 {
+  font-size: var(--text-lg);
+  font-weight: 600;
+  margin: 0 0 var(--space-2);
+  letter-spacing: -0.01em;
+}
+.feature-card p {
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  margin: 0;
+  line-height: 1.55;
+}
+
+/* ─── Big feature row (alternating text/image) ─── */
+.split {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  gap: var(--space-8);
+  align-items: center;
+  margin: var(--space-9) 0;
+}
+.split.reverse > :first-child { order: 2; }
+.split-image {
+  background: var(--bg-tint);
+  border: 1px solid var(--border);
+  border-radius: var(--r-xl);
+  padding: var(--space-6);
+  position: relative;
+  overflow: hidden;
+}
+.split-image::before {
+  content: "";
+  position: absolute;
+  inset: 0;
+  background: var(--grad-cyan);
+  opacity: 0.3;
+  z-index: 0;
+}
+.split-image > * { position: relative; z-index: 1; }
+.split h3 {
+  font-size: var(--text-3xl);
+  font-weight: 700;
+  letter-spacing: -0.025em;
+  line-height: 1.15;
+  margin: 0 0 var(--space-4);
+}
+.split-eyebrow {
+  font-family: var(--font-mono);
+  font-size: var(--text-xs);
+  font-weight: 500;
+  text-transform: uppercase;
+  letter-spacing: 0.12em;
+  color: var(--accent);
+  margin-bottom: var(--space-3);
+  display: block;
+}
+.split p {
+  font-size: var(--text-base);
+  color: var(--text-2);
+  line-height: 1.65;
+  margin: 0 0 var(--space-5);
+}
+.split-bullets {
+  list-style: none;
+  padding: 0;
+  margin: 0;
+}
+.split-bullets li {
+  padding: var(--space-2) 0;
+  display: flex;
+  gap: var(--space-3);
+  align-items: flex-start;
+  font-size: var(--text-sm);
+  color: var(--text-2);
+}
+.split-bullets li::before {
+  content: "✓";
+  color: var(--success);
+  font-weight: 700;
+  flex-shrink: 0;
+}
+@media (max-width: 800px) {
+  .split { grid-template-columns: 1fr; gap: var(--space-6); }
+  .split.reverse > :first-child { order: 0; }
+}
+
+/* ─── Mock product UI inside split-image ─── */
+.mock-card {
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-md);
+  padding: var(--space-4);
+  box-shadow: var(--shadow-md);
+}
+.mock-row {
+  display: flex;
+  align-items: center;
+  gap: var(--space-3);
+  padding: var(--space-2) 0;
+  border-bottom: 1px solid var(--border);
+  font-size: var(--text-sm);
+}
+.mock-row:last-child { border-bottom: none; }
+.mock-row .dot {
+  width: 8px; height: 8px;
+  border-radius: 50%;
+  flex-shrink: 0;
+}
+.mock-row .dot.red { background: var(--danger); }
+.mock-row .dot.amber { background: var(--warning); }
+.mock-row .dot.green { background: var(--success); }
+.mock-row .meta {
+  margin-left: auto;
+  font-size: var(--text-xs);
+  color: var(--text-muted);
+  font-family: var(--font-mono);
+}
+.mock-row .vendor-logo {
+  width: 20px; height: 20px;
+  border-radius: 4px;
+  background: var(--bg-tint);
+}
+
+/* ─── Compliance badges ─── */
+.compliance-row {
+  display: flex;
+  justify-content: center;
+  gap: var(--space-4);
+  flex-wrap: wrap;
+  margin-top: var(--space-6);
+}
+.compliance-badge {
+  display: inline-flex;
+  align-items: center;
+  gap: var(--space-2);
+  padding: 10px 16px;
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-md);
+  font-size: var(--text-sm);
+  font-weight: 600;
+  color: var(--text);
+  box-shadow: var(--shadow-sm);
+}
+.compliance-badge::before {
+  content: "✓";
+  color: var(--success);
+  font-weight: 700;
+}
+
+/* ─── Testimonial / outcome cards ─── */
+.outcome-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
+  gap: var(--space-4);
+  margin-top: var(--space-7);
+}
+.outcome-card {
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-lg);
+  padding: var(--space-6);
+  transition: all 200ms;
+}
+.outcome-card:hover {
+  border-color: var(--accent);
+  box-shadow: var(--shadow-md);
+}
+.outcome-metric {
+  font-family: var(--font-display);
+  font-size: var(--text-4xl);
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  background: linear-gradient(135deg, var(--brand) 0%, var(--accent) 100%);
+  -webkit-background-clip: text;
+  background-clip: text;
+  -webkit-text-fill-color: transparent;
+  margin-bottom: var(--space-2);
+}
+.outcome-quote {
+  font-size: var(--text-base);
+  color: var(--text);
+  line-height: 1.55;
+  margin: 0 0 var(--space-5);
+}
+.outcome-author {
+  display: flex;
+  align-items: center;
+  gap: var(--space-3);
+  padding-top: var(--space-4);
+  border-top: 1px solid var(--border);
+}
+.outcome-avatar {
+  width: 40px; height: 40px;
+  border-radius: 50%;
+  background: var(--grad-pink);
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: 600;
+  color: var(--text);
+  font-size: var(--text-sm);
+}
+.outcome-author-name {
+  font-size: var(--text-sm);
+  font-weight: 600;
+  margin: 0;
+}
+.outcome-author-title {
+  font-size: var(--text-xs);
+  color: var(--text-muted);
+  margin: 0;
+}
+
+/* ─── Integration grid ─── */
+.integration-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(120px, 1fr));
+  gap: var(--space-3);
+  margin-top: var(--space-7);
+  max-width: 1000px;
+  margin-left: auto;
+  margin-right: auto;
+}
+.integration-tile {
+  aspect-ratio: 1.2;
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-md);
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  gap: var(--space-2);
+  transition: all 200ms;
+  text-align: center;
+  padding: var(--space-3);
+}
+.integration-tile:hover {
+  border-color: var(--accent);
+  transform: translateY(-2px);
+  box-shadow: var(--shadow-sm);
+}
+.integration-tile img {
+  width: 32px; height: 32px;
+}
+.integration-tile span {
+  font-size: var(--text-xs);
+  color: var(--text-2);
+  font-weight: 500;
+}
+
+/* ─── Big CTA section ─── */
+.big-cta {
+  text-align: center;
+  padding: var(--space-10) 0;
+  background: linear-gradient(135deg, #0A1F3D 0%, #1E3A8A 50%, #06B6D4 100%);
+  color: white;
+}
+.big-cta h2 {
+  color: white;
+  font-size: clamp(2rem, 5vw, 3.5rem);
+  margin-bottom: var(--space-4);
+  letter-spacing: -0.025em;
+}
+.big-cta p {
+  color: rgba(255, 255, 255, 0.85);
+  font-size: var(--text-lg);
+  margin: 0 auto var(--space-7);
+  max-width: 580px;
+}
+.big-cta .btn-primary {
+  background: white;
+  color: var(--text);
+  box-shadow: 0 8px 28px rgba(0,0,0,0.2);
+}
+.big-cta .btn-primary:hover { background: #f3f3f3; transform: translateY(-1px); }
+.big-cta .btn-secondary {
+  background: transparent;
+  color: white;
+  border-color: rgba(255, 255, 255, 0.4);
+}
+.big-cta .btn-secondary:hover { background: rgba(255, 255, 255, 0.1); border-color: white; }
+
+/* ─── Footer ─── */
+.footer {
+  background: var(--bg-soft);
+  border-top: 1px solid var(--border);
+  padding: var(--space-9) 0 var(--space-6);
+}
+.footer-grid {
+  display: grid;
+  grid-template-columns: 2fr 1fr 1fr 1fr 1fr;
+  gap: var(--space-6);
+  margin-bottom: var(--space-8);
+}
+.footer-brand {
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  margin-top: var(--space-3);
+  max-width: 280px;
+}
+.footer h4 {
+  font-size: var(--text-xs);
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--text-muted);
+  margin: 0 0 var(--space-3);
+}
+.footer ul {
+  list-style: none;
+  padding: 0;
+  margin: 0;
+}
+.footer li {
+  margin: var(--space-2) 0;
+}
+.footer li a {
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  transition: color 120ms;
+}
+.footer li a:hover { color: var(--accent); }
+.footer-bottom {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding-top: var(--space-5);
+  border-top: 1px solid var(--border);
+  font-size: var(--text-xs);
+  color: var(--text-muted);
+}
+@media (max-width: 800px) {
+  .footer-grid { grid-template-columns: 1fr 1fr; }
+}
+
+/* ─── Page hero (non-home pages) ─── */
+.page-hero {
+  padding: var(--space-9) 0 var(--space-7);
+  text-align: center;
+  background: var(--bg-tint);
+  border-bottom: 1px solid var(--border);
+}
+.page-hero h1 {
+  font-size: clamp(2rem, 5vw, var(--text-5xl));
+  font-weight: 700;
+  letter-spacing: -0.03em;
+  margin: var(--space-3) 0 var(--space-4);
+}
+.page-hero p {
+  font-size: var(--text-lg);
+  color: var(--text-2);
+  max-width: 640px;
+  margin: 0 auto;
+}
+
+/* ─── Pricing ─── */
+.pricing-grid {
+  display: grid;
+  grid-template-columns: repeat(4, 1fr);
+  gap: var(--space-4);
+  margin-top: var(--space-7);
+}
+.price-card {
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-lg);
+  padding: var(--space-6);
+  display: flex;
+  flex-direction: column;
+}
+.price-card.featured {
+  border-color: var(--accent);
+  border-width: 2px;
+  box-shadow: 0 16px 40px rgba(6, 182, 212, 0.15);
+  position: relative;
+}
+.price-card.featured::before {
+  content: "Most popular";
+  position: absolute;
+  top: -12px;
+  left: 50%;
+  transform: translateX(-50%);
+  background: var(--accent);
+  color: white;
+  font-size: var(--text-xs);
+  font-weight: 600;
+  padding: 4px 12px;
+  border-radius: var(--r-pill);
+}
+.price-name {
+  font-size: var(--text-base);
+  font-weight: 600;
+  color: var(--text-2);
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  margin: 0 0 var(--space-3);
+}
+.price-value {
+  font-size: var(--text-4xl);
+  font-weight: 700;
+  letter-spacing: -0.025em;
+  margin: 0 0 var(--space-2);
+}
+.price-value span {
+  font-size: var(--text-base);
+  font-weight: 400;
+  color: var(--text-muted);
+}
+.price-tag {
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  margin: 0 0 var(--space-5);
+  min-height: 40px;
+}
+.price-features {
+  list-style: none;
+  padding: 0;
+  margin: 0 0 var(--space-5);
+  flex: 1;
+}
+.price-features li {
+  padding: 6px 0;
+  font-size: var(--text-sm);
+  color: var(--text-2);
+  display: flex;
+  gap: var(--space-2);
+  align-items: flex-start;
+}
+.price-features li::before {
+  content: "✓";
+  color: var(--success);
+  flex-shrink: 0;
+}
+@media (max-width: 900px) {
+  .pricing-grid { grid-template-columns: 1fr; }
+}
+
+/* ─── Resource cards ─── */
+.resource-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+  gap: var(--space-5);
+  margin-top: var(--space-7);
+}
+.resource-card {
+  background: white;
+  border: 1px solid var(--border);
+  border-radius: var(--r-lg);
+  overflow: hidden;
+  display: flex;
+  flex-direction: column;
+  transition: all 200ms;
+}
+.resource-card:hover {
+  border-color: var(--accent);
+  box-shadow: var(--shadow-md);
+  transform: translateY(-2px);
+}
+.resource-cover {
+  height: 160px;
+  background: var(--grad-cyan);
+  position: relative;
+}
+.resource-cover.pink { background: var(--grad-pink); }
+.resource-cover.warm { background: var(--grad-warm); }
+.resource-body {
+  padding: var(--space-5);
+}
+.resource-type {
+  font-family: var(--font-mono);
+  font-size: var(--text-xs);
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--accent);
+  font-weight: 500;
+  margin-bottom: var(--space-2);
+}
+.resource-title {
+  font-size: var(--text-lg);
+  font-weight: 600;
+  letter-spacing: -0.01em;
+  margin: 0 0 var(--space-2);
+  line-height: 1.35;
+}
+.resource-meta {
+  font-size: var(--text-xs);
+  color: var(--text-muted);
+}
+
+/* ─── Stat strip ─── */
+.stat-strip {
+  display: grid;
+  grid-template-columns: repeat(4, 1fr);
+  gap: var(--space-5);
+  margin-top: var(--space-7);
+}
+.stat-strip .stat {
+  text-align: center;
+}
+.stat-num {
+  font-family: var(--font-display);
+  font-size: var(--text-5xl);
+  font-weight: 700;
+  letter-spacing: -0.03em;
+  line-height: 1;
+  background: linear-gradient(135deg, var(--brand) 0%, var(--accent) 100%);
+  -webkit-background-clip: text;
+  background-clip: text;
+  -webkit-text-fill-color: transparent;
+  margin-bottom: var(--space-2);
+}
+.stat-label {
+  font-size: var(--text-sm);
+  color: var(--text-2);
+}
+@media (max-width: 700px) {
+  .stat-strip { grid-template-columns: repeat(2, 1fr); }
+}
+
+/* ─── Customer logo grid (large) ─── */
+.customer-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
+  gap: 1px;
+  background: var(--border);
+  border: 1px solid var(--border);
+  border-radius: var(--r-lg);
+  overflow: hidden;
+  margin-top: var(--space-7);
+}
+.customer-tile {
+  background: white;
+  aspect-ratio: 16 / 10;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-weight: 700;
+  font-size: var(--text-lg);
+  color: var(--text-2);
+  letter-spacing: -0.02em;
+  transition: all 200ms;
+}
+.customer-tile:hover {
+  background: var(--bg-tint);
+  color: var(--text);
+}
+
+/* ─── Visually hidden ─── */
+.sr-only {
+  position: absolute;
+  width: 1px; height: 1px;
+  padding: 0; margin: -1px;
+  overflow: hidden;
+  clip: rect(0,0,0,0);
+  white-space: nowrap;
+  border: 0;
+}
diff --git a/package.json b/package.json
index 26ee62f..3416776 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "redline-datadog-hackathon",
+  "name": "unsyphn-datadog-hackathon",
   "version": "0.1.0",
   "private": true,
   "type": "module",
@@ -8,15 +8,15 @@
     "node": ">=20.0.0"
   },
   "scripts": {
-    "dev:api": "pnpm --filter @redline/api dev",
-    "dev:web": "pnpm --filter @redline/web dev",
+    "dev:api": "pnpm --filter @unsyphn/api dev",
+    "dev:web": "pnpm --filter @unsyphn/web dev",
     "dev:static": "npx --yes serve public -l 3000 --no-clipboard",
     "dev": "pnpm -r --parallel --stream dev",
-    "build": "pnpm --filter @redline/shared build && pnpm --filter @redline/api build && pnpm --filter @redline/web build",
-    "typecheck": "pnpm --filter @redline/shared typecheck && pnpm --filter @redline/api typecheck && pnpm --filter @redline/web typecheck",
+    "build": "pnpm --filter @unsyphn/shared build && pnpm --filter @unsyphn/api build && pnpm --filter @unsyphn/web build",
+    "typecheck": "pnpm --filter @unsyphn/shared typecheck && pnpm --filter @unsyphn/api typecheck && pnpm --filter @unsyphn/web typecheck",
     "test": "vitest run",
     "test:watch": "vitest",
-    "db:migrate": "pnpm --filter @redline/api db:migrate"
+    "db:migrate": "pnpm --filter @unsyphn/api db:migrate"
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^6.5.0",
diff --git a/packages/shared/package.json b/packages/shared/package.json
index b835189..7afe923 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "@redline/shared",
+  "name": "@unsyphn/shared",
   "version": "0.1.0",
   "private": true,
   "type": "module",
diff --git a/packages/shared/src/schemas.ts b/packages/shared/src/schemas.ts
index 573c917..2e40be9 100644
--- a/packages/shared/src/schemas.ts
+++ b/packages/shared/src/schemas.ts
@@ -55,6 +55,38 @@ export const resolveChangeRequestSchema = z
   })
   .strict();
 
+export const lensSchema = z.enum([
+  "procurement",
+  "legal",
+  "security",
+  "finance",
+  "it",
+  "audit",
+]);
+
+export const escalateChangeRequestSchema = z
+  .object({
+    toRole: lensSchema,
+    note: noteSchema.optional(),
+  })
+  .strict();
+
+export type EscalateChangeRequest = z.infer<typeof escalateChangeRequestSchema>;
+
+export interface EscalationRecord {
+  toRole: z.infer<typeof lensSchema>;
+  byUserId: string;
+  note?: string;
+  escalatedAt: string;
+  slackChannel: string;
+  jiraKey: string;
+}
+
+export interface EscalateChangeResponse {
+  id: string;
+  escalation: EscalationRecord;
+}
+
 export const VendorContractSchema = z.object({
   renewsAt: IsoDateSchema,
   annualSpendUsd: z.number().int().nonnegative(),
@@ -361,6 +393,16 @@ export const streamEventSchemas = {
       by: z.string().min(1),
     })
     .strict(),
+  "change.escalated": z
+    .object({
+      id: z.string().min(1),
+      toRole: lensSchema,
+      byUserId: z.string().min(1),
+      at: iso8601Schema,
+      slackChannel: z.string().min(1),
+      jiraKey: z.string().min(1),
+    })
+    .strict(),
   "org.entitlements.changed": z
     .object({
       compliancePack: z.boolean(),
diff --git a/packages/shared/src/types.ts b/packages/shared/src/types.ts
index 9cd934d..f9d2b9e 100644
--- a/packages/shared/src/types.ts
+++ b/packages/shared/src/types.ts
@@ -303,6 +303,7 @@ export type StreamEventName =
   | "change.detected"
   | "action.delivered"
   | "change.stateChanged"
+  | "change.escalated"
   | "org.entitlements.changed";
 
 export interface SchedulerTickEvent {
@@ -343,6 +344,15 @@ export interface ActionDeliveredEvent {
   externalId?: string;
 }
 
+export interface ChangeEscalatedEvent {
+  id: ChangeReportId | string;
+  toRole: Lens;
+  byUserId: UserId | string;
+  at: Iso8601;
+  slackChannel: string;
+  jiraKey: string;
+}
+
 export interface OrgEntitlementsChangedEvent {
   compliancePack: boolean;
   auditorPortal?: boolean;
@@ -358,6 +368,7 @@ export interface StreamEventDataMap {
   "change.detected": ChangeDetectedEvent;
   "action.delivered": ActionDeliveredEvent;
   "change.stateChanged": ChangeStateChangedEvent;
+  "change.escalated": ChangeEscalatedEvent;
   "org.entitlements.changed": OrgEntitlementsChangedEvent;
 }
 
@@ -397,3 +408,74 @@ export interface ApiErrorEnvelope {
     requestId?: string;
   };
 }
+
+export type Lens = "procurement" | "legal" | "security" | "finance" | "it" | "audit";
+export type InboxItemKind = "change" | "renewal" | "unused-seats";
+export type RenewalStatus = "triage" | "negotiate" | "sign";
+export type DiscoveryProvider = "google" | "microsoft";
+
+export interface InboxItem {
+  id: string;
+  kind: InboxItemKind;
+  vendorId: string;
+  vendorName: string;
+  title: string;
+  summary: string;
+  severity: Severity;
+  dollarImpact: number | null;
+  ownerEmail: string;
+  occurredAt: Iso8601;
+  lensTags: Lens[];
+  state: ChangeState;
+}
+
+export interface Renewal {
+  id: string;
+  vendorId: string;
+  vendorName: string;
+  renewsAt: IsoDate;
+  daysOut: number;
+  annualValueUsd: number;
+  ownerEmail: string;
+  ownerId?: UserId;
+  status: RenewalStatus;
+  benchmarkDelta: number | null;
+  declined?: boolean;
+  autoRenewed?: boolean;
+  lensTags?: Lens[];
+}
+
+export interface IntakeRequest {
+  id: string;
+  vendorName: string;
+  requesterEmail: string;
+  expectedSpendUsd: number;
+  justification: string;
+  status: "pending" | "approved" | "rejected";
+  similarTools: string[];
+  createdAt: Iso8601;
+}
+
+export interface Recoverable {
+  totalUsd: number;
+  breakdown: {
+    unusedSeatsUsd: number;
+    priceHikesUsd: number;
+    duplicateAppsUsd: number;
+    atRiskUsd: number;
+  };
+}
+
+export interface DiscoveryJob {
+  jobId: string;
+  estimatedSeconds: number;
+  expectedVendors: number;
+  discoveredVendors: Array<{
+    id: string;
+    name: string;
+    domain: string;
+    category: string;
+    spendUsd: number;
+    confidence: number;
+  }>;
+}
diff --git a/plan.md b/plan.md
index ff4bcd3..56eb822 100644
--- a/plan.md
+++ b/plan.md
@@ -1,9 +1,9 @@
-# Redline — Build Plan (saasb2b branch)
+# Unsyphn — Build Plan (saasb2b branch)
 
 A clean, minimal B2B SaaS app for **Vendor Change Intelligence (VCI)**.
 Style is a deliberate hybrid: **Slate** layout + **Seven** typography.
 
-> Source: `Redline-Enterprise-Vision.pdf` (the 10-flow product surface).
+> Source: `Unsyphn-Enterprise-Vision.pdf` (the 10-flow product surface).
 > Web research May 2026: B2B dashboards now favor *restraint over density*,
 > progressive disclosure, and role-aware views — Linear, Vercel, Notion lineage.
 
@@ -12,7 +12,7 @@ Style is a deliberate hybrid: **Slate** layout + **Seven** typography.
 ## 0. Constraints I'm honoring
 
 1. **Build on the existing monorepo** — `apps/web`, `apps/api`, `packages/shared`. Don't fork.
-2. **One brand**: "Redline" (drop the legacy "Unsyphn" string everywhere).
+2. **One brand**: "Unsyphn" (drop the legacy "Unsyphn" string everywhere).
 3. **Hero flow first** — Portfolio → Change → Routing → Evidence → Transact → Bundle. Everything else is staged.
 4. **Real where it matters, faked where it doesn't** — one real change run, one real Senso URL, one real Stripe checkout. The rest is seeded.
 5. **No marketing chrome on the app surface** — landing page lives at `/`; product lives at `/app`.
@@ -103,7 +103,7 @@ body {
 
 | Token | Weight | Letter-spacing | Use |
 |---|---|---|---|
-| Hero (landing only) | **100** | -0.045em | "Redline." mark, 96–144px |
+| Hero (landing only) | **100** | -0.045em | "Unsyphn." mark, 96–144px |
 | h1 (in-app) | **200** | -0.035em | screen titles, 36–48px |
 | h2 | **300** | -0.020em | section labels, 20–26px |
 | h3 | **500** | normal | row group titles, 13–15px |
@@ -181,7 +181,7 @@ From PDF §12 "Demo dressing" + my taste pass:
 These are the *changes I'm making* on `saasb2b` — not a rewrite.
 
 ### 5.1 Brand & shell
-- [ ] Rip "Unsyphn" everywhere → "Redline" (text + nav marks + favicon alt + page titles).
+- [ ] Rip "Unsyphn" everywhere → "Unsyphn" (text + nav marks + favicon alt + page titles).
 - [ ] Replace `unsyphlogo.png` references with a new `/logo.png` (mark + wordmark). Keep all favicon sizes.
 - [ ] Rewrite `apps/web/src/styles.css` against the new tokens in §1.1.
 - [ ] One global font load (`Helvetica Neue` system → `Inter` web fallback) — delete the existing Inter `<link>` if Helvetica Neue is local.
@@ -250,7 +250,7 @@ Each screen passes when:
 - `pnpm dev` → both servers up in one command (already wired).
 - A11y: keyboard reaches every interactive element; focus rings visible; landmarks present; contrast ≥ 4.5:1 on the dark theme (periwinkle on `#0A0B0F` = 8.1:1, text on bg = 14.2:1 — both pass AA).
 - No `console.log` in shipped code (Stop hook enforces).
-- No "Unsyphn" / "Redline" string mixing — `grep -rin "unsyphn" apps/` returns zero.
+- No "Unsyphn" / "Unsyphn" string mixing — `grep -rin "unsyphn" apps/` returns zero.
 
 ---
 
@@ -283,7 +283,7 @@ Each step ends with a working demo of *that slice*. No "scaffold everything, wir
 
 ## 10. References
 
-- `Redline-Enterprise-Vision.pdf` — source of truth for what the product *is*.
+- `Unsyphn-Enterprise-Vision.pdf` — source of truth for what the product *is*.
 - `the-kit/seven.html` — Helvetica Neue type discipline + iOS 7 candy palette semantics.
 - `the-kit/slate.html` — dark surfaces, periwinkle accent, command palette, density.
 - `PAGE_AUDIT.md` — what's broken on `main` today.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6c28f4e..2fa0000 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -59,12 +59,15 @@ importers:
       '@hono/node-server':
         specifier: ^1.19.6
         version: 1.19.14(hono@4.12.22)
-      '@redline/shared':
+      '@unsyphn/shared':
         specifier: workspace:*
         version: link:../../packages/shared
       hono:
         specifier: ^4.10.7
         version: 4.12.22
+      pdfkit:
+        specifier: ^0.18.0
+        version: 0.18.0
       pino:
         specifier: ^10.3.1
         version: 10.3.1
@@ -81,6 +84,9 @@ importers:
       '@types/node':
         specifier: ^24.10.2
         version: 24.12.4
+      '@types/pdfkit':
+        specifier: ^0.17.6
+        version: 0.17.6
       tsx:
         specifier: ^4.21.0
         version: 4.22.3
@@ -90,18 +96,36 @@ importers:
 
   apps/web:
     dependencies:
+      '@dnd-kit/core':
+        specifier: ^6.3.1
+        version: 6.3.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@dnd-kit/sortable':
+        specifier: ^10.0.0
+        version: 10.0.0(@dnd-kit/core@6.3.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(react@18.3.1)
+      '@dnd-kit/utilities':
+        specifier: ^3.2.2
+        version: 3.2.2(react@18.3.1)
       '@hookform/resolvers':
         specifier: ^5.4.0
         version: 5.4.0(react-hook-form@7.76.1(react@18.3.1))
-      '@redline/shared':
-        specifier: workspace:*
-        version: link:../../packages/shared
       '@stripe/react-stripe-js':
         specifier: ^3.0.0
         version: 3.10.0(@stripe/stripe-js@4.10.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@stripe/stripe-js':
         specifier: ^4.10.0
         version: 4.10.0
+      '@types/canvas-confetti':
+        specifier: ^1.9.0
+        version: 1.9.0
+      '@unsyphn/shared':
+        specifier: workspace:*
+        version: link:../../packages/shared
+      canvas-confetti:
+        specifier: ^1.9.4
+        version: 1.9.4
+      lucide-react:
+        specifier: ^1.16.0
+        version: 1.16.0(react@18.3.1)
       react:
         specifier: ^18.3.0
         version: 18.3.1
@@ -271,6 +295,28 @@ packages:
     resolution: {integrity: sha512-Vd/9EVDiu6PPJt9yAh6roZP6El1xHrdvIVGjyBsHR0RYwNHgL7FJPyIIW4fANJNG6FtyZfvlRPpFI4ZM/lubvw==}
     engines: {node: '>=18'}
 
+  '@dnd-kit/accessibility@3.1.1':
+    resolution: {integrity: sha512-2P+YgaXF+gRsIihwwY1gCsQSYnu9Zyj2py8kY5fFvUM1qm2WA2u639R6YNVfU4GWr+ZM5mqEsfHZZLoRONbemw==}
+    peerDependencies:
+      react: '>=16.8.0'
+
+  '@dnd-kit/core@6.3.1':
+    resolution: {integrity: sha512-xkGBRQQab4RLwgXxoqETICr6S5JlogafbhNsidmrkVv2YRs5MLwpjoF2qpiGjQt8S9AoxtIV603s0GIUpY5eYQ==}
+    peerDependencies:
+      react: '>=16.8.0'
+      react-dom: '>=16.8.0'
+
+  '@dnd-kit/sortable@10.0.0':
+    resolution: {integrity: sha512-+xqhmIIzvAYMGfBYYnbKuNicfSsk4RksY2XdmJhT+HAC01nix6fHCztU68jooFiMUB01Ky3F0FyOvhG/BZrWkg==}
+    peerDependencies:
+      '@dnd-kit/core': ^6.3.0
+      react: '>=16.8.0'
+
+  '@dnd-kit/utilities@3.2.2':
+    resolution: {integrity: sha512-+MKAJEOfaBe5SmV6t34p80MMKhjvUz0vRrvVJbPT0WElzaOJ/1xs+D+KDv+tD/NE5ujfrChEcshd4fLn0wpiqg==}
+    peerDependencies:
+      react: '>=16.8.0'
+
   '@emnapi/core@1.10.0':
     resolution: {integrity: sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==}
 
@@ -607,6 +653,14 @@ packages:
       '@emnapi/core': ^1.7.1
       '@emnapi/runtime': ^1.7.1
 
+  '@noble/ciphers@1.3.0':
+    resolution: {integrity: sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==}
+    engines: {node: ^14.21.3 || >=16}
+
+  '@noble/hashes@1.8.0':
+    resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==}
+    engines: {node: ^14.21.3 || >=16}
+
   '@oxc-project/types@0.132.0':
     resolution: {integrity: sha512-FESMOxil5Se014ui/Eq8fT5uHJo6nIRwH0PfJrZJXs6Gek3ZVFOrpUv3YIZT20m+extU98Hg1Ym72U58rlsxUQ==}
 
@@ -850,6 +904,9 @@ packages:
     resolution: {integrity: sha512-KrMOL+sH69htCIXCaZ4JluJ35bchuCCznyPyrbN8JXSGQfwBI1SuIEMZNwvy8L8ykj29t6sa5BAAiL7fNoLZ8A==}
     engines: {node: '>=12.16'}
 
+  '@swc/helpers@0.5.21':
+    resolution: {integrity: sha512-jI/VAmtdjB/RnI8GTnokyX7Ug8c+g+ffD6QRLa6XQewtnGyukKkKSk3wLTM3b5cjt1jNh9x0jfVlagdN2gDKQg==}
+
   '@testing-library/dom@10.4.1':
     resolution: {integrity: sha512-o4PXJQidqJl82ckFaXUeoAW+XysPLauYI43Abki5hABd853iMhitooc6znOnczgbTYmEP6U6/y1ZyKAIsvMKGg==}
     engines: {node: '>=18'}
@@ -897,6 +954,9 @@ packages:
   '@types/babel__traverse@7.28.0':
     resolution: {integrity: sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==}
 
+  '@types/canvas-confetti@1.9.0':
+    resolution: {integrity: sha512-aBGj/dULrimR1XDZLtG9JwxX1b4HPRF6CX9Yfwh3NvstZEm1ZL7RBnel4keCPSqs1ANRu1u2Aoz9R+VmtjYuTg==}
+
   '@types/chai@5.2.3':
     resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
 
@@ -912,6 +972,9 @@ packages:
   '@types/node@24.12.4':
     resolution: {integrity: sha512-GUUEShf+PBCGW2KaXwcIt3Yk+e3pkKwWKb9GSyM9WQVE+ep2jzmHdGsHzu4wgcZy5fN9FBdVzjpBQsYlpfpgLA==}
 
+  '@types/pdfkit@0.17.6':
+    resolution: {integrity: sha512-tIwzxk2uWKp0Cq9JIluQXJid77lYhF52EsIOwhsMF4iWLA6YneoBR1xVKYYdAysHuepUB0OX4tdwMiUDdGKmig==}
+
   '@types/prop-types@15.7.15':
     resolution: {integrity: sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw==}
 
@@ -988,11 +1051,24 @@ packages:
     resolution: {integrity: sha512-kNOjDqAh7px0XWNI+4QbzoiR/nTkHAWNud2uvnJquD1/x5a7EQZMJT0AczqK0Qn67oY/TTQ1LbUKajZpp3I9tQ==}
     engines: {node: '>=8.0.0'}
 
+  base64-js@0.0.8:
+    resolution: {integrity: sha512-3XSA2cR/h/73EzlXXdU6YNycmYI7+kicTxks4eJg2g39biHR84slg2+des+p7iHYhbRg/udIS4TD53WabcOUkw==}
+    engines: {node: '>= 0.4'}
+
+  base64-js@1.5.1:
+    resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}
+
   baseline-browser-mapping@2.10.32:
     resolution: {integrity: sha512-wbPvpyjJPC0zdfdKXxqEL3Ea+bOMD/87X4lftiJkkaBiuG6ALQy1SLmEd7BSmVCuwCQsBrCamgBoLyfFDD1EPg==}
     engines: {node: '>=6.0.0'}
     hasBin: true
 
+  brotli@1.3.3:
+    resolution: {integrity: sha512-oTKjJdShmDuGW94SyyaoQvAjf30dZaHnjJ8uAF+u2/vGJkJbJPJAT1gDiOJP5v1Zb6f9KEyW/1HpuaWIXtGHPg==}
+
+  browserify-zlib@0.2.0:
+    resolution: {integrity: sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==}
+
   browserslist@4.28.2:
     resolution: {integrity: sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
@@ -1009,10 +1085,17 @@ packages:
   caniuse-lite@1.0.30001793:
     resolution: {integrity: sha512-iwSsYWaCOoh26cV8NwNRViHlrfUvYsHDfRVcbtmw0Kg6PJIZZXwMkj1442FYLBGkeUf1juAsU3DTfxW579mrPA==}
 
+  canvas-confetti@1.9.4:
+    resolution: {integrity: sha512-yxQbJkAVrFXWNbTUjPqjF7G+g6pDotOUHGbkZq2NELZUMDpiJ85rIEazVb8GTaAptNW2miJAXbs1BtioA251Pw==}
+
   chai@6.2.2:
     resolution: {integrity: sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==}
     engines: {node: '>=18'}
 
+  clone@2.1.2:
+    resolution: {integrity: sha512-3Pe/CF1Nn94hyhIYpjtiLhdCoEoz0DqQ+988E9gmeEdQZlojxnOb74wctFyuwWQHzqyf9X7C7MG8juUpqBJT8w==}
+    engines: {node: '>=0.8'}
+
   combined-stream@1.0.8:
     resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
     engines: {node: '>= 0.8'}
@@ -1058,6 +1141,9 @@ packages:
     resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
     engines: {node: '>=8'}
 
+  dfa@1.2.0:
+    resolution: {integrity: sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q==}
+
   dom-accessibility-api@0.5.16:
     resolution: {integrity: sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==}
 
@@ -1115,6 +1201,9 @@ packages:
     resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
     engines: {node: '>=12.0.0'}
 
+  fast-deep-equal@3.1.3:
+    resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
+
   fdir@6.5.0:
     resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
     engines: {node: '>=12.0.0'}
@@ -1124,6 +1213,9 @@ packages:
       picomatch:
         optional: true
 
+  fontkit@2.0.4:
+    resolution: {integrity: sha512-syetQadaUEDNdxdugga9CpEYVaQIxOwk7GlwZWWZ19//qW4zE5bknOKeMBDYAASwnpaSHKJITRLMF9m1fp3s6g==}
+
   form-data@4.0.5:
     resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==}
     engines: {node: '>= 6'}
@@ -1191,6 +1283,9 @@ packages:
   is-potential-custom-element-name@1.0.1:
     resolution: {integrity: sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==}
 
+  js-md5@0.8.3:
+    resolution: {integrity: sha512-qR0HB5uP6wCuRMrWPTrkMaev7MJZwJuuw4fnwAzRgP4J4/F8RwtodOKpGp4XpqsLBFzzgqIO42efFAyz2Et6KQ==}
+
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
@@ -1283,6 +1378,9 @@ packages:
     resolution: {integrity: sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==}
     engines: {node: '>= 12.0.0'}
 
+  linebreak@1.1.0:
+    resolution: {integrity: sha512-MHp03UImeVhB7XZtjd0E4n6+3xr5Dq/9xI/5FptGk5FrbDR3zagPa2DS6U8ks/3HjbKWG9Q1M2ufOzxV2qLYSQ==}
+
   loose-envify@1.4.0:
     resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
     hasBin: true
@@ -1293,6 +1391,11 @@ packages:
   lru-cache@5.1.1:
     resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==}
 
+  lucide-react@1.16.0:
+    resolution: {integrity: sha512-dYwyPzb4MEKpGUmNYk3WKWPnMrHs3FKM+q94kAnJrcDIqqn1hq2xY8scaS2ovsOCM5D51ey2gaRG3PBb1vgoYQ==}
+    peerDependencies:
+      react: ^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0
+
   lz-string@1.5.0:
     resolution: {integrity: sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==}
     hasBin: true
@@ -1346,12 +1449,21 @@ packages:
     resolution: {integrity: sha512-0eJJY6hXLGf1udHwfNftBqH+g73EU4B504nZeKpz1sYRKafAghwxEJunB2O7rDZkL4PGfsMVnTXZ2EjibbqcsA==}
     engines: {node: '>=14.0.0'}
 
+  pako@0.2.9:
+    resolution: {integrity: sha512-NUcwaKxUxWrZLpDG+z/xZaCgQITkA/Dv4V/T6bw7VON6l1Xz/VnrBqrYjZQ12TamKHzITTfOEIYUj48y2KXImA==}
+
+  pako@1.0.11:
+    resolution: {integrity: sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==}
+
   parse5@7.3.0:
     resolution: {integrity: sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw==}
 
   pathe@2.0.3:
     resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
 
+  pdfkit@0.18.0:
+    resolution: {integrity: sha512-NvUwSDZ0eYEzqAiWwVQkRkjYUkZ48kcsHuCO31ykqPPIVkwoSDjDGiwIgHHNtsiwls3z3P/zy4q00hl2chg2Ug==}
+
   picocolors@1.1.1:
     resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
@@ -1369,6 +1481,9 @@ packages:
     resolution: {integrity: sha512-r34yH/GlQpKZbU1BvFFqOjhISRo1MNx1tWYsYvmj6KIRHSPMT2+yHOEb1SG6NMvRoHRF0a07kCOox/9yakl1vg==}
     hasBin: true
 
+  png-js@1.1.0:
+    resolution: {integrity: sha512-PM/uYGzGdNSzqeOgly68+6wKQDL1SY0a/N+OEa/+br6LnHWOAJB0Npiamnodfq3jd2LS/i2fMeOKSAILjA+m5Q==}
+
   postcss@8.5.15:
     resolution: {integrity: sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==}
     engines: {node: ^10 || ^12 || >=14}
@@ -1430,6 +1545,9 @@ packages:
     resolution: {integrity: sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==}
     engines: {node: '>=8'}
 
+  restructure@3.0.2:
+    resolution: {integrity: sha512-gSfoiOEA0VPE6Tukkrr7I0RBdE0s7H1eFCDBk05l1KIQT1UIKNc5JZy6jdyW6eYH3aR3g5b3PuL77rq0hvwtAw==}
+
   rolldown@1.0.2:
     resolution: {integrity: sha512-oZx5zVDtVB44AW3eaifgDml1gWRDZGvjcfdxonE4swNPG98PrrXjaO/KrnUjzlMnztCCRVlUueA1kCXhARGk6g==}
     engines: {node: ^20.19.0 || >=22.12.0}
@@ -1515,6 +1633,9 @@ packages:
     resolution: {integrity: sha512-e2zZ96wSChazBsbENf/Pcm/4swHt2cEKQ92rhUjkL9GCKiTDJIaTBenjE/m9DXi0QBmTMDkFDdOomUy20A1tDQ==}
     engines: {node: '>=20'}
 
+  tiny-inflate@1.0.3:
+    resolution: {integrity: sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw==}
+
   tinybench@2.9.0:
     resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
 
@@ -1565,6 +1686,12 @@ packages:
   undici-types@7.16.0:
     resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==}
 
+  unicode-properties@1.4.1:
+    resolution: {integrity: sha512-CLjCCLQ6UuMxWnbIylkisbRj31qxHPAurvena/0iwSVbQ2G1VY5/HjV0IRabOEbDHlzZlRdCrD4NhB0JtU40Pg==}
+
+  unicode-trie@2.0.0:
+    resolution: {integrity: sha512-x7bc76x0bm4prf1VLg79uhAzKw8DVboClSN5VxJuQ+LKDOVEW9CdH+VY7SP+vX7xCYQqzzgQpFqz15zeLvAtZQ==}
+
   update-browserslist-db@1.2.3:
     resolution: {integrity: sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==}
     hasBin: true
@@ -1889,6 +2016,31 @@ snapshots:
 
   '@csstools/css-tokenizer@3.0.4': {}
 
+  '@dnd-kit/accessibility@3.1.1(react@18.3.1)':
+    dependencies:
+      react: 18.3.1
+      tslib: 2.8.1
+
+  '@dnd-kit/core@6.3.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
+    dependencies:
+      '@dnd-kit/accessibility': 3.1.1(react@18.3.1)
+      '@dnd-kit/utilities': 3.2.2(react@18.3.1)
+      react: 18.3.1
+      react-dom: 18.3.1(react@18.3.1)
+      tslib: 2.8.1
+
+  '@dnd-kit/sortable@10.0.0(@dnd-kit/core@6.3.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(react@18.3.1)':
+    dependencies:
+      '@dnd-kit/core': 6.3.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@dnd-kit/utilities': 3.2.2(react@18.3.1)
+      react: 18.3.1
+      tslib: 2.8.1
+
+  '@dnd-kit/utilities@3.2.2(react@18.3.1)':
+    dependencies:
+      react: 18.3.1
+      tslib: 2.8.1
+
   '@emnapi/core@1.10.0':
     dependencies:
       '@emnapi/wasi-threads': 1.2.1
@@ -2087,6 +2239,10 @@ snapshots:
       '@tybys/wasm-util': 0.10.2
     optional: true
 
+  '@noble/ciphers@1.3.0': {}
+
+  '@noble/hashes@1.8.0': {}
+
   '@oxc-project/types@0.132.0': {}
 
   '@pinojs/redact@0.4.0': {}
@@ -2232,6 +2388,10 @@ snapshots:
 
   '@stripe/stripe-js@4.10.0': {}
 
+  '@swc/helpers@0.5.21':
+    dependencies:
+      tslib: 2.8.1
+
   '@testing-library/dom@10.4.1':
     dependencies:
       '@babel/code-frame': 7.29.0
@@ -2294,6 +2454,8 @@ snapshots:
     dependencies:
       '@babel/types': 7.29.0
 
+  '@types/canvas-confetti@1.9.0': {}
+
   '@types/chai@5.2.3':
     dependencies:
       '@types/deep-eql': 4.0.2
@@ -2309,6 +2471,10 @@ snapshots:
     dependencies:
       undici-types: 7.16.0
 
+  '@types/pdfkit@0.17.6':
+    dependencies:
+      '@types/node': 24.12.4
+
   '@types/prop-types@15.7.15': {}
 
   '@types/react-dom@18.3.7(@types/react@18.3.29)':
@@ -2403,8 +2569,20 @@ snapshots:
 
   atomic-sleep@1.0.0: {}
 
+  base64-js@0.0.8: {}
+
+  base64-js@1.5.1: {}
+
   baseline-browser-mapping@2.10.32: {}
 
+  brotli@1.3.3:
+    dependencies:
+      base64-js: 1.5.1
+
+  browserify-zlib@0.2.0:
+    dependencies:
+      pako: 1.0.11
+
   browserslist@4.28.2:
     dependencies:
       baseline-browser-mapping: 2.10.32
@@ -2425,8 +2603,12 @@ snapshots:
 
   caniuse-lite@1.0.30001793: {}
 
+  canvas-confetti@1.9.4: {}
+
   chai@6.2.2: {}
 
+  clone@2.1.2: {}
+
   combined-stream@1.0.8:
     dependencies:
       delayed-stream: 1.0.0
@@ -2459,6 +2641,8 @@ snapshots:
 
   detect-libc@2.1.2: {}
 
+  dfa@1.2.0: {}
+
   dom-accessibility-api@0.5.16: {}
 
   dom-accessibility-api@0.6.3: {}
@@ -2553,10 +2737,24 @@ snapshots:
 
   expect-type@1.3.0: {}
 
+  fast-deep-equal@3.1.3: {}
+
   fdir@6.5.0(picomatch@4.0.4):
     optionalDependencies:
       picomatch: 4.0.4
 
+  fontkit@2.0.4:
+    dependencies:
+      '@swc/helpers': 0.5.21
+      brotli: 1.3.3
+      clone: 2.1.2
+      dfa: 1.2.0
+      fast-deep-equal: 3.1.3
+      restructure: 3.0.2
+      tiny-inflate: 1.0.3
+      unicode-properties: 1.4.1
+      unicode-trie: 2.0.0
+
   form-data@4.0.5:
     dependencies:
       asynckit: 0.4.0
@@ -2630,6 +2828,8 @@ snapshots:
 
   is-potential-custom-element-name@1.0.1: {}
 
+  js-md5@0.8.3: {}
+
   js-tokens@4.0.0: {}
 
   jsdom@25.0.1:
@@ -2713,6 +2913,11 @@ snapshots:
       lightningcss-win32-arm64-msvc: 1.32.0
       lightningcss-win32-x64-msvc: 1.32.0
 
+  linebreak@1.1.0:
+    dependencies:
+      base64-js: 0.0.8
+      unicode-trie: 2.0.0
+
   loose-envify@1.4.0:
     dependencies:
       js-tokens: 4.0.0
@@ -2723,6 +2928,10 @@ snapshots:
     dependencies:
       yallist: 3.1.1
 
+  lucide-react@1.16.0(react@18.3.1):
+    dependencies:
+      react: 18.3.1
+
   lz-string@1.5.0: {}
 
   magic-string@0.30.21:
@@ -2755,12 +2964,25 @@ snapshots:
 
   on-exit-leak-free@2.1.2: {}
 
+  pako@0.2.9: {}
+
+  pako@1.0.11: {}
+
   parse5@7.3.0:
     dependencies:
       entities: 6.0.1
 
   pathe@2.0.3: {}
 
+  pdfkit@0.18.0:
+    dependencies:
+      '@noble/ciphers': 1.3.0
+      '@noble/hashes': 1.8.0
+      fontkit: 2.0.4
+      js-md5: 0.8.3
+      linebreak: 1.1.0
+      png-js: 1.1.0
+
   picocolors@1.1.1: {}
 
   picomatch@4.0.4: {}
@@ -2785,6 +3007,10 @@ snapshots:
       sonic-boom: 4.2.1
       thread-stream: 4.2.0
 
+  png-js@1.1.0:
+    dependencies:
+      browserify-zlib: 0.2.0
+
   postcss@8.5.15:
     dependencies:
       nanoid: 3.3.12
@@ -2842,6 +3068,8 @@ snapshots:
       indent-string: 4.0.0
       strip-indent: 3.0.0
 
+  restructure@3.0.2: {}
+
   rolldown@1.0.2:
     dependencies:
       '@oxc-project/types': 0.132.0
@@ -2969,6 +3197,8 @@ snapshots:
     dependencies:
       real-require: 1.0.0
 
+  tiny-inflate@1.0.3: {}
+
   tinybench@2.9.0: {}
 
   tinyexec@1.2.1: {}
@@ -2994,8 +3224,7 @@ snapshots:
     dependencies:
       punycode: 2.3.1
 
-  tslib@2.8.1:
-    optional: true
+  tslib@2.8.1: {}
 
   tsx@4.22.3:
     dependencies:
@@ -3009,6 +3238,16 @@ snapshots:
 
   undici-types@7.16.0: {}
 
+  unicode-properties@1.4.1:
+    dependencies:
+      base64-js: 1.5.1
+      unicode-trie: 2.0.0
+
+  unicode-trie@2.0.0:
+    dependencies:
+      pako: 0.2.9
+      tiny-inflate: 1.0.3
+
   update-browserslist-db@1.2.3(browserslist@4.28.2):
     dependencies:
       browserslist: 4.28.2
diff --git a/public/app/app.css b/public/app/app.css
deleted file mode 100644
index edb7edb..0000000
--- a/public/app/app.css
+++ /dev/null
@@ -1,484 +0,0 @@
-/* =============================================================
-   UNSYPHN APP · stylesheet
-   Aurora pattern — solid surfaces, role-tinted radial glows
-   ============================================================= */
-
-@import url("https://fonts.googleapis.com/css2?family=Source+Serif+4:ital,opsz,wght@0,8..60,400;0,8..60,500;0,8..60,700;0,8..60,800;1,8..60,400&display=swap");
-
-:root { --serif: "Source Serif 4", ui-serif, Georgia, serif; }
-
-*, *::before, *::after { box-sizing: border-box; }
-html, body { margin: 0; padding: 0; font-family: var(--font-text); color: var(--text); }
-
-::selection { background: var(--bondi); color: var(--bg); }
-button { font-family: inherit; }
-
-/* ── Aurora sky on the app body ────────────────────────── */
-.app-shell {
-  width: 1440px;
-  height: 900px;
-  position: relative;
-  overflow: hidden;
-  background:
-    radial-gradient(ellipse 800px 500px at 80% -5%,  rgba(91,160,240,0.20) 0%, transparent 55%),
-    radial-gradient(ellipse 700px 450px at 10% 15%,  rgba(43,202,232,0.12) 0%, transparent 55%),
-    radial-gradient(ellipse 600px 450px at 95% 50%,  rgba(160,151,216,0.18) 0%, transparent 55%),
-    radial-gradient(ellipse 700px 400px at 5% 70%,   rgba(244,102,136,0.10) 0%, transparent 55%),
-    radial-gradient(ellipse 800px 500px at 70% 95%,  rgba(181,220,85,0.10) 0%, transparent 55%),
-    var(--bg);
-  color: var(--text);
-  font-size: 14px;
-  line-height: 1.55;
-  -webkit-font-smoothing: antialiased;
-  display: grid;
-  grid-template-columns: 220px 1fr;
-}
-
-/* ── Sidebar ───────────────────────────────────────────── */
-.sidebar {
-  padding: 22px 12px;
-  border-right: 1px solid var(--border);
-  background: var(--bg);
-  display: flex; flex-direction: column; gap: 6px;
-  height: 900px; overflow: hidden;
-}
-.brand-row {
-  display: flex; align-items: center; padding: 6px 10px;
-  margin-bottom: 18px;
-}
-.nav-section-label {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.12em;
-  text-transform: uppercase; color: var(--muted);
-  padding: 12px 10px 6px;
-}
-.nav-item {
-  display: flex; align-items: center; justify-content: space-between;
-  padding: 7px 10px;
-  border-radius: var(--radius-md);
-  color: var(--text-2);
-  font-size: 13px;
-  font-weight: 500;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  user-select: none;
-}
-.nav-item:hover { background: var(--surface); color: var(--text); }
-.nav-item.is-active {
-  background: var(--surface);
-  color: var(--text-strong);
-  border: 1px solid var(--border);
-}
-.nav-item .count {
-  font-family: var(--font-mono); font-size: 11px;
-  color: var(--muted);
-  background: var(--surface-2);
-  padding: 1px 6px;
-  border-radius: var(--radius-sm);
-}
-.nav-item.is-active .count { color: var(--text); }
-.nav-item.alert .count { background: var(--strawberry-soft); color: var(--strawberry); }
-.nav-spacer { flex: 1; }
-.nav-org {
-  padding: 10px 10px;
-  border-top: 1px solid var(--border);
-  margin-top: 6px;
-}
-.org-name { font-size: 12.5px; font-weight: 500; color: var(--text); }
-.org-meta { font-family: var(--font-mono); font-size: 10px; color: var(--muted); letter-spacing: 0.06em; margin-top: 2px; }
-
-/* ── Main ─────────────────────────────────────────────── */
-.main {
-  padding: 28px 36px;
-  min-width: 0;
-  overflow-y: auto;
-  height: 900px;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border-strong) transparent;
-}
-.main::-webkit-scrollbar { width: 8px; }
-.main::-webkit-scrollbar-thumb { background: var(--border); border-radius: 4px; }
-.main::-webkit-scrollbar-track { background: transparent; }
-
-/* ── Topbar (app-wide) ────────────────────────────────── */
-.topbar {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 24px;
-}
-.topbar-left h1 {
-  font-family: var(--font-display);
-  font-size: 28px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.025em;
-  margin: 0 0 4px;
-  line-height: 1.1;
-  font-variation-settings: "opsz" 48;
-}
-.topbar-left .when {
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.topbar-right { display: flex; gap: 10px; align-items: center; }
-.scan-pill {
-  display: inline-flex; align-items: center; gap: 7px;
-  padding: 5px 11px;
-  border-radius: var(--radius-full);
-  background: var(--surface);
-  border: 1px solid var(--border);
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--text-2);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.scan-pill .dot {
-  width: 6px; height: 6px; border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 0 3px rgba(43,202,232,0.18), 0 0 10px var(--bondi);
-}
-.scan-pill.alert {
-  background: var(--strawberry-soft);
-  color: var(--strawberry);
-  border-color: rgba(244,102,136,0.30);
-}
-.user-avatar {
-  width: 30px; height: 30px;
-  border-radius: 50%;
-  background: linear-gradient(135deg, var(--grape), var(--strawberry));
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600; color: white;
-  box-shadow: 0 0 0 1px var(--border), 0 0 14px rgba(160,151,216,0.20);
-}
-
-/* Live-dot pulse (used everywhere) */
-.live-dot.pulse { animation: pulse 1.6s ease-in-out infinite; }
-@keyframes pulse {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.50; }
-}
-@keyframes blink {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.35; }
-}
-
-/* ── Live scan ticker ─────────────────────────────────── */
-.scan-strip {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 11px 0;
-  overflow: hidden;
-  position: relative;
-  box-shadow: 0 8px 32px rgba(0,0,0,0.20);
-  margin-bottom: 20px;
-}
-.scan-strip::before, .scan-strip::after {
-  content: ""; position: absolute; top: 0; bottom: 0; width: 80px; z-index: 2; pointer-events: none;
-}
-.scan-strip::before { left: 0;  background: linear-gradient(90deg, var(--surface) 0%, transparent 100%); }
-.scan-strip::after  { right: 0; background: linear-gradient(-90deg, var(--surface) 0%, transparent 100%); }
-.scan-strip-label {
-  position: absolute;
-  top: 50%; left: 14px;
-  transform: translateY(-50%);
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--bondi);
-  background: var(--bondi-soft);
-  padding: 4px 9px;
-  border-radius: var(--radius-sm);
-  border: 1px solid rgba(43,202,232,0.18);
-  z-index: 3;
-  display: flex; align-items: center; gap: 6px;
-}
-.scan-strip-label .dot {
-  width: 5px; height: 5px; border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 8px var(--bondi);
-}
-.scan-track {
-  display: inline-flex;
-  white-space: nowrap;
-  animation: tick 50s linear infinite;
-  padding-left: 200px;
-}
-@keyframes tick {
-  from { transform: translateX(0); }
-  to   { transform: translateX(-50%); }
-}
-.scan-item {
-  display: inline-flex; align-items: center; gap: 10px;
-  padding: 0 22px;
-  font-family: var(--font-mono);
-  font-size: 11.5px;
-  border-right: 1px solid var(--hairline);
-  color: var(--text-2);
-  letter-spacing: 0.04em;
-}
-.scan-item .vendor { color: var(--text); font-weight: 500; }
-.scan-item .target { color: var(--muted); }
-.scan-item .when { color: var(--bondi); font-size: 10px; }
-
-/* ── Fleet stats grid ─────────────────────────────────── */
-.fleet {
-  display: grid;
-  grid-template-columns: repeat(6, 1fr);
-  gap: 12px;
-  margin-bottom: 28px;
-}
-.stat {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-  transition: transform var(--dur-base) var(--ease-spring), border-color var(--dur-base) var(--ease);
-  cursor: pointer;
-}
-.stat:hover { transform: translateY(-2px); border-color: var(--border-strong); }
-.stat::before {
-  content: ""; position: absolute;
-  top: -50%; right: -20%; width: 80%; height: 100%;
-  background: radial-gradient(circle, var(--stat-glow) 0%, transparent 60%);
-  opacity: 0.45; pointer-events: none;
-}
-.stat-head { display: flex; justify-content: space-between; align-items: center; margin-bottom: 8px; position: relative; }
-.stat-label {
-  font-family: var(--font-mono); font-size: 10px;
-  letter-spacing: 0.10em; text-transform: uppercase;
-  color: var(--muted);
-}
-.stat-dot {
-  width: 7px; height: 7px; border-radius: 50%;
-  box-shadow: 0 0 12px var(--stat-shadow), 0 0 0 3px var(--stat-glow);
-}
-.stat-val {
-  font-family: var(--font-display);
-  font-size: 28px;
-  font-weight: 500;
-  letter-spacing: -0.025em;
-  color: var(--text-strong);
-  line-height: 1;
-  margin-bottom: 4px;
-  font-feature-settings: "tnum" 1;
-  position: relative;
-}
-.stat-sub {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  color: var(--stat-color);
-  letter-spacing: 0.04em;
-  position: relative;
-}
-.stat.aqua       { --stat-glow: var(--aqua-glow);       --stat-shadow: var(--aqua);       --stat-color: var(--aqua); }       .stat.aqua       .stat-dot { background: var(--aqua); }
-.stat.bondi      { --stat-glow: var(--bondi-glow);      --stat-shadow: var(--bondi);      --stat-color: var(--bondi); }      .stat.bondi      .stat-dot { background: var(--bondi); }
-.stat.tangerine  { --stat-glow: var(--tangerine-glow);  --stat-shadow: var(--tangerine);  --stat-color: var(--tangerine); }  .stat.tangerine  .stat-dot { background: var(--tangerine); }
-.stat.grape      { --stat-glow: var(--grape-glow);      --stat-shadow: var(--grape);      --stat-color: var(--grape); }      .stat.grape      .stat-dot { background: var(--grape); }
-.stat.strawberry { --stat-glow: var(--strawberry-glow); --stat-shadow: var(--strawberry); --stat-color: var(--strawberry); } .stat.strawberry .stat-dot { background: var(--strawberry); }
-.stat.lime       { --stat-glow: var(--lime-glow);       --stat-shadow: var(--lime);       --stat-color: var(--lime); }       .stat.lime       .stat-dot { background: var(--lime); }
-
-/* ── Section heads ────────────────────────────────────── */
-.sec-head {
-  display: flex; justify-content: space-between; align-items: baseline;
-  margin: 0 0 14px;
-}
-.sec-title {
-  font-family: var(--font-display);
-  font-size: 19px;
-  font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.018em;
-  margin: 0;
-}
-.sec-title em {
-  font-family: var(--serif);
-  font-style: italic;
-  font-weight: 400;
-  color: var(--text);
-}
-.sec-action {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  color: var(--bondi);
-  cursor: pointer;
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-
-/* ── Two-column grid: vendors + activity ───────────────── */
-.portfolio-grid {
-  display: grid;
-  grid-template-columns: 1fr 340px;
-  gap: 22px;
-}
-
-/* ── Vendor cards ─────────────────────────────────────── */
-.vendors {
-  display: grid;
-  grid-template-columns: repeat(2, 1fr);
-  gap: 12px;
-}
-.vendor {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-  cursor: pointer;
-  transition: transform var(--dur-base) var(--ease-spring), border-color var(--dur-base) var(--ease);
-}
-.vendor:hover { transform: translateY(-2px); border-color: var(--border-strong); }
-.vendor::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 60%; height: 60%;
-  background: radial-gradient(circle at top right, var(--vendor-glow) 0%, transparent 70%);
-  opacity: 0.50; pointer-events: none;
-}
-.vendor.p1 { --vendor-glow: var(--strawberry-glow); }
-.vendor.p2 { --vendor-glow: var(--tangerine-glow); }
-.vendor.routed  { --vendor-glow: var(--bondi-glow); }
-.vendor.healthy { --vendor-glow: var(--lime-glow); }
-.vendor-head {
-  display: flex; align-items: flex-start; justify-content: space-between;
-  margin-bottom: 10px;
-  position: relative;
-}
-.vendor-id { display: flex; align-items: center; gap: 11px; }
-.vendor-logo {
-  width: 36px; height: 36px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-display);
-  font-size: 14px; font-weight: 600; color: var(--text);
-  flex-shrink: 0;
-}
-.vendor-name {
-  font-family: var(--font-display);
-  font-size: 15.5px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.015em;
-  line-height: 1.2;
-}
-.vendor-meta {
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.06em;
-  margin-top: 2px;
-}
-.sev {
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 3px 8px;
-  border-radius: var(--radius-sm);
-  border: 1px solid transparent;
-}
-.sev.p1 { color: var(--strawberry); background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); box-shadow: 0 0 16px rgba(244,102,136,0.15); }
-.sev.p2 { color: var(--tangerine);  background: var(--tangerine-soft);  border-color: rgba(255,149,64,0.20);  box-shadow: 0 0 16px rgba(255,149,64,0.12); }
-.sev.healthy { color: var(--lime); background: var(--lime-soft); border-color: rgba(181,220,85,0.20); }
-.sev.routed { color: var(--bondi); background: var(--bondi-soft); border-color: rgba(43,202,232,0.20); box-shadow: 0 0 16px rgba(43,202,232,0.18); }
-
-.vendor-row {
-  display: flex; justify-content: space-between; align-items: center;
-  font-size: 12px;
-  padding: 5px 0;
-  border-top: 1px solid var(--hairline);
-  position: relative;
-}
-.vendor-row .lbl { font-family: var(--font-mono); font-size: 10px; letter-spacing: 0.08em; text-transform: uppercase; color: var(--muted); }
-.vendor-row .val { font-family: var(--font-mono); color: var(--text); font-feature-settings: "tnum" 1; }
-.vendor-row .val.warn { color: var(--tangerine); }
-.vendor-row .val.crit { color: var(--strawberry); }
-.vendor-row .val.live { color: var(--bondi); }
-.vendor-tags {
-  display: flex; gap: 4px; margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid var(--hairline);
-  position: relative;
-  flex-wrap: wrap; align-items: center;
-}
-.chip {
-  display: inline-flex; align-items: center; gap: 4px;
-  padding: 2px 8px;
-  border-radius: var(--radius-sm);
-  font-family: var(--font-mono);
-  font-size: 9.5px; letter-spacing: 0.08em; font-weight: 500;
-  text-transform: uppercase;
-}
-.chip.pii        { background: var(--grape-soft);      color: var(--grape); }
-.chip.phi        { background: var(--strawberry-soft); color: var(--strawberry); }
-.chip.payments   { background: var(--aqua-soft);       color: var(--aqua); }
-.chip.source     { background: var(--tangerine-soft);  color: var(--tangerine); }
-.owner-av {
-  width: 20px; height: 20px; border-radius: 50%;
-  display: inline-flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono); font-size: 9px; font-weight: 600; color: white;
-  margin-left: auto;
-}
-.owner-av.a { background: linear-gradient(135deg, var(--aqua), var(--bondi)); }
-.owner-av.b { background: linear-gradient(135deg, var(--grape), var(--strawberry)); }
-.owner-av.c { background: linear-gradient(135deg, var(--tangerine), var(--strawberry)); }
-.owner-av.d { background: linear-gradient(135deg, var(--lime), var(--bondi)); }
-
-/* ── Activity feed ────────────────────────────────────── */
-.activity {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  overflow: hidden;
-  align-self: start;
-}
-.activity-head {
-  padding: 14px 16px;
-  border-bottom: 1px solid var(--border);
-  display: flex; justify-content: space-between; align-items: center;
-}
-.activity-head .title {
-  font-family: var(--font-display);
-  font-size: 14px; font-weight: 600;
-  color: var(--text-strong); letter-spacing: -0.01em;
-}
-.activity-head .filter {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.activity-item {
-  padding: 12px 16px;
-  border-bottom: 1px solid var(--hairline);
-  cursor: pointer;
-  transition: background var(--dur-fast) var(--ease);
-}
-.activity-item:hover { background: var(--surface-2); }
-.activity-item:last-child { border-bottom: 0; }
-.activity-row { display: flex; align-items: center; gap: 8px; margin-bottom: 4px; }
-.activity-sev {
-  font-family: var(--font-mono);
-  font-size: 9px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 2px 6px;
-  border-radius: 3px;
-  flex-shrink: 0;
-}
-.activity-sev.p1 { color: var(--strawberry); background: var(--strawberry-soft); }
-.activity-sev.p2 { color: var(--tangerine);  background: var(--tangerine-soft); }
-.activity-sev.p3 { color: var(--lime);       background: var(--lime-soft); }
-.activity-sev.routed { color: var(--bondi);  background: var(--bondi-soft); }
-.activity-vendor { font-size: 12.5px; font-weight: 500; color: var(--text-strong); }
-.activity-when { font-family: var(--font-mono); font-size: 10px; color: var(--muted); margin-left: auto; }
-.activity-title { font-size: 12px; color: var(--text-2); line-height: 1.4; margin-bottom: 4px; }
-.activity-meta {
-  display: flex; gap: 8px; align-items: center;
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.04em;
-}
-.activity-meta .impact.in { color: var(--strawberry); }
-.activity-meta .impact.out { color: var(--lime); }
diff --git a/public/app/app.jsx b/public/app/app.jsx
deleted file mode 100644
index c50fef4..0000000
--- a/public/app/app.jsx
+++ /dev/null
@@ -1,207 +0,0 @@
-// app.jsx — top-level Unsyphn app: state, navigation, screen mounting
-
-function App() {
-  // ── state ────────────────────────────────────────────
-  const [state, setState] = React.useState({
-    screen: "portfolio",     // "portfolio" | "change" | "evidence" | "onboarding"
-    escalateOpen: false,
-    routing: false,          // overlay routing transition
-    notion: "P1",            // "P1" | "ROUTED"
-    routeTime: null,
-    evidenceCount: 432,
-    activeVendor: "notion",  // which vendor the change/evidence screens render
-    onboardingTier: "24h",
-    onboardedToast: null,    // { name, tierLabel } | null
-  });
-
-  // ── dispatcher ───────────────────────────────────────
-  function dispatch(action) {
-    switch (action.type) {
-      case "goto":
-        setState((s) => ({ ...s, screen: action.screen }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-vendor":
-        setState((s) => ({ ...s, activeVendor: action.vendor, screen: "change" }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-vendor-bundle":
-        setState((s) => ({ ...s, activeVendor: action.vendor, screen: "evidence" }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "open-escalate":
-        setState((s) => ({ ...s, escalateOpen: true }));
-        return;
-      case "close-escalate":
-        setState((s) => ({ ...s, escalateOpen: false }));
-        return;
-      case "confirm-escalate":
-        setState((s) => ({ ...s, escalateOpen: false, routing: true }));
-        return;
-      case "finish-routing":
-        setState((s) => ({
-          ...s,
-          routing: false,
-          notion: "ROUTED",
-          routeTime: "14:59:18 EST",
-          evidenceCount: 433,
-          screen: "evidence",
-          activeVendor: "notion",
-        }));
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "reset-flow":
-        setState({
-          screen: "portfolio",
-          escalateOpen: false,
-          routing: false,
-          notion: "P1",
-          routeTime: null,
-          evidenceCount: 432,
-          activeVendor: "notion",
-          onboardingTier: "24h",
-          onboardedToast: null,
-        });
-        return;
-      case "vendor-onboarded":
-        setState((s) => ({
-          ...s,
-          screen: "portfolio",
-          onboardingTier: action.tier,
-          onboardedToast: {
-            name: action.name,
-            tierLabel: action.tierLabel,
-            vendorId: action.vendorId,
-            firstScanRunId: action.firstScanRunId,
-          },
-        }));
-        setTimeout(() => setState((s) => ({ ...s, onboardedToast: null })), 5500);
-        setTimeout(() => {
-          const m = document.querySelector(".app-shell .main");
-          if (m) m.scrollTo(0, 0);
-        }, 0);
-        return;
-      case "acknowledge":
-        // state.notion is constrained to "P1" | "ROUTED" — don't widen it here.
-        // Acknowledge is a demo no-op until the lifecycle state machine is wired.
-        window.alert("Acknowledged. Lifecycle hand-off coming soon.");
-        return;
-      case "snooze":
-        window.alert("Snoozed for 48h. Lifecycle hand-off coming soon.");
-        return;
-      case "open-copilot":
-        window.alert("Copilot coming soon");
-        return;
-      case "export-diff": {
-        const DATA = window.VENDOR_DATA || {};
-        const vendor = DATA[state.activeVendor] || {};
-        const body = JSON.stringify({ vendor: state.activeVendor, diffs: (vendor.cr || {}).diffs || [] }, null, 2);
-        const url = URL.createObjectURL(new Blob([body], { type: "application/json" }));
-        const a = document.createElement("a");
-        a.href = url;
-        a.download = (state.activeVendor || "vendor") + "-diff.json";
-        document.body.appendChild(a);
-        a.click();
-        document.body.removeChild(a);
-        setTimeout(() => URL.revokeObjectURL(url), 1000);
-        return;
-      }
-      case "assign":
-        window.alert("Owner assignment coming soon");
-        return;
-      case "download-bundle":
-        window.print();
-        return;
-      case "share-audit":
-        if (navigator.clipboard && navigator.clipboard.writeText) {
-          navigator.clipboard.writeText(location.href).then(
-            function () { window.alert("Audit link copied"); },
-            function () { window.prompt("Copy the audit link:", location.href); }
-          );
-        } else {
-          window.prompt("Copy the audit link:", location.href);
-        }
-        return;
-      default:
-        globalThis["console"].warn("unknown action", action);
-    }
-  }
-
-  // ── browser tabs ─────────────────────────────────────
-  const activeRec = (window.VENDOR_DATA || {})[state.activeVendor] || {};
-  const vendorSlug = (activeRec.name || "vendor").toLowerCase();
-  const bundleSlug = ((activeRec.cr && activeRec.cr.bundleId) || "").replace("·", "-");
-  const url = state.screen === "portfolio"
-    ? "app.unsyphn.com/portfolio"
-    : state.screen === "change"
-    ? `app.unsyphn.com/${vendorSlug}/${bundleSlug || "cr"}`
-    : state.screen === "onboarding"
-    ? "app.unsyphn.com/onboard"
-    : `app.unsyphn.com/bundle/${bundleSlug || "cr"}`;
-
-  const secondTabTitle = state.screen === "portfolio"
-    ? "Notion · ToS"
-    : state.screen === "onboarding"
-    ? "Onboard Vendor"
-    : `${activeRec.name || "Vendor"} · ${state.screen === "evidence" ? "Bundle" : "Change"}`;
-
-  const tabs = [
-    { title: "Unsyphn · Portfolio" },
-    { title: secondTabTitle },
-    { title: "DPA · Acme ⟷ Notion" },
-  ];
-
-  return (
-    <div style={{ width: 1440, height: 900, position: "relative" }}>
-      <ChromeWindow tabs={tabs} activeIndex={0} url={url} width={1440} height={900}>
-        <div className="app-shell">
-          <Sidebar
-            active={state.screen === "evidence" ? "evidence" : state.screen === "change" ? "changes" : "portfolio"}
-            dispatch={dispatch}
-            state={state}
-          />
-          {state.screen === "portfolio"   && <ScreenPortfolio state={state} dispatch={dispatch} />}
-          {state.screen === "change"      && <ScreenChange state={state} dispatch={dispatch} />}
-          {state.screen === "evidence"    && <ScreenEvidence state={state} dispatch={dispatch} />}
-          {state.screen === "onboarding"  && <ScreenOnboarding state={state} dispatch={dispatch} />}
-
-          {state.escalateOpen && <EscalateModal state={state} dispatch={dispatch} />}
-          {state.routing      && <RoutingTransition dispatch={dispatch} vendorKey={state.activeVendor} />}
-        </div>
-      </ChromeWindow>
-
-      {/* Reset flow pill — anchor outside the chrome */}
-      <button
-        onClick={() => dispatch({ type: "reset-flow" })}
-        title="Reset the demo to step 1"
-        style={{
-          position: "absolute", right: -14, top: 60,
-          transform: "rotate(90deg)", transformOrigin: "right top",
-          background: "var(--surface)", color: "var(--text-2)",
-          border: "1px solid var(--border)",
-          borderRadius: "999px 999px 0 0",
-          padding: "5px 14px",
-          fontFamily: "var(--font-mono)", fontSize: 10,
-          letterSpacing: "0.18em", textTransform: "uppercase",
-          cursor: "pointer", zIndex: 50,
-        }}
-      >
-        ↻ Reset demo
-      </button>
-    </div>
-  );
-}
-
-ReactDOM.createRoot(document.getElementById("root")).render(<App />);
diff --git a/public/app/app2.css b/public/app/app2.css
deleted file mode 100644
index 6363ea0..0000000
--- a/public/app/app2.css
+++ /dev/null
@@ -1,1443 +0,0 @@
-/* =============================================================
-   UNSYPHN APP · screen2.css
-   ChangeReport · Escalate modal · Routing · Evidence bundle
-   ============================================================= */
-
-/* ── ChangeReport screen ──────────────────────────────── */
-.cr-shell { max-width: 1180px; margin: 0 auto; }
-
-.crumbs-bar {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 16px;
-  padding: 8px 14px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-}
-.crumbs {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 11px; letter-spacing: 0.12em;
-  text-transform: uppercase;
-  color: var(--muted);
-}
-.crumbs .seg { color: var(--text-2); cursor: pointer; }
-.crumbs .seg:hover { color: var(--text); }
-.crumbs .sep { color: var(--muted); opacity: 0.6; }
-.crumbs .current { color: var(--text-strong); }
-.crumbs-bar .icon-btn-row { display: flex; gap: 6px; }
-.icon-btn {
-  width: 28px; height: 28px;
-  border-radius: 50%;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  cursor: pointer;
-  display: inline-flex; align-items: center; justify-content: center;
-  font-size: 13px;
-  transition: all var(--dur-fast) var(--ease);
-}
-.icon-btn:hover { background: var(--surface-3); color: var(--text); border-color: var(--border-strong); }
-
-/* Vendor strip (header) */
-.vendor-strip {
-  display: flex; align-items: center; gap: 16px;
-  padding: 16px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  margin-bottom: 18px;
-  position: relative;
-  overflow: hidden;
-}
-.vendor-strip::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 40%; height: 100%;
-  background: radial-gradient(ellipse at right, var(--strawberry-glow) 0%, transparent 70%);
-  opacity: 0.30; pointer-events: none;
-}
-.vendor-strip.routed::before {
-  background: radial-gradient(ellipse at right, var(--bondi-glow) 0%, transparent 70%);
-  opacity: 0.30;
-}
-.vendor-logo-lg {
-  width: 56px; height: 56px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600; color: var(--text);
-  flex-shrink: 0;
-}
-.vendor-id-block { position: relative; flex: 1; min-width: 0; }
-.vendor-name-lg {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.02em;
-  margin-bottom: 5px;
-}
-.vendor-meta-row {
-  display: flex; gap: 16px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  flex-wrap: wrap;
-}
-.vendor-meta-row strong { color: var(--text); font-weight: 500; }
-.vendor-renew { text-align: right; position: relative; }
-.vendor-renew .num {
-  font-family: var(--font-display);
-  font-size: 30px; font-weight: 500;
-  color: var(--tangerine);
-  line-height: 1;
-  text-shadow: 0 0 24px var(--tangerine-glow);
-  font-feature-settings: "tnum" 1;
-  letter-spacing: -0.02em;
-}
-.vendor-renew .num small { color: var(--muted); font-size: 14px; font-weight: 400; }
-.vendor-renew .lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-top: 4px;
-}
-
-/* CR layout */
-.cr-layout {
-  display: grid;
-  grid-template-columns: 1fr 320px;
-  gap: 18px;
-  padding-bottom: 76px;
-}
-
-.report {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  padding: 28px 30px 26px;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-  position: relative;
-  overflow: hidden;
-}
-.report::before {
-  content: ""; position: absolute;
-  top: -50%; left: -30%; width: 80%; height: 200%;
-  background: radial-gradient(ellipse, rgba(244,102,136,0.12) 0%, transparent 60%);
-  pointer-events: none;
-}
-.report > * { position: relative; }
-
-.report-head { display: flex; gap: 8px; margin-bottom: 14px; align-items: center; }
-.sev-badge {
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  letter-spacing: 0.14em;
-  padding: 5px 10px;
-  border-radius: var(--radius-sm);
-  border: 1px solid;
-}
-.sev-badge.p1 {
-  color: var(--strawberry); background: var(--strawberry-soft);
-  border-color: rgba(244,102,136,0.30);
-  box-shadow: 0 0 24px rgba(244,102,136,0.20);
-}
-.sev-badge.routed {
-  color: var(--bondi); background: var(--bondi-soft);
-  border-color: rgba(43,202,232,0.30);
-  box-shadow: 0 0 24px rgba(43,202,232,0.20);
-}
-.cat-chip {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.10em;
-  text-transform: uppercase;
-  padding: 5px 9px;
-  border-radius: var(--radius-sm);
-  background: var(--surface-2); color: var(--text-2);
-  border: 1px solid var(--border);
-}
-.cat-chip.data    { color: var(--grape);     background: var(--grape-soft);     border-color: rgba(160,151,216,0.20); }
-.cat-chip.pricing { color: var(--tangerine); background: var(--tangerine-soft); border-color: rgba(255,149,64,0.20); }
-
-.report-title {
-  font-family: var(--font-display);
-  font-size: 30px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.028em;
-  line-height: 1.15;
-  margin: 14px 0;
-  max-width: 28ch;
-  font-variation-settings: "opsz" 32;
-}
-.report-title em {
-  font-family: var(--serif);
-  font-style: italic; font-weight: 400;
-  color: var(--strawberry);
-}
-.report-title.routed em { color: var(--bondi); }
-.report-detected {
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  margin-bottom: 22px;
-}
-.report-detected strong { color: var(--text); font-weight: 500; }
-
-/* Impact strip */
-.impact-strip {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 10px;
-  margin-bottom: 22px;
-}
-.impact-cell {
-  padding: 12px 14px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-}
-.impact-cell .lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-bottom: 5px;
-}
-.impact-cell .val {
-  font-family: var(--font-mono);
-  font-size: 19px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.015em;
-  line-height: 1;
-  font-feature-settings: "tnum" 1;
-}
-.impact-cell.dollar .val { color: var(--strawberry); text-shadow: 0 0 16px var(--strawberry-glow); }
-.impact-cell.delta  .val { color: var(--tangerine);  text-shadow: 0 0 16px var(--tangerine-glow); }
-.impact-cell.compl  .val { color: var(--grape);      text-shadow: 0 0 16px var(--grape-glow); font-size: 15px; }
-
-/* Diff blocks */
-.diff-block { margin-bottom: 16px; }
-.diff-label {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  margin-bottom: 10px;
-}
-.diff-pair {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 10px;
-}
-.clause {
-  padding: 14px;
-  border-radius: var(--radius-md);
-  border: 1px solid;
-  position: relative;
-}
-.clause-head {
-  display: flex; justify-content: space-between; align-items: center;
-  margin-bottom: 8px;
-}
-.clause-lbl {
-  font-family: var(--font-mono);
-  font-size: 10px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 3px 8px;
-  border-radius: 3px;
-}
-.clause-when {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-.clause-text {
-  font-family: var(--serif);
-  font-size: 14px; line-height: 1.5;
-  color: var(--text);
-  font-style: italic;
-  margin: 0;
-}
-.clause-text strong {
-  font-style: normal;
-  padding: 1px 5px;
-  border-radius: 3px;
-}
-.clause-source {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid var(--hairline);
-  letter-spacing: 0.06em;
-  word-break: break-all;
-}
-.clause-source a { color: var(--bondi); }
-.clause.before {
-  background: var(--strawberry-soft);
-  border-color: rgba(244,102,136,0.20);
-}
-.clause.before .clause-lbl { color: var(--strawberry); background: rgba(244,102,136,0.15); }
-.clause.before .clause-text strong { background: rgba(244,102,136,0.20); color: var(--strawberry); }
-.clause.after {
-  background: var(--lime-soft);
-  border-color: rgba(181,220,85,0.20);
-}
-.clause.after .clause-lbl { color: var(--lime); background: rgba(181,220,85,0.15); }
-.clause.after .clause-text strong { background: rgba(181,220,85,0.20); color: var(--lime); }
-
-/* Recommendation */
-.recommendation {
-  margin-top: 16px;
-  padding: 14px 16px;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-}
-.reco-head {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--bondi);
-  margin-bottom: 8px;
-}
-.reco-head::before {
-  content: ""; width: 6px; height: 6px; border-radius: 50%;
-  background: var(--bondi); box-shadow: 0 0 12px var(--bondi);
-}
-.reco-text {
-  font-size: 13.5px; color: var(--text); line-height: 1.55;
-  margin: 0;
-}
-.reco-text em {
-  font-family: var(--serif);
-  font-style: italic; color: var(--bondi);
-}
-
-/* Side panels */
-.cr-side { display: flex; flex-direction: column; gap: 12px; }
-.panel {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-  position: relative;
-  overflow: hidden;
-}
-.panel::before {
-  content: ""; position: absolute;
-  top: -50%; right: -20%; width: 70%; height: 100%;
-  background: radial-gradient(circle, var(--panel-glow) 0%, transparent 60%);
-  opacity: 0.40; pointer-events: none;
-}
-.panel.policy   { --panel-glow: var(--strawberry-glow); }
-.panel.routing  { --panel-glow: var(--bondi-glow); }
-.panel.evidence { --panel-glow: var(--grape-glow); }
-.panel > * { position: relative; }
-
-.panel-head {
-  display: flex; align-items: center; gap: 8px;
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--muted);
-  margin-bottom: 12px;
-}
-.panel-head .dot { width: 6px; height: 6px; border-radius: 50%; }
-.panel-head.strawberry .dot { background: var(--strawberry); box-shadow: 0 0 8px var(--strawberry); }   .panel-head.strawberry { color: var(--strawberry); }
-.panel-head.bondi      .dot { background: var(--bondi);      box-shadow: 0 0 8px var(--bondi); }        .panel-head.bondi      { color: var(--bondi); }
-.panel-head.grape      .dot { background: var(--grape);      box-shadow: 0 0 8px var(--grape); }        .panel-head.grape      { color: var(--grape); }
-.panel-head.lime       .dot { background: var(--lime);       box-shadow: 0 0 8px var(--lime); }         .panel-head.lime       { color: var(--lime); }
-
-.policy-name {
-  font-size: 12.5px; font-weight: 500;
-  color: var(--text);
-  margin-bottom: 10px;
-}
-.policy-yaml {
-  background: var(--bg);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-sm);
-  padding: 10px 12px;
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  line-height: 1.55;
-  color: var(--text);
-  overflow-x: auto;
-  margin: 0 0 8px;
-  white-space: pre;
-}
-.y-key { color: var(--bondi); }
-.y-str { color: var(--lime); }
-.y-com { color: var(--muted); font-style: italic; }
-.policy-meta {
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-
-/* Routed actions */
-.action-item {
-  display: flex; align-items: center; gap: 10px;
-  padding: 8px 0;
-  border-bottom: 1px solid var(--hairline);
-  font-size: 12px;
-}
-.action-item:last-child { border-bottom: 0; }
-.action-icon {
-  width: 24px; height: 24px;
-  border-radius: 6px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-size: 9.5px; font-weight: 600;
-  color: var(--text-2);
-  flex-shrink: 0;
-}
-.action-icon.slack { color: var(--strawberry); background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); }
-.action-icon.jira  { color: var(--aqua);       background: var(--aqua-soft);       border-color: rgba(91,160,240,0.20); }
-.action-icon.cal   { color: var(--bondi);      background: var(--bondi-soft);      border-color: rgba(43,202,232,0.20); }
-.action-icon.email { color: var(--grape);      background: var(--grape-soft);      border-color: rgba(160,151,216,0.20); }
-.action-detail { flex: 1; min-width: 0; }
-.action-target { color: var(--text); font-weight: 500; }
-.action-when { font-family: var(--font-mono); font-size: 9.5px; color: var(--muted); margin-top: 1px; letter-spacing: 0.06em; }
-.action-status {
-  font-family: var(--font-mono);
-  font-size: 9px; font-weight: 600;
-  letter-spacing: 0.10em;
-  padding: 2px 6px;
-  border-radius: 3px;
-  color: var(--lime); background: var(--lime-soft);
-}
-.action-status.pending { color: var(--tangerine); background: var(--tangerine-soft); }
-
-/* Evidence preview mini */
-.ev-preview {
-  aspect-ratio: 1 / 1.25;
-  border-radius: var(--radius-md);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  padding: 12px;
-  margin-bottom: 10px;
-  position: relative;
-  overflow: hidden;
-  cursor: pointer;
-}
-.ev-page-lines { height: 5px; background: var(--hairline); border-radius: 3px; margin-bottom: 6px; }
-.ev-page-lines.short { width: 60%; }
-.ev-page-lines.med   { width: 80%; }
-.ev-page-lines.dark  { background: rgba(255,255,255,0.12); height: 7px; margin-bottom: 9px; width: 70%; }
-.ev-snippet {
-  margin-top: 10px;
-  padding: 6px 8px;
-  border-left: 2px solid var(--strawberry);
-  background: var(--strawberry-soft);
-  border-radius: 3px;
-}
-.ev-snippet .line { height: 3px; background: rgba(244,102,136,0.40); border-radius: 2px; margin-bottom: 3px; }
-.ev-snippet .line.short { width: 50%; }
-.citation-row {
-  display: flex; align-items: center; gap: 6px;
-  margin-top: 8px;
-  font-family: var(--font-mono);
-  font-size: 9.5px; color: var(--muted);
-  letter-spacing: 0.06em;
-}
-.cit-dot { width: 5px; height: 5px; border-radius: 50%; background: var(--lime); box-shadow: 0 0 8px var(--lime); }
-
-/* Actions bar */
-.actions-bar {
-  position: absolute;
-  left: 256px; right: 36px; bottom: 24px;
-  padding: 11px 16px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  display: flex; gap: 8px; align-items: center; justify-content: space-between;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-  z-index: 10;
-}
-.actions-row { display: flex; gap: 8px; flex-wrap: wrap; }
-.btn {
-  font-family: var(--font-text);
-  font-size: 12.5px; font-weight: 500;
-  padding: 0 14px;
-  height: 34px;
-  border-radius: var(--radius-full);
-  border: 1px solid transparent;
-  cursor: pointer;
-  display: inline-flex; align-items: center; gap: 6px;
-  transition: all var(--dur-fast) var(--ease-spring);
-  user-select: none;
-  font-feature-settings: "tnum" 1;
-  letter-spacing: 0.02em;
-}
-.btn:active { transform: scale(0.97); }
-.btn-primary {
-  background: var(--lime); color: var(--on-lime);
-  box-shadow: 0 0 24px var(--lime-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-primary:hover { background: #C4E866; }
-.btn-escalate {
-  background: var(--strawberry); color: var(--on-strawberry);
-  box-shadow: 0 0 24px var(--strawberry-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-escalate:hover { background: #F87898; }
-.btn-bondi {
-  background: var(--bondi); color: var(--on-bondi);
-  box-shadow: 0 0 24px var(--bondi-glow), inset 0 1px 0 rgba(255,255,255,0.30);
-}
-.btn-bondi:hover { background: #4DD7F0; }
-.btn-ghost {
-  background: var(--surface-2);
-  color: var(--text);
-  border-color: var(--border-strong);
-}
-.btn-ghost:hover { background: var(--surface-3); }
-
-/* ── Escalate modal ───────────────────────────────────── */
-.modal-scrim {
-  position: absolute; inset: 0;
-  background: rgba(6, 6, 12, 0.78);
-  backdrop-filter: blur(6px);
-  display: flex; align-items: center; justify-content: center;
-  z-index: 100;
-  animation: fade-in 0.20s var(--ease);
-}
-@keyframes fade-in { from { opacity: 0; } to { opacity: 1; } }
-.modal {
-  width: 640px; max-height: 820px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  box-shadow: 0 32px 80px rgba(0,0,0,0.50);
-  display: flex; flex-direction: column;
-  overflow: hidden;
-  animation: slide-up 0.30s var(--ease-spring);
-  position: relative;
-}
-@keyframes slide-up {
-  from { opacity: 0; transform: translateY(20px) scale(0.98); }
-  to   { opacity: 1; transform: translateY(0) scale(1); }
-}
-.modal::before {
-  content: ""; position: absolute;
-  top: 0; left: 0; right: 0; height: 80px;
-  background: radial-gradient(ellipse at top, rgba(244,102,136,0.18) 0%, transparent 70%);
-  pointer-events: none;
-}
-.modal-head {
-  padding: 18px 22px 14px;
-  border-bottom: 1px solid var(--hairline);
-  display: flex; justify-content: space-between; align-items: flex-start;
-  position: relative;
-}
-.modal-head .left .eyebrow {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--strawberry);
-  letter-spacing: 0.14em; text-transform: uppercase;
-  margin-bottom: 6px;
-}
-.modal-head .left .ttl {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.02em; line-height: 1.2;
-  margin: 0;
-}
-.modal-head .left .ttl em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--strawberry); }
-.modal-body {
-  padding: 18px 22px;
-  overflow-y: auto;
-  display: flex; flex-direction: column; gap: 16px;
-  position: relative;
-}
-.field {
-  display: flex; flex-direction: column; gap: 6px;
-}
-.field-label {
-  font-family: var(--font-mono);
-  font-size: 10px; color: var(--muted);
-  letter-spacing: 0.12em; text-transform: uppercase;
-  display: flex; justify-content: space-between; align-items: center;
-}
-.field-label .req { color: var(--strawberry); }
-.field-input {
-  background: var(--bg);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-  padding: 10px 12px;
-  font-family: inherit;
-  font-size: 13px;
-  color: var(--text);
-  outline: none;
-  resize: vertical;
-}
-.field-input:focus { border-color: var(--bondi); box-shadow: 0 0 0 3px var(--bondi-soft); }
-.field-input.locked {
-  background: var(--surface-2);
-  color: var(--strawberry);
-  font-family: var(--font-mono);
-  letter-spacing: 0.10em;
-}
-.recipients {
-  display: flex; gap: 8px; flex-wrap: wrap;
-}
-.recipient {
-  display: flex; align-items: center; gap: 8px;
-  padding: 6px 12px 6px 6px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  font-size: 12.5px;
-}
-.recipient .av {
-  width: 22px; height: 22px;
-  border-radius: 50%;
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono); font-size: 9px; font-weight: 600;
-  color: white;
-}
-.recipient .who { color: var(--text-strong); font-weight: 500; }
-.recipient .role { color: var(--muted); font-family: var(--font-mono); font-size: 10px; letter-spacing: 0.06em; }
-.cite-list {
-  display: flex; flex-direction: column; gap: 6px;
-  font-family: var(--font-mono);
-  font-size: 11px; color: var(--text-2);
-}
-.cite-list .cite {
-  display: flex; align-items: center; gap: 8px;
-  padding: 6px 10px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-}
-.cite-list .cite .ck {
-  width: 14px; height: 14px;
-  border-radius: 3px;
-  background: var(--lime);
-  display: flex; align-items: center; justify-content: center;
-  font-size: 10px; color: var(--on-lime); font-weight: 700;
-}
-.cite-list .cite .src { color: var(--text); flex: 1; }
-.cite-list .cite .hash { color: var(--muted); }
-.modal-foot {
-  padding: 14px 22px;
-  border-top: 1px solid var(--hairline);
-  display: flex; justify-content: space-between; align-items: center;
-  background: var(--surface-2);
-}
-.modal-foot .left {
-  font-family: var(--font-mono); font-size: 10px;
-  color: var(--muted); letter-spacing: 0.10em;
-  text-transform: uppercase;
-}
-.modal-foot .left b { color: var(--lime); }
-
-/* ── Routing transition ───────────────────────────────── */
-.routing-screen {
-  position: absolute; inset: 0;
-  display: flex; align-items: center; justify-content: center;
-  flex-direction: column; gap: 28px;
-  z-index: 120;
-  background:
-    radial-gradient(ellipse 1200px 800px at 50% 50%, rgba(43,202,232,0.10) 0%, transparent 60%),
-    rgba(10, 10, 18, 0.96);
-  backdrop-filter: blur(20px);
-}
-.routing-pulse {
-  width: 96px; height: 96px;
-  border-radius: 50%;
-  background: var(--bondi);
-  box-shadow: 0 0 64px var(--bondi-glow), 0 0 128px var(--bondi-glow);
-  position: relative;
-}
-.routing-pulse::before, .routing-pulse::after {
-  content: ""; position: absolute; inset: 0;
-  border-radius: 50%;
-  border: 2px solid var(--bondi);
-  opacity: 0.6;
-  animation: ring 1.8s ease-out infinite;
-}
-.routing-pulse::after { animation-delay: 0.9s; }
-@keyframes ring {
-  0%   { transform: scale(1); opacity: 0.7; }
-  100% { transform: scale(3); opacity: 0; }
-}
-.routing-title {
-  font-family: var(--font-display);
-  font-size: 36px; font-weight: 500;
-  color: var(--text-strong); letter-spacing: -0.025em;
-  text-align: center; max-width: 700px;
-  margin: 0;
-  font-variation-settings: "opsz" 48;
-}
-.routing-title em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--bondi); }
-.routing-log {
-  width: 720px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 18px 22px;
-  font-family: var(--font-mono);
-  font-size: 12.5px;
-  line-height: 1.85;
-  color: var(--text-2);
-  font-feature-settings: "tnum" 1;
-  height: 240px;
-  overflow: hidden;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-}
-.routing-log .line { display: flex; gap: 14px; }
-.routing-log .ts { color: var(--bondi); letter-spacing: 0.06em; flex-shrink: 0; }
-.routing-log .lvl { width: 56px; flex-shrink: 0; letter-spacing: 0.12em; }
-.routing-log .lvl.ok { color: var(--lime); }
-.routing-log .lvl.info { color: var(--bondi); }
-.routing-log .lvl.exec { color: var(--tangerine); }
-.routing-log .lvl.sign { color: var(--grape); }
-.routing-log .msg { color: var(--text); }
-.routing-log .msg b { color: var(--text-strong); font-weight: 500; }
-.routing-log .new { animation: type-in 0.30s var(--ease); }
-@keyframes type-in {
-  from { opacity: 0; transform: translateY(4px); }
-  to   { opacity: 1; transform: translateY(0); }
-}
-
-/* ── Evidence bundle screen ───────────────────────────── */
-.bundle-shell {
-  max-width: 1180px; margin: 0 auto;
-}
-.bundle-strip {
-  display: flex; align-items: center; gap: 16px;
-  padding: 16px;
-  background: var(--surface);
-  border: 1px solid var(--lime);
-  border-radius: var(--radius-lg);
-  margin-bottom: 18px;
-  position: relative; overflow: hidden;
-  box-shadow: 0 0 32px var(--lime-glow);
-}
-.bundle-strip::before {
-  content: ""; position: absolute;
-  top: 0; right: 0; width: 40%; height: 100%;
-  background: radial-gradient(ellipse at right, var(--lime-glow) 0%, transparent 70%);
-  opacity: 0.30; pointer-events: none;
-}
-.bundle-strip .seal-lg {
-  width: 64px; height: 64px;
-  border-radius: 50%;
-  border: 1.5px solid var(--lime);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--serif);
-  font-weight: 800; font-size: 24px;
-  color: var(--lime);
-  background: rgba(20, 20, 30, 0.7);
-  flex-shrink: 0;
-  box-shadow: 0 0 24px var(--lime-glow);
-  position: relative;
-}
-.bundle-strip .seal-lg::after {
-  content: ""; position: absolute; inset: 4px;
-  border-radius: 50%;
-  border: 1px solid var(--lime);
-  opacity: 0.5;
-}
-.bundle-strip .id-block { flex: 1; position: relative; }
-.bundle-strip .ttl {
-  font-family: var(--font-display);
-  font-size: 22px; font-weight: 600;
-  color: var(--text-strong);
-  letter-spacing: -0.02em;
-  margin-bottom: 5px;
-}
-.bundle-strip .meta {
-  display: flex; gap: 16px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; color: var(--muted);
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  flex-wrap: wrap;
-}
-.bundle-strip .meta b { color: var(--text); font-weight: 500; }
-.bundle-strip .stamp {
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  letter-spacing: 0.16em; text-transform: uppercase;
-  color: var(--lime);
-  padding: 6px 14px;
-  border: 1.5px solid var(--lime);
-  border-radius: var(--radius-sm);
-  background: var(--lime-soft);
-  position: relative;
-}
-
-.bundle-layout {
-  display: grid;
-  grid-template-columns: 1fr 320px;
-  gap: 18px;
-  padding-bottom: 76px;
-}
-
-.bundle-doc {
-  background: #14141E;
-  border: 1px solid var(--border);
-  border-radius: var(--radius-xl);
-  padding: 36px 44px;
-  position: relative;
-  overflow: hidden;
-  box-shadow: 0 16px 48px rgba(0,0,0,0.30);
-}
-.bundle-doc::before {
-  content: ""; position: absolute;
-  inset: 6px; border: 1px solid var(--lime); opacity: 0.20;
-  border-radius: calc(var(--radius-xl) - 4px);
-  pointer-events: none;
-}
-.bundle-cover {
-  text-align: center; padding: 14px 0 26px;
-  border-bottom: 1px solid var(--hairline);
-  margin-bottom: 22px;
-  position: relative;
-}
-.bundle-cover .eb {
-  font-family: var(--font-mono); font-size: 11px;
-  letter-spacing: 0.32em; text-transform: uppercase;
-  color: var(--lime); opacity: 0.85; margin-bottom: 12px;
-}
-.bundle-cover h1 {
-  font-family: var(--serif); font-weight: 800;
-  font-size: 56px; letter-spacing: -0.020em;
-  color: var(--lime); line-height: 0.98;
-  text-shadow: 0 0 32px var(--lime-glow);
-  margin: 0 0 10px;
-}
-.bundle-cover .sub {
-  font-family: var(--font-display); font-size: 20px;
-  font-weight: 500; color: var(--text-strong);
-  letter-spacing: -0.012em;
-  margin: 0 0 6px;
-  font-variation-settings: "opsz" 32;
-}
-.bundle-cover .sub em { font-family: var(--serif); font-style: italic; font-weight: 400; color: var(--lime); }
-.bundle-cover .meta-line {
-  font-family: var(--font-mono); font-size: 10.5px;
-  letter-spacing: 0.14em; text-transform: uppercase;
-  color: var(--text-2);
-  margin-top: 12px;
-  display: flex; gap: 16px; justify-content: center;
-}
-.bundle-cover .meta-line b { color: var(--text); font-weight: 500; }
-
-.bundle-section {
-  margin-bottom: 22px;
-  position: relative;
-}
-.bundle-section h3 {
-  font-family: var(--font-mono);
-  font-size: 11px; letter-spacing: 0.16em;
-  text-transform: uppercase;
-  color: var(--lime);
-  margin: 0 0 10px;
-  padding-bottom: 6px;
-  border-bottom: 1px solid var(--hairline);
-  display: flex; align-items: center; gap: 8px;
-}
-.bundle-section h3 .num {
-  font-family: var(--font-mono);
-  background: var(--lime); color: var(--on-lime);
-  width: 20px; height: 20px;
-  border-radius: 4px;
-  font-size: 11px; font-weight: 700;
-  display: inline-flex; align-items: center; justify-content: center;
-}
-.bundle-section .body {
-  font-size: 13.5px; color: var(--text-2); line-height: 1.55;
-}
-.bundle-section .body p { margin: 0 0 8px; }
-.bundle-section .body b { color: var(--text); font-weight: 500; }
-
-.mini-diff {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 10px;
-  margin: 10px 0;
-}
-.mini-diff .mc {
-  padding: 10px 12px;
-  border-radius: var(--radius-sm);
-  font-family: var(--serif);
-  font-size: 12.5px; line-height: 1.5;
-  font-style: italic;
-  border: 1px solid;
-}
-.mini-diff .mc.b { background: var(--strawberry-soft); border-color: rgba(244,102,136,0.20); color: var(--text); }
-.mini-diff .mc.a { background: var(--lime-soft); border-color: rgba(181,220,85,0.20); color: var(--text); }
-.mini-diff .mc strong { font-style: normal; padding: 1px 4px; border-radius: 2px; }
-.mini-diff .mc.b strong { background: rgba(244,102,136,0.20); color: var(--strawberry); }
-.mini-diff .mc.a strong { background: rgba(181,220,85,0.20); color: var(--lime); }
-.mini-diff .mc .src {
-  font-family: var(--font-mono); font-size: 9.5px;
-  letter-spacing: 0.06em; color: var(--muted);
-  margin-top: 6px; padding-top: 6px;
-  border-top: 1px solid var(--hairline);
-  font-style: normal;
-  word-break: break-all;
-}
-
-.routing-trail {
-  font-family: var(--font-mono); font-size: 11.5px;
-  color: var(--text-2);
-  display: flex; flex-direction: column; gap: 4px;
-}
-.routing-trail .row { display: flex; gap: 14px; padding: 4px 0; border-bottom: 1px solid var(--hairline); }
-.routing-trail .row:last-child { border-bottom: 0; }
-.routing-trail .ts { color: var(--lime); flex-shrink: 0; width: 100px; }
-.routing-trail .msg { color: var(--text); flex: 1; }
-.routing-trail .msg b { color: var(--text-strong); font-weight: 500; }
-.routing-trail .ok { color: var(--lime); }
-
-.signoff {
-  margin-top: 26px;
-  padding: 20px 22px;
-  border: 2px double var(--lime);
-  border-radius: 4px;
-  display: flex; align-items: center; justify-content: space-between;
-  position: relative;
-  background: rgba(181,220,85,0.04);
-}
-.signoff .left {
-  font-family: var(--serif);
-  font-size: 14px; color: var(--text-2);
-  font-style: italic;
-}
-.signoff .left b { color: var(--text); font-weight: 500; font-style: normal; }
-.signoff .right {
-  font-family: var(--serif); font-weight: 800;
-  font-size: 28px; color: var(--lime);
-  letter-spacing: -0.014em;
-  transform: rotate(-3deg);
-  text-shadow: 0 0 24px var(--lime-glow);
-}
-
-/* Bundle side: TOC + actions */
-.toc-card {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px;
-}
-.toc-card h4 {
-  font-family: var(--font-mono);
-  font-size: 10px; letter-spacing: 0.14em;
-  text-transform: uppercase;
-  color: var(--muted);
-  margin: 0 0 10px;
-}
-.toc-item {
-  display: flex; align-items: center; gap: 10px;
-  padding: 8px 0;
-  border-bottom: 1px solid var(--hairline);
-  font-size: 12.5px;
-  cursor: pointer;
-}
-.toc-item:last-child { border-bottom: 0; }
-.toc-item:hover .toc-num { background: var(--lime); color: var(--on-lime); }
-.toc-num {
-  width: 22px; height: 22px;
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  border-radius: 4px;
-  font-family: var(--font-mono);
-  font-size: 10.5px; font-weight: 600;
-  color: var(--text-2);
-  display: flex; align-items: center; justify-content: center;
-  transition: all var(--dur-fast) var(--ease);
-}
-.toc-item .toc-ttl { flex: 1; color: var(--text); }
-.toc-item .toc-pages { font-family: var(--font-mono); font-size: 9.5px; color: var(--muted); }
-
-/* =============================================================
-   ONBOARDING — vendor onboarding screen + tier picker
-   ============================================================= */
-
-/* "+ ONBOARD VENDOR" pill button in the Portfolio TopBar */
-.onb-cta-pill {
-  display: inline-flex; align-items: center; gap: 7px;
-  padding: 6px 13px 6px 11px;
-  background: linear-gradient(135deg, rgba(91,160,240,0.20), rgba(43,202,232,0.18));
-  border: 1px solid rgba(91,160,240,0.45);
-  border-radius: var(--radius-full);
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.12em;
-  color: var(--text);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  box-shadow: 0 0 14px rgba(91,160,240,0.18), inset 0 1px 0 rgba(255,255,255,0.08);
-}
-.onb-cta-pill:hover {
-  border-color: rgba(91,160,240,0.75);
-  background: linear-gradient(135deg, rgba(91,160,240,0.30), rgba(43,202,232,0.28));
-  box-shadow: 0 0 22px rgba(91,160,240,0.35), inset 0 1px 0 rgba(255,255,255,0.12);
-  transform: translateY(-1px);
-}
-.onb-cta-plus {
-  display: inline-flex; align-items: center; justify-content: center;
-  width: 14px; height: 14px;
-  border-radius: 50%;
-  background: var(--aqua);
-  color: var(--bg);
-  font-family: var(--font-display);
-  font-weight: 700;
-  font-size: 13px;
-  line-height: 1;
-}
-
-/* Onboarding screen header */
-.onb-header {
-  display: flex; justify-content: space-between; align-items: flex-start;
-  gap: 24px;
-  margin: 16px 0 24px;
-}
-.onb-header-left { max-width: 640px; }
-.onb-title { margin: 8px 0 12px; }
-.onb-title em { color: var(--bondi); }
-.onb-sub { color: var(--text-2); margin: 0; }
-.btn-back-pill {
-  flex-shrink: 0;
-  padding: 8px 14px;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-full);
-  font-family: var(--font-mono);
-  font-size: 11px;
-  letter-spacing: 0.10em;
-  text-transform: uppercase;
-  color: var(--text-2);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.btn-back-pill:hover { color: var(--text); border-color: var(--border-strong); background: var(--surface-2); }
-
-/* Name + URL field row */
-.onb-fields {
-  display: grid;
-  grid-template-columns: 1fr 1fr;
-  gap: 12px;
-  margin-bottom: 24px;
-}
-.onb-field { display: flex; flex-direction: column; gap: 6px; }
-.onb-field-label {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.12em;
-  color: var(--muted);
-}
-.onb-input {
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-md);
-  padding: 11px 14px;
-  font-family: var(--font-text);
-  font-size: 14px;
-  color: var(--text);
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-input::placeholder { color: var(--muted); }
-.onb-input:focus {
-  outline: none;
-  border-color: var(--aqua);
-  background: var(--surface-2);
-  box-shadow: 0 0 0 3px rgba(91,160,240,0.12);
-}
-
-/* Tier grid */
-.tier-grid {
-  display: grid;
-  grid-template-columns: repeat(3, 1fr);
-  gap: 16px;
-  margin-bottom: 24px;
-}
-
-.tier-card {
-  position: relative;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 20px;
-  display: flex;
-  flex-direction: column;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-  overflow: hidden;
-}
-.tier-card::before {
-  content: "";
-  position: absolute;
-  inset: 0;
-  border-radius: var(--radius-lg);
-  pointer-events: none;
-  opacity: 0;
-  transition: opacity var(--dur-fast) var(--ease);
-}
-.tier-card.strawberry::before { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--strawberry-soft) 0%, transparent 60%); }
-.tier-card.bondi::before      { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--bondi-soft)      0%, transparent 60%); }
-.tier-card.lime::before       { background: radial-gradient(ellipse 240px 180px at 100% 0%, var(--lime-soft)       0%, transparent 60%); }
-.tier-card::before { opacity: 1; }
-
-.tier-card:hover {
-  border-color: var(--border-strong);
-  transform: translateY(-2px);
-  box-shadow: var(--shadow-card);
-}
-
-.tier-card.is-recommended {
-  border-color: rgba(43,202,232,0.45);
-  box-shadow: 0 0 0 1px rgba(43,202,232,0.18), 0 8px 32px rgba(0,0,0,0.20);
-}
-
-.tier-card.is-selected.strawberry {
-  border-color: var(--strawberry);
-  box-shadow: 0 0 0 1px var(--strawberry), 0 0 24px var(--strawberry-glow);
-}
-.tier-card.is-selected.bondi {
-  border-color: var(--bondi);
-  box-shadow: 0 0 0 1px var(--bondi), 0 0 24px var(--bondi-glow);
-}
-.tier-card.is-selected.lime {
-  border-color: var(--lime);
-  box-shadow: 0 0 0 1px var(--lime), 0 0 24px var(--lime-glow);
-}
-
-.tier-badge {
-  position: absolute;
-  top: 12px; right: 12px;
-  z-index: 2;
-  background: var(--bondi);
-  color: var(--on-bondi);
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  font-weight: 600;
-  letter-spacing: 0.14em;
-  padding: 3px 8px;
-  border-radius: var(--radius-full);
-  box-shadow: 0 0 14px var(--bondi-glow);
-}
-
-.tier-head {
-  position: relative; z-index: 1;
-  display: flex; align-items: baseline; gap: 10px;
-  margin-bottom: 12px;
-}
-.tier-sla {
-  font-family: var(--font-display);
-  font-size: 38px;
-  font-weight: 700;
-  letter-spacing: -0.04em;
-  line-height: 1;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 48;
-}
-.tier-card.strawberry .tier-sla { color: var(--strawberry); }
-.tier-card.bondi      .tier-sla { color: var(--bondi); }
-.tier-card.lime       .tier-sla { color: var(--lime); }
-
-.tier-tagline {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.16em;
-  text-transform: uppercase;
-  color: var(--muted);
-  padding-bottom: 4px;
-}
-
-.tier-name {
-  position: relative; z-index: 1;
-  margin: 0 0 6px;
-}
-
-.tier-desc {
-  position: relative; z-index: 1;
-  font-size: 13px;
-  color: var(--text-2);
-  margin: 0 0 16px;
-  line-height: 1.5;
-}
-
-.tier-price-row {
-  position: relative; z-index: 1;
-  display: flex; align-items: baseline; gap: 6px;
-  padding: 12px 0;
-  border-top: 1px solid var(--hairline);
-  border-bottom: 1px solid var(--hairline);
-  margin-bottom: 14px;
-}
-.tier-price {
-  font-family: var(--font-display);
-  font-size: 28px;
-  font-weight: 600;
-  letter-spacing: -0.02em;
-  color: var(--text-strong);
-  font-feature-settings: "tnum" 1;
-}
-.tier-unit {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  color: var(--muted);
-  letter-spacing: 0.06em;
-}
-
-.tier-features {
-  position: relative; z-index: 1;
-  list-style: none;
-  padding: 0;
-  margin: 0 0 18px;
-  flex: 1;
-}
-.tier-features li {
-  display: flex; align-items: flex-start; gap: 8px;
-  padding: 5px 0;
-  font-size: 12.5px;
-  color: var(--text);
-  line-height: 1.4;
-}
-.tier-check {
-  flex-shrink: 0;
-  width: 14px;
-  font-family: var(--font-mono);
-  font-weight: 600;
-  font-size: 11px;
-}
-.tier-card.strawberry .tier-check { color: var(--strawberry); }
-.tier-card.bondi      .tier-check { color: var(--bondi); }
-.tier-card.lime       .tier-check { color: var(--lime); }
-
-.tier-foot {
-  position: relative; z-index: 1;
-  display: flex; justify-content: space-between; align-items: center;
-}
-.tier-eta {
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-}
-.tier-select-pill {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  letter-spacing: 0.14em;
-  padding: 5px 10px;
-  border-radius: var(--radius-full);
-  background: var(--surface-2);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  transition: all var(--dur-fast) var(--ease);
-}
-.tier-card.is-selected.strawberry .tier-select-pill.on {
-  background: var(--strawberry); color: var(--on-strawberry); border-color: var(--strawberry);
-}
-.tier-card.is-selected.bondi .tier-select-pill.on {
-  background: var(--bondi); color: var(--on-bondi); border-color: var(--bondi);
-}
-.tier-card.is-selected.lime .tier-select-pill.on {
-  background: var(--lime); color: var(--on-lime); border-color: var(--lime);
-}
-
-/* API integration: alert, chips, checkboxes, spinner */
-.onb-alert {
-  border-radius: var(--radius-md);
-  padding: 12px 14px;
-  margin-bottom: 18px;
-  font-size: 13px;
-}
-.onb-alert.err {
-  background: var(--strawberry-soft);
-  border: 1px solid rgba(244,102,136,0.40);
-  color: var(--text);
-}
-.onb-alert.warn {
-  background: var(--tangerine-soft);
-  border: 1px solid rgba(255,149,64,0.40);
-  color: var(--text);
-}
-.onb-alert-head {
-  display: flex; align-items: center; gap: 10px;
-  font-size: 13px;
-}
-.onb-alert-code {
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  padding: 3px 8px;
-  border-radius: var(--radius-sm);
-  background: rgba(0,0,0,0.30);
-  color: var(--text-strong);
-}
-.onb-alert-detail {
-  display: flex; flex-direction: column; gap: 8px;
-  margin-top: 10px;
-  padding-top: 10px;
-  border-top: 1px solid rgba(255,255,255,0.10);
-}
-.onb-alert-label {
-  display: inline-block;
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-  margin-right: 8px;
-  text-transform: uppercase;
-}
-.onb-chip {
-  display: inline-block;
-  font-family: var(--font-mono);
-  font-size: 10.5px;
-  padding: 2px 7px;
-  border-radius: var(--radius-sm);
-  margin: 2px 4px 2px 0;
-  letter-spacing: 0.06em;
-}
-.onb-chip.miss { background: var(--strawberry-soft); color: var(--strawberry); border: 1px solid rgba(244,102,136,0.30); }
-.onb-chip.ok   { background: var(--lime-soft);       color: var(--lime);       border: 1px solid rgba(181,220,85,0.30); }
-
-.onb-checkboxes { display: flex; gap: 8px; flex-wrap: wrap; }
-.onb-chip-btn {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  letter-spacing: 0.06em;
-  padding: 7px 12px;
-  border-radius: var(--radius-full);
-  background: var(--surface);
-  border: 1px solid var(--border);
-  color: var(--text-2);
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-chip-btn:hover { color: var(--text); border-color: var(--border-strong); }
-.onb-chip-btn.on {
-  background: var(--bondi-soft);
-  border-color: rgba(43,202,232,0.40);
-  color: var(--bondi);
-}
-.onb-chip-btn[disabled] { opacity: 0.5; cursor: not-allowed; }
-
-.onb-spinner {
-  display: inline-block;
-  width: 12px; height: 12px;
-  border: 2px solid rgba(255,255,255,0.30);
-  border-top-color: currentColor;
-  border-radius: 50%;
-  margin-right: 6px;
-  vertical-align: -1px;
-  animation: onb-spin 600ms linear infinite;
-}
-@keyframes onb-spin { to { transform: rotate(360deg); } }
-
-.onb-toast-sub code {
-  font-family: var(--font-mono);
-  font-size: 10px;
-  background: rgba(255,255,255,0.06);
-  padding: 1px 5px;
-  border-radius: 4px;
-  color: var(--text);
-}
-
-/* DATA CLASSES field shouldn't stretch input style */
-.onb-field .onb-checkboxes { padding-top: 4px; }
-
-/* Bottom action bar */
-.onb-action-bar {
-  display: flex; justify-content: space-between; align-items: center;
-  background: var(--surface);
-  border: 1px solid var(--border);
-  border-radius: var(--radius-lg);
-  padding: 14px 18px;
-}
-.onb-action-summary { display: flex; flex-direction: column; gap: 2px; }
-.onb-action-label {
-  font-family: var(--font-mono);
-  font-size: 9.5px;
-  letter-spacing: 0.14em;
-  color: var(--muted);
-}
-.onb-action-value {
-  font-family: var(--font-display);
-  font-size: 16px;
-  font-weight: 500;
-  color: var(--text-strong);
-  letter-spacing: -0.01em;
-}
-.onb-action-dot { color: var(--muted); font-weight: 400; }
-.onb-action-unit {
-  font-family: var(--font-mono);
-  font-size: 11px;
-  color: var(--muted);
-  letter-spacing: 0.05em;
-}
-.onb-action-buttons { display: flex; gap: 10px; }
-.onb-btn {
-  padding: 9px 18px;
-  border-radius: var(--radius-md);
-  font-family: var(--font-text);
-  font-size: 13px;
-  font-weight: 500;
-  cursor: pointer;
-  transition: all var(--dur-fast) var(--ease);
-}
-.onb-btn.ghost {
-  background: transparent;
-  border: 1px solid var(--border);
-  color: var(--text-2);
-}
-.onb-btn.ghost:hover { color: var(--text); border-color: var(--border-strong); background: var(--surface-2); }
-.onb-btn.primary {
-  background: linear-gradient(135deg, var(--aqua), var(--bondi));
-  border: 1px solid rgba(91,160,240,0.45);
-  color: var(--bg);
-  font-weight: 600;
-  box-shadow: 0 0 18px rgba(91,160,240,0.25);
-}
-.onb-btn.primary:hover {
-  box-shadow: 0 0 28px rgba(91,160,240,0.45);
-  transform: translateY(-1px);
-}
-
-/* Success toast (shown after onboarding, dismissed automatically) */
-.onb-toast {
-  position: absolute;
-  right: 24px; bottom: 24px;
-  z-index: 60;
-  display: flex; align-items: center; gap: 12px;
-  background: var(--surface);
-  border: 1px solid var(--lime);
-  border-radius: var(--radius-md);
-  padding: 12px 16px 12px 12px;
-  box-shadow: 0 12px 36px rgba(0,0,0,0.40), 0 0 24px var(--lime-glow);
-  animation: onb-toast-in 280ms var(--ease-spring);
-  max-width: 360px;
-}
-.onb-toast-icon {
-  flex-shrink: 0;
-  width: 28px; height: 28px;
-  border-radius: 50%;
-  background: var(--lime);
-  color: var(--on-lime);
-  display: flex; align-items: center; justify-content: center;
-  font-family: var(--font-mono);
-  font-weight: 700;
-}
-.onb-toast-title { font-size: 13px; color: var(--text); }
-.onb-toast-sla { color: var(--lime); font-family: var(--font-mono); font-size: 11px; letter-spacing: 0.1em; }
-.onb-toast-sub { font-family: var(--font-mono); font-size: 10.5px; color: var(--muted); margin-top: 2px; letter-spacing: 0.06em; }
-@keyframes onb-toast-in {
-  from { opacity: 0; transform: translateY(8px); }
-  to   { opacity: 1; transform: translateY(0); }
-}
-
diff --git a/public/app/brand.jsx b/public/app/brand.jsx
deleted file mode 100644
index c8deafa..0000000
--- a/public/app/brand.jsx
+++ /dev/null
@@ -1,30 +0,0 @@
-// brand.jsx — the Unsyphn wordmark
-
-function UnsyphnMark({ size = 18 }) {
-  return (
-    <img
-      src="/logo.png"
-      alt="Unsyphn"
-      style={{ height: size, width: "auto", display: "block" }}
-    />
-  );
-}
-
-function UnsyphnDot({ size = 16, animate = true }) {
-  return (
-    <span
-      className={animate ? "live-dot pulse" : "live-dot"}
-      style={{
-        width: size,
-        height: size,
-        borderRadius: "50%",
-        background: "var(--bondi)",
-        boxShadow: `0 0 ${size}px var(--bondi-glow), 0 0 ${size * 2}px var(--bondi-glow)`,
-        display: "inline-block",
-        flexShrink: 0,
-      }}
-    />
-  );
-}
-
-Object.assign(window, { UnsyphnMark, UnsyphnDot });
diff --git a/public/app/browser-window.jsx b/public/app/browser-window.jsx
deleted file mode 100644
index b90e273..0000000
--- a/public/app/browser-window.jsx
+++ /dev/null
@@ -1,114 +0,0 @@
-
-// Chrome.jsx — Simplified Chrome browser window (dark theme, macOS)
-// No dependencies, no image assets. All inline styles + inline SVG.
-
-const CHROME_C = {
-  barBg: '#202124',
-  tabBg: '#35363a',
-  text: '#e8eaed',
-  dim: '#9aa0a6',
-  urlBg: '#282a2d',
-};
-
-function ChromeTrafficLights() {
-  return (
-    <div style={{ display: 'flex', gap: 8, padding: '0 14px' }}>
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#ff5f57' }} />
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#febc2e' }} />
-      <div style={{ width: 12, height: 12, borderRadius: '50%', background: '#28c840' }} />
-    </div>
-  );
-}
-
-// Single tab (active has curved scoops)
-function ChromeTab({ title = 'New Tab', active = false }) {
-  const curve = (flip) => (
-    <svg width="8" height="10" viewBox="0 0 8 10"
-      style={{ position: 'absolute', bottom: 0, [flip ? 'right' : 'left']: -8, transform: flip ? 'scaleX(-1)' : 'none' }}>
-      <path d="M0 10C2 9 6 8 8 0V10H0Z" fill={CHROME_C.tabBg}/>
-    </svg>
-  );
-  return (
-    <div style={{
-      position: 'relative', height: 34, alignSelf: 'flex-end',
-      padding: '0 12px', display: 'flex', alignItems: 'center', gap: 8,
-      background: active ? CHROME_C.tabBg : 'transparent',
-      borderRadius: '8px 8px 0 0', minWidth: 120, maxWidth: 220,
-      fontFamily: 'system-ui, sans-serif', fontSize: 12,
-      color: active ? CHROME_C.text : CHROME_C.dim,
-    }}>
-      {active && curve(false)}
-      {active && curve(true)}
-      <div style={{ width: 14, height: 14, borderRadius: '50%', background: '#5f6368', flexShrink: 0 }} />
-      <span style={{ flex: 1, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{title}</span>
-    </div>
-  );
-}
-
-function ChromeTabBar({ tabs = [{ title: 'New Tab' }], activeIndex = 0 }) {
-  return (
-    <div style={{
-      display: 'flex', alignItems: 'center', height: 44,
-      background: CHROME_C.barBg, paddingRight: 8,
-    }}>
-      <ChromeTrafficLights />
-      <div style={{ display: 'flex', alignItems: 'flex-end', height: '100%', paddingLeft: 4, flex: 1 }}>
-        {tabs.map((t, i) => <ChromeTab key={i} title={t.title} active={i === activeIndex} />)}
-      </div>
-    </div>
-  );
-}
-
-function ChromeToolbar({ url = 'example.com' }) {
-  const iconDot = (
-    <div style={{
-      width: 28, height: 28, display: 'flex', alignItems: 'center', justifyContent: 'center',
-    }}>
-      <div style={{ width: 16, height: 16, borderRadius: '50%', background: CHROME_C.dim, opacity: 0.4 }} />
-    </div>
-  );
-  return (
-    <div style={{
-      height: 40, background: CHROME_C.tabBg,
-      display: 'flex', alignItems: 'center', gap: 4, padding: '0 8px',
-    }}>
-      {iconDot}
-      {/* url bar */}
-      <div style={{
-        flex: 1, height: 30, borderRadius: 15, background: CHROME_C.urlBg,
-        display: 'flex', alignItems: 'center', gap: 8, padding: '0 14px',
-        margin: '0 6px',
-      }}>
-        <div style={{ width: 12, height: 12, borderRadius: '50%', background: CHROME_C.dim, opacity: 0.4 }} />
-        <span style={{
-          flex: 1, color: CHROME_C.text, fontSize: 13,
-          fontFamily: 'system-ui, sans-serif',
-        }}>{url}</span>
-      </div>
-      {iconDot}
-    </div>
-  );
-}
-
-function ChromeWindow({
-  tabs = [{ title: 'New Tab' }], activeIndex = 0, url = 'example.com',
-  width = 900, height = 600, children,
-}) {
-  return (
-    <div style={{
-      width, height, borderRadius: 10, overflow: 'hidden',
-      boxShadow: '0 24px 80px rgba(0,0,0,0.35), 0 0 0 1px rgba(0,0,0,0.1)',
-      display: 'flex', flexDirection: 'column', background: CHROME_C.tabBg,
-    }}>
-      <ChromeTabBar tabs={tabs} activeIndex={activeIndex} />
-      <ChromeToolbar url={url} />
-      <div style={{ flex: 1, background: '#fff', overflow: 'auto' }}>
-        {children}
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, {
-  ChromeWindow, ChromeTabBar, ChromeToolbar, ChromeTab, ChromeTrafficLights,
-});
diff --git a/public/app/escalate.jsx b/public/app/escalate.jsx
deleted file mode 100644
index 0d974a4..0000000
--- a/public/app/escalate.jsx
+++ /dev/null
@@ -1,96 +0,0 @@
-// escalate.jsx — Escalate-to-Legal modal
-
-function EscalateModal({ state, dispatch }) {
-  const [msg, setMsg] = React.useState(
-    "Notion ToS change: PII retention 90→30d violates DPA §3.1. Pricing +18% with renewal in 42 days. Negotiate both: retention back to 60d (industry standard), price locked at prior $10/seat."
-  );
-  const [deadline, setDeadline] = React.useState("2026-05-29");
-
-  return (
-    <div className="modal-scrim" onClick={(e) => { if (e.target === e.currentTarget) dispatch({ type: "close-escalate" }); }}>
-      <div className="modal" role="dialog" aria-modal="true">
-        <div className="modal-head">
-          <div className="left">
-            <div className="eyebrow">⚠ P1 · ESCALATE</div>
-            <h2 className="ttl">Route ChangeReport <em>RL·4839</em> to Legal.</h2>
-          </div>
-          <button className="icon-btn" onClick={() => dispatch({ type: "close-escalate" })} title="Close">✕</button>
-        </div>
-
-        <div className="modal-body">
-
-          <div className="field">
-            <div className="field-label"><span>Recipients</span><span>2 · BOTH NOTIFIED</span></div>
-            <div className="recipients">
-              <div className="recipient">
-                <div className="av" style={{ background: "linear-gradient(135deg, var(--grape), var(--strawberry))" }}>PN</div>
-                <div>
-                  <div className="who">Priya Natarajan</div>
-                  <div className="role">LEGAL COUNSEL</div>
-                </div>
-              </div>
-              <div className="recipient">
-                <div className="av" style={{ background: "linear-gradient(135deg, var(--tangerine), var(--strawberry))" }}>MC</div>
-                <div>
-                  <div className="who">Marcus Chen</div>
-                  <div className="role">PROCUREMENT</div>
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Severity</span><span style={{ color: "var(--muted)" }}>LOCKED · POLICY-DRIVEN</span></div>
-            <input className="field-input locked" value="P1 · CRITICAL" readOnly />
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Message</span><span className="req">REQUIRED</span></div>
-            <textarea
-              className="field-input"
-              rows={4}
-              value={msg}
-              onChange={(e) => setMsg(e.target.value)}
-            />
-          </div>
-
-          <div className="field">
-            <div className="field-label"><span>Citations to attach</span><span style={{ color: "var(--lime)" }}>✓ 4 GROUNDED</span></div>
-            <div className="cite-list">
-              <div className="cite"><span className="ck">✓</span><span className="src">notion.so/terms#4.2 · §4.2 Data Retention</span><span className="hash">8b2e…f94a</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">notion.so/pricing · §7.1 Plus Plan</span><span className="hash">d4a1…2c7b</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">internal · DPA §3.1 (Acme ⟷ Notion)</span><span className="hash">f9c3…81de</span></div>
-              <div className="cite"><span className="ck">✓</span><span className="src">policy · severity-rules.yaml · v4</span><span className="hash">a3f9…d21c</span></div>
-            </div>
-          </div>
-
-          <div className="field" style={{ flexDirection: "row", gap: 14 }}>
-            <div className="field" style={{ flex: 1 }}>
-              <div className="field-label"><span>Owner</span></div>
-              <input className="field-input" value="Priya Natarajan" readOnly />
-            </div>
-            <div className="field" style={{ flex: 1 }}>
-              <div className="field-label"><span>Deadline</span></div>
-              <input className="field-input" value={deadline} onChange={(e) => setDeadline(e.target.value)} />
-            </div>
-          </div>
-
-        </div>
-
-        <div className="modal-foot">
-          <div className="left">
-            All actions logged · <b>4 citations</b> · agent-redline-v1.4
-          </div>
-          <div className="actions-row">
-            <button className="btn btn-ghost" onClick={() => dispatch({ type: "close-escalate" })}>Cancel</button>
-            <button className="btn btn-escalate" onClick={() => dispatch({ type: "confirm-escalate" })}>
-              ↑ ROUTE &amp; GENERATE BUNDLE →
-            </button>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, { EscalateModal });
diff --git a/public/app/index.html b/public/app/index.html
deleted file mode 100644
index ce2eefe..0000000
--- a/public/app/index.html
+++ /dev/null
@@ -1,69 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8" />
-<meta name="redline-api-base" content="" />
-<meta name="redline-bearer" content="demo_token_acme_corp_2026" />
-<title>Unsyphn — Working Demo (Notion flow)</title>
-<link rel="stylesheet" href="tokens.css" />
-<link rel="stylesheet" href="app.css" />
-<link rel="stylesheet" href="app2.css" />
-<style>
-  html, body { margin: 0; padding: 0; background: #0A0A12; min-height: 100vh; }
-  #stage {
-    width: 100vw; height: 100vh;
-    display: flex; align-items: center; justify-content: center;
-    overflow: hidden;
-    background:
-      radial-gradient(ellipse 800px 500px at 80% -5%, rgba(91,160,240,0.18) 0%, transparent 60%),
-      radial-gradient(ellipse 800px 500px at 10% 90%, rgba(181,220,85,0.10) 0%, transparent 60%),
-      #06060C;
-  }
-  #stage-inner {
-    width: 1440px; height: 900px;
-    transform-origin: center center;
-  }
-</style>
-</head>
-<body>
-
-<div id="stage">
-  <div id="stage-inner">
-    <div id="root"></div>
-  </div>
-</div>
-
-<script src="https://unpkg.com/react@18.3.1/umd/react.development.js" integrity="sha384-hD6/rw4ppMLGNu3tX5cjIb+uRZ7UkRJ6BPkLpg4hAu/6onKUg4lLsHAs9EBPT82L" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/react-dom@18.3.1/umd/react-dom.development.js" integrity="sha384-u6aeetuaXnQ38mYT8rp6sbXaQe3NL9t+IBXmnYxwkUI2Hw4bsp2Wvmx4yRQF1uAm" crossorigin="anonymous"></script>
-<script src="https://unpkg.com/@babel/standalone@7.29.0/babel.min.js" integrity="sha384-m08KidiNqLdpJqLq95G/LEi8Qvjl/xUYll3QILypMoQ65QorJ9Lvtp2RXYGBFj1y" crossorigin="anonymous"></script>
-
-<script type="text/babel" src="browser-window.jsx"></script>
-<script type="text/babel" src="brand.jsx"></script>
-<script type="text/babel" src="vendor-data.jsx"></script>
-<script type="text/babel" src="shared.jsx"></script>
-<script type="text/babel" src="screen-portfolio.jsx"></script>
-<script type="text/babel" src="screen-change.jsx"></script>
-<script type="text/babel" src="escalate.jsx"></script>
-<script type="text/babel" src="routing.jsx"></script>
-<script type="text/babel" src="screen-evidence.jsx"></script>
-<script type="text/babel" src="screen-onboarding.jsx"></script>
-<script type="text/babel" src="app.jsx"></script>
-
-<script defer src="live.js"></script>
-
-<script>
-  // Scale to fit any viewport
-  (function fit() {
-    const inner = document.getElementById('stage-inner');
-    const stage = document.getElementById('stage');
-    function resize() {
-      const s = Math.min(stage.clientWidth / 1440, stage.clientHeight / 900);
-      inner.style.transform = `scale(${s})`;
-    }
-    window.addEventListener('resize', resize);
-    resize();
-  })();
-</script>
-
-</body>
-</html>
diff --git a/public/app/live.js b/public/app/live.js
deleted file mode 100644
index da82b3e..0000000
--- a/public/app/live.js
+++ /dev/null
@@ -1,187 +0,0 @@
-// Sidecar live layer for the static demo app.
-// Loaded AFTER the React/Babel pipeline finishes hydrating. Polls for the
-// FleetStats cards (rendered by shared.jsx), fetches the Unsyphn dashboard
-// summary, and patches the matching stat-val numbers in place — without
-// touching any JSX file.
-//
-// Strict contract:
-//   * No edits to any .jsx file.
-//   * Silent no-op if API unreachable or shape mismatched.
-//   * One window event emitted: `redline:live-summary` carrying the parsed body.
-//   * One window event emitted on failure: `redline:live-summary-error`.
-//
-// API base + bearer are read from <meta> tags so the same script works in
-// dev (localhost:8787) and on Vercel (proxied /v1).
-
-(function () {
-  "use strict";
-
-  function metaValue(name, fallback) {
-    var el = document.querySelector('meta[name="' + name + '"]');
-    return el && el.content ? el.content : fallback;
-  }
-
-  var API_BASE = metaValue("redline-api-base", "");
-  var BEARER   = metaValue("redline-bearer", "demo_token_acme_corp_2026");
-
-  // In dev, Vite serves the static demo on a different port than the API.
-  // Detect this: if no meta base is set and we're on a non-API port, point
-  // directly at the known API port.
-  if (!API_BASE && typeof window !== "undefined") {
-    var h = window.location.hostname;
-    var p = window.location.port;
-    // Port 4004 = vite dev server; API lives on 3005
-    if (p === "4004" || p === "5173" || p === "3000") {
-      API_BASE = window.location.protocol + "//" + h + ":3005";
-    }
-  }
-
-  var baseUrl   = (API_BASE || (typeof window !== "undefined" && window.location.origin) || "").replace(/\/+$/, "");
-  var SUMMARY_URL = baseUrl + "/v1/dashboard/summary";
-  var STREAM_URL  = baseUrl + "/v1/stream?token=" + encodeURIComponent(BEARER);
-
-  // Format helpers — keep numbers terse so they fit the existing tile size.
-  function compactUsd(value) {
-    if (value == null || isNaN(value)) return null;
-    if (value >= 1_000_000) return "$" + (value / 1_000_000).toFixed(1).replace(/\.0$/, "") + "M";
-    if (value >= 1_000) return "$" + Math.round(value / 1_000) + "k";
-    return "$" + Math.round(value);
-  }
-
-  function findStatByLabel(label) {
-    var nodes = document.querySelectorAll(".fleet .stat");
-    for (var i = 0; i < nodes.length; i++) {
-      var lbl = nodes[i].querySelector(".stat-label");
-      if (lbl && lbl.textContent.trim().toLowerCase() === label.toLowerCase()) {
-        return nodes[i];
-      }
-    }
-    return null;
-  }
-
-  function setVal(card, value) {
-    if (!card || value == null) return false;
-    var v = card.querySelector(".stat-val");
-    if (!v) return false;
-    v.textContent = String(value);
-    card.setAttribute("data-live", "1");
-    return true;
-  }
-
-  function setSub(card, value) {
-    if (!card || !value) return;
-    var s = card.querySelector(".stat-sub");
-    if (s) s.textContent = value;
-  }
-
-  function applySummary(summary) {
-    if (!summary || typeof summary !== "object") return 0;
-    var patched = 0;
-
-    var vendors = findStatByLabel("Vendors");
-    if (vendors && setVal(vendors, summary.vendorCount)) {
-      var rr = compactUsd(summary.annualRunRateUsd);
-      if (rr) setSub(vendors, "live · " + rr + " run-rate");
-      patched += 1;
-    }
-
-    var openChanges = findStatByLabel("P1 · critical");
-    if (openChanges && setVal(openChanges, summary.openChangeCount)) {
-      patched += 1;
-    }
-
-    return patched;
-  }
-
-  function waitForFleet(maxMs, cb) {
-    var deadline = Date.now() + maxMs;
-    function tick() {
-      var nodes = document.querySelectorAll(".fleet .stat");
-      if (nodes.length > 0) return cb(true);
-      if (Date.now() > deadline) return cb(false);
-      setTimeout(tick, 100);
-    }
-    tick();
-  }
-
-  function fetchSummary() {
-    return fetch(SUMMARY_URL, {
-      headers: {
-        Authorization: "Bearer " + BEARER,
-        Accept: "application/json",
-      },
-      mode: "cors",
-      credentials: "omit",
-    }).then(function (res) {
-      if (!res.ok) throw new Error("HTTP " + res.status);
-      return res.json();
-    });
-  }
-
-  function dispatchEvent(name, detail) {
-    try {
-      window.dispatchEvent(new CustomEvent(name, { detail: detail }));
-    } catch (_) {
-      // CustomEvent unsupported — silent.
-    }
-  }
-
-  function subscribeToStream() {
-    if (typeof EventSource === "undefined") return;
-    var es = new EventSource(STREAM_URL);
-
-    // On any named or unnamed message, re-fetch summary to keep stats fresh.
-    var REFRESH_EVENTS = ["scheduler.tick", "run.stage", "run.completed", "org.entitlements.changed"];
-    REFRESH_EVENTS.forEach(function (evtType) {
-      es.addEventListener(evtType, function (e) {
-        var payload = null;
-        try { payload = JSON.parse(e.data); } catch (_) {}
-        dispatchEvent("redline:stream-event", { type: evtType, payload: payload });
-        fetchSummary().then(function (summary) {
-          waitForFleet(1000, function (mounted) {
-            if (mounted) applySummary(summary);
-          });
-        }).catch(function () {});
-      });
-    });
-
-    es.onerror = function () {
-      // Reconnect is handled automatically by EventSource; no action needed.
-    };
-  }
-
-  function start() {
-    waitForFleet(5000, function (mounted) {
-      if (!mounted) {
-        dispatchEvent("redline:live-summary-error", { reason: "fleet-not-mounted" });
-        return;
-      }
-      fetchSummary()
-        .then(function (summary) {
-          var patched = applySummary(summary);
-          dispatchEvent("redline:live-summary", { summary: summary, patched: patched });
-          subscribeToStream();
-        })
-        .catch(function (err) {
-          dispatchEvent("redline:live-summary-error", { reason: String(err && err.message ? err.message : err) });
-          subscribeToStream();
-        });
-    });
-  }
-
-  // Export for tests
-  if (typeof module !== "undefined" && module.exports) {
-    module.exports = { applySummary: applySummary, compactUsd: compactUsd, findStatByLabel: findStatByLabel };
-  }
-  if (typeof window !== "undefined") {
-    window.__redlineLive = { applySummary: applySummary, compactUsd: compactUsd, findStatByLabel: findStatByLabel };
-  }
-
-  if (typeof document !== "undefined") {
-    if (document.readyState === "loading") {
-      document.addEventListener("DOMContentLoaded", start, { once: true });
-    } else {
-      start();
-    }
-  }
-})();
diff --git a/public/app/routing.jsx b/public/app/routing.jsx
deleted file mode 100644
index 2d4ab86..0000000
--- a/public/app/routing.jsx
+++ /dev/null
@@ -1,40 +0,0 @@
-// routing.jsx — full-screen routing transition (streams log, auto-advances to evidence).
-// Pulls the log + title from VENDOR_DATA[activeVendor]; falls back to Notion's defaults.
-
-function RoutingTransition({ dispatch, vendorKey }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[vendorKey || "notion"] || DATA.notion || {};
-  const log = vendor.routingLog || [];
-  const title = vendor.routingTitle || <>Routing in progress…</>;
-
-  const [shown, setShown] = React.useState(0);
-
-  React.useEffect(() => {
-    if (shown >= log.length) {
-      const t = setTimeout(() => dispatch({ type: "finish-routing" }), 1100);
-      return () => clearTimeout(t);
-    }
-    const t = setTimeout(() => setShown((s) => s + 1), 220);
-    return () => clearTimeout(t);
-  }, [shown, dispatch, log.length]);
-
-  const visible = log.slice(0, shown);
-
-  return (
-    <div className="routing-screen">
-      <div className="routing-pulse" />
-      <h1 className="routing-title">{title}</h1>
-      <div className="routing-log">
-        {visible.map((l, i) => (
-          <div className={"line" + (i === visible.length - 1 ? " new" : "")} key={i}>
-            <span className="ts">{l.ts}</span>
-            <span className={"lvl " + l.lvl}>{l.lvl.toUpperCase()}</span>
-            <span className="msg">{l.msg}</span>
-          </div>
-        ))}
-      </div>
-    </div>
-  );
-}
-
-Object.assign(window, { RoutingTransition });
diff --git a/public/app/screen-change.jsx b/public/app/screen-change.jsx
deleted file mode 100644
index ebc35e5..0000000
--- a/public/app/screen-change.jsx
+++ /dev/null
@@ -1,358 +0,0 @@
-// screen-change.jsx — ChangeReport detail screen.
-// Reads window.VENDOR_DATA[state.activeVendor]. Notion is the interactive
-// hero flow (P1 → ROUTED via state.notion); other vendors are pre-baked
-// in one of: open (P1/P2 unrouted), acknowledged (P1 already routed),
-// healthy (no recent diff).
-
-function ScreenChange({ state, dispatch }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[state.activeVendor];
-
-  if (!vendor) {
-    return (
-      <main className="main">
-        <div style={{ padding: 40, color: "var(--text-2)" }}>
-          Vendor not found.{" "}
-          <a href="#" onClick={(e) => { e.preventDefault(); dispatch({ type: "goto", screen: "portfolio" }); }}>
-            ← Back to portfolio
-          </a>
-        </div>
-      </main>
-    );
-  }
-
-  const isNotion = vendor.key === "notion";
-  const mode = isNotion
-    ? (state.notion === "ROUTED" ? "routed" : "open")
-    : (vendor.mode || "open");
-  const isRouted = mode === "routed";
-  const isAck = mode === "acknowledged";
-  const isHealthy = mode === "healthy";
-  const isWitnessed = isRouted || isAck;
-
-  const cr = vendor.cr || {};
-
-  const sevBadgeCls = isRouted ? "routed" : isAck ? "ack" : isHealthy ? "healthy" : vendor.sev;
-  const sevBadgeText = isRouted ? "✓ ROUTED · WITNESSED"
-    : isAck ? "✓ ACKNOWLEDGED · WITNESSED"
-    : isHealthy ? "✓ HEALTHY"
-    : `⚠ ${vendor.sevLabel} · ${vendor.sevLabel === "P1" ? "CRITICAL" : vendor.sevLabel === "P2" ? "REVIEW" : "NOTE"}`;
-
-  const ownerName = vendor.owner.name;
-  const crumbCurrent = cr.bundleId ? `CR · ${cr.bundleId}` : "CR · scan";
-
-  return (
-    <main className="main">
-      <div className="cr-shell">
-
-        {/* Crumbs */}
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="seg">{vendor.name}</span>
-            <span className="sep">›</span>
-            <span className="current">{crumbCurrent}</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={() => dispatch({ type: "goto", screen: "portfolio" })} title="Back">←</button>
-          </div>
-        </div>
-
-        {/* Vendor strip */}
-        <div className={"vendor-strip" + (isWitnessed ? " routed" : "")}>
-          <div className="vendor-logo-lg">{vendor.letter}</div>
-          <div className="vendor-id-block">
-            <div className="vendor-name-lg">{vendor.name}</div>
-            <div className="vendor-meta-row">
-              <span>{vendor.category}</span>
-              <span>TIER {vendor.tier}</span>
-              <span>OWNER · <strong>{ownerName}</strong></span>
-              <span>ANNUAL · <strong>{vendor.annual}</strong></span>
-              {vendor.seats > 0 && <span>SEATS · <strong>{vendor.seats}</strong></span>}
-            </div>
-          </div>
-          <div className="vendor-renew">
-            <div className="num">{vendor.renewsInDays}<small>d</small></div>
-            <div className="lbl">Until renewal</div>
-          </div>
-        </div>
-
-        <div className="cr-layout">
-
-          {/* Report card */}
-          <div className="report">
-            <div className="report-head">
-              <div className={"sev-badge " + sevBadgeCls}>{sevBadgeText}</div>
-              {(cr.categories || []).map((c) => (
-                <div className={"cat-chip " + c.toLowerCase().replace(/[^a-z]/g, "")} key={c}>{c}</div>
-              ))}
-            </div>
-            <h1 className={"report-title" + (isRouted ? " routed" : "")}>
-              {isRouted && cr.titleRouted ? cr.titleRouted : cr.titleOpen}
-            </h1>
-            <div className="report-detected">
-              {isRouted ? (
-                <>ROUTED · <strong>{cr.routedAt}</strong> · <strong>{cr.routedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations · BUNDLE · <strong>{cr.bundleId}</strong></>
-              ) : isAck ? (
-                <>ACKNOWLEDGED · <strong>{cr.acknowledgedAt}</strong> · <strong>{cr.acknowledgedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations · BUNDLE · <strong>{cr.bundleId}</strong></>
-              ) : isHealthy ? (
-                <>LAST SCAN · <strong>{cr.detectedAt}</strong> · <strong>{cr.detectedWhen}</strong> · BY · {cr.agent} · NO DIFF DETECTED</>
-              ) : (
-                <>DETECTED · <strong>{cr.detectedAt}</strong> · <strong>{cr.detectedWhen}</strong> · BY · {cr.agent} · GROUNDED · ✓ {cr.citationCount} citations validated</>
-              )}
-            </div>
-
-            {Array.isArray(cr.impacts) && cr.impacts.length > 0 && (
-              <div className="impact-strip">
-                {cr.impacts.map((imp, i) => (
-                  <div className={"impact-cell " + imp.cls} key={i}>
-                    <div className="lbl">{imp.lbl}</div>
-                    <div className="val">{imp.val}</div>
-                  </div>
-                ))}
-              </div>
-            )}
-
-            {Array.isArray(cr.diffs) && cr.diffs.map((d, i) => (
-              <div className="diff-block" key={i}>
-                <div className="diff-label">{d.label}</div>
-                <div className="diff-pair">
-                  <div className="clause before">
-                    <div className="clause-head">
-                      <span className="clause-lbl">− BEFORE</span>
-                      <span className="clause-when">{d.before.when}</span>
-                    </div>
-                    <p className="clause-text">{d.before.text}</p>
-                    <div className="clause-source">{d.before.source}</div>
-                  </div>
-                  <div className="clause after">
-                    <div className="clause-head">
-                      <span className="clause-lbl">+ AFTER</span>
-                      <span className="clause-when">{d.after.when}</span>
-                    </div>
-                    <p className="clause-text">{d.after.text}</p>
-                    <div className="clause-source">
-                      SOURCE · <a href="#" onClick={(e) => e.preventDefault()}>{d.after.sourceLink}</a>{d.after.sourceMeta}
-                    </div>
-                  </div>
-                </div>
-              </div>
-            ))}
-
-            {isHealthy && Array.isArray(cr.lastScannedSurfaces) && (
-              <div className="diff-block">
-                <div className="diff-label">Monitored surfaces · all stable</div>
-                <div className="clause after" style={{ width: "100%" }}>
-                  <div className="clause-head">
-                    <span className="clause-lbl">✓ STABLE</span>
-                    <span className="clause-when">LAST 14d</span>
-                  </div>
-                  <div style={{ fontFamily: "var(--font-mono)", fontSize: 12, color: "var(--text-2)", lineHeight: 1.9 }}>
-                    {cr.lastScannedSurfaces.map((s, i) => (
-                      <div key={i} style={{ display: "flex", gap: 16 }}>
-                        <span style={{ color: "var(--lime)" }}>✓</span>
-                        <span style={{ flex: 1 }}>{s.url}</span>
-                        <span style={{ opacity: 0.6 }}>{s.when}</span>
-                        <span style={{ color: "var(--text-2)" }}>{s.hash}</span>
-                      </div>
-                    ))}
-                  </div>
-                </div>
-              </div>
-            )}
-
-            <div className="recommendation">
-              <div className="reco-head">
-                {isRouted && cr.recoRouted ? cr.recoRouted.head
-                  : isAck && cr.recoRouted ? cr.recoRouted.head
-                  : cr.recoOpen && cr.recoOpen.head}
-              </div>
-              <p className="reco-text">
-                {isRouted && cr.recoRouted ? cr.recoRouted.text
-                  : isAck && cr.recoRouted ? cr.recoRouted.text
-                  : cr.recoOpen && cr.recoOpen.text}
-              </p>
-            </div>
-          </div>
-
-          {/* Side panels */}
-          <aside className="cr-side">
-
-            {!isHealthy && cr.policy && (
-              <div className="panel policy">
-                <div className="panel-head strawberry"><span className="dot" />{cr.policy.head}</div>
-                <div className="policy-name">{cr.policy.name}</div>
-                {(window.POLICY_YAML || {})[cr.policy.yamlKey] || null}
-                <div className="policy-meta">{cr.policy.meta}</div>
-              </div>
-            )}
-
-            {!isHealthy && Array.isArray(cr.actions) && cr.actions.length > 0 && (
-              <div className="panel routing">
-                <div className="panel-head bondi">
-                  <span className="dot" />
-                  Routed · {isWitnessed ? `${cr.actions.length} actions sent` : `${cr.actions.length} actions queued`}
-                </div>
-                {cr.actions.map((a, i) => (
-                  <div className="action-item" key={i}>
-                    <div className={"action-icon " + a.type}>{a.type.toUpperCase().slice(0, 2)}</div>
-                    <div className="action-detail">
-                      <div className="action-target">{a.target}</div>
-                      <div className="action-when">{isWitnessed ? a.sent : a.queued}</div>
-                    </div>
-                    <span className={"action-status" + (isWitnessed ? "" : " pending")}>
-                      {isWitnessed ? "SENT" : "QUEUED"}
-                    </span>
-                  </div>
-                ))}
-              </div>
-            )}
-
-            {vendor.bundle ? (
-              <div
-                className="panel evidence"
-                onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}
-                style={{ cursor: "pointer" }}
-              >
-                <div className="panel-head grape"><span className="dot" />Evidence · Bundle {vendor.bundle.id}</div>
-                <div className="ev-preview">
-                  <div className="ev-page-lines dark" />
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                  <div className="ev-snippet">
-                    <div className="line" />
-                    <div className="line" />
-                    <div className="line short" />
-                  </div>
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                </div>
-                <div style={{ fontSize: 12, color: "var(--text)", fontWeight: 500, position: "relative" }}>
-                  Bundle {vendor.bundle.id} · Witnessed
-                </div>
-                <div className="citation-row">
-                  <span className="cit-dot" />
-                  <span>{cr.citationCount}/{cr.citationCount} CITATIONS · LIVE · IMMUTABLE</span>
-                </div>
-                <div style={{ marginTop: 10, fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.10em", color: "var(--lime)", textTransform: "uppercase" }}>
-                  ▸ OPEN BUNDLE
-                </div>
-              </div>
-            ) : isNotion ? (
-              <div className="panel evidence">
-                <div className="panel-head grape"><span className="dot" />Evidence · Senso</div>
-                <div className="ev-preview">
-                  <div className="ev-page-lines dark" />
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                  <div className="ev-snippet">
-                    <div className="line" />
-                    <div className="line" />
-                    <div className="line short" />
-                  </div>
-                  <div className="ev-page-lines" />
-                  <div className="ev-page-lines med" />
-                  <div className="ev-page-lines short" />
-                </div>
-                <div style={{ fontSize: 12, color: "var(--text)", fontWeight: 500, position: "relative" }}>
-                  CR-2026-0517 · Draft
-                </div>
-                <div className="citation-row">
-                  <span className="cit-dot" />
-                  <span>{cr.citationCount}/{cr.citationCount} CITATIONS · LIVE · IMMUTABLE</span>
-                </div>
-              </div>
-            ) : isHealthy ? (
-              <div className="panel evidence">
-                <div className="panel-head lime"><span className="dot" />Posture · stable</div>
-                <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.8, letterSpacing: "0.04em" }}>
-                  <div>SURFACES · <b style={{ color: "var(--text)" }}>{cr.lastScannedSurfaces?.length || 0}</b></div>
-                  <div>DIFF · <span style={{ color: "var(--lime)" }}>NONE</span></div>
-                  <div>RISK · <span style={{ color: "var(--lime)" }}>LOW</span></div>
-                  <div>NEXT SCAN · {cr.detectedAt}</div>
-                </div>
-              </div>
-            ) : (
-              <div className="panel evidence">
-                <div className="panel-head grape"><span className="dot" />Evidence · pending review</div>
-                <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.7 }}>
-                  Bundle generated on acknowledgement. {cr.citationCount} citations queued.
-                </div>
-              </div>
-            )}
-
-          </aside>
-        </div>
-
-      </div>
-
-      {/* Sticky action bar */}
-      <div className="actions-bar">
-        {isRouted ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-bondi" onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}>⊙ OPEN EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-            </div>
-            <div className="actions-row">
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ ROUTED · WITNESSED · {state.routeTime || "14:59:18 EST"}
-              </span>
-            </div>
-          </>
-        ) : isAck ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-bondi" onClick={() => dispatch({ type: "open-vendor-bundle", vendor: vendor.key })}>⊙ OPEN EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-            </div>
-            <div className="actions-row">
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ ACKNOWLEDGED · {cr.acknowledgedAt}
-              </span>
-            </div>
-          </>
-        ) : isHealthy ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK TO PORTFOLIO</button>
-              <span style={{ fontFamily: "var(--font-mono)", fontSize: 10, letterSpacing: "0.14em", color: "var(--lime)", textTransform: "uppercase" }}>
-                ✓ POSTURE STABLE · next scan in 6h
-              </span>
-            </div>
-          </>
-        ) : isNotion ? (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-primary" onClick={() => dispatch({ type: "acknowledge" })}>✓ ACKNOWLEDGE</button>
-              <button className="btn btn-escalate" onClick={() => dispatch({ type: "open-escalate" })}>↑ ESCALATE TO LEGAL</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "snooze" })}>⏱ SNOOZE 48H</button>
-            </div>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "open-escalate" })}>⤓ GENERATE EVIDENCE BUNDLE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "open-copilot" })}>⊙ OPEN RENEGO COPILOT</button>
-            </div>
-          </>
-        ) : (
-          <>
-            <div className="actions-row">
-              <button className="btn btn-primary" onClick={() => dispatch({ type: "acknowledge" })}>✓ ACKNOWLEDGE</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "snooze" })}>⏱ SNOOZE 48H</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>← BACK</button>
-            </div>
-            <div className="actions-row">
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "export-diff" })}>⤓ EXPORT DIFF</button>
-              <button className="btn btn-ghost" onClick={() => dispatch({ type: "assign" })}>⊙ ASSIGN TO OWNER</button>
-            </div>
-          </>
-        )}
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenChange });
diff --git a/public/app/screen-evidence.jsx b/public/app/screen-evidence.jsx
deleted file mode 100644
index 5febc08..0000000
--- a/public/app/screen-evidence.jsx
+++ /dev/null
@@ -1,201 +0,0 @@
-// screen-evidence.jsx — Evidence bundle preview (the generated artifact).
-// Pulls bundle data from VENDOR_DATA[state.activeVendor].bundle.
-
-function ScreenEvidence({ state, dispatch }) {
-  const DATA = window.VENDOR_DATA || {};
-  const vendor = DATA[state.activeVendor];
-
-  if (!vendor || !vendor.bundle) {
-    return (
-      <main className="main">
-        <div style={{ padding: 40, color: "var(--text-2)" }}>
-          No evidence bundle available for this vendor.{" "}
-          <a href="#" onClick={(e) => { e.preventDefault(); dispatch({ type: "goto", screen: "change" }); }}>
-            ← Back to change report
-          </a>
-        </div>
-      </main>
-    );
-  }
-
-  const b = vendor.bundle;
-  const crCrumb = vendor.cr.bundleId ? `${vendor.name} · ${vendor.cr.bundleId}` : vendor.name;
-
-  return (
-    <main className="main">
-      <div className="bundle-shell">
-
-        {/* Crumbs */}
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="seg" onClick={() => dispatch({ type: "goto", screen: "change" })}>{crCrumb}</span>
-            <span className="sep">›</span>
-            <span className="current">Evidence Bundle</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={() => dispatch({ type: "goto", screen: "change" })} title="Back">←</button>
-          </div>
-        </div>
-
-        {/* Bundle header */}
-        <div className="bundle-strip">
-          <div className="seal-lg">{b.seal}</div>
-          <div className="id-block">
-            <div className="ttl">Evidence Bundle · {b.id}</div>
-            <div className="meta">
-              <span>{b.eyebrow}</span>
-              <span>SIGNED · <strong>{b.signedAt}</strong></span>
-              <span>WITNESSED · <strong>agent-redline-v1.4</strong></span>
-              <span>HASH · <strong>{b.hash}</strong></span>
-              <span>{(b.citations || []).length} CITATIONS · GROUNDED</span>
-            </div>
-          </div>
-          <div className="stamp">✓ WITNESSED</div>
-        </div>
-
-        <div className="bundle-layout">
-
-          {/* Document */}
-          <div className="bundle-doc">
-
-            <div className="bundle-cover">
-              <div className="eb">⌁ Evidence Bond · No. {b.id} ⌁</div>
-              <h1>UNSYPHN</h1>
-              <div className="sub">
-                {b.coverSubtitle}
-              </div>
-              <div className="meta-line">
-                <span><b>ISSUED</b> · MAY 22 2026</span>
-                <span><b>{vendor.sevLabel}</b> · {vendor.sev === "p1" ? "CRITICAL" : vendor.sev === "p2" ? "REVIEW" : "NOTE"}</span>
-                <span><b>BUNDLE</b> · {b.id}</span>
-                <span><b>WITNESS</b> · agent-redline-v1.4</span>
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">1</span>Clause diffs</h3>
-              <div className="body">
-                <p>
-                  {(b.miniDiffs || []).length === 1
-                    ? <>One clause on {vendor.name.toLowerCase()}'s monitored surfaces changed between snapshots:</>
-                    : <>{(b.miniDiffs || []).length} clauses on {vendor.name.toLowerCase()}'s monitored surfaces changed between snapshots:</>}
-                </p>
-                {(b.miniDiffs || []).map((pair, i) => (
-                  <div className="mini-diff" key={i}>
-                    {pair.map((mc, j) => (
-                      <div className={"mc " + mc.kind} key={j}>
-                        {mc.text}
-                        <div className="src">{mc.src}</div>
-                      </div>
-                    ))}
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">2</span>Policy fired</h3>
-              <div className="body">
-                <p>{b.policyBody}</p>
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">3</span>Routing trail</h3>
-              <div className="routing-trail">
-                {(b.trail || []).map((r, i) => (
-                  <div className="row" key={i}>
-                    <span className="ts">{r.ts}</span>
-                    <span className="msg">{r.msg}</span>
-                    <span className="ok">{r.status}</span>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="bundle-section">
-              <h3><span className="num">4</span>Citations · grounded</h3>
-              <div className="cite-list">
-                {(b.citations || []).map((c, i) => (
-                  <div className="cite" key={i}>
-                    <span className="ck">✓</span>
-                    <span className="src">{c.src}</span>
-                    <span className="hash">{c.hash}</span>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            <div className="signoff">
-              <div className="left">
-                — Witnessed by <b>agent-redline-v1.4</b><br/>
-                {b.signedAt} · grounded · routed · immutable
-              </div>
-              <div className="right">UNSYPHN</div>
-            </div>
-
-          </div>
-
-          {/* Side: TOC + actions */}
-          <aside className="cr-side">
-            <div className="toc-card">
-              <h4>Bundle contents · {b.sectionCount || 4} sections</h4>
-              <div className="toc-item"><span className="toc-num">1</span><span className="toc-ttl">Clause diffs</span><span className="toc-pages">{(b.miniDiffs || []).length || 1} pp.</span></div>
-              <div className="toc-item"><span className="toc-num">2</span><span className="toc-ttl">Policy fired</span><span className="toc-pages">1 p.</span></div>
-              <div className="toc-item"><span className="toc-num">3</span><span className="toc-ttl">Routing trail</span><span className="toc-pages">1 p.</span></div>
-              <div className="toc-item"><span className="toc-num">4</span><span className="toc-ttl">Citations</span><span className="toc-pages">1 p.</span></div>
-            </div>
-
-            <div className="panel evidence" style={{ marginTop: 0 }}>
-              <div className="panel-head lime"><span className="dot" />Witnessed</div>
-              <div style={{ fontFamily: "var(--font-mono)", fontSize: 11, color: "var(--text-2)", lineHeight: 1.7, letterSpacing: "0.04em" }}>
-                <div>BUNDLE · <b style={{color:"var(--text)"}}>{b.id}</b></div>
-                <div>STATUS · <span style={{color:"var(--lime)"}}>SIGNED · GROUNDED</span></div>
-                <div>WITNESS · agent-redline-v1.4</div>
-                <div>HASH · {b.hash}</div>
-                <div>SIGNED · {b.signedAt}</div>
-                <div>IMMUTABLE · ✓</div>
-              </div>
-              <div style={{ display: "flex", flexDirection: "column", gap: 8, marginTop: 12 }}>
-                <button className="btn btn-primary" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "download-bundle" })}>⤓ Download PDF</button>
-                <button className="btn btn-ghost" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "share-audit" })}>✉ Share with audit</button>
-                <button className="btn btn-ghost" style={{ width: "100%", justifyContent: "center" }} onClick={() => dispatch({ type: "share-audit" })}>⊙ Copy share link</button>
-              </div>
-            </div>
-
-            <div className="panel routing" style={{ marginTop: 0 }}>
-              <div className="panel-head bondi"><span className="dot" />Next · auto-routed</div>
-              {(b.nextActions || []).map((a, i) => (
-                <div className="action-item" key={i}>
-                  <div className={"action-icon " + a.type}>{a.type.toUpperCase().slice(0, 2)}</div>
-                  <div className="action-detail">
-                    <div className="action-target">{a.target}</div>
-                    <div className="action-when">{a.when}</div>
-                  </div>
-                  <span className={"action-status" + (a.pending ? " pending" : "")}>{a.status}</span>
-                </div>
-              ))}
-            </div>
-          </aside>
-
-        </div>
-      </div>
-
-      {/* Action bar */}
-      <div className="actions-bar">
-        <div className="actions-row">
-          <button className="btn btn-primary" onClick={() => dispatch({ type: "download-bundle" })}>⤓ DOWNLOAD BUNDLE (PDF)</button>
-          <button className="btn btn-bondi" onClick={() => dispatch({ type: "share-audit" })}>✉ SHARE WITH AUDIT</button>
-          <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "change" })}>← BACK TO REPORT</button>
-        </div>
-        <div className="actions-row">
-          <button className="btn btn-ghost" onClick={() => dispatch({ type: "goto", screen: "portfolio" })}>↩ PORTFOLIO</button>
-        </div>
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenEvidence });
diff --git a/public/app/screen-onboarding.jsx b/public/app/screen-onboarding.jsx
deleted file mode 100644
index 3dcb4b4..0000000
--- a/public/app/screen-onboarding.jsx
+++ /dev/null
@@ -1,351 +0,0 @@
-// screen-onboarding.jsx — Vendor onboarding tier selection (6H / 24H / 48H SLA)
-// Posts to POST /v1/vendors via the vite proxy. SLA tier → criticality tier
-// mapping is: 6H Express → 1 (critical), 24H Standard → 2 (material), 48H Basic → 3 (informational).
-
-// Bearer token sourced from the same meta tag live.js reads so it can be
-// rotated/overridden in one place (public/app/index.html line 7).
-function getBearerToken() {
-  if (typeof document === "undefined") return "";
-  const meta = document.querySelector('meta[name="redline-bearer"]');
-  return (meta && meta.getAttribute("content")) || "";
-}
-const DEMO_BEARER_TOKEN = getBearerToken();
-
-const OWNERS = [
-  { id: "usr_priya",  name: "Priya Natarajan" },
-  { id: "usr_marcus", name: "Marcus Chen" },
-  { id: "usr_lin",    name: "Lin Park" },
-  { id: "usr_jordan", name: "Jordan Wells" },
-  { id: "usr_ada",    name: "Ada Owens" },
-  { id: "usr_devon",  name: "Devon Rao" },
-];
-
-const DATA_CLASSES = [
-  { id: "pii",       label: "PII" },
-  { id: "phi",       label: "PHI" },
-  { id: "financial", label: "Financial" },
-  { id: "content",   label: "Content" },
-];
-
-const SLA_TO_CRITICALITY = { "6h": 1, "24h": 2, "48h": 3 };
-
-function ScreenOnboarding({ state, dispatch }) {
-  const [selected, setSelected]   = React.useState(state.onboardingTier || "24h");
-  const [name, setName]           = React.useState("");
-  const [homepage, setHomepage]   = React.useState("");
-  const [ownerId, setOwnerId]     = React.useState("usr_priya");
-  const [dataClasses, setDC]      = React.useState(["pii"]);
-  const [submitting, setSubmit]   = React.useState(false);
-  const [apiError, setApiError]   = React.useState(null);
-  const [discovered, setDiscover] = React.useState(null);
-
-  const tiers = [
-    {
-      id: "6h", role: "strawberry", sla: "6H", tagline: "Express",
-      name: "6-Hour Express", price: "$999", unit: "/ vendor / month",
-      desc: "For Tier-1, revenue-critical vendors. Sub-six-hour detection on every ToS, DPA, or sub-processor change.",
-      features: [
-        "6-hour SLA on change detection",
-        "Hourly diff scans, 24 / 7 / 365",
-        "Dedicated #redline-p1 escalation channel",
-        "Auto-route to on-call within 90 seconds",
-        "Compliance bundle on every change",
-        "Quarterly auditor walkthrough",
-      ],
-      eta: "FIRST SCAN IN ~6 MIN",
-    },
-    {
-      id: "24h", role: "bondi", sla: "24H", tagline: "Standard",
-      name: "24-Hour Standard", price: "$299", unit: "/ vendor / month",
-      desc: "The right default for most vendors. Daily monitoring with automated routing to owners.",
-      features: [
-        "24-hour SLA on change detection",
-        "Daily automated diff scans",
-        "Slack + email routing to owner",
-        "Quarterly evidence bundles",
-        "Standard 9-5 support",
-        "Vanta / Drata push every 90d",
-      ],
-      eta: "FIRST SCAN IN ~30 MIN",
-      recommended: true,
-    },
-    {
-      id: "48h", role: "lime", sla: "48H", tagline: "Basic",
-      name: "48-Hour Basic", price: "$99", unit: "/ vendor / month",
-      desc: "Lightweight coverage for low-priority and long-tail vendors. Routine checks, weekly digests.",
-      features: [
-        "48-hour SLA on change detection",
-        "Bi-daily routine scans",
-        "Weekly digest email to owner",
-        "Self-serve evidence export",
-        "Community support",
-        "Manual escalation only",
-      ],
-      eta: "FIRST SCAN IN ~2 HRS",
-    },
-  ];
-
-  const goBack = () => dispatch({ type: "goto", screen: "portfolio" });
-
-  const currentTier = tiers.find((t) => t.id === selected) || tiers[1];
-
-  function toggleDataClass(id) {
-    setDC((prev) => prev.includes(id) ? prev.filter((x) => x !== id) : [...prev, id]);
-  }
-
-  async function submit() {
-    setApiError(null);
-    setDiscover(null);
-
-    const trimmedName = name.trim();
-    const trimmedHomepage = homepage.trim();
-    if (trimmedName.length < 2) {
-      setApiError({ code: "validation-failed", message: "Vendor name must be at least 2 characters." });
-      return;
-    }
-    if (!/^https?:\/\//i.test(trimmedHomepage)) {
-      setApiError({ code: "validation-failed", message: "Homepage must start with http:// or https://" });
-      return;
-    }
-
-    setSubmit(true);
-    try {
-      const resp = await fetch("/v1/vendors", {
-        method: "POST",
-        headers: {
-          "Authorization": "Bearer " + DEMO_BEARER_TOKEN,
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify({
-          name: trimmedName,
-          homepageUrl: trimmedHomepage,
-          ownerId,
-          tier: SLA_TO_CRITICALITY[selected],
-          dataClasses,
-        }),
-      });
-
-      const text = await resp.text();
-      const json = text ? JSON.parse(text) : null;
-
-      if (!resp.ok) {
-        const err = (json && json.error) || { code: "unknown", message: "Request failed (HTTP " + resp.status + ")" };
-        setApiError(err);
-        if (err.code === "discovery-incomplete" && err.details) {
-          setDiscover({ found: err.details.found || {}, missing: err.details.missing || [] });
-        }
-        setSubmit(false);
-        return;
-      }
-
-      dispatch({
-        type: "vendor-onboarded",
-        tier: selected,
-        tierLabel: currentTier.sla,
-        name: json.name,
-        vendorId: json.id,
-        firstScanRunId: json.firstScanRunId,
-        discoveredUrls: json.discoveredUrls,
-      });
-    } catch (e) {
-      setApiError({ code: "network", message: e && e.message ? e.message : "Network error" });
-      setSubmit(false);
-    }
-  }
-
-  return (
-    <main className="main">
-      <div className="cr-shell">
-
-        <div className="crumbs-bar">
-          <div className="crumbs">
-            <span className="seg" onClick={goBack}>Portfolio</span>
-            <span className="sep">›</span>
-            <span className="current">Onboard vendor</span>
-          </div>
-          <div className="icon-btn-row">
-            <button className="icon-btn" onClick={goBack} title="Back to dashboard">←</button>
-            <button className="icon-btn" title="More">⋯</button>
-          </div>
-        </div>
-
-        <div className="onb-header">
-          <div className="onb-header-left">
-            <div className="eyebrow">STEP 1 OF 1 · CHOOSE SLA</div>
-            <h1 className="h1-hero onb-title">
-              Onboard a new <em className="accent-italic">vendor</em>.
-            </h1>
-            <p className="lead onb-sub">
-              Pick the detection SLA that matches the vendor&apos;s risk profile. You can re-tier any vendor later from the portfolio &mdash; this only changes scan cadence and routing.
-            </p>
-          </div>
-          <button className="btn-back-pill" onClick={goBack}>← Back to dashboard</button>
-        </div>
-
-        {apiError && (
-          <div className={"onb-alert " + (apiError.code === "discovery-incomplete" ? "warn" : "err")}>
-            <div className="onb-alert-head">
-              <span className="onb-alert-code">{apiError.code}</span>
-              <span>{apiError.message}</span>
-            </div>
-            {discovered && (
-              <div className="onb-alert-detail">
-                {discovered.missing.length > 0 && (
-                  <div>
-                    <span className="onb-alert-label">MISSING</span>
-                    {discovered.missing.map((m) => (
-                      <span key={m} className="onb-chip miss">{m}</span>
-                    ))}
-                  </div>
-                )}
-                {Object.keys(discovered.found).length > 0 && (
-                  <div>
-                    <span className="onb-alert-label">FOUND</span>
-                    {Object.keys(discovered.found).map((k) => (
-                      <span key={k} className="onb-chip ok">{k}</span>
-                    ))}
-                  </div>
-                )}
-              </div>
-            )}
-          </div>
-        )}
-
-        <div className="onb-fields">
-          <label className="onb-field">
-            <span className="onb-field-label">VENDOR NAME</span>
-            <input
-              type="text"
-              className="onb-input"
-              placeholder="e.g. Datadog, Notion, Stripe"
-              value={name}
-              onChange={(e) => setName(e.target.value)}
-              disabled={submitting}
-            />
-          </label>
-          <label className="onb-field">
-            <span className="onb-field-label">HOMEPAGE URL</span>
-            <input
-              type="url"
-              className="onb-input"
-              placeholder="https://vendor.com"
-              value={homepage}
-              onChange={(e) => setHomepage(e.target.value)}
-              disabled={submitting}
-            />
-          </label>
-          <label className="onb-field">
-            <span className="onb-field-label">OWNER</span>
-            <select
-              className="onb-input"
-              value={ownerId}
-              onChange={(e) => setOwnerId(e.target.value)}
-              disabled={submitting}
-            >
-              {OWNERS.map((o) => (
-                <option key={o.id} value={o.id}>{o.name}</option>
-              ))}
-            </select>
-          </label>
-          <div className="onb-field">
-            <span className="onb-field-label">DATA CLASSES</span>
-            <div className="onb-checkboxes">
-              {DATA_CLASSES.map((dc) => {
-                const on = dataClasses.includes(dc.id);
-                return (
-                  <button
-                    key={dc.id}
-                    type="button"
-                    className={"onb-chip-btn" + (on ? " on" : "")}
-                    onClick={() => toggleDataClass(dc.id)}
-                    disabled={submitting}
-                  >
-                    {on ? "✓ " : ""}{dc.label}
-                  </button>
-                );
-              })}
-            </div>
-          </div>
-        </div>
-
-        <div className="tier-grid">
-          {tiers.map((t) => {
-            const isSel = selected === t.id;
-            return (
-              <div
-                key={t.id}
-                className={
-                  "tier-card " + t.role +
-                  (isSel ? " is-selected" : "") +
-                  (t.recommended ? " is-recommended" : "")
-                }
-                onClick={() => !submitting && setSelected(t.id)}
-              >
-                {t.recommended && <div className="tier-badge">RECOMMENDED</div>}
-
-                <div className="tier-head">
-                  <div className="tier-sla">{t.sla}</div>
-                  <div className="tier-tagline">{t.tagline}</div>
-                </div>
-
-                <h2 className="h2 tier-name">{t.name}</h2>
-                <p className="tier-desc">{t.desc}</p>
-
-                <div className="tier-price-row">
-                  <span className="tier-price">{t.price}</span>
-                  <span className="tier-unit">{t.unit}</span>
-                </div>
-
-                <ul className="tier-features">
-                  {t.features.map((f, i) => (
-                    <li key={i}><span className="tier-check">✓</span>{f}</li>
-                  ))}
-                </ul>
-
-                <div className="tier-foot">
-                  <div className="tier-eta">{t.eta}</div>
-                  <div className={"tier-select-pill" + (isSel ? " on" : "")}>
-                    {isSel ? "✓ SELECTED" : "SELECT"}
-                  </div>
-                </div>
-              </div>
-            );
-          })}
-        </div>
-
-        <div className="onb-action-bar">
-          <div className="onb-action-summary">
-            <span className="onb-action-label">SELECTED TIER</span>
-            <span className="onb-action-value">
-              {currentTier.sla}
-              <span className="onb-action-dot"> · </span>
-              {currentTier.price}
-              <span className="onb-action-unit"> {currentTier.unit}</span>
-            </span>
-          </div>
-          <div className="onb-action-buttons">
-            <button
-              className="onb-btn ghost"
-              onClick={goBack}
-              disabled={submitting}
-            >
-              Cancel
-            </button>
-            <button
-              className="onb-btn primary"
-              onClick={submit}
-              disabled={submitting}
-            >
-              {submitting
-                ? <><span className="onb-spinner" /> Calling POST /v1/vendors…</>
-                : <>Onboard at {currentTier.sla} SLA →</>}
-            </button>
-          </div>
-        </div>
-
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenOnboarding });
diff --git a/public/app/screen-portfolio.jsx b/public/app/screen-portfolio.jsx
deleted file mode 100644
index 7333d5a..0000000
--- a/public/app/screen-portfolio.jsx
+++ /dev/null
@@ -1,163 +0,0 @@
-// screen-portfolio.jsx — Portfolio screen
-// Reads every vendor from window.VENDOR_DATA. Every card is clickable —
-// clicking jumps the change screen to that vendor's CR. Notion stays the
-// hero flow (P1 → ROUTED via state.notion); other vendors carry their
-// own pre-baked state.
-
-function ScreenPortfolio({ state, dispatch }) {
-  const notionState = state.notion; // "P1" | "ROUTED"
-  const DATA = window.VENDOR_DATA || {};
-  const ORDER = window.VENDOR_ORDER || Object.keys(DATA);
-
-  // Build portfolio cards from VENDOR_DATA. Notion's display swaps on routed.
-  const vendors = ORDER.map((k) => {
-    const v = DATA[k];
-    if (!v) return null;
-    const isNotion = k === "notion";
-    const routed = isNotion && notionState === "ROUTED";
-    return {
-      key: k,
-      letter: v.letter,
-      name: v.name,
-      meta: v.meta,
-      sev: routed ? "routed" : v.sev,
-      sevLabel: routed ? "ROUTED" : v.sevLabel,
-      lastChange: routed
-        ? { label: "now · ROUTED TO LEGAL", cls: "live" }
-        : v.lastChange,
-      renews: { label: v.renewsLabel, cls: v.renewsCls },
-      annual: v.annual,
-      chips: v.dataClasses,
-      owner: v.owner,
-    };
-  }).filter(Boolean);
-
-  // Activity feed — pull from every vendor that has an `activity` entry.
-  // The routed "just now" row sits on top of Notion's normal row when state.notion === ROUTED.
-  const baseActivity = ORDER
-    .map((k) => DATA[k])
-    .filter((v) => v && v.activity)
-    .map((v) => ({
-      ...v.activity,
-      v: v.name,
-      key: v.key,
-      clickable: true,
-    }));
-
-  // Slack as a P3 footer row — passive entry only (no full CR view).
-  baseActivity.push({
-    sev: "p3", v: "Slack", w: "1d",
-    title: "SOC2 Type II refreshed · 2026 report",
-    meta: "SECURITY", impact: "CLEARED", impactCls: "out",
-    clickable: false,
-  });
-
-  const activity = notionState === "ROUTED"
-    ? [
-        { sev: "routed", v: "Notion", w: "just now",
-          title: "ROUTED to Priya N. · Bundle RL·4839 generated",
-          meta: "ESCALATED · LEGAL", impact: "WITNESSED", impactCls: "out",
-          key: "notion", clickable: true, gotoBundle: true },
-        ...baseActivity,
-      ]
-    : baseActivity;
-
-  const openVendor = (key) => dispatch({ type: "open-vendor", vendor: key });
-  const openBundle = (key) => dispatch({ type: "open-vendor-bundle", vendor: key });
-
-  return (
-    <main className="main">
-      <TopBar
-        title="Portfolio"
-        when="FRIDAY · MAY 22 2026 · 14:42 EST"
-        right={
-          <>
-            <div className="scan-pill"><span className="dot" />8 SCANNING NOW</div>
-            <div className={"scan-pill" + (notionState === "P1" ? " alert" : "")}>
-              {notionState === "P1" ? "3 P1 ACTIVE" : "2 P1 ACTIVE · 1 ROUTED"}
-            </div>
-          </>
-        }
-      />
-
-      <ScanStrip />
-      <FleetStats state={state} />
-
-      <div className="portfolio-grid">
-        <div>
-          <div className="sec-head">
-            <h2 className="sec-title">The <em>fleet</em></h2>
-            <span className="sec-action">VIEW ALL 27 →</span>
-          </div>
-          <div className="vendors">
-            {vendors.map((v) => (
-              <div
-                className={"vendor " + v.sev}
-                key={v.key}
-                onClick={() => openVendor(v.key)}
-                style={{ cursor: "pointer" }}
-              >
-                <div className="vendor-head">
-                  <div className="vendor-id">
-                    <div className="vendor-logo">{v.letter}</div>
-                    <div>
-                      <div className="vendor-name">{v.name}</div>
-                      <div className="vendor-meta">{v.meta}</div>
-                    </div>
-                  </div>
-                  <div className={"sev " + v.sev}>{v.sevLabel}</div>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Last change</span>
-                  <span className={"val " + (v.lastChange.cls || "")}>{v.lastChange.label}</span>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Renews</span>
-                  <span className={"val " + (v.renews.cls || "")}>{v.renews.label}</span>
-                </div>
-                <div className="vendor-row">
-                  <span className="lbl">Annual</span>
-                  <span className="val">{v.annual}</span>
-                </div>
-                <div className="vendor-tags">
-                  {v.chips.map((c) => <span className={"chip " + c} key={c}>{c}</span>)}
-                  <div className={"owner-av " + v.owner.cls}>{v.owner.initials}</div>
-                </div>
-              </div>
-            ))}
-          </div>
-        </div>
-
-        <aside className="activity">
-          <div className="activity-head">
-            <span className="title">Recent activity</span>
-            <span className="filter">ALL · LAST 48H</span>
-          </div>
-          {activity.map((a, i) => (
-            <div
-              className="activity-item"
-              key={i}
-              onClick={a.clickable
-                ? (a.gotoBundle ? () => openBundle(a.key) : () => openVendor(a.key))
-                : undefined}
-              style={a.clickable ? { cursor: "pointer" } : undefined}
-            >
-              <div className="activity-row">
-                <span className={"activity-sev " + a.sev}>{a.sev === "routed" ? "✓" : a.sev.toUpperCase()}</span>
-                <span className="activity-vendor">{a.v}</span>
-                <span className="activity-when">{a.w}</span>
-              </div>
-              <div className="activity-title">{a.title}</div>
-              <div className="activity-meta">
-                <span>{a.meta}</span>
-                <span className={"impact " + a.impactCls}>{a.impact}</span>
-              </div>
-            </div>
-          ))}
-        </aside>
-      </div>
-    </main>
-  );
-}
-
-Object.assign(window, { ScreenPortfolio });
diff --git a/public/app/shared.jsx b/public/app/shared.jsx
deleted file mode 100644
index 76ac4d5..0000000
--- a/public/app/shared.jsx
+++ /dev/null
@@ -1,142 +0,0 @@
-// shared.jsx — sidebar, topbar, scan strip, fleet stats, activity feed
-// All consume `state` (read-only) and `dispatch` (navigation/mutations) from app.jsx.
-
-function Sidebar({ active, dispatch, state }) {
-  const screenMap = { portfolio: "portfolio", changes: "change", evidence: "evidence" };
-  const [flashKey, setFlashKey] = React.useState(null);
-
-  React.useEffect(() => {
-    if (!document.getElementById("unsyphn-nav-flash-style")) {
-      const s = document.createElement("style");
-      s.id = "unsyphn-nav-flash-style";
-      s.textContent = ".nav-item-flash { background: var(--surface-2, rgba(255,255,255,0.08)) !important; opacity: 0.6; transition: opacity 0.15s; }";
-      document.head.appendChild(s);
-    }
-  }, []);
-
-  const items = [
-    { key: "portfolio",   label: "Portfolio",   count: "27",     section: "Workspace" },
-    { key: "changes",     label: "Changes",     count: state.notion === "P1" ? "3 P1" : "2 P1", alert: state.notion === "P1", section: "Workspace" },
-    { key: "renewals",    label: "Renewals",    count: "8",      section: "Workspace" },
-    { key: "policies",    label: "Policies",    count: "14",     section: "Workspace" },
-    { key: "evidence",    label: "Evidence",    count: state.evidenceCount || "432", section: "Workspace" },
-    { key: "procurement", label: "Procurement", section: "Views" },
-    { key: "legal",       label: "Legal Ops",   section: "Views" },
-    { key: "grc",         label: "Security · GRC", section: "Views" },
-    { key: "finance",     label: "Finance",     section: "Views" },
-  ];
-  let lastSection = null;
-  return (
-    <nav className="sidebar">
-      <div className="brand-row">
-        <UnsyphnMark size={24} />
-      </div>
-      {items.map((it) => {
-        const sec = it.section !== lastSection ? (lastSection = it.section, it.section) : null;
-        const hasScreen = screenMap[it.key] !== undefined;
-        return (
-          <React.Fragment key={it.key}>
-            {sec && <div className="nav-section-label">{sec}</div>}
-            <div
-              className={
-                "nav-item" +
-                (it.key === active ? " is-active" : "") +
-                (it.alert ? " alert" : "") +
-                (flashKey === it.key ? " nav-item-flash" : "")
-              }
-              style={hasScreen ? undefined : { cursor: "not-allowed" }}
-              onClick={() => {
-                if (hasScreen) {
-                  dispatch({ type: "goto", screen: screenMap[it.key] });
-                } else {
-                  setFlashKey(it.key);
-                  setTimeout(() => setFlashKey(null), 600);
-                }
-              }}
-            >
-              <span>{it.label}</span>
-              {it.count && <span className="count">{it.count}</span>}
-            </div>
-          </React.Fragment>
-        );
-      })}
-      <div className="nav-spacer" />
-      <div className="nav-org">
-        <div className="org-name">Acme Holdings</div>
-        <div className="org-meta">ENTERPRISE · US-EAST</div>
-      </div>
-    </nav>
-  );
-}
-
-function TopBar({ title, when, right }) {
-  return (
-    <div className="topbar">
-      <div className="topbar-left">
-        <h1>{title}</h1>
-        <div className="when">{when}</div>
-      </div>
-      <div className="topbar-right">
-        {right}
-        <div className="user-avatar">PN</div>
-      </div>
-    </div>
-  );
-}
-
-function ScanStrip() {
-  // Two copies for seamless tick loop
-  const items = [
-    { v: "Notion",  t: "terms.notion.so",        w: "scanning · 14:42:18", live: true },
-    { v: "Stripe",  t: "stripe.com/dpa",          w: "scanning · 14:42:14", live: true },
-    { v: "Datadog", t: "subprocessors.datadog",   w: "scanning · 14:42:09", live: true },
-    { v: "Linear",  t: "linear.app/security",     w: "queued · next 30s" },
-    { v: "AWS",     t: "aws.amazon.com/pricing",  w: "queued · next 60s" },
-    { v: "Figma",   t: "figma.com/legal/sla",     w: "14:41:55 · no diff" },
-    { v: "Vercel",  t: "vercel.com/legal/terms",  w: "14:41:42 · no diff" },
-    { v: "Slack",   t: "slack.com/trust/security", w: "14:41:30 · diff" },
-  ];
-  const all = [...items, ...items];
-  return (
-    <div className="scan-strip">
-      <div className="scan-strip-label"><span className="dot pulse live-dot" />LIVE</div>
-      <div className="scan-track">
-        {all.map((it, i) => (
-          <div className="scan-item" key={i}>
-            <span className="vendor">{it.v}</span>
-            <span className="target">{it.t}</span>
-            <span className="when">{it.w}</span>
-          </div>
-        ))}
-      </div>
-    </div>
-  );
-}
-
-function FleetStats({ state }) {
-  const p1Count = state.notion === "P1" ? 3 : 2;
-  const cards = [
-    { role: "aqua",       lbl: "Vendors",        val: "27",  sub: "↑ 2 added this Q" },
-    { role: "bondi",      lbl: "Scanning",       val: "8",   sub: "↑ live polling now" },
-    { role: "tangerine",  lbl: "P2 · pending",   val: "5",   sub: "2 owners untouched 48h" },
-    { role: "grape",      lbl: "Sub-proc Δ",     val: "11",  sub: "1 in non-adequate jurisd." },
-    { role: "strawberry", lbl: "P1 · critical",  val: String(p1Count), sub: state.notion === "P1" ? "↑ $42k at risk" : "↓ $28k routed" },
-    { role: "lime",       lbl: "Healthy",        val: "19",  sub: "no action needed" },
-  ];
-  return (
-    <div className="fleet">
-      {cards.map((c, i) => (
-        <div className={"stat " + c.role} key={i}>
-          <div className="stat-head">
-            <span className="stat-label">{c.lbl}</span>
-            <span className="stat-dot" />
-          </div>
-          <div className="stat-val">{c.val}</div>
-          <div className="stat-sub">{c.sub}</div>
-        </div>
-      ))}
-    </div>
-  );
-}
-
-Object.assign(window, { Sidebar, TopBar, ScanStrip, FleetStats });
diff --git a/public/app/tokens.css b/public/app/tokens.css
deleted file mode 100644
index 615c884..0000000
--- a/public/app/tokens.css
+++ /dev/null
@@ -1,215 +0,0 @@
-/* =============================================================
-   REDLINE · colors_and_type.css
-   The full token system — colors, type, spacing, radii, motion.
-   Drop this into any HTML file and use the vars below.
-   ============================================================= */
-
-/* Font imports — Inter is shipped locally (variable, opsz + wght);
-   Bricolage Grotesque (display) and JetBrains Mono + Instrument Serif
-   are still pulled from Google Fonts until the team uploads replacements. */
-@import url("https://fonts.googleapis.com/css2?family=Bricolage+Grotesque:opsz,wght@12..96,400;12..96,500;12..96,600;12..96,700&family=JetBrains+Mono:wght@400;500;600&family=Instrument+Serif:ital@0;1&display=swap");
-
-@font-face {
-  font-family: "Inter";
-  src: url("fonts/Inter-VariableFont_opsz_wght.ttf") format("truetype-variations");
-  font-weight: 100 900;
-  font-style: normal;
-  font-display: swap;
-}
-@font-face {
-  font-family: "Inter";
-  src: url("fonts/Inter-Italic-VariableFont_opsz_wght.ttf") format("truetype-variations");
-  font-weight: 100 900;
-  font-style: italic;
-  font-display: swap;
-}
-
-:root {
-  /* ── ROLE COLORS · the spine ─────────────────────────────────
-     The same six hues mean the same six things across the system.
-     ──────────────────────────────────────────────────────────── */
-  --aqua:        #5BA0F0;   /* Navigation, vendor base, neutral data */
-  --bondi:       #2BCAE8;   /* Live monitoring — scanning, polling */
-  --tangerine:   #FF9540;   /* P2 severity, pending owner action */
-  --grape:       #A097D8;   /* Sub-processor / data class (PII, PHI) */
-  --strawberry:  #F46688;   /* P1 severity — critical, at-risk */
-  --lime:        #B5DC55;   /* P3 / resolved / acknowledged / healthy */
-
-  /* Soft variants — 10% alpha for tinted backgrounds */
-  --aqua-soft:        rgba(91, 160, 240, 0.10);
-  --bondi-soft:       rgba(43, 202, 232, 0.10);
-  --tangerine-soft:   rgba(255, 149, 64, 0.10);
-  --grape-soft:       rgba(160, 151, 216, 0.10);
-  --strawberry-soft:  rgba(244, 102, 136, 0.10);
-  --lime-soft:        rgba(181, 220, 85, 0.10);
-
-  /* Glow variants — 30–32% alpha for box-shadow halos */
-  --aqua-glow:        rgba(91, 160, 240, 0.30);
-  --bondi-glow:       rgba(43, 202, 232, 0.32);
-  --tangerine-glow:   rgba(255, 149, 64, 0.30);
-  --grape-glow:       rgba(160, 151, 216, 0.30);
-  --strawberry-glow:  rgba(244, 102, 136, 0.30);
-  --lime-glow:        rgba(181, 220, 85, 0.32);
-
-  /* ── AURORA SURFACES · solid, dense, working ─────────────── */
-  --bg:           #0A0A12;   /* page background, under the sky wash */
-  --surface:      #14141E;   /* primary card surface */
-  --surface-2:    #1E1E2A;   /* nested surface, input fields */
-  --surface-3:    #28283A;   /* hover / pressed state */
-
-  --border:        #2A2A3A;
-  --border-strong: #3F3F50;
-  --hairline:      rgba(255, 255, 255, 0.06);
-
-  /* ── HALO SURFACES · translucent, refractive, marketing ──── */
-  --surface-tint:   rgba(255, 255, 255, 0.04);
-  --glass-border:   rgba(255, 255, 255, 0.10);
-  --glass-inset:    rgba(255, 255, 255, 0.10);  /* the inset top edge */
-  --glass-specular: rgba(255, 255, 255, 0.08);  /* the ::before strip */
-
-  /* ── TEXT ─────────────────────────────────────────────── */
-  --muted:        #6E6E80;
-  --text-2:       #B0B0C0;
-  --text:         #ECECF5;
-  --text-strong:  #FFFFFF;
-
-  /* Dark text-on-color (button labels on lime/strawberry) */
-  --on-lime:       #0F1A05;
-  --on-strawberry: #2A0612;
-  --on-tangerine:  #2B1505;
-  --on-bondi:      #04212B;
-
-  /* ── FONT FAMILIES · three jobs, never substitute ───────── */
-  --font-display: "Bricolage Grotesque", -apple-system, BlinkMacSystemFont, sans-serif;
-  --font-text:    "Inter", -apple-system, BlinkMacSystemFont, sans-serif;
-  --font-mono:    "JetBrains Mono", ui-monospace, monospace;
-  --font-serif:   "Instrument Serif", ui-serif, Georgia, serif;
-
-  /* ── TYPE SCALE · vertical rhythm ───────────────────────── */
-  --text-xs:   0.75rem;     /* 12px — mono labels, eyebrows */
-  --text-sm:   0.875rem;    /* 14px — small UI, secondary text */
-  --text-base: 0.9375rem;   /* 15px — body */
-  --text-lg:   1.0625rem;   /* 17px — lead paragraphs */
-  --text-xl:   1.375rem;    /* 22px — h2 / card titles */
-  --text-2xl:  2rem;        /* 32px — h1 small */
-  --text-3xl:  2.75rem;     /* 44px — h1 hero */
-  --text-4xl:  4rem;        /* 64px — display */
-  --text-5xl:  6.5rem;      /* 104px — rainbow hero (Halo only) */
-
-  /* ── SPACING · 4px base ─────────────────────────────────── */
-  --space-1: 4px;   --space-2: 8px;   --space-3: 12px;
-  --space-4: 16px;  --space-5: 24px;  --space-6: 36px;
-  --space-7: 56px;  --space-8: 80px;
-
-  /* ── RADII ─────────────────────────────────────────────── */
-  --radius-sm:   6px;     /* inline chips, code */
-  --radius-md:   10px;    /* buttons, inputs, small cards */
-  --radius-lg:   16px;    /* primary cards, panels */
-  --radius-xl:   24px;    /* hero cards, the centerpiece */
-  --radius-2xl:  32px;    /* Halo hero only */
-  --radius-full: 999px;   /* pills, badges, the action bar */
-
-  /* ── MOTION ─────────────────────────────────────────────── */
-  --ease:        cubic-bezier(0.22, 1, 0.36, 1);
-  --ease-spring: cubic-bezier(0.34, 1.45, 0.64, 1);
-  --dur-fast: 200ms;
-  --dur-base: 400ms;
-  --dur-slow: 700ms;
-
-  /* ── ELEVATION · used sparingly ─────────────────────────── */
-  --shadow-card:    0 8px 32px rgba(0, 0, 0, 0.20);
-  --shadow-floating: 0 16px 48px rgba(0, 0, 0, 0.30);
-  /* Halo cards also get inset 0 1px 0 rgba(255,255,255,0.10) */
-}
-
-/* =============================================================
-   SEMANTIC TYPE STYLES
-   ============================================================= */
-.h-hero,
-.h1-hero {
-  font-family: var(--font-display);
-  font-size: var(--text-3xl);
-  font-weight: 500;
-  letter-spacing: -0.04em;
-  line-height: 1.05;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 96;
-}
-.h1 {
-  font-family: var(--font-display);
-  font-size: var(--text-2xl);
-  font-weight: 500;
-  letter-spacing: -0.025em;
-  line-height: 1.1;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 48;
-}
-.h2 {
-  font-family: var(--font-display);
-  font-size: var(--text-xl);
-  font-weight: 500;
-  letter-spacing: -0.018em;
-  line-height: 1.2;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 32;
-}
-.h3 {
-  font-family: var(--font-display);
-  font-size: 1.125rem;   /* 18px */
-  font-weight: 600;
-  letter-spacing: -0.012em;
-  color: var(--text-strong);
-  font-variation-settings: "opsz" 24;
-}
-.lead {
-  font-family: var(--font-text);
-  font-size: var(--text-lg);
-  font-weight: 400;
-  line-height: 1.5;
-  color: var(--text);
-}
-.p, p {
-  font-family: var(--font-text);
-  font-size: var(--text-base);
-  font-weight: 400;
-  line-height: 1.55;
-  color: var(--text);
-}
-.small {
-  font-family: var(--font-text);
-  font-size: var(--text-sm);
-  color: var(--text-2);
-}
-.eyebrow {
-  font-family: var(--font-mono);
-  font-size: var(--text-xs);
-  font-weight: 500;
-  letter-spacing: 0.12em;
-  text-transform: uppercase;
-  color: var(--muted);
-}
-.mono,
-.code,
-code {
-  font-family: var(--font-mono);
-  font-size: 0.8125rem;   /* 13px */
-  font-feature-settings: "tnum" 1, "zero" 1;
-  color: var(--text);
-}
-.num,
-.numeric {
-  font-feature-settings: "tnum" 1, "zero" 1;
-}
-.accent-italic {
-  font-family: var(--font-serif);
-  font-style: italic;
-  font-weight: 400;
-}
-
-/* Universal: every number gets tabular */
-.tabular,
-[data-numeric],
-.stat-val,
-.impact-cell .val {
-  font-feature-settings: "tnum" 1, "zero" 1;
-}
diff --git a/public/app/vendor-data.jsx b/public/app/vendor-data.jsx
deleted file mode 100644
index 27ee555..0000000
--- a/public/app/vendor-data.jsx
+++ /dev/null
@@ -1,578 +0,0 @@
-// vendor-data.jsx — central registry for every vendor in the demo.
-// Each vendor record carries everything the portfolio / change / evidence
-// screens need to render. Notion stays the interactive hero flow
-// (P1 → escalate → ROUTED). Other vendors are pre-baked in different
-// states (acknowledged, snoozed, healthy) and render as read-only.
-
-const VENDOR_DATA = {
-
-  // ─────────────────────────────────────────────────────────
-  // NOTION — the hero flow (P1, interactive escalate)
-  // ─────────────────────────────────────────────────────────
-  notion: {
-    key: "notion",
-    letter: "N",
-    name: "Notion",
-    category: "DOCS · COLLAB",
-    meta: "DOCS · TIER 1",
-    tier: 1,
-    sev: "p1",
-    sevLabel: "P1",
-    owner: { initials: "PN", cls: "b", name: "Priya Natarajan", role: "LEGAL COUNSEL" },
-    secondary: { initials: "MC", cls: "tangerine", name: "Marcus Chen", role: "PROCUREMENT" },
-    annual: "$184,200",
-    annualUsd: 184200,
-    seats: 847,
-    renewsInDays: 42,
-    renewsLabel: "42 DAYS",
-    renewsCls: "warn",
-    dataClasses: ["pii", "source"],
-    interactive: true,
-    lastChange: { label: "17m ago · DATA · PRICING", cls: "crit" },
-    activity: {
-      sev: "p1", when: "17m",
-      title: "Data retention shrinks 90→30d, per-seat +18%",
-      meta: "DATA · PRICING", impact: "+$28.4k/yr", impactCls: "in",
-    },
-    cr: {
-      bundleId: "RL·4839",
-      categories: ["DATA", "PRICING"],
-      titleOpen: <>Data retention <em>shrinks</em> from 90 to 30 days. Per-seat pricing rises 18%.</>,
-      titleRouted: <>Routed to Legal. Negotiation packet <em>witnessed</em> and signed.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "17 minutes ago",
-      routedAt: "2026-05-22 · 14:59 EST",
-      routedWhen: "just now",
-      agent: "agent-redline-v1.4",
-      citationCount: 4,
-      impacts: [
-        { lbl: "$ Impact · annual", val: "+$28,400", cls: "dollar" },
-        { lbl: "Per-seat change", val: "+18% / 30d", cls: "delta" },
-        { lbl: "Compliance", val: "GDPR · Art 5(1)e", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · §4.2 Data Retention",
-          before: {
-            when: "SNAPSHOT · MAR 18 2026",
-            text: <>"Workspace owners may request export and deletion of all user content at any time.
-                  Notion will retain backup copies for <strong>ninety (90) days</strong> following deletion,
-                  after which content is permanently erased from all systems."</>,
-            source: "SOURCE · notion.so/terms#4.2 · FETCHED 2026-03-18 09:14 UTC · HASH a3f9…d21c",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Workspace owners may request export and deletion of all user content at any time.
-                  Notion will retain backup copies for <strong>thirty (30) days</strong> following deletion,
-                  after which content is permanently erased from all systems."</>,
-            sourceLink: "notion.so/terms#4.2",
-            sourceMeta: " · FETCHED 2026-05-22 14:42 UTC · HASH 8b2e…f94a",
-          },
-        },
-        {
-          label: "Change · §7.1 Plus Plan Pricing",
-          before: {
-            when: "SNAPSHOT · MAR 18 2026",
-            text: <>"Plus plan: <strong>$10 per member per month</strong>, billed annually.
-                  Includes unlimited blocks, file uploads up to 5 GB, and 30-day version history."</>,
-            source: "SOURCE · notion.so/pricing · FETCHED 2026-03-18 09:14 UTC",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Plus plan: <strong>$11.80 per member per month</strong>, billed annually.
-                  Includes unlimited blocks, file uploads up to 5 GB, and 30-day version history."</>,
-            sourceLink: "notion.so/pricing",
-            sourceMeta: " · FETCHED 2026-05-22 14:42 UTC",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Price ↑ >10% within 90d of renewal → P1 to Procurement",
-        meta: "AUTHOR · Maya A. · GRC LEAD · v4 · 2026-04-12",
-        yamlKey: "pricing",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @priya",          queued: "queued · awaits escalation", sent: "14:59:02 · delivered" },
-        { type: "jira",   target: "PROC-2104",            queued: "queued",                     sent: "14:59:03 · assigned" },
-        { type: "cal",    target: "Renewal call · Jun 24", queued: "queued",                     sent: "14:59:04 · 4 invitees" },
-        { type: "email",  target: "Renego draft · ready", queued: "queued",                     sent: "14:59:05 · 3 versions" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Renewal is in <strong>42 days</strong>. The compounded retention shrinkage and price
-              increase are <em>both negotiable</em> at this stage. Generate the renegotiation packet
-              to push back on retention to 60d as a minimum (industry standard), and lock pricing at
-              the prior $10/seat for the renewal term. Estimated leverage: <strong>$28,400/yr saved</strong> on
-              price alone; retention recovery maps to <strong>SOC2 CC6.5</strong> and <strong>GDPR Art 5(1)e</strong>.</>,
-      },
-      recoRouted: {
-        head: "Outcome · Routed",
-        text: <>Routed to <strong>Priya Natarajan</strong> (Legal) and <strong>Marcus Chen</strong> (Procurement). The
-              renegotiation packet has been <em>generated</em> and witnessed — see Bundle RL·4839.
-              4 actions dispatched: Slack DM, Jira PROC-2104, calendar invite for Jun 24, draft email
-              with three negotiation positions. Deadline: 2026-05-29.</>,
-      },
-    },
-    bundle: {
-      id: "RL·4839",
-      seal: "US",
-      signedAt: "2026-05-22 · 14:59:08 EST",
-      hash: "8b2e…f94a",
-      eyebrow: "NOTION · CR · DATA + PRICING",
-      coverSubtitle: <>Notion · data retention &amp; pricing change · <em>witnessed</em></>,
-      sectionCount: 4,
-      miniDiffs: [
-        [
-          { kind: "b", text: <>"…will retain backup copies for <strong>ninety (90) days</strong> following deletion…"</>, src: "SOURCE · notion.so/terms#4.2 · 2026-03-18 · HASH a3f9…d21c" },
-          { kind: "a", text: <>"…will retain backup copies for <strong>thirty (30) days</strong> following deletion…"</>, src: "SOURCE · notion.so/terms#4.2 · 2026-05-22 · HASH 8b2e…f94a" },
-        ],
-        [
-          { kind: "b", text: <>"Plus plan: <strong>$10 per member per month</strong>, billed annually."</>, src: "SOURCE · notion.so/pricing · 2026-03-18" },
-          { kind: "a", text: <>"Plus plan: <strong>$11.80 per member per month</strong>, billed annually."</>, src: "SOURCE · notion.so/pricing · 2026-05-22" },
-        ],
-      ],
-      policyBody: <><b>severity-rules.yaml v4</b> · "Price ↑ &gt;10% within 90d of renewal → P1 to Procurement."
-                  Notion renewal is in <b>42 days</b>; per-seat change is <b>+18%</b>. The policy clause
-                  matched at <b>2026-05-22 14:42:21 EST</b> and was queued for routing.</>,
-      trail: [
-        { ts: "14:59:01", msg: <>Policy fired · <b>severity-rules.yaml v4</b></>, status: "✓ MATCH" },
-        { ts: "14:59:02", msg: <>Slack DM · <b>@priya</b> · delivered</>, status: "✓ SENT" },
-        { ts: "14:59:03", msg: <>Jira · <b>PROC-2104</b> · assigned Marcus Chen</>, status: "✓ OPEN" },
-        { ts: "14:59:04", msg: <>Calendar · <b>Jun 24 renewal call</b> · 4 invitees</>, status: "✓ SCHED" },
-        { ts: "14:59:05", msg: <>Drafts · <b>renegotiation packet</b> · 3 positions</>, status: "✓ READY" },
-        { ts: "14:59:08", msg: <>Bundle signed · hash <b>8b2e…f94a</b></>, status: "✓ WITNESSED" },
-      ],
-      citations: [
-        { src: "notion.so/terms#4.2 · §4.2 Data Retention · public", hash: "8b2e…f94a" },
-        { src: "notion.so/pricing · §7.1 Plus Plan · public", hash: "d4a1…2c7b" },
-        { src: "internal · DPA §3.1 (Acme ⟷ Notion) · private", hash: "f9c3…81de" },
-        { src: "policy · severity-rules.yaml v4 · internal", hash: "a3f9…d21c" },
-      ],
-      nextActions: [
-        { type: "cal",   target: "Renewal call",      when: "Jun 24 · 14:00 EST",       status: "SCHED", pending: false },
-        { type: "email", target: "Send renego draft", when: "Owner · Priya N.",         status: "DUE 5/29", pending: true },
-      ],
-    },
-    routingTitle: <>Routed to <em>Priya</em>. Bundle <em>RL·4839</em> generating…</>,
-    routingLog: [
-      { ts: "14:59:01", lvl: "info", msg: <>Policy fired · <b>severity-rules.yaml v4</b> · severity P1</> },
-      { ts: "14:59:02", lvl: "exec", msg: <>Slack DM dispatched · <b>@priya</b> · message + 4 citations</> },
-      { ts: "14:59:03", lvl: "exec", msg: <>Jira ticket created · <b>PROC-2104</b> · assigned to Marcus Chen</> },
-      { ts: "14:59:04", lvl: "exec", msg: <>Calendar invite sent · <b>Jun 24 · Notion renewal call</b> · 4 invitees</> },
-      { ts: "14:59:05", lvl: "exec", msg: <>Renegotiation draft generated · <b>3 positions</b> · saved to Drafts</> },
-      { ts: "14:59:06", lvl: "info", msg: <>Compiling evidence bundle <b>RL·4839</b> · 4 grounded citations</> },
-      { ts: "14:59:07", lvl: "sign", msg: <>Clauses extracted · §4.2 Retention · §7.1 Pricing · DPA §3.1 · policy</> },
-      { ts: "14:59:08", lvl: "sign", msg: <>Bundle signed · hash <b>8b2e…f94a</b> · witnessed by agent-redline-v1.4</> },
-      { ts: "14:59:09", lvl: "ok",   msg: <>Bundle <b>RL·4839</b> written · grounded · routed · ready</> },
-    ],
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // DATADOG — P1, already acknowledged, bundle witnessed
-  // ─────────────────────────────────────────────────────────
-  datadog: {
-    key: "datadog",
-    letter: "D",
-    name: "Datadog",
-    category: "OBSERVABILITY · MONITORING",
-    meta: "OBSERVABILITY · TIER 1",
-    tier: 1,
-    sev: "p1",
-    sevLabel: "P1",
-    owner: { initials: "RK", cls: "a", name: "Ravi Krishnan", role: "SECURITY LEAD" },
-    secondary: { initials: "AO", cls: "grape", name: "Ada Owens", role: "PRIVACY OFFICER" },
-    annual: "$420,000",
-    annualUsd: 420000,
-    seats: 312,
-    renewsInDays: 11,
-    renewsLabel: "11 DAYS",
-    renewsCls: "warn",
-    dataClasses: ["pii", "phi"],
-    mode: "acknowledged",
-    interactive: false,
-    lastChange: { label: "2h ago · SUB-PROC", cls: "crit" },
-    activity: {
-      sev: "p1", when: "2h",
-      title: "Sub-processor added · Tencent Cloud · CN",
-      meta: "SUB-PROC · JURISDICTION", impact: "+30d NOTICE", impactCls: "",
-    },
-    cr: {
-      bundleId: "RL·4812",
-      categories: ["SUB-PROC", "JURISDICTION"],
-      titleOpen: <>New sub-processor <em>Tencent Cloud (CN)</em> added to data path. Non-adequate jurisdiction.</>,
-      detectedAt: "2026-05-22 · 12:18:04 EST",
-      detectedWhen: "2 hours ago",
-      acknowledgedAt: "2026-05-22 · 12:51 EST",
-      acknowledgedWhen: "1h 51m ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 3,
-      impacts: [
-        { lbl: "Jurisdiction", val: "CN · non-adequate", cls: "dollar" },
-        { lbl: "Customer notice", val: "+30d required", cls: "delta" },
-        { lbl: "Compliance", val: "GDPR · Art 28(2)", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · Sub-processor list · APAC region",
-          before: {
-            when: "SNAPSHOT · APR 14 2026",
-            text: <>"Datadog uses the following sub-processors in APAC: <strong>AWS (ap-northeast-1)</strong>,
-                  <strong>GCP (asia-east1)</strong>. No data routed through PRC-based providers."</>,
-            source: "SOURCE · datadog.com/legal/sub-processors · FETCHED 2026-04-14 06:02 UTC · HASH 71be…0caf",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Datadog uses the following sub-processors in APAC: AWS (ap-northeast-1),
-                  GCP (asia-east1), and <strong>Tencent Cloud (cn-shanghai)</strong> for traffic-origin
-                  metrics retention in the Greater China region."</>,
-            sourceLink: "datadog.com/legal/sub-processors",
-            sourceMeta: " · FETCHED 2026-05-22 12:18 UTC · HASH 4d09…b2e1",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Sub-processor added in non-adequate jurisdiction → P1 to Privacy",
-        meta: "AUTHOR · Marcus Chen · SECURITY · v1 · 2026-01-08",
-        yamlKey: "subprocessor",
-      },
-      actions: [
-        { type: "slack",  target: "#privacy",            queued: "queued", sent: "12:18:42 · 6 members" },
-        { type: "jira",   target: "PRIV-1188",           queued: "queued", sent: "12:18:44 · Ada Owens" },
-        { type: "email",  target: "Customer notice · draft", queued: "queued", sent: "12:18:46 · 30d countdown" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Tencent Cloud is in a <em>non-adequate</em> jurisdiction under GDPR. A <strong>30-day customer
-              notice</strong> is required before the sub-processor goes live. Privacy team should evaluate
-              transfer mechanism (SCCs + supplementary measures) and confirm data classes routed (PHI must
-              not be eligible). Renewal in <strong>11 days</strong> — block renewal until DPA addendum signed.</>,
-      },
-      recoRouted: {
-        head: "Outcome · Acknowledged",
-        text: <>Privacy team acknowledged at <strong>12:51 EST</strong>. Customer-notice draft attached to
-              <strong> PRIV-1188</strong>. Transfer mechanism review scheduled for <strong>2026-05-25</strong>.
-              Renewal of <strong>$420k</strong> contract held until DPA addendum signature.</>,
-      },
-    },
-    bundle: {
-      id: "RL·4812",
-      seal: "US",
-      signedAt: "2026-05-22 · 12:51:33 EST",
-      hash: "4d09…b2e1",
-      eyebrow: "DATADOG · CR · SUB-PROCESSOR",
-      coverSubtitle: <>Datadog · new sub-processor (Tencent Cloud · CN) · <em>acknowledged</em></>,
-      sectionCount: 4,
-      miniDiffs: [
-        [
-          { kind: "b", text: <>"…APAC sub-processors: AWS, GCP. <strong>No PRC-based providers</strong>…"</>, src: "SOURCE · datadog.com/legal/sub-processors · 2026-04-14 · HASH 71be…0caf" },
-          { kind: "a", text: <>"…APAC sub-processors: AWS, GCP, and <strong>Tencent Cloud (cn-shanghai)</strong>…"</>, src: "SOURCE · datadog.com/legal/sub-processors · 2026-05-22 · HASH 4d09…b2e1" },
-        ],
-      ],
-      policyBody: <><b>severity-rules.yaml v4</b> · "Sub-processor added in non-adequate jurisdiction → P1 to Privacy."
-                  Datadog added Tencent Cloud (CN-Shanghai). The policy matched at
-                  <b> 2026-05-22 12:18:09 EST</b> and queued a customer-notice draft.</>,
-      trail: [
-        { ts: "12:18:09", msg: <>Policy fired · <b>subprocessor.yaml v1</b></>, status: "✓ MATCH" },
-        { ts: "12:18:42", msg: <>Slack channel · <b>#privacy</b> · 6 members notified</>, status: "✓ SENT" },
-        { ts: "12:18:44", msg: <>Jira · <b>PRIV-1188</b> · assigned Ada Owens</>, status: "✓ OPEN" },
-        { ts: "12:18:46", msg: <>Draft · <b>30-day customer notice</b></>, status: "✓ READY" },
-        { ts: "12:51:30", msg: <>Acknowledged by Ada Owens · <b>transfer review 5/25</b></>, status: "✓ ACK" },
-        { ts: "12:51:33", msg: <>Bundle signed · hash <b>4d09…b2e1</b></>, status: "✓ WITNESSED" },
-      ],
-      citations: [
-        { src: "datadog.com/legal/sub-processors · APAC list · public", hash: "4d09…b2e1" },
-        { src: "internal · DPA §6 (Acme ⟷ Datadog) · private", hash: "71be…0caf" },
-        { src: "policy · subprocessor.yaml v1 · internal", hash: "c2a8…59f0" },
-      ],
-      nextActions: [
-        { type: "cal",   target: "Transfer review",   when: "May 25 · 10:00 EST",   status: "SCHED",   pending: false },
-        { type: "email", target: "Customer notice",   when: "Send by Jun 21",       status: "DUE 6/21", pending: true },
-      ],
-    },
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // STRIPE — P2, terms change (liability cap)
-  // ─────────────────────────────────────────────────────────
-  stripe: {
-    key: "stripe",
-    letter: "S",
-    name: "Stripe",
-    category: "PAYMENTS · BILLING",
-    meta: "PAYMENTS · TIER 1",
-    tier: 1,
-    sev: "p2",
-    sevLabel: "P2",
-    owner: { initials: "MA", cls: "c", name: "Maya Ahmadi", role: "GRC LEAD" },
-    secondary: { initials: "LP", cls: "lime", name: "Lin Park", role: "LEGAL COUNSEL" },
-    annual: "$2.4M",
-    annualUsd: 2400000,
-    seats: 20,
-    renewsInDays: 244,
-    renewsLabel: "8 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii", "payments"],
-    mode: "open",
-    interactive: false,
-    lastChange: { label: "6h ago · TERMS", cls: "" },
-    activity: {
-      sev: "p2", when: "6h",
-      title: "Liability cap reduced from $1M to $500k",
-      meta: "TERMS · LIABILITY", impact: "LEGAL REVIEW", impactCls: "",
-    },
-    cr: {
-      bundleId: "RL·4798",
-      categories: ["TERMS", "LIABILITY"],
-      titleOpen: <>Liability cap <em>halved</em> from $1M to $500k. Indemnification scope narrowed.</>,
-      detectedAt: "2026-05-22 · 08:31:17 EST",
-      detectedWhen: "6 hours ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 3,
-      impacts: [
-        { lbl: "Liability cap", val: "−$500,000", cls: "dollar" },
-        { lbl: "Indemnification", val: "Narrowed scope", cls: "delta" },
-        { lbl: "Renewal", val: "8 months out", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · §11.3 Limitation of Liability",
-          before: {
-            when: "SNAPSHOT · FEB 02 2026",
-            text: <>"Stripe's aggregate liability under this agreement shall not exceed
-                  <strong> one million dollars ($1,000,000)</strong> or the fees paid by Customer
-                  in the preceding twelve (12) months, whichever is greater."</>,
-            source: "SOURCE · stripe.com/legal#11.3 · FETCHED 2026-02-02 11:08 UTC · HASH 9f2c…7b4d",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 22 2026",
-            text: <>"Stripe's aggregate liability under this agreement shall not exceed
-                  <strong> five hundred thousand dollars ($500,000)</strong> or the fees paid by Customer
-                  in the preceding twelve (12) months, whichever is greater."</>,
-            sourceLink: "stripe.com/legal#11.3",
-            sourceMeta: " · FETCHED 2026-05-22 08:31 UTC · HASH 6a13…8e29",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "Liability cap reduced >25% → P2 to Legal",
-        meta: "AUTHOR · Lin Park · LEGAL · v2 · 2026-03-04",
-        yamlKey: "terms",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @maya",          queued: "queued · awaits ack", sent: "—" },
-        { type: "jira",   target: "LEGAL-0942",          queued: "queued",              sent: "—" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>Stripe's standard cap is now <strong>50% lower</strong>. Acme processes <strong>$2.4M/yr</strong>
-              through Stripe; current cap is materially under-protective vs. annual volume. Renewal is
-              8 months out — leverage MSA negotiation to <em>restore $1M cap or negotiate a custom carve-out</em>.
-              No immediate action required; flag for renewal-prep cycle.</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // AWS — P2, pricing increase on hot SKU
-  // ─────────────────────────────────────────────────────────
-  aws: {
-    key: "aws",
-    letter: "A",
-    name: "AWS",
-    category: "CLOUD · INFRASTRUCTURE",
-    meta: "INFRA · TIER 1",
-    tier: 1,
-    sev: "p2",
-    sevLabel: "P2",
-    owner: { initials: "RK", cls: "a", name: "Ravi Krishnan", role: "PLATFORM LEAD" },
-    secondary: { initials: "JT", cls: "d", name: "Jordan Tao", role: "FINOPS" },
-    annual: "$1.8M",
-    annualUsd: 1800000,
-    seats: 0,
-    renewsInDays: 92,
-    renewsLabel: "3 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii", "source"],
-    mode: "open",
-    interactive: false,
-    lastChange: { label: "1d ago · PRICING", cls: "" },
-    activity: {
-      sev: "p2", when: "1d",
-      title: "EC2 g6.xlarge +8% in us-east-1",
-      meta: "PRICING", impact: "+$14.2k/yr", impactCls: "in",
-    },
-    cr: {
-      bundleId: "RL·4761",
-      categories: ["PRICING"],
-      titleOpen: <>EC2 <em>g6.xlarge</em> hourly rate up <strong>8%</strong> in us-east-1. Acme runs 47 nodes.</>,
-      detectedAt: "2026-05-21 · 14:42:00 EST",
-      detectedWhen: "1 day ago",
-      agent: "agent-redline-v1.4",
-      citationCount: 2,
-      impacts: [
-        { lbl: "$ Impact · annual", val: "+$14,200", cls: "dollar" },
-        { lbl: "Per-node change", val: "+$0.094/hr", cls: "delta" },
-        { lbl: "Affected nodes", val: "47 · ML inference", cls: "compl" },
-      ],
-      diffs: [
-        {
-          label: "Change · EC2 g6.xlarge · us-east-1",
-          before: {
-            when: "SNAPSHOT · MAY 15 2026",
-            text: <>"g6.xlarge (1× L4 GPU, 4 vCPU, 16 GiB) · <strong>$1.174 per hour</strong> · on-demand · us-east-1."</>,
-            source: "SOURCE · aws.amazon.com/ec2/instance-types · FETCHED 2026-05-15 09:00 UTC · HASH 3c80…d471",
-          },
-          after: {
-            when: "SNAPSHOT · MAY 21 2026",
-            text: <>"g6.xlarge (1× L4 GPU, 4 vCPU, 16 GiB) · <strong>$1.268 per hour</strong> · on-demand · us-east-1."</>,
-            sourceLink: "aws.amazon.com/ec2/instance-types",
-            sourceMeta: " · FETCHED 2026-05-21 14:42 UTC · HASH a09f…1c3b",
-          },
-        },
-      ],
-      policy: {
-        head: "Policy fired",
-        name: "SKU pricing increase >5% → P2 to FinOps",
-        meta: "AUTHOR · Jordan Tao · FINOPS · v3 · 2026-02-18",
-        yamlKey: "pricing",
-      },
-      actions: [
-        { type: "slack",  target: "DM · @jordan",        queued: "queued · awaits ack", sent: "—" },
-        { type: "jira",   target: "FIN-0322",            queued: "queued",              sent: "—" },
-      ],
-      recoOpen: {
-        head: "Recommendation",
-        text: <>g6.xlarge powers Acme's ML inference fleet (47 nodes). Annualized impact: <strong>+$14.2k</strong>.
-              FinOps should evaluate <em>3-year savings plan</em> at the older rate (auto-applies if signed
-              before 2026-08-22 renewal) or migrate inference to <em>g5.xlarge</em> (−12% perf, −18% cost).</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // LINEAR — Healthy, no recent diff
-  // ─────────────────────────────────────────────────────────
-  linear: {
-    key: "linear",
-    letter: "L",
-    name: "Linear",
-    category: "PROJECT · COLLAB",
-    meta: "PROJECT · TIER 2",
-    tier: 2,
-    sev: "healthy",
-    sevLabel: "OK",
-    owner: { initials: "JT", cls: "d", name: "Jordan Tao", role: "OWNER" },
-    annual: "$48,000",
-    annualUsd: 48000,
-    seats: 240,
-    renewsInDays: 153,
-    renewsLabel: "5 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii"],
-    mode: "healthy",
-    interactive: false,
-    lastChange: { label: "14 days · no diff", cls: "" },
-    activity: null,
-    cr: {
-      categories: ["NO CHANGE"],
-      titleOpen: <>No material changes detected in the last <em>14 days</em>. Posture stable.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "14 days since last scan diff",
-      agent: "agent-redline-v1.4",
-      citationCount: 0,
-      lastScannedSurfaces: [
-        { url: "linear.app/terms",        when: "2026-05-22 14:38 UTC", hash: "stable · e7d2…c918" },
-        { url: "linear.app/dpa",          when: "2026-05-22 14:38 UTC", hash: "stable · 819a…0042" },
-        { url: "linear.app/security",     when: "2026-05-22 14:39 UTC", hash: "stable · 4f0c…dd80" },
-        { url: "linear.app/sub-processors", when: "2026-05-22 14:39 UTC", hash: "stable · 6b22…aaef" },
-      ],
-      recoOpen: {
-        head: "Status · Healthy",
-        text: <>All <strong>4 monitored surfaces</strong> match prior snapshots. Last meaningful change
-              was on <strong>2026-05-08</strong> (security headers update, non-material). Renewal in
-              <strong> 5 months</strong> — no early action needed.</>,
-      },
-    },
-    bundle: null,
-  },
-
-  // ─────────────────────────────────────────────────────────
-  // FIGMA — Healthy, no recent diff
-  // ─────────────────────────────────────────────────────────
-  figma: {
-    key: "figma",
-    letter: "F",
-    name: "Figma",
-    category: "DESIGN · COLLAB",
-    meta: "DESIGN · TIER 2",
-    tier: 2,
-    sev: "healthy",
-    sevLabel: "OK",
-    owner: { initials: "JT", cls: "d", name: "Jordan Tao", role: "OWNER" },
-    annual: "$96,000",
-    annualUsd: 96000,
-    seats: 480,
-    renewsInDays: 214,
-    renewsLabel: "7 MONTHS",
-    renewsCls: "",
-    dataClasses: ["pii"],
-    mode: "healthy",
-    interactive: false,
-    lastChange: { label: "22 days · no diff", cls: "" },
-    activity: null,
-    cr: {
-      categories: ["NO CHANGE"],
-      titleOpen: <>No material changes detected in the last <em>22 days</em>. Posture stable.</>,
-      detectedAt: "2026-05-22 · 14:42:18 EST",
-      detectedWhen: "22 days since last scan diff",
-      agent: "agent-redline-v1.4",
-      citationCount: 0,
-      lastScannedSurfaces: [
-        { url: "figma.com/legal/terms",         when: "2026-05-22 14:35 UTC", hash: "stable · 1eaa…58c2" },
-        { url: "figma.com/legal/dpa",           when: "2026-05-22 14:36 UTC", hash: "stable · 0c44…b1f9" },
-        { url: "figma.com/security",            when: "2026-05-22 14:36 UTC", hash: "stable · d8e7…7710" },
-        { url: "figma.com/legal/sub-processors", when: "2026-05-22 14:37 UTC", hash: "stable · 33ab…ee21" },
-      ],
-      recoOpen: {
-        head: "Status · Healthy",
-        text: <>All <strong>4 monitored surfaces</strong> match prior snapshots. Last meaningful change
-              was on <strong>2026-04-30</strong> (pricing FAQ refresh, non-material). Renewal in
-              <strong> 7 months</strong> — no early action needed.</>,
-      },
-    },
-    bundle: null,
-  },
-
-};
-
-// Per-vendor YAML snippet used in the policy panel. Kept terse so it fits.
-const POLICY_YAML = {
-  pricing: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"pricing"</span>{"\n  "}change.dollarImpact.pct: <span className="y-str">">10"</span>{"\n  "}vendor.renewsAt: <span className="y-str">"within 90d"</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P1</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:@priya</span>{"\n    - "}<span className="y-str">jira:PROC</span>{"\n    - "}<span className="y-str">copilot:renegotiate</span>
-    </pre>
-  ),
-  subprocessor: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"subprocessor"</span>{"\n  "}new.jurisdiction.adequate: <span className="y-str">"false"</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P1</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:#privacy</span>{"\n    - "}<span className="y-str">jira:PRIV</span>{"\n    - "}<span className="y-str">draft:customer-notice-30d</span>
-    </pre>
-  ),
-  terms: (
-    <pre className="policy-yaml">
-{`# severity-rules.yaml`}
-{"\n"}<span className="y-key">when:</span>{"\n  "}change.category: <span className="y-str">"terms"</span>{"\n  "}clause.liabilityCap.pctDelta: <span className="y-str">{'"<= -25"'}</span>{"\n"}<span className="y-key">then:</span>{"\n  "}severity: <span className="y-str">P2</span>{"\n  "}route:{"\n    - "}<span className="y-str">slack:@maya</span>{"\n    - "}<span className="y-str">jira:LEGAL</span>
-    </pre>
-  ),
-};
-
-// Order used by the portfolio grid + the order the activity feed cycles.
-const VENDOR_ORDER = ["notion", "datadog", "stripe", "aws", "linear", "figma"];
-
-Object.assign(window, { VENDOR_DATA, POLICY_YAML, VENDOR_ORDER });
diff --git a/public/index.html b/public/index.html
index 746be4e..a9a10cd 100644
--- a/public/index.html
+++ b/public/index.html
@@ -388,31 +388,36 @@
   pointer-events:none;
   mix-blend-mode: screen;
 }
-.tile svg{
+.tile img{
   position:relative;z-index:1;
   width: 54%; height: 54%;
   display:block;
-  filter: drop-shadow(0 1px 3px rgba(0,0,0,.5));
-  opacity:.96;
-}
-.tile .letter{
-  position:relative;z-index:1;
-  font-family: var(--font-display);
-  font-weight: 700;
-  font-size: 38%;
-  color: #fff;
-  letter-spacing: -0.02em;
-  text-shadow: 0 1px 3px rgba(0,0,0,.6);
+  object-fit: contain;
+  filter: brightness(0) invert(1) drop-shadow(0 1px 3px rgba(0,0,0,.5));
+  opacity:.90;
+}
+
+/* mobile logo wall — shown only below 720px, cube hidden */
+.cube-mobile-grid{
+  display:none;
+}
+@media (max-width:720px){
+  .stage{ display:none !important; }
+  .cube-mobile-grid{
+    display:grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap:12px;
+    padding:20px;
+    max-width:340px;
+    margin:0 auto 32px;
+  }
+  .cube-mobile-grid img{
+    width:48px;height:48px;object-fit:contain;
+    filter: brightness(0) invert(1);
+    opacity:.85;
+  }
 }
 
-/* density modes */
-body[data-density="plain"]   .tile > svg,
-body[data-density="plain"]   .tile > .letter { display:none; }
-body[data-density="letters"] .tile svg { display:none; }
-body[data-density="letters"] .tile .letter { display:inline-block; }
-body[data-density="marks"]   .tile .letter { display:none; }
-body[data-density="marks"]   .tile svg { display:block; }
-
 /* HUD floaters around the cube */
 .floater{
   position:absolute;z-index:3;pointer-events:none;
@@ -564,32 +569,25 @@ <h2>One vault. <em>Every</em> renewal.</h2>
 </section>
 </main>
 
-<!-- ─────────────────────────────────────────────
-     TILES — original abstract app marks
-     ───────────────────────────────────────────── -->
-<template id="tiles">
-  <!-- Each svg.tile-svg is one abstract app tile.
-       Single uppercase letter + a unique geometric mark.
-       No real brand reproduction. -->
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="0"><circle cx="50" cy="50" r="22" fill="none" stroke="#fff" stroke-width="4"/><text x="50" y="58" text-anchor="middle" font-family="ui-monospace" font-weight="700" font-size="22" fill="#fff">A</text></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="1"><polygon points="50,18 82,72 18,72" fill="none" stroke="#fff" stroke-width="4"/><text x="50" y="62" text-anchor="middle" font-family="ui-monospace" font-weight="700" font-size="18" fill="#fff">B</text></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="2"><rect x="22" y="22" width="56" height="56" rx="10" fill="none" stroke="#fff" stroke-width="4"/><text x="50" y="58" text-anchor="middle" font-family="ui-monospace" font-weight="700" font-size="22" fill="#fff">C</text></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="3"><polygon points="50,16 84,50 50,84 16,50" fill="none" stroke="#fff" stroke-width="4"/><text x="50" y="58" text-anchor="middle" font-family="ui-monospace" font-weight="700" font-size="22" fill="#fff">D</text></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="4"><circle cx="50" cy="50" r="14" fill="#fff"/><circle cx="50" cy="50" r="30" fill="none" stroke="#fff" stroke-width="3" opacity=".6"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="5"><path d="M22 70 L40 40 L52 56 L78 26" stroke="#fff" stroke-width="5" fill="none" stroke-linecap="round" stroke-linejoin="round"/><circle cx="78" cy="26" r="5" fill="#fff"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="6"><rect x="24" y="48" width="9" height="28" fill="#fff"/><rect x="38" y="38" width="9" height="38" fill="#fff" opacity=".8"/><rect x="52" y="28" width="9" height="48" fill="#fff" opacity=".65"/><rect x="66" y="18" width="9" height="58" fill="#fff" opacity=".5"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="7"><polygon points="50,18 80,34 80,66 50,82 20,66 20,34" fill="none" stroke="#fff" stroke-width="4"/><text x="50" y="58" text-anchor="middle" font-family="ui-monospace" font-weight="700" font-size="20" fill="#fff">E</text></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="8"><path d="M30 30 Q50 10 70 30 T70 70 Q50 90 30 70 T30 30" fill="none" stroke="#fff" stroke-width="3.5"/><circle cx="50" cy="50" r="6" fill="#fff"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="9"><path d="M22 30 H78 M22 50 H78 M22 70 H78" stroke="#fff" stroke-width="5" stroke-linecap="round"/><circle cx="34" cy="30" r="5" fill="#fff"/><circle cx="60" cy="50" r="5" fill="#fff"/><circle cx="46" cy="70" r="5" fill="#fff"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="10"><path d="M50 18 V82 M18 50 H82" stroke="#fff" stroke-width="5" stroke-linecap="round"/><circle cx="50" cy="50" r="11" fill="#07070D" stroke="#fff" stroke-width="4"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="11"><path d="M22 22 L50 50 L22 78 M50 22 L78 50 L50 78" stroke="#fff" stroke-width="5" fill="none" stroke-linecap="round" stroke-linejoin="round"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="12"><circle cx="36" cy="50" r="18" fill="none" stroke="#fff" stroke-width="4"/><circle cx="64" cy="50" r="18" fill="none" stroke="#fff" stroke-width="4"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="13"><path d="M20 70 Q35 30 50 50 T80 30" stroke="#fff" stroke-width="5" fill="none" stroke-linecap="round"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="14"><polygon points="30,22 70,22 78,50 70,78 30,78 22,50" fill="none" stroke="#fff" stroke-width="4"/><circle cx="50" cy="50" r="6" fill="#fff"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="15"><path d="M30 22 V62 a20 20 0 0 0 40 0 V22" stroke="#fff" stroke-width="4.5" fill="none" stroke-linecap="round"/><path d="M30 22 H70" stroke="#fff" stroke-width="4.5" stroke-linecap="round"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="16"><path d="M22 50 L40 32 L40 42 L78 42 L78 58 L40 58 L40 68 Z" fill="#fff"/></svg>
-  <svg viewBox="0 0 100 100" class="tile-svg" data-i="17"><circle cx="50" cy="50" r="28" fill="none" stroke="#fff" stroke-width="4" stroke-dasharray="6 6"/><circle cx="50" cy="50" r="10" fill="#fff"/></svg>
-</template>
+<!-- mobile logo fallback: shown only at max-width 720px via CSS -->
+<div class="cube-mobile-grid" aria-hidden="true">
+  <img src="https://cdn.simpleicons.org/notion/ffffff" alt="Notion" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/slack/ffffff" alt="Slack" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/figma/ffffff" alt="Figma" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/github/ffffff" alt="GitHub" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/salesforce/ffffff" alt="Salesforce" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/stripe/ffffff" alt="Stripe" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/zoom/ffffff" alt="Zoom" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/datadog/ffffff" alt="Datadog" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/googlecloud/ffffff" alt="Google Cloud" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/amazonwebservices/ffffff" alt="AWS" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/microsoftazure/ffffff" alt="Azure" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/hubspot/ffffff" alt="HubSpot" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/jira/ffffff" alt="Jira" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/snowflake/ffffff" alt="Snowflake" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/linear/ffffff" alt="Linear" width="48" height="48">
+  <img src="https://cdn.simpleicons.org/shopify/ffffff" alt="Shopify" width="48" height="48">
+</div>
 
 <!-- Speaker notes etc. omitted intentionally; this is a landing-page hero, not a deck. -->
 
@@ -599,19 +597,85 @@ <h2>One vault. <em>Every</em> renewal.</h2>
   const cube = document.getElementById('cube');
   const stage = document.getElementById('stage');
 
-  // ─── tile templates ────────────────────────────────────────────
-  const tplTiles = document.getElementById('tiles');
-  const tileNodes = Array.from(tplTiles.content.querySelectorAll('svg.tile-svg'));
-
-  function tileHTML(i, color){
-    const svg = tileNodes[i % tileNodes.length].cloneNode(true);
-    svg.setAttribute('aria-hidden','true');
-    return svg.outerHTML;
-  }
+  // ─── vendor logos per face (Simple Icons CDN) ─────────────────
+  const FACE_VENDORS = [
+    // f-front: productivity
+    [
+      {slug:'notion',      name:'Notion'},
+      {slug:'slack',       name:'Slack'},
+      {slug:'figma',       name:'Figma'},
+      {slug:'asana',       name:'Asana'},
+      {slug:'linear',      name:'Linear'},
+      {slug:'trello',      name:'Trello'},
+      {slug:'miro',        name:'Miro'},
+      {slug:'todoist',     name:'Todoist'},
+      {slug:'evernote',    name:'Evernote'},
+    ],
+    // f-back: engineering
+    [
+      {slug:'github',      name:'GitHub'},
+      {slug:'gitlab',      name:'GitLab'},
+      {slug:'atlassian',   name:'Atlassian'},
+      {slug:'jira',        name:'Jira'},
+      {slug:'confluence',  name:'Confluence'},
+      {slug:'jenkins',     name:'Jenkins'},
+      {slug:'circleci',    name:'CircleCI'},
+      {slug:'sentry',      name:'Sentry'},
+      {slug:'datadog',     name:'Datadog'},
+    ],
+    // f-right: design
+    [
+      {slug:'figma',            name:'Figma'},
+      {slug:'adobe',            name:'Adobe'},
+      {slug:'adobecreativecloud',name:'Creative Cloud'},
+      {slug:'sketch',           name:'Sketch'},
+      {slug:'framer',           name:'Framer'},
+      {slug:'invision',         name:'InVision'},
+      {slug:'zeplin',           name:'Zeplin'},
+      {slug:'abstract',         name:'Abstract'},
+      {slug:'marvel',           name:'Marvel'},
+    ],
+    // f-left: communication
+    [
+      {slug:'zoom',            name:'Zoom'},
+      {slug:'slack',           name:'Slack'},
+      {slug:'microsoftteams',  name:'MS Teams'},
+      {slug:'googlemeet',      name:'Google Meet'},
+      {slug:'discord',         name:'Discord'},
+      {slug:'intercom',        name:'Intercom'},
+      {slug:'twilio',          name:'Twilio'},
+      {slug:'sendgrid',        name:'SendGrid'},
+      {slug:'mailchimp',       name:'Mailchimp'},
+    ],
+    // f-top: data & cloud
+    [
+      {slug:'amazonwebservices', name:'AWS'},
+      {slug:'googlecloud',       name:'Google Cloud'},
+      {slug:'microsoftazure',    name:'Azure'},
+      {slug:'snowflake',         name:'Snowflake'},
+      {slug:'databricks',        name:'Databricks'},
+      {slug:'mongodb',           name:'MongoDB'},
+      {slug:'redis',             name:'Redis'},
+      {slug:'postgresql',        name:'PostgreSQL'},
+      {slug:'elastic',           name:'Elastic'},
+    ],
+    // f-bottom: revenue & ops
+    [
+      {slug:'salesforce',  name:'Salesforce'},
+      {slug:'hubspot',     name:'HubSpot'},
+      {slug:'stripe',      name:'Stripe'},
+      {slug:'shopify',     name:'Shopify'},
+      {slug:'segment',     name:'Segment'},
+      {slug:'mixpanel',    name:'Mixpanel'},
+      {slug:'amplitude',   name:'Amplitude'},
+      {slug:'looker',      name:'Looker'},
+      {slug:'tableau',     name:'Tableau'},
+    ],
+  ];
 
   // ─── build single 6-face cube with 54 individually-positioned tiles
   // Faces: solid dark backdrops so the cube reads opaque even with tile gaps.
-  // Tiles: 54 glass panels, each positioned in 3D and reshapeable on scroll.
+  // Tiles: 54 glass panels, each with a real SaaS vendor logo.
   const FACES = [
     // [name, normal N, in-plane right R, in-plane up U, baseRx, baseRy]
     ['f-front',  [ 0, 0, 1], [ 1, 0, 0], [ 0,-1, 0],   0,   0],
@@ -621,7 +685,6 @@ <h2>One vault. <em>Every</em> renewal.</h2>
     ['f-top',    [ 0,-1, 0], [ 1, 0, 0], [ 0, 0,-1],  90,   0],
     ['f-bottom', [ 0, 1, 0], [ 1, 0, 0], [ 0, 0, 1], -90,   0],
   ];
-  const LETTERS = 'AZSNGFLVRMZGDHJAID'.split('');
 
   // helper: cube edge size in px (set on init + resize)
   function getS(){
@@ -641,20 +704,28 @@ <h2>One vault. <em>Every</em> renewal.</h2>
     cube.appendChild(f);
   });
 
-  // create 54 tiles
+  // create 54 tiles — one vendor logo per tile, 9 per face
   const TILES = [];
-  let tileIdx = 0;
   FACES.forEach(([cls, N, R, U, baseRx, baseRy], fi)=>{
+    const vendors = FACE_VENDORS[fi];
+    let vendorIdx = 0;
     for(let row = 0; row < 3; row++){
       for(let col = 0; col < 3; col++){
         const el = document.createElement('div');
         el.className = 'tile ' + cls;
         const color = AURORA[(fi * 3 + (row + col)) % AURORA.length];
         el.style.setProperty('--glow', color);
-        el.innerHTML =
-          tileHTML(tileIdx) +
-          '<span class="letter">' + LETTERS[tileIdx % LETTERS.length] + '</span>';
+        const v = vendors[vendorIdx % vendors.length];
+        const img = document.createElement('img');
+        img.src = 'https://cdn.simpleicons.org/' + v.slug + '/ffffff';
+        img.alt = v.name;
+        img.width = 40;
+        img.height = 40;
+        img.setAttribute('aria-hidden', 'true');
+        img.setAttribute('loading', 'lazy');
+        el.appendChild(img);
         cube.appendChild(el);
+        vendorIdx++;
 
         // base local 2D offset on the face
         const lx = (col - 1);  // -1, 0, +1  (multiplied by step in updateTilePositions)
@@ -672,8 +743,6 @@ <h2>One vault. <em>Every</em> renewal.</h2>
           baseRx, baseRy,
           sxA, syA, szA, spinMax, stagger,
         });
-
-        tileIdx++;
       }
     }
   });
diff --git a/seed/change-reports.json b/seed/change-reports.json
index 22027e6..e181d72 100644
--- a/seed/change-reports.json
+++ b/seed/change-reports.json
@@ -5,10 +5,13 @@
     "vendorId": "vnd_notion",
     "runId": "run_seed_notion",
     "detectedAt": "2026-05-22T18:42:18Z",
+    "updatedAt": "2026-05-22T18:42:18Z",
+    "version": 1,
     "severity": "P1",
     "state": "new",
     "policyFiredId": "pol_data_retention_pii_shrink",
     "policyAlsoMatched": ["pol_price_hike_near_renewal"],
+    "headline": "Data retention shrunk 90 to 30 days",
     "changes": [
       {
         "id": "d1",
@@ -21,7 +24,7 @@
           {
             "url": "https://notion.so/terms",
             "quote": "User content is retained for thirty (30) days after account deletion.",
-            "section": "§7.2 — Data Retention",
+            "section": "Section 7.2 - Data Retention",
             "fetchedAt": "2026-05-22T18:42:11Z"
           }
         ]
@@ -38,7 +41,7 @@
           {
             "url": "https://notion.so/pricing",
             "quote": "Team plan: $19 per user / month, billed annually.",
-            "section": "Pricing · Team plan",
+            "section": "Pricing - Team plan",
             "fetchedAt": "2026-05-22T18:42:13Z"
           }
         ]
@@ -46,10 +49,11 @@
     ],
     "recommendation": {
       "action": "renegotiate",
-      "copy": "Open renewal conversation; cite §7.2 retention shortfall as material change."
+      "copy": "Open renewal conversation; cite Section 7.2 retention shortfall as material change."
     },
     "sensoUrl": "https://senso.com/r/notion-2026-05-22-retention",
-    "ownerId": "usr_priya"
+    "ownerId": "usr_priya",
+    "lensTags": ["security", "legal", "audit"]
   },
   {
     "id": "chg_seed_stripe_subprocessor",
@@ -57,11 +61,14 @@
     "vendorId": "vnd_stripe",
     "runId": "run_seed_stripe",
     "detectedAt": "2026-05-15T13:08:02Z",
+    "updatedAt": "2026-05-15T16:21:00Z",
+    "version": 2,
     "severity": "P1",
     "state": "acknowledged",
     "acknowledgedAt": "2026-05-15T16:21:00Z",
     "policyFiredId": "pol_subprocessor_added_restricted",
     "policyAlsoMatched": [],
+    "headline": "New sub-processor in India",
     "changes": [
       {
         "id": "d1",
@@ -73,7 +80,7 @@
         "citations": [
           {
             "url": "https://stripe.com/legal/subprocessors",
-            "quote": "TextRecognize Ltd — India — OCR text extraction for identity document validation.",
+            "quote": "TextRecognize Ltd - India - OCR text extraction for identity document validation.",
             "section": "Active sub-processors",
             "fetchedAt": "2026-05-15T13:07:42Z",
             "country": "IN"
@@ -85,6 +92,1100 @@
       "action": "escalate",
       "copy": "Notify Privacy and DPO; assess transfer mechanism for non-adequate jurisdiction."
     },
-    "ownerId": "usr_lin"
+    "ownerId": "usr_lin",
+    "lensTags": ["legal", "security", "audit"]
+  },
+  {
+    "id": "chg_datadog_subprocessor_india",
+    "orgId": "org_acme",
+    "vendorId": "vnd_datadog",
+    "runId": "run_datadog_2026_05_21",
+    "detectedAt": "2026-05-21T09:00:00Z",
+    "updatedAt": "2026-05-21T09:00:00Z",
+    "version": 1,
+    "severity": "P1",
+    "state": "new",
+    "policyFiredId": "pol_subprocessor_added_restricted",
+    "policyAlsoMatched": [],
+    "headline": "Sub-processor added in India",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "subprocessor",
+        "summary": "Sub-processor added: Datadog India Pvt. Ltd (non-adequate jurisdiction)",
+        "before": "Sub-processors are located in: United States, Germany, Ireland.",
+        "after": "Sub-processors are located in: United States, Germany, Ireland, India (Datadog India Pvt. Ltd.).",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://datadoghq.com/legal/sub-processors",
+            "quote": "Datadog India Pvt. Ltd.",
+            "fetchedAt": "2026-05-21T09:00:00Z",
+            "country": "IN"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Notify customers under 30-day DPA clause; assess transfer mechanism for India."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_salesforce_renewal_seats",
+    "orgId": "org_acme",
+    "vendorId": "vnd_salesforce",
+    "runId": "run_salesforce_2026_05_24",
+    "detectedAt": "2026-05-24T10:00:00Z",
+    "updatedAt": "2026-05-24T10:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_seat_overage",
+    "policyAlsoMatched": ["pol_price_hike_near_renewal"],
+    "headline": "Renewal in 47 days, 412 unused of 850 seats",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "412 of 850 seats unused; benchmark shows 12% above market rate",
+        "before": "Current contract: 850 seats at $815,000/yr, renews 2026-07-10.",
+        "after": "Renewal window open. 412 seats idle >90 days. Benchmark: 12% above market rate.",
+        "materiality": "material",
+        "dollarImpact": { "annualUsd": 84000, "pctChange": 12 },
+        "citations": [
+          {
+            "url": "https://salesforce.com/pricing",
+            "quote": "Enterprise Edition seat pricing",
+            "fetchedAt": "2026-05-24T10:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Right-size to 500 seats and negotiate 22% reduction citing utilization data."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["procurement", "finance"]
+  },
+  {
+    "id": "chg_stripe_paymentintent_fee",
+    "orgId": "org_acme",
+    "vendorId": "vnd_stripe",
+    "runId": "run_stripe_2026_05_20",
+    "detectedAt": "2026-05-20T16:30:00Z",
+    "updatedAt": "2026-05-20T16:30:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_near_renewal",
+    "policyAlsoMatched": [],
+    "headline": "New $0.30/PaymentIntent fee added",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "Stripe pricing page added a per-PaymentIntent fee",
+        "before": "2.9% + 30c per successful card charge.",
+        "after": "2.9% + 30c per successful card charge. Additionally, $0.30 per PaymentIntent created regardless of outcome.",
+        "materiality": "material",
+        "dollarImpact": { "annualUsd": 12000, "pctChange": 19 },
+        "citations": [
+          {
+            "url": "https://stripe.com/pricing",
+            "quote": "$0.30 per PaymentIntent created",
+            "fetchedAt": "2026-05-20T16:30:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Engage AE to negotiate waiver of per-intent fee given $250k+ volume tier."
+    },
+    "ownerId": "usr_lin",
+    "lensTags": ["finance", "procurement"]
+  },
+  {
+    "id": "chg_figma_unused_seats",
+    "orgId": "org_acme",
+    "vendorId": "vnd_figma",
+    "runId": "run_figma_2026_05_23",
+    "detectedAt": "2026-05-23T08:15:00Z",
+    "updatedAt": "2026-05-23T08:15:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_seat_overage",
+    "policyAlsoMatched": [],
+    "headline": "18 unused Figma Enterprise seats",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "18 seats with zero sessions in 60 days; $1.8k recoverable",
+        "before": "68 active Figma Enterprise seats across design and product teams.",
+        "after": "50 active / 18 seats with no login activity in 60+ days.",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 1800 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Right-size at next billing cycle; surface to design lead."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["finance", "it"]
+  },
+  {
+    "id": "chg_slack_ai_training",
+    "orgId": "org_acme",
+    "vendorId": "vnd_slack",
+    "runId": "run_slack_2026_05_19",
+    "detectedAt": "2026-05-19T11:00:00Z",
+    "updatedAt": "2026-05-19T11:00:00Z",
+    "version": 1,
+    "severity": "P1",
+    "state": "new",
+    "policyFiredId": "pol_ai_training_optin",
+    "policyAlsoMatched": ["pol_terms_material_change"],
+    "headline": "DPA updated: AI training clause added",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "Slack DPA now permits using customer message data to train Slack AI by default",
+        "before": "Slack will not use Customer Data to train machine learning models.",
+        "after": "Slack may use aggregated, de-identified Customer Data to improve Slack AI features. Customers may opt out via Admin settings.",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://slack.com/dpa",
+            "quote": "Slack may use aggregated, de-identified Customer Data to improve Slack AI features",
+            "fetchedAt": "2026-05-19T11:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Toggle opt-out in admin settings; notify Privacy team and document in DPA register."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_github_copilot_seats",
+    "orgId": "org_acme",
+    "vendorId": "vnd_github",
+    "runId": "run_github_2026_05_19",
+    "detectedAt": "2026-05-19T11:00:00Z",
+    "updatedAt": "2026-05-19T11:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_seat_overage",
+    "policyAlsoMatched": [],
+    "headline": "Copilot Enterprise auto-add: 41 unintended seats",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "GitHub auto-enrolled 41 seats in Copilot Enterprise via policy change",
+        "before": "GitHub Copilot Business: 87 seats (engineering org only).",
+        "after": "GitHub Copilot Enterprise: 128 seats (auto-enrolled all org members via policy change).",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 5000 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Roll back auto-add; downgrade to Business tier; request credit for overage."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["finance", "procurement", "it"]
+  },
+  {
+    "id": "chg_aws_ec2_price",
+    "orgId": "org_acme",
+    "vendorId": "vnd_aws",
+    "runId": "run_aws_2026_05_18",
+    "detectedAt": "2026-05-18T14:00:00Z",
+    "updatedAt": "2026-05-18T14:00:00Z",
+    "version": 1,
+    "severity": "P1",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_renewal_severe",
+    "policyAlsoMatched": ["pol_price_hike_near_renewal"],
+    "headline": "EC2 On-Demand price up 11.2% in us-east-1",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "m6i family On-Demand prices increased 11.2% effective June 1, 2026",
+        "before": "m6i.xlarge On-Demand: $0.192/hr in us-east-1.",
+        "after": "m6i.xlarge On-Demand: $0.2136/hr in us-east-1 (effective June 1, 2026).",
+        "materiality": "material",
+        "dollarImpact": { "annualUsd": 42000, "pctChange": 11.2 },
+        "citations": [
+          {
+            "url": "https://aws.amazon.com/ec2/pricing/on-demand",
+            "quote": "$0.2136 per On-Demand Linux m6i.xlarge Instance Hour",
+            "fetchedAt": "2026-05-18T14:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Negotiate EDP and increase RI coverage to 70% before June 1 increase lands."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["finance", "procurement"]
+  },
+  {
+    "id": "chg_vercel_subprocessor_de",
+    "orgId": "org_acme",
+    "vendorId": "vnd_vercel",
+    "runId": "run_vercel_2026_05_17",
+    "detectedAt": "2026-05-17T10:00:00Z",
+    "updatedAt": "2026-05-17T11:30:00Z",
+    "version": 2,
+    "severity": "P3",
+    "state": "acknowledged",
+    "acknowledgedAt": "2026-05-17T11:30:00Z",
+    "policyFiredId": "pol_subprocessor_added_restricted",
+    "policyAlsoMatched": [],
+    "headline": "Sub-processor added in Germany (EU-adequate)",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "subprocessor",
+        "summary": "Vercel added Hetzner GmbH (Germany) as a sub-processor",
+        "before": "Infrastructure sub-processors: AWS (US), Google Cloud (US/EU).",
+        "after": "Infrastructure sub-processors: AWS (US), Google Cloud (US/EU), Hetzner GmbH (Germany, EU).",
+        "materiality": "minor",
+        "citations": [
+          {
+            "url": "https://vercel.com/legal/sub-processors",
+            "quote": "Hetzner GmbH, Germany",
+            "fetchedAt": "2026-05-17T10:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "EU-adequate; no customer notification required. Log in sub-processor registry."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_okta_soc2_expiring",
+    "orgId": "org_acme",
+    "vendorId": "vnd_okta",
+    "runId": "run_okta_2026_05_24",
+    "detectedAt": "2026-05-24T08:00:00Z",
+    "updatedAt": "2026-05-24T08:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_soc2_expired",
+    "policyAlsoMatched": [],
+    "headline": "SOC 2 Type II expires in 60 days",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "security",
+        "summary": "Okta SOC 2 cert expires 2026-07-23; renewal audit in progress",
+        "before": "Okta SOC 2 Type II (Period: 2025-07-24 to 2026-07-23) - Valid.",
+        "after": "Okta SOC 2 Type II - Expires in 60 days (2026-07-23). Renewal audit in progress.",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://trust.okta.com",
+            "quote": "SOC 2 Type II report valid through July 23, 2026",
+            "fetchedAt": "2026-05-24T08:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Confirm renewal timeline with Okta TAM; flag for auditor compliance review."
+    },
+    "ownerId": "usr_marcus",
+    "lensTags": ["security", "audit", "legal"]
+  },
+  {
+    "id": "chg_hubspot_renewal",
+    "orgId": "org_acme",
+    "vendorId": "vnd_hubspot",
+    "runId": "run_hubspot_2026_05_24",
+    "detectedAt": "2026-05-24T10:00:00Z",
+    "updatedAt": "2026-05-24T10:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_near_renewal",
+    "policyAlsoMatched": [],
+    "headline": "Renewal in 89 days, negotiate before Q3 freeze",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "Marketing Hub Professional renewal window opens; HubSpot Q3 price hike pattern",
+        "before": "HubSpot Marketing Hub Professional: $116,000/yr, renews 2026-10-22.",
+        "after": "Renewal window open. HubSpot historically increases prices in Q3; negotiate now.",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 24000 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Lock pre-freeze rate; offer 2-year commit for stability."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["procurement", "finance"]
+  },
+  {
+    "id": "chg_adobe_duplicate_figma",
+    "orgId": "org_acme",
+    "vendorId": "vnd_adobe",
+    "runId": "run_adobe_2026_05_16",
+    "detectedAt": "2026-05-16T08:00:00Z",
+    "updatedAt": "2026-05-16T08:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_seat_overage",
+    "policyAlsoMatched": [],
+    "headline": "24 Adobe CC seats redundant with Figma",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "24 Adobe seats overlap with Figma assignments; $8.4k recoverable",
+        "before": "Adobe Creative Cloud All Apps: 24 seats in design team.",
+        "after": "24 seats unused >90 days; team fully migrated to Figma. Duplicate tool overlap detected.",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 8400 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Drop overlap seats at next renewal; consolidate on Figma."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["finance", "it", "procurement"]
+  },
+  {
+    "id": "chg_cloudflare_sla_drop",
+    "orgId": "org_acme",
+    "vendorId": "vnd_cloudflare",
+    "runId": "run_cloudflare_2026_05_14",
+    "detectedAt": "2026-05-14T09:00:00Z",
+    "updatedAt": "2026-05-14T09:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "snoozed",
+    "snoozedUntil": "2026-06-01T00:00:00Z",
+    "policyFiredId": "pol_sla_degradation",
+    "policyAlsoMatched": [],
+    "headline": "Workers SLA reduced from 99.99% to 99.9%",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "sla",
+        "summary": "Workers monthly uptime SLA dropped 0.09 percentage points",
+        "before": "Workers monthly uptime SLA: 99.99%.",
+        "after": "Workers monthly uptime SLA: 99.9%.",
+        "materiality": "minor",
+        "citations": [
+          {
+            "url": "https://cloudflare.com/business-sla",
+            "quote": "99.9% monthly uptime",
+            "fetchedAt": "2026-05-14T09:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Document; monitor real-world uptime over next 90 days before escalating."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["it", "procurement"]
+  },
+  {
+    "id": "chg_snowflake_storage_price",
+    "orgId": "org_acme",
+    "vendorId": "vnd_snowflake",
+    "runId": "run_snowflake_2026_05_12",
+    "detectedAt": "2026-05-12T15:00:00Z",
+    "updatedAt": "2026-05-12T15:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_near_renewal",
+    "policyAlsoMatched": [],
+    "headline": "Storage credit price up 8%",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "On-demand storage price per credit increased 8%",
+        "before": "On-demand storage: $40/TB/month",
+        "after": "On-demand storage: $43.20/TB/month (effective Jul 1, 2026)",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 18500, "pctChange": 8 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Lock pre-increase rate via 3-year capacity commit; reduce cold storage footprint."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["finance", "procurement"]
+  },
+  {
+    "id": "chg_auth0_pricing_tier",
+    "orgId": "org_acme",
+    "vendorId": "vnd_auth0",
+    "runId": "run_auth0_2026_05_10",
+    "detectedAt": "2026-05-10T11:15:00Z",
+    "updatedAt": "2026-05-12T14:30:00Z",
+    "version": 2,
+    "severity": "P2",
+    "state": "acknowledged",
+    "acknowledgedAt": "2026-05-12T14:30:00Z",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "B2C MAU pricing tier added",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "New MAU-based pricing band introduced above 7,500 MAU",
+        "before": "B2C tier flat at $228/mo up to 10,000 MAU.",
+        "after": "B2C tier: $228/mo up to 7,500 MAU; $0.04/MAU above 7,500.",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 4800, "pctChange": 6.7 }
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Current usage below threshold; monitor monthly MAU and revisit if breaches band."
+    },
+    "ownerId": "usr_marcus",
+    "lensTags": ["finance"]
+  },
+  {
+    "id": "chg_linear_terms",
+    "orgId": "org_acme",
+    "vendorId": "vnd_linear",
+    "runId": "run_linear_2026_05_08",
+    "detectedAt": "2026-05-08T10:00:00Z",
+    "updatedAt": "2026-05-08T10:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_dpa_version_bumped",
+    "policyAlsoMatched": [],
+    "headline": "DPA bumped to v2.4",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "Linear DPA revision adds clarification on sub-processor change notice",
+        "before": "Linear DPA v2.3 (2024-09-12).",
+        "after": "Linear DPA v2.4 (2026-05-08) - sub-processor change notice clarified to 30 days.",
+        "materiality": "cosmetic",
+        "citations": [
+          {
+            "url": "https://linear.app/dpa",
+            "quote": "v2.4 (2026-05-08)",
+            "fetchedAt": "2026-05-08T10:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Replace stored DPA version; no other action needed."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal"]
+  },
+  {
+    "id": "chg_zoom_subprocessor_cn",
+    "orgId": "org_acme",
+    "vendorId": "vnd_zoom",
+    "runId": "run_zoom_2026_05_07",
+    "detectedAt": "2026-05-07T13:45:00Z",
+    "updatedAt": "2026-05-09T16:00:00Z",
+    "version": 3,
+    "severity": "P1",
+    "state": "resolved",
+    "resolvedAt": "2026-05-09T16:00:00Z",
+    "resolution": "renegotiated",
+    "policyFiredId": "pol_subprocessor_added_restricted",
+    "policyAlsoMatched": [],
+    "headline": "China engineering retained as sub-processor",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "subprocessor",
+        "summary": "Zoom retained China-based engineering team as sub-processor for R&D",
+        "before": "R&D sub-processors: United States, India.",
+        "after": "R&D sub-processors: United States, India, China (Zoom China Engineering).",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://zoom.us/subprocessors",
+            "quote": "Zoom China Engineering",
+            "fetchedAt": "2026-05-07T13:45:00Z",
+            "country": "CN"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Confirmed customer data routed only via US; negotiated regional contract terms."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal", "security", "audit"]
+  },
+  {
+    "id": "chg_zendesk_subprocessor_vn",
+    "orgId": "org_acme",
+    "vendorId": "vnd_zendesk",
+    "runId": "run_zendesk_2026_04_02",
+    "detectedAt": "2026-04-02T10:00:00Z",
+    "updatedAt": "2026-04-02T10:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "snoozed",
+    "snoozedUntil": "2026-06-15T00:00:00Z",
+    "policyFiredId": "pol_subprocessor_added_restricted",
+    "policyAlsoMatched": [],
+    "headline": "Sub-processor added: Vietnam BPO",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "subprocessor",
+        "summary": "Zendesk added Bluestar BPO Vietnam for tier-2 support",
+        "before": "Support sub-processors: US, Ireland, Philippines.",
+        "after": "Support sub-processors: US, Ireland, Philippines, Vietnam (Bluestar BPO).",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://zendesk.com/subprocessors",
+            "quote": "Bluestar BPO Vietnam",
+            "fetchedAt": "2026-04-02T10:00:00Z",
+            "country": "VN"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Schedule customer notice draft; verify SCCs in current Zendesk DPA."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_intercom_terms_dispute",
+    "orgId": "org_acme",
+    "vendorId": "vnd_intercom",
+    "runId": "run_intercom_2026_05_06",
+    "detectedAt": "2026-05-06T09:30:00Z",
+    "updatedAt": "2026-05-06T09:30:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "Arbitration venue moved to Dublin",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "Dispute resolution venue moved from Delaware to Dublin, Ireland",
+        "before": "All disputes resolved through arbitration in Wilmington, Delaware.",
+        "after": "All disputes resolved through arbitration in Dublin, Ireland under Irish law.",
+        "materiality": "minor",
+        "citations": [
+          {
+            "url": "https://intercom.com/terms",
+            "quote": "Dublin, Ireland",
+            "fetchedAt": "2026-05-06T09:30:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Legal review required; assess venue cost and procedural impact."
+    },
+    "ownerId": "usr_lin",
+    "lensTags": ["legal"]
+  },
+  {
+    "id": "chg_mongodb_sla_credits",
+    "orgId": "org_acme",
+    "vendorId": "vnd_mongodb",
+    "runId": "run_mongodb_2026_05_05",
+    "detectedAt": "2026-05-05T16:00:00Z",
+    "updatedAt": "2026-05-05T16:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_sla_degradation",
+    "policyAlsoMatched": [],
+    "headline": "SLA credit cap reduced to 25% MRC",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "sla",
+        "summary": "Maximum monthly SLA credit cap reduced from 50% to 25% of MRC",
+        "before": "Maximum monthly credit: 50% of monthly recurring charges.",
+        "after": "Maximum monthly credit: 25% of monthly recurring charges.",
+        "materiality": "minor",
+        "citations": [
+          {
+            "url": "https://mongodb.com/legal/sla",
+            "quote": "25%",
+            "fetchedAt": "2026-05-05T16:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Document new cap in vendor risk register; monitor over next cycle."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["it", "legal"]
+  },
+  {
+    "id": "chg_mixpanel_data_use",
+    "orgId": "org_acme",
+    "vendorId": "vnd_mixpanel",
+    "runId": "run_mixpanel_2026_05_04",
+    "detectedAt": "2026-05-04T08:00:00Z",
+    "updatedAt": "2026-05-04T08:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_ai_training_optin",
+    "policyAlsoMatched": ["pol_terms_material_change"],
+    "headline": "Customer event data may train Mixpanel AI",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "data",
+        "summary": "Mixpanel terms now permit using aggregated event data to train internal AI models",
+        "before": "Customer event data used only to provide analytics services.",
+        "after": "Mixpanel may use aggregated event data to train internal AI models. Opt-out available via Account Settings.",
+        "materiality": "material"
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "Toggle opt-out; review PII fields in event payload before opt-in default applies."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_dropbox_security_disclosure",
+    "orgId": "org_acme",
+    "vendorId": "vnd_dropbox",
+    "runId": "run_dropbox_2026_05_03",
+    "detectedAt": "2026-05-03T12:00:00Z",
+    "updatedAt": "2026-05-04T09:00:00Z",
+    "version": 2,
+    "severity": "P2",
+    "state": "acknowledged",
+    "acknowledgedAt": "2026-05-04T09:00:00Z",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "Encryption-at-rest now AES-256-GCM",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "security",
+        "summary": "Default encryption-at-rest upgraded from AES-128 to AES-256-GCM",
+        "before": "Files at rest encrypted with AES-128.",
+        "after": "Files at rest encrypted with AES-256-GCM. Existing files migrated by 2026-06-01.",
+        "materiality": "minor"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Acknowledge improvement; reference in security register."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["security", "audit"]
+  },
+  {
+    "id": "chg_sentry_subprocessor",
+    "orgId": "org_acme",
+    "vendorId": "vnd_sentry",
+    "runId": "run_sentry_2026_05_02",
+    "detectedAt": "2026-05-02T10:30:00Z",
+    "updatedAt": "2026-05-02T10:30:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "acknowledged",
+    "acknowledgedAt": "2026-05-02T15:00:00Z",
+    "policyFiredId": "pol_subprocessor_added_restricted",
+    "policyAlsoMatched": [],
+    "headline": "Added Datadog as sub-processor",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "subprocessor",
+        "summary": "Sentry added Datadog (US) for observability — EU-adequate by SCCs",
+        "before": "Observability sub-processors: New Relic.",
+        "after": "Observability sub-processors: New Relic, Datadog.",
+        "materiality": "cosmetic",
+        "citations": [
+          {
+            "url": "https://sentry.io/legal/subprocessors",
+            "quote": "Datadog",
+            "fetchedAt": "2026-05-02T10:30:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Log in sub-processor register; no customer notification required."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_pagerduty_sla_change",
+    "orgId": "org_acme",
+    "vendorId": "vnd_pagerduty",
+    "runId": "run_pagerduty_2026_05_01",
+    "detectedAt": "2026-05-01T11:00:00Z",
+    "updatedAt": "2026-05-01T11:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "snoozed",
+    "snoozedUntil": "2026-07-01T00:00:00Z",
+    "policyFiredId": "pol_sla_degradation",
+    "policyAlsoMatched": [],
+    "headline": "Notification delivery SLA reduced",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "sla",
+        "summary": "Median notification delivery target relaxed from 5s to 8s",
+        "before": "Median notification delivery target: 5 seconds.",
+        "after": "Median notification delivery target: 8 seconds.",
+        "materiality": "minor"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Document for IT; not material for current paging volume."
+    },
+    "ownerId": "usr_devon",
+    "lensTags": ["it"]
+  },
+  {
+    "id": "chg_asana_renewal_terms",
+    "orgId": "org_acme",
+    "vendorId": "vnd_asana",
+    "runId": "run_asana_2026_04_28",
+    "detectedAt": "2026-04-28T09:00:00Z",
+    "updatedAt": "2026-04-28T09:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "resolved",
+    "resolvedAt": "2026-05-02T14:00:00Z",
+    "resolution": "accepted",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "Auto-renewal default flipped to ON",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "Master agreement auto-renewal default flipped to ON for new subscriptions",
+        "before": "Subscriptions do not auto-renew unless customer opts in.",
+        "after": "Subscriptions auto-renew unless customer opts out in writing 30 days prior.",
+        "materiality": "minor"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Existing contract unaffected; flag for renewal cycle review."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal", "procurement"]
+  },
+  {
+    "id": "chg_jira_pricing_band",
+    "orgId": "org_acme",
+    "vendorId": "vnd_jira",
+    "runId": "run_jira_2026_04_27",
+    "detectedAt": "2026-04-27T16:30:00Z",
+    "updatedAt": "2026-04-27T16:30:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_near_renewal",
+    "policyAlsoMatched": [],
+    "headline": "Premium tier seat price up 12%",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "Premium per-user price moves from $14.50 to $16.25/mo",
+        "before": "Premium per-user: $14.50/mo (51-100 users).",
+        "after": "Premium per-user: $16.25/mo (51-100 users).",
+        "materiality": "material",
+        "dollarImpact": { "annualUsd": 10080, "pctChange": 12 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Lock current rate via 2-year commit; downgrade non-PMs to Standard."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["procurement", "finance"]
+  },
+  {
+    "id": "chg_airtable_data_residency",
+    "orgId": "org_acme",
+    "vendorId": "vnd_airtable",
+    "runId": "run_airtable_2026_04_25",
+    "detectedAt": "2026-04-25T10:00:00Z",
+    "updatedAt": "2026-04-25T10:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "EU data residency removed from Business tier",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "data",
+        "summary": "Business tier no longer guarantees EU data residency; moved to Enterprise tier",
+        "before": "EU data residency available on Business and Enterprise tiers.",
+        "after": "EU data residency available on Enterprise tier only.",
+        "materiality": "material",
+        "citations": [
+          {
+            "url": "https://airtable.com/security",
+            "quote": "EU residency available on Enterprise plan only",
+            "fetchedAt": "2026-04-25T10:00:00Z"
+          }
+        ]
+      }
+    ],
+    "recommendation": {
+      "action": "escalate",
+      "copy": "EU customers affected; assess upgrade cost vs. alternate vendor."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal", "security", "audit"]
+  },
+  {
+    "id": "chg_1password_renewal_terms",
+    "orgId": "org_acme",
+    "vendorId": "vnd_1password",
+    "runId": "run_1password_2026_04_22",
+    "detectedAt": "2026-04-22T09:00:00Z",
+    "updatedAt": "2026-04-22T09:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "acknowledged",
+    "acknowledgedAt": "2026-04-22T14:30:00Z",
+    "policyFiredId": "pol_dpa_version_bumped",
+    "policyAlsoMatched": [],
+    "headline": "DPA bumped to v3.1 (FedRAMP additions)",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "DPA revision adds FedRAMP-aligned controls language",
+        "before": "1Password DPA v3.0.",
+        "after": "1Password DPA v3.1 (adds FedRAMP-aligned controls).",
+        "materiality": "cosmetic"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Replace stored DPA version; no further action."
+    },
+    "ownerId": "usr_marcus",
+    "lensTags": ["legal", "audit"]
+  },
+  {
+    "id": "chg_zoom_pricing_video",
+    "orgId": "org_acme",
+    "vendorId": "vnd_zoom",
+    "runId": "run_zoom_2026_04_20",
+    "detectedAt": "2026-04-20T10:00:00Z",
+    "updatedAt": "2026-04-20T10:00:00Z",
+    "version": 1,
+    "severity": "P2",
+    "state": "new",
+    "policyFiredId": "pol_price_hike_near_renewal",
+    "policyAlsoMatched": [],
+    "headline": "Workspace plan price up 7.5%",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "pricing",
+        "summary": "Workspace plan moves from $26.99 to $29/mo per host",
+        "before": "Workspace plan: $26.99/mo per host.",
+        "after": "Workspace plan: $29/mo per host (effective Jul 1, 2026).",
+        "materiality": "minor",
+        "dollarImpact": { "annualUsd": 7200, "pctChange": 7.5 }
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Lock current price via 2-year commit ahead of Jul 1 increase."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["finance", "procurement"]
+  },
+  {
+    "id": "chg_calendly_sso_required",
+    "orgId": "org_acme",
+    "vendorId": "vnd_calendly",
+    "runId": "run_calendly_2026_04_18",
+    "detectedAt": "2026-04-18T11:00:00Z",
+    "updatedAt": "2026-04-18T11:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "SSO moves to Teams tier",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "security",
+        "summary": "SAML SSO restricted to Teams tier; legacy SSO users grandfathered for 90 days",
+        "before": "SAML SSO available on Pro and above.",
+        "after": "SAML SSO available on Teams and above; existing Pro SSO customers grandfathered until 2026-07-18.",
+        "materiality": "minor"
+      }
+    ],
+    "recommendation": {
+      "action": "renegotiate",
+      "copy": "Upgrade to Teams or migrate SSO-locked users; assess cost delta."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["security", "it"]
+  },
+  {
+    "id": "chg_posthog_eu_hosting",
+    "orgId": "org_acme",
+    "vendorId": "vnd_posthog",
+    "runId": "run_posthog_2026_04_15",
+    "detectedAt": "2026-04-15T10:00:00Z",
+    "updatedAt": "2026-04-15T10:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "resolved",
+    "resolvedAt": "2026-04-17T10:00:00Z",
+    "resolution": "accepted",
+    "policyFiredId": "pol_terms_material_change",
+    "policyAlsoMatched": [],
+    "headline": "EU hosting region added",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "data",
+        "summary": "PostHog launched EU cloud region; opt-in via dashboard",
+        "before": "PostHog Cloud hosted in US only.",
+        "after": "PostHog Cloud available in US and EU regions; data residency selectable per project.",
+        "materiality": "cosmetic"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Migrate EU customer projects to EU region; document residency policy."
+    },
+    "ownerId": "usr_jordan",
+    "lensTags": ["legal", "security"]
+  },
+  {
+    "id": "chg_miro_sla_uptime",
+    "orgId": "org_acme",
+    "vendorId": "vnd_miro",
+    "runId": "run_miro_2026_04_12",
+    "detectedAt": "2026-04-12T09:00:00Z",
+    "updatedAt": "2026-04-12T09:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_sla_degradation",
+    "policyAlsoMatched": [],
+    "headline": "Uptime SLA cap on planned maintenance",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "sla",
+        "summary": "Planned maintenance hours now excluded from uptime SLA calculation",
+        "before": "All downtime counted toward 99.9% monthly uptime target.",
+        "after": "Planned maintenance (up to 4 hours/month) excluded from uptime calculation.",
+        "materiality": "minor"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Track maintenance windows; flag any breach pattern."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["it"]
+  },
+  {
+    "id": "chg_loom_dpa_update",
+    "orgId": "org_acme",
+    "vendorId": "vnd_loom",
+    "runId": "run_loom_2026_04_10",
+    "detectedAt": "2026-04-10T16:00:00Z",
+    "updatedAt": "2026-04-10T16:00:00Z",
+    "version": 1,
+    "severity": "P3",
+    "state": "new",
+    "policyFiredId": "pol_dpa_version_bumped",
+    "policyAlsoMatched": [],
+    "headline": "DPA revised, adds AI transcription clause",
+    "changes": [
+      {
+        "id": "d1",
+        "category": "terms",
+        "summary": "DPA revision introduces transcription processing language",
+        "before": "Loom DPA v1.4.",
+        "after": "Loom DPA v1.5 - adds AI transcription processing language with opt-out.",
+        "materiality": "cosmetic"
+      }
+    ],
+    "recommendation": {
+      "action": "accept",
+      "copy": "Configure transcription opt-out at workspace level; document."
+    },
+    "ownerId": "usr_priya",
+    "lensTags": ["legal"]
   }
 ]
diff --git a/seed/customer-contracts.json b/seed/customer-contracts.json
new file mode 100644
index 0000000..8a3db70
--- /dev/null
+++ b/seed/customer-contracts.json
@@ -0,0 +1,17 @@
+[
+  { "id": "ccon_001", "customerId": "cust_001", "customerName": "Acme Corp",          "contractId": "contract_001", "domain": "acme.com",         "contractStart": "2024-04-01", "contractEnd": "2026-03-31", "annualValueUsd": 240000, "dataResidency": "US", "dpaClause": "Section 8.3 Sub-processor Changes", "noticeDays": 30, "notifiedSubProcessors": ["TextRecognize Ltd"] },
+  { "id": "ccon_002", "customerId": "cust_002", "customerName": "TechStart",          "contractId": "contract_005", "domain": "techstart.io",     "contractStart": "2025-01-15", "contractEnd": "2027-01-14", "annualValueUsd": 120000, "dataResidency": "US", "dpaClause": "Section 6.2 Sub-processor Notification", "noticeDays": 30, "notifiedSubProcessors": ["TextRecognize Ltd"] },
+  { "id": "ccon_003", "customerId": "cust_003", "customerName": "BigBank",            "contractId": "contract_012", "domain": "bigbank.com",      "contractStart": "2023-07-01", "contractEnd": "2026-06-30", "annualValueUsd": 480000, "dataResidency": "US", "dpaClause": "Section 9.1 Data Processor Changes", "noticeDays": 30, "notifiedSubProcessors": ["TextRecognize Ltd"] },
+  { "id": "ccon_004", "customerId": "cust_004", "customerName": "HealthNet",          "contractId": "contract_019", "domain": "healthnet.org",    "contractStart": "2024-09-01", "contractEnd": "2027-08-31", "annualValueUsd": 360000, "dataResidency": "US", "dpaClause": "Section 7.4 Sub-processor Amendments", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_005", "customerId": "cust_005", "customerName": "RetailCo",           "contractId": "contract_023", "domain": "retailco.com",     "contractStart": "2025-03-10", "contractEnd": "2027-03-09", "annualValueUsd": 144000, "dataResidency": "US", "dpaClause": "Section 5.8 Third-party Processors", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_006", "customerId": "cust_006", "customerName": "EduPlatform",       "contractId": "contract_031", "domain": "eduplatform.net",  "contractStart": "2024-11-01", "contractEnd": "2026-10-31", "annualValueUsd": 96000, "dataResidency": "EU", "dpaClause": "Section 4.3 Sub-processor Disclosure", "noticeDays": 45, "notifiedSubProcessors": [] },
+  { "id": "ccon_007", "customerId": "cust_007", "customerName": "MediaGroup",         "contractId": "contract_038", "domain": "mediagroup.tv",    "contractStart": "2024-06-15", "contractEnd": "2026-06-14", "annualValueUsd": 180000, "dataResidency": "EU", "dpaClause": "Section 11.2 Data Transfers", "noticeDays": 45, "notifiedSubProcessors": [] },
+  { "id": "ccon_008", "customerId": "cust_008", "customerName": "LogiCorp",           "contractId": "contract_044", "domain": "logicorp.eu",      "contractStart": "2025-02-01", "contractEnd": "2027-01-31", "annualValueUsd": 132000, "dataResidency": "EU", "dpaClause": "Section 8.1 Sub-processor Registry", "noticeDays": 45, "notifiedSubProcessors": [] },
+  { "id": "ccon_009", "customerId": "cust_009", "customerName": "FinServ Ltd",       "contractId": "contract_052", "domain": "finserv.co.uk",    "contractStart": "2024-12-01", "contractEnd": "2027-11-30", "annualValueUsd": 300000, "dataResidency": "UK", "dpaClause": "Section 6.5 Processor Amendments", "noticeDays": 60, "notifiedSubProcessors": [] },
+  { "id": "ccon_010", "customerId": "cust_010", "customerName": "AutoDrive",          "contractId": "contract_058", "domain": "autodrive.io",     "contractStart": "2025-04-20", "contractEnd": "2027-04-19", "annualValueUsd": 84000, "dataResidency": "US", "dpaClause": "Section 9.3 Sub-processor Changes", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_011", "customerId": "cust_011", "customerName": "CloudNine Inc",      "contractId": "contract_067", "domain": "cloudnine.com",    "contractStart": "2024-08-01", "contractEnd": "2026-07-31", "annualValueUsd": 156000, "dataResidency": "US", "dpaClause": "Section 7.1 Third-party Processors", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_012", "customerId": "cust_012", "customerName": "PharmaCore",         "contractId": "contract_073", "domain": "pharmacore.com",   "contractStart": "2023-10-01", "contractEnd": "2026-09-30", "annualValueUsd": 420000, "dataResidency": "US", "dpaClause": "Section 10.2 Sub-processor Audit", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_013", "customerId": "cust_013", "customerName": "NorthWind",          "contractId": "contract_081", "domain": "northwind.com",    "contractStart": "2025-05-05", "contractEnd": "2027-05-04", "annualValueUsd": 72000, "dataResidency": "US", "dpaClause": "Section 6.6 Sub-processor Notification", "noticeDays": 30, "notifiedSubProcessors": [] },
+  { "id": "ccon_014", "customerId": "cust_014", "customerName": "BrightWorks GmbH",   "contractId": "contract_088", "domain": "brightworks.de",   "contractStart": "2024-03-15", "contractEnd": "2027-03-14", "annualValueUsd": 192000, "dataResidency": "EU", "dpaClause": "Section 5.2 Sub-processor Changes", "noticeDays": 45, "notifiedSubProcessors": [] },
+  { "id": "ccon_015", "customerId": "cust_015", "customerName": "Sapphire Trading",   "contractId": "contract_094", "domain": "sapphire.sg",      "contractStart": "2025-06-01", "contractEnd": "2027-05-31", "annualValueUsd": 96000, "dataResidency": "APAC", "dpaClause": "Section 9.4 Cross-Border Transfers", "noticeDays": 45, "notifiedSubProcessors": [] }
+]
diff --git a/seed/integrations.json b/seed/integrations.json
new file mode 100644
index 0000000..f48b556
--- /dev/null
+++ b/seed/integrations.json
@@ -0,0 +1,406 @@
+[
+  {
+    "id": "int_google_workspace",
+    "name": "Google Workspace",
+    "slug": "google-workspace",
+    "category": "inbound",
+    "description": "Discover vendors from email headers, calendar attachments, and Drive share links.",
+    "authType": "oauth",
+    "iconSlug": "google",
+    "iconColor": "#4285F4",
+    "requiredFields": [
+      { "key": "workspaceDomain", "label": "Workspace domain", "placeholder": "acme.dev" }
+    ],
+    "defaultScopes": ["directory.read", "gmail.metadata", "calendar.read"],
+    "connected": true
+  },
+  {
+    "id": "int_microsoft365",
+    "name": "Microsoft 365",
+    "slug": "microsoft-365",
+    "category": "inbound",
+    "description": "Discover vendors from Outlook, Teams attachments, and SharePoint sharing.",
+    "authType": "oauth",
+    "iconSlug": "microsoft365",
+    "iconColor": "#D83B01",
+    "requiredFields": [
+      { "key": "tenantId", "label": "Microsoft 365 tenant ID", "placeholder": "00000000-0000-0000-0000-000000000000" }
+    ],
+    "defaultScopes": ["Directory.Read.All", "Mail.ReadBasic", "Calendars.Read"],
+    "connected": false
+  },
+  {
+    "id": "int_okta_saml",
+    "name": "Okta SAML",
+    "slug": "okta-saml",
+    "category": "inbound",
+    "description": "Pull SSO app catalog and usage telemetry from Okta.",
+    "authType": "saml",
+    "iconSlug": "okta",
+    "iconColor": "#007DC1",
+    "requiredFields": [
+      { "key": "oktaDomain", "label": "Okta domain", "placeholder": "acme.okta.com" },
+      { "key": "metadataUrl", "label": "SAML metadata URL", "placeholder": "https://acme.okta.com/app/.../sso/saml/metadata" }
+    ],
+    "defaultScopes": ["apps.read", "logs.read"],
+    "connected": false
+  },
+  {
+    "id": "int_azure_ad",
+    "name": "Azure AD",
+    "slug": "azure-ad",
+    "category": "inbound",
+    "description": "Discover Azure AD SaaS apps and sign-in activity.",
+    "authType": "oauth",
+    "iconSlug": "microsoftazure",
+    "iconColor": "#0078D4",
+    "requiredFields": [
+      { "key": "tenantId", "label": "Azure tenant ID", "placeholder": "00000000-0000-0000-0000-000000000000" }
+    ],
+    "defaultScopes": ["Application.Read.All", "AuditLog.Read.All"],
+    "connected": false
+  },
+  {
+    "id": "int_brex",
+    "name": "Brex",
+    "slug": "brex",
+    "category": "inbound",
+    "description": "Sync expense, card, and vendor invoice data from Brex.",
+    "authType": "api-key",
+    "iconSlug": "brex",
+    "iconColor": "#000000",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Brex API token", "placeholder": "brex_token_...", "sensitive": true }
+    ],
+    "defaultScopes": ["expenses.read", "vendors.read"],
+    "connected": false
+  },
+  {
+    "id": "int_ramp",
+    "name": "Ramp",
+    "slug": "ramp",
+    "category": "inbound",
+    "description": "Pull card transactions and bill-pay history from Ramp.",
+    "authType": "api-key",
+    "iconSlug": "ramp",
+    "iconColor": "#FFD600",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Ramp API key", "placeholder": "ramp_...", "sensitive": true },
+      { "key": "businessId", "label": "Ramp business ID", "placeholder": "biz_...", "optional": true }
+    ],
+    "defaultScopes": ["transactions.read", "bills.read"],
+    "connected": false
+  },
+  {
+    "id": "int_netsuite",
+    "name": "NetSuite",
+    "slug": "netsuite",
+    "category": "inbound",
+    "description": "Read vendor records, POs, and invoices from NetSuite ERP.",
+    "authType": "oauth",
+    "iconSlug": "netsuite",
+    "iconColor": "#127BC4",
+    "requiredFields": [
+      { "key": "accountId", "label": "NetSuite account ID", "placeholder": "1234567" }
+    ],
+    "defaultScopes": ["vendor.read", "transaction.read"],
+    "connected": false
+  },
+  {
+    "id": "int_quickbooks",
+    "name": "QuickBooks",
+    "slug": "quickbooks",
+    "category": "inbound",
+    "description": "Sync vendor bills and payments from QuickBooks Online.",
+    "authType": "oauth",
+    "iconSlug": "quickbooks",
+    "iconColor": "#2CA01C",
+    "requiredFields": [
+      { "key": "realmId", "label": "QuickBooks realm ID", "placeholder": "1234567890" }
+    ],
+    "defaultScopes": ["accounting.read"],
+    "connected": false
+  },
+  {
+    "id": "int_xero",
+    "name": "Xero",
+    "slug": "xero",
+    "category": "inbound",
+    "description": "Pull vendor bills and invoices from Xero accounting.",
+    "authType": "oauth",
+    "iconSlug": "xero",
+    "iconColor": "#13B5EA",
+    "requiredFields": [
+      { "key": "organizationId", "label": "Xero organization ID", "placeholder": "00000000-..." }
+    ],
+    "defaultScopes": ["accounting.contacts.read", "accounting.transactions.read"],
+    "connected": false
+  },
+  {
+    "id": "int_workday",
+    "name": "Workday",
+    "slug": "workday",
+    "category": "inbound",
+    "description": "Pull headcount and seat-eligibility data from Workday.",
+    "authType": "oauth",
+    "iconSlug": "workday",
+    "iconColor": "#FF6D00",
+    "requiredFields": [
+      { "key": "tenant", "label": "Workday tenant", "placeholder": "acme_corp" },
+      { "key": "host", "label": "Workday host", "placeholder": "https://wd5.myworkday.com" }
+    ],
+    "defaultScopes": ["worker.read"],
+    "connected": false
+  },
+  {
+    "id": "int_bamboohr",
+    "name": "BambooHR",
+    "slug": "bamboohr",
+    "category": "inbound",
+    "description": "Sync headcount and department mapping from BambooHR.",
+    "authType": "api-key",
+    "iconSlug": "bamboohr",
+    "iconColor": "#7ED321",
+    "requiredFields": [
+      { "key": "subdomain", "label": "BambooHR subdomain", "placeholder": "acme" },
+      { "key": "apiKey", "label": "BambooHR API key", "sensitive": true }
+    ],
+    "defaultScopes": ["employees.read"],
+    "connected": false
+  },
+  {
+    "id": "int_lattice",
+    "name": "Lattice",
+    "slug": "lattice",
+    "category": "inbound",
+    "description": "Pull employee directory for tool ownership mapping.",
+    "authType": "api-key",
+    "iconSlug": "lattice",
+    "iconColor": "#5E5CE6",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Lattice API key", "sensitive": true }
+    ],
+    "defaultScopes": ["users.read"],
+    "connected": false
+  },
+  {
+    "id": "int_stripe",
+    "name": "Stripe",
+    "slug": "stripe",
+    "category": "inbound",
+    "description": "Pull vendor charges and subscription lifecycle from Stripe billing.",
+    "authType": "api-key",
+    "iconSlug": "stripe",
+    "iconColor": "#635BFF",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Stripe restricted API key", "placeholder": "rk_live_...", "sensitive": true }
+    ],
+    "defaultScopes": ["charges.read", "subscriptions.read"],
+    "connected": false
+  },
+  {
+    "id": "int_datadog",
+    "name": "Datadog",
+    "slug": "datadog",
+    "category": "inbound",
+    "description": "Ingest vendor usage metrics from Datadog dashboards.",
+    "authType": "api-key",
+    "iconSlug": "datadog",
+    "iconColor": "#632CA6",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Datadog API key", "sensitive": true },
+      { "key": "appKey", "label": "Datadog application key", "sensitive": true },
+      { "key": "site", "label": "Datadog site", "placeholder": "datadoghq.com" }
+    ],
+    "defaultScopes": ["metrics.read", "logs.read"],
+    "connected": false
+  },
+  {
+    "id": "int_snowflake",
+    "name": "Snowflake",
+    "slug": "snowflake",
+    "category": "inbound",
+    "description": "Read warehouse credit usage and vendor cost attribution from Snowflake.",
+    "authType": "api-key",
+    "iconSlug": "snowflake",
+    "iconColor": "#29B5E8",
+    "requiredFields": [
+      { "key": "accountUrl", "label": "Snowflake account URL", "placeholder": "acme.snowflakecomputing.com" },
+      { "key": "user", "label": "Snowflake user" },
+      { "key": "privateKey", "label": "Snowflake private key", "sensitive": true }
+    ],
+    "defaultScopes": ["warehouse.usage.read"],
+    "connected": false
+  },
+  {
+    "id": "int_aws_cost_explorer",
+    "name": "AWS Cost Explorer",
+    "slug": "aws-cost-explorer",
+    "category": "inbound",
+    "description": "Ingest AWS cost-and-usage report into spend attribution.",
+    "authType": "api-key",
+    "iconSlug": "amazonaws",
+    "iconColor": "#FF9900",
+    "requiredFields": [
+      { "key": "accountId", "label": "AWS account ID", "placeholder": "123456789012" },
+      { "key": "roleArn", "label": "Cross-account role ARN", "placeholder": "arn:aws:iam::..." },
+      { "key": "region", "label": "Default region", "placeholder": "us-east-1" }
+    ],
+    "defaultScopes": ["ce:GetCostAndUsage"],
+    "connected": false
+  },
+  {
+    "id": "int_gcp_billing",
+    "name": "GCP Billing",
+    "slug": "gcp-billing",
+    "category": "inbound",
+    "description": "Ingest GCP billing export into spend attribution.",
+    "authType": "oauth",
+    "iconSlug": "googlecloud",
+    "iconColor": "#4285F4",
+    "requiredFields": [
+      { "key": "billingAccountId", "label": "Billing account ID", "placeholder": "000000-000000-000000" },
+      { "key": "bigQueryDataset", "label": "BigQuery dataset", "optional": true }
+    ],
+    "defaultScopes": ["billing.accounts.get", "bigquery.read"],
+    "connected": false
+  },
+  {
+    "id": "int_carta",
+    "name": "Carta",
+    "slug": "carta",
+    "category": "inbound",
+    "description": "Pull cap-table-related vendor agreements from Carta.",
+    "authType": "oauth",
+    "iconSlug": "carta",
+    "iconColor": "#0078FF",
+    "requiredFields": [
+      { "key": "companyId", "label": "Carta company ID", "placeholder": "comp_..." }
+    ],
+    "defaultScopes": ["docs.read"],
+    "connected": false
+  },
+  {
+    "id": "int_vendr",
+    "name": "Vendr",
+    "slug": "vendr",
+    "category": "inbound",
+    "description": "Sync contract metadata and renewal calendar from Vendr.",
+    "authType": "api-key",
+    "iconSlug": "vendr",
+    "iconColor": "#FF7A59",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Vendr API key", "sensitive": true }
+    ],
+    "defaultScopes": ["contracts.read", "vendors.read"],
+    "connected": false
+  },
+  {
+    "id": "int_zip",
+    "name": "Zip",
+    "slug": "zip",
+    "category": "inbound",
+    "description": "Pull intake requests and procurement workflow status from Zip.",
+    "authType": "api-key",
+    "iconSlug": "zip",
+    "iconColor": "#FF7A00",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Zip API key", "sensitive": true }
+    ],
+    "defaultScopes": ["requests.read"],
+    "connected": false
+  },
+  {
+    "id": "int_coupa",
+    "name": "Coupa",
+    "slug": "coupa",
+    "category": "inbound",
+    "description": "Sync supplier records, contracts, and POs from Coupa.",
+    "authType": "oauth",
+    "iconSlug": "coupa",
+    "iconColor": "#00A4E0",
+    "requiredFields": [
+      { "key": "instanceUrl", "label": "Coupa instance URL", "placeholder": "https://acme.coupahost.com" }
+    ],
+    "defaultScopes": ["suppliers.read", "contracts.read"],
+    "connected": false
+  },
+  {
+    "id": "int_slack",
+    "name": "Slack",
+    "slug": "slack",
+    "category": "outbound",
+    "description": "Post change alerts, renewal nudges, and digest summaries to Slack.",
+    "authType": "oauth",
+    "iconSlug": "slack",
+    "iconColor": "#611F69",
+    "requiredFields": [
+      { "key": "workspaceUrl", "label": "Slack workspace URL", "placeholder": "acme.slack.com" },
+      { "key": "defaultChannel", "label": "Default channel", "placeholder": "#vendor-changes" }
+    ],
+    "defaultScopes": ["chat:write", "channels:read"],
+    "connected": true
+  },
+  {
+    "id": "int_jira",
+    "name": "Jira",
+    "slug": "jira",
+    "category": "outbound",
+    "description": "Open issues for material changes routed to engineering or security.",
+    "authType": "oauth",
+    "iconSlug": "jira",
+    "iconColor": "#0052CC",
+    "requiredFields": [
+      { "key": "siteUrl", "label": "Jira site URL", "placeholder": "https://acme.atlassian.net" },
+      { "key": "defaultProjectKey", "label": "Default project key", "placeholder": "PROC" }
+    ],
+    "defaultScopes": ["write:jira-work"],
+    "connected": false
+  },
+  {
+    "id": "int_linear",
+    "name": "Linear",
+    "slug": "linear",
+    "category": "outbound",
+    "description": "Open Linear issues with attached evidence brief.",
+    "authType": "oauth",
+    "iconSlug": "linear",
+    "iconColor": "#5E6AD2",
+    "requiredFields": [
+      { "key": "workspaceSlug", "label": "Linear workspace slug", "placeholder": "acme" }
+    ],
+    "defaultScopes": ["issues:create"],
+    "connected": false
+  },
+  {
+    "id": "int_microsoft_teams",
+    "name": "Microsoft Teams",
+    "slug": "microsoft-teams",
+    "category": "outbound",
+    "description": "Post change alerts to Teams channels.",
+    "authType": "oauth",
+    "iconSlug": "microsoftteams",
+    "iconColor": "#4B53BC",
+    "requiredFields": [
+      { "key": "tenantId", "label": "Microsoft 365 tenant ID" },
+      { "key": "webhookUrl", "label": "Incoming webhook URL", "optional": true }
+    ],
+    "defaultScopes": ["ChannelMessage.Send"],
+    "connected": false
+  },
+  {
+    "id": "int_vanta",
+    "name": "Vanta",
+    "slug": "vanta",
+    "category": "outbound",
+    "description": "Push evidence and posture changes into Vanta compliance.",
+    "authType": "api-key",
+    "iconSlug": "vanta",
+    "iconColor": "#1B5E20",
+    "requiredFields": [
+      { "key": "apiKey", "label": "Vanta API key", "sensitive": true }
+    ],
+    "defaultScopes": ["evidence.write"],
+    "connected": false
+  }
+]
diff --git a/seed/policies.json b/seed/policies.json
index b1bd393..9744d4f 100644
--- a/seed/policies.json
+++ b/seed/policies.json
@@ -14,6 +14,7 @@
     "id": "pol_price_hike_near_renewal",
     "orgId": "org_acme",
     "name": "Price increase >10% within 90d of renewal",
+    "description": "Detect material pricing changes ahead of renewal so procurement can negotiate.",
     "version": 2,
     "createdBy": "usr_priya",
     "isActive": true,
@@ -24,10 +25,88 @@
     "id": "pol_subprocessor_added_restricted",
     "orgId": "org_acme",
     "name": "Sub-processor added in non-adequate jurisdiction",
+    "description": "New sub-processor in a country without EU adequacy decision requires customer notice.",
     "version": 1,
     "createdBy": "usr_marcus",
     "isActive": true,
     "severity": "P1",
     "route": ["slack:#privacy", "draft:customer-notification-30d"]
+  },
+  {
+    "id": "pol_soc2_expired",
+    "orgId": "org_acme",
+    "name": "SOC 2 Type II expired or expiring",
+    "description": "Vendor SOC 2 attestation lapsed or expires within 60 days.",
+    "version": 1,
+    "createdBy": "usr_lin",
+    "isActive": true,
+    "severity": "P2",
+    "route": ["slack:#sec-grc", "jira:SEC", "email:ciso@acme.dev"]
+  },
+  {
+    "id": "pol_sla_degradation",
+    "orgId": "org_acme",
+    "name": "SLA uptime degradation > 5%",
+    "description": "Vendor uptime SLA dropped more than 5 percentage points from posted commitment.",
+    "version": 1,
+    "createdBy": "usr_devon",
+    "isActive": true,
+    "severity": "P2",
+    "route": ["slack:#it-ops", "jira:IT", "email:procurement@acme.dev"]
+  },
+  {
+    "id": "pol_ai_training_optin",
+    "orgId": "org_acme",
+    "name": "AI training opt-in default added",
+    "description": "DPA updated to permit using customer data to train ML models by default.",
+    "version": 1,
+    "createdBy": "usr_lin",
+    "isActive": true,
+    "severity": "P1",
+    "route": ["slack:#privacy", "jira:LEGAL", "email:ciso@acme.dev"]
+  },
+  {
+    "id": "pol_price_hike_renewal_severe",
+    "orgId": "org_acme",
+    "name": "Price hike > 15% on renewal",
+    "description": "Severe variant of price hike policy; triggers escalation to finance.",
+    "version": 1,
+    "createdBy": "usr_priya",
+    "isActive": true,
+    "severity": "P1",
+    "route": ["slack:#finance", "jira:PROC", "email:cfo@acme.dev"]
+  },
+  {
+    "id": "pol_seat_overage",
+    "orgId": "org_acme",
+    "name": "Seat overage detected (>20%)",
+    "description": "Active seats exceed provisioned licenses by more than 20%.",
+    "version": 1,
+    "createdBy": "usr_priya",
+    "isActive": true,
+    "severity": "P3",
+    "route": ["slack:#procurement", "jira:PROC"]
+  },
+  {
+    "id": "pol_dpa_version_bumped",
+    "orgId": "org_acme",
+    "name": "DPA version bumped",
+    "description": "Vendor DPA revision posted without breaking changes.",
+    "version": 1,
+    "createdBy": "usr_lin",
+    "isActive": true,
+    "severity": "P3",
+    "route": ["jira:LEGAL"]
+  },
+  {
+    "id": "pol_terms_material_change",
+    "orgId": "org_acme",
+    "name": "Terms of service material change",
+    "description": "Vendor terms changed in a way that affects customer liability or rights.",
+    "version": 1,
+    "createdBy": "usr_lin",
+    "isActive": true,
+    "severity": "P2",
+    "route": ["slack:#legal", "jira:LEGAL"]
   }
 ]
diff --git a/seed/renewals.json b/seed/renewals.json
new file mode 100644
index 0000000..ac6306a
--- /dev/null
+++ b/seed/renewals.json
@@ -0,0 +1,262 @@
+[
+  {
+    "id": "ren_salesforce",
+    "vendorId": "vnd_salesforce",
+    "vendorName": "Salesforce",
+    "renewsAt": "2026-07-10",
+    "annualSpendUsd": 240000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 12,
+    "seatUtilizationPct": 51,
+    "blockerCount": 2,
+    "recommendedAction": "Right-size to 500 seats; counter 22% reduction citing benchmark."
+  },
+  {
+    "id": "ren_slack",
+    "vendorId": "vnd_slack",
+    "vendorName": "Slack",
+    "renewsAt": "2026-08-12",
+    "annualSpendUsd": 120000,
+    "currentColumn": "triage",
+    "ownerId": "usr_priya",
+    "priceDeltaPct": 5,
+    "seatUtilizationPct": 78,
+    "blockerCount": 1,
+    "recommendedAction": "Negotiate $8.50/seat on 325 seats; commit 2-year for stability."
+  },
+  {
+    "id": "ren_datadog",
+    "vendorId": "vnd_datadog",
+    "vendorName": "Datadog",
+    "renewsAt": "2026-09-30",
+    "annualSpendUsd": 240000,
+    "currentColumn": "triage",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 16,
+    "seatUtilizationPct": 93,
+    "blockerCount": 0,
+    "recommendedAction": "Push rate to $120k; reduce log retention 15->7d for additional $18k."
+  },
+  {
+    "id": "ren_figma",
+    "vendorId": "vnd_figma",
+    "vendorName": "Figma",
+    "renewsAt": "2026-08-21",
+    "annualSpendUsd": 64800,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": -3,
+    "seatUtilizationPct": 69,
+    "blockerCount": 1,
+    "recommendedAction": "Right-size to 60 seats at Professional plan rate."
+  },
+  {
+    "id": "ren_github",
+    "vendorId": "vnd_github",
+    "vendorName": "GitHub",
+    "renewsAt": "2027-01-22",
+    "annualSpendUsd": 132000,
+    "currentColumn": "triage",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 0,
+    "seatUtilizationPct": 90,
+    "blockerCount": 0,
+    "recommendedAction": "Bundle Actions minutes into base; cap overages at $0."
+  },
+  {
+    "id": "ren_notion",
+    "vendorId": "vnd_notion",
+    "vendorName": "Notion",
+    "renewsAt": "2026-07-04",
+    "annualSpendUsd": 158000,
+    "currentColumn": "sign",
+    "ownerId": "usr_priya",
+    "priceDeltaPct": 19,
+    "seatUtilizationPct": 69,
+    "blockerCount": 1,
+    "recommendedAction": "Sign 2-year at $9.50/seat; lock pre-increase pricing."
+  },
+  {
+    "id": "ren_stripe",
+    "vendorId": "vnd_stripe",
+    "vendorName": "Stripe",
+    "renewsAt": "2026-07-18",
+    "annualSpendUsd": 84000,
+    "currentColumn": "triage",
+    "ownerId": "usr_lin",
+    "priceDeltaPct": 8,
+    "seatUtilizationPct": 90,
+    "blockerCount": 1,
+    "recommendedAction": "Apply $250k+ volume tier; bring annual under $55k."
+  },
+  {
+    "id": "ren_aws",
+    "vendorId": "vnd_aws",
+    "vendorName": "Amazon Web Services",
+    "renewsAt": "2027-01-15",
+    "annualSpendUsd": 480000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 18,
+    "seatUtilizationPct": 72,
+    "blockerCount": 2,
+    "recommendedAction": "EDP at $350k committed; increase RI coverage to 70%."
+  },
+  {
+    "id": "ren_okta",
+    "vendorId": "vnd_okta",
+    "vendorName": "Okta",
+    "renewsAt": "2026-11-15",
+    "annualSpendUsd": 195000,
+    "currentColumn": "triage",
+    "ownerId": "usr_marcus",
+    "priceDeltaPct": 4,
+    "seatUtilizationPct": 97,
+    "blockerCount": 0,
+    "recommendedAction": "Multi-year commit at flat rate; lock SLA in writing."
+  },
+  {
+    "id": "ren_snowflake",
+    "vendorId": "vnd_snowflake",
+    "vendorName": "Snowflake",
+    "renewsAt": "2027-03-12",
+    "annualSpendUsd": 312000,
+    "currentColumn": "triage",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 8,
+    "seatUtilizationPct": 82,
+    "blockerCount": 1,
+    "recommendedAction": "3-year capacity commit; lock pre-increase storage rate."
+  },
+  {
+    "id": "ren_hubspot",
+    "vendorId": "vnd_hubspot",
+    "vendorName": "HubSpot",
+    "renewsAt": "2026-10-22",
+    "annualSpendUsd": 116000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 10,
+    "seatUtilizationPct": 74,
+    "blockerCount": 1,
+    "recommendedAction": "Lock pre-Q3 rate via 2-year commit; bundle Service Hub."
+  },
+  {
+    "id": "ren_zoom",
+    "vendorId": "vnd_zoom",
+    "vendorName": "Zoom",
+    "renewsAt": "2026-09-02",
+    "annualSpendUsd": 96000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_priya",
+    "priceDeltaPct": 7,
+    "seatUtilizationPct": 65,
+    "blockerCount": 1,
+    "recommendedAction": "Right-size hosts; lock pre-Jul-1 increase via 2-year."
+  },
+  {
+    "id": "ren_zendesk",
+    "vendorId": "vnd_zendesk",
+    "vendorName": "Zendesk",
+    "renewsAt": "2026-07-29",
+    "annualSpendUsd": 78000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 5,
+    "seatUtilizationPct": 80,
+    "blockerCount": 1,
+    "recommendedAction": "Request SCC update for VN sub-processor; renegotiate seat band."
+  },
+  {
+    "id": "ren_intercom",
+    "vendorId": "vnd_intercom",
+    "vendorName": "Intercom",
+    "renewsAt": "2026-12-18",
+    "annualSpendUsd": 42000,
+    "currentColumn": "triage",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 0,
+    "seatUtilizationPct": 86,
+    "blockerCount": 0,
+    "recommendedAction": "Sign 1-year flat; defer venue terms dispute to legal."
+  },
+  {
+    "id": "ren_vercel",
+    "vendorId": "vnd_vercel",
+    "vendorName": "Vercel",
+    "renewsAt": "2026-09-14",
+    "annualSpendUsd": 52000,
+    "currentColumn": "triage",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 0,
+    "seatUtilizationPct": 88,
+    "blockerCount": 0,
+    "recommendedAction": "Renew flat; document EU sub-processor decision."
+  },
+  {
+    "id": "ren_jira",
+    "vendorId": "vnd_jira",
+    "vendorName": "Jira",
+    "renewsAt": "2026-08-07",
+    "annualSpendUsd": 56000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_priya",
+    "priceDeltaPct": 12,
+    "seatUtilizationPct": 76,
+    "blockerCount": 1,
+    "recommendedAction": "Downgrade non-PM users to Standard; lock current Premium rate."
+  },
+  {
+    "id": "ren_mongodb",
+    "vendorId": "vnd_mongodb",
+    "vendorName": "MongoDB",
+    "renewsAt": "2026-12-30",
+    "annualSpendUsd": 144000,
+    "currentColumn": "triage",
+    "ownerId": "usr_devon",
+    "priceDeltaPct": 6,
+    "seatUtilizationPct": 81,
+    "blockerCount": 1,
+    "recommendedAction": "Negotiate restored 50% SLA credit cap; commit Atlas 2-year."
+  },
+  {
+    "id": "ren_adobe",
+    "vendorId": "vnd_adobe",
+    "vendorName": "Adobe Creative Cloud",
+    "renewsAt": "2026-09-01",
+    "annualSpendUsd": 48000,
+    "currentColumn": "negotiate",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 5,
+    "seatUtilizationPct": 58,
+    "blockerCount": 1,
+    "recommendedAction": "Drop overlap seats with Figma; consolidate at 80 seats."
+  },
+  {
+    "id": "ren_mixpanel",
+    "vendorId": "vnd_mixpanel",
+    "vendorName": "Mixpanel",
+    "renewsAt": "2027-01-08",
+    "annualSpendUsd": 36000,
+    "currentColumn": "triage",
+    "ownerId": "usr_jordan",
+    "priceDeltaPct": 4,
+    "seatUtilizationPct": 70,
+    "blockerCount": 1,
+    "recommendedAction": "Toggle AI-training opt-out; renew flat after."
+  },
+  {
+    "id": "ren_dropbox",
+    "vendorId": "vnd_dropbox",
+    "vendorName": "Dropbox",
+    "renewsAt": "2026-11-26",
+    "annualSpendUsd": 28800,
+    "currentColumn": "sign",
+    "ownerId": "usr_priya",
+    "priceDeltaPct": 0,
+    "seatUtilizationPct": 92,
+    "blockerCount": 0,
+    "recommendedAction": "Sign 1-year flat; AES-256 migration acknowledged."
+  }
+]
diff --git a/seed/requests.json b/seed/requests.json
new file mode 100644
index 0000000..f239b1c
--- /dev/null
+++ b/seed/requests.json
@@ -0,0 +1,184 @@
+[
+  {
+    "id": "req_linear_extra",
+    "orgId": "org_acme",
+    "requesterId": "usr_devon",
+    "vendorName": "Linear",
+    "category": "productivity",
+    "expectedSpendUsd": 18000,
+    "justification": "Engineering wants Linear for project tracking; Jira is too heavyweight for squads.",
+    "similarTools": ["Jira", "Asana", "Monday.com"],
+    "status": "pending",
+    "submittedAt": "2026-05-20T09:30:00Z",
+    "comments": []
+  },
+  {
+    "id": "req_loom",
+    "orgId": "org_acme",
+    "requesterId": "usr_jordan",
+    "vendorName": "Loom",
+    "category": "communication",
+    "expectedSpendUsd": 6000,
+    "justification": "Async video messaging for design reviews and stakeholder demos.",
+    "similarTools": ["Zoom Clips", "Slack Clips"],
+    "status": "approved",
+    "submittedAt": "2026-05-15T11:00:00Z",
+    "approverId": "usr_priya",
+    "decidedAt": "2026-05-17T14:30:00Z",
+    "comments": [
+      { "id": "cmt_001", "by": "usr_priya", "at": "2026-05-17T14:30:00Z", "text": "Approved with $6k cap; revisit at 90d if seat count exceeds 30." }
+    ]
+  },
+  {
+    "id": "req_miro",
+    "orgId": "org_acme",
+    "requesterId": "usr_priya",
+    "vendorName": "Miro",
+    "category": "productivity",
+    "expectedSpendUsd": 12000,
+    "justification": "Whiteboarding for cross-team product planning.",
+    "similarTools": ["FigJam", "Lucidchart", "Mural"],
+    "status": "rejected",
+    "submittedAt": "2026-05-10T14:00:00Z",
+    "approverId": "usr_priya",
+    "decidedAt": "2026-05-13T10:00:00Z",
+    "comments": [
+      { "id": "cmt_002", "by": "usr_priya", "at": "2026-05-13T10:00:00Z", "text": "FigJam already covered under Figma Enterprise contract; close as duplicate." }
+    ]
+  },
+  {
+    "id": "req_retool",
+    "orgId": "org_acme",
+    "requesterId": "usr_devon",
+    "vendorName": "Retool",
+    "category": "devtools",
+    "expectedSpendUsd": 36000,
+    "justification": "Internal tooling platform to replace custom admin dashboards we maintain ad-hoc.",
+    "similarTools": ["Airplane", "Internal.io"],
+    "status": "pending",
+    "submittedAt": "2026-05-22T16:45:00Z",
+    "comments": []
+  },
+  {
+    "id": "req_amplitude",
+    "orgId": "org_acme",
+    "requesterId": "usr_jordan",
+    "vendorName": "Amplitude",
+    "category": "analytics",
+    "expectedSpendUsd": 42000,
+    "justification": "Growth team needs cohort analysis; Mixpanel reports lack flexibility.",
+    "similarTools": ["Mixpanel", "PostHog", "Heap"],
+    "status": "pending",
+    "submittedAt": "2026-05-21T10:15:00Z",
+    "comments": [
+      { "id": "cmt_003", "by": "usr_priya", "at": "2026-05-23T11:00:00Z", "text": "Flagging duplicate with Mixpanel; growth lead to sync this week." }
+    ]
+  },
+  {
+    "id": "req_vanta",
+    "orgId": "org_acme",
+    "requesterId": "usr_marcus",
+    "vendorName": "Vanta",
+    "category": "security",
+    "expectedSpendUsd": 24000,
+    "justification": "SOC 2 readiness automation ahead of Q3 audit.",
+    "similarTools": ["Drata", "Tugboat Logic"],
+    "status": "approved",
+    "submittedAt": "2026-05-11T08:00:00Z",
+    "approverId": "usr_devon",
+    "decidedAt": "2026-05-12T13:00:00Z",
+    "comments": [
+      { "id": "cmt_004", "by": "usr_devon", "at": "2026-05-12T13:00:00Z", "text": "Approved; CISO sponsor confirmed." }
+    ]
+  },
+  {
+    "id": "req_segment",
+    "orgId": "org_acme",
+    "requesterId": "usr_jordan",
+    "vendorName": "Segment",
+    "category": "analytics",
+    "expectedSpendUsd": 30000,
+    "justification": "Customer data pipeline to feed Mixpanel, Snowflake, and marketing tools.",
+    "similarTools": ["Rudderstack", "PostHog CDP"],
+    "status": "routed",
+    "submittedAt": "2026-05-09T13:30:00Z",
+    "comments": [
+      { "id": "cmt_005", "by": "usr_priya", "at": "2026-05-09T15:00:00Z", "text": "Routing to data team for architecture review before approval." }
+    ]
+  },
+  {
+    "id": "req_tableau",
+    "orgId": "org_acme",
+    "requesterId": "usr_jordan",
+    "vendorName": "Tableau",
+    "category": "analytics",
+    "expectedSpendUsd": 56000,
+    "justification": "Self-serve BI for finance and ops teams; current Looker license expensive.",
+    "similarTools": ["Looker", "Metabase", "Mode"],
+    "status": "pending",
+    "submittedAt": "2026-05-23T11:30:00Z",
+    "comments": []
+  },
+  {
+    "id": "req_clickup",
+    "orgId": "org_acme",
+    "requesterId": "usr_priya",
+    "vendorName": "ClickUp",
+    "category": "productivity",
+    "expectedSpendUsd": 14000,
+    "justification": "PM wants unified docs+tasks; competes with existing Notion+Linear stack.",
+    "similarTools": ["Notion", "Linear", "Asana"],
+    "status": "rejected",
+    "submittedAt": "2026-05-05T09:00:00Z",
+    "approverId": "usr_priya",
+    "decidedAt": "2026-05-06T16:00:00Z",
+    "comments": [
+      { "id": "cmt_006", "by": "usr_priya", "at": "2026-05-06T16:00:00Z", "text": "Overlap with Notion+Linear; reject and document stack standard." }
+    ]
+  },
+  {
+    "id": "req_jira_addon",
+    "orgId": "org_acme",
+    "requesterId": "usr_devon",
+    "vendorName": "Atlassian Bitbucket Pipelines",
+    "category": "devtools",
+    "expectedSpendUsd": 9600,
+    "justification": "Faster CI for monorepo; would replace GitHub Actions for repos under Bitbucket.",
+    "similarTools": ["GitHub Actions", "CircleCI", "Buildkite"],
+    "status": "pending",
+    "submittedAt": "2026-05-19T12:00:00Z",
+    "comments": []
+  },
+  {
+    "id": "req_browserstack",
+    "orgId": "org_acme",
+    "requesterId": "usr_devon",
+    "vendorName": "BrowserStack",
+    "category": "devtools",
+    "expectedSpendUsd": 21600,
+    "justification": "Cross-browser device farm for end-to-end testing.",
+    "similarTools": ["Sauce Labs", "LambdaTest"],
+    "status": "approved",
+    "submittedAt": "2026-05-06T15:00:00Z",
+    "approverId": "usr_devon",
+    "decidedAt": "2026-05-07T10:00:00Z",
+    "comments": [
+      { "id": "cmt_007", "by": "usr_devon", "at": "2026-05-07T10:00:00Z", "text": "Approved; pre-existing pilot data supports value." }
+    ]
+  },
+  {
+    "id": "req_pagerduty_add",
+    "orgId": "org_acme",
+    "requesterId": "usr_marcus",
+    "vendorName": "PagerDuty Process Automation",
+    "category": "observability",
+    "expectedSpendUsd": 18000,
+    "justification": "Runbook automation tied to PagerDuty incident triggers.",
+    "similarTools": ["Rundeck", "Tines"],
+    "status": "routed",
+    "submittedAt": "2026-05-17T09:15:00Z",
+    "comments": [
+      { "id": "cmt_008", "by": "usr_devon", "at": "2026-05-18T14:00:00Z", "text": "Routing to platform team for stack review." }
+    ]
+  }
+]
diff --git a/seed/vendors.json b/seed/vendors.json
index 09220bd..0e46222 100644
--- a/seed/vendors.json
+++ b/seed/vendors.json
@@ -46,5 +46,821 @@
       "annualSpendUsd": 84000,
       "seatCount": 20
     }
+  },
+  {
+    "id": "vnd_datadog",
+    "orgId": "org_acme",
+    "name": "Datadog",
+    "category": "observability",
+    "tier": 1,
+    "posture": "watch",
+    "dataClasses": ["content"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://datadoghq.com",
+      "terms": "https://datadoghq.com/legal/terms",
+      "pricing": "https://datadoghq.com/pricing",
+      "dpa": "https://datadoghq.com/legal/dpa",
+      "subProcessors": "https://datadoghq.com/legal/subprocessors",
+      "security": "https://datadoghq.com/security",
+      "sla": "https://datadoghq.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-09-30",
+      "annualSpendUsd": 240000,
+      "seatCount": 180
+    }
+  },
+  {
+    "id": "vnd_okta",
+    "orgId": "org_acme",
+    "name": "Okta",
+    "category": "security",
+    "tier": 1,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_marcus",
+    "urls": {
+      "homepage": "https://okta.com",
+      "terms": "https://okta.com/terms",
+      "pricing": "https://okta.com/pricing",
+      "dpa": "https://okta.com/dpa",
+      "subProcessors": "https://okta.com/subprocessors",
+      "security": "https://okta.com/security",
+      "sla": "https://okta.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-11-15",
+      "annualSpendUsd": 195000,
+      "seatCount": 1600
+    }
+  },
+  {
+    "id": "vnd_github",
+    "orgId": "org_acme",
+    "name": "GitHub",
+    "category": "devtools",
+    "tier": 1,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://github.com",
+      "terms": "https://github.com/terms",
+      "pricing": "https://github.com/pricing",
+      "dpa": "https://github.com/dpa",
+      "subProcessors": "https://github.com/subprocessors",
+      "security": "https://github.com/security",
+      "sla": "https://github.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-01-22",
+      "annualSpendUsd": 132000,
+      "seatCount": 540
+    }
+  },
+  {
+    "id": "vnd_cloudflare",
+    "orgId": "org_acme",
+    "name": "Cloudflare",
+    "category": "infrastructure",
+    "tier": 1,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://cloudflare.com",
+      "terms": "https://cloudflare.com/terms",
+      "pricing": "https://cloudflare.com/plans",
+      "dpa": "https://cloudflare.com/cloudflare-customer-dpa",
+      "subProcessors": "https://cloudflare.com/subprocessors",
+      "security": "https://cloudflare.com/trust-hub/security",
+      "sla": "https://cloudflare.com/business-sla"
+    },
+    "contract": {
+      "renewsAt": "2026-12-04",
+      "annualSpendUsd": 88000,
+      "seatCount": 45
+    }
+  },
+  {
+    "id": "vnd_snowflake",
+    "orgId": "org_acme",
+    "name": "Snowflake",
+    "category": "database",
+    "tier": 1,
+    "posture": "watch",
+    "dataClasses": ["pii", "financial", "content"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://snowflake.com",
+      "terms": "https://snowflake.com/legal",
+      "pricing": "https://snowflake.com/pricing",
+      "dpa": "https://snowflake.com/legal/dpa",
+      "subProcessors": "https://snowflake.com/legal/subprocessors",
+      "security": "https://snowflake.com/security",
+      "sla": "https://snowflake.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-03-12",
+      "annualSpendUsd": 312000,
+      "seatCount": 140
+    }
+  },
+  {
+    "id": "vnd_auth0",
+    "orgId": "org_acme",
+    "name": "Auth0",
+    "category": "security",
+    "tier": 1,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_marcus",
+    "urls": {
+      "homepage": "https://auth0.com",
+      "terms": "https://auth0.com/legal/ss",
+      "pricing": "https://auth0.com/pricing",
+      "dpa": "https://auth0.com/legal/dpa",
+      "subProcessors": "https://auth0.com/legal/subprocessors",
+      "security": "https://auth0.com/security",
+      "sla": "https://auth0.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-10-08",
+      "annualSpendUsd": 72000,
+      "seatCount": 60
+    }
+  },
+  {
+    "id": "vnd_figma",
+    "orgId": "org_acme",
+    "name": "Figma",
+    "category": "design",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://figma.com",
+      "terms": "https://figma.com/tos",
+      "pricing": "https://figma.com/pricing",
+      "dpa": "https://figma.com/dpa",
+      "subProcessors": "https://figma.com/subprocessors",
+      "security": "https://figma.com/security",
+      "sla": "https://figma.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-08-21",
+      "annualSpendUsd": 64800,
+      "seatCount": 360
+    }
+  },
+  {
+    "id": "vnd_linear",
+    "orgId": "org_acme",
+    "name": "Linear",
+    "category": "productivity",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://linear.app",
+      "terms": "https://linear.app/terms",
+      "pricing": "https://linear.app/pricing",
+      "dpa": "https://linear.app/dpa",
+      "subProcessors": "https://linear.app/subprocessors",
+      "security": "https://linear.app/security",
+      "sla": "https://linear.app/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-11-02",
+      "annualSpendUsd": 38400,
+      "seatCount": 320
+    }
+  },
+  {
+    "id": "vnd_vercel",
+    "orgId": "org_acme",
+    "name": "Vercel",
+    "category": "infrastructure",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://vercel.com",
+      "terms": "https://vercel.com/legal/terms",
+      "pricing": "https://vercel.com/pricing",
+      "dpa": "https://vercel.com/legal/dpa",
+      "subProcessors": "https://vercel.com/legal/subprocessors",
+      "security": "https://vercel.com/security",
+      "sla": "https://vercel.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-09-14",
+      "annualSpendUsd": 52000,
+      "seatCount": 95
+    }
+  },
+  {
+    "id": "vnd_asana",
+    "orgId": "org_acme",
+    "name": "Asana",
+    "category": "productivity",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://asana.com",
+      "terms": "https://asana.com/terms",
+      "pricing": "https://asana.com/pricing",
+      "dpa": "https://asana.com/dpa",
+      "subProcessors": "https://asana.com/subprocessors",
+      "security": "https://asana.com/security",
+      "sla": "https://asana.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-02-19",
+      "annualSpendUsd": 48000,
+      "seatCount": 420
+    }
+  },
+  {
+    "id": "vnd_jira",
+    "orgId": "org_acme",
+    "name": "Jira",
+    "category": "productivity",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["content"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://atlassian.com",
+      "terms": "https://atlassian.com/legal/cloud-terms-of-service",
+      "pricing": "https://atlassian.com/software/jira/pricing",
+      "dpa": "https://atlassian.com/legal/data-processing-addendum",
+      "subProcessors": "https://atlassian.com/legal/sub-processors",
+      "security": "https://atlassian.com/trust/security",
+      "sla": "https://atlassian.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-08-07",
+      "annualSpendUsd": 56000,
+      "seatCount": 480
+    }
+  },
+  {
+    "id": "vnd_hubspot",
+    "orgId": "org_acme",
+    "name": "HubSpot",
+    "category": "crm",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://hubspot.com",
+      "terms": "https://legal.hubspot.com/terms-of-service",
+      "pricing": "https://hubspot.com/pricing",
+      "dpa": "https://legal.hubspot.com/dpa",
+      "subProcessors": "https://legal.hubspot.com/subprocessors",
+      "security": "https://hubspot.com/security",
+      "sla": "https://legal.hubspot.com/hubspot-sla"
+    },
+    "contract": {
+      "renewsAt": "2026-10-22",
+      "annualSpendUsd": 116000,
+      "seatCount": 220
+    }
+  },
+  {
+    "id": "vnd_intercom",
+    "orgId": "org_acme",
+    "name": "Intercom",
+    "category": "support",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://intercom.com",
+      "terms": "https://intercom.com/terms-and-policies",
+      "pricing": "https://intercom.com/pricing",
+      "dpa": "https://intercom.com/legal/dpa",
+      "subProcessors": "https://intercom.com/legal/subprocessors",
+      "security": "https://intercom.com/security",
+      "sla": "https://intercom.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-12-18",
+      "annualSpendUsd": 42000,
+      "seatCount": 65
+    }
+  },
+  {
+    "id": "vnd_zendesk",
+    "orgId": "org_acme",
+    "name": "Zendesk",
+    "category": "support",
+    "tier": 2,
+    "posture": "risk",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://zendesk.com",
+      "terms": "https://zendesk.com/company/agreements-and-terms",
+      "pricing": "https://zendesk.com/pricing",
+      "dpa": "https://zendesk.com/dpa",
+      "subProcessors": "https://zendesk.com/subprocessors",
+      "security": "https://zendesk.com/trust-center/security",
+      "sla": "https://zendesk.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-07-29",
+      "annualSpendUsd": 78000,
+      "seatCount": 140
+    }
+  },
+  {
+    "id": "vnd_mixpanel",
+    "orgId": "org_acme",
+    "name": "Mixpanel",
+    "category": "analytics",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://mixpanel.com",
+      "terms": "https://mixpanel.com/legal/terms-of-use",
+      "pricing": "https://mixpanel.com/pricing",
+      "dpa": "https://mixpanel.com/legal/dpa",
+      "subProcessors": "https://mixpanel.com/legal/subprocessors",
+      "security": "https://mixpanel.com/security",
+      "sla": "https://mixpanel.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-01-08",
+      "annualSpendUsd": 36000,
+      "seatCount": 80
+    }
+  },
+  {
+    "id": "vnd_zoom",
+    "orgId": "org_acme",
+    "name": "Zoom",
+    "category": "communication",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://zoom.us",
+      "terms": "https://zoom.us/terms",
+      "pricing": "https://zoom.us/pricing",
+      "dpa": "https://zoom.us/dpa",
+      "subProcessors": "https://zoom.us/subprocessors",
+      "security": "https://zoom.us/trust/security",
+      "sla": "https://zoom.us/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-09-02",
+      "annualSpendUsd": 96000,
+      "seatCount": 1800
+    }
+  },
+  {
+    "id": "vnd_dropbox",
+    "orgId": "org_acme",
+    "name": "Dropbox",
+    "category": "productivity",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://dropbox.com",
+      "terms": "https://dropbox.com/terms",
+      "pricing": "https://dropbox.com/business/plans-comparison",
+      "dpa": "https://dropbox.com/business/trust/compliance/dpa",
+      "subProcessors": "https://dropbox.com/business/trust/compliance/subprocessors",
+      "security": "https://dropbox.com/business/trust/security",
+      "sla": "https://dropbox.com/business/trust/compliance/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-11-26",
+      "annualSpendUsd": 28800,
+      "seatCount": 240
+    }
+  },
+  {
+    "id": "vnd_sentry",
+    "orgId": "org_acme",
+    "name": "Sentry",
+    "category": "observability",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://sentry.io",
+      "terms": "https://sentry.io/terms",
+      "pricing": "https://sentry.io/pricing",
+      "dpa": "https://sentry.io/legal/dpa",
+      "subProcessors": "https://sentry.io/legal/subprocessors",
+      "security": "https://sentry.io/security",
+      "sla": "https://sentry.io/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-10-14",
+      "annualSpendUsd": 32400,
+      "seatCount": 110
+    }
+  },
+  {
+    "id": "vnd_pagerduty",
+    "orgId": "org_acme",
+    "name": "PagerDuty",
+    "category": "observability",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://pagerduty.com",
+      "terms": "https://pagerduty.com/terms",
+      "pricing": "https://pagerduty.com/pricing",
+      "dpa": "https://pagerduty.com/dpa",
+      "subProcessors": "https://pagerduty.com/subprocessors",
+      "security": "https://pagerduty.com/security",
+      "sla": "https://pagerduty.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-04-09",
+      "annualSpendUsd": 41600,
+      "seatCount": 75
+    }
+  },
+  {
+    "id": "vnd_mongodb",
+    "orgId": "org_acme",
+    "name": "MongoDB",
+    "category": "database",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://mongodb.com",
+      "terms": "https://mongodb.com/legal/terms-of-use",
+      "pricing": "https://mongodb.com/pricing",
+      "dpa": "https://mongodb.com/legal/dpa",
+      "subProcessors": "https://mongodb.com/legal/subprocessors",
+      "security": "https://mongodb.com/trust",
+      "sla": "https://mongodb.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-12-30",
+      "annualSpendUsd": 144000,
+      "seatCount": 90
+    }
+  },
+  {
+    "id": "vnd_1password",
+    "orgId": "org_acme",
+    "name": "1Password",
+    "category": "security",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_marcus",
+    "urls": {
+      "homepage": "https://1password.com",
+      "terms": "https://1password.com/legal/terms-of-service",
+      "pricing": "https://1password.com/business-pricing",
+      "dpa": "https://1password.com/legal/dpa",
+      "subProcessors": "https://1password.com/legal/subprocessors",
+      "security": "https://1password.com/security",
+      "sla": "https://1password.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-08-15",
+      "annualSpendUsd": 31680,
+      "seatCount": 1320
+    }
+  },
+  {
+    "id": "vnd_airtable",
+    "orgId": "org_acme",
+    "name": "Airtable",
+    "category": "productivity",
+    "tier": 2,
+    "posture": "watch",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://airtable.com",
+      "terms": "https://airtable.com/terms",
+      "pricing": "https://airtable.com/pricing",
+      "dpa": "https://airtable.com/dpa",
+      "subProcessors": "https://airtable.com/subprocessors",
+      "security": "https://airtable.com/security",
+      "sla": "https://airtable.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-02-04",
+      "annualSpendUsd": 54000,
+      "seatCount": 380
+    }
+  },
+  {
+    "id": "vnd_posthog",
+    "orgId": "org_acme",
+    "name": "PostHog",
+    "category": "analytics",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["pii", "content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://posthog.com",
+      "terms": "https://posthog.com/terms",
+      "pricing": "https://posthog.com/pricing",
+      "dpa": "https://posthog.com/dpa",
+      "subProcessors": "https://posthog.com/subprocessors",
+      "security": "https://posthog.com/security",
+      "sla": "https://posthog.com/handbook/company/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-09-22",
+      "annualSpendUsd": 18000,
+      "seatCount": 45
+    }
+  },
+  {
+    "id": "vnd_sketch",
+    "orgId": "org_acme",
+    "name": "Sketch",
+    "category": "design",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://sketch.com",
+      "terms": "https://sketch.com/tos",
+      "pricing": "https://sketch.com/pricing",
+      "dpa": "https://sketch.com/dpa",
+      "subProcessors": "https://sketch.com/subprocessors",
+      "security": "https://sketch.com/security",
+      "sla": "https://sketch.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-03-26",
+      "annualSpendUsd": 7200,
+      "seatCount": 28
+    }
+  },
+  {
+    "id": "vnd_framer",
+    "orgId": "org_acme",
+    "name": "Framer",
+    "category": "design",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://framer.com",
+      "terms": "https://framer.com/legal/terms-of-service",
+      "pricing": "https://framer.com/pricing",
+      "dpa": "https://framer.com/legal/dpa",
+      "subProcessors": "https://framer.com/legal/subprocessors",
+      "security": "https://framer.com/legal/security",
+      "sla": "https://framer.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-10-30",
+      "annualSpendUsd": 5400,
+      "seatCount": 12
+    }
+  },
+  {
+    "id": "vnd_miro",
+    "orgId": "org_acme",
+    "name": "Miro",
+    "category": "productivity",
+    "tier": 3,
+    "posture": "watch",
+    "dataClasses": ["content"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://miro.com",
+      "terms": "https://miro.com/legal/terms-of-service",
+      "pricing": "https://miro.com/pricing",
+      "dpa": "https://miro.com/legal/data-processing-addendum",
+      "subProcessors": "https://miro.com/legal/subprocessors",
+      "security": "https://miro.com/trust/security",
+      "sla": "https://miro.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-12-12",
+      "annualSpendUsd": 21600,
+      "seatCount": 180
+    }
+  },
+  {
+    "id": "vnd_loom",
+    "orgId": "org_acme",
+    "name": "Loom",
+    "category": "communication",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://loom.com",
+      "terms": "https://loom.com/terms",
+      "pricing": "https://loom.com/pricing",
+      "dpa": "https://loom.com/dpa",
+      "subProcessors": "https://loom.com/subprocessors",
+      "security": "https://loom.com/security",
+      "sla": "https://loom.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-08-28",
+      "annualSpendUsd": 12000,
+      "seatCount": 95
+    }
+  },
+  {
+    "id": "vnd_calendly",
+    "orgId": "org_acme",
+    "name": "Calendly",
+    "category": "automation",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://calendly.com",
+      "terms": "https://calendly.com/legal/terms-of-use",
+      "pricing": "https://calendly.com/pricing",
+      "dpa": "https://calendly.com/legal/dpa",
+      "subProcessors": "https://calendly.com/legal/subprocessors",
+      "security": "https://calendly.com/security",
+      "sla": "https://calendly.com/legal/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-05-18",
+      "annualSpendUsd": 9600,
+      "seatCount": 160
+    }
+  },
+  {
+    "id": "vnd_bitwarden",
+    "orgId": "org_acme",
+    "name": "Bitwarden",
+    "category": "security",
+    "tier": 3,
+    "posture": "ok",
+    "dataClasses": ["pii"],
+    "ownerId": "usr_marcus",
+    "urls": {
+      "homepage": "https://bitwarden.com",
+      "terms": "https://bitwarden.com/terms",
+      "pricing": "https://bitwarden.com/pricing",
+      "dpa": "https://bitwarden.com/dpa",
+      "subProcessors": "https://bitwarden.com/subprocessors",
+      "security": "https://bitwarden.com/security",
+      "sla": "https://bitwarden.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-06-28",
+      "annualSpendUsd": 1800,
+      "seatCount": 30
+    }
+  },
+  {
+    "id": "vnd_discord",
+    "orgId": "org_acme",
+    "name": "Discord",
+    "category": "communication",
+    "tier": 3,
+    "posture": "risk",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_ada",
+    "urls": {
+      "homepage": "https://discord.com",
+      "terms": "https://discord.com/terms",
+      "pricing": "https://discord.com/nitro",
+      "dpa": "https://discord.com/dpa",
+      "subProcessors": "https://discord.com/subprocessors",
+      "security": "https://discord.com/safety",
+      "sla": "https://discord.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2027-04-22",
+      "annualSpendUsd": 3600,
+      "seatCount": 60
+    }
+  },
+  {
+    "id": "vnd_salesforce",
+    "orgId": "org_acme",
+    "name": "Salesforce",
+    "category": "crm",
+    "tier": 1,
+    "posture": "watch",
+    "dataClasses": ["financial", "pii"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://salesforce.com",
+      "terms": "https://salesforce.com/company/legal/agreements",
+      "pricing": "https://salesforce.com/editions-pricing/sales-cloud",
+      "dpa": "https://salesforce.com/company/legal/agreements/data-processing-addendum",
+      "subProcessors": "https://salesforce.com/company/legal/sub-processors",
+      "security": "https://trust.salesforce.com/en/security",
+      "sla": "https://salesforce.com/company/legal/agreements/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-07-10",
+      "annualSpendUsd": 240000,
+      "seatCount": 850
+    }
+  },
+  {
+    "id": "vnd_slack",
+    "orgId": "org_acme",
+    "name": "Slack",
+    "category": "communication",
+    "tier": 1,
+    "posture": "ok",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_priya",
+    "urls": {
+      "homepage": "https://slack.com",
+      "terms": "https://slack.com/terms-of-service",
+      "pricing": "https://slack.com/pricing",
+      "dpa": "https://slack.com/dpa",
+      "subProcessors": "https://slack.com/subprocessors",
+      "security": "https://slack.com/security",
+      "sla": "https://slack.com/sla"
+    },
+    "contract": {
+      "renewsAt": "2026-08-12",
+      "annualSpendUsd": 120000,
+      "seatCount": 400
+    }
+  },
+  {
+    "id": "vnd_aws",
+    "orgId": "org_acme",
+    "name": "Amazon Web Services",
+    "category": "infrastructure",
+    "tier": 1,
+    "posture": "watch",
+    "dataClasses": ["content", "pii"],
+    "ownerId": "usr_devon",
+    "urls": {
+      "homepage": "https://aws.amazon.com",
+      "terms": "https://aws.amazon.com/agreement",
+      "pricing": "https://aws.amazon.com/pricing",
+      "dpa": "https://aws.amazon.com/compliance/gdpr-center",
+      "subProcessors": "https://aws.amazon.com/compliance/sub-processors",
+      "security": "https://aws.amazon.com/security",
+      "sla": "https://aws.amazon.com/legal/service-level-agreements"
+    },
+    "contract": {
+      "renewsAt": "2027-01-15",
+      "annualSpendUsd": 480000,
+      "seatCount": 1
+    }
+  },
+  {
+    "id": "vnd_adobe",
+    "orgId": "org_acme",
+    "name": "Adobe Creative Cloud",
+    "category": "design",
+    "tier": 2,
+    "posture": "ok",
+    "dataClasses": ["content"],
+    "ownerId": "usr_jordan",
+    "urls": {
+      "homepage": "https://adobe.com",
+      "terms": "https://adobe.com/legal/terms.html",
+      "pricing": "https://adobe.com/creativecloud/plans.html",
+      "dpa": "https://adobe.com/privacy/data-processing-addendum.html",
+      "subProcessors": "https://adobe.com/legal/sub-processors.html",
+      "security": "https://adobe.com/trust/security.html",
+      "sla": "https://adobe.com/legal/service-commitments.html"
+    },
+    "contract": {
+      "renewsAt": "2026-09-01",
+      "annualSpendUsd": 48000,
+      "seatCount": 200
+    }
   }
 ]
diff --git a/tests/api/actions.test.ts b/tests/api/actions.test.ts
index bbea30a..cf52aa4 100644
--- a/tests/api/actions.test.ts
+++ b/tests/api/actions.test.ts
@@ -3,7 +3,7 @@ import { routeChangeReport } from "../../apps/api/src/agent/router";
 import { createActionRepository } from "../../apps/api/src/db/actions";
 import { createEventBroker } from "../../apps/api/src/stream/broker";
 import { createChangeReport, createUsers, createVendor, NOW, ORG_ID } from "./support/fixtures";
-import type { SlackPayload } from "@redline/shared";
+import type { SlackPayload } from "@unsyphn/shared";
 
 describe("Action routing", () => {
   it("resolves slack:@vendorOwner, delivers the webhook, persists the action, and emits action.delivered", async () => {
@@ -18,7 +18,7 @@ describe("Action routing", () => {
       routes: ["slack:@vendorOwner"],
       actions,
       events,
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
       slack: {
         async postAlert(payload) {
           posted.push(payload);
@@ -59,10 +59,10 @@ describe("Action routing", () => {
       changeReport: createChangeReport(),
       vendor: createVendor(),
       users: createUsers(),
-      routes: ["slack:#redline-demo"],
+      routes: ["slack:#unsyphn-demo"],
       actions,
       events,
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
       slack: {
         async postAlert() {
           throw new Error("Slack webhook returned 500");
@@ -73,7 +73,7 @@ describe("Action routing", () => {
     expect(routed).toEqual([
       expect.objectContaining({
         kind: "slack",
-        target: "#redline-demo",
+        target: "#unsyphn-demo",
         status: "failed",
         error: "Slack webhook returned 500",
       }),
@@ -102,7 +102,7 @@ describe("Action routing", () => {
       routes: ["jira:SEC", "email:ciso@example.com", "calendar:renewal-prep"],
       actions,
       events,
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
       now: () => new Date(NOW),
       slack: {
         async postAlert() {
@@ -121,7 +121,7 @@ describe("Action routing", () => {
         projectKey: "SEC",
         issueType: "Task",
         priority: "P1",
-        labels: ["redline", "vendor-risk", "notion"],
+        labels: ["unsyphn", "vendor-risk", "notion"],
         assigneeUserId: "usr_priya",
       },
     });
@@ -130,7 +130,7 @@ describe("Action routing", () => {
       target: "ciso@example.com",
       payload: {
         to: "ciso@example.com",
-        subject: "P1 Redline alert: Notion",
+        subject: "P1 Unsyphn alert: Notion",
         html: expect.stringContaining('<a href="https://notion.so/terms">Nimble capture</a>'),
       },
     });
@@ -138,7 +138,7 @@ describe("Action routing", () => {
     expect(routed[2]).toMatchObject({
       target: "renewal-prep",
       payload: {
-        title: "Redline renewal-prep: Notion",
+        title: "Unsyphn renewal-prep: Notion",
         startsAt: "2026-05-24T13:14:42.000Z",
         endsAt: "2026-05-24T13:44:42.000Z",
         attendees: ["priya@example.com"],
@@ -177,14 +177,14 @@ describe("Action routing", () => {
       routes: ["jira:SEC"],
       actions,
       events,
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
       now: () => new Date(NOW),
     });
 
     expect(routed).toMatchObject({
       kind: "jira",
       payload: {
-        labels: ["redline", "vendor-risk", "cafe"],
+        labels: ["unsyphn", "vendor-risk", "cafe"],
       },
     });
   });
diff --git a/tests/api/billing.test.ts b/tests/api/billing.test.ts
index c583f48..718597d 100644
--- a/tests/api/billing.test.ts
+++ b/tests/api/billing.test.ts
@@ -134,4 +134,132 @@ describe("POST /v1/billing/payment-intents", () => {
     const body = (await resp.json()) as { error: { code: string } };
     expect(body.error.code).toBe("upstream-failed");
   });
+
+  it("applies a known coupon and discounts the charged amount", async () => {
+    const fake = buildFakeStripe();
+    setStripeInstance(fake);
+    const resp = await buildApp().request("/v1/billing/payment-intents", {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({ sku: "growth", coupon: "FOUNDER50" }),
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      amountUsdCents: number;
+      originalAmountUsdCents: number;
+      coupon: { code: string; percentOff: number };
+    };
+    expect(body.originalAmountUsdCents).toBe(150_000);
+    expect(body.amountUsdCents).toBe(75_000);
+    expect(body.coupon.code).toBe("FOUNDER50");
+    expect(body.coupon.percentOff).toBe(50);
+  });
+
+  it("ignores an unknown coupon (no discount, no error)", async () => {
+    setStripeInstance(buildFakeStripe());
+    const resp = await buildApp().request("/v1/billing/payment-intents", {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({ sku: "starter", coupon: "NOPE" }),
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      amountUsdCents: number;
+      coupon?: unknown;
+    };
+    expect(body.amountUsdCents).toBe(30_000);
+    expect(body.coupon).toBeUndefined();
+  });
+
+  it("accepts the new tier SKUs (starter/growth/scale)", async () => {
+    setStripeInstance(buildFakeStripe());
+    for (const sku of ["starter", "growth", "scale"]) {
+      const resp = await buildApp().request("/v1/billing/payment-intents", {
+        method: "POST",
+        headers: { Authorization: BEARER, "Content-Type": "application/json" },
+        body: JSON.stringify({ sku }),
+      });
+      expect(resp.status).toBe(200);
+    }
+  });
+});
+
+describe("GET /v1/billing/coupons/:code", () => {
+  it("returns the coupon for a known code", async () => {
+    const resp = await buildApp().request("/v1/billing/coupons/HACKATHON25", {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { code: string; percentOff: number };
+    expect(body.code).toBe("HACKATHON25");
+    expect(body.percentOff).toBe(25);
+  });
+
+  it("returns 404 for an unknown coupon", async () => {
+    const resp = await buildApp().request("/v1/billing/coupons/NOPE", {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(404);
+  });
+});
+
+describe("GET /v1/billing/invoices", () => {
+  it("returns a list of synthetic invoices", async () => {
+    const resp = await buildApp().request("/v1/billing/invoices", {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      invoices: Array<{ id: string; amountUsdCents: number; status: string }>;
+    };
+    expect(body.invoices.length).toBeGreaterThan(0);
+    for (const inv of body.invoices) {
+      expect(inv.id).toMatch(/^INV-/);
+      expect(inv.status).toBe("paid");
+      expect(inv.amountUsdCents).toBeGreaterThan(0);
+    }
+  });
+});
+
+describe("GET /v1/billing/invoices/:id/pdf", () => {
+  it("returns a real PDF with the right headers", async () => {
+    const app = buildApp();
+    const list = (await (
+      await app.request("/v1/billing/invoices", {
+        headers: { Authorization: BEARER },
+      })
+    ).json()) as { invoices: Array<{ id: string }> };
+    const firstId = list.invoices[0]?.id;
+    expect(firstId).toBeDefined();
+
+    const resp = await app.request(`/v1/billing/invoices/${firstId}/pdf`, {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(200);
+    expect(resp.headers.get("content-type")).toBe("application/pdf");
+    expect(resp.headers.get("content-disposition")).toContain(
+      'filename="unsyphn-invoice-',
+    );
+    expect(resp.headers.get("content-disposition")).toContain(`${firstId}.pdf"`);
+    const contentLength = Number(resp.headers.get("content-length"));
+    expect(contentLength).toBeGreaterThan(0);
+
+    const ab = await resp.arrayBuffer();
+    const bytes = new Uint8Array(ab);
+    expect(bytes.byteLength).toBe(contentLength);
+    expect(bytes.byteLength).toBeGreaterThan(500);
+    // PDF magic header: "%PDF-1." (0x25 0x50 0x44 0x46 0x2D 0x31 0x2E)
+    const head = new TextDecoder().decode(bytes.slice(0, 7));
+    expect(head).toBe("%PDF-1.");
+  });
+
+  it("returns 404 for an unknown invoice id", async () => {
+    const resp = await buildApp().request(
+      "/v1/billing/invoices/INV-9999-13/pdf",
+      { headers: { Authorization: BEARER } },
+    );
+    expect(resp.status).toBe(404);
+    const body = (await resp.json()) as { error: { code: string } };
+    expect(body.error.code).toBe("not-found");
+  });
 });
diff --git a/tests/api/changes-escalate-sse.test.ts b/tests/api/changes-escalate-sse.test.ts
new file mode 100644
index 0000000..69bea19
--- /dev/null
+++ b/tests/api/changes-escalate-sse.test.ts
@@ -0,0 +1,114 @@
+import { describe, expect, it } from "vitest";
+import type { ChangeReport, StoredStreamEvent } from "@unsyphn/shared";
+
+import { InMemoryChangeReportRepository } from "../../apps/api/src/db/changeReports";
+import { createApp } from "../../apps/api/src/app";
+import { createSeedChangeReport, createSeedToken } from "../../apps/api/src/seed/factories";
+import { createEventBroker } from "../../apps/api/src/stream/broker";
+
+const ORG_ID = "org_acme";
+const USER_ID = "usr_priya";
+const TOKEN = "demo_token_acme_corp_2026";
+const CHANGE_ID = "chg_2026_05_22_notion";
+const NOW = new Date("2026-05-23T13:18:00.000Z");
+
+function createHarness(changeOverrides: Partial<ChangeReport> = {}) {
+  const change = createSeedChangeReport({
+    id: CHANGE_ID as ChangeReport["id"],
+    orgId: ORG_ID as ChangeReport["orgId"],
+    vendorId: "vnd_notion" as ChangeReport["vendorId"],
+    runId: "run_2026_05_22_notion" as ChangeReport["runId"],
+    ownerId: USER_ID as ChangeReport["ownerId"],
+    detectedAt: "2026-05-22T14:42:18.000Z",
+    severity: "P1",
+    state: "new",
+    updatedAt: "2026-05-22T14:42:18.000Z",
+    version: 1,
+    ...changeOverrides,
+  });
+  const token = createSeedToken({ token: TOKEN, orgId: ORG_ID, userId: USER_ID });
+  const reports = new InMemoryChangeReportRepository([change]);
+  const events = createEventBroker();
+  const app = createApp({
+    reports,
+    events,
+    seedData: { tokens: [token] },
+    now: () => NOW,
+  });
+
+  return { app, change, reports, events };
+}
+
+describe("change.escalated SSE event", () => {
+  it("publishes change.escalated when /escalate succeeds", async () => {
+    const { app, change, events } = createHarness();
+    const received: StoredStreamEvent[] = [];
+    events.subscribe(ORG_ID, (event) => {
+      received.push(event);
+    });
+
+    const response = await app.request(`/v1/changes/${change.id}/escalate`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${TOKEN}`,
+      },
+      body: JSON.stringify({ toRole: "legal", note: "Needs counsel" }),
+    });
+
+    expect(response.status).toBe(200);
+
+    const escalated = received.find((e) => e.event === "change.escalated");
+    expect(escalated).toBeDefined();
+    expect(escalated?.orgId).toBe(ORG_ID);
+    expect(escalated?.data).toMatchObject({
+      id: change.id,
+      toRole: "legal",
+      byUserId: USER_ID,
+      at: NOW.toISOString(),
+      slackChannel: "#legal-channel",
+    });
+    const jiraKey = (escalated?.data as { jiraKey: string }).jiraKey;
+    expect(jiraKey).toMatch(/^UNS-\d{4}$/);
+  });
+
+  it("does not publish change.escalated when /escalate fails validation", async () => {
+    const { app, change, events } = createHarness();
+    const received: StoredStreamEvent[] = [];
+    events.subscribe(ORG_ID, (event) => {
+      received.push(event);
+    });
+
+    const response = await app.request(`/v1/changes/${change.id}/escalate`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${TOKEN}`,
+      },
+      body: JSON.stringify({ toRole: "not-a-role" }),
+    });
+
+    expect(response.status).toBe(422);
+    expect(received.find((e) => e.event === "change.escalated")).toBeUndefined();
+  });
+
+  it("does not publish change.escalated when the change is missing", async () => {
+    const { app, events } = createHarness();
+    const received: StoredStreamEvent[] = [];
+    events.subscribe(ORG_ID, (event) => {
+      received.push(event);
+    });
+
+    const response = await app.request("/v1/changes/chg_missing/escalate", {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${TOKEN}`,
+      },
+      body: JSON.stringify({ toRole: "security" }),
+    });
+
+    expect(response.status).toBe(404);
+    expect(received.find((e) => e.event === "change.escalated")).toBeUndefined();
+  });
+});
diff --git a/tests/api/changes-feed.test.ts b/tests/api/changes-feed.test.ts
new file mode 100644
index 0000000..2c3202c
--- /dev/null
+++ b/tests/api/changes-feed.test.ts
@@ -0,0 +1,39 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolve } from "node:path";
+import { buildApp } from "../../apps/api/src/server.js";
+import { loadSeeds, getSeededChangeReports } from "../../apps/api/src/seed/loader.js";
+
+const AUTH = { Authorization: "Bearer demo_token_acme_corp_2026" };
+const SEED_DIR = resolve(__dirname, "../../seed");
+
+beforeEach(() => {
+  loadSeeds({ seedDir: SEED_DIR });
+});
+
+describe("GET /v1/changes/feed", () => {
+  it("returns all changes when no filter applied", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/changes/feed", { headers: AUTH });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { changes: unknown[] };
+    expect(body.changes.length).toBeGreaterThanOrEqual(12);
+  });
+
+  it("filters by vendorId", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/changes/feed?vendorId=vnd_notion", { headers: AUTH });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { changes: Array<{ vendorId: string }> };
+    expect(body.changes.length).toBeGreaterThan(0);
+    expect(body.changes.every((c) => c.vendorId === "vnd_notion")).toBe(true);
+  });
+
+  it("filters by category", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/changes/feed?category=pricing", { headers: AUTH });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { changes: Array<{ category: string }> };
+    expect(body.changes.length).toBeGreaterThan(0);
+    expect(body.changes.every((c) => c.category === "pricing")).toBe(true);
+  });
+});
diff --git a/tests/api/changes.lifecycle.test.ts b/tests/api/changes.lifecycle.test.ts
index 8637b21..4782505 100644
--- a/tests/api/changes.lifecycle.test.ts
+++ b/tests/api/changes.lifecycle.test.ts
@@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest";
 
-import type { ChangeReport } from "@redline/shared";
+import type { ChangeReport } from "@unsyphn/shared";
 import { InMemoryChangeReportRepository } from "../../apps/api/src/db/changeReports";
 import { createApp } from "../../apps/api/src/app";
 import { createSeedChangeReport, createSeedToken } from "../../apps/api/src/seed/factories";
diff --git a/tests/api/evidence.test.ts b/tests/api/evidence.test.ts
index 9912cc4..fc0af79 100644
--- a/tests/api/evidence.test.ts
+++ b/tests/api/evidence.test.ts
@@ -81,3 +81,19 @@ describe("GET /evidence/:id", () => {
     );
   });
 });
+
+describe("GET /evidence/:id/bundle.html", () => {
+  it("bundle.html endpoint returns inline-styled HTML", async () => {
+    const resp = await buildApp().request("/v1/evidence/chg_seed_notion/bundle.html");
+    expect(resp.status).toBe(200);
+    expect(resp.headers.get("content-type")).toContain("text/html");
+    const html = await resp.text();
+    expect(html).toContain("UNSYPHN EVIDENCE BUNDLE");
+    expect(html).toContain("Notion");
+  });
+
+  it("bundle.html returns 404 for unknown id", async () => {
+    const resp = await buildApp().request("/v1/evidence/chg_does_not_exist/bundle.html");
+    expect(resp.status).toBe(404);
+  });
+});
diff --git a/tests/api/integration.test.ts b/tests/api/integration.test.ts
index cdfb39b..405b27d 100644
--- a/tests/api/integration.test.ts
+++ b/tests/api/integration.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import type { ChangeReport, UserId } from "@redline/shared";
+import type { ChangeReport, UserId } from "@unsyphn/shared";
 import { routeChangeReport } from "../../apps/api/src/agent/router";
 import { createApp } from "../../apps/api/src/app";
 import { createActionRepository } from "../../apps/api/src/db/actions";
@@ -98,7 +98,7 @@ describe("integrated API event flow", () => {
       routes: ["jira:SEC"],
       actions,
       events,
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
       now: () => new Date(NOW),
     });
 
diff --git a/tests/api/new-endpoints.test.ts b/tests/api/new-endpoints.test.ts
new file mode 100644
index 0000000..e83a16f
--- /dev/null
+++ b/tests/api/new-endpoints.test.ts
@@ -0,0 +1,168 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolve } from "node:path";
+import { buildApp } from "../../apps/api/src/server.js";
+import { loadSeeds, getSeededChangeReports } from "../../apps/api/src/seed/loader.js";
+
+const BEARER = "Bearer demo_token_acme_corp_2026";
+const SEED_DIR = resolve(__dirname, "../../seed");
+
+function authHeaders(extra: Record<string, string> = {}): Record<string, string> {
+  return { Authorization: BEARER, ...extra };
+}
+
+beforeEach(() => {
+  loadSeeds({ seedDir: SEED_DIR });
+});
+
+describe("GET /v1/inbox", () => {
+  it("returns items array and total", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/inbox", { headers: authHeaders() });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { items: unknown[]; total: number };
+    expect(Array.isArray(body.items)).toBe(true);
+    expect(body.items.length).toBeGreaterThan(0);
+    expect(typeof body.total).toBe("number");
+    const first = body.items[0] as Record<string, unknown>;
+    expect(first.id).toBeDefined();
+    expect(first.kind).toBeDefined();
+    expect(first.vendorName).toBeDefined();
+    expect(first.severity).toBeDefined();
+    expect(first.lensTags).toBeDefined();
+  });
+
+  it("filters by severity P1", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/inbox?severity=P1", { headers: authHeaders() });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { items: Array<{ severity: string }>; total: number };
+    expect(body.items.length).toBeGreaterThan(0);
+    for (const item of body.items) {
+      expect(item.severity).toBe("P1");
+    }
+  });
+});
+
+describe("GET /v1/renewals", () => {
+  it("returns renewals within the requested window", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/renewals?days=30", { headers: authHeaders() });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { renewals: Array<{ daysOut: number }> };
+    expect(Array.isArray(body.renewals)).toBe(true);
+    for (const r of body.renewals) {
+      expect(r.daysOut).toBeLessThanOrEqual(30);
+    }
+  });
+
+  it("exposes ownerId, declined/autoRenewed flags and lensTags", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/renewals?days=365", { headers: authHeaders() });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      renewals: Array<{ ownerId?: string; declined?: boolean; autoRenewed?: boolean; lensTags?: string[] }>;
+    };
+    expect(body.renewals.length).toBeGreaterThan(0);
+    const first = body.renewals[0]!;
+    expect(typeof first.ownerId).toBe("string");
+    expect(first.declined).toBe(false);
+    expect(first.autoRenewed).toBe(false);
+    expect(Array.isArray(first.lensTags)).toBe(true);
+  });
+});
+
+describe("PATCH /v1/renewals/:id", () => {
+  it("updates ownerId for renewals in the calling org", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/renewals/ren_salesforce", {
+      method: "PATCH",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ ownerId: "usr_priya" }),
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { renewal: { id: string; ownerId: string } };
+    expect(body.renewal.id).toBe("ren_salesforce");
+    expect(body.renewal.ownerId).toBe("usr_priya");
+  });
+
+  it("marks declined and supports re-open", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const declined = await app.request("/v1/renewals/ren_figma", {
+      method: "PATCH",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ declined: true }),
+    });
+    expect(declined.status).toBe(200);
+    const a = (await declined.json()) as { renewal: { declined: boolean } };
+    expect(a.renewal.declined).toBe(true);
+
+    const reopened = await app.request("/v1/renewals/ren_figma", {
+      method: "PATCH",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ declined: false, autoRenewed: false }),
+    });
+    expect(reopened.status).toBe(200);
+    const b = (await reopened.json()) as { renewal: { declined: boolean; autoRenewed: boolean } };
+    expect(b.renewal.declined).toBe(false);
+    expect(b.renewal.autoRenewed).toBe(false);
+  });
+
+  it("rejects ownerId outside the calling org", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/renewals/ren_slack", {
+      method: "PATCH",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ ownerId: "usr_does_not_exist" }),
+    });
+    expect(resp.status).toBe(422);
+  });
+
+  it("returns 404 for an unknown id", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+    const resp = await app.request("/v1/renewals/ren_nope", {
+      method: "PATCH",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ column: "sign" }),
+    });
+    expect(resp.status).toBe(404);
+  });
+});
+
+describe("GET /v1/recoverable", () => {
+  it("returns totalUsd and breakdown with four keys", async () => {
+    const resp = await buildApp().request("/v1/recoverable", { headers: authHeaders() });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      totalUsd: number;
+      breakdown: { unusedSeatsUsd: number; priceHikesUsd: number; duplicateAppsUsd: number; atRiskUsd: number };
+    };
+    expect(typeof body.totalUsd).toBe("number");
+    expect(body.totalUsd).toBe(135000);
+    expect(typeof body.breakdown.unusedSeatsUsd).toBe("number");
+    expect(typeof body.breakdown.priceHikesUsd).toBe("number");
+    expect(typeof body.breakdown.duplicateAppsUsd).toBe("number");
+    expect(typeof body.breakdown.atRiskUsd).toBe("number");
+  });
+});
+
+describe("POST /v1/onboarding/discover", () => {
+  it("returns jobId and discoveredVendors array", async () => {
+    const resp = await buildApp().request("/v1/onboarding/discover", {
+      method: "POST",
+      headers: authHeaders({ "Content-Type": "application/json" }),
+      body: JSON.stringify({ provider: "google", domain: "acme.com" }),
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as {
+      jobId: string;
+      estimatedSeconds: number;
+      expectedVendors: number;
+      discoveredVendors: unknown[];
+    };
+    expect(body.jobId).toBe("job_demo_001");
+    expect(typeof body.estimatedSeconds).toBe("number");
+    expect(typeof body.expectedVendors).toBe("number");
+    expect(Array.isArray(body.discoveredVendors)).toBe(true);
+    expect(body.discoveredVendors.length).toBeGreaterThan(0);
+  });
+});
diff --git a/tests/api/requests.test.ts b/tests/api/requests.test.ts
new file mode 100644
index 0000000..6a079ab
--- /dev/null
+++ b/tests/api/requests.test.ts
@@ -0,0 +1,201 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolve } from "node:path";
+import { buildApp } from "../../apps/api/src/server.js";
+import { loadSeeds } from "../../apps/api/src/seed/loader.js";
+
+const BEARER = "Bearer demo_token_acme_corp_2026";
+const SEED_DIR = resolve(__dirname, "../../seed");
+
+interface RequestDto {
+  id: string;
+  vendorName: string;
+  status: "pending" | "approved" | "rejected" | "routed";
+  category: string;
+  comments: Array<{ id: string; text: string; authorName: string }>;
+  requesterName: string;
+  approverName?: string;
+  routeTo?: string;
+  autoEscalated: boolean;
+  slaDueAt: string;
+}
+
+interface ListResponse {
+  requests: RequestDto[];
+}
+
+interface SingleResponse {
+  request: RequestDto;
+}
+
+beforeEach(() => {
+  loadSeeds({ seedDir: SEED_DIR });
+});
+
+function authedJson(body?: unknown): { headers: Record<string, string>; body?: string; method: string } {
+  return {
+    method: body === undefined ? "GET" : "POST",
+    headers: { Authorization: BEARER, "Content-Type": "application/json" },
+    ...(body === undefined ? {} : { body: JSON.stringify(body) }),
+  };
+}
+
+describe("GET /v1/requests", () => {
+  it("rejects unauthenticated callers with 401", async () => {
+    const resp = await buildApp().request("/v1/requests");
+    expect(resp.status).toBe(401);
+  });
+
+  it("returns seeded requests in envelope form with denormalized names", async () => {
+    const resp = await buildApp().request("/v1/requests", authedJson());
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as ListResponse;
+    expect(body.requests.length).toBeGreaterThan(0);
+    const linear = body.requests.find((r) => r.id === "req_linear_extra");
+    expect(linear).toBeDefined();
+    expect(linear?.requesterName).toBe("Devon Rao");
+    expect(linear?.status).toBe("pending");
+    expect(typeof linear?.autoEscalated).toBe("boolean");
+    expect(linear?.slaDueAt).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+
+  it("surfaces 'routed' status (no longer collapsed to pending)", async () => {
+    const resp = await buildApp().request("/v1/requests?status=routed", authedJson());
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as ListResponse;
+    expect(body.requests.length).toBeGreaterThan(0);
+    expect(body.requests.every((r) => r.status === "routed")).toBe(true);
+  });
+
+  it("filters by lens — IT lens excludes analytics rows", async () => {
+    const resp = await buildApp().request("/v1/requests?lens=it", authedJson());
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as ListResponse;
+    // IT lens allows: infrastructure | productivity | devtools.
+    expect(body.requests.every((r) => ["infrastructure", "productivity", "devtools"].includes(r.category) || r.routeTo === "it")).toBe(true);
+  });
+
+  it("procurement lens returns everything", async () => {
+    const all = await buildApp().request("/v1/requests", authedJson());
+    const proc = await buildApp().request("/v1/requests?lens=procurement", authedJson());
+    const allBody = (await all.json()) as ListResponse;
+    const procBody = (await proc.json()) as ListResponse;
+    expect(procBody.requests.length).toBe(allBody.requests.length);
+  });
+});
+
+describe("GET /v1/requests/:id", () => {
+  it("returns one request denormalized with comments and requesterName", async () => {
+    const resp = await buildApp().request("/v1/requests/req_loom", authedJson());
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as SingleResponse;
+    expect(body.request.id).toBe("req_loom");
+    expect(body.request.vendorName).toBe("Loom");
+    expect(body.request.requesterName).toBe("Jordan Wells");
+    expect(body.request.status).toBe("approved");
+    expect(body.request.comments.length).toBeGreaterThan(0);
+  });
+
+  it("404s on unknown id", async () => {
+    const resp = await buildApp().request("/v1/requests/req_nope", authedJson());
+    expect(resp.status).toBe(404);
+  });
+
+  it("rejects unauthenticated callers with 401", async () => {
+    const resp = await buildApp().request("/v1/requests/req_loom");
+    expect(resp.status).toBe(401);
+  });
+});
+
+describe("POST /v1/requests", () => {
+  it("creates a pending request and returns the DTO with names", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests",
+      authedJson({
+        vendorName: "TestCo",
+        category: "devtools",
+        expectedSpendUsd: 12000,
+        justification: "Need monitoring for our staging env all day",
+        similarTools: ["DataDog"],
+      }),
+    );
+    expect(resp.status).toBe(201);
+    const body = (await resp.json()) as SingleResponse;
+    expect(body.request.status).toBe("pending");
+    expect(body.request.vendorName).toBe("TestCo");
+    expect(body.request.requesterName).toBe("Priya Natarajan");
+    expect(body.request.autoEscalated).toBe(false);
+  });
+
+  it("rejects invalid bodies with 422", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests",
+      authedJson({ vendorName: "X" }),
+    );
+    expect(resp.status).toBe(422);
+  });
+});
+
+describe("POST /v1/requests/:id/decision", () => {
+  it("approves a pending request", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_linear_extra/decision",
+      authedJson({ status: "approved", note: "Engineering velocity wins" }),
+    );
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as SingleResponse;
+    expect(body.request.status).toBe("approved");
+    expect(body.request.approverName).toBe("Priya Natarajan");
+    expect(body.request.comments.at(-1)?.text).toContain("velocity");
+  });
+
+  it("requires routeTo when routing", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_linear_extra/decision",
+      authedJson({ status: "routed" }),
+    );
+    expect(resp.status).toBe(422);
+  });
+
+  it("routes to a target and persists routeTo on the record", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_linear_extra/decision",
+      authedJson({ status: "routed", routeTo: "legal", note: "MSA review" }),
+    );
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as SingleResponse;
+    expect(body.request.status).toBe("routed");
+    expect(body.request.routeTo).toBe("legal");
+  });
+
+  it("re-opens a rejected request back to pending", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_miro/decision",
+      authedJson({ status: "pending", note: "Re-open per Q3 plan" }),
+    );
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as SingleResponse;
+    expect(body.request.status).toBe("pending");
+  });
+
+  it("404s on unknown id", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_does_not_exist/decision",
+      authedJson({ status: "approved" }),
+    );
+    expect(resp.status).toBe(404);
+  });
+});
+
+describe("POST /v1/requests/:id/comments", () => {
+  it("appends a comment with denormalized author info", async () => {
+    const resp = await buildApp().request(
+      "/v1/requests/req_linear_extra/comments",
+      authedJson({ text: "Looping in finance" }),
+    );
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as SingleResponse;
+    const last = body.request.comments.at(-1);
+    expect(last?.text).toBe("Looping in finance");
+    expect(last?.authorName).toBe("Priya Natarajan");
+  });
+});
diff --git a/tests/api/seed-boot.test.ts b/tests/api/seed-boot.test.ts
new file mode 100644
index 0000000..b1c3c5b
--- /dev/null
+++ b/tests/api/seed-boot.test.ts
@@ -0,0 +1,62 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { resolve } from "node:path";
+import { buildApp } from "../../apps/api/src/server.js";
+import {
+  loadSeeds,
+  getSeededChangeReports,
+} from "../../apps/api/src/seed/loader.js";
+
+// Boot-path coverage for the fix in PR #11:
+// loadSeeds() populates the legacy ChangeReportStore; buildApp() must
+// hydrate the canonical ChangeReportRepository from the same data so
+// lifecycle endpoints find seeded ids instead of returning 404.
+//
+// Without this test, the regression Copilot flagged (lifecycle 404 on
+// every seeded change) could reappear silently.
+
+const BEARER = "Bearer demo_token_acme_corp_2026";
+const SEED_DIR = resolve(__dirname, "../../seed");
+const SEED_CHANGE_ID = "chg_seed_notion";
+
+beforeEach(() => {
+  loadSeeds({ seedDir: SEED_DIR });
+});
+
+describe("seed boot path hydrates ChangeReportRepository", () => {
+  it("acknowledge succeeds on a seeded change id", async () => {
+    const app = buildApp({ seedChangeReports: getSeededChangeReports() });
+
+    const res = await app.request(`/v1/changes/${SEED_CHANGE_ID}/acknowledge`, {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({ note: "Reviewed by vendor owner" }),
+    });
+
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { id: string; state: string; acknowledgedAt: string };
+    expect(body.id).toBe(SEED_CHANGE_ID);
+    expect(body.state).toBe("acknowledged");
+    expect(body.acknowledgedAt).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+
+  it("returns 404 when seed reports are NOT hydrated (regression guard)", async () => {
+    // Empty repo must 404 (not 500). buildApp() now auto-hydrates from
+    // getSeededChangeReports(), so we pass an explicit empty array to
+    // simulate the pre-hydration path.
+    const app = buildApp({ seedChangeReports: [] });
+
+    const res = await app.request(`/v1/changes/${SEED_CHANGE_ID}/acknowledge`, {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({ note: "test" }),
+    });
+
+    expect(res.status).toBe(404);
+  });
+
+  it("getSeededChangeReports exposes the parsed seed contents", () => {
+    const reports = getSeededChangeReports();
+    expect(reports.length).toBeGreaterThan(0);
+    expect(reports.some((r) => r.id === SEED_CHANGE_ID)).toBe(true);
+  });
+});
diff --git a/tests/api/slack.test.ts b/tests/api/slack.test.ts
index 3371353..e1c1fe5 100644
--- a/tests/api/slack.test.ts
+++ b/tests/api/slack.test.ts
@@ -8,17 +8,17 @@ describe("Slack provider", () => {
       changeReport: createChangeReport(),
       vendor: createVendor(),
       target: "@U010PRIYA",
-      baseUrl: "https://redline.example",
+      baseUrl: "https://unsyphn.example",
     });
     const rendered = JSON.stringify(payload);
 
-    expect(payload.changeReportUrl).toBe("https://redline.example/changes/chg_notion_001");
+    expect(payload.changeReportUrl).toBe("https://unsyphn.example/changes/chg_notion_001");
     expect(payload.evidenceUrl).toBe("https://senso.example/evidence/chg_notion_001");
-    expect(rendered).toContain("P1 · Notion · Redline alert");
+    expect(rendered).toContain("P1 · Notion · Unsyphn alert");
     expect(rendered).toContain("Data retention for PII vendors");
     expect(rendered).toContain("$28,400/yr");
     expect(rendered).toContain("Nimble capture");
-    expect(rendered).toContain("Open in Redline");
+    expect(rendered).toContain("Open in Unsyphn");
     expect(rendered).toContain("View evidence");
     expect(rendered).toContain("<@U010PRIYA>");
   });
@@ -35,8 +35,8 @@ describe("Slack provider", () => {
     const payload = renderSlackAlert({
       changeReport: createChangeReport(),
       vendor: createVendor(),
-      target: "#redline-demo",
-      baseUrl: "https://redline.example",
+      target: "#unsyphn-demo",
+      baseUrl: "https://unsyphn.example",
     });
 
     await expect(
@@ -51,7 +51,7 @@ describe("Slack provider", () => {
     expect(calls[0]?.url).toBe("https://hooks.slack.com/services/T000/B000/demo");
     expect(calls[0]?.init.method).toBe("POST");
     expect(JSON.parse(String(calls[0]?.init.body))).toMatchObject({
-      text: expect.stringContaining("Redline alert"),
+      text: expect.stringContaining("Unsyphn alert"),
       blocks: expect.any(Array),
     });
   });
@@ -61,8 +61,8 @@ describe("Slack provider", () => {
     const payload = renderSlackAlert({
       changeReport: createChangeReport(),
       vendor: createVendor(),
-      target: "#redline-demo",
-      baseUrl: "https://redline.example",
+      target: "#unsyphn-demo",
+      baseUrl: "https://unsyphn.example",
     });
 
     await expect(
diff --git a/tests/api/stream.test.ts b/tests/api/stream.test.ts
index 2d50bf7..bc8bea2 100644
--- a/tests/api/stream.test.ts
+++ b/tests/api/stream.test.ts
@@ -1,7 +1,7 @@
 import { describe, expect, it } from "vitest";
 import { createApp } from "../../apps/api/src/app";
 import { EventBroker, createEventBroker } from "../../apps/api/src/stream/broker";
-import type { OrgId, StoredStreamEvent, StreamEventName, UserId } from "@redline/shared";
+import type { OrgId, StoredStreamEvent, StreamEventName, UserId } from "@unsyphn/shared";
 
 const TOKEN = "demo_token_acme_corp_2026";
 const OTHER_TOKEN = "demo_token_other_org";
diff --git a/tests/api/support/fixtures.ts b/tests/api/support/fixtures.ts
index f73f203..eaca182 100644
--- a/tests/api/support/fixtures.ts
+++ b/tests/api/support/fixtures.ts
@@ -1,4 +1,4 @@
-import type { ChangeReport, OrgId, User, UserId, Vendor, VendorId } from "@redline/shared";
+import type { ChangeReport, OrgId, User, UserId, Vendor, VendorId } from "@unsyphn/shared";
 
 export const NOW = "2026-05-23T13:14:42.000Z";
 export const ORG_ID = "org_acme" as OrgId;
diff --git a/tests/api/vendors.test.ts b/tests/api/vendors.test.ts
index 8e25044..e43e30c 100644
--- a/tests/api/vendors.test.ts
+++ b/tests/api/vendors.test.ts
@@ -170,3 +170,129 @@ describe("POST /v1/vendors", () => {
     expect(body.error.code).toBe("duplicate");
   });
 });
+
+describe("GET /v1/vendors/:id", () => {
+  it("returns the seeded vendor", async () => {
+    const resp = await buildApp().request("/v1/vendors/vnd_notion", {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(200);
+    const body = (await resp.json()) as { id: string; name: string };
+    expect(body.id).toBe("vnd_notion");
+    expect(body.name).toBe("Notion");
+  });
+
+  it("returns 404 for an unknown id", async () => {
+    const resp = await buildApp().request("/v1/vendors/vnd_unknown", {
+      headers: { Authorization: BEARER },
+    });
+    expect(resp.status).toBe(404);
+  });
+
+  it("returns 401 without bearer", async () => {
+    const resp = await buildApp().request("/v1/vendors/vnd_notion");
+    expect(resp.status).toBe(401);
+  });
+});
+
+describe("PATCH /v1/vendors/:id activity recording", () => {
+  it("records an event and surfaces it on the activity timeline", async () => {
+    const app = buildApp();
+    const patchResp = await app.request("/v1/vendors/vnd_notion", {
+      method: "PATCH",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({ posture: "watch" }),
+    });
+    expect(patchResp.status).toBe(200);
+
+    const activityResp = await app.request("/v1/vendors/vnd_notion/activity", {
+      headers: { Authorization: BEARER },
+    });
+    expect(activityResp.status).toBe(200);
+    const body = (await activityResp.json()) as {
+      events: Array<{ kind: string; title: string }>;
+    };
+    const patchEvent = body.events.find((e) => e.kind === "vendor.patch");
+    expect(patchEvent).toBeDefined();
+    expect(patchEvent?.title).toMatch(/posture/);
+  });
+});
+
+describe("POST /v1/vendors/:id/contracts", () => {
+  it("uploads then lists a contract", async () => {
+    const app = buildApp();
+    const uploadResp = await app.request("/v1/vendors/vnd_notion/contracts", {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        filename: "MSA-Notion-2026.pdf",
+        sizeBytes: 1024,
+        contentBase64: "aGVsbG8=",
+      }),
+    });
+    expect(uploadResp.status).toBe(201);
+    const upload = (await uploadResp.json()) as { id: string; filename: string };
+    expect(upload.filename).toBe("MSA-Notion-2026.pdf");
+
+    const listResp = await app.request("/v1/vendors/vnd_notion/contracts", {
+      headers: { Authorization: BEARER },
+    });
+    const list = (await listResp.json()) as { contracts: Array<{ id: string }> };
+    expect(list.contracts.some((c) => c.id === upload.id)).toBe(true);
+  });
+
+  it("rejects an oversized upload with 422", async () => {
+    const resp = await buildApp().request("/v1/vendors/vnd_notion/contracts", {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        filename: "huge.pdf",
+        sizeBytes: 100_000_000,
+        contentBase64: "aGVsbG8=",
+      }),
+    });
+    expect(resp.status).toBe(422);
+  });
+
+  it("downloads an uploaded contract as a binary blob", async () => {
+    const app = buildApp();
+    const original = "hello-world-contract-bytes";
+    const contentBase64 = Buffer.from(original, "utf8").toString("base64");
+
+    const uploadResp = await app.request("/v1/vendors/vnd_notion/contracts", {
+      method: "POST",
+      headers: { Authorization: BEARER, "Content-Type": "application/json" },
+      body: JSON.stringify({
+        filename: "MSA Notion 2026.pdf",
+        sizeBytes: original.length,
+        contentBase64,
+      }),
+    });
+    expect(uploadResp.status).toBe(201);
+    const upload = (await uploadResp.json()) as { id: string };
+
+    const downloadResp = await app.request(
+      `/v1/vendors/vnd_notion/contracts/${upload.id}/download`,
+      { headers: { Authorization: BEARER } },
+    );
+    expect(downloadResp.status).toBe(200);
+    expect(downloadResp.headers.get("content-type")).toBe("application/pdf");
+    const disposition = downloadResp.headers.get("content-disposition") ?? "";
+    expect(disposition).toMatch(/^attachment;/);
+    expect(disposition).toContain("MSA Notion 2026.pdf");
+    expect(downloadResp.headers.get("content-length")).toBe(
+      String(original.length),
+    );
+
+    const bodyBytes = new Uint8Array(await downloadResp.arrayBuffer());
+    expect(Buffer.from(bodyBytes).toString("utf8")).toBe(original);
+  });
+
+  it("returns 404 for an unknown contract id", async () => {
+    const resp = await buildApp().request(
+      "/v1/vendors/vnd_notion/contracts/ctr_999999/download",
+      { headers: { Authorization: BEARER } },
+    );
+    expect(resp.status).toBe(404);
+  });
+});
diff --git a/tests/helpers/in-memory-run-store.ts b/tests/helpers/in-memory-run-store.ts
index ae3efff..d128ba6 100644
--- a/tests/helpers/in-memory-run-store.ts
+++ b/tests/helpers/in-memory-run-store.ts
@@ -1,4 +1,4 @@
-import type { AgentRun } from "@redline/shared";
+import type { AgentRun } from "@unsyphn/shared";
 import type { RunStore, RunUpdate } from "../../apps/api/src/db/run-store.js";
 
 // In-memory RunStore for tests. Shaped identically to ClickHouseRunStore so
diff --git a/tests/web-static/live-sidecar.test.ts b/tests/web-static/live-sidecar.test.ts
deleted file mode 100644
index 8526ed6..0000000
--- a/tests/web-static/live-sidecar.test.ts
+++ /dev/null
@@ -1,126 +0,0 @@
-/**
- * Verify the unsyphn sidecar live.js patches the FleetStats counters from a
- * /v1/dashboard/summary response without touching any JSX file.
- *
- * Loads live.js as CommonJS (it exposes module.exports under that branch) and
- * exercises the pure helpers + the DOM-patching path against a jsdom-rendered
- * approximation of the FleetStats markup from shared.jsx.
- */
-
-import { readFileSync } from "node:fs";
-import { join, dirname } from "node:path";
-import { fileURLToPath } from "node:url";
-import { describe, expect, it, beforeEach } from "vitest";
-import { JSDOM } from "jsdom";
-
-const HERE = dirname(fileURLToPath(import.meta.url));
-const ROOT = join(HERE, "..", "..");
-const LIVE_PATH = join(ROOT, "public", "app", "live.js");
-
-interface LiveModule {
-  applySummary: (summary: unknown) => number;
-  compactUsd: (value: number | null | undefined) => string | null;
-  findStatByLabel: (label: string) => Element | null;
-}
-
-function loadLive(documentRef: Document, windowRef: Window): LiveModule {
-  // The IIFE in live.js looks at `document` + `window` globals. Stub them onto
-  // a vm-style sandbox using node's module + jsdom — we wrap the source and
-  // evaluate in a Function scope that gets the jsdom globals we want.
-  const src = readFileSync(LIVE_PATH, "utf8");
-  const sandbox = {
-    document: documentRef,
-    window: windowRef,
-    fetch: (windowRef as unknown as { fetch?: typeof fetch }).fetch,
-    setTimeout,
-    clearTimeout,
-    module: { exports: {} as LiveModule },
-    console,
-  };
-  const wrapped = new Function(
-    "document",
-    "window",
-    "fetch",
-    "setTimeout",
-    "clearTimeout",
-    "module",
-    "console",
-    src,
-  );
-  wrapped(
-    sandbox.document,
-    sandbox.window,
-    sandbox.fetch,
-    sandbox.setTimeout,
-    sandbox.clearTimeout,
-    sandbox.module,
-    sandbox.console,
-  );
-  return sandbox.module.exports;
-}
-
-const fleetMarkup = `
-  <div class="fleet">
-    <div class="stat aqua"><div class="stat-head"><span class="stat-label">Vendors</span></div><div class="stat-val">27</div><div class="stat-sub">↑ 2 added this Q</div></div>
-    <div class="stat bondi"><div class="stat-head"><span class="stat-label">Scanning</span></div><div class="stat-val">8</div><div class="stat-sub">↑ live polling now</div></div>
-    <div class="stat strawberry"><div class="stat-head"><span class="stat-label">P1 · critical</span></div><div class="stat-val">3</div><div class="stat-sub">↑ $42k at risk</div></div>
-  </div>
-`;
-
-describe("unsyphn sidecar live.js", () => {
-  let dom: JSDOM;
-  let live: LiveModule;
-
-  beforeEach(() => {
-    dom = new JSDOM(`<!doctype html><html><body>${fleetMarkup}</body></html>`);
-    live = loadLive(dom.window.document, dom.window as unknown as Window);
-  });
-
-  it("compactUsd formats millions, thousands, and small numbers", () => {
-    expect(live.compactUsd(2_400_000)).toBe("$2.4M");
-    expect(live.compactUsd(158_000)).toBe("$158k");
-    expect(live.compactUsd(42)).toBe("$42");
-    expect(live.compactUsd(null)).toBeNull();
-    expect(live.compactUsd(NaN as unknown as number)).toBeNull();
-  });
-
-  it("findStatByLabel matches by trimmed, case-insensitive label text", () => {
-    const v = live.findStatByLabel("vendors");
-    expect(v).not.toBeNull();
-    expect(v?.querySelector(".stat-val")?.textContent).toBe("27");
-  });
-
-  it("applySummary patches the Vendors and P1 cards from a real summary shape", () => {
-    const patched = live.applySummary({
-      vendorCount: 42,
-      annualRunRateUsd: 2_400_000,
-      savedThisQuarterUsd: 7_100,
-      openChangeCount: 9,
-      nextRenewal: null,
-    });
-    expect(patched).toBe(2);
-
-    const vendors = live.findStatByLabel("Vendors")!;
-    expect(vendors.querySelector(".stat-val")?.textContent).toBe("42");
-    expect(vendors.querySelector(".stat-sub")?.textContent).toBe("live · $2.4M run-rate");
-    expect(vendors.getAttribute("data-live")).toBe("1");
-
-    const p1 = live.findStatByLabel("P1 · critical")!;
-    expect(p1.querySelector(".stat-val")?.textContent).toBe("9");
-    expect(p1.getAttribute("data-live")).toBe("1");
-  });
-
-  it("applySummary silently no-ops when summary is missing or malformed", () => {
-    expect(live.applySummary(null)).toBe(0);
-    expect(live.applySummary(undefined)).toBe(0);
-    expect(live.applySummary("not an object")).toBe(0);
-    // unchanged DOM
-    expect(live.findStatByLabel("Vendors")?.querySelector(".stat-val")?.textContent).toBe("27");
-  });
-
-  it("applySummary leaves untargeted cards alone", () => {
-    live.applySummary({ vendorCount: 42, openChangeCount: 9 });
-    expect(live.findStatByLabel("Scanning")?.querySelector(".stat-val")?.textContent).toBe("8");
-    expect(live.findStatByLabel("Scanning")?.getAttribute("data-live")).toBeNull();
-  });
-});
diff --git a/tests/web-static/static.test.ts b/tests/web-static/static.test.ts
deleted file mode 100644
index 9d5d0bf..0000000
--- a/tests/web-static/static.test.ts
+++ /dev/null
@@ -1,110 +0,0 @@
-import { existsSync, readFileSync, statSync } from "node:fs";
-import { join } from "node:path";
-import { describe, it, expect } from "vitest";
-
-const ROOT = join(__dirname, "../..");
-const PUBLIC = join(ROOT, "public");
-const APP = join(PUBLIC, "app");
-
-const EXPECTED_JSX_SCRIPTS = [
-  "browser-window.jsx",
-  "brand.jsx",
-  "shared.jsx",
-  "screen-portfolio.jsx",
-  "screen-change.jsx",
-  "escalate.jsx",
-  "routing.jsx",
-  "screen-evidence.jsx",
-  "app.jsx",
-];
-
-describe("static frontend delivery", () => {
-  it("public/index.html exists and is > 1000 bytes", () => {
-    const path = join(PUBLIC, "index.html");
-    expect(existsSync(path)).toBe(true);
-    expect(statSync(path).size).toBeGreaterThan(1000);
-  });
-
-  it('public/index.html contains brand text "UNSYPHN"', () => {
-    const content = readFileSync(join(PUBLIC, "index.html"), "utf8");
-    expect(content).toContain("UNSYPHN");
-  });
-
-  it("public/index.html routes primary Halo CTAs to /app/", () => {
-    const content = readFileSync(join(PUBLIC, "index.html"), "utf8");
-    expect(content).toContain('<a href="/app/" class="cta">Get access →</a>');
-    expect(content).toContain('<button class="btn primary" onclick="location.href=\'/app/\'">Start free trial</button>');
-  });
-
-  it("public/app/index.html exists", () => {
-    expect(existsSync(join(APP, "index.html"))).toBe(true);
-  });
-
-  it("public/app/index.html contains all 9 expected JSX script tags", () => {
-    const content = readFileSync(join(APP, "index.html"), "utf8");
-    for (const script of EXPECTED_JSX_SCRIPTS) {
-      expect(content, `missing script tag for ${script}`).toContain(
-        `<script type="text/babel" src="${script}">`
-      );
-    }
-  });
-
-  it("every JSX src referenced in public/app/index.html resolves to an existing file", () => {
-    const content = readFileSync(join(APP, "index.html"), "utf8");
-    const srcRe = /<script[^>]+type="text\/babel"[^>]+src="([^"]+\.jsx)"[^>]*>/g;
-    const found: string[] = [];
-    let m: RegExpExecArray | null;
-    while ((m = srcRe.exec(content)) !== null) {
-      found.push(m[1]);
-    }
-    expect(found.length).toBeGreaterThan(0);
-    for (const src of found) {
-      expect(existsSync(join(APP, src)), `${src} referenced but missing from public/app/`).toBe(true);
-    }
-  });
-
-  it("public/app/index.html references tokens.css and app.css", () => {
-    const content = readFileSync(join(APP, "index.html"), "utf8");
-    expect(content).toContain("tokens.css");
-    expect(content).toContain("app.css");
-  });
-
-  it("tokens.css exists in public/app/", () => {
-    expect(existsSync(join(APP, "tokens.css"))).toBe(true);
-  });
-
-  it("app.css exists in public/app/", () => {
-    expect(existsSync(join(APP, "app.css"))).toBe(true);
-  });
-
-  it('vercel.json exists at repo root and has outputDirectory "public"', () => {
-    const path = join(ROOT, "vercel.json");
-    expect(existsSync(path)).toBe(true);
-    const json = JSON.parse(readFileSync(path, "utf8"));
-    expect(json.outputDirectory).toBe("public");
-  });
-
-  it("vercel.json redirects /app to /app/ so relative static assets resolve", () => {
-    const json = JSON.parse(readFileSync(join(ROOT, "vercel.json"), "utf8"));
-    expect(json.redirects).toContainEqual({
-      source: "/app",
-      destination: "/app/",
-      permanent: false,
-    });
-  });
-
-  it("vercel.json rewrites only /app/* deep links and never shadows /v1/*", () => {
-    const json = JSON.parse(readFileSync(join(ROOT, "vercel.json"), "utf8"));
-    expect(json.rewrites).toContainEqual({
-      source: "/app/:path*",
-      destination: "/app/",
-    });
-    expect(json.rewrites).not.toEqual(
-      expect.arrayContaining([
-        expect.objectContaining({ source: "/(.*)" }),
-        expect.objectContaining({ source: "/:path*" }),
-        expect.objectContaining({ source: "/v1/:path*" }),
-      ]),
-    );
-  });
-});
diff --git a/tests/web/evidence-brief.test.tsx b/tests/web/evidence-brief.test.tsx
index 2ea6bb2..c07fba1 100644
--- a/tests/web/evidence-brief.test.tsx
+++ b/tests/web/evidence-brief.test.tsx
@@ -2,7 +2,7 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
 import { render, screen, waitFor } from "@testing-library/react";
 import { SensoBrief } from "../../apps/web/src/screens/SensoBrief.js";
-import type { EvidenceBriefResponse } from "@redline/shared";
+import type { EvidenceBriefResponse } from "@unsyphn/shared";
 
 function mockFetch(handler: (path: string) => Response) {
   globalThis.fetch = vi.fn(async (input: RequestInfo | URL) => {
diff --git a/tests/web/renewals-ics.test.ts b/tests/web/renewals-ics.test.ts
new file mode 100644
index 0000000..1c08458
--- /dev/null
+++ b/tests/web/renewals-ics.test.ts
@@ -0,0 +1,62 @@
+import { describe, expect, it } from "vitest";
+import type { Renewal } from "@unsyphn/shared";
+import { buildIcs } from "../../apps/web/src/components/renewals/ics.js";
+
+function fixture(overrides: Partial<Renewal> = {}): Renewal {
+  return {
+    id: "ren_test",
+    vendorId: "vnd_test",
+    vendorName: "Acme; Inc",
+    renewsAt: "2026-09-30",
+    daysOut: 127,
+    annualValueUsd: 120_000,
+    ownerEmail: "devon@acme.dev",
+    status: "triage",
+    benchmarkDelta: 12,
+    ...overrides,
+  };
+}
+
+describe("buildIcs", () => {
+  const NOW = new Date("2026-05-25T00:00:00Z");
+
+  it("emits a valid VCALENDAR envelope with CRLF line endings", () => {
+    const text = buildIcs([fixture()], NOW);
+    expect(text.startsWith("BEGIN:VCALENDAR\r\n")).toBe(true);
+    expect(text.endsWith("END:VCALENDAR\r\n")).toBe(true);
+    expect(text.includes("\n") && !text.includes("\r\n")).toBe(false);
+    expect(text).toContain("VERSION:2.0");
+    expect(text).toContain("PRODID:-//UNSYPHN//Renewals//EN");
+  });
+
+  it("starts DTSTART exactly 30 days before DTEND", () => {
+    const text = buildIcs([fixture({ renewsAt: "2026-09-30" })], NOW);
+    // 30 days before 2026-09-30 = 2026-08-31
+    expect(text).toContain("DTSTART;VALUE=DATE:20260831");
+    expect(text).toContain("DTEND;VALUE=DATE:20260930");
+  });
+
+  it("escapes special characters in vendor names and summary text", () => {
+    const text = buildIcs([fixture({ vendorName: "Acme; Inc, LLC" })], NOW);
+    expect(text).toContain("Acme\\; Inc\\, LLC");
+  });
+
+  it("emits one VEVENT per renewal with mailto organizer + attendee", () => {
+    const text = buildIcs(
+      [
+        fixture({ id: "ren_one", vendorName: "One" }),
+        fixture({ id: "ren_two", vendorName: "Two" }),
+      ],
+      NOW,
+    );
+    expect((text.match(/BEGIN:VEVENT/g) ?? []).length).toBe(2);
+    expect(text).toContain("ORGANIZER");
+    expect(text).toContain("mailto:devon@acme.dev");
+    expect(text).toContain("ATTENDEE");
+  });
+
+  it("skips renewals with an unparseable renewsAt", () => {
+    const text = buildIcs([fixture({ renewsAt: "not-a-date" })], NOW);
+    expect((text.match(/BEGIN:VEVENT/g) ?? []).length).toBe(0);
+  });
+});
diff --git a/tsconfig.json b/tsconfig.json
index e02f34e..2d47b9f 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -14,8 +14,8 @@
     "skipLibCheck": true,
     "baseUrl": ".",
     "paths": {
-      "@redline/shared": ["./packages/shared/src/index.ts"],
-      "@redline/shared/*": ["./packages/shared/src/*"]
+      "@unsyphn/shared": ["./packages/shared/src/index.ts"],
+      "@unsyphn/shared/*": ["./packages/shared/src/*"]
     },
     "types": ["node", "vitest/globals"]
   },
diff --git a/unsyphlogo-removebg-preview.png b/unsyphlogo-removebg-preview.png
new file mode 100644
index 0000000..3f10562
Binary files /dev/null and b/unsyphlogo-removebg-preview.png differ
diff --git a/vitest.config.ts b/vitest.config.ts
index d518c0b..e6ee018 100644
--- a/vitest.config.ts
+++ b/vitest.config.ts
@@ -16,8 +16,8 @@ export default defineConfig({
   },
   resolve: {
     alias: {
-      "@redline/shared": resolve(__dirname, "packages/shared/src/index.ts"),
-      "@redline/shared/": resolve(__dirname, "packages/shared/src/"),
+      "@unsyphn/shared": resolve(__dirname, "packages/shared/src/index.ts"),
+      "@unsyphn/shared/": resolve(__dirname, "packages/shared/src/"),
     },
   },
 });