diff --git a/README.md b/README.md
index 53417a0b..0af7c4d6 100644
--- a/README.md
+++ b/README.md
@@ -113,8 +113,10 @@ The redacted template for a project config lives at `decodex.example.toml`.
 When a project enables `[codex.accounts]`, the shared ChatGPT account pool is
 `~/.codex/decodex/accounts.jsonl`; it is global Decodex state, not a project-local
 file, and project configs do not own an account-pool path override. Set
-`[codex.accounts].fixed_account` to pin runs to one account; the operator dashboard can
-write the same project config field from the Accounts UI.
+`[codex.accounts].fixed_account` in `~/.codex/decodex/config.toml` to pin all new
+account-pool runs to one account. When that global selector is absent, Decodex balances
+new runs across the pool. The operator dashboard Accounts UI writes and clears the same
+global selector; project configs do not pin specific accounts.
 
 `decodex diagnose --json` writes the local agent evidence index under
 `~/.codex/decodex/agent-evidence/<service-id>/` and prints the same handoff index for
diff --git a/apps/decodex/src/agent/codex_accounts.rs b/apps/decodex/src/agent/codex_accounts.rs
index 733b15ba..0b0a7917 100644
--- a/apps/decodex/src/agent/codex_accounts.rs
+++ b/apps/decodex/src/agent/codex_accounts.rs
@@ -43,11 +43,13 @@ pub(crate) struct CodexAccountPool {
 }
 impl CodexAccountPool {
 	pub(crate) fn from_config(config: &ProjectCodexAccountsConfig) -> crate::prelude::Result<Self> {
+		let fixed_account = runtime::global_fixed_account_selector()?;
+
 		Self::new_with_fixed_account(
 			runtime::accounts_path()?,
 			config.usage_endpoint().unwrap_or(DEFAULT_USAGE_ENDPOINT),
 			config.refresh_endpoint().unwrap_or(DEFAULT_REFRESH_ENDPOINT),
-			config.fixed_account(),
+			fixed_account.as_deref(),
 		)
 	}
 
diff --git a/apps/decodex/src/config.rs b/apps/decodex/src/config.rs
index c7364762..4410fa30 100644
--- a/apps/decodex/src/config.rs
+++ b/apps/decodex/src/config.rs
@@ -215,7 +215,6 @@ impl Default for ProjectCodexConfig {
 pub struct ProjectCodexAccountsConfig {
 	usage_endpoint: Option<String>,
 	refresh_endpoint: Option<String>,
-	fixed_account: Option<String>,
 }
 impl ProjectCodexAccountsConfig {
 	/// Override for ChatGPT usage probes. Defaults to the Codex `/wham/usage` endpoint.
@@ -228,11 +227,6 @@ impl ProjectCodexAccountsConfig {
 		self.refresh_endpoint.as_deref()
 	}
 
-	/// Fixed account selector for runs. Matches an account email, id, or displayed fingerprint.
-	pub fn fixed_account(&self) -> Option<&str> {
-		self.fixed_account.as_deref()
-	}
-
 	fn validate(&self) -> Result<()> {
 		validate_optional_nonempty_string(
 			"codex.accounts.usage_endpoint",
@@ -242,10 +236,6 @@ impl ProjectCodexAccountsConfig {
 			"codex.accounts.refresh_endpoint",
 			self.refresh_endpoint.as_deref(),
 		)?;
-		validate_optional_nonempty_string(
-			"codex.accounts.fixed_account",
-			self.fixed_account.as_deref(),
-		)?;
 
 		Ok(())
 	}
@@ -1099,7 +1089,6 @@ mod tests {
 					[codex.accounts]
 					usage_endpoint = "http://127.0.0.1:1234/wham/usage"
 					refresh_endpoint = "http://127.0.0.1:1234/oauth/token"
-					fixed_account = "primary@example.com"
 				"#,
 		);
 		let config = ServiceConfig::from_path(&config_path).expect("accounts should parse");
@@ -1107,7 +1096,30 @@ mod tests {
 
 		assert_eq!(accounts.usage_endpoint(), Some("http://127.0.0.1:1234/wham/usage"));
 		assert_eq!(accounts.refresh_endpoint(), Some("http://127.0.0.1:1234/oauth/token"));
-		assert_eq!(accounts.fixed_account(), Some("primary@example.com"));
+	}
+
+	#[test]
+	fn rejects_project_scoped_codex_fixed_account() {
+		let temp_dir = TempDir::new().expect("temp dir should exist");
+		let config_path = write_config_file(
+			temp_dir.path(),
+			r#"
+				service_id = "pubfi"
+
+				[tracker]
+					api_key_env_var = "HOME"
+
+					[github]
+					token_env_var = "HOME"
+
+					[codex.accounts]
+					fixed_account = "primary@example.com"
+				"#,
+		);
+		let error = ServiceConfig::from_path(&config_path)
+			.expect_err("project-scoped account selection should fail");
+
+		assert!(error.to_string().contains("fixed_account"));
 	}
 
 	#[test]
diff --git a/apps/decodex/src/orchestrator.rs b/apps/decodex/src/orchestrator.rs
index df3db304..893ac5f5 100644
--- a/apps/decodex/src/orchestrator.rs
+++ b/apps/decodex/src/orchestrator.rs
@@ -27,7 +27,7 @@ use time::{OffsetDateTime, format_description::well_known::Rfc3339};
 
 use crate::{agent, default_branch_sync, git_credentials, state};
 #[rustfmt::skip]
-use crate::{agent::{ACTIVE_RUN_IDLE_TIMEOUT, AppServerCapabilityPreflightFailure, AppServerDynamicToolFailure, AppServerHomePreflightFailure, AppServerProcessEnv, AppServerRunRequest, AppServerRunResult, AppServerTransportFailure, AppServerTurnFailure, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, DecodexRunContext, DecodexToolBridge, ReviewExecutionMode, ReviewHandoffContext, ReviewHandoffWritebackFailed, ReviewPolicyStopReason, ReviewPolicyStopRequested, RunCompletionDisposition, TrackerToolBridge, TurnContinuationGuard}, config::{InternalReviewMode, ProjectCodexAccountsConfig, ServiceConfig}, git_credentials::GitCredentialSource, github, prelude::{Result, eyre}, state::{ChildAgentActivityBucket, ChildAgentActivitySummary, CodexAccountActivitySummary, ProjectRegistration, ProjectRunStatus, ProtocolActivitySummary, RUN_OPERATION_AGENT_RUN, RUN_OPERATION_APP_SERVER_PREFLIGHT, RUN_OPERATION_GIT_CREDENTIALS, RUN_OPERATION_IDLE, RUN_OPERATION_RECONCILIATION, RUN_OPERATION_REPO_GATE, RUN_OPERATION_REVIEW_WRITEBACK, RUN_OPERATION_WAITING_EXTERNAL, ReviewHandoffMarker, ReviewOrchestrationMarker, RunActivityMarker, RunAttempt, StateStore, WorktreeMapping}, tracker::{IssueTracker, TrackerComment, TrackerIssue, linear::LinearClient, records}, workflow::{WorkflowDocument, WorkflowExecution}, worktree::{WorktreeManager, WorktreeSpec}};
+use crate::{agent::{ACTIVE_RUN_IDLE_TIMEOUT, AppServerCapabilityPreflightFailure, AppServerDynamicToolFailure, AppServerHomePreflightFailure, AppServerProcessEnv, AppServerRunRequest, AppServerRunResult, AppServerTransportFailure, AppServerTurnFailure, ISSUE_DELIVERY_CLOSEOUT_COMPLETE_TOOL_NAME, ISSUE_LABEL_ADD_TOOL_NAME, ISSUE_PROGRESS_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_CHECKPOINT_TOOL_NAME, ISSUE_REVIEW_HANDOFF_TOOL_NAME, ISSUE_REVIEW_REPAIR_COMPLETE_TOOL_NAME, ISSUE_TERMINAL_FINALIZE_TOOL_NAME, ISSUE_TRANSITION_TOOL_NAME, DecodexRunContext, DecodexToolBridge, ReviewExecutionMode, ReviewHandoffContext, ReviewHandoffWritebackFailed, ReviewPolicyStopReason, ReviewPolicyStopRequested, RunCompletionDisposition, TrackerToolBridge, TurnContinuationGuard}, config::{InternalReviewMode, ServiceConfig}, git_credentials::GitCredentialSource, github, prelude::{Result, eyre}, state::{ChildAgentActivityBucket, ChildAgentActivitySummary, CodexAccountActivitySummary, ProjectRegistration, ProjectRunStatus, ProtocolActivitySummary, RUN_OPERATION_AGENT_RUN, RUN_OPERATION_APP_SERVER_PREFLIGHT, RUN_OPERATION_GIT_CREDENTIALS, RUN_OPERATION_IDLE, RUN_OPERATION_RECONCILIATION, RUN_OPERATION_REPO_GATE, RUN_OPERATION_REVIEW_WRITEBACK, RUN_OPERATION_WAITING_EXTERNAL, ReviewHandoffMarker, ReviewOrchestrationMarker, RunActivityMarker, RunAttempt, StateStore, WorktreeMapping}, tracker::{IssueTracker, TrackerComment, TrackerIssue, linear::LinearClient, records}, workflow::{WorkflowDocument, WorkflowExecution}, worktree::{WorktreeManager, WorktreeSpec}};
 
 include!("orchestrator/types.rs");
 
diff --git a/apps/decodex/src/orchestrator/entrypoints.rs b/apps/decodex/src/orchestrator/entrypoints.rs
index 5ad84c81..aefa6f5d 100644
--- a/apps/decodex/src/orchestrator/entrypoints.rs
+++ b/apps/decodex/src/orchestrator/entrypoints.rs
@@ -376,6 +376,7 @@ where
 		aggregate_control_plane_snapshot(registered_project_count, project_snapshots);
 
 	snapshot.projects = project_statuses;
+	snapshot.account_control = global_codex_account_control_status();
 
 	for warning in snapshot_warnings {
 		add_operator_snapshot_warning(&mut snapshot, warning);
diff --git a/apps/decodex/src/orchestrator/operator_dashboard.html b/apps/decodex/src/orchestrator/operator_dashboard.html
index d00b6975..3da61c3e 100644
--- a/apps/decodex/src/orchestrator/operator_dashboard.html
+++ b/apps/decodex/src/orchestrator/operator_dashboard.html
@@ -783,6 +783,16 @@
 				background: var(--section-tone);
 			}
 
+			.section-marker-meta {
+				flex: 0 1 auto;
+				min-width: 0;
+				max-width: min(320px, 50vw);
+				overflow: hidden;
+				text-overflow: ellipsis;
+				white-space: nowrap;
+				text-align: right;
+			}
+
 			.section-marker-control {
 				--section-tone: var(--tone-muted);
 			}
@@ -814,15 +824,6 @@
 					transform var(--medium) var(--ease);
 			}
 
-			#account-pool-panel {
-				padding-bottom: var(--space-md);
-				background: transparent;
-			}
-
-			#account-pool-panel .panel-body {
-				padding-bottom: 4px;
-			}
-
 			#active-panel {
 				background: transparent;
 			}
@@ -1893,6 +1894,8 @@
 
 			.account-row {
 				--account-accent: var(--tone-muted);
+				--account-confirm-accent: var(--tone-run);
+				--account-confirm-cycle: 1.45s;
 				position: relative;
 				isolation: isolate;
 				display: grid;
@@ -1961,10 +1964,6 @@
 				--account-accent: var(--success);
 			}
 
-			.account-row.is-fixed {
-				--account-accent: var(--success);
-			}
-
 			.account-row.is-ready {
 				--account-accent: var(--success);
 			}
@@ -1988,6 +1987,10 @@
 				--account-accent: var(--danger);
 			}
 
+			.account-row.is-fixed {
+				--account-accent: var(--info);
+			}
+
 			.account-row.is-warn::after,
 			.account-row.is-danger::after {
 				opacity: 0.35;
@@ -2005,12 +2008,67 @@
 				transform: scaleX(1.45) scaleY(1.08);
 			}
 
+			.account-row.is-armed:hover::before,
+			.account-row.is-armed:focus-within::before {
+				transform: none;
+			}
+
+			.account-row.is-armed:not(.is-selected):not(.is-fixed):hover::before,
+			.account-row.is-armed:not(.is-selected):not(.is-fixed):focus-within::before {
+				box-shadow: none;
+			}
+
+			.account-row.is-armed.is-selected:hover::before,
+			.account-row.is-armed.is-selected:focus-within::before,
+			.account-row.is-armed.is-fixed:hover::before,
+			.account-row.is-armed.is-fixed:focus-within::before {
+				box-shadow: 0 0 10px color-mix(in srgb, var(--account-accent) 22%, transparent);
+			}
+
 			.account-row:hover::after,
 			.account-row:focus-within::after {
 				opacity: 0.85;
 				transform: scaleX(1);
 			}
 
+			@keyframes account-confirm-name-breathe {
+				0%,
+				100% {
+					color: color-mix(in srgb, var(--account-confirm-accent) 46%, var(--muted));
+					text-shadow: none;
+				}
+				50% {
+					color: var(--account-confirm-accent);
+					text-shadow:
+						0 0 6px color-mix(in srgb, var(--account-confirm-accent) 34%, transparent),
+						0 0 15px color-mix(in srgb, var(--account-confirm-accent) 20%, transparent);
+				}
+			}
+
+			@keyframes account-confirm-bracket-left {
+				0%,
+				100% {
+					opacity: 0.36;
+					transform: translate(0.18ch, -50%);
+				}
+				50% {
+					opacity: 0.98;
+					transform: translate(-0.12ch, -50%);
+				}
+			}
+
+			@keyframes account-confirm-bracket-right {
+				0%,
+				100% {
+					opacity: 0.36;
+					transform: translate(-0.18ch, -50%);
+				}
+				50% {
+					opacity: 0.98;
+					transform: translate(0.12ch, -50%);
+				}
+			}
+
 			.account-row-id {
 				grid-area: id;
 				display: flex;
@@ -2035,80 +2093,135 @@
 				font-weight: var(--weight-label);
 			}
 
-			.account-name-reroll {
+			.account-name-button {
+				position: relative;
 				display: inline-flex;
 				align-items: center;
 				justify-content: center;
-				flex: 0 0 auto;
-				width: 16px;
-				height: 16px;
-				padding: 0;
+				min-width: 0;
+				max-width: 100%;
+				padding: 0 2px;
 				border: 0;
-				border-radius: 999px;
 				background: transparent;
-				color: var(--muted);
+				color: var(--text);
+				font-family: var(--mono);
+				font-size: var(--type-label);
+				font-variant-ligatures: none;
+				font-weight: var(--weight-label);
+				letter-spacing: 0;
+				line-height: 1.25;
 				cursor: pointer;
 				transition:
-					background-color var(--fast) var(--ease),
-					color var(--fast) var(--ease);
+					color var(--fast) var(--ease),
+					text-shadow var(--medium) var(--ease);
 			}
 
-			.account-name-reroll svg {
+			.account-name-button::before,
+			.account-name-button::after {
+				position: absolute;
+				top: 50%;
 				display: block;
-				width: 12px;
-				height: 12px;
-				stroke-width: 2.1;
+				color: var(--account-confirm-accent);
+				font-weight: var(--weight-strong);
+				line-height: 1;
+				opacity: 0;
+				pointer-events: none;
+				text-shadow:
+					0 0 8px color-mix(in srgb, var(--account-confirm-accent) 42%, transparent),
+					0 0 16px color-mix(in srgb, var(--account-confirm-accent) 22%, transparent);
+				will-change: opacity, transform;
 			}
 
-			.account-name-reroll:hover {
-				background: var(--surface-muted);
-				color: var(--text);
+			.account-name-button::before {
+				content: ">";
+				left: -1.35ch;
+				transform: translate(0.18ch, -50%);
 			}
 
-			.account-name-reroll:focus-visible {
-				color: var(--text);
+			.account-name-button::after {
+				content: "<";
+				right: -1.35ch;
+				transform: translate(-0.18ch, -50%);
+			}
+
+			.account-name-button .account-name {
+				min-width: 0;
+				overflow: hidden;
+				text-overflow: ellipsis;
+				white-space: nowrap;
+			}
+
+			.account-name-button:hover,
+			.account-name-button.is-fixed {
+				color: var(--account-confirm-accent);
+			}
+
+			.account-name-button.is-fixed {
+				text-shadow:
+					0 0 6px color-mix(in srgb, var(--account-confirm-accent) 34%, transparent),
+					0 0 15px color-mix(in srgb, var(--account-confirm-accent) 20%, transparent);
+			}
+
+			.account-name-button.is-fixed::before,
+			.account-name-button.is-fixed::after {
+				opacity: 0.72;
+				transform: translate(0, -50%);
+			}
+
+			.account-name-button.is-armed {
+				animation: account-confirm-name-breathe var(--account-confirm-cycle) var(--ease) infinite;
+				will-change: color, text-shadow;
+			}
+
+			.account-name-button.is-armed::before {
+				animation: account-confirm-bracket-left var(--account-confirm-cycle) var(--ease) infinite;
+			}
+
+			.account-name-button.is-armed::after {
+				animation: account-confirm-bracket-right var(--account-confirm-cycle) var(--ease) infinite;
+			}
+
+			.account-name-button:focus-visible {
 				outline: 2px solid var(--info);
-				outline-offset: 2px;
+				outline-offset: 4px;
 			}
 
-			.account-select-button {
+			.account-name-reroll {
 				display: inline-flex;
 				align-items: center;
 				justify-content: center;
 				flex: 0 0 auto;
-				width: 18px;
-				height: 18px;
+				width: 16px;
+				height: 16px;
 				padding: 0;
-				border: 1px solid color-mix(in srgb, var(--line-strong) 70%, transparent);
+				border: 0;
 				border-radius: 999px;
-				background: color-mix(in srgb, var(--surface-muted) 74%, transparent);
+				background: transparent;
 				color: var(--muted);
 				cursor: pointer;
 				transition:
 					background-color var(--fast) var(--ease),
-					border-color var(--fast) var(--ease),
-					color var(--fast) var(--ease),
-					transform var(--fast) var(--ease);
+					color var(--fast) var(--ease);
 			}
 
-			.account-select-button svg {
+			.account-name-button + .account-name-reroll {
+				margin-left: 8px;
+			}
+
+			.account-name-reroll svg {
 				display: block;
 				width: 12px;
 				height: 12px;
-				stroke-width: 2.2;
-			}
-
-			.account-select-button:hover,
-			.account-select-button.is-fixed {
-				border-color: color-mix(in srgb, var(--success) 58%, var(--line-strong));
-				color: var(--success);
+				stroke-width: 2.1;
 			}
 
-			.account-select-button:hover {
-				transform: translateY(-1px);
+			.account-name-reroll:hover {
+				background: var(--surface-muted);
+				color: var(--text);
 			}
 
-			.account-select-button:focus-visible {
+			.account-name-reroll:focus-visible {
+				color: var(--text);
 				outline: 2px solid var(--info);
 				outline-offset: 2px;
 			}
@@ -2282,6 +2395,7 @@
 			}
 
 			.account-row.is-selected .account-status,
+			.account-row.is-fixed .account-status,
 			.account-row.is-ready .account-status {
 				color: var(--account-accent);
 			}
@@ -3168,6 +3282,7 @@ <h1 id="project-title">Decodex</h1>
 						aria-label="Accounts group"
 					>
 						<span>Accounts</span>
+						<p class="table-meta section-marker-meta" id="account-mode-meta"></p>
 					</div>
 					<section class="panel section-control" id="account-pool-panel">
 						<div class="panel-body">
@@ -3238,7 +3353,7 @@ <h2 id="queue-title">Intake Queue</h2>
 							<div>
 								<h2>Review &amp; Landing</h2>
 							</div>
-							<p class="table-meta" id="review-lanes-meta">Snapshot pending</p>
+							<p class="table-meta" id="review-lanes-meta">0 PRs · 0 need attention · 0 ready · 0 waiting</p>
 						</div>
 						<div class="panel-body">
 							<div class="card-list" id="review-queue"></div>
@@ -3399,6 +3514,7 @@ <h2 id="recent-title">Run History</h2>
 				themeButtons: [...document.querySelectorAll("[data-theme-choice]")],
 				workspace: document.getElementById("workspace"),
 				primaryStack: document.getElementById("primary-stack"),
+				accountModeMeta: document.getElementById("account-mode-meta"),
 				panels: {
 					projects: document.getElementById("projects-panel"),
 					accountPool: document.getElementById("account-pool-panel"),
@@ -3448,6 +3564,7 @@ <h2 id="recent-title">Run History</h2>
 			let accountEmailsHidden = loadAccountPrivacy();
 			let accountNameOffsets = loadAccountNameOffsets();
 			let accountPoolSort = loadAccountPoolSort();
+			let accountSelectionConfirmation = null;
 			let projectFilterMode = loadProjectFilterMode();
 			let projectLocationsHidden = loadProjectLocationPrivacy();
 			let projectSort = loadProjectSort();
@@ -3471,7 +3588,6 @@ <h2 id="recent-title">Run History</h2>
 				runningInlineMetaPlural: "already running",
 				protocolEvent: "Protocol event",
 				staleClosed: "closed labels",
-				waitingSnapshot: "Snapshot pending",
 			};
 
 			function escapeHtml(value) {
@@ -4907,10 +5023,8 @@ <h2 id="recent-title">Run History</h2>
 				`;
 			}
 
-			function renderRoutineEmptyList(container, snapshot, waitingCopy = "") {
-				container.innerHTML = snapshot
-					? ""
-					: renderEmptyState(COPY.waitingSnapshot, waitingCopy);
+			function renderRoutineEmptyList(container) {
+				container.innerHTML = "";
 			}
 
 			function keyedPatchNodeKey(node) {
@@ -5584,25 +5698,14 @@ <h2 id="recent-title">Run History</h2>
 					return account?.plan_type || "";
 				}
 
-				function codexAccountControlProjectId(snapshot) {
-					const snapshotProjectId = String(snapshot?.project_id || "").trim();
-					if (snapshotProjectId && snapshotProjectId !== "all") {
-						return snapshotProjectId;
-					}
-
-					const projects = Array.isArray(snapshot?.projects)
-						? snapshot.projects.filter((project) => project?.project_id)
-						: [];
-
-					return projects.length === 1 ? String(projects[0].project_id) : "";
-				}
-
 				function codexAccountControlSelector(account) {
 					return codexAccountEmail(account) || codexAccountFingerprint(account);
 				}
 
 				function codexAccountConfiguredSelector(snapshot) {
-					return String(snapshot?.account_control?.account_selector || "").trim();
+					const accountControl = snapshot?.account_control || {};
+
+					return String(accountControl.account_selector || "").trim();
 				}
 
 				function codexAccountMatchesConfiguredSelector(account, snapshot) {
@@ -5617,6 +5720,94 @@ <h2 id="recent-title">Run History</h2>
 					);
 				}
 
+				function accountSelectionConfirmationKey(action, selector) {
+					return `${String(action || "").trim()}:${String(selector || "").trim()}`;
+				}
+
+				function accountSelectionConfirmationMatches(action, selector) {
+					if (!accountSelectionConfirmation) {
+						return false;
+					}
+
+					return (
+						accountSelectionConfirmation.key ===
+						accountSelectionConfirmationKey(action, selector)
+					);
+				}
+
+				function accountSelectionControlTitle(action, displayTitle, armed) {
+					const prefix =
+						action === "clearAccountSelection"
+							? armed
+								? "Click again to return the global account pool to balanced selection"
+								: "Click once, then again to return the global account pool to balanced selection"
+							: armed
+								? "Click again to use this account for new global runs"
+								: "Click once, then again to use this account for new global runs";
+
+					return displayTitle ? `${prefix}: ${displayTitle}` : prefix;
+				}
+
+				function syncAccountSelectionConfirmationDom() {
+					for (const button of nodes.accountPool.querySelectorAll("[data-account-confirm-action]")) {
+						const action = button.dataset.accountConfirmAction;
+						const selector = button.dataset.accountSelector || "";
+						const armed = accountSelectionConfirmationMatches(action, selector);
+						const row = button.closest(".account-row");
+						const title = accountSelectionControlTitle(
+							action,
+							button.dataset.accountDisplayTitle || "",
+							armed,
+						);
+
+						button.classList.toggle("is-armed", armed);
+						button.setAttribute("aria-label", title);
+						button.setAttribute("title", title);
+						if (row) {
+							row.classList.toggle("is-armed", armed);
+						}
+					}
+				}
+
+				function clearAccountSelectionConfirmation(syncDom = true) {
+					accountSelectionConfirmation = null;
+					if (syncDom) {
+						syncAccountSelectionConfirmationDom();
+					}
+				}
+
+				function armAccountSelectionConfirmation(action, selector) {
+					accountSelectionConfirmation = {
+						key: accountSelectionConfirmationKey(action, selector),
+						action,
+						selector,
+					};
+					syncAccountSelectionConfirmationDom();
+				}
+
+				function confirmAccountSelection(action, selector) {
+					clearAccountSelectionConfirmation(false);
+					if (action === "selectAccount") {
+						sendDashboardControl(action, { accountSelector: selector });
+					} else if (action === "clearAccountSelection") {
+						sendDashboardControl(action);
+					}
+					syncAccountSelectionConfirmationDom();
+				}
+
+				function handleAccountSelectionConfirmation(action, selector) {
+					if (!selector || !["selectAccount", "clearAccountSelection"].includes(action)) {
+						return;
+					}
+
+					if (accountSelectionConfirmationMatches(action, selector)) {
+						confirmAccountSelection(action, selector);
+						return;
+					}
+
+					armAccountSelectionConfirmation(action, selector);
+				}
+
 				function codexAccountEmail(account) {
 					return String(account?.account_email || account?.email || "").trim();
 				}
@@ -5724,29 +5915,24 @@ <h2 id="recent-title">Run History</h2>
 					`;
 				}
 
-				function renderCodexAccountSelectButton(account, snapshot) {
-					const projectId = codexAccountControlProjectId(snapshot);
+				function renderCodexAccountNameControl(account, snapshot) {
 					const selector = codexAccountControlSelector(account);
-					if (!projectId || !selector) {
-						return "";
+					const displayTitle = codexAccountDisplayTitle(account);
+					const visibleName = codexAccountVisibleName(account);
+					if (!selector) {
+						return `<strong class="account-name" title="${escapeHtml(displayTitle)}">${escapeHtml(visibleName)}</strong>`;
 					}
 
 					const fixed = codexAccountMatchesConfiguredSelector(account, snapshot);
 					const action = fixed ? "clearAccountSelection" : "selectAccount";
-					const title = fixed
-						? "Return this project to balanced account selection"
-						: "Use this account for new runs";
+					const armed = accountSelectionConfirmationMatches(action, selector);
 					const fixedClass = fixed ? " is-fixed" : "";
+					const armedClass = armed ? " is-armed" : "";
+					const title = accountSelectionControlTitle(action, displayTitle, armed);
 
 					return `
-						<button class="account-select-button${fixedClass}" type="button" data-account-select="${escapeHtml(action)}" data-project-id="${escapeHtml(projectId)}" data-account-selector="${escapeHtml(selector)}" aria-label="${escapeHtml(title)}" title="${escapeHtml(title)}">
-							<svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round">
-								${
-									fixed
-										? '<path d="M6 18 18 6"></path><path d="m6 6 12 12"></path>'
-										: '<path d="M20 6 9 17l-5-5"></path>'
-								}
-							</svg>
+						<button class="account-name-button${fixedClass}${armedClass}" type="button" data-account-confirm-action="${escapeHtml(action)}" data-account-selector="${escapeHtml(selector)}" data-account-display-title="${escapeHtml(displayTitle)}" aria-pressed="${fixed ? "true" : "false"}" aria-label="${escapeHtml(title)}" title="${escapeHtml(title)}">
+							<span class="account-name">${escapeHtml(visibleName)}</span>
 						</button>
 					`;
 				}
@@ -6123,14 +6309,15 @@ <h2 id="recent-title">Run History</h2>
 				}
 
 				function renderCodexAccountPoolRow(account, snapshot) {
-					const displayTitle = codexAccountDisplayTitle(account);
-					const visibleName = codexAccountVisibleName(account);
 					const plan = codexAccountPlanLabel(account);
 					const statusTone = codexAccountStatusTone(account);
 					const toneClass = statusTone ? ` is-${statusTone}` : "";
-					const fixedClass = codexAccountMatchesConfiguredSelector(account, snapshot)
-						? " is-fixed"
-						: "";
+					const fixed = codexAccountMatchesConfiguredSelector(account, snapshot);
+					const fixedClass = fixed ? " is-fixed" : "";
+					const selector = codexAccountControlSelector(account);
+					const action = fixed ? "clearAccountSelection" : "selectAccount";
+					const armedClass =
+						selector && accountSelectionConfirmationMatches(action, selector) ? " is-armed" : "";
 					const selectedClass =
 						String(account.status || "").toLowerCase() === "selected" ? " is-selected" : "";
 				const metaFacts = codexAccountMetaFacts(account);
@@ -6140,11 +6327,10 @@ <h2 id="recent-title">Run History</h2>
 				const identityClass = codexAccountShowsEmail(account) ? " is-machine" : "";
 
 				return `
-						<div class="account-row${selectedClass}${fixedClass}${toneClass}">
+						<div class="account-row${selectedClass}${fixedClass}${armedClass}${toneClass}">
 							<div class="account-row-id${identityClass}">
-								<strong class="account-name" title="${escapeHtml(displayTitle)}">${escapeHtml(visibleName)}</strong>
+								${renderCodexAccountNameControl(account, snapshot)}
 								${renderCodexAccountRandomNameButton(account)}
-								${renderCodexAccountSelectButton(account, snapshot)}
 							</div>
 							<div class="account-row-plan">${escapeHtml(plan)}</div>
 							${renderCodexAccountPoolWindow(account, "primary")}
@@ -6200,14 +6386,39 @@ <h2 id="recent-title">Run History</h2>
 					return `<span class="account-pool-heading">${sortButton}${accountPrivacyToggleMarkup()}</span>`;
 				}
 
-				function renderCodexAccountPool(accounts, snapshot) {
-					if (!accounts.length) {
-						return renderEmptyState(
-							"No accounts",
-							"Account usage appears after snapshot publish.",
-						);
+				function codexAccountControlStatusLabel(snapshot) {
+					const accountControl = snapshot?.account_control || {};
+					const selector = String(accountControl.account_selector || "").trim();
+					if (!selector) {
+						return "Balanced";
+					}
+
+					const account = codexAccountPoolAccounts(snapshot).find(
+						(candidate) =>
+							selector === codexAccountEmail(candidate) ||
+							selector === codexAccountFingerprint(candidate),
+					);
+					if (account) {
+						const label = codexAccountShowsEmail(account)
+							? compactAccountIdentity(selector)
+							: codexAccountVisibleName(account);
+						return `Fixed · ${label}`;
 					}
 
+					return `Fixed · ${accountEmailsHidden ? "account" : compactAccountIdentity(selector)}`;
+				}
+
+				function renderAccountModeControl(snapshot) {
+					const title = codexAccountControlStatusLabel(snapshot);
+					nodes.accountModeMeta.textContent = title;
+					nodes.accountModeMeta.title = title;
+				}
+
+			function renderCodexAccountPool(accounts, snapshot) {
+				if (!accounts.length) {
+					return "";
+				}
+
 					return `
 						<div class="account-pool-list" aria-label="Accounts">
 							<div class="account-pool-guide">
@@ -6306,7 +6517,10 @@ <h2 id="recent-title">Run History</h2>
 											? "available"
 											: account.status,
 							};
-							if (!existing || codexAccountPoolRank(candidate) >= codexAccountPoolRank(existing)) {
+							if (
+								!existing ||
+								codexAccountPoolMergeRank(candidate) >= codexAccountPoolMergeRank(existing)
+							) {
 								accountsByIdentity.set(identity, candidate);
 							}
 						}
@@ -6315,7 +6529,7 @@ <h2 id="recent-title">Run History</h2>
 					return sortCodexAccountPoolAccounts([...accountsByIdentity.values()]);
 				}
 
-				function codexAccountPoolRank(account) {
+				function codexAccountPoolMergeRank(account) {
 					const status = String(account?.status || "").toLowerCase();
 
 					return status === "selected" ? 1 : 0;
@@ -6385,46 +6599,31 @@ <h2 id="recent-title">Run History</h2>
 					return direction === "desc" ? -delta : delta;
 				}
 
-				function codexAccountPoolSortKey(account) {
-					const identity =
-						codexAccountIdentity(account) ||
-						account?.plan_type ||
-						"account";
-					const hash = codexAccountIdentityHash(identity).toString(16).padStart(8, "0");
-
-					return hash;
-				}
-
-				function compareCodexAccountPoolStable(left, right) {
-					const rankDelta = codexAccountPoolRank(right) - codexAccountPoolRank(left);
-					if (rankDelta) {
-						return rankDelta;
+				function sortCodexAccountPoolAccounts(accounts) {
+					if (!accountPoolSort.key) {
+						return accounts;
 					}
 
-					return codexAccountPoolSortKey(left).localeCompare(codexAccountPoolSortKey(right));
-				}
-
-				function sortCodexAccountPoolAccounts(accounts) {
 					return accounts.sort((left, right) => {
-						if (accountPoolSort.key) {
-							const columnDelta = compareCodexAccountPoolColumn(
-								left,
-								right,
-								accountPoolSort.key,
-								accountPoolSort.direction,
-							);
-							if (columnDelta) {
-								return columnDelta;
-							}
+						const columnDelta = compareCodexAccountPoolColumn(
+							left,
+							right,
+							accountPoolSort.key,
+							accountPoolSort.direction,
+						);
+						if (columnDelta) {
+							return columnDelta;
 						}
 
-						return compareCodexAccountPoolStable(left, right);
+						return 0;
 					});
 				}
 
 				function renderAccountPool(snapshot) {
 					const accounts = codexAccountPoolAccounts(snapshot);
-					nodes.accountPool.innerHTML = renderCodexAccountPool(accounts, snapshot);
+					renderAccountModeControl(snapshot);
+					renderStableList(nodes.accountPool, renderCodexAccountPool(accounts, snapshot));
+					syncAccountSelectionConfirmationDom();
 					renderAccountPrivacyToggle();
 				}
 
@@ -7961,7 +8160,7 @@ <h2 id="recent-title">Run History</h2>
 				if (!snapshot) {
 					renderProjectFilterToggle();
 					nodes.projectOverview.classList.add("is-empty", "is-waiting");
-					nodes.projectOverview.innerHTML = renderEmptyState(COPY.waitingSnapshot);
+					nodes.projectOverview.innerHTML = "";
 					return;
 				}
 
@@ -8048,7 +8247,7 @@ <h2 id="recent-title">Run History</h2>
 
 			function backlogMetaText(snapshot, derived) {
 				if (!snapshot) {
-					return COPY.waitingSnapshot;
+					return "0 queued";
 				}
 
 				const parts = [`${derived.queueBacklogCandidates.length} queued`];
@@ -8081,13 +8280,9 @@ <h2 id="recent-title">Run History</h2>
 				return parts.join(" · ");
 			}
 
-			function renderQueuedCandidates(container, items, snapshot) {
+			function renderQueuedCandidates(container, items) {
 				if (!items.length) {
-					renderRoutineEmptyList(
-						container,
-						snapshot,
-						"Appears after /state publishes a snapshot.",
-					);
+					renderRoutineEmptyList(container);
 					return;
 				}
 
@@ -8129,9 +8324,9 @@ <h4>${escapeHtml(candidate.title)}</h4>
 					.join("");
 			}
 
-			function renderActionCards(container, items, snapshot, waitingCopy = "") {
+			function renderActionCards(container, items) {
 				if (!items.length) {
-					renderRoutineEmptyList(container, snapshot, waitingCopy);
+					renderRoutineEmptyList(container);
 					return;
 				}
 
@@ -8206,16 +8401,12 @@ <h4>${escapeHtml(item.title)}</h4>
 				const runs = snapshot?.active_runs ?? [];
 				setPanelMeta(
 					nodes.activeRunsMeta,
-					snapshot ? runningLaneMetaText(derived) : COPY.waitingSnapshot,
+					runningLaneMetaText(derived),
 					derived.runningAttentionCount ? "attention" : "",
 				);
 
 				if (!runs.length) {
-					renderRoutineEmptyList(
-						nodes.activeRuns,
-						snapshot,
-						"Appears after /state publishes a snapshot.",
-					);
+					renderRoutineEmptyList(nodes.activeRuns);
 					return;
 				}
 
@@ -8365,7 +8556,7 @@ <h3 class="run-title">${escapeHtml(issueTitle)}</h3>
 									? ` · ${pluralize(hiddenActiveCount, COPY.runningInlineMeta, COPY.runningInlineMetaPlural)}`
 									: ""
 							}`
-						: COPY.waitingSnapshot,
+						: "0 issues · 0 attempts",
 				);
 
 				if (!lanes.length) {
@@ -9153,21 +9344,18 @@ <h4>${escapeHtml(worktree.branch_name)}</h4>
 				renderQueuedCandidates(
 					nodes.queuedCandidates,
 					derived.queueBacklogCandidates,
-					snapshot,
 				);
 				setPanelMeta(nodes.queuedMeta, backlogMetaText(snapshot, derived));
 				renderRecentRuns(snapshot);
 				renderActionCards(
 					nodes.reviewQueue,
 					reviewItems,
-					snapshot,
-					"Appears after /state publishes a snapshot.",
 				);
 				setPanelMeta(
 					nodes.reviewLanesMeta,
 					snapshot
 						? `${pluralize(derived.postReviewLanes.length, "PR")} · ${pluralize(derived.reviewBlockerCount, "needs attention", "need attention")} · ${derived.readyItems.length} ready · ${derived.reviewWaitingCount} waiting`
-						: COPY.waitingSnapshot,
+						: "0 PRs · 0 need attention · 0 ready · 0 waiting",
 				);
 				renderWorktrees(snapshot);
 			}
@@ -9254,18 +9442,12 @@ <h4>${escapeHtml(worktree.branch_name)}</h4>
 					return;
 				}
 
-				const selectButton = event.target.closest("[data-account-select]");
-				if (selectButton) {
+				const confirmButton = event.target.closest("[data-account-confirm-action]");
+				if (confirmButton) {
 					event.preventDefault();
-					const action = selectButton.dataset.accountSelect;
-					const projectId = selectButton.dataset.projectId || null;
-					const accountSelector = selectButton.dataset.accountSelector || null;
-
-					if (action === "selectAccount") {
-						sendDashboardControl(action, { projectId, accountSelector });
-					} else if (action === "clearAccountSelection") {
-						sendDashboardControl(action, { projectId });
-					}
+					const action = confirmButton.dataset.accountConfirmAction;
+					const accountSelector = confirmButton.dataset.accountSelector || null;
+					handleAccountSelectionConfirmation(action, accountSelector);
 					return;
 				}
 
@@ -9363,6 +9545,13 @@ <h4>${escapeHtml(worktree.branch_name)}</h4>
 					return;
 				}
 
+				if (
+					accountSelectionConfirmation &&
+					!event.target.closest("[data-account-confirm-action]")
+				) {
+					clearAccountSelectionConfirmation(true);
+				}
+
 				if (!event.target.closest("[data-project-work-info]")) {
 					projectWorkInfoOpen = false;
 					renderProjectWorkInfoState();
diff --git a/apps/decodex/src/orchestrator/operator_http.rs b/apps/decodex/src/orchestrator/operator_http.rs
index 39e7a7fa..234e0f98 100644
--- a/apps/decodex/src/orchestrator/operator_http.rs
+++ b/apps/decodex/src/orchestrator/operator_http.rs
@@ -782,14 +782,11 @@ fn dashboard_project_enabled_control_ack(
 
 fn dashboard_account_selection_control_ack(
 	session: &DashboardWebSocketSession,
-	state_store: &StateStore,
+	_state_store: &StateStore,
 	message: &DashboardClientMessage,
 	action: &str,
 	set_fixed: bool,
 ) -> Value {
-	let Some(project_id) = dashboard_required_project_id(message) else {
-		return dashboard_missing_project_control_ack(session, message, action);
-	};
 	let selector = if set_fixed {
 		match dashboard_required_account_selector(message) {
 			Some(selector) => Some(selector),
@@ -800,7 +797,7 @@ fn dashboard_account_selection_control_ack(
 					accepted: false,
 					status: "missing_account",
 					message: "Account selection requires an account selector.",
-					project_id: Some(project_id),
+					project_id: None,
 					issue_id: message.issue_id.as_deref(),
 					run_id: message.run_id.as_deref(),
 					subscription: Some(&session.subscription),
@@ -810,17 +807,17 @@ fn dashboard_account_selection_control_ack(
 	} else {
 		None
 	};
-	let result = update_project_codex_account_selection(state_store, project_id, selector);
+	let result = runtime::write_global_fixed_account_selector(selector);
 	let (accepted, status, copy) = match (set_fixed, result) {
 		(true, Ok(())) => (
 			true,
 			"fixed",
-			String::from("Project config now pins new Codex runs to the selected account."),
+			String::from("Global Codex account pool now pins new runs to the selected account."),
 		),
 		(false, Ok(())) => (
 			true,
 			"balanced",
-			String::from("Project config now uses balanced Codex account selection."),
+			String::from("Global Codex account pool now uses balanced account selection."),
 		),
 		(_, Err(error)) => (false, "failed", error.to_string()),
 	};
@@ -831,7 +828,7 @@ fn dashboard_account_selection_control_ack(
 		accepted,
 		status,
 		message: &copy,
-		project_id: Some(project_id),
+		project_id: None,
 		issue_id: message.issue_id.as_deref(),
 		run_id: message.run_id.as_deref(),
 		subscription: Some(&session.subscription),
@@ -1003,84 +1000,6 @@ fn dashboard_required_account_selector(message: &DashboardClientMessage) -> Opti
 		.filter(|value| !value.is_empty())
 }
 
-fn update_project_codex_account_selection(
-	state_store: &StateStore,
-	project_id: &str,
-	selector: Option<&str>,
-) -> Result<()> {
-	let registration = state_store
-		.list_projects()?
-		.into_iter()
-		.find(|project| project.service_id() == project_id)
-		.ok_or_else(|| eyre::eyre!("Decodex project `{project_id}` is not registered."))?;
-
-	write_project_codex_account_selection(registration.config_path(), selector)?;
-
-	runtime::register_project_config(
-		state_store,
-		registration.config_path(),
-		registration.enabled(),
-	)?;
-
-	Ok(())
-}
-
-fn write_project_codex_account_selection(
-	config_path: &Path,
-	selector: Option<&str>,
-) -> Result<()> {
-	let config_path = ServiceConfig::resolve_project_config_path(config_path)?;
-	let input = fs::read_to_string(&config_path)?;
-	let mut document = toml::from_str::<toml::Table>(&input)?;
-
-	match selector.map(str::trim).filter(|value| !value.is_empty()) {
-		Some(selector) => {
-			let accounts = ensure_toml_table(ensure_toml_table(&mut document, "codex")?, "accounts")?;
-
-			accounts.insert(String::from("fixed_account"), selector.to_owned().into());
-		},
-		None => {
-			if let Some(codex) = document.get_mut("codex").and_then(|value| value.as_table_mut())
-				&& let Some(accounts) = codex.get_mut("accounts").and_then(|value| value.as_table_mut())
-			{
-				accounts.remove("fixed_account");
-			}
-		},
-	}
-
-	let output = toml::to_string_pretty(&document)?;
-	let temp_path = dashboard_project_config_temp_path(&config_path)?;
-
-	fs::write(&temp_path, output)?;
-	fs::rename(temp_path, &config_path)?;
-	ServiceConfig::from_path(&config_path)?;
-
-	Ok(())
-}
-
-fn ensure_toml_table<'a>(table: &'a mut toml::Table, key: &str) -> Result<&'a mut toml::Table> {
-	if !table.contains_key(key) {
-		table.insert(String::from(key), toml::Table::new().into());
-	}
-
-	table
-		.get_mut(key)
-		.and_then(|value| value.as_table_mut())
-		.ok_or_else(|| eyre::eyre!("Project config `{key}` must be a TOML table."))
-}
-
-fn dashboard_project_config_temp_path(config_path: &Path) -> Result<PathBuf> {
-	let parent = config_path.parent().ok_or_else(|| {
-		eyre::eyre!("Project config `{}` must have a parent directory.", config_path.display())
-	})?;
-	let file_name = config_path
-		.file_name()
-		.and_then(|name| name.to_str())
-		.ok_or_else(|| eyre::eyre!("Project config path must end in a valid file name."))?;
-
-	Ok(parent.join(format!(".{file_name}.tmp-{}", process::id())))
-}
-
 fn dashboard_clean_scope_value(value: Option<&str>) -> Option<String> {
 	value
 		.map(str::trim)
diff --git a/apps/decodex/src/orchestrator/status.rs b/apps/decodex/src/orchestrator/status.rs
index 007b5aac..c2799fab 100644
--- a/apps/decodex/src/orchestrator/status.rs
+++ b/apps/decodex/src/orchestrator/status.rs
@@ -182,7 +182,7 @@ fn build_operator_status_snapshot(
 			last_activity_at: None,
 			warning_count: 0,
 		}],
-		account_control: codex_account_control_status(project),
+		account_control: global_codex_account_control_status(),
 		accounts,
 		active_runs,
 		recent_runs,
@@ -198,12 +198,10 @@ fn build_operator_status_snapshot(
 	Ok(snapshot)
 }
 
-fn codex_account_control_status(project: &ServiceConfig) -> OperatorCodexAccountControlStatus {
-	let account_selector = project
-		.codex()
-		.accounts()
-		.and_then(ProjectCodexAccountsConfig::fixed_account)
-		.map(str::to_owned);
+fn global_codex_account_control_status() -> OperatorCodexAccountControlStatus {
+	let account_selector = runtime::global_fixed_account_selector()
+		.ok()
+		.flatten();
 	let mode = if account_selector.is_some() { "fixed" } else { "balanced" };
 
 	OperatorCodexAccountControlStatus {
diff --git a/apps/decodex/src/orchestrator/tests.rs b/apps/decodex/src/orchestrator/tests.rs
index 263252fa..80e140f6 100644
--- a/apps/decodex/src/orchestrator/tests.rs
+++ b/apps/decodex/src/orchestrator/tests.rs
@@ -28,7 +28,7 @@ use crate::tracker::records;
 		TurnContinuationGuard,
 	};
 #[rustfmt::skip]
-use crate::config::{InternalReviewMode, ProjectCodexAccountsConfig, ServiceConfig};
+use crate::config::{InternalReviewMode, ServiceConfig};
 #[rustfmt::skip]
 use crate::github;
 #[rustfmt::skip]
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/control_plane.rs b/apps/decodex/src/orchestrator/tests/operator/status/control_plane.rs
index 44eaeb79..bbfe06eb 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/control_plane.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/control_plane.rs
@@ -21,6 +21,8 @@ fn control_plane_snapshot_lists_disabled_registered_projects() {
 	assert_eq!(snapshot.projects.len(), 1);
 	assert_eq!(project.project_id, "pubfi");
 	assert!(!project.enabled);
+	assert_eq!(snapshot.account_control.mode, "balanced");
+	assert_eq!(snapshot.account_control.account_selector, None);
 	assert_eq!(project.connector_state, "disabled");
 	assert_eq!(project.active_run_count, 0);
 	assert_eq!(project.retained_worktree_count, 0);
@@ -114,6 +116,7 @@ fn control_plane_snapshot_aggregates_top_level_lanes_for_all_registered_projects
 		project_by_id.get("rsnap").expect("idle project summary should exist").active_run_count,
 		0,
 	);
+	assert_eq!(snapshot.account_control.mode, "balanced");
 	assert_eq!(snapshot.active_runs.len(), 1);
 	assert_eq!(snapshot.active_runs[0].run_id, "run-active");
 	assert_eq!(snapshot.active_runs[0].project_id, "pubfi");
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs b/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
index 3ce5a543..3e0896a3 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/dashboard.rs
@@ -328,7 +328,9 @@ fn operator_dashboard_child_bucket_rows_split_time_bars_from_event_diagnostics()
 	assert!(response.contains("const parts = [`${derived.liveRuns ?? 0} running`];"));
 	assert!(response.contains("attentionCount === 1"));
 	assert!(response.contains("nodes.activeRunsMeta,"));
-	assert!(response.contains("snapshot ? runningLaneMetaText(derived) : COPY.waitingSnapshot"));
+	assert!(response.contains("runningLaneMetaText(derived),"));
+	assert!(!response.contains("Snapshot pending"));
+	assert!(!response.contains("COPY.waitingSnapshot"));
 	assert!(!response.contains("const parts = [`${derived.liveRuns} live`];"));
 	assert!(!response.contains("parts.push(`${derived.runningAttentionCount} stalled`)"));
 	assert!(response.contains("runStaleWithoutKnownProcessNeedsAttention"));
@@ -421,15 +423,30 @@ fn operator_dashboard_renders_account_usage_controls() {
 	assert!(response.contains("function codexAccountStatusTone(account)"));
 	assert!(response.contains("function renderRunCodexAccountInline(run)"));
 	assert!(response.contains("function renderAccountPool(snapshot)"));
+	assert!(response.contains("function renderAccountModeControl(snapshot)"));
+	assert!(response.contains("nodes.accountModeMeta.textContent = title;"));
+	assert!(response.contains("nodes.accountModeMeta.title = title;"));
 	assert!(response.contains("function codexAccountPoolAccounts(snapshot)"));
-	assert!(response.contains("function codexAccountPoolRank(account)"));
-	assert!(response.contains("function codexAccountPoolSortKey(account)"));
+	assert!(response.contains("function codexAccountPoolMergeRank(account)"));
 	assert!(response.contains("function renderCodexAccountPool(accounts, snapshot)"));
 	assert!(!response.contains("function renderCodexAccountPoolHeader(accounts)"));
 	assert!(response.contains("function renderCodexAccountPoolRow(account, snapshot)"));
-	assert!(response.contains("function renderCodexAccountSelectButton(account, snapshot)"));
-	assert!(response.contains("data-account-select=\"${escapeHtml(action)}\""));
-	assert!(response.contains("sendDashboardControl(action, { projectId, accountSelector });"));
+	assert!(response.contains("function renderCodexAccountNameControl(account, snapshot)"));
+	assert!(!response.contains("ACCOUNT_SELECTION_CONFIRMATION_MS"));
+	assert!(!response.contains("accountSelectionConfirmationTimer"));
+	assert!(response.contains("function accountSelectionConfirmationMatches(action, selector)"));
+	assert!(response.contains("function syncAccountSelectionConfirmationDom()"));
+	assert!(response.contains("clearAccountSelectionConfirmation(true);"));
+	assert!(response.contains("function accountSelectionControlTitle(action, displayTitle, armed)"));
+	assert!(response.contains("function handleAccountSelectionConfirmation(action, selector)"));
+	assert!(response.contains("data-account-confirm-action=\"${escapeHtml(action)}\""));
+	assert!(response.contains("data-account-display-title=\"${escapeHtml(displayTitle)}\""));
+	assert!(!response.contains("data-account-select=\""));
+	assert!(!response.contains("dataset.accountSelect;"));
+	assert!(!response.contains("account-select-button"));
+	assert!(!response.contains("data-account-project-select"));
+	assert!(response.contains("sendDashboardControl(action, { accountSelector: selector });"));
+	assert!(response.contains("sendDashboardControl(action);"));
 	assert!(response.contains("clearAccountSelection"));
 	assert!(response.contains("selectAccount"));
 	assert!(response.contains("function codexAccountDebugSummary(account)"));
@@ -450,7 +467,11 @@ fn operator_dashboard_renders_account_usage_controls() {
 	assert!(response.contains("section-marker section-marker-projects"));
 	assert!(response.contains("aria-label=\"Accounts group\""));
 	assert!(response.contains("<span>Accounts</span>"));
+	assert!(response.contains("<p class=\"table-meta section-marker-meta\" id=\"account-mode-meta\"></p>"));
+	assert!(response.contains("accountModeMeta: document.getElementById(\"account-mode-meta\")"));
 	assert!(!response.contains("Accounts\n\t\t\t\t\t\t\t<button class=\"account-privacy-toggle\""));
+	assert!(!response.contains("account-mode-control"));
+	assert!(!response.contains("account-mode-status"));
 	assert!(!response.contains("<span>Control Plane</span>"));
 	assert!(response.contains("Projects\n\t\t\t\t\t\t\t<button class=\"project-filter-toggle\""));
 	assert!(!response.contains("id=\"account-pool-meta\""));
@@ -473,7 +494,8 @@ fn operator_dashboard_renders_account_usage_controls() {
 	assert!(response.contains("nodes.projectTitle.textContent = \"Decodex\""));
 	assert!(!response.contains("Decodex Operator"));
 	assert!(response.contains("primary: [\"accountPool\", \"projects\", \"active\", \"queue\", \"review\", \"worktrees\", \"recent\"]"));
-	assert!(response.contains("#account-pool-panel {"));
+	assert!(!response.contains("#account-pool-panel {"));
+	assert!(!response.contains("No accounts"));
 	assert!(response.contains("#active-panel {\n\t\t\t\tbackground: transparent;"));
 	assert!(!response.contains("account-pool-title"));
 	assert!(response.contains("account-privacy-toggle"));
@@ -512,17 +534,26 @@ fn operator_dashboard_account_privacy_controls_use_compact_identities() {
 	assert!(response.contains("function codexAccountShowsEmail(account)"));
 	assert!(response.contains("function codexAccountVisibleName(account)"));
 	assert!(response.contains("function codexAccountDisplayTitle(account)"));
+	assert!(response.contains("function codexAccountControlStatusLabel(snapshot)"));
 	assert!(response.contains("return codexAccountShowsEmail(account) ? email : codexAccountRandomName(account);"));
 	assert!(response.contains("? compactAccountEmail(email)"));
+	assert!(response.contains("const account = codexAccountPoolAccounts(snapshot).find("));
+	assert!(response.contains("? compactAccountIdentity(selector)"));
+	assert!(response.contains(": codexAccountVisibleName(account);"));
+	assert!(response.contains("return \"Balanced\";"));
+	assert!(response.contains("return `Fixed · ${label}`;"));
+	assert!(response.contains("return `Fixed · ${accountEmailsHidden ? \"account\" : compactAccountIdentity(selector)}`;"));
+	assert!(response.contains("const title = codexAccountControlStatusLabel(snapshot);"));
+	assert!(!response.contains("const title = `Mode ${modeLabel}`;"));
 	assert!(response.contains("account-name-reroll"));
 	assert!(response.contains("data-account-name-reroll"));
 	assert!(response.contains("aria-label=\"Change account name\""));
 	assert!(response.contains("return `${local.slice(0, 3)}...${local.slice(-3)}${domain}`;"));
 	assert!(response.contains("return ACCOUNT_RANDOM_NAMES[index];"));
 	assert!(response.contains("return status === \"selected\" ? 1 : 0;"));
-	assert!(response.contains("return codexAccountPoolSortKey(left).localeCompare(codexAccountPoolSortKey(right));"));
-	assert!(response.contains("const hash = codexAccountIdentityHash(identity).toString(16).padStart(8, \"0\");"));
-	assert!(response.contains("return hash;"));
+	assert!(response.contains("return accounts;"));
+	assert!(!response.contains("function codexAccountPoolSortKey(account)"));
+	assert!(!response.contains("return codexAccountPoolSortKey(left).localeCompare(codexAccountPoolSortKey(right));"));
 	assert!(!response.contains("const checkedAt = codexAccountNumber(account?.checked_at_unix_epoch) || 0;"));
 	assert!(!response.contains("localeCompare(codexAccountDisplayName(right))"));
 	assert!(!response.contains("return account.account_fingerprint;"));
@@ -530,6 +561,7 @@ fn operator_dashboard_account_privacy_controls_use_compact_identities() {
 	assert!(!response.contains("const fingerprint = account.account_fingerprint || \"unknown\";"));
 	assert!(!response.contains("account.account_fingerprint || \"unknown\",\n"));
 	assert!(response.contains("renderAccountPrivacyToggle();"));
+	assert!(response.contains("renderAccountModeControl(snapshot);"));
 	assert!(response.contains("persistAccountPrivacy(accountEmailsHidden);"));
 	assert!(response.contains("persistAccountNameOffsets();"));
 	assert!(response.contains("let lastDashboardRender = null;"));
@@ -543,6 +575,8 @@ fn operator_dashboard_account_privacy_controls_use_compact_identities() {
 	assert!(!response.contains("text-transform: uppercase;"));
 	assert!(response.contains("function renderCodexAccountPoolGuideCell(column)"));
 	assert!(response.contains("return `<span class=\"account-pool-heading\">${sortButton}${accountPrivacyToggleMarkup()}</span>`;"));
+	assert!(response.contains(".section-marker-meta {"));
+	assert!(response.contains("text-align: right;"));
 	assert!(!response.contains("setPanelMeta(nodes.accountPoolMeta"));
 	assert!(!response.contains("${pluralize(accounts.length, \"account\")} · ${activeCount} active"));
 }
@@ -575,8 +609,10 @@ fn operator_dashboard_renders_account_sort_controls() {
 	assert!(response.contains("account-sort-down"));
 	assert!(response.contains("function codexAccountPoolColumnSortValue(account, key)"));
 	assert!(response.contains("function compareCodexAccountPoolColumn(left, right, key, direction)"));
-	assert!(response.contains("function compareCodexAccountPoolStable(left, right)"));
+	assert!(!response.contains("function compareCodexAccountPoolStable(left, right)"));
 	assert!(response.contains("function sortCodexAccountPoolAccounts(accounts)"));
+	assert!(response.contains("if (!accountPoolSort.key)"));
+	assert!(response.contains("return 0;"));
 	assert!(response.contains("codexAccountWindowData(account, \"primary\").remainingPercent"));
 	assert!(response.contains("codexAccountWindowData(account, \"secondary\").remainingPercent"));
 	assert!(response.contains("codexAccountCreditsSortValue(account)"));
@@ -672,10 +708,53 @@ fn operator_dashboard_accounts_keeps_compact_table_layout() {
 	assert!(response.contains("title=\"${escapeHtml(resetTitle)}\""));
 	assert!(response.contains("account-window-date"));
 	assert!(!response.contains("<span class=\"is-reset\">Reset</span>"));
+}
+
+#[test]
+fn operator_dashboard_accounts_renders_fixed_selection_affordance() {
+	let response = dashboard_response();
+
 	assert!(response.contains("is-selected"));
 	assert!(response.contains("is-ready"));
+	assert!(response.contains("is-armed"));
 	assert!(response.contains("--account-accent: var(--tone-muted);"));
+	assert!(response.contains("--account-confirm-accent: var(--tone-run);"));
 	assert!(response.contains(".account-row.is-ready {\n\t\t\t\t--account-accent: var(--success);"));
+	assert!(response.contains(".account-row.is-fixed {\n\t\t\t\t--account-accent: var(--info);"));
+	assert!(!response.contains(".account-row.is-armed {\n\t\t\t\t--account-accent: var(--warning);"));
+	assert!(response.contains("--account-confirm-cycle: 1.45s;"));
+	assert!(!response.contains("--account-confirm-color-cycle"));
+	assert!(!response.contains("account-confirm-bar-breathe"));
+	assert!(response.contains("@keyframes account-confirm-name-breathe"));
+	assert!(response.contains("@keyframes account-confirm-bracket-left"));
+	assert!(response.contains("@keyframes account-confirm-bracket-right"));
+	assert!(response.contains("color: var(--account-confirm-accent);"));
+	assert!(!response.contains("12.5%"));
+	assert!(!response.contains("37.5%"));
+	assert!(!response.contains("62.5%"));
+	assert!(!response.contains("87.5%"));
+	assert!(response.contains(
+		"color: color-mix(in srgb, var(--account-confirm-accent) 46%, var(--muted));"
+	));
+	assert!(response.contains("text-shadow: none;"));
+	assert!(response.contains(".account-name-button.is-fixed::before"));
+	assert!(response.contains(".account-name-button.is-fixed::after"));
+	assert!(response.contains(
+		".account-name-button.is-fixed {\n\t\t\t\tcolor: var(--account-confirm-accent);"
+	));
+	assert!(response.contains(".account-name-button + .account-name-reroll"));
+	assert!(response.contains("margin-left: 8px;"));
+	assert!(response.contains("opacity: 0.72;"));
+	assert!(response.contains("animation: account-confirm-name-breathe var(--account-confirm-cycle) var(--ease) infinite;"));
+	assert!(response.contains("animation: account-confirm-bracket-left var(--account-confirm-cycle) var(--ease) infinite;"));
+	assert!(response.contains("animation: account-confirm-bracket-right var(--account-confirm-cycle) var(--ease) infinite;"));
+	assert!(!response.contains("infinite alternate;"));
+}
+
+#[test]
+fn operator_dashboard_accounts_keeps_identity_rows_compact() {
+	let response = dashboard_response();
+
 	assert!(response.contains("grid-template-areas:"));
 	assert!(response.contains("\"id plan primary secondary credit state\""));
 	assert!(response.contains("\"meta meta meta meta meta meta\""));
@@ -693,7 +772,8 @@ fn operator_dashboard_accounts_keeps_compact_table_layout() {
 	assert!(response.contains(".account-row-plan {\n\t\t\t\tgrid-area: plan;"));
 	assert!(response.contains("<div class=\"account-row-id${identityClass}\">"));
 	assert!(response.contains("<div class=\"account-row-plan\">${escapeHtml(plan)}</div>"));
-	assert!(response.contains("<strong class=\"account-name\""));
+	assert!(response.contains("<button class=\"account-name-button${fixedClass}${armedClass}\""));
+	assert!(response.contains("<span class=\"account-name\">${escapeHtml(visibleName)}</span>"));
 	assert!(response.contains("<span class=\"run-meta-icon\" aria-hidden=\"true\">"));
 	assert!(response.contains("<svg viewBox=\"0 0 16 16\" fill=\"none\">"));
 	assert!(response.contains("<path fill=\"currentColor\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" d=\"M3.35 2.25h9.3"));
@@ -748,6 +828,8 @@ fn operator_dashboard_accounts_keeps_window_status_and_credit_copy_compact() {
 	assert!(response.contains(".account-row:focus-within .account-window"));
 	assert!(response.contains(".account-status::before"));
 	assert!(response.contains(".account-row.is-selected .account-status"));
+	assert!(response.contains(".account-row.is-fixed .account-status"));
+	assert!(!response.contains(".account-row.is-armed .account-status"));
 	assert!(response.contains(".account-row.is-ready .account-status"));
 	assert!(response.contains(".account-row.is-warn .account-status"));
 	assert!(response.contains(".account-row.is-danger .account-status"));
@@ -864,8 +946,11 @@ fn operator_dashboard_accounts_keeps_debug_credit_and_reset_copy_compact() {
 	assert!(!response.contains("lowestRemaining <= 20"));
 	assert!(!response.contains("account-meter"));
 	assert!(!response.contains("lowestRemaining}%"));
-	assert!(response
-		.contains("nodes.accountPool.innerHTML = renderCodexAccountPool(accounts, snapshot)"));
+	assert!(response.contains(
+		"renderStableList(nodes.accountPool, renderCodexAccountPool(accounts, snapshot));"
+	));
+	assert!(response.contains("syncAccountSelectionConfirmationDom();"));
+	assert!(!response.contains("nodes.accountPool.innerHTML = renderCodexAccountPool(accounts, snapshot)"));
 	assert!(response.contains("renderAccountPrivacyToggle();"));
 	assert!(!response.contains("setPanelMeta(nodes.accountPoolMeta"));
 	assert!(!response.contains("nodes.accountPoolMeta.textContent = snapshot"));
@@ -944,10 +1029,10 @@ fn operator_dashboard_projects_keep_status_summary_compact() {
 	assert!(response.contains("function renderProjectTable(projects, activeProjectRows, selectedId)"));
 	assert!(response.contains("function projectFilterRows(projects, activeProjectRows)"));
 	assert!(response.contains("function renderEmptyState(title, copy = \"\")"));
-	assert!(response.contains("function renderRoutineEmptyList(container, snapshot, waitingCopy = \"\")"));
-	assert!(response.contains("nodes.projectOverview.innerHTML = renderEmptyState(COPY.waitingSnapshot);"));
+	assert!(response.contains("function renderRoutineEmptyList(container)"));
+	assert!(response.contains("nodes.projectOverview.innerHTML = \"\";"));
 	assert!(response.contains("renderRoutineEmptyList("));
-	assert!(response.contains("Appears after /state publishes a snapshot."));
+	assert!(!response.contains("Appears after /state publishes a snapshot."));
 	assert!(response.contains("renderQueuedCandidates("));
 	assert!(response.contains("function formatDetailToken(value)"));
 	assert!(response.contains("return token || \"NONE\";"));
@@ -1184,9 +1269,14 @@ fn operator_dashboard_projects_filter_uses_icon_toggle() {
 fn operator_dashboard_empty_lane_meta_uses_counts() {
 	let response = dashboard_response();
 
-	assert!(response.contains("snapshot ? runningLaneMetaText(derived) : COPY.waitingSnapshot"));
+	assert!(!response.contains("Snapshot pending"));
+	assert!(!response.contains("COPY.waitingSnapshot"));
+	assert!(response.contains("runningLaneMetaText(derived),"));
+	assert!(response.contains(": \"0 issues · 0 attempts\","));
+	assert!(response.contains(": \"0 PRs · 0 need attention · 0 ready · 0 waiting\","));
 	assert!(response.contains("const parts = [`${derived.liveRuns ?? 0} running`];"));
 	assert!(response.contains("const parts = [`${derived.queueBacklogCandidates.length} queued`];"));
+	assert!(response.contains("return \"0 queued\";"));
 	assert!(response.contains("setPanelMeta(nodes.queuedMeta, backlogMetaText(snapshot, derived));"));
 	assert!(response.contains(": \"0 worktrees\","));
 	assert!(!response.contains("queue empty"));
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/http.rs b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
index d9b1de96..d480716b 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/http.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/http.rs
@@ -1,5 +1,7 @@
 use std::net::SocketAddr;
 
+use crate::runtime;
+
 #[test]
 fn operator_state_endpoint_serves_snapshot_json() {
 	let (_temp_dir, config, _workflow) = temp_project_layout();
@@ -550,9 +552,12 @@ fn assert_dashboard_account_selection_controls(
 	frame: &mut Vec<u8>,
 	repo_root: &Path,
 ) {
+	let home = repo_root.parent().expect("fixture repo root should have a parent");
+	let _home_guard = TestEnvVarGuard::set("HOME", home.to_str().expect("fixture home should be UTF-8"));
+
 	client
 		.write_all(&websocket_client_text_frame(
-			r#"{"type":"control","requestId":"account-1","action":"selectAccount","projectId":"pubfi","accountSelector":"copy@example.com"}"#,
+			r#"{"type":"control","requestId":"account-1","action":"selectAccount","accountSelector":"copy@example.com"}"#,
 		))
 		.expect("client should send account selection");
 
@@ -562,15 +567,20 @@ fn assert_dashboard_account_selection_controls(
 
 	assert_eq!(account_ack["payload"]["accepted"], true);
 	assert_eq!(account_ack["payload"]["status"], "fixed");
-
-	let updated_config = load_service_config(repo_root);
-	let accounts = updated_config.codex().accounts().expect("accounts should be configured");
-
-	assert_eq!(accounts.fixed_account(), Some("copy@example.com"));
+	assert_eq!(
+		runtime::global_fixed_account_selector().expect("global account selector should read"),
+		Some(String::from("copy@example.com"))
+	);
+	assert!(
+		!fs::read_to_string(service_config_path(repo_root))
+			.expect("project config should remain readable")
+			.contains("fixed_account"),
+		"account selection should not write project-scoped fixed_account"
+	);
 
 	client
 		.write_all(&websocket_client_text_frame(
-			r#"{"type":"control","requestId":"account-clear","action":"clearAccountSelection","projectId":"pubfi"}"#,
+			r#"{"type":"control","requestId":"account-clear","action":"clearAccountSelection"}"#,
 		))
 		.expect("client should send account clear");
 
@@ -581,10 +591,7 @@ fn assert_dashboard_account_selection_controls(
 	assert_eq!(account_clear_ack["payload"]["accepted"], true);
 	assert_eq!(account_clear_ack["payload"]["status"], "balanced");
 	assert_eq!(
-		load_service_config(repo_root)
-			.codex()
-			.accounts()
-			.and_then(ProjectCodexAccountsConfig::fixed_account),
+		runtime::global_fixed_account_selector().expect("global account selector should read"),
 		None
 	);
 }
diff --git a/apps/decodex/src/orchestrator/tests/operator/status/running_lanes.rs b/apps/decodex/src/orchestrator/tests/operator/status/running_lanes.rs
index 7b80c49d..1a9e738d 100644
--- a/apps/decodex/src/orchestrator/tests/operator/status/running_lanes.rs
+++ b/apps/decodex/src/orchestrator/tests/operator/status/running_lanes.rs
@@ -296,6 +296,11 @@ fn idle_operator_status_snapshot_includes_configured_codex_accounts() {
 		snapshot_json["accounts"].as_array().expect("snapshot should expose configured accounts");
 
 	assert!(snapshot.active_runs.is_empty());
+	assert_eq!(snapshot_json["account_control"]["mode"], "balanced");
+	assert_eq!(
+		snapshot_json["account_control"]["account_selector"],
+		serde_json::Value::Null,
+	);
 	assert_eq!(accounts.len(), 2);
 	assert_eq!(accounts[0]["email"], "default@example.com");
 	assert_eq!(accounts[0]["status"], "available");
diff --git a/apps/decodex/src/runtime.rs b/apps/decodex/src/runtime.rs
index ca56ac62..0729d387 100644
--- a/apps/decodex/src/runtime.rs
+++ b/apps/decodex/src/runtime.rs
@@ -3,9 +3,13 @@
 use std::{
 	cmp::Reverse,
 	env, fs,
+	io::ErrorKind,
 	path::{Path, PathBuf},
+	process,
 };
 
+use toml::Value;
+
 use crate::{
 	config::ServiceConfig,
 	prelude::{Result, eyre},
@@ -26,6 +30,89 @@ pub(crate) fn global_config_path() -> Result<PathBuf> {
 	Ok(decodex_home_dir()?.join("config.toml"))
 }
 
+/// Read the global fixed account selector, when the operator pinned one.
+pub(crate) fn global_fixed_account_selector() -> Result<Option<String>> {
+	let config_path = global_config_path()?;
+	let input = match fs::read_to_string(&config_path) {
+		Ok(input) => input,
+		Err(error) if error.kind() == ErrorKind::NotFound => return Ok(None),
+		Err(error) => {
+			eyre::bail!(
+				"Failed to read Decodex global config `{}`: {error}",
+				config_path.display()
+			);
+		},
+	};
+	let document = toml::from_str::<toml::Table>(&input)?;
+	let selector = document
+		.get("codex")
+		.and_then(Value::as_table)
+		.and_then(|codex| codex.get("accounts"))
+		.and_then(Value::as_table)
+		.and_then(|accounts| accounts.get("fixed_account"))
+		.and_then(Value::as_str)
+		.map(str::trim)
+		.filter(|value| !value.is_empty())
+		.map(str::to_owned);
+
+	Ok(selector)
+}
+
+/// Write the global fixed account selector. `None` returns the pool to balanced mode.
+pub(crate) fn write_global_fixed_account_selector(selector: Option<&str>) -> Result<()> {
+	let config_path = global_config_path()?;
+	let input = match fs::read_to_string(&config_path) {
+		Ok(input) => input,
+		Err(error) if error.kind() == ErrorKind::NotFound => String::new(),
+		Err(error) => {
+			eyre::bail!(
+				"Failed to read Decodex global config `{}`: {error}",
+				config_path.display()
+			);
+		},
+	};
+	let mut document = if input.trim().is_empty() {
+		toml::Table::new()
+	} else {
+		toml::from_str::<toml::Table>(&input)?
+	};
+
+	match selector.map(str::trim).filter(|value| !value.is_empty()) {
+		Some(selector) => {
+			let accounts =
+				ensure_toml_table(ensure_toml_table(&mut document, "codex")?, "accounts")?;
+
+			accounts.insert(String::from("fixed_account"), selector.to_owned().into());
+		},
+		None => {
+			if let Some(codex) = document.get_mut("codex").and_then(Value::as_table_mut)
+				&& let Some(accounts) = codex.get_mut("accounts").and_then(Value::as_table_mut)
+			{
+				accounts.remove("fixed_account");
+			}
+		},
+	}
+
+	let parent = config_path.parent().ok_or_else(|| {
+		eyre::eyre!(
+			"Decodex global config `{}` must have a parent directory.",
+			config_path.display()
+		)
+	})?;
+	let file_name = config_path
+		.file_name()
+		.and_then(|name| name.to_str())
+		.ok_or_else(|| eyre::eyre!("Decodex global config path must end in a valid file name."))?;
+	let temp_path = parent.join(format!(".{file_name}.tmp-{}", process::id()));
+	let output = toml::to_string_pretty(&document)?;
+
+	fs::create_dir_all(parent)?;
+	fs::write(&temp_path, output)?;
+	fs::rename(temp_path, &config_path)?;
+
+	Ok(())
+}
+
 /// Resolve the global ChatGPT account-pool JSONL path.
 pub(crate) fn accounts_path() -> Result<PathBuf> {
 	Ok(decodex_home_dir()?.join("accounts.jsonl"))
@@ -127,6 +214,17 @@ fn decodex_home_dir_from(home: PathBuf) -> PathBuf {
 	home.join(".codex").join("decodex")
 }
 
+fn ensure_toml_table<'a>(table: &'a mut toml::Table, key: &str) -> Result<&'a mut toml::Table> {
+	if !table.contains_key(key) {
+		table.insert(String::from(key), toml::Table::new().into());
+	}
+
+	table
+		.get_mut(key)
+		.and_then(Value::as_table_mut)
+		.ok_or_else(|| eyre::eyre!("Decodex global config `{key}` must be a TOML table."))
+}
+
 fn config_fingerprint(config_path: &Path, workflow_path: &Path) -> Result<String> {
 	let config_body = fs::read(config_path)?;
 	let workflow_body = fs::read(workflow_path)?;
@@ -178,6 +276,47 @@ mod tests {
 		);
 	}
 
+	#[test]
+	fn global_fixed_account_selector_round_trips_global_config() {
+		let temp_dir = TempDir::new().expect("temp dir should exist");
+		let _home_guard = set_test_home(temp_dir.path());
+
+		assert_eq!(
+			runtime::global_fixed_account_selector().expect("missing selector should read"),
+			None
+		);
+
+		runtime::write_global_fixed_account_selector(Some("copy@example.com"))
+			.expect("selector should write");
+
+		assert_eq!(
+			runtime::global_fixed_account_selector().expect("selector should read"),
+			Some(String::from("copy@example.com"))
+		);
+
+		let global_config = fs::read_to_string(
+			runtime::global_config_path().expect("global config path should resolve"),
+		)
+		.expect("global config should exist");
+
+		assert!(global_config.contains("[codex.accounts]"));
+		assert!(global_config.contains("fixed_account = \"copy@example.com\""));
+
+		runtime::write_global_fixed_account_selector(None).expect("selector should clear");
+
+		assert_eq!(
+			runtime::global_fixed_account_selector().expect("cleared selector should read"),
+			None
+		);
+
+		let global_config = fs::read_to_string(
+			runtime::global_config_path().expect("global config path should resolve"),
+		)
+		.expect("global config should still exist");
+
+		assert!(!global_config.contains("fixed_account"));
+	}
+
 	#[test]
 	fn agent_evidence_path_lives_under_decodex_home() {
 		let temp_dir = TempDir::new().expect("temp dir should create");
diff --git a/decodex.example.toml b/decodex.example.toml
index b73eed37..862e02f3 100644
--- a/decodex.example.toml
+++ b/decodex.example.toml
@@ -14,8 +14,9 @@ internal_review_mode    = "loop"
 
 # Optional shared Codex account pool.
 # Uncomment the block to use the global `~/.codex/decodex/accounts.jsonl` pool.
+# Fixed-account mode is global. To pin all account-pool runs, set
+# `[codex.accounts].fixed_account` in `~/.codex/decodex/config.toml`.
 # [codex.accounts]
-# fixed_account = "account@example.com"
 
 # Required project paths. Project configs are managed outside checkouts, for example under
 # `~/.codex/decodex/projects/<service-id>/project.toml`.
diff --git a/dev/operator-dashboard-mock.mjs b/dev/operator-dashboard-mock.mjs
index e755dfff..48422c64 100755
--- a/dev/operator-dashboard-mock.mjs
+++ b/dev/operator-dashboard-mock.mjs
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 import http from "node:http";
+import crypto from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
@@ -493,11 +494,47 @@ function historyLane(accounts) {
 	};
 }
 
-function buildSnapshot(accounts) {
+function accountSelector(account) {
+	return account.account_email || account.account_fingerprint || "";
+}
+
+function accountMatchesSelector(account, selector) {
+	const value = String(selector || "").trim();
+
+	return Boolean(value && [account.account_email, account.account_fingerprint].includes(value));
+}
+
+function selectedAccountForControl(accounts, fixedAccountSelector) {
+	if (fixedAccountSelector) {
+		const fixedAccount = accounts.find((item) => accountMatchesSelector(item, fixedAccountSelector));
+		if (fixedAccount) {
+			return fixedAccount;
+		}
+	}
+
+	return accounts.find((item) => item.status === "selected") || accounts[0] || null;
+}
+
+function accountsWithSelection(accounts, fixedAccountSelector) {
+	const selectedAccount = selectedAccountForControl(accounts, fixedAccountSelector);
+
+	return accounts.map((item) => {
+		const selected = selectedAccount && accountSelector(item) === accountSelector(selectedAccount);
+
+		return {
+			...item,
+			status: selected ? "selected" : accountUsageStatus(item),
+			selected_at_unix_epoch: selected ? nowUnix() - 20 : null,
+		};
+	});
+}
+
+function buildSnapshot(accounts, fixedAccountSelector) {
+	const controlledAccounts = accountsWithSelection(accounts, fixedAccountSelector);
 	const activeRuns = [
-		activeRun({ accounts }),
+		activeRun({ accounts: controlledAccounts }),
 		activeRun({
-			accounts,
+			accounts: controlledAccounts,
 			attempt: 2,
 			issue: "XY-452",
 			title: "Stalled lane requiring attention",
@@ -543,10 +580,15 @@ function buildSnapshot(accounts) {
 				warning_count: 1,
 			},
 		],
+		account_control: {
+			mode: fixedAccountSelector ? "fixed" : "balanced",
+			account_selector: fixedAccountSelector || null,
+		},
+		accounts: controlledAccounts,
 		active_runs: activeRuns,
 		queued_candidates: queuedCandidates(),
 		recent_runs: [],
-		history_lanes: [historyLane(accounts)],
+		history_lanes: [historyLane(controlledAccounts)],
 		worktrees: worktrees(),
 		post_review_lanes: reviewLanes,
 	};
@@ -678,11 +720,127 @@ function send(response, statusCode, contentType, body, headers = {}) {
 	response.end(body);
 }
 
+function websocketAcceptValue(key) {
+	return crypto
+		.createHash("sha1")
+		.update(`${key}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`)
+		.digest("base64");
+}
+
+function encodeWebSocketText(payload) {
+	const body = Buffer.from(JSON.stringify(payload), "utf8");
+	if (body.length <= 125) {
+		return Buffer.concat([Buffer.from([0x81, body.length]), body]);
+	}
+	if (body.length <= 65_535) {
+		const header = Buffer.alloc(4);
+		header[0] = 0x81;
+		header[1] = 126;
+		header.writeUInt16BE(body.length, 2);
+		return Buffer.concat([header, body]);
+	}
+
+	const header = Buffer.alloc(10);
+	header[0] = 0x81;
+	header[1] = 127;
+	header.writeBigUInt64BE(BigInt(body.length), 2);
+	return Buffer.concat([header, body]);
+}
+
+function sendWebSocketJson(socket, payload) {
+	if (socket.destroyed) {
+		return;
+	}
+	socket.write(encodeWebSocketText(payload));
+}
+
+function decodeWebSocketFrames(buffer) {
+	const messages = [];
+	let offset = 0;
+	let closed = false;
+
+	while (buffer.length - offset >= 2) {
+		const first = buffer[offset];
+		const second = buffer[offset + 1];
+		const opcode = first & 0x0f;
+		const masked = (second & 0x80) === 0x80;
+		let length = second & 0x7f;
+		let headerLength = 2;
+
+		if (length === 126) {
+			if (buffer.length - offset < 4) {
+				break;
+			}
+			length = buffer.readUInt16BE(offset + 2);
+			headerLength = 4;
+		} else if (length === 127) {
+			if (buffer.length - offset < 10) {
+				break;
+			}
+			length = Number(buffer.readBigUInt64BE(offset + 2));
+			headerLength = 10;
+		}
+
+		const maskLength = masked ? 4 : 0;
+		const frameLength = headerLength + maskLength + length;
+		if (buffer.length - offset < frameLength) {
+			break;
+		}
+
+		const mask = masked
+			? buffer.subarray(offset + headerLength, offset + headerLength + 4)
+			: null;
+		const payloadStart = offset + headerLength + maskLength;
+		const payload = Buffer.from(buffer.subarray(payloadStart, payloadStart + length));
+		if (mask) {
+			for (let index = 0; index < payload.length; index += 1) {
+				payload[index] ^= mask[index % 4];
+			}
+		}
+
+		if (opcode === 0x8) {
+			closed = true;
+			offset += frameLength;
+			break;
+		}
+		if (opcode === 0x1) {
+			messages.push(payload.toString("utf8"));
+		}
+		offset += frameLength;
+	}
+
+	return {
+		closed,
+		messages,
+		remaining: buffer.subarray(offset),
+	};
+}
+
+function dashboardControlAck(message, accepted, status, copy) {
+	return {
+		type: "controlAck",
+		payload: {
+			requestId: message.requestId || null,
+			action: message.action || message.type || "control",
+			accepted,
+			status,
+			message: copy,
+			projectId: message.projectId || null,
+			issueId: message.issueId || null,
+			runId: message.runId || null,
+		},
+	};
+}
+
 async function main() {
 	const options = parseArgs(process.argv.slice(2));
 	const staticAccounts = options.authDir
 		? await codexAuthAccounts(options.authDir)
 		: mockAccounts();
+	let fixedAccountSelector =
+		staticAccounts.find((item) => item.status === "selected")?.account_email ||
+		staticAccounts[0]?.account_email ||
+		null;
 	let lastPublishedAt = nowUnix();
 	const { host, port } = splitListenAddress(options.listenAddress);
 	const server = http.createServer(async (request, response) => {
@@ -713,7 +871,7 @@ async function main() {
 			}
 			if (url.pathname === "/state") {
 				lastPublishedAt = nowUnix();
-				const snapshot = buildSnapshot(staticAccounts);
+				const snapshot = buildSnapshot(staticAccounts, fixedAccountSelector);
 				send(response, 200, "application/json", JSON.stringify(snapshot), {
 					"X-Decodex-Snapshot-Unix-Epoch": String(lastPublishedAt),
 				});
@@ -726,6 +884,144 @@ async function main() {
 		}
 	});
 
+	server.on("upgrade", (request, socket) => {
+		const url = new URL(request.url || "/", `http://${options.listenAddress}`);
+		if (url.pathname !== "/dashboard/control") {
+			socket.destroy();
+			return;
+		}
+
+		const key = request.headers["sec-websocket-key"];
+		if (!key) {
+			socket.destroy();
+			return;
+		}
+
+		socket.write(
+			[
+				"HTTP/1.1 101 Switching Protocols",
+				"Upgrade: websocket",
+				"Connection: Upgrade",
+				`Sec-WebSocket-Accept: ${websocketAcceptValue(key)}`,
+				"",
+				"",
+			].join("\r\n"),
+		);
+
+		let buffered = Buffer.alloc(0);
+		socket.on("data", (chunk) => {
+			buffered = Buffer.concat([buffered, chunk]);
+			const decoded = decodeWebSocketFrames(buffered);
+			buffered = decoded.remaining;
+			if (decoded.closed) {
+				socket.end();
+				return;
+			}
+
+			for (const text of decoded.messages) {
+				let message;
+				try {
+					message = JSON.parse(text);
+				} catch (_error) {
+					sendWebSocketJson(socket, {
+						type: "controlAck",
+						payload: {
+							requestId: null,
+							action: "control",
+							accepted: false,
+							status: "invalid_json",
+							message: "Mock dashboard control received invalid JSON.",
+						},
+					});
+					continue;
+				}
+
+				if (message.type === "subscribe") {
+					sendWebSocketJson(
+						socket,
+						dashboardControlAck(message, true, "accepted", "Mock subscription accepted."),
+					);
+					continue;
+				}
+
+				if (message.type !== "control") {
+					sendWebSocketJson(
+						socket,
+						dashboardControlAck(
+							message,
+							false,
+							"unsupported",
+							"Mock dashboard control type is unsupported.",
+						),
+					);
+					continue;
+				}
+
+				if (message.action === "selectAccount") {
+					const selector = String(message.accountSelector || "").trim();
+					if (!staticAccounts.some((item) => accountMatchesSelector(item, selector))) {
+						sendWebSocketJson(
+							socket,
+							dashboardControlAck(
+								message,
+								false,
+								"unknown_account",
+								"Mock account selector was not found.",
+							),
+						);
+						continue;
+					}
+					fixedAccountSelector = selector;
+					lastPublishedAt = nowUnix();
+					sendWebSocketJson(
+						socket,
+						dashboardControlAck(message, true, "accepted", "Mock account selection updated."),
+					);
+					sendWebSocketJson(socket, {
+						type: "snapshot",
+						payload: {
+							snapshot: buildSnapshot(staticAccounts, fixedAccountSelector),
+							snapshotPublishedAtUnixEpoch: lastPublishedAt,
+						},
+					});
+					continue;
+				}
+
+				if (message.action === "clearAccountSelection") {
+					fixedAccountSelector = null;
+					lastPublishedAt = nowUnix();
+					sendWebSocketJson(
+						socket,
+						dashboardControlAck(
+							message,
+							true,
+							"accepted",
+							"Mock account selection returned to balanced mode.",
+						),
+					);
+					sendWebSocketJson(socket, {
+						type: "snapshot",
+						payload: {
+							snapshot: buildSnapshot(staticAccounts, fixedAccountSelector),
+							snapshotPublishedAtUnixEpoch: lastPublishedAt,
+						},
+					});
+					continue;
+				}
+
+				sendWebSocketJson(
+					socket,
+					dashboardControlAck(
+						message,
+						false,
+						"unsupported",
+						"Mock dashboard control action is unsupported.",
+					),
+				);
+			}
+		});
+	});
+
 	server.listen(port, host, () => {
 		console.log(`operator dashboard mock: http://${host}:${port}/dashboard`);
 		console.log(
diff --git a/docs/reference/operator-control-plane.md b/docs/reference/operator-control-plane.md
index 3a934e98..c2229d3c 100644
--- a/docs/reference/operator-control-plane.md
+++ b/docs/reference/operator-control-plane.md
@@ -112,7 +112,7 @@ durable outside the local operator surface.
 
 | Section | Meaning |
 | --- | --- |
-| `Accounts` | Shared Codex account pool and usage table from `~/.codex/decodex/accounts.jsonl` when `[codex.accounts]` is enabled for a project. Account identity can be obscured from the `Account` column header eye without changing the underlying snapshot. Selecting an account writes `[codex.accounts].fixed_account` in the registered project config; clearing it returns new runs to balanced account selection. |
+| `Accounts` | Shared Codex account pool and usage table from `~/.codex/decodex/accounts.jsonl` when `[codex.accounts]` is enabled for a project. Account identity can be obscured from the `Account` column header eye without changing the underlying snapshot. Selecting an account writes the global `[codex.accounts].fixed_account` selector in `~/.codex/decodex/config.toml`; clearing it returns all new account-pool runs to balanced account selection. The selector is global and does not pin a project to an account. |
 | `Projects` | Fleet-level project table. The section-level filter toggles between active project work and the full registry. Location is its own compact path column and can be obscured from the location header eye. `Activity` shows a relative timestamp or `-`; `Work` is `running/waiting/attention`. It should not duplicate per-lane details already shown below. |
 | `Running Lanes` | Active leased or live-executing issue lanes. A lane here is currently owned by this local control plane, or a live process/thread/protocol marker still explains active execution even when the queue lease is not held. It shows issue identity, phase, operation, attempt, queue lease state, execution liveness, thread/protocol status, child-agent activity when captured, timing, branch, and worktree. |
 | `Intake Queue` | Queued tracker issues before execution. Candidates are classified as `ready`, capacity-waiting, claimed without a matching local lane, blocked, or closed/stale. A blocked queued candidate can still show an attached `.worktrees/XY-*` path when the queue owns the attention state; if that worktree has tracked changes after retries, the candidate is partial retained progress and not just a generic retry-budget hold. Running lanes are not repeated as normal intake work. |
diff --git a/docs/runbook/self-dogfood-pilot.md b/docs/runbook/self-dogfood-pilot.md
index 2225ab4f..c0f9b676 100644
--- a/docs/runbook/self-dogfood-pilot.md
+++ b/docs/runbook/self-dogfood-pilot.md
@@ -73,9 +73,11 @@ projects.
 If the project uses managed ChatGPT accounts, enable `[codex.accounts]` in
 `project.toml` and keep the JSONL pool at `~/.codex/decodex/accounts.jsonl`. Do not
 store the shared pool under a project directory or configure a project-local account
-path. To keep every new run on one account, set
-`[codex.accounts].fixed_account = "<email-or-fingerprint>"`; the operator dashboard
-Accounts UI writes that same field when selecting or clearing a fixed account.
+path. To keep every new account-pool run on one account, set
+`[codex.accounts].fixed_account = "<email-or-fingerprint>"` in
+`~/.codex/decodex/config.toml`; the operator dashboard Accounts UI writes and clears
+that same global selector. When the selector is absent, Decodex balances new runs
+across the global pool.
 
 After restarting `decodex serve`, verify the registry still points at the centralized
 project directory:
diff --git a/docs/spec/app-server.md b/docs/spec/app-server.md
index d94a2f15..bb72d751 100644
--- a/docs/spec/app-server.md
+++ b/docs/spec/app-server.md
@@ -120,17 +120,19 @@ override. The pool accepts flat `auth.json`-style JSONL records or records wrapp
 Before login, Decodex probes configured accounts through the ChatGPT usage endpoint.
 By default, it skips disabled, cooling-down, and incomplete records, penalizes
 usage-limited records, prefers the highest remaining usage, and uses the
-least-recently selected account to break equal usage scores. If
-`[codex.accounts].fixed_account` is set, Decodex only considers the matching account
-instead of balancing across the pool. The selector matches an account email, full
-account id, or redacted account fingerprint as displayed in the operator UI.
+least-recently selected account to break equal usage scores. If the global
+`~/.codex/decodex/config.toml` sets `[codex.accounts].fixed_account`, Decodex only
+considers the matching account instead of balancing across the pool. The selector
+matches an account email, full account id, or redacted account fingerprint as displayed
+in the operator UI. Project configs can enable account-pool use, but they do not own a
+project-scoped fixed account.
 Successful selection writes `last_selected_at_unix_epoch` back to the JSONL file.
 
 Decodex owns token freshness for injected `chatgptAuthTokens`. It proactively refreshes
 an account before probing when the access-token JWT `exp` is expired. If no expiration
 claim is available, it refreshes when `last_refresh` is more than eight days old. If
 the app-server later sends `account/chatgptAuthTokens/refresh`, Decodex refreshes the
-fixed account when configured, otherwise the previous account id supplied by the
+globally fixed account when configured, otherwise the previous account id supplied by the
 request. It updates the JSONL record with returned tokens and `last_refresh`, records
 a redacted local protocol event, and responds with fresh `chatgptAuthTokens`.
 
diff --git a/docs/spec/runtime.md b/docs/spec/runtime.md
index 18b02dda..8bafce69 100644
--- a/docs/spec/runtime.md
+++ b/docs/spec/runtime.md
@@ -296,7 +296,7 @@ and idempotency fields are defined by
 
 ## Local operational state
 
-The local runtime store is the global Decodex SQLite database for one local installation. It lives at `~/.codex/decodex/runtime.sqlite3`, not inside any registered project checkout or worktree. Every row that belongs to a repo is scoped by `project_id`. Decodex logs live beside that database under `~/.codex/decodex/logs/`, the optional shared Codex account pool lives at `~/.codex/decodex/accounts.jsonl`, and agent-readable derived evidence lives under `~/.codex/decodex/agent-evidence/<service-id>/`; vendor-qualified app-data directories and per-project runtime databases are not part of the runtime contract.
+The local runtime store is the global Decodex SQLite database for one local installation. It lives at `~/.codex/decodex/runtime.sqlite3`, not inside any registered project checkout or worktree. Every row that belongs to a repo is scoped by `project_id`. Decodex logs live beside that database under `~/.codex/decodex/logs/`, the optional shared Codex account pool lives at `~/.codex/decodex/accounts.jsonl`, global operator config lives at `~/.codex/decodex/config.toml`, and agent-readable derived evidence lives under `~/.codex/decodex/agent-evidence/<service-id>/`; vendor-qualified app-data directories and per-project runtime databases are not part of the runtime contract.
 
 Project contracts live outside registered repositories under `~/.codex/decodex/projects/<service-id>/`. Each project directory must contain `project.toml` and `WORKFLOW.md`; arbitrary project file names such as `<service-id>.toml` are not part of the contract. `project.toml` must set `[paths].repo_root` so the project contract is explicit. Project registration stores the centralized `config_path`, target `repo_root`, `worktree_root`, and workflow path in the global runtime database. Commands that start inside a registered checkout or lane worktree resolve the project through that registry; they do not discover or trust worktree-local config files. `decodex serve` loads enabled registered projects from the global runtime database. It must not scan `.codex` history, repo-local config files, or currently open worktrees to infer additional projects.