diff --git a/.claude/rules/backend/feature-flags.md b/.claude/rules/backend/feature-flags.md
new file mode 100644
index 000000000..0baea03de
--- /dev/null
+++ b/.claude/rules/backend/feature-flags.md
@@ -0,0 +1,65 @@
+---
+description: Non-obvious behaviour of the feature flag system on the backend (declaration, evaluation, lifecycle, ownership)
+---
+
+# Feature Flags (backend)
+
+Load this when adding, removing, or changing how a feature flag is evaluated or stored. The obvious parts (declare a field, read `executionContext.UserInfo.FeatureFlags`) are not repeated.
+
+## Subtype Is the Contract
+
+The `FeatureFlagDefinition` subtype on a field is not just a permissions tag — it rewires database-row ownership and validator behaviour at runtime. The subtype hierarchy replaced what used to be runtime checks (see the comment above the registry in `application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs`).
+
+- `PlanGatedTenantFlag` makes `PlanBasedFeatureFlagEvaluator` the exclusive writer of tenant overrides on every JWT refresh; the reconciler stamps `Source=Plan` on the base row and the Set/Remove validators block manual edits.
+- `SystemFeatureFlag` skips the database entirely — config + frontend env var only. There is no per-tenant override.
+- `TenantAbTestFlag` / `UserAbTestFlag` enable rollout buckets; `IsAbTestEligible` and `ConfigurableBy*` are mutually exclusive by construction (the disjoint subtype branches), and `BucketStart/End` are ignored if you pick a non-AB subtype.
+- `TenantOwnerConfigurableFlag` requires `AdminLevel.TenantOwner` and `Scope.Tenant`; handlers check both. If those ever drift you get a silent 403.
+
+Switching subtypes on an existing flag changes the row owner on the next reconcile — confirm that's what you want before flipping a `TenantAbTestFlag` to `PlanGatedTenantFlag`.
+
+## `IsKillSwitchEnabled` Defaults the Row to Inactive
+
+`isKillSwitchEnabled: true` causes the reconciler to create the base row with `EnabledAt = null` — an admin must click Activate before anyone sees the flag. `ActivateFeatureFlag` / `DeactivateFeatureFlag` only operate on kill-switch flags; default-false flags (e.g. `TenantOwnerConfigurableFlag`) are globally un-killable by design — only per-tenant overrides can turn them off.
+
+## Soft-Delete Burns the Key
+
+The startup reconciler marks orphaned rows (`OrphanedAt`), and re-adding the same key restores them — including any orphaned tenant/user overrides. **But** once a row is `DeletedAt`-stamped (back-office hard-delete), re-adding the same key in C# throws on startup and aborts deployment. Don't re-use a name; pick a new one.
+
+## The Four BackOffice Query Mirrors Drift Silently
+
+`FeatureFlagEvaluator` is the canonical runtime path. The four BackOffice query handlers (`GetUserFeatureFlags`, `GetTenantFeatureFlags`, `GetFeatureFlagUsers`, `GetFeatureFlagTenants`) each carry their own copy of `EvaluateAbRollout`, `ComputeInclusionThresholdPercentage`, and `ComputeDefaultEnabled`. They agree today by construction, not by tests — if you change evaluation math, update all five and rely on `FeatureFlagEvaluatorTests` for the canonical contract.
+
+Known divergences worth being aware of: the mirrors do NOT consult parent-dependency, and `EvaluateOverride` in the bulk-list mirrors returns `IsEnabled=true` without checking `baseRow.IsActive`. BackOffice display can therefore report a flag as enabled while runtime evaluation excludes it.
+
+## Disable Semantics Are Asymmetric
+
+The four "disable this flag for this entity" paths look symmetric but aren't:
+
+- `SetTenantFeatureFlagInternal(Enabled=false)` (admin) creates a new override row with `EnabledAt == DisabledAt` if none exists. This is required: without it, the entity would stay enabled-by-rollout. Same applies to `SetUserFeatureFlagInternal`.
+- `SetTenantFeatureFlagOwner(Enabled=false)` (tenant owner) no-ops if no override exists — owners can't yank themselves out of a rollout they were never explicitly in.
+- `RemoveTenantFeatureFlagOverride` (admin only) is a hard `Remove`; the row is dropped.
+- `SetTenantFeatureFlagInternal(Enabled=false)` is a soft `Deactivate`; the row is kept with `DisabledAt` set.
+
+Both removal paths emit `FeatureFlagTenantOverrideRemoved`, but they produce different `OverrideCount` results in bulk admin lists because the list counts `Source=Manual` rows — `Remove` drops them, `Deactivate` keeps them.
+
+`SetTenantFeatureFlagOwner` is NOT a back-office mutation. It lives under `/api/account/feature-flags/{key}/tenant-override` and self-validates `Role == Owner`. Plan-gated flags are explicitly blocked at the validator level for both manual paths.
+
+## Rollout Math Is Deterministic by Flag
+
+`RolloutBucketHasher` is a van der Corput low-discrepancy sequence offset by a per-flag FNV-1a hash of the key. Two flags at the same percentage do NOT cover the same tenants, and ramping up never reshuffles existing members — a tenant included at 10% stays included at 20%. Don't replace this with a random or modulo strategy.
+
+`ComputeInclusionThresholdPercentage` returns the percentage at which an entity would join the rollout, but it's special-cased for pins (`AlwaysOn` → 0, `NeverOn` → null). After the pin-trumps-rollout change, pins are unconditional, so the "joins at N%" column in BackOffice lists is meaningless for pinned rows.
+
+## Reading vs Writing
+
+- Handlers: read `executionContext.UserInfo.FeatureFlags` (already populated from the JWT claim). Re-querying the DB at request time means you've stepped outside the JWT-claim contract.
+- The `FeatureFlagEvaluator` runs at JWT refresh, not per request. Flag changes take up to the 5-minute access-token TTL to propagate.
+- Mutations that change the actor's own claim must chain `AddRefreshAuthenticationTokens()` so the gateway refreshes the JWT in-flight; without that the user waits up to 5 minutes. Plain mutations of other users' flags don't need this — they'll see it on their next refresh.
+
+## Architecture Test Guards
+
+Every new back-office mutation belongs in `EndpointMetadataTests.AdminPolicyBackOfficeRoutes` if admin-only, and gets a paired `_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden` test. The architecture test fails if a route's declared `RequireAuthorization` policy doesn't match the allowlist.
+
+## Telemetry
+
+Override events (`FeatureFlagTenantOverrideSet/Removed`, `FeatureFlagUserOverrideSet/Removed`) carry a `FeatureFlagOverrideTrigger` axis: `Internal` (back-office staff), `Owner` (tenant owner), `Self` (end-user preference). Plan-source transitions emit their own `FeatureFlagPlanOverrideActivated/Deactivated` events — they're not in the trigger enum. Per-flag telemetry tags are emitted as a single comma-separated `user.feature_flags` dimension; `feature_flag.*` is reserved by the OTel semantic-conventions registry, do not reintroduce it.
diff --git a/.claude/rules/frontend/feature-flags.md b/.claude/rules/frontend/feature-flags.md
new file mode 100644
index 000000000..7ec9e78ba
--- /dev/null
+++ b/.claude/rules/frontend/feature-flags.md
@@ -0,0 +1,37 @@
+---
+description: Non-obvious behaviour of the feature flag system on the frontend (hook, codegen, propagation timing)
+---
+
+# Feature Flags (frontend)
+
+Load this when gating UI on a feature flag, displaying a flag, or wondering why a toggle isn't reflecting in the SPA. The obvious parts (`useFeatureFlag(<key>)` returns `{ enabled }`) are not repeated.
+
+## `FeatureFlagKey` Is a Type-Level Contract
+
+`<key>` is typed against `FeatureFlagKey`, a codegen string-literal union built from `SharedKernel.FeatureFlags.FeatureFlags.cs`. Never cast a string to `FeatureFlagKey`; never accept a `string` parameter where `FeatureFlagKey` would do. Removing or renaming a flag in C# turns every stale callsite into a TS compile error after the next backend build — that compile error is the safety net.
+
+The codegen also enforces backend-before-frontend deploy order: the frontend build cannot reference a flag the backend hasn't shipped because the union is regenerated from the C# manifest.
+
+## The Hook Doesn't Subscribe — `AuthenticationProvider` Does
+
+`useFeatureFlag` reads `useUserInfo().featureFlags`. The bridge that turns the `x-user-feature-flags` response header into a re-render lives in `AuthenticationProvider` and short-circuits on identical flag sets, so re-renders are cheap. **Every authenticated response is the eventing channel** — there is no push, no SSE, no polling, and there is no flag-specific TanStack query to invalidate. Don't call `queryClient.invalidateQueries` for flag changes.
+
+## System Flags Bypass the User Path
+
+For `Scope: "system"` flags the hook reads `import.meta.runtime_env[envVar]` and ignores `userInfo` entirely. The hook handles this transparently — just call `useFeatureFlag(<key>)` regardless of scope. There is no per-tenant or per-user override for a system flag; if you need that, the flag is the wrong subtype on the backend.
+
+## Propagation Has a 5-Minute Floor
+
+Flag state lags behind a back-office or self-service toggle by up to the 5-minute access-token TTL. The mutation response carries `x-user-feature-flags` only when the mutating endpoint chains `AddRefreshAuthenticationTokens()` AND the gateway's endpoint-triggered refresh succeeds. Don't optimistically update for flag-driven UI; the response is the source of truth. If the backend was transiently unavailable during the refresh, the gateway suppresses `x-user-feature-flags` rather than emit the stale claim — so a "no change visible after toggle" outcome is a possible (rare) UI state.
+
+## Labels Are Codegen Too
+
+Display copy lives in `@repo/ui/featureFlags/labels` (`labels.generated.ts`), sourced from each `FeatureFlagDefinition.Label` / `Description`. Don't write parallel Lingui strings for flag names in components — call `getFeatureFlagLabel(key)`. The labels participate in the shared Lingui catalog under `shared-webapp/ui/translations/locale/`; translate there, not in the per-system catalog.
+
+## Where the Surfaces Live
+
+- Owner self-service: `/account/settings` (Features section) — `TenantOwnerConfigurableFlag` only.
+- User preferences: same area — `UserConfigurableFlag` only.
+- Back-office admin: `/feature-flags/{key}` — every scope.
+
+Orphaned and soft-deleted flags surface read-only in the back-office. They never reach `useFeatureFlag` (the codegen union drops them on the next backend build), so call sites don't need a "deleted flag" branch.
diff --git a/.claude/skills/db-query/SKILL.md b/.claude/skills/db-query/SKILL.md
index 4c20fb527..19575bddf 100644
--- a/.claude/skills/db-query/SKILL.md
+++ b/.claude/skills/db-query/SKILL.md
@@ -5,6 +5,8 @@ description: Query the local Postgres database of the active Aspire worktree via
 
 # Database Query
 
+**Port = `.workspace/port.txt` base + 2. Never trust Aspire MCP for the port — a common critical failure that silently runs SQL on another worktree's database.**
+
 **Read-only. Every write needs explicit user approval for that exact statement, every time — prior approvals never carry over.**
 
 **For destructive operations (DROP, TRUNCATE, DELETE, ALTER, or anything that loses data), take extreme care. If anything in the request is even slightly unclear about the scope, target, or intent, stop and ask for clarification before executing. Always assume the most conservative interpretation.**
diff --git a/.gitignore b/.gitignore
index cf072a5ae..b3b424ed7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -132,6 +132,7 @@ $tf/
 
 # Visual Studio Code
 .vscode
+*.lscache
 
 # ReSharper is a .NET coding add-in
 _ReSharper*/
@@ -392,6 +393,7 @@ FodyWeavers.xsd
 **/package.g.props
 **/*.generated.d.ts
 **/*.generated.ts
+**/*.generated.json
 **/Api/swagger.json
 **/lib/api/*.Api.json
 **/lib/api/*.Api_*.json
diff --git a/AGENTS.md b/AGENTS.md
index 23850f3a0..5a28de9b4 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -18,7 +18,7 @@ Run `build` first, then `format`, `lint`, `test` in parallel with `--no-build`.
 
 **Slow:** Aspire restart, backend format, backend lint, end-to-end tests. **Fast:** frontend format/lint, backend test.
 
-**Aspire**: The `aspire-restart` skill manages the AppHost - always use it; never `aspire run`, `aspire restart`, or the developer CLI's `run` command. Use the Aspire MCP `list_resources` tool to look up service URLs (or read `.workspace/port.txt` if you only need the base port). In the agentic workflow, only the Guardian agent restarts Aspire. All other agents must notify the Guardian if they need it restarted.
+**Aspire**: The `aspire-restart` skill manages the AppHost - always use it; never `aspire run`, `aspire restart`, or the developer CLI's `run` command. Port = `.workspace/port.txt` base + 2. Never trust Aspire MCP for the port — a common critical failure that silently runs SQL on another worktree's database. If you need other Aspire MCP data, call `mcp__aspire__select_apphost` with the cwd path first. In the agentic workflow, only the Guardian agent restarts Aspire. All other agents must notify the Guardian if they need it restarted.
 
 Never commit, amend, or revert without explicit user instruction each time. Commit messages: one descriptive line in imperative form, no description body.
 
diff --git a/README.md b/README.md
index 806a59ede..41ce6c577 100644
--- a/README.md
+++ b/README.md
@@ -22,37 +22,56 @@
 
 Kick-start building top-tier B2B & B2C cloud SaaS products with sleek design, fully localized and accessible, vertical slice architecture, automated and fast DevOps, and top-notch security.
 
+Ships with signup and login via Google or email one-time password, Stripe-powered subscription and payment management with plan upgrades, downgrades, and invoicing, feature flags with A/B-rollout, plan-gating, and per-user/tenant overrides, and a back-office dashboard with MRR and revenue trends, plan distribution, and tenant growth.
+
 Built to demonstrate seamless flow: backend contracts feed a fully-typed React UI, pipelines make fully automated deployments to Azure, and a multi-agent workflow built on Claude Code's native [Agent Teams](https://code.claude.com/docs/en/agent-teams) where PlatformPlatform-expert agents collaborate to deliver complete features following the opinionated architecture. Think of it as a ready-made blueprint, not a pile of parts to assemble.
 
 ## What's inside
 
-* **Backend** - .NET 10 and C# 14 adhering to the principles of vertical slice architecture, DDD, CQRS, and clean code
+* **Backend** - .NET 10 and C# 14 following the principles of vertical slice architecture, DDD, CQRS, and clean code
 * **Frontend** - React 19, TypeScript, TanStack Router & Query, ShadCN 2.0 with Base UI for accessible UI
 * **CI/CD** - GitHub actions for fast passwordless deployments of docker containers and infrastructure (Bicep)
-* **Infrastructure** - Cost efficient and scalable Azure PaaS services like Azure Container Apps, Azure PostgreSQL, etc.
+* **Infrastructure** - Cost efficient and scalable Azure PaaS like Azure Container Apps and PostgreSQL
 * **Developer CLI** - Extendable .NET CLI for DevEx - set up CI/CD is one command and a couple of questions
-* **AI rules** - 30+ rules & workflows for Claude Code - sync to other editors can be enabled via `.gitignore`
+* **AI rules** - 30+ rules & skills, refined and battle-tested over a year of daily use, capturing our opinionated patterns
 * **Multi-agent development** - Agent Teams workflow where specialized Claude Code agents with deep PlatformPlatform expertise collaborate end-to-end
 
-Follow our [up-to-date roadmap](https://github.com/orgs/PlatformPlatform/projects/2/views/2) with core SaaS features like SSO, monitoring, alerts, multi-region, feature flags, back office for support, etc.
+Follow our [up-to-date roadmap](https://github.com/orgs/PlatformPlatform/projects/2/views/2).
 
 Show your support for our project - give us a star on GitHub! It truly means a lot! ⭐
 
 ### Back office
 
-Operate the platform: manage account signups, users, and logins, and monitor revenue, MRR, churn, invoices, and Stripe drift.
+Operate the platform from a dedicated SPA on its own hostname, secured by Entra ID Easy Auth:
+
+* **Dashboard** - KPI tiles for total accounts, blended MRR, all-time revenue, active users, and live sessions; trend cards for MRR, revenue, tenant growth, plan distribution, user logins; activity feeds for recent signups, payments, logins, and Stripe webhook events
+* **Accounts** - Search and filter every tenant; drill into detail with owner, plan, and signup activity
+* **Users** - Cross-tenant user list with role and last-seen filters; drill into per-user profile and tenant
+* **Invoices** - Paginated invoice ledger across every account with Stripe drift detection so finance can reconcile what's in Stripe vs. what landed in the database
+* **Billing events** - Authoritative event log of subscription, payment, and billing transitions, filterable by event type and account, with deep-link from dashboard cards
+* **Feature flags** - Four levers (System / Subscription plan / Account / User) plus A/B-rollout with rich telemetry; declared in C# and surfaced as a strongly-typed React hook; back-office UI for rollouts and overrides
 
 <img src="https://platformplatformgithub.blob.core.windows.net/BackOffice.gif" alt="PlatformPlatform Back Office" title="PlatformPlatform Back Office" />
 
-### Product demo
+### User-facing SaaS product
 
-End-user flows: tenant signup, account settings, Google login, welcome flow, accessibility and localization, and Stripe-powered subscription signup and management.
+Production-ready end-user surfaces — fully localized, accessible, and ready to brand as your own product:
+
+* **Signup** - Tenant signup with email one-time password or Google OAuth (OpenID Connect with PKCE)
+* **Login** - Same OTP and Google sign-in flows, with `UNLOCK` shortcut on localhost so dev mail is optional
+* **Welcome** - First-run guided flow for naming the account, uploading a logo, and inviting colleagues
+* **Account settings** - Owner-editable account name, logo, and danger-zone account deletion
+* **User management** - Invite users, change roles (Owner/Admin/Member), bulk delete, and recycle-bin restore
+* **Subscription & billing** - Embedded Stripe Checkout & Payment Element, prorated upgrades/downgrades, billing-info editing, scheduled-downgrade banner, dunning, and payment history with invoices and credit notes
+* **User profile** - Personal profile with avatar upload (Gravatar fallback), first/last name, email, and job title
+* **User preferences** - Theme (light/dark/system) and zoom per device, language per profile
+* **Sessions** - Active session list with device type, browser, and OS, plus one-click revocation of any session
 
 <img src="https://platformplatformgithub.blob.core.windows.net/$root/PlatformPlatformDemo.gif" alt="PlatformPlatform Demo" title="PlatformPlatform Demo" />
 
 # Getting Started
 
-TL;DR: Open the [PlatformPlatform](./application/PlatformPlatform.slnx) solution in Rider or Visual Studio and run the [Aspire AppHost](./application/AppHost/AppHost.csproj) project.
+TL;DR: Requires .NET 10, Node, and Docker. Clone the repo and `dotnet run` from `developer-cli/` to start Aspire.
 
 ### Prerequisites
 
@@ -283,8 +302,6 @@ cd application/AppHost
 dotnet run
 ```
 
-Alternatively, open the [PlatformPlatform](./application/PlatformPlatform.slnx) solution in Rider or Visual Studio and run the [Aspire AppHost](./application/AppHost/AppHost.csproj) project.
-
 On first startup, Aspire will prompt for `stripe-enabled` -- enter `true` to configure Stripe integration (see the optional Stripe setup section below) or `false` to skip.
 
 Once the Aspire dashboard fully loads, click to the WebApp and sign up for a new account (https://app.dev.localhost:9000/signup). A one-time password (OTP) will be sent to the development mail server, but for local development, you can always use the code `UNLOCK` instead of checking the mail server.
diff --git a/application/AppGateway.Tests/AuthenticationCookiePathTests.cs b/application/AppGateway.Tests/AuthenticationCookiePathTests.cs
index bd1cba95e..cff37ab5f 100644
--- a/application/AppGateway.Tests/AuthenticationCookiePathTests.cs
+++ b/application/AppGateway.Tests/AuthenticationCookiePathTests.cs
@@ -1,7 +1,13 @@
+using System.Net;
+using System.Security.Claims;
 using AppGateway.Middleware;
 using FluentAssertions;
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 using SharedKernel.Authentication;
@@ -13,31 +19,25 @@ namespace AppGateway.Tests;
 public sealed class AuthenticationCookiePathTests(AppGatewayApplicationFactory factory) : IClassFixture<AppGatewayApplicationFactory>
 {
     [Fact]
-    public async Task ReplaceAuthenticationHeaderWithCookie_WhenInnerHandlerSetsTokenHeaders_ShouldIssueHostCookiesWithPathSlash()
+    public async Task InvokeAsync_WhenUpstreamResponseCarriesTokenHeaders_ShouldIssueHostCookiesWithPathSlash()
     {
         // Arrange
         await using var scope = factory.Services.CreateAsyncScope();
         var middleware = scope.ServiceProvider.GetRequiredService<AuthenticationCookieMiddleware>();
         var signingClient = scope.ServiceProvider.GetRequiredService<ITokenSigningClient>();
-
-        var refreshToken = CreateSignedToken(signingClient, 60);
-        var accessToken = CreateSignedToken(signingClient, 5);
-
-        var context = new DefaultHttpContext
-        {
-            Request = { Path = "/api/account/authentication/switch-tenant" },
-            Response = { Body = new MemoryStream() }
-        };
-
-        Task Next(HttpContext ctx)
-        {
-            ctx.Response.Headers[AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey] = refreshToken;
-            ctx.Response.Headers[AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey] = accessToken;
-            return Task.CompletedTask;
-        }
+        var refreshToken = CreateSignedToken(signingClient, 60, []);
+        var accessToken = CreateSignedToken(signingClient, 5, []);
+        var context = CreateHttpContext("/api/account/authentication/switch-tenant");
 
         // Act
-        await middleware.InvokeAsync(context, Next);
+        await middleware.InvokeAsync(context, downstream =>
+            {
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey] = refreshToken;
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey] = accessToken;
+                return Task.CompletedTask;
+            }
+        );
+        await TriggerOnStartingAsync(context);
 
         // Assert
         var setCookieHeaders = context.Response.Headers.SetCookie.ToArray();
@@ -50,28 +50,20 @@ Task Next(HttpContext ctx)
     }
 
     [Fact]
-    public async Task ExpiredRefreshToken_WhenMiddlewareDeletesCookies_ShouldIssueDeletionWithPathSlash()
+    public async Task InvokeAsync_WhenRefreshTokenCookieHasExpired_ShouldDeleteCookiesWithPathSlash()
     {
         // Arrange
         await using var scope = factory.Services.CreateAsyncScope();
         var middleware = scope.ServiceProvider.GetRequiredService<AuthenticationCookieMiddleware>();
         var signingClient = scope.ServiceProvider.GetRequiredService<ITokenSigningClient>();
-
-        var expiredRefreshToken = CreateSignedToken(signingClient, -10);
-        var expiredAccessToken = CreateSignedToken(signingClient, -10);
-
-        var context = new DefaultHttpContext
-        {
-            Request =
-            {
-                Path = "/some-spa-path",
-                Headers = { Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={expiredRefreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={expiredAccessToken}" }
-            },
-            Response = { Body = new MemoryStream() }
-        };
+        var expiredRefreshToken = CreateSignedToken(signingClient, -10, []);
+        var expiredAccessToken = CreateSignedToken(signingClient, -10, []);
+        var context = CreateHttpContext("/some-spa-path");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={expiredRefreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={expiredAccessToken}";
 
         // Act
         await middleware.InvokeAsync(context, _ => Task.CompletedTask);
+        await TriggerOnStartingAsync(context);
 
         // Assert
         var setCookieHeaders = context.Response.Headers.SetCookie.ToArray();
@@ -82,7 +74,212 @@ public async Task ExpiredRefreshToken_WhenMiddlewareDeletesCookies_ShouldIssueDe
         }
     }
 
-    private static string CreateSignedToken(ITokenSigningClient signingClient, int validForMinutes)
+    [Fact]
+    public async Task InvokeAsync_WhenAuthenticatedRequestHasFeatureFlagsClaim_ShouldEmitUserFeatureFlagsHeader()
+    {
+        // Arrange
+        await using var scope = factory.Services.CreateAsyncScope();
+        var middleware = scope.ServiceProvider.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = scope.ServiceProvider.GetRequiredService<ITokenSigningClient>();
+        var refreshToken = CreateSignedToken(signingClient, 60, []);
+        var accessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "account-overview,compact-view")]);
+        var context = CreateHttpContext("/api/account/me");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={refreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={accessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, _ => Task.CompletedTask);
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.Headers[AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey].ToString().Should().Be("account-overview,compact-view");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenAccessTokenHasNoFeatureFlagsClaim_ShouldOmitUserFeatureFlagsHeader()
+    {
+        // Arrange
+        await using var scope = factory.Services.CreateAsyncScope();
+        var middleware = scope.ServiceProvider.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = scope.ServiceProvider.GetRequiredService<ITokenSigningClient>();
+        var refreshToken = CreateSignedToken(signingClient, 60, []);
+        var accessToken = CreateSignedToken(signingClient, 5, []);
+        var context = CreateHttpContext("/api/account/me");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={refreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={accessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, _ => Task.CompletedTask);
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenAccessTokenHasEmptyFeatureFlagsClaim_ShouldEmitEmptyUserFeatureFlagsHeader()
+    {
+        // Arrange
+        await using var scope = factory.Services.CreateAsyncScope();
+        var middleware = scope.ServiceProvider.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = scope.ServiceProvider.GetRequiredService<ITokenSigningClient>();
+        var refreshToken = CreateSignedToken(signingClient, 60, []);
+        var accessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, string.Empty)]);
+        var context = CreateHttpContext("/api/account/me");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={refreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={accessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, _ => Task.CompletedTask);
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.Headers.Should().ContainKey(AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey);
+        context.Response.Headers[AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey].ToString().Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenUpstreamSetsRefreshAuthenticationTokensHeader_ShouldEmitHeaderReflectingPostRefreshJwt()
+    {
+        // Arrange
+        await using var stubFactory = new RefreshStubAppGatewayApplicationFactory();
+        var middleware = stubFactory.Services.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = stubFactory.Services.GetRequiredService<ITokenSigningClient>();
+        var inboundRefreshToken = CreateSignedToken(signingClient, 60, []);
+        var preRefreshAccessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "stale-flag")]);
+        var postRefreshAccessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "account-overview")]);
+        var postRefreshRefreshToken = CreateSignedToken(signingClient, 60, []);
+        RefreshStubAppGatewayApplicationFactory.SetStubResponse(postRefreshRefreshToken, postRefreshAccessToken);
+        var context = CreateHttpContext("/api/account/feature-flags/account-overview/tenant-override");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={inboundRefreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={preRefreshAccessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, downstream =>
+            {
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey] = "true";
+                return Task.CompletedTask;
+            }
+        );
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.Headers[AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey].ToString().Should().Be("account-overview");
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+        var setCookieHeaders = context.Response.Headers.SetCookie.ToArray();
+        setCookieHeaders.Should().Contain(h => h!.Contains(AuthenticationTokenHttpKeys.RefreshTokenCookieName));
+        setCookieHeaders.Should().Contain(h => h!.Contains(AuthenticationTokenHttpKeys.AccessTokenCookieName));
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenInlineRefreshPrecedesEndpointTriggeredRefresh_ShouldUseRotatedRefreshTokenForSecondCall()
+    {
+        // Arrange - expired access token forces inline refresh on the inbound path. The downstream
+        // endpoint then signals x-refresh-authentication-tokens-required, triggering a second refresh.
+        // Without M8 the second call would reuse the v=1 cookie value and fall back on the 30-second
+        // grace window; with M8 the second call uses the v=2 token returned from the first refresh.
+        await using var stubFactory = new RefreshStubAppGatewayApplicationFactory();
+        var middleware = stubFactory.Services.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = stubFactory.Services.GetRequiredService<ITokenSigningClient>();
+        var inboundRefreshTokenV1 = CreateSignedToken(signingClient, 60, []);
+        var expiredAccessToken = CreateSignedToken(signingClient, -1, []);
+        var rotatedRefreshTokenV2 = CreateSignedToken(signingClient, 60, []);
+        var inlineRefreshedAccessToken = CreateSignedToken(signingClient, 5, []);
+        var finalRefreshToken = CreateSignedToken(signingClient, 60, []);
+        var finalAccessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "account-overview")]);
+        RefreshStubAppGatewayApplicationFactory.SetStubResponse(rotatedRefreshTokenV2, inlineRefreshedAccessToken);
+        RefreshStubAppGatewayApplicationFactory.EnqueueStubResponse(finalRefreshToken, finalAccessToken);
+        var context = CreateHttpContext("/api/account/me/change-locale");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={inboundRefreshTokenV1}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={expiredAccessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, downstream =>
+            {
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey] = "true";
+                return Task.CompletedTask;
+            }
+        );
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        var bearerTokens = RefreshStubAppGatewayApplicationFactory.ReceivedBearerTokens;
+        bearerTokens.Should().HaveCount(2, "both an inline refresh and an endpoint-triggered refresh fired");
+        bearerTokens[0].Should().Be(inboundRefreshTokenV1, "the inline refresh uses the cookie's v=1 token");
+        bearerTokens[1].Should().Be(rotatedRefreshTokenV2, "the endpoint-triggered refresh must use the v=2 token returned from the inline refresh, not the stale v=1");
+        context.Response.Headers[AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey].ToString().Should().Be("account-overview");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenEndpointTriggeredRefreshHitsBackendOutage_ShouldOmitUserFeatureFlagsHeader()
+    {
+        // Arrange - downstream PUT succeeds and signals endpoint-triggered refresh. The refresh call to
+        // the account backend throws HttpRequestException (simulating a transient outage). The middleware
+        // logs and lets the mutation response through, but must NOT emit x-user-feature-flags from the
+        // pre-refresh access token — that would mislead the SPA into "your toggle didn't take effect".
+        await using var stubFactory = new RefreshStubAppGatewayApplicationFactory();
+        var middleware = stubFactory.Services.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = stubFactory.Services.GetRequiredService<ITokenSigningClient>();
+        var inboundRefreshToken = CreateSignedToken(signingClient, 60, []);
+        var preRefreshAccessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "stale-flag")]);
+        RefreshStubAppGatewayApplicationFactory.SetStubBackendUnavailable();
+        var context = CreateHttpContext("/api/account/feature-flags/stale-flag/tenant-override");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={inboundRefreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={preRefreshAccessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, downstream =>
+            {
+                downstream.Response.StatusCode = StatusCodes.Status204NoContent;
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey] = "true";
+                return Task.CompletedTask;
+            }
+        );
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.StatusCode.Should().Be(StatusCodes.Status204NoContent, "the mutation response must pass through unchanged");
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey, "emitting the pre-refresh claim would tell the SPA the mutation had no effect");
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_WhenRefreshEndpointSignalsSessionRevoked_ShouldOverwriteResponseWith401AndClearCookies()
+    {
+        // Arrange
+        await using var stubFactory = new RefreshStubAppGatewayApplicationFactory();
+        var middleware = stubFactory.Services.GetRequiredService<AuthenticationCookieMiddleware>();
+        var signingClient = stubFactory.Services.GetRequiredService<ITokenSigningClient>();
+        var inboundRefreshToken = CreateSignedToken(signingClient, 60, []);
+        var preRefreshAccessToken = CreateSignedToken(signingClient, 5, [new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, "stale-flag")]);
+        RefreshStubAppGatewayApplicationFactory.SetStubRevoked("ReplayAttackDetected");
+        var context = CreateHttpContext("/api/account/feature-flags/account-overview/tenant-override");
+        context.Request.Headers.Cookie = $"{AuthenticationTokenHttpKeys.RefreshTokenCookieName}={inboundRefreshToken}; {AuthenticationTokenHttpKeys.AccessTokenCookieName}={preRefreshAccessToken}";
+
+        // Act
+        await middleware.InvokeAsync(context, downstream =>
+            {
+                downstream.Response.Headers[AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey] = "true";
+                return Task.CompletedTask;
+            }
+        );
+        await TriggerOnStartingAsync(context);
+
+        // Assert
+        context.Response.StatusCode.Should().Be(StatusCodes.Status401Unauthorized);
+        context.Response.Headers[AuthenticationTokenHttpKeys.UnauthorizedReasonHeaderKey].ToString().Should().Be("ReplayAttackDetected");
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey);
+        context.Response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    private static DefaultHttpContext CreateHttpContext(string path)
+    {
+        var context = new DefaultHttpContext { Request = { Path = path }, Response = { Body = new MemoryStream() } };
+        context.Features.Set<IHttpResponseFeature>(new CapturingResponseFeature());
+        return context;
+    }
+
+    private static Task TriggerOnStartingAsync(HttpContext context)
+    {
+        var feature = (CapturingResponseFeature)context.Features.GetRequiredFeature<IHttpResponseFeature>();
+        return feature.TriggerOnStartingAsync();
+    }
+
+    private static string CreateSignedToken(ITokenSigningClient signingClient, int validForMinutes, Claim[] claims)
     {
         var now = DateTimeOffset.UtcNow;
         var notBefore = validForMinutes >= 0 ? now.UtcDateTime : now.AddMinutes(validForMinutes - 1).UtcDateTime;
@@ -93,8 +290,111 @@ private static string CreateSignedToken(ITokenSigningClient signingClient, int v
             Expires = now.AddMinutes(validForMinutes).UtcDateTime,
             Issuer = signingClient.Issuer,
             Audience = signingClient.Audience,
-            SigningCredentials = signingClient.GetSigningCredentials()
+            SigningCredentials = signingClient.GetSigningCredentials(),
+            Subject = claims.Length == 0 ? null : new ClaimsIdentity(claims)
         };
         return new JsonWebTokenHandler().CreateToken(descriptor);
     }
+
+    /// <summary>
+    ///     DefaultHttpContext's stock HttpResponseFeature treats OnStarting callbacks as no-ops because
+    ///     the response is never actually started in a unit test. This replacement captures the
+    ///     callbacks so the test can flush them after the downstream pipeline has set its response.
+    /// </summary>
+    private sealed class CapturingResponseFeature : HttpResponseFeature
+    {
+        private readonly List<(Func<object, Task> Callback, object State)> _onStartingCallbacks = [];
+
+        public override void OnStarting(Func<object, Task> callback, object state)
+        {
+            _onStartingCallbacks.Add((callback, state));
+        }
+
+        public override void OnCompleted(Func<object, Task> callback, object state)
+        {
+        }
+
+        public async Task TriggerOnStartingAsync()
+        {
+            foreach (var (callback, state) in _onStartingCallbacks)
+            {
+                await callback(state);
+            }
+        }
+    }
+}
+
+internal sealed class RefreshStubAppGatewayApplicationFactory : WebApplicationFactory<Program>
+{
+    private static readonly Queue<(string Refresh, string Access)> ResponseQueue = new();
+    private static readonly List<string?> ReceivedBearerTokensField = [];
+    private static string? _revokedReason;
+    private static bool _backendUnavailable;
+
+    public static IReadOnlyList<string?> ReceivedBearerTokens => ReceivedBearerTokensField;
+
+    public static void SetStubResponse(string refreshToken, string accessToken)
+    {
+        ResetStub();
+        ResponseQueue.Enqueue((refreshToken, accessToken));
+    }
+
+    public static void EnqueueStubResponse(string refreshToken, string accessToken)
+    {
+        ResponseQueue.Enqueue((refreshToken, accessToken));
+    }
+
+    public static void SetStubRevoked(string revokedReason)
+    {
+        ResetStub();
+        _revokedReason = revokedReason;
+    }
+
+    public static void SetStubBackendUnavailable()
+    {
+        ResetStub();
+        _backendUnavailable = true;
+    }
+
+    private static void ResetStub()
+    {
+        ResponseQueue.Clear();
+        ReceivedBearerTokensField.Clear();
+        _revokedReason = null;
+        _backendUnavailable = false;
+    }
+
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        builder.UseEnvironment("Development");
+        builder.ConfigureLogging(logging => logging.AddFilter(_ => false));
+        builder.ConfigureServices(services => { services.AddHttpClient("Account").ConfigurePrimaryHttpMessageHandler(() => new StubRefreshHandler()); }
+        );
+    }
+
+    private sealed class StubRefreshHandler : HttpMessageHandler
+    {
+        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            ReceivedBearerTokensField.Add(request.Headers.Authorization?.Parameter);
+
+            if (_backendUnavailable)
+            {
+                throw new HttpRequestException("Stub backend unavailable.");
+            }
+
+            if (_revokedReason is not null)
+            {
+                var revoked = new HttpResponseMessage(HttpStatusCode.Unauthorized);
+                revoked.Headers.Add(AuthenticationTokenHttpKeys.UnauthorizedReasonHeaderKey, _revokedReason);
+                return Task.FromResult(revoked);
+            }
+
+            var (refreshToken, accessToken) = ResponseQueue.Dequeue();
+            var response = new HttpResponseMessage(HttpStatusCode.OK);
+            response.Headers.Add(AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey, refreshToken);
+            response.Headers.Add(AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey, accessToken);
+            return Task.FromResult(response);
+        }
+    }
 }
diff --git a/application/AppGateway/Middleware/AuthenticationCookieMiddleware.cs b/application/AppGateway/Middleware/AuthenticationCookieMiddleware.cs
index ef6d72a23..70e2762ad 100644
--- a/application/AppGateway/Middleware/AuthenticationCookieMiddleware.cs
+++ b/application/AppGateway/Middleware/AuthenticationCookieMiddleware.cs
@@ -7,7 +7,7 @@
 
 namespace AppGateway.Middleware;
 
-public class AuthenticationCookieMiddleware(
+public sealed class AuthenticationCookieMiddleware(
     ITokenSigningClient tokenSigningClient,
     IHttpClientFactory httpClientFactory,
     TimeProvider timeProvider,
@@ -21,13 +21,18 @@ ILogger<AuthenticationCookieMiddleware> logger
 
     public async Task InvokeAsync(HttpContext context, RequestDelegate next)
     {
-        if (context.Request.Cookies.TryGetValue(AuthenticationTokenHttpKeys.RefreshTokenCookieName, out var refreshTokenCookieValue))
+        var tokenState = new TokenState();
+
+        if (context.Request.Cookies.TryGetValue(AuthenticationTokenHttpKeys.RefreshTokenCookieName, out var refreshTokenFromCookie))
         {
+            tokenState.InboundRefreshToken = refreshTokenFromCookie;
             context.Request.Cookies.TryGetValue(AuthenticationTokenHttpKeys.AccessTokenCookieName, out var accessTokenCookieValue);
-            await ValidateAuthenticationCookieAndConvertToHttpBearerHeader(context, refreshTokenCookieValue, accessTokenCookieValue);
+            tokenState.CurrentAccessToken = await ValidateAuthenticationCookieAndConvertToHttpBearerHeader(context, tokenState, accessTokenCookieValue);
         }
 
-        // If session was revoked during refresh, handle based on request type
+        // If session was revoked during the inbound cookie validation, short-circuit before reaching
+        // downstream. The OnStarting callback registered below will still emit x-user-feature-flags if
+        // a current token exists; in this revoked path we return early without a token, so no header.
         if (context.Items.TryGetValue(UnauthorizedReasonItemKey, out var reason) && reason is string unauthorizedReason)
         {
             if (context.Request.Path.StartsWithSegments("/api"))
@@ -45,24 +50,87 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
             context.Response.Cookies.Delete(AuthenticationTokenHttpKeys.AccessTokenCookieName, hostCookieOptions);
         }
 
-        await next(context);
+        // Single OnStarting hook for everything driven by the downstream response: header-mode
+        // cookie swap (login / signup / switch-tenant), endpoint-triggered refresh
+        // (x-refresh-authentication-tokens-required), session-revoked 401 override, and
+        // x-user-feature-flags emission from the current (possibly just-refreshed) access token.
+        // Sequential execution in one hook eliminates the race the split YARP-transform design had.
+        context.Response.OnStarting(async state =>
+            {
+                var (httpContext, currentState) = ((HttpContext, TokenState))state;
+                await HandleOutgoingResponseAsync(httpContext, currentState);
+            }, (context, tokenState)
+        );
 
+        await next(context);
+    }
 
+    private async Task HandleOutgoingResponseAsync(HttpContext context, TokenState tokenState)
+    {
         if (context.Response.Headers.TryGetValue(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey, out _))
         {
-            logger.LogDebug("Refreshing authentication tokens as requested by endpoint");
-            var (refreshToken, accessToken) = await RefreshAuthenticationTokensAsync(refreshTokenCookieValue!);
-            await ReplaceAuthenticationHeaderWithCookieAsync(context, refreshToken, accessToken);
+            // Endpoint-triggered refresh: the downstream signaled the actor's claims have changed
+            // (e.g. PUT /me, PUT /me/change-locale, PUT /api/account/feature-flags/{key}/tenant-override).
+            // Refresh the JWT now so the same response carries fresh cookies AND a fresh x-user-feature-flags.
+            if (tokenState.InboundRefreshToken is { } refreshToken)
+            {
+                try
+                {
+                    logger.LogDebug("Refreshing authentication tokens as requested by endpoint");
+                    var (newRefreshToken, newAccessToken) = await RefreshAuthenticationTokensAsync(refreshToken);
+                    await ReplaceAuthenticationHeaderWithCookieAsync(context, newRefreshToken, newAccessToken);
+                    tokenState.CurrentAccessToken = newAccessToken;
+                }
+                catch (SessionRevokedException ex)
+                {
+                    OverwriteWithUnauthorized(context, ex.RevokedReason);
+                    logger.LogWarning(ex, "Session revoked during endpoint-triggered refresh. Reason: {Reason}", ex.RevokedReason);
+                    return;
+                }
+                catch (SecurityTokenException ex)
+                {
+                    OverwriteWithUnauthorized(context, nameof(UnauthorizedReason.SessionNotFound));
+                    logger.LogWarning(ex, "Endpoint-triggered token refresh failed validation. Path: {Path}", context.Request.Path);
+                    return;
+                }
+                catch (HttpRequestException ex)
+                {
+                    // Backend temporarily unreachable: the upstream mutation already succeeded, so
+                    // let the response through. The SPA picks up new claims on the next refresh. The
+                    // degraded flag below suppresses x-user-feature-flags emission so the SPA isn't
+                    // told the pre-mutation flag set is current — that would look like the mutation
+                    // didn't take effect.
+                    logger.LogWarning(ex, "Backend unavailable during endpoint-triggered refresh. Path: {Path}", context.Request.Path);
+                    tokenState.EndpointTriggeredRefreshFailedDegraded = true;
+                }
+                catch (TaskCanceledException ex) when (!context.RequestAborted.IsCancellationRequested)
+                {
+                    logger.LogWarning(ex, "Backend timed out during endpoint-triggered refresh. Path: {Path}", context.Request.Path);
+                    tokenState.EndpointTriggeredRefreshFailedDegraded = true;
+                }
+            }
+
             context.Response.Headers.Remove(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
         }
-        else if (context.Response.Headers.TryGetValue(AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey, out var refreshToken) &&
-                 context.Response.Headers.TryGetValue(AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey, out var accessToken))
+        else if (context.Response.Headers.TryGetValue(AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey, out var refreshTokenHeader) &&
+                 context.Response.Headers.TryGetValue(AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey, out var accessTokenHeader))
+        {
+            // Login / signup / switch-tenant flows return the new tokens in response headers
+            // for AppGateway to convert into cookies before egress.
+            var newRefreshToken = refreshTokenHeader.Single()!;
+            var newAccessToken = accessTokenHeader.Single()!;
+            await ReplaceAuthenticationHeaderWithCookieAsync(context, newRefreshToken, newAccessToken);
+            tokenState.CurrentAccessToken = newAccessToken;
+        }
+
+        if (tokenState is { EndpointTriggeredRefreshFailedDegraded: false, CurrentAccessToken: { } currentAccessToken } &&
+            ExtractFeatureFlagsClaim(currentAccessToken) is { } featureFlagsClaim)
         {
-            await ReplaceAuthenticationHeaderWithCookieAsync(context, refreshToken.Single()!, accessToken.Single()!);
+            context.Response.Headers[AuthenticationTokenHttpKeys.UserFeatureFlagsHeaderKey] = featureFlagsClaim;
         }
     }
 
-    private async Task ValidateAuthenticationCookieAndConvertToHttpBearerHeader(HttpContext context, string refreshToken, string? accessToken)
+    private async Task<string?> ValidateAuthenticationCookieAndConvertToHttpBearerHeader(HttpContext context, TokenState tokenState, string? accessToken)
     {
         if (context.Request.Headers.ContainsKey(AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey) ||
             context.Request.Headers.ContainsKey(AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey))
@@ -73,6 +141,8 @@ private async Task ValidateAuthenticationCookieAndConvertToHttpBearerHeader(Http
 
         try
         {
+            var refreshToken = tokenState.InboundRefreshToken!;
+
             if (accessToken is null || await ExtractExpirationFromTokenAsync(accessToken) < timeProvider.GetUtcNow())
             {
                 if (await ExtractExpirationFromTokenAsync(refreshToken) < timeProvider.GetUtcNow())
@@ -81,18 +151,25 @@ private async Task ValidateAuthenticationCookieAndConvertToHttpBearerHeader(Http
                     context.Response.Cookies.Delete(AuthenticationTokenHttpKeys.RefreshTokenCookieName, expiredCookieOptions);
                     context.Response.Cookies.Delete(AuthenticationTokenHttpKeys.AccessTokenCookieName, expiredCookieOptions);
                     logger.LogDebug("The refresh-token has expired; authentication token cookies are removed");
-                    return;
+                    return null;
                 }
 
                 logger.LogDebug("The access-token has expired, attempting to refresh");
 
                 (refreshToken, accessToken) = await RefreshAuthenticationTokensAsync(refreshToken);
 
+                // Mirror the rotated refresh token onto tokenState so a downstream-triggered refresh in
+                // HandleOutgoingResponseAsync uses the v=2 jti, not the stale v=1 cookie value. Without
+                // this the second refresh fell back to the 30-second grace window in Session.IsRefreshTokenValid
+                // and would emit a spurious 401 once the gap exceeded the grace window.
+                tokenState.InboundRefreshToken = refreshToken;
+
                 // Update the authentication token cookies with the new tokens
                 await ReplaceAuthenticationHeaderWithCookieAsync(context, refreshToken, accessToken);
             }
 
             context.Request.Headers.Authorization = $"Bearer {accessToken}";
+            return accessToken;
         }
         catch (SessionRevokedException ex)
         {
@@ -124,6 +201,8 @@ private async Task ValidateAuthenticationCookieAndConvertToHttpBearerHeader(Http
             context.Items[UnauthorizedReasonItemKey] = nameof(UnauthorizedReason.SessionNotFound);
             logger.LogError(ex, "Unexpected exception during authentication token validation. Path: {Path}", context.Request.Path);
         }
+
+        return null;
     }
 
     private async Task<(string newRefreshToken, string newAccessToken)> RefreshAuthenticationTokensAsync(string refreshToken)
@@ -234,6 +313,43 @@ private async Task<DateTimeOffset> ExtractExpirationFromTokenAsync(string token)
 
         return DateTimeOffset.FromUnixTimeSeconds(long.Parse(expires));
     }
+
+    private static string? ExtractFeatureFlagsClaim(string accessToken)
+    {
+        if (!TokenHandler.CanReadToken(accessToken)) return null;
+        var jwt = TokenHandler.ReadJsonWebToken(accessToken);
+        return jwt.TryGetClaim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, out var claim) ? claim.Value : null;
+    }
+
+    /// <summary>
+    ///     Convert the upstream success response into a 401 with <c>x-unauthorized-reason</c> so the
+    ///     SPA's authentication middleware can react (redirect to login, surface revocation reason).
+    /// </summary>
+    private static void OverwriteWithUnauthorized(HttpContext context, string unauthorizedReason)
+    {
+        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+        context.Response.Headers[AuthenticationTokenHttpKeys.UnauthorizedReasonHeaderKey] = unauthorizedReason;
+        context.Response.Headers.Remove(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+        context.Response.Headers.Remove(AuthenticationTokenHttpKeys.RefreshTokenHttpHeaderKey);
+        context.Response.Headers.Remove(AuthenticationTokenHttpKeys.AccessTokenHttpHeaderKey);
+
+        var hostCookieOptions = new CookieOptions { Secure = true, Path = "/" };
+        context.Response.Cookies.Delete(AuthenticationTokenHttpKeys.RefreshTokenCookieName, hostCookieOptions);
+        context.Response.Cookies.Delete(AuthenticationTokenHttpKeys.AccessTokenCookieName, hostCookieOptions);
+    }
+
+    private sealed class TokenState
+    {
+        public string? CurrentAccessToken { get; set; }
+
+        public string? InboundRefreshToken { get; set; }
+
+        // Set when an endpoint-triggered refresh swallows a transient backend failure so the response
+        // does NOT emit x-user-feature-flags from the now-stale pre-refresh access token. Without this,
+        // the SPA would interpret a successful mutation + stale claim header as "the toggle didn't
+        // apply", causing flag-toggle UX confusion.
+        public bool EndpointTriggeredRefreshFailedDegraded { get; set; }
+    }
 }
 
 public sealed class SessionRevokedException(string revokedReason) : SecurityTokenException($"Session has been revoked. Reason: {revokedReason}")
diff --git a/application/AppGateway/Transformations/BlockInternalApiTransform.cs b/application/AppGateway/Transformations/BlockInternalApiTransform.cs
index e2157170f..79a1e097c 100644
--- a/application/AppGateway/Transformations/BlockInternalApiTransform.cs
+++ b/application/AppGateway/Transformations/BlockInternalApiTransform.cs
@@ -11,6 +11,9 @@ public override async ValueTask ApplyAsync(RequestTransformContext context)
             context.HttpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
             context.HttpContext.Response.ContentType = "text/plain";
             await context.HttpContext.Response.WriteAsync("Access to internal API is forbidden.");
+            // Finalize the response so the YARP forwarder cannot pick up the request and forward it
+            // upstream after we've already written the 403 body.
+            await context.HttpContext.Response.CompleteAsync();
         }
     }
 }
diff --git a/application/account/Api/Account.Api.csproj b/application/account/Api/Account.Api.csproj
index cc9eb042e..35b4cdf0d 100644
--- a/application/account/Api/Account.Api.csproj
+++ b/application/account/Api/Account.Api.csproj
@@ -41,6 +41,30 @@
         <PackageReference Include="Yarp.ReverseProxy"/>
     </ItemGroup>
 
+    <!--
+        Emit the feature flag manifest JSON for the frontend codegen step. Runs after Build by
+        invoking Account.Api.dll with the emit-feature-flags-manifest argument. The frontend script
+        application/shared-webapp/ui/scripts/generateFeatureFlagArtifacts.mjs reads this JSON and
+        produces application/shared-webapp/ui/featureFlags/labels.generated.ts and
+        registry.generated.ts with Lingui macros and runtime metadata for every flag declared in
+        FeatureFlags.cs. Inputs/Outputs let MSBuild skip the target when nothing has changed.
+    -->
+    <PropertyGroup>
+        <_FeatureFlagsManifestPath>$([System.IO.Path]::GetFullPath('$(MSBuildProjectDirectory)\..\..\shared-webapp\ui\featureFlags\featureFlags.generated.json'))</_FeatureFlagsManifestPath>
+        <_FeatureFlagsLabelsPath>$([System.IO.Path]::GetFullPath('$(MSBuildProjectDirectory)\..\..\shared-webapp\ui\featureFlags\labels.generated.ts'))</_FeatureFlagsLabelsPath>
+        <_FeatureFlagsRegistryPath>$([System.IO.Path]::GetFullPath('$(MSBuildProjectDirectory)\..\..\shared-webapp\ui\featureFlags\registry.generated.ts'))</_FeatureFlagsRegistryPath>
+        <_FeatureFlagsSourcePath>$([System.IO.Path]::GetFullPath('$(MSBuildProjectDirectory)\..\..\shared-kernel\SharedKernel\FeatureFlags\FeatureFlags.cs'))</_FeatureFlagsSourcePath>
+        <_FeatureFlagsCodegenScriptPath>$([System.IO.Path]::GetFullPath('$(MSBuildProjectDirectory)\..\..\shared-webapp\ui\scripts\generateFeatureFlagArtifacts.mjs'))</_FeatureFlagsCodegenScriptPath>
+    </PropertyGroup>
+    <Target Name="GenerateFeatureFlagsManifest" AfterTargets="Build" Condition="'$(DesignTimeBuild)' != 'true'"
+            Inputs="$(_FeatureFlagsSourcePath);$(_FeatureFlagsCodegenScriptPath);$(TargetPath)"
+            Outputs="$(_FeatureFlagsManifestPath);$(_FeatureFlagsLabelsPath);$(_FeatureFlagsRegistryPath)">
+        <Message Importance="high" Text="%0AGenerateFeatureFlagsManifest:" />
+        <Message Importance="high" Text="  Writing $(_FeatureFlagsManifestPath)" />
+        <Exec Command="dotnet &quot;$(TargetPath)&quot; --emit-feature-flags-manifest &quot;$(_FeatureFlagsManifestPath)&quot;" LogStandardErrorAsError="true" />
+        <Exec Command="node &quot;$(_FeatureFlagsCodegenScriptPath)&quot;" LogStandardErrorAsError="true" />
+    </Target>
+
     <!--
         Emit the 'back-office' OpenAPI document to account/BackOffice so the BackOffice SPA
         can run openapi-typescript on it. Runs after the built-in GenerateOpenApiDocuments target
diff --git a/application/account/Api/BackOffice/FeatureFlagEndpoints.cs b/application/account/Api/BackOffice/FeatureFlagEndpoints.cs
new file mode 100644
index 000000000..0d40942b3
--- /dev/null
+++ b/application/account/Api/BackOffice/FeatureFlagEndpoints.cs
@@ -0,0 +1,71 @@
+using Account.Features.FeatureFlags.Commands;
+using Account.Features.FeatureFlags.Queries;
+using Microsoft.Extensions.Options;
+using SharedKernel.ApiResults;
+using SharedKernel.Authentication.BackOfficeIdentity;
+using SharedKernel.Domain;
+using SharedKernel.Endpoints;
+using SharedKernel.OpenApi;
+
+namespace Account.Api.BackOffice;
+
+public sealed class FeatureFlagEndpoints : IEndpoints
+{
+    private const string RoutesPrefix = "/api/back-office/feature-flags";
+
+    public void MapEndpoints(IEndpointRouteBuilder routes)
+    {
+        var backOfficeHost = routes.ServiceProvider.GetRequiredService<IOptions<BackOfficeHostOptions>>().Value.Host;
+
+        var group = routes.MapGroup(RoutesPrefix)
+            .WithTags("BackOfficeFeatureFlags")
+            .WithGroupName(OpenApiDocumentNames.BackOffice)
+            .RequireHost(backOfficeHost)
+            .RequireAuthorization(BackOfficeIdentityDefaults.PolicyName)
+            .ProducesValidationProblem();
+
+        group.MapGet("/", async Task<ApiResult<GetFeatureFlagsResponse>> ([AsParameters] GetFeatureFlagsQuery query, IMediator mediator)
+            => await mediator.Send(query)
+        ).Produces<GetFeatureFlagsResponse>();
+
+        group.MapGet("/{flagKey}/tenants", async Task<ApiResult<GetFeatureFlagTenantsResponse>> (string flagKey, [AsParameters] GetFeatureFlagTenantsQuery query, IMediator mediator)
+            => await mediator.Send(query with { FlagKey = flagKey })
+        ).Produces<GetFeatureFlagTenantsResponse>();
+
+        group.MapPut("/{flagKey}/activate", async Task<ApiResult> (string flagKey, IMediator mediator)
+            => await mediator.Send(new ActivateFeatureFlagCommand(flagKey))
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapPut("/{flagKey}/deactivate", async Task<ApiResult> (string flagKey, IMediator mediator)
+            => await mediator.Send(new DeactivateFeatureFlagCommand(flagKey))
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapDelete("/{flagKey}", async Task<ApiResult> (string flagKey, IMediator mediator)
+            => await mediator.Send(new DeleteFeatureFlagCommand(flagKey))
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapPut("/{flagKey}/tenant-override", async Task<ApiResult> (string flagKey, SetTenantFeatureFlagInternalCommand command, IMediator mediator)
+            => await mediator.Send(command with { FlagKey = flagKey })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapPut("/{flagKey}/rollout-percentage", async Task<ApiResult> (string flagKey, SetFeatureFlagRolloutPercentageCommand command, IMediator mediator)
+            => await mediator.Send(command with { FlagKey = flagKey })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapDelete("/{flagKey}/tenant-override", async Task<ApiResult> (string flagKey, TenantId tenantId, IMediator mediator)
+            => await mediator.Send(new RemoveTenantFeatureFlagOverrideCommand { FlagKey = flagKey, TenantId = tenantId })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapGet("/{flagKey}/users", async Task<ApiResult<GetFeatureFlagUsersResponse>> (string flagKey, [AsParameters] GetFeatureFlagUsersQuery query, IMediator mediator)
+            => await mediator.Send(query with { FlagKey = flagKey })
+        ).Produces<GetFeatureFlagUsersResponse>();
+
+        group.MapPut("/{flagKey}/user-override", async Task<ApiResult> (string flagKey, SetUserFeatureFlagInternalCommand command, IMediator mediator)
+            => await mediator.Send(command with { FlagKey = flagKey })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapDelete("/{flagKey}/user-override", async Task<ApiResult> (string flagKey, UserId userId, TenantId tenantId, IMediator mediator)
+            => await mediator.Send(new RemoveUserFeatureFlagOverrideCommand { FlagKey = flagKey, UserId = userId, TenantId = tenantId })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+    }
+}
diff --git a/application/account/Api/BackOffice/TenantsEndpoints.cs b/application/account/Api/BackOffice/TenantsEndpoints.cs
index bf59e2937..a09bf9d98 100644
--- a/application/account/Api/BackOffice/TenantsEndpoints.cs
+++ b/application/account/Api/BackOffice/TenantsEndpoints.cs
@@ -1,3 +1,4 @@
+using Account.Features.FeatureFlags.Queries;
 using Account.Features.Tenants.BackOffice.Commands;
 using Account.Features.Tenants.BackOffice.Queries;
 using Microsoft.Extensions.Options;
@@ -48,6 +49,10 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
             => await mediator.Send(query with { Id = id })
         ).Produces<TenantPaymentHistoryResponse>();
 
+        group.MapGet("/{id}/feature-flags", async Task<ApiResult<GetTenantFeatureFlagsResponse>> (TenantId id, IMediator mediator)
+            => await mediator.Send(new GetTenantFeatureFlagsQuery { TenantId = id })
+        ).Produces<GetTenantFeatureFlagsResponse>();
+
         group.MapPost("/{id}/reconcile-with-stripe", async Task<ApiResult<ReconcileTenantWithStripeResponse>> (TenantId id, IMediator mediator)
             => await mediator.Send(new ReconcileTenantWithStripeCommand { TenantId = id })
         ).Produces<ReconcileTenantWithStripeResponse>().RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
@@ -59,5 +64,9 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
         group.MapPost("/{id}/drift/acknowledge", async Task<ApiResult> (TenantId id, IMediator mediator)
             => await mediator.Send(new AcknowledgeBillingDriftCommand { TenantId = id })
         ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
+
+        group.MapPut("/{id}/ab-inclusion-pin", async Task<ApiResult> (TenantId id, SetTenantAbInclusionPinCommand command, IMediator mediator)
+            => await mediator.Send(command with { TenantId = id })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
     }
 }
diff --git a/application/account/Api/BackOffice/UsersEndpoints.cs b/application/account/Api/BackOffice/UsersEndpoints.cs
index f2f2b6928..ce51fa14f 100644
--- a/application/account/Api/BackOffice/UsersEndpoints.cs
+++ b/application/account/Api/BackOffice/UsersEndpoints.cs
@@ -1,3 +1,5 @@
+using Account.Features.FeatureFlags.Queries;
+using Account.Features.Users.BackOffice.Commands;
 using Account.Features.Users.BackOffice.Queries;
 using Microsoft.Extensions.Options;
 using SharedKernel.ApiResults;
@@ -38,5 +40,13 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
         group.MapGet("/{id}/login-history", async Task<ApiResult<BackOfficeUserLoginHistoryResponse>> (UserId id, [AsParameters] GetBackOfficeUserLoginHistoryQuery query, IMediator mediator)
             => await mediator.Send(query with { Id = id })
         ).Produces<BackOfficeUserLoginHistoryResponse>();
+
+        group.MapGet("/{id}/feature-flags", async Task<ApiResult<GetUserFeatureFlagsResponse>> (UserId id, IMediator mediator)
+            => await mediator.Send(new GetUserFeatureFlagsQuery { UserId = id })
+        ).Produces<GetUserFeatureFlagsResponse>();
+
+        group.MapPut("/{id}/ab-inclusion-pin", async Task<ApiResult> (UserId id, SetUserAbInclusionPinCommand command, IMediator mediator)
+            => await mediator.Send(command with { UserId = id })
+        ).RequireAuthorization(BackOfficeIdentityDefaults.AdminPolicyName);
     }
 }
diff --git a/application/account/Api/Endpoints/FeatureFlagEndpoints.cs b/application/account/Api/Endpoints/FeatureFlagEndpoints.cs
new file mode 100644
index 000000000..b6cff2408
--- /dev/null
+++ b/application/account/Api/Endpoints/FeatureFlagEndpoints.cs
@@ -0,0 +1,31 @@
+using Account.Features.FeatureFlags.Commands;
+using Account.Features.FeatureFlags.Queries;
+using SharedKernel.ApiResults;
+using SharedKernel.Endpoints;
+using SharedKernel.OpenApi;
+
+namespace Account.Api.Endpoints;
+
+public sealed class FeatureFlagEndpoints : IEndpoints
+{
+    public void MapEndpoints(IEndpointRouteBuilder routes)
+    {
+        var group = routes.MapGroup("/api/account/feature-flags").WithTags("FeatureFlags").WithGroupName(OpenApiDocumentNames.Account).RequireAuthorization().ProducesValidationProblem();
+
+        group.MapGet("/tenant-configurable", async Task<ApiResult<TenantConfigurableFeatureFlagsResponse>> (IMediator mediator)
+            => await mediator.Send(new GetTenantConfigurableFeatureFlagsQuery())
+        ).Produces<TenantConfigurableFeatureFlagsResponse>();
+
+        group.MapGet("/user-configurable", async Task<ApiResult<UserConfigurableFeatureFlagsResponse>> (IMediator mediator)
+            => await mediator.Send(new GetUserConfigurableFeatureFlagsQuery())
+        ).Produces<UserConfigurableFeatureFlagsResponse>();
+
+        group.MapPut("/{flagKey}/tenant-override", async Task<ApiResult> (string flagKey, SetTenantFeatureFlagOwnerCommand command, IMediator mediator)
+            => (await mediator.Send(command with { FlagKey = flagKey })).AddRefreshAuthenticationTokens()
+        );
+
+        group.MapPut("/{flagKey}/user-override", async Task<ApiResult> (string flagKey, SetUserFeatureFlagCommand command, IMediator mediator)
+            => (await mediator.Send(command with { FlagKey = flagKey })).AddRefreshAuthenticationTokens()
+        );
+    }
+}
diff --git a/application/account/Api/Endpoints/TenantEndpoints.cs b/application/account/Api/Endpoints/TenantEndpoints.cs
index 8af2dd8b3..82643ca23 100644
--- a/application/account/Api/Endpoints/TenantEndpoints.cs
+++ b/application/account/Api/Endpoints/TenantEndpoints.cs
@@ -36,7 +36,6 @@ public void MapEndpoints(IEndpointRouteBuilder routes)
         );
 
         // Internal-only endpoint reachable backend-to-backend via the cluster's localhost address.
-        // BlockInternalApiTransform in AppGateway rejects external callers.
         routes.MapDelete("/internal-api/account/tenants/{id}", async Task<ApiResult> (TenantId id, IMediator mediator)
             => await mediator.Send(new DeleteTenantCommand(id))
         ).WithGroupName(OpenApiDocumentNames.Account);
diff --git a/application/account/Api/FeatureFlagsManifestEmitter.cs b/application/account/Api/FeatureFlagsManifestEmitter.cs
new file mode 100644
index 000000000..295e738c7
--- /dev/null
+++ b/application/account/Api/FeatureFlagsManifestEmitter.cs
@@ -0,0 +1,73 @@
+using System.Text.Json;
+using JetBrains.Annotations;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Api;
+
+// Build-time tool that serializes the feature flag registry to JSON. Invoked by the
+// GenerateFeatureFlagsManifest MSBuild target in Account.Api.csproj after Build via
+// `dotnet "$(TargetPath)" --emit-feature-flags-manifest <path>`. The frontend codegen
+// script application/shared-webapp/ui/scripts/generateFeatureFlagArtifacts.mjs reads
+// the emitted JSON and produces labels.generated.ts + registry.generated.ts.
+internal static class FeatureFlagsManifestEmitter
+{
+    private static readonly JsonSerializerOptions Options = new()
+    {
+        WriteIndented = true,
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        DefaultIgnoreCondition = JsonIgnoreCondition.Never
+    };
+
+    public static void Emit(string manifestPath)
+    {
+        var directory = Path.GetDirectoryName(manifestPath);
+        if (!string.IsNullOrEmpty(directory) && !Directory.Exists(directory))
+        {
+            Directory.CreateDirectory(directory);
+        }
+
+        var manifest = FeatureFlags.GetAll().Select(featureFlag => new FeatureFlagManifestEntry(
+                featureFlag.Key,
+                featureFlag.Scope.ToString(),
+                featureFlag.AdminLevel.ToString(),
+                featureFlag.Label,
+                featureFlag.Description,
+                featureFlag.ParentDependency,
+                featureFlag.IsAbTestEligible,
+                featureFlag.ConfigurableByTenant,
+                featureFlag.ConfigurableByUser,
+                featureFlag.TrackInTelemetry,
+                featureFlag.TelemetryName,
+                featureFlag.RequiredPlan?.ToString(),
+                featureFlag.SystemConfigKey,
+                featureFlag.SystemConfigExpectedValue,
+                featureFlag.FrontendEnvVar,
+                featureFlag.IsKillSwitchEnabled,
+                featureFlag.IsStableModule
+            )
+        ).ToArray();
+
+        File.WriteAllText(manifestPath, JsonSerializer.Serialize(manifest, Options) + Environment.NewLine);
+    }
+
+    [UsedImplicitly]
+    private sealed record FeatureFlagManifestEntry(
+        string Key,
+        string Scope,
+        string AdminLevel,
+        string Label,
+        string Description,
+        string? ParentDependency,
+        bool IsAbTestEligible,
+        bool ConfigurableByTenant,
+        bool ConfigurableByUser,
+        bool TrackInTelemetry,
+        string? TelemetryName,
+        string? RequiredPlan,
+        string? SystemConfigKey,
+        string? SystemConfigExpectedValue,
+        string? FrontendEnvVar,
+        bool IsKillSwitchEnabled,
+        bool IsStableModule
+    );
+}
diff --git a/application/account/Api/Program.cs b/application/account/Api/Program.cs
index 677333590..af2d2dee0 100644
--- a/application/account/Api/Program.cs
+++ b/application/account/Api/Program.cs
@@ -10,6 +10,13 @@
 using SharedKernel.OpenApi;
 using SharedKernel.SinglePageApp;
 
+// Build-time manifest emitter dispatcher. See FeatureFlagsManifestEmitter.cs.
+if (args is ["--emit-feature-flags-manifest", var manifestPath])
+{
+    FeatureFlagsManifestEmitter.Emit(manifestPath);
+    return;
+}
+
 var builder = WebApplication.CreateBuilder(args);
 
 // Configure storage infrastructure like Database, BlobStorage, Logging, Telemetry, Entity Framework DB Context, etc.
diff --git a/application/account/BackOffice/routes/-shared/AbInclusionPinBadge.tsx b/application/account/BackOffice/routes/-shared/AbInclusionPinBadge.tsx
new file mode 100644
index 000000000..4834a2e39
--- /dev/null
+++ b/application/account/BackOffice/routes/-shared/AbInclusionPinBadge.tsx
@@ -0,0 +1,31 @@
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { CircleCheckIcon, CircleSlashIcon } from "lucide-react";
+
+import { AbInclusionPin } from "@/shared/lib/api/client";
+
+interface AbInclusionPinBadgeProps {
+  pin: AbInclusionPin | null;
+}
+
+// Shows the entity-global A/B inclusion pin (AlwaysOn / NeverOn) when set. Null pin renders nothing
+// so the header stays clean for the common case where the pin has never been touched.
+export function AbInclusionPinBadge({ pin }: Readonly<AbInclusionPinBadgeProps>) {
+  if (pin === null) return null;
+
+  if (pin === AbInclusionPin.AlwaysOn) {
+    return (
+      <Badge variant="outline" className="gap-1 border-success/30 text-success">
+        <CircleCheckIcon className="size-3" aria-hidden={true} />
+        <Trans>First in feature flag rollouts</Trans>
+      </Badge>
+    );
+  }
+
+  return (
+    <Badge variant="outline" className="gap-1 border-warning/30 text-warning">
+      <CircleSlashIcon className="size-3" aria-hidden={true} />
+      <Trans>Last in feature flag rollouts</Trans>
+    </Badge>
+  );
+}
diff --git a/application/account/BackOffice/routes/-shared/AbInclusionPinMenuItems.tsx b/application/account/BackOffice/routes/-shared/AbInclusionPinMenuItems.tsx
new file mode 100644
index 000000000..e2ac4fd1b
--- /dev/null
+++ b/application/account/BackOffice/routes/-shared/AbInclusionPinMenuItems.tsx
@@ -0,0 +1,26 @@
+import { Trans } from "@lingui/react/macro";
+import { DropdownMenuItem, DropdownMenuSeparator } from "@repo/ui/components/DropdownMenu";
+import { CircleDotIcon } from "lucide-react";
+
+// Single menu item that opens the A/B inclusion pin dialog. The dialog itself MUST be rendered as
+// a sibling of the DropdownMenu — keeping it inside the dropdown's subtree causes BaseUI to unmount
+// the dialog the instant the menu closes (the dialog flashes for ~500ms then disappears).
+interface AbInclusionPinMenuItemsProps {
+  withLeadingSeparator?: boolean;
+  onSelect: () => void;
+}
+
+export function AbInclusionPinMenuItems({
+  withLeadingSeparator = false,
+  onSelect
+}: Readonly<AbInclusionPinMenuItemsProps>) {
+  return (
+    <>
+      {withLeadingSeparator && <DropdownMenuSeparator />}
+      <DropdownMenuItem trackingLabel="Open feature flag rollouts dialog" onClick={onSelect}>
+        <CircleDotIcon className="size-4" />
+        <Trans>Feature flag rollouts</Trans>
+      </DropdownMenuItem>
+    </>
+  );
+}
diff --git a/application/account/BackOffice/routes/-shared/SetAbInclusionPinDialog.tsx b/application/account/BackOffice/routes/-shared/SetAbInclusionPinDialog.tsx
new file mode 100644
index 000000000..10f71c475
--- /dev/null
+++ b/application/account/BackOffice/routes/-shared/SetAbInclusionPinDialog.tsx
@@ -0,0 +1,188 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Button } from "@repo/ui/components/Button";
+import {
+  DialogBody,
+  DialogClose,
+  DialogContent,
+  DialogFooter,
+  DialogForm,
+  DialogHeader,
+  DialogTitle
+} from "@repo/ui/components/Dialog";
+import { DirtyDialog } from "@repo/ui/components/DirtyDialog";
+import { useDialogSetDirty } from "@repo/ui/components/DirtyDialogContext";
+import { Field, FieldContent, FieldDescription, FieldLabel, FieldTitle } from "@repo/ui/components/Field";
+import { RadioGroup, RadioGroupItem } from "@repo/ui/components/RadioGroup";
+import { useState } from "react";
+import { toast } from "sonner";
+
+import { AbInclusionPin, api, queryClient } from "@/shared/lib/api/client";
+
+type Entity = "tenant" | "user";
+
+// `default` (no pin) cannot be represented as a RadioGroup value of `null`, so we encode it as a
+// distinct radio value. On submit we translate `default` back to the API's `null` body.
+type RadioValue = AbInclusionPin | "default";
+
+interface SetAbInclusionPinDialogProps {
+  entity: Entity;
+  entityId: string;
+  entityLabel: string;
+  currentPin: AbInclusionPin | null;
+  isOpen: boolean;
+  onOpenChange: (isOpen: boolean) => void;
+}
+
+export function SetAbInclusionPinDialog({
+  entity,
+  entityId,
+  entityLabel,
+  currentPin,
+  isOpen,
+  onOpenChange
+}: Readonly<SetAbInclusionPinDialogProps>) {
+  const handleClose = () => onOpenChange(false);
+  return (
+    <DirtyDialog open={isOpen} onOpenChange={onOpenChange} trackingTitle="Feature flag rollouts">
+      <DialogContent className="sm:w-dialog-lg">
+        <DialogHeader>
+          <DialogTitle>
+            <Trans>Feature flag rollouts</Trans>
+          </DialogTitle>
+        </DialogHeader>
+        <SetAbInclusionPinDialogBody
+          entity={entity}
+          entityId={entityId}
+          entityLabel={entityLabel}
+          currentPin={currentPin}
+          onClose={handleClose}
+        />
+      </DialogContent>
+    </DirtyDialog>
+  );
+}
+
+function SetAbInclusionPinDialogBody({
+  entity,
+  entityId,
+  entityLabel,
+  currentPin,
+  onClose
+}: Readonly<{
+  entity: Entity;
+  entityId: string;
+  entityLabel: string;
+  currentPin: AbInclusionPin | null;
+  onClose: () => void;
+}>) {
+  const setDirty = useDialogSetDirty();
+  const [selected, setSelected] = useState<RadioValue>(currentPin ?? "default");
+
+  const tenantMutation = api.useMutation("put", "/api/back-office/tenants/{id}/ab-inclusion-pin");
+  const userMutation = api.useMutation("put", "/api/back-office/users/{id}/ab-inclusion-pin");
+  const mutation = entity === "tenant" ? tenantMutation : userMutation;
+
+  const invalidate = () => {
+    if (entity === "tenant") {
+      queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/tenants/{id}"] });
+    } else {
+      queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/users/{id}"] });
+    }
+    queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/feature-flags/{flagKey}/tenants"] });
+    queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/feature-flags/{flagKey}/users"] });
+    queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/tenants/{id}/feature-flags"] });
+    queryClient.invalidateQueries({ queryKey: ["get", "/api/back-office/users/{id}/feature-flags"] });
+  };
+
+  const handleSubmit = () => {
+    const pin: AbInclusionPin | null = selected === "default" ? null : selected;
+    const onSuccess = () => {
+      const message =
+        pin === AbInclusionPin.AlwaysOn
+          ? t`${entityLabel} is now first in feature flag rollouts`
+          : pin === AbInclusionPin.NeverOn
+            ? t`${entityLabel} is now last in feature flag rollouts`
+            : t`Feature flag rollouts reset to default for ${entityLabel}`;
+      toast.success(message);
+      invalidate();
+      onClose();
+    };
+    if (entity === "tenant") {
+      tenantMutation.mutate({ params: { path: { id: entityId } }, body: { abInclusionPin: pin } }, { onSuccess });
+    } else {
+      userMutation.mutate({ params: { path: { id: entityId } }, body: { abInclusionPin: pin } }, { onSuccess });
+    }
+  };
+
+  return (
+    <DialogForm onSubmit={handleSubmit} validationErrors={mutation.error?.errors}>
+      <DialogBody>
+        <p className="text-sm text-muted-foreground">
+          <Trans>
+            Choose how {entityLabel} participates in feature flag rollouts. Per-flag manual overrides still take
+            precedence over this setting.
+          </Trans>
+        </p>
+
+        <RadioGroup
+          aria-label={t`Feature flag rollouts`}
+          value={selected}
+          onValueChange={(value) => {
+            setSelected(value as RadioValue);
+            setDirty(true);
+          }}
+          className="mt-3"
+        >
+          <FieldLabel>
+            <Field orientation="horizontal">
+              <RadioGroupItem value="default" id="pin-default" autoFocus={true} />
+              <FieldContent>
+                <FieldTitle>
+                  <Trans>Default</Trans>
+                </FieldTitle>
+                <FieldDescription>
+                  <Trans>Included in feature flag rollouts based on the assigned rollout bucket.</Trans>
+                </FieldDescription>
+              </FieldContent>
+            </Field>
+          </FieldLabel>
+          <FieldLabel>
+            <Field orientation="horizontal">
+              <RadioGroupItem value={AbInclusionPin.AlwaysOn} id="pin-always" />
+              <FieldContent>
+                <FieldTitle>
+                  <Trans>First in feature flag rollouts</Trans>
+                </FieldTitle>
+                <FieldDescription>
+                  <Trans>Included at 1% — the first to receive any feature flag rollout.</Trans>
+                </FieldDescription>
+              </FieldContent>
+            </Field>
+          </FieldLabel>
+          <FieldLabel>
+            <Field orientation="horizontal">
+              <RadioGroupItem value={AbInclusionPin.NeverOn} id="pin-never" />
+              <FieldContent>
+                <FieldTitle>
+                  <Trans>Last in feature flag rollouts</Trans>
+                </FieldTitle>
+                <FieldDescription>
+                  <Trans>Included at 100% — the last to receive any feature flag rollout.</Trans>
+                </FieldDescription>
+              </FieldContent>
+            </Field>
+          </FieldLabel>
+        </RadioGroup>
+      </DialogBody>
+      <DialogFooter>
+        <DialogClose render={<Button type="reset" variant="secondary" disabled={mutation.isPending} />}>
+          <Trans>Cancel</Trans>
+        </DialogClose>
+        <Button type="submit" isPending={mutation.isPending}>
+          {mutation.isPending ? <Trans>Saving...</Trans> : <Trans>Save changes</Trans>}
+        </Button>
+      </DialogFooter>
+    </DialogForm>
+  );
+}
diff --git a/application/account/BackOffice/routes/accounts/$tenantId.tsx b/application/account/BackOffice/routes/accounts/$tenantId.tsx
index 5da040f4f..c5a2c385c 100644
--- a/application/account/BackOffice/routes/accounts/$tenantId.tsx
+++ b/application/account/BackOffice/routes/accounts/$tenantId.tsx
@@ -4,7 +4,7 @@ import { AppLayout } from "@repo/ui/components/AppLayout";
 import { SidebarInset, SidebarProvider } from "@repo/ui/components/Sidebar";
 import { Tabs, TabsContent, TabsList, TabsTrigger } from "@repo/ui/components/Tabs";
 import { createFileRoute, useNavigate } from "@tanstack/react-router";
-import { ActivityIcon, LayoutGridIcon, ReceiptIcon, UsersIcon } from "lucide-react";
+import { ActivityIcon, FlagIcon, LayoutGridIcon, ReceiptIcon, UsersIcon } from "lucide-react";
 import { useCallback } from "react";
 import { z } from "zod";
 
@@ -14,16 +14,17 @@ import { api } from "@/shared/lib/api/client";
 import { AccountBillingTab } from "./-components/AccountBillingTab";
 import { AccountCurrentPlanCard } from "./-components/AccountCurrentPlanCard";
 import { AccountDetailHeader } from "./-components/AccountDetailHeader";
+import { AccountFeatureFlagsTab } from "./-components/AccountFeatureFlagsTab";
 import { AccountHealthTiles } from "./-components/AccountHealthTiles";
 import { AccountOverviewTab } from "./-components/AccountOverviewTab";
 import { AccountUsersTab } from "./-components/AccountUsersTab";
 
-type AccountDetailTab = "overview" | "users" | "invoices" | "billing-events";
+type AccountDetailTab = "overview" | "users" | "invoices" | "billing-events" | "feature-flags";
 
 const isSubscriptionEnabled = import.meta.runtime_env.PUBLIC_SUBSCRIPTION_ENABLED === "true";
 
 const accountDetailSearchSchema = z.object({
-  tab: z.enum(["overview", "users", "invoices", "billing-events"]).optional()
+  tab: z.enum(["overview", "users", "invoices", "billing-events", "feature-flags"]).optional()
 });
 
 export const Route = createFileRoute("/accounts/$tenantId")({
@@ -86,6 +87,10 @@ function AccountDetailPage() {
                     <Trans>Billing events</Trans>
                   </TabsTrigger>
                 )}
+                <TabsTrigger value="feature-flags">
+                  <FlagIcon className="size-4" aria-hidden={true} />
+                  <Trans>Feature flags</Trans>
+                </TabsTrigger>
               </TabsList>
               <TabsContent value="overview" className="flex flex-col gap-6">
                 <AccountOverviewTab tenant={tenant} tenantId={tenantId} isLoading={tenantQuery.isLoading} />
@@ -118,6 +123,9 @@ function AccountDetailPage() {
                   <AccountBillingTab tenantId={tenantId} variant="events-full" />
                 </TabsContent>
               )}
+              <TabsContent value="feature-flags">
+                <AccountFeatureFlagsTab tenantId={tenantId} />
+              </TabsContent>
             </Tabs>
           </div>
         </AppLayout>
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountActionsMenu.tsx b/application/account/BackOffice/routes/accounts/-components/AccountActionsMenu.tsx
index 48ce75164..b484337c8 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountActionsMenu.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountActionsMenu.tsx
@@ -22,9 +22,13 @@ import { Tooltip, TooltipContent, TooltipTrigger } from "@repo/ui/components/Too
 import { AlertTriangleIcon, ExternalLinkIcon, MoreVerticalIcon, RefreshCwIcon } from "lucide-react";
 import { useState } from "react";
 
+import type { AbInclusionPin } from "@/shared/lib/api/client";
+
 import { useMe } from "@/shared/hooks/useMe";
 import { api } from "@/shared/lib/api/client";
 
+import { AbInclusionPinMenuItems } from "../../-shared/AbInclusionPinMenuItems";
+import { SetAbInclusionPinDialog } from "../../-shared/SetAbInclusionPinDialog";
 import { ReconcileResultDialog, type ReconcileResult } from "./ReconcileResultDialog";
 import {
   type ArchivedAwaitingConfirmation,
@@ -35,14 +39,21 @@ import {
 
 interface AccountActionsMenuProps {
   tenantId: string;
+  tenantName: string | undefined;
   stripeCustomerUrl: string | null | undefined;
+  abInclusionPin: AbInclusionPin | null | undefined;
 }
 
 interface ReconcileApiResult extends ReconcileResult {
   archivedEventsAwaitingConfirmation: ArchivedAwaitingConfirmation | null;
 }
 
-export function AccountActionsMenu({ tenantId, stripeCustomerUrl }: Readonly<AccountActionsMenuProps>) {
+export function AccountActionsMenu({
+  tenantId,
+  tenantName,
+  stripeCustomerUrl,
+  abInclusionPin
+}: Readonly<AccountActionsMenuProps>) {
   const { data: me } = useMe();
   const [result, setResult] = useState<ReconcileApiResult | null>(null);
   const [replayResult, setReplayResult] = useState<ReplayArchivedResult | null>(null);
@@ -51,6 +62,7 @@ export function AccountActionsMenu({ tenantId, stripeCustomerUrl }: Readonly<Acc
   const [archivedAwaiting, setArchivedAwaiting] = useState<ArchivedAwaitingConfirmation | null>(null);
   const [isReplayConfirmOpen, setIsReplayConfirmOpen] = useState(false);
   const [isReplayResultOpen, setIsReplayResultOpen] = useState(false);
+  const [isPinDialogOpen, setIsPinDialogOpen] = useState(false);
 
   const reconcileMutation = api.useMutation("post", "/api/back-office/tenants/{id}/reconcile-with-stripe", {
     onSuccess: (data) => {
@@ -140,6 +152,7 @@ export function AccountActionsMenu({ tenantId, stripeCustomerUrl }: Readonly<Acc
               <Trans>Open in Stripe</Trans>
             </DropdownMenuItem>
           )}
+          <AbInclusionPinMenuItems withLeadingSeparator={true} onSelect={() => setIsPinDialogOpen(true)} />
         </DropdownMenuContent>
       </DropdownMenu>
 
@@ -191,6 +204,15 @@ export function AccountActionsMenu({ tenantId, stripeCustomerUrl }: Readonly<Acc
         onOpenChange={setIsReplayResultOpen}
         result={replayResult}
       />
+
+      <SetAbInclusionPinDialog
+        entity="tenant"
+        entityId={tenantId}
+        entityLabel={tenantName ?? t`This account`}
+        currentPin={abInclusionPin ?? null}
+        isOpen={isPinDialogOpen}
+        onOpenChange={setIsPinDialogOpen}
+      />
     </>
   );
 }
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountDetailHeader.tsx b/application/account/BackOffice/routes/accounts/-components/AccountDetailHeader.tsx
index e21a599e3..6c8759de5 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountDetailHeader.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountDetailHeader.tsx
@@ -13,6 +13,7 @@ import { PlannedSubscriptionChange, TenantState } from "@/shared/lib/api/client"
 import { getSubscriptionPlanLabel, getTenantStateLabel } from "@/shared/lib/api/labels";
 import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
 
+import { AbInclusionPinBadge } from "../../-shared/AbInclusionPinBadge";
 import { AccountActionsMenu } from "./AccountActionsMenu";
 import { TenantStatusBadge } from "./TenantStatusBadge";
 
@@ -51,6 +52,7 @@ export function AccountDetailHeader({ tenant, tenantId, isLoading }: Readonly<Ac
                   plannedChange={derivePlannedChange(tenant)}
                   hasEverSubscribed={tenant.hasEverSubscribed}
                 />
+                <AbInclusionPinBadge pin={tenant.abInclusionPin} />
               </div>
             </div>
             <div className="flex flex-wrap items-center gap-x-3 gap-y-1 text-sm text-muted-foreground">
@@ -61,6 +63,7 @@ export function AccountDetailHeader({ tenant, tenantId, isLoading }: Readonly<Ac
                   plannedChange={derivePlannedChange(tenant)}
                   hasEverSubscribed={tenant.hasEverSubscribed}
                 />
+                <AbInclusionPinBadge pin={tenant.abInclusionPin} />
               </div>
               {tenant.billingAddress?.country && (
                 <span className="inline-flex items-center gap-1.5">
@@ -83,7 +86,12 @@ export function AccountDetailHeader({ tenant, tenantId, isLoading }: Readonly<Ac
           </>
         )}
       </div>
-      <AccountActionsMenu tenantId={tenantId} stripeCustomerUrl={tenant?.stripeCustomerUrl} />
+      <AccountActionsMenu
+        tenantId={tenantId}
+        tenantName={tenant?.name}
+        stripeCustomerUrl={tenant?.stripeCustomerUrl}
+        abInclusionPin={tenant?.abInclusionPin}
+      />
     </div>
   );
 }
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagRow.tsx b/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagRow.tsx
new file mode 100644
index 000000000..bd4c38d7d
--- /dev/null
+++ b/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagRow.tsx
@@ -0,0 +1,132 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { TableCell, TableRow } from "@repo/ui/components/Table";
+import { getFeatureFlagDescription, getFeatureFlagName } from "@repo/ui/featureFlags/labels";
+import { useNavigate } from "@tanstack/react-router";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+
+import type { components } from "@/shared/lib/api/client";
+
+import { api } from "@/shared/lib/api/client";
+
+import { OverrideSwitch } from "../../feature-flags/-components/OverrideSwitch";
+import { ScopeIcon } from "../../feature-flags/-components/ScopeIcon";
+
+type TenantFeatureFlagInfo = components["schemas"]["TenantFeatureFlagInfo"];
+
+export function AccountFeatureFlagRow({
+  tenantId,
+  flag,
+  isPlanGroup,
+  showBucketColumn
+}: Readonly<{ tenantId: string; flag: TenantFeatureFlagInfo; isPlanGroup: boolean; showBucketColumn: boolean }>) {
+  const [optimisticEnabled, setOptimisticEnabled] = useState(flag.isEnabled);
+  const [optimisticIsOverride, setOptimisticIsOverride] = useState(flag.source === "manual_override");
+  // No hover-defer here — the tenant-detail feature-flag tab has no filters, so the row can never be
+  // removed from view by a mutation. The global mutation handler invalidates queries automatically.
+  const overrideMutation = api.useMutation("put", "/api/back-office/feature-flags/{flagKey}/tenant-override");
+  const removeMutation = api.useMutation("delete", "/api/back-office/feature-flags/{flagKey}/tenant-override");
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    setOptimisticEnabled(flag.isEnabled);
+    setOptimisticIsOverride(flag.source === "manual_override");
+  }, [flag.isEnabled, flag.source]);
+
+  const flagName = getFeatureFlagName(flag.flagKey);
+  const flagDescription = getFeatureFlagDescription(flag.flagKey) || flag.description;
+
+  const handleRemoveOverride = () => {
+    setOptimisticEnabled(flag.defaultEnabled);
+    setOptimisticIsOverride(false);
+    removeMutation.mutate(
+      { params: { path: { flagKey: flag.flagKey }, query: { tenantId } } },
+      {
+        onSuccess: () =>
+          toast.success(t`Override removed for ${flagName}`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          }),
+        onError: () => {
+          setOptimisticEnabled(flag.isEnabled);
+          setOptimisticIsOverride(flag.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleSetOverride = (checked: boolean) => {
+    setOptimisticEnabled(checked);
+    setOptimisticIsOverride(true);
+    overrideMutation.mutate(
+      { params: { path: { flagKey: flag.flagKey } }, body: { tenantId, enabled: checked } },
+      {
+        onSuccess: () =>
+          toast.success(checked ? t`${flagName} enabled` : t`${flagName} disabled`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          }),
+        onError: () => {
+          setOptimisticEnabled(flag.isEnabled);
+          setOptimisticIsOverride(flag.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleToggle = (checked: boolean) => {
+    if (flag.isAbTestEligible && optimisticIsOverride && optimisticEnabled === flag.defaultEnabled) {
+      handleRemoveOverride();
+      return;
+    }
+    handleSetOverride(checked);
+  };
+
+  const isPending = overrideMutation.isPending || removeMutation.isPending;
+
+  return (
+    <TableRow
+      rowKey={flag.flagKey}
+      className="cursor-pointer"
+      onClick={() => navigate({ to: "/feature-flags/$flagKey", params: { flagKey: flag.flagKey } })}
+    >
+      <TableCell>
+        <div className="flex min-w-0 flex-col">
+          <span className="flex items-center gap-2 font-medium">
+            <ScopeIcon scope={flag.scope} isAbTestEligible={flag.isAbTestEligible} />
+            <span className="truncate">{flagName}</span>
+          </span>
+          {flagDescription && (
+            <span className="hidden truncate text-sm text-muted-foreground sm:block">{flagDescription}</span>
+          )}
+        </div>
+      </TableCell>
+      {isPlanGroup && (
+        <TableCell className="hidden text-center sm:table-cell">
+          <Badge variant="outline">{flag.requiredPlan}</Badge>
+        </TableCell>
+      )}
+      {showBucketColumn && (
+        <TableCell className="hidden text-center text-muted-foreground sm:table-cell">
+          {flag.inclusionThresholdPercentage != null ? `${flag.inclusionThresholdPercentage}%` : null}
+        </TableCell>
+      )}
+      <TableCell className="text-center" onClick={(event) => event.stopPropagation()}>
+        {isPlanGroup ? (
+          <Badge variant={flag.isEnabled ? "default" : "outline"}>
+            {flag.isEnabled ? <Trans>Enabled</Trans> : <Trans>Disabled</Trans>}
+          </Badge>
+        ) : (
+          <OverrideSwitch
+            isManualOverride={optimisticIsOverride && flag.isAbTestEligible}
+            checked={optimisticEnabled}
+            onCheckedChange={handleToggle}
+            disabled={isPending}
+            dimmed={!flag.isBaseRowActive && optimisticEnabled}
+            ariaLabel={t`Override for ${flagName}`}
+          />
+        )}
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagsTab.tsx b/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagsTab.tsx
new file mode 100644
index 000000000..f8252ab07
--- /dev/null
+++ b/application/account/BackOffice/routes/accounts/-components/AccountFeatureFlagsTab.tsx
@@ -0,0 +1,139 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Empty, EmptyDescription, EmptyHeader, EmptyTitle } from "@repo/ui/components/Empty";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { Table, TableBody, TableHead, TableHeader, TableRow } from "@repo/ui/components/Table";
+import { useMemo } from "react";
+
+import type { components } from "@/shared/lib/api/client";
+
+import { api } from "@/shared/lib/api/client";
+
+import { AccountFeatureFlagRow } from "./AccountFeatureFlagRow";
+
+type TenantFeatureFlagInfo = components["schemas"]["TenantFeatureFlagInfo"];
+
+interface AccountFeatureFlagsTabProps {
+  tenantId: string;
+}
+
+export function AccountFeatureFlagsTab({ tenantId }: Readonly<AccountFeatureFlagsTabProps>) {
+  const { data, isLoading } = api.useQuery("get", "/api/back-office/tenants/{id}/feature-flags", {
+    params: { path: { id: tenantId } }
+  });
+
+  const { accountFlags, planFlags } = useMemo(() => {
+    const flags = data?.flags ?? [];
+    return {
+      accountFlags: flags.filter((f) => f.requiredPlan == null),
+      planFlags: flags.filter((f) => f.requiredPlan != null)
+    };
+  }, [data?.flags]);
+
+  if (isLoading) {
+    return <FeatureFlagsTabSkeleton />;
+  }
+
+  if (accountFlags.length === 0 && planFlags.length === 0) {
+    return (
+      <Empty className="border">
+        <EmptyHeader>
+          <EmptyTitle>
+            <Trans>No feature flags</Trans>
+          </EmptyTitle>
+          <EmptyDescription>
+            <Trans>No tenant-scoped feature flags are defined for this account.</Trans>
+          </EmptyDescription>
+        </EmptyHeader>
+      </Empty>
+    );
+  }
+
+  return (
+    <div className="flex flex-col gap-8">
+      {accountFlags.length > 0 && (
+        <FeatureFlagGroup
+          tenantId={tenantId}
+          flags={accountFlags}
+          title={t`Account flags`}
+          description={t`Per-account flags. Toggle the override switch to enable or disable for this account.`}
+          isPlanGroup={false}
+        />
+      )}
+      {planFlags.length > 0 && (
+        <FeatureFlagGroup
+          tenantId={tenantId}
+          flags={planFlags}
+          title={t`Plan flags`}
+          description={t`Gated by the account's subscription plan. Read-only.`}
+          isPlanGroup={true}
+        />
+      )}
+    </div>
+  );
+}
+
+function FeatureFlagGroup({
+  tenantId,
+  flags,
+  title,
+  description,
+  isPlanGroup
+}: Readonly<{
+  tenantId: string;
+  flags: TenantFeatureFlagInfo[];
+  title: string;
+  description: string;
+  isPlanGroup: boolean;
+}>) {
+  const hasAbTestFlag = flags.some((f) => f.isAbTestEligible);
+  return (
+    <div className="flex flex-col gap-2">
+      <h3>{title}</h3>
+      <p className="text-sm text-muted-foreground">{description}</p>
+      <Table rowSize="compact" aria-label={title} className="w-full table-fixed">
+        <TableHeader>
+          <TableRow>
+            <TableHead>
+              <Trans>Name</Trans>
+            </TableHead>
+            {isPlanGroup && (
+              <TableHead className="hidden w-[8rem] text-center sm:table-cell">
+                <Trans>Required plan</Trans>
+              </TableHead>
+            )}
+            {!isPlanGroup && hasAbTestFlag && (
+              <TableHead className="hidden w-[8rem] text-center sm:table-cell">
+                <Trans>Included at</Trans>
+              </TableHead>
+            )}
+            <TableHead className="w-[8rem] text-center">
+              {isPlanGroup ? <Trans>Status</Trans> : <Trans>Override</Trans>}
+            </TableHead>
+          </TableRow>
+        </TableHeader>
+        <TableBody>
+          {flags.map((flag) => (
+            <AccountFeatureFlagRow
+              key={flag.flagKey}
+              tenantId={tenantId}
+              flag={flag}
+              isPlanGroup={isPlanGroup}
+              showBucketColumn={!isPlanGroup && hasAbTestFlag}
+            />
+          ))}
+        </TableBody>
+      </Table>
+    </div>
+  );
+}
+
+function FeatureFlagsTabSkeleton() {
+  return (
+    <div className="flex flex-col gap-2">
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountUserRow.tsx b/application/account/BackOffice/routes/accounts/-components/AccountUserRow.tsx
index 70c14a54f..a26f1c7fe 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountUserRow.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountUserRow.tsx
@@ -47,9 +47,9 @@ export function AccountUserRow({
         </div>
       </TableCell>
       <TableCell className="hidden md:table-cell">
-        <span className="inline-flex items-center gap-1.5">
+        <span className="flex min-w-0 items-center gap-1.5">
           <MailIcon className="size-3.5 shrink-0 text-muted-foreground" aria-hidden={true} />
-          <span>{user.email}</span>
+          <span className="truncate">{user.email}</span>
         </span>
       </TableCell>
       <TableCell className="hidden lg:table-cell">
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountUsersTab.tsx b/application/account/BackOffice/routes/accounts/-components/AccountUsersTab.tsx
index f42ffdb2d..4a9f11395 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountUsersTab.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountUsersTab.tsx
@@ -176,7 +176,13 @@ function UserList({
   }
 
   return (
-    <Table rowSize="spacious" aria-label={t`Account users`} selectionMode="single" onActivate={handleActivate}>
+    <Table
+      rowSize="spacious"
+      aria-label={t`Account users`}
+      selectionMode="single"
+      onActivate={handleActivate}
+      className="w-full table-fixed"
+    >
       <TableHeader>
         <TableRow>
           <TableHead>
@@ -185,10 +191,10 @@ function UserList({
           <TableHead className="hidden md:table-cell">
             <Trans>Email</Trans>
           </TableHead>
-          <TableHead className="hidden lg:table-cell">
+          <TableHead className="hidden w-[8rem] lg:table-cell">
             <Trans>Role</Trans>
           </TableHead>
-          <TableHead className="hidden lg:table-cell">
+          <TableHead className="hidden w-[10rem] lg:table-cell">
             <Trans>Last seen</Trans>
           </TableHead>
         </TableRow>
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountsTableRow.tsx b/application/account/BackOffice/routes/accounts/-components/AccountsTableRow.tsx
index de14a75e9..fdca81e3a 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountsTableRow.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountsTableRow.tsx
@@ -2,27 +2,19 @@ import { Badge } from "@repo/ui/components/Badge";
 import { TableCell, TableRow } from "@repo/ui/components/Table";
 import { TenantLogo } from "@repo/ui/components/TenantLogo";
 import { getCountryFlagEmoji } from "@repo/ui/utils/countryFlag";
-import { formatCurrency } from "@repo/utils/currency/formatCurrency";
 
 import type { components } from "@/shared/lib/api/client";
 
 import { SmartDateTime } from "@/shared/components/SmartDateTime";
-import { PlannedSubscriptionChange } from "@/shared/lib/api/client";
 import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
 import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
 
 import { getUserDisplayName } from "../../users/-components/userDisplay";
+import { MrrCell } from "./MrrCell";
 import { TenantStatusBadge } from "./TenantStatusBadge";
 
 type TenantSummary = components["schemas"]["TenantSummary"];
 
-function formatMonthlyRevenue(amount: number | null, currency: string | null): string {
-  if (amount === null || currency === null) {
-    return "-";
-  }
-  return formatCurrency(amount, currency);
-}
-
 export function AccountsTableRow({
   tenant,
   formatDate
@@ -59,7 +51,13 @@ export function AccountsTableRow({
                 />
               </div>
               <div className="shrink-0 text-right text-sm text-muted-foreground tabular-nums">
-                <MrrCell tenant={tenant} align="end" />
+                <MrrCell
+                  monthlyRecurringRevenue={tenant.monthlyRecurringRevenue}
+                  scheduledPriceAmount={tenant.scheduledPriceAmount}
+                  currency={tenant.currency}
+                  plannedChange={tenant.plannedChange}
+                  align="end"
+                />
               </div>
             </div>
           </div>
@@ -69,7 +67,12 @@ export function AccountsTableRow({
         <Badge className={getSubscriptionPlanBadgeClass(tenant.plan)}>{getSubscriptionPlanLabel(tenant.plan)}</Badge>
       </TableCell>
       <TableCell className="hidden tabular-nums md:table-cell">
-        <MrrCell tenant={tenant} />
+        <MrrCell
+          monthlyRecurringRevenue={tenant.monthlyRecurringRevenue}
+          scheduledPriceAmount={tenant.scheduledPriceAmount}
+          currency={tenant.currency}
+          plannedChange={tenant.plannedChange}
+        />
       </TableCell>
       <TableCell className="hidden lg:table-cell">
         {tenant.renewalDate ? formatDate(tenant.renewalDate) : <span className="text-muted-foreground">-</span>}
@@ -107,26 +110,3 @@ export function AccountsTableRow({
     </TableRow>
   );
 }
-
-function MrrCell({ tenant, align = "start" }: Readonly<{ tenant: TenantSummary; align?: "start" | "end" }>) {
-  const currentAmount = formatMonthlyRevenue(tenant.monthlyRecurringRevenue, tenant.currency);
-  const isCanceling = tenant.plannedChange === PlannedSubscriptionChange.Cancellation;
-  const isDowngrading = tenant.plannedChange === PlannedSubscriptionChange.ScheduledPlanChange;
-  const newAmount =
-    isCanceling && tenant.currency !== null
-      ? formatCurrency(0, tenant.currency)
-      : isDowngrading && tenant.scheduledPriceAmount !== null && tenant.currency !== null
-        ? formatCurrency(tenant.scheduledPriceAmount, tenant.currency)
-        : null;
-
-  if (newAmount === null) {
-    return <span>{currentAmount}</span>;
-  }
-
-  return (
-    <div className={`flex flex-col leading-tight ${align === "end" ? "items-end" : ""}`}>
-      <span className="text-xs text-muted-foreground line-through">{currentAmount}</span>
-      <span>{newAmount}</span>
-    </div>
-  );
-}
diff --git a/application/account/BackOffice/routes/accounts/-components/AccountsToolbar.tsx b/application/account/BackOffice/routes/accounts/-components/AccountsToolbar.tsx
index c9b6717c6..75672a376 100644
--- a/application/account/BackOffice/routes/accounts/-components/AccountsToolbar.tsx
+++ b/application/account/BackOffice/routes/accounts/-components/AccountsToolbar.tsx
@@ -28,9 +28,8 @@ export function AccountsToolbar({ search, plans, statuses, unsynced, driftDetect
   const debouncedSearch = useDebounce(searchInput, 500);
 
   useEffect(() => {
-    if ((debouncedSearch || undefined) === search) {
-      return;
-    }
+    // See UsersToolbar.tsx for the rationale on omitting `search` from this effect's deps.
+    if ((debouncedSearch || undefined) === search) return;
     navigate({
       to: "/accounts",
       search: (previous) => ({
@@ -40,7 +39,8 @@ export function AccountsToolbar({ search, plans, statuses, unsynced, driftDetect
         pageOffset: undefined
       })
     });
-  }, [debouncedSearch, navigate, search]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [debouncedSearch, navigate]);
 
   useEffect(() => {
     setSearchInput(search ?? "");
diff --git a/application/account/BackOffice/routes/accounts/-components/MrrCell.tsx b/application/account/BackOffice/routes/accounts/-components/MrrCell.tsx
new file mode 100644
index 000000000..c30ecc279
--- /dev/null
+++ b/application/account/BackOffice/routes/accounts/-components/MrrCell.tsx
@@ -0,0 +1,49 @@
+import { formatCurrency } from "@repo/utils/currency/formatCurrency";
+
+import type { components } from "@/shared/lib/api/client";
+
+import { PlannedSubscriptionChange } from "@/shared/lib/api/client";
+
+type PlannedSubscriptionChangeValue = components["schemas"]["PlannedSubscriptionChange"] | null;
+
+interface MrrCellProps {
+  monthlyRecurringRevenue: number | null;
+  scheduledPriceAmount: number | null;
+  currency: string | null;
+  plannedChange: PlannedSubscriptionChangeValue;
+  align?: "start" | "end";
+}
+
+function formatMonthlyRevenue(amount: number | null, currency: string | null): string {
+  if (amount === null || currency === null) return "-";
+  return formatCurrency(amount, currency);
+}
+
+export function MrrCell({
+  monthlyRecurringRevenue,
+  scheduledPriceAmount,
+  currency,
+  plannedChange,
+  align = "start"
+}: Readonly<MrrCellProps>) {
+  const currentAmount = formatMonthlyRevenue(monthlyRecurringRevenue, currency);
+  const isCanceling = plannedChange === PlannedSubscriptionChange.Cancellation;
+  const isDowngrading = plannedChange === PlannedSubscriptionChange.ScheduledPlanChange;
+  const newAmount =
+    isCanceling && currency !== null
+      ? formatCurrency(0, currency)
+      : isDowngrading && scheduledPriceAmount !== null && currency !== null
+        ? formatCurrency(scheduledPriceAmount, currency)
+        : null;
+
+  if (newAmount === null) {
+    return <span>{currentAmount}</span>;
+  }
+
+  return (
+    <div className={`flex flex-col leading-tight ${align === "end" ? "items-end" : ""}`}>
+      <span className="text-xs text-muted-foreground line-through">{currentAmount}</span>
+      <span>{newAmount}</span>
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/billing-events/-components/BillingEventsToolbar.tsx b/application/account/BackOffice/routes/billing-events/-components/BillingEventsToolbar.tsx
index 5abf3fcf8..6cc4a6bb1 100644
--- a/application/account/BackOffice/routes/billing-events/-components/BillingEventsToolbar.tsx
+++ b/application/account/BackOffice/routes/billing-events/-components/BillingEventsToolbar.tsx
@@ -25,9 +25,8 @@ export function BillingEventsToolbar({ search, view }: Readonly<BillingEventsToo
   const debouncedSearch = useDebounce(searchInput, 500);
 
   useEffect(() => {
-    if ((debouncedSearch || undefined) === search) {
-      return;
-    }
+    // See UsersToolbar.tsx for the rationale on omitting `search` from this effect's deps.
+    if ((debouncedSearch || undefined) === search) return;
     navigate({
       to: "/billing-events",
       search: (previous) => ({
@@ -38,7 +37,8 @@ export function BillingEventsToolbar({ search, view }: Readonly<BillingEventsToo
         pageOffset: undefined
       })
     });
-  }, [debouncedSearch, navigate, search]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [debouncedSearch, navigate]);
 
   useEffect(() => {
     setSearchInput(search ?? "");
diff --git a/application/account/BackOffice/routes/feature-flags/$flagKey.tsx b/application/account/BackOffice/routes/feature-flags/$flagKey.tsx
new file mode 100644
index 000000000..ca5fe7560
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/$flagKey.tsx
@@ -0,0 +1,214 @@
+import { Trans } from "@lingui/react/macro";
+import { useUserInfo } from "@repo/infrastructure/auth/hooks";
+import { AppLayout } from "@repo/ui/components/AppLayout";
+import { Button } from "@repo/ui/components/Button";
+import { SidebarInset, SidebarProvider } from "@repo/ui/components/Sidebar";
+import { getFeatureFlagDescription, getFeatureFlagName } from "@repo/ui/featureFlags/labels";
+import { createFileRoute } from "@tanstack/react-router";
+import { Trash2Icon } from "lucide-react";
+import { useState } from "react";
+import { z } from "zod";
+
+import { BackOfficeSideMenu } from "@/shared/components/BackOfficeSideMenu";
+import {
+  api,
+  FeatureFlagAudienceState,
+  SortableFeatureFlagTenantProperties,
+  SortableFeatureFlagUserProperties,
+  SortOrder,
+  SubscriptionPlan,
+  UserRole
+} from "@/shared/lib/api/client";
+
+import type { GetFeatureFlagsResponse } from "./-components/types";
+
+import { DeleteFeatureFlagDialog } from "./-components/DeleteFeatureFlagDialog";
+import { FeatureFlagDetailSkeleton } from "./-components/FeatureFlagDetailSkeleton";
+import { FeatureFlagDetailTitle } from "./-components/FeatureFlagDetailTitle";
+import { FeatureFlagInfoSection } from "./-components/FeatureFlagInfoSection";
+import { PlanFeatureFlagInfoSection, PlanFeatureFlagTenantsSection } from "./-components/PlanFeatureFlagSections";
+import { ALL_STATE_FILTER } from "./-components/stateFilter";
+import { TenantOverridesSection } from "./-components/TenantOverridesSection";
+import { UserOverridesSection } from "./-components/UserOverridesSection";
+
+const stateFilterSchema = z.enum([
+  FeatureFlagAudienceState.Enabled,
+  FeatureFlagAudienceState.Disabled,
+  ALL_STATE_FILTER
+]);
+
+const flagKeySearchSchema = z.object({
+  tenantsSearch: z.string().optional(),
+  tenantsPlans: z.array(z.nativeEnum(SubscriptionPlan)).max(10).optional(),
+  tenantsState: stateFilterSchema.optional(),
+  tenantsHasOverride: z.boolean().optional(),
+  tenantsPageOffset: z.number().int().nonnegative().optional(),
+  tenantsOrderBy: z.nativeEnum(SortableFeatureFlagTenantProperties).optional(),
+  tenantsSortOrder: z.nativeEnum(SortOrder).optional(),
+  usersSearch: z.string().optional(),
+  usersRoles: z.array(z.nativeEnum(UserRole)).max(10).optional(),
+  usersState: stateFilterSchema.optional(),
+  usersHasOverride: z.boolean().optional(),
+  usersPageOffset: z.number().int().nonnegative().optional(),
+  usersOrderBy: z.nativeEnum(SortableFeatureFlagUserProperties).optional(),
+  usersSortOrder: z.nativeEnum(SortOrder).optional()
+});
+
+export const Route = createFileRoute("/feature-flags/$flagKey")({
+  staticData: { trackingTitle: "Feature flag detail" },
+  validateSearch: flagKeySearchSchema,
+  component: FeatureFlagDetailPage
+});
+
+export default function FeatureFlagDetailPage() {
+  const { flagKey } = Route.useParams();
+  const {
+    tenantsSearch,
+    tenantsPlans,
+    tenantsState,
+    tenantsHasOverride,
+    tenantsPageOffset,
+    tenantsOrderBy,
+    tenantsSortOrder,
+    usersSearch,
+    usersRoles,
+    usersState,
+    usersHasOverride,
+    usersPageOffset,
+    usersOrderBy,
+    usersSortOrder
+  } = Route.useSearch();
+
+  const [isDeleteDialogOpen, setIsDeleteDialogOpen] = useState(false);
+
+  // Activate/Deactivate and Delete server-side endpoints require AdminPolicyName (admin group
+  // membership), so the matching controls are disabled for non-admin back-office users. UserInfo.role
+  // mirrors the back-office groups claim — null when the principal has no group, set otherwise.
+  const userInfo = useUserInfo();
+  const canActivate = userInfo?.role != null;
+
+  const { data: featureFlagsData, isLoading: isLoadingFeatureFlags } = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags",
+    { params: { query: { IncludeDeleted: true } } }
+  ) as {
+    data: GetFeatureFlagsResponse | undefined;
+    isLoading: boolean;
+  };
+
+  const featureFlag = featureFlagsData?.flags?.find((f) => f.key === flagKey);
+  const isDeleted = featureFlag?.deletedAt != null;
+  const isOrphaned = featureFlag?.orphanedAt != null && !isDeleted;
+
+  const isPlanFeatureFlag = featureFlag?.requiredPlan != null;
+  const isLoading = isLoadingFeatureFlags;
+  const featureFlagName = featureFlag ? getFeatureFlagName(featureFlag.key) : flagKey;
+  const description = featureFlag ? getFeatureFlagDescription(featureFlag.key) || featureFlag.description : "";
+
+  return (
+    <SidebarProvider>
+      <BackOfficeSideMenu />
+      <SidebarInset>
+        <AppLayout
+          variant="center"
+          maxWidth="64rem"
+          browserTitle={featureFlagName}
+          title={<FeatureFlagDetailTitle featureFlag={featureFlag} featureFlagName={featureFlagName} />}
+          subtitle={featureFlag ? description : undefined}
+        >
+          {isLoading ? (
+            <FeatureFlagDetailSkeleton />
+          ) : featureFlag ? (
+            // min-h-0 + flex-1 lets the trailing list section claim the remaining vertical space so
+            // its Empty state renders centred — matches the /users, /accounts, /invoices, and
+            // /billing-events layouts where Empty is a direct child of AppLayout's flex-1 body.
+            <div className="flex min-h-0 flex-1 flex-col gap-8">
+              {isPlanFeatureFlag ? (
+                <PlanFeatureFlagInfoSection featureFlag={featureFlag} />
+              ) : (
+                <FeatureFlagInfoSection
+                  featureFlag={featureFlag}
+                  orphanedAt={featureFlag.deletedAt ?? featureFlag.orphanedAt}
+                  canActivate={canActivate}
+                />
+              )}
+              {isDeleted && (
+                <div className="rounded-lg border border-muted-foreground/30 bg-muted/30 p-4 text-sm text-muted-foreground">
+                  <Trans>
+                    This flag has been deleted. It is retained for historical telemetry. Adding a new feature flag with
+                    the same name will fail deployment.
+                  </Trans>
+                </div>
+              )}
+              {isOrphaned && (
+                <div className="flex items-center justify-between gap-4 rounded-lg border border-destructive/30 bg-destructive/5 p-4">
+                  <span className="text-sm text-destructive">
+                    <Trans>
+                      This flag no longer exists in code. Delete it to remove all account and user overrides.
+                    </Trans>
+                  </span>
+                  <Button
+                    variant="destructive"
+                    className="shrink-0"
+                    onClick={() => setIsDeleteDialogOpen(true)}
+                    disabled={!canActivate}
+                  >
+                    <Trash2Icon className="size-4" aria-hidden={true} />
+                    <Trans>Delete flag and all overrides</Trans>
+                  </Button>
+                </div>
+              )}
+              {!isDeleted && !isOrphaned && featureFlag.scope === "Tenant" && !isPlanFeatureFlag && (
+                <TenantOverridesSection
+                  flagKey={featureFlag.key}
+                  featureFlagDescription={featureFlagName}
+                  showRolloutBucket={featureFlag.isAbTestEligible}
+                  isFeatureFlagActive={featureFlag.isActive}
+                  search={tenantsSearch}
+                  plans={tenantsPlans ?? []}
+                  state={tenantsState}
+                  hasOverride={tenantsHasOverride ?? false}
+                  pageOffset={tenantsPageOffset}
+                  orderBy={tenantsOrderBy}
+                  sortOrder={tenantsSortOrder}
+                />
+              )}
+              {!isDeleted && !isOrphaned && featureFlag.scope === "Tenant" && isPlanFeatureFlag && (
+                <PlanFeatureFlagTenantsSection
+                  flagKey={featureFlag.key}
+                  requiredPlan={featureFlag.requiredPlan}
+                  search={tenantsSearch}
+                  plans={tenantsPlans ?? []}
+                  pageOffset={tenantsPageOffset}
+                />
+              )}
+              {!isDeleted && !isOrphaned && featureFlag.scope === "User" && (
+                <UserOverridesSection
+                  flagKey={featureFlag.key}
+                  featureFlagDescription={featureFlagName}
+                  showRolloutBucket={featureFlag.isAbTestEligible}
+                  isFeatureFlagActive={featureFlag.isActive}
+                  search={usersSearch}
+                  roles={usersRoles ?? []}
+                  state={usersState}
+                  hasOverride={usersHasOverride ?? false}
+                  pageOffset={usersPageOffset}
+                  orderBy={usersOrderBy}
+                  sortOrder={usersSortOrder}
+                />
+              )}
+            </div>
+          ) : null}
+        </AppLayout>
+      </SidebarInset>
+      {featureFlag && isOrphaned && (
+        <DeleteFeatureFlagDialog
+          flagKey={featureFlag.key}
+          flagName={featureFlagName}
+          isOpen={isDeleteDialogOpen}
+          onOpenChange={setIsDeleteDialogOpen}
+        />
+      )}
+    </SidebarProvider>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/DeleteFeatureFlagDialog.tsx b/application/account/BackOffice/routes/feature-flags/-components/DeleteFeatureFlagDialog.tsx
new file mode 100644
index 000000000..fa34906ef
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/DeleteFeatureFlagDialog.tsx
@@ -0,0 +1,83 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogMedia,
+  AlertDialogTitle
+} from "@repo/ui/components/AlertDialog";
+import { useQueryClient } from "@tanstack/react-query";
+import { useNavigate } from "@tanstack/react-router";
+import { Trash2Icon } from "lucide-react";
+import { toast } from "sonner";
+
+import { api } from "@/shared/lib/api/client";
+
+interface DeleteFeatureFlagDialogProps {
+  flagKey: string;
+  flagName: string;
+  isOpen: boolean;
+  onOpenChange: (isOpen: boolean) => void;
+}
+
+export function DeleteFeatureFlagDialog({
+  flagKey,
+  flagName,
+  isOpen,
+  onOpenChange
+}: Readonly<DeleteFeatureFlagDialogProps>) {
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const deleteMutation = api.useMutation("delete", "/api/back-office/feature-flags/{flagKey}", {
+    onSuccess: async () => {
+      toast.success(t`Feature flag deleted: ${flagName}`);
+      await queryClient.invalidateQueries({
+        predicate: (query) =>
+          Array.isArray(query.queryKey) &&
+          query.queryKey[0] === "get" &&
+          query.queryKey[1] === "/api/back-office/feature-flags"
+      });
+      onOpenChange(false);
+      navigate({ to: "/feature-flags" });
+    }
+  });
+
+  const handleDelete = () => {
+    deleteMutation.mutate({ params: { path: { flagKey } } });
+  };
+
+  return (
+    <AlertDialog open={isOpen} onOpenChange={onOpenChange} trackingTitle="Delete feature flag">
+      <AlertDialogContent>
+        <AlertDialogHeader>
+          <AlertDialogMedia className="bg-destructive/10">
+            <Trash2Icon className="text-destructive" />
+          </AlertDialogMedia>
+          <AlertDialogTitle>
+            <Trans>Delete feature flag</Trans>
+          </AlertDialogTitle>
+          <AlertDialogDescription>
+            <Trans>
+              Permanently delete <b>{flagName}</b> ({flagKey}) and all account and user overrides. This cannot be
+              undone.
+            </Trans>
+          </AlertDialogDescription>
+        </AlertDialogHeader>
+        <AlertDialogFooter>
+          <AlertDialogCancel variant="secondary" disabled={deleteMutation.isPending}>
+            <Trans>Cancel</Trans>
+          </AlertDialogCancel>
+          <AlertDialogAction variant="destructive" isPending={deleteMutation.isPending} onClick={handleDelete}>
+            <Trans>Delete flag and all overrides</Trans>
+          </AlertDialogAction>
+        </AlertDialogFooter>
+      </AlertDialogContent>
+    </AlertDialog>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceStats.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceStats.tsx
new file mode 100644
index 000000000..75299a5f6
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceStats.tsx
@@ -0,0 +1,50 @@
+import { api } from "@/shared/lib/api/client";
+
+import type { FeatureFlagScope } from "./types";
+
+import { OverrideStats } from "./OverrideStats";
+
+interface FeatureFlagAudienceStatsProps {
+  flagKey: string;
+  scope: FeatureFlagScope;
+  showOverride: boolean;
+}
+
+// Header-level audience stats. Fetched without filters so the numbers stay stable as users change
+// the toolbar selection below the header — the chips describe "the flag's audience" rather than
+// "the current view".
+export function FeatureFlagAudienceStats({ flagKey, scope, showOverride }: Readonly<FeatureFlagAudienceStatsProps>) {
+  const isTenantScope = scope === "Tenant";
+
+  const tenantStats = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags/{flagKey}/tenants",
+    { params: { path: { flagKey }, query: { PageSize: 1 } } },
+    { enabled: isTenantScope }
+  );
+
+  const userStats = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags/{flagKey}/users",
+    { params: { path: { flagKey }, query: { PageSize: 1 } } },
+    { enabled: !isTenantScope }
+  );
+
+  const data = isTenantScope ? tenantStats.data : userStats.data;
+  // Reserve the chip row height while loading so the page does not grow when the query resolves
+  // (otherwise the user sees the page suddenly extend after a moment and a new scroll range appears).
+  if (data === undefined) return <div className="h-[2.125rem]" aria-hidden={true} />;
+
+  const populationCount = data.enabledCount + data.disabledCount;
+  if (populationCount === 0) return <div className="h-[2.125rem]" aria-hidden={true} />;
+
+  return (
+    <OverrideStats
+      total={populationCount}
+      enabled={data.enabledCount}
+      disabled={data.disabledCount}
+      override={data.overrideCount}
+      showOverride={showOverride}
+    />
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceToolbar.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceToolbar.tsx
new file mode 100644
index 000000000..cfeb356ca
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagAudienceToolbar.tsx
@@ -0,0 +1,138 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { InputGroup, InputGroupAddon, InputGroupButton, InputGroupInput } from "@repo/ui/components/InputGroup";
+import { ToggleGroup, ToggleGroupItem } from "@repo/ui/components/ToggleGroup";
+import { useDebounce } from "@repo/ui/hooks/useDebounce";
+import { SearchIcon, XIcon } from "lucide-react";
+import { useEffect, useState } from "react";
+
+import { FeatureFlagAudienceState } from "@/shared/lib/api/client";
+
+import type { StateFilter } from "./stateFilter";
+
+import { ALL_STATE_FILTER, DEFAULT_STATE_FILTER } from "./stateFilter";
+
+interface FeatureFlagAudienceToolbarProps {
+  search: string | undefined;
+  searchPlaceholder: string;
+  state: StateFilter | undefined;
+  hasOverride: boolean;
+  hideState?: boolean;
+  hideHasOverride?: boolean;
+  onSearchChange: (search: string | undefined) => void;
+  onStateChange: (state: StateFilter | undefined) => void;
+  onHasOverrideChange: (hasOverride: boolean) => void;
+  children?: React.ReactNode;
+}
+
+const HAS_OVERRIDE_VALUE = "true";
+
+// Shared toolbar for tenant- and user-audience feature flag tables. Owns the search input
+// (with 500ms debounce), the State chip group, and the Has-override chip group. Audience-specific
+// chip groups (Plan for tenants, Role for users) are rendered via `children`. Each caller wires its
+// own URL-schema-aware navigation callbacks so this component stays unaware of route param names.
+export function FeatureFlagAudienceToolbar({
+  search,
+  searchPlaceholder,
+  state,
+  hasOverride,
+  hideState,
+  hideHasOverride,
+  onSearchChange,
+  onStateChange,
+  onHasOverrideChange,
+  children
+}: Readonly<FeatureFlagAudienceToolbarProps>) {
+  const [searchInput, setSearchInput] = useState(search ?? "");
+  const debouncedSearch = useDebounce(searchInput, 500);
+
+  useEffect(() => {
+    // `search` and `onSearchChange` are intentionally NOT deps. `search` would fire this effect on
+    // external URL changes (Clear filters) with a stale debouncedSearch and immediately re-push the
+    // old typed value. `onSearchChange` is a fresh inline arrow on every parent render, so keeping
+    // it in deps causes the same regression. The companion sync effect below handles URL → input.
+    // This effect only runs when the user types something new and the debounce settles.
+    if ((debouncedSearch || undefined) === search) return;
+    onSearchChange(debouncedSearch || undefined);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [debouncedSearch]);
+
+  useEffect(() => {
+    setSearchInput(search ?? "");
+  }, [search]);
+
+  const handleStateChange = (values: string[]) => {
+    // Single-select with multi-select "last item wins" — keep the most recently clicked chip pressed.
+    // Clicking the already-pressed chip would otherwise deselect to []; default back to Enabled so one chip is always on.
+    const next = (values[values.length - 1] as StateFilter | undefined) ?? DEFAULT_STATE_FILTER;
+    onStateChange(next === DEFAULT_STATE_FILTER ? undefined : next);
+  };
+
+  const handleHasOverrideChange = (values: string[]) => {
+    onHasOverrideChange(values.length > 0);
+  };
+
+  return (
+    <div className="mb-4 flex flex-wrap items-center gap-3">
+      <div className="max-w-[20rem] min-w-[14rem] flex-1">
+        <InputGroup>
+          <InputGroupAddon>
+            <SearchIcon />
+          </InputGroupAddon>
+          <InputGroupInput
+            type="text"
+            role="searchbox"
+            aria-label={t`Search`}
+            placeholder={searchPlaceholder}
+            value={searchInput}
+            onChange={(event) => setSearchInput(event.target.value)}
+            onKeyDown={(event) => event.key === "Escape" && searchInput && setSearchInput("")}
+          />
+          {searchInput && (
+            <InputGroupAddon align="inline-end">
+              <InputGroupButton onClick={() => setSearchInput("")} size="icon-xs" aria-label={t`Clear search`}>
+                <XIcon />
+              </InputGroupButton>
+            </InputGroupAddon>
+          )}
+        </InputGroup>
+      </div>
+
+      {!hideState && (
+        <ToggleGroup
+          variant="outline"
+          aria-label={t`State`}
+          multiple={true}
+          value={[state ?? DEFAULT_STATE_FILTER]}
+          onValueChange={handleStateChange}
+        >
+          <ToggleGroupItem value={ALL_STATE_FILTER} className="min-w-[5rem] justify-center">
+            <Trans>All</Trans>
+          </ToggleGroupItem>
+          <ToggleGroupItem value={FeatureFlagAudienceState.Enabled} className="min-w-[5rem] justify-center">
+            <Trans>Enabled</Trans>
+          </ToggleGroupItem>
+          <ToggleGroupItem value={FeatureFlagAudienceState.Disabled} className="min-w-[5rem] justify-center">
+            <Trans>Disabled</Trans>
+          </ToggleGroupItem>
+        </ToggleGroup>
+      )}
+
+      {!hideHasOverride && (
+        <ToggleGroup
+          variant="outline"
+          aria-label={t`Override`}
+          multiple={true}
+          value={hasOverride ? [HAS_OVERRIDE_VALUE] : []}
+          onValueChange={handleHasOverrideChange}
+        >
+          <ToggleGroupItem value={HAS_OVERRIDE_VALUE} className="min-w-[5rem] justify-center">
+            <Trans>Has override</Trans>
+          </ToggleGroupItem>
+        </ToggleGroup>
+      )}
+
+      {children}
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailSkeleton.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailSkeleton.tsx
new file mode 100644
index 000000000..b36137096
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailSkeleton.tsx
@@ -0,0 +1,15 @@
+import { Skeleton } from "@repo/ui/components/Skeleton";
+
+export function FeatureFlagDetailSkeleton() {
+  return (
+    <div className="flex flex-col gap-8">
+      <Skeleton className="h-20 w-full rounded-lg" />
+      <div className="flex flex-col gap-4">
+        <Skeleton className="h-6 w-40" />
+        <Skeleton className="h-10 w-full rounded-md" />
+        <Skeleton className="h-14 w-full rounded-md" />
+        <Skeleton className="h-14 w-full rounded-md" />
+      </div>
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailTitle.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailTitle.tsx
new file mode 100644
index 000000000..ebfa92d21
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagDetailTitle.tsx
@@ -0,0 +1,30 @@
+import { t } from "@lingui/core/macro";
+import { Link } from "@tanstack/react-router";
+import { ArrowLeftIcon } from "lucide-react";
+
+import type { FeatureFlagInfo } from "./types";
+
+import { ScopeIcon } from "./ScopeIcon";
+
+interface FeatureFlagDetailTitleProps {
+  featureFlag: FeatureFlagInfo | undefined;
+  featureFlagName: string;
+}
+
+export function FeatureFlagDetailTitle({ featureFlag, featureFlagName }: Readonly<FeatureFlagDetailTitleProps>) {
+  return (
+    <div className="flex flex-wrap items-center gap-3">
+      <Link to="/feature-flags" className="text-muted-foreground hover:text-foreground">
+        <ArrowLeftIcon className="size-5" aria-label={t`Back to feature flags`} />
+      </Link>
+      {featureFlag && (
+        <ScopeIcon
+          scope={featureFlag.scope}
+          isAbTestEligible={featureFlag.isAbTestEligible}
+          className="size-6 stroke-[2.5] text-foreground"
+        />
+      )}
+      <span>{featureFlagName}</span>
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagInfoSection.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagInfoSection.tsx
new file mode 100644
index 000000000..92d673156
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagInfoSection.tsx
@@ -0,0 +1,181 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { NumberField } from "@repo/ui/components/NumberField";
+import { SwitchField } from "@repo/ui/components/SwitchField";
+import { Tooltip, TooltipContent, TooltipTrigger } from "@repo/ui/components/Tooltip";
+import { InfoIcon } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+
+import { api } from "@/shared/lib/api/client";
+
+import type { FeatureFlagInfo } from "./types";
+
+import { FeatureFlagAudienceStats } from "./FeatureFlagAudienceStats";
+import { formatRolloutBucketRange } from "./rolloutBucket";
+
+interface FeatureFlagInfoSectionProps {
+  featureFlag: FeatureFlagInfo;
+  orphanedAt: string | null;
+  // True when the signed-in back-office user belongs to the admin group claim. Activate/Deactivate
+  // and Delete are gated by AdminPolicyName server-side, so the Switch and Delete button are
+  // disabled (not hidden) for non-admin back-office users to avoid silent 403s. Rollout %, overrides,
+  // and read operations work for any authenticated back-office identity and stay interactive.
+  canActivate: boolean;
+}
+
+export function FeatureFlagInfoSection({
+  featureFlag,
+  orphanedAt,
+  canActivate
+}: Readonly<FeatureFlagInfoSectionProps>) {
+  const activateMutation = api.useMutation("put", "/api/back-office/feature-flags/{flagKey}/activate");
+  const deactivateMutation = api.useMutation("put", "/api/back-office/feature-flags/{flagKey}/deactivate");
+  const isPending = activateMutation.isPending || deactivateMutation.isPending;
+
+  const handleToggle = (checked: boolean) => {
+    const mutation = checked ? activateMutation : deactivateMutation;
+    mutation.mutate(
+      { params: { path: { flagKey: featureFlag.key } } },
+      {
+        onSuccess: () => {
+          toast.success(checked ? t`Feature flag activated` : t`Feature flag deactivated`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          });
+        }
+      }
+    );
+  };
+
+  const rolloutMutation = api.useMutation("put", "/api/back-office/feature-flags/{flagKey}/rollout-percentage");
+  const [rolloutPercentage, setRolloutPercentage] = useState<number>(featureFlag.rolloutPercentage ?? 0);
+  const commitRolloutPercentage = (value: number) => {
+    setRolloutPercentage(value);
+    if (value === (featureFlag.rolloutPercentage ?? 0)) return;
+    rolloutMutation.mutate(
+      { params: { path: { flagKey: featureFlag.key } }, body: { rolloutPercentage: value } },
+      {
+        onSuccess: () =>
+          toast.success(t`Rollout percentage updated`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          })
+      }
+    );
+  };
+
+  // The Activate/Deactivate endpoints reject any flag whose definition doesn't carry
+  // isKillSwitchEnabled: true (Activate/DeactivateFeatureFlagValidator). Hide the toggle for those
+  // flags so the UI never exposes a button guaranteed to 400 — non-kill-switch flags get the
+  // read-only Badge branch below instead.
+  const showToggle = orphanedAt === null && !featureFlag.isStableModule && featureFlag.isKillSwitchEnabled;
+  const isFlagAudienceVisible = orphanedAt === null && featureFlag.scope !== "System";
+
+  return (
+    <div className="flex flex-col gap-4">
+      <div className="flex items-start justify-between gap-4">
+        <FeatureFlagMetadata featureFlag={featureFlag} />
+        <div className="flex shrink-0 items-end gap-6">
+          {showToggle && featureFlag.isAbTestEligible && (
+            <NumberField
+              label={t`Rollout %`}
+              tooltip={t`Percentage of accounts or users included in the A/B rollout. Buckets are assigned consistently per account or user.`}
+              name="rolloutPercentage"
+              value={rolloutPercentage}
+              minValue={0}
+              maxValue={100}
+              onChange={(value) => commitRolloutPercentage(value ?? 0)}
+              className="w-[7rem]"
+            />
+          )}
+          {showToggle ? (
+            <SwitchField
+              label={featureFlag.isActive ? t`Active` : t`Inactive`}
+              tooltip={t`Toggle whether this feature flag is currently active. When inactive, accounts and users receive the disabled state regardless of overrides.`}
+              checked={featureFlag.isActive}
+              onCheckedChange={handleToggle}
+              disabled={isPending || !canActivate}
+              aria-label={t`Toggle activation`}
+            />
+          ) : orphanedAt === null ? (
+            <Badge variant={featureFlag.isActive ? "default" : "outline"} className="shrink-0">
+              {featureFlag.isStableModule ? t`Always on` : featureFlag.isActive ? t`Active` : t`Inactive`}
+            </Badge>
+          ) : null}
+        </div>
+      </div>
+      {isFlagAudienceVisible && (
+        <FeatureFlagAudienceStats
+          flagKey={featureFlag.key}
+          scope={featureFlag.scope}
+          showOverride={featureFlag.isAbTestEligible}
+        />
+      )}
+      {featureFlag.isStableModule && orphanedAt === null && (
+        <p className="text-sm text-muted-foreground">
+          <Trans>This is a stable module. It is always on and cannot be deactivated.</Trans>
+        </p>
+      )}
+    </div>
+  );
+}
+
+function FeatureFlagMetadata({ featureFlag }: Readonly<{ featureFlag: FeatureFlagInfo }>) {
+  const enabledLine =
+    featureFlag.enabledAt && featureFlag.disabledAt
+      ? t`Enabled period: ${formatTimestamp(featureFlag.enabledAt)} - ${formatTimestamp(featureFlag.disabledAt)}`
+      : featureFlag.enabledAt
+        ? t`Enabled: ${formatTimestamp(featureFlag.enabledAt)}`
+        : null;
+
+  const deletedLine = featureFlag.deletedAt ? t`Deleted: ${formatTimestamp(featureFlag.deletedAt)}` : null;
+
+  const rolloutBucketLine =
+    featureFlag.isAbTestEligible &&
+    featureFlag.rolloutBucketStart != null &&
+    featureFlag.rolloutBucketEnd != null &&
+    featureFlag.rolloutPercentage != null
+      ? formatRolloutBucketRange(
+          featureFlag.rolloutBucketStart,
+          featureFlag.rolloutBucketEnd,
+          featureFlag.rolloutPercentage
+        )
+      : null;
+
+  return (
+    <div className="flex flex-col gap-0.5 text-sm text-muted-foreground">
+      <span>
+        <Trans>Name:</Trans> <span className="font-mono">{featureFlag.key}</span>
+      </span>
+      {enabledLine && <span>{enabledLine}</span>}
+      {deletedLine && <span>{deletedLine}</span>}
+      {rolloutBucketLine && (
+        <span className="flex items-center gap-1">
+          {rolloutBucketLine}
+          <Tooltip>
+            <TooltipTrigger>
+              <InfoIcon className="size-3.5" aria-label={t`Rollout bucket information`} />
+            </TooltipTrigger>
+            <TooltipContent className="max-w-[20rem]">
+              <Trans>
+                Each account or user is assigned a fixed bucket (0-99) based on their sequence number. The rollout
+                targets a specific range of buckets, ensuring consistent and predictable feature rollout.
+              </Trans>
+            </TooltipContent>
+          </Tooltip>
+        </span>
+      )}
+    </div>
+  );
+}
+
+function formatTimestamp(isoDate: string): string {
+  const date = new Date(isoDate);
+  return new Intl.DateTimeFormat(navigator.language, {
+    year: "numeric",
+    month: "long",
+    day: "numeric",
+    hour: "numeric",
+    minute: "2-digit"
+  }).format(date);
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagStatusBadge.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagStatusBadge.tsx
new file mode 100644
index 000000000..72572eff8
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagStatusBadge.tsx
@@ -0,0 +1,33 @@
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+
+import type { FeatureFlagInfo } from "./types";
+
+export function FeatureFlagStatusBadge({ featureFlag }: Readonly<{ featureFlag: FeatureFlagInfo }>) {
+  if (featureFlag.deletedAt) {
+    return (
+      <Badge variant="destructive">
+        <Trans>Deleted</Trans>
+      </Badge>
+    );
+  }
+  if (featureFlag.orphanedAt) {
+    return (
+      <Badge variant="destructive">
+        <Trans>Removed</Trans>
+      </Badge>
+    );
+  }
+  if (featureFlag.isStableModule) {
+    return (
+      <Badge variant="default">
+        <Trans>Always on</Trans>
+      </Badge>
+    );
+  }
+  return (
+    <Badge variant={featureFlag.isActive ? "default" : "outline"}>
+      {featureFlag.isActive ? <Trans>Active</Trans> : <Trans>Inactive</Trans>}
+    </Badge>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsEmpty.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsEmpty.tsx
new file mode 100644
index 000000000..9af1d7869
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsEmpty.tsx
@@ -0,0 +1,52 @@
+import { Trans } from "@lingui/react/macro";
+import { Button } from "@repo/ui/components/Button";
+import { Empty, EmptyContent, EmptyDescription, EmptyHeader, EmptyMedia, EmptyTitle } from "@repo/ui/components/Empty";
+import { useNavigate } from "@tanstack/react-router";
+import { Building2Icon } from "lucide-react";
+
+// Shared empty state for the tenant-audience tables on /feature-flags/{flagKey}. Both the Plan
+// section and the regular Tenant overrides section render this — the wording is identical, only
+// the "no entities yet" / "no entities match" branch differs by filter state.
+export function FeatureFlagTenantsEmpty({ flagKey, hasFilters }: Readonly<{ flagKey: string; hasFilters: boolean }>) {
+  const navigate = useNavigate();
+  return (
+    <Empty>
+      <EmptyHeader>
+        <EmptyMedia variant="icon">
+          <Building2Icon />
+        </EmptyMedia>
+        <EmptyTitle>
+          {hasFilters ? (
+            <Trans>No accounts match your filters</Trans>
+          ) : (
+            <Trans>No accounts qualify for this feature yet</Trans>
+          )}
+        </EmptyTitle>
+        <EmptyDescription>
+          {hasFilters ? (
+            <Trans>Try clearing the search or filters to see more results.</Trans>
+          ) : (
+            <Trans>Accounts will appear here as they qualify for this feature.</Trans>
+          )}
+        </EmptyDescription>
+      </EmptyHeader>
+      {hasFilters && (
+        <EmptyContent>
+          <Button
+            variant="outline"
+            size="sm"
+            onClick={() =>
+              navigate({
+                to: "/feature-flags/$flagKey",
+                params: { flagKey },
+                search: () => ({})
+              })
+            }
+          >
+            <Trans>Clear filters</Trans>
+          </Button>
+        </EmptyContent>
+      )}
+    </Empty>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsToolbar.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsToolbar.tsx
new file mode 100644
index 000000000..fdc96e781
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagTenantsToolbar.tsx
@@ -0,0 +1,95 @@
+import { t } from "@lingui/core/macro";
+import { ToggleGroup, ToggleGroupItem } from "@repo/ui/components/ToggleGroup";
+import { useNavigate } from "@tanstack/react-router";
+
+import { SubscriptionPlan } from "@/shared/lib/api/client";
+import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
+
+import type { StateFilter } from "./stateFilter";
+
+import { FeatureFlagAudienceToolbar } from "./FeatureFlagAudienceToolbar";
+
+interface FeatureFlagTenantsToolbarProps {
+  flagKey: string;
+  search: string | undefined;
+  plans: SubscriptionPlan[];
+  state: StateFilter | undefined;
+  hasOverride: boolean;
+  hideHasOverride?: boolean;
+  hideState?: boolean;
+}
+
+export function FeatureFlagTenantsToolbar({
+  flagKey,
+  search,
+  plans,
+  state,
+  hasOverride,
+  hideHasOverride,
+  hideState
+}: Readonly<FeatureFlagTenantsToolbarProps>) {
+  const navigate = useNavigate();
+
+  const handlePlansChange = (values: string[]) => {
+    const next = values as SubscriptionPlan[];
+    navigate({
+      to: "/feature-flags/$flagKey",
+      params: { flagKey },
+      search: (previous) => ({
+        ...previous,
+        tenantsPlans: next.length === 0 ? undefined : next,
+        tenantsPageOffset: undefined
+      })
+    });
+  };
+
+  return (
+    <FeatureFlagAudienceToolbar
+      search={search}
+      searchPlaceholder={t`Search by account name or owner email`}
+      state={state}
+      hasOverride={hasOverride}
+      hideHasOverride={hideHasOverride}
+      hideState={hideState}
+      onSearchChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({ ...previous, tenantsSearch: next, tenantsPageOffset: undefined })
+        })
+      }
+      onStateChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({ ...previous, tenantsState: next, tenantsPageOffset: undefined })
+        })
+      }
+      onHasOverrideChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({
+            ...previous,
+            tenantsHasOverride: next ? true : undefined,
+            tenantsPageOffset: undefined
+          })
+        })
+      }
+    >
+      <ToggleGroup
+        variant="outline"
+        aria-label={t`Plan`}
+        multiple={true}
+        value={plans}
+        onValueChange={handlePlansChange}
+      >
+        {[SubscriptionPlan.Premium, SubscriptionPlan.Standard, SubscriptionPlan.Basis].map((value) => (
+          <ToggleGroupItem key={value} value={value} className="min-w-[5rem] justify-center">
+            {getSubscriptionPlanLabel(value)}
+          </ToggleGroupItem>
+        ))}
+      </ToggleGroup>
+    </FeatureFlagAudienceToolbar>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersEmpty.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersEmpty.tsx
new file mode 100644
index 000000000..e1d6ee67c
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersEmpty.tsx
@@ -0,0 +1,49 @@
+import { Trans } from "@lingui/react/macro";
+import { Button } from "@repo/ui/components/Button";
+import { Empty, EmptyContent, EmptyDescription, EmptyHeader, EmptyMedia, EmptyTitle } from "@repo/ui/components/Empty";
+import { useNavigate } from "@tanstack/react-router";
+import { UsersIcon } from "lucide-react";
+
+export function FeatureFlagUsersEmpty({ flagKey, hasFilters }: Readonly<{ flagKey: string; hasFilters: boolean }>) {
+  const navigate = useNavigate();
+  return (
+    <Empty>
+      <EmptyHeader>
+        <EmptyMedia variant="icon">
+          <UsersIcon />
+        </EmptyMedia>
+        <EmptyTitle>
+          {hasFilters ? (
+            <Trans>No users match your search</Trans>
+          ) : (
+            <Trans>No users qualify for this feature yet</Trans>
+          )}
+        </EmptyTitle>
+        <EmptyDescription>
+          {hasFilters ? (
+            <Trans>Try clearing the search or filters to see more results.</Trans>
+          ) : (
+            <Trans>Users will appear here as they qualify for this feature.</Trans>
+          )}
+        </EmptyDescription>
+      </EmptyHeader>
+      {hasFilters && (
+        <EmptyContent>
+          <Button
+            variant="outline"
+            size="sm"
+            onClick={() =>
+              navigate({
+                to: "/feature-flags/$flagKey",
+                params: { flagKey },
+                search: () => ({})
+              })
+            }
+          >
+            <Trans>Clear filters</Trans>
+          </Button>
+        </EmptyContent>
+      )}
+    </Empty>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersToolbar.tsx b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersToolbar.tsx
new file mode 100644
index 000000000..e61111280
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/FeatureFlagUsersToolbar.tsx
@@ -0,0 +1,95 @@
+import { t } from "@lingui/core/macro";
+import { ToggleGroup, ToggleGroupItem } from "@repo/ui/components/ToggleGroup";
+import { useNavigate } from "@tanstack/react-router";
+
+import { UserRole } from "@/shared/lib/api/client";
+import { getUserRoleLabel } from "@/shared/lib/api/labels";
+
+import type { StateFilter } from "./stateFilter";
+
+import { FeatureFlagAudienceToolbar } from "./FeatureFlagAudienceToolbar";
+
+interface FeatureFlagUsersToolbarProps {
+  flagKey: string;
+  search: string | undefined;
+  roles: UserRole[];
+  state: StateFilter | undefined;
+  hasOverride: boolean;
+  hideHasOverride?: boolean;
+  hideState?: boolean;
+}
+
+export function FeatureFlagUsersToolbar({
+  flagKey,
+  search,
+  roles,
+  state,
+  hasOverride,
+  hideHasOverride,
+  hideState
+}: Readonly<FeatureFlagUsersToolbarProps>) {
+  const navigate = useNavigate();
+
+  const handleRolesChange = (values: string[]) => {
+    const next = values as UserRole[];
+    navigate({
+      to: "/feature-flags/$flagKey",
+      params: { flagKey },
+      search: (previous) => ({
+        ...previous,
+        usersRoles: next.length === 0 ? undefined : next,
+        usersPageOffset: undefined
+      })
+    });
+  };
+
+  return (
+    <FeatureFlagAudienceToolbar
+      search={search}
+      searchPlaceholder={t`Search by name or email`}
+      state={state}
+      hasOverride={hasOverride}
+      hideHasOverride={hideHasOverride}
+      hideState={hideState}
+      onSearchChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({ ...previous, usersSearch: next, usersPageOffset: undefined })
+        })
+      }
+      onStateChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({ ...previous, usersState: next, usersPageOffset: undefined })
+        })
+      }
+      onHasOverrideChange={(next) =>
+        navigate({
+          to: "/feature-flags/$flagKey",
+          params: { flagKey },
+          search: (previous) => ({
+            ...previous,
+            usersHasOverride: next ? true : undefined,
+            usersPageOffset: undefined
+          })
+        })
+      }
+    >
+      <ToggleGroup
+        variant="outline"
+        aria-label={t`Role`}
+        multiple={true}
+        value={roles}
+        onValueChange={handleRolesChange}
+      >
+        {[UserRole.Owner, UserRole.Admin, UserRole.Member].map((value) => (
+          <ToggleGroupItem key={value} value={value} className="min-w-[5rem] justify-center">
+            {getUserRoleLabel(value)}
+          </ToggleGroupItem>
+        ))}
+      </ToggleGroup>
+    </FeatureFlagAudienceToolbar>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/OverrideStats.tsx b/application/account/BackOffice/routes/feature-flags/-components/OverrideStats.tsx
new file mode 100644
index 000000000..28b612405
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/OverrideStats.tsx
@@ -0,0 +1,66 @@
+import { Trans } from "@lingui/react/macro";
+import { CircleCheckIcon, CircleSlashIcon, PenLineIcon, UsersIcon } from "lucide-react";
+
+interface OverrideStatsProps {
+  total: number;
+  enabled: number;
+  disabled: number;
+  override: number;
+  showOverride: boolean;
+}
+
+// Compact summary chips shown above the table. Counts come from the response and reflect the
+// population after search/plans/roles filtering but before state/has-override filtering — so the
+// numbers describe the addressable audience for the flag rather than the current view.
+export function OverrideStats({ total, enabled, disabled, override, showOverride }: Readonly<OverrideStatsProps>) {
+  return (
+    <div className="flex flex-wrap items-center gap-2 text-sm">
+      <StatChip
+        icon={<UsersIcon className="size-3.5" aria-hidden={true} />}
+        value={total}
+        label={<Trans>Total</Trans>}
+        className="border-border text-muted-foreground"
+      />
+      <StatChip
+        icon={<CircleCheckIcon className="size-3.5" aria-hidden={true} />}
+        value={enabled}
+        label={<Trans>Enabled</Trans>}
+        className="border-success/30 text-success"
+      />
+      <StatChip
+        icon={<CircleSlashIcon className="size-3.5" aria-hidden={true} />}
+        value={disabled}
+        label={<Trans>Disabled</Trans>}
+        className="border-muted-foreground/30 text-muted-foreground"
+      />
+      {showOverride && (
+        <StatChip
+          icon={<PenLineIcon className="size-3.5" aria-hidden={true} />}
+          value={override}
+          label={<Trans>With override</Trans>}
+          className="border-warning/30 text-warning"
+        />
+      )}
+    </div>
+  );
+}
+
+function StatChip({
+  icon,
+  value,
+  label,
+  className
+}: Readonly<{
+  icon: React.ReactNode;
+  value: number;
+  label: React.ReactNode;
+  className: string;
+}>) {
+  return (
+    <span className={`inline-flex items-center gap-1.5 rounded-md border px-2 py-1 ${className}`}>
+      {icon}
+      <span className="font-medium tabular-nums">{value}</span>
+      <span>{label}</span>
+    </span>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/OverrideSwitch.tsx b/application/account/BackOffice/routes/feature-flags/-components/OverrideSwitch.tsx
new file mode 100644
index 000000000..b758aa6b3
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/OverrideSwitch.tsx
@@ -0,0 +1,55 @@
+import { Trans } from "@lingui/react/macro";
+import { Switch } from "@repo/ui/components/Switch";
+import { Tooltip, TooltipContent, TooltipTrigger } from "@repo/ui/components/Tooltip";
+
+interface OverrideSwitchProps {
+  isManualOverride: boolean;
+  checked: boolean;
+  onCheckedChange: (checked: boolean) => void;
+  disabled: boolean;
+  dimmed: boolean;
+  ariaLabel: string;
+}
+
+// Shared switch for feature-flag override toggling. Renders a warning-colored switch wrapped in a tooltip
+// when the row currently has a manual override (signals "this row deviates from the default and a third
+// click will clear the override"); otherwise renders the plain switch.
+export function OverrideSwitch({
+  isManualOverride,
+  checked,
+  onCheckedChange,
+  disabled,
+  dimmed,
+  ariaLabel
+}: Readonly<OverrideSwitchProps>) {
+  const dimClass = dimmed ? "opacity-50" : "";
+  if (!isManualOverride) {
+    return (
+      <Switch
+        checked={checked}
+        onCheckedChange={onCheckedChange}
+        disabled={disabled}
+        className={dimClass}
+        aria-label={ariaLabel}
+      />
+    );
+  }
+  return (
+    <Tooltip>
+      <TooltipTrigger
+        render={
+          <Switch
+            checked={checked}
+            onCheckedChange={onCheckedChange}
+            disabled={disabled}
+            className={`data-checked:bg-warning data-unchecked:bg-warning dark:data-unchecked:bg-warning ${dimClass}`}
+            aria-label={ariaLabel}
+          />
+        }
+      />
+      <TooltipContent>
+        <Trans>Manual override active. Click again to flip, three times to clear.</Trans>
+      </TooltipContent>
+    </Tooltip>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagSections.tsx b/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagSections.tsx
new file mode 100644
index 000000000..54e4b94cb
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagSections.tsx
@@ -0,0 +1,179 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { TablePagination } from "@repo/ui/components/TablePagination";
+import { keepPreviousData } from "@tanstack/react-query";
+import { useNavigate } from "@tanstack/react-router";
+import { useCallback } from "react";
+
+import { api, SubscriptionPlan } from "@/shared/lib/api/client";
+import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
+import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
+
+import type { FeatureFlagInfo } from "./types";
+
+import { FeatureFlagTenantsEmpty } from "./FeatureFlagTenantsEmpty";
+import { FeatureFlagTenantsToolbar } from "./FeatureFlagTenantsToolbar";
+import { PlanFeatureFlagTenantTable } from "./PlanFeatureFlagTenantTable";
+
+// Ordered low → high tier. A plan-gated feature is enabled for accounts on the required plan or any
+// higher plan, so the default selection on entry is everything from the required plan upward.
+const PLAN_ORDER = [SubscriptionPlan.Basis, SubscriptionPlan.Standard, SubscriptionPlan.Premium] as const;
+
+function plansAtOrAboveRequired(requiredPlan: string | null): SubscriptionPlan[] {
+  if (!requiredPlan) return [];
+  const idx = PLAN_ORDER.indexOf(requiredPlan as SubscriptionPlan);
+  if (idx < 0) return [];
+  return PLAN_ORDER.slice(idx);
+}
+
+export function PlanFeatureFlagInfoSection({ featureFlag }: Readonly<{ featureFlag: FeatureFlagInfo }>) {
+  return (
+    <div className="flex flex-col gap-4">
+      <div className="flex flex-col gap-4 lg:flex-row lg:items-center lg:justify-between">
+        <div className="flex flex-col gap-0.5 text-sm text-muted-foreground">
+          <span>
+            <Trans>Name:</Trans> <span className="font-mono">{featureFlag.key}</span>
+          </span>
+          <span>
+            <Trans>Required plan:</Trans>{" "}
+            {featureFlag.requiredPlan !== null && (
+              <Badge className={getSubscriptionPlanBadgeClass(featureFlag.requiredPlan as SubscriptionPlan)}>
+                {getSubscriptionPlanLabel(featureFlag.requiredPlan as SubscriptionPlan)}
+              </Badge>
+            )}
+          </span>
+        </div>
+        <Badge variant={featureFlag.isActive ? "default" : "outline"}>
+          {featureFlag.isActive ? t`Active` : t`Inactive`}
+        </Badge>
+      </div>
+      <p className="text-sm text-muted-foreground">
+        <Trans>
+          This flag is managed by the subscription plan. It is automatically enabled for accounts on the required plan
+          or higher.
+        </Trans>
+      </p>
+    </div>
+  );
+}
+
+interface PlanFeatureFlagTenantsSectionProps {
+  flagKey: string;
+  requiredPlan: string | null;
+  search: string | undefined;
+  plans: SubscriptionPlan[];
+  pageOffset: number | undefined;
+}
+
+export function PlanFeatureFlagTenantsSection({
+  flagKey,
+  requiredPlan,
+  search,
+  plans,
+  pageOffset
+}: Readonly<PlanFeatureFlagTenantsSectionProps>) {
+  const navigate = useNavigate();
+
+  // On entry (no plans param in URL) pre-select the plans the flag is active for — for plan-gated
+  // flags those are the only accounts where the feature is relevant. If the user explicitly clears
+  // every chip the toolbar drops the URL param, which we treat as "back to the default selection";
+  // they always have to pass through "everything selected" or another chip combination to see other
+  // accounts.
+  const effectivePlans = plans.length === 0 ? plansAtOrAboveRequired(requiredPlan) : plans;
+
+  const { data, isLoading } = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags/{flagKey}/tenants",
+    {
+      params: {
+        path: { flagKey },
+        query: {
+          Search: search,
+          Plans: effectivePlans.length === 0 ? undefined : effectivePlans,
+          PageOffset: pageOffset
+        }
+      }
+    },
+    { placeholderData: keepPreviousData }
+  );
+
+  const tenants = data?.tenants ?? [];
+  const totalPages = data?.totalPages ?? 0;
+  const currentPage = (data?.currentPageOffset ?? 0) + 1;
+  const hasFilters = Boolean(search) || plans.length > 0;
+
+  const handlePageChange = useCallback(
+    (page: number) => {
+      navigate({
+        to: "/feature-flags/$flagKey",
+        params: { flagKey },
+        search: (previous) => ({
+          ...previous,
+          tenantsPageOffset: page === 1 ? undefined : page - 1
+        })
+      });
+    },
+    [navigate, flagKey]
+  );
+
+  return (
+    <div className="flex min-h-0 flex-1 flex-col gap-4">
+      <div>
+        <h3>
+          <Trans>Account status</Trans>
+        </h3>
+        <p className="text-sm text-muted-foreground">
+          <Trans>
+            Accounts are automatically enabled or disabled based on their subscription plan. No manual overrides are
+            available for plan-managed flags.
+          </Trans>
+        </p>
+      </div>
+      <FeatureFlagTenantsToolbar
+        flagKey={flagKey}
+        search={search}
+        plans={effectivePlans}
+        state={undefined}
+        hasOverride={false}
+        hideHasOverride={true}
+        hideState={true}
+      />
+      {isLoading && tenants.length === 0 ? (
+        <PlanFeatureFlagTenantsSkeleton />
+      ) : tenants.length === 0 ? (
+        <FeatureFlagTenantsEmpty flagKey={flagKey} hasFilters={hasFilters} />
+      ) : (
+        <>
+          <div className="flex-1 overflow-visible sm:min-h-48 sm:overflow-auto">
+            <PlanFeatureFlagTenantTable ariaLabel={t`Accounts`} tenants={tenants} />
+          </div>
+          {totalPages > 1 && (
+            <div className="shrink-0 pt-4">
+              <TablePagination
+                currentPage={currentPage}
+                totalPages={totalPages}
+                onPageChange={handlePageChange}
+                previousLabel={t`Previous`}
+                nextLabel={t`Next`}
+                trackingTitle="Plan feature flag tenants"
+                className="w-full"
+              />
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  );
+}
+
+function PlanFeatureFlagTenantsSkeleton() {
+  return (
+    <div className="flex flex-col gap-2">
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagTenantTable.tsx b/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagTenantTable.tsx
new file mode 100644
index 000000000..fcd829871
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/PlanFeatureFlagTenantTable.tsx
@@ -0,0 +1,105 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@repo/ui/components/Table";
+import { TenantLogo } from "@repo/ui/components/TenantLogo";
+import { useFormatDate } from "@repo/ui/hooks/useSmartDate";
+import { useNavigate } from "@tanstack/react-router";
+
+import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
+import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
+
+import type { FeatureFlagTenantInfo } from "./types";
+
+import { MrrCell } from "../../accounts/-components/MrrCell";
+import { TenantStatusBadge } from "../../accounts/-components/TenantStatusBadge";
+import { getUserDisplayName } from "../../users/-components/userDisplay";
+
+export function PlanFeatureFlagTenantTable({
+  ariaLabel,
+  tenants
+}: Readonly<{ ariaLabel: string; tenants: FeatureFlagTenantInfo[] }>) {
+  return (
+    <Table rowSize="compact" aria-label={ariaLabel} className="w-full table-fixed" containerClassName="overflow-x-clip">
+      <TableHeader>
+        <TableRow>
+          <TableHead>
+            <Trans>Account</Trans>
+          </TableHead>
+          <TableHead className="hidden w-[6rem] md:table-cell">
+            <Trans>Plan</Trans>
+          </TableHead>
+          <TableHead className="hidden w-[6rem] lg:table-cell">
+            <Trans>MRR</Trans>
+          </TableHead>
+          <TableHead className="hidden w-[7rem] lg:table-cell">
+            <Trans>Renewal</Trans>
+          </TableHead>
+          <TableHead className="hidden w-[6rem] md:table-cell">
+            <Trans>Status</Trans>
+          </TableHead>
+          <TableHead className="w-[6rem] text-right">
+            <Trans>State</Trans>
+          </TableHead>
+        </TableRow>
+      </TableHeader>
+      <TableBody>
+        {tenants.map((tenant) => (
+          <PlanFeatureFlagTenantRow key={tenant.id} tenant={tenant} />
+        ))}
+      </TableBody>
+    </Table>
+  );
+}
+
+function PlanFeatureFlagTenantRow({ tenant }: Readonly<{ tenant: FeatureFlagTenantInfo }>) {
+  const formatDate = useFormatDate();
+  const navigate = useNavigate();
+  const ownerLabel = tenant.owner
+    ? getUserDisplayName(tenant.owner.firstName, tenant.owner.lastName, tenant.owner.email)
+    : null;
+
+  return (
+    <TableRow
+      rowKey={tenant.id}
+      className="cursor-pointer"
+      onClick={() =>
+        navigate({ to: "/accounts/$tenantId", params: { tenantId: tenant.id }, search: { tab: "feature-flags" } })
+      }
+    >
+      <TableCell>
+        <div className="flex min-w-0 items-center gap-3">
+          <TenantLogo logoUrl={tenant.logoUrl} tenantName={tenant.name} size="md" className="size-9 shrink-0" />
+          <div className="flex min-w-0 flex-col gap-0.5">
+            <span className="truncate font-medium text-foreground">{tenant.name}</span>
+            {ownerLabel && <span className="truncate text-xs text-muted-foreground">{ownerLabel}</span>}
+          </div>
+        </div>
+      </TableCell>
+      <TableCell className="hidden md:table-cell">
+        <Badge className={getSubscriptionPlanBadgeClass(tenant.plan)}>{getSubscriptionPlanLabel(tenant.plan)}</Badge>
+      </TableCell>
+      <TableCell className="hidden tabular-nums lg:table-cell">
+        <MrrCell
+          monthlyRecurringRevenue={tenant.monthlyRecurringRevenue}
+          scheduledPriceAmount={tenant.scheduledPriceAmount}
+          currency={tenant.currency}
+          plannedChange={tenant.plannedChange}
+        />
+      </TableCell>
+      <TableCell className="hidden lg:table-cell">
+        {tenant.renewalDate ? formatDate(tenant.renewalDate) : <span className="text-muted-foreground">-</span>}
+      </TableCell>
+      <TableCell className="hidden md:table-cell">
+        <TenantStatusBadge
+          plan={tenant.plan}
+          plannedChange={tenant.plannedChange}
+          hasEverSubscribed={tenant.hasEverSubscribed}
+        />
+      </TableCell>
+      <TableCell className="text-right">
+        <Badge variant={tenant.isEnabled ? "default" : "outline"}>{tenant.isEnabled ? t`Enabled` : t`Disabled`}</Badge>
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/ScopeIcon.tsx b/application/account/BackOffice/routes/feature-flags/-components/ScopeIcon.tsx
new file mode 100644
index 000000000..2ba04bfad
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/ScopeIcon.tsx
@@ -0,0 +1,28 @@
+import { t } from "@lingui/core/macro";
+import { Tooltip, TooltipContent, TooltipTrigger } from "@repo/ui/components/Tooltip";
+import { FlaskConicalIcon, GlobeIcon, UserIcon, UsersIcon } from "lucide-react";
+
+import type { FeatureFlagScope } from "./types";
+
+const scopeConfig: Record<FeatureFlagScope, { icon: typeof UsersIcon; label: () => string }> = {
+  Tenant: { icon: UsersIcon, label: () => t`Account` },
+  User: { icon: UserIcon, label: () => t`User` },
+  System: { icon: GlobeIcon, label: () => t`System` }
+};
+
+export function ScopeIcon({
+  scope,
+  isAbTestEligible,
+  className
+}: Readonly<{ scope: FeatureFlagScope; isAbTestEligible?: boolean; className?: string }>) {
+  const Icon = isAbTestEligible ? FlaskConicalIcon : scopeConfig[scope].icon;
+  const label = isAbTestEligible ? t`A/B test` : scopeConfig[scope].label();
+  return (
+    <Tooltip>
+      <TooltipTrigger>
+        <Icon className={className ?? "size-4 text-muted-foreground"} aria-label={label} />
+      </TooltipTrigger>
+      <TooltipContent>{label}</TooltipContent>
+    </Tooltip>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/SortableHead.tsx b/application/account/BackOffice/routes/feature-flags/-components/SortableHead.tsx
new file mode 100644
index 000000000..e7f01b64d
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/SortableHead.tsx
@@ -0,0 +1,40 @@
+import { TableHead } from "@repo/ui/components/Table";
+import { ChevronDownIcon, ChevronUpIcon } from "lucide-react";
+
+import { SortOrder } from "@/shared/lib/api/client";
+
+interface SortableHeadProps<TColumn extends string> {
+  column: TColumn;
+  effectiveOrderBy: TColumn;
+  effectiveSortOrder: SortOrder;
+  onSort: (column: TColumn) => void;
+  className?: string;
+  children: React.ReactNode;
+}
+
+export function SortableHead<TColumn extends string>({
+  column,
+  effectiveOrderBy,
+  effectiveSortOrder,
+  onSort,
+  className,
+  children
+}: Readonly<SortableHeadProps<TColumn>>) {
+  const isActive = effectiveOrderBy === column;
+  const isDescending = isActive && effectiveSortOrder === SortOrder.Descending;
+  const ariaSort = isActive ? (isDescending ? "descending" : "ascending") : "none";
+
+  return (
+    <TableHead className={className} aria-sort={ariaSort} onClick={() => onSort(column)}>
+      <span className="inline-flex cursor-pointer items-center gap-1 select-none">
+        {children}
+        {isActive &&
+          (isDescending ? (
+            <ChevronDownIcon className="size-3 shrink-0" aria-hidden={true} />
+          ) : (
+            <ChevronUpIcon className="size-3 shrink-0" aria-hidden={true} />
+          ))}
+      </span>
+    </TableHead>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideRow.tsx b/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideRow.tsx
new file mode 100644
index 000000000..be7dbb421
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideRow.tsx
@@ -0,0 +1,175 @@
+import { t } from "@lingui/core/macro";
+import { Badge } from "@repo/ui/components/Badge";
+import { TableCell, TableRow } from "@repo/ui/components/Table";
+import { TenantLogo } from "@repo/ui/components/TenantLogo";
+import { useFormatDate } from "@repo/ui/hooks/useSmartDate";
+import { useNavigate } from "@tanstack/react-router";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+
+import { api, queryClient } from "@/shared/lib/api/client";
+import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
+import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
+
+import type { FeatureFlagTenantInfo } from "./types";
+
+import { TenantStatusBadge } from "../../accounts/-components/TenantStatusBadge";
+import { getUserDisplayName } from "../../users/-components/userDisplay";
+import { OverrideSwitch } from "./OverrideSwitch";
+
+// Mutations skip the global auto-invalidate and refetch is deferred 500ms so the user sees the
+// optimistic switch flip before the table refetches — without it, sort reordering, pagination
+// totals, or filter drops happen instantly and make the toggle feel unresponsive.
+const TENANTS_QUERY_KEY = ["get", "/api/back-office/feature-flags/{flagKey}/tenants"] as const;
+const SKIP_AUTO_INVALIDATE = { meta: { skipQueryInvalidation: true } };
+
+interface TenantOverrideRowProps {
+  flagKey: string;
+  featureFlagDescription: string;
+  tenant: FeatureFlagTenantInfo;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+}
+
+export function TenantOverrideRow({
+  flagKey,
+  featureFlagDescription,
+  tenant,
+  showRolloutBucket,
+  isFeatureFlagActive
+}: Readonly<TenantOverrideRowProps>) {
+  const [optimisticEnabled, setOptimisticEnabled] = useState(tenant.isEnabled);
+  const [optimisticIsOverride, setOptimisticIsOverride] = useState(tenant.source === "manual_override");
+  const overrideMutation = api.useMutation(
+    "put",
+    "/api/back-office/feature-flags/{flagKey}/tenant-override",
+    SKIP_AUTO_INVALIDATE
+  );
+  const removeMutation = api.useMutation(
+    "delete",
+    "/api/back-office/feature-flags/{flagKey}/tenant-override",
+    SKIP_AUTO_INVALIDATE
+  );
+  const formatDate = useFormatDate();
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    setOptimisticEnabled(tenant.isEnabled);
+    setOptimisticIsOverride(tenant.source === "manual_override");
+  }, [tenant.isEnabled, tenant.source]);
+
+  const refreshAfter = () => {
+    setTimeout(() => queryClient.invalidateQueries({ queryKey: TENANTS_QUERY_KEY }), 500);
+  };
+
+  const handleRemoveOverride = () => {
+    setOptimisticEnabled(tenant.defaultEnabled);
+    setOptimisticIsOverride(false);
+    removeMutation.mutate(
+      { params: { path: { flagKey }, query: { tenantId: tenant.id } } },
+      {
+        onSuccess: () => {
+          toast.success(t`Override removed for ${tenant.name}`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          });
+          refreshAfter();
+        },
+        onError: () => {
+          setOptimisticEnabled(tenant.isEnabled);
+          setOptimisticIsOverride(tenant.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleSetOverride = (checked: boolean) => {
+    setOptimisticEnabled(checked);
+    setOptimisticIsOverride(true);
+    overrideMutation.mutate(
+      { params: { path: { flagKey } }, body: { tenantId: tenant.id, enabled: checked } },
+      {
+        onSuccess: () => {
+          toast.success(
+            checked
+              ? t`${featureFlagDescription} enabled for ${tenant.name}`
+              : t`${featureFlagDescription} disabled for ${tenant.name}`,
+            { description: t`It takes up to 5 minutes for changes to reach all users.` }
+          );
+          refreshAfter();
+        },
+        onError: () => {
+          setOptimisticEnabled(tenant.isEnabled);
+          setOptimisticIsOverride(tenant.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleToggle = (checked: boolean) => {
+    // The "single-click clears redundant override" rule only applies to A/B-eligible flags. For non-A/B
+    // flags the override is the only mechanism to turn the flag on for an account, so every click must
+    // PUT (or update) the override; we never auto-remove based on state matching defaultEnabled (which
+    // is always false on non-A/B flags and would otherwise trigger spurious removals on every toggle-off).
+    if (showRolloutBucket && optimisticIsOverride && optimisticEnabled === tenant.defaultEnabled) {
+      handleRemoveOverride();
+      return;
+    }
+    handleSetOverride(checked);
+  };
+
+  const isPending = overrideMutation.isPending || removeMutation.isPending;
+  const ownerLabel = tenant.owner
+    ? getUserDisplayName(tenant.owner.firstName, tenant.owner.lastName, tenant.owner.email)
+    : null;
+
+  return (
+    <TableRow
+      rowKey={tenant.id}
+      className="cursor-pointer transition-opacity duration-500"
+      onClick={() =>
+        navigate({ to: "/accounts/$tenantId", params: { tenantId: tenant.id }, search: { tab: "feature-flags" } })
+      }
+    >
+      <TableCell>
+        <div className="flex min-w-0 items-center gap-3">
+          <TenantLogo logoUrl={tenant.logoUrl} tenantName={tenant.name} size="md" className="size-9 shrink-0" />
+          <div className="flex min-w-0 flex-col gap-0.5">
+            <span className="truncate font-medium text-foreground">{tenant.name}</span>
+            {ownerLabel && <span className="truncate text-xs text-muted-foreground">{ownerLabel}</span>}
+          </div>
+        </div>
+      </TableCell>
+      <TableCell className="hidden md:table-cell">
+        <Badge className={getSubscriptionPlanBadgeClass(tenant.plan)}>{getSubscriptionPlanLabel(tenant.plan)}</Badge>
+      </TableCell>
+      <TableCell className="hidden md:table-cell">
+        <TenantStatusBadge
+          plan={tenant.plan}
+          plannedChange={tenant.plannedChange}
+          hasEverSubscribed={tenant.hasEverSubscribed}
+        />
+      </TableCell>
+      <TableCell className="hidden lg:table-cell">
+        {(() => {
+          const updatedAt = tenant.overrideDisabledAt ?? tenant.overrideEnabledAt;
+          return updatedAt ? formatDate(updatedAt) : <span className="text-muted-foreground">-</span>;
+        })()}
+      </TableCell>
+      {showRolloutBucket && (
+        <TableCell className="hidden text-center text-muted-foreground lg:table-cell">
+          {tenant.inclusionThresholdPercentage != null ? `${tenant.inclusionThresholdPercentage}%` : null}
+        </TableCell>
+      )}
+      <TableCell className="text-right" onClick={(event) => event.stopPropagation()}>
+        <OverrideSwitch
+          isManualOverride={optimisticIsOverride && showRolloutBucket}
+          checked={optimisticEnabled}
+          onCheckedChange={handleToggle}
+          disabled={isPending}
+          dimmed={!isFeatureFlagActive && optimisticEnabled}
+          ariaLabel={t`Override for ${tenant.name}`}
+        />
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideTable.tsx b/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideTable.tsx
new file mode 100644
index 000000000..4242a7f87
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/TenantOverrideTable.tsx
@@ -0,0 +1,134 @@
+import { Trans } from "@lingui/react/macro";
+import { Table, TableBody, TableHead, TableHeader, TableRow } from "@repo/ui/components/Table";
+import { useNavigate } from "@tanstack/react-router";
+
+import { SortableFeatureFlagTenantProperties, SortOrder } from "@/shared/lib/api/client";
+
+import type { FeatureFlagTenantInfo } from "./types";
+
+import { SortableHead } from "./SortableHead";
+import { TenantOverrideRow } from "./TenantOverrideRow";
+
+export interface TenantOverrideTableProps {
+  ariaLabel: string;
+  tenants: FeatureFlagTenantInfo[];
+  flagKey: string;
+  featureFlagDescription: string;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+  orderBy: SortableFeatureFlagTenantProperties | undefined;
+  sortOrder: SortOrder | undefined;
+  defaultOrderBy: SortableFeatureFlagTenantProperties;
+}
+
+export function TenantOverrideTable({
+  ariaLabel,
+  tenants,
+  flagKey,
+  featureFlagDescription,
+  showRolloutBucket,
+  isFeatureFlagActive,
+  orderBy,
+  sortOrder,
+  defaultOrderBy
+}: Readonly<TenantOverrideTableProps>) {
+  const navigate = useNavigate();
+  const effectiveOrderBy = orderBy ?? defaultOrderBy;
+  const effectiveSortOrder = sortOrder ?? SortOrder.Ascending;
+
+  // Click cycle: same column flips asc <-> desc, second-flip clears to default; different column resets to asc.
+  const handleSort = (column: SortableFeatureFlagTenantProperties) => {
+    let nextOrderBy: SortableFeatureFlagTenantProperties | undefined = column;
+    let nextSortOrder: SortOrder | undefined;
+    if (effectiveOrderBy === column) {
+      if (effectiveSortOrder === SortOrder.Ascending) {
+        nextSortOrder = SortOrder.Descending;
+      } else {
+        nextOrderBy = undefined;
+        nextSortOrder = undefined;
+      }
+    } else {
+      nextSortOrder = SortOrder.Ascending;
+    }
+    navigate({
+      to: "/feature-flags/$flagKey",
+      params: { flagKey },
+      search: (previous) => ({
+        ...previous,
+        tenantsOrderBy: nextOrderBy,
+        tenantsSortOrder: nextSortOrder,
+        tenantsPageOffset: undefined
+      })
+    });
+  };
+
+  return (
+    <Table rowSize="compact" aria-label={ariaLabel} className="w-full table-fixed" containerClassName="overflow-x-clip">
+      <TableHeader>
+        <TableRow>
+          <SortableHead
+            column={SortableFeatureFlagTenantProperties.Name}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+          >
+            <Trans>Account</Trans>
+          </SortableHead>
+          <SortableHead
+            column={SortableFeatureFlagTenantProperties.Plan}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="hidden w-[6rem] md:table-cell"
+          >
+            <Trans>Plan</Trans>
+          </SortableHead>
+          <TableHead className="hidden w-[6rem] md:table-cell">
+            <Trans>Status</Trans>
+          </TableHead>
+          <SortableHead
+            column={SortableFeatureFlagTenantProperties.OverrideUpdatedAt}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="hidden w-[8rem] lg:table-cell"
+          >
+            <Trans>Last changed</Trans>
+          </SortableHead>
+          {showRolloutBucket && (
+            <SortableHead
+              column={SortableFeatureFlagTenantProperties.InclusionThresholdPercentage}
+              effectiveOrderBy={effectiveOrderBy}
+              effectiveSortOrder={effectiveSortOrder}
+              onSort={handleSort}
+              className="hidden w-[7rem] text-center lg:table-cell"
+            >
+              <Trans>Included at</Trans>
+            </SortableHead>
+          )}
+          <SortableHead
+            column={SortableFeatureFlagTenantProperties.IsEnabled}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="w-[5rem] text-right"
+          >
+            <Trans>Override</Trans>
+          </SortableHead>
+        </TableRow>
+      </TableHeader>
+      <TableBody>
+        {tenants.map((tenant) => (
+          <TenantOverrideRow
+            key={tenant.id}
+            flagKey={flagKey}
+            featureFlagDescription={featureFlagDescription}
+            tenant={tenant}
+            showRolloutBucket={showRolloutBucket}
+            isFeatureFlagActive={isFeatureFlagActive}
+          />
+        ))}
+      </TableBody>
+    </Table>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/TenantOverridesSection.tsx b/application/account/BackOffice/routes/feature-flags/-components/TenantOverridesSection.tsx
new file mode 100644
index 000000000..8db8cac96
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/TenantOverridesSection.tsx
@@ -0,0 +1,167 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { TablePagination } from "@repo/ui/components/TablePagination";
+import { keepPreviousData } from "@tanstack/react-query";
+import { useNavigate } from "@tanstack/react-router";
+import { useCallback } from "react";
+
+import type { SortOrder, SubscriptionPlan } from "@/shared/lib/api/client";
+
+import { api, SortableFeatureFlagTenantProperties } from "@/shared/lib/api/client";
+
+import type { StateFilter } from "./stateFilter";
+
+import { FeatureFlagTenantsEmpty } from "./FeatureFlagTenantsEmpty";
+import { FeatureFlagTenantsToolbar } from "./FeatureFlagTenantsToolbar";
+import { DEFAULT_STATE_FILTER, toApiState } from "./stateFilter";
+import { TenantOverrideTable } from "./TenantOverrideTable";
+
+interface TenantOverridesSectionProps {
+  flagKey: string;
+  featureFlagDescription: string;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+  search: string | undefined;
+  plans: SubscriptionPlan[];
+  state: StateFilter | undefined;
+  hasOverride: boolean;
+  pageOffset: number | undefined;
+  orderBy: SortableFeatureFlagTenantProperties | undefined;
+  sortOrder: SortOrder | undefined;
+}
+
+export function TenantOverridesSection({
+  flagKey,
+  featureFlagDescription,
+  showRolloutBucket,
+  isFeatureFlagActive,
+  search,
+  plans,
+  state,
+  hasOverride,
+  pageOffset,
+  orderBy,
+  sortOrder
+}: Readonly<TenantOverridesSectionProps>) {
+  const navigate = useNavigate();
+
+  // A/B-eligible flags default to "Included at" ascending so admins see who joins the rollout first;
+  // non-A/B flags fall back to alphabetical Name ascending.
+  const defaultOrderBy = showRolloutBucket
+    ? SortableFeatureFlagTenantProperties.InclusionThresholdPercentage
+    : SortableFeatureFlagTenantProperties.Name;
+  const effectiveOrderBy = orderBy ?? defaultOrderBy;
+
+  const { data, isLoading } = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags/{flagKey}/tenants",
+    {
+      params: {
+        path: { flagKey },
+        query: {
+          Search: search,
+          Plans: plans.length === 0 ? undefined : plans,
+          State: toApiState(state),
+          HasOverride: hasOverride ? true : undefined,
+          PageOffset: pageOffset,
+          OrderBy: effectiveOrderBy,
+          SortOrder: sortOrder
+        }
+      }
+    },
+    { placeholderData: keepPreviousData }
+  );
+
+  const tenants = data?.tenants ?? [];
+  const totalPages = data?.totalPages ?? 0;
+  const currentPage = (data?.currentPageOffset ?? 0) + 1;
+  const effectiveState = state ?? DEFAULT_STATE_FILTER;
+  const hasFilters = Boolean(search) || plans.length > 0 || effectiveState !== DEFAULT_STATE_FILTER || hasOverride;
+
+  const handlePageChange = useCallback(
+    (page: number) => {
+      navigate({
+        to: "/feature-flags/$flagKey",
+        params: { flagKey },
+        search: (previous) => ({
+          ...previous,
+          tenantsPageOffset: page === 1 ? undefined : page - 1
+        })
+      });
+    },
+    [navigate, flagKey]
+  );
+
+  return (
+    <div className="flex min-h-0 flex-1 flex-col gap-4">
+      <div>
+        <h3>
+          <Trans>Account status</Trans>
+        </h3>
+        <p className="text-sm text-muted-foreground">
+          {showRolloutBucket ? (
+            <Trans>
+              Accounts are automatically included based on their rollout bucket. Use overrides to manually include or
+              exclude specific accounts.
+            </Trans>
+          ) : (
+            <Trans>Toggle the override switch to enable this feature for specific accounts.</Trans>
+          )}
+        </p>
+      </div>
+      <FeatureFlagTenantsToolbar
+        flagKey={flagKey}
+        search={search}
+        plans={plans}
+        state={state}
+        hasOverride={hasOverride}
+        hideHasOverride={!showRolloutBucket}
+      />
+      {isLoading && tenants.length === 0 ? (
+        <TenantOverridesSkeleton />
+      ) : tenants.length === 0 ? (
+        <FeatureFlagTenantsEmpty flagKey={flagKey} hasFilters={hasFilters} />
+      ) : (
+        <>
+          <div className="flex-1 overflow-visible sm:min-h-48 sm:overflow-auto">
+            <TenantOverrideTable
+              ariaLabel={t`Accounts`}
+              tenants={tenants}
+              flagKey={flagKey}
+              featureFlagDescription={featureFlagDescription}
+              showRolloutBucket={showRolloutBucket}
+              isFeatureFlagActive={isFeatureFlagActive}
+              orderBy={orderBy}
+              sortOrder={sortOrder}
+              defaultOrderBy={defaultOrderBy}
+            />
+          </div>
+          {totalPages > 1 && (
+            <div className="shrink-0 pt-4">
+              <TablePagination
+                currentPage={currentPage}
+                totalPages={totalPages}
+                onPageChange={handlePageChange}
+                previousLabel={t`Previous`}
+                nextLabel={t`Next`}
+                trackingTitle="Feature flag tenants"
+                className="w-full"
+              />
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  );
+}
+
+function TenantOverridesSkeleton() {
+  return (
+    <div className="flex flex-col gap-2">
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/UserOverrideRow.tsx b/application/account/BackOffice/routes/feature-flags/-components/UserOverrideRow.tsx
new file mode 100644
index 000000000..c6f88efd6
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/UserOverrideRow.tsx
@@ -0,0 +1,172 @@
+import { t } from "@lingui/core/macro";
+import { Avatar, AvatarFallback, AvatarImage } from "@repo/ui/components/Avatar";
+import { Badge } from "@repo/ui/components/Badge";
+import { TableCell, TableRow } from "@repo/ui/components/Table";
+import { useFormatDate } from "@repo/ui/hooks/useSmartDate";
+import { useNavigate } from "@tanstack/react-router";
+import { MailIcon } from "lucide-react";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+
+import { api, queryClient } from "@/shared/lib/api/client";
+import { getUserRoleLabel } from "@/shared/lib/api/labels";
+
+import type { FeatureFlagUserInfo } from "./types";
+
+import { getUserDisplayName, getUserInitials } from "../../users/-components/userDisplay";
+import { OverrideSwitch } from "./OverrideSwitch";
+
+// Mutations skip the global auto-invalidate and refetch is deferred 500ms so the user sees the
+// optimistic switch flip before the table refetches — without it, sort reordering, pagination
+// totals, or filter drops happen instantly and make the toggle feel unresponsive.
+const USERS_QUERY_KEY = ["get", "/api/back-office/feature-flags/{flagKey}/users"] as const;
+const SKIP_AUTO_INVALIDATE = { meta: { skipQueryInvalidation: true } };
+
+interface UserOverrideRowProps {
+  flagKey: string;
+  featureFlagDescription: string;
+  user: FeatureFlagUserInfo;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+}
+
+export function UserOverrideRow({
+  flagKey,
+  featureFlagDescription,
+  user,
+  showRolloutBucket,
+  isFeatureFlagActive
+}: Readonly<UserOverrideRowProps>) {
+  const [optimisticEnabled, setOptimisticEnabled] = useState(user.isEnabled);
+  const [optimisticIsOverride, setOptimisticIsOverride] = useState(user.source === "manual_override");
+  const overrideMutation = api.useMutation(
+    "put",
+    "/api/back-office/feature-flags/{flagKey}/user-override",
+    SKIP_AUTO_INVALIDATE
+  );
+  const removeMutation = api.useMutation(
+    "delete",
+    "/api/back-office/feature-flags/{flagKey}/user-override",
+    SKIP_AUTO_INVALIDATE
+  );
+  const formatDate = useFormatDate();
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    setOptimisticEnabled(user.isEnabled);
+    setOptimisticIsOverride(user.source === "manual_override");
+  }, [user.isEnabled, user.source]);
+
+  const refreshAfter = () => {
+    setTimeout(() => queryClient.invalidateQueries({ queryKey: USERS_QUERY_KEY }), 500);
+  };
+
+  const handleRemoveOverride = () => {
+    setOptimisticEnabled(user.defaultEnabled);
+    setOptimisticIsOverride(false);
+    removeMutation.mutate(
+      { params: { path: { flagKey }, query: { userId: user.id, tenantId: user.tenantId } } },
+      {
+        onSuccess: () => {
+          toast.success(t`Override removed for ${user.email}`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          });
+          refreshAfter();
+        },
+        onError: () => {
+          setOptimisticEnabled(user.isEnabled);
+          setOptimisticIsOverride(user.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleSetOverride = (checked: boolean) => {
+    setOptimisticEnabled(checked);
+    setOptimisticIsOverride(true);
+    overrideMutation.mutate(
+      {
+        params: { path: { flagKey } },
+        body: { userId: user.id, tenantId: user.tenantId, enabled: checked }
+      },
+      {
+        onSuccess: () => {
+          toast.success(
+            checked
+              ? t`${featureFlagDescription} enabled for ${user.email}`
+              : t`${featureFlagDescription} disabled for ${user.email}`,
+            { description: t`It takes up to 5 minutes for changes to reach all users.` }
+          );
+          refreshAfter();
+        },
+        onError: () => {
+          setOptimisticEnabled(user.isEnabled);
+          setOptimisticIsOverride(user.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleToggle = (checked: boolean) => {
+    if (showRolloutBucket && optimisticIsOverride && optimisticEnabled === user.defaultEnabled) {
+      handleRemoveOverride();
+      return;
+    }
+    handleSetOverride(checked);
+  };
+
+  const isPending = overrideMutation.isPending || removeMutation.isPending;
+  const displayName = getUserDisplayName(user.firstName, user.lastName, user.email);
+  const initials = getUserInitials(user.firstName, user.lastName, user.email);
+
+  return (
+    <TableRow
+      rowKey={user.id}
+      className="cursor-pointer transition-opacity duration-500"
+      onClick={() => navigate({ to: "/users/$userId", params: { userId: user.id }, search: { tab: "feature-flags" } })}
+    >
+      <TableCell>
+        <div className="flex min-w-0 items-center gap-3">
+          <Avatar size="default" className="size-9 shrink-0">
+            {user.avatarUrl && <AvatarImage src={user.avatarUrl} alt={displayName} />}
+            <AvatarFallback>{initials}</AvatarFallback>
+          </Avatar>
+          <div className="flex min-w-0 flex-col gap-0.5">
+            <span className="truncate font-medium text-foreground">{displayName}</span>
+            <span className="flex min-w-0 items-center gap-1.5 text-xs text-muted-foreground">
+              <MailIcon className="size-3 shrink-0" aria-hidden={true} />
+              <span className="truncate">{user.email}</span>
+            </span>
+          </div>
+        </div>
+      </TableCell>
+      <TableCell className="hidden md:table-cell">
+        <span className="block truncate text-sm">{user.tenantName}</span>
+      </TableCell>
+      <TableCell className="hidden lg:table-cell">
+        <Badge variant="outline">{getUserRoleLabel(user.role)}</Badge>
+      </TableCell>
+      <TableCell className="hidden lg:table-cell">
+        {(() => {
+          const updatedAt = user.overrideDisabledAt ?? user.overrideEnabledAt;
+          return updatedAt ? formatDate(updatedAt, true, true) : <span className="text-muted-foreground">-</span>;
+        })()}
+      </TableCell>
+      {showRolloutBucket && (
+        <TableCell className="hidden text-center text-muted-foreground lg:table-cell">
+          {user.inclusionThresholdPercentage != null ? `${user.inclusionThresholdPercentage}%` : null}
+        </TableCell>
+      )}
+      <TableCell className="text-right" onClick={(event) => event.stopPropagation()}>
+        <OverrideSwitch
+          isManualOverride={optimisticIsOverride && showRolloutBucket}
+          checked={optimisticEnabled}
+          onCheckedChange={handleToggle}
+          disabled={isPending}
+          dimmed={!isFeatureFlagActive && optimisticEnabled}
+          ariaLabel={t`Override for ${user.email}`}
+        />
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/UserOverridesSection.tsx b/application/account/BackOffice/routes/feature-flags/-components/UserOverridesSection.tsx
new file mode 100644
index 000000000..fe9f6c7b1
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/UserOverridesSection.tsx
@@ -0,0 +1,165 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { TablePagination } from "@repo/ui/components/TablePagination";
+import { keepPreviousData } from "@tanstack/react-query";
+import { useNavigate } from "@tanstack/react-router";
+import { useCallback } from "react";
+
+import type { SortOrder, UserRole } from "@/shared/lib/api/client";
+
+import { api, SortableFeatureFlagUserProperties } from "@/shared/lib/api/client";
+
+import type { StateFilter } from "./stateFilter";
+
+import { FeatureFlagUsersEmpty } from "./FeatureFlagUsersEmpty";
+import { FeatureFlagUsersToolbar } from "./FeatureFlagUsersToolbar";
+import { DEFAULT_STATE_FILTER, toApiState } from "./stateFilter";
+import { UserOverridesTable } from "./UserOverridesTable";
+
+interface UserOverridesSectionProps {
+  flagKey: string;
+  featureFlagDescription: string;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+  search: string | undefined;
+  roles: UserRole[];
+  state: StateFilter | undefined;
+  hasOverride: boolean;
+  pageOffset: number | undefined;
+  orderBy: SortableFeatureFlagUserProperties | undefined;
+  sortOrder: SortOrder | undefined;
+}
+
+export function UserOverridesSection({
+  flagKey,
+  featureFlagDescription,
+  showRolloutBucket,
+  isFeatureFlagActive,
+  search,
+  roles,
+  state,
+  hasOverride,
+  pageOffset,
+  orderBy,
+  sortOrder
+}: Readonly<UserOverridesSectionProps>) {
+  const navigate = useNavigate();
+
+  const defaultOrderBy = showRolloutBucket
+    ? SortableFeatureFlagUserProperties.InclusionThresholdPercentage
+    : SortableFeatureFlagUserProperties.Name;
+  const effectiveOrderBy = orderBy ?? defaultOrderBy;
+
+  const { data, isLoading } = api.useQuery(
+    "get",
+    "/api/back-office/feature-flags/{flagKey}/users",
+    {
+      params: {
+        path: { flagKey },
+        query: {
+          Search: search,
+          Roles: roles.length === 0 ? undefined : roles,
+          State: toApiState(state),
+          HasOverride: hasOverride ? true : undefined,
+          PageOffset: pageOffset,
+          OrderBy: effectiveOrderBy,
+          SortOrder: sortOrder
+        }
+      }
+    },
+    { placeholderData: keepPreviousData }
+  );
+
+  const users = data?.users ?? [];
+  const totalPages = data?.totalPages ?? 0;
+  const currentPage = (data?.currentPageOffset ?? 0) + 1;
+  const effectiveState = state ?? DEFAULT_STATE_FILTER;
+  const hasFilters = Boolean(search) || roles.length > 0 || effectiveState !== DEFAULT_STATE_FILTER || hasOverride;
+
+  const handlePageChange = useCallback(
+    (page: number) => {
+      navigate({
+        to: "/feature-flags/$flagKey",
+        params: { flagKey },
+        search: (previous) => ({
+          ...previous,
+          usersPageOffset: page === 1 ? undefined : page - 1
+        })
+      });
+    },
+    [navigate, flagKey]
+  );
+
+  return (
+    <div className="flex min-h-0 flex-1 flex-col gap-4">
+      <div>
+        <h3>
+          <Trans>User status</Trans>
+        </h3>
+        <p className="text-sm text-muted-foreground">
+          {showRolloutBucket ? (
+            <Trans>
+              Users are automatically included based on their rollout bucket. Use overrides to manually include or
+              exclude specific users.
+            </Trans>
+          ) : (
+            <Trans>Toggle the override switch to enable this feature for specific users.</Trans>
+          )}
+        </p>
+      </div>
+      <FeatureFlagUsersToolbar
+        flagKey={flagKey}
+        search={search}
+        roles={roles}
+        state={state}
+        hasOverride={hasOverride}
+        hideHasOverride={!showRolloutBucket}
+      />
+      {isLoading && users.length === 0 ? (
+        <UserOverridesSkeleton />
+      ) : users.length === 0 ? (
+        <FeatureFlagUsersEmpty flagKey={flagKey} hasFilters={hasFilters} />
+      ) : (
+        <>
+          <div className="flex-1 overflow-visible sm:min-h-48 sm:overflow-auto">
+            <UserOverridesTable
+              ariaLabel={t`Users`}
+              users={users}
+              flagKey={flagKey}
+              featureFlagDescription={featureFlagDescription}
+              showRolloutBucket={showRolloutBucket}
+              isFeatureFlagActive={isFeatureFlagActive}
+              orderBy={orderBy}
+              sortOrder={sortOrder}
+              defaultOrderBy={defaultOrderBy}
+            />
+          </div>
+          {totalPages > 1 && (
+            <div className="shrink-0 pt-4">
+              <TablePagination
+                currentPage={currentPage}
+                totalPages={totalPages}
+                onPageChange={handlePageChange}
+                previousLabel={t`Previous`}
+                nextLabel={t`Next`}
+                trackingTitle="Feature flag users"
+                className="w-full"
+              />
+            </div>
+          )}
+        </>
+      )}
+    </div>
+  );
+}
+
+function UserOverridesSkeleton() {
+  return (
+    <div className="flex flex-col gap-2">
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/UserOverridesTable.tsx b/application/account/BackOffice/routes/feature-flags/-components/UserOverridesTable.tsx
new file mode 100644
index 000000000..e9c32ff02
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/UserOverridesTable.tsx
@@ -0,0 +1,139 @@
+import { Trans } from "@lingui/react/macro";
+import { Table, TableBody, TableHeader, TableRow } from "@repo/ui/components/Table";
+import { useNavigate } from "@tanstack/react-router";
+
+import { SortableFeatureFlagUserProperties, SortOrder } from "@/shared/lib/api/client";
+
+import type { FeatureFlagUserInfo } from "./types";
+
+import { SortableHead } from "./SortableHead";
+import { UserOverrideRow } from "./UserOverrideRow";
+
+export interface UserOverridesTableProps {
+  ariaLabel: string;
+  users: FeatureFlagUserInfo[];
+  flagKey: string;
+  featureFlagDescription: string;
+  showRolloutBucket: boolean;
+  isFeatureFlagActive: boolean;
+  orderBy: SortableFeatureFlagUserProperties | undefined;
+  sortOrder: SortOrder | undefined;
+  defaultOrderBy: SortableFeatureFlagUserProperties;
+}
+
+export function UserOverridesTable({
+  ariaLabel,
+  users,
+  flagKey,
+  featureFlagDescription,
+  showRolloutBucket,
+  isFeatureFlagActive,
+  orderBy,
+  sortOrder,
+  defaultOrderBy
+}: Readonly<UserOverridesTableProps>) {
+  const navigate = useNavigate();
+  const effectiveOrderBy = orderBy ?? defaultOrderBy;
+  const effectiveSortOrder = sortOrder ?? SortOrder.Ascending;
+
+  const handleSort = (column: SortableFeatureFlagUserProperties) => {
+    let nextOrderBy: SortableFeatureFlagUserProperties | undefined = column;
+    let nextSortOrder: SortOrder | undefined;
+    if (effectiveOrderBy === column) {
+      if (effectiveSortOrder === SortOrder.Ascending) {
+        nextSortOrder = SortOrder.Descending;
+      } else {
+        nextOrderBy = undefined;
+        nextSortOrder = undefined;
+      }
+    } else {
+      nextSortOrder = SortOrder.Ascending;
+    }
+    navigate({
+      to: "/feature-flags/$flagKey",
+      params: { flagKey },
+      search: (previous) => ({
+        ...previous,
+        usersOrderBy: nextOrderBy,
+        usersSortOrder: nextSortOrder,
+        usersPageOffset: undefined
+      })
+    });
+  };
+
+  return (
+    <Table rowSize="compact" aria-label={ariaLabel} className="w-full table-fixed" containerClassName="overflow-x-clip">
+      <TableHeader>
+        <TableRow>
+          <SortableHead
+            column={SortableFeatureFlagUserProperties.Name}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+          >
+            <Trans>User</Trans>
+          </SortableHead>
+          <SortableHead
+            column={SortableFeatureFlagUserProperties.TenantName}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="hidden md:table-cell"
+          >
+            <Trans>Account</Trans>
+          </SortableHead>
+          <SortableHead
+            column={SortableFeatureFlagUserProperties.Role}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="hidden w-[6rem] lg:table-cell"
+          >
+            <Trans>Role</Trans>
+          </SortableHead>
+          <SortableHead
+            column={SortableFeatureFlagUserProperties.OverrideUpdatedAt}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="hidden w-[8.5rem] lg:table-cell"
+          >
+            <Trans>Last changed</Trans>
+          </SortableHead>
+          {showRolloutBucket && (
+            <SortableHead
+              column={SortableFeatureFlagUserProperties.InclusionThresholdPercentage}
+              effectiveOrderBy={effectiveOrderBy}
+              effectiveSortOrder={effectiveSortOrder}
+              onSort={handleSort}
+              className="hidden w-[7rem] text-center lg:table-cell"
+            >
+              <Trans>Included at</Trans>
+            </SortableHead>
+          )}
+          <SortableHead
+            column={SortableFeatureFlagUserProperties.IsEnabled}
+            effectiveOrderBy={effectiveOrderBy}
+            effectiveSortOrder={effectiveSortOrder}
+            onSort={handleSort}
+            className="w-[5rem] text-right"
+          >
+            <Trans>Override</Trans>
+          </SortableHead>
+        </TableRow>
+      </TableHeader>
+      <TableBody>
+        {users.map((user) => (
+          <UserOverrideRow
+            key={user.id}
+            flagKey={flagKey}
+            featureFlagDescription={featureFlagDescription}
+            user={user}
+            showRolloutBucket={showRolloutBucket}
+            isFeatureFlagActive={isFeatureFlagActive}
+          />
+        ))}
+      </TableBody>
+    </Table>
+  );
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/rolloutBucket.ts b/application/account/BackOffice/routes/feature-flags/-components/rolloutBucket.ts
new file mode 100644
index 000000000..f93dc8fdf
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/rolloutBucket.ts
@@ -0,0 +1,12 @@
+import { t } from "@lingui/core/macro";
+
+export function formatRolloutBucketRange(
+  rolloutBucketStart: number,
+  rolloutBucketEnd: number,
+  rolloutPercentage: number
+): string {
+  if (rolloutBucketStart <= rolloutBucketEnd) {
+    return t`Rollout buckets: ${rolloutBucketStart}-${rolloutBucketEnd} (${rolloutPercentage}%)`;
+  }
+  return t`Rollout buckets: ${rolloutBucketStart}-99 and 0-${rolloutBucketEnd} (${rolloutPercentage}%)`;
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/stateFilter.ts b/application/account/BackOffice/routes/feature-flags/-components/stateFilter.ts
new file mode 100644
index 000000000..920d9ad86
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/stateFilter.ts
@@ -0,0 +1,19 @@
+import { FeatureFlagAudienceState } from "@/shared/lib/api/client";
+
+/**
+ * URL representation of the single-select state filter on the override toolbars.
+ *
+ * - URL param absent is the fresh-visit default and renders the Enabled chip pressed.
+ * - `All` shows all rows: API call omits `State`, UI marks the All chip pressed.
+ * - `Enabled` / `Disabled` filter the API call to that subset.
+ */
+export const ALL_STATE_FILTER = "All";
+
+export type StateFilter = FeatureFlagAudienceState | typeof ALL_STATE_FILTER;
+
+export const DEFAULT_STATE_FILTER: StateFilter = FeatureFlagAudienceState.Enabled;
+
+export function toApiState(filter: StateFilter | undefined): FeatureFlagAudienceState | undefined {
+  if (filter === ALL_STATE_FILTER) return undefined;
+  return filter ?? FeatureFlagAudienceState.Enabled;
+}
diff --git a/application/account/BackOffice/routes/feature-flags/-components/types.ts b/application/account/BackOffice/routes/feature-flags/-components/types.ts
new file mode 100644
index 000000000..a1645dead
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/-components/types.ts
@@ -0,0 +1,13 @@
+import type { components } from "@/shared/lib/api/client";
+
+export type FeatureFlagInfo = components["schemas"]["FeatureFlagInfo"];
+
+export type FeatureFlagScope = components["schemas"]["FeatureFlagScope"];
+
+export type GetFeatureFlagsResponse = components["schemas"]["GetFeatureFlagsResponse"];
+
+export type FeatureFlagTenantInfo = components["schemas"]["FeatureFlagTenantInfo"];
+
+export type FeatureFlagUserInfo = components["schemas"]["FeatureFlagUserInfo"];
+
+export type FeatureFlagSourceLiteral = "manual_override" | "ab_rollout" | "plan" | "default";
diff --git a/application/account/BackOffice/routes/feature-flags/index.tsx b/application/account/BackOffice/routes/feature-flags/index.tsx
new file mode 100644
index 000000000..9ee33c0c6
--- /dev/null
+++ b/application/account/BackOffice/routes/feature-flags/index.tsx
@@ -0,0 +1,210 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { AppLayout } from "@repo/ui/components/AppLayout";
+import { Badge } from "@repo/ui/components/Badge";
+import { Label } from "@repo/ui/components/Label";
+import { SidebarInset, SidebarProvider } from "@repo/ui/components/Sidebar";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { Switch } from "@repo/ui/components/Switch";
+import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@repo/ui/components/Table";
+import { getFeatureFlagDescription, getFeatureFlagName } from "@repo/ui/featureFlags/labels";
+import { createFileRoute, useNavigate } from "@tanstack/react-router";
+import { useMemo, useState } from "react";
+
+import { BackOfficeSideMenu } from "@/shared/components/BackOfficeSideMenu";
+import { api, type SubscriptionPlan } from "@/shared/lib/api/client";
+import { getSubscriptionPlanLabel } from "@/shared/lib/api/labels";
+import { getSubscriptionPlanBadgeClass } from "@/shared/lib/planBadge";
+
+import type { FeatureFlagInfo, FeatureFlagScope, GetFeatureFlagsResponse } from "./-components/types";
+
+import { FeatureFlagStatusBadge } from "./-components/FeatureFlagStatusBadge";
+import { ScopeIcon } from "./-components/ScopeIcon";
+
+export const Route = createFileRoute("/feature-flags/")({
+  staticData: { trackingTitle: "Feature flags" },
+  component: FeatureFlagsPage
+});
+
+type FeatureFlagGroupKey = "Tenant" | "Plan" | "User" | "System";
+
+interface FeatureFlagGroup {
+  groupKey: FeatureFlagGroupKey;
+  label: string;
+  featureFlags: FeatureFlagInfo[];
+}
+
+export default function FeatureFlagsPage() {
+  const [showDeleted, setShowDeleted] = useState(false);
+
+  const { data, isLoading } = api.useQuery("get", "/api/back-office/feature-flags", {
+    params: { query: { IncludeDeleted: showDeleted } }
+  }) as {
+    data: GetFeatureFlagsResponse | undefined;
+    isLoading: boolean;
+  };
+
+  const groups = useMemo(() => {
+    if (!data?.flags) return [];
+    const groupOrder: FeatureFlagGroupKey[] = ["Tenant", "Plan", "User", "System"];
+    const groupLabels: Record<FeatureFlagGroupKey, string> = {
+      Tenant: t`Account flags`,
+      Plan: t`Plan flags`,
+      User: t`User flags`,
+      System: t`System flags`
+    };
+    return groupOrder
+      .map((groupKey) => ({
+        groupKey,
+        label: groupLabels[groupKey],
+        featureFlags: data.flags.filter((featureFlag) => {
+          if (groupKey === "Plan") return featureFlag.scope === "Tenant" && featureFlag.requiredPlan != null;
+          if (groupKey === "Tenant") return featureFlag.scope === "Tenant" && featureFlag.requiredPlan == null;
+          return featureFlag.scope === groupKey;
+        })
+      }))
+      .filter((group) => group.featureFlags.length > 0);
+  }, [data?.flags]);
+
+  return (
+    <SidebarProvider>
+      <BackOfficeSideMenu />
+      <SidebarInset>
+        <AppLayout
+          variant="center"
+          maxWidth="64rem"
+          title={t`Feature flags`}
+          subtitle={t`Feature flags are defined in code. This view controls their activation and rollout. It takes up to 5 minutes for changes to reach all users.`}
+        >
+          <div className="flex items-center justify-end gap-3 pb-2">
+            <Label htmlFor="show-deleted-toggle" className="text-sm text-muted-foreground">
+              <Trans>Show deleted</Trans>
+            </Label>
+            <Switch id="show-deleted-toggle" checked={showDeleted} onCheckedChange={setShowDeleted} />
+          </div>
+          {isLoading ? <FeatureFlagsSkeleton /> : <FeatureFlagGroupList groups={groups} />}
+        </AppLayout>
+      </SidebarInset>
+    </SidebarProvider>
+  );
+}
+
+function FeatureFlagGroupList({ groups }: Readonly<{ groups: FeatureFlagGroup[] }>) {
+  const navigate = useNavigate();
+  const hasDetail = (groupKey: FeatureFlagGroupKey, scope: FeatureFlagScope) =>
+    groupKey === "Plan" || scope === "Tenant" || scope === "User";
+
+  return (
+    <div className="flex flex-col gap-8">
+      {groups.map((group) => {
+        const isPlanGroup = group.groupKey === "Plan";
+        const isSystemGroup = group.groupKey === "System";
+        const showRollout = !isSystemGroup && !isPlanGroup;
+        return (
+          <div key={group.groupKey} className="flex flex-col gap-2">
+            <h3>{group.label}</h3>
+            <p className="text-sm text-muted-foreground">
+              <FeatureFlagGroupSubtitle groupKey={group.groupKey} />
+            </p>
+            <Table rowSize="compact" aria-label={group.label} className="w-full table-fixed">
+              <TableHeader>
+                <TableRow>
+                  <TableHead>
+                    <Trans>Name</Trans>
+                  </TableHead>
+                  {isPlanGroup && (
+                    <TableHead className="hidden w-[7rem] text-center sm:table-cell">
+                      <Trans>Required plan</Trans>
+                    </TableHead>
+                  )}
+                  {showRollout && (
+                    <TableHead className="hidden w-[7rem] text-center sm:table-cell">
+                      <Trans>Rollout</Trans>
+                    </TableHead>
+                  )}
+                  <TableHead className="hidden w-[7rem] text-center sm:table-cell">
+                    <Trans>Status</Trans>
+                  </TableHead>
+                </TableRow>
+              </TableHeader>
+              <TableBody>
+                {group.featureFlags.map((featureFlag) => (
+                  <TableRow
+                    key={featureFlag.key}
+                    className={hasDetail(group.groupKey, featureFlag.scope) ? "cursor-pointer" : undefined}
+                    onClick={
+                      hasDetail(group.groupKey, featureFlag.scope)
+                        ? () => navigate({ to: "/feature-flags/$flagKey", params: { flagKey: featureFlag.key } })
+                        : undefined
+                    }
+                  >
+                    <TableCell>
+                      <div className="flex min-w-0 flex-col">
+                        <span className="flex items-center gap-2 font-medium">
+                          <ScopeIcon scope={featureFlag.scope} isAbTestEligible={featureFlag.isAbTestEligible} />
+                          <span className="truncate">{getFeatureFlagName(featureFlag.key)}</span>
+                        </span>
+                        <span className="hidden truncate text-sm text-muted-foreground sm:block">
+                          {getFeatureFlagDescription(featureFlag.key) || featureFlag.description}
+                        </span>
+                      </div>
+                    </TableCell>
+                    {isPlanGroup && featureFlag.requiredPlan !== null && (
+                      <TableCell className="hidden text-center sm:table-cell">
+                        <Badge className={getSubscriptionPlanBadgeClass(featureFlag.requiredPlan as SubscriptionPlan)}>
+                          {getSubscriptionPlanLabel(featureFlag.requiredPlan as SubscriptionPlan)}
+                        </Badge>
+                      </TableCell>
+                    )}
+                    {showRollout && (
+                      <TableCell className="hidden text-center sm:table-cell">
+                        {featureFlag.isAbTestEligible && (
+                          <span
+                            className={
+                              featureFlag.isActive && !featureFlag.deletedAt ? undefined : "text-muted-foreground"
+                            }
+                          >
+                            {featureFlag.rolloutPercentage ?? 0}%
+                          </span>
+                        )}
+                      </TableCell>
+                    )}
+                    <TableCell className="hidden text-center sm:table-cell">
+                      <FeatureFlagStatusBadge featureFlag={featureFlag} />
+                    </TableCell>
+                  </TableRow>
+                ))}
+              </TableBody>
+            </Table>
+          </div>
+        );
+      })}
+    </div>
+  );
+}
+
+function FeatureFlagGroupSubtitle({ groupKey }: Readonly<{ groupKey: FeatureFlagGroupKey }>) {
+  switch (groupKey) {
+    case "Tenant":
+      return <Trans>Per-account flags. Owners can toggle configurable flags. Admins control A/B rollouts.</Trans>;
+    case "Plan":
+      return <Trans>Gated by subscription plan and recomputed when the plan changes. Configured only in code.</Trans>;
+    case "User":
+      return <Trans>Per-user flags. Users can toggle configurable flags. Admins control A/B rollouts.</Trans>;
+    case "System":
+      return (
+        <Trans>Platform-wide capabilities set at deployment via environment variables. Configured only in code.</Trans>
+      );
+  }
+}
+
+function FeatureFlagsSkeleton() {
+  return (
+    <div className="flex flex-col gap-2">
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </div>
+  );
+}
diff --git a/application/account/BackOffice/routes/invoices/-components/InvoicesToolbar.tsx b/application/account/BackOffice/routes/invoices/-components/InvoicesToolbar.tsx
index 886793350..1b433f5a6 100644
--- a/application/account/BackOffice/routes/invoices/-components/InvoicesToolbar.tsx
+++ b/application/account/BackOffice/routes/invoices/-components/InvoicesToolbar.tsx
@@ -22,9 +22,8 @@ export function InvoicesToolbar({ search, view }: Readonly<InvoicesToolbarProps>
   const debouncedSearch = useDebounce(searchInput, 500);
 
   useEffect(() => {
-    if ((debouncedSearch || undefined) === search) {
-      return;
-    }
+    // See UsersToolbar.tsx for the rationale on omitting `search` from this effect's deps.
+    if ((debouncedSearch || undefined) === search) return;
     navigate({
       to: "/invoices",
       search: (previous) => ({
@@ -35,7 +34,8 @@ export function InvoicesToolbar({ search, view }: Readonly<InvoicesToolbarProps>
         pageOffset: undefined
       })
     });
-  }, [debouncedSearch, navigate, search]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [debouncedSearch, navigate]);
 
   useEffect(() => {
     setSearchInput(search ?? "");
diff --git a/application/account/BackOffice/routes/invoices/index.tsx b/application/account/BackOffice/routes/invoices/index.tsx
index 50277a7d3..9b1703875 100644
--- a/application/account/BackOffice/routes/invoices/index.tsx
+++ b/application/account/BackOffice/routes/invoices/index.tsx
@@ -116,17 +116,8 @@ function InvoicesListPage() {
               </EmptyHeader>
               {hasSearch && (
                 <EmptyContent>
-                  <Button
-                    variant="outline"
-                    size="sm"
-                    onClick={() =>
-                      navigate({
-                        to: "/invoices",
-                        search: () => ({ view: activeView === "all" ? undefined : activeView })
-                      })
-                    }
-                  >
-                    <Trans>Clear search</Trans>
+                  <Button variant="outline" size="sm" onClick={() => navigate({ to: "/invoices", search: () => ({}) })}>
+                    <Trans>Clear filters</Trans>
                   </Button>
                 </EmptyContent>
               )}
diff --git a/application/account/BackOffice/routes/users/$userId.tsx b/application/account/BackOffice/routes/users/$userId.tsx
index 5c5ae99c8..bb79acb22 100644
--- a/application/account/BackOffice/routes/users/$userId.tsx
+++ b/application/account/BackOffice/routes/users/$userId.tsx
@@ -4,7 +4,7 @@ import { AppLayout } from "@repo/ui/components/AppLayout";
 import { SidebarInset, SidebarProvider } from "@repo/ui/components/Sidebar";
 import { Tabs, TabsContent, TabsList, TabsTrigger } from "@repo/ui/components/Tabs";
 import { createFileRoute, useNavigate } from "@tanstack/react-router";
-import { Building2Icon, KeyIcon, MonitorIcon } from "lucide-react";
+import { Building2Icon, FlagIcon, KeyIcon, MonitorIcon } from "lucide-react";
 import { useCallback } from "react";
 import { z } from "zod";
 
@@ -14,14 +14,15 @@ import { api } from "@/shared/lib/api/client";
 import { UserActivityTiles } from "./-components/UserActivityTiles";
 import { UserDetailHeader } from "./-components/UserDetailHeader";
 import { getUserDisplayName } from "./-components/userDisplay";
+import { UserFeatureFlagsSection } from "./-components/UserFeatureFlagsSection";
 import { UserLoginHistorySection } from "./-components/UserLoginHistorySection";
 import { UserSessionsSection } from "./-components/UserSessionsSection";
 import { UserTenantsSection } from "./-components/UserTenantsSection";
 
-type UserDetailTab = "overview" | "sessions" | "logins";
+type UserDetailTab = "overview" | "sessions" | "logins" | "feature-flags";
 
 const userDetailSearchSchema = z.object({
-  tab: z.enum(["overview", "sessions", "logins"]).optional()
+  tab: z.enum(["overview", "sessions", "logins", "feature-flags"]).optional()
 });
 
 export const Route = createFileRoute("/users/$userId")({
@@ -77,6 +78,10 @@ function UserDetailPage() {
                   <MonitorIcon className="size-4" />
                   <Trans>Sessions</Trans>
                 </TabsTrigger>
+                <TabsTrigger value="feature-flags">
+                  <FlagIcon className="size-4" />
+                  <Trans>Feature flags</Trans>
+                </TabsTrigger>
               </TabsList>
               <TabsContent value="overview">
                 <UserTenantsSection user={user} />
@@ -87,6 +92,9 @@ function UserDetailPage() {
               <TabsContent value="sessions">
                 <UserSessionsSection userId={userId} />
               </TabsContent>
+              <TabsContent value="feature-flags">
+                <UserFeatureFlagsSection userId={userId} />
+              </TabsContent>
             </Tabs>
           </div>
         </AppLayout>
diff --git a/application/account/BackOffice/routes/users/-components/UserActionsMenu.tsx b/application/account/BackOffice/routes/users/-components/UserActionsMenu.tsx
new file mode 100644
index 000000000..4bc1c439a
--- /dev/null
+++ b/application/account/BackOffice/routes/users/-components/UserActionsMenu.tsx
@@ -0,0 +1,61 @@
+import { t } from "@lingui/core/macro";
+import { Button } from "@repo/ui/components/Button";
+import { DropdownMenu, DropdownMenuContent, DropdownMenuTrigger } from "@repo/ui/components/DropdownMenu";
+import { Tooltip, TooltipContent, TooltipTrigger } from "@repo/ui/components/Tooltip";
+import { MoreVerticalIcon } from "lucide-react";
+import { useState } from "react";
+
+import type { AbInclusionPin } from "@/shared/lib/api/client";
+
+import { useMe } from "@/shared/hooks/useMe";
+
+import { AbInclusionPinMenuItems } from "../../-shared/AbInclusionPinMenuItems";
+import { SetAbInclusionPinDialog } from "../../-shared/SetAbInclusionPinDialog";
+
+interface UserActionsMenuProps {
+  userId: string;
+  userLabel: string;
+  abInclusionPin: AbInclusionPin | null | undefined;
+}
+
+export function UserActionsMenu({ userId, userLabel, abInclusionPin }: Readonly<UserActionsMenuProps>) {
+  const { data: me } = useMe();
+  const [isPinDialogOpen, setIsPinDialogOpen] = useState(false);
+
+  if (!me?.isAdmin) {
+    return null;
+  }
+
+  return (
+    <>
+      <DropdownMenu trackingTitle="User actions">
+        <Tooltip>
+          <TooltipTrigger
+            render={
+              <DropdownMenuTrigger
+                render={
+                  <Button variant="outline" size="icon-sm" aria-label={t`User actions`}>
+                    <MoreVerticalIcon className="size-4" />
+                  </Button>
+                }
+              />
+            }
+          />
+          <TooltipContent>{t`User actions`}</TooltipContent>
+        </Tooltip>
+        <DropdownMenuContent align="end">
+          <AbInclusionPinMenuItems onSelect={() => setIsPinDialogOpen(true)} />
+        </DropdownMenuContent>
+      </DropdownMenu>
+
+      <SetAbInclusionPinDialog
+        entity="user"
+        entityId={userId}
+        entityLabel={userLabel}
+        currentPin={abInclusionPin ?? null}
+        isOpen={isPinDialogOpen}
+        onOpenChange={setIsPinDialogOpen}
+      />
+    </>
+  );
+}
diff --git a/application/account/BackOffice/routes/users/-components/UserDetailHeader.tsx b/application/account/BackOffice/routes/users/-components/UserDetailHeader.tsx
index cae0d26de..e6e959f6e 100644
--- a/application/account/BackOffice/routes/users/-components/UserDetailHeader.tsx
+++ b/application/account/BackOffice/routes/users/-components/UserDetailHeader.tsx
@@ -7,6 +7,8 @@ import { CalendarIcon, CheckCircle2Icon, HashIcon, MailIcon, XCircleIcon } from
 
 import type { components } from "@/shared/lib/api/client";
 
+import { AbInclusionPinBadge } from "../../-shared/AbInclusionPinBadge";
+import { UserActionsMenu } from "./UserActionsMenu";
 import { getUserDisplayName, getUserInitials } from "./userDisplay";
 
 type BackOfficeUserDetailResponse = components["schemas"]["BackOfficeUserDetailResponse"];
@@ -60,6 +62,7 @@ export function UserDetailHeader({ user, userId, isLoading }: Readonly<UserDetai
                   </span>
                 </Badge>
               )}
+              <AbInclusionPinBadge pin={user.abInclusionPin} />
             </div>
             <div className="flex flex-wrap items-center gap-x-3 gap-y-1 text-sm text-muted-foreground">
               <span className="inline-flex items-center gap-1.5">
@@ -79,6 +82,11 @@ export function UserDetailHeader({ user, userId, isLoading }: Readonly<UserDetai
               </span>
             </div>
           </div>
+          <UserActionsMenu
+            userId={userId}
+            userLabel={getUserDisplayName(user.firstName, user.lastName, user.email)}
+            abInclusionPin={user.abInclusionPin}
+          />
         </>
       )}
     </div>
diff --git a/application/account/BackOffice/routes/users/-components/UserFeatureFlagRow.tsx b/application/account/BackOffice/routes/users/-components/UserFeatureFlagRow.tsx
new file mode 100644
index 000000000..984d24fdf
--- /dev/null
+++ b/application/account/BackOffice/routes/users/-components/UserFeatureFlagRow.tsx
@@ -0,0 +1,118 @@
+import { t } from "@lingui/core/macro";
+import { TableCell, TableRow } from "@repo/ui/components/Table";
+import { getFeatureFlagDescription, getFeatureFlagName } from "@repo/ui/featureFlags/labels";
+import { useNavigate } from "@tanstack/react-router";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+
+import type { components } from "@/shared/lib/api/client";
+
+import { api } from "@/shared/lib/api/client";
+
+import { OverrideSwitch } from "../../feature-flags/-components/OverrideSwitch";
+import { ScopeIcon } from "../../feature-flags/-components/ScopeIcon";
+
+type UserFeatureFlagInfo = components["schemas"]["UserFeatureFlagInfo"];
+
+export function UserFeatureFlagRow({
+  userId,
+  flag,
+  showBucketColumn
+}: Readonly<{ userId: string; flag: UserFeatureFlagInfo; showBucketColumn: boolean }>) {
+  const [optimisticEnabled, setOptimisticEnabled] = useState(flag.isEnabled);
+  const [optimisticIsOverride, setOptimisticIsOverride] = useState(flag.source === "manual_override");
+  // No hover-defer here — the user-detail feature-flag tab has no filters, so the row can never be
+  // removed from view by a mutation. The global mutation handler invalidates queries automatically.
+  const overrideMutation = api.useMutation("put", "/api/back-office/feature-flags/{flagKey}/user-override");
+  const removeMutation = api.useMutation("delete", "/api/back-office/feature-flags/{flagKey}/user-override");
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    setOptimisticEnabled(flag.isEnabled);
+    setOptimisticIsOverride(flag.source === "manual_override");
+  }, [flag.isEnabled, flag.source]);
+
+  const flagName = getFeatureFlagName(flag.flagKey);
+  const flagDescription = getFeatureFlagDescription(flag.flagKey) || flag.description;
+
+  const handleRemoveOverride = () => {
+    setOptimisticEnabled(flag.defaultEnabled);
+    setOptimisticIsOverride(false);
+    removeMutation.mutate(
+      { params: { path: { flagKey: flag.flagKey }, query: { userId, tenantId: flag.tenantId } } },
+      {
+        onSuccess: () =>
+          toast.success(t`Override removed for ${flagName}`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          }),
+        onError: () => {
+          setOptimisticEnabled(flag.isEnabled);
+          setOptimisticIsOverride(flag.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleSetOverride = (checked: boolean) => {
+    setOptimisticEnabled(checked);
+    setOptimisticIsOverride(true);
+    overrideMutation.mutate(
+      { params: { path: { flagKey: flag.flagKey } }, body: { userId, tenantId: flag.tenantId, enabled: checked } },
+      {
+        onSuccess: () =>
+          toast.success(checked ? t`${flagName} enabled` : t`${flagName} disabled`, {
+            description: t`It takes up to 5 minutes for changes to reach all users.`
+          }),
+        onError: () => {
+          setOptimisticEnabled(flag.isEnabled);
+          setOptimisticIsOverride(flag.source === "manual_override");
+        }
+      }
+    );
+  };
+
+  const handleToggle = (checked: boolean) => {
+    if (flag.isAbTestEligible && optimisticIsOverride && optimisticEnabled === flag.defaultEnabled) {
+      handleRemoveOverride();
+      return;
+    }
+    handleSetOverride(checked);
+  };
+
+  const isPending = overrideMutation.isPending || removeMutation.isPending;
+
+  return (
+    <TableRow
+      rowKey={flag.flagKey}
+      className="cursor-pointer"
+      onClick={() => navigate({ to: "/feature-flags/$flagKey", params: { flagKey: flag.flagKey } })}
+    >
+      <TableCell>
+        <div className="flex min-w-0 flex-col">
+          <span className="flex items-center gap-2 font-medium">
+            <ScopeIcon scope={flag.scope} isAbTestEligible={flag.isAbTestEligible} />
+            <span className="truncate">{flagName}</span>
+          </span>
+          {flagDescription && (
+            <span className="hidden truncate text-sm text-muted-foreground sm:block">{flagDescription}</span>
+          )}
+        </div>
+      </TableCell>
+      {showBucketColumn && (
+        <TableCell className="hidden text-center text-muted-foreground sm:table-cell">
+          {flag.inclusionThresholdPercentage != null ? `${flag.inclusionThresholdPercentage}%` : null}
+        </TableCell>
+      )}
+      <TableCell className="text-center" onClick={(event) => event.stopPropagation()}>
+        <OverrideSwitch
+          isManualOverride={optimisticIsOverride && flag.isAbTestEligible}
+          checked={optimisticEnabled}
+          onCheckedChange={handleToggle}
+          disabled={isPending}
+          dimmed={!flag.isBaseRowActive && optimisticEnabled}
+          ariaLabel={t`Override for ${flagName}`}
+        />
+      </TableCell>
+    </TableRow>
+  );
+}
diff --git a/application/account/BackOffice/routes/users/-components/UserFeatureFlagsSection.tsx b/application/account/BackOffice/routes/users/-components/UserFeatureFlagsSection.tsx
new file mode 100644
index 000000000..ace9c7f8d
--- /dev/null
+++ b/application/account/BackOffice/routes/users/-components/UserFeatureFlagsSection.tsx
@@ -0,0 +1,91 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { Empty, EmptyDescription, EmptyHeader, EmptyTitle } from "@repo/ui/components/Empty";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { Table, TableBody, TableHead, TableHeader, TableRow } from "@repo/ui/components/Table";
+
+import { api } from "@/shared/lib/api/client";
+
+import { UserFeatureFlagRow } from "./UserFeatureFlagRow";
+
+interface UserFeatureFlagsSectionProps {
+  userId: string;
+}
+
+export function UserFeatureFlagsSection({ userId }: Readonly<UserFeatureFlagsSectionProps>) {
+  const { data, isLoading } = api.useQuery("get", "/api/back-office/users/{id}/feature-flags", {
+    params: { path: { id: userId } }
+  });
+
+  if (isLoading) {
+    return <UserFeatureFlagsSectionSkeleton />;
+  }
+
+  const flags = data?.flags ?? [];
+
+  if (flags.length === 0) {
+    return (
+      <section className="flex flex-col gap-3">
+        <h3>
+          <Trans>Feature flags</Trans>
+        </h3>
+        <Empty className="border">
+          <EmptyHeader>
+            <EmptyTitle>
+              <Trans>No feature flags</Trans>
+            </EmptyTitle>
+            <EmptyDescription>
+              <Trans>No user-scoped feature flags are defined.</Trans>
+            </EmptyDescription>
+          </EmptyHeader>
+        </Empty>
+      </section>
+    );
+  }
+
+  const hasAbTestFlag = flags.some((f) => f.isAbTestEligible);
+  return (
+    <section className="flex flex-col gap-3">
+      <div>
+        <h3>
+          <Trans>Feature flags</Trans>
+        </h3>
+        <p className="text-sm text-muted-foreground">
+          <Trans>Per-user flags. Toggle the override switch to enable or disable for this user.</Trans>
+        </p>
+      </div>
+      <Table rowSize="compact" aria-label={t`Feature flags`} className="w-full table-fixed">
+        <TableHeader>
+          <TableRow>
+            <TableHead>
+              <Trans>Name</Trans>
+            </TableHead>
+            {hasAbTestFlag && (
+              <TableHead className="hidden w-[8rem] text-center text-muted-foreground sm:table-cell">
+                <Trans>Included at</Trans>
+              </TableHead>
+            )}
+            <TableHead className="w-[8rem] text-center">
+              <Trans>Override</Trans>
+            </TableHead>
+          </TableRow>
+        </TableHeader>
+        <TableBody>
+          {flags.map((flag) => (
+            <UserFeatureFlagRow key={flag.flagKey} userId={userId} flag={flag} showBucketColumn={hasAbTestFlag} />
+          ))}
+        </TableBody>
+      </Table>
+    </section>
+  );
+}
+
+function UserFeatureFlagsSectionSkeleton() {
+  return (
+    <section className="flex flex-col gap-2">
+      <Skeleton className="h-6 w-40" />
+      <Skeleton className="h-10 w-full rounded-md" />
+      <Skeleton className="h-14 w-full rounded-md" />
+    </section>
+  );
+}
diff --git a/application/account/BackOffice/routes/users/-components/UsersToolbar.tsx b/application/account/BackOffice/routes/users/-components/UsersToolbar.tsx
index 5b93618e4..de4e0b888 100644
--- a/application/account/BackOffice/routes/users/-components/UsersToolbar.tsx
+++ b/application/account/BackOffice/routes/users/-components/UsersToolbar.tsx
@@ -22,14 +22,17 @@ export function UsersToolbar({ search, roles, activity }: Readonly<UsersToolbarP
   const debouncedSearch = useDebounce(searchInput, 500);
 
   useEffect(() => {
-    if ((debouncedSearch || undefined) === search) {
-      return;
-    }
+    // `search` is intentionally NOT a dep here so external URL changes (Clear filters) don't fire
+    // this effect with a stale debouncedSearch and immediately re-push the old typed value back
+    // into the URL. The companion sync effect below handles URL → input. This effect only runs
+    // when the user types something new and the debounce settles.
+    if ((debouncedSearch || undefined) === search) return;
     navigate({
       to: "/users",
       search: (previous) => ({ ...previous, search: debouncedSearch || undefined, pageOffset: undefined })
     });
-  }, [debouncedSearch, navigate, search]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [debouncedSearch, navigate]);
 
   useEffect(() => {
     setSearchInput(search ?? "");
diff --git a/application/account/BackOffice/routes/users/index.tsx b/application/account/BackOffice/routes/users/index.tsx
index e8875606d..25c8b4760 100644
--- a/application/account/BackOffice/routes/users/index.tsx
+++ b/application/account/BackOffice/routes/users/index.tsx
@@ -1,10 +1,11 @@
 import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
 import { AppLayout } from "@repo/ui/components/AppLayout";
-import { Empty, EmptyDescription, EmptyHeader, EmptyMedia, EmptyTitle } from "@repo/ui/components/Empty";
+import { Button } from "@repo/ui/components/Button";
+import { Empty, EmptyContent, EmptyDescription, EmptyHeader, EmptyMedia, EmptyTitle } from "@repo/ui/components/Empty";
 import { SidebarInset, SidebarProvider } from "@repo/ui/components/Sidebar";
 import { keepPreviousData } from "@tanstack/react-query";
-import { createFileRoute } from "@tanstack/react-router";
+import { createFileRoute, useNavigate } from "@tanstack/react-router";
 import { UsersIcon } from "lucide-react";
 import { z } from "zod";
 
@@ -66,19 +67,7 @@ function UsersSearchPage() {
           <UsersToolbar search={search} roles={roles ?? []} activity={activity} />
 
           {showNoResults ? (
-            <Empty>
-              <EmptyHeader>
-                <EmptyMedia variant="icon">
-                  <UsersIcon />
-                </EmptyMedia>
-                <EmptyTitle>
-                  <Trans>No users match your search</Trans>
-                </EmptyTitle>
-                <EmptyDescription>
-                  <Trans>Try a different search term or clear the role and activity filters.</Trans>
-                </EmptyDescription>
-              </EmptyHeader>
-            </Empty>
+            <UsersNoResultsEmpty />
           ) : showEmpty ? (
             <Empty>
               <EmptyHeader>
@@ -108,3 +97,27 @@ function UsersSearchPage() {
     </SidebarProvider>
   );
 }
+
+function UsersNoResultsEmpty() {
+  const navigate = useNavigate();
+  return (
+    <Empty>
+      <EmptyHeader>
+        <EmptyMedia variant="icon">
+          <UsersIcon />
+        </EmptyMedia>
+        <EmptyTitle>
+          <Trans>No users match your search</Trans>
+        </EmptyTitle>
+        <EmptyDescription>
+          <Trans>Try a different search term or clear the role and activity filters.</Trans>
+        </EmptyDescription>
+      </EmptyHeader>
+      <EmptyContent>
+        <Button variant="outline" size="sm" onClick={() => navigate({ to: "/users", search: () => ({}) })}>
+          <Trans>Clear filters</Trans>
+        </Button>
+      </EmptyContent>
+    </Empty>
+  );
+}
diff --git a/application/account/BackOffice/shared/components/BackOfficeSideMenu.tsx b/application/account/BackOffice/shared/components/BackOfficeSideMenu.tsx
index 4c7ceddbf..f88d4cace 100644
--- a/application/account/BackOffice/shared/components/BackOfficeSideMenu.tsx
+++ b/application/account/BackOffice/shared/components/BackOfficeSideMenu.tsx
@@ -13,7 +13,7 @@ import {
   SidebarRail
 } from "@repo/ui/components/Sidebar";
 import { Link as RouterLink, useRouter } from "@tanstack/react-router";
-import { Building2Icon, HomeIcon, ReceiptIcon, UsersIcon, ZapIcon } from "lucide-react";
+import { Building2Icon, FlagIcon, HomeIcon, ReceiptIcon, UsersIcon, ZapIcon } from "lucide-react";
 
 import { BackOfficeAvatarMenu } from "./BackOfficeAvatarMenu";
 
@@ -28,6 +28,7 @@ export function BackOfficeSideMenu() {
   const isUsersActive = currentPath === "/users" || currentPath.startsWith("/users/");
   const isBillingEventsActive = currentPath === "/billing-events" || currentPath.startsWith("/billing-events/");
   const isInvoicesActive = currentPath === "/invoices" || currentPath.startsWith("/invoices/");
+  const isFeatureFlagsActive = currentPath === "/feature-flags" || currentPath.startsWith("/feature-flags/");
 
   return (
     <Sidebar collapsible="icon">
@@ -106,6 +107,25 @@ export function BackOfficeSideMenu() {
               </SidebarGroupContent>
             </SidebarGroup>
           )}
+          <SidebarGroup>
+            <SidebarGroupLabel>
+              <Trans>Platform</Trans>
+            </SidebarGroupLabel>
+            <SidebarGroupContent>
+              <SidebarMenu>
+                <SidebarMenuItem>
+                  <SidebarMenuButton asChild={true} isActive={isFeatureFlagsActive} tooltip={t`Feature flags`}>
+                    <RouterLink to="/feature-flags">
+                      <FlagIcon />
+                      <span>
+                        <Trans>Feature flags</Trans>
+                      </span>
+                    </RouterLink>
+                  </SidebarMenuButton>
+                </SidebarMenuItem>
+              </SidebarMenu>
+            </SidebarGroupContent>
+          </SidebarGroup>
         </SidebarContent>
       </nav>
       <SidebarRail />
diff --git a/application/account/BackOffice/shared/lib/api/client.ts b/application/account/BackOffice/shared/lib/api/client.ts
index 9dea4fbbd..ccd08f64d 100644
--- a/application/account/BackOffice/shared/lib/api/client.ts
+++ b/application/account/BackOffice/shared/lib/api/client.ts
@@ -4,4 +4,4 @@ import type { components, paths } from "./api.generated";
 
 export * from "./api.generated.d";
 export type Schemas = components["schemas"];
-export const { api, queryClient } = createApiClient<paths>();
+export const { api, apiClient, queryClient } = createApiClient<paths>();
diff --git a/application/account/BackOffice/shared/translations/locale/da-DK.po b/application/account/BackOffice/shared/translations/locale/da-DK.po
index dbccce70e..86bed4562 100644
--- a/application/account/BackOffice/shared/translations/locale/da-DK.po
+++ b/application/account/BackOffice/shared/translations/locale/da-DK.po
@@ -41,6 +41,28 @@ msgstr "{count, plural, one {# konto er endnu ikke synkroniseret — MRR-tendens
 msgid "{diffDays, plural, one {# day ago} other {# days ago}}"
 msgstr "{diffDays, plural, one {# dag siden} other {# dage siden}}"
 
+msgid "{entityLabel} is now first in feature flag rollouts"
+msgstr "{entityLabel} er nu først i feature flag-udrulninger"
+
+msgid "{entityLabel} is now last in feature flag rollouts"
+msgstr "{entityLabel} er nu sidst i feature flag-udrulninger"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "{featureFlagDescription} disabled for {0}"
+msgstr "{featureFlagDescription} deaktiveret for {0}"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "{featureFlagDescription} enabled for {0}"
+msgstr "{featureFlagDescription} aktiveret for {0}"
+
+msgid "{flagName} disabled"
+msgstr "{flagName} deaktiveret"
+
+msgid "{flagName} enabled"
+msgstr "{flagName} aktiveret"
+
 msgid "{inactiveUsers} inactive"
 msgstr "{inactiveUsers} inaktive"
 
@@ -87,12 +109,18 @@ msgstr "7d"
 msgid "90d"
 msgstr "90d"
 
+msgid "A/B test"
+msgstr "A/B-test"
+
 msgid "Account"
 msgstr "Konto"
 
 msgid "Account actions"
 msgstr "Kontohandlinger"
 
+msgid "Account flags"
+msgstr "Kontoflag"
+
 msgid "Account growth"
 msgstr "Kontovækst"
 
@@ -104,6 +132,9 @@ msgstr "Kontoen har {0} afvigelser. Sidst afstemt {1}. Hvis standard-afstemning
 msgid "Account preview"
 msgstr "Kontoforhåndsvisning"
 
+msgid "Account status"
+msgstr "Kontostatus"
+
 msgid "Account users"
 msgstr "Kontobrugere"
 
@@ -113,9 +144,18 @@ msgstr "konti"
 msgid "Accounts"
 msgstr "Konti"
 
+msgid "Accounts are automatically enabled or disabled based on their subscription plan. No manual overrides are available for plan-managed flags."
+msgstr "Konti aktiveres eller deaktiveres automatisk baseret på deres abonnement. Manuelle tilsidesættelser er ikke tilgængelige for abonnementsstyrede flag."
+
+msgid "Accounts are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific accounts."
+msgstr "Konti inkluderes automatisk baseret på deres udrulningsbucket. Brug tilsidesættelser for manuelt at inkludere eller udelukke specifikke konti."
+
 msgid "Accounts will appear here as they are created."
 msgstr "Konti vises her, når de oprettes."
 
+msgid "Accounts will appear here as they qualify for this feature."
+msgstr "Konti vises her, efterhånden som de kvalificerer til denne funktion."
+
 msgid "Actions"
 msgstr "Handlinger"
 
@@ -135,10 +175,10 @@ msgid "All"
 msgstr "Alle"
 
 msgid "All accounts this user is a member of, with their plan and role."
-msgstr "Alle konti, brugeren er medlem af, med deres plan og rolle."
+msgstr "Alle konti denne bruger er medlem af, med deres abonnement og rolle."
 
 msgid "All users across every account, most recently seen first. Search and filter to narrow down."
-msgstr "Alle brugere på tværs af konti, senest sete først. Søg og filtrér for at indsnævre."
+msgstr "Alle brugere på tværs af alle konti, senest sete først. Søg og filtrér for at indsnævre."
 
 msgid "All-time"
 msgstr "Samlet"
@@ -146,6 +186,9 @@ msgstr "Samlet"
 msgid "All-time, excluding VAT"
 msgstr "Hele perioden, eksklusiv moms"
 
+msgid "Always on"
+msgstr "Altid aktiveret"
+
 msgid "Amount"
 msgstr "Beløb"
 
@@ -158,7 +201,7 @@ msgid "Appended {0} new billing events. Last reconciled at {1}."
 msgstr "Tilføjede {0} nye faktureringshændelser. Sidst afstemt {1}."
 
 msgid "Authoritative log of subscription, payment, and billing transitions across all accounts."
-msgstr "Autoritativ log over abonnements-, betalings- og faktureringsændringer på tværs af alle konti."
+msgstr "Autoritativ log over abonnements-, betalings- og faktureringsovergange på tværs af alle konti."
 
 msgid "Back Office"
 msgstr "Back Office"
@@ -169,6 +212,9 @@ msgstr "Back Office - Localhost"
 msgid "Back Office overview · {today}"
 msgstr "Back Office oversigt · {today}"
 
+msgid "Back to feature flags"
+msgstr "Tilbage til feature flags"
+
 msgid "Basis"
 msgstr "Basis"
 
@@ -182,10 +228,10 @@ msgid "Billing events"
 msgstr "Faktureringshændelser"
 
 msgid "Billing info added"
-msgstr "Faktureringsinfo tilføjet"
+msgstr "Faktureringsoplysninger tilføjet"
 
 msgid "Billing info updated"
-msgstr "Faktureringsinfo opdateret"
+msgstr "Faktureringsoplysninger opdateret"
 
 msgid "blended"
 msgstr "blandet"
@@ -197,7 +243,7 @@ msgid "Browser"
 msgstr "Browser"
 
 msgid "Cancel"
-msgstr "Annuller"
+msgstr "Annullér"
 
 msgid "Canceled"
 msgstr "Opsagt"
@@ -223,6 +269,9 @@ msgstr "Skift tema"
 msgid "Change zoom level"
 msgstr "Skift zoomniveau"
 
+msgid "Choose how {entityLabel} participates in feature flag rollouts. Per-flag manual overrides still take precedence over this setting."
+msgstr "Vælg hvordan {entityLabel} deltager i feature flag-udrulninger. Manuelle tilsidesættelser pr. flag har stadig forrang over denne indstilling."
+
 msgid "Clear filter"
 msgstr "Ryd filter"
 
@@ -270,7 +319,7 @@ msgstr "Dashboard"
 #. placeholder {0}: formatCurrency(data.kpiMonthlyRecurringRevenue, currency)
 #. placeholder {1}: formatCurrency(data.trendLatestMonthlyRecurringRevenue, currency)
 msgid "Dashboard MRR mismatch: KPI shows {0}, trend latest shows {1}."
-msgstr "MRR-uoverensstemmelse på dashboard: KPI viser {0}, seneste tendens viser {1}."
+msgstr "Dashboard MRR uoverensstemmelse: KPI viser {0}, tendens viser senest {1}."
 
 msgid "Date"
 msgstr "Dato"
@@ -278,12 +327,28 @@ msgstr "Dato"
 msgid "Default"
 msgstr "Standard"
 
+msgid "Delete feature flag"
+msgstr "Slet feature flag"
+
+msgid "Delete flag and all overrides"
+msgstr "Slet flag og alle tilsidesættelser"
+
+msgid "Deleted"
+msgstr "Slettet"
+
+#. placeholder {0}: formatTimestamp(featureFlag.deletedAt)
+msgid "Deleted: {0}"
+msgstr "Slettet: {0}"
+
 msgid "Desktop"
 msgstr "Computer"
 
 msgid "Device"
 msgstr "Enhed"
 
+msgid "Disabled"
+msgstr "Deaktiveret"
+
 msgid "Disaster recovery complete"
 msgstr "Katastrofegendannelse fuldført"
 
@@ -305,6 +370,9 @@ msgstr "Nedgraderer"
 msgid "Drift detected"
 msgstr "Afvigelser fundet"
 
+msgid "Each account or user is assigned a fixed bucket (0-99) based on their sequence number. The rollout targets a specific range of buckets, ensuring consistent and predictable feature rollout."
+msgstr "Hver konto eller bruger tildeles en fast bucket (0-99) baseret på deres sekvensnummer. Udrulningen rammer et specifikt interval af buckets, hvilket sikrer en konsistent og forudsigelig udrulning."
+
 msgid "Email"
 msgstr "E-mail"
 
@@ -314,8 +382,20 @@ msgstr "E-mail bekræftet"
 msgid "Email pending"
 msgstr "E-mail afventer"
 
+msgid "Enabled"
+msgstr "Aktiveret"
+
+#. placeholder {0}: formatTimestamp(featureFlag.enabledAt)
+#. placeholder {1}: formatTimestamp(featureFlag.disabledAt)
+msgid "Enabled period: {0} - {1}"
+msgstr "Aktiveret periode: {0} - {1}"
+
+#. placeholder {0}: formatTimestamp(featureFlag.enabledAt)
+msgid "Enabled: {0}"
+msgstr "Aktiveret: {0}"
+
 msgid "Enter kiosk mode"
-msgstr "Aktivér kiosktilstand"
+msgstr "Skift til kiosktilstand"
 
 msgid "Event"
 msgstr "Hændelse"
@@ -324,16 +404,16 @@ msgid "Event view"
 msgstr "Hændelsesvisning"
 
 msgid "Every invoice, refund, and credit note — the money in and out for this subscription."
-msgstr "Alle fakturaer, refusioner og kreditnotaer — pengene ind og ud for dette abonnement."
+msgstr "Alle fakturaer, refunderinger og kreditnotaer — pengestrømmen ind og ud for dette abonnement."
 
 msgid "Every invoice, refund, and credit note across all accounts."
-msgstr "Alle fakturaer, refusioner og kreditnotaer på tværs af alle konti."
+msgstr "Alle fakturaer, refunderinger og kreditnotaer på tværs af alle konti."
 
 msgid "Every sign-in attempt over the last 30 days, successful or failed, across email and external providers."
-msgstr "Alle log-ind-forsøg de seneste 30 dage, lykkedes eller mislykkedes, på tværs af e-mail og eksterne udbydere."
+msgstr "Alle login-forsøg de seneste 30 dage, succesfulde eller mislykkede, på tværs af e-mail og eksterne udbydere."
 
 msgid "Exit kiosk mode"
-msgstr "Afslut kiosktilstand"
+msgstr "Forlad kiosktilstand"
 
 msgid "Expired"
 msgstr "Udløbet"
@@ -344,21 +424,66 @@ msgstr "Udløber"
 msgid "Failed"
 msgstr "Mislykket"
 
+msgid "Feature flag activated"
+msgstr "Feature flag aktiveret"
+
+msgid "Feature flag deactivated"
+msgstr "Feature flag deaktiveret"
+
+msgid "Feature flag deleted: {flagName}"
+msgstr "Feature flag slettet: {flagName}"
+
+msgid "Feature flag rollouts"
+msgstr "Feature flag-udrulninger"
+
+msgid "Feature flag rollouts reset to default for {entityLabel}"
+msgstr "Feature flag-udrulninger nulstillet til standard for {entityLabel}"
+
+msgid "Feature flags"
+msgstr "Feature flags"
+
+msgid "Feature flags are defined in code. This view controls their activation and rollout. It takes up to 5 minutes for changes to reach all users."
+msgstr "Feature flags er defineret i koden. Denne visning styrer deres aktivering og udrulning. Det tager op til 5 minutter, før ændringer når alle brugere."
+
+msgid "First in feature flag rollouts"
+msgstr "Først i feature flag-udrulninger"
+
 msgid "Free"
 msgstr "Gratis"
 
+msgid "Gated by subscription plan and recomputed when the plan changes. Configured only in code."
+msgstr "Begrænset af abonnementet og genberegnet når abonnementet ændres. Konfigureres kun i koden."
+
+msgid "Gated by the account's subscription plan. Read-only."
+msgstr "Begrænset af kontoens abonnement. Skrivebeskyttet."
+
 msgid "Go to home"
 msgstr "Gå til forsiden"
 
 msgid "Google"
 msgstr "Google"
 
+msgid "Has override"
+msgstr "Med tilsidesættelse"
+
 msgid "Hide details"
 msgstr "Skjul detaljer"
 
 msgid "Inactive"
 msgstr "Inaktive"
 
+msgid "Included at"
+msgstr "Inkluderet ved"
+
+msgid "Included at 1% — the first to receive any feature flag rollout."
+msgstr "Inkluderet ved 1 % — den første til at modtage enhver feature flag-udrulning."
+
+msgid "Included at 100% — the last to receive any feature flag rollout."
+msgstr "Inkluderet ved 100 % — den sidste til at modtage enhver feature flag-udrulning."
+
+msgid "Included in feature flag rollouts based on the assigned rollout bucket."
+msgstr "Inkluderet i feature flag-udrulninger baseret på den tildelte udrulningsbucket."
+
 msgid "Invoice"
 msgstr "Faktura"
 
@@ -369,11 +494,14 @@ msgid "Invoices"
 msgstr "Fakturaer"
 
 msgid "Invoices will appear here as accounts subscribe and Stripe webhooks are processed."
-msgstr "Fakturaer vises her, når konti tilmelder sig, og Stripe-webhooks behandles."
+msgstr "Fakturaer vises her efterhånden som konti abonnerer, og Stripe-webhooks behandles."
 
 msgid "IP address"
 msgstr "IP-adresse"
 
+msgid "It takes up to 5 minutes for changes to reach all users."
+msgstr "Det tager op til 5 minutter, før ændringer når alle brugere."
+
 msgid "Just now"
 msgstr "Lige nu"
 
@@ -392,6 +520,12 @@ msgstr "Sidste {periodDays} dage"
 msgid "Last 24 hours"
 msgstr "Sidste 24 timer"
 
+msgid "Last changed"
+msgstr "Senest ændret"
+
+msgid "Last in feature flag rollouts"
+msgstr "Sidst i feature flag-udrulninger"
+
 msgid "Last invoice"
 msgstr "Sidste faktura"
 
@@ -437,6 +571,9 @@ msgstr "Logo"
 msgid "Main navigation"
 msgstr "Hovednavigation"
 
+msgid "Manual override active. Click again to flip, three times to clear."
+msgstr "Manuel tilsidesættelse er aktiv. Klik igen for at skifte, tre gange for at fjerne."
+
 msgid "Member"
 msgstr "Medlem"
 
@@ -464,6 +601,9 @@ msgstr "MRR-tendens"
 msgid "Name"
 msgstr "Navn"
 
+msgid "Name:"
+msgstr "Navn:"
+
 msgid "Navigation"
 msgstr "Navigation"
 
@@ -482,6 +622,9 @@ msgstr "Ingen kontomedlemskaber"
 msgid "No accounts match your filters"
 msgstr "Ingen konti matcher dine filtre"
 
+msgid "No accounts qualify for this feature yet"
+msgstr "Ingen konti kvalificerer til denne funktion endnu"
+
 msgid "No accounts yet"
 msgstr "Ingen konti endnu"
 
@@ -503,11 +646,14 @@ msgstr "Ingen faktureringshændelser endnu"
 msgid "No change"
 msgstr "Ingen ændring"
 
+msgid "No feature flags"
+msgstr "Ingen feature flags"
+
 msgid "No invoices yet"
 msgstr "Ingen fakturaer endnu"
 
 msgid "No invoices, refunds, or credit notes yet."
-msgstr "Ingen fakturaer, refusioner eller kreditnotaer endnu."
+msgstr "Ingen fakturaer, refunderinger eller kreditnotaer endnu."
 
 msgid "No login history"
 msgstr "Ingen login-historik"
@@ -516,7 +662,7 @@ msgid "No matching users"
 msgstr "Ingen matchende brugere"
 
 msgid "No new billing events were appended. Account state matches Stripe."
-msgstr "Ingen nye faktureringshændelser blev tilføjet. Kontotilstand matcher Stripe."
+msgstr "Ingen nye faktureringshændelser blev tilføjet. Kontotilstanden matcher Stripe."
 
 msgid "No owners"
 msgstr "Ingen ejere"
@@ -560,9 +706,15 @@ msgstr "Ingen sessioner"
 msgid "No sign-in attempts in the last 30 days."
 msgstr "Ingen login-forsøg de seneste 30 dage."
 
+msgid "No tenant-scoped feature flags are defined for this account."
+msgstr "Der er ingen feature flags defineret for denne konto."
+
 msgid "No transactions"
 msgstr "Ingen transaktioner"
 
+msgid "No user-scoped feature flags are defined."
+msgstr "Der er ingen brugeromfattede feature flags defineret."
+
 msgid "No users"
 msgstr "Ingen brugere"
 
@@ -572,6 +724,9 @@ msgstr "Ingen brugere matcher dine filtre."
 msgid "No users match your search"
 msgstr "Ingen brugere matcher din søgning"
 
+msgid "No users qualify for this feature yet"
+msgstr "Ingen brugere kvalificerer til denne funktion endnu"
+
 msgid "No users yet"
 msgstr "Ingen brugere endnu"
 
@@ -579,10 +734,10 @@ msgid "Not synced yet"
 msgstr "Ikke synkroniseret endnu"
 
 msgid "Occurred"
-msgstr "Tidspunkt"
+msgstr "Forekom"
 
 msgid "One row per device or browser the user is signed in from. Revoked sessions cannot sign in again."
-msgstr "En række pr. enhed eller browser, brugeren er logget ind fra. Tilbagekaldte sessioner kan ikke logge ind igen."
+msgstr "En række pr. enhed eller browser brugeren er logget ind fra. Tilbagekaldte sessioner kan ikke logge ind igen."
 
 msgid "One-time password"
 msgstr "Engangskode"
@@ -608,6 +763,25 @@ msgstr "Resultat"
 msgid "over period"
 msgstr "over perioden"
 
+msgid "Override"
+msgstr "Tilsidesættelse"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "Override for {0}"
+msgstr "Tilsidesættelse for {0}"
+
+msgid "Override for {flagName}"
+msgstr "Tilsidesættelse for {flagName}"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "Override removed for {0}"
+msgstr "Tilsidesættelse fjernet for {0}"
+
+msgid "Override removed for {flagName}"
+msgstr "Tilsidesættelse fjernet for {flagName}"
+
 msgid "Overview"
 msgstr "Overblik"
 
@@ -647,9 +821,27 @@ msgstr "Afventer"
 msgid "per month, billed monthly"
 msgstr "pr. måned, faktureres månedligt"
 
+msgid "Per-account flags. Owners can toggle configurable flags. Admins control A/B rollouts."
+msgstr "Konto-specifikke flag. Ejere kan slå konfigurerbare flag til og fra. Admins styrer A/B-udrulninger."
+
+msgid "Per-account flags. Toggle the override switch to enable or disable for this account."
+msgstr "Per-konto flags. Skift tilsidesættelsesknappen for at aktivere eller deaktivere for denne konto."
+
+msgid "Per-user flags. Toggle the override switch to enable or disable for this user."
+msgstr "Per-bruger flags. Skift tilsidesættelsesknappen for at aktivere eller deaktivere for denne bruger."
+
+msgid "Per-user flags. Users can toggle configurable flags. Admins control A/B rollouts."
+msgstr "Brugerspecifikke flag. Brugere kan slå konfigurerbare flag til og fra. Admins styrer A/B-udrulninger."
+
+msgid "Percentage of accounts or users included in the A/B rollout. Buckets are assigned consistently per account or user."
+msgstr "Procentdel af konti eller brugere inkluderet i A/B-udrulningen. Buckets tildeles konsekvent pr. konto eller bruger."
+
 msgid "Period"
 msgstr "Periode"
 
+msgid "Permanently delete <0>{flagName}</0> ({flagKey}) and all account and user overrides. This cannot be undone."
+msgstr "Slet <0>{flagName}</0> ({flagKey}) og alle konto- og brugertilsidesættelser permanent. Dette kan ikke fortrydes."
+
 msgid "Plan"
 msgstr "Plan"
 
@@ -657,13 +849,22 @@ msgid "Plan & revenue"
 msgstr "Abonnement og omsætning"
 
 msgid "Plan changes, renewals, cancellations, and payment outcomes — the subscription lifecycle and its MRR impact over time."
-msgstr "Planændringer, fornyelser, opsigelser og betalingsresultater — abonnementets livscyklus og dets MRR-effekt over tid."
+msgstr "Abonnementsændringer, fornyelser, opsigelser og betalingsresultater — abonnementets livscyklus og dets MRR-effekt over tid."
 
 msgid "Plan distribution"
 msgstr "Plan-fordeling"
 
+msgid "Plan flags"
+msgstr "Abonnementsflag"
+
 msgid "Plan transition"
-msgstr "Abonnementsændring"
+msgstr "Abonnementsovergang"
+
+msgid "Platform"
+msgstr "Platform"
+
+msgid "Platform-wide capabilities set at deployment via environment variables. Configured only in code."
+msgstr "Platformomspændende funktioner sat ved udrulning via miljøvariabler. Konfigureres kun i koden."
 
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
@@ -702,10 +903,10 @@ msgid "Reconcile"
 msgstr "Afstem"
 
 msgid "Reconcile complete"
-msgstr "Afstemning fuldført"
+msgstr "Afstemning gennemført"
 
 msgid "Reconcile complete with drift detected"
-msgstr "Afstemning fuldført med afvigelser fundet"
+msgstr "Afstemning gennemført med afvigelser fundet"
 
 #. placeholder {0}: archivedAwaiting.count
 #. placeholder {1}: formatDate(archivedAwaiting.oldestOccurredAt)
@@ -737,6 +938,9 @@ msgstr "Refunderinger og kreditnotaer"
 msgid "Refunds and credit notes across all accounts."
 msgstr "Refunderinger og kreditnotaer på tværs af alle konti."
 
+msgid "Removed"
+msgstr "Fjernet"
+
 msgid "Renewal"
 msgstr "Fornyelse"
 
@@ -756,6 +960,12 @@ msgstr "Fornyes {0}"
 msgid "Replayed {0} archived events into the billing event ledger at {1}."
 msgstr "Afspillede {0} arkiverede hændelser til faktureringshændelseslogen {1}."
 
+msgid "Required plan"
+msgstr "Krævet abonnement"
+
+msgid "Required plan:"
+msgstr "Krævet abonnement:"
+
 msgid "Revenue"
 msgstr "Omsætning"
 
@@ -765,9 +975,33 @@ msgstr "Tilbagekaldt"
 msgid "Role"
 msgstr "Rolle"
 
+msgid "Rollout"
+msgstr "Udrulning"
+
+msgid "Rollout %"
+msgstr "Udrulning %"
+
+msgid "Rollout bucket information"
+msgstr "Information om udrulningsbucket"
+
+msgid "Rollout buckets: {rolloutBucketStart}-{rolloutBucketEnd} ({rolloutPercentage}%)"
+msgstr "Udrulningsbuckets: {rolloutBucketStart}-{rolloutBucketEnd} ({rolloutPercentage}%)"
+
+msgid "Rollout buckets: {rolloutBucketStart}-99 and 0-{rolloutBucketEnd} ({rolloutPercentage}%)"
+msgstr "Udrulningsbuckets: {rolloutBucketStart}-99 og 0-{rolloutBucketEnd} ({rolloutPercentage}%)"
+
+msgid "Rollout percentage updated"
+msgstr "Udrulningsprocent opdateret"
+
 msgid "Run disaster recovery"
 msgstr "Kør katastrofegendannelse"
 
+msgid "Save changes"
+msgstr "Gem ændringer"
+
+msgid "Saving..."
+msgstr "Gemmer..."
+
 msgid "Scheduled plan change"
 msgstr "Planlagt planændring"
 
@@ -780,6 +1014,9 @@ msgstr "Søg"
 msgid "Search by account name"
 msgstr "Søg efter kontonavn"
 
+msgid "Search by account name or owner email"
+msgstr "Søg efter kontonavn eller ejer-e-mail"
+
 msgid "Search by email, name, or account"
 msgstr "Søg på e-mail, navn eller konto"
 
@@ -798,6 +1035,9 @@ msgstr "Søg, filtrér og gennemse konti."
 msgid "Sessions"
 msgstr "Sessioner"
 
+msgid "Show deleted"
+msgstr "Vis slettede"
+
 msgid "Show details"
 msgstr "Vis detaljer"
 
@@ -822,6 +1062,9 @@ msgstr "Noget gik galt"
 msgid "Standard"
 msgstr "Standard"
 
+msgid "State"
+msgstr "Tilstand"
+
 msgid "Status"
 msgstr "Status"
 
@@ -835,10 +1078,10 @@ msgid "Subscription state"
 msgstr "Abonnementstilstand"
 
 msgid "Subscription, payment, and billing transitions will appear here as Stripe webhooks are processed."
-msgstr "Abonnements-, betalings- og faktureringsændringer vises her, når Stripe-webhooks behandles."
+msgstr "Abonnements-, betalings- og faktureringsovergange vises her efterhånden som Stripe-webhooks behandles."
 
 msgid "Subscription, payment, and billing transitions will appear here."
-msgstr "Abonnements-, betalings- og faktureringsændringer vises her."
+msgstr "Abonnements-, betalings- og faktureringsovergange vises her."
 
 msgid "Subscriptions, upgrades, and cancellations will appear here."
 msgstr "Tilmeldinger, opgraderinger og opsigelser vises her."
@@ -850,7 +1093,7 @@ msgid "Succeeded"
 msgstr "Gennemført"
 
 msgid "Successful logins will appear here as users sign in."
-msgstr "Vellykkede logins vises her, når brugere logger ind."
+msgstr "Succesfulde logins vises her, efterhånden som brugere logger ind."
 
 msgid "Successful, pending, and failed invoices across all accounts."
 msgstr "Gennemførte, afventende og mislykkede fakturaer på tværs af alle konti."
@@ -861,6 +1104,9 @@ msgstr "Suspenderet"
 msgid "System"
 msgstr "System"
 
+msgid "System flags"
+msgstr "Systemflag"
+
 msgid "Tablet"
 msgstr "Tablet"
 
@@ -870,9 +1116,24 @@ msgstr "Siden du leder efter findes ikke eller er blevet flyttet."
 msgid "Theme"
 msgstr "Tema"
 
+msgid "This account"
+msgstr "Denne konto"
+
 msgid "This account has no users."
 msgstr "Denne konto har ingen brugere."
 
+msgid "This flag has been deleted. It is retained for historical telemetry. Adding a new feature flag with the same name will fail deployment."
+msgstr "Dette feature flag er blevet slettet. Det bevares til historisk telemetri. Tilføjelse af et nyt feature flag med samme navn vil få deployment til at fejle."
+
+msgid "This flag is managed by the subscription plan. It is automatically enabled for accounts on the required plan or higher."
+msgstr "Dette flag styres af abonnementet. Det aktiveres automatisk for konti på det krævede abonnement eller højere."
+
+msgid "This flag no longer exists in code. Delete it to remove all account and user overrides."
+msgstr "Dette feature flag findes ikke længere i koden. Slet det for at fjerne alle konto- og brugertilsidesættelser."
+
+msgid "This is a stable module. It is always on and cannot be deactivated."
+msgstr "Dette er et stabilt modul. Det er altid aktiveret og kan ikke slås fra."
+
 msgid "this period"
 msgstr "denne periode"
 
@@ -885,6 +1146,18 @@ msgstr "Denne bruger har ingen registrerede sessioner."
 msgid "This user is not a member of any account."
 msgstr "Denne bruger er ikke medlem af nogen konto."
 
+msgid "Toggle activation"
+msgstr "Skift aktivering"
+
+msgid "Toggle the override switch to enable this feature for specific accounts."
+msgstr "Skift tilsidesættelsesknappen for at aktivere denne funktion for specifikke konti."
+
+msgid "Toggle the override switch to enable this feature for specific users."
+msgstr "Skift tilsidesættelsesknappen for at aktivere denne funktion for specifikke brugere."
+
+msgid "Toggle whether this feature flag is currently active. When inactive, accounts and users receive the disabled state regardless of overrides."
+msgstr "Skift om dette feature flag er aktivt. Når inaktivt, modtager konti og brugere den deaktiverede tilstand uanset tilsidesættelser."
+
 msgid "Total"
 msgstr "I alt"
 
@@ -918,23 +1191,38 @@ msgstr "Opgraderet"
 msgid "User"
 msgstr "Bruger"
 
+msgid "User actions"
+msgstr "Brugerhandlinger"
+
 msgid "User detail"
 msgstr "Brugerdetalje"
 
+msgid "User flags"
+msgstr "Brugerflag"
+
 msgid "User logins / day"
 msgstr "Brugerlogins / dag"
 
 msgid "User menu"
 msgstr "Brugermenu"
 
+msgid "User status"
+msgstr "Brugerstatus"
+
 msgid "Users"
 msgstr "Brugere"
 
 msgid "Users active"
 msgstr "Aktive brugere"
 
+msgid "Users are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific users."
+msgstr "Brugere inkluderes automatisk baseret på deres udrulningsbucket. Brug tilsidesættelser for manuelt at inkludere eller udelukke specifikke brugere."
+
 msgid "Users will appear here as accounts are created."
-msgstr "Brugere vises her, efterhånden som konti oprettes."
+msgstr "Brugere vises her efterhånden som konti oprettes."
+
+msgid "Users will appear here as they qualify for this feature."
+msgstr "Brugere vises her, efterhånden som de kvalificerer til denne funktion."
 
 msgid "VAT"
 msgstr "Moms"
@@ -963,6 +1251,9 @@ msgstr "mod forrige periode"
 msgid "When"
 msgstr "Hvornår"
 
+msgid "With override"
+msgstr "Med tilsidesættelse"
+
 msgid "Yesterday"
 msgstr "I går"
 
diff --git a/application/account/BackOffice/shared/translations/locale/en-US.po b/application/account/BackOffice/shared/translations/locale/en-US.po
index 190dc5b5d..ac90e0bdf 100644
--- a/application/account/BackOffice/shared/translations/locale/en-US.po
+++ b/application/account/BackOffice/shared/translations/locale/en-US.po
@@ -41,6 +41,28 @@ msgstr "{count, plural, one {# account has not been synced yet — MRR trend is
 msgid "{diffDays, plural, one {# day ago} other {# days ago}}"
 msgstr "{diffDays, plural, one {# day ago} other {# days ago}}"
 
+msgid "{entityLabel} is now first in feature flag rollouts"
+msgstr "{entityLabel} is now first in feature flag rollouts"
+
+msgid "{entityLabel} is now last in feature flag rollouts"
+msgstr "{entityLabel} is now last in feature flag rollouts"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "{featureFlagDescription} disabled for {0}"
+msgstr "{featureFlagDescription} disabled for {0}"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "{featureFlagDescription} enabled for {0}"
+msgstr "{featureFlagDescription} enabled for {0}"
+
+msgid "{flagName} disabled"
+msgstr "{flagName} disabled"
+
+msgid "{flagName} enabled"
+msgstr "{flagName} enabled"
+
 msgid "{inactiveUsers} inactive"
 msgstr "{inactiveUsers} inactive"
 
@@ -87,12 +109,18 @@ msgstr "7d"
 msgid "90d"
 msgstr "90d"
 
+msgid "A/B test"
+msgstr "A/B test"
+
 msgid "Account"
 msgstr "Account"
 
 msgid "Account actions"
 msgstr "Account actions"
 
+msgid "Account flags"
+msgstr "Account flags"
+
 msgid "Account growth"
 msgstr "Account growth"
 
@@ -104,6 +132,9 @@ msgstr "Account has {0} drift discrepancies. Last reconciled at {1}. If standard
 msgid "Account preview"
 msgstr "Account preview"
 
+msgid "Account status"
+msgstr "Account status"
+
 msgid "Account users"
 msgstr "Account users"
 
@@ -113,9 +144,18 @@ msgstr "accounts"
 msgid "Accounts"
 msgstr "Accounts"
 
+msgid "Accounts are automatically enabled or disabled based on their subscription plan. No manual overrides are available for plan-managed flags."
+msgstr "Accounts are automatically enabled or disabled based on their subscription plan. No manual overrides are available for plan-managed flags."
+
+msgid "Accounts are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific accounts."
+msgstr "Accounts are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific accounts."
+
 msgid "Accounts will appear here as they are created."
 msgstr "Accounts will appear here as they are created."
 
+msgid "Accounts will appear here as they qualify for this feature."
+msgstr "Accounts will appear here as they qualify for this feature."
+
 msgid "Actions"
 msgstr "Actions"
 
@@ -146,6 +186,9 @@ msgstr "All-time"
 msgid "All-time, excluding VAT"
 msgstr "All-time, excluding VAT"
 
+msgid "Always on"
+msgstr "Always on"
+
 msgid "Amount"
 msgstr "Amount"
 
@@ -169,6 +212,9 @@ msgstr "Back Office - Localhost"
 msgid "Back Office overview · {today}"
 msgstr "Back Office overview · {today}"
 
+msgid "Back to feature flags"
+msgstr "Back to feature flags"
+
 msgid "Basis"
 msgstr "Basis"
 
@@ -223,6 +269,9 @@ msgstr "Change theme"
 msgid "Change zoom level"
 msgstr "Change zoom level"
 
+msgid "Choose how {entityLabel} participates in feature flag rollouts. Per-flag manual overrides still take precedence over this setting."
+msgstr "Choose how {entityLabel} participates in feature flag rollouts. Per-flag manual overrides still take precedence over this setting."
+
 msgid "Clear filter"
 msgstr "Clear filter"
 
@@ -278,12 +327,28 @@ msgstr "Date"
 msgid "Default"
 msgstr "Default"
 
+msgid "Delete feature flag"
+msgstr "Delete feature flag"
+
+msgid "Delete flag and all overrides"
+msgstr "Delete flag and all overrides"
+
+msgid "Deleted"
+msgstr "Deleted"
+
+#. placeholder {0}: formatTimestamp(featureFlag.deletedAt)
+msgid "Deleted: {0}"
+msgstr "Deleted: {0}"
+
 msgid "Desktop"
 msgstr "Desktop"
 
 msgid "Device"
 msgstr "Device"
 
+msgid "Disabled"
+msgstr "Disabled"
+
 msgid "Disaster recovery complete"
 msgstr "Disaster recovery complete"
 
@@ -305,6 +370,9 @@ msgstr "Downgrading"
 msgid "Drift detected"
 msgstr "Drift detected"
 
+msgid "Each account or user is assigned a fixed bucket (0-99) based on their sequence number. The rollout targets a specific range of buckets, ensuring consistent and predictable feature rollout."
+msgstr "Each account or user is assigned a fixed bucket (0-99) based on their sequence number. The rollout targets a specific range of buckets, ensuring consistent and predictable feature rollout."
+
 msgid "Email"
 msgstr "Email"
 
@@ -314,6 +382,18 @@ msgstr "Email confirmed"
 msgid "Email pending"
 msgstr "Email pending"
 
+msgid "Enabled"
+msgstr "Enabled"
+
+#. placeholder {0}: formatTimestamp(featureFlag.enabledAt)
+#. placeholder {1}: formatTimestamp(featureFlag.disabledAt)
+msgid "Enabled period: {0} - {1}"
+msgstr "Enabled period: {0} - {1}"
+
+#. placeholder {0}: formatTimestamp(featureFlag.enabledAt)
+msgid "Enabled: {0}"
+msgstr "Enabled: {0}"
+
 msgid "Enter kiosk mode"
 msgstr "Enter kiosk mode"
 
@@ -344,21 +424,66 @@ msgstr "Expires"
 msgid "Failed"
 msgstr "Failed"
 
+msgid "Feature flag activated"
+msgstr "Feature flag activated"
+
+msgid "Feature flag deactivated"
+msgstr "Feature flag deactivated"
+
+msgid "Feature flag deleted: {flagName}"
+msgstr "Feature flag deleted: {flagName}"
+
+msgid "Feature flag rollouts"
+msgstr "Feature flag rollouts"
+
+msgid "Feature flag rollouts reset to default for {entityLabel}"
+msgstr "Feature flag rollouts reset to default for {entityLabel}"
+
+msgid "Feature flags"
+msgstr "Feature flags"
+
+msgid "Feature flags are defined in code. This view controls their activation and rollout. It takes up to 5 minutes for changes to reach all users."
+msgstr "Feature flags are defined in code. This view controls their activation and rollout. It takes up to 5 minutes for changes to reach all users."
+
+msgid "First in feature flag rollouts"
+msgstr "First in feature flag rollouts"
+
 msgid "Free"
 msgstr "Free"
 
+msgid "Gated by subscription plan and recomputed when the plan changes. Configured only in code."
+msgstr "Gated by subscription plan and recomputed when the plan changes. Configured only in code."
+
+msgid "Gated by the account's subscription plan. Read-only."
+msgstr "Gated by the account's subscription plan. Read-only."
+
 msgid "Go to home"
 msgstr "Go to home"
 
 msgid "Google"
 msgstr "Google"
 
+msgid "Has override"
+msgstr "Has override"
+
 msgid "Hide details"
 msgstr "Hide details"
 
 msgid "Inactive"
 msgstr "Inactive"
 
+msgid "Included at"
+msgstr "Included at"
+
+msgid "Included at 1% — the first to receive any feature flag rollout."
+msgstr "Included at 1% — the first to receive any feature flag rollout."
+
+msgid "Included at 100% — the last to receive any feature flag rollout."
+msgstr "Included at 100% — the last to receive any feature flag rollout."
+
+msgid "Included in feature flag rollouts based on the assigned rollout bucket."
+msgstr "Included in feature flag rollouts based on the assigned rollout bucket."
+
 msgid "Invoice"
 msgstr "Invoice"
 
@@ -374,6 +499,9 @@ msgstr "Invoices will appear here as accounts subscribe and Stripe webhooks are
 msgid "IP address"
 msgstr "IP address"
 
+msgid "It takes up to 5 minutes for changes to reach all users."
+msgstr "It takes up to 5 minutes for changes to reach all users."
+
 msgid "Just now"
 msgstr "Just now"
 
@@ -392,6 +520,12 @@ msgstr "Last {periodDays} days"
 msgid "Last 24 hours"
 msgstr "Last 24 hours"
 
+msgid "Last changed"
+msgstr "Last changed"
+
+msgid "Last in feature flag rollouts"
+msgstr "Last in feature flag rollouts"
+
 msgid "Last invoice"
 msgstr "Last invoice"
 
@@ -437,6 +571,9 @@ msgstr "Logo"
 msgid "Main navigation"
 msgstr "Main navigation"
 
+msgid "Manual override active. Click again to flip, three times to clear."
+msgstr "Manual override active. Click again to flip, three times to clear."
+
 msgid "Member"
 msgstr "Member"
 
@@ -464,6 +601,9 @@ msgstr "MRR trend"
 msgid "Name"
 msgstr "Name"
 
+msgid "Name:"
+msgstr "Name:"
+
 msgid "Navigation"
 msgstr "Navigation"
 
@@ -482,6 +622,9 @@ msgstr "No account memberships"
 msgid "No accounts match your filters"
 msgstr "No accounts match your filters"
 
+msgid "No accounts qualify for this feature yet"
+msgstr "No accounts qualify for this feature yet"
+
 msgid "No accounts yet"
 msgstr "No accounts yet"
 
@@ -503,6 +646,9 @@ msgstr "No billing events yet"
 msgid "No change"
 msgstr "No change"
 
+msgid "No feature flags"
+msgstr "No feature flags"
+
 msgid "No invoices yet"
 msgstr "No invoices yet"
 
@@ -560,9 +706,15 @@ msgstr "No sessions"
 msgid "No sign-in attempts in the last 30 days."
 msgstr "No sign-in attempts in the last 30 days."
 
+msgid "No tenant-scoped feature flags are defined for this account."
+msgstr "No tenant-scoped feature flags are defined for this account."
+
 msgid "No transactions"
 msgstr "No transactions"
 
+msgid "No user-scoped feature flags are defined."
+msgstr "No user-scoped feature flags are defined."
+
 msgid "No users"
 msgstr "No users"
 
@@ -572,6 +724,9 @@ msgstr "No users match your filters."
 msgid "No users match your search"
 msgstr "No users match your search"
 
+msgid "No users qualify for this feature yet"
+msgstr "No users qualify for this feature yet"
+
 msgid "No users yet"
 msgstr "No users yet"
 
@@ -608,6 +763,25 @@ msgstr "Outcome"
 msgid "over period"
 msgstr "over period"
 
+msgid "Override"
+msgstr "Override"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "Override for {0}"
+msgstr "Override for {0}"
+
+msgid "Override for {flagName}"
+msgstr "Override for {flagName}"
+
+#. placeholder {0}: tenant.name
+#. placeholder {0}: user.email
+msgid "Override removed for {0}"
+msgstr "Override removed for {0}"
+
+msgid "Override removed for {flagName}"
+msgstr "Override removed for {flagName}"
+
 msgid "Overview"
 msgstr "Overview"
 
@@ -647,9 +821,27 @@ msgstr "Pending"
 msgid "per month, billed monthly"
 msgstr "per month, billed monthly"
 
+msgid "Per-account flags. Owners can toggle configurable flags. Admins control A/B rollouts."
+msgstr "Per-account flags. Owners can toggle configurable flags. Admins control A/B rollouts."
+
+msgid "Per-account flags. Toggle the override switch to enable or disable for this account."
+msgstr "Per-account flags. Toggle the override switch to enable or disable for this account."
+
+msgid "Per-user flags. Toggle the override switch to enable or disable for this user."
+msgstr "Per-user flags. Toggle the override switch to enable or disable for this user."
+
+msgid "Per-user flags. Users can toggle configurable flags. Admins control A/B rollouts."
+msgstr "Per-user flags. Users can toggle configurable flags. Admins control A/B rollouts."
+
+msgid "Percentage of accounts or users included in the A/B rollout. Buckets are assigned consistently per account or user."
+msgstr "Percentage of accounts or users included in the A/B rollout. Buckets are assigned consistently per account or user."
+
 msgid "Period"
 msgstr "Period"
 
+msgid "Permanently delete <0>{flagName}</0> ({flagKey}) and all account and user overrides. This cannot be undone."
+msgstr "Permanently delete <0>{flagName}</0> ({flagKey}) and all account and user overrides. This cannot be undone."
+
 msgid "Plan"
 msgstr "Plan"
 
@@ -662,9 +854,18 @@ msgstr "Plan changes, renewals, cancellations, and payment outcomes — the subs
 msgid "Plan distribution"
 msgstr "Plan distribution"
 
+msgid "Plan flags"
+msgstr "Plan flags"
+
 msgid "Plan transition"
 msgstr "Plan transition"
 
+msgid "Platform"
+msgstr "Platform"
+
+msgid "Platform-wide capabilities set at deployment via environment variables. Configured only in code."
+msgstr "Platform-wide capabilities set at deployment via environment variables. Configured only in code."
+
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
 
@@ -737,6 +938,9 @@ msgstr "Refunds and credit notes"
 msgid "Refunds and credit notes across all accounts."
 msgstr "Refunds and credit notes across all accounts."
 
+msgid "Removed"
+msgstr "Removed"
+
 msgid "Renewal"
 msgstr "Renewal"
 
@@ -756,6 +960,12 @@ msgstr "Renews {0}"
 msgid "Replayed {0} archived events into the billing event ledger at {1}."
 msgstr "Replayed {0} archived events into the billing event ledger at {1}."
 
+msgid "Required plan"
+msgstr "Required plan"
+
+msgid "Required plan:"
+msgstr "Required plan:"
+
 msgid "Revenue"
 msgstr "Revenue"
 
@@ -765,9 +975,33 @@ msgstr "Revoked"
 msgid "Role"
 msgstr "Role"
 
+msgid "Rollout"
+msgstr "Rollout"
+
+msgid "Rollout %"
+msgstr "Rollout %"
+
+msgid "Rollout bucket information"
+msgstr "Rollout bucket information"
+
+msgid "Rollout buckets: {rolloutBucketStart}-{rolloutBucketEnd} ({rolloutPercentage}%)"
+msgstr "Rollout buckets: {rolloutBucketStart}-{rolloutBucketEnd} ({rolloutPercentage}%)"
+
+msgid "Rollout buckets: {rolloutBucketStart}-99 and 0-{rolloutBucketEnd} ({rolloutPercentage}%)"
+msgstr "Rollout buckets: {rolloutBucketStart}-99 and 0-{rolloutBucketEnd} ({rolloutPercentage}%)"
+
+msgid "Rollout percentage updated"
+msgstr "Rollout percentage updated"
+
 msgid "Run disaster recovery"
 msgstr "Run disaster recovery"
 
+msgid "Save changes"
+msgstr "Save changes"
+
+msgid "Saving..."
+msgstr "Saving..."
+
 msgid "Scheduled plan change"
 msgstr "Scheduled plan change"
 
@@ -780,6 +1014,9 @@ msgstr "Search"
 msgid "Search by account name"
 msgstr "Search by account name"
 
+msgid "Search by account name or owner email"
+msgstr "Search by account name or owner email"
+
 msgid "Search by email, name, or account"
 msgstr "Search by email, name, or account"
 
@@ -798,6 +1035,9 @@ msgstr "Search, filter, and review accounts."
 msgid "Sessions"
 msgstr "Sessions"
 
+msgid "Show deleted"
+msgstr "Show deleted"
+
 msgid "Show details"
 msgstr "Show details"
 
@@ -822,6 +1062,9 @@ msgstr "Something went wrong"
 msgid "Standard"
 msgstr "Standard"
 
+msgid "State"
+msgstr "State"
+
 msgid "Status"
 msgstr "Status"
 
@@ -861,6 +1104,9 @@ msgstr "Suspended"
 msgid "System"
 msgstr "System"
 
+msgid "System flags"
+msgstr "System flags"
+
 msgid "Tablet"
 msgstr "Tablet"
 
@@ -870,9 +1116,24 @@ msgstr "The page you are looking for does not exist or was moved."
 msgid "Theme"
 msgstr "Theme"
 
+msgid "This account"
+msgstr "This account"
+
 msgid "This account has no users."
 msgstr "This account has no users."
 
+msgid "This flag has been deleted. It is retained for historical telemetry. Adding a new feature flag with the same name will fail deployment."
+msgstr "This flag has been deleted. It is retained for historical telemetry. Adding a new feature flag with the same name will fail deployment."
+
+msgid "This flag is managed by the subscription plan. It is automatically enabled for accounts on the required plan or higher."
+msgstr "This flag is managed by the subscription plan. It is automatically enabled for accounts on the required plan or higher."
+
+msgid "This flag no longer exists in code. Delete it to remove all account and user overrides."
+msgstr "This flag no longer exists in code. Delete it to remove all account and user overrides."
+
+msgid "This is a stable module. It is always on and cannot be deactivated."
+msgstr "This is a stable module. It is always on and cannot be deactivated."
+
 msgid "this period"
 msgstr "this period"
 
@@ -885,6 +1146,18 @@ msgstr "This user has no recorded sessions."
 msgid "This user is not a member of any account."
 msgstr "This user is not a member of any account."
 
+msgid "Toggle activation"
+msgstr "Toggle activation"
+
+msgid "Toggle the override switch to enable this feature for specific accounts."
+msgstr "Toggle the override switch to enable this feature for specific accounts."
+
+msgid "Toggle the override switch to enable this feature for specific users."
+msgstr "Toggle the override switch to enable this feature for specific users."
+
+msgid "Toggle whether this feature flag is currently active. When inactive, accounts and users receive the disabled state regardless of overrides."
+msgstr "Toggle whether this feature flag is currently active. When inactive, accounts and users receive the disabled state regardless of overrides."
+
 msgid "Total"
 msgstr "Total"
 
@@ -918,24 +1191,39 @@ msgstr "Upgraded"
 msgid "User"
 msgstr "User"
 
+msgid "User actions"
+msgstr "User actions"
+
 msgid "User detail"
 msgstr "User detail"
 
+msgid "User flags"
+msgstr "User flags"
+
 msgid "User logins / day"
 msgstr "User logins / day"
 
 msgid "User menu"
 msgstr "User menu"
 
+msgid "User status"
+msgstr "User status"
+
 msgid "Users"
 msgstr "Users"
 
 msgid "Users active"
 msgstr "Users active"
 
+msgid "Users are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific users."
+msgstr "Users are automatically included based on their rollout bucket. Use overrides to manually include or exclude specific users."
+
 msgid "Users will appear here as accounts are created."
 msgstr "Users will appear here as accounts are created."
 
+msgid "Users will appear here as they qualify for this feature."
+msgstr "Users will appear here as they qualify for this feature."
+
 msgid "VAT"
 msgstr "VAT"
 
@@ -963,6 +1251,9 @@ msgstr "vs prior period"
 msgid "When"
 msgstr "When"
 
+msgid "With override"
+msgstr "With override"
+
 msgid "Yesterday"
 msgstr "Yesterday"
 
diff --git a/application/account/Core/Configuration.cs b/application/account/Core/Configuration.cs
index 611bbad97..07877ba78 100644
--- a/application/account/Core/Configuration.cs
+++ b/application/account/Core/Configuration.cs
@@ -2,6 +2,7 @@
 using Account.Features.EmailAuthentication.Shared;
 using Account.Features.ExternalAuthentication;
 using Account.Features.ExternalAuthentication.Shared;
+using Account.Features.FeatureFlags.Shared;
 using Account.Features.Subscriptions.Shared;
 using Account.Features.Users.Shared;
 using Account.Integrations.Gravatar;
@@ -70,6 +71,8 @@ public IServiceCollection AddAccountServices()
                 .AddScoped<StartEmailConfirmation>()
                 .AddScoped<CompleteEmailConfirmation>()
                 .AddScoped<AvatarUpdater>()
+                .AddScoped<FeatureFlagEvaluator>()
+                .AddScoped<PlanBasedFeatureFlagEvaluator>()
                 .AddScoped<UserInfoFactory>()
                 .AddScoped<ProcessPendingStripeEvents>()
                 .AddScoped<ExternalAuthenticationService>()
diff --git a/application/account/Core/Database/Migrations/20260514122911_AddFeatureFlagsSchema.cs b/application/account/Core/Database/Migrations/20260514122911_AddFeatureFlagsSchema.cs
new file mode 100644
index 000000000..42cd6cf04
--- /dev/null
+++ b/application/account/Core/Database/Migrations/20260514122911_AddFeatureFlagsSchema.cs
@@ -0,0 +1,146 @@
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+namespace Account.Database.Migrations;
+
+[DbContext(typeof(AccountDbContext))]
+[Migration("20260514122911_AddFeatureFlagsSchema")]
+public sealed class AddFeatureFlagsSchema : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.CreateTable(
+            "feature_flags",
+            table => new
+            {
+                tenant_id = table.Column<long>("bigint", nullable: true),
+                id = table.Column<string>("text", nullable: false),
+                user_id = table.Column<string>("text", nullable: true),
+                created_at = table.Column<DateTimeOffset>("timestamptz", nullable: false),
+                modified_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                deleted_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                orphaned_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                flag_key = table.Column<string>("text", nullable: false),
+                enabled_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                disabled_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                bucket_start = table.Column<int>("integer", nullable: true),
+                bucket_end = table.Column<int>("integer", nullable: true),
+                source = table.Column<string>("text", nullable: false),
+                scope = table.Column<string>("text", nullable: false)
+            },
+            constraints: table =>
+            {
+                table.PrimaryKey("pk_feature_flags", x => x.id);
+                table.ForeignKey("fk_feature_flags_users_user_id", x => x.user_id, "users", "id", onDelete: ReferentialAction.Cascade);
+            }
+        );
+
+        migrationBuilder.Sql(
+            "CREATE UNIQUE INDEX ix_feature_flags_flag_key_tenant_id_user_id ON feature_flags (flag_key, tenant_id, user_id) NULLS NOT DISTINCT;"
+        );
+
+        // Indexes for the hot evaluator query paths. The unique index above leads on flag_key, which
+        // cannot serve the tenant-scoped / user-scoped lookups the evaluator runs on every JWT refresh.
+        migrationBuilder.CreateIndex("ix_feature_flags_tenant_id", "feature_flags", "tenant_id");
+        migrationBuilder.CreateIndex("ix_feature_flags_user_id", "feature_flags", "user_id", filter: "user_id IS NOT NULL");
+        migrationBuilder.CreateIndex(
+            "ix_feature_flags_tenant_id_source",
+            "feature_flags",
+            ["tenant_id", "source"],
+            filter: "source = 'Plan' AND user_id IS NULL"
+        );
+
+        migrationBuilder.Sql(
+            "ALTER TABLE feature_flags ADD CONSTRAINT ck_feature_flags_user_requires_tenant CHECK (user_id IS NULL OR tenant_id IS NOT NULL);"
+        );
+
+        migrationBuilder.Sql(
+            """
+            ALTER TABLE feature_flags ADD CONSTRAINT ck_feature_flags_bucket_range
+            CHECK ((bucket_start IS NULL) = (bucket_end IS NULL) AND (bucket_start IS NULL OR (bucket_start BETWEEN 0 AND 99 AND bucket_end BETWEEN 0 AND 99)));
+            """
+        );
+
+        // Add rollout_bucket to tenants and users, computed via van der Corput sequence so existing rows
+        // are evenly spread across 0..99 for low-percent rollout fairness.
+        migrationBuilder.AddColumn<short>("rollout_bucket", "tenants", "smallint", nullable: true);
+        migrationBuilder.AddColumn<short>("rollout_bucket", "users", "smallint", nullable: true);
+
+        // Stored as text rather than an enum-by-int so the JSON wire value (AlwaysOn / NeverOn) round-trips
+        // through EF's enum-to-string conversion and remains readable in raw SQL inspections.
+        migrationBuilder.AddColumn<string>("ab_inclusion_pin", "tenants", "text", nullable: true);
+        migrationBuilder.AddColumn<string>("ab_inclusion_pin", "users", "text", nullable: true);
+
+        migrationBuilder.Sql(
+            "ALTER TABLE tenants ADD CONSTRAINT ck_tenants_ab_inclusion_pin CHECK (ab_inclusion_pin IS NULL OR ab_inclusion_pin IN ('AlwaysOn', 'NeverOn'));"
+        );
+        migrationBuilder.Sql(
+            "ALTER TABLE users ADD CONSTRAINT ck_users_ab_inclusion_pin CHECK (ab_inclusion_pin IS NULL OR ab_inclusion_pin IN ('AlwaysOn', 'NeverOn'));"
+        );
+
+        migrationBuilder.Sql(
+            """
+            CREATE OR REPLACE FUNCTION van_der_corput_bucket(seq integer) RETURNS integer AS $$
+            DECLARE
+                result double precision := 0;
+                denominator double precision := 2;
+                n integer := seq;
+            BEGIN
+                WHILE n > 0 LOOP
+                    result := result + (n & 1)::double precision / denominator;
+                    n := n >> 1;
+                    denominator := denominator * 2;
+                END LOOP;
+                RETURN floor(result * 100)::integer;
+            END;
+            $$ LANGUAGE plpgsql IMMUTABLE;
+            """
+        );
+
+        migrationBuilder.Sql(
+            """
+            WITH numbered AS (
+                SELECT id, row_number() OVER (ORDER BY created_at, id) - 1 AS seq
+                FROM tenants
+            )
+            UPDATE tenants SET rollout_bucket = van_der_corput_bucket(numbered.seq::integer)
+            FROM numbered WHERE tenants.id = numbered.id;
+            """
+        );
+
+        migrationBuilder.Sql("ALTER TABLE tenants ALTER COLUMN rollout_bucket SET NOT NULL;");
+
+        migrationBuilder.Sql(
+            """
+            WITH numbered AS (
+                SELECT id, row_number() OVER (ORDER BY created_at, id) - 1 AS seq
+                FROM users
+            )
+            UPDATE users SET rollout_bucket = van_der_corput_bucket(numbered.seq::integer)
+            FROM numbered WHERE users.id = numbered.id;
+            """
+        );
+
+        migrationBuilder.Sql("ALTER TABLE users ALTER COLUMN rollout_bucket SET NOT NULL;");
+
+        migrationBuilder.Sql("DROP FUNCTION van_der_corput_bucket(integer);");
+
+        // Postgres sequences hand out monotonically increasing values atomically across concurrent transactions;
+        // a COUNT(*)-based index would lose uniqueness under parallel CreateTenantCommand / CreateUserCommand.
+        // Seeded from the row count so the next index is strictly greater than any previously assigned,
+        // preserving the low-discrepancy bucket spread for already-created rows.
+        // SQLite (test database) has no sequence support; the repository falls back to COUNT(*) on that provider.
+        migrationBuilder.Sql(
+            "DO $$ DECLARE start_value bigint; BEGIN " +
+            "SELECT COUNT(*) + 1 INTO start_value FROM tenants; " +
+            "EXECUTE format('CREATE SEQUENCE IF NOT EXISTS tenant_rollout_index_sequence AS bigint START WITH %s', start_value); " +
+            "END $$;"
+        );
+        migrationBuilder.Sql(
+            "DO $$ DECLARE start_value bigint; BEGIN " +
+            "SELECT COUNT(*) + 1 INTO start_value FROM users; " +
+            "EXECUTE format('CREATE SEQUENCE IF NOT EXISTS user_rollout_index_sequence AS bigint START WITH %s', start_value); " +
+            "END $$;"
+        );
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/ActivateFeatureFlag.cs b/application/account/Core/Features/FeatureFlags/Commands/ActivateFeatureFlag.cs
new file mode 100644
index 000000000..7947c2adb
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/ActivateFeatureFlag.cs
@@ -0,0 +1,38 @@
+using Account.Features.FeatureFlags.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record ActivateFeatureFlagCommand(string FlagKey) : ICommand, IRequest<Result>;
+
+public sealed class ActivateFeatureFlagValidator : AbstractValidator<ActivateFeatureFlagCommand>
+{
+    public ActivateFeatureFlagValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.IsKillSwitchEnabled == true).WithMessage("Only kill-switch-enabled feature flags can be globally activated.");
+    }
+}
+
+public sealed class ActivateFeatureFlagHandler(IFeatureFlagRepository featureFlagRepository, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<ActivateFeatureFlagCommand, Result>
+{
+    public async Task<Result> Handle(ActivateFeatureFlagCommand command, CancellationToken cancellationToken)
+    {
+        var featureFlag = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, null, null, cancellationToken);
+        if (featureFlag is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        featureFlag.Activate(timeProvider.GetUtcNow());
+        featureFlagRepository.Update(featureFlag);
+
+        events.CollectEvent(new FeatureFlagActivated(command.FlagKey));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/DeactivateFeatureFlag.cs b/application/account/Core/Features/FeatureFlags/Commands/DeactivateFeatureFlag.cs
new file mode 100644
index 000000000..7f8973fd5
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/DeactivateFeatureFlag.cs
@@ -0,0 +1,38 @@
+using Account.Features.FeatureFlags.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record DeactivateFeatureFlagCommand(string FlagKey) : ICommand, IRequest<Result>;
+
+public sealed class DeactivateFeatureFlagValidator : AbstractValidator<DeactivateFeatureFlagCommand>
+{
+    public DeactivateFeatureFlagValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.IsKillSwitchEnabled == true).WithMessage("Only kill-switch-enabled feature flags can be globally deactivated.");
+    }
+}
+
+public sealed class DeactivateFeatureFlagHandler(IFeatureFlagRepository featureFlagRepository, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<DeactivateFeatureFlagCommand, Result>
+{
+    public async Task<Result> Handle(DeactivateFeatureFlagCommand command, CancellationToken cancellationToken)
+    {
+        var featureFlag = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, null, null, cancellationToken);
+        if (featureFlag is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        featureFlag.Deactivate(timeProvider.GetUtcNow());
+        featureFlagRepository.Update(featureFlag);
+
+        events.CollectEvent(new FeatureFlagDeactivated(command.FlagKey));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/DeleteFeatureFlag.cs b/application/account/Core/Features/FeatureFlags/Commands/DeleteFeatureFlag.cs
new file mode 100644
index 000000000..21e2a7d35
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/DeleteFeatureFlag.cs
@@ -0,0 +1,56 @@
+using Account.Features.FeatureFlags.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record DeleteFeatureFlagCommand(string FlagKey) : ICommand, IRequest<Result>;
+
+public sealed class DeleteFeatureFlagValidator : AbstractValidator<DeleteFeatureFlagCommand>
+{
+    public DeleteFeatureFlagValidator()
+    {
+        RuleFor(x => x.FlagKey).NotEmpty().WithMessage("Feature flag key must not be empty.");
+    }
+}
+
+public sealed class DeleteFeatureFlagHandler(
+    IFeatureFlagRepository featureFlagRepository,
+    TimeProvider timeProvider,
+    ITelemetryEventsCollector events
+) : IRequestHandler<DeleteFeatureFlagCommand, Result>
+{
+    public async Task<Result> Handle(DeleteFeatureFlagCommand command, CancellationToken cancellationToken)
+    {
+        var baseRow = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, null, null, cancellationToken);
+        if (baseRow is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        // Only orphaned flags can be deleted. Live flags must first be removed from FeatureFlags.cs so the
+        // reconciler marks them orphaned on the next deploy; this preserves the audit trail and lets admins
+        // review impact before the row is retired.
+        if (baseRow.OrphanedAt is null) return Result.BadRequest($"Feature flag '{command.FlagKey}' is not orphaned - only flags removed from the C# definitions can be deleted.");
+
+        if (baseRow.DeletedAt is not null) return Result.BadRequest($"Feature flag '{command.FlagKey}' is already deleted.");
+
+        // Soft-delete the base row to retain the flag key for historical telemetry; hard-delete the
+        // tenant and user override rows because they carry no historical value once the flag is retired.
+        var now = timeProvider.GetUtcNow();
+        var daysSinceOrphaned = (int)(now - baseRow.OrphanedAt.Value).TotalDays;
+        baseRow.MarkDeleted(now);
+        featureFlagRepository.Update(baseRow);
+
+        var overrides = await featureFlagRepository.GetRowsByFlagKeyUnfilteredAsync(command.FlagKey, cancellationToken);
+        var overrideRowsToRemove = overrides.Where(r => r.TenantId is not null || r.UserId is not null).ToArray();
+        foreach (var row in overrideRowsToRemove)
+        {
+            featureFlagRepository.Remove(row);
+        }
+
+        events.CollectEvent(new FeatureFlagDeleted(command.FlagKey, overrideRowsToRemove.Length, daysSinceOrphaned));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/RemoveTenantFeatureFlagOverride.cs b/application/account/Core/Features/FeatureFlags/Commands/RemoveTenantFeatureFlagOverride.cs
new file mode 100644
index 000000000..c53efe604
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/RemoveTenantFeatureFlagOverride.cs
@@ -0,0 +1,53 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Tenants.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record RemoveTenantFeatureFlagOverrideCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes from API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required TenantId TenantId { get; init; }
+}
+
+public sealed class RemoveTenantFeatureFlagOverrideValidator : AbstractValidator<RemoveTenantFeatureFlagOverrideCommand>
+{
+    public RemoveTenantFeatureFlagOverrideValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.Tenant).WithMessage("Feature flag must have tenant scope.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.RequiredPlan is null).WithMessage("Plan-gated feature flags cannot be removed manually; change the tenant's subscription plan instead.");
+    }
+}
+
+public sealed class RemoveTenantFeatureFlagOverrideHandler(IFeatureFlagRepository featureFlagRepository, ITenantRepository tenantRepository, ITelemetryEventsCollector events)
+    : IRequestHandler<RemoveTenantFeatureFlagOverrideCommand, Result>
+{
+    public async Task<Result> Handle(RemoveTenantFeatureFlagOverrideCommand command, CancellationToken cancellationToken)
+    {
+        var tenant = await tenantRepository.GetByIdUnfilteredAsync(command.TenantId, cancellationToken);
+        if (tenant is null)
+        {
+            return Result.NotFound($"Tenant '{command.TenantId}' not found.");
+        }
+
+        var tenantOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, null, cancellationToken);
+        if (tenantOverride is null) return Result.NotFound($"No tenant override found for flag '{command.FlagKey}' and tenant '{command.TenantId}'.");
+
+        featureFlagRepository.Remove(tenantOverride);
+
+        events.CollectEvent(new FeatureFlagTenantOverrideRemoved(command.FlagKey, command.TenantId, FeatureFlagOverrideTrigger.Internal));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/RemoveUserFeatureFlagOverride.cs b/application/account/Core/Features/FeatureFlags/Commands/RemoveUserFeatureFlagOverride.cs
new file mode 100644
index 000000000..5698cf2ce
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/RemoveUserFeatureFlagOverride.cs
@@ -0,0 +1,54 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Users.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record RemoveUserFeatureFlagOverrideCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes from API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required UserId UserId { get; init; }
+
+    public required TenantId TenantId { get; init; }
+}
+
+public sealed class RemoveUserFeatureFlagOverrideValidator : AbstractValidator<RemoveUserFeatureFlagOverrideCommand>
+{
+    public RemoveUserFeatureFlagOverrideValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.User).WithMessage("Feature flag must have user scope.");
+    }
+}
+
+public sealed class RemoveUserFeatureFlagOverrideHandler(IFeatureFlagRepository featureFlagRepository, IUserRepository userRepository, ITelemetryEventsCollector events)
+    : IRequestHandler<RemoveUserFeatureFlagOverrideCommand, Result>
+{
+    public async Task<Result> Handle(RemoveUserFeatureFlagOverrideCommand command, CancellationToken cancellationToken)
+    {
+        var user = await userRepository.GetByIdUnfilteredAsync(command.UserId, cancellationToken);
+        if (user is null || user.TenantId != command.TenantId)
+        {
+            return Result.NotFound($"User '{command.UserId}' not found in tenant '{command.TenantId}'.");
+        }
+
+        var userOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, command.UserId, cancellationToken);
+        if (userOverride is null) return Result.NotFound($"No user override found for flag '{command.FlagKey}' and user '{command.UserId}'.");
+
+        featureFlagRepository.Remove(userOverride);
+
+        events.CollectEvent(new FeatureFlagUserOverrideRemoved(command.FlagKey, command.UserId, FeatureFlagOverrideTrigger.Internal));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/SetFeatureFlagRolloutPercentage.cs b/application/account/Core/Features/FeatureFlags/Commands/SetFeatureFlagRolloutPercentage.cs
new file mode 100644
index 000000000..5fd4d9f62
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/SetFeatureFlagRolloutPercentage.cs
@@ -0,0 +1,69 @@
+using Account.Features.FeatureFlags.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record SetFeatureFlagRolloutPercentageCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes this property from the API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required int RolloutPercentage { get; init; }
+}
+
+public sealed class SetFeatureFlagRolloutPercentageValidator : AbstractValidator<SetFeatureFlagRolloutPercentageCommand>
+{
+    public SetFeatureFlagRolloutPercentageValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.IsAbTestEligible == true).WithMessage("Feature flag must be eligible for A/B testing.");
+
+        RuleFor(x => x.RolloutPercentage)
+            .InclusiveBetween(0, RolloutBucketHasher.BucketCount).WithMessage($"Rollout percentage must be between 0 and {RolloutBucketHasher.BucketCount}.");
+    }
+}
+
+public sealed class SetFeatureFlagRolloutPercentageHandler(IFeatureFlagRepository featureFlagRepository, ITelemetryEventsCollector events)
+    : IRequestHandler<SetFeatureFlagRolloutPercentageCommand, Result>
+{
+    public async Task<Result> Handle(SetFeatureFlagRolloutPercentageCommand command, CancellationToken cancellationToken)
+    {
+        var featureFlag = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, null, null, cancellationToken);
+        if (featureFlag is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        var fromPercentage = RolloutBucketHasher.ComputeRolloutPercentage(featureFlag.BucketStart, featureFlag.BucketEnd) ?? 0;
+
+        int? rolloutBucketStart;
+        int? rolloutBucketEnd;
+
+        if (command.RolloutPercentage == 0)
+        {
+            rolloutBucketStart = null;
+            rolloutBucketEnd = null;
+        }
+        else if (command.RolloutPercentage == RolloutBucketHasher.BucketCount)
+        {
+            rolloutBucketStart = 0;
+            rolloutBucketEnd = RolloutBucketHasher.MaxBucketInclusive;
+        }
+        else
+        {
+            rolloutBucketStart = RolloutBucketHasher.ComputeStartingRolloutBucket(command.FlagKey);
+            rolloutBucketEnd = (rolloutBucketStart.Value + command.RolloutPercentage - 1) % RolloutBucketHasher.BucketCount;
+        }
+
+        featureFlag.SetRolloutRange(rolloutBucketStart, rolloutBucketEnd);
+        featureFlagRepository.Update(featureFlag);
+
+        events.CollectEvent(new FeatureFlagRolloutPercentageUpdated(command.FlagKey, fromPercentage, command.RolloutPercentage));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagInternal.cs b/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagInternal.cs
new file mode 100644
index 000000000..30dd71892
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagInternal.cs
@@ -0,0 +1,89 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Tenants.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record SetTenantFeatureFlagInternalCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes this property from the API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required TenantId TenantId { get; init; }
+
+    public required bool Enabled { get; init; }
+}
+
+public sealed class SetTenantFeatureFlagInternalValidator : AbstractValidator<SetTenantFeatureFlagInternalCommand>
+{
+    public SetTenantFeatureFlagInternalValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.Tenant).WithMessage("Feature flag must have tenant scope.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.RequiredPlan is null).WithMessage("Plan-gated feature flags cannot be set manually; change the tenant's subscription plan instead.");
+    }
+}
+
+public sealed class SetTenantFeatureFlagInternalHandler(IFeatureFlagRepository featureFlagRepository, ITenantRepository tenantRepository, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<SetTenantFeatureFlagInternalCommand, Result>
+{
+    public async Task<Result> Handle(SetTenantFeatureFlagInternalCommand command, CancellationToken cancellationToken)
+    {
+        var tenant = await tenantRepository.GetByIdUnfilteredAsync(command.TenantId, cancellationToken);
+        if (tenant is null)
+        {
+            return Result.NotFound($"Tenant '{command.TenantId}' not found.");
+        }
+
+        var now = timeProvider.GetUtcNow();
+
+        if (command.Enabled)
+        {
+            var tenantOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, null, cancellationToken);
+            if (tenantOverride is null)
+            {
+                tenantOverride = FeatureFlag.CreateTenantOverride(command.FlagKey, command.TenantId, FeatureFlagScope.Tenant);
+                tenantOverride.Activate(now);
+                await featureFlagRepository.AddAsync(tenantOverride, cancellationToken);
+            }
+            else
+            {
+                tenantOverride.Activate(now);
+                featureFlagRepository.Update(tenantOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagTenantOverrideSet(command.FlagKey, command.TenantId, FeatureFlagOverrideTrigger.Internal));
+        }
+        else
+        {
+            var tenantOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, null, cancellationToken);
+            if (tenantOverride is null)
+            {
+                // Create the override row in a disabled state. Without an explicit override, the evaluator
+                // falls back to the base row + rollout, so a tenant currently enabled-by-rollout would stay
+                // enabled if we just no-op'd here. The row's EnabledAt == DisabledAt makes IsActive=false.
+                tenantOverride = FeatureFlag.CreateTenantOverride(command.FlagKey, command.TenantId, FeatureFlagScope.Tenant);
+                tenantOverride.Activate(now);
+                tenantOverride.Deactivate(now);
+                await featureFlagRepository.AddAsync(tenantOverride, cancellationToken);
+            }
+            else
+            {
+                tenantOverride.Deactivate(now);
+                featureFlagRepository.Update(tenantOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagTenantOverrideRemoved(command.FlagKey, command.TenantId, FeatureFlagOverrideTrigger.Internal));
+        }
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagOwner.cs b/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagOwner.cs
new file mode 100644
index 000000000..5137dd7ce
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/SetTenantFeatureFlagOwner.cs
@@ -0,0 +1,83 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Users.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record SetTenantFeatureFlagOwnerCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes this property from the API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required bool Enabled { get; init; }
+}
+
+public sealed class SetTenantFeatureFlagOwnerValidator : AbstractValidator<SetTenantFeatureFlagOwnerCommand>
+{
+    public SetTenantFeatureFlagOwnerValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.Tenant).WithMessage("Feature flag must have tenant scope.");
+    }
+}
+
+public sealed class SetTenantFeatureFlagOwnerHandler(IFeatureFlagRepository featureFlagRepository, IExecutionContext executionContext, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<SetTenantFeatureFlagOwnerCommand, Result>
+{
+    public async Task<Result> Handle(SetTenantFeatureFlagOwnerCommand command, CancellationToken cancellationToken)
+    {
+        if (executionContext.UserInfo.Role != nameof(UserRole.Owner))
+        {
+            return Result.Forbidden("Only owners are allowed to configure tenant feature flags.");
+        }
+
+        var definition = SharedKernel.FeatureFlags.FeatureFlags.Get(command.FlagKey);
+        if (definition is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        if (definition.AdminLevel != FeatureFlagAdminLevel.TenantOwner || !definition.ConfigurableByTenant)
+        {
+            return Result.Forbidden($"Feature flag '{command.FlagKey}' is not configurable by tenant owners.");
+        }
+
+        var tenantId = executionContext.TenantId!;
+        var now = timeProvider.GetUtcNow();
+
+        if (command.Enabled)
+        {
+            var tenantOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, tenantId, null, cancellationToken);
+            if (tenantOverride is null)
+            {
+                tenantOverride = FeatureFlag.CreateTenantOverride(command.FlagKey, tenantId, FeatureFlagScope.Tenant);
+                tenantOverride.Activate(now);
+                await featureFlagRepository.AddAsync(tenantOverride, cancellationToken);
+            }
+            else
+            {
+                tenantOverride.Activate(now);
+                featureFlagRepository.Update(tenantOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagTenantOverrideSet(command.FlagKey, tenantId, FeatureFlagOverrideTrigger.Owner));
+        }
+        else
+        {
+            var tenantOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, tenantId, null, cancellationToken);
+            if (tenantOverride is not null)
+            {
+                tenantOverride.Deactivate(now);
+                featureFlagRepository.Update(tenantOverride);
+                events.CollectEvent(new FeatureFlagTenantOverrideRemoved(command.FlagKey, tenantId, FeatureFlagOverrideTrigger.Owner));
+            }
+        }
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlag.cs b/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlag.cs
new file mode 100644
index 000000000..51aa6f6ac
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlag.cs
@@ -0,0 +1,78 @@
+using Account.Features.FeatureFlags.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record SetUserFeatureFlagCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes this property from the API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required bool Enabled { get; init; }
+}
+
+public sealed class SetUserFeatureFlagValidator : AbstractValidator<SetUserFeatureFlagCommand>
+{
+    public SetUserFeatureFlagValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.User).WithMessage("Feature flag must have user scope.");
+    }
+}
+
+public sealed class SetUserFeatureFlagHandler(IFeatureFlagRepository featureFlagRepository, IExecutionContext executionContext, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<SetUserFeatureFlagCommand, Result>
+{
+    public async Task<Result> Handle(SetUserFeatureFlagCommand command, CancellationToken cancellationToken)
+    {
+        var definition = SharedKernel.FeatureFlags.FeatureFlags.Get(command.FlagKey);
+        if (definition is null) return Result.NotFound($"Feature flag with key '{command.FlagKey}' not found.");
+
+        if (definition.AdminLevel != FeatureFlagAdminLevel.User || !definition.ConfigurableByUser)
+        {
+            return Result.Forbidden($"Feature flag '{command.FlagKey}' is not configurable by users.");
+        }
+
+        var tenantId = executionContext.TenantId!;
+        var userId = executionContext.UserInfo.Id!;
+        var now = timeProvider.GetUtcNow();
+
+        if (command.Enabled)
+        {
+            var userOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, tenantId, userId, cancellationToken);
+            if (userOverride is null)
+            {
+                userOverride = FeatureFlag.CreateUserOverride(command.FlagKey, tenantId, userId, FeatureFlagScope.User);
+                userOverride.Activate(now);
+                await featureFlagRepository.AddAsync(userOverride, cancellationToken);
+            }
+            else
+            {
+                userOverride.Activate(now);
+                featureFlagRepository.Update(userOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagUserOverrideSet(command.FlagKey, userId, FeatureFlagOverrideTrigger.Self));
+        }
+        else
+        {
+            var userOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, tenantId, userId, cancellationToken);
+            if (userOverride is not null)
+            {
+                userOverride.Deactivate(now);
+                featureFlagRepository.Update(userOverride);
+                events.CollectEvent(new FeatureFlagUserOverrideRemoved(command.FlagKey, userId, FeatureFlagOverrideTrigger.Self));
+            }
+        }
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlagInternal.cs b/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlagInternal.cs
new file mode 100644
index 000000000..66fa9ddd0
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Commands/SetUserFeatureFlagInternal.cs
@@ -0,0 +1,90 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Users.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Commands;
+
+[PublicAPI]
+public sealed record SetUserFeatureFlagInternalCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes from API contract
+    public string FlagKey { get; init; } = null!;
+
+    public required UserId UserId { get; init; }
+
+    public required TenantId TenantId { get; init; }
+
+    public required bool Enabled { get; init; }
+}
+
+public sealed class SetUserFeatureFlagInternalValidator : AbstractValidator<SetUserFeatureFlagInternalCommand>
+{
+    public SetUserFeatureFlagInternalValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.User).WithMessage("Feature flag must have user scope.");
+    }
+}
+
+public sealed class SetUserFeatureFlagInternalHandler(IFeatureFlagRepository featureFlagRepository, IUserRepository userRepository, TimeProvider timeProvider, ITelemetryEventsCollector events)
+    : IRequestHandler<SetUserFeatureFlagInternalCommand, Result>
+{
+    public async Task<Result> Handle(SetUserFeatureFlagInternalCommand command, CancellationToken cancellationToken)
+    {
+        var user = await userRepository.GetByIdUnfilteredAsync(command.UserId, cancellationToken);
+        if (user is null || user.TenantId != command.TenantId)
+        {
+            return Result.NotFound($"User '{command.UserId}' not found in tenant '{command.TenantId}'.");
+        }
+
+        var now = timeProvider.GetUtcNow();
+
+        if (command.Enabled)
+        {
+            var userOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, command.UserId, cancellationToken);
+            if (userOverride is null)
+            {
+                userOverride = FeatureFlag.CreateUserOverride(command.FlagKey, command.TenantId, command.UserId, FeatureFlagScope.User);
+                userOverride.Activate(now);
+                await featureFlagRepository.AddAsync(userOverride, cancellationToken);
+            }
+            else
+            {
+                userOverride.Activate(now);
+                featureFlagRepository.Update(userOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagUserOverrideSet(command.FlagKey, command.UserId, FeatureFlagOverrideTrigger.Internal));
+        }
+        else
+        {
+            var userOverride = await featureFlagRepository.GetByKeyAndScopeAsync(command.FlagKey, command.TenantId, command.UserId, cancellationToken);
+            if (userOverride is null)
+            {
+                // Create the override row in a disabled state. Without an explicit override, the evaluator
+                // falls back to the base row + rollout, so a user currently enabled-by-rollout would stay
+                // enabled if we just no-op'd here. The row's EnabledAt == DisabledAt makes IsActive=false.
+                userOverride = FeatureFlag.CreateUserOverride(command.FlagKey, command.TenantId, command.UserId, FeatureFlagScope.User);
+                userOverride.Activate(now);
+                userOverride.Deactivate(now);
+                await featureFlagRepository.AddAsync(userOverride, cancellationToken);
+            }
+            else
+            {
+                userOverride.Deactivate(now);
+                featureFlagRepository.Update(userOverride);
+            }
+
+            events.CollectEvent(new FeatureFlagUserOverrideRemoved(command.FlagKey, command.UserId, FeatureFlagOverrideTrigger.Internal));
+        }
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Domain/FeatureFlag.cs b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlag.cs
new file mode 100644
index 000000000..9311c0c1b
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlag.cs
@@ -0,0 +1,155 @@
+using System.ComponentModel.DataAnnotations.Schema;
+using JetBrains.Annotations;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.StronglyTypedIds;
+
+namespace Account.Features.FeatureFlags.Domain;
+
+public sealed class FeatureFlag : AggregateRoot<FeatureFlagId>
+{
+    [UsedImplicitly]
+    private FeatureFlag() : base(FeatureFlagId.NewId())
+    {
+        FlagKey = string.Empty;
+    }
+
+    private FeatureFlag(string flagKey, TenantId? tenantId, UserId? userId, FeatureFlagSource source, FeatureFlagScope scope)
+        : base(FeatureFlagId.NewId())
+    {
+        FlagKey = flagKey;
+        TenantId = tenantId;
+        UserId = userId;
+        Source = source;
+        Scope = scope;
+    }
+
+    public DateTimeOffset? DeletedAt { get; private set; }
+
+    public DateTimeOffset? OrphanedAt { get; private set; }
+
+    public string FlagKey { get; private set; }
+
+    public TenantId? TenantId { get; }
+
+    public UserId? UserId { get; }
+
+    public DateTimeOffset? EnabledAt { get; private set; }
+
+    public DateTimeOffset? DisabledAt { get; private set; }
+
+    public int? BucketStart { get; private set; }
+
+    public int? BucketEnd { get; private set; }
+
+    public FeatureFlagSource Source { get; private set; }
+
+    // Persisted on every row so orphaned and soft-deleted base rows can still be grouped correctly in
+    // the BackOffice (Tenant/User) after their definition is removed from FeatureFlags.cs. Override rows
+    // also carry it for consistency with the base row they inherit from.
+    public FeatureFlagScope Scope { get; private set; }
+
+    [NotMapped]
+    public bool IsActive => EnabledAt is not null && (DisabledAt is null || EnabledAt > DisabledAt);
+
+    public static FeatureFlag Create(string flagKey, FeatureFlagScope scope, FeatureFlagSource source = FeatureFlagSource.Manual)
+    {
+        return new FeatureFlag(flagKey, null, null, source, scope);
+    }
+
+    public static FeatureFlag CreateTenantOverride(string flagKey, TenantId tenantId, FeatureFlagScope scope, FeatureFlagSource source = FeatureFlagSource.Manual)
+    {
+        return new FeatureFlag(flagKey, tenantId, null, source, scope);
+    }
+
+    public static FeatureFlag CreateUserOverride(string flagKey, TenantId tenantId, UserId userId, FeatureFlagScope scope, FeatureFlagSource source = FeatureFlagSource.Manual)
+    {
+        return new FeatureFlag(flagKey, tenantId, userId, source, scope);
+    }
+
+    public void Activate(DateTimeOffset now)
+    {
+        EnabledAt = now;
+        DisabledAt = null;
+    }
+
+    public void Deactivate(DateTimeOffset now)
+    {
+        if (EnabledAt is null) return;
+
+        DisabledAt = now;
+    }
+
+    public void SetSource(FeatureFlagSource source)
+    {
+        Source = source;
+    }
+
+    public void SetScope(FeatureFlagScope scope)
+    {
+        Scope = scope;
+    }
+
+    public void MarkOrphaned(DateTimeOffset now)
+    {
+        if (OrphanedAt is not null) return;
+
+        OrphanedAt = now;
+    }
+
+    // Soft-delete is the only delete path: the base row is retained for historical telemetry so admin
+    // surfaces can still resolve the flag key after the definition is removed from code. Tenant and user
+    // override rows are hard-deleted by the command handler (they carry no historical value).
+    public void MarkDeleted(DateTimeOffset now)
+    {
+        if (TenantId is not null || UserId is not null)
+        {
+            throw new InvalidOperationException("Only base feature flag rows can be soft-deleted.");
+        }
+
+        if (DeletedAt is not null) return;
+
+        DeletedAt = now;
+    }
+
+    // Clears OrphanedAt and DeletedAt together. Called by the reconciler when a previously-removed flag
+    // is re-added to FeatureFlags.cs (rollback or intentional reintroduction). Reuse is by design — the
+    // existing base row keeps its history and telemetry continuity rather than starting a fresh row.
+    public void Restore()
+    {
+        OrphanedAt = null;
+        DeletedAt = null;
+    }
+
+    public void SetRolloutRange(int? rolloutBucketStart, int? rolloutBucketEnd)
+    {
+        if (rolloutBucketStart is null != rolloutBucketEnd is null)
+        {
+            throw new ArgumentException("Bucket start and bucket end must both be set or both be null.");
+        }
+
+        if (rolloutBucketStart is not null && (rolloutBucketStart < 0 || rolloutBucketStart > RolloutBucketHasher.MaxBucketInclusive))
+        {
+            throw new ArgumentOutOfRangeException(nameof(rolloutBucketStart), $"Bucket start must be between 0 and {RolloutBucketHasher.MaxBucketInclusive}.");
+        }
+
+        if (rolloutBucketEnd is not null && (rolloutBucketEnd < 0 || rolloutBucketEnd > RolloutBucketHasher.MaxBucketInclusive))
+        {
+            throw new ArgumentOutOfRangeException(nameof(rolloutBucketEnd), $"Bucket end must be between 0 and {RolloutBucketHasher.MaxBucketInclusive}.");
+        }
+
+        BucketStart = rolloutBucketStart;
+        BucketEnd = rolloutBucketEnd;
+    }
+}
+
+[PublicAPI]
+[IdPrefix("fflag")]
+[JsonConverter(typeof(StronglyTypedIdJsonConverter<string, FeatureFlagId>))]
+public sealed record FeatureFlagId(string Value) : StronglyTypedUlid<FeatureFlagId>(Value)
+{
+    public override string ToString()
+    {
+        return Value;
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagConfiguration.cs b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagConfiguration.cs
new file mode 100644
index 000000000..7249b9402
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagConfiguration.cs
@@ -0,0 +1,24 @@
+using Account.Features.Users.Domain;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Metadata.Builders;
+using SharedKernel.Domain;
+using SharedKernel.EntityFramework;
+
+namespace Account.Features.FeatureFlags.Domain;
+
+public sealed class FeatureFlagConfiguration : IEntityTypeConfiguration<FeatureFlag>
+{
+    public void Configure(EntityTypeBuilder<FeatureFlag> builder)
+    {
+        builder.MapStronglyTypedUuid<FeatureFlag, FeatureFlagId>(f => f.Id);
+        builder.MapStronglyTypedNullableLongId<FeatureFlag, TenantId>(f => f.TenantId);
+        builder.MapStronglyTypedNullableId<FeatureFlag, UserId, string>(f => f.UserId);
+
+        // Cascade deletes user-scoped override rows when the user is hard-deleted (purge / bulk purge /
+        // recycle-bin empty). Without this, override rows would survive as orphans referencing a missing user.
+        builder.HasOne<User>()
+            .WithMany()
+            .HasForeignKey(f => f.UserId)
+            .OnDelete(DeleteBehavior.Cascade);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagRepository.cs b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagRepository.cs
new file mode 100644
index 000000000..5abe7da46
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagRepository.cs
@@ -0,0 +1,127 @@
+using Account.Database;
+using Microsoft.EntityFrameworkCore;
+using SharedKernel.Domain;
+using SharedKernel.Persistence;
+
+namespace Account.Features.FeatureFlags.Domain;
+
+/// <summary>
+///     The <see cref="FeatureFlag" /> aggregate intentionally does not implement <c>ITenantScopedEntity</c>:
+///     a single physical table stores base rows (<c>tenant_id IS NULL</c>), tenant overrides, and user
+///     overrides, so the global tenant query filter cannot be applied. Every method on this repository
+///     reads or writes rows across multiple tenant scopes by design - never compare to other repositories
+///     where <c>UnfilteredAsync</c> suffixes flag rare exceptions.
+/// </summary>
+public interface IFeatureFlagRepository : ICrudRepository<FeatureFlag, FeatureFlagId>
+{
+    Task<FeatureFlag[]> GetAllRelevantRowsAsync(TenantId tenantId, UserId userId, CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetTenantScopedRowsAsync(TenantId tenantId, CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetUserScopedRowsAsync(TenantId tenantId, UserId userId, CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetAllBaseRowsAsync(CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetTenantOverridesForFlagAsync(string flagKey, CancellationToken cancellationToken);
+
+    Task<FeatureFlag?> GetByKeyAndScopeAsync(string flagKey, TenantId? tenantId, UserId? userId, CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetUserOverridesForFlagAsync(string flagKey, CancellationToken cancellationToken);
+
+    Task<FeatureFlag[]> GetPlanBasedOverridesForTenantAsync(TenantId tenantId, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Returns every feature_flag row across all tenants and users. Used by the reconciler to sweep for
+    ///     orphans (rows whose flag_key no longer exists in FeatureFlags.cs). MUST only be called from
+    ///     startup/admin paths — never from a tenant-scoped request.
+    /// </summary>
+    Task<FeatureFlag[]> GetAllRowsUnfilteredAsync(CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Returns every row (base + tenant + user overrides) for a single flag_key across all tenants and
+    ///     users. Used by the back-office hard-delete to cascade-remove an orphaned flag. MUST only be called
+    ///     from admin paths — never from a tenant-scoped request.
+    /// </summary>
+    Task<FeatureFlag[]> GetRowsByFlagKeyUnfilteredAsync(string flagKey, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Returns every row (tenant overrides + user overrides for users of this tenant) bound to a single
+    ///     tenant. Used to cascade-delete on tenant removal so stale flag rows don't accumulate. Base rows
+    ///     (tenant_id IS NULL) are not returned.
+    /// </summary>
+    Task<FeatureFlag[]> GetRowsByTenantAsync(TenantId tenantId, CancellationToken cancellationToken);
+}
+
+internal sealed class FeatureFlagRepository(AccountDbContext accountDbContext)
+    : RepositoryBase<FeatureFlag, FeatureFlagId>(accountDbContext), IFeatureFlagRepository
+{
+    public async Task<FeatureFlag[]> GetAllRelevantRowsAsync(TenantId tenantId, UserId userId, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => (f.TenantId == null || f.TenantId == tenantId) && (f.UserId == null || f.UserId == userId))
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetTenantScopedRowsAsync(TenantId tenantId, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => (f.TenantId == null || f.TenantId == tenantId) && f.UserId == null)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetUserScopedRowsAsync(TenantId tenantId, UserId userId, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => (f.TenantId == null && f.UserId == null) || (f.TenantId == tenantId && f.UserId == userId))
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetAllBaseRowsAsync(CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => f.TenantId == null && f.UserId == null)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetTenantOverridesForFlagAsync(string flagKey, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => f.FlagKey == flagKey && f.TenantId != null && f.UserId == null)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag?> GetByKeyAndScopeAsync(string flagKey, TenantId? tenantId, UserId? userId, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .FirstOrDefaultAsync(f => f.FlagKey == flagKey && f.TenantId == tenantId && f.UserId == userId, cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetUserOverridesForFlagAsync(string flagKey, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => f.FlagKey == flagKey && f.UserId != null)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetPlanBasedOverridesForTenantAsync(TenantId tenantId, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .Where(f => f.TenantId == tenantId && f.UserId == null && f.Source == FeatureFlagSource.Plan)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetAllRowsUnfilteredAsync(CancellationToken cancellationToken)
+    {
+        return await DbSet.ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetRowsByFlagKeyUnfilteredAsync(string flagKey, CancellationToken cancellationToken)
+    {
+        return await DbSet.Where(f => f.FlagKey == flagKey).ToArrayAsync(cancellationToken);
+    }
+
+    public async Task<FeatureFlag[]> GetRowsByTenantAsync(TenantId tenantId, CancellationToken cancellationToken)
+    {
+        return await DbSet.Where(f => f.TenantId == tenantId).ToArrayAsync(cancellationToken);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagTypes.cs b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagTypes.cs
new file mode 100644
index 000000000..3497577cc
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Domain/FeatureFlagTypes.cs
@@ -0,0 +1,18 @@
+namespace Account.Features.FeatureFlags.Domain;
+
+// JsonStringEnumMemberName preserves the snake-case wire vocabulary that the frontend already filters on,
+// while letting C# callers use the enum directly. The `Default` member has no domain row counterpart —
+// it is only used as a wire value when no override, plan grant, or A/B rollout applies.
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum FeatureFlagSource
+{
+    [JsonStringEnumMemberName("manual_override")]
+    Manual,
+
+    [JsonStringEnumMemberName("plan")] Plan,
+
+    [JsonStringEnumMemberName("ab_rollout")]
+    AbRollout,
+
+    [JsonStringEnumMemberName("default")] Default
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagTenants.cs b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagTenants.cs
new file mode 100644
index 000000000..439092ce7
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagTenants.cs
@@ -0,0 +1,289 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Subscriptions.Domain;
+using Account.Features.Tenants.BackOffice.Queries;
+using Account.Features.Tenants.Domain;
+using Account.Features.Users.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using Mapster;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Persistence;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetFeatureFlagTenantsQuery(
+    string? Search = null,
+    SubscriptionPlan[]? Plans = null,
+    FeatureFlagAudienceState? State = null,
+    bool? HasOverride = null,
+    SortableFeatureFlagTenantProperties OrderBy = SortableFeatureFlagTenantProperties.Name,
+    SortOrder SortOrder = SortOrder.Ascending,
+    int PageOffset = 0,
+    int PageSize = 25
+) : IRequest<Result<GetFeatureFlagTenantsResponse>>
+{
+    [JsonIgnore] // Removes from API contract
+    public string FlagKey { get; init; } = null!;
+
+    public string? Search { get; } = Search?.Trim().ToLower();
+
+    public SubscriptionPlan[] Plans { get; } = Plans ?? [];
+}
+
+[PublicAPI]
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum SortableFeatureFlagTenantProperties
+{
+    Name,
+    Plan,
+    MonthlyRecurringRevenue,
+    RenewalDate,
+    IsEnabled,
+    OverrideUpdatedAt,
+    InclusionThresholdPercentage
+}
+
+[PublicAPI]
+public sealed record GetFeatureFlagTenantsResponse(
+    int TotalCount,
+    int PageSize,
+    int TotalPages,
+    int CurrentPageOffset,
+    int EnabledCount,
+    int DisabledCount,
+    int OverrideCount,
+    FeatureFlagTenantInfo[] Tenants
+);
+
+// Field names mirror TenantSummary so Mapster's convention-based mapping covers the shared subset. Override fields
+// (RolloutBucket, IsEnabled, Source) come from the feature-flag evaluation and are applied via `with` on top of Adapt.
+[PublicAPI]
+public sealed record FeatureFlagTenantInfo(
+    TenantId Id,
+    string Name,
+    string? LogoUrl,
+    SubscriptionPlan Plan,
+    decimal? MonthlyRecurringRevenue,
+    decimal? ScheduledPriceAmount,
+    string? Currency,
+    DateTimeOffset? RenewalDate,
+    PlannedSubscriptionChange? PlannedChange,
+    bool HasEverSubscribed,
+    string? Country,
+    DateTimeOffset CreatedAt,
+    TenantOwnerSummary? Owner,
+    int RolloutBucket,
+    bool IsEnabled,
+    FeatureFlagSource Source,
+    int? InclusionThresholdPercentage,
+    bool DefaultEnabled,
+    DateTimeOffset? OverrideEnabledAt,
+    DateTimeOffset? OverrideDisabledAt,
+    AbInclusionPin? TenantAbInclusionPin
+);
+
+public sealed class GetFeatureFlagTenantsValidator : AbstractValidator<GetFeatureFlagTenantsQuery>
+{
+    public GetFeatureFlagTenantsValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.Tenant).WithMessage("Feature flag must have tenant scope.");
+
+        RuleFor(x => x.Search).MaximumLength(100).WithMessage("The search term must be at most 100 characters.");
+        RuleFor(x => x.Plans.Length).LessThanOrEqualTo(10).WithMessage("Plans filter must contain no more than 10 values.");
+        // Plan-gated flag detail page requests every tenant in one shot (PLAN_TENANT_LIST_CAP = 1000) so it can
+        // group them by plan without pagination. Other call sites still use the default 25.
+        RuleFor(x => x.PageSize).InclusiveBetween(1, 1000).WithMessage("Page size must be between 1 and 1000.");
+        RuleFor(x => x.PageOffset).GreaterThanOrEqualTo(0).WithMessage("Page offset must be greater than or equal to 0.");
+    }
+}
+
+public sealed class GetFeatureFlagTenantsHandler(
+    IFeatureFlagRepository featureFlagRepository,
+    ITenantRepository tenantRepository,
+    ISubscriptionRepository subscriptionRepository,
+    IUserRepository userRepository
+) : IRequestHandler<GetFeatureFlagTenantsQuery, Result<GetFeatureFlagTenantsResponse>>
+{
+    public async Task<Result<GetFeatureFlagTenantsResponse>> Handle(GetFeatureFlagTenantsQuery query, CancellationToken cancellationToken)
+    {
+        var definition = SharedKernel.FeatureFlags.FeatureFlags.Get(query.FlagKey);
+        if (definition is null) return Result<GetFeatureFlagTenantsResponse>.NotFound($"Feature flag with key '{query.FlagKey}' not found.");
+
+        // Load all tenants then narrow in memory: search must match tenant name OR owner email, which can't be expressed
+        // by the existing SearchAllTenantsAsync (name + id only). Tenant counts in back-office are bounded.
+        var tenants = await tenantRepository.GetAllUnfilteredAsync(cancellationToken);
+
+        if (query.Plans.Length > 0)
+        {
+            tenants = tenants.Where(t => query.Plans.Contains(t.Plan)).ToArray();
+        }
+
+        var tenantIds = tenants.Select(t => t.Id).ToArray();
+
+        var subscriptions = tenantIds.Length == 0
+            ? []
+            : await subscriptionRepository.GetByTenantIdsUnfilteredAsync(tenantIds, cancellationToken);
+        var subscriptionsByTenantId = subscriptions.ToDictionary(s => s.TenantId);
+
+        var ownerByTenantId = tenantIds.Length == 0
+            ? new Dictionary<TenantId, User>()
+            : await userRepository.GetFirstOwnerByTenantIdsUnfilteredAsync(tenantIds, cancellationToken);
+
+        if (!string.IsNullOrEmpty(query.Search))
+        {
+            tenants = tenants.Where(t =>
+                t.Name.ToLowerInvariant().Contains(query.Search) ||
+                (ownerByTenantId.TryGetValue(t.Id, out var owner) && owner.Email.Contains(query.Search))
+            ).ToArray();
+        }
+
+        var tenantOverrides = await featureFlagRepository.GetTenantOverridesForFlagAsync(query.FlagKey, cancellationToken);
+        var overridesByTenantId = tenantOverrides.ToDictionary(f => f.TenantId!);
+
+        var baseRow = await featureFlagRepository.GetByKeyAndScopeAsync(query.FlagKey, null, null, cancellationToken);
+
+        var featureFlagTenants = tenants.Select(tenant =>
+            {
+                var summary = TenantSummary.FromAggregate(
+                    tenant,
+                    subscriptionsByTenantId.GetValueOrDefault(tenant.Id),
+                    ownerByTenantId.GetValueOrDefault(tenant.Id)
+                );
+
+                var (isEnabled, source) = EvaluateOverride(definition, baseRow, overridesByTenantId, tenant);
+
+                var defaultEnabled = ComputeDefaultEnabled(definition, baseRow, tenant.RolloutBucket, tenant.AbInclusionPin);
+                var inclusionThresholdPercentage = ComputeInclusionThresholdPercentage(definition, tenant.RolloutBucket, tenant.AbInclusionPin, query.FlagKey);
+
+                overridesByTenantId.TryGetValue(tenant.Id, out var tenantOverrideRow);
+
+                return summary.Adapt<FeatureFlagTenantInfo>() with
+                {
+                    RolloutBucket = tenant.RolloutBucket,
+                    IsEnabled = isEnabled,
+                    Source = source,
+                    InclusionThresholdPercentage = inclusionThresholdPercentage,
+                    DefaultEnabled = defaultEnabled,
+                    OverrideEnabledAt = tenantOverrideRow?.EnabledAt,
+                    OverrideDisabledAt = tenantOverrideRow?.DisabledAt,
+                    TenantAbInclusionPin = tenant.AbInclusionPin
+                };
+            }
+        ).ToArray();
+
+        // Aggregate stats reflect the population AFTER search/plans filtering but BEFORE state/has-override
+        // filtering, so they describe "the addressable accounts for this flag" rather than the current view.
+        var enabledCount = featureFlagTenants.Count(t => t.IsEnabled);
+        var disabledCount = featureFlagTenants.Length - enabledCount;
+        var overrideCount = featureFlagTenants.Count(t => t.Source == FeatureFlagSource.Manual);
+
+        var filtered = query.State switch
+        {
+            FeatureFlagAudienceState.Enabled => featureFlagTenants.Where(t => t.IsEnabled).ToArray(),
+            FeatureFlagAudienceState.Disabled => featureFlagTenants.Where(t => !t.IsEnabled).ToArray(),
+            _ => featureFlagTenants
+        };
+
+        if (query.HasOverride == true)
+        {
+            filtered = filtered.Where(t => t.Source == FeatureFlagSource.Manual).ToArray();
+        }
+
+        var ordered = Sort(filtered, query.OrderBy, query.SortOrder).ToArray();
+
+        var totalCount = ordered.Length;
+        var totalPages = totalCount == 0 ? 0 : (totalCount - 1) / query.PageSize + 1;
+        if (query.PageOffset > 0 && query.PageOffset >= totalPages)
+        {
+            return Result<GetFeatureFlagTenantsResponse>.BadRequest($"The page offset '{query.PageOffset}' is greater than the total number of pages.");
+        }
+
+        var paged = ordered.Skip(query.PageOffset * query.PageSize).Take(query.PageSize).ToArray();
+
+        return new GetFeatureFlagTenantsResponse(totalCount, query.PageSize, totalPages, query.PageOffset, enabledCount, disabledCount, overrideCount, paged);
+    }
+
+    // Stable tie-break by Id keeps paginated results deterministic when the primary key has duplicates.
+    private static IEnumerable<FeatureFlagTenantInfo> Sort(FeatureFlagTenantInfo[] items, SortableFeatureFlagTenantProperties orderBy, SortOrder sortOrder)
+    {
+        return (orderBy, sortOrder) switch
+        {
+            (SortableFeatureFlagTenantProperties.Plan, SortOrder.Ascending) => items.OrderBy(t => t.Plan).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.Plan, _) => items.OrderByDescending(t => t.Plan).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.MonthlyRecurringRevenue, SortOrder.Ascending) => items.OrderBy(t => t.MonthlyRecurringRevenue ?? 0m).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.MonthlyRecurringRevenue, _) => items.OrderByDescending(t => t.MonthlyRecurringRevenue ?? 0m).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.RenewalDate, SortOrder.Ascending) => items.OrderBy(t => t.RenewalDate ?? DateTimeOffset.MaxValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.RenewalDate, _) => items.OrderByDescending(t => t.RenewalDate ?? DateTimeOffset.MinValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.IsEnabled, SortOrder.Ascending) => items.OrderBy(t => t.IsEnabled).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.IsEnabled, _) => items.OrderByDescending(t => t.IsEnabled).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.OverrideUpdatedAt, SortOrder.Ascending) => items.OrderBy(t => t.OverrideDisabledAt ?? t.OverrideEnabledAt ?? DateTimeOffset.MaxValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.OverrideUpdatedAt, _) => items.OrderByDescending(t => t.OverrideDisabledAt ?? t.OverrideEnabledAt ?? DateTimeOffset.MinValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.InclusionThresholdPercentage, SortOrder.Ascending) => items.OrderBy(t => t.InclusionThresholdPercentage ?? int.MaxValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.InclusionThresholdPercentage, _) => items.OrderByDescending(t => t.InclusionThresholdPercentage ?? int.MinValue).ThenBy(t => t.Id.Value),
+            (SortableFeatureFlagTenantProperties.Name, SortOrder.Descending) => items.OrderByDescending(t => t.Name).ThenBy(t => t.Id.Value),
+            _ => items.OrderBy(t => t.Name).ThenBy(t => t.Id.Value)
+        };
+    }
+
+    // The state a tenant would have if no manual override existed. Pins are unconditional: AlwaysOn includes
+    // the tenant regardless of rollout, NeverOn excludes them regardless of rollout. Mirrors FeatureFlagEvaluator.
+    private static bool ComputeDefaultEnabled(FeatureFlagDefinition definition, FeatureFlag? baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (baseRow is null || !baseRow.IsActive) return false;
+        if (!definition.IsAbTestEligible) return false;
+        return EvaluateAbRollout(baseRow, rolloutBucket, abInclusionPin);
+    }
+
+    private static bool EvaluateAbRollout(FeatureFlag baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return false;
+        if (baseRow.BucketStart is null || baseRow.BucketEnd is null) return false;
+        return RolloutBucketHasher.IsInRolloutBucketRange(rolloutBucket, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    // Pinned entities bypass the rollout: AlwaysOn → 0 (always included) and NeverOn → null (never included
+    // by rollout). Without a pin we fall back to the per-key threshold.
+    private static int? ComputeInclusionThresholdPercentage(FeatureFlagDefinition definition, int rolloutBucket, AbInclusionPin? abInclusionPin, string flagKey)
+    {
+        if (!definition.IsAbTestEligible) return null;
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return 0;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return null;
+        return RolloutBucketHasher.ComputeInclusionThresholdPercentage(rolloutBucket, flagKey);
+    }
+
+    private static (bool IsEnabled, FeatureFlagSource Source) EvaluateOverride(
+        FeatureFlagDefinition definition,
+        FeatureFlag? baseRow,
+        Dictionary<TenantId, FeatureFlag> overridesByTenantId,
+        Tenant tenant
+    )
+    {
+        if (overridesByTenantId.TryGetValue(tenant.Id, out var tenantOverride))
+        {
+            // Gate on baseRow.IsActive so a globally-Deactivated kill-switch flag reports as disabled even when
+            // an override row exists — matching the runtime FeatureFlagEvaluator.cs:48 short-circuit.
+            var isOverrideActive = tenantOverride.EnabledAt is not null && (tenantOverride.DisabledAt is null || tenantOverride.EnabledAt > tenantOverride.DisabledAt);
+            var isEnabled = baseRow is { IsActive: true } && isOverrideActive;
+            // The override row's Source column distinguishes a manual admin toggle from a plan-driven row.
+            var source = tenantOverride.Source == FeatureFlagSource.Plan ? FeatureFlagSource.Plan : FeatureFlagSource.Manual;
+            return (isEnabled, source);
+        }
+
+        // Gate by baseRow.IsActive so a globally-deactivated flag never shows as Enabled in the
+        // bulk admin view — matches FeatureFlagEvaluator.EvaluateAsync which skips entirely when
+        // the base row is inactive.
+        if (definition.IsAbTestEligible && baseRow is { IsActive: true })
+        {
+            return (EvaluateAbRollout(baseRow, tenant.RolloutBucket, tenant.AbInclusionPin), FeatureFlagSource.AbRollout);
+        }
+
+        return (false, FeatureFlagSource.Default);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagUsers.cs b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagUsers.cs
new file mode 100644
index 000000000..af2003154
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlagUsers.cs
@@ -0,0 +1,266 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Subscriptions.Domain;
+using Account.Features.Tenants.Domain;
+using Account.Features.Users.BackOffice.Queries;
+using Account.Features.Users.Domain;
+using FluentValidation;
+using JetBrains.Annotations;
+using Mapster;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Persistence;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetFeatureFlagUsersQuery(
+    string? Search = null,
+    UserRole[]? Roles = null,
+    FeatureFlagAudienceState? State = null,
+    bool? HasOverride = null,
+    SortableFeatureFlagUserProperties OrderBy = SortableFeatureFlagUserProperties.Name,
+    SortOrder SortOrder = SortOrder.Ascending,
+    int PageOffset = 0,
+    int PageSize = 25
+) : IRequest<Result<GetFeatureFlagUsersResponse>>
+{
+    [JsonIgnore] // Removes from API contract
+    public string FlagKey { get; init; } = null!;
+
+    public string? Search { get; } = Search?.Trim().ToLower();
+
+    public UserRole[] Roles { get; } = Roles ?? [];
+}
+
+[PublicAPI]
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum SortableFeatureFlagUserProperties
+{
+    Name,
+    TenantName,
+    Role,
+    LastSeenAt,
+    IsEnabled,
+    OverrideUpdatedAt,
+    InclusionThresholdPercentage
+}
+
+[PublicAPI]
+public sealed record GetFeatureFlagUsersResponse(
+    int TotalCount,
+    int PageSize,
+    int TotalPages,
+    int CurrentPageOffset,
+    int EnabledCount,
+    int DisabledCount,
+    int OverrideCount,
+    FeatureFlagUserInfo[] Users
+);
+
+// Field names mirror the User aggregate so Mapster's convention-based mapping covers the user subset. Tenant-derived
+// fields (TenantName, TenantPlan) and override fields (RolloutBucket, IsEnabled, Source) are applied via `with`.
+[PublicAPI]
+public sealed record FeatureFlagUserInfo(
+    UserId Id,
+    TenantId TenantId,
+    string Email,
+    string? FirstName,
+    string? LastName,
+    string? AvatarUrl,
+    UserRole Role,
+    DateTimeOffset? LastSeenAt,
+    DateTimeOffset CreatedAt,
+    string TenantName,
+    SubscriptionPlan TenantPlan,
+    int RolloutBucket,
+    bool IsEnabled,
+    FeatureFlagSource Source,
+    int? InclusionThresholdPercentage,
+    bool DefaultEnabled,
+    DateTimeOffset? OverrideEnabledAt,
+    DateTimeOffset? OverrideDisabledAt,
+    AbInclusionPin? UserAbInclusionPin
+);
+
+public sealed class GetFeatureFlagUsersValidator : AbstractValidator<GetFeatureFlagUsersQuery>
+{
+    public GetFeatureFlagUsersValidator()
+    {
+        RuleFor(x => x.FlagKey)
+            .NotEmpty().WithMessage("Feature flag key must not be empty.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key) is not null).WithMessage("Feature flag key must exist in the registry.")
+            .Must(key => SharedKernel.FeatureFlags.FeatureFlags.Get(key)?.Scope == FeatureFlagScope.User).WithMessage("Feature flag must have user scope.");
+
+        RuleFor(x => x.Search).MaximumLength(100).WithMessage("The search term must be at most 100 characters.");
+        RuleFor(x => x.Roles.Length).LessThanOrEqualTo(10).WithMessage("Roles filter must contain no more than 10 values.");
+        RuleFor(x => x.PageSize).InclusiveBetween(1, 100).WithMessage("Page size must be between 1 and 100.");
+        RuleFor(x => x.PageOffset).GreaterThanOrEqualTo(0).WithMessage("Page offset must be greater than or equal to 0.");
+    }
+}
+
+public sealed class GetFeatureFlagUsersHandler(IFeatureFlagRepository featureFlagRepository, IUserRepository userRepository, ITenantRepository tenantRepository, TimeProvider timeProvider)
+    : IRequestHandler<GetFeatureFlagUsersQuery, Result<GetFeatureFlagUsersResponse>>
+{
+    public async Task<Result<GetFeatureFlagUsersResponse>> Handle(GetFeatureFlagUsersQuery query, CancellationToken cancellationToken)
+    {
+        var definition = SharedKernel.FeatureFlags.FeatureFlags.Get(query.FlagKey);
+        if (definition is null) return Result<GetFeatureFlagUsersResponse>.NotFound($"Feature flag with key '{query.FlagKey}' not found.");
+
+        var (users, _, _) = await userRepository.SearchAllUsersUnfilteredAsync(
+            query.Search ?? string.Empty,
+            query.Roles,
+            null,
+            timeProvider.GetUtcNow(),
+            SortableBackOfficeUserProperties.Name,
+            SortOrder.Ascending,
+            0,
+            int.MaxValue,
+            cancellationToken
+        );
+
+        var userOverrides = await featureFlagRepository.GetUserOverridesForFlagAsync(query.FlagKey, cancellationToken);
+        var overridesByUserId = userOverrides.ToDictionary(f => f.UserId!);
+
+        var baseRow = await featureFlagRepository.GetByKeyAndScopeAsync(query.FlagKey, null, null, cancellationToken);
+
+        var tenantIds = users.Select(u => u.TenantId).Distinct().ToArray();
+        var tenants = await tenantRepository.GetByIdsUnfilteredAsync(tenantIds, cancellationToken);
+        var tenantsById = tenants.ToDictionary(t => t.Id);
+
+        var featureFlagUsers = users.Select(user =>
+            {
+                tenantsById.TryGetValue(user.TenantId, out var tenant);
+                var (isEnabled, source) = EvaluateOverride(definition, baseRow, overridesByUserId, user);
+                overridesByUserId.TryGetValue(user.Id, out var userOverrideRow);
+
+                return user.Adapt<FeatureFlagUserInfo>() with
+                {
+                    AvatarUrl = user.Avatar.Url,
+                    TenantName = tenant?.Name ?? "Unknown",
+                    TenantPlan = tenant?.Plan ?? SubscriptionPlan.Basis,
+                    IsEnabled = isEnabled,
+                    Source = source,
+                    InclusionThresholdPercentage = ComputeInclusionThresholdPercentage(definition, user.RolloutBucket, user.AbInclusionPin, query.FlagKey),
+                    DefaultEnabled = ComputeDefaultEnabled(definition, baseRow, user.RolloutBucket, user.AbInclusionPin),
+                    OverrideEnabledAt = userOverrideRow?.EnabledAt,
+                    OverrideDisabledAt = userOverrideRow?.DisabledAt,
+                    UserAbInclusionPin = user.AbInclusionPin
+                };
+            }
+        ).ToArray();
+
+        // Aggregate stats reflect the population AFTER search/roles filtering but BEFORE state/has-override
+        // filtering, so they describe "the addressable users for this flag" rather than the current view.
+        var enabledCount = featureFlagUsers.Count(u => u.IsEnabled);
+        var disabledCount = featureFlagUsers.Length - enabledCount;
+        var overrideCount = featureFlagUsers.Count(u => u.Source == FeatureFlagSource.Manual);
+
+        var filtered = query.State switch
+        {
+            FeatureFlagAudienceState.Enabled => featureFlagUsers.Where(u => u.IsEnabled).ToArray(),
+            FeatureFlagAudienceState.Disabled => featureFlagUsers.Where(u => !u.IsEnabled).ToArray(),
+            _ => featureFlagUsers
+        };
+
+        if (query.HasOverride == true)
+        {
+            filtered = filtered.Where(u => u.Source == FeatureFlagSource.Manual).ToArray();
+        }
+
+        var ordered = Sort(filtered, query.OrderBy, query.SortOrder).ToArray();
+
+        var totalCount = ordered.Length;
+        var totalPages = totalCount == 0 ? 0 : (totalCount - 1) / query.PageSize + 1;
+        if (query.PageOffset > 0 && query.PageOffset >= totalPages)
+        {
+            return Result<GetFeatureFlagUsersResponse>.BadRequest($"The page offset '{query.PageOffset}' is greater than the total number of pages.");
+        }
+
+        var paged = ordered.Skip(query.PageOffset * query.PageSize).Take(query.PageSize).ToArray();
+
+        return new GetFeatureFlagUsersResponse(totalCount, query.PageSize, totalPages, query.PageOffset, enabledCount, disabledCount, overrideCount, paged);
+    }
+
+    private static IEnumerable<FeatureFlagUserInfo> Sort(FeatureFlagUserInfo[] items, SortableFeatureFlagUserProperties orderBy, SortOrder sortOrder)
+    {
+        // Stable tie-break by Id keeps paginated results deterministic. Name is composed from FirstName + LastName + Email so callers see a single column.
+        return (orderBy, sortOrder) switch
+        {
+            (SortableFeatureFlagUserProperties.TenantName, SortOrder.Ascending) => items.OrderBy(u => u.TenantName).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.TenantName, _) => items.OrderByDescending(u => u.TenantName).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.Role, SortOrder.Ascending) => items.OrderBy(u => u.Role).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.Role, _) => items.OrderByDescending(u => u.Role).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.LastSeenAt, SortOrder.Ascending) => items.OrderBy(u => u.LastSeenAt ?? DateTimeOffset.MaxValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.LastSeenAt, _) => items.OrderByDescending(u => u.LastSeenAt ?? DateTimeOffset.MinValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.IsEnabled, SortOrder.Ascending) => items.OrderBy(u => u.IsEnabled).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.IsEnabled, _) => items.OrderByDescending(u => u.IsEnabled).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.OverrideUpdatedAt, SortOrder.Ascending) => items.OrderBy(u => u.OverrideDisabledAt ?? u.OverrideEnabledAt ?? DateTimeOffset.MaxValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.OverrideUpdatedAt, _) => items.OrderByDescending(u => u.OverrideDisabledAt ?? u.OverrideEnabledAt ?? DateTimeOffset.MinValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.InclusionThresholdPercentage, SortOrder.Ascending) => items.OrderBy(u => u.InclusionThresholdPercentage ?? int.MaxValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.InclusionThresholdPercentage, _) => items.OrderByDescending(u => u.InclusionThresholdPercentage ?? int.MinValue).ThenBy(u => u.Id.Value),
+            (SortableFeatureFlagUserProperties.Name, SortOrder.Descending) => items.OrderByDescending(NameSortKey).ThenBy(u => u.Id.Value),
+            _ => items.OrderBy(NameSortKey).ThenBy(u => u.Id.Value)
+        };
+    }
+
+    private static string NameSortKey(FeatureFlagUserInfo user)
+    {
+        // Mirror the front-office convention: "FirstName LastName", falling back to email when both are null.
+        return $"{user.FirstName} {user.LastName}".Trim() is { Length: > 0 } composed ? composed : user.Email;
+    }
+
+    // Pins are unconditional: AlwaysOn includes the user regardless of rollout, NeverOn excludes them
+    // regardless of rollout. Mirrors FeatureFlagEvaluator's precedence chain.
+    private static bool ComputeDefaultEnabled(FeatureFlagDefinition definition, FeatureFlag? baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (baseRow is null || !baseRow.IsActive) return false;
+        if (!definition.IsAbTestEligible) return false;
+        return EvaluateAbRollout(baseRow, rolloutBucket, abInclusionPin);
+    }
+
+    private static bool EvaluateAbRollout(FeatureFlag baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return false;
+        if (baseRow.BucketStart is null || baseRow.BucketEnd is null) return false;
+        return RolloutBucketHasher.IsInRolloutBucketRange(rolloutBucket, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    // Pins are unconditional and bypass the rollout, so AlwaysOn → 0 (always included) and
+    // NeverOn → null (never included by rollout). Without a pin we fall back to the per-key threshold.
+    private static int? ComputeInclusionThresholdPercentage(FeatureFlagDefinition definition, int rolloutBucket, AbInclusionPin? abInclusionPin, string flagKey)
+    {
+        if (!definition.IsAbTestEligible) return null;
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return 0;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return null;
+        return RolloutBucketHasher.ComputeInclusionThresholdPercentage(rolloutBucket, flagKey);
+    }
+
+    private static (bool IsEnabled, FeatureFlagSource Source) EvaluateOverride(
+        FeatureFlagDefinition definition,
+        FeatureFlag? baseRow,
+        Dictionary<UserId, FeatureFlag> overridesByUserId,
+        User user
+    )
+    {
+        if (overridesByUserId.TryGetValue(user.Id, out var userOverride))
+        {
+            // Gate on baseRow.IsActive so a globally-Deactivated kill-switch flag reports as disabled even when
+            // an override row exists — matching the runtime FeatureFlagEvaluator.cs:48 short-circuit.
+            var isOverrideActive = userOverride.EnabledAt is not null && (userOverride.DisabledAt is null || userOverride.EnabledAt > userOverride.DisabledAt);
+            var isEnabled = baseRow is { IsActive: true } && isOverrideActive;
+            return (isEnabled, FeatureFlagSource.Manual);
+        }
+
+        // Gate by baseRow.IsActive so a globally-deactivated flag never shows as Enabled in the
+        // bulk admin view — matches FeatureFlagEvaluator.EvaluateAsync which skips entirely when
+        // the base row is inactive.
+        if (definition.IsAbTestEligible && baseRow is { IsActive: true })
+        {
+            return (EvaluateAbRollout(baseRow, user.RolloutBucket, user.AbInclusionPin), FeatureFlagSource.AbRollout);
+        }
+
+        return (false, FeatureFlagSource.Default);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlags.cs b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlags.cs
new file mode 100644
index 000000000..56aef79b4
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetFeatureFlags.cs
@@ -0,0 +1,99 @@
+using Account.Features.FeatureFlags.Domain;
+using JetBrains.Annotations;
+using Microsoft.Extensions.Configuration;
+using SharedKernel.Cqrs;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetFeatureFlagsQuery(bool IncludeDeleted = false) : IRequest<Result<GetFeatureFlagsResponse>>;
+
+[PublicAPI]
+public sealed record GetFeatureFlagsResponse(FeatureFlagInfo[] Flags);
+
+[PublicAPI]
+public sealed record FeatureFlagInfo(
+    string Key,
+    FeatureFlagScope Scope,
+    FeatureFlagAdminLevel AdminLevel,
+    string Description,
+    bool IsAbTestEligible,
+    bool ConfigurableByTenant,
+    bool ConfigurableByUser,
+    string? RequiredPlan,
+    DateTimeOffset? CreatedAt,
+    DateTimeOffset? EnabledAt,
+    DateTimeOffset? DisabledAt,
+    int? RolloutBucketStart,
+    int? RolloutBucketEnd,
+    int? RolloutPercentage,
+    bool IsActive,
+    bool IsKillSwitchEnabled,
+    bool IsStableModule,
+    DateTimeOffset? OrphanedAt,
+    DateTimeOffset? DeletedAt
+);
+
+public sealed class GetFeatureFlagsHandler(IFeatureFlagRepository featureFlagRepository, IConfiguration configuration)
+    : IRequestHandler<GetFeatureFlagsQuery, Result<GetFeatureFlagsResponse>>
+{
+    public async Task<Result<GetFeatureFlagsResponse>> Handle(GetFeatureFlagsQuery request, CancellationToken cancellationToken)
+    {
+        var definitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll();
+        var baseRows = await featureFlagRepository.GetAllBaseRowsAsync(cancellationToken);
+        var baseRowsByKey = baseRows.ToDictionary(f => f.FlagKey);
+
+        var activeFlags = definitions.Select(definition =>
+            {
+                if (definition.Scope == FeatureFlagScope.System)
+                {
+                    var isSystemFeatureFlagActive = definition.IsSystemFeatureFlagEnabled(configuration);
+                    return new FeatureFlagInfo(
+                        definition.Key, definition.Scope, definition.AdminLevel, definition.Description,
+                        definition.IsAbTestEligible, definition.ConfigurableByTenant, definition.ConfigurableByUser, definition.RequiredPlan?.ToString(),
+                        null, null, null, null, null, null, isSystemFeatureFlagActive, definition.IsKillSwitchEnabled, definition.IsStableModule, null, null
+                    );
+                }
+
+                baseRowsByKey.TryGetValue(definition.Key, out var baseRow);
+
+                var createdAt = baseRow?.CreatedAt;
+                var enabledAt = baseRow?.EnabledAt;
+                var disabledAt = baseRow?.DisabledAt;
+                var rolloutBucketStart = baseRow?.BucketStart;
+                var rolloutBucketEnd = baseRow?.BucketEnd;
+                var isActive = enabledAt is not null && (disabledAt is null || enabledAt > disabledAt);
+                var rolloutPercentage = ComputeRolloutPercentage(rolloutBucketStart, rolloutBucketEnd);
+
+                return new FeatureFlagInfo(
+                    definition.Key, definition.Scope, definition.AdminLevel, definition.Description,
+                    definition.IsAbTestEligible, definition.ConfigurableByTenant, definition.ConfigurableByUser, definition.RequiredPlan?.ToString(),
+                    createdAt, enabledAt, disabledAt, rolloutBucketStart, rolloutBucketEnd, rolloutPercentage, isActive, definition.IsKillSwitchEnabled, definition.IsStableModule, baseRow?.OrphanedAt, baseRow?.DeletedAt
+                );
+            }
+        );
+
+        // Surface orphaned (and optionally soft-deleted) rows whose key is no longer in the C# definitions
+        // so admins can review and retire them. Scope is row-persisted; other definition-side fields use
+        // safe defaults because no live behavior depends on them once the definition is gone.
+        var definitionKeys = definitions.Select(d => d.Key).ToHashSet();
+        var historicalFlags = baseRowsByKey.Values
+            .Where(row => !definitionKeys.Contains(row.FlagKey))
+            .Where(row => row.DeletedAt is null || request.IncludeDeleted)
+            .Select(row => new FeatureFlagInfo(
+                    row.FlagKey, row.Scope, FeatureFlagAdminLevel.SystemAdmin, string.Empty,
+                    row.BucketStart is not null || row.BucketEnd is not null, false, false, null,
+                    row.CreatedAt, row.EnabledAt, row.DisabledAt, row.BucketStart, row.BucketEnd,
+                    ComputeRolloutPercentage(row.BucketStart, row.BucketEnd), row.IsActive, false, false, row.OrphanedAt, row.DeletedAt
+                )
+            );
+
+        return new GetFeatureFlagsResponse(activeFlags.Concat(historicalFlags).ToArray());
+    }
+
+    private static int? ComputeRolloutPercentage(int? rolloutBucketStart, int? rolloutBucketEnd)
+    {
+        return RolloutBucketHasher.ComputeRolloutPercentage(rolloutBucketStart, rolloutBucketEnd);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetTenantConfigurableFeatureFlags.cs b/application/account/Core/Features/FeatureFlags/Queries/GetTenantConfigurableFeatureFlags.cs
new file mode 100644
index 000000000..b2ebab590
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetTenantConfigurableFeatureFlags.cs
@@ -0,0 +1,47 @@
+using Account.Features.FeatureFlags.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetTenantConfigurableFeatureFlagsQuery : IRequest<Result<TenantConfigurableFeatureFlagsResponse>>;
+
+[PublicAPI]
+public sealed record TenantConfigurableFeatureFlagsResponse(TenantConfigurableFeatureFlag[] Flags);
+
+[PublicAPI]
+public sealed record TenantConfigurableFeatureFlag(string FlagKey, bool Enabled);
+
+public sealed class GetTenantConfigurableFeatureFlagsHandler(IFeatureFlagRepository featureFlagRepository, IExecutionContext executionContext)
+    : IRequestHandler<GetTenantConfigurableFeatureFlagsQuery, Result<TenantConfigurableFeatureFlagsResponse>>
+{
+    public async Task<Result<TenantConfigurableFeatureFlagsResponse>> Handle(GetTenantConfigurableFeatureFlagsQuery query, CancellationToken cancellationToken)
+    {
+        var tenantId = executionContext.TenantId!;
+
+        var configurableDefinitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll()
+            .Where(f => f is { Scope: FeatureFlagScope.Tenant, ConfigurableByTenant: true })
+            .ToArray();
+
+        var allRows = await featureFlagRepository.GetTenantScopedRowsAsync(tenantId, cancellationToken);
+        var baseRows = allRows.Where(r => r.TenantId is null && r.UserId is null).ToDictionary(r => r.FlagKey);
+        var tenantOverrides = allRows.Where(r => r.TenantId == tenantId && r.UserId is null).ToDictionary(r => r.FlagKey);
+
+        // Hide flags an admin has globally deactivated via the BackOffice kill switch. The user-facing
+        // toggle would otherwise let a tenant flip a row whose evaluation is short-circuited at the base.
+        var flags = configurableDefinitions
+            .Where(definition => baseRows.TryGetValue(definition.Key, out var baseRow) && baseRow.IsActive)
+            .Select(definition =>
+                {
+                    tenantOverrides.TryGetValue(definition.Key, out var tenantOverride);
+                    var enabled = tenantOverride?.IsActive == true;
+                    return new TenantConfigurableFeatureFlag(definition.Key, enabled);
+                }
+            ).ToArray();
+
+        return new TenantConfigurableFeatureFlagsResponse(flags);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetTenantFeatureFlags.cs b/application/account/Core/Features/FeatureFlags/Queries/GetTenantFeatureFlags.cs
new file mode 100644
index 000000000..96e459a95
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetTenantFeatureFlags.cs
@@ -0,0 +1,148 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Tenants.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetTenantFeatureFlagsQuery : IRequest<Result<GetTenantFeatureFlagsResponse>>
+{
+    [JsonIgnore] // Removes from API contract
+    public TenantId TenantId { get; init; } = null!;
+}
+
+[PublicAPI]
+public sealed record GetTenantFeatureFlagsResponse(TenantFeatureFlagInfo[] Flags);
+
+[PublicAPI]
+public sealed record TenantFeatureFlagInfo(
+    string FlagKey,
+    FeatureFlagScope Scope,
+    string Description,
+    string? RequiredPlan,
+    bool IsAbTestEligible,
+    int? BucketStart,
+    int? BucketEnd,
+    int? RolloutPercentage,
+    bool IsEnabled,
+    FeatureFlagSource Source,
+    bool IsBaseRowActive,
+    int RolloutBucket,
+    int? InclusionThresholdPercentage,
+    bool DefaultEnabled,
+    AbInclusionPin? TenantAbInclusionPin
+);
+
+public sealed class GetTenantFeatureFlagsHandler(IFeatureFlagRepository featureFlagRepository, ITenantRepository tenantRepository)
+    : IRequestHandler<GetTenantFeatureFlagsQuery, Result<GetTenantFeatureFlagsResponse>>
+{
+    public async Task<Result<GetTenantFeatureFlagsResponse>> Handle(GetTenantFeatureFlagsQuery query, CancellationToken cancellationToken)
+    {
+        var tenant = await tenantRepository.GetByIdUnfilteredAsync(query.TenantId, cancellationToken);
+        if (tenant is null) return Result<GetTenantFeatureFlagsResponse>.NotFound($"Tenant with ID '{query.TenantId}' not found.");
+
+        var tenantScopedDefinitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll()
+            .Where(f => f.Scope == FeatureFlagScope.Tenant)
+            .ToArray();
+
+        var allRows = await featureFlagRepository.GetTenantScopedRowsAsync(tenant.Id, cancellationToken);
+        var baseRowsByKey = allRows.Where(r => r.TenantId is null).ToDictionary(r => r.FlagKey);
+        var tenantOverridesByKey = allRows.Where(r => r.TenantId == tenant.Id).ToDictionary(r => r.FlagKey);
+
+        var flags = tenantScopedDefinitions
+            .Select(definition => Evaluate(definition, baseRowsByKey, tenantOverridesByKey, tenant.RolloutBucket, tenant.AbInclusionPin))
+            .ToArray();
+
+        return new GetTenantFeatureFlagsResponse(flags);
+    }
+
+    private static TenantFeatureFlagInfo Evaluate(
+        FeatureFlagDefinition definition,
+        Dictionary<string, FeatureFlag> baseRowsByKey,
+        Dictionary<string, FeatureFlag> tenantOverridesByKey,
+        int tenantRolloutBucket,
+        AbInclusionPin? abInclusionPin
+    )
+    {
+        baseRowsByKey.TryGetValue(definition.Key, out var baseRow);
+        var isBaseRowActive = baseRow?.IsActive == true;
+        tenantOverridesByKey.TryGetValue(definition.Key, out var tenantOverride);
+
+        bool isEnabled;
+        FeatureFlagSource source;
+
+        if (tenantOverride is not null)
+        {
+            // Gate on baseRow.IsActive so a globally-Deactivated kill-switch flag reports as disabled even when
+            // an override row exists — matching the runtime FeatureFlagEvaluator.cs:48 short-circuit.
+            isEnabled = isBaseRowActive && tenantOverride.IsActive;
+            // The row's Source column is authoritative — a manually-toggled plan-gated flag must still surface as
+            // Manual so admins see they overrode the plan-driven default, rather than the plan granting it.
+            source = tenantOverride.Source == FeatureFlagSource.Plan ? FeatureFlagSource.Plan : FeatureFlagSource.Manual;
+        }
+        else if (definition.IsAbTestEligible)
+        {
+            isEnabled = isBaseRowActive && EvaluateAbRollout(baseRow, tenantRolloutBucket, abInclusionPin);
+            source = FeatureFlagSource.AbRollout;
+        }
+        else
+        {
+            isEnabled = false;
+            source = FeatureFlagSource.Default;
+        }
+
+        var defaultEnabled = ComputeDefaultEnabled(definition, baseRow, isBaseRowActive, tenantRolloutBucket, abInclusionPin);
+        var inclusionThresholdPercentage = ComputeInclusionThresholdPercentage(definition, tenantRolloutBucket, abInclusionPin);
+
+        return new TenantFeatureFlagInfo(
+            definition.Key,
+            definition.Scope,
+            definition.Description,
+            definition.RequiredPlan?.ToString(),
+            definition.IsAbTestEligible,
+            baseRow?.BucketStart,
+            baseRow?.BucketEnd,
+            ComputeRolloutPercentage(baseRow?.BucketStart, baseRow?.BucketEnd),
+            isEnabled,
+            source,
+            isBaseRowActive,
+            tenantRolloutBucket,
+            inclusionThresholdPercentage,
+            defaultEnabled,
+            abInclusionPin
+        );
+    }
+
+    private static bool ComputeDefaultEnabled(FeatureFlagDefinition definition, FeatureFlag? baseRow, bool isBaseRowActive, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (!isBaseRowActive) return false;
+        if (!definition.IsAbTestEligible) return false;
+        return EvaluateAbRollout(baseRow, rolloutBucket, abInclusionPin);
+    }
+
+    private static bool EvaluateAbRollout(FeatureFlag? baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return false;
+        if (baseRow?.BucketStart is null || baseRow.BucketEnd is null) return false;
+        return RolloutBucketHasher.IsInRolloutBucketRange(rolloutBucket, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    // Pins are unconditional and bypass the rollout, so AlwaysOn → 0 (always included) and
+    // NeverOn → null (never included by rollout). Without a pin we fall back to the per-key threshold.
+    private static int? ComputeInclusionThresholdPercentage(FeatureFlagDefinition definition, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (!definition.IsAbTestEligible) return null;
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return 0;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return null;
+        return RolloutBucketHasher.ComputeInclusionThresholdPercentage(rolloutBucket, definition.Key);
+    }
+
+    private static int? ComputeRolloutPercentage(int? bucketStart, int? bucketEnd)
+    {
+        return RolloutBucketHasher.ComputeRolloutPercentage(bucketStart, bucketEnd);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetUserConfigurableFeatureFlags.cs b/application/account/Core/Features/FeatureFlags/Queries/GetUserConfigurableFeatureFlags.cs
new file mode 100644
index 000000000..39fc24b63
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetUserConfigurableFeatureFlags.cs
@@ -0,0 +1,48 @@
+using Account.Features.FeatureFlags.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetUserConfigurableFeatureFlagsQuery : IRequest<Result<UserConfigurableFeatureFlagsResponse>>;
+
+[PublicAPI]
+public sealed record UserConfigurableFeatureFlagsResponse(UserConfigurableFeatureFlag[] Flags);
+
+[PublicAPI]
+public sealed record UserConfigurableFeatureFlag(string FlagKey, bool Enabled);
+
+public sealed class GetUserConfigurableFeatureFlagsHandler(IFeatureFlagRepository featureFlagRepository, IExecutionContext executionContext)
+    : IRequestHandler<GetUserConfigurableFeatureFlagsQuery, Result<UserConfigurableFeatureFlagsResponse>>
+{
+    public async Task<Result<UserConfigurableFeatureFlagsResponse>> Handle(GetUserConfigurableFeatureFlagsQuery query, CancellationToken cancellationToken)
+    {
+        var tenantId = executionContext.TenantId!;
+        var userId = executionContext.UserInfo.Id!;
+
+        var configurableDefinitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll()
+            .Where(f => f is { Scope: FeatureFlagScope.User, ConfigurableByUser: true })
+            .ToArray();
+
+        var allRows = await featureFlagRepository.GetUserScopedRowsAsync(tenantId, userId, cancellationToken);
+        var baseRows = allRows.Where(r => r.TenantId is null && r.UserId is null).ToDictionary(r => r.FlagKey);
+        var userOverrides = allRows.Where(r => r.TenantId == tenantId && r.UserId == userId).ToDictionary(r => r.FlagKey);
+
+        // Hide flags an admin has globally deactivated via the BackOffice kill switch. The user-facing
+        // toggle would otherwise let a user flip a row whose evaluation is short-circuited at the base.
+        var flags = configurableDefinitions
+            .Where(definition => baseRows.TryGetValue(definition.Key, out var baseRow) && baseRow.IsActive)
+            .Select(definition =>
+                {
+                    userOverrides.TryGetValue(definition.Key, out var userOverride);
+                    var enabled = userOverride?.IsActive == true;
+                    return new UserConfigurableFeatureFlag(definition.Key, enabled);
+                }
+            ).ToArray();
+
+        return new UserConfigurableFeatureFlagsResponse(flags);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Queries/GetUserFeatureFlags.cs b/application/account/Core/Features/FeatureFlags/Queries/GetUserFeatureFlags.cs
new file mode 100644
index 000000000..323c3fcc0
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Queries/GetUserFeatureFlags.cs
@@ -0,0 +1,147 @@
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Users.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Queries;
+
+[PublicAPI]
+public sealed record GetUserFeatureFlagsQuery : IRequest<Result<GetUserFeatureFlagsResponse>>
+{
+    [JsonIgnore] // Removes from API contract
+    public UserId UserId { get; init; } = null!;
+}
+
+[PublicAPI]
+public sealed record GetUserFeatureFlagsResponse(UserFeatureFlagInfo[] Flags);
+
+[PublicAPI]
+public sealed record UserFeatureFlagInfo(
+    string FlagKey,
+    FeatureFlagScope Scope,
+    string Description,
+    bool IsAbTestEligible,
+    int? BucketStart,
+    int? BucketEnd,
+    int? RolloutPercentage,
+    bool IsEnabled,
+    FeatureFlagSource Source,
+    bool IsBaseRowActive,
+    int RolloutBucket,
+    TenantId TenantId,
+    int? InclusionThresholdPercentage,
+    bool DefaultEnabled,
+    AbInclusionPin? UserAbInclusionPin
+);
+
+public sealed class GetUserFeatureFlagsHandler(IFeatureFlagRepository featureFlagRepository, IUserRepository userRepository)
+    : IRequestHandler<GetUserFeatureFlagsQuery, Result<GetUserFeatureFlagsResponse>>
+{
+    public async Task<Result<GetUserFeatureFlagsResponse>> Handle(GetUserFeatureFlagsQuery query, CancellationToken cancellationToken)
+    {
+        var user = await userRepository.GetByIdUnfilteredAsync(query.UserId, cancellationToken);
+        if (user is null) return Result<GetUserFeatureFlagsResponse>.NotFound($"User with ID '{query.UserId}' not found.");
+
+        var userScopedDefinitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll()
+            .Where(f => f.Scope == FeatureFlagScope.User)
+            .ToArray();
+
+        var allRows = await featureFlagRepository.GetUserScopedRowsAsync(user.TenantId, user.Id, cancellationToken);
+        var baseRowsByKey = allRows.Where(r => r.TenantId is null && r.UserId is null).ToDictionary(r => r.FlagKey);
+        var userOverridesByKey = allRows.Where(r => r.UserId == user.Id).ToDictionary(r => r.FlagKey);
+
+        var flags = userScopedDefinitions
+            .Select(definition => Evaluate(definition, baseRowsByKey, userOverridesByKey, user.RolloutBucket, user.TenantId, user.AbInclusionPin))
+            .ToArray();
+
+        return new GetUserFeatureFlagsResponse(flags);
+    }
+
+    private static UserFeatureFlagInfo Evaluate(
+        FeatureFlagDefinition definition,
+        Dictionary<string, FeatureFlag> baseRowsByKey,
+        Dictionary<string, FeatureFlag> userOverridesByKey,
+        int userRolloutBucket,
+        TenantId tenantId,
+        AbInclusionPin? abInclusionPin
+    )
+    {
+        baseRowsByKey.TryGetValue(definition.Key, out var baseRow);
+        var isBaseRowActive = baseRow?.IsActive == true;
+        userOverridesByKey.TryGetValue(definition.Key, out var userOverride);
+
+        bool isEnabled;
+        FeatureFlagSource source;
+
+        if (userOverride is not null)
+        {
+            // Gate on baseRow.IsActive so a globally-Deactivated kill-switch flag reports as disabled even when
+            // an override row exists — matching the runtime FeatureFlagEvaluator.cs:48 short-circuit.
+            isEnabled = isBaseRowActive && userOverride.IsActive;
+            source = FeatureFlagSource.Manual;
+        }
+        else if (definition.IsAbTestEligible)
+        {
+            isEnabled = isBaseRowActive && EvaluateAbRollout(baseRow, userRolloutBucket, abInclusionPin);
+            source = FeatureFlagSource.AbRollout;
+        }
+        else
+        {
+            isEnabled = false;
+            source = FeatureFlagSource.Default;
+        }
+
+        var defaultEnabled = ComputeDefaultEnabled(definition, baseRow, isBaseRowActive, userRolloutBucket, abInclusionPin);
+        var inclusionThresholdPercentage = ComputeInclusionThresholdPercentage(definition, userRolloutBucket, abInclusionPin);
+
+        return new UserFeatureFlagInfo(
+            definition.Key,
+            definition.Scope,
+            definition.Description,
+            definition.IsAbTestEligible,
+            baseRow?.BucketStart,
+            baseRow?.BucketEnd,
+            ComputeRolloutPercentage(baseRow?.BucketStart, baseRow?.BucketEnd),
+            isEnabled,
+            source,
+            isBaseRowActive,
+            userRolloutBucket,
+            tenantId,
+            inclusionThresholdPercentage,
+            defaultEnabled,
+            abInclusionPin
+        );
+    }
+
+    private static bool ComputeDefaultEnabled(FeatureFlagDefinition definition, FeatureFlag? baseRow, bool isBaseRowActive, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (!isBaseRowActive) return false;
+        if (!definition.IsAbTestEligible) return false;
+        return EvaluateAbRollout(baseRow, rolloutBucket, abInclusionPin);
+    }
+
+    private static bool EvaluateAbRollout(FeatureFlag? baseRow, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return false;
+        if (baseRow?.BucketStart is null || baseRow.BucketEnd is null) return false;
+        return RolloutBucketHasher.IsInRolloutBucketRange(rolloutBucket, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    // Pins are unconditional and bypass the rollout, so AlwaysOn → 0 (always included) and
+    // NeverOn → null (never included by rollout). Without a pin we fall back to the per-key threshold.
+    private static int? ComputeInclusionThresholdPercentage(FeatureFlagDefinition definition, int rolloutBucket, AbInclusionPin? abInclusionPin)
+    {
+        if (!definition.IsAbTestEligible) return null;
+        if (abInclusionPin is AbInclusionPin.AlwaysOn) return 0;
+        if (abInclusionPin is AbInclusionPin.NeverOn) return null;
+        return RolloutBucketHasher.ComputeInclusionThresholdPercentage(rolloutBucket, definition.Key);
+    }
+
+    private static int? ComputeRolloutPercentage(int? bucketStart, int? bucketEnd)
+    {
+        return RolloutBucketHasher.ComputeRolloutPercentage(bucketStart, bucketEnd);
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Shared/FeatureFlagEvaluator.cs b/application/account/Core/Features/FeatureFlags/Shared/FeatureFlagEvaluator.cs
new file mode 100644
index 000000000..f9ff4fade
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Shared/FeatureFlagEvaluator.cs
@@ -0,0 +1,131 @@
+using Account.Features.FeatureFlags.Domain;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+
+namespace Account.Features.FeatureFlags.Shared;
+
+/// <summary>
+///     Resolves the enabled feature flags for a (tenant, user) context. Precedence runs base-row-active
+///     and parent-dependency as gates, then manual override > AB inclusion pin > rollout bucket > default
+///     off. Pins are unconditional: AlwaysOn forces inclusion even at 0% rollout, NeverOn forces exclusion
+///     even at 100%. Plan-gated flags participate as manual overrides because the Stripe pipeline writes
+///     them as Source=Plan tenant rows. The four BackOffice query mirrors apply the same ordering.
+/// </summary>
+public sealed class FeatureFlagEvaluator(IFeatureFlagRepository featureFlagRepository)
+{
+    // The definitions source defaults to the reflected registry but is overridable for tests that need
+    // to exercise specific topologies (e.g., parent-dependency gating) without contributing test-only
+    // flags to the production registry.
+    public Func<FeatureFlagDefinition[]> DefinitionsProvider { get; init; } = SharedKernel.FeatureFlags.FeatureFlags.GetAll;
+
+    public async Task<IReadOnlyList<string>> EvaluateAsync(
+        TenantId tenantId,
+        UserId userId,
+        int tenantRolloutBucket,
+        int? userRolloutBucket,
+        AbInclusionPin? tenantAbInclusionPin,
+        AbInclusionPin? userAbInclusionPin,
+        CancellationToken cancellationToken
+    )
+    {
+        var allRows = await featureFlagRepository.GetAllRelevantRowsAsync(tenantId, userId, cancellationToken);
+        var enabledFeatureFlags = new List<string>();
+
+        var definitions = DefinitionsProvider();
+
+        // Sort feature flags so parents are evaluated before children
+        var sorted = SortByParentDependencyFirst(definitions);
+
+        var enabledFeatureFlagSet = new HashSet<string>();
+
+        foreach (var definition in sorted)
+        {
+            if (definition.Scope == FeatureFlagScope.System) continue;
+
+            var baseRow = allRows.FirstOrDefault(f => f.FlagKey == definition.Key && f.TenantId is null && f.UserId is null);
+            if (baseRow is null) continue;
+
+            if (!baseRow.IsActive) continue;
+
+            if (definition.ParentDependency is not null && !enabledFeatureFlagSet.Contains(definition.ParentDependency)) continue;
+
+            var isEnabled = definition.Scope switch
+            {
+                FeatureFlagScope.Tenant => EvaluateTenantScope(definition, baseRow, allRows, tenantId, tenantRolloutBucket, tenantAbInclusionPin),
+                FeatureFlagScope.User => EvaluateUserScope(definition, baseRow, allRows, tenantId, userId, userRolloutBucket, userAbInclusionPin),
+                _ => false
+            };
+
+            if (!isEnabled) continue;
+
+            enabledFeatureFlagSet.Add(definition.Key);
+            enabledFeatureFlags.Add(definition.Key);
+        }
+
+        return enabledFeatureFlags;
+    }
+
+    private static bool EvaluateTenantScope(FeatureFlagDefinition definition, FeatureFlag baseRow, FeatureFlag[] allRows, TenantId tenantId, int tenantRolloutBucket, AbInclusionPin? tenantAbInclusionPin)
+    {
+        var tenantOverride = allRows.FirstOrDefault(f => f.FlagKey == definition.Key && f.TenantId == tenantId && f.UserId is null);
+        if (tenantOverride is not null) return tenantOverride.IsActive;
+
+        if (!definition.IsAbTestEligible) return false;
+
+        // Precedence (matches .claude/rules/backend/backend.md): manual override (above) > pin > rollout.
+        // Pins are unconditional: AlwaysOn includes the tenant even when rollout is at 0%/unset, and
+        // NeverOn excludes the tenant even at 100% rollout. This is what the project-level precedence
+        // story documents and what admins expect from a pin labelled "always on".
+        if (tenantAbInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (tenantAbInclusionPin is AbInclusionPin.NeverOn) return false;
+
+        if (baseRow.BucketStart is null || baseRow.BucketEnd is null) return false;
+
+        return RolloutBucketHasher.IsInRolloutBucketRange(tenantRolloutBucket, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    private static bool EvaluateUserScope(FeatureFlagDefinition definition, FeatureFlag baseRow, FeatureFlag[] allRows, TenantId tenantId, UserId userId, int? userRolloutBucket, AbInclusionPin? userAbInclusionPin)
+    {
+        var userOverride = allRows.FirstOrDefault(f => f.FlagKey == definition.Key && f.TenantId == tenantId && f.UserId == userId);
+        if (userOverride is not null) return userOverride.IsActive;
+
+        if (!definition.IsAbTestEligible) return false;
+
+        if (userAbInclusionPin is AbInclusionPin.AlwaysOn) return true;
+        if (userAbInclusionPin is AbInclusionPin.NeverOn) return false;
+
+        if (baseRow.BucketStart is null || baseRow.BucketEnd is null) return false;
+        if (userRolloutBucket is null) return false;
+
+        return RolloutBucketHasher.IsInRolloutBucketRange(userRolloutBucket.Value, baseRow.BucketStart.Value, baseRow.BucketEnd.Value);
+    }
+
+    // Two-pass parent-first ordering: parentless flags first, then flags with a parent. This relies on
+    // the one-level dependency invariant enforced by FeatureFlags.ValidateFlags — a parent can never
+    // itself have a parent, so a single pass over each bucket is sufficient (no full topological sort
+    // is needed).
+    private static FeatureFlagDefinition[] SortByParentDependencyFirst(FeatureFlagDefinition[] definitions)
+    {
+        var result = new List<FeatureFlagDefinition>(definitions.Length);
+
+        // Add feature flags without parent dependencies first
+        foreach (var definition in definitions)
+        {
+            if (definition.ParentDependency is null)
+            {
+                result.Add(definition);
+            }
+        }
+
+        // Then add feature flags with parent dependencies
+        foreach (var definition in definitions)
+        {
+            if (definition.ParentDependency is not null)
+            {
+                result.Add(definition);
+            }
+        }
+
+        return result.ToArray();
+    }
+}
diff --git a/application/account/Core/Features/FeatureFlags/Shared/PlanBasedFeatureFlagEvaluator.cs b/application/account/Core/Features/FeatureFlags/Shared/PlanBasedFeatureFlagEvaluator.cs
new file mode 100644
index 000000000..406b453a1
--- /dev/null
+++ b/application/account/Core/Features/FeatureFlags/Shared/PlanBasedFeatureFlagEvaluator.cs
@@ -0,0 +1,91 @@
+using Account.Database;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Subscriptions.Domain;
+using Microsoft.EntityFrameworkCore;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.FeatureFlags.Shared;
+
+public sealed class PlanBasedFeatureFlagEvaluator(
+    IFeatureFlagRepository featureFlagRepository,
+    AccountDbContext accountDbContext,
+    TimeProvider timeProvider,
+    ITelemetryEventsCollector telemetryEventsCollector
+)
+{
+    public async Task EvaluatePlanFlagsForTenantAsync(TenantId tenantId, SubscriptionPlan subscriptionPlan, CancellationToken cancellationToken)
+    {
+        var subscriptionPlanTier = MapToPlanTier(subscriptionPlan);
+        var planFeatureFlagDefinitions = SharedKernel.FeatureFlags.FeatureFlags.GetAll().Where(f => f.RequiredPlan is not null).ToArray();
+
+        if (planFeatureFlagDefinitions.Length == 0) return;
+
+        // Serialize the read-then-insert window per tenant. `pg_advisory_xact_lock` auto-releases at
+        // commit, so the read-existing-overrides → conditional-insert pair is atomic per tenant.
+        // Required because this evaluator runs on every JWT refresh / login, and concurrent fan-in for
+        // the same tenant otherwise hits the unique index as a 500. The lock is PostgreSQL-specific;
+        // in-memory SQLite test runs cannot exhibit cross-process concurrency, so we skip it there.
+        if (accountDbContext.Database.ProviderName is not "Microsoft.EntityFrameworkCore.Sqlite")
+        {
+            await accountDbContext.Database.ExecuteSqlAsync(
+                $"SELECT pg_advisory_xact_lock(hashtextextended('plan_flags:' || {tenantId.Value}, 0))",
+                cancellationToken
+            );
+        }
+
+        var existingOverrides = await featureFlagRepository.GetPlanBasedOverridesForTenantAsync(tenantId, cancellationToken);
+        var overridesByKey = existingOverrides.ToDictionary(f => f.FlagKey);
+        var now = timeProvider.GetUtcNow();
+
+        foreach (var definition in planFeatureFlagDefinitions)
+        {
+            var shouldBeEnabled = subscriptionPlanTier >= definition.RequiredPlan!.Value;
+            overridesByKey.TryGetValue(definition.Key, out var existingOverride);
+
+            if (shouldBeEnabled)
+            {
+                if (existingOverride is null)
+                {
+                    var featureFlag = FeatureFlag.CreateTenantOverride(definition.Key, tenantId, definition.Scope, FeatureFlagSource.Plan);
+                    featureFlag.Activate(now);
+                    await featureFlagRepository.AddAsync(featureFlag, cancellationToken);
+                    telemetryEventsCollector.CollectEvent(new FeatureFlagPlanOverrideActivated(definition.Key, tenantId, subscriptionPlanTier));
+                }
+                else if (!existingOverride.IsActive)
+                {
+                    existingOverride.Activate(now);
+                    featureFlagRepository.Update(existingOverride);
+                    telemetryEventsCollector.CollectEvent(new FeatureFlagPlanOverrideActivated(definition.Key, tenantId, subscriptionPlanTier));
+                }
+            }
+            else
+            {
+                if (existingOverride?.IsActive == true)
+                {
+                    existingOverride.Deactivate(now);
+                    featureFlagRepository.Update(existingOverride);
+                    telemetryEventsCollector.CollectEvent(new FeatureFlagPlanOverrideDeactivated(definition.Key, tenantId, subscriptionPlanTier));
+                }
+            }
+        }
+
+        // Commit so the subsequent FeatureFlagEvaluator.EvaluateAsync read (typically the very next
+        // call in UserInfoFactory) sees the rows this method just inserted. Without this commit, the
+        // EF query reads pre-insert state and the JWT ships missing the newly-eligible plan flags
+        // until the next refresh. The advisory_xact_lock acquired above releases here on commit.
+        await accountDbContext.SaveChangesAsync(cancellationToken);
+    }
+
+    private static PlanTier MapToPlanTier(SubscriptionPlan plan)
+    {
+        return plan switch
+        {
+            SubscriptionPlan.Basis => PlanTier.Free,
+            SubscriptionPlan.Standard => PlanTier.Standard,
+            SubscriptionPlan.Premium => PlanTier.Premium,
+            _ => throw new UnreachableException($"Unknown subscription plan '{plan}'.")
+        };
+    }
+}
diff --git a/application/account/Core/Features/Subscriptions/Domain/Subscription.cs b/application/account/Core/Features/Subscriptions/Domain/Subscription.cs
index 7c23119b3..c351ac00c 100644
--- a/application/account/Core/Features/Subscriptions/Domain/Subscription.cs
+++ b/application/account/Core/Features/Subscriptions/Domain/Subscription.cs
@@ -189,6 +189,10 @@ public void SetPaymentMethod(PaymentMethod? paymentMethod)
         PaymentMethod = paymentMethod;
     }
 
+    // ENTITLEMENT POLICY: Failed payments do NOT immediately revoke plan-tier entitlements.
+    // Stripe Smart Retries handle recovery during the dunning window (typically ~3 weeks).
+    // If all retries fail, Stripe cancels the subscription server-side and subscriptionSuspended
+    // flips Plan to Basis. During the retry window the customer keeps premium features by design.
     public void SetPaymentFailed(DateTimeOffset failedAt)
     {
         FirstPaymentFailedAt = failedAt;
diff --git a/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs b/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs
index 4c849e184..1cc67a572 100644
--- a/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs
+++ b/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs
@@ -1,6 +1,7 @@
 using System.Data;
 using System.Globalization;
 using Account.Database;
+using Account.Features.FeatureFlags.Shared;
 using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Integrations.Stripe;
@@ -30,6 +31,7 @@ public sealed class ProcessPendingStripeEvents(
     StripeClientFactory stripeClientFactory,
     TimeProvider timeProvider,
     ITelemetryEventsCollector events,
+    PlanBasedFeatureFlagEvaluator planBasedFeatureFlagEvaluator,
     TelemetryClient telemetryClient,
     ILogger<ProcessPendingStripeEvents> logger
 )
@@ -78,6 +80,8 @@ public async Task ExecuteAsync(StripeCustomerId stripeCustomerId, PendingWebhook
 
         var tenant = (await tenantRepository.GetByIdUnfilteredAsync(subscription.TenantId, cancellationToken))!;
 
+        var previousPlan = subscription.Plan;
+
         // The hot path runs whenever a webhook just landed (justAcknowledgedEvent is not null), an admin
         // reconcile click sets forceSync, or accumulated Pending stripe_events rows from a prior partial
         // delivery need a self-heal sync (the tenant-side process-pending-events polling endpoint
@@ -106,6 +110,11 @@ public async Task ExecuteAsync(StripeCustomerId stripeCustomerId, PendingWebhook
             }
         }
 
+        if (subscription.Plan != previousPlan)
+        {
+            await planBasedFeatureFlagEvaluator.EvaluatePlanFlagsForTenantAsync(subscription.TenantId, subscription.Plan, cancellationToken);
+        }
+
         await dbContext.SaveChangesAsync(cancellationToken);
         await transaction.CommitAsync(cancellationToken);
 
diff --git a/application/account/Core/Features/TelemetryEvents.cs b/application/account/Core/Features/TelemetryEvents.cs
index 5edfedd97..f8315ea1a 100644
--- a/application/account/Core/Features/TelemetryEvents.cs
+++ b/application/account/Core/Features/TelemetryEvents.cs
@@ -1,11 +1,13 @@
 using Account.Features.Authentication.Domain;
 using Account.Features.EmailAuthentication.Domain;
 using Account.Features.ExternalAuthentication.Domain;
+using Account.Features.FeatureFlags.Domain;
 using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Features.Users.Domain;
 using SharedKernel.Authentication.TokenGeneration;
 using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
 using SharedKernel.Telemetry;
 
 namespace Account.Features;
@@ -64,6 +66,54 @@ public sealed class ExternalSignupFailed(ExternalLoginId? externalLoginId, Exter
 public sealed class ExternalSignupStarted(ExternalProviderType providerType)
     : TelemetryEvent(("provider_type", providerType));
 
+public sealed class FeatureFlagActivated(string flagKey)
+    : TelemetryEvent(("flag_key", flagKey));
+
+public sealed class FeatureFlagDeactivated(string flagKey)
+    : TelemetryEvent(("flag_key", flagKey));
+
+public sealed class FeatureFlagDeleted(string flagKey, int overridesRemoved, int daysSinceOrphaned)
+    : TelemetryEvent(("flag_key", flagKey), ("overrides_removed", overridesRemoved), ("days_since_orphaned", daysSinceOrphaned));
+
+public sealed class FeatureFlagOrphanedByReconciler(string flagKey)
+    : TelemetryEvent(("flag_key", flagKey));
+
+public sealed class FeatureFlagPlanOverrideActivated(string flagKey, TenantId tenantId, PlanTier planTier)
+    : TelemetryEvent(("flag_key", flagKey), ("tenant_id", tenantId), ("plan_tier", planTier));
+
+public sealed class FeatureFlagPlanOverrideDeactivated(string flagKey, TenantId tenantId, PlanTier planTier)
+    : TelemetryEvent(("flag_key", flagKey), ("tenant_id", tenantId), ("plan_tier", planTier));
+
+public sealed class FeatureFlagRestoredByReconciler(string flagKey, int overridesRestored)
+    : TelemetryEvent(("flag_key", flagKey), ("overrides_restored", overridesRestored));
+
+public sealed class FeatureFlagRolloutPercentageUpdated(string flagKey, int fromPercentage, int toPercentage)
+    : TelemetryEvent(("flag_key", flagKey), ("from_percentage", fromPercentage), ("to_percentage", toPercentage));
+
+public sealed class FeatureFlagSourceTransitionedByReconciler(string flagKey, FeatureFlagSource fromSource, FeatureFlagSource toSource, int staleOverridesRemoved)
+    : TelemetryEvent(("flag_key", flagKey), ("from_source", fromSource), ("to_source", toSource), ("stale_overrides_removed", staleOverridesRemoved));
+
+// Attributes Set/Removed override events to the actor that invoked the mutation. Plan-source
+// override transitions have their own FeatureFlagPlanOverride* events and are not represented here.
+public enum FeatureFlagOverrideTrigger
+{
+    Internal,
+    Owner,
+    Self
+}
+
+public sealed class FeatureFlagTenantOverrideRemoved(string flagKey, TenantId tenantId, FeatureFlagOverrideTrigger trigger)
+    : TelemetryEvent(("flag_key", flagKey), ("tenant_id", tenantId), ("trigger", trigger));
+
+public sealed class FeatureFlagTenantOverrideSet(string flagKey, TenantId tenantId, FeatureFlagOverrideTrigger trigger)
+    : TelemetryEvent(("flag_key", flagKey), ("tenant_id", tenantId), ("trigger", trigger));
+
+public sealed class FeatureFlagUserOverrideRemoved(string flagKey, UserId userId, FeatureFlagOverrideTrigger trigger)
+    : TelemetryEvent(("flag_key", flagKey), ("user_id", userId), ("trigger", trigger));
+
+public sealed class FeatureFlagUserOverrideSet(string flagKey, UserId userId, FeatureFlagOverrideTrigger trigger)
+    : TelemetryEvent(("flag_key", flagKey), ("user_id", userId), ("trigger", trigger));
+
 public sealed class GravatarUpdated(long size)
     : TelemetryEvent(("size", size));
 
@@ -214,14 +264,17 @@ string currency
 )
     : TelemetryEvent(("subscription_id", subscriptionId), ("from_plan", fromPlan), ("to_plan", toPlan), ("days_on_current_plan", daysOnCurrentPlan), ("previous_price_amount", previousPriceAmount), ("new_price_amount", newPriceAmount), ("mrr_impact", mrrImpact), ("currency", currency));
 
+public sealed class TenantAbInclusionPinUpdated(TenantId tenantId, AbInclusionPin? fromPin, AbInclusionPin? toPin)
+    : TelemetryEvent(("tenant_id", tenantId), ("from_pin", fromPin as object ?? "none"), ("to_pin", toPin as object ?? "none"));
+
 public sealed class TenantBillingDriftAcknowledged(SubscriptionId subscriptionId)
     : TelemetryEvent(("subscription_id", subscriptionId));
 
 public sealed class TenantCreated(TenantId tenantId, TenantState state)
     : TelemetryEvent(("tenant_id", tenantId), ("tenant_state", state));
 
-public sealed class TenantDeleted(TenantId tenantId, TenantState tenantState)
-    : TelemetryEvent(("tenant_id", tenantId), ("tenant_state", tenantState));
+public sealed class TenantDeleted(TenantId tenantId, TenantState tenantState, int featureFlagRowsRemoved)
+    : TelemetryEvent(("tenant_id", tenantId), ("tenant_state", tenantState), ("feature_flag_rows_removed", featureFlagRowsRemoved));
 
 public sealed class TenantLogoRemoved
     : TelemetryEvent;
@@ -241,6 +294,9 @@ public sealed class TenantSwitched(TenantId fromTenantId, TenantId toTenantId, U
 public sealed class TenantUpdated
     : TelemetryEvent;
 
+public sealed class UserAbInclusionPinUpdated(UserId userId, AbInclusionPin? fromPin, AbInclusionPin? toPin)
+    : TelemetryEvent(("user_id", userId), ("from_pin", fromPin as object ?? "none"), ("to_pin", toPin as object ?? "none"));
+
 public sealed class UserAvatarRemoved
     : TelemetryEvent;
 
diff --git a/application/account/Core/Features/Tenants/BackOffice/Commands/SetTenantAbInclusionPin.cs b/application/account/Core/Features/Tenants/BackOffice/Commands/SetTenantAbInclusionPin.cs
new file mode 100644
index 000000000..e97f26617
--- /dev/null
+++ b/application/account/Core/Features/Tenants/BackOffice/Commands/SetTenantAbInclusionPin.cs
@@ -0,0 +1,35 @@
+using Account.Features.Tenants.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.Tenants.BackOffice.Commands;
+
+[PublicAPI]
+public sealed record SetTenantAbInclusionPinCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes from API contract
+    public TenantId TenantId { get; init; } = null!;
+
+    public AbInclusionPin? AbInclusionPin { get; init; }
+}
+
+public sealed class SetTenantAbInclusionPinHandler(ITenantRepository tenantRepository, ITelemetryEventsCollector events)
+    : IRequestHandler<SetTenantAbInclusionPinCommand, Result>
+{
+    public async Task<Result> Handle(SetTenantAbInclusionPinCommand command, CancellationToken cancellationToken)
+    {
+        var tenant = await tenantRepository.GetByIdUnfilteredAsync(command.TenantId, cancellationToken);
+        if (tenant is null) return Result.NotFound($"Tenant with id '{command.TenantId}' not found.");
+
+        var fromPin = tenant.AbInclusionPin;
+        tenant.SetAbInclusionPin(command.AbInclusionPin);
+        tenantRepository.Update(tenant);
+
+        events.CollectEvent(new TenantAbInclusionPinUpdated(tenant.Id, fromPin, command.AbInclusionPin));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenantDetail.cs b/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenantDetail.cs
index e13944403..c751b1379 100644
--- a/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenantDetail.cs
+++ b/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenantDetail.cs
@@ -4,6 +4,7 @@
 using JetBrains.Annotations;
 using SharedKernel.Cqrs;
 using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
 
 namespace Account.Features.Tenants.BackOffice.Queries;
 
@@ -37,7 +38,8 @@ public sealed record TenantDetailResponse(
     bool HasDriftDetected,
     DateTimeOffset? DriftCheckedAt,
     DriftDiscrepancy[] DriftDiscrepancies,
-    string? StripeCustomerUrl
+    string? StripeCustomerUrl,
+    AbInclusionPin? AbInclusionPin
 );
 
 [PublicAPI]
@@ -109,7 +111,8 @@ public async Task<Result<TenantDetailResponse>> Handle(GetTenantDetailQuery quer
             subscription?.HasDriftDetected ?? false,
             subscription?.DriftCheckedAt,
             subscription?.DriftDiscrepancies.ToArray() ?? [],
-            subscription?.StripeCustomerId is { } stripeCustomerId ? stripeClientFactory.GetClient().BuildCustomerDashboardUrl(stripeCustomerId) : null
+            subscription?.StripeCustomerId is { } stripeCustomerId ? stripeClientFactory.GetClient().BuildCustomerDashboardUrl(stripeCustomerId) : null,
+            tenant.AbInclusionPin
         );
     }
 }
diff --git a/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenants.cs b/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenants.cs
index 818d0643c..a61758033 100644
--- a/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenants.cs
+++ b/application/account/Core/Features/Tenants/BackOffice/Queries/GetTenants.cs
@@ -48,7 +48,42 @@ public sealed record TenantSummary(
     DateTimeOffset CreatedAt,
     DateTimeOffset? ModifiedAt,
     TenantOwnerSummary? Owner
-);
+)
+{
+    // Shared factory used by every back-office view that renders the rich tenant row (accounts list + feature-flag
+    // override views). Keeping construction co-located with the record avoids drift between call sites.
+    public static TenantSummary FromAggregate(Tenant tenant, Subscription? subscription, User? owner)
+    {
+        var plannedChange = subscription switch
+        {
+            { CancelAtPeriodEnd: true } => PlannedSubscriptionChange.Cancellation,
+            { ScheduledPlan: not null } => PlannedSubscriptionChange.ScheduledPlanChange,
+            _ => (PlannedSubscriptionChange?)null
+        };
+
+        // Refunded counts as "ever subscribed" — money flowed in before being credited back, so the tenant did pay at
+        // some point. Distinguishes a refunded customer (Canceled) from never having paid at all (Free).
+        var hasEverSubscribed = subscription?.PaymentTransactions
+            .Any(transaction => transaction.Status is PaymentTransactionStatus.Succeeded or PaymentTransactionStatus.Refunded) == true;
+
+        return new TenantSummary(
+            tenant.Id,
+            tenant.Name,
+            tenant.Logo.Url,
+            tenant.Plan,
+            subscription?.CurrentPriceAmount,
+            subscription?.ScheduledPriceAmount,
+            subscription?.CurrentPriceCurrency,
+            subscription?.CurrentPeriodEnd,
+            plannedChange,
+            hasEverSubscribed,
+            subscription?.BillingInfo?.Address?.Country,
+            tenant.CreatedAt,
+            tenant.ModifiedAt,
+            owner is null ? null : new TenantOwnerSummary(owner.Id, owner.FirstName, owner.LastName, owner.Email)
+        );
+    }
+}
 
 [PublicAPI]
 public sealed record TenantOwnerSummary(UserId UserId, string? FirstName, string? LastName, string Email);
@@ -136,7 +171,7 @@ public async Task<Result<TenantsResponse>> Handle(GetTenantsQuery query, Cancell
             ? new Dictionary<TenantId, User>()
             : await userRepository.GetFirstOwnerByTenantIdsUnfilteredAsync(tenants.Select(t => t.Id).ToArray(), cancellationToken);
 
-        var summaries = tenants.Select(tenant => MapTenantSummary(
+        var summaries = tenants.Select(tenant => TenantSummary.FromAggregate(
                 tenant,
                 subscriptionsByTenantId.GetValueOrDefault(tenant.Id),
                 ownerByTenantId.GetValueOrDefault(tenant.Id)
@@ -206,37 +241,4 @@ private static TenantStatusFilter GetStatus(TenantSummary summary)
             _ => TenantStatusFilter.Free
         };
     }
-
-    private static TenantSummary MapTenantSummary(Tenant tenant, Subscription? subscription, User? owner)
-    {
-        var plannedChange = subscription switch
-        {
-            { CancelAtPeriodEnd: true } => PlannedSubscriptionChange.Cancellation,
-            { ScheduledPlan: not null } => PlannedSubscriptionChange.ScheduledPlanChange,
-            _ => (PlannedSubscriptionChange?)null
-        };
-
-        // Refunded counts as "ever subscribed" — money flowed in before being credited back, so the
-        // tenant did pay at some point. Distinguishes a refunded customer (Canceled) from never having
-        // paid at all (Free).
-        var hasEverSubscribed = subscription?.PaymentTransactions
-            .Any(transaction => transaction.Status is PaymentTransactionStatus.Succeeded or PaymentTransactionStatus.Refunded) == true;
-
-        return new TenantSummary(
-            tenant.Id,
-            tenant.Name,
-            tenant.Logo.Url,
-            tenant.Plan,
-            subscription?.CurrentPriceAmount,
-            subscription?.ScheduledPriceAmount,
-            subscription?.CurrentPriceCurrency,
-            subscription?.CurrentPeriodEnd,
-            plannedChange,
-            hasEverSubscribed,
-            subscription?.BillingInfo?.Address?.Country,
-            tenant.CreatedAt,
-            tenant.ModifiedAt,
-            owner is null ? null : new TenantOwnerSummary(owner.Id, owner.FirstName, owner.LastName, owner.Email)
-        );
-    }
 }
diff --git a/application/account/Core/Features/Tenants/Commands/CreateTenant.cs b/application/account/Core/Features/Tenants/Commands/CreateTenant.cs
index d2885a4f3..94e0397b4 100644
--- a/application/account/Core/Features/Tenants/Commands/CreateTenant.cs
+++ b/application/account/Core/Features/Tenants/Commands/CreateTenant.cs
@@ -18,7 +18,8 @@ internal sealed class CreateTenantHandler(ITenantRepository tenantRepository, IS
 {
     public async Task<Result<CreateTenantResponse>> Handle(CreateTenantCommand command, CancellationToken cancellationToken)
     {
-        var tenant = Tenant.Create(command.OwnerEmail);
+        var rolloutIndex = await tenantRepository.GetNextRolloutIndexUnfilteredAsync(cancellationToken);
+        var tenant = Tenant.Create(command.OwnerEmail, rolloutIndex);
         await tenantRepository.AddAsync(tenant, cancellationToken);
 
         var subscription = Subscription.Create(tenant.Id);
diff --git a/application/account/Core/Features/Tenants/Commands/DeleteTenant.cs b/application/account/Core/Features/Tenants/Commands/DeleteTenant.cs
index 9fe16df8f..3a59a7a7f 100644
--- a/application/account/Core/Features/Tenants/Commands/DeleteTenant.cs
+++ b/application/account/Core/Features/Tenants/Commands/DeleteTenant.cs
@@ -1,3 +1,4 @@
+using Account.Features.FeatureFlags.Domain;
 using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using JetBrains.Annotations;
@@ -10,8 +11,12 @@ namespace Account.Features.Tenants.Commands;
 [PublicAPI]
 public sealed record DeleteTenantCommand(TenantId Id) : ICommand, IRequest<Result>;
 
-public sealed class DeleteTenantHandler(ITenantRepository tenantRepository, ISubscriptionRepository subscriptionRepository, ITelemetryEventsCollector events)
-    : IRequestHandler<DeleteTenantCommand, Result>
+public sealed class DeleteTenantHandler(
+    ITenantRepository tenantRepository,
+    ISubscriptionRepository subscriptionRepository,
+    IFeatureFlagRepository featureFlagRepository,
+    ITelemetryEventsCollector events
+) : IRequestHandler<DeleteTenantCommand, Result>
 {
     public async Task<Result> Handle(DeleteTenantCommand command, CancellationToken cancellationToken)
     {
@@ -24,9 +29,18 @@ public async Task<Result> Handle(DeleteTenantCommand command, CancellationToken
             return Result.BadRequest("Cannot delete a tenant with an active subscription.");
         }
 
+        // Cascade-delete tenant-scoped feature flag rows so soft-deleted tenants don't leak orphaned
+        // override / plan-source rows in feature_flags. The reconciler does not sweep these rows, and
+        // re-creating a tenant with the same Stripe customer ID would otherwise inherit stale state.
+        var tenantFlagRows = await featureFlagRepository.GetRowsByTenantAsync(command.Id, cancellationToken);
+        foreach (var row in tenantFlagRows)
+        {
+            featureFlagRepository.Remove(row);
+        }
+
         tenantRepository.Remove(tenant);
 
-        events.CollectEvent(new TenantDeleted(tenant.Id, tenant.State));
+        events.CollectEvent(new TenantDeleted(tenant.Id, tenant.State, tenantFlagRows.Length));
 
         return Result.Success();
     }
diff --git a/application/account/Core/Features/Tenants/Domain/Tenant.cs b/application/account/Core/Features/Tenants/Domain/Tenant.cs
index 09aa46643..cc214daa8 100644
--- a/application/account/Core/Features/Tenants/Domain/Tenant.cs
+++ b/application/account/Core/Features/Tenants/Domain/Tenant.cs
@@ -1,15 +1,17 @@
 using Account.Features.Subscriptions.Domain;
 using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
 
 namespace Account.Features.Tenants.Domain;
 
 public sealed class Tenant : SoftDeletableAggregateRoot<TenantId>
 {
-    private Tenant() : base(TenantId.NewId())
+    private Tenant(int rolloutBucket) : base(TenantId.NewId())
     {
         State = TenantState.Active;
         Plan = SubscriptionPlan.Basis;
         Logo = new Logo();
+        RolloutBucket = rolloutBucket;
     }
 
     public string Name { get; private set; } = string.Empty;
@@ -24,9 +26,13 @@ private Tenant() : base(TenantId.NewId())
 
     public Logo Logo { get; private set; }
 
-    public static Tenant Create(string email)
+    public int RolloutBucket { get; private set; }
+
+    public AbInclusionPin? AbInclusionPin { get; private set; }
+
+    public static Tenant Create(string email, int existingCount)
     {
-        var tenant = new Tenant();
+        var tenant = new Tenant(RolloutBucketHasher.ComputeRolloutBucket(existingCount));
         tenant.AddDomainEvent(new TenantCreatedEvent(tenant.Id, email));
         return tenant;
     }
@@ -64,6 +70,11 @@ public void UpdatePlan(SubscriptionPlan plan)
     {
         Plan = plan;
     }
+
+    public void SetAbInclusionPin(AbInclusionPin? abInclusionPin)
+    {
+        AbInclusionPin = abInclusionPin;
+    }
 }
 
 public sealed record Logo(string? Url = null, int Version = 0);
diff --git a/application/account/Core/Features/Tenants/Domain/TenantRepository.cs b/application/account/Core/Features/Tenants/Domain/TenantRepository.cs
index 2aa097c5b..a759e26ed 100644
--- a/application/account/Core/Features/Tenants/Domain/TenantRepository.cs
+++ b/application/account/Core/Features/Tenants/Domain/TenantRepository.cs
@@ -16,6 +16,12 @@ public interface ITenantRepository : ICrudRepository<Tenant, TenantId>, ISoftDel
 
     Task<Tenant[]> GetByIdsAsync(TenantId[] ids, CancellationToken cancellationToken);
 
+    /// <summary>
+    ///     Retrieves tenants by IDs without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    Task<Tenant[]> GetByIdsUnfilteredAsync(TenantId[] ids, CancellationToken cancellationToken);
+
     /// <summary>
     ///     Retrieves a tenant by ID without applying tenant query filters.
     ///     This method should only be used in webhook processing where tenant context is not established.
@@ -31,13 +37,6 @@ public interface ITenantRepository : ICrudRepository<Tenant, TenantId>, ISoftDel
     /// </summary>
     Task<Dictionary<TenantId, string>> GetNamesByIdsUnfilteredAsync(TenantId[] ids, CancellationToken cancellationToken);
 
-    /// <summary>
-    ///     Loads tenants by id without applying tenant query filters.
-    ///     Used by back-office cross-tenant queries that need full tenant data (logo, plan, ...) where
-    ///     tenant context is not established.
-    /// </summary>
-    Task<Tenant[]> GetByIdsUnfilteredAsync(TenantId[] ids, CancellationToken cancellationToken);
-
     /// <summary>
     ///     Returns every tenant created at or after <paramref name="since" /> without applying tenant query filters.
     ///     Used by the back-office dashboard to compute new-tenant trend buckets across all tenants.
@@ -47,6 +46,7 @@ public interface ITenantRepository : ICrudRepository<Tenant, TenantId>, ISoftDel
     /// <summary>
     ///     Returns every tenant without applying tenant query filters.
     ///     Used by the back-office dashboard KPI snapshot to count tenants by state and plan across all tenants.
+    ///     Also used by internal API endpoints where tenant context is not established.
     /// </summary>
     Task<Tenant[]> GetAllUnfilteredAsync(CancellationToken cancellationToken);
 
@@ -55,6 +55,15 @@ public interface ITenantRepository : ICrudRepository<Tenant, TenantId>, ISoftDel
     ///     Used by the back-office dashboard "Recent signups" list.
     /// </summary>
     Task<Tenant[]> GetMostRecentSignupsUnfilteredAsync(int limit, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Returns the next monotonic rollout index for a new tenant, used by the low-discrepancy bucket
+    ///     function in <see cref="Tenant" /> to assign a well-spread rollout bucket. The Postgres sequence
+    ///     guarantees uniqueness under concurrent CreateTenantCommand calls; SQLite (test database) falls
+    ///     back to COUNT(*) which preserves the previous behavior.
+    ///     Tenant query filter is ignored because tenant creation predates tenant context.
+    /// </summary>
+    Task<int> GetNextRolloutIndexUnfilteredAsync(CancellationToken cancellationToken);
 }
 
 public sealed class TenantRepository(AccountDbContext accountDbContext, IExecutionContext executionContext)
@@ -71,6 +80,17 @@ public async Task<Tenant[]> GetByIdsAsync(TenantId[] ids, CancellationToken canc
         return await DbSet.Where(t => ids.AsEnumerable().Contains(t.Id)).ToArrayAsync(cancellationToken);
     }
 
+    /// <summary>
+    ///     Retrieves tenants by IDs without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    public async Task<Tenant[]> GetByIdsUnfilteredAsync(TenantId[] ids, CancellationToken cancellationToken)
+    {
+        if (ids.Length == 0) return [];
+
+        return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).Where(t => ids.AsEnumerable().Contains(t.Id)).ToArrayAsync(cancellationToken);
+    }
+
     /// <summary>
     ///     Retrieves a tenant by ID without applying tenant query filters.
     ///     This method should only be used in webhook processing where tenant context is not established.
@@ -115,18 +135,6 @@ public async Task<Dictionary<TenantId, string>> GetNamesByIdsUnfilteredAsync(Ten
             .ToDictionaryAsync(t => t.Id, t => t.Name, cancellationToken);
     }
 
-    /// <summary>
-    ///     Loads tenants by id without applying tenant query filters.
-    ///     Used by back-office cross-tenant queries that need full tenant data (logo, plan, ...) where
-    ///     tenant context is not established.
-    /// </summary>
-    public async Task<Tenant[]> GetByIdsUnfilteredAsync(TenantId[] ids, CancellationToken cancellationToken)
-    {
-        if (ids.Length == 0) return [];
-
-        return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).Where(t => ids.AsEnumerable().Contains(t.Id)).ToArrayAsync(cancellationToken);
-    }
-
     /// <summary>
     ///     Returns every tenant created at or after <paramref name="since" /> without applying tenant query filters.
     ///     Used by the back-office dashboard to compute new-tenant trend buckets across all tenants.
@@ -142,10 +150,11 @@ public async Task<Tenant[]> GetCreatedSinceUnfilteredAsync(DateTimeOffset since,
     /// <summary>
     ///     Returns every tenant without applying tenant query filters.
     ///     Used by the back-office dashboard KPI snapshot to count tenants by state and plan across all tenants.
+    ///     Also used by internal API endpoints where tenant context is not established.
     /// </summary>
     public async Task<Tenant[]> GetAllUnfilteredAsync(CancellationToken cancellationToken)
     {
-        return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).ToArrayAsync(cancellationToken);
+        return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).OrderBy(t => t.Id).ToArrayAsync(cancellationToken);
     }
 
     /// <summary>
@@ -159,4 +168,29 @@ public async Task<Tenant[]> GetMostRecentSignupsUnfilteredAsync(int limit, Cance
         var tenants = await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).ToArrayAsync(cancellationToken);
         return tenants.OrderByDescending(t => t.CreatedAt).Take(limit).ToArray();
     }
+
+    /// <summary>
+    ///     Returns the next monotonic rollout index for a new tenant, used by the low-discrepancy bucket
+    ///     function in <see cref="Tenant" /> to assign a well-spread rollout bucket. The Postgres sequence
+    ///     guarantees uniqueness under concurrent CreateTenantCommand calls; SQLite (test database) falls
+    ///     back to COUNT(*) which preserves the previous behavior.
+    ///     Tenant query filter is ignored because tenant creation predates tenant context.
+    /// </summary>
+    public async Task<int> GetNextRolloutIndexUnfilteredAsync(CancellationToken cancellationToken)
+    {
+        if (accountDbContext.Database.ProviderName is "Microsoft.EntityFrameworkCore.Sqlite")
+        {
+            return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).CountAsync(cancellationToken);
+        }
+
+        var nextSequenceValue = await accountDbContext.Database
+            .SqlQueryRaw<long>("SELECT nextval('tenant_rollout_index_sequence') AS \"Value\"")
+            .SingleAsync(cancellationToken);
+
+        // Sequence is seeded at COUNT(*)+1, so the first nextval after migration equals the previous COUNT+1.
+        // Subtracting 1 preserves the original count-based contract used by Tenant.Create. The mask keeps
+        // the cast non-negative past 2.1B cumulative inserts (including rolled-back/leaked values) while
+        // preserving int.MaxValue itself (the `% int.MaxValue` form silently collapses that value to 0).
+        return (int)((nextSequenceValue - 1) & 0x7FFF_FFFF);
+    }
 }
diff --git a/application/account/Core/Features/Users/BackOffice/Commands/SetUserAbInclusionPin.cs b/application/account/Core/Features/Users/BackOffice/Commands/SetUserAbInclusionPin.cs
new file mode 100644
index 000000000..e08088140
--- /dev/null
+++ b/application/account/Core/Features/Users/BackOffice/Commands/SetUserAbInclusionPin.cs
@@ -0,0 +1,35 @@
+using Account.Features.Users.Domain;
+using JetBrains.Annotations;
+using SharedKernel.Cqrs;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Features.Users.BackOffice.Commands;
+
+[PublicAPI]
+public sealed record SetUserAbInclusionPinCommand : ICommand, IRequest<Result>
+{
+    [JsonIgnore] // Removes from API contract
+    public UserId UserId { get; init; } = null!;
+
+    public AbInclusionPin? AbInclusionPin { get; init; }
+}
+
+public sealed class SetUserAbInclusionPinHandler(IUserRepository userRepository, ITelemetryEventsCollector events)
+    : IRequestHandler<SetUserAbInclusionPinCommand, Result>
+{
+    public async Task<Result> Handle(SetUserAbInclusionPinCommand command, CancellationToken cancellationToken)
+    {
+        var user = await userRepository.GetByIdUnfilteredAsync(command.UserId, cancellationToken);
+        if (user is null) return Result.NotFound($"User with id '{command.UserId}' not found.");
+
+        var fromPin = user.AbInclusionPin;
+        user.SetAbInclusionPin(command.AbInclusionPin);
+        userRepository.Update(user);
+
+        events.CollectEvent(new UserAbInclusionPinUpdated(user.Id, fromPin, command.AbInclusionPin));
+
+        return Result.Success();
+    }
+}
diff --git a/application/account/Core/Features/Users/BackOffice/Queries/GetBackOfficeUserDetail.cs b/application/account/Core/Features/Users/BackOffice/Queries/GetBackOfficeUserDetail.cs
index 5e5e079a5..824077862 100644
--- a/application/account/Core/Features/Users/BackOffice/Queries/GetBackOfficeUserDetail.cs
+++ b/application/account/Core/Features/Users/BackOffice/Queries/GetBackOfficeUserDetail.cs
@@ -5,6 +5,7 @@
 using JetBrains.Annotations;
 using SharedKernel.Cqrs;
 using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
 
 namespace Account.Features.Users.BackOffice.Queries;
 
@@ -27,7 +28,8 @@ public sealed record BackOfficeUserDetailResponse(
     DateTimeOffset? ModifiedAt,
     DateTimeOffset? LastSeenAt,
     string? AvatarUrl,
-    BackOfficeUserTenantMembership[] TenantMemberships
+    BackOfficeUserTenantMembership[] TenantMemberships,
+    AbInclusionPin? AbInclusionPin
 );
 
 // A "tenant membership" is another user record sharing the same email in a different tenant. Each row in the back-office
@@ -126,7 +128,8 @@ public async Task<Result<BackOfficeUserDetailResponse>> Handle(GetBackOfficeUser
             user.ModifiedAt,
             user.LastSeenAt,
             user.Avatar.Url,
-            memberships
+            memberships,
+            user.AbInclusionPin
         );
     }
 }
diff --git a/application/account/Core/Features/Users/Commands/CreateUser.cs b/application/account/Core/Features/Users/Commands/CreateUser.cs
index d8c61b3b7..23a13c586 100644
--- a/application/account/Core/Features/Users/Commands/CreateUser.cs
+++ b/application/account/Core/Features/Users/Commands/CreateUser.cs
@@ -48,7 +48,8 @@ public async Task<Result<UserId>> Handle(CreateUserCommand command, Cancellation
         var locale = SinglePageAppConfiguration.SupportedLocalizations.Contains(command.PreferredLocale)
             ? command.PreferredLocale
             : string.Empty;
-        var user = User.Create(command.TenantId, command.Email, command.UserRole, command.EmailConfirmed, locale);
+        var rolloutIndex = await userRepository.GetNextRolloutIndexUnfilteredAsync(cancellationToken);
+        var user = User.Create(command.TenantId, command.Email, command.UserRole, command.EmailConfirmed, locale, rolloutIndex);
 
         await userRepository.AddAsync(user, cancellationToken);
         var gravatar = await gravatarClient.GetGravatar(user.Id, user.Email, cancellationToken);
diff --git a/application/account/Core/Features/Users/Domain/User.cs b/application/account/Core/Features/Users/Domain/User.cs
index 505de57b0..81c141284 100644
--- a/application/account/Core/Features/Users/Domain/User.cs
+++ b/application/account/Core/Features/Users/Domain/User.cs
@@ -1,12 +1,14 @@
 using System.Collections.Immutable;
 using Account.Features.ExternalAuthentication.Domain;
 using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Platform;
 
 namespace Account.Features.Users.Domain;
 
 public sealed class User : SoftDeletableAggregateRoot<UserId>, ITenantScopedEntity
 {
-    private User(TenantId tenantId, string email, UserRole role, bool emailConfirmed, string? locale)
+    private User(TenantId tenantId, string email, UserRole role, bool emailConfirmed, string? locale, int rolloutBucket)
         : base(UserId.NewId())
     {
         Email = email;
@@ -16,6 +18,7 @@ private User(TenantId tenantId, string email, UserRole role, bool emailConfirmed
         Locale = locale ?? string.Empty;
         Avatar = new Avatar();
         ExternalIdentities = [];
+        RolloutBucket = rolloutBucket;
     }
 
     public string Email
@@ -38,15 +41,21 @@ public string Email
 
     public string Locale { get; private set; }
 
+    public bool IsInternalUser => Email.EndsWith(Settings.Current.Identity.InternalEmailDomain, StringComparison.OrdinalIgnoreCase);
+
     public DateTimeOffset? LastSeenAt { get; private set; }
 
     public ImmutableArray<ExternalIdentity> ExternalIdentities { get; private set; }
 
+    public int RolloutBucket { get; private set; }
+
+    public AbInclusionPin? AbInclusionPin { get; private set; }
+
     public TenantId TenantId { get; }
 
-    public static User Create(TenantId tenantId, string email, UserRole role, bool emailConfirmed, string? locale)
+    public static User Create(TenantId tenantId, string email, UserRole role, bool emailConfirmed, string? locale, int existingCount)
     {
-        return new User(tenantId, email, role, emailConfirmed, locale);
+        return new User(tenantId, email, role, emailConfirmed, locale, RolloutBucketHasher.ComputeRolloutBucket(existingCount));
     }
 
     public void Update(string firstName, string lastName, string title)
@@ -105,6 +114,11 @@ public void AddExternalIdentity(ExternalProviderType provider, string providerUs
     {
         return ExternalIdentities.FirstOrDefault(e => e.Provider == provider);
     }
+
+    public void SetAbInclusionPin(AbInclusionPin? abInclusionPin)
+    {
+        AbInclusionPin = abInclusionPin;
+    }
 }
 
 public sealed record Avatar(string? Url = null, int Version = 0, bool IsGravatar = false);
diff --git a/application/account/Core/Features/Users/Domain/UserRepository.cs b/application/account/Core/Features/Users/Domain/UserRepository.cs
index 12458e37c..67aef4944 100644
--- a/application/account/Core/Features/Users/Domain/UserRepository.cs
+++ b/application/account/Core/Features/Users/Domain/UserRepository.cs
@@ -28,6 +28,18 @@ public interface IUserRepository : ICrudRepository<User, UserId>, IBulkRemoveRep
 
     Task<User[]> GetByIdsAsync(UserId[] ids, CancellationToken cancellationToken);
 
+    /// <summary>
+    ///     Retrieves users by IDs without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    Task<User[]> GetByIdsUnfilteredAsync(UserId[] ids, CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Searches users by email without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    Task<User[]> SearchByEmailUnfilteredAsync(string search, CancellationToken cancellationToken);
+
     Task<User[]> GetDeletedByIdsAsync(UserId[] ids, CancellationToken cancellationToken);
 
     Task<(User[] Users, int TotalItems, int TotalPages)> Search(
@@ -104,6 +116,15 @@ CancellationToken cancellationToken
     ///     so the time filter runs in memory; the user count is bounded by the dashboard's audience.
     /// </summary>
     Task<User[]> GetAllUnfilteredAsync(CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Returns the next monotonic rollout index for a new user, used by the low-discrepancy bucket
+    ///     function in <see cref="User" /> to assign a well-spread rollout bucket. The Postgres sequence
+    ///     guarantees uniqueness under concurrent CreateUserCommand calls; SQLite (test database) falls
+    ///     back to COUNT(*) which preserves the previous behavior.
+    ///     Tenant query filter is ignored because user creation can occur before tenant context is established.
+    /// </summary>
+    Task<int> GetNextRolloutIndexUnfilteredAsync(CancellationToken cancellationToken);
 }
 
 public sealed class UserRepository(AccountDbContext accountDbContext, IExecutionContext executionContext, TimeProvider timeProvider)
@@ -165,6 +186,32 @@ public async Task<User[]> GetByIdsAsync(UserId[] ids, CancellationToken cancella
         return await DbSet.Where(u => ids.AsEnumerable().Contains(u.Id)).ToArrayAsync(cancellationToken);
     }
 
+    /// <summary>
+    ///     Retrieves users by IDs without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    public async Task<User[]> GetByIdsUnfilteredAsync(UserId[] ids, CancellationToken cancellationToken)
+    {
+        return await DbSet
+            .IgnoreQueryFilters([QueryFilterNames.Tenant])
+            .Where(u => ids.AsEnumerable().Contains(u.Id))
+            .ToArrayAsync(cancellationToken);
+    }
+
+    /// <summary>
+    ///     Searches users by email without applying tenant query filters.
+    ///     This method should only be used for internal back-office operations that need cross-tenant access.
+    /// </summary>
+    public async Task<User[]> SearchByEmailUnfilteredAsync(string search, CancellationToken cancellationToken)
+    {
+        var lowerSearch = search.ToLowerInvariant();
+        return await DbSet
+            .IgnoreQueryFilters([QueryFilterNames.Tenant])
+            .Where(u => u.Email.Contains(lowerSearch))
+            .OrderBy(u => u.Id)
+            .ToArrayAsync(cancellationToken);
+    }
+
     public async Task<User[]> GetDeletedByIdsAsync(UserId[] ids, CancellationToken cancellationToken)
     {
         return await DbSet
@@ -508,7 +555,35 @@ public async Task<User[]> GetCreatedSinceUnfilteredAsync(DateTimeOffset since, C
     /// </summary>
     public async Task<User[]> GetAllUnfilteredAsync(CancellationToken cancellationToken)
     {
-        return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).ToArrayAsync(cancellationToken);
+        return await DbSet
+            .IgnoreQueryFilters([QueryFilterNames.Tenant])
+            .OrderBy(u => u.Id)
+            .ToArrayAsync(cancellationToken);
+    }
+
+    /// <summary>
+    ///     Returns the next monotonic rollout index for a new user, used by the low-discrepancy bucket
+    ///     function in <see cref="User" /> to assign a well-spread rollout bucket. The Postgres sequence
+    ///     guarantees uniqueness under concurrent CreateUserCommand calls; SQLite (test database) falls
+    ///     back to COUNT(*) which preserves the previous behavior.
+    ///     Tenant query filter is ignored because user creation can occur before tenant context is established.
+    /// </summary>
+    public async Task<int> GetNextRolloutIndexUnfilteredAsync(CancellationToken cancellationToken)
+    {
+        if (accountDbContext.Database.ProviderName is "Microsoft.EntityFrameworkCore.Sqlite")
+        {
+            return await DbSet.IgnoreQueryFilters([QueryFilterNames.Tenant]).CountAsync(cancellationToken);
+        }
+
+        var nextSequenceValue = await accountDbContext.Database
+            .SqlQueryRaw<long>("SELECT nextval('user_rollout_index_sequence') AS \"Value\"")
+            .SingleAsync(cancellationToken);
+
+        // Sequence is seeded at COUNT(*)+1, so the first nextval after migration equals the previous COUNT+1.
+        // Subtracting 1 preserves the original count-based contract used by User.Create. The mask keeps
+        // the cast non-negative past 2.1B cumulative inserts (including rolled-back/leaked values) while
+        // preserving int.MaxValue itself (the `% int.MaxValue` form silently collapses that value to 0).
+        return (int)((nextSequenceValue - 1) & 0x7FFF_FFFF);
     }
 
     /// <summary>
diff --git a/application/account/Core/Features/Users/Shared/UserInfoFactory.cs b/application/account/Core/Features/Users/Shared/UserInfoFactory.cs
index b51ee3e91..a392d7afa 100644
--- a/application/account/Core/Features/Users/Shared/UserInfoFactory.cs
+++ b/application/account/Core/Features/Users/Shared/UserInfoFactory.cs
@@ -1,3 +1,4 @@
+using Account.Features.FeatureFlags.Shared;
 using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Features.Users.Domain;
@@ -11,7 +12,12 @@ namespace Account.Features.Users.Shared;
 ///     Factory for creating UserInfo instances with tenant information.
 ///     Centralizes the logic for creating UserInfo to follow SRP and avoid duplication.
 /// </summary>
-public sealed class UserInfoFactory(ITenantRepository tenantRepository, ISubscriptionRepository subscriptionRepository)
+public sealed class UserInfoFactory(
+    ITenantRepository tenantRepository,
+    ISubscriptionRepository subscriptionRepository,
+    FeatureFlagEvaluator featureFlagEvaluator,
+    PlanBasedFeatureFlagEvaluator planBasedFeatureFlagEvaluator
+)
 {
     /// <summary>
     ///     Creates a UserInfo instance from a User entity, including tenant name.
@@ -22,7 +28,14 @@ public async Task<Result<UserInfo>> CreateUserInfoAsync(User user, SessionId? se
         var tenant = await tenantRepository.GetByIdAsync(user.TenantId, cancellationToken);
         if (tenant is null) return Result<UserInfo>.BadRequest("Tenant has been deleted.");
 
-        var subscription = await subscriptionRepository.GetByTenantIdUnfilteredAsync(user.TenantId, cancellationToken);
+        var subscription = await subscriptionRepository.GetByTenantIdUnfilteredAsync(user.TenantId, cancellationToken)
+                           ?? throw new InvalidOperationException($"Subscription not found for tenant '{user.TenantId}'.");
+
+        await planBasedFeatureFlagEvaluator.EvaluatePlanFlagsForTenantAsync(tenant.Id, subscription.Plan, cancellationToken);
+
+        var enabledFlags = await featureFlagEvaluator.EvaluateAsync(
+            tenant.Id, user.Id, tenant.RolloutBucket, user.RolloutBucket, tenant.AbInclusionPin, user.AbInclusionPin, cancellationToken
+        );
 
         return new UserInfo
         {
@@ -38,8 +51,12 @@ public async Task<Result<UserInfo>> CreateUserInfoAsync(User user, SessionId? se
             AvatarUrl = user.Avatar.Url,
             TenantName = tenant.Name,
             TenantLogoUrl = tenant.Logo.Url,
-            SubscriptionPlan = subscription!.Plan.ToString(),
-            Locale = user.Locale
+            SubscriptionPlan = subscription.Plan.ToString(),
+            Locale = user.Locale,
+            IsInternalUser = user.IsInternalUser,
+            FeatureFlags = new HashSet<string>(enabledFlags),
+            TenantRolloutBucket = tenant.RolloutBucket,
+            UserRolloutBucket = user.RolloutBucket
         };
     }
 }
diff --git a/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs b/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs
index bc23b3a01..7e1967707 100644
--- a/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs
+++ b/application/account/Tests/ArchitectureTests/EndpointMetadataTests.cs
@@ -1,10 +1,13 @@
 using FluentAssertions;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using SharedKernel.Authentication.BackOfficeIdentity;
 using SharedKernel.OpenApi;
+using SharedKernel.SinglePageApp;
 using Xunit;
 
 namespace Account.Tests.ArchitectureTests;
@@ -22,11 +25,68 @@ public sealed class EndpointMetadataTests : IDisposable
 {
     private const string AppHost = "app.test.localhost";
     private const string BackOfficeHost = "back-office.test.localhost";
+    private const string TestPublicUrl = "https://localhost";
+
+    // Anonymous-by-design /internal-api/* endpoints. Adding a new entry requires a documented
+    // rationale alongside the route key: the endpoint either has no credential available in-cluster
+    // (ACA health probes), is the credential issuance route itself (refresh-authentication-tokens),
+    // is a backend-to-backend call from downstream main SCS projects that cannot pass an auth token
+    // today, or is the framework-level catch-all that returns 404 for unmatched /internal-api/* paths.
+    private static readonly string[] AnonymousInternalApiAllowlist =
+    [
+        // Refresh-authentication-tokens: anonymous by design — the refresh token in the request body
+        // is the bearer credential. AppGateway's AuthenticationCookieMiddleware re-issues cookies via
+        // this route when an upstream sets `x-refresh-authentication-tokens-required`.
+        "POST:/internal-api/account/authentication/refresh-authentication-tokens",
+        // ACA container app liveness + readiness probes. The probes do not carry credentials.
+        "GET:/internal-api/live",
+        "GET:/internal-api/ready",
+        // /internal-api/account/tenants/{id} stays anonymous: server-to-server call from main SCS in
+        // downstream projects (DataMentor, ProductConnect). Until downstream callers can pass an auth
+        // token, the BlockInternalApiTransform + ACA private ingress are the perimeter.
+        "DELETE:/internal-api/account/tenants/{id}",
+        // SinglePageAppFallbackExtensions registers a framework-level catch-all that emits 404 for
+        // any unmatched /internal-api/* path. The 404 emitter is not a callable endpoint.
+        "GET:/internal-api/{**_}",
+        "POST:/internal-api/{**_}",
+        "PUT:/internal-api/{**_}",
+        "DELETE:/internal-api/{**_}",
+        "PATCH:/internal-api/{**_}",
+        "HEAD:/internal-api/{**_}",
+        "OPTIONS:/internal-api/{**_}"
+    ];
+
+    // Back-office write endpoints that must require AdminPolicyName. Adding a new mutation here forces
+    // the implementer to explicitly opt into either the admin set or the regular set — the assertion
+    // below catches the case where a refactor swaps PolicyName for AdminPolicyName or vice versa on a
+    // hand-listed route, which the previous "any allowed policy" check let through silently.
+    private static readonly string[] AdminPolicyBackOfficeRoutes =
+    [
+        "PUT:/api/back-office/feature-flags/{flagKey}/activate",
+        "PUT:/api/back-office/feature-flags/{flagKey}/deactivate",
+        "DELETE:/api/back-office/feature-flags/{flagKey}",
+        "PUT:/api/back-office/feature-flags/{flagKey}/tenant-override",
+        "PUT:/api/back-office/feature-flags/{flagKey}/rollout-percentage",
+        "DELETE:/api/back-office/feature-flags/{flagKey}/tenant-override",
+        "PUT:/api/back-office/feature-flags/{flagKey}/user-override",
+        "DELETE:/api/back-office/feature-flags/{flagKey}/user-override",
+        "POST:/api/back-office/tenants/{id}/reconcile-with-stripe",
+        "POST:/api/back-office/tenants/{id}/replay-archived-stripe-events",
+        "POST:/api/back-office/tenants/{id}/drift/acknowledge",
+        "PUT:/api/back-office/tenants/{id}/ab-inclusion-pin",
+        "PUT:/api/back-office/users/{id}/ab-inclusion-pin"
+    ];
 
     private readonly WebApplicationFactory<Program> _webApplicationFactory;
 
     public EndpointMetadataTests()
     {
+        // SinglePageAppConfiguration reads these env vars on host start to build the CSP. Without
+        // them, host construction throws "Invalid URI: The URI is empty" before the endpoint data
+        // source becomes available. The values are throwaway — only their well-formedness matters.
+        Environment.SetEnvironmentVariable(SinglePageAppConfiguration.PublicUrlKey, TestPublicUrl);
+        Environment.SetEnvironmentVariable(SinglePageAppConfiguration.CdnUrlKey, $"{TestPublicUrl}/account");
+
         _webApplicationFactory = new WebApplicationFactory<Program>().WithWebHostBuilder(builder =>
             {
                 builder.ConfigureLogging(logging => logging.AddFilter(_ => false));
@@ -120,6 +180,65 @@ public void BackOfficeEndpoints_ShouldAllDeclareBackOfficeGroupName()
         endpointsMissingGroupName.Should().BeEmpty("back-office endpoints must declare WithGroupName(\"back-office\") so they appear in the back-office OpenAPI document");
     }
 
+    [Fact]
+    public void InternalApiEndpoints_ShouldEitherRequireAuthorizationOrBeOnAllowlist()
+    {
+        // Arrange
+        var routeEndpoints = GetRouteEndpoints();
+        var internalApiEndpoints = routeEndpoints
+            .Where(endpoint => endpoint.RoutePattern.RawText is { } pattern && pattern.StartsWith("/internal-api/", StringComparison.OrdinalIgnoreCase))
+            .ToList();
+        internalApiEndpoints.Should().NotBeEmpty("the account host must register at least one /internal-api/* endpoint (refresh-tokens, health probes)");
+
+        // Assert
+        var violations = internalApiEndpoints
+            .Where(endpoint => endpoint.Metadata.GetMetadata<IAuthorizeData>() is null)
+            .Where(endpoint => !AnonymousInternalApiAllowlist.Contains(BuildEndpointKey(endpoint)))
+            .Select(BuildEndpointKey)
+            .ToList();
+        violations.Should().BeEmpty(
+            "every /internal-api/* endpoint must either declare RequireAuthorization, or be added to AnonymousInternalApiAllowlist with a documented rationale. Anonymous /internal-api/* endpoints bypass BlockInternalApiTransform on pod-to-pod traffic and have been the source of cross-tenant data-exposure regressions."
+        );
+    }
+
+    [Fact]
+    public void BackOfficeWriteEndpoints_ShouldDeclareExpectedAuthorizationPolicy()
+    {
+        // Arrange
+        var routeEndpoints = GetRouteEndpoints();
+        var backOfficeWriteEndpoints = routeEndpoints
+            .Where(endpoint => endpoint.RoutePattern.RawText is { } pattern && pattern.StartsWith("/api/back-office/", StringComparison.OrdinalIgnoreCase))
+            .Where(endpoint => endpoint.Metadata.GetMetadata<HttpMethodMetadata>()?.HttpMethods.Any(method => method is "POST" or "PUT" or "PATCH" or "DELETE") == true)
+            .ToList();
+        backOfficeWriteEndpoints.Should().NotBeEmpty("the back-office route group must register at least one write endpoint");
+
+        // Assert
+        var violations = new List<string>();
+        foreach (var endpoint in backOfficeWriteEndpoints)
+        {
+            var endpointKey = BuildEndpointKey(endpoint);
+            var declaredPolicies = endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>().Select(data => data.Policy).ToArray();
+            var expectedPolicy = AdminPolicyBackOfficeRoutes.Contains(endpointKey)
+                ? BackOfficeIdentityDefaults.AdminPolicyName
+                : BackOfficeIdentityDefaults.PolicyName;
+
+            if (!declaredPolicies.Contains(expectedPolicy))
+            {
+                violations.Add($"{endpointKey} (expected '{expectedPolicy}', declared [{string.Join(", ", declaredPolicies)}])");
+            }
+        }
+
+        violations.Should().BeEmpty(
+            $"every back-office write endpoint must declare its expected RequireAuthorization policy: routes listed in {nameof(AdminPolicyBackOfficeRoutes)} require '{BackOfficeIdentityDefaults.AdminPolicyName}' (admin-only), every other write endpoint requires '{BackOfficeIdentityDefaults.PolicyName}' (regular back-office). Add new admin-gated mutations to the allowlist and add a `_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden` test alongside the mutation."
+        );
+    }
+
+    private static string BuildEndpointKey(RouteEndpoint endpoint)
+    {
+        var method = endpoint.Metadata.GetMetadata<HttpMethodMetadata>()?.HttpMethods.FirstOrDefault() ?? "GET";
+        return $"{method}:{endpoint.RoutePattern.RawText}";
+    }
+
     private List<RouteEndpoint> GetRouteEndpoints()
     {
         return _webApplicationFactory.Services
diff --git a/application/account/Tests/ArchitectureTests/InternalApiRoutesRemovedTests.cs b/application/account/Tests/ArchitectureTests/InternalApiRoutesRemovedTests.cs
new file mode 100644
index 000000000..ad28db92e
--- /dev/null
+++ b/application/account/Tests/ArchitectureTests/InternalApiRoutesRemovedTests.cs
@@ -0,0 +1,40 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Database;
+using FluentAssertions;
+using Xunit;
+
+namespace Account.Tests.ArchitectureTests;
+
+// Regression guard for PP-1251. The /internal-api/account/feature-flags/* routes were unauthenticated
+// and unhost-pinned, and the legacy /internal-api/account/tenants GET exposed cross-tenant data.
+// The InternalApiEndpoints_ShouldEitherRequireAuthorizationOrBeOnAllowlist arch test enforces the
+// auth-or-allowlist invariant going forward; this Theory locks in that the specific routes deleted
+// by PP-1251 stay deleted (a future contributor cannot accidentally remap them).
+public sealed class InternalApiRoutesRemovedTests : EndpointBaseTest<AccountDbContext>
+{
+    [Theory]
+    [InlineData("GET", "/internal-api/account/feature-flags")]
+    [InlineData("GET", "/internal-api/account/feature-flags/beta-features/tenants")]
+    [InlineData("GET", "/internal-api/account/feature-flags/beta-features/users")]
+    [InlineData("PUT", "/internal-api/account/feature-flags/beta-features/activate")]
+    [InlineData("PUT", "/internal-api/account/feature-flags/beta-features/deactivate")]
+    [InlineData("PUT", "/internal-api/account/feature-flags/beta-features/tenant-override")]
+    [InlineData("PUT", "/internal-api/account/feature-flags/beta-features/rollout-percentage")]
+    [InlineData("DELETE", "/internal-api/account/feature-flags/beta-features/tenant-override")]
+    [InlineData("PUT", "/internal-api/account/feature-flags/beta-features/user-override")]
+    [InlineData("DELETE", "/internal-api/account/feature-flags/beta-features/user-override")]
+    [InlineData("GET", "/internal-api/account/tenants")]
+    public async Task DeletedInternalApiRoute_ShouldReturnNotFound(string method, string path)
+    {
+        // Act - anonymous client because these routes were anonymous when they existed; if the route
+        // were silently re-registered with auth, an anonymous caller would see 401 not 404 and the
+        // test would still fail loudly.
+        var request = new HttpRequestMessage(new HttpMethod(method), path);
+        if (method is "PUT" or "POST") request.Content = JsonContent.Create(new { });
+        var response = await AnonymousHttpClient.SendAsync(request);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound, $"the {method} {path} route was deleted by PP-1251 and must not be re-introduced");
+    }
+}
diff --git a/application/account/Tests/Authentication/GetUserSessionsTests.cs b/application/account/Tests/Authentication/GetUserSessionsTests.cs
index 5deba3589..20428a570 100644
--- a/application/account/Tests/Authentication/GetUserSessionsTests.cs
+++ b/application/account/Tests/Authentication/GetUserSessionsTests.cs
@@ -136,7 +136,8 @@ private long InsertTenant(string name)
                 ("name", name),
                 ("state", "Active"),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -160,7 +161,8 @@ private void InsertUser(long tenantId, UserId userId, string email)
                 ("avatar", """{"Url":null,"Version":0,"IsGravatar":false}"""),
                 ("role", "Owner"),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
     }
diff --git a/application/account/Tests/Authentication/SwitchTenantTests.cs b/application/account/Tests/Authentication/SwitchTenantTests.cs
index b3e46989e..cb84b6230 100644
--- a/application/account/Tests/Authentication/SwitchTenantTests.cs
+++ b/application/account/Tests/Authentication/SwitchTenantTests.cs
@@ -31,7 +31,8 @@ public async Task SwitchTenant_WhenUserExistsInTargetTenant_ShouldSwitchSuccessf
                 ("name", tenant2Name),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -50,7 +51,8 @@ public async Task SwitchTenant_WhenUserExistsInTargetTenant_ShouldSwitchSuccessf
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -112,7 +114,8 @@ public async Task SwitchTenant_WhenUserDoesNotExistInTargetTenant_ShouldReturnFo
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -129,7 +132,8 @@ public async Task SwitchTenant_WhenUserDoesNotExistInTargetTenant_ShouldReturnFo
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -173,7 +177,8 @@ public async Task SwitchTenant_WhenUserEmailNotConfirmed_ShouldConfirmEmail()
                 ("name", tenant2Name),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -192,7 +197,8 @@ public async Task SwitchTenant_WhenUserEmailNotConfirmed_ShouldConfirmEmail()
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -244,7 +250,8 @@ public async Task SwitchTenant_WhenAcceptingInvite_ShouldCopyProfileData()
                 ("name", tenant2Name),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -264,7 +271,8 @@ public async Task SwitchTenant_WhenAcceptingInvite_ShouldCopyProfileData()
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -323,7 +331,8 @@ public async Task SwitchTenant_WhenSessionAlreadyRevoked_ShouldReturnUnauthorize
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -342,7 +351,8 @@ public async Task SwitchTenant_WhenSessionAlreadyRevoked_ShouldReturnUnauthorize
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/BackOffice/BillingDrift/GetDashboardMrrConsistencySummaryTests.cs b/application/account/Tests/BackOffice/BillingDrift/GetDashboardMrrConsistencySummaryTests.cs
index ad0185819..a27cefb81 100644
--- a/application/account/Tests/BackOffice/BillingDrift/GetDashboardMrrConsistencySummaryTests.cs
+++ b/application/account/Tests/BackOffice/BillingDrift/GetDashboardMrrConsistencySummaryTests.cs
@@ -115,7 +115,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/BillingDrift/GetUnsyncedSubscriptionsSummaryTests.cs b/application/account/Tests/BackOffice/BillingDrift/GetUnsyncedSubscriptionsSummaryTests.cs
index be667ae57..2513c3844 100644
--- a/application/account/Tests/BackOffice/BillingDrift/GetUnsyncedSubscriptionsSummaryTests.cs
+++ b/application/account/Tests/BackOffice/BillingDrift/GetUnsyncedSubscriptionsSummaryTests.cs
@@ -65,7 +65,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardKpisTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardKpisTests.cs
index b7f87ed64..fafcea2d1 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardKpisTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardKpisTests.cs
@@ -265,7 +265,8 @@ private TenantId SeedTenant(string name, SubscriptionPlan plan, DateTimeOffset c
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", plan.ToString()),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
@@ -392,7 +393,8 @@ private UserId SeedUser(TenantId tenantId, string email, DateTimeOffset createdA
                 ("title", null),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
         return userId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardMrrTrendTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardMrrTrendTests.cs
index 706df7c0e..9e1f95f66 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardMrrTrendTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardMrrTrendTests.cs
@@ -114,7 +114,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Standard)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardPlanDistributionTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardPlanDistributionTests.cs
index 105a12553..754a47b4f 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardPlanDistributionTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardPlanDistributionTests.cs
@@ -89,7 +89,8 @@ private TenantId SeedTenant(string name, SubscriptionPlan plan)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", plan.ToString()),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentSignupsTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentSignupsTests.cs
index 1bec665ce..d713b431c 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentSignupsTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentSignupsTests.cs
@@ -82,7 +82,8 @@ private void SeedTenant(string name, DateTimeOffset createdAt)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Basis)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
     }
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentStripeEventsTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentStripeEventsTests.cs
index 041eb1289..004757544 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentStripeEventsTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardRecentStripeEventsTests.cs
@@ -110,7 +110,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Standard)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardRevenueTrendTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardRevenueTrendTests.cs
index b48f61600..f10da66b0 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardRevenueTrendTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardRevenueTrendTests.cs
@@ -303,7 +303,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Standard)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 0)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/BackOffice/Dashboard/GetDashboardTrendsTests.cs b/application/account/Tests/BackOffice/Dashboard/GetDashboardTrendsTests.cs
index baec52c24..46af029ed 100644
--- a/application/account/Tests/BackOffice/Dashboard/GetDashboardTrendsTests.cs
+++ b/application/account/Tests/BackOffice/Dashboard/GetDashboardTrendsTests.cs
@@ -190,7 +190,8 @@ private TenantId SeedTenant(string name, DateTimeOffset createdAt)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Basis)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
@@ -211,7 +212,8 @@ private void SeedUser(TenantId tenantId, string email, DateTimeOffset createdAt)
                 ("title", null),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
     }
diff --git a/application/account/Tests/BackOffice/FeatureFlags/FeatureFlagBackOfficeTests.cs b/application/account/Tests/BackOffice/FeatureFlags/FeatureFlagBackOfficeTests.cs
new file mode 100644
index 000000000..a379436a8
--- /dev/null
+++ b/application/account/Tests/BackOffice/FeatureFlags/FeatureFlagBackOfficeTests.cs
@@ -0,0 +1,1906 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Features.FeatureFlags.Commands;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.FeatureFlags.Queries;
+using Account.Features.Subscriptions.Domain;
+using Account.Features.Users.Domain;
+using FluentAssertions;
+using SharedKernel.Authentication;
+using SharedKernel.Authentication.MockEasyAuth;
+using SharedKernel.Domain;
+using SharedKernel.Tests;
+using SharedKernel.Tests.Persistence;
+using SharedKernel.Validation;
+using Xunit;
+using FeatureFlagRegistry = SharedKernel.FeatureFlags.FeatureFlags;
+using FeatureFlagScope = SharedKernel.FeatureFlags.FeatureFlagScope;
+
+namespace Account.Tests.BackOffice.FeatureFlags;
+
+// Exercises the back-office feature-flag endpoints at /api/back-office/feature-flags/*.
+// All mutations (activate, deactivate, tenant/user overrides, rollout percentage, delete) carry the
+// AdminPolicyName requirement; GET queries use the regular back-office identity policy so support
+// staff can investigate state without being able to change it.
+public sealed class FeatureFlagBackOfficeTests : BackOfficeEndpointBaseTest
+{
+    private const string RegularBackOfficeIdentityId = "user";
+    private const string AdminBackOfficeIdentityId = "admin";
+
+    private HttpClient CreateRegularBackOfficeClient()
+    {
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == RegularBackOfficeIdentityId);
+        return CreateBackOfficeClientForIdentity(identity);
+    }
+
+    private HttpClient CreateAdminBackOfficeClient()
+    {
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == AdminBackOfficeIdentityId);
+        return CreateBackOfficeClientForIdentity(identity);
+    }
+
+    // Activate / deactivate kill-switch (AdminPolicyName)
+
+    [Fact]
+    public async Task ActivateFeatureFlag_WhenAdmin_ShouldSetEnabledAt()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        enabledAt.Should().NotBeNullOrEmpty();
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagActivated");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.flag_key"].Should().Be(flagKey);
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task ActivateFeatureFlag_WhenAlreadyActiveAndAdmin_ShouldUpdateEnabledAt()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var originalEnabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var updatedEnabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        updatedEnabledAt.Should().NotBe(originalEnabledAt);
+    }
+
+    [Fact]
+    public async Task ActivateFeatureFlag_WhenFlagIsNotKillSwitch_ShouldReturnBadRequest()
+    {
+        // Arrange — sso is a PlanGatedTenantFlag without IsKillSwitchEnabled set; the validator
+        // must reject global Activate so the panic-button contract is enforced.
+        var flagKey = "sso";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert
+        var expectedErrors = new[]
+        {
+            new ErrorDetail("FlagKey", "Only kill-switch-enabled feature flags can be globally activated.")
+        };
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.BadRequest, expectedErrors);
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task DeactivateFeatureFlag_WhenFlagIsNotKillSwitch_ShouldReturnBadRequest()
+    {
+        // Arrange — sso is a PlanGatedTenantFlag without IsKillSwitchEnabled set; the validator
+        // must reject global Deactivate so the panic-button contract is enforced.
+        var flagKey = "sso";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Assert
+        var expectedErrors = new[]
+        {
+            new ErrorDetail("FlagKey", "Only kill-switch-enabled feature flags can be globally deactivated.")
+        };
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.BadRequest, expectedErrors);
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task ActivateFeatureFlag_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert - the activate route is gated by AdminPolicyName, so a regular back-office identity
+        // without the admin group claim must be rejected.
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task DeactivateFeatureFlag_WhenAdmin_ShouldSetDisabledAt()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var disabledAt = Connection.ExecuteScalar<string>(
+            "SELECT disabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        disabledAt.Should().NotBeNullOrEmpty();
+        enabledAt.Should().NotBeNullOrEmpty("EnabledAt should be preserved on deactivation");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagDeactivated");
+    }
+
+    [Fact]
+    public async Task DeactivateFeatureFlag_WhenAlreadyInactiveAndAdmin_ShouldHandleGracefully()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        // First deactivate to make it inactive, then deactivate again to test idempotency
+        await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+    }
+
+    [Fact]
+    public async Task DeactivateFeatureFlag_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+    }
+
+    [Fact]
+    public async Task ActivateFeatureFlag_AfterDeactivationByAdmin_ShouldReactivateFlag()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var disabledAt = Connection.ExecuteScalar<string>(
+            "SELECT disabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        disabledAt.Should().BeNull("DisabledAt should be cleared on reactivation");
+    }
+
+    // Tenant override (AdminPolicy)
+
+    [Fact]
+    public async Task SetTenantOverride_WhenEnabledAsAdmin_ShouldCreateOverrideRow()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetTenantFeatureFlagInternalCommand { TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        rowCount.Should().Be(1);
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        enabledAt.Should().NotBeNullOrEmpty();
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagTenantOverrideSet");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task RemoveTenantOverride_WhenOverrideExists_ShouldDeleteRow()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override?tenantId={tenantId}");
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        rowCount.Should().Be(0);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagTenantOverrideRemoved");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task RemoveTenantOverride_WhenNoOverrideExists_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override?tenantId={tenantId}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task SetTenantOverride_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateRegularBackOfficeClient();
+        var command = new SetTenantFeatureFlagInternalCommand { TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert - tenant-override mutations are gated by AdminPolicyName; a regular back-office identity
+        // without the admin group claim must be rejected before any repository write.
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        rowCount.Should().Be(0, "the policy guard must run before any repository write");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task RemoveTenantOverride_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override?tenantId={tenantId}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        rowCount.Should().Be(1, "the override must remain when a non-admin caller is rejected");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    // User override (AdminPolicy)
+
+    [Fact]
+    public async Task SetUserOverride_WhenEnabledAsAdmin_ShouldCreateOverrideRow()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetUserFeatureFlagInternalCommand { UserId = userId, TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        rowCount.Should().Be(1);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagUserOverrideSet");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task RemoveUserOverride_WhenOverrideExists_ShouldDeleteRow()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertUserOverride(flagKey, tenantId, userId, true);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/user-override?userId={userId}&tenantId={tenantId}");
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId }]
+        );
+        rowCount.Should().Be(0);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagUserOverrideRemoved");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task RemoveUserOverride_WhenNoOverrideExists_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/user-override?userId={userId}&tenantId={tenantId}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task SetUserOverride_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateRegularBackOfficeClient();
+        var command = new SetUserFeatureFlagInternalCommand { UserId = userId, TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        rowCount.Should().Be(0, "the policy guard must run before any repository write");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task RemoveUserOverride_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertUserOverride(flagKey, tenantId, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/user-override?userId={userId}&tenantId={tenantId}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId }]
+        );
+        rowCount.Should().Be(1, "the override must remain when a non-admin caller is rejected");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    // User/tenant verification guards — the back-office can target any tenant, so handlers verify the
+    // (TenantId, UserId) pair exists before any repository write. A mismatched or non-existent target
+    // must short-circuit with NotFound, leaving no override row and no telemetry behind.
+
+    [Fact]
+    public async Task SetUserFeatureFlagInternal_WhenUserDoesNotBelongToTenant_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var otherTenantId = new TenantId(999999);
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetUserFeatureFlagInternalCommand { UserId = userId, TenantId = otherTenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"User '{userId}' not found in tenant '{otherTenantId}'.");
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        rowCount.Should().Be(0, "the guard must run before any repository write");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task RemoveUserFeatureFlagOverride_WhenUserDoesNotBelongToTenant_ShouldReturnNotFound()
+    {
+        // Arrange - seed an override on the real tenant; the back-office request targets a different
+        // tenant so the guard must reject it without touching the existing override row.
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var realTenantId = DatabaseSeeder.Tenant1.Id;
+        var otherTenantId = new TenantId(999999);
+        InsertUserOverride(flagKey, realTenantId, userId.Value, true);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/user-override?userId={userId}&tenantId={otherTenantId}");
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"User '{userId}' not found in tenant '{otherTenantId}'.");
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        rowCount.Should().Be(1, "the guard must run before any repository write");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task SetUserFeatureFlagInternal_WhenUserDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var missingUserId = UserId.NewId();
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetUserFeatureFlagInternalCommand { UserId = missingUserId, TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"User '{missingUserId}' not found in tenant '{tenantId}'.");
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = missingUserId.Value }]
+        );
+        rowCount.Should().Be(0, "the guard must run before any repository write");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task SetTenantFeatureFlagInternal_WhenTenantDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var missingTenantId = new TenantId(999999);
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetTenantFeatureFlagInternalCommand { TenantId = missingTenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"Tenant '{missingTenantId}' not found.");
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = missingTenantId.Value }]
+        );
+        rowCount.Should().Be(0, "the guard must run before any repository write");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task SetTenantFeatureFlagInternal_WhenDisableAndNoOverrideExists_ShouldCreateExplicitDisableOverride()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetTenantFeatureFlagInternalCommand { TenantId = tenantId, Enabled = false };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        rowCount.Should().Be(1, "an explicit-disable override must be written so the evaluator overrides the rollout for this tenant");
+
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        var disabledAt = Connection.ExecuteScalar<string>(
+            "SELECT disabled_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { flagKey, tenantId = tenantId.Value }]
+        );
+        enabledAt.Should().NotBeNullOrEmpty();
+        disabledAt.Should().NotBeNullOrEmpty();
+        enabledAt.Should().Be(disabledAt, "EnabledAt and DisabledAt at the same instant make FeatureFlag.IsActive evaluate to false");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagTenantOverrideRemoved");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task SetUserFeatureFlagInternal_WhenDisableAndNoOverrideExists_ShouldCreateExplicitDisableOverride()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetUserFeatureFlagInternalCommand { UserId = userId, TenantId = tenantId, Enabled = false };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        rowCount.Should().Be(1, "an explicit-disable override must be written so the evaluator overrides the rollout for this user");
+
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        var disabledAt = Connection.ExecuteScalar<string>(
+            "SELECT disabled_at FROM feature_flags WHERE flag_key = @flagKey AND user_id = @userId",
+            [new { flagKey, userId = userId.Value }]
+        );
+        enabledAt.Should().NotBeNullOrEmpty();
+        disabledAt.Should().NotBeNullOrEmpty();
+        enabledAt.Should().Be(disabledAt, "EnabledAt and DisabledAt at the same instant make FeatureFlag.IsActive evaluate to false");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagUserOverrideRemoved");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Internal");
+    }
+
+    [Fact]
+    public async Task RemoveTenantFeatureFlagOverride_WhenTenantDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var missingTenantId = new TenantId(999999);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override?tenantId={missingTenantId}");
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"Tenant '{missingTenantId}' not found.");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    // Rollout percentage (AdminPolicy)
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenValidPercentageAsAdmin_ShouldUpdateBucketRange()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 50 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rolloutBucketStart = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_start FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        var rolloutBucketEnd = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_end FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        rolloutBucketStart.Should().NotBeNull();
+        rolloutBucketEnd.Should().NotBeNull();
+        CountBucketsInRange((int)rolloutBucketStart.Value, (int)rolloutBucketEnd.Value).Should().Be(50);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagRolloutPercentageUpdated");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.from_percentage"].Should().Be("0");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.to_percentage"].Should().Be("50");
+    }
+
+    [Theory]
+    [InlineData(1)]
+    [InlineData(99)]
+    public async Task SetRolloutPercentage_WhenSetToNPercent_ShouldIncludeExactlyNBuckets(int percentage)
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = percentage };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rolloutBucketStart = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_start FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        var rolloutBucketEnd = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_end FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        CountBucketsInRange((int)rolloutBucketStart!.Value, (int)rolloutBucketEnd!.Value).Should().Be(percentage);
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenInvalidPercentage_ShouldFailValidation()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 101 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenNonAbTestEligibleFlag_ShouldFailValidation()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 50 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenZeroPercent_ShouldClearBucketRange()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 50 });
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 0 });
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rolloutBucketStart = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_start FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        var rolloutBucketEnd = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_end FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        rolloutBucketStart.Should().BeNull();
+        rolloutBucketEnd.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateRegularBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 50 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var bucketStart = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_start FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        bucketStart.Should().BeNull("the policy guard must run before any repository write");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenHundredPercent_ShouldSetFullRange()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 100 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var rolloutBucketStart = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_start FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        var rolloutBucketEnd = Connection.ExecuteScalar<long?>(
+            "SELECT bucket_end FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        rolloutBucketStart.Should().Be(0);
+        rolloutBucketEnd.Should().Be(99);
+    }
+
+    // Flag tenants query (regular PolicyName)
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenTenantScopedFlag_ShouldReturnAllTenantsWithDefaultSource()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().NotBeEmpty();
+        result.Tenants.Should().AllSatisfy(t =>
+            {
+                t.Source.Should().Be(FeatureFlagSource.Default);
+                t.IsEnabled.Should().BeFalse();
+            }
+        );
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenTenantHasOverride_ShouldReturnManualOverrideSource()
+    {
+        // Arrange
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        ActivateBaseRow(flagKey);
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        var tenantResult = result.Tenants.Single(t => t.Id.Value == tenantId);
+        tenantResult.IsEnabled.Should().BeTrue();
+        tenantResult.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenFlagHasRollout_ShouldReturnAbRolloutSource()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("bucket_start", 0),
+                ("bucket_end", 99)
+            ]
+        );
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().AllSatisfy(t =>
+            {
+                t.Source.Should().Be(FeatureFlagSource.AbRollout);
+                t.IsEnabled.Should().BeTrue();
+            }
+        );
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenTenantDisabledViaOverrideWhileAbRolloutActive_ShouldReturnManualOverrideDisabled()
+    {
+        // Arrange - 100% rollout means every tenant is enabled, then add a disabled manual override.
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("bucket_start", 0),
+                ("bucket_end", 99)
+            ]
+        );
+        InsertTenantOverride(flagKey, tenantId, false);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert - manual override takes precedence over the A/B rollout.
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        var tenantResult = result.Tenants.Single(t => t.Id.Value == tenantId);
+        tenantResult.IsEnabled.Should().BeFalse();
+        tenantResult.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenBaseRowInactiveAndOverrideActive_ShouldReportIsEnabledFalse()
+    {
+        // Arrange — globally Deactivate beta-features (base row enabled_at=null) but keep an active
+        // manual override row for the tenant. The runtime FeatureFlagEvaluator short-circuits on
+        // !baseRow.IsActive (FeatureFlagEvaluator.cs:48) so this bulk list must mirror that contract.
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", null)]);
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert — row Source stays Manual (override is authoritative for that column), but
+        // IsEnabled must be false because the global kill switch is off.
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        var tenantResult = result.Tenants.Single(t => t.Id.Value == tenantId);
+        tenantResult.IsEnabled.Should().BeFalse();
+        tenantResult.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenNonExistentFlag_ShouldReturnBadRequest()
+    {
+        using var client = CreateRegularBackOfficeClient();
+        var response = await client.GetAsync("/api/back-office/feature-flags/non-existent/tenants");
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSystemScopedFlag_ShouldReturnBadRequest()
+    {
+        using var client = CreateRegularBackOfficeClient();
+        var response = await client.GetAsync("/api/back-office/feature-flags/google-oauth/tenants");
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSearchMatchesOwnerEmail_ShouldReturnMatchingTenants()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act - DatabaseSeeder.Tenant1Owner email is "owner@tenant-1.com", so "tenant-1" hits owner email.
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?Search=tenant-1");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().NotBeEmpty();
+        result.Tenants.Should().OnlyContain(t => t.Owner!.Email.Contains("tenant-1"));
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSearchHasNoMatches_ShouldReturnEmpty()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?Search=does-not-exist-anywhere");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().BeEmpty();
+        result.TotalCount.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenPlansFilterMatches_ShouldReturnOnlyTenantsOnSelectedPlans()
+    {
+        // Arrange - DatabaseSeeder.Tenant1 is on the Basis plan.
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var matchResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?Plans=Basis");
+        var noMatchResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?Plans=Premium");
+
+        // Assert
+        matchResponse.ShouldBeSuccessfulGetRequest();
+        noMatchResponse.ShouldBeSuccessfulGetRequest();
+        var matchResult = await matchResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        var noMatchResult = await noMatchResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        matchResult!.Tenants.Should().OnlyContain(t => t.Plan == SubscriptionPlan.Basis);
+        matchResult.TotalCount.Should().BeGreaterThan(0);
+        noMatchResult!.Tenants.Should().BeEmpty();
+        noMatchResult.TotalCount.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenStateEnabledAndTenantHasManualOverride_ShouldReturnOnlyEnabledTenants()
+    {
+        // Arrange - tenant-1 gets a manual enable for `sso`; other tenants remain disabled.
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        ActivateBaseRow(flagKey);
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?State=Enabled");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().OnlyContain(t => t.IsEnabled);
+        result.Tenants.Should().Contain(t => t.Id.Value == tenantId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenStateDisabledAndTenantIsEnabledViaOverride_ShouldExcludeTenant()
+    {
+        // Arrange
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        ActivateBaseRow(flagKey);
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?State=Disabled");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().NotContain(t => t.Id.Value == tenantId);
+        result.Tenants.Where(t => t.IsEnabled).Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenStateOmitted_ShouldNotFilterByState()
+    {
+        // Arrange - tenant-1 gets enabled, then ask without State.
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var omittedResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+        var enabledResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?State=Enabled");
+
+        // Assert
+        omittedResponse.ShouldBeSuccessfulGetRequest();
+        enabledResponse.ShouldBeSuccessfulGetRequest();
+        var omitted = await omittedResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        var enabled = await enabledResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        omitted!.TotalCount.Should().BeGreaterThanOrEqualTo(enabled!.TotalCount);
+        omitted.Tenants.Should().Contain(t => t.Id.Value == tenantId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenPaginated_ShouldReturnCorrectPagingMetadata()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?PageSize=1&PageOffset=0");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.PageSize.Should().Be(1);
+        result.CurrentPageOffset.Should().Be(0);
+        result.Tenants.Length.Should().BeLessOrEqualTo(1);
+        result.TotalPages.Should().Be(result.TotalCount);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSortedByName_ShouldReturnTenantsInAscendingNameOrder()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().BeInAscendingOrder(t => t.Name);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenHasOverrideOmitted_ShouldNotFilterByOverride()
+    {
+        // Arrange - seed an override so the dataset has both override and non-override rows.
+        var flagKey = "sso";
+        InsertTenantOverride(flagKey, DatabaseSeeder.Tenant1.Id, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().Contain(t => t.Source == FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenHasOverrideTrue_ShouldReturnOnlyTenantsWithManualOverride()
+    {
+        // Arrange
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?HasOverride=true");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().OnlyContain(t => t.Source == FeatureFlagSource.Manual);
+        result.Tenants.Should().Contain(t => t.Id.Value == tenantId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenHasOverrideTrueAndStateDisabled_ShouldReturnDisabledOverrides()
+    {
+        // Arrange - tenant-1 has a disabling manual override.
+        var flagKey = "sso";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        InsertTenantOverride(flagKey, tenantId, false);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?HasOverride=true&State=Disabled");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().OnlyContain(t => t.Source == FeatureFlagSource.Manual && !t.IsEnabled);
+        result.Tenants.Should().Contain(t => t.Id.Value == tenantId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenHasOverrideTrueAndNoTenantHasOverride_ShouldReturnEmpty()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?HasOverride=true");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().BeEmpty();
+        result.TotalCount.Should().Be(0);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenHasOverrideTrueOnAbRolloutFlag_ShouldExcludeAbRolloutAndDefaultRows()
+    {
+        // Arrange - beta-features at 100% rollout means every tenant is "ab_rollout"; the manual
+        // override for tenant-1 should be the only row HasOverride=true keeps.
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("bucket_start", 0),
+                ("bucket_end", 99)
+            ]
+        );
+        InsertTenantOverride(flagKey, tenantId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?HasOverride=true");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Should().OnlyContain(t => t.Source == FeatureFlagSource.Manual);
+        result.Tenants.Should().Contain(t => t.Id.Value == tenantId);
+    }
+
+    // Flag users query (regular PolicyName)
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenNoSearchProvided_ShouldReturnAllUsersPaginated()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().NotBeEmpty();
+        result.TotalCount.Should().BeGreaterThan(0);
+        result.PageSize.Should().Be(25);
+        result.CurrentPageOffset.Should().Be(0);
+        result.TotalPages.Should().BeGreaterThan(0);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenSearchMatchesEmail_ShouldReturnMatchingUsersWithDefaultSource()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?search=owner@tenant-1");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().NotBeEmpty();
+        result.Users.Should().OnlyContain(u => u.Source == FeatureFlagSource.Default);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenUserHasOverride_ShouldReturnUserWithManualOverrideSource()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?search=owner@tenant-1");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().NotBeEmpty();
+        var userResult = result.Users.Single(u => u.Id.Value == userId);
+        userResult.IsEnabled.Should().BeTrue();
+        userResult.Source.Should().Be(FeatureFlagSource.Manual);
+        userResult.Email.Should().NotBe("Unknown");
+        userResult.TenantName.Should().NotBe("Unknown");
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenBaseRowInactiveAndOverrideActive_ShouldReportIsEnabledFalse()
+    {
+        // Arrange — globally Deactivate compact-view (base row enabled_at=null) but keep an active
+        // manual override row for the user. The runtime FeatureFlagEvaluator short-circuits on
+        // !baseRow.IsActive (FeatureFlagEvaluator.cs:48) so this bulk list must mirror that contract.
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", null)]);
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?search=owner@tenant-1");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        var userResult = result.Users.Single(u => u.Id.Value == userId);
+        userResult.IsEnabled.Should().BeFalse();
+        userResult.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenNonUserScopedFlag_ShouldReturnBadRequest()
+    {
+        using var client = CreateRegularBackOfficeClient();
+        var response = await client.GetAsync("/api/back-office/feature-flags/sso/users");
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenSearchOnlyMatchingEmail_ShouldReturnOnlyMatchingUsers()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?Search=owner@tenant-1");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().NotBeEmpty();
+        result.Users.Should().OnlyContain(u => u.Email.Contains("owner@tenant-1"));
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenRolesFilterApplied_ShouldReturnOnlyUsersWithSelectedRoles()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?Roles=Owner");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().NotBeEmpty();
+        result.Users.Should().OnlyContain(u => u.Role == UserRole.Owner);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenStateEnabledAndUserHasManualOverride_ShouldReturnOnlyEnabledUsers()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?State=Enabled");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().OnlyContain(u => u.IsEnabled);
+        result.Users.Should().Contain(u => u.Id.Value == userId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenStateDisabled_ShouldReturnOnlyDisabledUsers()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?State=Disabled");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().OnlyContain(u => !u.IsEnabled);
+        result.Users.Should().NotContain(u => u.Id.Value == userId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenPaginated_ShouldReturnCorrectPagingMetadata()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?PageSize=1&PageOffset=0");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.PageSize.Should().Be(1);
+        result.CurrentPageOffset.Should().Be(0);
+        result.Users.Length.Should().BeLessOrEqualTo(1);
+        result.TotalPages.Should().Be(result.TotalCount);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenPageOffsetExceedsTotalPages_ShouldReturnBadRequest()
+    {
+        using var client = CreateRegularBackOfficeClient();
+        var response = await client.GetAsync("/api/back-office/feature-flags/compact-view/users?PageOffset=100");
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenHasOverrideOmitted_ShouldNotFilterByOverride()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().Contain(u => u.Source == FeatureFlagSource.Manual);
+        result.Users.Should().Contain(u => u.Source == FeatureFlagSource.Default);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenHasOverrideTrue_ShouldReturnOnlyUsersWithManualOverride()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, userId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?HasOverride=true");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Should().OnlyContain(u => u.Source == FeatureFlagSource.Manual);
+        result.Users.Should().Contain(u => u.Id.Value == userId);
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenHasOverrideTrueAndRoleFiltered_ShouldReturnOnlyMatchingUsersWithOverride()
+    {
+        // Arrange - only the owner gets the override.
+        var flagKey = "compact-view";
+        var ownerId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertUserOverride(flagKey, DatabaseSeeder.Tenant1.Id, ownerId, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var matchResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?HasOverride=true&Roles=Owner");
+        var noMatchResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?HasOverride=true&Roles=Member");
+
+        // Assert
+        matchResponse.ShouldBeSuccessfulGetRequest();
+        noMatchResponse.ShouldBeSuccessfulGetRequest();
+        var matchResult = await matchResponse.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        var noMatchResult = await noMatchResponse.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        matchResult!.Users.Should().OnlyContain(u => u.Source == FeatureFlagSource.Manual && u.Role == UserRole.Owner);
+        matchResult.Users.Should().Contain(u => u.Id.Value == ownerId);
+        noMatchResult!.Users.Should().BeEmpty();
+    }
+
+    // List-all-flags query (regular PolicyName)
+
+    [Fact]
+    public async Task GetFeatureFlags_WhenCalled_ShouldReturnAllFlagsWithDatabaseState()
+    {
+        // Arrange
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync("/api/back-office/feature-flags");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        result.Flags.Should().HaveCount(FeatureFlagRegistry.GetAll().Length);
+
+        result.Flags.Single(f => f.Key == "google-oauth").Scope.Should().Be(FeatureFlagScope.System);
+        result.Flags.Single(f => f.Key == "subscriptions").Scope.Should().Be(FeatureFlagScope.System);
+        var betaFeatures = result.Flags.Single(f => f.Key == "beta-features");
+        betaFeatures.Scope.Should().Be(FeatureFlagScope.Tenant);
+        betaFeatures.IsAbTestEligible.Should().BeTrue();
+        betaFeatures.IsActive.Should().BeTrue();
+        result.Flags.Single(f => f.Key == "sso").IsActive.Should().BeFalse();
+        result.Flags.Single(f => f.Key == "account-overview").ConfigurableByTenant.Should().BeTrue();
+        result.Flags.Single(f => f.Key == "compact-view").ConfigurableByUser.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task GetFeatureFlags_WhenOrphanedRowWithScope_ShouldIncludeInResponse()
+    {
+        // Arrange
+        InsertHistoricalBaseRow("removed-feature", FeatureFlagScope.Tenant);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync("/api/back-office/feature-flags");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        var orphan = result.Flags.Single(f => f.Key == "removed-feature");
+        orphan.Scope.Should().Be(FeatureFlagScope.Tenant);
+        orphan.OrphanedAt.Should().NotBeNull();
+        orphan.DeletedAt.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task GetFeatureFlags_WhenSoftDeletedRowAndIncludeDeletedFalse_ShouldExcludeFromResponse()
+    {
+        // Arrange
+        InsertHistoricalBaseRow("removed-feature", FeatureFlagScope.Tenant, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync("/api/back-office/feature-flags");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        result.Flags.Should().NotContain(f => f.Key == "removed-feature");
+    }
+
+    [Fact]
+    public async Task GetFeatureFlags_WhenSoftDeletedRowAndIncludeDeletedTrue_ShouldIncludeWithDeletedAt()
+    {
+        // Arrange
+        InsertHistoricalBaseRow("removed-feature", FeatureFlagScope.Tenant, true);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync("/api/back-office/feature-flags?IncludeDeleted=true");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        var deleted = result.Flags.Single(f => f.Key == "removed-feature");
+        deleted.DeletedAt.Should().NotBeNull();
+        deleted.OrphanedAt.Should().NotBeNull();
+    }
+
+    // Back-office mutations do NOT chain AddRefreshAuthenticationTokens() because the back-office
+    // actor's own claim set is unchanged when they mutate flags for other tenants/users. Target
+    // sessions pick up the change via the x-user-feature-flags header on their next request.
+
+    [Fact]
+    public async Task ActivateFeatureFlag_WhenCalledByAdmin_ShouldNotAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/activate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    [Fact]
+    public async Task DeactivateFeatureFlag_WhenCalledByAdmin_ShouldNotAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.PutAsync($"/api/back-office/feature-flags/{flagKey}/deactivate", null);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    [Fact]
+    public async Task SetTenantOverride_WhenCalled_ShouldNotAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetTenantFeatureFlagInternalCommand { TenantId = tenantId, Enabled = true };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    [Fact]
+    public async Task SetRolloutPercentage_WhenCalled_ShouldNotAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        using var client = CreateAdminBackOfficeClient();
+        var command = new SetFeatureFlagRolloutPercentageCommand { RolloutPercentage = 50 };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/feature-flags/{flagKey}/rollout-percentage", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        response.Headers.Should().NotContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    // Delete feature flag (AdminPolicyName, orphan-only)
+
+    [Fact]
+    public async Task DeleteFeatureFlag_WhenOrphanedAndAdmin_ShouldSoftDeleteBaseAndHardDeleteOverridesAndEmitTelemetry()
+    {
+        // Arrange
+        var flagKey = "removed-feature";
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var userId = DatabaseSeeder.Tenant1Owner.Id.ToString();
+        InsertOrphanedBaseRow(flagKey);
+        InsertTenantOverride(flagKey, tenantId, true);
+        InsertUserOverride(flagKey, tenantId, userId, true);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}");
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        var baseRowDeletedAt = Connection.ExecuteScalar<string>(
+            "SELECT deleted_at FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        baseRowDeletedAt.Should().NotBeNullOrEmpty();
+
+        var overrideCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND (tenant_id IS NOT NULL OR user_id IS NOT NULL)", [new { flagKey }]
+        );
+        overrideCount.Should().Be(0);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagDeleted");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.flag_key"].Should().Be(flagKey);
+    }
+
+    [Fact]
+    public async Task DeleteFeatureFlag_WhenAlreadySoftDeleted_ShouldReturnBadRequest()
+    {
+        // Arrange
+        var flagKey = "removed-feature";
+        InsertOrphanedBaseRow(flagKey, true);
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task DeleteFeatureFlag_WhenNotOrphaned_ShouldReturnBadRequest()
+    {
+        // Arrange - sso is a live flag with OrphanedAt = NULL; hard-delete must be rejected.
+        var flagKey = "sso";
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+        var baseRowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        baseRowCount.Should().Be(1, "a non-orphaned flag must not be deleted");
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task DeleteFeatureFlag_WhenFlagDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        using var client = CreateAdminBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync("/api/back-office/feature-flags/does-not-exist");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task DeleteFeatureFlag_WhenNonAdminBackOfficeIdentity_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "removed-feature";
+        InsertOrphanedBaseRow(flagKey);
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.DeleteAsync($"/api/back-office/feature-flags/{flagKey}");
+
+        // Assert - the delete route is gated by AdminPolicyName, so a regular back-office identity without
+        // the admin group claim must be rejected.
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        var baseRowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE flag_key = @flagKey", [new { flagKey }]
+        );
+        baseRowCount.Should().Be(1, "the orphaned row must remain when a non-admin caller is rejected");
+    }
+
+    // Server-side sort smoke tests
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSortedByNameAscendingAndDescending_ShouldReturnOppositeOrder()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var ascResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?OrderBy=Name&SortOrder=Ascending");
+        var descResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?OrderBy=Name&SortOrder=Descending");
+
+        // Assert
+        ascResponse.ShouldBeSuccessfulGetRequest();
+        descResponse.ShouldBeSuccessfulGetRequest();
+        var ascResult = await ascResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        var descResult = await descResponse.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        ascResult.Should().NotBeNull();
+        descResult.Should().NotBeNull();
+        ascResult.Tenants.Should().NotBeEmpty();
+        ascResult.Tenants.Select(t => t.Name).Should().BeInAscendingOrder();
+        descResult.Tenants.Select(t => t.Name).Should().BeInDescendingOrder();
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagTenants_WhenSortedByPlan_ShouldReturnOrderedByPlan()
+    {
+        // Arrange
+        var flagKey = "sso";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/tenants?OrderBy=Plan&SortOrder=Ascending");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagTenantsResponse>();
+        result.Should().NotBeNull();
+        result.Tenants.Select(t => t.Plan).Should().BeInAscendingOrder();
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenSortedByNameAscendingAndDescending_ShouldReturnOppositeOrder()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var ascResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?OrderBy=Name&SortOrder=Ascending");
+        var descResponse = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?OrderBy=Name&SortOrder=Descending");
+
+        // Assert
+        ascResponse.ShouldBeSuccessfulGetRequest();
+        descResponse.ShouldBeSuccessfulGetRequest();
+        var ascResult = await ascResponse.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        var descResult = await descResponse.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        ascResult.Should().NotBeNull();
+        descResult.Should().NotBeNull();
+        ascResult.Users.Should().NotBeEmpty();
+        ascResult.Users.Select(u => u.Email).Should().Equal(descResult.Users.Select(u => u.Email).Reverse());
+    }
+
+    [Fact]
+    public async Task GetFeatureFlagUsers_WhenSortedByRole_ShouldReturnOrderedByRole()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        using var client = CreateRegularBackOfficeClient();
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/feature-flags/{flagKey}/users?OrderBy=Role&SortOrder=Ascending");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<GetFeatureFlagUsersResponse>();
+        result.Should().NotBeNull();
+        result.Users.Select(u => u.Role).Should().BeInAscendingOrder();
+    }
+
+    // The reconciler creates non-kill-switch base rows with EnabledAt=null until an admin Activates.
+    // Tests that exercise override-driven IsEnabled need the base row Active so the mirror query
+    // path is reached at all — FeatureFlagEvaluator.cs:48 short-circuits when baseRow.IsActive is false.
+    private void ActivateBaseRow(string flagKey)
+    {
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", TimeProvider.System.GetUtcNow())]);
+    }
+
+    private void InsertOrphanedBaseRow(string flagKey, bool softDeleted = false)
+    {
+        InsertHistoricalBaseRow(flagKey, FeatureFlagScope.Tenant, softDeleted);
+    }
+
+    private void InsertHistoricalBaseRow(string flagKey, FeatureFlagScope scope, bool softDeleted = false)
+    {
+        var rowId = FeatureFlagId.NewId().ToString();
+        var now = TimeProvider.System.GetUtcNow();
+        Connection.Insert("feature_flags", [
+                ("id", rowId),
+                ("created_at", now),
+                ("modified_at", null),
+                ("deleted_at", softDeleted ? now : null),
+                ("orphaned_at", now),
+                ("flag_key", flagKey),
+                ("tenant_id", null),
+                ("user_id", null),
+                ("enabled_at", now),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", scope.ToString())
+            ]
+        );
+    }
+
+    private void InsertTenantOverride(string flagKey, TenantId tenantId, bool enabled)
+    {
+        var overrideId = FeatureFlagId.NewId().ToString();
+        var now = TimeProvider.System.GetUtcNow();
+        Connection.Insert("feature_flags", [
+                ("id", overrideId),
+                ("created_at", now),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", null),
+                ("enabled_at", enabled ? now : null),
+                ("disabled_at", enabled ? null : now),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "Tenant")
+            ]
+        );
+    }
+
+    private void InsertUserOverride(string flagKey, TenantId tenantId, string userId, bool enabled)
+    {
+        var overrideId = FeatureFlagId.NewId().ToString();
+        var now = TimeProvider.System.GetUtcNow();
+        Connection.Insert("feature_flags", [
+                ("id", overrideId),
+                ("created_at", now),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", userId),
+                ("enabled_at", enabled ? now : null),
+                ("disabled_at", enabled ? null : now),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+    }
+
+    private static int CountBucketsInRange(int rolloutBucketStart, int rolloutBucketEnd)
+    {
+        if (rolloutBucketStart <= rolloutBucketEnd) return rolloutBucketEnd - rolloutBucketStart + 1;
+        return 100 - rolloutBucketStart + rolloutBucketEnd + 1;
+    }
+}
diff --git a/application/account/Tests/BackOffice/GetBackOfficeBillingEventsTests.cs b/application/account/Tests/BackOffice/GetBackOfficeBillingEventsTests.cs
index 55e4336a8..f90a09f5b 100644
--- a/application/account/Tests/BackOffice/GetBackOfficeBillingEventsTests.cs
+++ b/application/account/Tests/BackOffice/GetBackOfficeBillingEventsTests.cs
@@ -251,7 +251,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Standard)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/DatabaseSeeder.cs b/application/account/Tests/DatabaseSeeder.cs
index af922c599..007c85a8e 100644
--- a/application/account/Tests/DatabaseSeeder.cs
+++ b/application/account/Tests/DatabaseSeeder.cs
@@ -1,14 +1,21 @@
 using System.Net;
 using Account.Database;
 using Account.Features.Authentication.Domain;
+using Account.Features.FeatureFlags.Domain;
 using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Features.Users.Domain;
+using SharedKernel.FeatureFlags;
 
 namespace Account.Tests;
 
 public sealed class DatabaseSeeder
 {
+    public readonly FeatureFlag AccountOverviewFlag;
+    public readonly FeatureFlag BetaFeaturesFlag;
+    public readonly FeatureFlag CompactViewFlag;
+    public readonly FeatureFlag ExperimentalUiFlag;
+    public readonly FeatureFlag SsoFlag;
     public readonly Tenant Tenant1;
     public readonly User Tenant1Member;
     public readonly Session Tenant1MemberSession;
@@ -18,13 +25,13 @@ public sealed class DatabaseSeeder
 
     public DatabaseSeeder(AccountDbContext accountDbContext)
     {
-        Tenant1 = Tenant.Create("owner@tenant-1.com");
+        Tenant1 = Tenant.Create("owner@tenant-1.com", 0);
         accountDbContext.Set<Tenant>().AddRange(Tenant1);
 
-        Tenant1Owner = User.Create(Tenant1.Id, "owner@tenant-1.com", UserRole.Owner, true, null);
+        Tenant1Owner = User.Create(Tenant1.Id, "owner@tenant-1.com", UserRole.Owner, true, null, 0);
         accountDbContext.Set<User>().AddRange(Tenant1Owner);
 
-        Tenant1Member = User.Create(Tenant1.Id, "member1@tenant-1.com", UserRole.Member, true, null);
+        Tenant1Member = User.Create(Tenant1.Id, "member1@tenant-1.com", UserRole.Member, true, null, 1);
         accountDbContext.Set<User>().AddRange(Tenant1Member);
 
         Tenant1OwnerSession = Session.Create(Tenant1.Id, Tenant1Owner.Id, LoginMethod.OneTimePassword, "TestUserAgent", IPAddress.Loopback);
@@ -36,6 +43,27 @@ public DatabaseSeeder(AccountDbContext accountDbContext)
         Tenant1Subscription = Subscription.Create(Tenant1.Id);
         accountDbContext.Set<Subscription>().Add(Tenant1Subscription);
 
+        var now = DateTimeOffset.UtcNow;
+
+        BetaFeaturesFlag = FeatureFlag.Create("beta-features", FeatureFlagScope.Tenant);
+        BetaFeaturesFlag.Activate(now);
+        accountDbContext.Set<FeatureFlag>().Add(BetaFeaturesFlag);
+
+        SsoFlag = FeatureFlag.Create("sso", FeatureFlagScope.Tenant);
+        accountDbContext.Set<FeatureFlag>().Add(SsoFlag);
+
+        AccountOverviewFlag = FeatureFlag.Create("account-overview", FeatureFlagScope.Tenant);
+        AccountOverviewFlag.Activate(now);
+        accountDbContext.Set<FeatureFlag>().Add(AccountOverviewFlag);
+
+        CompactViewFlag = FeatureFlag.Create("compact-view", FeatureFlagScope.User);
+        CompactViewFlag.Activate(now);
+        accountDbContext.Set<FeatureFlag>().Add(CompactViewFlag);
+
+        ExperimentalUiFlag = FeatureFlag.Create("experimental-ui", FeatureFlagScope.User);
+        ExperimentalUiFlag.Activate(now);
+        accountDbContext.Set<FeatureFlag>().Add(ExperimentalUiFlag);
+
         accountDbContext.SaveChanges();
     }
 }
diff --git a/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs b/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs
index 78439eb49..f6bbafffa 100644
--- a/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs
+++ b/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs
@@ -219,7 +219,8 @@ public async Task CompleteEmailLogin_WithValidPreferredTenant_ShouldLoginToPrefe
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -261,7 +262,8 @@ public async Task CompleteEmailLogin_WithValidPreferredTenant_ShouldLoginToPrefe
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -321,7 +323,8 @@ public async Task CompleteEmailLogin_WithPreferredTenantUserDoesNotHaveAccess_Sh
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/EmailAuthentication/ResendEmailLoginCodeTests.cs b/application/account/Tests/EmailAuthentication/ResendEmailLoginCodeTests.cs
index bf3939275..00fba3b73 100644
--- a/application/account/Tests/EmailAuthentication/ResendEmailLoginCodeTests.cs
+++ b/application/account/Tests/EmailAuthentication/ResendEmailLoginCodeTests.cs
@@ -75,7 +75,8 @@ public async Task ResendEmailLoginCode_WhenUserHasDanishLocale_ShouldSendDanishR
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "da-DK"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 50)
             ]
         );
         var emailLoginId = await StartEmailLogin(email);
diff --git a/application/account/Tests/EmailAuthentication/StartEmailLoginTests.cs b/application/account/Tests/EmailAuthentication/StartEmailLoginTests.cs
index f1d8b3f33..c1209fc09 100644
--- a/application/account/Tests/EmailAuthentication/StartEmailLoginTests.cs
+++ b/application/account/Tests/EmailAuthentication/StartEmailLoginTests.cs
@@ -74,7 +74,8 @@ public async Task StartEmailLogin_WhenUserHasDanishLocale_ShouldSendDanishLoginE
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "da-DK"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 50)
             ]
         );
         var command = new StartEmailLoginCommand(email);
@@ -227,7 +228,8 @@ public async Task StartEmailLogin_WhenUserIsSoftDeleted_ShouldReturnFakeEmailLog
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs b/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs
index afa476d89..52911f9c3 100644
--- a/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs
+++ b/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs
@@ -217,7 +217,8 @@ public async Task CompleteExternalLogin_WhenUserHasNoExternalIdentity_ShouldLink
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         var (callbackUrl, cookies) = await StartLoginFlow();
@@ -258,7 +259,8 @@ public async Task CompleteExternalLogin_WhenInvitedUserHasNoName_ShouldUpdateNam
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         var (callbackUrl, cookies) = await StartLoginFlow();
@@ -300,7 +302,8 @@ public async Task CompleteExternalLogin_WhenUserAlreadyHasName_ShouldNotOverwrit
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         var (callbackUrl, cookies) = await StartLoginFlow();
@@ -408,7 +411,8 @@ public async Task CompleteExternalLogin_WithValidPreferredTenant_ShouldLoginToPr
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -451,7 +455,8 @@ public async Task CompleteExternalLogin_WithValidPreferredTenant_ShouldLoginToPr
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", identities)
+                ("external_identities", identities),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -468,7 +473,8 @@ public async Task CompleteExternalLogin_WithValidPreferredTenant_ShouldLoginToPr
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("external_identities", identities)
+                ("external_identities", identities),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -589,7 +595,8 @@ public async Task CompleteExternalLogin_WithPreferredTenantUserDoesNotHaveAccess
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/ExternalAuthentication/Domain/ExternalLoginTests.cs b/application/account/Tests/ExternalAuthentication/Domain/ExternalLoginTests.cs
index 7ee4b9727..6e46532fe 100644
--- a/application/account/Tests/ExternalAuthentication/Domain/ExternalLoginTests.cs
+++ b/application/account/Tests/ExternalAuthentication/Domain/ExternalLoginTests.cs
@@ -197,7 +197,7 @@ public void IsExpired_WhenNowIsBeforeCreatedAt_ShouldThrowSecurityException()
     public void AddExternalIdentity_WhenNewProvider_ShouldAddIdentity()
     {
         // Arrange
-        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US");
+        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US", 0);
 
         // Act
         user.AddExternalIdentity(ExternalProviderType.Google, "google-user-id-123");
@@ -212,7 +212,7 @@ public void AddExternalIdentity_WhenNewProvider_ShouldAddIdentity()
     public void AddExternalIdentity_WhenDuplicateProvider_ShouldThrowUnreachableException()
     {
         // Arrange
-        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US");
+        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US", 0);
         user.AddExternalIdentity(ExternalProviderType.Google, "google-user-id-123");
 
         // Act
@@ -227,7 +227,7 @@ public void AddExternalIdentity_WhenDuplicateProvider_ShouldThrowUnreachableExce
     public void GetExternalIdentity_WhenProviderExists_ShouldReturnIdentity()
     {
         // Arrange
-        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US");
+        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US", 0);
         user.AddExternalIdentity(ExternalProviderType.Google, "google-user-id-123");
 
         // Act
@@ -243,7 +243,7 @@ public void GetExternalIdentity_WhenProviderExists_ShouldReturnIdentity()
     public void GetExternalIdentity_WhenProviderDoesNotExist_ShouldReturnNull()
     {
         // Arrange
-        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US");
+        var user = User.Create(TenantId.NewId(), "user@example.com", UserRole.Member, true, "en-US", 0);
 
         // Act
         var identity = user.GetExternalIdentity(ExternalProviderType.Google);
diff --git a/application/account/Tests/ExternalAuthentication/ExternalAuthenticationTestBase.cs b/application/account/Tests/ExternalAuthentication/ExternalAuthenticationTestBase.cs
index 5ea450586..25a8b10ed 100644
--- a/application/account/Tests/ExternalAuthentication/ExternalAuthenticationTestBase.cs
+++ b/application/account/Tests/ExternalAuthentication/ExternalAuthenticationTestBase.cs
@@ -234,7 +234,8 @@ protected UserId InsertUserWithExternalIdentity(string email, ExternalProviderTy
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", identities)
+                ("external_identities", identities),
+                ("rollout_bucket", 42)
             ]
         );
         return userId;
diff --git a/application/account/Tests/FeatureFlags/FeatureFlagEvaluatorTests.cs b/application/account/Tests/FeatureFlags/FeatureFlagEvaluatorTests.cs
new file mode 100644
index 000000000..8ecb67a7b
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/FeatureFlagEvaluatorTests.cs
@@ -0,0 +1,437 @@
+using Account.Database;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.FeatureFlags.Shared;
+using FluentAssertions;
+using Microsoft.Data.Sqlite;
+using Microsoft.Extensions.DependencyInjection;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+public sealed class FeatureFlagEvaluatorTests : EndpointBaseTest<AccountDbContext>
+{
+    private readonly FeatureFlagEvaluator _evaluationService;
+    private readonly IServiceScope _scope;
+
+    public FeatureFlagEvaluatorTests()
+    {
+        _scope = Provider.CreateScope();
+        _evaluationService = _scope.ServiceProvider.GetRequiredService<FeatureFlagEvaluator>();
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenNoBaseRow_ShouldReturnEmpty()
+    {
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().BeEmpty();
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenBaseRowActiveWithTenantOverride_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("sso", null, null, now, null, null, null);
+        InsertFeatureFlag("sso", DatabaseSeeder.Tenant1.Id.Value, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenBaseRowInactive_ShouldReturnEmpty()
+    {
+        // Arrange
+        InsertFeatureFlag("sso", null, null, null, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenManualOverrideEnabledAndBaseRowInactive_ShouldExcludeFlag()
+    {
+        // Arrange — beta-features is a kill-switch flag and the base row is left inactive (the panic
+        // button is pulled). The tenant has an active manual override. Per the documented precedence
+        // chain, an inactive base row short-circuits before the manual-override step is reached so
+        // pulling the kill switch is truly global, even for tenants admins had explicitly opted in.
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, null, null, null, null);
+        InsertFeatureFlag("beta-features", DatabaseSeeder.Tenant1.Id.Value, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenReactivated_EnabledAtAfterDisabledAt_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("sso", null, null, now, now.AddMinutes(-5), null, null);
+        InsertFeatureFlag("sso", DatabaseSeeder.Tenant1.Id.Value, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenDisabledAtAfterEnabledAt_ShouldReturnEmpty()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("sso", null, null, now.AddMinutes(-10), now, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenAbTestEligibleAndBucketInRange_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenAbTestEligibleAndBucketOutOfRange_ShouldReturnEmpty()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 70, null, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenBucketWrapAround_ShouldIncludeWrappedRange()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 90, 10);
+
+        // Act
+        var resultInUpperRange = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 95, null, null, null, CancellationToken.None);
+        var resultInLowerRange = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 5, null, null, null, CancellationToken.None);
+        var resultOutOfRange = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, null, null, CancellationToken.None);
+
+        // Assert
+        resultInUpperRange.Should().Contain("beta-features");
+        resultInLowerRange.Should().Contain("beta-features");
+        resultOutOfRange.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenNullBucketStartAndEnd_ShouldNotEnableViaRollout()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenUserOverrideActive_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("compact-view", null, null, now, null, null, null);
+        InsertFeatureFlag("compact-view", DatabaseSeeder.Tenant1.Id.Value, DatabaseSeeder.Tenant1Owner.Id.Value, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("compact-view");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantOverrideDisabled_ShouldNotReturnFlag()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("sso", null, null, now, null, null, null);
+        InsertFeatureFlag("sso", DatabaseSeeder.Tenant1.Id.Value, null, now.AddMinutes(-10), now, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantOverrideExistsForDifferentTenant_ShouldNotReturnFlag()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        var otherTenantId = TenantId.NewId().Value;
+        InsertFeatureFlag("sso", null, null, now, null, null, null);
+        InsertFeatureFlag("sso", otherTenantId, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("sso");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantPinAlwaysOnAndBucketOutOfRange_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 70, null, AbInclusionPin.AlwaysOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantPinNeverOnAndBucketInRange_ShouldReturnEmpty()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, AbInclusionPin.NeverOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenManualOverrideAndTenantPinDisagree_ManualOverrideWins()
+    {
+        // Arrange — manual override disables, pin says AlwaysOn. Manual must win.
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 40, 60);
+        InsertFeatureFlag("beta-features", DatabaseSeeder.Tenant1.Id.Value, null, now.AddMinutes(-10), now, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, AbInclusionPin.AlwaysOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenUserPinAlwaysOnAndBucketOutOfRange_ShouldReturnEnabled()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("experimental-ui", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 70, null, AbInclusionPin.AlwaysOn, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("experimental-ui");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenUserPinNeverOnAndBucketInRange_ShouldReturnEmpty()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("experimental-ui", null, null, now, null, 40, 60);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, AbInclusionPin.NeverOn, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("experimental-ui");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantPinAlwaysOnAndRolloutZeroPercent_ShouldStillIncludeTenant()
+    {
+        // Arrange — 0% rollout writes BucketStart=BucketEnd=NULL. Pre-fix, the rollout-null short-circuit
+        // would silently disable an AlwaysOn-pinned tenant. Pins must trump rollout: an admin who pins a
+        // tenant ahead of launch and leaves the rollout at 0% must still see the flag for that tenant.
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, AbInclusionPin.AlwaysOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantPinNeverOnAndRolloutHundredPercent_ShouldStillExcludeTenant()
+    {
+        // Arrange — 100% rollout (BucketStart=0, BucketEnd=99) covers every bucket. Pre-fix, the
+        // pin-as-synthetic-bucket logic landed NeverOn in the covered range and the tenant was included
+        // anyway. Pins must trump rollout: NeverOn excludes the tenant regardless of rollout percentage.
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 0, 99);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, AbInclusionPin.NeverOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenUserPinAlwaysOnAndRolloutZeroPercent_ShouldStillIncludeUser()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("experimental-ui", null, null, now, null, null, null);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, AbInclusionPin.AlwaysOn, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("experimental-ui");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenUserPinNeverOnAndRolloutHundredPercent_ShouldStillExcludeUser()
+    {
+        // Arrange
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("experimental-ui", null, null, now, null, 0, 99);
+
+        // Act
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, AbInclusionPin.NeverOn, CancellationToken.None);
+
+        // Assert
+        result.Should().NotContain("experimental-ui");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenTenantPinAlwaysOnAndBucketStartIsZero_ShouldIncludeAtOnePercentRollout()
+    {
+        // Arrange — AlwaysOn pin must map to BucketStart, which is the first slot in the rollout sequence
+        // (threshold 1%). A 1% rollout starting at bucket 0 covers exactly bucket 0, so a pinned tenant
+        // whose actual bucket is outside that range must still resolve to enabled.
+        var now = TimeProvider.System.GetUtcNow();
+        InsertFeatureFlag("beta-features", null, null, now, null, 0, 0);
+
+        // Act — pass a tenant bucket that is far from 0 to prove the pin (not the bucket) drove the result.
+        var result = await _evaluationService.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, null, AbInclusionPin.AlwaysOn, null, CancellationToken.None);
+
+        // Assert
+        result.Should().Contain("beta-features");
+    }
+
+    [Fact]
+    public async Task Evaluate_WhenChildHasParentDependencyAndParentBaseRowInactive_ShouldExcludeChild()
+    {
+        // Arrange — override the evaluator's definitions provider with a stub topology that pairs a
+        // parent flag with a parent-dependent child. The production registry does not currently declare
+        // any parent-dep relationship, so this exercises the gating in FeatureFlagEvaluator without
+        // contributing test-only flags to the real registry.
+        var parent = new TenantAbTestFlag("test-parent", "Test parent", "Parent flag for evaluator test", false, false);
+        var child = new TenantAbTestFlag("test-child", "Test child", "Child flag for evaluator test", false, false, "test-parent");
+        var evaluator = new FeatureFlagEvaluator(_scope.ServiceProvider.GetRequiredService<IFeatureFlagRepository>())
+        {
+            DefinitionsProvider = () => [parent, child]
+        };
+
+        var now = TimeProvider.System.GetUtcNow();
+        // Parent base row exists but is inactive (EnabledAt is null).
+        InsertFeatureFlag(parent.Key, null, null, null, null, null, null);
+        // Child base row is active with a rollout that would otherwise include the tenant.
+        InsertFeatureFlag(child.Key, null, null, now, null, 0, 99);
+
+        // Act
+        var result = await evaluator.EvaluateAsync(DatabaseSeeder.Tenant1.Id, DatabaseSeeder.Tenant1Owner.Id, 50, 50, null, null, CancellationToken.None);
+
+        // Assert — child must be gated by its parent and excluded when the parent is inactive.
+        result.Should().NotContain(child.Key);
+    }
+
+    protected override void Dispose(bool disposing)
+    {
+        if (disposing) _scope.Dispose();
+        base.Dispose(disposing);
+    }
+
+    private void InsertFeatureFlag(string flagKey, long? tenantId, string? userId, DateTimeOffset? enabledAt, DateTimeOffset? disabledAt, int? rolloutBucketStart, int? rolloutBucketEnd)
+    {
+        // Delete any seeded row with the same scope to avoid unique constraint conflicts. The guard
+        // below ensures the helper only ever clears a single seed row — if a future migration introduces
+        // multiple seeded rows for the same (key, tenant, scope) tuple, the test fails fast instead of
+        // silently overwriting them.
+        using var deleteCommand = new SqliteCommand(
+            tenantId is null && userId is null
+                ? "DELETE FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL"
+                : "DELETE FROM feature_flags WHERE flag_key = @flagKey AND tenant_id = @tenantId AND user_id IS NULL",
+            Connection
+        );
+        deleteCommand.Parameters.AddWithValue("@flagKey", flagKey);
+        if (tenantId is not null)
+        {
+            deleteCommand.Parameters.AddWithValue("@tenantId", tenantId);
+        }
+
+        var rowsDeleted = deleteCommand.ExecuteNonQuery();
+        if (rowsDeleted > 1)
+        {
+            throw new InvalidOperationException($"InsertFeatureFlag deleted '{rowsDeleted}' seeded rows for key '{flagKey}'; expected at most 1. Update the helper if the seed contract changed.");
+        }
+
+        var id = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", id),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId),
+                ("user_id", userId),
+                ("created_at", TimeProvider.System.GetUtcNow()),
+                ("modified_at", null),
+                ("enabled_at", enabledAt),
+                ("disabled_at", disabledAt),
+                ("bucket_start", rolloutBucketStart),
+                ("bucket_end", rolloutBucketEnd),
+                ("source", "Manual"),
+                ("scope", tenantId is null && userId is null ? "Tenant" : userId is not null ? "User" : "Tenant")
+            ]
+        );
+    }
+}
diff --git a/application/account/Tests/FeatureFlags/FeatureFlagTests.cs b/application/account/Tests/FeatureFlags/FeatureFlagTests.cs
new file mode 100644
index 000000000..581b6757c
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/FeatureFlagTests.cs
@@ -0,0 +1,257 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Database;
+using Account.Features.FeatureFlags.Commands;
+using Account.Features.FeatureFlags.Queries;
+using FluentAssertions;
+using SharedKernel.Authentication;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Tests;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+// Tests for the owner/user-facing /api/account/feature-flags/* endpoints plus pure unit tests for the
+// rollout-bucket math. Back-office (cross-tenant) feature-flag behavior is exercised in the parallel
+// FeatureFlagBackOfficeTests.cs under Tests/BackOffice/FeatureFlags/ — that file owns the kill-switch,
+// rollout, override, and listing flows that used to live on /internal-api/account/feature-flags/*.
+public sealed class FeatureFlagTests : EndpointBaseTest<AccountDbContext>
+{
+    // Tenant override tests (owner API)
+
+    [Fact]
+    public async Task SetTenantFeatureFlagOwner_WhenOwnerForConfigurableFlag_ShouldSucceed()
+    {
+        // Arrange
+        var flagKey = "account-overview";
+        var command = new SetTenantFeatureFlagOwnerCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Count.Should().Be(1);
+        TelemetryEventsCollectorSpy.CollectedEvents[0].GetType().Name.Should().Be("FeatureFlagTenantOverrideSet");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Owner");
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task SetTenantFeatureFlagOwner_WhenOwnerForNonConfigurableFlag_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "sso";
+        var command = new SetTenantFeatureFlagOwnerCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.Forbidden, $"Feature flag '{flagKey}' is not configurable by tenant owners.");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task SetTenantFeatureFlagOwner_WhenOwnerForAdminOnlyFlag_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "beta-features";
+        var command = new SetTenantFeatureFlagOwnerCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.Forbidden, $"Feature flag '{flagKey}' is not configurable by tenant owners.");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task SetTenantFeatureFlagOwner_WhenMember_ShouldReturnForbidden()
+    {
+        // Arrange
+        var flagKey = "account-overview";
+        var command = new SetTenantFeatureFlagOwnerCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedMemberHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        await response.ShouldHaveErrorStatusCode(HttpStatusCode.Forbidden, "Only owners are allowed to configure tenant feature flags.");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
+    }
+
+    // User override tests (owner API)
+
+    [Fact]
+    public async Task SetUserFeatureFlag_WhenUserConfigurable_ShouldCreateOverrideRow()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var command = new SetUserFeatureFlagCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Count.Should().Be(1);
+        TelemetryEventsCollectorSpy.CollectedEvents[0].GetType().Name.Should().Be("FeatureFlagUserOverrideSet");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.trigger"].Should().Be("Self");
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task SetUserFeatureFlag_WhenNotUserScoped_ShouldFailValidation()
+    {
+        // Arrange
+        var flagKey = "sso";
+        var command = new SetUserFeatureFlagCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().BeEmpty();
+        TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeFalse();
+    }
+
+    // Configurable-flag query tests
+
+    [Fact]
+    public async Task GetTenantConfigurableFlags_WhenCalled_ShouldReturnConfigurableFlagsWithCurrentOverrideState()
+    {
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.GetAsync("/api/account/feature-flags/tenant-configurable");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<TenantConfigurableFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        result.Flags.Should().Contain(f => f.FlagKey == "account-overview" && f.Enabled == false);
+    }
+
+    [Fact]
+    public async Task GetUserConfigurableFlags_WhenCalled_ShouldReturnConfigurableUserFlagsWithCurrentOverrideState()
+    {
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.GetAsync("/api/account/feature-flags/user-configurable");
+
+        // Assert
+        response.ShouldBeSuccessfulGetRequest();
+        var result = await response.DeserializeResponse<UserConfigurableFeatureFlagsResponse>();
+        result.Should().NotBeNull();
+        result.Flags.Should().Contain(f => f.FlagKey == "compact-view" && f.Enabled == false);
+    }
+
+    // Self-service flag mutations chain AddRefreshAuthenticationTokens() so the actor's own JWT is
+    // refreshed by the gateway in the same request cycle. Back-office mutations do not.
+
+    [Fact]
+    public async Task SetTenantFeatureFlagOwner_WhenCalled_ShouldAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "account-overview";
+        var command = new SetTenantFeatureFlagOwnerCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/tenant-override", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        response.Headers.Should().ContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    [Fact]
+    public async Task SetUserFeatureFlag_WhenCalled_ShouldAddRefreshAuthenticationTokensHeader()
+    {
+        // Arrange
+        var flagKey = "compact-view";
+        var command = new SetUserFeatureFlagCommand { Enabled = true };
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.PutAsJsonAsync($"/api/account/feature-flags/{flagKey}/user-override", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        response.Headers.Should().ContainKey(AuthenticationTokenHttpKeys.RefreshAuthenticationTokensHeaderKey);
+    }
+
+    // A/B rollout bucket math (pure unit tests, no HTTP)
+
+    [Fact]
+    public void BucketRange_WhenNormalRange_ShouldMatchCorrectly()
+    {
+        IsInRolloutBucketRange(50, 40, 60).Should().BeTrue();
+        IsInRolloutBucketRange(39, 40, 60).Should().BeFalse();
+        IsInRolloutBucketRange(61, 40, 60).Should().BeFalse();
+        IsInRolloutBucketRange(40, 40, 60).Should().BeTrue();
+        IsInRolloutBucketRange(60, 40, 60).Should().BeTrue();
+    }
+
+    [Fact]
+    public void BucketRange_WhenWrapAround_ShouldMatchCorrectly()
+    {
+        // Wrap-around within 0-99 range.
+        IsInRolloutBucketRange(95, 90, 10).Should().BeTrue();
+        IsInRolloutBucketRange(5, 90, 10).Should().BeTrue();
+        IsInRolloutBucketRange(50, 90, 10).Should().BeFalse();
+        IsInRolloutBucketRange(90, 90, 10).Should().BeTrue();
+        IsInRolloutBucketRange(10, 90, 10).Should().BeTrue();
+        IsInRolloutBucketRange(11, 90, 10).Should().BeFalse();
+        IsInRolloutBucketRange(89, 90, 10).Should().BeFalse();
+        IsInRolloutBucketRange(0, 90, 10).Should().BeTrue();
+    }
+
+    [Fact]
+    public void RolloutBucket_ShouldBeDeterministic()
+    {
+        // Arrange
+        var sequenceNumber = 42;
+
+        // Act
+        var bucket1 = RolloutBucketHasher.ComputeRolloutBucket(sequenceNumber);
+        var bucket2 = RolloutBucketHasher.ComputeRolloutBucket(sequenceNumber);
+
+        // Assert
+        bucket1.Should().Be(bucket2);
+        bucket1.Should().BeInRange(0, 99);
+    }
+
+    [Fact]
+    public void VanDerCorput_ShouldDistributeEvenly()
+    {
+        // Arrange
+        var bucketCounts = new int[100];
+
+        // Act
+        for (var i = 0; i < 1000; i++)
+        {
+            var bucket = RolloutBucketHasher.ComputeRolloutBucket(i);
+            bucket.Should().BeInRange(0, 99);
+            bucketCounts[bucket]++;
+        }
+
+        // Assert
+        foreach (var count in bucketCounts)
+        {
+            count.Should().BeInRange(9, 11, "van der Corput should distribute within +/-1 of ideal");
+        }
+    }
+
+    private static bool IsInRolloutBucketRange(int bucket, int rolloutBucketStart, int rolloutBucketEnd)
+    {
+        return RolloutBucketHasher.IsInRolloutBucketRange(bucket, rolloutBucketStart, rolloutBucketEnd);
+    }
+}
diff --git a/application/account/Tests/FeatureFlags/FeatureFlagsManifestContractTests.cs b/application/account/Tests/FeatureFlags/FeatureFlagsManifestContractTests.cs
new file mode 100644
index 000000000..d601ad8cb
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/FeatureFlagsManifestContractTests.cs
@@ -0,0 +1,62 @@
+using System.Text.Json;
+using FluentAssertions;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+// Codegen contract: every public instance property defined on every concrete FeatureFlagDefinition
+// subtype must appear in the entry of the generated manifest for at least one flag
+// (application/shared-webapp/ui/featureFlags/featureFlags.generated.json). The manifest is the
+// source-of-truth bridge between C# and the TS registry consumed by useFeatureFlag. Reflecting over
+// the base class would miss subtype-only properties (a new `MyNewCapability { get; }` on a future
+// subtype), which is exactly the drift class the contract test exists to prevent.
+public sealed class FeatureFlagsManifestContractTests
+{
+    [Fact]
+    public void EveryPublicPropertyOnEveryFlagSubtype_AppearsInManifestEntry()
+    {
+        var manifestPath = ResolveManifestPath();
+        File.Exists(manifestPath).Should().BeTrue($"manifest must exist at '{manifestPath}'; run `build --backend` to regenerate");
+
+        var manifestJson = File.ReadAllText(manifestPath);
+        using var manifest = JsonDocument.Parse(manifestJson);
+        manifest.RootElement.ValueKind.Should().Be(JsonValueKind.Array);
+        manifest.RootElement.GetArrayLength().Should().BeGreaterThan(0);
+
+        var manifestKeys = manifest.RootElement.EnumerateArray()
+            .SelectMany(entry => entry.EnumerateObject().Select(p => p.Name))
+            .ToHashSet(StringComparer.Ordinal);
+
+        var expectedKeys = global::SharedKernel.FeatureFlags.FeatureFlags.GetAll()
+            .SelectMany(f => f.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
+            .Select(p => ToCamelCase(p.Name))
+            .ToHashSet(StringComparer.Ordinal);
+
+        var missing = expectedKeys.Except(manifestKeys).ToArray();
+        missing.Should().BeEmpty(
+            $"At least one FeatureFlagDefinition subtype exposes properties that the manifest emitter does not project. "
+            + $"Add these to FeatureFlagsManifestEmitter.cs and regenerate: {string.Join(", ", missing)}"
+        );
+    }
+
+    private static string ToCamelCase(string value)
+    {
+        if (string.IsNullOrEmpty(value) || char.IsLower(value[0])) return value;
+        return char.ToLowerInvariant(value[0]) + value[1..];
+    }
+
+    private static string ResolveManifestPath()
+    {
+        // Walk up from the test binary directory to the repository root, then descend into the
+        // generated artifacts location. Matches the layout that the MSBuild target writes to.
+        var directory = new DirectoryInfo(AppContext.BaseDirectory);
+        while (directory is not null && !Directory.Exists(Path.Combine(directory.FullName, "application")))
+        {
+            directory = directory.Parent;
+        }
+
+        if (directory is null) throw new InvalidOperationException("Could not locate repository root from test binary directory.");
+
+        return Path.Combine(directory.FullName, "application", "shared-webapp", "ui", "featureFlags", "featureFlags.generated.json");
+    }
+}
diff --git a/application/account/Tests/FeatureFlags/GetTenantFeatureFlagsTests.cs b/application/account/Tests/FeatureFlags/GetTenantFeatureFlagsTests.cs
new file mode 100644
index 000000000..f53c0b8b0
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/GetTenantFeatureFlagsTests.cs
@@ -0,0 +1,206 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.FeatureFlags.Queries;
+using Account.Tests.BackOffice;
+using FluentAssertions;
+using SharedKernel.Authentication.MockEasyAuth;
+using SharedKernel.Domain;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+public sealed class GetTenantFeatureFlagsTests : BackOfficeEndpointBaseTest
+{
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenCalled_ShouldReturnAllTenantScopedFlagsWithDefaultSource()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        payload.Flags.Should().NotBeEmpty();
+        payload.Flags.Should().Contain(f => f.FlagKey == "beta-features");
+        payload.Flags.Should().Contain(f => f.FlagKey == "sso");
+        payload.Flags.Should().Contain(f => f.FlagKey == "account-overview");
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenTenantHasManualOverrideOnPlanGatedFlag_ShouldReturnManualOverrideSource()
+    {
+        // Arrange — plan-gated flag (sso) but the row Source column is "Manual" (admin manually toggled it on).
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "sso";
+        ActivateBaseRow(flagKey);
+        InsertTenantOverride(tenantId, flagKey, "Manual", TimeProvider.System.GetUtcNow());
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var sso = payload.Flags.Single(f => f.FlagKey == "sso");
+        sso.IsEnabled.Should().BeTrue();
+        sso.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenTenantHasPlanGrantedRow_ShouldReturnPlanSource()
+    {
+        // Arrange — plan-gated flag (sso) with Source="Plan" (the upgrade evaluator wrote it).
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "sso";
+        ActivateBaseRow(flagKey);
+        InsertTenantOverride(tenantId, flagKey, "Plan", TimeProvider.System.GetUtcNow());
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var sso = payload.Flags.Single(f => f.FlagKey == "sso");
+        sso.IsEnabled.Should().BeTrue();
+        sso.Source.Should().Be(FeatureFlagSource.Plan);
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenTenantInAbRolloutRange_ShouldReturnAbRolloutSourceEnabled()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "beta-features";
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("bucket_start", 0),
+                ("bucket_end", 99)
+            ]
+        );
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var betaFeatures = payload.Flags.Single(f => f.FlagKey == "beta-features");
+        betaFeatures.IsEnabled.Should().BeTrue();
+        betaFeatures.Source.Should().Be(FeatureFlagSource.AbRollout);
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenBaseRowInactiveAndOverrideActive_ShouldReportIsEnabledFalse()
+    {
+        // Arrange — globally Deactivate beta-features so the base row reads IsActive=false, but keep an
+        // active manual override row for the tenant. The runtime FeatureFlagEvaluator short-circuits on
+        // !baseRow.IsActive (FeatureFlagEvaluator.cs:48) so this query must mirror that contract.
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "beta-features";
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", null)]);
+        InsertTenantOverride(tenantId, flagKey, "Manual", TimeProvider.System.GetUtcNow());
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert — the row Source stays Manual (the override is authoritative for that column), but
+        // IsEnabled must be false because the base row is globally deactivated.
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var betaFeatures = payload.Flags.Single(f => f.FlagKey == "beta-features");
+        betaFeatures.IsEnabled.Should().BeFalse();
+        betaFeatures.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenTenantDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        var nonExistentId = TenantId.NewId();
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{nonExistentId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task GetTenantFeatureFlags_WhenScopeFilteredToTenant_ShouldOnlyIncludeTenantScopedFlags()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/tenants/{tenantId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetTenantFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        payload.Flags.Should().NotContain(f => f.FlagKey == "google-oauth");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "subscriptions");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "compact-view");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "experimental-ui");
+    }
+
+    // The reconciler creates non-kill-switch base rows with EnabledAt=null until an admin Activates.
+    // Tests that exercise Source attribution over an existing override need the base row Active so
+    // the mirror query path is reached at all — FeatureFlagEvaluator.cs:48 short-circuits otherwise.
+    private void ActivateBaseRow(string flagKey)
+    {
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", TimeProvider.System.GetUtcNow())]);
+    }
+
+    private void InsertTenantOverride(TenantId tenantId, string flagKey, string source, DateTimeOffset? enabledAt)
+    {
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.System.GetUtcNow()),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", null),
+                ("enabled_at", enabledAt),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", source),
+                ("scope", "Tenant")
+            ]
+        );
+    }
+}
diff --git a/application/account/Tests/FeatureFlags/GetUserFeatureFlagsTests.cs b/application/account/Tests/FeatureFlags/GetUserFeatureFlagsTests.cs
new file mode 100644
index 000000000..89707f4d0
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/GetUserFeatureFlagsTests.cs
@@ -0,0 +1,180 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.FeatureFlags.Queries;
+using Account.Tests.BackOffice;
+using FluentAssertions;
+using SharedKernel.Authentication.MockEasyAuth;
+using SharedKernel.Domain;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+public sealed class GetUserFeatureFlagsTests : BackOfficeEndpointBaseTest
+{
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenCalled_ShouldReturnAllUserScopedFlags()
+    {
+        // Arrange
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{userId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetUserFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        payload.Flags.Should().Contain(f => f.FlagKey == "compact-view");
+        payload.Flags.Should().Contain(f => f.FlagKey == "experimental-ui");
+    }
+
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenUserHasManualOverride_ShouldReturnManualOverrideSource()
+    {
+        // Arrange
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "compact-view";
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.System.GetUtcNow()),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", userId.Value),
+                ("enabled_at", TimeProvider.System.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{userId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetUserFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var compactView = payload.Flags.Single(f => f.FlagKey == "compact-view");
+        compactView.IsEnabled.Should().BeTrue();
+        compactView.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenBaseRowInactiveAndOverrideActive_ShouldReportIsEnabledFalse()
+    {
+        // Arrange — globally Deactivate compact-view so the base row reads IsActive=false, but keep an
+        // active manual override row for the user. The runtime FeatureFlagEvaluator short-circuits on
+        // !baseRow.IsActive (FeatureFlagEvaluator.cs:48) so this query must mirror that contract.
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        var flagKey = "compact-view";
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("enabled_at", null)]);
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.System.GetUtcNow()),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", userId.Value),
+                ("enabled_at", TimeProvider.System.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{userId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetUserFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var compactView = payload.Flags.Single(f => f.FlagKey == "compact-view");
+        compactView.IsEnabled.Should().BeFalse();
+        compactView.Source.Should().Be(FeatureFlagSource.Manual);
+    }
+
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenUserInAbRolloutRange_ShouldReturnAbRolloutSourceEnabled()
+    {
+        // Arrange
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var flagKey = "experimental-ui";
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = @flagKey AND tenant_id IS NULL AND user_id IS NULL", [new { flagKey }]
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("bucket_start", 0),
+                ("bucket_end", 99)
+            ]
+        );
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{userId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetUserFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        var experimentalUi = payload.Flags.Single(f => f.FlagKey == "experimental-ui");
+        experimentalUi.IsEnabled.Should().BeTrue();
+        experimentalUi.Source.Should().Be(FeatureFlagSource.AbRollout);
+    }
+
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenUserDoesNotExist_ShouldReturnNotFound()
+    {
+        // Arrange
+        var nonExistentId = UserId.NewId();
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{nonExistentId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task GetUserFeatureFlags_WhenScopeFilteredToUser_ShouldOnlyIncludeUserScopedFlags()
+    {
+        // Arrange
+        var userId = DatabaseSeeder.Tenant1Owner.Id;
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act
+        var response = await client.GetAsync($"/api/back-office/users/{userId}/feature-flags");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var payload = await response.Content.ReadFromJsonAsync<GetUserFeatureFlagsResponse>();
+        payload.Should().NotBeNull();
+        // No system or tenant scoped flags should leak through
+        payload.Flags.Should().NotContain(f => f.FlagKey == "google-oauth");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "sso");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "beta-features");
+        payload.Flags.Should().NotContain(f => f.FlagKey == "account-overview");
+    }
+}
diff --git a/application/account/Tests/FeatureFlags/PlanBasedFeatureFlagEvaluatorTests.cs b/application/account/Tests/FeatureFlags/PlanBasedFeatureFlagEvaluatorTests.cs
new file mode 100644
index 000000000..1795258f4
--- /dev/null
+++ b/application/account/Tests/FeatureFlags/PlanBasedFeatureFlagEvaluatorTests.cs
@@ -0,0 +1,148 @@
+using Account.Database;
+using Account.Features.FeatureFlags.Shared;
+using Account.Features.Subscriptions.Domain;
+using FluentAssertions;
+using Microsoft.Extensions.DependencyInjection;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.FeatureFlags;
+
+public sealed class PlanBasedFeatureFlagEvaluatorTests : EndpointBaseTest<AccountDbContext>
+{
+    private readonly AccountDbContext _dbContext;
+    private readonly PlanBasedFeatureFlagEvaluator _service;
+
+    public PlanBasedFeatureFlagEvaluatorTests()
+    {
+        var scope = Provider.CreateScope();
+        _service = scope.ServiceProvider.GetRequiredService<PlanBasedFeatureFlagEvaluator>();
+        _dbContext = scope.ServiceProvider.GetRequiredService<AccountDbContext>();
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenPremiumPlan_ShouldActivatePremiumFlags()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert
+        var ssoEnabled = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+        ssoEnabled.Should().NotBeNullOrEmpty();
+
+        var source = Connection.ExecuteScalar<string>(
+            "SELECT source FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+        source.Should().Be("Plan");
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenFreePlan_ShouldDeactivatePremiumFlags()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Basis, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert
+        var disabledAt = Connection.ExecuteScalar<string>(
+            "SELECT disabled_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+        disabledAt.Should().NotBeNullOrEmpty();
+
+        var enabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+        enabledAt.Should().NotBeNullOrEmpty("EnabledAt should be preserved on deactivation");
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenAlreadyActive_ShouldBeIdempotent()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        var firstEnabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert
+        var secondEnabledAt = Connection.ExecuteScalar<string>(
+            "SELECT enabled_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id = @tenantId AND user_id IS NULL",
+            [new { tenantId = tenantId.Value }]
+        );
+        secondEnabledAt.Should().Be(firstEnabledAt);
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenUpgradingToPremium_ShouldEmitPlanOverrideActivatedEvent()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().Contain(e => e.GetType().Name == "FeatureFlagPlanOverrideActivated");
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenDowngradingFromPremium_ShouldEmitPlanOverrideDeactivatedEvent()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Basis, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().Contain(e => e.GetType().Name == "FeatureFlagPlanOverrideDeactivated");
+    }
+
+    [Fact]
+    public async Task EvaluatePlanFlags_WhenNoChange_ShouldNotEmitTelemetryEvent()
+    {
+        // Arrange
+        var tenantId = DatabaseSeeder.Tenant1.Id;
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await _service.EvaluatePlanFlagsForTenantAsync(tenantId, SubscriptionPlan.Premium, CancellationToken.None);
+        await _dbContext.SaveChangesAsync();
+
+        // Assert — handler is idempotent; a no-op pass must not emit any plan-override events.
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().NotContain(e =>
+            e.GetType().Name == "FeatureFlagPlanOverrideActivated" || e.GetType().Name == "FeatureFlagPlanOverrideDeactivated"
+        );
+    }
+}
diff --git a/application/account/Tests/Subscriptions/Domain/BillingEventRepositoryTests.cs b/application/account/Tests/Subscriptions/Domain/BillingEventRepositoryTests.cs
index 535d5b5cb..23da04e32 100644
--- a/application/account/Tests/Subscriptions/Domain/BillingEventRepositoryTests.cs
+++ b/application/account/Tests/Subscriptions/Domain/BillingEventRepositoryTests.cs
@@ -54,7 +54,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 0)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryDriftScopeTests.cs b/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryDriftScopeTests.cs
index 5c6e2ef00..a8782e513 100644
--- a/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryDriftScopeTests.cs
+++ b/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryDriftScopeTests.cs
@@ -77,7 +77,8 @@ private TenantId SeedTenant(string name, string plan = nameof(SubscriptionPlan.P
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", plan),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 0)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryTests.cs b/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryTests.cs
index 192c9878a..768561acc 100644
--- a/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryTests.cs
+++ b/application/account/Tests/Subscriptions/Domain/SubscriptionRepositoryTests.cs
@@ -54,7 +54,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 0)
             ]
         );
         return tenantId;
diff --git a/application/account/Tests/Tenants/BackOffice/GetTenantDetailTests.cs b/application/account/Tests/Tenants/BackOffice/GetTenantDetailTests.cs
index 805903246..1d82eb1d5 100644
--- a/application/account/Tests/Tenants/BackOffice/GetTenantDetailTests.cs
+++ b/application/account/Tests/Tenants/BackOffice/GetTenantDetailTests.cs
@@ -29,7 +29,8 @@ public async Task GetTenantDetail_WhenTenantExists_ShouldReturnFullDetail()
                 ("name", "Acme Corp"),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":"https://example.com/logo.png","Version":1}""")
+                ("logo", """{"Url":"https://example.com/logo.png","Version":1}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
@@ -100,7 +101,8 @@ public async Task GetTenantDetail_WhenSubscriptionMissing_ShouldReturnNullSubscr
                 ("name", "No Subscription Inc"),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Basis)),
-                ("logo", """{"Url":null,"Version":1}""")
+                ("logo", """{"Url":null,"Version":1}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
@@ -130,7 +132,8 @@ public async Task GetTenantDetail_WhenSubscriptionHasRefundedTransaction_ShouldE
                 ("name", "Refunded Customer"),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Premium)),
-                ("logo", """{"Url":null,"Version":1}""")
+                ("logo", """{"Url":null,"Version":1}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
diff --git a/application/account/Tests/Tenants/BackOffice/GetTenantUserCountsTests.cs b/application/account/Tests/Tenants/BackOffice/GetTenantUserCountsTests.cs
index 888f5b996..85880d40c 100644
--- a/application/account/Tests/Tenants/BackOffice/GetTenantUserCountsTests.cs
+++ b/application/account/Tests/Tenants/BackOffice/GetTenantUserCountsTests.cs
@@ -93,7 +93,8 @@ private void SeedUser(TenantId tenantId, string email, DateTimeOffset? lastSeenA
                 ("title", null),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
     }
diff --git a/application/account/Tests/Tenants/BackOffice/GetTenantUsersTests.cs b/application/account/Tests/Tenants/BackOffice/GetTenantUsersTests.cs
index ce67ea963..6a2d96f1b 100644
--- a/application/account/Tests/Tenants/BackOffice/GetTenantUsersTests.cs
+++ b/application/account/Tests/Tenants/BackOffice/GetTenantUsersTests.cs
@@ -30,7 +30,8 @@ public async Task GetTenantUsers_WhenCalled_ShouldReturnUsersForThatTenantOnly()
                 ("name", "Other"),
                 ("state", "Active"),
                 ("plan", "Basis"),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         SeedUser(otherTenantId, "outsider@other.com", "Outsider", null, UserRole.Member);
@@ -152,7 +153,8 @@ private void SeedUser(TenantId tenantId, string email, string? firstName, string
                 ("title", null),
                 ("role", role.ToString()),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
     }
diff --git a/application/account/Tests/Tenants/BackOffice/GetTenantsTests.cs b/application/account/Tests/Tenants/BackOffice/GetTenantsTests.cs
index 887899294..d3edbe3c6 100644
--- a/application/account/Tests/Tenants/BackOffice/GetTenantsTests.cs
+++ b/application/account/Tests/Tenants/BackOffice/GetTenantsTests.cs
@@ -379,7 +379,8 @@ private TenantId SeedTenant(string name, SubscriptionPlan plan, decimal? mrr, st
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", plan.ToString()),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
diff --git a/application/account/Tests/Tenants/BackOffice/SetTenantAbInclusionPinTests.cs b/application/account/Tests/Tenants/BackOffice/SetTenantAbInclusionPinTests.cs
new file mode 100644
index 000000000..3c480dafb
--- /dev/null
+++ b/application/account/Tests/Tenants/BackOffice/SetTenantAbInclusionPinTests.cs
@@ -0,0 +1,139 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Features.Tenants.BackOffice.Commands;
+using Account.Tests.BackOffice;
+using FluentAssertions;
+using SharedKernel.Authentication.MockEasyAuth;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.Tenants.BackOffice;
+
+public sealed class SetTenantAbInclusionPinTests : BackOfficeEndpointBaseTest
+{
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenAlwaysOn_ShouldPersistPin()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var storedPin = Connection.ExecuteScalar<string>(
+            "SELECT ab_inclusion_pin FROM tenants WHERE id = @id", [new { id = DatabaseSeeder.Tenant1.Id.Value }]
+        );
+        storedPin.Should().Be(nameof(AbInclusionPin.AlwaysOn));
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "TenantAbInclusionPinUpdated");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.from_pin"].Should().Be("none");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.to_pin"].Should().Be("AlwaysOn");
+    }
+
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenNullClearsExistingPin_ShouldPersistNull()
+    {
+        // Arrange - seed an existing pin to verify null clears it
+        Connection.Update("tenants", "id", DatabaseSeeder.Tenant1.Id.Value, [("ab_inclusion_pin", nameof(AbInclusionPin.AlwaysOn))]);
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = null };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var storedPin = Connection.ExecuteScalar<string?>(
+            "SELECT ab_inclusion_pin FROM tenants WHERE id = @id", [new { id = DatabaseSeeder.Tenant1.Id.Value }]
+        );
+        storedPin.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenTenantNotFound_ShouldReturnNotFound()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var unknownTenantId = TenantId.NewId();
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/tenants/{unknownTenantId}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenAlwaysOn_ShouldFlipEvaluatorOutcomeForOutOfRangeAbFlag()
+    {
+        // Arrange - put the tenant at bucket 70 with a rollout of 40..60, so the flag is normally off
+        Connection.Update("tenants", "id", DatabaseSeeder.Tenant1.Id.Value, [("rollout_bucket", (short)70)]);
+        var now = DateTimeOffset.UtcNow;
+        Connection.Update("feature_flags", "flag_key", "beta-features", [
+                ("enabled_at", now),
+                ("bucket_start", 40),
+                ("bucket_end", 60)
+            ]
+        );
+
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act - first read flags without a pin: tenant is out of range, so flag is disabled
+        var beforeResponse = await client.GetAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/feature-flags");
+        beforeResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var beforeBody = await beforeResponse.Content.ReadAsStringAsync();
+        beforeBody.Should().Contain("\"flagKey\":\"beta-features\"");
+        beforeBody.Should().Contain("\"isEnabled\":false");
+
+        // Apply AlwaysOn pin
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+        var pinResponse = await client.PutAsJsonAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/ab-inclusion-pin", command);
+        pinResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+
+        // Assert - read flags again: tenant is pinned on, so flag is enabled despite being out of bucket range
+        var afterResponse = await client.GetAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/feature-flags");
+        afterResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var afterBody = await afterResponse.Content.ReadAsStringAsync();
+        afterBody.Should().Contain("\"flagKey\":\"beta-features\"");
+        afterBody.Should().Contain("\"isEnabled\":true");
+    }
+
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenNonAdminBackOfficeUser_ShouldReturnForbidden()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+    }
+
+    [Fact]
+    public async Task SetTenantAbInclusionPin_WhenUnauthenticated_ShouldReturnUnauthorized()
+    {
+        // Arrange
+        using var client = CreateBackOfficeClient();
+        var command = new SetTenantAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/tenants/{DatabaseSeeder.Tenant1.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+    }
+}
diff --git a/application/account/Tests/Tenants/DeleteTenantTests.cs b/application/account/Tests/Tenants/DeleteTenantTests.cs
index 73e37b259..b96597e2c 100644
--- a/application/account/Tests/Tenants/DeleteTenantTests.cs
+++ b/application/account/Tests/Tenants/DeleteTenantTests.cs
@@ -1,6 +1,8 @@
 using System.Net;
 using Account.Database;
+using Account.Features.FeatureFlags.Domain;
 using Account.Features.Subscriptions.Domain;
+using Account.Features.Tenants.Domain;
 using FluentAssertions;
 using SharedKernel.Domain;
 using SharedKernel.Tests;
@@ -51,6 +53,70 @@ public async Task DeleteTenant_WhenValid_ShouldSoftDeleteTenant()
         TelemetryEventsCollectorSpy.AreAllEventsDispatched.Should().BeTrue();
     }
 
+    [Fact]
+    public async Task DeleteTenant_WhenTenantHasFeatureFlagOverrides_ShouldRemoveOnlyDeletedTenantRowsAndReportRowCount()
+    {
+        // Arrange — seed two tenants each with one Manual and one Plan override on a shared key, then
+        // delete tenant A and verify only A's rows are gone, B's survive, and the TenantDeleted event
+        // reports the correct feature_flag_rows_removed count.
+        var deletedTenantId = DatabaseSeeder.Tenant1.Id;
+        var survivingTenantId = TenantId.NewId();
+        Connection.Insert("tenants", [
+                ("id", survivingTenantId.Value),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("name", "Surviving tenant"),
+                ("state", nameof(TenantState.Active)),
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
+            ]
+        );
+        InsertTenantFeatureFlagOverride("sso", deletedTenantId, "Plan");
+        InsertTenantFeatureFlagOverride("beta-features", deletedTenantId, "Manual");
+        InsertTenantFeatureFlagOverride("sso", survivingTenantId, "Plan");
+        InsertTenantFeatureFlagOverride("beta-features", survivingTenantId, "Manual");
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.DeleteAsync($"/internal-api/account/tenants/{deletedTenantId}");
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+
+        var deletedTenantRowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE tenant_id = @tenantId", [new { tenantId = deletedTenantId.Value }]
+        );
+        deletedTenantRowCount.Should().Be(0, "the cascade must remove every feature_flag row owned by the deleted tenant");
+
+        var survivingTenantRowCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE tenant_id = @tenantId", [new { tenantId = survivingTenantId.Value }]
+        );
+        survivingTenantRowCount.Should().Be(2, "other tenants' overrides must not be touched");
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "TenantDeleted");
+        var tenantDeleted = TelemetryEventsCollectorSpy.CollectedEvents.Single(e => e.GetType().Name == "TenantDeleted");
+        tenantDeleted.Properties["event.feature_flag_rows_removed"].Should().Be("2");
+    }
+
+    private void InsertTenantFeatureFlagOverride(string flagKey, TenantId tenantId, string source)
+    {
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("flag_key", flagKey),
+                ("tenant_id", tenantId.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", source),
+                ("scope", "Tenant")
+            ]
+        );
+    }
+
     [Fact]
     public async Task DeleteTenant_WhenActiveSubscription_ShouldReturnBadRequest()
     {
diff --git a/application/account/Tests/Tenants/GetTenantsForUserTests.cs b/application/account/Tests/Tenants/GetTenantsForUserTests.cs
index 87fde3a27..9deec0ca0 100644
--- a/application/account/Tests/Tenants/GetTenantsForUserTests.cs
+++ b/application/account/Tests/Tenants/GetTenantsForUserTests.cs
@@ -31,7 +31,8 @@ public async Task GetTenants_UserWithMultipleTenants_ReturnsAllTenants()
                 ("name", tenant2Name),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -48,7 +49,8 @@ public async Task GetTenants_UserWithMultipleTenants_ReturnsAllTenants()
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Owner)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -106,7 +108,8 @@ public async Task GetTenants_CurrentTenantIncluded_VerifyCurrentTenantInResponse
                 ("name", "Other Tenant"),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -123,7 +126,8 @@ public async Task GetTenants_CurrentTenantIncluded_VerifyCurrentTenantInResponse
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -152,7 +156,8 @@ public async Task GetTenants_UsersOnlySeeTheirOwnTenants_DoesNotReturnOtherUsers
                 ("name", "Other User Tenant"),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -169,7 +174,8 @@ public async Task GetTenants_UsersOnlySeeTheirOwnTenants_DoesNotReturnOtherUsers
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -199,7 +205,8 @@ public async Task GetTenants_UserWithUnconfirmedEmail_ShowsAsNewTenant()
                 ("name", tenant2Name),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -216,7 +223,8 @@ public async Task GetTenants_UserWithUnconfirmedEmail_ShowsAsNewTenant()
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/BackOffice/GetBackOfficeUserDetailTests.cs b/application/account/Tests/Users/BackOffice/GetBackOfficeUserDetailTests.cs
index d61292d1d..e875aac5c 100644
--- a/application/account/Tests/Users/BackOffice/GetBackOfficeUserDetailTests.cs
+++ b/application/account/Tests/Users/BackOffice/GetBackOfficeUserDetailTests.cs
@@ -126,7 +126,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Basis)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
@@ -149,7 +150,8 @@ private UserId SeedUser(TenantId tenantId, string email, string? firstName, stri
                 ("title", null),
                 ("role", role.ToString()),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
         return userId;
diff --git a/application/account/Tests/Users/BackOffice/GetBackOfficeUserSessionsTests.cs b/application/account/Tests/Users/BackOffice/GetBackOfficeUserSessionsTests.cs
index b5dab0b76..26f012e85 100644
--- a/application/account/Tests/Users/BackOffice/GetBackOfficeUserSessionsTests.cs
+++ b/application/account/Tests/Users/BackOffice/GetBackOfficeUserSessionsTests.cs
@@ -125,7 +125,8 @@ private TenantId SeedTenant(string name)
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Basis)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
         return tenantId;
@@ -147,7 +148,8 @@ private UserId SeedUser(TenantId tenantId, string email, UserRole role)
                 ("title", null),
                 ("role", role.ToString()),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
         return userId;
diff --git a/application/account/Tests/Users/BackOffice/GetBackOfficeUsersTests.cs b/application/account/Tests/Users/BackOffice/GetBackOfficeUsersTests.cs
index f6dac59ac..247726e23 100644
--- a/application/account/Tests/Users/BackOffice/GetBackOfficeUsersTests.cs
+++ b/application/account/Tests/Users/BackOffice/GetBackOfficeUsersTests.cs
@@ -286,7 +286,8 @@ private TenantId SeedTenant(string name, SubscriptionPlan plan = SubscriptionPla
                 ("name", name),
                 ("state", nameof(TenantState.Active)),
                 ("plan", plan.ToString()),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 50)
             ]
         );
 
@@ -343,7 +344,8 @@ private void SeedUser(TenantId tenantId, string email, string? firstName, string
                 ("title", null),
                 ("role", role.ToString()),
                 ("locale", "en-US"),
-                ("avatar", JsonSerializer.Serialize(new Avatar()))
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("rollout_bucket", 50)
             ]
         );
     }
diff --git a/application/account/Tests/Users/BackOffice/SetUserAbInclusionPinTests.cs b/application/account/Tests/Users/BackOffice/SetUserAbInclusionPinTests.cs
new file mode 100644
index 000000000..c5299ec79
--- /dev/null
+++ b/application/account/Tests/Users/BackOffice/SetUserAbInclusionPinTests.cs
@@ -0,0 +1,139 @@
+using System.Net;
+using System.Net.Http.Json;
+using Account.Features.Users.BackOffice.Commands;
+using Account.Tests.BackOffice;
+using FluentAssertions;
+using SharedKernel.Authentication.MockEasyAuth;
+using SharedKernel.Domain;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+
+namespace Account.Tests.Users.BackOffice;
+
+public sealed class SetUserAbInclusionPinTests : BackOfficeEndpointBaseTest
+{
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenAlwaysOn_ShouldPersistPin()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var storedPin = Connection.ExecuteScalar<string>(
+            "SELECT ab_inclusion_pin FROM users WHERE id = @id", [new { id = DatabaseSeeder.Tenant1Owner.Id.ToString() }]
+        );
+        storedPin.Should().Be(nameof(AbInclusionPin.AlwaysOn));
+
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "UserAbInclusionPinUpdated");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.from_pin"].Should().Be("none");
+        TelemetryEventsCollectorSpy.CollectedEvents[0].Properties["event.to_pin"].Should().Be("AlwaysOn");
+    }
+
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenNullClearsExistingPin_ShouldPersistNull()
+    {
+        // Arrange
+        Connection.Update("users", "id", DatabaseSeeder.Tenant1Owner.Id.ToString(), [("ab_inclusion_pin", nameof(AbInclusionPin.NeverOn))]);
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = null };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.OK);
+        var storedPin = Connection.ExecuteScalar<string?>(
+            "SELECT ab_inclusion_pin FROM users WHERE id = @id", [new { id = DatabaseSeeder.Tenant1Owner.Id.ToString() }]
+        );
+        storedPin.Should().BeNull();
+    }
+
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenUserNotFound_ShouldReturnNotFound()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var unknownUserId = UserId.NewId();
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/users/{unknownUserId}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.NotFound);
+    }
+
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenNeverOn_ShouldFlipEvaluatorOutcomeForInRangeAbFlag()
+    {
+        // Arrange - put the user at bucket 50, with a rollout of 40..60. Flag is normally ON.
+        Connection.Update("users", "id", DatabaseSeeder.Tenant1Owner.Id.ToString(), [("rollout_bucket", (short)50)]);
+        var now = DateTimeOffset.UtcNow;
+        Connection.Update("feature_flags", "flag_key", "experimental-ui", [
+                ("enabled_at", now),
+                ("bucket_start", 40),
+                ("bucket_end", 60)
+            ]
+        );
+
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "admin");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+
+        // Act - flag is enabled without pin
+        var beforeResponse = await client.GetAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/feature-flags");
+        beforeResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var beforeBody = await beforeResponse.Content.ReadAsStringAsync();
+        beforeBody.Should().Contain("\"flagKey\":\"experimental-ui\"");
+        beforeBody.Should().Contain("\"isEnabled\":true");
+
+        // Apply NeverOn pin
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.NeverOn };
+        var pinResponse = await client.PutAsJsonAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/ab-inclusion-pin", command);
+        pinResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+
+        // Assert - flag is disabled despite being in bucket range
+        var afterResponse = await client.GetAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/feature-flags");
+        afterResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+        var afterBody = await afterResponse.Content.ReadAsStringAsync();
+        afterBody.Should().Contain("\"flagKey\":\"experimental-ui\"");
+        afterBody.Should().Contain("\"isEnabled\":false");
+    }
+
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenNonAdminBackOfficeUser_ShouldReturnForbidden()
+    {
+        // Arrange
+        var identity = MockEasyAuthIdentities.Default.Single(i => i.Id == "user");
+        using var client = CreateBackOfficeClientForIdentity(identity);
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+    }
+
+    [Fact]
+    public async Task SetUserAbInclusionPin_WhenUnauthenticated_ShouldReturnUnauthorized()
+    {
+        // Arrange
+        using var client = CreateBackOfficeClient();
+        var command = new SetUserAbInclusionPinCommand { AbInclusionPin = AbInclusionPin.AlwaysOn };
+
+        // Act
+        var response = await client.PutAsJsonAsync($"/api/back-office/users/{DatabaseSeeder.Tenant1Owner.Id}/ab-inclusion-pin", command);
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+    }
+}
diff --git a/application/account/Tests/Users/BulkDeleteUsersTests.cs b/application/account/Tests/Users/BulkDeleteUsersTests.cs
index 1d7c74c1a..6de1e559d 100644
--- a/application/account/Tests/Users/BulkDeleteUsersTests.cs
+++ b/application/account/Tests/Users/BulkDeleteUsersTests.cs
@@ -38,7 +38,8 @@ public async Task BulkDeleteUsers_WhenUsersExist_ShouldSoftDeleteUsers()
                     ("email_confirmed", true),
                     ("avatar", JsonSerializer.Serialize(new Avatar())),
                     ("locale", "en-US"),
-                    ("external_identities", "[]")
+                    ("external_identities", "[]"),
+                    ("rollout_bucket", 42)
                 ]
             );
         }
@@ -149,7 +150,8 @@ public async Task BulkDeleteUsers_WhenMixedConfirmedAndUnconfirmed_ShouldSoftDel
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -167,7 +169,8 @@ public async Task BulkDeleteUsers_WhenMixedConfirmedAndUnconfirmed_ShouldSoftDel
                 ("email_confirmed", false),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/BulkPurgeUsersTests.cs b/application/account/Tests/Users/BulkPurgeUsersTests.cs
index dc8176296..5e48b1bd7 100644
--- a/application/account/Tests/Users/BulkPurgeUsersTests.cs
+++ b/application/account/Tests/Users/BulkPurgeUsersTests.cs
@@ -35,7 +35,8 @@ public async Task BulkPurgeUsers_WhenOwnerDeletesMultipleDeletedUsers_ShouldPerm
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         Connection.Insert("users", [
@@ -52,7 +53,8 @@ public async Task BulkPurgeUsers_WhenOwnerDeletesMultipleDeletedUsers_ShouldPerm
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         Connection.Insert("users", [
@@ -69,7 +71,8 @@ public async Task BulkPurgeUsers_WhenOwnerDeletesMultipleDeletedUsers_ShouldPerm
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -111,7 +114,8 @@ public async Task BulkPurgeUsers_WhenMember_ShouldReturnForbidden()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/DeclineInvitationTests.cs b/application/account/Tests/Users/DeclineInvitationTests.cs
index f23ca9946..09166040c 100644
--- a/application/account/Tests/Users/DeclineInvitationTests.cs
+++ b/application/account/Tests/Users/DeclineInvitationTests.cs
@@ -30,7 +30,8 @@ public async Task DeclineInvitation_WhenValidInviteExists_ShouldDeleteUserAndCol
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -48,7 +49,8 @@ public async Task DeclineInvitation_WhenValidInviteExists_ShouldDeleteUserAndCol
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", ""),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -103,7 +105,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -114,7 +117,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("name", Faker.Company.CompanyName()),
                 ("state", nameof(TenantState.Active)),
                 ("logo", """{"Url":null,"Version":0}"""),
-                ("plan", nameof(SubscriptionPlan.Basis))
+                ("plan", nameof(SubscriptionPlan.Basis)),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -132,7 +136,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", ""),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -150,7 +155,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("role", nameof(UserRole.Member)),
                 ("locale", ""),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/DeleteUserTests.cs b/application/account/Tests/Users/DeleteUserTests.cs
index 1aa7c57c4..1c28dd9ce 100644
--- a/application/account/Tests/Users/DeleteUserTests.cs
+++ b/application/account/Tests/Users/DeleteUserTests.cs
@@ -45,7 +45,8 @@ public async Task DeleteUser_WhenUserExists_ShouldSoftDeleteUser()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -91,7 +92,8 @@ public async Task DeleteUser_WhenUserHasEmailLoginHistory_ShouldSoftDeleteUserAn
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -140,7 +142,8 @@ public async Task DeleteUser_WhenUserNeverConfirmedEmail_ShouldSoftDeleteUser()
                 ("email_confirmed", false),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/EmptyRecycleBinTests.cs b/application/account/Tests/Users/EmptyRecycleBinTests.cs
index 53a9eb8aa..781e31e89 100644
--- a/application/account/Tests/Users/EmptyRecycleBinTests.cs
+++ b/application/account/Tests/Users/EmptyRecycleBinTests.cs
@@ -33,7 +33,8 @@ public async Task EmptyRecycleBin_WhenOwnerEmptiesRecycleBin_ShouldPermanentlyDe
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         Connection.Insert("users", [
@@ -50,7 +51,8 @@ public async Task EmptyRecycleBin_WhenOwnerEmptiesRecycleBin_ShouldPermanentlyDe
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/GetDeletedUsersTests.cs b/application/account/Tests/Users/GetDeletedUsersTests.cs
index 7599281c5..21e7f3ec2 100644
--- a/application/account/Tests/Users/GetDeletedUsersTests.cs
+++ b/application/account/Tests/Users/GetDeletedUsersTests.cs
@@ -33,7 +33,8 @@ public async Task GetDeletedUsers_WhenOwner_ShouldReturnDeletedUsers()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/GetUserByIdTests.cs b/application/account/Tests/Users/GetUserByIdTests.cs
index ce461487a..0024c63c7 100644
--- a/application/account/Tests/Users/GetUserByIdTests.cs
+++ b/application/account/Tests/Users/GetUserByIdTests.cs
@@ -30,7 +30,8 @@ public GetUserByIdTests()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
     }
diff --git a/application/account/Tests/Users/GetUserSummaryTests.cs b/application/account/Tests/Users/GetUserSummaryTests.cs
index 8eed028b9..042e92cc1 100644
--- a/application/account/Tests/Users/GetUserSummaryTests.cs
+++ b/application/account/Tests/Users/GetUserSummaryTests.cs
@@ -37,7 +37,8 @@ public async Task GetUserSummary_WhenUsersHaveVariousLastSeenDates_ShouldCountAc
                 ("last_seen_at", now.AddDays(-5)),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -56,7 +57,8 @@ public async Task GetUserSummary_WhenUsersHaveVariousLastSeenDates_ShouldCountAc
                 ("last_seen_at", thirtyOneDaysAgo),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -75,7 +77,8 @@ public async Task GetUserSummary_WhenUsersHaveVariousLastSeenDates_ShouldCountAc
                 ("last_seen_at", null),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/GetUsersTests.cs b/application/account/Tests/Users/GetUsersTests.cs
index 06e4f4a00..0a0ac5609 100644
--- a/application/account/Tests/Users/GetUsersTests.cs
+++ b/application/account/Tests/Users/GetUsersTests.cs
@@ -32,7 +32,8 @@ public GetUsersTests()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
         Connection.Insert("users", [
@@ -48,7 +49,8 @@ public GetUsersTests()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
     }
diff --git a/application/account/Tests/Users/InviteUserTests.cs b/application/account/Tests/Users/InviteUserTests.cs
index a759d44ff..834eaf2b1 100644
--- a/application/account/Tests/Users/InviteUserTests.cs
+++ b/application/account/Tests/Users/InviteUserTests.cs
@@ -177,7 +177,8 @@ public async Task InviteUser_WhenDeletedUserExists_ShouldReturnBadRequest()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Users/PurgeUserTests.cs b/application/account/Tests/Users/PurgeUserTests.cs
index 881a30052..e02f40638 100644
--- a/application/account/Tests/Users/PurgeUserTests.cs
+++ b/application/account/Tests/Users/PurgeUserTests.cs
@@ -1,6 +1,7 @@
 using System.Net;
 using System.Text.Json;
 using Account.Database;
+using Account.Features.FeatureFlags.Domain;
 using Account.Features.Users.Domain;
 using FluentAssertions;
 using SharedKernel.Domain;
@@ -31,7 +32,8 @@ public async Task PurgeUser_WhenOwnerDeletesSoftDeletedUser_ShouldSucceed()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -92,7 +94,8 @@ public async Task PurgeUser_WhenUserNotDeleted_ShouldReturnNotFound()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -102,4 +105,77 @@ public async Task PurgeUser_WhenUserNotDeleted_ShouldReturnNotFound()
         // Assert
         await response.ShouldHaveErrorStatusCode(HttpStatusCode.NotFound, $"Deleted user with id '{activeUserId}' not found.");
     }
+
+    [Fact]
+    public async Task PurgeUser_WhenUserHasFeatureFlagOverrides_ShouldCascadeDeleteOverrideRows()
+    {
+        // Arrange - soft-deleted user with two user-scoped feature-flag override rows. Purge must cascade
+        // them to keep the feature_flags table free of orphans pointing at a removed user.
+        var deletedUserId = UserId.NewId();
+        Connection.Insert("users", [
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.ToString()),
+                ("id", deletedUserId.ToString()),
+                ("created_at", TimeProvider.GetUtcNow().AddDays(-10)),
+                ("modified_at", TimeProvider.GetUtcNow().AddDays(-1)),
+                ("deleted_at", TimeProvider.GetUtcNow().AddDays(-1)),
+                ("email", Faker.Internet.UniqueEmail()),
+                ("first_name", Faker.Person.FirstName),
+                ("last_name", Faker.Person.LastName),
+                ("title", "Former Employee"),
+                ("role", nameof(UserRole.Member)),
+                ("email_confirmed", true),
+                ("avatar", JsonSerializer.Serialize(new Avatar())),
+                ("locale", "en-US"),
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
+            ]
+        );
+
+        var now = TimeProvider.GetUtcNow();
+        var flagRowId1 = FeatureFlagId.NewId().ToString();
+        var flagRowId2 = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", flagRowId1),
+                ("created_at", now),
+                ("modified_at", null),
+                ("flag_key", "compact-view"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", deletedUserId.ToString()),
+                ("enabled_at", now),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+        Connection.Insert("feature_flags", [
+                ("id", flagRowId2),
+                ("created_at", now),
+                ("modified_at", null),
+                ("flag_key", "experimental-ui"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", deletedUserId.ToString()),
+                ("enabled_at", now),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+
+        // Act
+        var response = await AuthenticatedOwnerHttpClient.DeleteAsync($"/api/account/users/{deletedUserId}/purge");
+
+        // Assert
+        response.ShouldHaveEmptyHeaderAndLocationOnSuccess();
+        Connection.RowExists("users", deletedUserId.ToString()).Should().BeFalse();
+
+        var orphanCount = Connection.ExecuteScalar<long>(
+            "SELECT COUNT(*) FROM feature_flags WHERE user_id = @userId",
+            [new { userId = deletedUserId.ToString() }]
+        );
+        orphanCount.Should().Be(0, "feature_flags rows for the purged user must cascade-delete");
+    }
 }
diff --git a/application/account/Tests/Users/RestoreUserTests.cs b/application/account/Tests/Users/RestoreUserTests.cs
index 85d833f59..af9485568 100644
--- a/application/account/Tests/Users/RestoreUserTests.cs
+++ b/application/account/Tests/Users/RestoreUserTests.cs
@@ -31,7 +31,8 @@ public async Task RestoreUser_WhenOwnerRestoresDeletedUser_ShouldSucceed()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
@@ -92,7 +93,8 @@ public async Task RestoreUser_WhenUserNotDeleted_ShouldReturnNotFound()
                 ("email_confirmed", true),
                 ("avatar", JsonSerializer.Serialize(new Avatar())),
                 ("locale", "en-US"),
-                ("external_identities", "[]")
+                ("external_identities", "[]"),
+                ("rollout_bucket", 42)
             ]
         );
 
diff --git a/application/account/Tests/Workers/BillingDriftWorkerTests.cs b/application/account/Tests/Workers/BillingDriftWorkerTests.cs
index d94b6d2fd..1bf86f713 100644
--- a/application/account/Tests/Workers/BillingDriftWorkerTests.cs
+++ b/application/account/Tests/Workers/BillingDriftWorkerTests.cs
@@ -239,7 +239,8 @@ private long SeedExtraTenantWithSubscription(string stripeCustomerId, string str
                 ("name", $"Worker Test Tenant {tenantId.Value}"),
                 ("state", nameof(TenantState.Active)),
                 ("plan", nameof(SubscriptionPlan.Standard)),
-                ("logo", """{"Url":null,"Version":0}""")
+                ("logo", """{"Url":null,"Version":0}"""),
+                ("rollout_bucket", 0)
             ]
         );
 
diff --git a/application/account/Tests/Workers/FeatureFlagDefinitionReconcilerTests.cs b/application/account/Tests/Workers/FeatureFlagDefinitionReconcilerTests.cs
new file mode 100644
index 000000000..af8e900fd
--- /dev/null
+++ b/application/account/Tests/Workers/FeatureFlagDefinitionReconcilerTests.cs
@@ -0,0 +1,445 @@
+extern alias workers;
+using Account.Database;
+using Account.Features.FeatureFlags.Domain;
+using Account.Features.Subscriptions.Domain;
+using Account.Features.Users.Shared;
+using FluentAssertions;
+using Microsoft.ApplicationInsights;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using SharedKernel.Telemetry;
+using SharedKernel.Tests.Persistence;
+using Xunit;
+using FeatureFlagDefinitionReconciler = workers::Account.Workers.FeatureFlagDefinitionReconciler;
+
+namespace Account.Tests.Workers;
+
+/// <summary>
+///     Backend acceptance tests for the FeatureFlagDefinitionReconciler per PP-1250. The reconciler runs
+///     inline at Worker startup and converges the feature_flags table to the C# definitions in
+///     <c>SharedKernel.FeatureFlags.FeatureFlags</c>. These tests exercise the reconciler against the
+///     production code path that the existing test harness's hand-built fixtures do not cover.
+/// </summary>
+public sealed class FeatureFlagDefinitionReconcilerTests : EndpointBaseTest<AccountDbContext>
+{
+    [Fact]
+    public async Task Reconciler_WhenPremiumTenantWithPlanOverride_ShouldEnableSsoInUserInfo()
+    {
+        // Arrange - simulate the production state after a Premium subscription: ProcessPendingStripeEvents
+        // would have committed a Source=Plan tenant override via MediatR UnitOfWork. We pre-insert that row
+        // here to verify that when the override row exists in the DB, the resulting UserInfo carries sso.
+        // The reconciler's contract (C1 fix) is that the base row's IsActive state is owned by admins, not
+        // the reconciler, so the test activates sso explicitly to mirror real production where admins flip
+        // the base row on before plan-source overrides start landing.
+        Connection.Update("subscriptions", "tenant_id", DatabaseSeeder.Tenant1.Id.Value, [("plan", nameof(SubscriptionPlan.Premium))]);
+        var ssoBaseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        Connection.Update("feature_flags", "id", ssoBaseRowId, [("enabled_at", TimeProvider.GetUtcNow()), ("source", "Plan")]);
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Plan"),
+                ("scope", "Tenant")
+            ]
+        );
+
+        await RunReconcilerAsync();
+
+        using var scope = Provider.CreateScope();
+        var userInfoFactory = scope.ServiceProvider.GetRequiredService<UserInfoFactory>();
+
+        // Act
+        var userInfoResult = await userInfoFactory.CreateUserInfoAsync(DatabaseSeeder.Tenant1Owner, DatabaseSeeder.Tenant1OwnerSession.Id, CancellationToken.None);
+
+        // Assert
+        userInfoResult.IsSuccess.Should().BeTrue();
+        userInfoResult.Value!.FeatureFlags.Should().Contain("sso", "Premium tenants with a Plan-source override must have sso in their JWT feature_flags claim");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenBasisTenantAndLogin_ShouldNotEnableSsoInUserInfo()
+    {
+        // Arrange - the seeder defaults the subscription plan to Basis, so no Plan-source override exists.
+        await RunReconcilerAsync();
+
+        using var scope = Provider.CreateScope();
+        var userInfoFactory = scope.ServiceProvider.GetRequiredService<UserInfoFactory>();
+
+        // Act
+        var userInfoResult = await userInfoFactory.CreateUserInfoAsync(DatabaseSeeder.Tenant1Owner, DatabaseSeeder.Tenant1OwnerSession.Id, CancellationToken.None);
+
+        // Assert
+        userInfoResult.IsSuccess.Should().BeTrue();
+        userInfoResult.Value!.FeatureFlags.Should().NotContain("sso", "Basis tenants must not have sso in their JWT feature_flags claim");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenFlagFlipsFromManualToPlan_ShouldRemoveStaleManualTenantOverride()
+    {
+        // Arrange - the test seeder created the sso base row with default Source=Manual. Add a Manual
+        // tenant override for a Basis tenant to simulate the pre-PP-1250 state where the flag was
+        // operator-set rather than plan-derived.
+        var staleOverrideId = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", staleOverrideId),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "Tenant")
+            ]
+        );
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        Connection.RowExists("feature_flags", staleOverrideId).Should().BeFalse("the reconciler must remove Manual-source rows for a flag whose definition now requires Plan source");
+
+        var baseRowSource = Connection.ExecuteScalar<string>(
+            "SELECT source FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        baseRowSource.Should().Be("Plan", "the reconciler must transition the base row to the expected Plan source");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenFlagFlipsFromManualToPlan_ShouldRemoveStaleManualUserOverride()
+    {
+        // Arrange - a user-scoped override with Source=Manual survives if the flag is later redefined as
+        // PlanGatedTenantFlag with the same key. The reconciler must converge both tenant- and user-scoped
+        // override rows when the source transitions, not just tenant ones.
+        var staleUserOverrideId = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", staleUserOverrideId),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", DatabaseSeeder.Tenant1Owner.Id.Value),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "User")
+            ]
+        );
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        Connection.RowExists("feature_flags", staleUserOverrideId).Should().BeFalse("the reconciler must remove Manual-source user-scoped rows for a flag whose definition now requires Plan source");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenRunTwice_ShouldBeIdempotent()
+    {
+        // Arrange - first pass converges the seeder rows
+        await RunReconcilerAsync();
+        var rowCountAfterFirstPass = Connection.ExecuteScalar<long>("SELECT COUNT(*) FROM feature_flags", []);
+        // Capture a per-row fingerprint that changes if any column the reconciler ever writes changes.
+        // A bare COUNT(*) assertion would miss a regression that re-issues Update on every pass without
+        // adding or deleting rows; this fingerprint catches that case.
+        var fingerprintAfterFirstPass = Connection.ExecuteScalar<string>(
+            "SELECT GROUP_CONCAT(id || ':' || COALESCE(modified_at, '') || ':' || COALESCE(enabled_at, '') || ':' || COALESCE(disabled_at, '') || ':' || source || ':' || COALESCE(orphaned_at, '')) FROM feature_flags ORDER BY id", []
+        );
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        var rowCountAfterSecondPass = Connection.ExecuteScalar<long>("SELECT COUNT(*) FROM feature_flags", []);
+        rowCountAfterSecondPass.Should().Be(rowCountAfterFirstPass, "a second reconciler pass must not insert or delete rows");
+
+        var fingerprintAfterSecondPass = Connection.ExecuteScalar<string>(
+            "SELECT GROUP_CONCAT(id || ':' || COALESCE(modified_at, '') || ':' || COALESCE(enabled_at, '') || ':' || COALESCE(disabled_at, '') || ':' || source || ':' || COALESCE(orphaned_at, '')) FROM feature_flags ORDER BY id", []
+        );
+        fingerprintAfterSecondPass.Should().Be(fingerprintAfterFirstPass, "a second reconciler pass must not modify any row (modified_at, enabled_at, disabled_at, source, orphaned_at all unchanged)");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenRowExistsForRemovedFlag_ShouldMarkOrphaned()
+    {
+        // Arrange - insert a row whose flag_key is not in FeatureFlags.cs (simulating a flag removed
+        // from the C# definitions between deploys).
+        var orphanRowId = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", orphanRowId),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "removed-feature"),
+                ("tenant_id", null),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "Tenant")
+            ]
+        );
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        var orphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE id = @id", [new { id = orphanRowId }]
+        );
+        orphanedAt.Should().NotBeNullOrEmpty("the reconciler must mark rows whose flag_key is no longer in the C# definitions");
+
+        var ssoOrphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        ssoOrphanedAt.Should().BeNullOrEmpty("known flag rows must never be marked orphaned");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenOrphanedBaseRowKeyIsBackInDefinitions_ShouldClearOrphanedAt()
+    {
+        // Arrange
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("orphaned_at", TimeProvider.GetUtcNow())]);
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        var orphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE id = @id", [new { id = baseRowId }]
+        );
+        orphanedAt.Should().BeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenOrphanedBaseRowKeyIsBackInDefinitions_ShouldAlsoClearOrphanedAtOnOverrides()
+    {
+        // Arrange - a prior reconciler sweep orphaned the base row and every override sharing the key. A
+        // rollback that re-adds the definition must restore the per-tenant/per-user state along with the
+        // base row, otherwise the previously-enabled tenant/user appear flag-less even though their rows
+        // still exist.
+        var orphanedAt = TimeProvider.GetUtcNow();
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("orphaned_at", orphanedAt)]);
+
+        var tenantOverrideId = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", tenantOverrideId),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", orphanedAt),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Plan"),
+                ("scope", "Tenant")
+            ]
+        );
+
+        var userOverrideId = FeatureFlagId.NewId().ToString();
+        Connection.Insert("feature_flags", [
+                ("id", userOverrideId),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", orphanedAt),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", DatabaseSeeder.Tenant1Owner.Id.Value),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Plan"),
+                ("scope", "Tenant")
+            ]
+        );
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        var baseOrphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE id = @id", [new { id = baseRowId }]
+        );
+        baseOrphanedAt.Should().BeNullOrEmpty();
+
+        var tenantOverrideOrphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE id = @id", [new { id = tenantOverrideId }]
+        );
+        tenantOverrideOrphanedAt.Should().BeNullOrEmpty("tenant overrides that were orphaned alongside the base row must be restored when the flag is re-added");
+
+        var userOverrideOrphanedAt = Connection.ExecuteScalar<string>(
+            "SELECT orphaned_at FROM feature_flags WHERE id = @id", [new { id = userOverrideId }]
+        );
+        userOverrideOrphanedAt.Should().BeNullOrEmpty("user overrides that were orphaned alongside the base row must be restored when the flag is re-added");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenSoftDeletedBaseRowKeyIsBackInDefinitions_ShouldAbortDeployment()
+    {
+        // Arrange
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [
+                ("orphaned_at", TimeProvider.GetUtcNow()),
+                ("deleted_at", TimeProvider.GetUtcNow())
+            ]
+        );
+
+        // Act
+        var act = async () => await RunReconcilerAsync();
+
+        // Assert
+        await act.Should().ThrowAsync<InvalidOperationException>()
+            .WithMessage("Feature flag 'sso' was previously deleted*");
+        var deletedAt = Connection.ExecuteScalar<string>(
+            "SELECT deleted_at FROM feature_flags WHERE id = @id", [new { id = baseRowId }]
+        );
+        deletedAt.Should().NotBeNullOrEmpty("the reconciler must not clear DeletedAt; it must fail deployment instead");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenRowExistsForRemovedFlag_ShouldEmitOrphanedTelemetryEvent()
+    {
+        // Arrange
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "removed-feature"),
+                ("tenant_id", null),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "Tenant")
+            ]
+        );
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagOrphanedByReconciler");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenOrphanedBaseRowKeyIsBackInDefinitions_ShouldEmitRestoredTelemetryEvent()
+    {
+        // Arrange — orphan the sso base row and a tenant override sharing the key so the restore
+        // event reports a non-zero overrides_restored count.
+        var orphanedAt = TimeProvider.GetUtcNow();
+        var baseRowId = Connection.ExecuteScalar<string>(
+            "SELECT id FROM feature_flags WHERE flag_key = 'sso' AND tenant_id IS NULL AND user_id IS NULL", []
+        );
+        Connection.Update("feature_flags", "id", baseRowId, [("orphaned_at", orphanedAt)]);
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", orphanedAt),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Plan"),
+                ("scope", "Tenant")
+            ]
+        );
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().ContainSingle(e => e.GetType().Name == "FeatureFlagRestoredByReconciler");
+        var restored = TelemetryEventsCollectorSpy.CollectedEvents.Single(e => e.GetType().Name == "FeatureFlagRestoredByReconciler");
+        restored.Properties["event.overrides_restored"].Should().Be("1");
+    }
+
+    [Fact]
+    public async Task Reconciler_WhenSsoTenantOverrideSourceDiffersFromDefinition_ShouldEmitSourceTransitionedTelemetryEvent()
+    {
+        // Arrange — sso is a PlanGatedTenantFlag (definition Source=Plan). Seed a Manual override
+        // row so the reconciler's source-transition sweep removes it and emits the event.
+        Connection.Insert("feature_flags", [
+                ("id", FeatureFlagId.NewId().ToString()),
+                ("created_at", TimeProvider.GetUtcNow()),
+                ("modified_at", null),
+                ("deleted_at", null),
+                ("orphaned_at", null),
+                ("flag_key", "sso"),
+                ("tenant_id", DatabaseSeeder.Tenant1.Id.Value),
+                ("user_id", null),
+                ("enabled_at", TimeProvider.GetUtcNow()),
+                ("disabled_at", null),
+                ("bucket_start", null),
+                ("bucket_end", null),
+                ("source", "Manual"),
+                ("scope", "Tenant")
+            ]
+        );
+        TelemetryEventsCollectorSpy.Reset();
+
+        // Act
+        await RunReconcilerAsync();
+
+        // Assert
+        TelemetryEventsCollectorSpy.CollectedEvents.Should().Contain(e => e.GetType().Name == "FeatureFlagSourceTransitionedByReconciler");
+    }
+
+    private async Task RunReconcilerAsync()
+    {
+        using var scope = Provider.CreateScope();
+        var featureFlagRepository = scope.ServiceProvider.GetRequiredService<IFeatureFlagRepository>();
+        var dbContext = scope.ServiceProvider.GetRequiredService<AccountDbContext>();
+        var telemetryCollector = scope.ServiceProvider.GetRequiredService<ITelemetryEventsCollector>();
+        var telemetryClient = scope.ServiceProvider.GetRequiredService<TelemetryClient>();
+        var reconciler = new FeatureFlagDefinitionReconciler(featureFlagRepository, dbContext, TimeProvider, telemetryCollector, telemetryClient, NullLogger<FeatureFlagDefinitionReconciler>.Instance);
+        await reconciler.ReconcileAsync(CancellationToken.None);
+    }
+}
diff --git a/application/account/WebApp/routes/account/index.tsx b/application/account/WebApp/routes/account/index.tsx
index f364be8f8..46dd994eb 100644
--- a/application/account/WebApp/routes/account/index.tsx
+++ b/application/account/WebApp/routes/account/index.tsx
@@ -1,13 +1,23 @@
 import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
+import { isFeatureFlagEnabled } from "@repo/infrastructure/featureFlags/useFeatureFlag";
 import { AppLayout } from "@repo/ui/components/AppLayout";
 import { LinkCard } from "@repo/ui/components/LinkCard";
 import { getDateDaysAgo, getTodayIsoDate } from "@repo/utils/date/formatDate";
-import { createFileRoute } from "@tanstack/react-router";
+import { createFileRoute, redirect } from "@tanstack/react-router";
 
 import { api, UserStatus } from "@/shared/lib/api/client";
 
 export const Route = createFileRoute("/account/")({
+  beforeLoad: () => {
+    // The /account dashboard is gated by the account-overview feature flag. When the flag is off
+    // the AccountSideMenu hides the entry, but the route remains reachable by typing the URL or
+    // following a stale bookmark. Redirect to /account/users so direct navigation lands on a
+    // surface the user can actually use.
+    if (!isFeatureFlagEnabled("account-overview")) {
+      throw redirect({ to: "/account/users" });
+    }
+  },
   staticData: { trackingTitle: "Account overview" },
   component: Home
 });
diff --git a/application/account/WebApp/routes/account/settings/-components/FeaturesSection.tsx b/application/account/WebApp/routes/account/settings/-components/FeaturesSection.tsx
new file mode 100644
index 000000000..6884df8a6
--- /dev/null
+++ b/application/account/WebApp/routes/account/settings/-components/FeaturesSection.tsx
@@ -0,0 +1,94 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { trackInteraction } from "@repo/infrastructure/applicationInsights/ApplicationInsightsProvider";
+import { Separator } from "@repo/ui/components/Separator";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { Switch } from "@repo/ui/components/Switch";
+import { getFeatureFlagLabel } from "@repo/ui/featureFlags/labels";
+import { toast } from "sonner";
+
+import { api, type Schemas } from "@/shared/lib/api/client";
+
+type TenantFlag = Schemas["TenantConfigurableFeatureFlag"];
+
+export function FeaturesSection() {
+  const { data, isLoading } = api.useQuery("get", "/api/account/feature-flags/tenant-configurable");
+
+  if (isLoading) {
+    return <FeaturesSkeleton />;
+  }
+
+  const tenantFlags = data?.flags ?? [];
+  if (tenantFlags.length === 0) {
+    return null;
+  }
+
+  return (
+    <div className="mt-12 flex flex-col gap-4">
+      <h3>
+        <Trans>Features</Trans>
+      </h3>
+      <Separator />
+      <p className="text-sm text-muted-foreground">
+        <Trans>Toggle features available to your account.</Trans>
+      </p>
+      <div className="flex flex-col gap-2">
+        {tenantFlags.map((f) => (
+          <TenantFlagToggle key={f.flagKey} flagKey={f.flagKey} enabled={f.enabled} />
+        ))}
+      </div>
+    </div>
+  );
+}
+
+function TenantFlagToggle({ flagKey, enabled }: Readonly<TenantFlag>) {
+  const label = getFeatureFlagLabel(flagKey);
+
+  const toggleMutation = api.useMutation("put", "/api/account/feature-flags/{flagKey}/tenant-override", {
+    onSuccess: () => {
+      // Keep the title a static msgid (label.name is itself a translated value — interpolating it
+      // into a t-template would store the localized name inside the msgid and split the catalog
+      // per locale). The dynamic name + the 5-minute notice are joined outside Lingui.
+      toast.success(t`Feature updated successfully`, {
+        description: `${label.name}. ${t`It takes up to 5 minutes for changes to reach all users.`}`
+      });
+    }
+  });
+
+  const handleToggle = (checked: boolean) => {
+    // Use the kebab-case `flagKey` (not the localized `label.name`) so the App Insights event
+    // action stays a stable identifier across locales — dashboards group by it without splitting
+    // per language.
+    trackInteraction("Account settings", "interaction", `Change ${flagKey} to "${checked ? "enabled" : "disabled"}"`);
+    toggleMutation.mutate({ params: { path: { flagKey } }, body: { enabled: checked } });
+  };
+
+  return (
+    <div className="flex items-center justify-between rounded-lg border p-4">
+      <div className="flex flex-col gap-1">
+        <span className="text-sm font-medium">{label.name}</span>
+        <span className="text-sm text-muted-foreground">{label.description}</span>
+      </div>
+      <Switch
+        checked={enabled}
+        onCheckedChange={handleToggle}
+        disabled={toggleMutation.isPending}
+        aria-label={label.name}
+      />
+    </div>
+  );
+}
+
+function FeaturesSkeleton() {
+  return (
+    <div className="mt-12 flex flex-col gap-4">
+      <Skeleton className="h-6 w-24" />
+      <Separator />
+      <Skeleton className="h-4 w-64" />
+      <div className="flex flex-col gap-2">
+        <Skeleton className="h-[4.5rem] w-full rounded-lg" />
+        <Skeleton className="h-[4.5rem] w-full rounded-lg" />
+      </div>
+    </div>
+  );
+}
diff --git a/application/account/WebApp/routes/account/settings/index.tsx b/application/account/WebApp/routes/account/settings/index.tsx
index 291b312fa..5b91b3178 100644
--- a/application/account/WebApp/routes/account/settings/index.tsx
+++ b/application/account/WebApp/routes/account/settings/index.tsx
@@ -20,6 +20,7 @@ import { api, type Schemas, UserRole } from "@/shared/lib/api/client";
 
 import { AccountInfoFields } from "./-components/AccountInfoFields";
 import DeleteAccountConfirmation from "./-components/DeleteAccountConfirmation";
+import { FeaturesSection } from "./-components/FeaturesSection";
 
 export const Route = createFileRoute("/account/settings/")({
   staticData: { trackingTitle: "Account settings" },
@@ -149,6 +150,7 @@ export function AccountSettings() {
           )}
         </Form>
 
+        {isOwner && <FeaturesSection />}
         {isOwner && <DangerZone setIsDeleteModalOpen={setIsDeleteModalOpen} />}
       </AppLayout>
 
diff --git a/application/account/WebApp/routes/login/index.tsx b/application/account/WebApp/routes/login/index.tsx
index 4b5e97c53..2d87cdf81 100644
--- a/application/account/WebApp/routes/login/index.tsx
+++ b/application/account/WebApp/routes/login/index.tsx
@@ -2,6 +2,7 @@ import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
 import { signUpPath } from "@repo/infrastructure/auth/constants";
 import { isValidReturnPath } from "@repo/infrastructure/auth/util";
+import { useFeatureFlag } from "@repo/infrastructure/featureFlags/useFeatureFlag";
 import { Button } from "@repo/ui/components/Button";
 import { Form } from "@repo/ui/components/Form";
 import { Link } from "@repo/ui/components/Link";
@@ -58,6 +59,7 @@ export function LoginForm() {
   const { email: signupEmail } = getSignupState(); // Prefill from signup page if user navigated here
   const [email, setEmail] = useState(savedEmail || signupEmail || "");
   const { returnPath } = Route.useSearch();
+  const { enabled: isGoogleOAuthEnabled } = useFeatureFlag("google-oauth");
 
   const startLoginMutation = api.useMutation("post", "/api/account/authentication/email/login/start");
   const [isGoogleLoginPending, setIsGoogleLoginPending] = useState(false);
@@ -132,7 +134,7 @@ export function LoginForm() {
       >
         {startLoginMutation.isPending ? <Trans>Sending verification code...</Trans> : <Trans>Log in with email</Trans>}
       </Button>
-      {import.meta.runtime_env.PUBLIC_GOOGLE_OAUTH_ENABLED === "true" && (
+      {isGoogleOAuthEnabled && (
         <>
           <div className="flex w-full items-center gap-4">
             <div className="h-px flex-1 bg-border" />
diff --git a/application/account/WebApp/routes/signup/index.tsx b/application/account/WebApp/routes/signup/index.tsx
index d23745800..ca88ba90d 100644
--- a/application/account/WebApp/routes/signup/index.tsx
+++ b/application/account/WebApp/routes/signup/index.tsx
@@ -1,6 +1,7 @@
 import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
 import { loginPath } from "@repo/infrastructure/auth/constants";
+import { useFeatureFlag } from "@repo/infrastructure/featureFlags/useFeatureFlag";
 import { preferredLocaleKey } from "@repo/infrastructure/translations/constants";
 import { Button } from "@repo/ui/components/Button";
 import { Field, FieldDescription, FieldLabel } from "@repo/ui/components/Field";
@@ -55,6 +56,7 @@ export function StartSignupForm() {
   const { email: savedEmail } = getSignupState();
   const { email: loginEmail } = getLoginState(); // Prefill from login page if user navigated here
   const [email, setEmail] = useState(savedEmail || loginEmail || "");
+  const { enabled: isGoogleOAuthEnabled } = useFeatureFlag("google-oauth");
 
   const startSignupMutation = api.useMutation("post", "/api/account/authentication/email/signup/start");
   const [isGoogleSignupPending, setIsGoogleSignupPending] = useState(false);
@@ -147,7 +149,7 @@ export function StartSignupForm() {
           <Trans>Sign up with email</Trans>
         )}
       </Button>
-      {import.meta.runtime_env.PUBLIC_GOOGLE_OAUTH_ENABLED === "true" && (
+      {isGoogleOAuthEnabled && (
         <>
           <div className="flex w-full items-center gap-4">
             <div className="h-px flex-1 bg-border" />
diff --git a/application/account/WebApp/routes/user/preferences/-components/PreferencesFeatureFlagsSection.tsx b/application/account/WebApp/routes/user/preferences/-components/PreferencesFeatureFlagsSection.tsx
new file mode 100644
index 000000000..e247a9972
--- /dev/null
+++ b/application/account/WebApp/routes/user/preferences/-components/PreferencesFeatureFlagsSection.tsx
@@ -0,0 +1,87 @@
+import { t } from "@lingui/core/macro";
+import { Trans } from "@lingui/react/macro";
+import { trackInteraction } from "@repo/infrastructure/applicationInsights/ApplicationInsightsProvider";
+import { Skeleton } from "@repo/ui/components/Skeleton";
+import { Switch } from "@repo/ui/components/Switch";
+import { getFeatureFlagLabel } from "@repo/ui/featureFlags/labels";
+import { toast } from "sonner";
+
+import { api, type Schemas } from "@/shared/lib/api/client";
+
+type UserFlag = Schemas["UserConfigurableFeatureFlag"];
+
+export function PreferencesFeatureFlagsSection() {
+  const { data, isLoading } = api.useQuery("get", "/api/account/feature-flags/user-configurable");
+
+  if (isLoading) {
+    return <PreferencesFeatureFlagsSkeleton />;
+  }
+
+  const userFlags = data?.flags ?? [];
+  if (userFlags.length === 0) {
+    return null;
+  }
+
+  return (
+    <section>
+      <h3 className="mb-1">
+        <Trans>Feature preferences</Trans>
+      </h3>
+      <p className="mb-4 text-sm text-muted-foreground">
+        <Trans>Customize which optional features are enabled for your account.</Trans>
+      </p>
+      <div className="flex flex-col gap-2">
+        {userFlags.map((f) => (
+          <UserFlagToggle key={f.flagKey} flagKey={f.flagKey} enabled={f.enabled} />
+        ))}
+      </div>
+    </section>
+  );
+}
+
+function UserFlagToggle({ flagKey, enabled }: Readonly<UserFlag>) {
+  const label = getFeatureFlagLabel(flagKey);
+
+  const toggleMutation = api.useMutation("put", "/api/account/feature-flags/{flagKey}/user-override", {
+    onSuccess: () => {
+      toast.success(t`Preference updated successfully`, {
+        description: `${label.name}. ${t`It takes up to 5 minutes for changes to reach all users.`}`
+      });
+    }
+  });
+
+  const handleToggle = (checked: boolean) => {
+    // Use the kebab-case `flagKey` (not the localized `label.name`) so the App Insights event
+    // action stays a stable identifier across locales — dashboards group by it without splitting
+    // per language.
+    trackInteraction("User preferences", "interaction", `Change ${flagKey} to "${checked ? "enabled" : "disabled"}"`);
+    toggleMutation.mutate({ params: { path: { flagKey } }, body: { enabled: checked } });
+  };
+
+  return (
+    <div className="flex items-center justify-between rounded-lg border p-4">
+      <div className="flex flex-col gap-1">
+        <span className="text-sm font-medium">{label.name}</span>
+        <span className="text-sm text-muted-foreground">{label.description}</span>
+      </div>
+      <Switch
+        checked={enabled}
+        onCheckedChange={handleToggle}
+        disabled={toggleMutation.isPending}
+        aria-label={label.name}
+      />
+    </div>
+  );
+}
+
+function PreferencesFeatureFlagsSkeleton() {
+  return (
+    <section>
+      <Skeleton className="mb-1 h-6 w-32" />
+      <Skeleton className="mb-4 h-4 w-80" />
+      <div className="flex flex-col gap-2">
+        <Skeleton className="h-[4.5rem] w-full rounded-lg" />
+      </div>
+    </section>
+  );
+}
diff --git a/application/account/WebApp/routes/user/preferences/index.tsx b/application/account/WebApp/routes/user/preferences/index.tsx
index cc87f96fd..568e17f2c 100644
--- a/application/account/WebApp/routes/user/preferences/index.tsx
+++ b/application/account/WebApp/routes/user/preferences/index.tsx
@@ -5,6 +5,7 @@ import { ToggleGroup, ToggleGroupItem } from "@repo/ui/components/ToggleGroup";
 import { createFileRoute } from "@tanstack/react-router";
 import { MoonIcon, SunIcon } from "lucide-react";
 
+import { PreferencesFeatureFlagsSection } from "./-components/PreferencesFeatureFlagsSection";
 import { ThemeMode, locales, usePreferences } from "./-components/usePreferences";
 
 export const Route = createFileRoute("/user/preferences/")({
@@ -119,6 +120,8 @@ function PreferencesPage() {
             ))}
           </ToggleGroup>
         </section>
+
+        <PreferencesFeatureFlagsSection />
       </div>
     </AppLayout>
   );
diff --git a/application/account/WebApp/shared/components/AccountSideMenu.tsx b/application/account/WebApp/shared/components/AccountSideMenu.tsx
index ca6cd4f1a..e1ab1e0c9 100644
--- a/application/account/WebApp/shared/components/AccountSideMenu.tsx
+++ b/application/account/WebApp/shared/components/AccountSideMenu.tsx
@@ -1,6 +1,7 @@
 import { t } from "@lingui/core/macro";
 import { Trans } from "@lingui/react/macro";
 import { useUserInfo } from "@repo/infrastructure/auth/hooks";
+import { useFeatureFlag } from "@repo/infrastructure/featureFlags/useFeatureFlag";
 import {
   collapsedContext,
   Sidebar,
@@ -43,13 +44,15 @@ export function AccountSideMenu() {
   const router = useRouter();
   const currentPath = normalizePath(router.state.location.pathname);
   const { navigateToMain } = useMainNavigation();
+  const { enabled: isSubscriptionEnabled } = useFeatureFlag("subscriptions");
+  const { enabled: isAccountOverviewEnabled } = useFeatureFlag("account-overview");
 
   const isActive = (target: string, matchPrefix = false) => {
     const normalized = normalizePath(target);
     return matchPrefix ? currentPath.startsWith(normalized) : currentPath === normalized;
   };
 
-  const showBilling = userInfo?.role === "Owner" && import.meta.runtime_env.PUBLIC_SUBSCRIPTION_ENABLED === "true";
+  const showBilling = userInfo?.role === "Owner" && isSubscriptionEnabled;
 
   return (
     <Sidebar collapsible="icon" mobileContent={<MobileMenu onNavigate={navigateToMain ?? undefined} />}>
@@ -108,16 +111,18 @@ export function AccountSideMenu() {
             </SidebarGroupLabel>
             <SidebarGroupContent>
               <SidebarMenu>
-                <SidebarMenuItem>
-                  <SidebarMenuButton asChild={true} isActive={isActive("/account")} tooltip={t`Overview`}>
-                    <RouterLink to="/account">
-                      <HomeIcon />
-                      <span>
-                        <Trans>Overview</Trans>
-                      </span>
-                    </RouterLink>
-                  </SidebarMenuButton>
-                </SidebarMenuItem>
+                {isAccountOverviewEnabled && (
+                  <SidebarMenuItem>
+                    <SidebarMenuButton asChild={true} isActive={isActive("/account")} tooltip={t`Overview`}>
+                      <RouterLink to="/account">
+                        <HomeIcon />
+                        <span>
+                          <Trans>Overview</Trans>
+                        </span>
+                      </RouterLink>
+                    </SidebarMenuButton>
+                  </SidebarMenuItem>
+                )}
                 <SidebarMenuItem>
                   <SidebarMenuButton asChild={true} isActive={isActive("/account/settings")} tooltip={t`Settings`}>
                     <RouterLink to="/account/settings">
diff --git a/application/account/WebApp/shared/translations/locale/da-DK.po b/application/account/WebApp/shared/translations/locale/da-DK.po
index 61893a830..882c52cfe 100644
--- a/application/account/WebApp/shared/translations/locale/da-DK.po
+++ b/application/account/WebApp/shared/translations/locale/da-DK.po
@@ -813,6 +813,9 @@ msgstr "Nuværende plan"
 msgid "Customer deleted"
 msgstr "Kunde slettet"
 
+msgid "Customize which optional features are enabled for your account."
+msgstr "Tilpas hvilke valgfri funktioner der er aktiveret for din konto."
+
 msgid "Customize your theme, language, and zoom settings."
 msgstr "Tilpas dit tema, sprog og zoomindstillinger."
 
@@ -1153,6 +1156,12 @@ msgstr "Mislykket"
 msgid "Failed to load payment processor."
 msgstr "Kunne ikke indlæse betalingsprocessor."
 
+msgid "Feature preferences"
+msgstr "Funktionspræferencer"
+
+msgid "Feature updated successfully"
+msgstr "Funktion opdateret succesfuldt"
+
 msgid "Features"
 msgstr "Funktioner"
 
@@ -1339,6 +1348,9 @@ msgstr "Er der andet, du gerne vil fortælle os? (valgfrit)"
 msgid "It may take up to 5 minutes before the device is logged out."
 msgstr "Det kan tage op til 5 minutter, før enheden er logget ud."
 
+msgid "It takes up to 5 minutes for changes to reach all users."
+msgstr "Det tager op til 5 minutter, før ændringer når alle brugere."
+
 msgid "Italian"
 msgstr "Italiensk"
 
@@ -1955,6 +1967,9 @@ msgstr "Powered by"
 msgid "Pozole rojo"
 msgstr "Pozole rojo"
 
+msgid "Preference updated successfully"
+msgstr "Præference opdateret succesfuldt"
+
 msgid "Preferences"
 msgstr "Præferencer"
 
@@ -2666,6 +2681,9 @@ msgstr "Skift fed"
 msgid "Toggle buttons"
 msgstr "Skifteknapper"
 
+msgid "Toggle features available to your account."
+msgstr "Skift funktioner tilgængelige for din konto."
+
 msgid "Toggle group"
 msgstr "Skiftegruppe"
 
diff --git a/application/account/WebApp/shared/translations/locale/en-US.po b/application/account/WebApp/shared/translations/locale/en-US.po
index ec00a308b..a1e9eb61a 100644
--- a/application/account/WebApp/shared/translations/locale/en-US.po
+++ b/application/account/WebApp/shared/translations/locale/en-US.po
@@ -813,6 +813,9 @@ msgstr "Current plan"
 msgid "Customer deleted"
 msgstr "Customer deleted"
 
+msgid "Customize which optional features are enabled for your account."
+msgstr "Customize which optional features are enabled for your account."
+
 msgid "Customize your theme, language, and zoom settings."
 msgstr "Customize your theme, language, and zoom settings."
 
@@ -1153,6 +1156,12 @@ msgstr "Failed"
 msgid "Failed to load payment processor."
 msgstr "Failed to load payment processor."
 
+msgid "Feature preferences"
+msgstr "Feature preferences"
+
+msgid "Feature updated successfully"
+msgstr "Feature updated successfully"
+
 msgid "Features"
 msgstr "Features"
 
@@ -1339,6 +1348,9 @@ msgstr "Is there anything else you would like us to know? (optional)"
 msgid "It may take up to 5 minutes before the device is logged out."
 msgstr "It may take up to 5 minutes before the device is logged out."
 
+msgid "It takes up to 5 minutes for changes to reach all users."
+msgstr "It takes up to 5 minutes for changes to reach all users."
+
 msgid "Italian"
 msgstr "Italian"
 
@@ -1955,6 +1967,9 @@ msgstr "Powered by"
 msgid "Pozole rojo"
 msgstr "Pozole rojo"
 
+msgid "Preference updated successfully"
+msgstr "Preference updated successfully"
+
 msgid "Preferences"
 msgstr "Preferences"
 
@@ -2666,6 +2681,9 @@ msgstr "Toggle bold"
 msgid "Toggle buttons"
 msgstr "Toggle buttons"
 
+msgid "Toggle features available to your account."
+msgstr "Toggle features available to your account."
+
 msgid "Toggle group"
 msgstr "Toggle group"
 
diff --git a/application/account/WebApp/tests/e2e/back-office-flows.spec.ts b/application/account/WebApp/tests/e2e/back-office-flows.spec.ts
index c17cfd0e2..8684608e9 100644
--- a/application/account/WebApp/tests/e2e/back-office-flows.spec.ts
+++ b/application/account/WebApp/tests/e2e/back-office-flows.spec.ts
@@ -2,6 +2,7 @@ import { expect, request } from "@playwright/test";
 import { test } from "@shared/e2e/fixtures/page-auth";
 import { getBackOfficeBaseUrl, getBaseUrl } from "@shared/e2e/utils/constants";
 import { createTestContext } from "@shared/e2e/utils/test-assertions";
+import { logInAsAdmin } from "@shared/e2e/utils/test-data";
 import { step } from "@shared/e2e/utils/test-step-wrapper";
 
 const BACK_OFFICE_BASE_URL = getBackOfficeBaseUrl();
@@ -15,7 +16,10 @@ test.describe("@smoke", () => {
    * the accounts route, and the tenant detail route in one journey so any regression to the back-office
    * shell trips this test on every deployment.
    */
-  test("should log in to back-office, render dashboard, and load tenant detail", async ({ browser }) => {
+  test("should log in to back-office, render dashboard, and load tenant detail", async ({ ownerPage, browser }) => {
+    // ownerPage fixture provisions a tenant for this worker so the back-office Accounts list is non-empty
+    // even when this test runs before signup-driven tests on a fresh database.
+    createTestContext(ownerPage);
     const backOfficeContext = await browser.newContext({ baseURL: BACK_OFFICE_BASE_URL, ignoreHTTPSErrors: true });
     const page = await backOfficeContext.newPage();
     createTestContext(page);
@@ -23,11 +27,7 @@ test.describe("@smoke", () => {
     await step("Log in as Admin via MockEasyAuth & verify redirect to back-office dashboard")(async () => {
       await page.goto(`${BACK_OFFICE_BASE_URL}/`);
 
-      await expect(page.getByRole("radio", { name: "Admin Log in with admin rights" })).toBeVisible();
-      await page.getByRole("radio", { name: "Admin Log in with admin rights" }).click();
-      await page.getByRole("button", { name: "Log in" }).click();
-
-      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/`);
+      await logInAsAdmin(page, `${BACK_OFFICE_BASE_URL}/`);
       await expect(page.getByRole("heading", { name: "Dashboard" })).toBeVisible();
     })();
 
@@ -93,11 +93,7 @@ test.describe("@comprehensive", () => {
     await step("Log in as Admin via MockEasyAuth & verify dashboard loads")(async () => {
       await page.goto(`${BACK_OFFICE_BASE_URL}/`);
 
-      await expect(page.getByRole("radio", { name: "Admin Log in with admin rights" })).toBeVisible();
-      await page.getByRole("radio", { name: "Admin Log in with admin rights" }).click();
-      await page.getByRole("button", { name: "Log in" }).click();
-
-      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/`);
+      await logInAsAdmin(page, `${BACK_OFFICE_BASE_URL}/`);
     })();
 
     // === DRIFT BANNER ===
diff --git a/application/account/WebApp/tests/e2e/feature-flag-flows.spec.ts b/application/account/WebApp/tests/e2e/feature-flag-flows.spec.ts
new file mode 100644
index 000000000..33ea40a56
--- /dev/null
+++ b/application/account/WebApp/tests/e2e/feature-flag-flows.spec.ts
@@ -0,0 +1,556 @@
+import { expect, type Page } from "@playwright/test";
+import { test } from "@shared/e2e/fixtures/page-auth";
+import { getBackOfficeBaseUrl } from "@shared/e2e/utils/constants";
+import {
+  blurActiveElement,
+  createTestContext,
+  expectFeatureFlagHeaderResponse,
+  expectToastMessage
+} from "@shared/e2e/utils/test-assertions";
+import { logInAsAdmin } from "@shared/e2e/utils/test-data";
+import { step } from "@shared/e2e/utils/test-step-wrapper";
+
+const BACK_OFFICE_BASE_URL = getBackOfficeBaseUrl();
+
+// Both tests in this file mutate the shared `beta-features` rollout pin. Playwright runs @smoke and
+// @comprehensive in separate projects (see playwright.config.ts), so file-level serial mode would NOT
+// serialize across projects. Instead, both tests target the same idempotent end state (active +
+// rollout=100 + no override on the worker tenant): each test activates the flag and pins rollout to
+// 100 at the start, removes any leftover Test Organization override before driving the toggle steps,
+// and at cleanup re-pins rollout to 100 and removes the override rather than resetting to 0.
+// Concurrent runs converge to the same activate/rollout end state; the override-toggle steps must
+// remain reload-free between clicks so a concurrent cleanup can't DELETE an override mid-sequence.
+
+// SPA shells inject the antiforgery token into a `<meta name="antiforgeryToken">` tag at runtime.
+// Back-office mutation endpoints removed `.DisableAntiforgery()`, so Playwright API calls now have to
+// send `x-xsrf-token` just like the SPA's fetch middleware does. The antiforgery cookie ships with
+// the page context automatically.
+async function getAntiforgeryHeaders(page: Page): Promise<{ "x-xsrf-token": string }> {
+  const token = await page.evaluate(
+    () => document.head.querySelector('meta[name="antiforgeryToken"]')?.getAttribute("content") ?? ""
+  );
+  return { "x-xsrf-token": token };
+}
+
+// Activate the flag and pin rollout to 100 — both are idempotent and the test relies on tenants
+// evaluating Enabled. The flag may have been deactivated by a prior @comprehensive run (or human),
+// in which case rollout alone produces an empty Accounts table.
+async function activateAndPinRollout(page: Page, flagKey: string, rolloutPercentage: number): Promise<void> {
+  const headers = await getAntiforgeryHeaders(page);
+  const activateResponse = await page.request.put(
+    `${BACK_OFFICE_BASE_URL}/api/back-office/feature-flags/${flagKey}/activate`,
+    { headers }
+  );
+  expect(activateResponse.ok()).toBe(true);
+
+  const rolloutResponse = await page.request.put(
+    `${BACK_OFFICE_BASE_URL}/api/back-office/feature-flags/${flagKey}/rollout-percentage`,
+    { data: { rolloutPercentage }, headers }
+  );
+  expect(rolloutResponse.ok()).toBe(true);
+}
+
+// Remove every tenant-override on `flagKey` across the entire database. The override toggles in
+// @smoke pick the first "Test Organization" row, but the back-office tables interleave every
+// worker's tenant (and stale rows from old runs), so the .first() row is unpredictable unless we
+// scrub overrides upfront. Doing this once at the start (and once at the end) keeps the cross-test
+// state symmetric without leaking implementation details (the cleanup endpoint is internal).
+async function removeAllTenantOverrides(page: Page, flagKey: string): Promise<void> {
+  const headers = await getAntiforgeryHeaders(page);
+  // Always read page 0: every iteration deletes the current page, shifting the remaining records
+  // forward into the first page on the next query. Incrementing pageOffset against a shrinking
+  // result set would skip rows (e.g., with 250 overrides and pageSize=100, OFFSET=100 on the
+  // remaining 150 returns rows 200-249 of the original, leaving rows 100-199 untouched).
+  const pageSize = 100;
+  while (true) {
+    const response = await page.request.get(
+      `${BACK_OFFICE_BASE_URL}/api/back-office/feature-flags/${flagKey}/tenants?HasOverride=true&PageSize=${pageSize}&PageOffset=0`
+    );
+    expect(response.ok()).toBe(true);
+    const body = await response.json();
+    const tenants = body.tenants as { id: string }[];
+    if (tenants.length === 0) return;
+
+    for (const tenant of tenants) {
+      const deleteResponse = await page.request.delete(
+        `${BACK_OFFICE_BASE_URL}/api/back-office/feature-flags/${flagKey}/tenant-override?tenantId=${tenant.id}`,
+        { headers }
+      );
+      // 200 = override existed and was removed; 404 = override raced away (e.g., concurrent worker).
+      expect([200, 404]).toContain(deleteResponse.status());
+    }
+    if (tenants.length < pageSize) return;
+  }
+}
+
+test.describe("@smoke", () => {
+  // Holds the already-logged-in back-office page from the test body so the afterEach can reuse it
+  // for the cleanup PUTs (one MockEasyAuth roundtrip instead of two). Falls back to spinning up a
+  // fresh context if the test failed before the back-office login completed.
+  let backOfficePageForCleanup: Page | null = null;
+
+  // Restore the idempotent end state (beta-features active, rollout=100, no Test Organization
+  // override) after every test, including failures. Without this hook a mid-test failure between
+  // the start-of-test scrub and the end-of-test scrub would leak the override into subsequent runs.
+  test.afterEach(async ({ browser }) => {
+    if (backOfficePageForCleanup) {
+      await removeAllTenantOverrides(backOfficePageForCleanup, "beta-features");
+      await activateAndPinRollout(backOfficePageForCleanup, "beta-features", 100);
+      await backOfficePageForCleanup.context().close();
+      backOfficePageForCleanup = null;
+      return;
+    }
+
+    const cleanupContext = await browser.newContext({ baseURL: BACK_OFFICE_BASE_URL, ignoreHTTPSErrors: true });
+    const cleanupPage = await cleanupContext.newPage();
+
+    await cleanupPage.goto(`${BACK_OFFICE_BASE_URL}/feature-flags`);
+    await logInAsAdmin(cleanupPage, `${BACK_OFFICE_BASE_URL}/feature-flags`);
+    await removeAllTenantOverrides(cleanupPage, "beta-features");
+    await activateAndPinRollout(cleanupPage, "beta-features", 100);
+
+    await cleanupContext.close();
+  });
+
+  /**
+   * FEATURE FLAG SYSTEM E2E TEST
+   *
+   * Tests the full feature flag management flow:
+   * - Back-office flag list: view flags grouped by scope (Account, Plan, User, System)
+   * - Back-office flag detail: navigate into account-scoped flag, search by name, toggle override pair, set A/B rollout percentage
+   * - Account settings: verify Features section, toggle account-scoped account-overview flag
+   * - User preferences: verify Beta features section, toggle user-scoped compact view flag
+   * - x-user-feature-flags propagation: AppGateway emits the header on every authenticated response;
+   *   owner and user self-toggles trigger AddRefreshAuthenticationTokens so the same response cycle
+   *   already carries the updated flag set (no waiting for the next 5-min JWT refresh boundary).
+   */
+  test("should manage feature flags across back-office, account settings & user preferences", async ({
+    ownerPage,
+    browser
+  }) => {
+    const ownerContext = createTestContext(ownerPage);
+    const backOfficeContext = await browser.newContext({ baseURL: BACK_OFFICE_BASE_URL, ignoreHTTPSErrors: true });
+    const page = await backOfficeContext.newPage();
+    const context = createTestContext(page);
+
+    await step("Log in as Admin via MockEasyAuth & verify redirect to feature flags page")(async () => {
+      await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags`);
+
+      await logInAsAdmin(page, `${BACK_OFFICE_BASE_URL}/feature-flags`);
+    })();
+
+    // Hand the logged-in back-office page to afterEach so the cleanup PUTs reuse this session
+    // rather than spinning up a third browser context.
+    backOfficePageForCleanup = page;
+
+    // === BACK-OFFICE FLAG LIST ===
+
+    await step("Load feature flags page & verify flags grouped by scope")(async () => {
+      await expect(page.getByRole("heading", { name: "Feature flags" })).toBeVisible();
+
+      const accountTable = page.getByRole("table", { name: "Account flags" });
+      await expect(accountTable.getByText("Beta features")).toBeVisible();
+      await expect(accountTable.getByText("Account overview page")).toBeVisible();
+
+      const planTable = page.getByRole("table", { name: "Plan flags" });
+      await expect(planTable.getByText("Single sign-on")).toBeVisible();
+
+      const userTable = page.getByRole("table", { name: "User flags" });
+      await expect(userTable.getByText("Compact view")).toBeVisible();
+
+      const systemTable = page.getByRole("table", { name: "System flags" });
+      await expect(systemTable.getByText("Google OAuth")).toBeVisible();
+      await expect(systemTable.getByText("Subscriptions")).toBeVisible();
+    })();
+
+    // === BACK-OFFICE FLAG DETAIL ===
+
+    const accountsTable = page.getByRole("table", { name: "Accounts" });
+    const testOrgRow = accountsTable.getByRole("row").filter({ hasText: "Test Organization" }).first();
+
+    await step("Click into beta-features flag detail & verify detail page loads")(async () => {
+      const accountTable = page.getByRole("table", { name: "Account flags" });
+      const betaRow = accountTable.locator("tr").filter({ hasText: "Beta features" });
+      await betaRow.click();
+
+      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+      await expect(page.getByRole("heading", { name: "Account status" })).toBeVisible();
+    })();
+
+    // Both @smoke and @comprehensive mutate the shared beta-features rollout; both leave it at 100
+    // and remove any tenant-override they created, so cross-test ordering is deterministic.
+    await step("Activate beta-features and pin rollout to 100 via back-office API & verify tenants evaluate enabled")(
+      async () => {
+        await activateAndPinRollout(page, "beta-features", 100);
+      }
+    )();
+
+    await step("Remove all leftover tenant overrides for beta-features & verify clean precondition")(async () => {
+      await removeAllTenantOverrides(page, "beta-features");
+      // The detail page caches tenant override state in TanStack Query; the API DELETEs above
+      // don't invalidate that cache. Reload so the next steps see post-cleanup data.
+      await page.reload();
+      await expect(page.getByRole("heading", { name: "Account status" })).toBeVisible();
+    })();
+
+    await step("Switch to the All state filter and search by Test Organization & verify a matching row renders")(
+      async () => {
+        await page.getByRole("group", { name: "State" }).getByRole("button", { name: "All" }).click();
+        await page.getByRole("searchbox", { name: "Search" }).fill("Test Organization");
+
+        await expect(page).toHaveURL((url) => url.searchParams.get("tenantsSearch") === "Test Organization");
+        await expect(testOrgRow).toBeVisible();
+      }
+    )();
+
+    // Tenant override toggle starts ON because rollout=100; first click writes a disable-override,
+    // second flips to enable-override. Cleanup deletes the override so the next run starts from the
+    // same precondition.
+    await step(
+      "Click the Test Organization switch from default-enabled to disabled & verify disable toast and switch off"
+    )(async () => {
+      const overrideSwitch = testOrgRow.getByRole("switch");
+      await overrideSwitch.click();
+
+      await expectToastMessage(context, "Beta features");
+      await expect(overrideSwitch).not.toBeChecked();
+    })();
+
+    await step(
+      "Click the Test Organization switch back from disabled override to enabled override & verify enable toast and switch on"
+    )(async () => {
+      const overrideSwitch = testOrgRow.getByRole("switch");
+      await overrideSwitch.click();
+
+      await expectToastMessage(context, "Beta features");
+      await expect(overrideSwitch).toBeChecked();
+    })();
+
+    await step("Remove all tenant overrides for beta-features via back-office API & verify clean end state")(
+      async () => {
+        await removeAllTenantOverrides(page, "beta-features");
+      }
+    )();
+
+    await step("Set A/B rollout percentage to 42 via the rollout input & verify toast and input value")(async () => {
+      const percentageInput = page.getByLabel("Rollout %");
+      await percentageInput.fill("42");
+      await blurActiveElement(page);
+
+      await expectToastMessage(context, "Rollout percentage updated");
+      await expect(percentageInput).toHaveValue("42");
+    })();
+
+    await step("Navigate back to flag list & verify return to list page")(async () => {
+      await page.getByRole("link", { name: "Back to feature flags" }).click();
+
+      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags`);
+      await expect(page.getByRole("heading", { name: "Feature flags" })).toBeVisible();
+    })();
+
+    // Globally activating non-kill-switch flags (account-overview, compact-view) was previously
+    // tested here, but the ActivateFeatureFlagValidator now rejects flags whose definition has
+    // `IsKillSwitchEnabled: false` with a 400. The activation surface for those flags is the
+    // owner-scoped tenant-override and the user-scoped user-override toggles exercised below.
+    // The back-office context stays open so afterEach reuses its logged-in admin session.
+
+    // === ACCOUNT SETTINGS: ACCOUNT FEATURE FLAGS ===
+
+    await step("Navigate to account settings & verify Features section with account flags")(async () => {
+      await ownerPage.goto("/account/settings");
+
+      await expect(ownerPage.getByRole("heading", { name: "Features" })).toBeVisible();
+      await expect(ownerPage.getByText("Account overview page")).toBeVisible();
+    })();
+
+    await step("Toggle account-overview flag ON & verify response carries x-user-feature-flags with account-overview")(
+      async () => {
+        const toggle = ownerPage.getByRole("switch", { name: "Account overview page" });
+
+        await expectFeatureFlagHeaderResponse(ownerPage, toggle, {
+          urlSubstring: "/api/account/feature-flags/account-overview/tenant-override",
+          expectedFlag: "account-overview",
+          shouldContain: true
+        });
+
+        await expectToastMessage(ownerContext, "Feature updated");
+        await expect(toggle).toBeChecked();
+      }
+    )();
+
+    await step("Navigate to /account with account-overview ON & verify the dashboard heading renders")(async () => {
+      await ownerPage.goto("/account");
+
+      await expect(ownerPage).toHaveURL("/account");
+      await expect(ownerPage.getByRole("heading", { name: "Account overview" })).toBeVisible();
+    })();
+
+    await step("Return to account settings & verify Features section ready for next toggle")(async () => {
+      await ownerPage.goto("/account/settings");
+
+      await expect(ownerPage.getByRole("heading", { name: "Features" })).toBeVisible();
+    })();
+
+    await step("Toggle account-overview flag OFF & verify response x-user-feature-flags no longer contains it")(
+      async () => {
+        const toggle = ownerPage.getByRole("switch", { name: "Account overview page" });
+
+        await expectFeatureFlagHeaderResponse(ownerPage, toggle, {
+          urlSubstring: "/api/account/feature-flags/account-overview/tenant-override",
+          expectedFlag: "account-overview",
+          shouldContain: false
+        });
+
+        await expectToastMessage(ownerContext, "Feature updated");
+        await expect(toggle).not.toBeChecked();
+      }
+    )();
+
+    await step("Navigate to /account with account-overview OFF & verify redirect to /account/users")(async () => {
+      await ownerPage.goto("/account");
+
+      await expect(ownerPage).toHaveURL("/account/users");
+      await expect(ownerPage.getByRole("heading", { name: "Users" })).toBeVisible();
+    })();
+
+    // === USER PREFERENCES: USER FEATURE FLAGS ===
+
+    await step("Navigate to user preferences & verify Feature preferences section with user flags")(async () => {
+      await ownerPage.goto("/user/preferences");
+
+      // The section was renamed from "Beta features" to "Feature preferences" when the toggle list
+      // grew to surface every user-configurable feature flag, not just the Beta features flag.
+      await expect(ownerPage.getByRole("heading", { name: "Feature preferences" })).toBeVisible();
+      await expect(ownerPage.getByText("Compact view")).toBeVisible();
+    })();
+
+    await step("Toggle compact view user flag ON & verify response carries x-user-feature-flags with compact-view")(
+      async () => {
+        const toggle = ownerPage.getByRole("switch", { name: "Compact view" });
+
+        await expectFeatureFlagHeaderResponse(ownerPage, toggle, {
+          urlSubstring: "/api/account/feature-flags/compact-view/user-override",
+          expectedFlag: "compact-view",
+          shouldContain: true
+        });
+
+        await expectToastMessage(ownerContext, "Preference updated");
+        await expect(toggle).toBeChecked();
+      }
+    )();
+
+    await step("Toggle compact view flag OFF & verify response x-user-feature-flags no longer contains it")(
+      async () => {
+        const toggle = ownerPage.getByRole("switch", { name: "Compact view" });
+
+        await expectFeatureFlagHeaderResponse(ownerPage, toggle, {
+          urlSubstring: "/api/account/feature-flags/compact-view/user-override",
+          expectedFlag: "compact-view",
+          shouldContain: false
+        });
+
+        await expectToastMessage(ownerContext, "Preference updated");
+        await expect(toggle).not.toBeChecked();
+      }
+    )();
+
+    // Cleanup (remove overrides + re-activate with rollout=100) runs in test.afterEach so it
+    // executes on both success and failure paths.
+  });
+});
+
+test.describe("@comprehensive", () => {
+  /**
+   * FEATURE FLAG DETAIL FILTER & PAGINATION E2E TEST
+   *
+   * Tests the toolbar and pagination on /feature-flags/{flagKey}. Preconditions
+   * pin beta-features rollout to 100 via the back-office API so every tenant
+   * evaluates enabled regardless of cold-DB state, then restore it at the end.
+   * - Tenants tab: default load has the URL bare and the Enabled chip pressed
+   * - Tenants tab: clicking Disabled from default switches the URL to tenantsState=All
+   * - Tenants tab: reloading from `?tenantsState=All` shows BOTH chips pressed
+   * - Tenants tab: clicking Enabled from the All view yields tenantsState=Disabled with only Disabled pressed
+   * - Tenants tab: search debounces and narrows the visible rows via tenantsSearch
+   * - Tenants tab: plan chip toggles tenantsPlans=["Premium"] and unpresses when toggled off
+   * - Tenants tab: re-pinning rollout=100 keeps the Enabled view non-empty with the worker tenant
+   * - Users tab (compact-view flag): role chip filters down to usersRoles=["Owner"]
+   */
+  test("should filter and paginate tenants and users on the feature flag detail page", async ({
+    ownerPage,
+    browser
+  }) => {
+    // ownerPage fixture provisions a tenant for this worker so the Accounts table is non-empty in
+    // Enabled state even when this test runs before signup-driven tests on a fresh database.
+    createTestContext(ownerPage);
+    const backOfficeContext = await browser.newContext({ baseURL: BACK_OFFICE_BASE_URL, ignoreHTTPSErrors: true });
+    const page = await backOfficeContext.newPage();
+    createTestContext(page);
+
+    await step("Log in as Admin via MockEasyAuth & verify redirect to beta-features detail")(async () => {
+      await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+
+      await logInAsAdmin(page, `${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+      await expect(page.getByRole("heading", { name: "Account status" })).toBeVisible();
+    })();
+
+    // Both @smoke and @comprehensive mutate the shared beta-features rollout; both leave it active
+    // with rollout=100 so cross-test ordering is deterministic.
+    await step("Activate beta-features and pin rollout to 100 via back-office API & verify tenants evaluate enabled")(
+      async () => {
+        await activateAndPinRollout(page, "beta-features", 100);
+      }
+    )();
+
+    // === TENANTS: STATE CHIPS (single-select; default Enabled pressed; All/Enabled/Disabled exclusive) ===
+
+    const accountsTable = page.getByRole("table", { name: "Accounts" });
+    const stateGroup = page.getByRole("group", { name: "State" });
+    const allChip = stateGroup.getByRole("button", { name: "All" });
+    const enabledChip = stateGroup.getByRole("button", { name: "Enabled" });
+    const disabledChip = stateGroup.getByRole("button", { name: "Disabled" });
+
+    await step("Reload bare URL & verify Enabled chip is pressed by default and the other chips are unpressed")(
+      async () => {
+        await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+
+        await expect(enabledChip).toHaveAttribute("aria-pressed", "true");
+        await expect(disabledChip).toHaveAttribute("aria-pressed", "false");
+        await expect(allChip).toHaveAttribute("aria-pressed", "false");
+        await expect(accountsTable).toBeVisible();
+      }
+    )();
+
+    await step("Click Disabled chip from default & verify URL switches to Disabled and only Disabled is pressed")(
+      async () => {
+        await disabledChip.click();
+
+        await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features?tenantsState=Disabled`);
+        await expect(disabledChip).toHaveAttribute("aria-pressed", "true");
+        await expect(enabledChip).toHaveAttribute("aria-pressed", "false");
+        // Note: with rollout=100 and no explicit Disabled overrides, the Disabled filter yields zero
+        // tenants and the UI shows the Empty state instead of the Accounts table. The chip behavior
+        // is fully verified above; the table rendering is exercised by the Enabled step.
+      }
+    )();
+
+    await step("Click All chip from Disabled & verify URL switches to All and only All is pressed")(async () => {
+      await allChip.click();
+
+      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features?tenantsState=All`);
+      await expect(allChip).toHaveAttribute("aria-pressed", "true");
+      await expect(enabledChip).toHaveAttribute("aria-pressed", "false");
+      await expect(disabledChip).toHaveAttribute("aria-pressed", "false");
+    })();
+
+    await step("Reload from the All URL & verify only the All chip is pressed")(async () => {
+      await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features?tenantsState=All`);
+
+      await expect(allChip).toHaveAttribute("aria-pressed", "true");
+      await expect(enabledChip).toHaveAttribute("aria-pressed", "false");
+      await expect(disabledChip).toHaveAttribute("aria-pressed", "false");
+    })();
+
+    await step("Click Enabled chip from the All state & verify URL drops the state param and only Enabled is pressed")(
+      async () => {
+        await enabledChip.click();
+
+        await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+        await expect(enabledChip).toHaveAttribute("aria-pressed", "true");
+        await expect(allChip).toHaveAttribute("aria-pressed", "false");
+        await expect(disabledChip).toHaveAttribute("aria-pressed", "false");
+      }
+    )();
+
+    // === TENANTS: SEARCH ===
+
+    const searchBox = page.getByRole("searchbox", { name: "Search" });
+
+    await step("Reload bare URL & verify default Enabled state and search box is empty")(async () => {
+      await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+
+      await expect(enabledChip).toHaveAttribute("aria-pressed", "true");
+      await expect(searchBox).toHaveValue("");
+    })();
+
+    await step("Type into search box & verify URL contains debounced search term and the table re-renders")(
+      async () => {
+        await searchBox.fill("Test Organization");
+
+        await expect(page).toHaveURL((url) => url.searchParams.get("tenantsSearch") === "Test Organization");
+        await expect(accountsTable.getByRole("row").filter({ hasText: "Test Organization" }).first()).toBeVisible();
+      }
+    )();
+
+    await step("Clear search via Clear search button & verify URL drops the search param")(async () => {
+      await page.getByRole("button", { name: "Clear search" }).click();
+
+      await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+    })();
+
+    // === TENANTS: PLAN FILTER ===
+
+    const premiumChip = page.getByRole("group", { name: "Plan" }).getByRole("button", { name: "Premium" });
+
+    await step("Click Premium plan chip & verify URL serializes the plan array and the chip is pressed")(async () => {
+      await premiumChip.click();
+
+      await expect(page).toHaveURL((url) => url.searchParams.get("tenantsPlans") === '["Premium"]');
+      await expect(premiumChip).toHaveAttribute("aria-pressed", "true");
+    })();
+
+    await step("Click Premium plan chip again & verify chip is unpressed and the URL drops the plan filter")(
+      async () => {
+        await premiumChip.click();
+
+        await expect(premiumChip).toHaveAttribute("aria-pressed", "false");
+        await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/feature-flags/beta-features`);
+      }
+    )();
+
+    await step("Reload accounts table & verify the worker tenant renders in the Enabled view")(async () => {
+      await page.reload();
+
+      await expect(accountsTable.locator("tbody tr").first()).toBeVisible();
+    })();
+
+    // === USERS: ROLE FILTER ===
+
+    await step(
+      "Navigate to compact-view user-scoped flag & verify default Enabled chip is pressed, then click All to render Users table"
+    )(async () => {
+      await page.goto(`${BACK_OFFICE_BASE_URL}/feature-flags/compact-view`);
+
+      await expect(page.getByRole("heading", { name: "User status" })).toBeVisible();
+      await expect(page.getByRole("group", { name: "State" }).getByRole("button", { name: "Enabled" })).toHaveAttribute(
+        "aria-pressed",
+        "true"
+      );
+
+      // compact-view is ConfigurableByUser (not A/B-eligible), so no user is Enabled by default.
+      // Click All to ensure the Users table renders the worker tenant's users for the role chip test below.
+      await page.getByRole("group", { name: "State" }).getByRole("button", { name: "All" }).click();
+      await expect(page.getByRole("table", { name: "Users" })).toBeVisible();
+    })();
+
+    const ownerChip = page.getByRole("group", { name: "Role" }).getByRole("button", { name: "Owner" });
+
+    await step("Click Owner role chip & verify URL serializes the role array and the chip is pressed")(async () => {
+      await ownerChip.click();
+
+      await expect(page).toHaveURL((url) => url.searchParams.get("usersRoles") === '["Owner"]');
+      await expect(ownerChip).toHaveAttribute("aria-pressed", "true");
+    })();
+
+    // === CLEANUP: remove any tenant overrides + re-activate + pin beta-features rollout to 100 ===
+    // (idempotent end state shared with @smoke — enforced inside this step, not by earlier step ordering)
+
+    await step(
+      "Remove all beta-features tenant overrides and re-pin rollout to 100 via back-office API & verify idempotent end state"
+    )(async () => {
+      await removeAllTenantOverrides(page, "beta-features");
+      await activateAndPinRollout(page, "beta-features", 100);
+    })();
+
+    await backOfficeContext.close();
+  });
+});
diff --git a/application/account/WebApp/tests/e2e/global-ui-flows.spec.ts b/application/account/WebApp/tests/e2e/global-ui-flows.spec.ts
index a6c5b1daa..f95393be9 100644
--- a/application/account/WebApp/tests/e2e/global-ui-flows.spec.ts
+++ b/application/account/WebApp/tests/e2e/global-ui-flows.spec.ts
@@ -18,11 +18,13 @@ test.describe("@comprehensive", () => {
   test("should handle theme switching with persistence across viewport sizes", async ({ ownerPage }) => {
     createTestContext(ownerPage);
 
-    await step("Navigate to admin dashboard & verify default light theme and CSP nonce")(async () => {
-      const response = await ownerPage.goto("/account");
+    await step("Navigate to users page & verify default light theme and CSP nonce")(async () => {
+      // The /account dashboard route is gated by the account-overview flag (off by default for
+      // new tenants). Land on /account/users directly so this test isn't coupled to the flag.
+      const response = await ownerPage.goto("/account/users");
 
-      // Verify dashboard loads with default light theme
-      await expect(ownerPage.getByRole("heading", { name: "Overview" })).toBeVisible();
+      // Verify page loads with default light theme
+      await expect(ownerPage.getByRole("heading", { name: "Users" })).toBeVisible();
       await expect(ownerPage.locator("html")).not.toHaveClass("dark");
 
       // Verify CSP nonce is configured in meta tag and response headers
@@ -38,7 +40,7 @@ test.describe("@comprehensive", () => {
 
     await step("Navigate to preferences page & select dark theme")(async () => {
       await ownerPage.goto("/user/preferences");
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await ownerPage.getByRole("button", { name: "Dark" }).click();
 
@@ -48,7 +50,7 @@ test.describe("@comprehensive", () => {
     await step("Reload page & verify dark theme persists")(async () => {
       await ownerPage.reload();
 
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
       await expect(ownerPage.locator("html")).toHaveClass("dark");
     })();
 
@@ -62,7 +64,7 @@ test.describe("@comprehensive", () => {
 
     await step("Navigate to preferences & select system theme")(async () => {
       await ownerPage.goto("/user/preferences");
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await ownerPage.getByRole("button", { name: "System" }).click();
 
@@ -81,7 +83,7 @@ test.describe("@comprehensive", () => {
 
     await step("Navigate to preferences at 4K & select dark theme")(async () => {
       await ownerPage.goto("/user/preferences");
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await ownerPage.getByRole("button", { name: "Dark" }).click();
 
@@ -121,7 +123,7 @@ test.describe("@comprehensive", () => {
 
     await step("Navigate to preferences on mobile & switch to light theme")(async () => {
       await ownerPage.goto("/user/preferences");
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await ownerPage.getByRole("button", { name: "Light" }).click();
 
@@ -140,7 +142,7 @@ test.describe("@comprehensive", () => {
 
     await step("Navigate to preferences & set dark theme before session test")(async () => {
       await ownerPage.goto("/user/preferences");
-      await expect(ownerPage.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(ownerPage.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await ownerPage.getByRole("button", { name: "Dark" }).click();
 
@@ -150,9 +152,9 @@ test.describe("@comprehensive", () => {
     await step("Open new browser tab & verify dark theme persists across sessions")(async () => {
       // Open a new tab in the same context to verify theme persistence
       const newPage = await ownerPage.context().newPage();
-      await newPage.goto("/account");
+      await newPage.goto("/account/users");
 
-      await expect(newPage.getByRole("heading", { name: "Overview" })).toBeVisible();
+      await expect(newPage.getByRole("heading", { name: "Users" })).toBeVisible();
       await expect(newPage.locator("html")).toHaveClass("dark");
 
       await newPage.close();
@@ -188,20 +190,22 @@ test.describe("@comprehensive", () => {
       await expect(page).toHaveURL("/dashboard");
       await expect(page.getByRole("heading", { name: "Your dashboard is empty" })).toBeVisible();
 
-      await page.goto("/account");
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
+      // The /account dashboard is gated by the account-overview feature flag (off by default for
+      // new tenants); land on /account/users directly so this test is decoupled from the flag.
+      await page.goto("/account/users");
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
     })();
 
     await step("Navigate to preferences & select dark theme")(async () => {
       await page.goto("/user/preferences");
-      await expect(page.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      await expect(page.getByRole("heading", { name: "User preferences", level: 1 })).toBeVisible();
 
       await page.getByRole("button", { name: "Dark" }).click();
 
       await expect(page.locator("html")).toHaveClass("dark");
 
-      await page.goto("/account");
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
+      await page.goto("/account/users");
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
     })();
 
     await step("Log out via User menu & verify dark theme persists on login page")(async () => {
@@ -218,7 +222,9 @@ test.describe("@comprehensive", () => {
       await expect(logoutMenuItem).toBeVisible();
       await logoutMenuItem.dispatchEvent("click");
 
-      await expect(page).toHaveURL("/login?returnPath=%2Faccount");
+      // After logout the returnPath reflects the last visited /account/users page (the dashboard
+      // route would have redirected here anyway with the account-overview flag off).
+      await expect(page).toHaveURL("/login?returnPath=%2Faccount%2Fusers");
       await expect(page.getByRole("heading", { name: "Hi! Welcome back" })).toBeVisible();
 
       // Dark theme should persist after logout
@@ -237,15 +243,16 @@ test.describe("@comprehensive", () => {
       await page.getByRole("textbox", { name: "Email" }).fill(existingUser.email);
       await page.getByRole("button", { name: "Log in with email" }).click();
 
-      await expect(page).toHaveURL("/login/verify?returnPath=%2Faccount");
+      await expect(page).toHaveURL("/login/verify?returnPath=%2Faccount%2Fusers");
       await typeOneTimeCode(page, getVerificationCode());
 
       // Wait for redirect after OTP verification
-      await expect(page).not.toHaveURL("/login/verify?returnPath=%2Faccount");
+      await expect(page).not.toHaveURL("/login/verify?returnPath=%2Faccount%2Fusers");
 
-      // Navigate to account
-      await page.goto("/account");
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
+      // Verify the user lands on /account/users (the dashboard route is gated by the
+      // account-overview flag which is off by default for new tenants).
+      await page.goto("/account/users");
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
     })();
 
     await step("Navigate to non-existent admin route & verify 404 page displays")(async () => {
@@ -263,9 +270,9 @@ test.describe("@comprehensive", () => {
     })();
 
     // === ERROR PAGE VIA KONAMI CODE ===
-    await step("Navigate to admin dashboard & enter Konami code to trigger error page")(async () => {
-      await page.goto("/account");
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
+    await step("Navigate to users page & enter Konami code to trigger error page")(async () => {
+      await page.goto("/account/users");
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
 
       await page.keyboard.press("ArrowUp");
       await page.keyboard.press("ArrowUp");
@@ -288,12 +295,12 @@ test.describe("@comprehensive", () => {
       await expect(page.getByText("Error triggered via Konami code.", { exact: true })).toBeVisible();
     })();
 
-    await step("Click Try again button & verify error page resets to admin dashboard")(async () => {
+    await step("Click Try again button & verify error page resets to users page")(async () => {
       context.monitoring.consoleMessages = [];
 
       await page.getByRole("button", { name: "Try again" }).click();
 
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
     })();
   });
 });
diff --git a/application/account/WebApp/tests/e2e/localization-flows.spec.ts b/application/account/WebApp/tests/e2e/localization-flows.spec.ts
index 261a7412b..95788e21c 100644
--- a/application/account/WebApp/tests/e2e/localization-flows.spec.ts
+++ b/application/account/WebApp/tests/e2e/localization-flows.spec.ts
@@ -119,8 +119,10 @@ test.describe("@comprehensive", () => {
 
       await page.getByRole("button", { name: "English" }).click();
 
-      // Language change triggers page reload
-      await expect(page.getByRole("heading", { name: "Preferences" })).toBeVisible();
+      // Language change triggers page reload. The User preferences screen now renders both a "User
+      // preferences" h1 and a "Feature preferences" h3, so match the exact h1 to avoid strict-mode
+      // collisions on the substring "Preferences".
+      await expect(page.getByRole("heading", { name: "User preferences", exact: true })).toBeVisible();
 
       await expect(page.evaluate(() => localStorage.getItem("preferred-locale"))).resolves.toBe("en-US");
     })();
diff --git a/application/account/WebApp/tests/e2e/tenant-switching-flows.spec.ts b/application/account/WebApp/tests/e2e/tenant-switching-flows.spec.ts
index 01571c08a..0374cdc72 100644
--- a/application/account/WebApp/tests/e2e/tenant-switching-flows.spec.ts
+++ b/application/account/WebApp/tests/e2e/tenant-switching-flows.spec.ts
@@ -45,6 +45,10 @@ test.describe("@comprehensive", () => {
     const secondaryTenantName = `Secondary-${timestamp}`;
     const tertiaryTenantName = `Tertiary-${timestamp}`;
 
+    // The last accepted invitation tenant (set after both invitations are accepted)
+    // Invitation order is non-deterministic, so we capture which tenant was accepted last
+    let lastAcceptedTenantName = "";
+
     // === SINGLE TENANT DISPLAY ===
     await step("Create single tenant & verify dropdown is hidden")(async () => {
       await completeSignupFlow(page1, expect, user, testContext1);
@@ -187,12 +191,12 @@ test.describe("@comprehensive", () => {
       await expect(accountMenuButton).toBeVisible();
     })();
 
-    // === TERTIARY TENANT INVITATION ACCEPTANCE ===
-    await step("Accept invitation for tertiary tenant & verify successful tenant switch")(async () => {
+    // === REMAINING INVITATION ACCEPTANCE ===
+    await step("Accept remaining invitation & verify successful tenant switch")(async () => {
       // Remaining pending invitation shows in banner
       await expect(page1.getByText("You have been invited to join")).toBeVisible();
 
-      // Click View invitation to accept the tertiary tenant invitation
+      // Click View invitation to accept the remaining invitation
       await page1.getByRole("button", { name: "View invitation" }).click();
 
       // Accept invitation dialog should appear for this tenant
@@ -205,9 +209,11 @@ test.describe("@comprehensive", () => {
       // Wait for navigation to complete after accepting invitation
       await expect(page1.locator('nav[aria-label="Main navigation"]')).toBeVisible();
 
-      // Account menu now shows the tertiary tenant name
+      // Capture which tenant the user ended up on (invitation order is non-deterministic)
       const accountMenuButton = page1.getByRole("button", { name: "User menu" });
-      await expect(accountMenuButton).toContainText(tertiaryTenantName);
+      const menuText = await accountMenuButton.textContent();
+      lastAcceptedTenantName = [secondaryTenantName, tertiaryTenantName].find((name) => menuText?.includes(name)) ?? "";
+      expect(lastAcceptedTenantName).not.toBe("");
     })();
 
     // === OPEN SECOND TAB ===
@@ -220,19 +226,19 @@ test.describe("@comprehensive", () => {
       await expect(page1.locator('nav[aria-label="Main navigation"]')).toBeVisible();
       await expect(page2.locator('nav[aria-label="Main navigation"]')).toBeVisible();
 
-      // Both tabs should show the same tenant (tertiary)
-      await expect(page1.locator('nav[aria-label="Main navigation"]')).toContainText(tertiaryTenantName);
-      await expect(page2.locator('nav[aria-label="Main navigation"]')).toContainText(tertiaryTenantName);
+      // Both tabs should show the same tenant (last accepted)
+      await expect(page1.locator('nav[aria-label="Main navigation"]')).toContainText(lastAcceptedTenantName);
+      await expect(page2.locator('nav[aria-label="Main navigation"]')).toContainText(lastAcceptedTenantName);
     })();
 
     // === TENANT PREFERENCE PERSISTENCE ===
     await step("Logout and login again & verify tenant preference persists")(async () => {
       // Reuse the existing tenant button reference
       const navElement = page1.locator("nav").first();
-      const tenantButton = navElement.locator("button").filter({ hasText: tertiaryTenantName });
+      const tenantButton = navElement.locator("button").filter({ hasText: lastAcceptedTenantName });
 
-      // Should still be on tertiary tenant
-      await expect(tenantButton).toContainText(tertiaryTenantName);
+      // Should still be on last accepted tenant
+      await expect(tenantButton).toContainText(lastAcceptedTenantName);
 
       // Logout
       testContext1.monitoring.expectedStatusCodes.push(401);
@@ -260,30 +266,30 @@ test.describe("@comprehensive", () => {
       // Wait for navigation to complete - no auth sync dialog since it's the same user
       await expect(page1.locator('nav[aria-label="Main navigation"]')).toBeVisible();
 
-      // Should login to tertiary tenant (last selected)
+      // Should login to last accepted tenant (last selected)
       const navElementAfter = page1.locator("nav").first();
-      const tenantButtonAfter = navElementAfter.locator("button").filter({ hasText: tertiaryTenantName });
-      await expect(tenantButtonAfter).toContainText(tertiaryTenantName);
+      const tenantButtonAfter = navElementAfter.locator("button").filter({ hasText: lastAcceptedTenantName });
+      await expect(tenantButtonAfter).toContainText(lastAcceptedTenantName);
 
-      // page2 also shows tertiary tenant when navigated
+      // page2 also shows last accepted tenant when navigated
       await page2.goto("/account");
       await expect(page2.locator('nav[aria-label="Main navigation"]')).toBeVisible();
-      await expect(page2.locator('nav[aria-label="Main navigation"]')).toContainText(tertiaryTenantName);
+      await expect(page2.locator('nav[aria-label="Main navigation"]')).toContainText(lastAcceptedTenantName);
     })();
 
     // === TENANT CONTEXT ACROSS NAVIGATION ===
     await step("Navigate across pages & verify tenant context remains consistent")(async () => {
       const accountMenuButton = page1.getByRole("button", { name: "User menu" });
 
-      // We're on tertiary tenant at this point
-      await expect(accountMenuButton).toContainText(tertiaryTenantName);
+      // We're on last accepted tenant at this point
+      await expect(accountMenuButton).toContainText(lastAcceptedTenantName);
 
       // Navigate to Users page
       await page1.goto("/account/users");
       await expect(page1.getByRole("heading", { name: "Users" })).toBeVisible();
 
       // Tenant should still be visible
-      await expect(accountMenuButton).toContainText(tertiaryTenantName);
+      await expect(accountMenuButton).toContainText(lastAcceptedTenantName);
 
       // Navigate to Account settings page
       await page1.goto("/account/settings");
@@ -291,7 +297,7 @@ test.describe("@comprehensive", () => {
 
       // Should show correct tenant name in account settings
       const accountNameInput = page1.getByRole("textbox", { name: "Account name" });
-      await expect(accountNameInput).toHaveValue(tertiaryTenantName);
+      await expect(accountNameInput).toHaveValue(lastAcceptedTenantName);
 
       // Switch to primary tenant via Account menu > Switch account submenu
       await accountMenuButton.dispatchEvent("click");
diff --git a/application/account/WebApp/tests/e2e/user-management-flows.spec.ts b/application/account/WebApp/tests/e2e/user-management-flows.spec.ts
index 6d187703d..69b5bcd10 100644
--- a/application/account/WebApp/tests/e2e/user-management-flows.spec.ts
+++ b/application/account/WebApp/tests/e2e/user-management-flows.spec.ts
@@ -510,6 +510,20 @@ test.describe("@comprehensive", () => {
       await expect(page.locator("tbody").first().first().locator("tr")).toHaveCount(3); // owner + 2 invited users
     })();
 
+    // === FEATURE FLAG PRECONDITION ===
+    await step("Enable the account-overview feature flag via settings & verify the toggle is checked")(async () => {
+      // The /account dashboard is gated by the account-overview feature flag (off by default for
+      // new tenants). Owners enable it via the Features section on /account/settings.
+      await page.goto("/account/settings");
+      await expect(page.getByRole("heading", { name: "Features" })).toBeVisible();
+
+      const toggle = page.getByRole("switch", { name: "Account overview page" });
+      await toggle.click();
+
+      await expectToastMessage(context, "Feature updated");
+      await expect(toggle).toBeChecked();
+    })();
+
     // === DASHBOARD METRICS SECTION ===
     await step("Navigate to dashboard & verify user count metrics display correctly")(async () => {
       await page.goto("/account/");
diff --git a/application/account/Workers/FeatureFlagDefinitionReconciler.cs b/application/account/Workers/FeatureFlagDefinitionReconciler.cs
new file mode 100644
index 000000000..33e4c3dc3
--- /dev/null
+++ b/application/account/Workers/FeatureFlagDefinitionReconciler.cs
@@ -0,0 +1,231 @@
+using System.Security.Cryptography;
+using System.Text;
+using Account.Database;
+using Account.Features;
+using Account.Features.FeatureFlags.Domain;
+using Microsoft.ApplicationInsights;
+using Microsoft.EntityFrameworkCore;
+using SharedKernel.FeatureFlags;
+using SharedKernel.Telemetry;
+
+namespace Account.Workers;
+
+/// <summary>
+///     Converges the <c>feature_flags</c> table to the C# definitions in
+///     <see cref="SharedKernel.FeatureFlags.FeatureFlags" /> on every worker startup. Replaces the
+///     deleted one-shot <c>SeedFeatureFlags</c> and <c>SeedPlanBasedFeatureFlags</c> data migrations
+///     with a converging path that handles future flag-definition changes (plan-tier transitions,
+///     flag removal) without writing new data migrations.
+///     For every non-System definition the reconciler ensures the global row exists with the correct
+///     <see cref="FeatureFlag.Source" />. The base row's IsActive state is set on creation (active
+///     when <see cref="FeatureFlagDefinition.IsKillSwitchEnabled" /> is <c>false</c>, inactive
+///     otherwise) and thereafter is owned by admins via Activate/Deactivate commands — the
+///     reconciler never flips it. Stale tenant overrides whose Source no longer matches the
+///     definition are removed (so
+///     <see cref="Features.FeatureFlags.Shared.PlanBasedFeatureFlagEvaluator" /> can rebuild them on
+///     the next login). Any DB row whose flag_key is not in the C# definitions is marked
+///     <see cref="FeatureFlag.OrphanedAt" /> at the current time. If a definition reuses a key that
+///     was previously soft-deleted, the reconciler throws to abort deployment.
+///     The reconciler is idempotent — a second pass on top of a converged DB produces no changes.
+///     Runs inline at Worker startup (NOT a BackgroundService) so that a failure aborts the process
+///     before it accepts traffic — better to fail to start than to run with inconsistent flag state.
+///     A PostgreSQL session-scoped advisory lock serializes concurrent reconciles across worker
+///     replicas during rolling deploys or KEDA scale-from-zero.
+/// </summary>
+public sealed class FeatureFlagDefinitionReconciler(
+    IFeatureFlagRepository featureFlagRepository,
+    AccountDbContext accountDbContext,
+    TimeProvider timeProvider,
+    ITelemetryEventsCollector telemetryEventsCollector,
+    TelemetryClient telemetryClient,
+    ILogger<FeatureFlagDefinitionReconciler> logger
+)
+{
+    // Stable per-reconciler advisory-lock key derived from the type name (mirrors DataMigrationRunner's
+    // BitConverter.ToInt64(SHA256(typeof(TContext).FullName)) pattern). Naming the key from the type
+    // namespace isolates it from the migration runner's lock so the two coexist on the same DB session.
+    private static readonly long AdvisoryLockKey = BitConverter.ToInt64(
+        SHA256.HashData(Encoding.UTF8.GetBytes(typeof(FeatureFlagDefinitionReconciler).FullName!))
+    );
+
+    public async Task ReconcileAsync(CancellationToken cancellationToken)
+    {
+        // Session-scoped advisory locks are PostgreSQL-only. In-memory SQLite tests run the same code
+        // path and would otherwise blow up on `no such function: pg_advisory_lock` — the cross-replica
+        // race the lock guards against cannot happen in a single-process unit test anyway.
+        var isPostgres = accountDbContext.Database.ProviderName is not "Microsoft.EntityFrameworkCore.Sqlite";
+
+        if (isPostgres)
+        {
+            await accountDbContext.Database.ExecuteSqlAsync(
+                $"SELECT pg_advisory_lock({AdvisoryLockKey})",
+                cancellationToken
+            );
+        }
+
+        try
+        {
+            await ReconcileInternalAsync(cancellationToken);
+        }
+        finally
+        {
+            if (isPostgres)
+            {
+                await accountDbContext.Database.ExecuteSqlAsync(
+                    $"SELECT pg_advisory_unlock({AdvisoryLockKey})",
+                    CancellationToken.None
+                );
+            }
+        }
+    }
+
+    private async Task ReconcileInternalAsync(CancellationToken cancellationToken)
+    {
+        var now = timeProvider.GetUtcNow();
+        var definitions = FeatureFlags.GetAll().Where(d => d.Scope != FeatureFlagScope.System).ToArray();
+
+        // Load every row up front so the per-definition reconcile loop is in-memory only. The same set
+        // also drives the orphan-marking pass below, so a single read replaces both a per-definition
+        // tenant-override query and the trailing all-rows query.
+        var allRows = await featureFlagRepository.GetAllRowsUnfilteredAsync(cancellationToken);
+        var baseRowsByKey = allRows.Where(r => r.TenantId is null).ToDictionary(r => r.FlagKey);
+        var overrideRowsByKey = allRows.Where(r => r.TenantId is not null).ToLookup(r => r.FlagKey);
+
+        var baseRowsCreated = 0;
+        var baseRowsRestored = 0;
+        var overrideRowsRestored = 0;
+        var sourceTransitions = 0;
+        var staleRowsRemoved = 0;
+
+        foreach (var definition in definitions)
+        {
+            var expectedSource = definition.RequiredPlan is not null ? FeatureFlagSource.Plan : FeatureFlagSource.Manual;
+            baseRowsByKey.TryGetValue(definition.Key, out var baseRow);
+
+            if (baseRow is null)
+            {
+                baseRow = FeatureFlag.Create(definition.Key, definition.Scope, expectedSource);
+                if (!definition.IsKillSwitchEnabled) baseRow.Activate(now);
+                await featureFlagRepository.AddAsync(baseRow, cancellationToken);
+                baseRowsCreated++;
+                logger.LogInformation(
+                    "Reconciler created base row for '{FlagKey}' (source '{Source}', scope '{Scope}', active '{IsActive}')",
+                    definition.Key, expectedSource, definition.Scope, baseRow.IsActive
+                );
+                continue;
+            }
+
+            // A deleted base row with the same key signals that an admin explicitly retired the flag.
+            // Reusing the key would conflate historical telemetry between the retired flag and a new one
+            // that happens to share the name, so deployment is aborted. Choose a different key, or
+            // manually clear DeletedAt in the database if you are sure you want to reuse it.
+            if (baseRow.DeletedAt is not null)
+            {
+                throw new InvalidOperationException(
+                    $"Feature flag '{definition.Key}' was previously deleted on {baseRow.DeletedAt:O}. Adding a new feature flag with the same name is not allowed."
+                );
+            }
+
+            // An orphaned (but not deleted) base row is back in code. This is the rollback / intentional
+            // reintroduction path — clear the timestamp so the row participates as a live flag again,
+            // preserving historical telemetry on the same row instead of starting a new one. Tenant/user
+            // override rows that were orphaned in the same sweep are restored alongside the base row;
+            // without this, the rollback would leave their OrphanedAt set and the evaluator would treat
+            // every previously-enabled tenant/user as if they had no override.
+            if (baseRow.OrphanedAt is not null)
+            {
+                baseRow.Restore();
+                featureFlagRepository.Update(baseRow);
+                baseRowsRestored++;
+
+                var overridesRestoredForFlag = 0;
+                foreach (var orphanedOverride in overrideRowsByKey[definition.Key].Where(r => r.OrphanedAt is not null))
+                {
+                    orphanedOverride.Restore();
+                    featureFlagRepository.Update(orphanedOverride);
+                    overridesRestoredForFlag++;
+                }
+
+                overrideRowsRestored += overridesRestoredForFlag;
+
+                telemetryEventsCollector.CollectEvent(new FeatureFlagRestoredByReconciler(definition.Key, overridesRestoredForFlag));
+                logger.LogInformation(
+                    "Reconciler restored '{FlagKey}' and {OverridesRestored} orphaned override rows after re-add to the C# definitions",
+                    definition.Key, overridesRestoredForFlag
+                );
+            }
+
+            // Converge if a definition changed scope (e.g., subtype renamed across scopes between deploys).
+            if (baseRow.Scope != definition.Scope)
+            {
+                baseRow.SetScope(definition.Scope);
+                featureFlagRepository.Update(baseRow);
+            }
+
+            if (baseRow.Source != expectedSource)
+            {
+                var fromSource = baseRow.Source;
+                // Walk both tenant- and user-scoped overrides: a flag whose scope was flipped (e.g.
+                // UserAbTestFlag retired, re-added as PlanGatedTenantFlag with the same key) would
+                // otherwise leave Source=Manual user overrides behind that surface as drift in the
+                // back-office. The evaluator routes by (TenantId, UserId), so user overrides keyed to
+                // a now-tenant-scoped flag are inert today — but the reconciler advertises convergence
+                // for both sides and the symmetric cleanup is one extra predicate.
+                var staleRowsToRemove = overrideRowsByKey[definition.Key]
+                    .Where(r => r.Source != expectedSource)
+                    .ToArray();
+                foreach (var staleRow in staleRowsToRemove)
+                {
+                    featureFlagRepository.Remove(staleRow);
+                    staleRowsRemoved++;
+                }
+
+                baseRow.SetSource(expectedSource);
+                featureFlagRepository.Update(baseRow);
+                sourceTransitions++;
+                telemetryEventsCollector.CollectEvent(new FeatureFlagSourceTransitionedByReconciler(
+                        definition.Key, fromSource, expectedSource, staleRowsToRemove.Length
+                    )
+                );
+                logger.LogInformation(
+                    "Reconciler transitioned '{FlagKey}' source to '{Source}' and removed '{StaleCount}' stale override rows",
+                    definition.Key, expectedSource, staleRowsToRemove.Length
+                );
+            }
+        }
+
+        var knownKeys = definitions.Select(d => d.Key).ToHashSet();
+
+        var orphansMarked = 0;
+        foreach (var row in allRows.Where(r => !knownKeys.Contains(r.FlagKey) && r.OrphanedAt is null))
+        {
+            row.MarkOrphaned(now);
+            featureFlagRepository.Update(row);
+            orphansMarked++;
+            // Only emit the structured event once per orphaned flag key (base row), not for every
+            // override row that happens to carry the same stale key.
+            if (row.TenantId is null && row.UserId is null)
+            {
+                telemetryEventsCollector.CollectEvent(new FeatureFlagOrphanedByReconciler(row.FlagKey));
+            }
+
+            logger.LogInformation("Reconciler marked '{FlagKey}' (id '{Id}') as orphaned", row.FlagKey, row.Id);
+        }
+
+        await accountDbContext.SaveChangesAsync(cancellationToken);
+
+        // Publish AFTER the DB commit so we never emit telemetry for state that did not persist.
+        // The reconciler is idempotent — a crash between SaveChanges and publish means the next
+        // worker startup converges to the same state but does not re-emit (no work to do).
+        while (telemetryEventsCollector.HasEvents)
+        {
+            var telemetryEvent = telemetryEventsCollector.Dequeue();
+            telemetryClient.TrackEvent(telemetryEvent.GetType().Name, telemetryEvent.Properties);
+        }
+
+        logger.LogInformation(
+            "Reconciler completed: {DefinitionCount} definitions reconciled, {BaseRowsCreated} base rows created, {BaseRowsRestored} re-added rows restored, {OverrideRowsRestored} orphaned override rows restored, {SourceTransitions} source transitions, {StaleRowsRemoved} stale tenant rows removed, {OrphansMarked} orphans marked",
+            definitions.Length, baseRowsCreated, baseRowsRestored, overrideRowsRestored, sourceTransitions, staleRowsRemoved, orphansMarked
+        );
+    }
+}
diff --git a/application/account/Workers/Program.cs b/application/account/Workers/Program.cs
index 334c20eba..50cb78d8c 100644
--- a/application/account/Workers/Program.cs
+++ b/application/account/Workers/Program.cs
@@ -19,6 +19,7 @@
 
 builder.Services.AddTransient<DatabaseMigrationService<AccountDbContext>>();
 builder.Services.AddTransient<DataMigrationRunner<AccountDbContext>>();
+builder.Services.AddTransient<FeatureFlagDefinitionReconciler>();
 
 builder.Services.AddHostedService<BillingDriftWorker>();
 
@@ -38,4 +39,10 @@
 var dataMigrationRunner = scope.ServiceProvider.GetRequiredService<DataMigrationRunner<AccountDbContext>>();
 await dataMigrationRunner.RunMigrationsAsync(lifetime.ApplicationStopping);
 
+// Converge the feature_flags table to the C# definitions on every Worker startup. Must complete
+// successfully before the worker accepts traffic - if reconciliation throws, the process exits
+// non-zero so the orchestrator notices, which is preferable to running with inconsistent flag state.
+var featureFlagDefinitionReconciler = scope.ServiceProvider.GetRequiredService<FeatureFlagDefinitionReconciler>();
+await featureFlagDefinitionReconciler.ReconcileAsync(lifetime.ApplicationStopping);
+
 await host.RunAsync();
diff --git a/application/main/WebApp/tests/e2e/federated-navigation-flows.spec.ts b/application/main/WebApp/tests/e2e/federated-navigation-flows.spec.ts
index 256eb9580..09194d765 100644
--- a/application/main/WebApp/tests/e2e/federated-navigation-flows.spec.ts
+++ b/application/main/WebApp/tests/e2e/federated-navigation-flows.spec.ts
@@ -64,12 +64,14 @@ test.describe("@smoke", () => {
     })();
 
     // === ACCOUNT AREA NAVIGATION ===
-    await step("Navigate to account page & verify dashboard renders")(async () => {
+    await step("Navigate to /account & verify redirect to /account/users")(async () => {
+      // The /account dashboard route is gated by the account-overview feature flag, which is off
+      // for new tenants. The route's beforeLoad guard redirects to /account/users so direct
+      // navigation lands on a surface the user can actually use.
       await page.goto("/account");
 
-      await expect(page).toHaveURL("/account");
-      await expect(page.getByRole("heading", { name: "Overview" })).toBeVisible();
-      await expect(page.getByRole("link", { name: "View users" })).toBeVisible();
+      await expect(page).toHaveURL("/account/users");
+      await expect(page.getByRole("heading", { name: "Users" })).toBeVisible();
     })();
 
     await step("Navigate to users page & verify account users page renders")(async () => {
diff --git a/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs b/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs
index 42c9b1f6d..807a5c17c 100644
--- a/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs
+++ b/application/shared-kernel/SharedKernel/Antiforgery/AntiforgeryMiddleware.cs
@@ -14,7 +14,7 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
             return;
         }
 
-        if (bool.TryParse(Environment.GetEnvironmentVariable("BypassAntiforgeryValidation"), out _))
+        if (bool.TryParse(Environment.GetEnvironmentVariable("BypassAntiforgeryValidation"), out var bypass) && bypass)
         {
             logger.LogDebug("Bypassing antiforgery validation due to environment variable setting");
             await next(context);
diff --git a/application/shared-kernel/SharedKernel/Authentication/AuthenticationTokenHttpKeys.cs b/application/shared-kernel/SharedKernel/Authentication/AuthenticationTokenHttpKeys.cs
index 9ebd3f939..9142aa7a9 100644
--- a/application/shared-kernel/SharedKernel/Authentication/AuthenticationTokenHttpKeys.cs
+++ b/application/shared-kernel/SharedKernel/Authentication/AuthenticationTokenHttpKeys.cs
@@ -10,6 +10,10 @@ public static class AuthenticationTokenHttpKeys
 
     public const string RefreshAuthenticationTokensHeaderKey = "x-refresh-authentication-tokens-required";
 
+    public const string UserFeatureFlagsHeaderKey = "x-user-feature-flags";
+
+    public const string FeatureFlagsClaimName = "feature_flags";
+
     public const string UnauthorizedReasonHeaderKey = "x-unauthorized-reason";
 
     // __Host prefix ensures the cookie is sent only to the host, requires Secure, HTTPS, Path=/ and no Domain specified
diff --git a/application/shared-kernel/SharedKernel/Authentication/TokenGeneration/AccessTokenGenerator.cs b/application/shared-kernel/SharedKernel/Authentication/TokenGeneration/AccessTokenGenerator.cs
index 7d5d5596b..a2f7d0ffe 100644
--- a/application/shared-kernel/SharedKernel/Authentication/TokenGeneration/AccessTokenGenerator.cs
+++ b/application/shared-kernel/SharedKernel/Authentication/TokenGeneration/AccessTokenGenerator.cs
@@ -28,7 +28,10 @@ public string Generate(UserInfo userInfo)
                     new Claim("title", userInfo.Title ?? string.Empty),
                     new Claim("avatar_url", userInfo.AvatarUrl ?? string.Empty),
                     new Claim("locale", userInfo.Locale!),
-                    new Claim("session_id", userInfo.SessionId?.ToString() ?? string.Empty)
+                    new Claim("session_id", userInfo.SessionId?.ToString() ?? string.Empty),
+                    new Claim(AuthenticationTokenHttpKeys.FeatureFlagsClaimName, string.Join(",", userInfo.FeatureFlags)),
+                    new Claim("tenant_rollout_bucket", userInfo.TenantRolloutBucket.ToString()),
+                    new Claim("user_rollout_bucket", userInfo.UserRolloutBucket?.ToString() ?? string.Empty)
                 ]
             )
         };
diff --git a/application/shared-kernel/SharedKernel/Authentication/UserInfo.cs b/application/shared-kernel/SharedKernel/Authentication/UserInfo.cs
index f950de90a..5a6e21234 100644
--- a/application/shared-kernel/SharedKernel/Authentication/UserInfo.cs
+++ b/application/shared-kernel/SharedKernel/Authentication/UserInfo.cs
@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using SharedKernel.Authentication.TokenGeneration;
 using SharedKernel.Domain;
+using SharedKernel.Platform;
 using SharedKernel.SinglePageApp;
 
 namespace SharedKernel.Authentication;
@@ -13,6 +14,8 @@ public class UserInfo
 {
     private const string DefaultLocale = "en-US";
 
+    private static readonly IReadOnlySet<string> EmptyFeatureFlags = new HashSet<string>();
+
     /// <summary>
     ///     Represents the system user, typically used for background tasks or where no user is directly authenticated.
     /// </summary>
@@ -54,6 +57,19 @@ public class UserInfo
 
     public SessionId? SessionId { get; init; }
 
+    public bool IsInternalUser { get; init; }
+
+    public IReadOnlySet<string> FeatureFlags { get; init; } = EmptyFeatureFlags;
+
+    public int TenantRolloutBucket { get; init; }
+
+    public int? UserRolloutBucket { get; init; }
+
+    public bool IsFeatureFlagEnabled(string flagKey)
+    {
+        return FeatureFlags.Contains(flagKey);
+    }
+
     public static UserInfo Create(ClaimsPrincipal? user, string? browserLocale, string? zoomLevel = null, string? theme = null)
     {
         if (user?.Identity?.IsAuthenticated != true)
@@ -70,6 +86,10 @@ public static UserInfo Create(ClaimsPrincipal? user, string? browserLocale, stri
         var userId = user.FindFirstValue(ClaimTypes.NameIdentifier);
         var tenantId = user.FindFirstValue("tenant_id");
         var sessionId = user.FindFirstValue("session_id");
+        var email = user.FindFirstValue(ClaimTypes.Email);
+        var featureFlagsClaim = user.FindFirstValue(AuthenticationTokenHttpKeys.FeatureFlagsClaimName);
+        var tenantRolloutBucketClaim = user.FindFirstValue("tenant_rollout_bucket");
+        var userRolloutBucketClaim = user.FindFirstValue("user_rollout_bucket");
         return new UserInfo
         {
             IsAuthenticated = true,
@@ -87,10 +107,26 @@ public static UserInfo Create(ClaimsPrincipal? user, string? browserLocale, stri
             SubscriptionPlan = user.FindFirstValue("subscription_plan"),
             Locale = GetValidLocale(user.FindFirstValue("locale")),
             ZoomLevel = zoomLevel,
-            Theme = theme
+            Theme = theme,
+            IsInternalUser = IsInternalUserEmail(email),
+            FeatureFlags = ParseFeatureFlags(featureFlagsClaim),
+            TenantRolloutBucket = !string.IsNullOrEmpty(tenantRolloutBucketClaim) ? int.Parse(tenantRolloutBucketClaim) : 0,
+            UserRolloutBucket = !string.IsNullOrEmpty(userRolloutBucketClaim) ? int.Parse(userRolloutBucketClaim) : null
         };
     }
 
+    private static IReadOnlySet<string> ParseFeatureFlags(string? claim)
+    {
+        if (string.IsNullOrEmpty(claim)) return EmptyFeatureFlags;
+        return new HashSet<string>(claim.Split(',', StringSplitOptions.RemoveEmptyEntries));
+    }
+
+    private static bool IsInternalUserEmail(string? email)
+    {
+        if (string.IsNullOrEmpty(email)) return false;
+        return email.EndsWith(Settings.Current.Identity.InternalEmailDomain, StringComparison.OrdinalIgnoreCase);
+    }
+
     private static string GetValidLocale(string? locale)
     {
         if (string.IsNullOrEmpty(locale))
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/AbInclusionPin.cs b/application/shared-kernel/SharedKernel/FeatureFlags/AbInclusionPin.cs
new file mode 100644
index 000000000..6ff15622f
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/AbInclusionPin.cs
@@ -0,0 +1,9 @@
+namespace SharedKernel.FeatureFlags;
+
+[PublicAPI]
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum AbInclusionPin
+{
+    AlwaysOn = 0,
+    NeverOn = 1
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAdminLevel.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAdminLevel.cs
new file mode 100644
index 000000000..4bff8646b
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAdminLevel.cs
@@ -0,0 +1,8 @@
+namespace SharedKernel.FeatureFlags;
+
+public enum FeatureFlagAdminLevel
+{
+    SystemAdmin,
+    TenantOwner,
+    User
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAudienceState.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAudienceState.cs
new file mode 100644
index 000000000..416a2d39b
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagAudienceState.cs
@@ -0,0 +1,9 @@
+namespace SharedKernel.FeatureFlags;
+
+[PublicAPI]
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum FeatureFlagAudienceState
+{
+    Enabled,
+    Disabled
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagDefinition.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagDefinition.cs
new file mode 100644
index 000000000..2bd21e3b1
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagDefinition.cs
@@ -0,0 +1,248 @@
+using Microsoft.Extensions.Configuration;
+
+namespace SharedKernel.FeatureFlags;
+
+// Abstract base. Each valid combination of Scope, AdminLevel, and capability flags lives in its own
+// sealed subtype, so illegal combinations are compile-time errors rather than runtime throws in
+// FeatureFlags.ValidateFlags(). The flat virtual property API is preserved so the ~20 consumer files
+// (evaluator, queries, command handlers, telemetry, manifest emitter, reconciler) keep reading
+// `flag.Scope`, `flag.IsAbTestEligible`, etc. unchanged. Subtypes override only the properties
+// relevant to their flavor and leave the rest at the safe defaults below.
+[PublicAPI]
+public abstract class FeatureFlagDefinition(string key, string label, string description)
+{
+    /// <summary>
+    ///     Stable identifier used in URLs, telemetry property names, JWT claims, and the feature_flags DB column.
+    ///     Lowercase kebab-case, max 50 chars.
+    /// </summary>
+    public string Key { get; } = key;
+
+    /// <summary>Human-readable name shown in the BackOffice and (via Lingui codegen) in user-facing settings.</summary>
+    public string Label { get; } = label;
+
+    /// <summary>Human-readable description shown in tooltips and detail pages.</summary>
+    public string Description { get; } = description;
+
+    /// <summary>Where the flag is evaluated. System = env/config; Tenant = per-tenant DB row; User = per-user DB row.</summary>
+    public abstract FeatureFlagScope Scope { get; }
+
+    /// <summary>
+    ///     Who is allowed to change the flag's state. Mapped to back-office and account-app policies at the controller
+    ///     level.
+    /// </summary>
+    public abstract FeatureFlagAdminLevel AdminLevel { get; }
+
+    /// <summary>Another flag's Key that must be enabled for this flag to evaluate true. Only one level of nesting allowed.</summary>
+    public virtual string? ParentDependency => null;
+
+    /// <summary>
+    ///     Gradual rollout via BucketStart/BucketEnd. Mutually exclusive with ConfigurableByTenant/User — admins drive
+    ///     the rollout, not end users.
+    /// </summary>
+    public virtual bool IsAbTestEligible => false;
+
+    /// <summary>Tenant owners can toggle the flag from account settings. Cannot combine with IsAbTestEligible.</summary>
+    public virtual bool ConfigurableByTenant => false;
+
+    /// <summary>End users can toggle the flag from preferences. Cannot combine with IsAbTestEligible.</summary>
+    public virtual bool ConfigurableByUser => false;
+
+    /// <summary>Emit the flag's evaluated value as a property on every telemetry event so analytics can segment on it.</summary>
+    public abstract bool TrackInTelemetry { get; }
+
+    /// <summary>Override for the telemetry property name. Null = use Key verbatim.</summary>
+    public virtual string? TelemetryName => null;
+
+    /// <summary>
+    ///     Subscription plan tier that activates this flag. Reconciler binds Source=Plan when set so the plan evaluator
+    ///     owns the row.
+    /// </summary>
+    public virtual PlanTier? RequiredPlan => null;
+
+    /// <summary>appsettings.json key consulted by IsSystemFeatureFlagEnabled. System scope only.</summary>
+    public virtual string? SystemConfigKey => null;
+
+    /// <summary>
+    ///     Exact value the SystemConfigKey must equal to enable the flag. Null = any non-empty value is treated as
+    ///     enabled.
+    /// </summary>
+    public virtual string? SystemConfigExpectedValue => null;
+
+    /// <summary>
+    ///     Runtime env-var name the frontend reads via import.meta.runtime_env to evaluate the flag client-side. System
+    ///     scope only.
+    /// </summary>
+    public virtual string? FrontendEnvVar => null;
+
+    /// <summary>
+    ///     True = the reconciler creates the base row inactive on first sight so an admin must explicitly enable it;
+    ///     false = activated automatically.
+    /// </summary>
+    public virtual bool IsKillSwitchEnabled => false;
+
+    /// <summary>
+    ///     True = the flag represents a stable module that is always on; the BackOffice hides the
+    ///     Activate/Deactivate toggle so admins can't accidentally kill it. False = a regular feature
+    ///     flag that admins can globally deactivate.
+    /// </summary>
+    public virtual bool IsStableModule => false;
+
+    public bool IsSystemFeatureFlagEnabled(IConfiguration configuration)
+    {
+        if (Scope != FeatureFlagScope.System || SystemConfigKey is null) return false;
+
+        var configValue = configuration[SystemConfigKey];
+
+        return SystemConfigExpectedValue is not null
+            ? configValue == SystemConfigExpectedValue
+            : !string.IsNullOrEmpty(configValue);
+    }
+}
+
+// System scope: env-var-driven kill switch. SystemConfigKey and FrontendEnvVar are required by the
+// constructor so a SystemFeatureFlag can never be built without both.
+[PublicAPI]
+public sealed class SystemFeatureFlag(
+    string key,
+    string label,
+    string description,
+    string systemConfigKey,
+    string frontendEnvVar,
+    bool trackInTelemetry,
+    string? systemConfigExpectedValue = null
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.System;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.SystemAdmin;
+
+    public override string SystemConfigKey => systemConfigKey;
+
+    public override string FrontendEnvVar => frontendEnvVar;
+
+    public override string? SystemConfigExpectedValue => systemConfigExpectedValue;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+}
+
+// Tenant scope, A/B-eligible, system-admin-managed. Used for flags rolled out gradually across the
+// tenant population (e.g., beta features). Cannot be ConfigurableByTenant because the rollout is
+// admin-driven.
+[PublicAPI]
+public sealed class TenantAbTestFlag(
+    string key,
+    string label,
+    string description,
+    bool trackInTelemetry,
+    bool isKillSwitchEnabled,
+    string? parentDependency = null,
+    string? telemetryName = null
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.Tenant;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.SystemAdmin;
+
+    public override bool IsAbTestEligible => true;
+
+    public override string? ParentDependency => parentDependency;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+
+    public override string? TelemetryName => telemetryName;
+
+    public override bool IsKillSwitchEnabled => isKillSwitchEnabled;
+}
+
+// Tenant scope, plan-gated. Activation is driven by the tenant's subscription plan — no manual
+// admin toggling, no A/B rollout, no kill switch (the plan is the source of truth).
+[PublicAPI]
+public sealed class PlanGatedTenantFlag(
+    string key,
+    string label,
+    string description,
+    PlanTier requiredPlan,
+    bool trackInTelemetry
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.Tenant;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.SystemAdmin;
+
+    public override PlanTier? RequiredPlan => requiredPlan;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+}
+
+// Tenant scope, owner-toggled. Tenant owners flip these on/off in account settings. Mutually
+// exclusive with A/B-rollout by construction.
+[PublicAPI]
+public sealed class TenantOwnerConfigurableFlag(
+    string key,
+    string label,
+    string description,
+    bool trackInTelemetry,
+    bool isKillSwitchEnabled,
+    bool isStableModule = false
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.Tenant;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.TenantOwner;
+
+    public override bool ConfigurableByTenant => true;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+
+    public override bool IsKillSwitchEnabled => isKillSwitchEnabled;
+
+    public override bool IsStableModule => isStableModule;
+}
+
+// User scope, user-toggled. Individual users flip these on/off in their preferences.
+[PublicAPI]
+public sealed class UserConfigurableFlag(
+    string key,
+    string label,
+    string description,
+    bool trackInTelemetry,
+    bool isKillSwitchEnabled,
+    bool isStableModule = false
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.User;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.User;
+
+    public override bool ConfigurableByUser => true;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+
+    public override bool IsKillSwitchEnabled => isKillSwitchEnabled;
+
+    public override bool IsStableModule => isStableModule;
+}
+
+// User scope, A/B-eligible. Used for per-user experimental UI rollouts.
+[PublicAPI]
+public sealed class UserAbTestFlag(
+    string key,
+    string label,
+    string description,
+    bool trackInTelemetry,
+    bool isKillSwitchEnabled,
+    string? telemetryName = null
+) : FeatureFlagDefinition(key, label, description)
+{
+    public override FeatureFlagScope Scope => FeatureFlagScope.User;
+
+    public override FeatureFlagAdminLevel AdminLevel => FeatureFlagAdminLevel.User;
+
+    public override bool IsAbTestEligible => true;
+
+    public override bool TrackInTelemetry => trackInTelemetry;
+
+    public override string? TelemetryName => telemetryName;
+
+    public override bool IsKillSwitchEnabled => isKillSwitchEnabled;
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagScope.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagScope.cs
new file mode 100644
index 000000000..692dca0a2
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagScope.cs
@@ -0,0 +1,9 @@
+namespace SharedKernel.FeatureFlags;
+
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum FeatureFlagScope
+{
+    System,
+    Tenant,
+    User
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagTelemetryProperties.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagTelemetryProperties.cs
new file mode 100644
index 000000000..91c027b97
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagTelemetryProperties.cs
@@ -0,0 +1,40 @@
+namespace SharedKernel.FeatureFlags;
+
+public static class FeatureFlagTelemetryProperties
+{
+    // Per-flag tags namespaced under `user.feature_flags.*` for User-scope flags and
+    // `tenant.feature_flags.*` for Tenant-scope flags. Plural `feature_flags` keeps us clear of
+    // the OpenTelemetry-reserved `feature_flag.*` semantic-convention namespace, which is a fixed
+    // closed set (`feature_flag.key`, `feature_flag.result.value`, ...) routed by vendor
+    // integrations to feature-flag-specific dashboards. Splitting by scope lets KQL group by who
+    // carries each setting — `tenant.feature_flags.beta-features` is a property of the tenant,
+    // `user.feature_flags.compact-view` is a property of the user. The value is `enabled`; the
+    // tag is absent when the flag is not enabled, so KQL can filter on presence
+    // (`isnotempty(customDimensions["user.feature_flags.compact-view"])`). Iteration is over
+    // current C# definitions only — orphaned flag keys never reach telemetry because the
+    // reconciler marks them OrphanedAt at startup and they drop out of `GetAll()`.
+    public const string UserScopePrefix = "user.feature_flags.";
+    public const string TenantScopePrefix = "tenant.feature_flags.";
+    public const string EnabledValue = "enabled";
+
+    public static IEnumerable<(string Name, string Value)> GetEnabledFeatureFlagTags(IReadOnlySet<string> enabledFlags)
+    {
+        foreach (var definition in FeatureFlags.GetAll())
+        {
+            if (!definition.TrackInTelemetry) continue;
+            if (!enabledFlags.Contains(definition.Key)) continue;
+
+            var prefix = definition.Scope switch
+            {
+                FeatureFlagScope.Tenant => TenantScopePrefix,
+                FeatureFlagScope.User => UserScopePrefix,
+                _ => null
+            };
+
+            if (prefix is null) continue;
+
+            var telemetryKey = definition.TelemetryName ?? definition.Key;
+            yield return ($"{prefix}{telemetryKey}", EnabledValue);
+        }
+    }
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs
new file mode 100644
index 000000000..7ad04f635
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs
@@ -0,0 +1,81 @@
+namespace SharedKernel.FeatureFlags;
+
+// Add a new feature flag by declaring a `public static readonly FeatureFlagDefinition` field below.
+// The registry in FeatureFlagsRegistry.cs picks it up by reflection at startup — no manual list
+// maintenance, no DI wiring, no JSON. Choose the subtype (SystemFeatureFlag, TenantAbTestFlag,
+// PlanGatedTenantFlag, TenantOwnerConfigurableFlag, UserAbTestFlag, UserConfigurableFlag) that
+// matches how the flag should be evaluated and who is allowed to change it.
+//
+// On startup, the Account Worker's FeatureFlagDefinitionReconciler upserts a row in the
+// feature_flags table for every non-System flag declared here, so it shows up in the Back Office
+// immediately after deployment — no migration, no seed script. SystemFeatureFlag definitions are
+// evaluated from config and env vars instead, so they never get a DB row. Removing a flag marks
+// its row as orphaned but keeps it visible until you hard-delete it from the Back Office.
+//
+// The label and description below are also surfaced in the frontend: `build --backend` runs the
+// GenerateFeatureFlagsManifest MSBuild target which emits featureFlags.generated.json, and the
+// shared-webapp generateFeatureFlagArtifacts.mjs script turns that into labels.generated.ts with
+// Lingui `t` macros. Lingui extraction then writes the strings into the locale .po files for
+// translators, so every flag added here automatically becomes translatable in the UI.
+[PublicAPI]
+public static partial class FeatureFlags
+{
+    public static readonly FeatureFlagDefinition GoogleOauth = new SystemFeatureFlag(
+        "google-oauth",
+        "Google OAuth",
+        "Sign in with Google using OpenID Connect",
+        "OAuth:Google:ClientId",
+        "PUBLIC_GOOGLE_OAUTH_ENABLED",
+        false
+    );
+
+    public static readonly FeatureFlagDefinition Subscriptions = new SystemFeatureFlag(
+        "subscriptions",
+        "Subscriptions",
+        "Stripe-powered subscription billing and plan management",
+        "Stripe:SubscriptionEnabled",
+        "PUBLIC_SUBSCRIPTION_ENABLED",
+        false,
+        "true"
+    );
+
+    public static readonly FeatureFlagDefinition BetaFeatures = new TenantAbTestFlag(
+        "beta-features",
+        "Beta features",
+        "Early access to experimental features before general availability",
+        true,
+        true
+    );
+
+    public static readonly FeatureFlagDefinition Sso = new PlanGatedTenantFlag(
+        "sso",
+        "Single sign-on",
+        "Allow users to authenticate using enterprise identity providers",
+        PlanTier.Premium,
+        false
+    );
+
+    public static readonly FeatureFlagDefinition AccountOverview = new TenantOwnerConfigurableFlag(
+        "account-overview",
+        "Account overview page",
+        "Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list.",
+        true,
+        true
+    );
+
+    public static readonly FeatureFlagDefinition CompactView = new UserConfigurableFlag(
+        "compact-view",
+        "Compact view",
+        "Reduce spacing between UI elements for a denser layout",
+        true,
+        true
+    );
+
+    public static readonly FeatureFlagDefinition ExperimentalUi = new UserAbTestFlag(
+        "experimental-ui",
+        "Experimental UI",
+        "Try out experimental user interface components",
+        true,
+        true
+    );
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagsRegistry.cs b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagsRegistry.cs
new file mode 100644
index 000000000..508ba033d
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlagsRegistry.cs
@@ -0,0 +1,89 @@
+using System.Text.RegularExpressions;
+
+namespace SharedKernel.FeatureFlags;
+
+// Registry mechanism backing the developer-facing definitions in FeatureFlags.cs. Reflects over
+// every `public static readonly FeatureFlagDefinition` field declared there, validates them at
+// startup, and exposes lookup helpers. Adding a flag does not require touching this file.
+public static partial class FeatureFlags
+{
+    private static readonly FeatureFlagDefinition[] AllFeatureFlags =
+        typeof(FeatureFlags)
+            .GetFields(BindingFlags.Public | BindingFlags.Static)
+            .Where(f => f.IsInitOnly && f.FieldType == typeof(FeatureFlagDefinition))
+            .Select(f => (FeatureFlagDefinition)f.GetValue(null)!)
+            .ToArray();
+
+    private static readonly Regex FeatureFlagKeyPattern =
+        new("^[a-z0-9]+(-[a-z0-9]+)*$", RegexOptions.Compiled);
+
+    static FeatureFlags()
+    {
+        ValidateFlags();
+    }
+
+    public static FeatureFlagDefinition[] GetAll()
+    {
+        return AllFeatureFlags;
+    }
+
+    public static FeatureFlagDefinition? Get(string key)
+    {
+        return AllFeatureFlags.FirstOrDefault(f => f.Key == key);
+    }
+
+    // Keys are surfaced verbatim in URLs, JWT claim payloads, telemetry property names, frontend
+    // route params, and the configurable-feature-flag toggle UI. Lowercase kebab-case keeps every
+    // consumer's case-handling simple and removes ambiguity for the comma-separated `feature_flags`
+    // JWT claim. Internal so SharedKernel.Tests can pin the pattern.
+    internal static bool IsValidKey(string key)
+    {
+        return FeatureFlagKeyPattern.IsMatch(key);
+    }
+
+    // Subtype hierarchy in FeatureFlagDefinition.cs enforces all cross-property invariants at compile
+    // time. This method now validates only what subtypes cannot: key format, parent-dependency
+    // existence + depth (parent must exist in the registry and itself have no parent), and
+    // TelemetryName uniqueness (since telemetry property names must remain stable for forever).
+    private static void ValidateFlags()
+    {
+        var featureFlagsByKey = AllFeatureFlags.ToDictionary(f => f.Key);
+        var telemetryNamesSeen = new Dictionary<string, string>();
+
+        foreach (var featureFlag in AllFeatureFlags)
+        {
+            if (featureFlag.Key.Length > 50)
+            {
+                throw new InvalidOperationException($"Feature flag key '{featureFlag.Key}' exceeds 50 characters.");
+            }
+
+            if (!IsValidKey(featureFlag.Key))
+            {
+                throw new InvalidOperationException($"Feature flag key '{featureFlag.Key}' must be lowercase kebab-case (a-z, 0-9, hyphen). No leading/trailing hyphens, no consecutive hyphens, no other characters.");
+            }
+
+            if (featureFlag.ParentDependency is not null)
+            {
+                if (!featureFlagsByKey.TryGetValue(featureFlag.ParentDependency, out var parent))
+                {
+                    throw new InvalidOperationException($"Feature flag '{featureFlag.Key}' references non-existent parent dependency '{featureFlag.ParentDependency}'.");
+                }
+
+                if (parent.ParentDependency is not null)
+                {
+                    throw new InvalidOperationException($"Feature flag '{featureFlag.Key}' has parent '{featureFlag.ParentDependency}' which itself has a parent dependency. Only one level of dependency is allowed.");
+                }
+            }
+
+            if (featureFlag.TelemetryName is not null)
+            {
+                if (telemetryNamesSeen.TryGetValue(featureFlag.TelemetryName, out var existingKey))
+                {
+                    throw new InvalidOperationException($"Feature flag '{featureFlag.Key}' uses TelemetryName '{featureFlag.TelemetryName}' which is already used by '{existingKey}'. TelemetryName must be unique across all flags so historical telemetry stays unambiguous.");
+                }
+
+                telemetryNamesSeen[featureFlag.TelemetryName] = featureFlag.Key;
+            }
+        }
+    }
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/PlanTier.cs b/application/shared-kernel/SharedKernel/FeatureFlags/PlanTier.cs
new file mode 100644
index 000000000..aa5f5b643
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/PlanTier.cs
@@ -0,0 +1,10 @@
+namespace SharedKernel.FeatureFlags;
+
+[PublicAPI]
+[JsonConverter(typeof(JsonStringEnumConverter))]
+public enum PlanTier
+{
+    Free = 0,
+    Standard = 1,
+    Premium = 2
+}
diff --git a/application/shared-kernel/SharedKernel/FeatureFlags/RolloutBucketHasher.cs b/application/shared-kernel/SharedKernel/FeatureFlags/RolloutBucketHasher.cs
new file mode 100644
index 000000000..d19897c4d
--- /dev/null
+++ b/application/shared-kernel/SharedKernel/FeatureFlags/RolloutBucketHasher.cs
@@ -0,0 +1,85 @@
+namespace SharedKernel.FeatureFlags;
+
+public static class RolloutBucketHasher
+{
+    // Total number of buckets in the rollout space. A 1% rollout covers exactly one bucket; a 100%
+    // rollout covers BucketCount buckets (indices 0..MaxBucketInclusive).
+    public const int BucketCount = 100;
+
+    public const int MaxBucketInclusive = BucketCount - 1;
+
+    // Effective bucket for an AB.NeverOn pin: the bucket immediately before BucketStart, wrapping around
+    // the [0, BucketCount) range. This is the bucket that gets included only when rollout reaches 100%,
+    // i.e., the last one in the rollout sequence for this flag.
+    public static int ComputeNeverOnBucket(int bucketStart)
+    {
+        return (bucketStart - 1 + BucketCount) % BucketCount;
+    }
+
+    public static int ComputeRolloutBucket(int sequenceNumber)
+    {
+        var value = VanDerCorput(sequenceNumber);
+        return (int)(value * BucketCount);
+    }
+
+    public static bool IsInRolloutBucketRange(int bucket, int rolloutBucketStart, int rolloutBucketEnd)
+    {
+        if (rolloutBucketStart <= rolloutBucketEnd)
+        {
+            return bucket >= rolloutBucketStart && bucket <= rolloutBucketEnd;
+        }
+
+        // Wrap-around case (e.g., start=90, end=10 means 90-99 and 0-10)
+        return bucket >= rolloutBucketStart || bucket <= rolloutBucketEnd;
+    }
+
+    // Stable per-flag starting bucket derived from the flag key. SetFeatureFlagRolloutPercentage uses this
+    // to assign a non-zero rollout range, so every flag has a deterministic starting offset regardless of the
+    // current rollout state.
+    public static int ComputeStartingRolloutBucket(string flagKey)
+    {
+        unchecked
+        {
+            var hash = 2166136261u;
+            foreach (var c in flagKey)
+            {
+                hash ^= c;
+                hash *= 16777619u;
+            }
+
+            return (int)(hash % BucketCount);
+        }
+    }
+
+    // The rollout percentage at which the given bucket first becomes included in an A/B rollout for this flag.
+    // Returns 1-100. Useful for surfacing "this account/user gets the feature when rollout reaches N%" in admin UIs.
+    public static int ComputeInclusionThresholdPercentage(int bucket, string flagKey)
+    {
+        var start = ComputeStartingRolloutBucket(flagKey);
+        return (bucket - start + BucketCount) % BucketCount + 1;
+    }
+
+    // How many buckets are covered by a [start, end] rollout range, handling the wrap-around case
+    // (e.g., start=45, end=0 covers buckets 45..99 + 0 = 56). Both endpoints are inclusive. Returns
+    // null when either endpoint is null (no rollout configured, i.e., 0%).
+    public static int? ComputeRolloutPercentage(int? bucketStart, int? bucketEnd)
+    {
+        if (bucketStart is null || bucketEnd is null) return null;
+        return (bucketEnd.Value - bucketStart.Value + BucketCount) % BucketCount + 1;
+    }
+
+    private static double VanDerCorput(int n)
+    {
+        double result = 0;
+        double denominator = 2;
+
+        while (n > 0)
+        {
+            result += (n & 1) / denominator;
+            n >>= 1;
+            denominator *= 2;
+        }
+
+        return result;
+    }
+}
diff --git a/application/shared-kernel/SharedKernel/Middleware/GlobalExceptionHandler.cs b/application/shared-kernel/SharedKernel/Middleware/GlobalExceptionHandler.cs
index a5236c45e..ad3274a5a 100644
--- a/application/shared-kernel/SharedKernel/Middleware/GlobalExceptionHandler.cs
+++ b/application/shared-kernel/SharedKernel/Middleware/GlobalExceptionHandler.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Http;
 using Microsoft.EntityFrameworkCore;
+using Npgsql;
 
 namespace SharedKernel.Middleware;
 
@@ -31,6 +32,14 @@ public async ValueTask<bool> TryHandleAsync(HttpContext httpContext, Exception e
                 title = "Conflict";
                 detail = "The data was modified by another process. Please try again.";
                 break;
+            // PG 23505 unique_violation wraps as DbUpdateException with a PostgresException inner.
+            // EF Core does not auto-map this to DbUpdateConcurrencyException (which is reserved for
+            // zero-row UPDATE). Treat the race as a 409 so SPA retry/error handling can act on it.
+            case DbUpdateException { InnerException: PostgresException { SqlState: PostgresErrorCodes.UniqueViolation } }:
+                statusCode = StatusCodes.Status409Conflict;
+                title = "Conflict";
+                detail = "The resource was modified by another process. Please try again.";
+                break;
             default:
                 statusCode = StatusCodes.Status500InternalServerError;
                 title = "Internal Server Error";
diff --git a/application/shared-kernel/SharedKernel/Platform/Settings.cs b/application/shared-kernel/SharedKernel/Platform/Settings.cs
index 2f80ac82b..16bb4bf97 100644
--- a/application/shared-kernel/SharedKernel/Platform/Settings.cs
+++ b/application/shared-kernel/SharedKernel/Platform/Settings.cs
@@ -8,6 +8,8 @@ public sealed class Settings
 
     public static Settings Current => Instance.Value;
 
+    public required IdentityConfig Identity { get; init; }
+
     public required BrandingConfig Branding { get; init; }
 
     private static Settings LoadFromEmbeddedResource()
@@ -28,6 +30,11 @@ private static Settings LoadFromEmbeddedResource()
                ?? throw new InvalidOperationException("Failed to deserialize platform settings");
     }
 
+    public sealed class IdentityConfig
+    {
+        public required string InternalEmailDomain { get; init; }
+    }
+
     public sealed class BrandingConfig
     {
         public required string ProductName { get; init; }
diff --git a/application/shared-kernel/SharedKernel/Platform/platform-settings.jsonc b/application/shared-kernel/SharedKernel/Platform/platform-settings.jsonc
index c2685748c..63357a6ad 100644
--- a/application/shared-kernel/SharedKernel/Platform/platform-settings.jsonc
+++ b/application/shared-kernel/SharedKernel/Platform/platform-settings.jsonc
@@ -8,6 +8,13 @@
   // Security Note: Only include non-sensitive configuration here
   // Sensitive values (like API keys) should be stored in environment variables or key vaults
 
+  "identity": {
+    // Email domain suffix that identifies internal users
+    // Users with this domain get access to BackOffice and other internal features
+    // Currently used by backend only - frontend relies on isInternalUser flag from backend
+    "internalEmailDomain": "@platformplatform.net"
+  },
+
   "branding": {
     // Product/platform name used throughout the application
     // Placeholder for future use - currently hardcoded in various places
diff --git a/application/shared-kernel/SharedKernel/Telemetry/ApplicationInsightsTelemetryInitializer.cs b/application/shared-kernel/SharedKernel/Telemetry/ApplicationInsightsTelemetryInitializer.cs
index 65788109f..b13fb7036 100644
--- a/application/shared-kernel/SharedKernel/Telemetry/ApplicationInsightsTelemetryInitializer.cs
+++ b/application/shared-kernel/SharedKernel/Telemetry/ApplicationInsightsTelemetryInitializer.cs
@@ -3,6 +3,7 @@
 using Microsoft.ApplicationInsights.Extensibility;
 using SharedKernel.Configuration;
 using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
 
 namespace SharedKernel.Telemetry;
 
@@ -68,6 +69,11 @@ public void Initialize(ITelemetry telemetry)
         AddCustomProperty(telemetry, "user.theme", executionContext.UserInfo.Theme);
         AddCustomProperty(telemetry, "user.role", executionContext.UserInfo.Role);
         AddCustomProperty(telemetry, "user.session_id", executionContext.UserInfo.SessionId?.Value);
+
+        foreach (var (name, value) in FeatureFlagTelemetryProperties.GetEnabledFeatureFlagTags(executionContext.UserInfo.FeatureFlags))
+        {
+            AddCustomProperty(telemetry, name, value);
+        }
     }
 
     public static void SetContext(IExecutionContext executionContext)
diff --git a/application/shared-kernel/SharedKernel/Telemetry/OpenTelemetryEnricher.cs b/application/shared-kernel/SharedKernel/Telemetry/OpenTelemetryEnricher.cs
index 9e7210811..c0e71b29c 100644
--- a/application/shared-kernel/SharedKernel/Telemetry/OpenTelemetryEnricher.cs
+++ b/application/shared-kernel/SharedKernel/Telemetry/OpenTelemetryEnricher.cs
@@ -1,4 +1,5 @@
 using SharedKernel.ExecutionContext;
+using SharedKernel.FeatureFlags;
 
 namespace SharedKernel.Telemetry;
 
@@ -34,5 +35,10 @@ public void Apply()
 
         Activity.Current.SetTag("user.role", executionContext.UserInfo.Role);
         Activity.Current.SetTag("user.session_id", executionContext.UserInfo.SessionId?.Value);
+
+        foreach (var (name, value) in FeatureFlagTelemetryProperties.GetEnabledFeatureFlagTags(executionContext.UserInfo.FeatureFlags))
+        {
+            Activity.Current.SetTag(name, value);
+        }
     }
 }
diff --git a/application/shared-kernel/Tests/FeatureFlags/FeatureFlagKeyValidationTests.cs b/application/shared-kernel/Tests/FeatureFlags/FeatureFlagKeyValidationTests.cs
new file mode 100644
index 000000000..1c8d4fd9f
--- /dev/null
+++ b/application/shared-kernel/Tests/FeatureFlags/FeatureFlagKeyValidationTests.cs
@@ -0,0 +1,44 @@
+using FluentAssertions;
+using Xunit;
+using FeatureFlagRegistry = SharedKernel.FeatureFlags.FeatureFlags;
+
+namespace SharedKernel.Tests.FeatureFlags;
+
+public sealed class FeatureFlagKeyValidationTests
+{
+    [Theory]
+    [InlineData("sso")]
+    [InlineData("google-oauth")]
+    [InlineData("account-overview")]
+    [InlineData("subscriptions")]
+    [InlineData("compact-view")]
+    [InlineData("experimental-ui")]
+    [InlineData("a")]
+    [InlineData("a1")]
+    [InlineData("1-a")]
+    [InlineData("plan-tier-2")]
+    public void IsValidKey_WhenKeyIsLowercaseKebabCase_ShouldReturnTrue(string key)
+    {
+        FeatureFlagRegistry.IsValidKey(key).Should().BeTrue();
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData("-")]
+    [InlineData("-leading")]
+    [InlineData("trailing-")]
+    [InlineData("double--hyphen")]
+    [InlineData("UPPER")]
+    [InlineData("Mixed-Case")]
+    [InlineData("with_underscore")]
+    [InlineData("with space")]
+    [InlineData("with.dot")]
+    [InlineData("with,comma")]
+    [InlineData("with/slash")]
+    [InlineData("with:colon")]
+    [InlineData("emoji-😀")]
+    public void IsValidKey_WhenKeyViolatesKebabCase_ShouldReturnFalse(string key)
+    {
+        FeatureFlagRegistry.IsValidKey(key).Should().BeFalse();
+    }
+}
diff --git a/application/shared-kernel/Tests/Telemetry/ApplicationInsightsTelemetryInitializerTests.cs b/application/shared-kernel/Tests/Telemetry/ApplicationInsightsTelemetryInitializerTests.cs
index 1f8d2c068..f18500ad0 100644
--- a/application/shared-kernel/Tests/Telemetry/ApplicationInsightsTelemetryInitializerTests.cs
+++ b/application/shared-kernel/Tests/Telemetry/ApplicationInsightsTelemetryInitializerTests.cs
@@ -90,6 +90,75 @@ public void Initialize_WhenUserIsNotAuthenticated_ShouldNotSetSessionIdInTelemet
         telemetry.Context.GlobalProperties.Should().NotContainKey("user.theme");
     }
 
+    [Fact]
+    public void Initialize_WhenTrackableFeatureFlagsEnabled_ShouldEmitScopedPerFlagProperties()
+    {
+        // Arrange - beta-features (Tenant) and experimental-ui (User) are the registry's two
+        // TrackInTelemetry=true flags with different scopes. Symmetric with OpenTelemetryEnricherTests.
+        var userInfo = new UserInfo
+        {
+            IsAuthenticated = true,
+            Id = UserId.NewId(),
+            TenantId = new TenantId(12345),
+            Locale = "en-US",
+            Role = "Admin",
+            FeatureFlags = new HashSet<string> { "experimental-ui", "beta-features" }
+        };
+
+        var executionContext = Substitute.For<IExecutionContext>();
+        executionContext.UserInfo.Returns(userInfo);
+        executionContext.TenantId.Returns(userInfo.TenantId);
+        executionContext.ClientIpAddress.Returns(IPAddress.Parse("192.168.1.1"));
+
+        ApplicationInsightsTelemetryInitializer.SetContext(executionContext);
+
+        var telemetry = new RequestTelemetry();
+        var initializer = new ApplicationInsightsTelemetryInitializer();
+
+        // Act
+        initializer.Initialize(telemetry);
+
+        // Assert - per-flag dimensions scoped by who carries the setting, value is "enabled",
+        // and the OTel-reserved feature_flag.* namespace is never emitted.
+        telemetry.Context.GlobalProperties.Should().ContainKey("tenant.feature_flags.beta-features");
+        telemetry.Context.GlobalProperties["tenant.feature_flags.beta-features"].Should().Be("enabled");
+        telemetry.Context.GlobalProperties.Should().ContainKey("user.feature_flags.experimental-ui");
+        telemetry.Context.GlobalProperties["user.feature_flags.experimental-ui"].Should().Be("enabled");
+        telemetry.Context.GlobalProperties.Keys.Should().NotContain(k => k.StartsWith("feature_flag.", StringComparison.Ordinal));
+    }
+
+    [Fact]
+    public void Initialize_WhenNoTrackableFeatureFlagsEnabled_ShouldOmitFeatureFlagProperties()
+    {
+        // Arrange
+        var userInfo = new UserInfo
+        {
+            IsAuthenticated = true,
+            Id = UserId.NewId(),
+            TenantId = new TenantId(12345),
+            Locale = "en-US",
+            Role = "Admin",
+            FeatureFlags = new HashSet<string>()
+        };
+
+        var executionContext = Substitute.For<IExecutionContext>();
+        executionContext.UserInfo.Returns(userInfo);
+        executionContext.TenantId.Returns(userInfo.TenantId);
+        executionContext.ClientIpAddress.Returns(IPAddress.Parse("192.168.1.1"));
+
+        ApplicationInsightsTelemetryInitializer.SetContext(executionContext);
+
+        var telemetry = new RequestTelemetry();
+        var initializer = new ApplicationInsightsTelemetryInitializer();
+
+        // Act
+        initializer.Initialize(telemetry);
+
+        // Assert
+        telemetry.Context.GlobalProperties.Keys.Should().NotContain(k => k.StartsWith("user.feature_flags.", StringComparison.Ordinal));
+        telemetry.Context.GlobalProperties.Keys.Should().NotContain(k => k.StartsWith("tenant.feature_flags.", StringComparison.Ordinal));
+    }
+
     [Fact]
     public void Initialize_WhenSessionIdIsNull_ShouldNotSetSessionIdInTelemetry()
     {
diff --git a/application/shared-kernel/Tests/Telemetry/OpenTelemetryEnricherTests.cs b/application/shared-kernel/Tests/Telemetry/OpenTelemetryEnricherTests.cs
index faeea3862..6b25c37a4 100644
--- a/application/shared-kernel/Tests/Telemetry/OpenTelemetryEnricherTests.cs
+++ b/application/shared-kernel/Tests/Telemetry/OpenTelemetryEnricherTests.cs
@@ -119,6 +119,87 @@ public void Apply_WhenSessionIdIsNull_ShouldSetNullSessionIdTag()
         }
     }
 
+    [Fact]
+    public void Apply_WhenTrackableFeatureFlagsEnabled_ShouldEmitScopedPerFlagTags()
+    {
+        // Arrange - beta-features (Tenant) and experimental-ui (User) are the registry's
+        // two TrackInTelemetry=true flags with different scopes.
+        var userInfo = new UserInfo
+        {
+            IsAuthenticated = true,
+            Id = UserId.NewId(),
+            TenantId = new TenantId(12345),
+            Locale = "en-US",
+            Role = "Admin",
+            FeatureFlags = new HashSet<string> { "experimental-ui", "beta-features" }
+        };
+
+        var executionContext = Substitute.For<IExecutionContext>();
+        executionContext.UserInfo.Returns(userInfo);
+        executionContext.TenantId.Returns(userInfo.TenantId);
+        executionContext.ClientIpAddress.Returns(IPAddress.Parse("192.168.1.1"));
+
+        var enricher = new OpenTelemetryEnricher(executionContext);
+
+        using var activitySource = new ActivitySource("TestSource");
+        var listener = new ActivityListener { ShouldListenTo = _ => true, Sample = SampleAllData };
+        using (listener)
+        {
+            ActivitySource.AddActivityListener(listener);
+
+            using var activity = activitySource.StartActivity();
+            activity.Should().NotBeNull();
+
+            // Act
+            enricher.Apply();
+
+            // Assert - per-flag tags scoped by who carries the setting, value is "enabled",
+            // and the OTel-reserved feature_flag.* namespace is never emitted.
+            activity.Tags.Should().Contain(t => t.Key == "tenant.feature_flags.beta-features" && t.Value == "enabled");
+            activity.Tags.Should().Contain(t => t.Key == "user.feature_flags.experimental-ui" && t.Value == "enabled");
+            activity.Tags.Should().NotContain(t => t.Key.StartsWith("feature_flag.", StringComparison.Ordinal));
+        }
+    }
+
+    [Fact]
+    public void Apply_WhenNoTrackableFeatureFlagsEnabled_ShouldOmitFeatureFlagsTag()
+    {
+        // Arrange
+        var userInfo = new UserInfo
+        {
+            IsAuthenticated = true,
+            Id = UserId.NewId(),
+            TenantId = new TenantId(12345),
+            Locale = "en-US",
+            Role = "Admin",
+            FeatureFlags = new HashSet<string>()
+        };
+
+        var executionContext = Substitute.For<IExecutionContext>();
+        executionContext.UserInfo.Returns(userInfo);
+        executionContext.TenantId.Returns(userInfo.TenantId);
+        executionContext.ClientIpAddress.Returns(IPAddress.Parse("192.168.1.1"));
+
+        var enricher = new OpenTelemetryEnricher(executionContext);
+
+        using var activitySource = new ActivitySource("TestSource");
+        var listener = new ActivityListener { ShouldListenTo = _ => true, Sample = SampleAllData };
+        using (listener)
+        {
+            ActivitySource.AddActivityListener(listener);
+
+            using var activity = activitySource.StartActivity();
+            activity.Should().NotBeNull();
+
+            // Act
+            enricher.Apply();
+
+            // Assert
+            activity.Tags.Should().NotContain(t => t.Key.StartsWith("user.feature_flags.", StringComparison.Ordinal));
+            activity.Tags.Should().NotContain(t => t.Key.StartsWith("tenant.feature_flags.", StringComparison.Ordinal));
+        }
+    }
+
     [Fact]
     public void Apply_WhenNoCurrentActivity_ShouldNotThrow()
     {
diff --git a/application/shared-webapp/build/environment.d.ts b/application/shared-webapp/build/environment.d.ts
index eac04dc51..5db908f4a 100644
--- a/application/shared-webapp/build/environment.d.ts
+++ b/application/shared-webapp/build/environment.d.ts
@@ -96,6 +96,22 @@ export declare global {
      * Tenant logo URL
      **/
     tenantLogoUrl?: string | null;
+    /**
+     * Is internal user (has access to BackOffice)
+     **/
+    isInternalUser?: boolean;
+    /**
+     * Tenant rollout bucket (1-100) for A/B testing
+     **/
+    tenantRolloutBucket?: number;
+    /**
+     * User rollout bucket (1-100) for A/B testing
+     **/
+    userRolloutBucket?: number | null;
+    /**
+     * Enabled feature flag keys (database-scoped flags evaluated server-side at token issuance)
+     **/
+    featureFlags?: string[];
   }
 
   /**
diff --git a/application/shared-webapp/infrastructure/auth/AuthenticationProvider.tsx b/application/shared-webapp/infrastructure/auth/AuthenticationProvider.tsx
index 57dae0a95..f45d46210 100644
--- a/application/shared-webapp/infrastructure/auth/AuthenticationProvider.tsx
+++ b/application/shared-webapp/infrastructure/auth/AuthenticationProvider.tsx
@@ -1,7 +1,9 @@
 import type { NavigateOptions } from "@tanstack/react-router";
 import type React from "react";
 
-import { createContext, useCallback, useMemo, useState } from "react";
+import { createContext, useCallback, useEffect, useMemo, useState } from "react";
+
+import { subscribeToUserFeatureFlags } from "../featureFlags/userFeatureFlagsHeader";
 
 export type UserInfo = {
   initials: string;
@@ -35,6 +37,19 @@ export function AuthenticationProvider({ children }: Readonly<AuthenticationProv
     });
   }, []);
 
+  // Bridge the `x-user-feature-flags` response header into provider state. Only re-render when the
+  // set of enabled keys actually changes; otherwise every API response would trigger a needless
+  // re-render across every component using `useFeatureFlag`.
+  useEffect(() => {
+    return subscribeToUserFeatureFlags((nextFlagKeys) => {
+      setUserInfo((prevUserInfo) => {
+        if (prevUserInfo === null) return prevUserInfo;
+        if (sameFlagKeys(prevUserInfo.featureFlags ?? [], nextFlagKeys)) return prevUserInfo;
+        return createUserInfo({ ...prevUserInfo, featureFlags: nextFlagKeys });
+      });
+    });
+  }, []);
+
   const authenticationContext = useMemo(
     () => ({
       userInfo,
@@ -46,6 +61,15 @@ export function AuthenticationProvider({ children }: Readonly<AuthenticationProv
   return <AuthenticationContext.Provider value={authenticationContext}>{children}</AuthenticationContext.Provider>;
 }
 
+function sameFlagKeys(previous: string[], next: string[]): boolean {
+  if (previous.length !== next.length) return false;
+  const previousSet = new Set(previous);
+  for (const key of next) {
+    if (!previousSet.has(key)) return false;
+  }
+  return true;
+}
+
 function createUserInfo(userInfoEnv: UserInfoEnv): UserInfo {
   const { firstName, lastName, email } = userInfoEnv;
   const getInitial = (name: string | undefined) => name?.[0] ?? "";
diff --git a/application/shared-webapp/infrastructure/featureFlags/useFeatureFlag.ts b/application/shared-webapp/infrastructure/featureFlags/useFeatureFlag.ts
new file mode 100644
index 000000000..2b7049090
--- /dev/null
+++ b/application/shared-webapp/infrastructure/featureFlags/useFeatureFlag.ts
@@ -0,0 +1,58 @@
+import { type FeatureFlagKey, getFlag } from "@repo/ui/featureFlags/registry.generated";
+
+import { useUserInfo } from "../auth/hooks";
+import { getLatestUserFeatureFlags } from "./userFeatureFlagsHeader";
+
+type FeatureFlagResult = { enabled: boolean };
+
+const DISABLED: FeatureFlagResult = { enabled: false };
+const ENABLED: FeatureFlagResult = { enabled: true };
+
+// `flagKey: FeatureFlagKey` is the codegen-emitted union of every key in FeatureFlags.cs. Passing a
+// string that isn't a current backend flag is a TS compile error, so deleting or renaming a flag
+// surfaces every dead callsite at build time instead of silently returning DISABLED at runtime.
+export function useFeatureFlag(flagKey: FeatureFlagKey): FeatureFlagResult {
+  // Read on every render so re-renders triggered by AuthenticationProvider state updates pick up
+  // the new flag set without a page reload.
+  const userInfo = useUserInfo();
+
+  const definition = getFlag(flagKey);
+
+  if (definition.scope === "system") {
+    // `RuntimeEnv` is hand-maintained in shared-webapp/build/environment.d.ts, but
+    // `definition.envVar` is sourced from the C# `FrontendEnvVar` field via codegen. Guard at
+    // runtime so a system flag whose env var hasn't been declared on `RuntimeEnv` returns DISABLED
+    // explicitly instead of silently reading `undefined` through an unchecked cast.
+    const { envVar } = definition;
+    if (!(envVar in import.meta.runtime_env)) return DISABLED;
+    return import.meta.runtime_env[envVar as keyof RuntimeEnv] === "true" ? ENABLED : DISABLED;
+  }
+
+  if (!userInfo?.isAuthenticated) return DISABLED;
+
+  const enabledFlags = userInfo.featureFlags ?? [];
+  return enabledFlags.includes(flagKey) ? ENABLED : DISABLED;
+}
+
+// Synchronous flag check for non-React callers (TanStack Router `beforeLoad` guards, fetch
+// interceptors, etc.). Reads the live header-dispatched flag set when an authenticated response
+// has already resolved in this session, and falls back to the bootstrap meta tag only on first
+// load. Without the live-read step, in-session toggles (owner self-service, admin override) would
+// diverge from the `useFeatureFlag` hook until a full page reload.
+export function isFeatureFlagEnabled(flagKey: FeatureFlagKey): boolean {
+  const definition = getFlag(flagKey);
+
+  if (definition.scope === "system") {
+    const { envVar } = definition;
+    if (!(envVar in import.meta.runtime_env)) return false;
+    return import.meta.runtime_env[envVar as keyof RuntimeEnv] === "true";
+  }
+
+  const liveFlags = getLatestUserFeatureFlags();
+  if (liveFlags !== null) return liveFlags.includes(flagKey);
+
+  const userInfo = import.meta.user_info_env;
+  if (!userInfo.isAuthenticated) return false;
+  const bootstrapFlags = userInfo.featureFlags ?? [];
+  return bootstrapFlags.includes(flagKey);
+}
diff --git a/application/shared-webapp/infrastructure/featureFlags/userFeatureFlagsHeader.ts b/application/shared-webapp/infrastructure/featureFlags/userFeatureFlagsHeader.ts
new file mode 100644
index 000000000..d5ce38dd8
--- /dev/null
+++ b/application/shared-webapp/infrastructure/featureFlags/userFeatureFlagsHeader.ts
@@ -0,0 +1,81 @@
+/**
+ * Bridge between the fetch layer (no React) and AuthenticationProvider (React).
+ *
+ * AppGateway emits `x-user-feature-flags` on every authenticated response with the comma-separated
+ * keys of database-scoped flags currently enabled for the user. Fetch interceptors call
+ * `dispatchUserFeatureFlagsFromResponse(response)`; AuthenticationProvider subscribes on mount.
+ *
+ * The listener Set is stored on globalThis under a Symbol.for key so every federated bundle that
+ * imports this module shares one Set. Without this, each bundle's module instance owns its own Set
+ * and dispatches do not cross the host/remote boundary (e.g., a flag toggled from the Account
+ * remote never updates main-host `useFeatureFlag` consumers).
+ *
+ * Contract:
+ * - Header missing on a response = no dispatch (preserves prior state).
+ * - Header present with empty value = dispatch `[]` (user has zero enabled flags now).
+ * - Parsed flag keys are deduplicated and sorted so equality checks downstream are stable.
+ * - Late subscribers receive the most recently dispatched value immediately so a fetch that
+ *   resolves before AuthenticationProvider's useEffect runs is not silently dropped.
+ */
+
+export const USER_FEATURE_FLAGS_HEADER = "x-user-feature-flags";
+
+type Listener = (flagKeys: string[]) => void;
+
+type Registry = {
+  listeners: Set<Listener>;
+  lastFlagKeys: string[] | null;
+};
+
+const REGISTRY_KEY = Symbol.for("@repo/infrastructure/userFeatureFlagsHeader");
+
+function getRegistry(): Registry {
+  const globalRegistry = globalThis as unknown as { [REGISTRY_KEY]?: Registry };
+  if (!globalRegistry[REGISTRY_KEY]) {
+    globalRegistry[REGISTRY_KEY] = { listeners: new Set(), lastFlagKeys: null };
+  }
+  return globalRegistry[REGISTRY_KEY];
+}
+
+function parseHeader(value: string): string[] {
+  const seen = new Set<string>();
+  for (const segment of value.split(",")) {
+    const key = segment.trim();
+    if (key.length > 0) seen.add(key);
+  }
+  return [...seen].sort();
+}
+
+export function dispatchUserFeatureFlagsFromResponse(response: Response): void {
+  const headerValue = response.headers.get(USER_FEATURE_FLAGS_HEADER);
+  if (headerValue === null) return;
+
+  const flagKeys = parseHeader(headerValue);
+  const registry = getRegistry();
+  registry.lastFlagKeys = flagKeys;
+  for (const listener of registry.listeners) {
+    listener(flagKeys);
+  }
+}
+
+export function subscribeToUserFeatureFlags(listener: Listener): () => void {
+  const registry = getRegistry();
+  registry.listeners.add(listener);
+  if (registry.lastFlagKeys !== null) {
+    listener(registry.lastFlagKeys);
+  }
+  return () => {
+    registry.listeners.delete(listener);
+  };
+}
+
+/**
+ * Synchronous read of the most recent header-dispatched flag set. Returns null when no header has
+ * been seen yet (no authenticated response has resolved in this session). Used by non-React
+ * callers — TanStack Router `beforeLoad` guards, fetch interceptors — so they share the live
+ * eventing channel instead of reading a bootstrap meta tag that goes stale after the first
+ * mid-session toggle.
+ */
+export function getLatestUserFeatureFlags(): string[] | null {
+  return getRegistry().lastFlagKeys;
+}
diff --git a/application/shared-webapp/infrastructure/http/httpClient.ts b/application/shared-webapp/infrastructure/http/httpClient.ts
index 3b69170b3..f757f1659 100644
--- a/application/shared-webapp/infrastructure/http/httpClient.ts
+++ b/application/shared-webapp/infrastructure/http/httpClient.ts
@@ -9,6 +9,7 @@
  * Use this module when working with endpoints that don't have OpenAPI/strongly-typed definitions
  */
 import { getHasPendingAuthSync } from "../auth/AuthSyncService";
+import { dispatchUserFeatureFlagsFromResponse } from "../featureFlags/userFeatureFlagsHeader";
 import { normalizeError } from "./errorHandler";
 
 /**
@@ -59,6 +60,8 @@ export async function enhancedFetch(input: RequestInfo | URL, init?: RequestInit
   try {
     const response = await window.fetch(input, enhancedInit);
 
+    dispatchUserFeatureFlagsFromResponse(response);
+
     if (!response.ok) {
       throw await normalizeError(response);
     }
diff --git a/application/shared-webapp/infrastructure/http/queryClient.ts b/application/shared-webapp/infrastructure/http/queryClient.ts
index 5cdc0b56c..30f0119eb 100644
--- a/application/shared-webapp/infrastructure/http/queryClient.ts
+++ b/application/shared-webapp/infrastructure/http/queryClient.ts
@@ -16,6 +16,7 @@ import createClient from "openapi-react-query";
 
 import { createAuthenticationMiddleware } from "../auth/AuthenticationMiddleware";
 import { getHasPendingAuthSync } from "../auth/AuthSyncService";
+import { dispatchUserFeatureFlagsFromResponse } from "../featureFlags/userFeatureFlagsHeader";
 import { preferredLocaleKey } from "../translations/constants";
 import { type HttpError, normalizeError } from "./errorHandler";
 import { DEFAULT_TIMEOUT } from "./httpClient";
@@ -71,6 +72,8 @@ function createHttpMiddleware() {
       return new Request(request, { signal });
     },
     onResponse: async ({ response }: { request: Request; response: Response }) => {
+      dispatchUserFeatureFlagsFromResponse(response);
+
       if (!response.ok) {
         // Normalize error and re-throw, so failed requests are handled via error handling
         throw await normalizeError(response);
diff --git a/application/shared-webapp/tests/e2e/utils/test-assertions.ts b/application/shared-webapp/tests/e2e/utils/test-assertions.ts
index 03c80818d..3b6ee41b5 100644
--- a/application/shared-webapp/tests/e2e/utils/test-assertions.ts
+++ b/application/shared-webapp/tests/e2e/utils/test-assertions.ts
@@ -457,6 +457,44 @@ export async function clickSelectOption(page: Page, optionName: string): Promise
   await expect(popup).not.toBeVisible();
 }
 
+/**
+ * Click a Playwright locator and assert that the resulting authenticated response carries the
+ * `x-user-feature-flags` header containing (or not containing) the supplied flag key.
+ *
+ * AppGateway emits `x-user-feature-flags` on every authenticated response; self-service toggles
+ * call `AddRefreshAuthenticationTokens` so the same response cycle already carries the updated
+ * flag set. Using this helper avoids a `Promise.all` / `waitForResponse` idiom in test files and
+ * keeps the assertion focused on the propagation contract.
+ *
+ * @param page Playwright page that issues the mutation request
+ * @param trigger Locator that, when clicked, triggers the mutation (e.g. a switch)
+ * @param options.urlSubstring Substring that must appear in the response URL (e.g. the route)
+ * @param options.method HTTP method of the mutation request (default: "PUT")
+ * @param options.expectedFlag Flag key that must be present in the `x-user-feature-flags` header
+ * @param options.shouldContain Whether the flag should be present (true) or absent (false)
+ */
+export async function expectFeatureFlagHeaderResponse(
+  page: Page,
+  trigger: Locator,
+  options: { urlSubstring: string; method?: string; expectedFlag: string; shouldContain: boolean }
+): Promise<void> {
+  const { urlSubstring, method = "PUT", expectedFlag, shouldContain } = options;
+
+  const [response] = await Promise.all([
+    page.waitForResponse(
+      (response) => response.url().includes(urlSubstring) && response.request().method() === method
+    ),
+    trigger.click()
+  ]);
+
+  const headerValue = response.headers()["x-user-feature-flags"];
+  if (shouldContain) {
+    expect(headerValue).toContain(expectedFlag);
+  } else {
+    expect(headerValue).not.toContain(expectedFlag);
+  }
+}
+
 /**
  * Type an OTP verification code into the one-time-code inputs.
  *
diff --git a/application/shared-webapp/tests/e2e/utils/test-data.ts b/application/shared-webapp/tests/e2e/utils/test-data.ts
index 0e0653513..0fa167558 100644
--- a/application/shared-webapp/tests/e2e/utils/test-data.ts
+++ b/application/shared-webapp/tests/e2e/utils/test-data.ts
@@ -1,5 +1,5 @@
 import { faker } from "@faker-js/faker";
-import type { Page } from "@playwright/test";
+import { expect, type Page } from "@playwright/test";
 import { isLocalhost } from "./constants";
 import type { TestContext } from "./test-assertions";
 import { typeOneTimeCode } from "./test-assertions";
@@ -84,6 +84,25 @@ export function testUser() {
   };
 }
 
+/**
+ * Log in as Admin via MockEasyAuth on the back-office host.
+ *
+ * Selects the Admin radio, submits the login form, and waits for the back-office
+ * page to land on its expected URL. The caller is responsible for navigating to
+ * the desired back-office route before calling this helper, since MockEasyAuth
+ * redirects to whichever back-office URL initiated the auth challenge.
+ *
+ * @param backOfficePage Playwright page bound to the back-office baseURL
+ * @param expectedUrl The full back-office URL that should be active after login
+ */
+export async function logInAsAdmin(backOfficePage: Page, expectedUrl: string): Promise<void> {
+  await expect(backOfficePage.getByRole("radio", { name: "Admin Log in with admin rights" })).toBeVisible();
+  await backOfficePage.getByRole("radio", { name: "Admin Log in with admin rights" }).click();
+  await backOfficePage.getByRole("button", { name: "Log in" }).click();
+
+  await expect(backOfficePage).toHaveURL(expectedUrl);
+}
+
 /**
  * Complete the full signup flow for a user
  * @param page Playwright page instance
diff --git a/application/shared-webapp/ui/components/Pagination.tsx b/application/shared-webapp/ui/components/Pagination.tsx
index 7f50cda09..9a7c16a2e 100644
--- a/application/shared-webapp/ui/components/Pagination.tsx
+++ b/application/shared-webapp/ui/components/Pagination.tsx
@@ -75,7 +75,11 @@ function PaginationEllipsis({ className, ...props }: React.ComponentProps<"span"
       aria-hidden={true}
       data-slot="pagination-ellipsis"
       className={cn(
-        "flex size-[var(--control-height)] items-center justify-center [&_svg:not([class*='size-'])]:size-4",
+        // `relative` keeps the inner `sr-only` span's `position: absolute` containing block scoped to
+        // this ellipsis. Without it the sr-only falls back to the next positioned ancestor (the page's
+        // outer <main>) where the auto top calculation lands at the bottom of the document, inflating
+        // the page scrollHeight and producing a phantom second window scrollbar.
+        "relative flex size-[var(--control-height)] items-center justify-center [&_svg:not([class*='size-'])]:size-4",
         className
       )}
       {...props}
diff --git a/application/shared-webapp/ui/featureFlags/labels.generated.ts b/application/shared-webapp/ui/featureFlags/labels.generated.ts
new file mode 100644
index 000000000..4e7e5b0c7
--- /dev/null
+++ b/application/shared-webapp/ui/featureFlags/labels.generated.ts
@@ -0,0 +1,86 @@
+// AUTO-GENERATED FROM application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs.
+// Regenerate with `dotnet run --project developer-cli -- build --backend`. Do not edit by hand.
+//
+// The English copy here mirrors the Label and Description fields on each FeatureFlagDefinition.
+// Lingui extracts these strings at frontend build time into shared-webapp/ui/translations/locale/*.po
+// for translators to localize.
+//
+// Helpers accept `string` (not the strict FeatureFlagKey union) because flag keys arrive here
+// from API responses too — values that the type system can't pin to the current set. Unknown keys
+// fall back to a humanized form so historical telemetry and stale tenant overrides still display
+// readably. Strict-typing for hard-coded keys happens at the `useFeatureFlag` hook, not here.
+
+import { t } from "@lingui/core/macro";
+
+interface FeatureFlagLabel {
+  name: string;
+  description: string;
+}
+
+function getKnownFeatureFlagLabels(): Record<string, FeatureFlagLabel> {
+  return {
+    "google-oauth": {
+      name: t`Google OAuth`,
+      description: t`Sign in with Google using OpenID Connect`
+    },
+    "subscriptions": {
+      name: t`Subscriptions`,
+      description: t`Stripe-powered subscription billing and plan management`
+    },
+    "beta-features": {
+      name: t`Beta features`,
+      description: t`Early access to experimental features before general availability`
+    },
+    "sso": {
+      name: t`Single sign-on`,
+      description: t`Allow users to authenticate using enterprise identity providers`
+    },
+    "account-overview": {
+      name: t`Account overview page`,
+      description: t`Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list.`
+    },
+    "compact-view": {
+      name: t`Compact view`,
+      description: t`Reduce spacing between UI elements for a denser layout`
+    },
+    "experimental-ui": {
+      name: t`Experimental UI`,
+      description: t`Try out experimental user interface components`
+    }
+  };
+}
+
+function formatFeatureFlagKey(flagKey: string): string {
+  const formatted = flagKey.replace(/-/g, " ");
+  return formatted.charAt(0).toUpperCase() + formatted.slice(1);
+}
+
+export function getFeatureFlagLabel(flagKey: string): FeatureFlagLabel {
+  const known = getKnownFeatureFlagLabels()[flagKey];
+  if (known) return known;
+  const name = formatFeatureFlagKey(flagKey);
+  return { name, description: name };
+}
+
+export function getFeatureFlagName(flagKey: string): string {
+  return getFeatureFlagLabel(flagKey).name;
+}
+
+export function getFeatureFlagDescription(flagKey: string): string {
+  return getFeatureFlagLabel(flagKey).description;
+}
+
+export function getFeatureFlagSourceLabel(source: string): string {
+  switch (source) {
+    case "manual_override":
+      return t`Manual override`;
+    case "ab_rollout":
+      return t`A/B rollout`;
+    case "plan":
+      return t`Plan`;
+    case "default":
+      return t`Default`;
+    default:
+      return source;
+  }
+}
diff --git a/application/shared-webapp/ui/featureFlags/labels.ts b/application/shared-webapp/ui/featureFlags/labels.ts
new file mode 100644
index 000000000..ceb50e866
--- /dev/null
+++ b/application/shared-webapp/ui/featureFlags/labels.ts
@@ -0,0 +1,10 @@
+// Stable consumer entry point for the generated feature flag labels. The implementation lives in
+// `labels.generated.ts`, regenerated on every backend build from FeatureFlags.cs (see the
+// GenerateFeatureFlagsManifest target in application/account/Api/Account.Api.csproj). This wrapper
+// exists so consumer imports (`@repo/ui/featureFlags/labels`) don't leak the codegen mechanism.
+export {
+  getFeatureFlagDescription,
+  getFeatureFlagLabel,
+  getFeatureFlagName,
+  getFeatureFlagSourceLabel
+} from "./labels.generated";
diff --git a/application/shared-webapp/ui/featureFlags/registry.generated.ts b/application/shared-webapp/ui/featureFlags/registry.generated.ts
new file mode 100644
index 000000000..a6d6cc8f1
--- /dev/null
+++ b/application/shared-webapp/ui/featureFlags/registry.generated.ts
@@ -0,0 +1,98 @@
+// AUTO-GENERATED FROM application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs.
+// Regenerate with `dotnet run --project developer-cli -- build --backend`. Do not edit by hand.
+//
+// Carries the runtime metadata that `useFeatureFlag` needs to evaluate a flag client-side. System
+// flags additionally carry the frontend env-var name so the hook can read from import.meta.runtime_env.
+//
+// FeatureFlagKey is the union of every key defined in FeatureFlags.cs. Hook + helper signatures
+// accept this union instead of `string`, so deleting or renaming a backend flag turns every
+// `useFeatureFlag(deletedKey)` and `getFeatureFlagLabel(deletedKey)` callsite into a TS compile
+// error after the next backend build regenerates this file.
+
+export type FeatureFlagKey = "google-oauth" | "subscriptions" | "beta-features" | "sso" | "account-overview" | "compact-view" | "experimental-ui";
+
+type FeatureFlagScope = "system" | "tenant" | "user";
+type FeatureFlagAdminLevel = "systemAdmin" | "tenantOwner" | "user";
+
+type BaseFeatureFlagDefinition = {
+  key: FeatureFlagKey;
+  scope: FeatureFlagScope;
+  adminLevel: FeatureFlagAdminLevel;
+  parentDependency: FeatureFlagKey | null;
+  description: string;
+};
+
+type SystemFeatureFlagDefinition = BaseFeatureFlagDefinition & {
+  scope: "system";
+  envVar: string;
+};
+
+type DatabaseFeatureFlagDefinition = BaseFeatureFlagDefinition & {
+  scope: "tenant" | "user";
+};
+
+export type FeatureFlagDefinition = SystemFeatureFlagDefinition | DatabaseFeatureFlagDefinition;
+
+const featureFlagRegistry: Record<FeatureFlagKey, FeatureFlagDefinition> = {
+    "google-oauth": {
+      key: "google-oauth",
+      scope: "system",
+      adminLevel: "systemAdmin",
+      parentDependency: null,
+      description: "Sign in with Google using OpenID Connect",
+      envVar: "PUBLIC_GOOGLE_OAUTH_ENABLED"
+    },
+    "subscriptions": {
+      key: "subscriptions",
+      scope: "system",
+      adminLevel: "systemAdmin",
+      parentDependency: null,
+      description: "Stripe-powered subscription billing and plan management",
+      envVar: "PUBLIC_SUBSCRIPTION_ENABLED"
+    },
+    "beta-features": {
+      key: "beta-features",
+      scope: "tenant",
+      adminLevel: "systemAdmin",
+      parentDependency: null,
+      description: "Early access to experimental features before general availability"
+    },
+    "sso": {
+      key: "sso",
+      scope: "tenant",
+      adminLevel: "systemAdmin",
+      parentDependency: null,
+      description: "Allow users to authenticate using enterprise identity providers"
+    },
+    "account-overview": {
+      key: "account-overview",
+      scope: "tenant",
+      adminLevel: "tenantOwner",
+      parentDependency: null,
+      description: "Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list."
+    },
+    "compact-view": {
+      key: "compact-view",
+      scope: "user",
+      adminLevel: "user",
+      parentDependency: null,
+      description: "Reduce spacing between UI elements for a denser layout"
+    },
+    "experimental-ui": {
+      key: "experimental-ui",
+      scope: "user",
+      adminLevel: "user",
+      parentDependency: null,
+      description: "Try out experimental user interface components"
+    }
+};
+
+export function getFlag(key: FeatureFlagKey): FeatureFlagDefinition {
+  return featureFlagRegistry[key];
+}
+
+export function getAllFlags(): FeatureFlagDefinition[] {
+  return Object.values(featureFlagRegistry);
+}
+
+export { featureFlagRegistry };
diff --git a/application/shared-webapp/ui/scripts/generateFeatureFlagArtifacts.mjs b/application/shared-webapp/ui/scripts/generateFeatureFlagArtifacts.mjs
new file mode 100644
index 000000000..3e9b58b83
--- /dev/null
+++ b/application/shared-webapp/ui/scripts/generateFeatureFlagArtifacts.mjs
@@ -0,0 +1,202 @@
+#!/usr/bin/env node
+/**
+ * Generates two TS artifacts from application/shared-webapp/ui/featureFlags/featureFlags.generated.json:
+ *
+ *   - labels.generated.ts   — Lingui t`...` macros for every flag's Label and Description.
+ *                              Frontend Lingui extraction reads this and writes the strings into
+ *                              shared-webapp/ui/translations/locale/*.po for translators to localize.
+ *
+ *   - registry.generated.ts — Runtime registry consumed by `useFeatureFlag`. Carries the metadata
+ *                              the React hook needs to evaluate a flag (scope discrimination, the
+ *                              frontend env var name for system flags, etc.).
+ *
+ * The JSON manifest is emitted by the GenerateFeatureFlagsManifest MSBuild target in
+ * application/account/Api/Account.Api.csproj. Run `build --backend` to regenerate both the manifest
+ * and these artifacts.
+ *
+ * Both generated files match the "**\/*.generated.*" glob in application/.oxfmtrc.json, so the
+ * formatter leaves them alone. Hand-edits to either file would be overwritten on the next build.
+ */
+import { readFileSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const scriptDirectory = dirname(fileURLToPath(import.meta.url));
+const featureFlagsDirectory = resolve(scriptDirectory, "../featureFlags");
+const manifestPath = resolve(featureFlagsDirectory, "featureFlags.generated.json");
+const labelsOutputPath = resolve(featureFlagsDirectory, "labels.generated.ts");
+const registryOutputPath = resolve(featureFlagsDirectory, "registry.generated.ts");
+
+const flags = JSON.parse(readFileSync(manifestPath, "utf-8"));
+
+function escapeTemplateLiteral(value) {
+    return value.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
+}
+
+function jsonString(value) {
+    return JSON.stringify(value);
+}
+
+function scopeLiteral(scope) {
+    return jsonString(scope.toLowerCase());
+}
+
+function adminLevelLiteral(level) {
+    // Backend enum uses PascalCase (SystemAdmin, TenantOwner, User); the TS contract is camelCase.
+    const map = { SystemAdmin: "systemAdmin", TenantOwner: "tenantOwner", User: "user" };
+    if (!(level in map)) throw new Error(`Unknown AdminLevel: ${level}`);
+    return jsonString(map[level]);
+}
+
+// ---------- labels.generated.ts ----------
+
+const labelEntries = flags
+    .map((flag) => {
+        const key = jsonString(flag.key);
+        const label = escapeTemplateLiteral(flag.label);
+        const description = escapeTemplateLiteral(flag.description);
+        return `    ${key}: {\n      name: t\`${label}\`,\n      description: t\`${description}\`\n    }`;
+    })
+    .join(",\n");
+
+const labelsContent = `// AUTO-GENERATED FROM application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs.
+// Regenerate with \`dotnet run --project developer-cli -- build --backend\`. Do not edit by hand.
+//
+// The English copy here mirrors the Label and Description fields on each FeatureFlagDefinition.
+// Lingui extracts these strings at frontend build time into shared-webapp/ui/translations/locale/*.po
+// for translators to localize.
+//
+// Helpers accept \`string\` (not the strict FeatureFlagKey union) because flag keys arrive here
+// from API responses too — values that the type system can't pin to the current set. Unknown keys
+// fall back to a humanized form so historical telemetry and stale tenant overrides still display
+// readably. Strict-typing for hard-coded keys happens at the \`useFeatureFlag\` hook, not here.
+
+import { t } from "@lingui/core/macro";
+
+interface FeatureFlagLabel {
+  name: string;
+  description: string;
+}
+
+function getKnownFeatureFlagLabels(): Record<string, FeatureFlagLabel> {
+  return {
+${labelEntries}
+  };
+}
+
+function formatFeatureFlagKey(flagKey: string): string {
+  const formatted = flagKey.replace(/-/g, " ");
+  return formatted.charAt(0).toUpperCase() + formatted.slice(1);
+}
+
+export function getFeatureFlagLabel(flagKey: string): FeatureFlagLabel {
+  const known = getKnownFeatureFlagLabels()[flagKey];
+  if (known) return known;
+  const name = formatFeatureFlagKey(flagKey);
+  return { name, description: name };
+}
+
+export function getFeatureFlagName(flagKey: string): string {
+  return getFeatureFlagLabel(flagKey).name;
+}
+
+export function getFeatureFlagDescription(flagKey: string): string {
+  return getFeatureFlagLabel(flagKey).description;
+}
+
+export function getFeatureFlagSourceLabel(source: string): string {
+  switch (source) {
+    case "manual_override":
+      return t\`Manual override\`;
+    case "ab_rollout":
+      return t\`A/B rollout\`;
+    case "plan":
+      return t\`Plan\`;
+    case "default":
+      return t\`Default\`;
+    default:
+      return source;
+  }
+}
+`;
+
+writeFileSync(labelsOutputPath, labelsContent);
+
+// ---------- registry.generated.ts ----------
+
+const registryEntries = flags
+    .map((flag) => {
+        const fields = [
+            `      key: ${jsonString(flag.key)}`,
+            `      scope: ${scopeLiteral(flag.scope)}`,
+            `      adminLevel: ${adminLevelLiteral(flag.adminLevel)}`,
+            `      parentDependency: ${flag.parentDependency === null ? "null" : jsonString(flag.parentDependency)}`,
+            `      description: ${jsonString(flag.description)}`
+        ];
+        if (flag.scope === "System") {
+            if (flag.frontendEnvVar == null) {
+                throw new Error(`System flag '${flag.key}' is missing FrontendEnvVar; set it in FeatureFlags.cs.`);
+            }
+            fields.push(`      envVar: ${jsonString(flag.frontendEnvVar)}`);
+        }
+        return `    ${jsonString(flag.key)}: {\n${fields.join(",\n")}\n    }`;
+    })
+    .join(",\n");
+
+const keyUnion = flags.map((flag) => jsonString(flag.key)).join(" | ");
+
+const registryContent = `// AUTO-GENERATED FROM application/shared-kernel/SharedKernel/FeatureFlags/FeatureFlags.cs.
+// Regenerate with \`dotnet run --project developer-cli -- build --backend\`. Do not edit by hand.
+//
+// Carries the runtime metadata that \`useFeatureFlag\` needs to evaluate a flag client-side. System
+// flags additionally carry the frontend env-var name so the hook can read from import.meta.runtime_env.
+//
+// FeatureFlagKey is the union of every key defined in FeatureFlags.cs. Hook + helper signatures
+// accept this union instead of \`string\`, so deleting or renaming a backend flag turns every
+// \`useFeatureFlag(deletedKey)\` and \`getFeatureFlagLabel(deletedKey)\` callsite into a TS compile
+// error after the next backend build regenerates this file.
+
+export type FeatureFlagKey = ${keyUnion};
+
+type FeatureFlagScope = "system" | "tenant" | "user";
+type FeatureFlagAdminLevel = "systemAdmin" | "tenantOwner" | "user";
+
+type BaseFeatureFlagDefinition = {
+  key: FeatureFlagKey;
+  scope: FeatureFlagScope;
+  adminLevel: FeatureFlagAdminLevel;
+  parentDependency: FeatureFlagKey | null;
+  description: string;
+};
+
+type SystemFeatureFlagDefinition = BaseFeatureFlagDefinition & {
+  scope: "system";
+  envVar: string;
+};
+
+type DatabaseFeatureFlagDefinition = BaseFeatureFlagDefinition & {
+  scope: "tenant" | "user";
+};
+
+export type FeatureFlagDefinition = SystemFeatureFlagDefinition | DatabaseFeatureFlagDefinition;
+
+const featureFlagRegistry: Record<FeatureFlagKey, FeatureFlagDefinition> = {
+${registryEntries}
+};
+
+export function getFlag(key: FeatureFlagKey): FeatureFlagDefinition {
+  return featureFlagRegistry[key];
+}
+
+export function getAllFlags(): FeatureFlagDefinition[] {
+  return Object.values(featureFlagRegistry);
+}
+
+export { featureFlagRegistry };
+`;
+
+writeFileSync(registryOutputPath, registryContent);
+
+console.log(
+    `generateFeatureFlagArtifacts: wrote ${flags.length} flags to labels.generated.ts and registry.generated.ts`
+);
diff --git a/application/shared-webapp/ui/translations/locale/da-DK.po b/application/shared-webapp/ui/translations/locale/da-DK.po
index b8096296a..cfc23ae83 100644
--- a/application/shared-webapp/ui/translations/locale/da-DK.po
+++ b/application/shared-webapp/ui/translations/locale/da-DK.po
@@ -20,6 +20,18 @@ msgstr "{0, plural, one {for # dag siden} other {for # dage siden}}"
 msgid "{diffDays, plural, one {In # day} other {In # days}}"
 msgstr "{diffDays, plural, one {Om # dag} other {Om # dage}}"
 
+msgid "A/B rollout"
+msgstr "A/B-udrulning"
+
+msgid "Account overview page"
+msgstr "Kontooversigtsside"
+
+msgid "Allow users to authenticate using enterprise identity providers"
+msgstr "Tillad brugere at logge ind via virksomhedsidentitetsudbydere"
+
+msgid "Beta features"
+msgstr "Beta-funktioner"
+
 msgid "Breadcrumb"
 msgstr "Brødkrumme"
 
@@ -38,21 +50,36 @@ msgstr "Luk menu"
 msgid "Close sidebar"
 msgstr "Luk sidemenu"
 
+msgid "Compact view"
+msgstr "Kompakt visning"
+
 msgid "Create <0>{search}</0>"
 msgstr "Opret <0>{search}</0>"
 
 msgid "Decrease"
 msgstr "Formindsk"
 
+msgid "Default"
+msgstr "Standard"
+
 msgid "Drop files here, or click to browse"
 msgstr "Slip filer her, eller klik for at vælge"
 
+msgid "Early access to experimental features before general availability"
+msgstr "Tidlig adgang til eksperimentelle funktioner inden generel tilgængelighed"
+
+msgid "Experimental UI"
+msgstr "Eksperimentel UI"
+
 msgid "Go to next page"
 msgstr "Gå til næste side"
 
 msgid "Go to previous page"
 msgstr "Gå til forrige side"
 
+msgid "Google OAuth"
+msgstr "Google OAuth"
+
 msgid "Increase"
 msgstr "Forøg"
 
@@ -65,6 +92,9 @@ msgstr "Indlæser"
 msgid "Main content"
 msgstr "Hovedindhold"
 
+msgid "Manual override"
+msgstr "Manuel tilsidesættelse"
+
 msgid "Mobile navigation menu"
 msgstr "Mobilnavigationsmenu"
 
@@ -86,9 +116,15 @@ msgstr "Åbn navigationsmenu"
 msgid "Pagination"
 msgstr "Paginering"
 
+msgid "Plan"
+msgstr "Plan"
+
 msgid "Previous"
 msgstr "Forrige"
 
+msgid "Reduce spacing between UI elements for a denser layout"
+msgstr "Reducér afstanden mellem UI-elementer for et tættere layout"
+
 msgid "Resize sidebar"
 msgstr "Ændr bredde på sidepanel"
 
@@ -101,12 +137,27 @@ msgstr "Vælg tidszone"
 msgid "Show more"
 msgstr "Vis flere"
 
+msgid "Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list."
+msgstr "Vis kontooversigten med brugerstatistik på /account. Når deaktiveret, sendes loggede brugere direkte til brugerlisten."
+
+msgid "Sign in with Google using OpenID Connect"
+msgstr "Log ind med Google via OpenID Connect"
+
+msgid "Single sign-on"
+msgstr "Single sign-on"
+
 msgid "Skip to main content"
 msgstr "Spring til hovedindhold"
 
 msgid "Stay"
 msgstr "Bliv"
 
+msgid "Stripe-powered subscription billing and plan management"
+msgstr "Stripe-drevet abonnementsfakturering og abonnementsstyring"
+
+msgid "Subscriptions"
+msgstr "Abonnementer"
+
 msgid "Today"
 msgstr "I dag"
 
@@ -116,6 +167,9 @@ msgstr "Skift sidepanel"
 msgid "Tomorrow"
 msgstr "I morgen"
 
+msgid "Try out experimental user interface components"
+msgstr "Afprøv eksperimentelle brugergrænsefladekomponenter"
+
 msgid "Unsaved changes"
 msgstr "Ugemte ændringer"
 
diff --git a/application/shared-webapp/ui/translations/locale/en-US.po b/application/shared-webapp/ui/translations/locale/en-US.po
index d4ac703da..aa5d61718 100644
--- a/application/shared-webapp/ui/translations/locale/en-US.po
+++ b/application/shared-webapp/ui/translations/locale/en-US.po
@@ -20,6 +20,18 @@ msgstr "{0, plural, one {# day ago} other {# days ago}}"
 msgid "{diffDays, plural, one {In # day} other {In # days}}"
 msgstr "{diffDays, plural, one {In # day} other {In # days}}"
 
+msgid "A/B rollout"
+msgstr "A/B rollout"
+
+msgid "Account overview page"
+msgstr "Account overview page"
+
+msgid "Allow users to authenticate using enterprise identity providers"
+msgstr "Allow users to authenticate using enterprise identity providers"
+
+msgid "Beta features"
+msgstr "Beta features"
+
 msgid "Breadcrumb"
 msgstr "Breadcrumb"
 
@@ -38,21 +50,36 @@ msgstr "Close menu"
 msgid "Close sidebar"
 msgstr "Close sidebar"
 
+msgid "Compact view"
+msgstr "Compact view"
+
 msgid "Create <0>{search}</0>"
 msgstr "Create <0>{search}</0>"
 
 msgid "Decrease"
 msgstr "Decrease"
 
+msgid "Default"
+msgstr "Default"
+
 msgid "Drop files here, or click to browse"
 msgstr "Drop files here, or click to browse"
 
+msgid "Early access to experimental features before general availability"
+msgstr "Early access to experimental features before general availability"
+
+msgid "Experimental UI"
+msgstr "Experimental UI"
+
 msgid "Go to next page"
 msgstr "Go to next page"
 
 msgid "Go to previous page"
 msgstr "Go to previous page"
 
+msgid "Google OAuth"
+msgstr "Google OAuth"
+
 msgid "Increase"
 msgstr "Increase"
 
@@ -65,6 +92,9 @@ msgstr "Loading"
 msgid "Main content"
 msgstr "Main content"
 
+msgid "Manual override"
+msgstr "Manual override"
+
 msgid "Mobile navigation menu"
 msgstr "Mobile navigation menu"
 
@@ -86,9 +116,15 @@ msgstr "Open navigation menu"
 msgid "Pagination"
 msgstr "Pagination"
 
+msgid "Plan"
+msgstr "Plan"
+
 msgid "Previous"
 msgstr "Previous"
 
+msgid "Reduce spacing between UI elements for a denser layout"
+msgstr "Reduce spacing between UI elements for a denser layout"
+
 msgid "Resize sidebar"
 msgstr "Resize sidebar"
 
@@ -101,12 +137,27 @@ msgstr "Select time zone"
 msgid "Show more"
 msgstr "Show more"
 
+msgid "Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list."
+msgstr "Show the account overview dashboard with user statistics at /account. When disabled, signed-in users go straight to the users list."
+
+msgid "Sign in with Google using OpenID Connect"
+msgstr "Sign in with Google using OpenID Connect"
+
+msgid "Single sign-on"
+msgstr "Single sign-on"
+
 msgid "Skip to main content"
 msgstr "Skip to main content"
 
 msgid "Stay"
 msgstr "Stay"
 
+msgid "Stripe-powered subscription billing and plan management"
+msgstr "Stripe-powered subscription billing and plan management"
+
+msgid "Subscriptions"
+msgstr "Subscriptions"
+
 msgid "Today"
 msgstr "Today"
 
@@ -116,6 +167,9 @@ msgstr "Toggle sidebar"
 msgid "Tomorrow"
 msgstr "Tomorrow"
 
+msgid "Try out experimental user interface components"
+msgstr "Try out experimental user interface components"
+
 msgid "Unsaved changes"
 msgstr "Unsaved changes"